CYBR 3300 - Chapter 8
Four processes of access controls
1. Obtaining the identity of the entity requesting access to a logical or physical area (identification)
2. Confirming the identity of the entity seeking access to a logical or physical area (authentication)
3. Determining which actions an authenticated entity can perform in that physical or logical area (authorization)
4. Documenting the activities of the authorized individual and systems (accountability)
timing channels
A TCSEC-defined covert channel that communicates by managing the relative timing of events.
security clearance
A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access.
mandatory access control (MAC)
A required, structured data classification scheme that rates each collection of information as well as each user. These ratings are often referred to as sensitivity or classification levels.
lattice-based access control
A variation on the MAC form of access control, which assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects such as users and objects.
discretionary access controls (DACs)
Access controls that are implemented at the discretion or option of the data user.
nondiscretionary controls
Access controls that are implemented by a central authority.
dumpster diving
An information attack that involves searching through a target organization's trash and recycling bins for sensitive information.
Information Technology System Evaluation Criteria (ITSEC)
An international set of criteria for evaluating computer systems, very similar to TCSEC. Targets of Evaluation (ToE) are compared to detailed security function specifications, resulting in an assessment of system functionality and comprehensive penetration testing. It was, for the most part, functionally replaced by the Common Criteria. Rates products on a scale of E1 (lowest) to E6 (highest).
Common Criteria for Information Technology Security Evaluation
An international standard (ISO/IEC 15408) for computer security certification that is considered the successor to TCSEC and ITSEC; it reconciles some of the differences between the various other standards. This and the CEM are the technical basis for the CCRA, which seeks the widest possible mutual recognition of secure IT products. The process assures that the specification, implementation, and evaluation of computer security products are performed in a rigorous and standard manner.
Security Clearances
Another component of a data classification scheme: each user of an information asset is assigned an authorization level that identifies the level of information classification he or she can access. Accomplished by assigning each employee to a named role. Most organizations have developed roles and corresponding _________ so individuals are assigned into authorization levels correlating with the classifications of the information assets.
ISO/IEC 27001's primary purpose
To be used as a standard that organizations can adopt to obtain certification and build an InfoSec program. Serves better as an assessment tool than as an implementation framework.
ISO/IEC 27000:2013
Broad overview of the various areas of security. Provides information on 14 security control clauses and addresses 35 control objectives and more than 110 individual controls.
Security functional requirements (SFRs)
Catalog of a product's security functions.
Clean desk policy
Control that managers can use to maintain the confidentiality of classified documents. A risk management control. Requires each employee to secure all information in its appropriate storage container at the end of every business day.
Managerial
Controls that cover security processes designed by strategic planners, integrated into the organization's management practices, and routinely used by security administrators to design, implement, and monitor other control systems
Operational (or administrative)
Controls that deal with the operational functions of security that have been integrated into the repeatable processes of the organization
EAL Scale
EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested and checked
EAL4: Methodically designed, tested, and reviewed
EAL5: Semiformally designed and tested
EAL6: Semiformally verified design and tested
EAL7: Formally verified design and tested
Directive
Employs administrative controls such as policy and training designed to proscribe certain user behavior in the organization
Non-NSI Government classification
•For Official Use Only (FOUO)
•Sensitive but Unclassified (SBU)
•Law Enforcement Sensitive (LES)
Preventative
Helps an organization avoid an incident
Dumpster bins
If located on public property, individuals may not be violating the law by searching through them. If located on private property, individuals may be charged with trespassing.
blueprint
In information security, a framework or security model customized to an organization, including implementation details. Includes information on how to get to the end product.
capabilities table
In a lattice-based access control, the row of attributes associated with a particular subject (such as a user).
framework
In InfoSec, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies, security education and training programs, and technological controls. AKA security model.
Temporal (time-based) isolation
In some cases, access to information is limited by a time-of-day constraint. Physical example: a time-release safe.
Internal benchmarking
Also known as baselining. Involves comparing organizational performance at some defined state against current or expected performance.
Key principles of access control
•Least privilege
•Need-to-know
•Separation of duties
Organizational classification scheme
Most organizations working outside of national security don't need the detailed level of classification; a common scheme is confidential, internal, and external. Data owners must classify the information assets for which they are responsible and review the classifications periodically.
