
Computer Security

This document discusses computer security across various stages of the software development life cycle (SDLC) and types of controls. It addresses how security should be considered in conceptualization, requirements, design, threat modeling, coding, and testing stages of SDLC. It also discusses physical, technical, and administrative controls and examples of each. Finally, it outlines how cryptography can be used to maintain confidentiality, integrity, availability, and authenticity of data and communications through techniques like file encryption, disk encryption, email security, and web browser/commerce security.

Uploaded by

Micah Ndiwa

Running head: COMPUTER SECURITY 1

Computer Security

Student Name

Course Name

Date

1. Security activities across SDLC stages


The software development life cycle (SDLC) is a combination of stages and procedures important in
the development and maintenance of a software application. The security of an application relies
heavily on security procedures and stages such as security in the conceptual stage, security
application requirements and specifications, security in application design, threat risk modeling,
security in application coding, and security testing.
Security in the conceptual stage
Forming application ideas in the conceptual stage requires applying some concepts of
security. The stage involves taking the sensitivity of the information that will be present in the
application seriously. One security question at this stage addresses the flow of data to and from
the application, including to and from the organization in question. The next question concerns
the individuals who will access and use the application, including administrative access, user
access and third-party access. The conceptual stage also involves questions of regulatory
requirements, application dependencies and service infrastructure use.
Security application requirement and specification
This stage involves providing the simple details essential for the operation of an application. The
description should be written so that the developer is able to develop every single
requirement, for example the workflow, editing, system interfaces, and the roles of users and
administrators. Generally, this stage involves a detailed description of the functionality
requirements of an application, including standards, security, functionality, and test plan.
Security in application design
Application design is essential because it eliminates ambiguities and ensures that the application
runs smoothly. The design may cover workflows, audit logs, database schema, systems, and
integration with other services, among other activities that ensure that the application
requirements and specifications fit harmoniously into the general technology surroundings and are
recommended by all stakeholders.
Threat risk modelling
This stage should come after application design to determine any threats that require
countermeasures. This testing enables developers to identify weaknesses in the design and make
modifications in the relevant areas.
Application coding
This stage follows modelling and is essential because it helps avoid vulnerabilities that might
cost the whole design of the application, such as sensitive data exposure, injection flaws, and
security misconfiguration, among others. To avoid these vulnerabilities, the application
designer should use libraries that are safe against them.
Security testing
Testing of the application involves scans that ensure that the coding is properly done and is
devoid of any vulnerabilities at all levels of the application design.
Protecting the SDLC itself
To ensure the security of the application, further security measures should be taken to protect
the whole process. Such measures include control of the source code, protection of software
development systems (e.g. prevention of malware attacks), and protection of software
development tools.
2. Security activities across the types of controls
A control can be defined as an activity that governs access to an asset or ensures its integrity,
availability or confidentiality. In that sense, controls that manage information systems are
classified into physical, technical and administrative controls.
Physical controls
These are security measures put in place to guard access to the physical places where
information systems are located, for example network devices and app servers. Physical controls
can therefore range from video surveillance to key and access controls to signs reading "No
Trespassing." Some physical control measures go further and notify users that their actions are
viewed and recorded. Fencing is also a type of physical control that determines the access points
to a room or place.
Technical controls
These are sometimes referred to as logical controls, and they are programs placed on an
information system to control the behavior of systems and access by users. One example of a
technical control is authentication, which is generally configured to permit or deny access to
systems or data depending on the personnel seeking such data or function. An access control list
(ACL) is another type of technical control that determines a user's access to files, applications,
networks or systems. Other technical controls are meant to block the installation of malware
on computers and systems; examples of such controls are anti-virus and anti-spyware
software. Through encryption, information can also be kept in a form that can only be read by
individuals who are authorized. Remote access is another form of technical control,
which enables users to access systems from their remote location. A firewall is another form of
technical control, which allows devices to block off all unwanted network traffic.
Administrative controls
These controls take a general perspective in organizations by setting principles, rules, standards
and procedures that dictate the actions of individuals and information systems. Administrative
controls can be categorized into policies, standards, and processes and procedures. Policies are
statements communicated by the administration or management that highlight how operations
are to take place in the organization. Under policy are categorizations such as security
policy and acceptable application policy. Standards are another administrative control that
specifies how the operations of an organization are conducted, for example, what is
manufactured, system configurations and product models, among other standard qualities.
Procedures and management is the last administrative control in this category; it deals with
crucial business activities, for example change control, vulnerability management, access
administration, service extension management and new employee hiring.
3. How to maintain the confidentiality, integrity, availability and authenticity using
cryptography
Cryptography is used to secure data from access by unauthorized individuals. In some situations,
cryptography is used as part of a defense-in-depth plan for data. However, when transmitting
information over public servers, cryptography proves to be the only way to make data secure.
File encryption. This kind of encryption helps protect the content of files that are transmitted
over a public network via FTP or email. This is possible because only individuals who have the
encryption key can access the content of the file. Encrypting File System (EFS) is one of the tools
used to encrypt files. It is a file and directory encryption capability built into Windows 2000,
Windows Vista 7, Windows Vista 8, and XP. Pretty Good Privacy (PGP) is another tool that is used
to encrypt files, where one or more public key recipients. Gnu Privacy Guard is another tool
used to encrypt files because it is compatible with most PGP operations. Other
cryptography tools used include crypt and WinZip, with crypt able to save a copy of the
encrypted file.
Disk encryption. An entire disk or a subtype of a disk can also be encrypted using tools like
PGP, which is used to create an encrypted disk subtype or volume on the hard drive of a computer.
Other tools that can be used to encrypt the whole disk volume of a computer include TrueCrypt,
BitLocker and SafeBoot.
E-mail security. Protection of communications that happen via email is vital for the parties
involved, and this is possible through encryption schemes such as S/MIME, PGP, PEM and MOSS.
S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and it is a credential-based
e-mail encryption system. Encrypting e-mail communications forwarded to other receivers can be
done with PGP and GPG. PGP Keys is a program that allows users to control their private and
shared key, including the shared key of receivers.
Privacy-Enhanced Mail (PEM) is an encryption scheme that depends on the availability of a
hierarchical PKI with a single root. MIME Object Security Services (MOSS) is a standard that
allows message digests and encryption keys to offer authentication, non-repudiation, and
credibility.
Secure point-to-point communications. Encryption can be used to protect data in the communication
between two systems such as servers and workstations using tools like Secure Shell (SSH),
IPsec, Security Associations (SAs), Secure Sockets Layer (SSL) and Transport Layer Security
(TLS).
Web browser and e-commerce security
Programs that access web-based applications over the Internet are known as web browsers. Web
browsers use HyperText Transfer Protocol (HTTP) to communicate with web servers in either a
public mode using TCP port 80 and http URLs, or a private mode using https URLs. Users are
usually secure and sure if they have a 'padlock' sign in their browsers, which means that the user
ID and password are encrypted and hence secured.
Web service security
This term usually refers to communication between machines through applications. In
most cases, most of the data circulating between the browser and the application is encrypted to
ensure that users are secured from hackers. Secure Hypertext Transfer Protocol is used to encrypt
data sent from the server to the client. Other tools used to secure web data include Secure
Electronic Transaction (SET) and session identification cookies.
Virtual private networks
A virtual private network (VPN) is a conceptual communication system that allows for
safe remote access between two sites or places. It can also be used to encrypt traffic between two
different networks that are not connected. This allows two networks to interact over the public
Internet without fear of hijacking or of exposing their communications. Each network's router can
be set up to protect all data headed for the other connection.
4. Countermeasure principles for cloud computing
Countermeasures are acts that lessen a threat's capability by lowering the threat's likelihood of
occurrence or its effect. The supply of infrastructure, system, or application services over the
internet is commonly referred to as cloud computing. The possibility of employing services from a
network operator at a cheaper cost than enterprises could achieve on their own is the key motivator
for corporations to deploy cloud computing. Organizations experience reduced costs because
using cloud services cuts IT expenses. Using cloud services also enables an
organization to concentrate on the delivery of services and not on computer or IT systems. Cloud
computing, however, faces several information systems-related threats. Some attackers aim
at stealing from or interfering with customers and organizations using cloud computing for their
malicious intentions.
Multitenancy and logical separation. Cloud-based services serve different
companies from a single infrastructure. The subject of conceptually segregating data across
customers is likely the defining aspect of those services that incorporate the keeping or
processing of data for their clients. A cloud computing service, in addition to the controls and
protections required to safeguard any information system, also requires controls to ensure that all
information and operations of its users are kept completely distinct.
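One way to enforce the logical separation described above at the data-access layer, as an added example that is not part of the original document. The `docs` table, the `TenantStore` class and the tenant names are hypothetical, and `sqlite3` stands in for the provider's shared database.

```python
import sqlite3


def make_store_db():
    """One shared table for all tenants, as on a multitenant platform."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE docs (tenant_id TEXT NOT NULL, doc_id TEXT NOT NULL, "
        "body TEXT NOT NULL, PRIMARY KEY (tenant_id, doc_id))"
    )
    return db


class TenantStore:
    """Data-access object bound to exactly one tenant.

    The tenant id is fixed at construction (in a real service it would come
    from the authenticated session, never from request parameters) and is
    added to every statement, so callers cannot address another tenant's rows.
    """

    def __init__(self, db, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._db = db
        self._tenant = tenant_id

    def add(self, doc_id, body):
        self._db.execute(
            "INSERT INTO docs (tenant_id, doc_id, body) VALUES (?, ?, ?)",
            (self._tenant, doc_id, body),
        )

    def get(self, doc_id):
        row = self._db.execute(
            "SELECT body FROM docs WHERE tenant_id = ? AND doc_id = ?",
            (self._tenant, doc_id),
        ).fetchone()
        return row[0] if row else None

    def list_ids(self):
        rows = self._db.execute(
            "SELECT doc_id FROM docs WHERE tenant_id = ? ORDER BY doc_id",
            (self._tenant,),
        ).fetchall()
        return [r[0] for r in rows]

    def delete(self, doc_id):
        cur = self._db.execute(
            "DELETE FROM docs WHERE tenant_id = ? AND doc_id = ?",
            (self._tenant, doc_id),
        )
        return cur.rowcount  # 0 when the document is not this tenant's


if __name__ == "__main__":
    db = make_store_db()
    a, b = TenantStore(db, "tenant-a"), TenantStore(db, "tenant-b")
    a.add("plan", "A roadmap")               # constructed sample data
    print(b.get("plan"), b.delete("plan"))   # None 0: B cannot see or remove it
```

Because the composite primary key includes the tenant id, two tenants can reuse the same document id without colliding or overwriting each other.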
Data Sovereignty. This is a term used to describe the constitutional authority that a data holder
has over their data, as well as the jurisdictional matter of electronic information kept in a
specific state or nation. Because the architecture of most cloud-based services is handled by the
hosting cloud company, the client has no personal control over their data. Besides, the data is
stored on systems or devices that the company does not own or manage. The firm has given up direct
control of its information to its cloud-based network operator to some extent.
Data Jurisdiction. The data stored on a cloud computing service provider's systems, which may in
practice be situated in one or numerous legal jurisdictions, is the legal property of an
enterprise situated in one jurisdiction. Legal precedents are established to assist both cloud
service providers and organizations in understanding their terms of operation and their concerns
about privacy and data storage.
Controls and Audits. An enterprise that uses cloud services may be accountable for creating
and administering security controls linked to data processing integrity and confidentiality.
Because some restrictions are under the authority of the cloud computing provider, determining
their effectiveness can be challenging in many circumstances. A cloud provider may withhold
information about some key controls that the organization is accountable for, for the sake
of preserving intellectual rights. However, this challenge can be solved by external audits, for
example Statement on Standards for Attestation Engagements No. 16 (SSAE-16).

5. How to maintain the confidentiality, integrity, availability of an organization’s data
or digital assets for business travelers from the physical and environmental
perspective.
Other than protecting their employees while they are on the organization’s premises,
organizations have the mandate to protect their employees when they are travelling too. This
entails that organizations publish a travel policy that highlights all the requirements that will
ensure that their employees are safe. In the policy, it is often access to emergency care that is
taken care of by employers. This means that employees are provided with medical cover in
case they fall sick. To reduce crime, organizations always advise their business travelers to be
wary of their situation. A change in business itinerary helps the organization know where its
employees are at all times, hence safety. Employers must also ensure there is a means of
emergency communication, be it about unrest or weather conditions that should be avoided by the
business traveler.
Personnel privacy. Depending on the nature of the organization's operations, employers may
find it appropriate to protect the privacy of employees when they are on a business trip. This
can be done through concealment of personal information, which may include addresses and
telephone numbers. The organization may also decide to conceal the full name of the employee,
as this is regarded as part of privacy.
Secure siting. This concept entails locating a business in an environment that allows business
growth and does not threaten its operations. Practically, no site is considered threat-free, and
business location does not depend entirely on the single factor of threat. The
presence or absence of threats is nevertheless crucial, since it informs businesses' siting
decisions. There is a myriad of threats. Some are natural, for example
flooding, landslides, severe weather, high tides, earthquakes, tsunamis and volcanic eruptions,
among others. Man-made threats may include transportation, utilities, terrorism and chemical
poisonings, among other threats. Other siting factors may include the building construction and
materials, loading and offloading spaces, and shared tenant facilities.
Equipment protection. For business operations to progress, organizations have to protect their
property against damage and theft. There are several measures that can be
taken to reduce theft. One of the measures is protecting employees’ laptops and computers
through the use of cable locks to prevent theft, and the use of software, for example anti-theft
software, tracking devices and self-destruct controls. The impact of computer theft can also be
limited by the use of encryption to prevent data loss and the use of double authentication to gain
access to the computers, among other workable measures.
Organizations can also engage in activities that reduce the chances of damage to their equipment
and valuables. This generally involves deploying safeguards, for example earthquake
bracing and water detection and drainage. For fire protection, organizations ought to
deploy systems able to detect smoke, fire extinguishers, fire alarms and automatic sprinkler
systems.
Environmental controls. These are electric systems that provide the cooling, heating, electric
power and humidity control of a facility. Air conditioning that suits the workers is appropriate
for business equipment and information systems. Humidity should be in a range that is comfortable
for employees, who will then produce maximally. The electric power should be constant to enable
employees to work without alterations or disruptions from related shortcomings. The electric power
can be protected by providing a substitute power supply, an electric generator, a line conditioner
or a supply of power through batteries. Some facilities, like buildings and power supply, are
required in large volumes, which is known as redundancy of facilities.
6. How to maintain the confidentiality, integrity, availability of an organization’s data
or digital assets for Network Access Control (NAC) and the.