ISA 400 Management of Information Security Philip Robbins – November 14, 2015 Security...
-
Upload
barbara-paul -
Category
Documents
-
view
217 -
download
2
Transcript of ISA 400 Management of Information Security Philip Robbins – November 14, 2015 Security...
ISA 400 Management of Information Security
Philip Robbins – November 14, 2015
Security Architecture and Design
Information Security & Assurance ProgramUniversity of Hawai'i West Oahu
Week #4
Security Architecture & Design
Topics• Week #12, Domain: Security Architecture & Design
• Quiz #7• Assignment #7
3
Security can take place in 3 main areas:
Security Architecture & Design
• Reference Monitor• Trusted Computing Base• Security Control Architecture• Rings of Protection• Confidentiality Models• Integrity Models• Security Modes• Trusted Computer System Evaluation Criteria (TCSEC)• Information Technology System Evaluation Criteria (ITSEC)• Common Criteria• Certification & Accreditation
4
Domain Concepts
• Abstract machine that is used to implement security.• Verifies that the subject meets the minimum
requirements for access to an object.• Enforced by the Security Kernel (aka, the heart of the
RM).
5
Reference Monitor
• Central component to most Operating Systems.• Interface to system hardware.• In charge of access to computer resources.• Implements multitasking for processes continuously
competing for system resources (enforcing isolation).
6
OS Kernel
Process Isolation• Ensures processes do not interfere with each other.• Each process has and runs in its own memory space.
Protection Rings• Security mechanism used along with memory protection.• Supports Confidentiality, Integrity, and Availability.• Most common architectures use 4 protection rings.• The lower the number, the greater amount of privilege (trust)
given to the process running within that ring.• The OS kernel is the most trusted component (Ring 0).
7
Security Control Architecture
8
Protection “Privilege” Rings
Ring 0: Operating system kernelRing 1: Operating SystemRing 2: Drivers & UtilitiesRing 3: Applications
• Two Processor Access Modes:- User Mode
Application code runs in a non-privileged mode.- Supervisor (Kernel) Mode
Processor has access to all system memory and all CPU instructions.
• Protects the processor and the activities it performs.• Prevents memory access from lower access levels.
Processor Privilege States
10
Processor Privilege States
@Ring 3, User (Non-privileged) Mode: Applications@Ring 0, Kernel (Privileged) Mode: Operating system kernel@Ring 1, Kernel (Privileged) Mode: Operating System@Ring 2, Kernel (Privileged) Mode: Drivers & Utilities
Layering & Data Hiding• Provided by placing unique processes in different protection
rings and controlling communication between less trusted and more trusted processes.
Abstraction• Suppress unnecessary details not needed to perform an
activity.
Data Hiding• Control lower-level processes from higher-level processes.
Encapsulation• Protect an object’s private data from outside access.
Security Control Architecture
• The sum of all the protection mechanisms within a computer.
• Responsible for Confidentiality and Integrity.• TCB components enforce security policies.
Trusted Computing Base (TCB)
Open System• Built upon open standards, protocols, and interfaces that have
published specifications.• Provides interoperability between components and devices.
Closed System• Uses architecture that does not follow industry standards.• Are proprietary.• Traditionally lack interoperability.• Generally considered to be more secure.
Open & Closed Systems
• A flow of information not controlled by a security control.
• Attackers know that you can’t deny what you must permit.
• Only covert channels that breach security policy require action (i.e. rootkits, backdoors, Loki).
• Security steps:- Identify possible covert channels.- Analyze whether a channel actually exists.- Verify if the channel creates security concerns.
Covert Channel
Server-Side Attack• A listening service is attacked directly from outside
the network.• Defenses: Firewalls, Patching, System Hardening,
Defense in Depth.
Server / Client-Side Attacks
Client-Side Attack• Caused by the user download malicious content.• Reverse of server-side attack.• Attack initiated from victim.
Server / Client-Side Attacks
Making a change slowly over time so an attacker remains undetected.
Data Diddling• Making small incremental changes to data or files.
Salami Attack• Making small incremental changes to financial
accounts or records.
Incremental Attacks
Web Protection• If you use cookies with program, encrypt them.• Do not use sequential, calculable, or predictable
cookies, session numbers, or URL data.• Validate all input and output.• Fail secure.• Do not cache secure pages.• Do not automatically trust data, regardless of
source.• Audit.
Web Input Validation
Database Vulnerabilities & Threats
Database Vulnerabilities & Threats• Aggregation
– Combining information from sources to acquire knowledge when there is lack of clearance.