•Public - for general public dissemination
•For official (or internal) use only - not for public release but not sensitive
•Confidential (or Sensitive) - essential and protected information whose disclosure could severely damage the organization's finances or reputation
Role-based controls
Nondiscretionary controls tied to the role that a particular user performs in an organization, whereas task-based controls are tied to a particular assignment or responsibility.
Task-based controls
Nondiscretionary controls that are based on a specified set of tasks. Can be based on lists maintained on subjects or objects. Tied to a particular assignment, project, or responsibility.
Rule-based access control
One discretionary model: access is granted based on a set of rules specified by the central authority. The individual user is the one who creates the rule.
ISO/IEC 27001:2013
Provides information for how to implement ISO/IEC 27002 and set up an ISMS
Corrective
Remedies a circumstance or mitigates damage done during an incident
Compensating
Resolves shortcomings
Recovery
Restores operating conditions back to normal
Constrained user interfaces
Some systems are designed specifically to restrict what information an individual user can access. The most common example: ATMs.
TCSEC defined two types of channels
•Storage channels
•Timing channels
Categories of Access Controls
Table 8-6, pg. 441
Access control list (ACL)
The column of attributes associated with a particular object within lattice-based access control
Benchmarking
The comparison of two related measures. Describes both internal and external comparisons. Can provide details on how controls are working or which new controls should be considered, but it does not provide implementation details that explain how controls should be put into action.
least privilege
The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation needed. Least privilege implies a need to know. The principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary. Presumes a need to know and implies restricted access to the level required.
separation of duties
The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them. Reduces the chance of an individual violating InfoSec policy and breaching the confidentiality, integrity, and availability of the information.
need-to-know
The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks. This principle limits a user's access to only the specific information required to perform the currently assigned task.
Evaluation assurance level (EAL)
The rating or grading of a ToE after evaluation
access control
The selective method by which systems specify who may use a particular resource and how they may use it. Access controls regulate the admission of users into trusted areas of the organization, both logical access to the information systems and physical access to the organization's facilities. Maintained by means of a collection of policies, programs to carry out those policies, and technologies that enforce those policies. Enables the organization to restrict access to information, information assets, and other tangible assets to those with a bona fide business need.
Target of Evaluation (TOE)
The system being evaluated
Compartmentalization
The use of specialty classification schemes. The restriction of information to the very fewest people possible to prevent compromise or disclosure to unauthorized people.
Protection Profile (PP)
User-generated specification for security requirements.
ISO/IEC 27002 is focused on
a broad overview of the various areas of security, providing information on 127 controls over 10 areas.
A collection of users with access to the same data typically has
a centralized access control authority
Methodology
a formal way of accomplishing a task, usually recommended or endorsed by an organization or group of experts in a particular field
state machine model
a model in which the design follows a conceptual approach in which the state of the content of the system being modeled is always in a known secure condition; in other words, this kind of model is provably secure
Lattice-Based Access Controls
a variation on the MAC form of access control
•assigns users a matrix of authorizations for particular areas of access
•contains subjects and objects, and the boundaries associated with each subject/object pair are clearly demarcated
•then specifies the level of access each subject has to each object, if any
Content-dependent access controls
access to a specific set of information may be dependent on its content
One way to select a methodology is to
adapt or adopt an existing security management model or set of practices
•Because each InfoSec environment is unique, you may need to modify or adapt portions of several frameworks; what works well for one organization may not precisely fit another
Simple security
also called the read property
•prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level (read down)
Nondiscretionary Controls
are determined by a central authority in the organization and can be based on roles (role-based access controls, or RBAC) or on a specified set of tasks (task-based controls). Make it easier to maintain controls and restrictions.
Classified documents must be accessible only to
authorized individuals, which usually requires locking file cabinets, safes, or other such protective devices for hard copies and physical systems
An information asset that has a classification designation other than unclassified or public must
be clearly marked as such, with a cover page and headers and footers
Clark-Wilson Integrity Model
built upon principles of change control rather than integrity levels; was designed for the commercial environment
When copies of classified information are no longer valuable or too many copies exist
care should be taken to destroy them properly to discourage dumpster diving
Brewer-Nash Model (Chinese Wall)
commonly known as a Chinese Wall; designed to prevent a conflict of interest between two parties. Requires users to select one of two conflicting sets of data, after which they cannot access the conflicting data.
