ch6 - info security management


•NIST-SP 800-14: "Generally Accepted Principles and Practices for Securing Information Technology Systems"

-Describes recommended practices and provides information on commonly accepted InfoSec principles
-Can direct the security team in the development of a security blueprint
-Also describes the philosophical principles that the security team should integrate into the entire InfoSec process

•Evaluation models: The Common Criteria •Common Criteria for Information Technology Security Evaluation?

-An international standard for computer security certification
-Often called "Common Criteria" or "CC"
-Considered the successor to TCSEC and ITSEC
-International standard

•Harrison-Ruzzo-Ullman (HRU) model? •HRU is built on an access control matrix and includes a set of generic rights and a specific set of commands: 4

-Defines a method to allow changes to access rights and the addition and removal of subjects and objects
---
-Create subject/create object
-Enter right X into
-Delete right X from
-Destroy subject/destroy object

•"Clean desk policy"

- requires each employee to secure all information in its appropriate storage container at the end of every business day

•Compartmentalization ?

- the restriction of information to the very fewest people possible (Need-to-know)

•Evaluation models: Trusted computing base. •Covert channels? •TCSEC defines two kinds of covert channels: 2

-Unauthorized or unintended methods of communication hidden inside a computer system
---
1-Storage channels - communicate by modifying a stored object
2-Timing channels - transmit information by managing the relative timing of events

•Security Management models: 6 .. explained in detail later

1-The ISO 27000 Series
2-NIST Security Models
3-COBIT
4-COSO
5-ITIL
6-Information Security Governance Framework

•Information Technology Infrastructure Library (ITIL)?

-A collection of methods and practices for managing the development and operation of IT infrastructures
-ITIL has produced a series of books, each of which covers an IT management topic
-ITIL can be tailored to many IT organizations because it includes a detailed description of many significant IT-related practices

•Access control is maintained by means of: 3

-A collection of policies
-Programs to carry out those policies
-Technologies to enforce policies

Graham-Denning Access Control Model...Graham-Denning access control model has three parts:

-A set of objects
-A set of subjects
-A set of rights
•Set of rights governs how subjects may manipulate the passive objects

•Committee Of Sponsoring Organizations (COSO)?

-Another control-based model
-Private-sector initiative formed in 1985
•Major objective of COSO is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence
•COSO established a common definition of internal controls, standards, and criteria which organizations can use to assess their control systems

Information Security Governance Framework..•recommends the responsibilities that various members should have toward an organization, including the following: 5

-Board of directors
-Senior executives
-Executive team members who report to a senior executive
-Senior managers
-All employees and users

•Other models of access control include: 3

-Content-dependent access controls: access may be dependent on its content
-Constrained user interfaces: some systems are designed specifically to restrict what information an individual user can access
•The most common example is the bank automated teller machine (ATM), which restricts authorized users to simple account queries, transfers, deposits, and withdrawals
-Temporal (time-based) isolation: access to information is limited by a time-of-day constraint

•The COSO framework is built on five interrelated components: 5

-Control environment: the foundation of all internal control components. The environmental factors include integrity, ethical values, management's operating style, delegation of authority systems, and the processes for managing people in the organization
-Risk assessment: identification and examination of valid risks to information assets or to the defined objectives of the organization
-Control activities: the policies and procedures that support management directives
-Information and communication: the delivery of reports: regulatory, financial, and otherwise
-Monitoring: continuous or discrete activities to ensure internal control systems are functioning as expected

Graham-Denning Access Control Model...The eight primitive protection rights are (commands):

-Create object
-Create subject
-Delete object
-Delete subject
-Read access right
-Grant access right
-Delete access right
-Transfer access right

•Evaluation models: Trusted computing base. •Products evaluated under TCSEC are assigned one of the following levels of protection: 4

-D: Minimal protection
-C: Discretionary protection
-B: Mandatory protection
-A: Verified protection

Categories of Access Control: •One approach depicts controls by characteristics: 6

-Detective: detects or identifies an incident or threat when it occurs
-Corrective: remedies a circumstance or mitigates damage done during an incident
-Recovery: restores operating conditions back to normal
-Preventative: helps an organization avoid an incident
-Deterrent: discourages or deters an incipient incident
-Compensating: resolves shortcomings

