ISA 400 Management of Information Security Philip Robbins – November 14, 2015 Security Architecture and Design Information Security & Assurance Program University of Hawai'i West Oahu Week #4


Page 1: ISA 400 Management of Information Security Philip Robbins – November 14, 2015 Security Architecture and Design Information Security & Assurance Program.

ISA 400 Management of Information Security

Philip Robbins – November 14, 2015

Security Architecture and Design

Information Security & Assurance Program
University of Hawai'i West Oahu

Week #4

Page 2:

Security Architecture & Design

Topics
• Week #12, Domain: Security Architecture & Design
• Quiz #7
• Assignment #7

Page 3:

Security Architecture & Design

Security can take place in 3 main areas:

Page 4:

Domain Concepts
• Reference Monitor
• Trusted Computing Base
• Security Control Architecture
• Rings of Protection
• Confidentiality Models
• Integrity Models
• Security Modes
• Trusted Computer System Evaluation Criteria (TCSEC)
• Information Technology Security Evaluation Criteria (ITSEC)
• Common Criteria
• Certification & Accreditation

Page 5:

Reference Monitor
• Abstract machine (a concept, not a particular piece of code) that mediates every access by a subject to an object.
• Verifies that the subject meets the requirements of the security policy before access to the object is granted.
• Enforced by the Security Kernel: the hardware, firmware and software that implement the reference monitor concept, the heart of the TCB.
• To be trustworthy the implementation must be tamperproof, always invoked (non-bypassable) and small enough to be verified.

Page 6:

OS Kernel
• Central component of most Operating Systems.
• Interface to system hardware.
• In charge of access to computer resources.
• Implements multitasking for processes continuously competing for system resources (enforcing isolation).

Page 7:

Security Control Architecture

Process Isolation
• Ensures processes do not interfere with each other.
• Each process has and runs in its own memory space.

Protection Rings
• Security mechanism used along with memory protection.
• Supports Confidentiality, Integrity, and Availability.
• x86 processors provide 4 protection rings (0 to 3); most common operating systems use only two of them, Ring 0 for the kernel and Ring 3 for applications.
• The lower the number, the greater the privilege (trust) given to the process running within that ring.
• The OS kernel is the most trusted component (Ring 0).

Page 8:

Protection "Privilege" Rings
• Ring 0: Operating system kernel
• Ring 1: Operating System
• Ring 2: Drivers & Utilities
• Ring 3: Applications

Page 9:

Processor Privilege States
• Two Processor Access Modes:
  – User Mode: application code runs in a non-privileged mode; privileged instructions trap to the kernel.
  – Supervisor (Kernel) Mode: the processor has access to all system memory and all CPU instructions.
• Protects the processor and the activities it performs.
• Prevents code running at a less privileged level from accessing memory that belongs to a more privileged level.

Page 10:

Processor Privilege States
• Ring 0, Kernel (Privileged) Mode: Operating system kernel
• Ring 1, Kernel (Privileged) Mode: Operating System
• Ring 2, Kernel (Privileged) Mode: Drivers & Utilities
• Ring 3, User (Non-privileged) Mode: Applications

Page 11:

Security Control Architecture

Layering & Data Hiding
• Provided by placing unique processes in different protection rings and controlling communication between less trusted and more trusted processes.

Abstraction
• Suppress unnecessary details not needed to perform an activity.

Data Hiding
• Data held at one level is kept invisible to processes at other levels; a lower-level (more trusted) process does not expose its internal data to higher-level (less trusted) processes.

Encapsulation
• Protect an object's private data from outside access; the object is manipulated only through its defined interface.

Page 12:

Trusted Computing Base (TCB)
• The sum of all the protection mechanisms within a computer (hardware, firmware and software).
• Responsible for Confidentiality and Integrity.
• TCB components enforce security policies; everything outside the TCB is untrusted and must go through the TCB to reach protected resources.

Page 13:

Open & Closed Systems

Open System
• Built upon open standards, protocols, and interfaces that have published specifications.
• Provides interoperability between components and devices.

Closed System
• Uses an architecture that does not follow industry standards.
• Proprietary.
• Traditionally lacks interoperability.
• Generally considered to be more secure because the design is not published. Treat this claim with caution: it is security through obscurity, and a closed design also receives less independent review.

Page 14:

Covert Channel
• A flow of information over a path that was not designed for communication and is therefore not controlled by a security control (storage channels and timing channels).
• Attackers know that you can't deny what you must permit.
• Only covert channels that breach security policy require action (e.g. rootkits, backdoors, Loki, which tunnels data inside ICMP echo packets).
• Security steps:
  – Identify possible covert channels.
  – Analyze whether a channel actually exists.
  – Verify whether the channel creates security concerns.

Page 15:

Server / Client-Side Attacks

Server-Side Attack
• A listening service is attacked directly from outside the network.
• Defenses: Firewalls, Patching, System Hardening, Defense in Depth.

Page 16:

Server / Client-Side Attacks

Client-Side Attack
• Caused by the user downloading malicious content (a web page, document or attachment).
• Reverse of a server-side attack.
• The connection is initiated by the victim's client, so a perimeter firewall that only blocks inbound connections does not stop it.

Page 17:

Incremental Attacks

Making a change slowly over time so the attacker remains undetected.

Data Diddling
• Making small incremental changes to data or files.

Salami Attack
• Making small incremental changes to financial accounts or records.

Page 18:

Web Protection
• If your program uses cookies, protect them from tampering and disclosure: sign them, and encrypt them if the value itself is sensitive (better still, store only an opaque random identifier in the cookie).
• Do not use sequential, calculable, or predictable cookies, session numbers, or URL data.
• Validate all input and output.
• Fail secure.
• Do not cache secure pages.
• Do not automatically trust data, regardless of source.
• Audit.
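The following is an added example, not code from the slides, showing four of the points above in working form: a predictable session identifier beside a CSPRNG-generated one, an HMAC-signed cookie whose tag is checked in constant time, an allowlist input validator, and the response headers for a page that must not be cached. The key, the username pattern and the header values are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets

# Server-side signing key. Constructed for this example; in production it comes
# from a secret store and is rotated, never hard-coded.
SECRET_KEY = b"example-only-server-key-do-not-reuse"


def predictable_session_id(counter: int) -> str:
    """The anti-pattern: a sequential ID lets an attacker enumerate other sessions."""
    return f"sess-{counter:08d}"


def new_session_id() -> str:
    """Unpredictable session ID: 32 bytes (256 bits) from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def sign_cookie(value: str) -> str:
    """Bind a cookie value to the server key with an HMAC-SHA256 tag: 'value.tag'."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie: str):
    """Return the cookie value if its tag verifies, otherwise None.

    The comparison is constant-time so the tag cannot be guessed byte by byte.
    """
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return value


# Allowlist for a username field (assumed format): only what the application expects.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(raw: str):
    """Allowlist validation: return the value unchanged or reject it with None."""
    return raw if USERNAME_RE.fullmatch(raw) else None


def session_response_headers(session_id: str) -> dict:
    """Headers for a response that sets the session cookie on a sensitive page."""
    return {
        # Browsers and proxies must not store the page ("do not cache secure pages").
        "Cache-Control": "no-store",
        # Signed value; not readable by script, only sent over TLS, not sent cross-site.
        "Set-Cookie": f"session={sign_cookie(session_id)}; Secure; HttpOnly; SameSite=Strict; Path=/",
    }
```

Signing stops a client from forging or altering the cookie but does not hide its contents; if the value must stay confidential, encrypt it as well, or keep the state server-side and put only the random identifier in the cookie.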

Page 19:

Web Input Validation

Page 20:

Database Vulnerabilities & Threats

Page 21:

Database Vulnerabilities & Threats
• Aggregation
  – Combining information from several sources to acquire knowledge for which the subject lacks clearance.
  – The process of combining several low-sensitivity items and drawing medium- or high-sensitivity conclusions.
• Inference
  – The result of aggregation.
  – The process of deducing new privileged information from available unprivileged sources.

Page 22:

Polyinstantiation
– Creating two (or more) versions of the same object.
– Versions are distinguished by security level.
– Prevents inference attacks: a low-cleared user sees a cover-story row instead of learning that a more sensitive row exists.
– Enables a relation to contain multiple rows with the same apparent primary key; the security label becomes part of the key.
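The following is an added example, not from the slides, that runs both ideas from the last two slides against a small SQLite table: an aggregate query over a one-person department leaks that person's salary (inference), and a polyinstantiated row for the same name returns a different record depending on the reader's clearance. The table, its rows, the level names and the minimum query-set size are all constructed for the example.

```python
import sqlite3

# Hypothetical classification ranks for the example (the slides do not fix any).
LEVELS = {"U": 0, "C": 1, "S": 2}


def build_db() -> sqlite3.Connection:
    """Create an in-memory staff table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE staff ("
        " name TEXT, dept TEXT, salary INTEGER, level TEXT,"
        " PRIMARY KEY (name, level))"  # the security label is part of the key
    )
    rows = [
        ("alice", "ops", 90000, "U"),
        ("bob",   "ops", 85000, "U"),
        ("carol", "ops", 95000, "U"),
        ("dave",  "rnd", 150000, "U"),      # the only person in rnd
        # Polyinstantiated entity: two rows for "eve" that differ only in level.
        ("eve",   "admin", 70000, "U"),     # cover story, visible to U users
        ("eve",   "intel", 180000, "S"),    # real record, visible to S users
    ]
    db.executemany("INSERT INTO staff VALUES (?, ?, ?, ?)", rows)
    db.commit()
    return db


def dept_average(db, dept: str, k_min: int = 3):
    """Aggregate query over unclassified rows with a minimum query-set size.

    With k_min=1 the "average" for a one-person department is that person's
    salary: aggregating unprivileged data yields a privileged fact (inference).
    Refusing small query sets is the usual mitigation.
    """
    count, avg = db.execute(
        "SELECT COUNT(*), AVG(salary) FROM staff WHERE dept = ? AND level = 'U'",
        (dept,),
    ).fetchone()
    if count < k_min:
        return None
    return avg


def read_record(db, name: str, clearance: str):
    """Return the most sensitive row for `name` that the clearance dominates.

    A U-cleared user gets eve's cover story and cannot tell that a Secret row
    exists; an S-cleared user gets the real record. Without polyinstantiation
    the U user would hit a key collision or a blank and could infer the secret.
    """
    rows = db.execute(
        "SELECT dept, salary, level FROM staff WHERE name = ?", (name,)
    ).fetchall()
    visible = [r for r in rows if LEVELS[r[2]] <= LEVELS[clearance]]  # no read up
    if not visible:
        return None
    return max(visible, key=lambda r: LEVELS[r[2]])
```

The query-set restriction is only a first line of defence: an attacker can still combine several large aggregates (the whole company minus everyone but dave), which is why inference controls in real databases also track query history or add noise.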

Page 23:

Polyinstantiation

Page 24:

Bell-LaPadula Confidentiality Security Model
• Simple Security Property: no read up (a subject may read an object only if the subject's clearance dominates the object's label).
• * (Star) Property: no write down (a subject may write an object only if the object's label dominates the subject's clearance).

Page 25:

Bell-LaPadula Confidentiality Security Model

• Developed from the DoD multilevel security policy
  – Security labels
  – Need-to-know
  – First mathematical model of a multilevel security policy
• Blend of general security models
  – Information flow and state machine
  – Mandatory access controls and lattice model
• Prevents information from flowing from a higher security level to a lower one.

Page 26:

Lattice Model
• Zones of security (compartmentalization)
  – This structure governs information flow
  – One-way information flow
• Model associated with MAC.
• Subjects are assigned security clearances.
• Objects are assigned security labels.
• Any two labels have a least upper bound and a greatest lower bound; labels with different compartments can be incomparable, so neither dominates the other and no flow is allowed between them.

Page 27:

Lattice Model

Page 28:

Biba Integrity Security Model

• Simple Integrity Axiom: no read down (a subject may read an object only if the object's integrity level dominates the subject's).
• * (Star) Integrity Axiom: no write up (a subject may write an object only if the subject's integrity level dominates the object's).

Page 29:

Biba Integrity Security Model


Page 30:

Biba Integrity Security Model
• Blend of general security models
  – Concerned about the contamination of data (low-integrity data flowing into high-integrity objects).
  – Mandatory access controls and lattice model.
  – Information flow and state machine.
• Supports integrity only
  – Prevents object modification by subjects of lower integrity.
  – No support for confidentiality or availability.
  – Does not address covert channels.
• Prevents information from flowing from a low integrity level to a high integrity level.
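The following is an added example, not from the slides, that implements the lattice, Bell-LaPadula and Biba slides together: a label is a rank plus a set of compartments, dominance is the lattice's partial order, and the BLP and Biba rules are the two mirror-image pairs of checks over that order. The secrecy ranks follow the usual U/C/S/TS scale; the integrity level names and the compartment names are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed rank scales. The integrity level names are an assumption.
SECRECY = {"U": 0, "C": 1, "S": 2, "TS": 3}
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}


@dataclass(frozen=True)
class Label:
    """A lattice element: a hierarchical rank plus a set of compartments."""
    rank: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Partial order: rank at least as high AND a superset of compartments."""
        return self.rank >= other.rank and other.compartments <= self.compartments


def label(scale: dict, level: str, *compartments: str) -> Label:
    """Build a label from a named level on the given scale plus compartments."""
    return Label(scale[level], frozenset(compartments))


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both (e.g. a merged object)."""
    return Label(max(a.rank, b.rank), a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label that both dominate."""
    return Label(min(a.rank, b.rank), a.compartments & b.compartments)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): labels are secrecy levels."""
    if op == "read":
        return subject.dominates(obj)   # simple security property: no read up
    if op == "write":
        return obj.dominates(subject)   # * property: no write down
    raise ValueError(op)


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): labels are integrity levels; the rules are the mirror image."""
    if op == "read":
        return obj.dominates(subject)   # simple integrity axiom: no read down
    if op == "write":
        return subject.dominates(obj)   # * integrity axiom: no write up
    raise ValueError(op)
```

Two labels with the same rank but disjoint compartments (SECRET/NUC and SECRET/CRYPTO) are incomparable: neither read nor write is allowed in either direction, which is the compartmentalization the lattice slide describes. Running the same checks with both models on one object is what a system does when it enforces BLP and Biba simultaneously (as Lipner's combination does): an access must pass both.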

Page 31:

Information Flow Model
• State machine models that focus on the flow of information.
• Lattice based: one-way flow.
• Basis of design for both Biba and Bell-LaPadula.
• For confidentiality (Bell-LaPadula) the goal is to prevent information from flowing from a higher security level to a lower one; for integrity (Biba) it is to prevent flow from a lower integrity level to a higher one.

Page 32:

Clark-Wilson Security Model
• Focuses on integrity (commercial data, well-formed transactions).
• Constrained data items (CDI): data whose integrity the model protects.
• Unconstrained data items (UDI): input that has not yet been validated.
• Transformation Procedures (TP): the only programs allowed to change a CDI or to turn a UDI into a CDI.
• Integrity Verification Procedures (IVP): check that CDIs are in a valid state.
• Uses a subject/program/object relationship (access triples)
  – Subjects are restricted in the way they access objects.
  – Objects are accessed only through programs.
• Dictates that separation of duties be enforced
  – Critical functions are broken up among multiple subjects.
  – Prevents authorized subjects from making improper modifications to objects.
• Requires all changes to be logged.
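The following is an added example, not from the slides, that builds a small Clark-Wilson ledger: account balances are the CDI, a transfer request string is a UDI that only a TP may turn into a pending transfer, a second TP run by a different person commits it (separation of duties), an IVP checks the invariant that money is neither created nor destroyed, and every TP call is logged. The roles, the access triples and the account data are constructed for the example.

```python
# Access triples (role, TP, CDI): who may run which transformation procedure on
# which constrained data item. Constructed policy for the example.
ACCESS_TRIPLES = {
    ("clerk", "submit_transfer", "ledger"),
    ("supervisor", "approve_transfer", "ledger"),
    ("auditor", "run_ivp", "ledger"),
}


class Ledger:
    """A CDI (account balances) that may only be changed through the TPs below."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)                      # CDI
        self.expected_total = sum(self.balances.values())   # invariant checked by the IVP
        self.pending = {}                                   # submitted, not yet approved
        self.next_id = 1
        self.log = []                                       # every TP invocation is recorded

    def _authorize(self, user: str, role: str, tp: str) -> None:
        """Enforce the access triples: the role must be allowed to run this TP on the ledger."""
        if (role, tp, "ledger") not in ACCESS_TRIPLES:
            self.log.append((user, tp, "DENIED"))
            raise PermissionError(f"{user} ({role}) may not run {tp}")

    def submit_transfer(self, user: str, role: str, udi: str) -> int:
        """TP 1: turn an unconstrained request 'src,dst,amount' into a validated pending transfer."""
        self._authorize(user, role, "submit_transfer")
        try:
            src, dst, amount_text = udi.split(",")
            amount = int(amount_text)
        except ValueError:
            self.log.append((user, "submit_transfer", "REJECTED", udi))
            raise
        if (amount <= 0 or src == dst or src not in self.balances
                or dst not in self.balances or self.balances[src] < amount):
            self.log.append((user, "submit_transfer", "REJECTED", udi))
            raise ValueError(f"invalid transfer request: {udi!r}")
        tid = self.next_id
        self.next_id += 1
        self.pending[tid] = (src, dst, amount, user)
        self.log.append((user, "submit_transfer", "OK", tid))
        return tid

    def approve_transfer(self, user: str, role: str, tid: int) -> bool:
        """TP 2: a different person commits the transfer (separation of duties)."""
        self._authorize(user, role, "approve_transfer")
        src, dst, amount, submitter = self.pending[tid]
        if submitter == user:
            self.log.append((user, "approve_transfer", "DENIED-SOD", tid))
            raise PermissionError("submitter may not approve their own transfer")
        self.balances[src] -= amount
        self.balances[dst] += amount
        del self.pending[tid]
        self.log.append((user, "approve_transfer", "OK", tid))
        return True

    def run_ivp(self, user: str, role: str) -> bool:
        """IVP: confirm the CDI is in a valid state (total preserved, no negative balance)."""
        self._authorize(user, role, "run_ivp")
        ok = (sum(self.balances.values()) == self.expected_total
              and all(v >= 0 for v in self.balances.values()))
        self.log.append((user, "run_ivp", "OK" if ok else "FAIL"))
        return ok
```

Python cannot stop code from assigning to `ledger.balances` directly; in a real system the "only through TPs" rule is enforced by the database or the application server holding the CDI, and the IVP is what catches a bypass after the fact.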

Page 33:

Clark-Wilson Security Model
• Constrained data items (CDI)
• Unconstrained data items (UDI)
• Transformation Procedures (TP)
• Integrity Verification Procedures (IVP)

Page 34:

Brewer and Nash Security Model
• "Chinese Wall" Model
• Goal is to prevent conflicts of interest
  – Information flow model.
  – A subject is prevented from accessing information belonging to two competing clients (objects in the same conflict-of-interest class).
• The subject's access rights change dynamically: once the subject reads one client's data, the wall goes up around that client's competitors.
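The following is an added example, not from the slides, of the dynamic rule the Brewer-Nash slide describes: the first read is free, each read records the client in the subject's history, and from then on every competitor of a client already read is denied. The write rule is included as well, since it is what stops a consultant from carrying one client's information into another's files. The company names and conflict classes are constructed for the example.

```python
# Conflict-of-interest classes: company datasets grouped by industry.
# Constructed data for the example.
CONFLICT_CLASSES = {
    "bank-a": "banking",
    "bank-b": "banking",
    "oil-x": "oil",
    "oil-y": "oil",
}


class ChineseWall:
    """Brewer-Nash: what a subject may access depends on what it has already read."""

    def __init__(self, conflict_classes: dict):
        self.coi = dict(conflict_classes)
        self.history = {}     # subject -> set of datasets already read

    def can_read(self, subject: str, dataset: str) -> bool:
        """Simple security rule: allowed if the subject has read this dataset before,
        or if nothing it has read lies in the same conflict-of-interest class."""
        seen = self.history.get(subject, set())
        if dataset in seen:
            return True
        return not any(self.coi[s] == self.coi[dataset] for s in seen)

    def read(self, subject: str, dataset: str) -> None:
        """Perform a read; recording it is what raises the wall around competitors."""
        if not self.can_read(subject, dataset):
            raise PermissionError(f"{subject} is walled off from {dataset}")
        self.history.setdefault(subject, set()).add(dataset)

    def can_write(self, subject: str, dataset: str) -> bool:
        """*-property: write only if every dataset the subject has read is this one,
        so nothing learned from another company can leak into it."""
        if not self.can_read(subject, dataset):
            return False
        return self.history.get(subject, set()) <= {dataset}
```

The write rule is deliberately strict: a subject that has read two non-competing companies (bank-a and oil-x) can no longer write to either, because a write to bank-a could carry oil-x information that a colleague working for oil-y must never see. Real implementations relax this with "sanitized" (public) objects that do not count toward the history.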

Page 35:

Noninterference Model
• Ensures that the actions of subjects at one level do not interfere with (are not observable by) subjects and objects at other levels.
• Prevents high-level actions from being examined by low-level users
  – Information leakage
  – Inference attack (indirect covert channel)
• Requires complete separation between security levels.

Page 36:

Noninterference Model

Page 37:

Take-Grant Model
• Confidentiality-based.
• Primary focus is on how subjects pass on their "rights" (modelled as a directed graph of subjects and objects).
• Supports 4 basic operations:
  – Take
  – Grant
  – Create
  – Revoke

Page 38:

Security Modes
• The mode of operation in which the DAA/AO accredits an IS to operate; based on:
  – Sensitivity of the information being processed.
  – Clearance levels of authorized users.
• 4 modes:
  – Dedicated
  – System High
  – Compartmented or Partitioned
  – Multilevel Security

Page 39:

Security Modes
• Dedicated
  – Security clearance required for all data.
  – Formal approval required to access all data.
  – Need-to-know for all information.
• System High
  – Security clearance required for all data.
  – Formal approval required to access all data.
  – Need-to-know for some information.
  – Mode must provide audit trail capability.

Page 40:

Security Modes
• Compartmented
  – Security clearance required for the highest level of data classification on the system (i.e., for all data).
  – Formal approval required only for some of the data (the compartments the user works in).
  – Valid need-to-know for some information.

Page 41:

Security Modes
• Multilevel
  – Users need not be cleared for everything on the system; a user may access an object only when the user's clearance dominates the object's security label (enforced by MAC).
  – Formal approval required only for the data they will have access to.
  – Valid need-to-know only for the data they will have access to.

Page 42:

Security Modes

Requirement               Dedicated   System High   Compartmented   Multilevel
Nondisclosure Agreement   Yes         Yes           Yes             Yes
Clearance                 All         All           All             Some
Formal Access Approval    All         All           Some            Some
Need To Know              All         Some          Some            Some

Page 43:

Orange Book
• Trusted Computer System Evaluation Criteria (TCSEC), the "Orange Book".
• Developed to evaluate a stand-alone system's functionality and trustworthiness.
• Basis of measurement is Confidentiality.
• Four categories (A, B, C, D).
• Within each category, a higher number indicates a more secure system.

Page 44:

Orange Book
• The Orange Book defines four categories (broad hierarchical divisions) of security protection. In descending order of trust, they are:
  A  Verified protection
  B  Mandatory protection
  C  Discretionary protection
  D  Minimal security

Page 45:

Orange Book
• Each division consists of one or more numbered classes, with higher numbers indicating a higher degree of security.
• For example, division C contains two distinct classes (C2 offers more security than C1); division B contains three classes (B3 > B2 > B1); division A currently contains only one class (A1).

Page 46:

TCSEC Categories
• A – Verified protection
  – A1 – Verified Design & Protection
    • Formal design specification and verification; for Top-Secret data.
• B – Mandatory protection: based on the Bell-LaPadula model and MAC
  – B3 – Security Domains
    • Good for up to Secret data.
    • Must be able to boot "securely" (trusted recovery).
    • Layering, abstraction, and data hiding required.
  – B2 – Structured Protection
    • Must identify and analyze covert (storage) channels.
    • Operator and admin functions are separated.
    • Process isolation implemented.
    • Must support hierarchical device labeling.

Page 47:

TCSEC Categories
  – B1 – Labeled Security
    • Security labels are required.
    • Sufficient to house classified data.
    • Provides mandatory access control.
• C – Discretionary protection: based on DAC
  – C2 – Controlled Access
    • Users must be identified before gaining access to any system resource.
    • Object reuse protection.
    • Full auditing of security events.
    • Mandatory IDs.
  – C1 – Discretionary Security
    • User IDs and groups are used.
    • Implements access control lists.
• D – Minimal Security

Page 48:

TCSEC

Page 49:

TCSEC Measurement
• The evaluation criteria for the Orange Book were developed with three basic objectives: measurement, guidance and acquisition.
• Measurement: to provide users with a metric with which to assess the degree of trust and assurance that can be placed in computer systems for the secure processing of classified, or other sensitive, information.
• For example, a user can rely on a B2 system to be "more secure" than a C2 system.

Page 50:

TCSEC Guidance
• Provides guidance to manufacturers as to what to build into their trusted commercial products to satisfy trust requirements for sensitive applications.

Page 51:

Orange Book Complaints
• Model works only in a government classified environment, and the higher levels of security aren't appropriate for the protection of commercial data, where data integrity is the chief concern.
• Emphasizes protection from unauthorized access, while most security attacks actually involve insiders.
• Doesn't address networking issues. Stand-alone only.

Page 52:

Rainbow Series
• The government produced a number of other volumes interpreting Orange Book requirements. These are known collectively as the Rainbow Series, since each has a different cover color.
• Red Book – Trusted Network Interpretation
• Lavender Book – Trusted Database Management System Interpretation
• Green Book – Password Management Guideline
• Tan Book – A Guide to Understanding Audit in Trusted Systems
• Purple Book – Guidelines for Formal Verification Systems
• Burgundy Book – A Guide to Understanding Design Documentation in Trusted Systems

Page 53:

Information Technology Security Evaluation Criteria
• ITSEC
• European standard developed in the late 1980s and published in the early 1990s.
• Designed to be more flexible than TCSEC.
• Evaluates all information security services (confidentiality, integrity and availability), not only confidentiality.
• Does not require a TCB.
• Evaluation divided into 2 parts, rated separately:
  – Functionality (F): F1 – F10
  – Assurance (E): E0 – E6

Page 54:

Information Technology Security Evaluation Criteria

Page 55:

Common Criteria
• Globalized merger of ITSEC, TCSEC and the Canadian CTCPEC.
• De facto standard for evaluating systems.
• Made an official standard by ISO (ISO/IEC 15408).
• Signed by France, Germany, UK, USA, Australia, New Zealand, and Canada in 1998.
• Assurance categorized into one of seven Evaluation Assurance Levels (EALs).
• EALs provide a specific level of confidence in the security functions of the system being analyzed (the Target of Evaluation); they say how rigorously the product was examined, not how secure it is.

Page 56:

Common Criteria EALs
• EAL 1 - Functionally Tested
• EAL 2 - Structurally Tested
• EAL 3 - Methodically Tested and Checked
• EAL 4 - Methodically Designed, Tested, and Reviewed
• EAL 5 - Semiformally Designed and Tested
• EAL 6 - Semiformally Verified Design and Tested
• EAL 7 - Formally Verified Design and Tested
• "EAL 0 - Inadequate Assurance" appears in some study guides but is not defined in ISO/IEC 15408; the standard defines only EAL 1 through EAL 7.

Page 57:

Standards Overview

TCSEC   ITSEC    CC      Designation
A1      F6+E6    EAL 7   Verified Security
B3      F5+E5    EAL 6   Security Domains
B2      F4+E4    EAL 5   Structured Security
B1      F3+E3    EAL 4   Security Labels
C2      F2+E2    EAL 3   Controlled Access
C1      F1+E1    EAL 2   Discretionary Security
D       E0       EAL 1   Minimal Security

Page 58:

Certification
• Verification and validation of a system and its controls / safeguards.
• Security evaluation criteria are compared to the testing results.
  – Hardware, software, and configuration
  – Administrative, technical, and physical controls
  – Recertification is conducted at expiration or if the system is changed
• Results of the security review are certified by a Certifying Authority (CA in the C&A sense, not a PKI certificate authority).

Page 59:

Accreditation
• Management or a risk authority compares system capabilities, worth, and merit to the needs of the organization and its resources.
• Formal declaration to accept the operation and any system risks for a specified period of time.
• Changes require recertification.
• Types:
  – Provisional / Conditional (Interim)
  – Full

Page 60:

Quiz #7
• Short answer, closed book, closed notes.

Page 61:

Questions?

[email protected]
/~probbins
https://www.dorkatron.com/docs/ISA400/