CISSP Domain 3 Security Engineering and Management of Security Clif Meier Shawn Pearson Terry Seiple

Source: mnissa.org/wp-content/uploads/2016/05/CISSP_Domain… · 2017-03-04


Page 1

CISSP Domain 3: Security Engineering and Management of Security

• Clif Meier
• Shawn Pearson
• Terry Seiple

Page 2

Key Security Engineering Knowledge Areas

• Implement and manage engineering using secure design principles
• Understand the fundamental concepts of security models
• Selection of controls and countermeasures based upon system security evaluation models
• Understand security capabilities of information systems
• Assess and mitigate vulnerabilities of security architecture, designs and solution elements

Page 3

Key Security Engineering Knowledge Areas cont.

• Assess and mitigate vulnerabilities in web-based systems
• Assess and mitigate vulnerabilities in mobile systems
• Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems
• Apply principles to site and facility design
• Design and implement physical security
• Apply cryptography

Page 4

Security Engineering at the State of MN

Secure Systems Engineering (SSE)

Page 5

The goal of the Secure Systems Engineering program is to proactively design appropriate security controls into new systems or systems that are undergoing substantial redesign.

Page 6

• Treat security as an integral part of the overall system design
• Establish a sound security policy as the “foundation” for design
• Implement tailored system security measures to meet organizational security goals & additional threats and other risks
• Ensure developers, system engineers, and architects are trained in how to develop/implement secure software & systems
• Reduce risk to an acceptable level

Page 7

Security Designed into New & Existing Systems (program areas shown in the diagram):

• 3rd Party Security
• Application Security
• Security Architecture Standards
• Project Security Consulting
• Border Control Governance

Page 8: CISSP Domain 3 Security Engineering and Management of Securitymnissa.org/wp-content/uploads/2016/05/CISSP_Domain… ·  · 2017-03-04CISSP Domain 3 Security Engineering and Management

Artifact. Definition Examples

Technology Solution Standard

Strategic Technology Direction. Technologies that have been endorsed for enterprise use

• Microsoft Active Directory Certificate Services

• Comodo• MSSQL• Windows Server• RedHat Enterprise

Reference Architecture Standard

Agnostic design requirements for the implementation of particular environments, technologies, hardware or software

• Mobile• Certificate Services • Wireless• Security Zone Model

Configuration Standard Prescribed technical configuration parameters for the implementation of a specific technology.

Could be security (hardening standards) or general operational settings

• Exchange Active Sync• vSphere 5.5 ESXi• AirWatch

Security Architecture Standards

Page 12

Application Security

• Developer Training
• Application Security Assurance Testing & Defect Management to ensure compliance with state & industry standards
• Static Code Analysis: offline assessment of compiled or ready-to-deploy applications to detect security flaws in the underlying code.
• Dynamic Code Analysis: online, malicious-user-simulated assessment of a web application looking for vulnerabilities.

Page 13

3rd Party Security

• Integration of security requirements into outsourced services (XaaS, Hosted)
• Perform 3rd party security assessments
• Review penetration & application security testing results
• Perform application security assessments of COTS products
• Identify risk mitigation strategies

Page 14

Border Control Governance

• Review proposed changes to ensure network changes align with the zone security reference architecture and other security standards
• Mitigate security risks through designing alternate secure solutions

Page 15

Project Security Consulting

• Work full time on major projects, leading the development of system security plans and residual risk recommendations
• Identify security requirements based on State standards, organizational security goals, and compliance regulations
• Consult to project teams with design of secure solutions
• Security design & implementation validation review checkpoints

Page 16

Design-phase flow (diagram labels):

• Security Requirements Identification
• Design System
• SSE review design to ensure requirements are met
• Security Checkpoint: design meets requirements, or gaps identified → Risk Exception Process
• Document planned controls / exceptions in SSP
• Build Phase

Page 17

Build-phase flow (diagram labels):

• Build System
• Security validation (security development tools, vulnerability scanning, configuration compliance, penetration test, etc.)
• Security Checkpoint: requirements met, or gaps identified → Risk Exception Process
• Document implemented controls / exceptions in SSP
• Authorize System

Page 18

Security Designed into New & Existing Systems (program areas shown in the diagram):

• 3rd Party Security
• Application Security
• Security Architecture Standards
• Project Security Consulting
• Border Control Governance

Page 19

Security Designed into New & Existing Systems

• Security is integrated into the SDLC
• Security checkpoints are in place to ensure requirements are met or identified risks are managed
• Security standards, for various technologies, are published and communicated to System Engineers, Architects, and Developers

Page 20

Security Information System Capabilities

Access Control and Memory Management

Page 21

Essential Protection Mechanisms

Controls
– Access Control
– Secure Memory Management
– Layering: Defense in Depth / Ring Strategy
– Abstraction: use objects and groups and request permissions
– Data Hiding: place data in separate containers
– Process Isolation: separate memory space for each process
– Hardware Segmentation: physical hardware controls rather than logical

Page 22

Essential Protection Mechanisms

Controls
– Cryptographic Protections: protect information from different portions of the system by encrypting it
– Host Firewalls and Intrusion Prevention
– Audit and Monitoring
– Virtualization Controls: easy to fall back / sandboxes

Page 23

Security Architecture Vulnerabilities

Single Points of Failure and Client and Server Vulnerabilities

Page 24

Security Vulnerabilities General

• Emanations -Metadata that is obtained through electrical, mechanical, optical or acoustical energy

• State Attacks -Taking advantage of how a system handles multiple requests

• Covert Channels -Channels that are hidden from traditional Access Control mechanisms

Page 25

Secure Design

Avoiding Single Points of Failure
– Data Connectivity: multiple SAN connections
– Network Connectivity: multiple network interfaces and paths
– Server Clustering
– Application High Availability
– Redundant Infrastructure

Page 26

Security Vulnerabilities: Client-Based

• Client-Based (attack focused on the client, such as a Java applet or ActiveX control transferred to a vulnerable browser)
• Local Cache (temporarily stored on the client for future reuse)
– ARP Cache: IP to MAC mapping (ARP Poisoning)
– DNS Cache: DNS to IP mapping (DNS Poisoning / HOSTS files / fake DHCP server)
– Internet File Cache (stores downloaded content for remote script execution)

Page 27

Security Vulnerabilities: Server-Based

• Remote Access Methods
– Out of Band
– Multifactor
– Password Escrow
• Configuration Management
– Monitoring
– Patching
– Vulnerability Management
– Change Control Process

Page 28

Database Security

• Aggregation (collecting data from multiple low-security-level tables to create a higher-level value)
• Inference (combining non-sensitive information and using deductive reasoning; for example, hiring data vs. total salary information)
• Data Mining and Warehousing (ensure sensitive information is stored in more secure containers)

Page 29

Distributed Systems

• Client-Server Architecture
– Shared processing
– Diverse client-side devices (handhelds / laptops / workstations)
– Need to ensure common protocols and interfaces
– Small peer-to-peer workgroups
• Grid Computing
– Sharing of CPU and other resources from multiple clients, not requiring similarity in clients
– Weakness: you cannot ensure the sanctity of the end-user device

Page 30

Distributed Systems

• Cloud Computing
– On-demand computing resources such as compute / storage / network
– 5 Characteristics
  • On-Demand Self Service
  • Broad Network Access
  • Resource Pooling
  • Rapid Elasticity
  • Measured Service
– Service Models
  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)

Page 31

Distributed Systems

Cloud Computing Deployment Models
– Private Cloud: single organization
– Community Cloud: specific community type such as government
– Public Cloud: general public use such as AWS
– Hybrid Cloud: some combination of the above

Page 32

Software and System Vulnerabilities and Threats

Page 33

Software and System Vulnerabilities and Threats

Web-based systems are particularly vulnerable due to their accessibility.

Footprint Risk Reductions:
• Patching
• Intrusion Prevention
• Application Firewalls
• Remove administration interfaces
• Validate Input
• Vulnerability Assessments
• Remediate OWASP Top 10

Page 34

Mitigate Mobile and Embedded Device Vulnerabilities

Remote Computing and Mobile Workforce

Page 35

Remote Computing Security

VPNs provide a trusted backdoor into your communications infrastructure.

Risk Mitigation Options
– Verify user and device
– Segregate VPN traffic accordingly
– Inspect remote devices for controls such as AV
– Force policy
– Institute complete incident response procedures around lost or stolen devices

Page 36

Mobile Device Security

• Mobile devices often contain sensitive data such as contacts, text messages, email, and possibly notes and documents.
• Risk Mitigation Options
– Full Device Encryption
– Remote Wiping
– Lockout
– Screen Locks
– GPS Tracking
– Application Installation Controls
– Storage Segmentation
– Asset Tracking
– Disable unused features
– Enterprise Policies

Page 37

Embedded Device Security

Embedded devices include network-attached printers, smart TVs, HVAC controls, smart appliances, and smart thermostats.

Risk Mitigation Options
– Network Segmentation of devices
– Application Firewalls
– Firmware Version Control
– Integrity and Authentication Wrappers
– Multiple Layers of Access Control

Page 38

Site & Facility Design Considerations

Facility Design, Datacenter and Work Area Security

Page 39

Secure Principles for Site Selection

• Target Identification (Threat Matrix)
• Physical Vulnerability Assessment
• Secure Facility Plan (multipath connections to utility and internet)
• Site Selection (Traffic / Hazardous Materials)
• Visibility (Crime Rates / Terrain)
• Natural Disasters (Floods / Hurricanes)
• Facility Design (Flooring / HVAC / Emergency Services)

Page 40

Secure Principles for Facility Security

• Cable Plant Management (OSI Layer 1)

• Entrance Facility (Provider termination)

• Equipment Room (UPS/PBX/Cabling Racks)

• Backbone Distribution (Multi-floor closets)

• Telecommunications Room (Provides for each floor)

• Horizontal Distribution (Patch Panels/Cross Connects)

• Server Rooms (Rack Security)

Page 41

Secure Principles for Data Center Security

• Elevated Physical Access Controls (Biometrics / Card Readers / Multi-factor)
• Utilities and Power
• Uninterruptable Power Supply (UPS)
• Generators
• Heating, Ventilation & Air Conditioning (HVAC)
• Air Contamination Protection (Anthrax & Airborne Threats)

Page 42

Secure Principles for Data Center Security

Fire Suppression & Detection
– Wet Systems (constant water supply)
– Dry Systems (electric valve release)
– Pre-Action Systems (prevent water damage)
– Deluge Systems (same as above, but sprinkler heads are always open)
– Aero-K (multiple detectors must activate, then it sprays microscopic potassium compounds)
– FM-200 (stored as a liquid and dispensed as a clear, non-toxic vapor)

Page 43

Cryptography: Usage and Implementation Types

Page 44

Cryptography

Goals of Cryptography, or Why Encrypt?

– Cryptographic systems are utilized to meet four fundamental goals: confidentiality, integrity, authentication, and nonrepudiation. Achieving each of these goals requires the satisfaction of a number of design requirements, and not all cryptosystems are intended to achieve all four goals.

Page 45

Confidentiality

Confidentiality ensures that data remains private while at rest, such as when stored on a disk, or in transit, such as during transmission between two or more parties. This is the most widely cited goal of cryptosystems— the preservation of secrecy for stored information or for communications between individuals and groups.

Two main types of cryptosystems enforce confidentiality. Symmetric key cryptosystems use a shared secret key available to all users of the cryptosystem. Asymmetric cryptosystems use individual combinations of public and private keys for each user of the system.

Page 46

Integrity

Integrity ensures that data is not altered without authorization. If integrity mechanisms are in place, the recipient of a message can be certain that the message received is identical to the message that was sent. Similarly, integrity checks can ensure that stored data was not altered between the time it was created and the time it was accessed.

Message integrity is enforced through the use of encrypted message digests, known as digital signatures, or hashes that are created upon transmission of a message.
– MD5
– SHA

Page 47

Authentication

Authentication verifies the claimed identity of system users.

Page 48

Nonrepudiation

Nonrepudiation provides assurance to the recipient that the message was originated by the sender and not someone masquerading as the sender. It also prevents the sender from claiming that they never sent the message in the first place (also known as repudiating the message).

Page 49

Early Cryptography

Caesar Cipher
– One of the earliest known cipher systems was used by Julius Caesar to communicate with Cicero in Rome while he was conquering Europe.
– The system is extremely simple. To encrypt a message, you simply shift each letter of the alphabet three places to the right. For example, A would become D, and B would become E. If you reach the end of the alphabet during this process, you simply wrap around to the beginning so that X becomes A, Y becomes B, and Z becomes C.

Page 50

Cryptography in History

Enigma
– Germany developed a commercial code machine nicknamed Enigma. The machine used a series of three to six rotors to implement an extremely complicated substitution cipher. The only possible way to decrypt the message was to use a similar machine with the same rotor settings used by the transmitting device. The Allies successfully broke the Enigma code in 1940, and it is credited as the major breakthrough to winning WWII.

Page 51

The Enigma Machine


Page 53

Crypto Intro

• Encryption: process by which plaintext is converted to ciphertext using a key
• Decryption: process by which ciphertext is converted to plaintext (with the appropriate key)
• Plaintext (cleartext): intelligible data

Page 54

Crypto Terms

• Cryptography: art/science relating to encrypting and decrypting information
• Cryptanalysis: art/science relating to converting ciphertext to plaintext without the (secret) key
• End-to-end encryption: the encryption of data from the source system to the end system (https)

Page 55

Work Function

You can measure the strength of a cryptography system by measuring the effort in terms of cost and/or time using a work function or work factor. The time and effort required to perform a complete brute-force attack against an encryption system is what the work function represents. Size the work function against the relative value of the protected asset. Spend no more effort to protect an asset than it warrants.

Page 56

Codes vs Ciphers

People often use the words code and cipher interchangeably, but technically, they aren’t interchangeable.

– Codes are cryptographic systems of symbols that represent words or phrases. They are sometimes secret, but they are not necessarily meant to provide confidentiality. For instance, most people know what 10-4 means.
– Ciphers, on the other hand, are always meant to hide the true meaning of a message.

Page 57

Transposition Ciphers

Transposition ciphers use an encryption algorithm to rearrange the letters of a plaintext message, forming the ciphertext message. The decryption algorithm simply reverses the encryption transformation to retrieve the original message.

Earlier a simple transposition cipher was used to reverse the letters of the message so that apple became elppa.

Page 58

Substitution Ciphers

Substitution ciphers use the encryption algorithm to replace each character or bit of the plaintext message with a different character.

The Caesar cipher is a good example of a substitution cipher. We simply shift each letter three places to the right in the message to generate the ciphertext.

Page 59

Advanced Substitution Ciphers

Polyalphabetic substitution ciphers use multiple alphabets in the same message to hinder decryption efforts. One of the most notable examples of a polyalphabetic substitution cipher system is the Vigenère cipher. The Vigenère cipher uses a single encryption/ decryption chart.

Page 60

Vigenère Cipher

Notice that the chart is simply the alphabet written repeatedly (26 times) under the master heading, shifting by one letter each time. You need a key to use the Vigenère system. For example, the key could be secret.

1) Write out the plain text.
2) Write out the encryption key, repeating the key as many times as needed to establish a line of text that is the same length as the plain text.
3) Convert each letter position from plain text to ciphertext.
   A. Locate the column headed by the first plaintext character.
   B. Next, locate the row headed by the first character of the key (s).
   C. Finally, locate where these two items intersect, and write down the letter that appears there (s). This is the ciphertext for that letter position.
   D. Repeat steps 1 through 3 for each letter in the plaintext version.

• Although polyalphabetic substitution protects against direct frequency analysis, it is vulnerable to a second-order form of frequency analysis called period analysis, which is an examination of frequency based on the repeated use of the key.

Page 61

One-Time Pad (Vernam Ciphers)

A one-time pad is an extremely powerful type of substitution cipher. One-time pads use a different substitution alphabet for each letter of the plaintext message.

Benefits:
– When used properly, virtually unbreakable
– No repeating pattern, rendering cryptanalytic efforts useless

Requirements:
– One-time pad must be randomly generated using a phrase or passage from a book
– One-time pad must be protected against disclosure, or decryption is simple
• One-time pads are usually only used for short messages due to long key lengths

Page 62

Reflection

Some of you may be thinking at this point that the Caesar cipher, Vigenère cipher, and one-time pad sound very similar. They are!

The only difference is the key length. The Caesar shift cipher uses a key of length one, the Vigenère cipher uses a longer key (usually a word or sentence), and the one-time pad uses a key that is as long as the message itself.
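The three ciphers above differ only in key length, and one tabula recta shift routine shows it, as an added example that is not part of the slides: a one-letter key gives the Caesar cipher, the repeated key "secret" from the Vigenère slide gives Vigenère, and a random key as long as the message gives a one-time pad. The same block carries through the period analysis the Vigenère slide warns about, using an index-of-coincidence test per column to recover the key length. The sample plaintext is constructed from the deck's own confidentiality and integrity sentences; all function names are my own.

```python
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Constructed sample input: the deck's own sentences on confidentiality,
# integrity and nonrepudiation, used here only as a long English plaintext.
SAMPLE_PLAINTEXT = (
    "Confidentiality ensures that data remains private while at rest, such as "
    "when stored on a disk, or in transit, such as during transmission between "
    "two or more parties. This is the most widely cited goal of cryptosystems, "
    "the preservation of secrecy for stored information or for communications "
    "between individuals and groups. Two main types of cryptosystems enforce "
    "confidentiality. Symmetric key cryptosystems use a shared secret key "
    "available to all users of the cryptosystem. Asymmetric cryptosystems use "
    "individual combinations of public and private keys for each user of the "
    "system. Integrity ensures that data is not altered without authorization. "
    "If integrity mechanisms are in place, the recipient of a message can be "
    "certain that the message received is identical to the message that was "
    "sent. Similarly, integrity checks can ensure that stored data was not "
    "altered between the time it was created and the time it was accessed. "
    "Nonrepudiation provides assurance to the recipient that the message was "
    "originated by the sender and not someone masquerading as the sender."
)


def normalize(text: str) -> str:
    """Keep only A-Z, upper-cased: these classical ciphers work on letters alone."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def tabula_recta_encrypt(plaintext: str, key: str) -> str:
    """Vigenere chart rule: cipher letter = (plain letter + key letter) mod 26.

    The key repeats until it is as long as the plaintext, so a one-letter key is
    the Caesar cipher and a random key as long as the message is a one-time pad.
    """
    pt, k = normalize(plaintext), normalize(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    return "".join(
        ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k[i % len(k)])) % 26]
        for i, p in enumerate(pt)
    )


def tabula_recta_decrypt(ciphertext: str, key: str) -> str:
    """Undo the shift: plain letter = (cipher letter - key letter) mod 26."""
    ct, k = normalize(ciphertext), normalize(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    return "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k[i % len(k)])) % 26]
        for i, c in enumerate(ct)
    )


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """Caesar cipher as a key of length one: a shift of 3 is the key letter 'D'."""
    return tabula_recta_encrypt(plaintext, ALPHABET[shift % 26])


def one_time_pad_key(length: int) -> str:
    """Random key as long as the message, drawn from the OS CSPRNG; never reuse it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn from `text` are the same letter.

    English scores roughly 0.066; uniformly random letters score 1/26 = 0.038.
    A single fixed shift does not change the score, which period analysis exploits.
    """
    n = len(text)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(text).values()) / (n * (n - 1))


def period_score(ciphertext: str, period: int) -> float:
    """Mean IoC over the `period` columns; each column shares one key letter."""
    return sum(index_of_coincidence(ciphertext[i::period]) for i in range(period)) / period


def likely_period(ciphertext: str, max_period: int = 10) -> int:
    """Period analysis: the key length whose columns look most like English."""
    return max(range(1, max_period + 1), key=lambda p: period_score(ciphertext, p))


if __name__ == "__main__":
    pt = normalize(SAMPLE_PLAINTEXT)
    print("Caesar:", caesar_encrypt("attack at dawn"))
    vig = tabula_recta_encrypt(pt, "secret")
    print("Vigenere period guess:", likely_period(vig), "(key 'secret' has 6 letters)")
    pad = one_time_pad_key(len(pt))
    otp = tabula_recta_encrypt(pt, pad)
    print("OTP period guess:", likely_period(otp), "(no period exists to find)")
    for p in range(1, 11):
        print(f"period {p:2d}: Vigenere IoC {period_score(vig, p):.3f}  OTP IoC {period_score(otp, p):.3f}")
```

The Vigenère ciphertext scores highest at period 6 because each column is plain English under one shift, while every column of the one-time pad ciphertext scores near 1/26 at every period.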

Page 63

Running Key Ciphers (Book)

Many cryptographic vulnerabilities surround the limited length of the cryptographic key. One-time pads avoid these vulnerabilities by using a key that is at least as long as the message. However, one-time pads are awkward to implement because they require the physical exchange of pads. The solution is to use a book such as Moby Dick at an agreed-upon start location, say the 3rd paragraph.

Page 64

Block Ciphers

• Block ciphers operate on “chunks,” or blocks, of a message and apply the encryption algorithm to an entire message block at the same time. Transposition ciphers are examples of block ciphers.

• Most modern encryption algorithms implement some type of block cipher.

Page 65

Stream Ciphers

Stream ciphers operate on one character or bit of a message (or data stream) at a time.

The Caesar cipher is an example of a stream cipher. The one-time pad is also a stream cipher because the algorithm operates on each letter of the plaintext message independently.

Page 66

Confusion and Diffusion

Cryptographic algorithms rely on two basic operations to obscure plaintext messages—confusion and diffusion.

• Confusion occurs when the relationship between the plaintext and the key is so complicated that an attacker can't merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key.

• Diffusion occurs when a change in the plaintext results in multiple changes spread throughout the ciphertext.

• Example: an algorithm that first performs a complex substitution and then uses transposition to rearrange the characters of the substituted ciphertext. Here the substitution introduces confusion and the transposition introduces diffusion.

Page 67

Modern Cryptography

Modern cryptosystems use computationally complex algorithms and long cryptographic keys to meet the cryptographic goals of confidentiality, integrity, authentication, and nonrepudiation.

Basically 3 types of algorithms are commonly used today:
1. Symmetric Encryption
2. Asymmetric Encryption
3. Hashing Algorithms

Page 68

Symmetric Key Algorithms

Symmetric key algorithms rely on a “shared secret” encryption key that is distributed to all members who participate in the communications. This key is used by all parties to both encrypt and decrypt messages, so the sender and the receiver both possess a copy of the shared key. The sender encrypts with the shared secret key and the receiver decrypts with it. When large-sized keys are used, symmetric encryption is very difficult to break.

Symmetric algorithms are primarily employed to perform bulk encryption and provide only the security service of confidentiality.

Page 69

Symmetric Key Algorithm Strengths & Weaknesses

• Key distribution is a major problem.
• Symmetric key cryptography does not implement nonrepudiation.
• The algorithm is not scalable. Everyone requires a private key.
• Keys must be regenerated when someone leaves.

The major strength is the speed at which it can operate. Symmetric key encryption is very fast, often 10,000 times faster than asymmetric algorithms.

Page 70

Symmetric Key Algorithm Examples

• Data Encryption Standard (DES)
• Triple Data Encryption Standard (3DES)
• International Data Encryption Algorithm (IDEA): used in Phil Zimmermann's Pretty Good Privacy (PGP)
• Blowfish/Twofish: Bruce Schneier, block ciphers
• Skipjack: US Gov't holds key escrow; not well trusted
• Advanced Encryption Standard (AES): In October 2000, the National Institute of Standards and Technology (NIST) announced that the Rijndael (pronounced "rhine-doll") block cipher had been chosen as the replacement for DES. In November 2001, NIST released FIPS 197, which mandated the use of AES/Rijndael for the encryption of all sensitive but unclassified data by the US government.

Page 71

Asymmetric Key Algorithms

Asymmetric key algorithms, also known as public key algorithms, provide a solution to the weaknesses of symmetric key encryption.

In these systems, each user has two keys: a public key, which is shared with all users, and a private key, which is kept secret and known only to the user. Opposite and related keys must be used in tandem to encrypt and decrypt. In other words, if the public key encrypts a message, then only the corresponding private key can decrypt it, and vice versa.

Page 72

Asymmetric Key Algorithm Strengths & Weaknesses

• Addition of new users requires the generation of only one public-private key pair.

• Users can be removed far more easily from asymmetric systems through key revocation.

• Key regeneration is required only when a user's private key is compromised.

• Asymmetric key encryption can provide integrity, authentication, and nonrepudiation.

• Key distribution is a simple process: publicly advertise your key.

• No preexisting communication link needs to exist.

• The major weakness of public key cryptography is the slow speed of operation.

Page 73

Asymmetric Key Algorithm Issues


Page 74

Asymmetric Key Algorithm Examples

• RSA – most widely used; developed by Rivest, Shamir and Adleman
• El Gamal
• Elliptic Curve Cryptosystem (ECC)

Page 75

Symmetric vs Asymmetric Algorithms

Page 76

Hashing Algorithms

Message digests are summaries of a message’s content produced by a hashing algorithm.

Page 77

Requirements of a hash function

1. Allow input of any length
2. Provide fixed-length output
3. Easy to compute the hash function for any input
4. One-way functionality (non-reversible)
5. Collision free (a collision is when 2 distinct pieces of data have the same hash value or checksum)
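An added example (not from the deck) that exercises these requirements with SHA-256 from Python's standard library: fixed-length output for any input length, a one-bit input change flipping about half the digest bits, and a birthday-style collision search on a deliberately truncated digest to show why real digests must be long; the input messages are constructed.

```python
import hashlib


def digest_hex(data: bytes) -> str:
    """Requirements 1-3: input of any length, a fixed 256-bit (64 hex
    character) output, and cheap to compute."""
    return hashlib.sha256(data).hexdigest()


def bit_difference(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(data: bytes) -> int:
    """Flip the lowest bit of the first input byte and count how many of the
    256 digest bits change.  A good hash changes about half of them, so the
    digest gives no hint about how similar two inputs are."""
    if not data:
        raise ValueError("need at least one byte of input")
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    return bit_difference(hashlib.sha256(data).digest(),
                          hashlib.sha256(flipped).digest())


def truncated_digest(data: bytes, bits: int) -> int:
    """Keep only the low `bits` bits of the digest, to model a short hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << bits) - 1)


def find_collision(bits: int, limit: int = 1_000_000):
    """Requirement 5 illustrated: two distinct inputs with the same
    truncated digest turn up after roughly 2**(bits/2) attempts (the
    birthday bound).  At 20 bits that is about a thousand tries; at the
    full 256 bits it is infeasible, which is why full-length digests are
    collision free in practice.  Returns (input_a, input_b) or None."""
    seen = {}
    for i in range(limit):
        msg = f"constructed-message-{i}".encode()   # constructed sample input
        t = truncated_digest(msg, bits)
        if t in seen:
            return seen[t], msg
        seen[t] = msg
    return None


if __name__ == "__main__":
    print(digest_hex(b""), digest_hex(b"x" * 100000))
    print("digest bits changed by a 1-bit input change:",
          avalanche(b"The quick brown fox"))
    print("20-bit collision:", find_collision(20))
```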

Page 78

Hash Standard

Page 79

Public Key Infrastructure (PKI)

The major strength of public key encryption is its ability to facilitate communication between parties previously unknown to each other. This is made possible by the public key infrastructure (PKI) hierarchy of trust relationships. These trusts permit combining asymmetric cryptography with symmetric cryptography along with hashing and digital certificates, giving us hybrid cryptography.

Page 80

Certificates

Digital certificates provide communicating parties with the assurance that the people they are communicating with truly are who they claim to be. Digital certificates are essentially endorsed copies of an individual's public key. When users verify that a certificate was signed by a trusted certificate authority (CA), they know that the public key is legitimate. Digital certificates contain specific identifying information, and their construction is governed by an international standard, X.509.

Page 81

Certificate Authorities

Certificate authorities (CAs) are the glue that binds the public key infrastructure together. These neutral organizations offer notarization services for digital certificates. To obtain a digital certificate from a reputable CA, you must prove your identity to the satisfaction of the CA.
• Symantec
• Thawte
• GeoTrust
• Comodo
• GoDaddy

Page 82

Certificate Generation & Destruction

1. Enrollment
2. Verification
3. Revocation
  – The certificate was compromised (end user gives away private key)
  – The certificate was erroneously issued (verification not done correctly)
  – Certificate details have changed
  – Security association changed
  – If a certificate is revoked it will be published on a certificate revocation list (CRL)

Page 83

Some Applications of Cryptography

1. Portable Devices: devices can have full disk encryption (FDE), which ensures that data is protected if the device is lost or stolen.

2. S/MIME Encrypted Email: encrypt to provide confidentiality and hash the message for integrity.

3. Web Applications: utilize PKI/certificates to encrypt traffic.

Page 84

Steganography

Steganography is the art of using cryptographic techniques to embed secret messages within another message. An example would be to embed a secret message in an illustration or web page.

Digital Watermarks are also an example of steganography. The hidden information is known only to the file’s creator. If someone later creates an unauthorized copy of the content, the watermark can be used to determine the validity of the content.

Page 85

Digital Rights Management (DRM)

Digital rights management (DRM) software uses encryption to enforce copyright restrictions on digital media.

• Music
• Movies
• Video Games
• Documents

Page 86

Securing Networks

Two Types:

• Link Encryption – protects the entire communications circuit

• End-to-End – protects the path between two parties, such as a client and server

Encryption done at the lower OSI layers is usually link encryption; encryption at higher OSI layers, such as the application layer, is usually end-to-end.

Page 87

Cryptographic Attacks

• Analytic Attack- An algebraic manipulation that attempts to reduce the complexity of the algorithm. Analytic attacks focus on the logic of the algorithm itself.

• Implementation Attack- Exploits weaknesses in the implementation of a cryptography system.

• Statistical Attack- A statistical attack exploits statistical weaknesses in a cryptosystem, such as floating-point errors and inability to produce truly random numbers.

• Brute Force – These attacks are quite straightforward. They simply attempt every possible valid combination for a key or password.

Page 88

Cryptographic Attacks

• Frequency Analysis- Using the knowledge that the letters E, T, O, A, I, and N are the most common in the English language, you can then test several hypotheses to solve.

• Known Plaintext – In the known plaintext attack, the attacker has a copy of the encrypted message along with the plaintext message that was used to generate that ciphertext.

• Chosen Plaintext- In a chosen plaintext attack, the attacker has the ability to encrypt plaintext messages of their choosing and can then analyze the ciphertext output of the encryption algorithm.

Page 89

Cryptographic Attacks

• Man in the Middle- In the man-in-the-middle attack, a malicious individual sits between two communicating parties and intercepts all communications (including the setup of the cryptographic session).

• Replay- In this attack, the malicious individual intercepts an encrypted message between two parties (often a request for authentication) and then later “replays” the captured message to open a new session. This attack can be defeated by incorporating a time stamp and expiration period into each message.
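An added example, not part of the original slides, of the replay defence just described: each message carries a timestamp and a random nonce and is authenticated with an HMAC, and the receiver rejects messages whose MAC fails, whose timestamp is outside the allowed window, or whose nonce was already seen; the shared key, payload and window are constructed values.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed shared key for the example; in practice it comes from the
# session setup, never from source code.
SHARED_KEY = b"constructed-example-key-not-for-real-use"
MAX_AGE_SECONDS = 30   # how long a message stays valid after it was sent


def make_message(payload: dict, key: bytes = SHARED_KEY,
                 now: Optional[float] = None) -> bytes:
    """Sender side: add a send timestamp and a random nonce, then MAC the
    whole body so neither field can be adjusted to refresh an old message."""
    body = dict(payload, ts=int(now if now is not None else time.time()),
                nonce=secrets.token_hex(8))
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    return raw + b"." + tag


class ReplayGuard:
    """Receiver side: accept a message only if its MAC verifies, its
    timestamp is inside the window, and its nonce has not been seen before."""

    def __init__(self, key: bytes = SHARED_KEY, max_age: int = MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen = {}   # nonce -> timestamp of the accepted message

    def accept(self, message: bytes,
               now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        raw, sep, tag = message.rpartition(b".")
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest().encode()
        # Verify the MAC (in constant time) before trusting any field.
        if not sep or not hmac.compare_digest(expected, tag):
            return False, "bad mac"
        body = json.loads(raw)
        # Expiration period: too old (or too far in the future) is rejected.
        if abs(now - body["ts"]) > self.max_age:
            return False, "expired"
        # Forget nonces that are too old to be accepted anyway, so the
        # seen-set stays bounded by the window rather than growing forever.
        self.seen = {n: t for n, t in self.seen.items()
                     if now - t <= self.max_age}
        if body["nonce"] in self.seen:
            return False, "replayed"
        self.seen[body["nonce"]] = body["ts"]
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    msg = make_message({"action": "login", "user": "alice"})   # constructed
    print(guard.accept(msg))   # first delivery: (True, 'ok')
    print(guard.accept(msg))   # same capture again: (False, 'replayed')
```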

Page 90

Fundamental Concepts of Security Models

Security Engineering Lifecycle


Page 91

Security Model Concepts

• Security Architect must translate business requirements into secure technology solutions by providing controls to protect standard system components

• Common System Components
  – Processors
  – Memory & Storage
    • Primary Storage (RAM)
    • Secondary Storage (Fixed Disks)
    • Virtual Memory (Swap Files)
    • Firmware (ROM)
  – Peripherals and I/O Devices
  – Operating Systems

Page 92

Enterprise Security Architecture

• Objectives and Goals
  – Long-term Vision
  – Unified Vision
  – Leverage Existing Investments
  – Provide a flexible approach that integrates the Enterprise vision with current architectures to provide appropriate safeguards and countermeasures

Page 93

Enterprise Security Architecture

Common Security Services
  – Boundary Control Services
  – Access Control Services
    • Identification
    • Authentication
    • Authorization
  – Integrity Services (AV/Content Filtering/IPS)
  – Cryptographic Services (Encryption/PKI)
  – Audit and Monitoring Services (SIEM and logging capabilities)

Security Zones of Control
  – Grouping systems of similar functionality and security risk

Page 94

Fundamental Concepts of Security Models

• An information system’s architecture must satisfy the defined business and security requirements.

• Security should be built into an information system by design.

• When designing system architecture, security and business requirements needs to be carefully balanced.

• Tradeoffs are involved in reaching a balance between security and business requirements.


Page 95

Fundamental Concepts of Security Models

• The security requirements of an information system are driven by the security policy of the organization that will use the system.

• To incorporate the abstract goals of a security policy into an information system’s architecture, you will need to use security models.

• A security model lays out the framework and mathematical models that act as security-related specifications for a system architecture.

• The system architecture, in turn, is the overall design of the components (such as hardware, operating systems, applications, and networks) of an information system. This design should meet the specifications provided by the security model.

Page 96

Fundamental Concepts of Security Models

The architecture of an information system includes various components:

– Enterprise architecture that is a representation of the mode of operation of an enterprise. This mode of operation needs to be derived systematically.

– Network architecture that describes how various entities in a network communicate with each other. It also defines if a system is an open system or a closed system.

– Platform architecture that describes how a system optimally uses system resources, such as storage devices, input/output (I/O) devices, memory management, CPU states, operating system, and various utilities.

– Protection mechanisms refer to the mechanisms needed to protect the system and ensure that all the objects in the system are separated.

– Security models refer to methods to integrate security into a system's architecture. Some common security models are Bell-LaPadula, Biba, and Clark-Wilson.


Page 97

Fundamental Concepts of Security Models

Security architecture is part of the overall architecture of an information system. It directs how the components included in the system architecture should be organized to ensure that security requirements are met. The security architecture of an information system should include:

– A description of the locations in the overall architecture where security measures should be placed.

– A description of how various components of the architecture should interact to ensure security.

– The security specifications to be followed when designing and developing the system.


Page 98

Fundamental Concepts of Security Models

Computer Architecture
It comprises all the parts in a computer system that are necessary for it to function. Such parts include the operating system, memory chips, logic circuits, storage devices, I/O devices, security components, buses, and networking components.

• The Central Processing Unit (CPU) processes the instructions provided by the various applications/programs. To do this the CPU needs to access such instructions from their memory locations.

• The CPU can access the memory locations in its cache, along with memory locations in the random access memory (RAM). These types of memory are called primary memory.

• The major components:
  – The Arithmetic Logic Unit (ALU)
  – Control Unit (coordinates instruction execution)
  – Registers, which act as temporary memory locations and store the memory addresses of the instructions and data that need processing by the CPU.


Page 99

Fundamental Concepts of Security Models

Computer Architecture
• Program: an application
• Process: a program loaded into memory
• Thread: each individual instruction within a process
• Multiprogramming: no true isolation
• Multiprocessing: more than one CPU
• Multithreading: in the past multiple CPUs were needed; today multi-core processors provide this.
• Operating System Architecture
• Process Activity
• Memory Management
• Memory Types (RAM, ROM, etc.)
• Virtual Memory
• CPU Modes & Protection Rings


Page 100

Fundamental Concepts of Security Models

CPU Modes & Protection Rings
• Protection rings provide a security mechanism for an operating system by creating boundaries between the various processes operating on a system; they also ensure that processes do not affect each other or harm critical system components.
• Ring 0 – Operating system kernel (supervisor/privileged mode)
• Ring 1 – Remaining parts of the operating system (OS)
• Ring 2 – Operating system and I/O drivers and OS utilities
• Ring 3 – Applications (programs) and user activity


Page 101

Fundamental Concepts of Security Models

Recognizing access permissions

• Let us evaluate the access control mechanism provided by the protection rings:
  – Suppose a subject is located in ring 3. Which of the ring levels can this subject access?
    » A subject located in ring 3 can directly access objects in its own ring.
    » Most applications running on a system operate from ring 3, which has the least access to system components.
    » On the contrary, a subject in a lower numbered ring can directly access objects in higher numbered rings.

  – Suppose an application located in ring 3 directly sends an instruction to the CPU. What would be the result of this instruction (choose one)?
    » A. The CPU executes the instruction.
    » B. The CPU raises an exception error.
    » C. The operating system uses a system call to handle the instruction.

• Answer: B. In case an application located in ring 3 sends an instruction directly to the CPU, the CPU raises an exception error!

• When an application needs to perform an operation that requires access to the CPU (which is only accessible from ring 0), the application needs to send a request to the OS. The OS then executes the instruction on behalf of the application by using system calls.


Page 102

Fundamental Concepts of Security Models

Protection Mechanisms

• Domains
• Layering & Data Hiding
• Virtual Machines
  – A virtual machine is a simulated real machine environment created to simultaneously run multiple applications on a computer.
• Additional Storage Devices
• Input/Output Device Management


Page 103

Fundamental Concepts of Security Models

System Architecture
• Defined Subset of Subjects and Objects
• Trusted Computing Base (TCB)
  – Originated from the Orange Book and deals with the protection mechanisms within a computer. It addresses hardware, software, and firmware.
• Security Perimeter
  – It delineates the trusted and the untrusted components within a computer system.
• Reference Monitor
  – The reference monitor is an abstract machine concept that mediates all access between subjects and objects.
• Security Kernel
  – The security kernel enforces the reference monitor concept.
    » Must facilitate isolation of processes
    » Must be invoked at every access attempt.
    » Must be small enough to be tested and verified in a comprehensive manner.
• Security Policy – a set of rules on how resources are managed within a computer system.
• Least Privilege – one process has no more privileges than it needs.


Page 104

Security Evaluation Models

Formal Security Design Models


Page 105

Security Evaluation Models

• Security Models
• The function of a Security Model is to
  – Map the abstract goals of a security policy to an information system.
  – Specify mathematical formulae and data structures for implementing security policy goals.
• While a security policy states goals without specifying how to accomplish them, a security model specifies a framework to implement these goals.
• An organization can use different types of security models. However, it is very important for security personnel to understand the different security models to protect the organization's resources.

• For example, the security model that a military organization uses is quite different from that of a commercial entity, due to the variations in the types of data.

• A security model is formal when it is based on a pure mathematical implementation of security policies and assures high security, for example in military systems, air traffic control systems, etc.

• A security model is informal when it merely describes how to express and execute security policies.


Page 106

Security Evaluation Models

• Security Models
• State Machine Models
• **The Bell-LaPadula Model
• **The Biba Model
• The Clark-Wilson Model
• The Brewer & Nash Model
• The Information Flow Model
• The Non-Interference Model
• The Lattice Model


Page 107

Security Evaluation Models

Security Models
• State Machine Models

  – The state of a system is its snapshot at any one particular moment. The state machine model describes subjects, objects, and sequences in a system. The focus of this model is to capture the system's state and ensure its security.

  – When an object accepts input, the value of the state variable is modified. For a subject to access this object or modify the object value, the subject should have appropriate access rights.

  – State transitions refer to activities that alter a system's state.


Page 108


Security Evaluation Models

Confidentiality models: Bell & LaPadula

  – Developed by David Elliott Bell and Len LaPadula
  – This model focuses on data confidentiality and access to classified information.
  – A formal model developed for the DoD multilevel security policy
  – This formal model divides entities in an information system into subjects and objects.
  – The model is built on the concept of a state machine with different allowable states (i.e. secure state)

Page 109


Security Evaluation Models

Bell & LaPadula Confidentiality Model
Has 3 rules:
  – Simple Security Property – "no read up"
    • A subject cannot read data from a security level higher than the subject's security level.
  – * Security Property – "no write down"
    • A subject cannot write data to a security level lower than the subject's security level.
  – Strong * Property – "no read/write up or down"
    • A subject with read/write privilege can perform read/write functions only at the subject's security level.

Page 110


Security Evaluation Models

Integrity models (e.g., Biba, Clark and Wilson)
Biba Integrity Model
  – Developed by Kenneth J. Biba in 1977 based on a set of access control rules designed to ensure data integrity
  – No subject can depend on an object of lesser integrity
  – Based on a hierarchical lattice of integrity levels
  – Authorized users must perform correct and safe procedures to protect data integrity

Page 111


Security Evaluation Models

Biba Integrity Model
The Rules:
  – Simple integrity axiom – "no read down" – A subject cannot read data from an object of a lower integrity level.
  – * Integrity axiom – "no write up" – A subject cannot write data to an object at a higher integrity level.
  – Invocation property – A subject cannot invoke (call upon) subjects at a higher integrity level.

Page 112


Security Evaluation Models

Commercial Models

Integrity models – Clark-Wilson Model
Model Characteristics:
Clark-Wilson enforces well-formed transactions through the use of the access triple: User, Transformation Procedure, CDI (Constrained Data Item)

Deals with all three integrity goals
SEPARATION of DUTIES
  – Prevents unauthorized users from making modifications
  – Prevents authorized users from making improper modifications
  – Maintains internal and external consistency – reinforces separation of duties

Page 113


Security Evaluation Models

Commercial Models – cont’d

Brewer-Nash Model – a.k.a. Chinese Wall
Developed to combat conflict of interest in databases housing competitor information
  – Published in 1989 to ensure fair competition
  – Defines a wall and a set of rules to ensure that no subject accesses objects on the other side of the wall
  – A way of separating competitors' data within the same integrated database

Page 114


Security Evaluation Models

Information flow model
Model Characteristics:
– Holds data in distinct compartments
– Data is compartmentalized based on classification and the need to know
– Model seeks to eliminate covert channels
– Model ensures that information always flows from a low security level to a higher security level and from a high integrity level to a low integrity level.
– Whatever component directly affects the flow of information must dominate all components involved with the flow of information


115

Security Evaluation Models

Non-interference Model
Model Characteristics:
– Model ensures that actions at a higher security level do not interfere with the actions at a lower security level.
– The goal of this model is to protect the state of an entity at the lower security level from actions at the higher security level so that data does not pass through covert or timing channels.


116

Security Evaluation Models

Lattice Model
Model Characteristics:
– Model consists of a set of objects constrained between the least upper bound and the greatest lower bound values.
– The least upper bound is the value that defines the least level of object access rights granted to a subject.
– The greatest lower bound is the value that defines the maximum level of object access rights granted to a subject.
– The goal of this model is to protect the confidentiality of an object and only allow access by an authorized subject.
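Least upper bound and greatest lower bound computed over labels, added here as an example that is not from the slides. It goes slightly beyond the slide: labels are the general (classification level, category set) lattice used by multilevel models, and the level names, categories and objects are constructed.

```python
# Added example, not from the slides: a label lattice with lub/glb and a bounds check.
from dataclasses import dataclass
from functools import reduce

LEVEL = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: int
    categories: frozenset

    def dominates(self, other):
        """The lattice's partial order: higher-or-equal level and a superset of categories."""
        return self.level >= other.level and self.categories >= other.categories


def lub(a, b):
    """Least upper bound: the lowest label that dominates both."""
    return Label(max(a.level, b.level), a.categories | b.categories)


def glb(a, b):
    """Greatest lower bound: the highest label that both dominate."""
    return Label(min(a.level, b.level), a.categories & b.categories)


def access_range(labels):
    """(glb, lub) of a set of labels: a subject needs at least the lub to read all of
    them, and an object may be at most the glb for all of them (as subjects) to read it."""
    return reduce(glb, labels), reduce(lub, labels)


def within_bounds(label, lower, upper):
    """True when the label lies between the greatest lower and least upper bound."""
    return label.dominates(lower) and upper.dominates(label)


def make_label(level_name, *categories):
    return Label(LEVEL[level_name], frozenset(categories))


# Constructed objects
OBJECTS = [make_label("secret", "nuclear"),
           make_label("confidential", "crypto"),
           make_label("secret", "nuclear", "crypto")]
LOWER, UPPER = access_range(OBJECTS)
```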


Security Evaluation Models

Security Modes of Operation
• Dedicated Security Mode
– Where all users have a clearance for, and a formal need to know about, all data processed within a system.
• System High-Security Mode
– Where all users have security clearance to access information but not necessarily a need to know all the information processed on a system.
• Compartmented Security Mode
– Where all users have security clearance to access all the information processed on a system in a high security mode, but not the need to know or formal access approval.
• Multilevel Security Mode
– Permits two or more classification levels of information to be processed at the same time when not all users have the clearance or approval to access the info being processed. All users must have the right approval to access what they need to perform their duties.
• Trust & Assurance
– Trust levels tell a customer how much protection is being offered. This leads to the expectation of assurance that the system will act in a predictable manner.

117


Security Evaluation Models

Why Evaluate?
– To carefully examine the security-related components of a system
– Trust vs. Assurance
• The Orange Book (TCSEC)
• The Orange Book & the Rainbow Series
• ITSEC (Information Technology Security Evaluation Criteria)
• Common Criteria

118


119

Security Evaluation Models

Trusted Computer Security Evaluation Criteria (TCSEC)

• Developed by the National Computer Security Center (NCSC)
• Also known as the Orange Book
• Based on the Bell-LaPadula model (deals with only confidentiality)
• Uses a hierarchically ordered series of evaluation classes
– A1 – Verified Protection
– B1, B2, B3 – Mandatory Protection
– C1, C2 – Discretionary Protection
– D – Minimal Security


120

Security Evaluation Models

Information Tech Security Evaluation Criteria (ITSEC)

– Created by some European nations in 1991 as a standard to evaluate security attributes of computer systems
– Evaluates functionality and assurance separately
– F1 to F10 rates for functionality
– E0 to E6 for assurance


121

Security Evaluation Models

Common Criteria (CC)
– ISO (15408) Standard created in 1993 for global security evaluation
– Made up from TCSEC, ITSEC, and the Canadian version
Components
Protection profile – a set of security requirements and objectives for the system
– A Protection Profile consists of
• Descriptive elements – contains the name of the profile and the description of the security problem to be solved.
• Rationale – justifies the profile and provides a detailed description of the real-world problems that need to be solved.
• Functional requirements – establishes a protection boundary that the product must provide.
• Development assurance requirements – identify the requirements for the various development phases of the product.
• Evaluation assurance requirements – establish the type and intensity of the evaluation.


122

Security Evaluation Models

Common Criteria (CC)

– Target of evaluation
– Security target
– Evaluation packages


123

Security Evaluation Models

Common Criteria (CC) Ratings
Rated as Evaluation Assurance Level (EAL) 1 through 7
1. EAL 1 – Functionally tested
2. EAL 2 – Structurally tested
3. EAL 3 – Methodically tested and checked
4. EAL 4 – Methodically designed, tested, and reviewed
5. EAL 5 – Semi-formally designed and tested
6. EAL 6 – Semi-formally verified designed and tested
7. EAL 7 – Formally verified designed and tested


Security Evaluation Models

Elements of System Architecture
Protection Mechanisms
Security Kernel and Reference Model
Security Models
Evaluation Criteria

124