•According to COSO, internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories: 3

-Effectiveness and efficiency of operations
-Reliability of financial reporting
-Compliance with applicable laws and regulations

Access Control four processes: 4

-Identification: obtaining the identity of the entity requesting access to a logical or physical area
-Authentication: confirming the identity
-Authorization: determining which actions an authenticated entity can perform
-Accountability: documenting the activities of the authorized individual and systems

Some Security Architecture Models are: 3

-Implemented into computer hardware and software
-Implemented as policies and practices
-Both

Access Control key principles? 3

-Least privilege - a member of the organization can access the minimum amount of information for the minimum amount of time necessary
-Need-to-know - limits a user's access to the specific information required to perform the currently assigned task
-Separation of duties - requires that significant tasks be split up in such a way that more than one individual is responsible for their completion

•A second approach categorizes controls based on their operational impact on the organization: 3

-Management: controls that cover security processes that are designed by strategic planners
-Operational (administrative): controls that deal with the operational functions
-Technical: controls that support the tactical portion of a security program and that have been implemented as reactive mechanisms to deal with the immediate needs of the organization as it responds to the realities of the technical environment

•COBIT 5 provides five principles focused on the governance and management of IT: 5

-Meeting Stakeholder Needs
-Covering the Enterprise End-to-End
-Applying a Single, Integrated Framework
-Enabling a Holistic Approach
-Separating Governance from Management

•NIST-SP 800-30, Rev. 1: "Guide for Conducting Risk Assessments" 4

-Provides a foundation for the development of an effective risk management program
-Contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems
-Organized into three chapters that explain the overall risk management process, as well as preparing for, conducting, and communicating a risk assessment
-Replaced by "NIST-SP 800-53 Rev.3: Guide for assessing security controls in federal information systems and organizations"

•"Control Objectives for Information and related Technology" (COBIT)?

-Provides advice about the implementation of controls and control objectives for InfoSec
-Can be used as a planning model and as a control model
----
•COBIT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992
-There have been many updates: 98, 2000, 2003 ... 2012
-Latest version is COBIT 5, released in 2012

•NIST-SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems: 3

-Provides detailed methods for assessing, designing, and implementing controls and plans for applications of various sizes
-Serves as a guide for security planning activities and for the overall InfoSec planning process
-Includes templates for major application security plans

•Evaluation models: The Common Criteria •CC terminology includes: 5
-Target of Evaluation (ToE)
-Protection Profile (PP)
-Security Target (ST)
-Security Functional Requirements (SFRs)
-Evaluation Assurance Levels (EAL)

-Target of Evaluation (ToE): the system being evaluated
-Protection Profile (PP): user-generated specification for security requirements
-Security Target (ST): document describing the ToE's security properties
-Security Functional Requirements (SFRs): catalog of a product's security functions
-Evaluation Assurance Levels (EAL): the rating or grading of a ToE after evaluation

How to create Blueprints?

-To look at the paths taken by other organizations -This is a kind of benchmarking where recommended practices or industry standards are followed

•Evaluation models: 3 things .. going to describe in detail later!

-Trusted computing base
-Information technology system evaluation criteria
-The common criteria

-Implementation models: 6... explained in detail later!

1-Bell-LaPadula
2-Graham-Denning
3-Biba
4-Harrison-Ruzzo-Ullman (HRU)
5-Clark-Wilson
6-Brewer-Nash

•Elements of the Clark-Wilson model: 4

1-Constrained data item (CDI): data item with protected integrity
2-Unconstrained data item: data not controlled by Clark-Wilson; non-validated input or any output
3-Integrity verification procedure (IVP): procedure that scans data and confirms its integrity
4-Transformation procedure (TP): procedure that only allows changes to a constrained data item

•Security model:

-A generic blueprint offered by a service organization
-Free models are available from the National Institute of Standards and Technology (NIST)

•Evaluation models: Information Technology System Evaluation Criteria (ITSEC)?

-An international set of criteria for evaluating computer systems
-Similar to TCSEC
-Targets of Evaluation (ToE) are compared to detailed security function specifications
•ITSEC rates products on a scale of E1 (lowest level) to E6 (highest level)
•Resulting in an assessment of system functionality and comprehensive penetration testing
•Replaced by "The Common Criteria" (next)

•Evaluation models: Trusted computing base. •Trusted Computer System Evaluation Criteria (TCSEC)?

