All systems fail; large systems are always failing in some way. No failure mode that could result in serious problems should be overlooked. The designer should never assume that detection and recovery are not required. Such assumptions can be catastrophic. Cybersecurity designs should include a failure analysis and a dependability argument with respect to cybersecurity-critical failure modes.

Failing to plan for failure guarantees catastrophic failure.

20.5.2 Expect Failure: Confine Damages Using Bulkheads

Least privilege means granting the minimum authorized access needed to perform a specified task. The purpose is to minimize damage should granted access be abused. The principle reduces overall risk exposure by reducing the attack surface. The concept certainly applies to human users who go rogue, but is more important in its application to programs operating on behalf of users. Such programs often require the authority of the user to request access to protected resources such as databases. Giving all programs all of the authority of the user, when they only need limited authority, is dangerous because we rarely have assurance that the program is correct and uncorrupted by an adversary (through, say, a life-cycle attack).

Least privilege reduces risk exposure.

Standing in counterbalance to the principle of least privilege is the emerging principle of responsibility-to-share. The responsibility-to-share principle acknowledges that excessive sharing restrictions can damage mission as much as sharing information too freely—known as Dunn's Conundrum [LEE14]. Responsibility-to-share emphasizes customers discovering and pulling the information they need as opposed to owners knowing a priori what clients need and pushing the information to them.

Least privilege must be balanced against responsibility-to-share.

Need-to-know works well in a very stable and long-standing world of adversaries, organizations, and defended systems, such as was the case during the Cold War. Responsibility-to-share acknowledges a much more dynamic world in which missions, organizations, and systems are constantly shifting. The dynamic world requires innovative thinking involving discovery and making connections that may not be consistent with the static notions of need-to-know.

Although the principle of least privilege, which mirrors the principle of need-to-know, seems to be in direct opposition to responsibility-to-share, it is really a matter of balance. The optimal balance is dictated by minimizing overall risk—the risk of excessive sharing against the risk of excessive restriction. When balancing these two principles, there are really two separate cases: balancing for human users and for programs operating on the user's behalf. The attacks and risks are different for each case. Irrespective of how the balance is struck for each, it is wise to increase the intrusion detection surrounding the additional leeway provided in each case, to reduce the chance that that leeway is abused.
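The following is an added illustration, not code from the textbook. It models the two designs the text contrasts for a program acting on a user's behalf: one where the program inherits all of the user's authority, and one where a least-privilege subset is delegated to it and a reference monitor both enforces that subset and records every attempt to exceed it (the "intrusion detection surrounding the additional leeway"). The user, resources, program name and the "corrupted program" behaviour are all constructed for the example; the `delegate` and `ReferenceMonitor` names are hypothetical.

```python
"""Least-privilege delegation for a program acting on a user's behalf.

Added example (not from the textbook). The principal, resource and program
names below are constructed; the reference monitor is a hypothetical stand-in
for whatever access-mediation layer a real system uses.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

Permission = Tuple[str, str]  # (resource, action), e.g. ("customers_db", "read")


@dataclass(frozen=True)
class Principal:
    """An identity plus the set of (resource, action) pairs it is authorized for."""
    name: str
    permissions: FrozenSet[Permission]


@dataclass
class ReferenceMonitor:
    """Mediates every access. Denials are recorded so that the leeway granted
    to a program is surrounded by detection rather than silently absorbed."""
    audit_log: List[str] = field(default_factory=list)

    def check(self, principal: Principal, resource: str, action: str) -> bool:
        allowed = (resource, action) in principal.permissions
        if not allowed:
            self.audit_log.append(f"DENY {principal.name}: {action} {resource}")
        return allowed


def delegate(user: Principal, program: str, needed: FrozenSet[Permission]) -> Principal:
    """Build a least-privilege principal for a program running on the user's behalf.

    The program receives only what its task needs, and delegation can never
    amplify authority: a request for permissions the user lacks is refused.
    """
    excess = needed - user.permissions
    if excess:
        raise PermissionError(
            f"{program} asked for authority {user.name} does not hold: {sorted(excess)}")
    return Principal(f"{program}(for {user.name})", frozenset(needed))


# Constructed sample environment: a user with broad authority over three stores.
ALICE = Principal("alice", frozenset({
    ("customers_db", "read"), ("customers_db", "write"),
    ("payroll_db", "read"), ("payroll_db", "write"),
    ("audit_store", "delete"),
}))

# Hypothetical program: a report generator whose task needs exactly one permission.
REPORT_NEEDS: FrozenSet[Permission] = frozenset({("customers_db", "read")})


def corrupted_report_generator(monitor: ReferenceMonitor, principal: Principal) -> Dict[str, bool]:
    """Stand-in for a program subverted by a life-cycle attack: it performs its
    legitimate task and then attempts actions the task never required."""
    attempts = [("customers_db", "read"),    # legitimate task
                ("payroll_db", "write"),     # not part of the task
                ("audit_store", "delete")]   # not part of the task
    return {f"{action} {resource}": monitor.check(principal, resource, action)
            for resource, action in attempts}


def run_with_full_authority() -> Tuple[Dict[str, bool], List[str]]:
    """The design the text warns against: the program inherits all of the user's authority."""
    monitor = ReferenceMonitor()
    return corrupted_report_generator(monitor, ALICE), monitor.audit_log


def run_with_least_privilege() -> Tuple[Dict[str, bool], List[str]]:
    """Least privilege: the program gets only the delegated subset; the monitor
    contains everything else and leaves an audit trail of the attempts."""
    monitor = ReferenceMonitor()
    scoped = delegate(ALICE, "report_generator", REPORT_NEEDS)
    return corrupted_report_generator(monitor, scoped), monitor.audit_log


def delegation_cannot_amplify() -> bool:
    """A program asking for authority the user does not hold is refused outright."""
    try:
        delegate(ALICE, "rogue_tool", frozenset({("hr_db", "write")}))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for label, run in (("full authority", run_with_full_authority),
                       ("least privilege", run_with_least_privilege)):
        outcome, log = run()
        print(f"{label}: {outcome}")
        for entry in log:
            print("   ", entry)
```

Under full authority every action of the corrupted program succeeds and the audit log stays empty, so the abuse is both unconfined and invisible. Under the delegated subset only the legitimate read succeeds, and the two out-of-scope attempts each produce a `DENY` record, which is exactly the signal an intrusion-detection layer can alert on.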