A system that serves as a reference monitor
compares the level of classification of the data with the clearance of the entity requesting access; it allows access only if the clearance is equal to or higher than the classification
When someone carries a classified report, it should be
concealed, kept in a locked briefcase or portfolio and in compliance with appropriate policies
The less critical the protected information, the more
controls tend to be decentralized
Harrison-Ruzzo-Ullman (HRU) model
defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the Bell-LaPadula model does not
•Since systems change over time, their protective states need to change
•Built on an access control matrix and includes a set of generic rights and a specific set of commands
•By implementing this set of rights and commands and restricting the commands to a single operation each, it is possible to determine if and when a specific subject can obtain a particular right to an object
The communities of interest accountable for the security of an organization's information assets must
design a working security plan and then implement a management model to execute and maintain that plan
•This may begin with the creation or validation of a security framework, followed by an InfoSec blueprint that describes existing controls and identifies other necessary security controls
•Framework > blueprint
To generate a usable security blueprint, most organizations
draw on established security frameworks, models, and practices. The model you choose must be flexible, scalable, robust, and sufficiently detailed.
U.S. government's three-level classification scheme
for information deemed to be National Security Information (NSI), Executive Order 13526
•Top Secret - could be expected to cause exceptionally grave damage to the national security
•Secret - could be expected to cause serious damage to the national security
•Confidential - could be expected to cause damage to the national security
aspects of information asset life cycle
from specification to design, acquisition, implementation, use, storage, distribution, backup, recovery, retirement, and destruction
Discretionary Access Controls (DACs)
implemented at the discretion or option of the data user. The ability to share resources in a peer-to-peer configuration allows users to control and possibly provide access to information or resources at their disposal. Users can allow general, unrestricted access, or they can allow specific individuals or sets of individuals to access these resources. Most personal computer operating systems are designed based on this model.
The original purpose of ISO/IEC 27002
offer guidance for the management of InfoSec to individuals responsible for their organization's security programs. The standard was "intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings".
The level of centralization appropriate to a given situation varies by
organization and the type of information protected
simple integrity property
permits a subject to have read access to an object only if the security level of the subject is either lower or equal to the level of the object
Every classified document should also contain the appropriate
security designation in its headers at the top of each page and at the bottom of each page
ISO 27002 is for organizations
that want information about implementing security controls. Not a standard used for certification.
elements of the Clark-Wilson model
•Constrained data item (CDI) - data item with protected integrity
•Unconstrained data item - data not controlled by Clark-Wilson; nonvalidated input or any output
•Integrity verification procedure (IVP) - procedure that scans data and confirms its integrity
•Transformation procedure (TP) - procedure that only allows changes to a constrained data item. All subjects and objects are labelled with TPs, which operate as the intermediate layer between subjects and objects
eight primitive protection rights
•Create object
•Create subject
•Delete object
•Delete subject
•Read access right
•Grant access right
•Delete access right
•Transfer access right
One of the most widely referenced and often discussed security models is
Information Technology - Code of Practice for Information Security Management, originally published as British Standard BS 7799, later published as ISO/IEC 17799, then as ISO/IEC 27002
Three approaches to categorize access controls
1. Inherent characteristics - directive, deterrent, preventative, detective, etc.
2. Operational impact - managerial, operational, technical
3. Degree of authority - mandatory, nondiscretionary, or discretionary
storage channels
A TCSEC-defined covert channel that communicates by modifying a stored object, such as in steganography.
Technical
Controls that support the tactical portion of a security program and that have been implemented as reactive mechanisms to deal with the immediate needs of the organization as it responds to the realities of the technical environment
TCSEC Levels of Protection
D: Minimal protection - default evaluation when a product fails to meet any of the other requirements
C: Discretionary protection
B: Mandatory protection
A: Verified protection
(pg. 436)
Detective
Detects or identifies an incident or threat when it occurs
Deterrent
Discourages or deters an incipient incident
Security Target (ST)
Document describing the ToE's security properties
External benchmarking
Involves comparing one's organizational results against other similar organizations
The stated purpose of ISO/IEC 27002, as derived from its ISO/IEC 17799 origins
Offer guidelines and voluntary directions for information security management. Meant to provide a high-level, general description of the areas currently considered important when initiating, implementing, or maintaining information security. Specifically identifies itself as a starting point for developing organization-specific guidance. Not all guidance and controls in it may be applicable. Not intended to give definitive how-tos.
Several countries refused to adopt it, claiming that it had the following fundamental problems
•The global information security community had not defined any justification for a code of practice as identified in ISO/IEC 17799
•The standard lacked the measurement precision associated with a technical standard
•There was no reason to believe that ISO/IEC 17799 was more useful than any other approach
•It was not as complete as other frameworks
•The standard was hurriedly prepared, given the tremendous impact its adoption could have on industry information security controls
security model
see framework. Standards that are used for reference or comparison and often serve as the stepping-off point for emulation and adoption.
