CISSP Domain 3
Security Engineering and Management of Security
• Clif Meier
• Shawn Pearson
• Terry Seiple
Key Security Engineering Knowledge Areas
• Implement and Manage Engineering using secure design principles
• Understand the fundamental concepts of Security Models
• Selection of controls and countermeasures based upon system security evaluation models
• Understand security capabilities of information systems
• Assess and mitigate vulnerabilities of security architecture, designs and solution elements
Key Security Engineering Knowledge Areas cont.
• Assess and mitigate vulnerabilities in web-based systems
• Assess and mitigate vulnerabilities in mobile systems
• Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems
• Apply principles to site and facility design
• Design and implement physical security
• Apply Cryptography
Security Engineering at the State of MN
Secure Systems Engineering (SSE)
The goal of the Secure Systems Engineering program is to proactively design appropriate security controls into new systems or systems that are undergoing substantial redesign
• Treat security as an integral part of the overall system design
• Establish a sound security policy as the “foundation” for design
• Implement tailored system security measures to meet organizational security goals & additional threats and other risks
• Ensure developers, system engineers, and architects are trained in how to develop/implement secure software & systems
• Reduce risk to an acceptable level
[Diagram: Security Designed into New & Existing Systems, surrounded by 3rd Party Security, Application Security, Security Architecture Standards, Project Security Consulting, and Border Control Governance]
Security Architecture Standards
Artifact: Technology Solution Standard
Definition: Strategic Technology Direction. Technologies that have been endorsed for enterprise use
Examples:
• Microsoft Active Directory Certificate Services
• Comodo
• MSSQL
• Windows Server
• RedHat Enterprise
Artifact: Reference Architecture Standard
Definition: Agnostic design requirements for the implementation of particular environments, technologies, hardware or software
Examples:
• Mobile
• Certificate Services
• Wireless
• Security Zone Model
Artifact: Configuration Standard
Definition: Prescribed technical configuration parameters for the implementation of a specific technology. Could be security (hardening standards) or general operational settings
Examples:
• Exchange Active Sync
• vSphere 5.5 ESXi
• AirWatch
Application Security
• Developer Training
• Application Security Assurance Testing & Defect Management to ensure compliance with state & industry standards
• Static Code Analysis: Offline assessment of compiled or ready to deploy applications to detect security flaws in the underlying code.
• Dynamic Code Analysis: Online, malicious user simulated, assessment of a web application looking for vulnerabilities.
3rd Party Security
• Integration of security requirements into outsourced services (XaaS, Hosted)
• Perform 3rd party security assessments
• Review penetration & application security testing results
• Perform application security assessments of COTS products
• Identify risk mitigation strategies
Border Control Governance
• Review proposed changes to ensure network changes align with zone security reference architecture and other security standards
• Mitigate security risks through designing alternate secure solutions
Project Security Consulting
• Work full time on major projects, leading the development of system security plans and residual risk recommendations
• Identify security requirements based on State standards, organizational security goals, and compliance regulations
• Consult to project teams with design of secure solutions
• Security design & implementation validation review checkpoints
[Flowchart]
• Security Requirements Identification
• Design System
• SSE review design to ensure requirements are met
• Security Checkpoint: Design meets requirements / Gaps identified
• Risk Exception Process
• Document Planned Controls / exceptions in SSP
• Build Phase
• Build System
• Security validation (Security development tools, vulnerability scanning, configuration compliance, penetration test, etc.)
• Security Checkpoint: Requirements met / Gaps identified
• Risk Exception Process
• Document Implemented Controls / Exceptions in SSP
• Authorize System
Security Designed into New & Existing Systems
• Security is integrated into the SDLC
• Security check points are in place to ensure requirements are met or identified risks are managed
• Security standards, for various technologies, are published and communicated to System Engineers, Architects, and Developers
Security Information System Capabilities
Access Control and Memory Management
Essential Protection Mechanisms
Controls
– Access Control
– Secure Memory Management
– Layering - Defense in Depth/Ring Strategy
– Abstraction - Use objects and groups and request permissions
– Data Hiding - Place data in separate containers
– Process Isolation - Separate Memory Space for each process
– Hardware Segmentation - Physical hardware controls rather than logical
Essential Protection Mechanisms
Controls
– Cryptographic Protections - Protect information from different portions of system by encrypting it
– Host Firewalls and Intrusion Prevention
– Audit and Monitoring
– Virtualization Controls - Easy to fallback/Sandboxes
Security Architecture Vulnerabilities
Single Points of Failure and Client and Server Vulnerabilities
Security Vulnerabilities General
• Emanations - Metadata that is obtained through electrical, mechanical, optical or acoustical energy
• State Attacks - Taking advantage of how a system handles multiple requests
• Covert Channels - Channels that are hidden from traditional Access Control mechanisms
Secure Design
Avoiding Single Points of Failure
– Data Connectivity - Multiple SAN Connections
– Network Connectivity - Multiple Network Interfaces and Paths
– Server Clustering
– Application High Availability
– Redundant Infrastructure
Security Vulnerabilities Client-Based
• Client-Based (attack focused on client such as Java applet or ActiveX control transferred to a vulnerable browser)
• Local Cache (Temporarily stored on client for future reuse)
– ARP Cache - IP to MAC mapping (ARP Poisoning)
– DNS Cache - DNS to IP Mapping (DNS Poisoning/HOST Files/Fake DHCP Server)
– Internet File Cache (store downloaded content for remote script execution)
Security Vulnerabilities Server-Based
• Remote Access Methods
– Out of Band
– Multifactor
– Password Escrow
• Configuration Management
– Monitoring
– Patching
– Vulnerability Management
– Change Control Process
Database Security
• Aggregation (Collecting data from multiple low security level tables to create higher level value)
• Inference (Combining non-sensitive information and using deductive reasoning, for example hiring vs total salary information)
• Data Mining and Warehousing (Ensure sensitive information is stored in more secure containers)
Distributed Systems
• Client-Server Architecture
– Shared Processing
– Diverse Client Side devices (Handhelds/Laptops/Workstations)
– Need to ensure common protocols and interfaces
– Small peer-to-peer workgroups
• Grid Computing
– Sharing of CPU and other resources from multiple clients not requiring similarity in clients
– Weakness in that you can not ensure sanctity of end user device
Distributed Systems
• Cloud Computing
– On-demand computing resources such as compute/storage/network
– 5 Characteristics
    • On-Demand Self Service
    • Broad Network Access
    • Resource Pooling
    • Rapid Elasticity
    • Measured Service
– Service Models
    • Software as a Service (SAAS)
    • Platform as a Service (PAAS)
    • Infrastructure as a Service (IAAS)
Distributed Systems
Cloud Computing Deployment Models
– Private Cloud - Single Organization
– Community Cloud - Specific Community type such as Government
– Public Cloud - General Public Use such as AWS
– Hybrid Cloud - Some Combination of Above
Software and System Vulnerabilities and Threats
Software and System Vulnerability and Threats
Web-Based systems are particularly vulnerable due to their accessibility
Footprint Risk Reductions:
• Patching
• Intrusion Prevention
• Application Firewalls
• Remove administration interfaces
• Validate Input
• Vulnerability Assessments
• Remediate OWASP Top 10
Mitigate Mobile and Embedded Device Vulnerabilities
Remote Computing and Mobile Workforce
Remote Computing Security
VPNs provide a trusted backdoor into your communications infrastructure.
Risk Mitigation Options
– Verify user and device
– Segregate VPN traffic accordingly
– Inspect remote devices for controls such as AV
– Force Policy
– Institute complete incident response procedures around lost or stolen devices
Mobile Device Security
• Mobile devices often contain sensitive data such as contacts, text messages, email, and possibly notes and documents.
• Risk Mitigation Options
– Full Device Encryption
– Remote Wiping
– Lockout
– Screen Locks
– GPS Tracking
– Application Installation Controls
– Storage Segmentation
– Asset Tracking
– Disable unused features
– Enterprise Policies
Embedded Device Security
Embedded devices include network-attached printers, smart TVs, HVAC controls, smart appliances, smart thermostats
Risk Mitigation Options
– Network Segmentation of devices
– Application Firewalls
– Firmware Version Control
– Integrity and Authentication Wrappers
– Multiple Layers of Access Control
Site & Facility Design Considerations
Facility Design, Datacenter and Work Area Security
Secure Principles for Site Selection
• Target Identification (Threat Matrix)
• Physical Vulnerability Assessment
• Secure Facility Plan (Multipath Connections to utility and internet)
• Site Selection (Traffic/Hazardous Materials)
• Visibility (Crime Rates/Terrain)
• Natural Disasters (Floods/Hurricanes)
• Facility Design (Flooring/HVAC/Emergency Services)
Secure Principles for Facility Security
• Cable Plant Management (OSI Layer 1)
• Entrance Facility (Provider termination)
• Equipment Room (UPS/PBX/Cabling Racks)
• Backbone Distribution (Multi-floor closets)
• Telecommunications Room (Provides for each floor)
• Horizontal Distribution (Patch Panels/Cross Connects)
• Server Rooms (Rack Security)
Secure Principles for Data Center Security
• Elevated Physical Access Controls (Biometrics/Card Readers/Multi-factor)
• Utilities and Power
• Uninterruptible Power Supply (UPS)
• Generators
• Heating, Ventilation & Air Conditioning (HVAC)
• Air Contamination Protection (Anthrax & Airborne Threats)
Secure Principles for Data Center Security
Fire Suppression & Detection
– Wet Systems (Constant Water Supply)
– Dry Systems (Electric Valve Release)
– Pre-Action Systems (Prevent water damage)
– Deluge Systems (Same as above but sprinkler heads are always open)
– Aero-K (Multiple detectors to activate then sprays microscopic potassium compounds)
– FM-200 (Stored as liquid and dispensed as clear vapor/non toxic)
Cryptography
Usage and Implementation Types
Cryptography
Goals of Cryptography or Why Encrypt?
– Cryptographic systems are utilized to meet four fundamental goals: confidentiality, integrity, authentication, and nonrepudiation. Achieving each of these goals requires the satisfaction of a number of design requirements, and not all cryptosystems are intended to achieve all four goals.
Confidentiality
Confidentiality ensures that data remains private while at rest, such as when stored on a disk, or in transit, such as during transmission between two or more parties. This is the most widely cited goal of cryptosystems: the preservation of secrecy for stored information or for communications between individuals and groups.
Two main types of cryptosystems enforce confidentiality. Symmetric key cryptosystems use a shared secret key available to all users of the cryptosystem. Asymmetric cryptosystems use individual combinations of public and private keys for each user of the system.
Integrity
Integrity ensures that data is not altered without authorization. If integrity mechanisms are in place, the recipient of a message can be certain that the message received is identical to the message that was sent. Similarly, integrity checks can ensure that stored data was not altered between the time it was created and the time it was accessed.
Message integrity is enforced through the use of encrypted message digests, known as digital signatures or hashes that are created upon transmission of a message.
– MD5
– SHA
Authentication
Authentication verifies the claimed identity of system users.
Nonrepudiation
Nonrepudiation provides assurance to the recipient that the message was originated by the sender and not someone masquerading as the sender. It also prevents the sender from claiming that they never sent the message in the first place (also known as repudiating the message).
Early Cryptography
Caesar Cipher
– One of the earliest known cipher systems was used by Julius Caesar to communicate with Cicero in Rome while he was conquering Europe.
– The system is extremely simple. To encrypt a message, you simply shift each letter of the alphabet three places to the right. For example, A would become D, and B would become E. If you reach the end of the alphabet during this process, you simply wrap around to the beginning so that X becomes A, Y becomes B, and Z becomes C.
Cryptography in History
Enigma
– Germany developed a commercial code machine nicknamed Enigma. The machine used a series of three to six rotors to implement an extremely complicated substitution cipher. The only possible way to decrypt the message was to use a similar machine with the same rotor settings used by the transmitting device. The Allies successfully broke the Enigma code in 1940 and it is credited as the major breakthrough to winning WWII.
The Enigma Machine
Crypto Intro
• Encryption - process by which plaintext is converted to ciphertext using a key
• Decryption - process by which ciphertext is converted to plaintext (with the appropriate key)
• plaintext (cleartext)- intelligible data
Crypto Terms
• Cryptography - art/science relating to encrypting, decrypting information
• cryptanalysis - art/science relating to converting ciphertext to plaintext without the (secret) key
• end-to-end encryption - the encryption of data from source system to end system (https)
Work Function
You can measure the strength of a cryptography system by measuring the effort in terms of cost and/or time using a work function or work factor. The work function represents the time and effort required to perform a complete brute-force attack against an encryption system. Size the work function against the relative value of the protected asset. Spend no more effort to protect an asset than it warrants.
Codes vs Ciphers
People often use the words code and cipher interchangeably, but technically, they aren’t interchangeable.
– Codes are cryptographic systems of symbols that represent words or phrases, are sometimes secret, but they are not necessarily meant to provide confidentiality. For instance most people know 10-4.
– Ciphers, on the other hand, are always meant to hide the true meaning of a message.
Transposition Ciphers
Transposition ciphers use an encryption algorithm to rearrange the letters of a plaintext message, forming the ciphertext message. The decryption algorithm simply reverses the encryption transformation to retrieve the original message.
Earlier a simple transposition cipher was used to reverse the letters of the message so that apple became elppa.
Substitution Ciphers
Substitution ciphers use the encryption algorithm to replace each character or bit of the plaintext message with a different character.
The Caesar cipher is a good example of a substitution cipher. We simply shift each letter three places to the right in the message to generate the ciphertext.
Advanced Substitution Ciphers
Polyalphabetic substitution ciphers use multiple alphabets in the same message to hinder decryption efforts. One of the most notable examples of a polyalphabetic substitution cipher system is the Vigenère cipher. The Vigenère cipher uses a single encryption/decryption chart.
Vigenère Cipher
Notice that the chart is simply the alphabet written repeatedly (26 times) under the master heading, shifting by one letter each time. You need a key to use the Vigenère system. For example, the key could be secret.
1) Write out the plain text.
2) Write out the encryption key, repeating the key as many times as needed to establish a line of text that is the same length as the plain text.
3) Convert each letter position from plain text to ciphertext.
A. Locate the column headed by the first plaintext character
B. Next, locate the row headed by the first character of the key (s).
C. Finally, locate where these two items intersect, and write down the letter that appears there (s). This is the ciphertext for that letter position.
D. Repeat steps 1 through 3 for each letter in the plaintext version.
• Although polyalphabetic substitution protects against direct frequency analysis, it is vulnerable to a second-order form of frequency analysis called period analysis, which is an examination of frequency based on the repeated use of the key.
One-Time Pad (Vernam Ciphers)
A one-time pad is an extremely powerful type of substitution cipher. One-time pads use a different substitution alphabet for each letter of the plaintext message.
Benefits:
– When used properly virtually unbreakable
– No repeating pattern rendering cryptanalytic efforts useless
Requirements:
– One-Time Pad must be randomly generated using a phrase or passage from a book
– One-Time pad must be protected against disclosure or decryption is simple
• One-time pads are usually only used for short messages due to long key lengths
Reflection
Some of you may be thinking at this point that the Caesar cipher, Vigenère cipher, and one-time pad sound very similar. They are!
The only difference is the key length. The Caesar shift cipher uses a key of length one, the Vigenère cipher uses a longer key (usually a word or sentence), and the one-time pad uses a key that is as long as the message itself.
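The point made above, as runnable code (an added example, not part of the original slides): one shift routine covers the Caesar cipher, the Vigenère chart lookup and the one-time pad, and a repeat-distance check shows the period that a repeating key leaves in the ciphertext. The function names and the sample plaintext are constructed for this illustration.

```python
import secrets
from collections import defaultdict
from functools import reduce
from math import gcd

A = ord("A")
# Constructed sample: the phrase ATTACKATD recurs 12 letters apart.
SAMPLE = "ATTACK AT DAWN ATTACK AT DUSK"


def letters(text):
    """Upper-case the text and keep only A-Z, as numbers 0..25."""
    return [ord(c) - A for c in text.upper() if "A" <= c <= "Z"]


def shift_cipher(text, key, decrypt=False):
    """Add (or subtract) the repeating key to the text, letter by letter, mod 26.

    This is the chart lookup from the slide: the column is the plaintext
    letter, the row is the key letter, the intersection is the ciphertext.
    """
    k = letters(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    sign = -1 if decrypt else 1
    return "".join(
        chr((p + sign * k[i % len(k)]) % 26 + A)
        for i, p in enumerate(letters(text))
    )


def caesar(text, decrypt=False):
    """Key of length one: 'D' shifts every letter three places (A -> D)."""
    return shift_cipher(text, "D", decrypt)


def one_time_pad_key(length):
    """Key as long as the message, drawn from the OS CSPRNG, to be used once."""
    return "".join(chr(secrets.randbelow(26) + A) for _ in range(length))


def repeat_distances(ciphertext, n=3):
    """Distances between consecutive occurrences of each repeated n-letter run."""
    seen = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        seen[ciphertext[i:i + n]].append(i)
    return sorted(
        b - a
        for positions in seen.values()
        for a, b in zip(positions, positions[1:])
    )


def period_hint(ciphertext, n=3):
    """GCD of the repeat distances; 0 when nothing repeats.

    With a repeating key, a plaintext phrase that recurs at a multiple of the
    key length encrypts identically, so this value is a multiple of that length.
    """
    return reduce(gcd, repeat_distances(ciphertext, n), 0)


if __name__ == "__main__":
    print("Caesar   :", caesar("XYZ"))
    vig = shift_cipher(SAMPLE, "SECRET")
    print("Vigenere :", vig, "period hint:", period_hint(vig))
    pad = one_time_pad_key(len(letters(SAMPLE)))
    otp = shift_cipher(SAMPLE, pad)
    print("OTP      :", otp, "period hint:", period_hint(otp))
    print("OTP back :", shift_cipher(otp, pad, decrypt=True))
```

The period hint for the six-letter key comes out as 12, a multiple of the key length; a pad as long as the message has no such period to find.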
Running Key Ciphers (Book)
Many cryptographic vulnerabilities surround the limited length of the cryptographic key. One-time pads avoid these vulnerabilities by using a key that is at least as long as the message. However, one-time pads are awkward to implement because they require the physical exchange of pads.
Solution is to use a book such as Moby Dick at an agreed upon start location, say the 3rd paragraph.
Block Ciphers
• Block ciphers operate on “chunks,” or blocks, of a message and apply the encryption algorithm to an entire message block at the same time. Transposition ciphers are examples of block ciphers.
• Most modern encryption algorithms implement some type of block cipher.
Stream Ciphers
Stream ciphers operate on one character or bit of a message (or data stream) at a time.
The Caesar cipher is an example of a stream cipher. The one-time pad is also a stream cipher because the algorithm operates on each letter of the plaintext message independently.
Confusion and Diffusion
Cryptographic algorithms rely on two basic operations to obscure plaintext messages: confusion and diffusion.
• Confusion occurs when the relationship between the plain text and the key is so complicated that an attacker can’t merely continue altering the plain text and analyzing the resulting ciphertext to determine the key.
• Diffusion occurs when a change in the plain text results in multiple changes spread throughout the ciphertext.
• An algorithm that first performs a complex substitution and then uses transposition to rearrange the characters of the substituted ciphertext. In this example, the substitution introduces confusion and the transposition introduces diffusion.
Modern Cryptography
Modern cryptosystems use computationally complex algorithms and long cryptographic keys to meet the cryptographic goals of confidentiality, integrity, authentication, and nonrepudiation.
Basically 3 types of Algorithms commonly used today:
1. Symmetric Encryption
2. Asymmetric Encryption
3. Hashing Algorithms
Symmetric Key Algorithms
Symmetric key algorithms rely on a “shared secret” encryption key that is distributed to all members who participate in the communications. This key is used by all parties to both encrypt and decrypt messages, so the sender and the receiver both possess a copy of the shared key. The sender encrypts with the shared secret key and the receiver decrypts with it. When large-sized keys are used, symmetric encryption is very difficult to break.
Primarily employed to perform bulk encryption and provides only for the security service of confidentiality.
Symmetric Key Algorithm Strengths & Weaknesses
• Key distribution is a major problem.
• Symmetric key cryptography does not implement nonrepudiation.
• The algorithm is not scalable. Everyone requires a private key
• Keys must be regenerated when someone leaves
The major strength is speed at which it can operate. Symmetric key encryption is very fast, often 10,000 times faster than asymmetric algorithms.
Symmetric Key Algorithm Examples
• Data Encryption Standard (DES)
• Triple Data Encryption Standard (3DES)
• International Data Encryption Algorithm (IDEA) - Used in Phil Zimmermann's Pretty Good Privacy (PGP)
• Blowfish/Twofish - Bruce Schneier, Block Ciphers
• Skipjack - US Gov’t holds key Escrow, Not well trusted
• Advanced Encryption Standard (AES) - In October 2000, the National Institute of Standards and Technology (NIST) announced that the Rijndael (pronounced “rhine-doll”) block cipher had been chosen as the replacement for DES. In November 2001, NIST released FIPS 197, which mandated the use of AES/Rijndael for the encryption of all sensitive but unclassified data by the US government.
Asymmetric Key Algorithms
Asymmetric key algorithms, also known as public key algorithms, provide a solution to the weaknesses of symmetric key encryption.
In these systems, each user has two keys: a public key, which is shared with all users, and a private key, which is kept secret and known only to the user. Opposite and related keys must be used in tandem to encrypt and decrypt. In other words, if the public key encrypts a message, then only the corresponding private key can decrypt it, and vice versa.
Asymmetric Key Algorithm Strengths & Weaknesses
• Addition of new users requires the generation of only one public-private key pair.
• Users can be removed far more easily from asymmetric systems through key revocation
• Key regeneration is required only when a user’s private key is compromised.
• Asymmetric key encryption can provide integrity, authentication, and nonrepudiation.
• Key distribution is a simple process by publicly advertising your key
• No preexisting communication link needs to exist.
• Major weakness of public key cryptography is the slow speed of operation
Asymmetric Key Algorithm Issues
• Key distribution is a major problem.
• Symmetric key cryptography does not implement nonrepudiation.
• The algorithm is not scalable. Everyone requires a private key
• Keys must be regenerated when someone leaves
The major strength is speed at which it can operate. Symmetric key encryption is very fast, often 10,000 times faster than asymmetric algorithms.
Asymmetric Key Algorithm Examples
• RSA - Most widely used. Developed by Rivest, Shamir and Adleman
• El Gamal
• Elliptic Curve Cryptosystem (ECC)
Symmetric vs Asymmetric Algorithms
Hashing Algorithms
Message digests are summaries of a message’s content produced by a hashing algorithm.
Requirements of a hash function
1. Allow input of any length
2. Provide fixed-length output
3. Easy to compute hash function for any input
4. One-way Functionality (Non-reversible)
5. Collision Free - When 2 distinct pieces of data have the same hash value or checksum
Hash Standard
Public Key Infrastructure (PKI)
The major strength of public key encryption is its ability to facilitate communication between parties previously unknown to each other. This is made possible by the public key infrastructure (PKI) hierarchy of trust relationships. These trusts permit combining asymmetric cryptography with symmetric cryptography along with hashing and digital certificates, giving us hybrid cryptography.
Certificates
Digital certificates provide communicating parties with the assurance that the people they are communicating with truly are who they claim to be. Digital certificates are essentially endorsed copies of an individual’s public key. When users verify that a certificate was signed by a trusted certificate authority (CA), they know that the public key is legitimate. Digital certificates contain specific identifying information, and their construction is governed by an international standard: X.509.
Certificate Authorities
Certificate authorities (CAs) are the glue that binds the public key infrastructure together. These neutral organizations offer notarization services for digital certificates. To obtain a digital certificate from a reputable CA, you must prove your identity to the satisfaction of the CA.
• Symantec
• Thawte
• GeoTrust
• Comodo
• GoDaddy
Certificate Generation & Destruction
1. Enrollment
2. Verification
3. Revocation
– The certificate was compromised (End user gives away private key)
– The certificate was erroneously issued (Verification not done correctly)
– Certificate Details have Changed
– Security Association Changed
– If a certificate is revoked it will be published on a certificate revocation list (CRL)
Some Applications of Cryptography
1. Portable Devices- Devices can have full disk encryption (FDE) which ensures if lost or stolen data is protected.
2. S/MIME Encrypted Email-Encrypt to provide confidentiality and hash the message for integrity
3. Web Applications- Utilize PKI/certificates to encrypt traffic
Steganography
Steganography is the art of using cryptographic techniques to embed secret messages within another message.
Example would be to embed a secret message in an illustration or web page.
Digital Watermarks are also an example of steganography. The hidden information is known only to the file’s creator. If someone later creates an unauthorized copy of the content, the watermark can be used to determine the validity of the content.
Digital Rights Management (DRM)
Digital rights management (DRM) software uses encryption to enforce copyright restrictions on digital media.
• Music• Movies• Video Games• Documents
Securing Networks
Two Types:
• Link Encryption- Protects the entire communications circuit
• End-to-End - Protects path between two parties such as a client and server
Encryption done at the lower OSI layers is usually link encryption. Encryption at higher OSI layers, such as the application layer, is usually end-to-end.
Cryptographic Attacks
• Analytic Attack- An algebraic manipulation that attempts to reduce the complexity of the algorithm. Analytic attacks focus on the logic of the algorithm itself.
• Implementation Attack- Exploits weaknesses in the implementation of a cryptography system.
• Statistical Attack- A statistical attack exploits statistical weaknesses in a cryptosystem, such as floating-point errors and inability to produce truly random numbers.
• Brute Force- These attacks are quite straightforward. It simply attempts every possible valid combination for a key or password.
Cryptographic Attacks
• Frequency Analysis- Using the knowledge that the letters E, T, O, A, I, and N are the most common in the English language, you can then test several hypotheses to solve.
• Known Plaintext-In the known plaintext attack, the attacker has a copy of the encrypted message along with the plaintext message used to generate the ciphertext (the copy).
• Chosen Plaintext- In a chosen plaintext attack, the attacker has the ability to encrypt plaintext messages of their choosing and can then analyze the ciphertext output of the encryption algorithm.
Cryptographic Attacks
• Man in the Middle- In the man-in-the-middle attack, a malicious individual sits between two communicating parties and intercepts all communications (including the setup of the cryptographic session).
• Replay- In this attack, the malicious individual intercepts an encrypted message between two parties (often a request for authentication) and then later “replays” the captured message to open a new session. This attack can be defeated by incorporating a time stamp and expiration period into each message.
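The defence named in the Replay bullet, sketched as an added example (not from the original slides): each message carries an issue time and an expiry under an HMAC, and the receiver rejects anything altered or expired. The nonce cache, which also rejects a replay inside the validity window, goes beyond the slide; the key, field names and timings are constructed.

```python
import hashlib
import hmac
import json
import secrets


def seal(key, body, now, ttl=30):
    """Sender side: bind body, issue time, expiry and a nonce under one HMAC."""
    fields = {
        "body": body,
        "iat": now,                      # time stamp
        "exp": now + ttl,                # expiration period
        "nonce": secrets.token_hex(8),   # unique per message
    }
    payload = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload, tag


class Verifier:
    """Receiver side: authenticate first, then check freshness, then uniqueness."""

    def __init__(self, key, skew=5):
        self.key = key
        self.skew = skew   # tolerated clock difference, in seconds
        self.seen = {}     # nonce -> expiry, kept only while the message is valid

    def accept(self, payload, tag, now):
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"           # altered message or wrong key
        msg = json.loads(payload)
        if now > msg["exp"]:
            return "expired"           # captured message replayed too late
        if msg["iat"] > now + self.skew:
            return "not-yet-valid"     # time stamp from the future
        # Forget nonces whose messages have expired; they fail the check above.
        self.seen = {n: e for n, e in self.seen.items() if e >= now}
        if msg["nonce"] in self.seen:
            return "replayed"          # same message again, inside the window
        self.seen[msg["nonce"]] = msg["exp"]
        return "ok"


def demo():
    """Constructed scenario: one authentication request, then three replays."""
    key = b"constructed-demo-key"
    payload, tag = seal(key, "login alice", now=1000)
    receiver = Verifier(key)
    return [
        receiver.accept(payload, tag, now=1010),   # first delivery
        receiver.accept(payload, tag, now=1015),   # replay inside the window
        receiver.accept(payload, tag, now=1031),   # replay after expiry
        receiver.accept(payload.replace(b"1030", b"9999"), tag, now=1031),
    ]


if __name__ == "__main__":
    print(demo())
```

Because the expiry is covered by the HMAC, rewriting it to extend the window fails authentication rather than reviving the message.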
Fundamental Concepts of Security Models
Security Engineering Lifecycle
Security Model Concepts
• Security Architect must translate business requirements into secure technology solutions by providing controls to protect standard system components
• Common System Components
– Processors
– Memory & Storage
    • Primary Storage (RAM)
    • Secondary Storage (Fixed Disks)
    • Virtual Memory (Swap Files)
    • Firmware (ROM)
– Peripherals and I/O Devices
– Operating Systems
Enterprise Security Architecture
• Objectives and Goals
– Long-term Vision
– Unified Vision
– Leverage Existing Investments
– Provide flexible approach that integrates Enterprise vision with current architectures to provide appropriate safeguards and countermeasures
Enterprise Security Architecture
Common Security Services
– Boundary Control Services
– Access Control Services
    • Identification
    • Authentication
    • Authorization
– Integrity Services (AV/Content Filtering/IPS)
– Cryptographic Services (Encryption/PKI)
– Audit and Monitoring Services (SIEM and logging capabilities)
Security Zones of Control
– Grouping systems of similar functionality and security risk
Fundamental Concepts of Security Models
• An information system’s architecture must satisfy the defined business and security requirements.
• Security should be built into an information system by design.
• When designing system architecture, security and business requirements need to be carefully balanced.
• Tradeoffs are involved in reaching a balance between security and business requirements.
Fundamental Concepts of Security Models
• The security requirements of an information system are driven by the security policy of the organization that will use the system.
• To incorporate the abstract goals of a security policy into an information system’s architecture, you will need to use security models.
• A security model lays out the framework and mathematical models that act as security-related specifications for a system architecture.
• The system architecture, in turn, is the overall design of the components - such as hardware, operating systems, applications, and networks - of an information system. This design should meet the specifications provided by the security model.
Fundamental Concepts of Security Models
The architecture of an information system includes various components:
– Enterprise architecture that is a representation of the mode of operation of an enterprise. This mode of operation needs to be derived systematically.
– Network architecture that describes how various entities in a network communicate with each other. It also defines if a system is an open system or a closed system.
– Platform architecture that describes how a system optimally uses system resources, such as storage devices, input/output (I/O) devices, memory management, CPU states, operating system, and various utilities.
– Protection mechanisms refer to the mechanisms needed to protect the system and ensure that all the objects in the system are separated.
– Security models refer to methods to integrate security into a system’s architecture. Some common security models are Bell-LaPadula, Biba, and Clark-Wilson
96
Security architecture is part of the overall architecture of an information system. It directs how the components included in the system architecture should be organized to ensure that security requirements are met. The security architecture of an information system should include:
– A description of the locations in the overall architecture where security measures should be placed.
– A description of how various components of the architecture should interact to ensure security.
– The security specifications to be followed when designing and developing the system.
Computer Architecture
Computer architecture comprises all the parts in a computer system that are necessary for it to function. Such parts include the operating system, memory chips, logic circuits, storage devices, I/O devices, security components, buses, and networking components.
• The Central Processing Unit (CPU) processes the instructions provided by the various applications/programs. To do this, the CPU needs to access such instructions from their memory locations.
• The CPU can access the memory locations in its cache, along with memory locations in the random access memory (RAM). These types of memory are called primary memory.
• The major components:
– The Arithmetic Logic Unit (ALU)
– Control Unit (coordinates instruction execution)
– Registers that act as temporary memory locations and store the memory addresses of the instructions and data that need processing by the CPU.
Computer Architecture
• Program: An application
• Process: A program loaded into memory
• Thread: Each individual instruction within a process
• Multiprogramming: no true isolation
• Multiprocessing: more than one CPU
• Multithreading: in the past multiple CPUs were needed. Today multi-core processors provide this.
• Operating System Architecture
• Process Activity
• Memory Management
• Memory Types: RAM, ROM, etc.
• Virtual Memory
• CPU Modes & Protection Rings
CPU Modes & Protection Rings
• Protection rings provide a security mechanism for an operating system by creating boundaries between the various processes operating on a system. They also ensure that processes do not affect each other or harm critical system components.
• Ring 0 – Operating system kernel (supervisor/privileged mode)
• Ring 1 – Remaining parts of the operating system (OS)
• Ring 2 – Operating system and I/O drivers and OS utilities
• Ring 3 – Applications (programs) and user activity
Recognizing access permissions
• Let us evaluate the access control mechanism provided by the protection rings:
– Suppose a subject is located in ring 3. Which of the ring levels can this subject access?
» A subject located in ring 3 can directly access objects in its own ring.
» Most applications running on a system operate from ring 3, which has the least access to system components.
» In contrast, a subject in a lower-numbered ring can directly access objects in higher-numbered rings.
– Suppose an application located in ring 3 directly sends an instruction to the CPU. What would be the result of this instruction (choose one)?
» A. The CPU executes the instruction.
» B. The CPU raises an exception error.
» C. The operating system uses a system call to handle the instruction.
• Answer: B. If an application located in ring 3 sends an instruction directly to the CPU, the CPU raises an exception error!
• When an application needs to perform an operation that requires access to the CPU, which is only accessible from ring 0, the application needs to send a request to the OS. The OS then executes the instruction on behalf of the application by using system calls.
Protection Mechanisms
• Domains
• Layering & Data Hiding
• Virtual Machines
– A virtual machine is a simulated real machine environment created to simultaneously run multiple applications on a computer.
• Additional Storage Devices
• Input/Output Device Management
System Architecture
• Defined Subset of Subjects and Objects
• Trusted Computing Base (TCB)
– Originated from the Orange Book and deals with the protection mechanisms within a computer. It addresses hardware, software, and firmware.
• Security Perimeter
– It delineates the trusted and the untrusted components within a computer system.
• Reference Monitor
– The reference monitor is an abstract machine concept that mediates all access between subjects and objects.
• Security Kernel
– The security kernel enforces the reference monitor concept.
» Must facilitate isolation of processes.
» Must be invoked at every access attempt.
» Must be small enough to be tested and verified in a comprehensive manner.
• Security Policy – a set of rules on how resources are managed within a computer system.
• Least Privilege – one process has no more privileges than it needs.
Security Evaluation Models
Formal Security Design Models
Security Models
• The function of a security model is to:
– Map the abstract goals of a security policy to an information system.
– Specify mathematical formulae and data structures for implementing security policy goals.
• While a security policy states goals without specifying how to accomplish them, a security model specifies a framework to implement these goals.
• An organization can use different types of security models. However, it is very important for security personnel to understand the different security models to protect the organization’s resources.
• For example, the security model that a military organization uses is quite different from that of a commercial entity, due to the variations in the types of data.
• A security model can be formal when it is based on a pure mathematical implementation of security policies and assures high security, for example in military systems, air controller systems, etc.
• A security model is informal when it merely describes how to express and execute security policies.
Security Models
• State Machine Models
• **The Bell-LaPadula Model
• **The Biba Model
• The Clark-Wilson Model
• The Brewer & Nash Model
• The Information Flow Model
• The Non-Interference Model
• The Lattice Model
Security Models
• State Machine Models
– The state of a system is its snapshot at any one particular moment. The state machine model describes subjects, objects, and sequences in a system. The focus of this model is to capture the system’s state and ensure its security.
– When an object accepts input, the value of the state variable is modified. For a subject to access this object or modify the object value, the subject should have appropriate access rights.
– State transitions refer to activities that alter a system’s state.
Confidentiality models (Bell & LaPadula)
– Developed by David Elliott Bell and Len LaPadula
– This model focuses on data confidentiality and access to classified information.
– A formal model developed for the DoD multilevel security policy
– This formal model divides entities in an information system into subjects and objects.
– The model is built on the concept of a state machine with different allowable states (i.e., secure state)
Bell & LaPadula Confidentiality Model
Has 3 rules:
– Simple Security Property – “no read up”
• A subject cannot read data from a security level higher than the subject’s security level.
– * Security Property – “no write down”
• A subject cannot write data to a security level lower than the subject’s security level.
– Strong * Property – “no read/write up or down”
• A subject with read/write privilege can perform read/write functions only at the subject’s security level.
Integrity models (e.g., Biba, Clark and Wilson)
Biba Integrity Model
– Developed by Kenneth J. Biba in 1977, based on a set of access control rules designed to ensure data integrity
– No subject can depend on an object of lesser integrity
– Based on a hierarchical lattice of integrity levels
– Authorized users must perform correct and safe procedures to protect data integrity
Biba Integrity Model
The rules:
– Simple integrity axiom – “no read down” – A subject cannot read data from an object of lower integrity level.
– * Integrity axiom – “no write up” – A subject cannot write data to an object at a higher integrity level.
– Invocation property – A subject cannot invoke (call upon) subjects at a higher integrity level.
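The Bell-LaPadula and Biba rules listed above can be checked side by side by one reference-monitor style function. This is an added example, not part of the original slides; the level names, the Label class, the operation names and the sample subject and targets are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed level names for this example; a higher number is a higher level.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass(frozen=True)
class Label:
    confidentiality: str  # Bell-LaPadula security level (a key of LEVELS)
    integrity: int        # Biba integrity level (higher = more trustworthy)

def violations(subject, target, op):
    """Return the rules that forbid `op`; an empty list means access is allowed."""
    if op not in ("read", "write", "readwrite", "invoke"):
        raise ValueError(f"unknown operation: {op}")
    sc, tc = LEVELS[subject.confidentiality], LEVELS[target.confidentiality]
    si, ti = subject.integrity, target.integrity
    broken = []
    if op == "read" and sc < tc:
        broken.append("BLP simple security property: no read up")
    if op == "write" and sc > tc:
        broken.append("BLP * property: no write down")
    if op == "readwrite" and sc != tc:
        broken.append("BLP strong * property: own level only")
    if op in ("read", "readwrite") and si > ti:
        broken.append("Biba simple integrity axiom: no read down")
    if op in ("write", "readwrite") and si < ti:
        broken.append("Biba * integrity axiom: no write up")
    if op == "invoke" and si < ti:
        broken.append("Biba invocation property: no invoking higher integrity")
    return broken

if __name__ == "__main__":
    analyst = Label("secret", 2)  # constructed subject and targets
    for name, target, op in [
        ("plan", Label("top_secret", 2), "read"),
        ("plan", Label("top_secret", 2), "write"),
        ("press release", Label("unclassified", 2), "write"),
        ("web scrape", Label("secret", 1), "read"),
        ("signing service", Label("secret", 3), "invoke"),
    ]:
        print(f"{op:9} {name:16} -> {violations(analyst, target, op) or 'allowed'}")
```

Note that writing up is allowed by Bell-LaPadula and reading up is allowed by Biba, so a system that enforces both on the same ordering leaves only same-level access.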
Commercial Models
Integrity models – Clark-Wilson Model
Model characteristics:
Clark-Wilson enforces well-formed transactions through the use of the access triple:
– User
– Transformation Procedure
– CDI (Constrained Data Item)
Deals with all three integrity goals
SEPARATION of DUTIES
– Prevents unauthorized users from making modifications
– Prevents authorized users from making improper modifications
– Maintains internal and external consistency – reinforces separation of duties
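The access triple and the three integrity goals above, as an added example that is not part of the original slides. The user names, the two transformation procedures (request_debit, approve_debit), the "ledger" CDI and the non-negative invariant are all assumptions made for illustration.

```python
import itertools

class ClarkWilsonMonitor:
    """Users may change a CDI only through a TP named in an access triple."""
    def __init__(self, cdis, triples, invariant):
        self.cdis = dict(cdis)        # CDI name -> current value
        self.triples = set(triples)   # permitted (user, TP name, CDI name)
        self.invariant = invariant    # consistency check on each new CDI value
        self.pending = {}             # request id -> (requester, CDI, amount)
        self._ids = itertools.count(1)

    def _require(self, user, tp, cdi):
        if (user, tp, cdi) not in self.triples:
            raise PermissionError(f"no access triple ({user}, {tp}, {cdi})")

    def request_debit(self, user, cdi, amount):   # TP 1: records a request only
        self._require(user, "request_debit", cdi)
        req_id = next(self._ids)
        self.pending[req_id] = (user, cdi, amount)
        return req_id

    def approve_debit(self, user, req_id):        # TP 2: applies the request
        requester, cdi, amount = self.pending[req_id]
        self._require(user, "approve_debit", cdi)
        if user == requester:
            raise PermissionError("separation of duties: requester cannot approve")
        new_value = self.cdis[cdi] - amount
        if not self.invariant(new_value):
            raise ValueError("improper modification: CDI would be inconsistent")
        self.cdis[cdi] = new_value
        del self.pending[req_id]
        return new_value

def outcome(call, *args):
    """Return the call's result, or the name of the exception that blocked it."""
    try:
        return call(*args)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__

# Constructed data: one CDI that must never go negative, and three triples.
TRIPLES = {("alice", "request_debit", "ledger"),
           ("alice", "approve_debit", "ledger"), ("bob", "approve_debit", "ledger")}

if __name__ == "__main__":
    m = ClarkWilsonMonitor({"ledger": 100}, TRIPLES, lambda value: value >= 0)
    for call, args in [(m.request_debit, ("alice", "ledger", 30)),
                       (m.approve_debit, ("alice", 1)), (m.approve_debit, ("bob", 1))]:
        print(call.__name__, args, "->", outcome(call, *args))
```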
Commercial Models – cont’d
Brewer-Nash Model – a.k.a. Chinese Wall
Developed to combat conflict of interest in databases housing competitor information
– Published in 1989 to ensure fair competition
– Defines a wall and a set of rules to ensure that no subject accesses objects on the other side of the wall
– A way of separating competitors’ data within the same integrated database
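The wall described above is dynamic: it is raised by a subject's own access history. The following added example (not part of the original slides) models read access only; the company names, the grouping of competitors into conflict classes and the subject names are constructed for illustration.

```python
# Constructed data: company names and their conflict-of-interest groupings.
CONFLICT_CLASSES = {
    "banking": {"BankA", "BankB"},
    "energy": {"OilCo1", "OilCo2"},
}

class ChineseWall:
    """Access decisions depend on what each subject has already accessed."""

    def __init__(self, conflict_classes):
        # Map each company to the conflict class it belongs to.
        self.class_of = {company: name
                         for name, members in conflict_classes.items()
                         for company in members}
        self.history = {}  # subject -> {conflict class: company on their side}

    def can_access(self, subject, company):
        chosen = self.history.get(subject, {}).get(self.class_of[company])
        # Free choice until the subject touches one competitor in the class.
        return chosen is None or chosen == company

    def access(self, subject, company):
        """Grant or deny access; a granted access raises the wall."""
        if not self.can_access(subject, company):
            return False
        self.history.setdefault(subject, {})[self.class_of[company]] = company
        return True

    def walled_off(self, subject):
        """Companies this subject can no longer reach."""
        return {c for c in self.class_of if not self.can_access(subject, c)}

if __name__ == "__main__":
    wall = ChineseWall(CONFLICT_CLASSES)
    for company in ["BankA", "OilCo2", "BankB", "BankA"]:
        print("consultant ->", company, wall.access("consultant", company))
    print("walled off:", sorted(wall.walled_off("consultant")))
```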
Information flow model
Model characteristics:
– Holds data in distinct compartments
– Data is compartmentalized based on classification and the need to know
– Model seeks to eliminate covert channels
– Model ensures that information always flows from a low security level to a higher security level and from a high integrity level to a low integrity level.
– Whatever component directly affects the flow of information must dominate all components involved with the flow of information
Non-interference Model
Model characteristics:
– Model ensures that actions at a higher security level do not interfere with the actions at a lower security level.
– The goal of this model is to protect the state of an entity at the lower security level from actions at the higher security level so that data does not pass through covert or timing channels.
Lattice Model
Model characteristics:
– Model consists of a set of objects constrained between the least upper bound and the greatest lower bound values.
– The least upper bound is the value that defines the least level of object access rights granted to a subject.
– The greatest lower bound is the value that defines the maximum level of object access rights granted to a subject.
– The goal of this model is to protect the confidentiality of an object and only allow access by an authorized subject.
Security Modes of Operation
• Dedicated Security Mode
– Where all users have a clearance for, and a formal need to know about, all data processed within a system.
• System High-Security Mode
– Where all users have security clearance to access information but not necessarily a need to know all the information processed on a system.
• Compartmented Security Mode
– Where all users have security clearance to access all the information processed on a system in a high security mode, but not the need to know or formal access approval.
• Multilevel Security Mode
– Where the system permits two or more classification levels of information to be processed at the same time when not all users have the clearance or approval to access the info being processed. All users must have the right approval to access what they need to perform their duties.
• Trust & Assurance
– Trust levels tell a customer how much protection is being offered. This leads to the expectation of assurance that the system will act in a predictable manner.
Why Evaluate?
– To carefully examine the security-related components of a system
– Trust vs. Assurance
• The Orange Book (TCSEC)
• The Orange Book & the Rainbow Series
• ITSEC (Information Technology Security Evaluation Criteria)
• Common Criteria
Trusted Computer Security Evaluation Criteria (TCSEC)
• Developed by the National Computer Security Center (NCSC)
• Also known as the Orange Book
• Based on the Bell-LaPadula model (deals with only confidentiality)
• Uses a hierarchically ordered series of evaluation classes
– A1 – Verified Protection
– B1, B2, B3 – Mandatory Protection
– C1, C2 – Discretionary Protection
– D – Minimal Security
Information Tech Security Evaluation Criteria (ITSEC)
– Created by some European nations in 1991 as a standard to evaluate security attributes of computer systems
– Evaluates functionality and assurance separately
– F1 to F10 rates for functionality
– E0 to E6 for assurance
Common Criteria (CC)
– ISO (15408) Standard created in 1993 for global security evaluation
– Made up from TCSEC, ITSEC, and the Canadian version
Components
Protection profile: a set of security requirements and objectives for the system
– A Protection Profile consists of:
• Descriptive elements – contain the name of the profile and the description of the security problem to be solved.
• Rationale – justifies the profile and provides a detailed description of the real-world problems that need to be solved.
• Functional requirements – establish a protection boundary that the product must provide.
• Development assurance requirements – identify the requirements for the various development phases of the product.
• Evaluation assurance requirements – establish the type and intensity of the evaluation.
Common Criteria (CC)
– Target of evaluation
– Security target
– Evaluation packages
Common Criteria (CC) Ratings
Rated as Evaluation Assurance Level (EAL) 1 through 7
1. EAL 1 – Functionally tested
2. EAL 2 – Structurally tested
3. EAL 3 – Methodically tested and checked
4. EAL 4 – Methodically designed, tested, and reviewed
5. EAL 5 – Semi-formally designed and tested
6. EAL 6 – Semi-formally verified designed and tested
7. EAL 7 – Formally verified designed and tested
• Elements of System Architecture
• Protection Mechanisms
• Security Kernel and Reference Model
• Security Models
• Evaluation Criteria