Part 1: List some of the principles related to secure computing.

Information security follows three overarching principles:

 Confidentiality: This means that information is only being seen or used by people who

are authorized to access it.

 Integrity: This means that any changes to the information by an unauthorized user are

impossible (or at least detected), and changes by authorized users are tracked.

 Availability: This means that the information is accessible when authorized users need it.

Principle 1: There Is No Such Thing As Absolute Security

In 2003, the art collection of the Whitworth Gallery in Manchester, England, included three

famous paintings by Van Gogh, Picasso, and Gauguin. Valued at more than $7 million, the

paintings were protected by closed-circuit television (CCTV), a series of alarm systems, and 24-

hour rolling patrols. Yet in late April 2003, thieves broke into the museum, evaded the layered

security system, and made off with the three masterpieces. Several days later, investigators

discovered the paintings in a nearby public restroom along with a note from the thieves saying,

“The intention was not to steal, only to highlight the woeful security.”

Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability

All information security measures try to address at least one of three goals:

 Protect the confidentiality of data

 Preserve the integrity of data

 Promote the availability of data for authorized use

Principle 3: Defense in Depth as Strategy

A bank would never leave its assets inside an unguarded safe alone. Typically, access to the safe

requires passing through layers of protection that might include human guards and locked doors

with special access controls. Furthermore, the room where the safe resides could be monitored by

closed-circuit television, motion sensors, and alarm systems that can quickly detect unusual

activity. The sound of an alarm might trigger the doors to automatically lock, the police to be

notified, or the room to fill with tear gas.

Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions

The primary reason identity theft, viruses, worms, and stolen passwords are so common is that

people are easily duped into giving up the secrets technologies use to secure systems. Organizers

of Info security Europe, Britain’s biggest information technology security exhibition, sent

researchers to London’s Waterloo Station to ask commuters to hand over their office computer

passwords in exchange for a free pen. Three-quarters of respondents revealed the information

immediately, and an additional 15 percent did so after some gentle probing. Study after study
like this one shows how little it takes to convince someone to give up their credentials in

exchange for trivial or worthless goods.

Principle 5: Computer Security Depends on Two Types of Requirements: Functional and

Assurance

Functional requirements describe what a system should do. Assurance requirements describe

how functional requirements should be implemented and tested. Both sets of requirements are

needed to answer the following questions:

 Does the system do the right things (behave as promised)?

 Does the system do the right things in the right way?

Principle 6: Security through Obscurity Is Not an Answer

Many people in the information security industry believe that if malicious attackers don’t know

how software is secured, security is better. Although this might seem logical, it’s actually untrue.

Security through obscurity means that hiding the details of the security mechanisms is sufficient

to secure the system alone. An example of security through obscurity might involve closely

guarding the written specifications for security functions and preventing all but the most trusted

people from seeing it. Obscuring security leads to a false sense of security, which is often more

dangerous than not addressing security at all.

Principle 7: Security = Risk Management

It’s critical to understand that spending more on securing an asset than the intrinsic value of the

asset is a waste of resources. For example, buying a $500 safe to protect $200 worth of jewelry

makes no practical sense. The same is true when protecting electronic assets. All security work is
a careful balance between the level of risk and the expected reward of expending a given amount

of resources. Security is concerned not with eliminating all threats within a system or facility, but

with eliminating known threats and minimizing losses if an attacker succeeds in exploiting

vulnerability. Risk analysis and risk management are central themes to securing information

systems. When risks are well understood, three outcomes are possible:

 The risks are mitigated (countered).

 Insurance is acquired against the losses that would occur if a system were compromised.

 The risks are accepted and the consequences are managed.

Principle 8: The Three Types of Security Controls Are Preventative, Detective, and

Responsive

Controls (such as documented processes) and countermeasures (such as firewalls) must be

implemented as one or more of these previous types, or the controls are not there for the

purposes of security. Shown in another triad, the principle of defense in depth dictates that a

security mechanism serve a purpose by preventing a compromise, detecting that a compromise or

compromise attempt is underway, or responding to a compromise while it’s happening or after it

has been discovered.

Part 2: List some of the practices related to secure computing.

 Use passwords that can't be easily guessed, and protect your passwords.

Don't share your passwords and avoid writing them down. Characteristics of good, cryptic

passwords: Contain a mixture of upper and lower case letters, numbers, and symbols At least 8

characters in length (or longer if they're less complex) Difficult to guess (e.g. don't include real
words or personal information like user name, names of family members, places, pets, birthdays,

addresses, hobbies, etc.) Easy to remember (so you don't have to write them down) Password

protect all of your devices.

 Minimize storage of sensitive information.

Delete sensitive information whenever you can. Keep it off of your workstation, laptop computer

and other electronic devices if at all possible. Don't keep sensitive information or your only copy

of critical data, projects, files, etc. on portable or mobile devices (such as laptop computers,

tablets, phones, memory sticks, CDs/DVDs, etc.) unless they are properly protected. These items

are extra vulnerable to theft or loss.

 Beware of scams: Never reveal your password or click on unknown links or

attachments.

