Chapter 8
"federal agencies such as the FBI and CIA use specialty classification schemes, suchas "
""Need-to-Know" and "Named Projects."
"The eight primitive protection rights are:"
"1. Create object 2. Create subject 3. Delete object 4. Delete subject 5. Read access right 6. Grant access right 7. Delete access right 8. Transfer access right"
"Bell-LaPadula (BLP) confidentiality model:
"A confidentiality model or "state machinereference model" that ensures the confidentiality of the modeled system by using MACs, dataclassification, and security clearances." "is known as a state machine referencemodel—in other words, a model of an automated system that is able to manipulate itsstate or status over time. BLP ensures the confidentiality of the modeled system by usingMACs, data classification, and security clearances. The intent of any state machine modelis to devise a conceptual approach wherein the system being modeled can always be in aknown secure condition; in other words, this kind of model is provably secure. A systemthat serves as a reference monitor compares the level of classification of the data with theclearance of the entity requesting access; it allows access only if the clearance is equal to orhigher than the classification. BLP security rules prevent information from being movedfrom a level of higher security to a level of lower security. Access modes can be one oftwo types: simple security and the * (star) property."
"Documentation on COBIT was first published in1996 and most recently updated in 2012. According to ISACA:"
"COBIT 5 is the only business framework for the governance and management ofenterprise IT. This evolutionary version incorporates the latest thinking in enter-prise governance and management techniques, and provides globally acceptedprinciples, practices, analytical tools, and models to help increase the trust in,and value from, information systems. COBIT 5 builds and expands on COBIT4.1 by integrating other major frameworks, standards, and resources, includingISACA's Val IT and Risk IT, Information Technology Infrastructure Library®(ITIL®), and related standards from the International Organization for Stan-®), and related standards from the International Organization for Stan-dardization (ISO)."
"The framework specifies that each independent organizational unit should develop, docu-ment, and implement an "
"InfoSec program consistent with the guidance of accepted securitypractices such as ISO/IEC 27001. This program should provide security for the informationand information systems that support the operations and assets of the organizational unit,including those provided or managed by another organizational unit, contractor, or othersource. The document also recommends that each organization establish clear, effective, andperiodic reporting regarding its InfoSec program from each organizational unit and that eachunit perform a regular evaluation to validate the effectiveness of its InfoSec program."
"Simple security
"Simple security (also called the "read property") prohibits a subject of lower clearance fromreading an object of higher clearance but allows a subject with a higher clearance level toread an object at a lower level (read down)."
capabilities table"
"The row of attributes associated witha particular subject (such as a user) is referred to as a capabilities table"
""SP 800-12: Computer Security Handbook" is "
"anexcellent reference and guide for routine management of InfoSec. It provides little guidance,however, on the design and implementation of new security systems; use it as a supplementto gain a deeper understanding of the background and terminology of security. "
"Named Projects are"
"clearancelevels based on a scheme similar to Need-to-Know. When an operation, project, or set of clas-sified data is created, the project is assigned a code name. Next, a list of authorized individualsis created and assigned to either the Need-to-Know or the Named Projects category."
"nondiscretionary controls:
"nondiscretionary controls: Access controls that are implemented by a central authority.
"One discretionary model is "
"rule-based access controls, in which access is granted based on aset of rules specified by the central authority. This is a DAC model because the individualuser is the one who creates the rules. Role-based models, described in the previous section,can also be implemented under DAC if an individual system owner wants to create therules for other users of that system or its data."
"trusted computing base (TCB):
"trusted computing base (TCB): Under TCSEC, the combination of all hardware, firmware, andsoftware responsible for enforcing the security policy."
"The framework provides guidance in the development and implementation of anorganizational InfoSec governance structure and recommends the responsibilities that variousmembers should have toward an organization, including the following:"
"• Board of Directors/Trustees—Provide strategic oversight regarding InfoSec •Senior Executives—Provide oversight of a comprehensive InfoSec program for theentire organization • Executive Team Members Who Report to a Senior Executive—Oversee the organiza-tion's security policies and practices" "•Senior Managers—Provide InfoSec for the information and information systems thatsupport the operations and assets under their control" " All Employees and Users—Maintain security of information and information systems accessible to them
"The controls recommended by NIST in this family of SPs are organized into "
17 "families" ofcontrols, as mentioned earlier. These 17 families, along with a managerial family called "Pro-gram Management," are used to structure the protection of information and as part of theNIST security control assessment methodology. "
security clearance:
A personnel security structure in which each user of an information asset isassigned an authorization level that identifies the level of classified information he or she is"cleared" to access."
"lattice-based access control:
A variation on the MAC form of access control, which assignsusers a matrix of authorizations for particular areas of access, incorporating the informationassets of subjects such as users and objects."
"discretionary access controls (DACs):
Access controls that are implemented at the discretionor option of the data user."
"dumpster diving:
An information attack that involves searching through a target organization'strash and recycling bins for sensitive information."