– The process of combining several low-sensitivity items, and drawing medium or high sensitivity conclusions.
• Inference– Results of aggregation.– The process of deducing new privileged
information from available unprivileged sources.
Polyinstantiation– Creating two versions of the same object.– Versions are distinguished by security levels.– Prevents Inference Attacks.– Enables a relation to contain multiple rows with
the same primary key.
Polyinstantiation
Bell-LaPadula Confidentiality Security Model
• Simple Security Property: no read up• * Property: no write down
Bell-LaPadula Confidentiality Security Model
• Developed from DoD multilevel security policy– Security labels– Need-to-know– First mathematical model of a multilevel security policy
• Blend of general security models– Information flow and state machine– Mandatory access controls and lattice model
• Prevent information from flowing from a higher security level to a lower one.
Lattice Model• Zones of security (compartmentalization)
– This structure governs information flow– One way information flow
• Model associated with MAC.• Subjects are assigned security clearances.• Objects are assigned security labels.
Lattice Model
Biba Integrity Security Model
• Simple Integrity Axiom: no read down• * Integrity Axiom: no write up
Biba Integrity Security Model
• Simple Integrity Axiom: no read down• * Integrity Axiom: no write up
Biba Integrity Security Model• Blend of general security models
– Concerned about the contamination of data– Mandatory access controls and lattice model– Information flow and state machine
• Supports integrity only– Prevents object modification by attackers– No support for confidentiality or availability
• Covert channels
• Prevents information from flowing from a low integrity level to a high integrity label.
Information Flow Model• State machine models that focus on the flow of
information.• Lattice based: one way flow.• Basis of design for both Biba and Bell-LaPadula.• The goal is to prevent information from flowing froma higher-security level to a lowerone.
Clark-Wilson Security Model• Focuses on integrity
• Constrained data items (CDI) • Transformation Procedures (TP)• Integrity Verification Procedures (IVP)
• Uses a subject/program/object relationship• Subjects are restricted in the way they access objects• Objects are accessed only through programs
• Dictates that Separation of duties be enforced• Critical functions are broken up among multiple subjects• Prevents authorized subjects from making improper
modifications to objects
• Requires all changes be logged.
Clark-Wilson Security Model
Constrained data items (CDI) Unconstrained data items (UDI)Transformation Procedures (TP)Integrity Verification Procedures (IVP)
Brewer and Nash Security Model
• “Chinese Wall” Model• Goal is to prevent conflicts of interest
– Information flow model.– Subject is prevented from access information of
two competing clients.• Subject’s access controls change dynamically.
Noninterference Model
• Ensures that objects and subjects of different levels don’t interfere with objects and subjects of other levels.
• Preventing high-level actions from being examined by low-level users– Information leakage
• Inference attack (indirect covert channel)
– Requires complete separation between security levels
Noninterference Model
Take-Grant Model
• Confidentiality-based.• Primary focus is on how subjects pass on their
“rights”.• Supports 4 basic operations:
– Take– Grant– Create– Revoke
Security Modes
• Mode of operation which the DAA/AO accredits an IS to operate; based on:– Sensitivity of the information being processed.– Clearance levels of authorized users.– 4 modes:
• Dedicated • System High• Compartmented or Partitioned• Multilevel Security
Security Modes
• Dedicated– Security clearance required for all data.– Approval required to access all data.– Need-to-know for all information.
• System High– Security clearance required for all data.– Approval required to access all data.– Need-to-know for some information.– Mode must provide audit trail capability.
Security Modes
• Compartmented– Security clearance required for the highest level of
data classification on the system.– Approval required to access all data.– Valid Need-to-know for some information.
Security Modes
• Multilevel– Security clearance where security clearance
dominates the file’s security label (using MAC).– Approval required to access data they will have
access to.– Valid Need-to-know for data they will have access
to.
Security Modes
Dedicated System High Compartmented Multimode
Nondisclosure Agreement
Yes Yes Yes Yes
Clearance All All All Some
Formal Access All All Some Some
Need To Know All Some Some Some
Orange Book• Trusted Computer System Evaluation Criteria• “Orange Book”: evaluates stand-alone
system’s functionality and trustworthiness.• Developed to evaluate standalone systems.• Basis of measurement is Confidentiality.• Four categories (A, B, C, D).• For each category, a higher number indicates a
more secure system.
Orange Book• The Orange Book defines four categories
(broad hierarchical divisions) of security protection. In descending order of trust, they are:
A Verified protectionB Mandatory protectionC Discretionary protectionD Minimal security
Orange Book• Each division consists of one or more numbered
classes, with higher numbers indicating a higher degree of security.
