Design Guidelines for Cyber Security

Cybersecurity is a sector that has faced many issues over time. Organisations have often faced cyber attacks that have endangered their business. Cybersecurity is a constant concern for every entrepreneur and business leader, because many organisations have suffered major breaches that ended up crippling their business. Cybersecurity is vital, and its significant strategies are the lock that helps to keep your personal life and business safe. Design guidelines are needed in the cyber security sector to improve the security of information technology, critical infrastructure and networks that have been vulnerable in the past. A cybersecurity guideline would define both functional and assurance requirements within a process, commodity, system or technology environment (Von Solms and Van Niekerk 2013). Guidelines allow consistency among product designers and serve as a reliable metric for buying security products. Flexibility and reliability are essential qualities that a well-developed guideline should have. There is a need for design guidelines that meet user demands and at the same time are cost-efficient when producing commodities that follow the trends. However, there are current cyber trends that have helped reduce the problems in cybersecurity. There are improvements in the payment ecosystems, which have been continually changing.

Cybersecurity laws have improved; however, more development is needed, since cybersecurity is fast-moving and dynamic and outruns regulations, which are slower and clumsy. There are more design guidelines on controls and practices for businesses to integrate into their protection policies. Another trend is increased automation of security implementation for prevention, with more machine learning for detection and remediation in response. Previously, there was a shortage of experts in the cyber security industry (Fischer 2014). Most employees were not able to handle new compliance issues, such as updating software and responding quickly to breaches. Automation has been able to address the changes in compliance and software updates. Even with these trends in cybersecurity, designers have faced challenges when coming up with proper design guidelines. Cybersecurity is an arms race in which attackers and defenders struggle against each other. When new designs emerge, fraudsters are always in line to break them (AG, 2018). Designers can still offer protection against weaknesses, but challenges remain, such as supply chain vulnerability, which can allow the insertion of malicious software or hardware during the acquisition process.

Design trends intended to improve cybersecurity

Understanding the attackers

Programmers should adopt control strategies that prevent misuse of the application by malicious people, including criminal organisations, disgruntled programmers and staff, and script kiddies (OWASP, n.d.). The most dangerous attackers that designers must protect against are disgruntled programmers and teams. The main reason is that their access to complex systems is high.

Essential pillars of information security

All cybersecurity controls should be built around the vital components of information security: confidentiality, which allows access only to data for which the user is permitted; integrity, which ensures that data is not tampered with by unauthorised users; and availability, which ensures that data and systems are available when needed by authorised users.

Reduce cyberattack surface area.

The risk of security vulnerabilities increases each time a programmer adds a new feature to their application. This guideline minimises the attack surface area by restricting the functions that clients are allowed to access, to reduce potential weaknesses.

Develop secure defaults

This guideline recommends that applications should be safe by default. Having safe defaults means that a user must take specific steps to gain privileges or to do away with additional security measures (Nurse et al. 2011). Secure defaults mean there are strong security guidelines on how the registration of new users is handled, including how sophisticated passwords have to be and how often they are updated. Clients may be able to turn some features off, but the default security setting should be high.

The guideline on least privilege

This guideline provides that the client or user should have only the basic set of privileges required to perform a specific duty. It can be applied to all web and net applications, covering resource access and user rights. For instance, users that are signed up for a blog as authors should not have the privilege of removing or adding users to the blog (McKenna et al. 2015). They should only have access for posting documents or articles to the blog application. Applying this guideline begins by permitting none and seeing where the errors transpire.

The guideline on defence in depth

This guideline states that the best choice for safeguarding an application is to use several security control techniques that handle risk in diversified ways. Rather than having a single security control for user access, the design would have various controls for validation, logging tools and additional auditing tools for security purposes. An example is adopting an IP check, brute-force detection and a captcha system for logging in, instead of relying on the username only.
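The layered login described above, as an added example that is not taken from the essay or its sources. The thresholds, the denylisted address and the sample account are constructed for illustration:

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

BLOCKED_IPS = {"203.0.113.7"}   # constructed denylist entry (documentation range)
CAPTCHA_AFTER = 2               # assumed: failures before a captcha is required
LOCK_AFTER = 3                  # assumed: failures before the account is locked
WINDOW = 300                    # assumed: seconds a failure stays on record

def _hash(password):
    # Constructed salt for the demo; real systems store a random salt per user.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)

USERS = {"alice": _hash("correct horse battery")}   # constructed sample account

class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)   # username -> failure timestamps
        self.audit = []                      # layer 5: every decision is logged

    def _recent_failures(self, user):
        q, now = self.failures[user], self.clock()
        while q and now - q[0] > WINDOW:     # forget failures outside the window
            q.popleft()
        return len(q)

    def attempt(self, user, password, ip, captcha_ok=False):
        n = self._recent_failures(user)
        stored = USERS.get(user)
        if ip in BLOCKED_IPS:                          # layer 1: IP check
            result = "denied:ip"
        elif n >= LOCK_AFTER:                          # layer 2: brute-force lockout
            result = "denied:locked"
        elif n >= CAPTCHA_AFTER and not captcha_ok:    # layer 3: captcha
            result = "denied:captcha"
        elif stored and hmac.compare_digest(_hash(password), stored):  # layer 4
            self.failures[user].clear()
            result = "ok"
        else:
            self.failures[user].append(self.clock())
            result = "denied:password"
        self.audit.append((self.clock(), user, ip, result))
        return result
```

Each layer refuses for a different reason, so a correct password alone is not enough once the address is denylisted or the failure count has risen.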

Failing securely

A web application may fail due to wrong data input by the user or a failed database connection. This guideline states that the application in use should fail in a secure way. The failure should not give the user additional privileges or expose critical information such as logs or database queries. Begin by denying all access and then allow only what has been authorised.
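The blog example from the least privilege guideline combined with the deny-by-default failure behaviour described above, as an added example that is not taken from the essay or its sources. The role names, action names and the `BrokenDirectory` stand-in are hypothetical:

```python
import logging

log = logging.getLogger("blog.authz")

# Explicit allow-list per role (role and action names are hypothetical).
# Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "author": {"post:create", "post:edit_own"},
    "admin": {"post:create", "post:edit_own", "user:add", "user:remove"},
}

class BrokenDirectory:
    """Stand-in for a user store whose database connection has failed."""
    def __getitem__(self, user):
        raise ConnectionError("constructed failure: db-internal-01 refused connection")

def is_allowed(user, action, directory):
    """Deny by default: grant only when the role lookup succeeds and lists the action."""
    try:
        role = directory[user]          # unknown user -> KeyError
        return action in ROLE_PERMISSIONS.get(role, frozenset())
    except Exception:
        # Details go to the server-side log only, never into the response.
        log.exception("authorisation check failed for %r", user)
        return False

def handle(user, action, directory):
    """Return (status, body); the body never reveals why access was refused."""
    if not is_allowed(user, action, directory):
        return 403, "Forbidden"
    return 200, "OK"
```

An unknown user, an unlisted role and a failed lookup all produce the same refusal, so an error never widens access or leaks backend details.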

Keeping security simple

Designers should avoid complex architecture when creating security controls for their applications. Mechanisms or systems that are very sophisticated can lead to an increased risk of errors. If the designer pressures users to change their passwords constantly, they may simply write them down on paper and stick them to their monitors. It is essential for the developer to buy into security. The user interface to the security systems should be in an understandable form.

The principle of not trusting services

Many firms use the processing abilities of third-party firms or partners whose security strategies differ from their own. Controlling this external party is a hard task, and implied trust in the third party is not warranted (McKenna et al. 2014). For instance, a loyalty program provider supplies data that is used by internet banking, giving the number of prize points and a small list of possible redemption items. However, the data should be checked to make sure that it is safe to display to end users and that the prize points are a positive number and not implausibly large.
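The checks on the loyalty data described above, as an added example that is not taken from the essay or its sources. The JSON field names `points` and `items` and the limits are assumptions made for illustration:

```python
import html
import json

MAX_POINTS = 10_000_000   # assumed plausibility ceiling for a points balance
MAX_ITEMS = 20            # assumed cap on the "small list" of redemption items
MAX_NAME_LEN = 80         # assumed cap on one item name

class UntrustedDataError(ValueError):
    """The third-party feed failed validation and must not be displayed."""

def parse_loyalty_feed(raw):
    """Validate a partner feed and return values that are safe to render."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise UntrustedDataError("feed is not valid JSON") from exc
    if not isinstance(data, dict):
        raise UntrustedDataError("feed must be a JSON object")

    points = data.get("points")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(points, bool) or not isinstance(points, int):
        raise UntrustedDataError("points must be an integer")
    if not 0 <= points <= MAX_POINTS:
        raise UntrustedDataError("points outside the plausible range")

    items = data.get("items")
    if not isinstance(items, list) or len(items) > MAX_ITEMS:
        raise UntrustedDataError("items must be a short list")
    safe_items = []
    for item in items:
        if not isinstance(item, str) or not item.strip() or len(item) > MAX_NAME_LEN:
            raise UntrustedDataError("item names must be short, non-empty strings")
        # Escape markup so a partner-supplied name cannot inject HTML.
        safe_items.append(html.escape(item.strip()))
    return {"points": points, "items": safe_items}
```

The whole feed is rejected on the first failed check, so nothing from a malformed response reaches the banking page.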

Justifications of this user guideline and improved usability

A secure default, where there are procedures for registering new users and the login process is safeguarded through passwords, ensures that confidential information stays hidden from malicious people. A lot of sensitive information is handled by the web application, hence the need for secure defaults. Strict login procedures such as password requirements protect critical user information from hackers. Users can keep their accounts safer by choosing better words when creating their passwords. Reducing the cyber attack surface area means reducing the number of features that are accessible to the user. For instance, one may add a search feature to an application. The feature faces potential attacks from SQL injection and file inclusion attacks. The designer limits access to the search feature so that only registered clients or users can use it, thereby minimising the attack surface. This helps to ensure the user interface is protected. Multiple security controls help in detecting forced access. This follows the defence in depth guideline, where multiple security controls are used to face risks in different ways (Anon 2018). This helps to reinforce user access to the application. This guideline minimises the threat posed by malicious people accessing the web application. It helps to reduce vulnerability to hackers who may gain access to relevant information. The guideline or principle of least privilege improves usability, for instance in sandboxes that contain partly untrusted code. Keeping security simple reduces restrictions on the user. It is always essential for users to buy into the security design. A simple security design allows users to interact with the user interface with ease.

In conclusion, designers that use these guidelines or principles in cybersecurity gain many benefits. They get to prevent different attacks, ranging from internal staff to external partners. Adopting the reduce attack surface guideline helps the designer to restrict risk by not allowing the user to access the different functional features. It is difficult to have an application that is 100% free from cybersecurity threats, but adopting this trend will help minimise cybercrime.

Reference list

AG, 2018. Creating a cybersecurity policy for your business. [Online]
Available at: https://www.business.gov.au/risk-management/cyber-security/creating-a-cyber-security-policy-for-your-business
[Accessed 15 March 2019].

Anon., 2018. cybersecurity guide. [Online]
Available at: https://medium.com/west-stringfellow/cybersecurity-guide-how-to-secure-your-corporation-4f19768d0f39
[Accessed 15 March 2019].

Fischer, E.A., 2014. Cybersecurity issues and challenges: In brief.

McKenna, S., Mazur, D., Agutter, J. and Meyer, M., 2014. Design an activity framework for visualisation design. IEEE Transactions on Visualization and Computer Graphics, 20(12), pp.2191-2200.

McKenna, S., Staheli, D. and Meyer, M., 2015, October. Unlocking user-centred design methods for building cybersecurity visualizations. In 2015 IEEE Symposium on Visualization for Cyber Security (VizSec) (pp. 1-8). IEEE.

Nurse, J.R., Creese, S., Goldsmith, M. and Lamberts, K., 2011, September. Guidelines for usable cybersecurity: Past and present. In 2011 third international workshop on cyberspace safety and security (CSS) (pp. 21-26). IEEE.

OWASP, n.d. Security by Design Principle. [Online]
Available at: https://www.owasp.org/index.php/Security_by_Design_Principles
[Accessed 15 March 2019].

Von Solms, R. and Van Niekerk, J., 2013. From information security to cybersecurity. Computers & Security, 38, pp.97-102.