CISSP Certification – Security Engineering – Part 1


Upload: hamed-moghaddam

Post on 09-Feb-2017


TRANSCRIPT

SECURITY ENGINEERING: Objectives of the Domain
• Understand the engineering lifecycle and apply security design principles.
• Understand the fundamental concepts of security models.
• Select controls and countermeasures based upon systems security standards.
• Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements, mobile systems, and embedded devices.
• Apply cryptography.
• Apply secure principles to site and facility design.

SECURITY ENGINEERING: The Engineering Lifecycle Using Security Design Principles
Systems engineering models and processes usually organize themselves around the concept of a lifecycle:
• Concept of operations
• Requirements
• Design
• Integration, test, and verification
• Verification and validation
• Operation and maintenance
• Retirement

SECURITY ENGINEERING: Fundamental Principles of Security Models
Common system components:
• Processors
• Memory and storage: primary storage, memory protection, secondary storage, virtual memory
• Firmware
• Peripherals and other I/O devices
• Operating system

SECURITY ENGINEERING: Security Architecture
Security architecture is part of the overall architecture of an information system. It directs how the components included in the system architecture should be organized to ensure that the security requirements are met. The security architecture of an information system should include:
• A description of the locations in the overall architecture where security measures should be placed.
• A description of how the various components of the architecture should interact to ensure security.
• The security specifications to be followed when designing and developing the system.

SECURITY ENGINEERING: Computer Architecture
Computer architecture comprises all the parts of a computer system that are necessary for it to function: the operating system, memory chips, logic circuits, storage devices, I/O devices, security components, buses, and networking components.

The Central Processing Unit (CPU) processes the instructions provided by the various applications and programs. To do this the CPU fetches those instructions from their memory locations.

The CPU can access memory locations in its cache and in random access memory (RAM). These types of memory are called primary memory.

The major components of the CPU:
• The Arithmetic Logic Unit (ALU), which performs the arithmetic and logical operations.
• The Control Unit, which coordinates instruction execution.
• Registers, which act as temporary memory locations and hold the memory addresses of the instructions and data the CPU is currently processing.

SECURITY ENGINEERING: Computer Architecture (continued)
• Multiprocessing – more than one CPU
• Operating system architecture
• Process activity
• Memory management
• Memory types – RAM, ROM, etc.
• Virtual memory
• CPU modes and protection rings

SECURITY ENGINEERING: CPU Modes & Protection Rings
Protection rings provide a security mechanism for an operating system by creating boundaries between the processes running on a system, ensuring that processes do not affect each other or harm critical system components. The lower the ring number, the higher the privilege.

• Ring 0 – Operating system kernel (supervisor / privileged mode)
• Ring 1 – Remaining parts of the operating system
• Ring 2 – I/O drivers and OS utilities
• Ring 3 – Applications (programs) and user activity

In practice, mainstream operating systems such as Linux and Windows on x86 use only two of these levels: ring 0 for the kernel (kernel mode) and ring 3 for everything else (user mode); rings 1 and 2 are rarely used.

SECURITY ENGINEERING: Recognizing Access Permissions
Let us evaluate the access control mechanism provided by the protection rings.

Suppose a subject is located in ring 3. Which ring levels can this subject access?

A subject located in ring 3 can directly access objects in its own ring only. Most applications running on a system operate from ring 3, which has the least access to system components. Conversely, a subject in a lower-numbered ring can directly access objects in higher-numbered rings.

Suppose an application located in ring 3 directly executes a privileged instruction, one that the CPU reserves for ring 0 (for example, disabling interrupts or changing the memory-management registers). What is the result (choose one)?

A. The CPU executes the instruction.
B. The CPU raises an exception.
C. The operating system uses a system call to handle the instruction.

Answer: B. The CPU refuses to execute a privileged instruction from ring 3 and raises an exception (on x86, a general protection fault). Control passes to the operating system's exception handler, which typically terminates the offending process. Ordinary, unprivileged instructions, by contrast, execute in ring 3 without any involvement of the OS.

When an application needs an operation that can only be performed from ring 0 (such as talking to hardware or touching another process's memory), it must request it from the OS through a system call. The system call switches the CPU into ring 0, the OS checks whether the request is permitted and performs it on the application's behalf, and control returns to ring 3.

SECURITY ENGINEERING: Computer Architecture (continued)
• Domains
• Layering and data hiding
• Virtual machines: a virtual machine is a software-simulated machine environment; it allows several isolated operating system instances or applications to run simultaneously on one physical computer.
• Additional storage devices
• Input/output device management

SECURITY ENGINEERING: System Architecture
Defined subset of subjects and objects.

Trusted Computing Base (TCB): a concept that originated in the Orange Book; the totality of protection mechanisms within a computer, covering hardware, software, and firmware.

Security perimeter: the boundary that delineates the trusted components (the TCB) from the untrusted components within a computer system.

Reference monitor: an abstract machine concept that mediates all access between subjects and objects according to the security policy.

Security kernel: the hardware, firmware, and software that implements and enforces the reference monitor concept. It:
• must provide isolation for the processes that carry out the reference monitor concept, so that it is tamperproof;
• must be invoked at every access attempt (complete mediation);
• must be small enough to be tested and verified in a comprehensive manner.

Security policy: a set of rules on how resources are managed within a computer system.

Least privilege: a process has no more privileges than it needs to perform its function.

SECURITY ENGINEERING: Security Models
The function of a security model is to:
• Map the abstract goals of a security policy onto an information system.
• Specify the mathematical formulae and data structures for implementing the security policy's goals.

While a security policy states goals without specifying how to accomplish them, a security model specifies a framework for implementing those goals.

An organization can use different types of security models. It is very important for security personnel to understand the different models in order to protect the organization's resources.

For example, the security model a military organization uses is quite different from that of a commercial entity, because the types of data differ: the military model is built around confidentiality and classification levels, while a commercial model is usually built around integrity and conflicts of interest.

A security model is formal when it is based on a purely mathematical formulation of the security policy; because the policy can then be proven to hold, formal models provide high assurance, for example in military systems and air traffic control systems.

A security model is informal when it merely describes how to express and execute security policies, without a mathematical proof.

SECURITY ENGINEERING: Enterprise Security Architecture (ESA)
Implements the building blocks of the information security infrastructure across the entire organization. It focuses on a strategic design for a set of security services that can be leveraged by multiple applications, systems, or business processes.

Key goals and objectives of an ESA include:
• A long-term view of controls
• A unified vision for common security controls
• Leveraging existing technology investments
• A flexible approach to current and future threats

SECURITY ENGINEERING: Common Security Services
• Boundary control services – firewalls, border routers, etc.
• Access control services – authentication, single sign-on (SSO), etc.
• Integrity services – antivirus, content filtering, file integrity monitoring, etc.
• Cryptographic services – encryption services, PKI, etc.
• Audit and monitoring services – log collection and management, analytics (SIEM – Security Information and Event Management)

SECURITY ENGINEERING: Security Zones of Control
A zone of control is an area or grouping within which a defined set of security policies and measures are applied to achieve a specific level of security.

Zoning ensures that data in a more secure zone does not leak into a less secure zone, and that systems in a less secure zone cannot reach into a more secure one without passing through a control point.

Zones are tightly controlled with mechanisms such as firewalls, authentication services, proxies, etc.

SECURITY ENGINEERING: Common Architecture Frameworks
An architecture framework is a structure that can be used to develop a broad range of architectures. It describes a method of designing an integrated set of systems or system components, and may include a set of recommended standards and operational practices.

SECURITY ENGINEERING: Zachman Framework
• Developed as a common context for understanding complex architectures.
• Allows for the communication and collaboration of all entities involved in the development of architectures.
• Provides a logical structure for integrating the plan, design, and build aspects of an architecture.

CISSP – SECURITY ENGINEERING
ASM Educational Center Inc. (ASM) – where training, technology & service converge – www.asmed.com – phone: (301) 984-7400

SECURITY ENGINEERING: Sherwood Applied Business Security Architecture (SABSA) Framework
• A holistic lifecycle for developing a security architecture that is driven by business requirements.
• It creates a chain of traceability through the phases of strategy, concept, design, implementation, and metrics, so that every control can be traced back to the business requirement that justifies it.

SECURITY ENGINEERING: The Open Group Architecture Framework (TOGAF)
• An open framework for organizations to design and build enterprise architectures.
• Provides the Architecture Development Method (ADM), which describes the step-by-step process.

SECURITY ENGINEERING: IT Infrastructure Library (ITIL)
• Developed by the Central Computer and Telecommunications Agency (CCTA), an agency of the British government.
• ITIL defines the organizational structure, skill requirements, and operational procedures and practices that direct IT operations and infrastructure, including security.
• What sets ITIL apart is its strong focus on end-to-end service delivery and management.

SECURITY ENGINEERING: Types of Security Models
• State machine model
• Multilevel lattice model
• Non-interference model
• Information flow model

Security models covered in this section:
• State machine models
• The Bell-LaPadula model
• The Biba model
• The Clark-Wilson model
• The Brewer & Nash model
• Take-Grant model
• Access control matrix
• The Graham-Denning model
• The information flow model
• The non-interference model
• The Harrison-Ruzzo-Ullman model

SECURITY ENGINEERING: Security Models – State Machine Models
The state of a system is its snapshot at one particular moment. The state machine model describes the subjects, objects, and sequences of operations in a system. The focus of this model is to capture the system's state and ensure that it is secure.

When an object accepts input, the value of the state variable is modified. For a subject to access this object or modify its value, the subject must have the appropriate access rights.

State transitions are the activities that alter a system's state. A system is secure if it starts in a secure state and every possible transition leads only to another secure state.

SECURITY ENGINEERING: Confidentiality Models – Bell-LaPadula
• Developed by David Elliott Bell and Len LaPadula.
• This model focuses on data confidentiality and access to classified information.
• A formal model developed for the DoD multilevel security policy.
• Divides the entities in an information system into subjects and objects.
• Built on the concept of a state machine with different allowable states (i.e., secure states).

SECURITY ENGINEERING: Bell-LaPadula Confidentiality Model
The model's rules:

• Simple Security Property – "no read up": a subject cannot read data from a security level higher than the subject's own security level.
• * (Star) Security Property – "no write down": a subject cannot write data to a security level lower than the subject's own security level.
• Strong * Property – "no write up and no read down": a subject with read/write privilege can perform read and write functions only at the subject's own security level.

The strong * property is a stricter variant of the * property, not an additional rule; the model's third canonical rule is the Discretionary Security Property, under which each access must also be permitted by an access matrix. Note that the plain * property still allows a low subject to write up into a higher level, which protects confidentiality but does nothing for integrity.

SECURITY ENGINEERING: Integrity Models (e.g., Biba, Clark-Wilson)
Biba Integrity Model
• Developed by Kenneth J. Biba in 1977; based on a set of access control rules designed to ensure data integrity.
• No subject can depend on an object of lesser integrity.
• Based on a hierarchical lattice of integrity levels.
• Authorized users must perform correct and safe procedures to protect data integrity.

SECURITY ENGINEERING: Biba Integrity Model – The Rules
• Simple integrity axiom – "no read down": a subject cannot read data from an object at a lower integrity level.
• * (Star) integrity axiom – "no write up": a subject cannot write data to an object at a higher integrity level.
• Invocation property: a subject cannot invoke (call upon) a subject at a higher integrity level.
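The following is an added worked example, not code from the slides: a small reference monitor (the concept from the System Architecture slide) that checks every access against the Bell-LaPadula rules and the Biba rules above over a lattice of sensitivity levels and compartments. The level names, compartment names, users and files are invented for the example, and the strong *-property is modelled as requiring exactly equal labels.

```python
# Added example (not from the slides): a toy reference monitor that enforces
# the Bell-LaPadula confidentiality rules and the Biba integrity rules over a
# multilevel lattice. The level, compartment, user and file names are invented.
from dataclasses import dataclass

# Hierarchical sensitivity levels. A label also carries a set of compartments
# (need-to-know categories), so "dominates" is only a partial order: two
# labels at the same level but with different compartments are incomparable.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}  # Biba lattice (a total order here)


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label
    integrity: str


@dataclass(frozen=True)
class Object:
    name: str
    classification: Label
    integrity: str


def blp_allows(subject, obj, op):
    """Bell-LaPadula. read: simple security property (no read up);
    write: *-property (no write down); readwrite: strong *-property
    (only at exactly the subject's own label)."""
    s, o = subject.clearance, obj.classification
    if op == "read":
        return s.dominates(o)
    if op == "write":
        return o.dominates(s)
    if op == "readwrite":
        return s == o
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject, obj, op):
    """Biba. read: simple integrity axiom (no read down);
    write: *-integrity axiom (no write up); readwrite: same level only."""
    s, o = INTEGRITY[subject.integrity], INTEGRITY[obj.integrity]
    if op == "read":
        return o >= s
    if op == "write":
        return s >= o
    if op == "readwrite":
        return s == o
    raise ValueError(f"unknown operation {op!r}")


def reference_monitor(subject, obj, op, policies=(blp_allows, biba_allows)):
    """Mediates every access: the request is granted only if every policy the
    kernel is configured with allows it (complete mediation)."""
    return all(policy(subject, obj, op) for policy in policies)


# Constructed sample population.
ALICE = Subject("alice", Label("SECRET", frozenset({"NUCLEAR"})), "HIGH")
BOB = Subject("bob", Label("CONFIDENTIAL"), "LOW")
TS_PLAN = Object("ts_plan", Label("TOP SECRET", frozenset({"NUCLEAR"})), "HIGH")
SECRET_DOC = Object("secret_doc", Label("SECRET", frozenset({"NUCLEAR"})), "HIGH")
CRYPTO_DOC = Object("crypto_doc", Label("SECRET", frozenset({"CRYPTO"})), "HIGH")
PUBLIC_MEMO = Object("public_memo", Label("UNCLASSIFIED"), "LOW")

if __name__ == "__main__":
    for subj in (ALICE, BOB):
        for obj in (TS_PLAN, SECRET_DOC, CRYPTO_DOC, PUBLIC_MEMO):
            for op in ("read", "write", "readwrite"):
                verdict = "ALLOW" if reference_monitor(subj, obj, op) else "DENY"
                print(f"{subj.name:6} {op:9} {obj.name:12} "
                      f"BLP={blp_allows(subj, obj, op)!s:5} "
                      f"Biba={biba_allows(subj, obj, op)!s:5} -> {verdict}")
```

Two things the table of verdicts shows that the rules alone do not: a SECRET/NUCLEAR clearance cannot read a SECRET/CRYPTO document (the lattice is partial, not a simple ladder), and Bell-LaPadula by itself would let the LOW-integrity user bob write into the HIGH-integrity secret document; only the Biba check in the same monitor stops that.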

SECURITY ENGINEERING: Commercial Models – Clark-Wilson Integrity Model
Model characteristics:
• Deals with all three integrity goals:
  – prevents unauthorized users from making modifications;
  – prevents authorized users from making improper modifications;
  – maintains internal and external consistency.
• Reinforces separation of duties.
• Data is modeled as constrained data items (CDIs) and unconstrained data items (UDIs); CDIs may only be changed through well-formed transactions (transformation procedures, TPs), and each subject is bound to the TPs it may run by access triples of the form (subject, TP, CDI).

SECURITY ENGINEERING: Commercial Models (continued)
Brewer-Nash Model, a.k.a. Chinese Wall
• Developed to combat conflicts of interest; published in 1989 to ensure fair competition.
• Defines a wall and a set of rules to ensure that no subject accesses objects on the other side of the wall.
• A way of separating competitors' data within the same integrated database.
• Access rights change dynamically with the subject's history: once a subject has read one company's data, every competitor of that company in the same conflict-of-interest class moves behind the wall for that subject.
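An added example, not from the slides, of how the Brewer-Nash wall is enforced dynamically from each subject's access history. The conflict-of-interest classes, company names and analyst names are constructed for the example, and "PUBLIC" stands in for sanitized data that belongs to no class.

```python
# Added example (not from the slides): Brewer-Nash / Chinese Wall enforcement.
# Company datasets are grouped into conflict-of-interest classes; once an
# analyst has read one company's data, every competitor in that class is
# behind the wall for that analyst. Company and analyst names are invented.
from collections import defaultdict

# Constructed sample: two conflict-of-interest classes. "PUBLIC" stands for
# sanitized data that belongs to no class and is never walled off.
CONFLICT_CLASSES = {
    "BANKS": {"BankA", "BankB"},
    "OIL": {"OilX", "OilY"},
}


class ChineseWall:
    def __init__(self, conflict_classes):
        self.class_of = {company: cls
                         for cls, companies in conflict_classes.items()
                         for company in companies}
        # The model is history based: what a subject has already read decides
        # what it may read or write next.
        self.history = defaultdict(set)

    def competes(self, a, b):
        """True if a and b are different companies in the same conflict class."""
        return (a != b and a in self.class_of and b in self.class_of
                and self.class_of[a] == self.class_of[b])

    def can_read(self, subject, company):
        """Simple security rule: reading is allowed unless the subject has
        already read data of a competitor of `company`."""
        return not any(self.competes(seen, company) for seen in self.history[subject])

    def read(self, subject, company):
        if not self.can_read(subject, company):
            raise PermissionError(f"{subject} may not read {company}: conflict of interest")
        self.history[subject].add(company)

    def can_write(self, subject, company):
        """*-property: a subject may write to `company` only if it can read it
        and has read no unsanitized data of any other company; otherwise it
        could copy one company's secrets into another company's dataset."""
        if not self.can_read(subject, company):
            return False
        return all(seen == company or seen not in self.class_of
                   for seen in self.history[subject])

    def write(self, subject, company):
        if not self.can_write(subject, company):
            raise PermissionError(f"{subject} may not write {company}: would leak across the wall")
        self.history[subject].add(company)


if __name__ == "__main__":
    wall = ChineseWall(CONFLICT_CLASSES)
    wall.read("ana", "BankA")     # first bank: fine
    wall.read("ana", "OilX")      # different class: fine
    wall.read("ana", "PUBLIC")    # sanitized: never walled off
    print("ana -> BankB:", wall.can_read("ana", "BankB"))      # False, competitor of BankA
    print("ana write BankA:", wall.can_write("ana", "BankA"))  # False, she has read OilX too
    wall.read("ben", "BankB")
    print("ben write BankB:", wall.can_write("ben", "BankB"))  # True
    print("ben -> BankA:", wall.can_read("ben", "BankA"))      # False
```

Note that the write rule is stricter than the read rule: ana may keep reading BankA and OilX, but she may no longer write into either dataset, because anything she writes could carry the other company's information across the wall. Practical systems therefore give analysts who must write access to only one company's data at a time.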

SECURITY ENGINEERING: Commercial Models – Take-Grant Model
Model characteristics:
• A mathematical (graph-based) framework used for granting and revoking access rights: subjects and objects are nodes, and a directed, labelled edge records the rights one node holds over another.
• The take rule allows a subject holding the "take" right over another subject to take the rights of that subject.
• The grant rule allows a subject holding the "grant" right over another subject to grant its own rights to that subject.
• The model also has create and remove rules. Its value is that the safety question, "can subject A ever obtain right r to object B?", is decidable, and in time linear in the size of the graph.
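An added example, not from the slides: the Take-Grant graph and its two rules in code, plus a fixed-point search that answers the model's central question for a given graph. The node names are invented, and only the take and grant rules are implemented (no create or remove), so a negative answer from the search is conservative.

```python
# Added example (not from the slides): the Take-Grant model as a directed graph
# of rights, with the take and grant rewriting rules and a closure search that
# answers "can this subject ever obtain that right?". Node names are invented.
class TakeGrant:
    TAKE, GRANT = "t", "g"   # the two special rights that drive the rules

    def __init__(self):
        self.edges = {}      # (source, target) -> set of rights

    def add(self, src, dst, rights):
        self.edges.setdefault((src, dst), set()).update(rights)

    def rights(self, src, dst):
        return self.edges.get((src, dst), set())

    def take(self, s, x, y, right):
        """take rule: s --t--> x and x --right--> y  ==>  s --right--> y."""
        if self.TAKE in self.rights(s, x) and right in self.rights(x, y):
            self.add(s, y, {right})
            return True
        return False

    def grant(self, s, x, y, right):
        """grant rule: s --g--> x and s --right--> y  ==>  x --right--> y."""
        if self.GRANT in self.rights(s, x) and right in self.rights(s, y):
            self.add(x, y, {right})
            return True
        return False

    def closure(self):
        """Apply take and grant everywhere until nothing changes. The graph is
        finite and edges only ever gain rights, so this terminates."""
        g = TakeGrant()
        g.edges = {k: set(v) for k, v in self.edges.items()}
        changed = True
        while changed:
            changed = False
            for (a, b), r in list(g.edges.items()):
                for (c, d), r2 in list(g.edges.items()):
                    if self.TAKE in r and c == b and not r2 <= g.rights(a, d):
                        g.add(a, d, r2)          # a takes everything b holds on d
                        changed = True
                    if self.GRANT in r and c == a and d != b and not r2 <= g.rights(b, d):
                        g.add(b, d, r2)          # a grants everything it holds on d to b
                        changed = True
        return g

    def can_acquire(self, s, y, right):
        """Can s obtain `right` to y using only take and grant? (The full model
        also has create and remove rules, so False here is conservative.)"""
        return right in self.closure().rights(s, y)


# Constructed sample graph.
def sample_graph():
    tg = TakeGrant()
    tg.add("alice", "bob", {"t"})     # alice can take whatever bob holds
    tg.add("bob", "file", {"r"})      # bob can read the file
    tg.add("bob", "carol", {"g"})     # bob can grant his rights to carol
    tg.add("eve", "alice", {"t"})     # eve can take whatever alice holds
    return tg


if __name__ == "__main__":
    tg = sample_graph()
    for who in ("alice", "carol", "eve", "dave"):
        print(f"{who} can acquire r on file: {tg.can_acquire(who, 'file', 'r')}")
```

The interesting case is eve: she holds no right to the file and no edge to bob, yet two applications of the take rule (take alice's "t" to bob, then take bob's "r" to the file) get her read access. That is exactly the transitive leakage the safety question is meant to expose.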

SECURITY ENGINEERING: Commercial Models – Access Control Matrix Model
Model characteristics:
• Specifies the access rights of each subject with respect to each object.
• A two-dimensional matrix with subjects in rows and objects in columns; each cell holds the rights that subject has to that object.
• Implemented either by storing each column with its object (an access control list, ACL) or each row with its subject (a capability list).

Subjects \ Objects | Admin Directory | Payroll File | Pay Process
Kwame              | Read            | Read/Write   | None
Dan                | Read            | Read         | None
Angela             | Read            | Delete       | Execute
Juan               | Read            | Read/Write   | Execute
Lee                | Read            | Update       | Delete

SECURITY ENGINEERING: Commercial Models – Graham-Denning Model
Model characteristics:
• Defines the eight commands a subject can execute securely to change the access control matrix:
  – create and delete an object;
  – create and delete a subject;
  – read, grant, delete, and transfer an access right.
• Each command is protected by a rule: the creator of an object becomes its owner, the creator of a subject gains control over it, only an owner (or controller) may grant, delete, or inspect rights, and a right may be transferred only by a subject that holds it in transferable form.
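An added example, not from the slides, that serves both the access control matrix slide (it loads the matrix from that slide's table) and the Graham-Denning slide: the matrix is stored as a map from (subject, object) to a set of rights, the ACL and capability-list views are projected from it, and every command that changes the matrix is gated by the owner/control rights. The "admin" subject who creates all objects and subjects, and the trailing "*" marking a right as transferable, are assumptions of this example.

```python
# Added example (not from the slides): the access control matrix from the
# slide's table as a data structure, its column (ACL) and row (capability)
# views, and the Graham-Denning commands that modify it. The "admin" owner
# and the "*" transferable-right marker are assumptions of this example.
from collections import defaultdict


class AccessMatrix:
    """rights[(subject, object)] -> set of rights. 'owner' and 'control' are
    the special rights Graham-Denning uses to decide who may change the matrix."""

    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.rights = defaultdict(set)

    # --- the eight Graham-Denning commands ---
    def create_subject(self, creator, new):
        self.subjects.add(new)
        self.objects.add(new)                       # a subject is also an object
        self.rights[(creator, new)].add("control")  # creator controls the new subject

    def create_object(self, creator, obj):
        self.objects.add(obj)
        self.rights[(creator, obj)].add("owner")    # creator owns the new object

    def delete_object(self, requester, obj):
        self._require("owner" in self.rights[(requester, obj)], requester, "delete object", obj)
        self.objects.discard(obj)
        for key in [k for k in self.rights if k[1] == obj]:
            del self.rights[key]

    def delete_subject(self, requester, subj):
        self._require("control" in self.rights[(requester, subj)], requester, "delete subject", subj)
        self.subjects.discard(subj)
        self.objects.discard(subj)
        for key in [k for k in self.rights if subj in k]:
            del self.rights[key]

    def read_rights(self, requester, subj, obj):
        allowed = "owner" in self.rights[(requester, obj)] or "control" in self.rights[(requester, subj)]
        self._require(allowed, requester, "read the rights of", f"{subj} on {obj}")
        return set(self.rights[(subj, obj)])

    def grant(self, requester, right, obj, to):
        self._require("owner" in self.rights[(requester, obj)], requester, f"grant {right} on", obj)
        self.rights[(to, obj)].add(right)

    def delete_right(self, requester, right, obj, frm):
        allowed = "owner" in self.rights[(requester, obj)] or "control" in self.rights[(requester, frm)]
        self._require(allowed, requester, f"delete {right} on", obj)
        self.rights[(frm, obj)].discard(right)

    def transfer(self, requester, right, obj, to):
        # only a right held in transferable form (marked with '*') may be passed on
        self._require(right + "*" in self.rights[(requester, obj)], requester, f"transfer {right} on", obj)
        self.rights[(to, obj)].add(right)

    # --- the two classic projections of the matrix ---
    def acl(self, obj):
        """Column: who holds what on this object (an access control list)."""
        return {s: sorted(r) for (s, o), r in self.rights.items() if o == obj and r}

    def capabilities(self, subj):
        """Row: what this subject holds on each object (a capability list)."""
        return {o: sorted(r) for (s, o), r in self.rights.items() if s == subj and r}

    def check(self, subj, obj, right):
        return right in self.rights[(subj, obj)]

    @staticmethod
    def _require(cond, who, action, what):
        if not cond:
            raise PermissionError(f"{who} may not {action} {what}")


# The matrix from the slide's table, row -> column -> cell.
SLIDE_TABLE = {
    "Kwame":  {"Admin Directory": "Read", "Payroll File": "Read/Write", "Pay Process": "None"},
    "Dan":    {"Admin Directory": "Read", "Payroll File": "Read",       "Pay Process": "None"},
    "Angela": {"Admin Directory": "Read", "Payroll File": "Delete",     "Pay Process": "Execute"},
    "Juan":   {"Admin Directory": "Read", "Payroll File": "Read/Write", "Pay Process": "Execute"},
    "Lee":    {"Admin Directory": "Read", "Payroll File": "Update",     "Pay Process": "Delete"},
}


def load_slide_matrix(admin="admin"):
    """Build the slide's matrix using only the Graham-Denning commands."""
    m = AccessMatrix()
    m.subjects.add(admin)
    for obj in ("Admin Directory", "Payroll File", "Pay Process"):
        m.create_object(admin, obj)
    for user, row in SLIDE_TABLE.items():
        m.create_subject(admin, user)
        for obj, cell in row.items():
            for right in cell.split("/"):
                if right != "None":
                    m.grant(admin, right.lower(), obj, user)
    return m


if __name__ == "__main__":
    m = load_slide_matrix()
    print("ACL for Pay Process:", m.acl("Pay Process"))
    print("Capabilities of Dan:", m.capabilities("Dan"))
    try:
        m.grant("Dan", "write", "Payroll File", "Dan")   # Dan does not own the file
    except PermissionError as e:
        print("denied:", e)
```

The ACL and capability views are the same information read in two directions, which is why the slide calls the model "implemented using an ACL": an operating system stores the column with each file, while a capability system hands the row to each process. The Graham-Denning gates are what stop Dan from simply writing "write" into his own cell.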

SECURITY ENGINEERING: Information Flow Model
Model characteristics:
• Holds data in distinct compartments; data is compartmentalized based on classification and need to know.
• Seeks to eliminate covert channels by constraining every flow of information, not just direct reads and writes.
• Ensures that information always flows from a lower security level to a higher (or equal) security level, and from a higher integrity level to a lower (or equal) integrity level: only upward in the confidentiality lattice and only downward in the integrity lattice.
• Whatever component directly affects the flow of information must dominate all components involved in the flow.

SECURITY ENGINEERING: Noninterference Model
Model characteristics:
• Ensures that actions at a higher security level do not interfere with, i.e. are not observable from, the lower security level.
• The goal of this model is to protect the state seen by an entity at the lower security level from being affected by actions at the higher security level, so that data cannot leak through covert or timing channels.

SECURITY ENGINEERING: Harrison-Ruzzo-Ullman Model
Model characteristics:
The Harrison-Ruzzo-Ullman (HRU) model generalizes the access control matrix: it provides policies (commands) for changing access rights and for creating and deleting subjects and objects. It is generally considered one of the more complex security models; its main result is that the safety question, whether a given right can ever leak to a given subject, is undecidable for the general model.

SECURITY ENGINEERING: Security Modes of Operation
Dedicated security mode: all users have a clearance for, a formal access approval for, and a need to know about, all data processed within the system.

System high security mode: all users have a security clearance and formal access approval for all information on the system, but not necessarily a need to know for all of it.

Compartmented security mode: all users have a security clearance for the highest level of information processed on the system, but not necessarily formal access approval or a need to know for all of it.

Multilevel security mode: two or more classification levels of information are processed at the same time, and not all users have the clearance or approval to access all of the information being processed. Each user may access only what they are cleared and approved for and need in order to perform their duties; the system itself must enforce the separation.

Trust and Assurance
Trust describes how much protection a system offers its customer; assurance is the degree of confidence, established by evaluation, that the system will enforce that protection in a predictable manner. The more trust a system claims, the more assurance evidence it must provide.

SECURITY ENGINEERING: Capturing & Analyzing Requirements
• Functional requirements
• Nonfunctional requirements

SECURITY ENGINEERING: Creating & Documenting Security Architecture
Requirement capturing is paramount to the architecture and design of every system.

SECURITY ENGINEERING: Information Systems Security Evaluation Models
• Common formal security methods
• Evaluation criteria

SECURITY ENGINEERING: Product Evaluation Models
• Trusted Computer System Evaluation Criteria (TCSEC)
• ITSEC
• The Common Criteria

SECURITY ENGINEERING: Trusted Computer System Evaluation Criteria (TCSEC)
• Developed by the National Computer Security Center (NCSC) for the DoD.
• Also known as the Orange Book.
• Based on the Bell-LaPadula model (deals only with confidentiality).
• Uses a hierarchically ordered series of evaluation classes.

Fundamental requirements:
• Security policy – evaluated to check that it is well defined and enforced by the system.
• Marking/labels – evaluated to ensure that access control labels are available for all objects.
• Identification – evaluated to check that all individual subjects are uniquely identified.
• Accountability – evaluated to check that security audit data is logged and protected.
• Life-cycle assurance – evaluated by separately testing software, hardware, and firmware to ascertain that they implement the security policy.
• Continuous protection – evaluated to check that the design supports continuous protection.
• Documentation – evaluated for completeness; should include user guides, manuals, and test, design, and specification documents.

SECURITY ENGINEERING: TCSEC Ratings
• A1 – Verified Protection
• B1, B2, B3 – Mandatory Protection
• C1, C2 – Discretionary Protection
• D – Minimal Protection

SECURITY ENGINEERING: Information Technology Security Evaluation Criteria (ITSEC)
• Created by several European nations in 1991 as a standard to evaluate the security attributes of computer systems.
• Evaluates functionality and assurance separately.
• E1 to E6 for assurance.
• Functionality classes F1 to F10; because a product may instead state its functionality freely in its security target, these classes are not strictly required.

SECURITY ENGINEERING: ITSEC Functionality Classes
• F1 to F5 – map to the TCSEC ratings C1 to A1.
• F6 – for systems that require high levels of integrity for data and programs.
• F7 – for systems that require high levels of availability of their functions.
• F8 – for systems that require high levels of data integrity during communications.
• F9 – for systems that require high levels of data confidentiality during communications.
• F10 – for networks that require high levels of data confidentiality and integrity.

SECURITY ENGINEERING: ITSEC Assurance Ratings
• E0 – Inadequate assurance; assigned to systems that fail to meet the E1 criteria.
• E1 – Includes functional testing to verify that the target of evaluation (TOE) meets its security target.
• E2 – Adds evaluation of the testing evidence, configuration control, and distribution processes.
• E3 – Evaluates the source code and hardware drawings of the security mechanisms, and the testing of those mechanisms.
• E4 – Requires a formal model of the security policy, plus semiformal specifications of the security mechanisms, the architectural design, and the detailed design.
• E5 – Evaluates whether there is close correspondence between the detailed design and the source code or hardware drawings.
• E6 – Requires formal verification that the security mechanisms and the architectural design are consistent with the formal security policy model.

SECURITY ENGINEERING: ITSEC to TCSEC Mapping

ITSEC    | TCSEC
E0       | D
F1 + E1  | C1
F2 + E2  | C2
F3 + E3  | B1
F4 + E4  | B2
F5 + E5  | B3
F5 + E6  | A1

SECURITY ENGINEERING: Common Criteria (CC)
• Work on the Common Criteria began in 1993 as a global security evaluation standard; it is published as ISO/IEC 15408.
• Drawn from TCSEC, ITSEC, and the Canadian criteria (CTCPEC).

Components
Protection Profile (PP): a set of security requirements and objectives for a class of product, written independently of any particular implementation.

A Protection Profile consists of:
• Descriptive elements – the name of the profile and a description of the security problem to be solved.
• Rationale – justifies the profile and provides a detailed description of the real-world problems that need to be solved.
• Functional requirements – establish the protection boundary that the product must provide.
• Development assurance requirements – identify the requirements for the various development phases of the product.
• Evaluation assurance requirements – establish the type and intensity of the evaluation.

SECURITY ENGINEERING: Common Criteria (CC) – Further Components
• Target of Evaluation (TOE) – the product or system actually being evaluated.
• Security Target (ST) – the document in which the vendor states the security claims for a specific TOE, usually by claiming conformance to one or more protection profiles.
• Evaluation packages – predefined bundles of assurance requirements; the standard packages are the Evaluation Assurance Levels (EALs).

SECURITY ENGINEERING: Common Criteria (CC) Ratings
Rated as Evaluation Assurance Level (EAL) 1 through 7:
• EAL 1 – Functionally tested
• EAL 2 – Structurally tested
• EAL 3 – Methodically tested and checked
• EAL 4 – Methodically designed, tested, and reviewed
• EAL 5 – Semiformally designed and tested
• EAL 6 – Semiformally verified design and tested
• EAL 7 – Formally verified design and tested

SECURITY ENGINEERING: Industry & International Security Implementation Guidelines
• ISO/IEC 27001 and 27002 security standards
• Control Objectives for Information and Related Technology (COBIT)
• Payment Card Industry Data Security Standard (PCI DSS)

GOOD LUCK!