-An older DoD standard that defines the criteria for assessing the access controls in a computer system
-Part of the "Rainbow Series" standards
-TCSEC (the Orange Book) is the cornerstone of the series
-The Rainbow Series was replaced in 2005

•Clark-Wilson integrity model - •Change control principles of the model: 3

-Built upon principles of change control rather than integrity levels
•Change control principles of the model:
-No changes by unauthorized subjects
-No unauthorized changes by authorized subjects
-The maintenance of internal and external consistency
•Internal consistency means that the system does what it is expected to do every time
•External consistency means that the data in the system is consistent with similar data in the outside world
---
•Subject-program-object relationship system

Data Classification: •Organizations can protect their sensitive information with a simple scheme like: 3 •Other organizations can use: 4

-Confidential, internal, and external
---
-Public - for general public dissemination
-For official use only - not for public release but not sensitive
-Sensitive - important information that, if compromised, could embarrass the organization
-Classified - essential and confidential information, disclosure of which could severely damage the well-being of the organization

•Security clearance structure? Usually accomplished by assigning each employee to a named role:

-Each user of an information asset is assigned an authorization level that identifies the level of information classification he or she can access
•Usually accomplished by assigning each employee to a named role: data entry clerk, InfoSec analyst, etc.
•Most organizations have developed a set of roles and a corresponding security clearance

•Security architecture models?

-Illustrate InfoSec implementations and can help organizations quickly make improvements through adaptation
•A formal base gives credibility and reliability
•Formal models do not usually find their way directly into usable implementations; instead, they form the basic approach that an implementation uses
•Some are focused on the confidentiality of information
•Others are focused on the integrity of the information

•Discretionary access controls (DACs)? .......... models can be implemented under DAC, if an individual system owner wants to create the rules

-Implemented at the discretion or option of the data user
-Access Control List (ACL)
-The ability to share resources in a peer-to-peer configuration allows users to control and possibly provide access to information or resources at their disposal
•Role-based models can be implemented under DAC, if an individual system owner wants to create the rules

•ISO/IEC 27001 provides ...? ISO/IEC 27002 and how to ...?

information on how to implement
---
set up an information security management system
-Plan-Do-Check-Act cycle

•Biba integrity model - •Biba model assigns integrity levels to subjects and objects using two properties:

-Is based on the premise that higher levels of integrity are more worthy of trust than lower ones
•Biba model assigns integrity levels to subjects and objects using two properties:
-Simple integrity property (read): permits a subject to have read access to an object only if its security level is lower than or equal to that of the object
-Integrity * property (write): permits a subject to have write access to an object only if its security level is equal to or higher than that of the object
•No write up & no read down

•A mandatory access control (MAC)?

-Is required and is structured and coordinated within a data classification scheme that rates each collection of information, as well as each user
•MAC is mostly used by the military
•When MACs are implemented, users and data owners have limited control over access to information resources

•The Information Security Governance Framework is a?

-Managerial model provided by an industry working group, the National Cyber Security Partnership
•The framework provides guidance in the development and implementation of an organizational InfoSec governance structure

•Management models are used to ...

-Manage the overall information security systems, processes, and models
-----
-So many security management models
-U.S. federal agencies and international standard-setting organizations offer quality security management models
•Some security management models offer free documentation (e.g. NIST); others are proprietary and must be purchased

•ISO/IEC 17799 was "intended to ...?" •ISO/IEC 27002 continues that focus with a .....?

"provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in interorganizational dealings"
-----
broad overview of the various areas of security, providing information on 127 controls over 10 areas

•TCSEC defines a trusted computing base (TCB) as? •For example, the access control system in the TCB is called .....?

the combination of all hardware, firmware, and software responsible for enforcing security policy
-"Security policy" refers to the rules of configuration for a system
----
reference monitor

•Benchmarking: •Benchmarking can provide details ....

