Stanford Foundations of Information Security XACS101 1.1 - Security Goals

Notes from section 1.1 - Security Goals of Stanford Foundations of Information Security XACS101 Course.

Security is Holistic

Hackers start with the simplest thing possible.

  1. Physical
    1. Limit access to physical spaces includes offsite Data Centers
    2. Dumpster diving - shred sensitive documents
  2. Technological
    1. Application Security e.g.:
      1. No flaws in identity verification process
      2. server configured correctly
      3. Interpret data robustly
    2. OS
    3. Network Security
      1. Mitigate malicious traffic
      2. Firewalls and Intrusion Detection Systems
    4. Policies and Procedures
      1. e.g. Phishing/Social Engineering
      2. Sneaking in tail gators
      3. Fixed through Education eg. never give out your password

Authentication - Who are you talking to


Verify Identity - Three Ways:

  1. Something you Know (Passwords)
    • One-time Passwords (OTP)
  2. Something you Have (Token)
    • Strength depends on difficult of forging
  3. Something you Are (Biometrics)
    • Palm scans for most effective
    • Has false positives and false negatives
      • false positive - authentic user rejected
      • false negative - imposter accepted
    • Key management harder i.e. you can’t issue a new finger

Three types:

  1. Server authentication - verifying cert
  2. Client authentication - logging in
  3. Mutual - both

Authorization - Has permission to conduct action

Access Control List - e.g. Unix permission model

Access Control Model:

  1. Mandatory - computer decides who can do what
  2. Discretionary (unix) - users authorized to determine access
  3. Non-Discretionary- determined by role

Bell-LaPadula Model

**2 Side Note: Biba Integrity Model

Confidentiality - keep contents secret

Data Integrity





  1. AAA - Authentication, Authorization, Accountability
  2. CIA - Confidentiality, Integrity, Availability

Further study:

  1. MACs
  2. Bell-LaPadula Model