• For example, division C contains two distinct classes (C2 offers more security than C1); division B contains three classes ( B3 > B2 > B1 ); division A currently contains only one class (A1).
TCSEC Categories• A – Verified protection
– A1 – Verified Design & Protection• For Top-Secret data
• B – Mandatory protection: based on Bell-LaPadula model and MAC– B3 – Security Domains
• Good for up to Secret data.• Must be able to boot “securely”.• Layering, abstraction, and data hiding required.
– B2 – Structured Protection• Must prevent covert channels.• Operator and admin functions are separated.• Process isolation implemented.• Must support hierarchical device labeling.
TCSEC Categories– B1 – Labeled Security
• Security labels are required.• Sufficient enough to house classified data.• Provides mandatory access control.
• C – Discretionary protection: based on DAC– C2 – Controlled Access
• Users must be identified before gaining access to any system resource.• Object reuse protection.• Full auditing of security events.• Mandatory IDs.
– C1 – Discretionary Security• UserID and groups are used.• Implement access control lists.
• D – Minimal Security
TCSEC
TCSEC Measurement• The evaluation criteria for the Orange Book were
developed with three basic objectives:• Measurement: To provide users with a metric with
which to assess the degree of trust & assurance that can be placed in computer systems for the secure processing of classified, or other sensitive, information.
• For example, a user can rely on a B2 system to be “more secure” than a C2 system.
TCSEC Guidance• Provides guidance to manufacturers as to what to
build into their trusted commercial products to satisfy trust requirements for sensitive applications.
Orange Book Complaints• Model works only in a government classified
environment, and the higher levels of security aren’t appropriate for the protection of commercial data, where data integrity is the chief concern.
• Emphasizes protection from unauthorized access, while most security attacks actually involve insiders.
• Doesn’t address networking issues. Stand-alone only.
Rainbow Series• The government produced a number of other
volumes interpreting Orange Book requirements. These are known collectively as the Rainbow Series, since each has a different cover color.
• Red Book – Trusted Network Interpretation
• Lavender Book – Trusted Data Base Management System Interpretation
• Green Book– Password Management Guideline
• Tan Book– Guide to Understanding Audit in Trusted Systems
• Purple Book– Guidelines for Formal Verification Systems
• Burgundy Book– Guide to Understanding Design Documentation in Trusted Systems
Information Technology Security Evaluation Criteria• ITSEC• European Standard developed in the 1980’s• Designed to more flexible than TCSEC .• Evaluates all information security services.• Does not require a TCB.• Evaluation divided into 2 parts:
– Functionality (F)• F1 – F10
– Assurance (E)• E0 – E6
Information Technology Security Evaluation Criteria
Common Criteria• Globalized merger of ITSEC and TCSEC.• Defacto standard for evaluating systems.• Made an official standard by ISO (ISO 15408).• Signed by France, Germany, UK, USA, Austrailia, New
Zealand, and Canada in 1998.• Assurance categorized into one of seven Evaluation
Assurance Levels (EALs).• EALs provide a specific level of confidence in the
security functions of the system being analyzed.
Common Criteria EALs• EAL 0 - Inadequate Assurance• EAL 1 - Functionally Tested• EAL 2 - Structurally Tested• EAL 3 - Methodically tested and checked• EAL 4 - Methodically designed, tested, & reviewed• EAL 5 - Semiformally designed and tested• EAL 6 - Semiformally verified design and tested• EAL 7 - Formally verified design and tested
Standards OverviewTCSEC ITSEC CC Designation
A1 F6+E6 EAL 7 Verified Security
B3 F5+E5 EAL 6 Security Domains
B2 F4+E4 EAL 5 Structured Security
B1 F3+E3 EAL 4 Security Labels
C2 F2+E2 EAL 3 Controlled Access
C1 F1+E1 EAL 2 Discretionary Security
D E0 EAL 1 Minimal Security
Certification• Verification & validation of a system and its
controls / safeguards.• Security evaluation criteria is compared to the
testing results.– Hardware, software, and configuration– Administrative, technical, and physical controls– Recertification is conducted at expiration or if
system is changed• Results of security review is certified by a CA.
Accreditation• Management or Risk Authority compares system
capabilities, worth, and merit to the needs of the organization and its resources.
• Formal declaration to accept the operation and any system risks for specified period of time.
• Changes require recertification.• Types:
– Provisional / Conditional (Interim)– Full
60
Quiz #7• Short answer, closed book, closed notes.