-The comparison of two related measurements
•Benchmarking can provide details on how controls are working
-Or which new controls should be considered
-Does not provide details on how controls should be put into action

•Framework:

-The outline of the more thorough blueprint
-Sets out the model to be followed in the creation of the design, selection, and initial implementation of all subsequent security controls

•Dumpster diving

-The retrieval of information from refuse or recycling bins
•Documents should be destroyed by means of shredding, burning, or transfer to a third-party document destruction service

•A third approach describes the degree of authority under which the controls are applied: 3

-Mandatory (MAC)
-Discretionary (DAC)
-Nondiscretionary (NDAC)

•NIST SP 800-53A, Rev. 1: •NIST-SP 800-53 Rev.3: •Both publications cover recommended security controls for Federal Information Systems.

•NIST SP 800-53A, Rev. 1: "Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans"
•NIST-SP 800-53 Rev.3: "Guide for assessing security controls in federal information systems and organizations: recommended security controls for federal information systems"

Nondiscretionary Controls? and can be based on: 2

-Determined by a central authority in the organization and can be based on:
1-Role-based controls - tied to the role that a user performs
2-Task-based controls - tied to a particular assignment or responsibility
•Both controls make it easier to maintain controls and restrictions
-Rights are assigned to the role, not the person

Access controls

•- regulate the admission of users into trusted areas of the organization

Bell-LaPadula Confidentiality Model? •Access modes depend on two properties:

•BLP ensures confidentiality by using MACs, data classification, and security clearances
•Access modes depend on two properties:
-Simple security - prohibits a subject of lower clearance from reading an object of higher clearance
-* (Star) property - prohibits a high-level subject from sending messages to a lower-level object
•No read up & no write down

Clark-Wilson integrity model controls: 3

•Clark-Wilson model controls:
-Subject authentication and identification
-Access to objects by means of well-formed transactions
-Execution by subjects on a restricted set of programs

The ISO 27000 Series?

•ISO = International Organization for Standardization
•One of the most widely referenced security management models: Information Technology - Code of Practice for Information Security Management
---
-Details of ISO 27002 are only available to those who purchase the standard

NIST Security Models? •Advantages of NIST security models over many other sources of security information: 2

•NIST = National Institute of Standards and Technology
•NIST has a comprehensive security control assessment program that guides organizations through the preparation for, assessment of, and remediation of critical security controls
•Advantages of NIST security models over many other sources of security information:
-They are publicly available at no charge
-They have been available for some time and have been broadly reviewed by government and industry professionals

•NIST-SP 800-12 provides for:
-Accountability:
-Awareness:
-Ethics:
-Multidisciplinary:
-Proportionality:
-Integration:
-Timeliness:
-Reassessment:
-Democracy:

•NIST-SP 800-12 provides for:
-Accountability: responsibilities and accountability should be explicit
-Awareness: gain appropriate knowledge
-Ethics: rights and interests are respected
-Multidisciplinary: address all relevant considerations and viewpoints
-Proportionality: appropriate to the extent of potential harm
-Integration: coordinated and integrated to have a coherent system of security
-Timeliness: act in a timely, coordinated manner to respond to breaches
-Reassessment: reassessed periodically
-Democracy: compatible with the legitimate use of information in a democratic society

A number of approaches are used to categorize access control methodologies: 3 .. each explained in detail LATER.

•One approach depicts controls by characteristics
•A second approach categorizes controls based on their operational impact on the organization
•A third approach describes the degree of authority under which the controls are applied

NIST Special Publication •SP 800-12: •SP 800-12 ... 3 categories?

•SP 800-12: Computer Security Handbook - an excellent reference and guide for routine management of InfoSec
•SP 800-12 identifies 17 controls, organized into three categories:
-Management controls
-Operational controls
-Technical controls

Data Classification Model ex?

•The U.S. military uses a five-level classification scheme:
-Unclassified data
-Sensitive but unclassified (SBU) data
-Confidential data
-Secret data
-Top secret data

Blueprint:

•describes existing controls and identifies other necessary security controls

Brewer-Nash Model (Chinese Wall)?

•Designed to prevent a conflict of interest between two parties
-Commonly known as a "Chinese Wall"
•The Brewer-Nash model requires users to select one of two conflicting sets of data
-After which they cannot access the conflicting data

Information Security Governance Framework..specifies that each independent organizational unit should: 4

•specifies that each independent organizational unit should: develop, document, and implement an InfoSec program consistent with accepted security practices