"Common Criteria for Information Technology Security Evaluation:
An internationalstandard (ISO/IEC 15408) for computer security certification that is considered the successor toTCSEC and ITSEC." "(often called"Common Criteria" or "CC") is an international standard (ISO/IEC 15408) for computersecurity certification. It is widely considered the successor to both TCSEC and ITSEC in that"it reconciles some of the differences between the various other standards.
"Trusted Computer System Evaluation Criteria (TCSEC):
An older DoD system certificationand accreditation standard that defines the criteria for assessing the access controls in a computersystem. Also known as the rainbow series due to the color coding of the individual documentsthat made up the criteria."
"capabilities table:
In a lattice-based access control, the row of attributes associated with aparticular subject (such as a user)."
"security model:
See framework."
"least privilege:
The data access principle that ensures no unnecessary access to data exists byregulating members so they can perform only the minimum data manipulation necessary. Leastprivilege implies a need to know."
"separation of duties:
The information security principle that requires significant tasks to besplit up so that more than one individual is required to complete them."
"covert channels:
Unauthorized or unintended methods of communications hidden inside acomputer system."
"InfoSec models
are standards that are used for reference or comparison and often serve as thestepping-off point for emulation and adoption. "
"task-based con-trols
are tied to a particular assignment or responsibility.
blueprint
includes information on how to get there, and is customized to a specific organization." "Another way to create a blueprint is to look at the paths taken by other organizations."
"bench-marking
is the comparison of two related measurements—for example, comparing how manyhours of unscheduled downtime your company had last year with the average hours ofunscheduled downtime in all the companies in your industry. Is your performance better orworse than that average? Benchmarking can provide details on how controls are working orwhich new controls should be considered, but it does not provide implementation details thatexplain how controls should be put into action."
"The role-based and task-based controls "
make it easier to maintain controls and restrictions,especially if the person performing the role or task changes often. Instead of constantly assign-ing and revoking the privileges of people who come and go, the administrator simply assignsthe associated access rights to the role or task. The person assigned to that role or task auto-matically receives the corresponding access. The administrator can easily remove people'sassociations with roles and tasks, thereby revoking their access."
""SP 800-14: Generally Accepted Principles andPractices for Securing Information Technology Systems" describes "
recommended practicesand provides information on commonly accepted InfoSec principles that can direct the secu-rity team in the development of a security blueprint. It also describes the philosophical prin-ciples that the security team should integrate into the entire InfoSec process, expanding onthe components of SP 800-12.
Access control enables organizations to
restrict access to information, information assets, andother tangible assets to those with a bona fide business need.
"Products evaluated under TCSEC are assigned one of the following levels of protection:"
" D: Minimal Protection—A default evaluation when a product fails to meet any of theother requirements. • C: Discretionary Protection" "• C1: Discretionary Security Protection—Product includes DAC with standard identi-fication and authentication functions, among other requirements." "controlled Access Protection—Product includes improved DAC with account-""ability and auditability, among other requirements." "B: Mandatory Protection" "B1: Labeled Security Protection—Product includes MAC over some subjects andobjects, among other requirements." "B2: Structured Protection—Product includes MAC and DAC over all subjects andobjects, among other requirements." "B3: Security Domains—The highest mandatory protection level; meets referencemonitory requirements and clear auditability of security events, with automatedintrusion detection functions, among other requirements." "A: Verified Protection" "A1: Verified Design—B3 level certification plus formalized design and verificationtechniques, among other requirements." Beyond A1—Highest possible protection level; reserved only for systems that dem-onstrate self-protection and completeness of the reference monitor, with formal top-level specifications and a verified TCB down to the source code level, among otherrequirements."
"A second approach, described in the NIST Special Publication series, categorizes controlsbased on their operational impact on the organization:"
" Management—""Controls that cover security processes designed by strategic planners,""integrated into the organization's management practices, and routinely used by securityadministrators to design, implement, and monitor other control systems" " Operational (or Administrative)—Controls that deal with the operational functions ofsecurity that have been integrated into the repeatable processes of the organization" "• Technical—""Controls that support the tactical portion of a security program and that""have been implemented as reactive mechanisms to deal with the immediate needs of theorganization as it responds to the realities of the technical environment"
"Lattice-based access control, "
" variation on this form of access control, assigns users amatrix of authorizations for particular areas of access. The level of authorization may varydepending on the classification authorizations that individuals possess for each group ofinformation assets or resources. The lattice structure contains subjects and objects, and theboundaries associated with each subject/object pair are clearly demarcated. Lattice-basedaccess control then specifies the level of access each subject has to each object, if any. Withthis type of control, the column of attributes associated with a particular object (such as aprinter) is referred to as an access control list (ACL). "
"The Brewer-Nash model, commonly known as a"
""Chinese Wall," is designed to prevent aconflict of interest between two parties. Imagine that a law firm represents two individuals""who are involved in a car accident. One sues the other, and the firm has to representboth. To prevent a conflict of interest, the individual attorneys should not be able toaccess the private information of both litigants. The Brewer-Nash model requires usersto select one of two conflicting sets of data, after which they cannot access the conflict-ing data."