Documents should be destroyed by means of
shredding, burning, or transfer to a service offering authorized document destruction. Policy should ensure that no classified information is inappropriately disposed of in the trash.
One way to determine how closely an organization is complying with ISO 27002 is to use
the SANS SCORE (Security Consensus Operational Readiness Evaluation) Audit Checklist, which is based on ISO/IEC 17799:2005
California v. Greenwood
the Supreme Court ruled that there is no expectation of privacy for items thrown away in trash or refuse containers (1998)
The level of authorization may vary depending on
the classification authorizations that individuals possess for each group of information assets or resources
We distinguish between framework, security model, and blueprint predominantly on
the level of detail provided
A framework or security model
the outline of the more thorough and organization-specific blueprint. Forms the basis for the design, selection, and initial and ongoing implementation of all subsequent security controls, including policy, SETA, and technologies. Describes what the end product should look like.
Another way to create a blueprint is to look at
the paths taken by other organizations
•In this kind of benchmarking, you follow the recommended practices or industry standards
The * property
also called the write property; prohibits a high-level subject from sending messages to a lower-level object
Graham-Denning Access Control Model
three parts: a set of objects, a set of subjects, and a set of rights. Subjects are composed of two things: a process and a domain.
ISO 27000 Series current and planned (Table 8-3, pg. 419)
•27000:2016 Series Overview and Terminology
•27001:2013 InfoSec Mgmt System Specification
•27002:2013 Code of Practice for InfoSec Mgmt
•27003:2017 InfoSec Mgmt Systems Implementation Guidance
•27004:2016 InfoSec Measurements
•27005:2011 ISMS Risk Management
•27006:2015 Requirements for Bodies Providing Audit and Certification of an ISMS
•27007:2011 Guidelines for ISMS Auditing
•27008:2011 Guidelines for InfoSec Auditing
•27010:2015 Guidelines for Inter-sector and Inter-organizational Communications
•27011:2016 Guidelines for Telecomm orgs
•27013:2015 Guideline on the Integrated Implementation of ISO/IEC 20000-1 and ISO/IEC 27001
•27014:2013 InfoSec Governance Framework
•27015:2012 InfoSec Mgmt Guidelines for Financial Services
•27016:2014 InfoSec and Organizational Economics
•27017:2015 Code of practice for InfoSec controls for cloud computing services based on ISO/IEC 27002
•27018:2014 Code of practice for PII protection in public clouds acting as PII processors
•27019:2013 InfoSec Mgmt guidelines for process control systems specific to the energy industry
•27023:2015 Mapping the revised editions of ISO/IEC 27001 and 27002
•27031:2012 Guidelines for information and communication technology readiness for business continuity
•27032:2012 Guidelines for cybersecurity
Clark-Wilson Integrity Model change control principles
•No changes by unauthorized subjects
•No unauthorized changes by authorized subjects
•The maintenance of internal and external consistency
Clark-Wilson Integrity Model controls
•Subject authentication and identification
•Access to objects by means of well-formed transactions
•Execution by subjects on a restricted set of programs
Bell-LaPadula Confidentiality Model
a state machine reference model that helps ensure the confidentiality of an information system by means of mandatory access controls (MACs), data classification, and security clearances. Its security rules prevent information from being moved from a level of higher security to a level of lower security; the principle is "no read up, no write down".
ISO/IEC 27001 provides information on
how to implement ISO/IEC 27002 and how to set up an information security management system (ISMS)
integrity * property
permits a subject to have write access to an object only if the security level of the subject is equal to or higher than that of the object
Mandatory Access Control (MAC)
•required and is structured and coordinated within a data classification scheme that rates each collection of information as well as each user
•These ratings are often referred to as sensitivity levels or classification levels
•Users and data owners have limited control over access to information resources
Biba Integrity Model
•similar to BLP; based on the premise that higher levels of integrity are more worthy of trust than lower levels
•The intent is to provide access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations
•Assigns integrity levels to subjects and objects using the simple integrity property (read) and the integrity (*) property (write)
•ensures that no information from a subject can be passed on to an object in a higher security level
•This prevents contaminating data of higher integrity with data of lower integrity
•In short, "no write up, no read down"