Be careful who you share your private information with. Don't respond to email, instant

messages (IM), texts, phone calls, etc., asking you for your password. You should never disclose

your password to anyone, even if they say they work for UCSC, ITS, or other campus

organizations. Only click on links from trusted sources. Never click on an unfamiliar link unless

you have a way to independently verify that it is safe. This includes tiny URLs and any link

where you can't tell where it will take you. Don't open unsolicited or unexpected attachments. If

you can't verify an attachment is legitimate, delete it. Don't give private information to anyone

you don't know or who doesn't have a legitimate need for it -- in person, over the phone, via e-

mail, IM, text, Facebook, Twitter, etc. Beware of IRS scams and phony computer support scams.

These are usually over the phone and threaten dire consequences if you don't act immediately.

 Protect information when using the Internet and email.

Only use trusted, secure web pages when entering personal or sensitive information online. Don't

log in to web sites or online applications unless the login page is secure. Look for https (not http)

in the URL to indicate that there is a secure connection. Be especially careful about what you do

over wireless. Information and passwords sent via standard, unencrypted wireless are especially

easy for hackers to intercept (most public access wireless is unencrypted).

 Make sure your computer is protected with anti-virus and all necessary security

"patches" and updates and that you know what you need to do, if anything, to keep

them current.

Shut down or restart your computer at least weekly -- and whenever your programs tell you to in

order to install updates. This helps to make sure software and security updates are properly

installed and if you get an antivirus alert that there is malware on your computer, contact the ITS

Support Center (info below) for assistance.

 Secure laptop computers and mobile devices at all times

Lock them up or carry them with you in your office or dorm room, at coffee shops, meetings,

conferences, etc. Remember: Phones and laptops get stolen from cars, houses, and offices all the

time. Make sure it is locked to or in something permanent. Laptop lockdown cables are available

at the Bay Tree Bookstore and most computer or office supply stores.

 Don't install or download unknown or unsolicited programs/apps to your computer,

phone, or other devices.

These can harbor behind-the-scenes viruses or open a "back door" giving others access to your

devices without your knowledge.

 Secure your area before leaving it unattended.

Lock windows and doors, take keys out of drawers and doors, and never share your access code,

card or key. Be sure to lock up portable equipment and sensitive material before you leave an

area unattended.

Part 3: List some of the security features of Java.

Introduction

Today, Java is driving more than $100 billion of business annually. If we take a look at

the enterprise side, more than $2.2 billion are being spent by the enterprises in Java

application server. There is no denying that Java is used extensively for developing Java

enterprise applications reason being Security. Java brings some of the most fascinating

features or benefits that are impossible to find in any other programming languages or

platforms.

Have a look at a few arguments (security measures/features) that showcase how secure

Java platform is.

 1. Java’s security model

Java’s security model is intended to help and protect users from hostile programs

downloaded from some untrusted resource within a network through “sandbox”. It allows

all the Java programs to run inside the sandbox only and prevents many activities from

untrusted resources including reading or writing to the local disk, creating any new

process or even loading any new dynamic library while calling a native method.

2. No use of pointers

C/C++ language uses pointers, which may cause unauthorized access to memory blocks

when other programs get the pointer values. Unlike conventional C/C++ language, Java

never uses any kind of pointers. Java has its internal mechanism for memory

management. It only gives access to the data to the program if has appropriate verified

authorization.

3. Exception handling concept

The concept of exception handling enables Java to capture a series of errors that helps

developers to get rid of risk of crashing the system.

4. Defined order execution

All the primitives are defined with a predefined size and all the operations are defined in

a specific order of execution. Therefore, the code executed in different Java Virtual

Machines won’t have a different order of execution.

5. Byte code is another thing that makes Java more secure

Every time when a user compiles the Java program, the Java compiler creates a class file

with Bytecode, which are tested by the JVM at the time of program execution for viruses

and other malicious files.

6. Tested code re-usability

The Java object encapsulation provides support for the concept of “programming by

contract”. This allows the developers to re-use the code that has already been tested while

developing Java enterprise applications.

7. Access Control functionality

Java’s access-control functionality on variables and methods within the objects provide

secure program by preventing access to the critical objects from the untrusted code.

8. Protection from security attacks

It allows developers to declare classes or methods as FINAL. We all know that any class

or method declared as final can’t be overridden, which helps developers to protect code

from security attacks like creating a subclass and replacing it with the original class and

override methods.

9. Garbage collection mechanism

Garbage collection mechanism aids more to the security measures of Java. It provides a

transparent storage allocation and recovering unutilized memory rather than deal locating

memory through manual action. It will help developers to ensure the integrity o f the
program during its execution and avoids any JVM crash due to incorrect freeing of

memory.

10. Type-safe reference casting in JVM

Whenever you use an object reference, the JVM monitors you. If you try to cast a

reference to a different type, it will make the cast invalid. Apart from all these, structured

error handling contributes a lot to the security model of Java by helping to enhance the

robustness of the programs. The above arguments definitely prove that the projects

developed in Java are more secure as compared to the other programming language.

However, it is the responsibility of the developers to follow some best practices while

developing enterprise-level Java applications.

References:

https://www.cygnet-infotech.com/blog/key-features-that-make-java-more-secure-than-other-

languages

https://www.studytonight.com/java/features-of-java.php

https://security.berkeley.edu/resources/best-practices-how-to-articles/top-10-secure-computing-tips

https://its.ucsc.edu/security/top10.html#pass

https://security.calpoly.edu/content/practices/good_practices

https://www.techopedia.com/2/27825/security/the-basic-principles-of-it-security

http://www.pearsonitcertification.com/articles/article.aspx?p=2218577&seqNum=9