"The COSO framework is built on five interrelated components.Again, while COSO is designed to serve as a framework that can describe and analyze inter-nal control systems, some of those internal control systems are on IT systems that incorpo-rate InfoSec controls. COSO's five components are:"
"Control enviroment: This is the foundation of all internal control components. The""environmental factors include integrity, ethical values, management's operating style,delegation of authority systems, and the processes for managing and developing peoplein the organization." "Risk Assessment—""assists in the identification and examination of valid""risks to the defined objectives of the organizations. It can also include assessment ofrisks to information assets." "Control Activities—This includes those policies and procedures that support manage-ment directives. These activities occur throughout the organization and includeapprovals, authorizations, verifications, reconciliations, reviews of operating perfor-mance, security of assets, and segregation of duties." "Information and Communication—This encompasses the delivery of reports—regulatory, financial, and otherwise. Effective communication should also include thosemade to third parties and other stakeholders." "Monitoring—""Continuous or discrete activities to ensure internal control systems are""functioning as expected; internal control deficiencies detected during these monitoringactivities should be reported upstream, and corrective actions should be taken to ensurecontinuous improvement of the system."
"Management"
"Deterrent": policies Preventative: registration procedures Detective: periodic violation report reviews Corrective: employee or account termination Recovery: disaster recovery plan Compensating: separation of job duties, job rotation
technical
"Deterrent": warning banners Preventative: login systems, kerberos Detective: log monitors and idps Corrective: forensic procedure Recovery: data backup Compensating: key logging and keystroke monitoring
operational
"Deterrent": warning signs Preventative: gates, fences, and guards Detective: sentries, cctv Corrective: fire suppression system Recovery: disaster recovery procedures Compensating: defense in depth
EAL is typically rated on the following scale:"
"EAL1: Functionally Tested: "Confidence in operation against nonserious threats" "EAL2: Structurally Tested—""More confidence required but comparable with good business practices "EAL 3: Methodically Tested and Checked—""Moderate level of security assurance" "EAL4: Methodically Designed, Tested, and Reviewed—"rigorous level of security"assurance but still economically feasible without specialized development" "EAL5: Semiformally Designed and Tested—"Certification requires specialized develop-"ment above standard commercial products" "EAL6: Semiformally Verified Design and Tested—""Specifically designed security ToE" "EAL7: Formally Verified Design and Tested""Developed for extremely high-risk situa-"tions or for high-value systems"
"For information that is not part of NSI, the federal government recently went from a sim-plistic approach of
"For Official Use Only (FOUO)," "Sensitive But Unclassified (SBU),"and "Law Enforcement Sensitive (LES)" categories to a rather complex collection of 23 spe-cialized categories, many with multiple subcategories, in spite of the declaration of the exec-utive order that it was simplifying and standardizing the process."
"Security architecture models illustrate
"InfoSec implementations and can help organizationsquickly make improvements through adaptation. Formal models do not usually find theirway directly into usable implementations; instead, they form the basic approach that an imple-mentation uses. These formal models are discussed here so that the reader can become famil-iar with them and see how they are used in various security architectures. When a specificimplementation is put into place, noting that it is based on a formal model may lend credibil-ity, improve its reliability, and lead to improved results. Some models are implemented intocomputer hardware and software, some are implemented as policies and practices, and someare implemented in both. Some models focus on the confidentiality of information, whileothers focus on the integrity of the information as it is being processed."
"Internal consistency
"Internal consistency means that the system does what it is expected to do every time, withoutexception. External consistency means that the data in the system is consistent with similardata in the outside world."
"For most information, the U.S. military uses a three-level classification scheme for informa-tion deemed to be National Security Information (NSI), as defined in Executive Order12958 in 1995 and Executive Order 13526 in 2009. Here are the classifications along withdescriptions from the document:"
"Sec. 1.2. Classification Levels. (a) Information may be classified at one of the follow-ing three levels: 1) "Top Secret" shall be applied to information, the unauthorized disclosure ofwhich reasonably could be expected to cause exceptionally grave damage tothe national security that the original classification authority is able to iden-tify or describe. 2) "Secret" shall be applied to information, the unauthorized disclosure of whichreasonably could be expected to cause serious damage to the national securitythat the original classification authority is able to identify or describe. 3) "Confidential" shall be applied to information, the unauthorized disclosure ofwhich reasonably could be expected to cause damage to the national securitythat the original classification authority is able to identify or describe. (b) Except as otherwise provided by statute, no other terms shall be used to iden-tify United States classified information." "(c) If there is significant doubt about the appropriate level of classification, itshall be classified at the lower level."
(continuos)"The more significant points made in NIST SP 800-14 are as follows:"
"Security Is Constrained by Societal Factors—Many factors influence the implementa-tion and maintenance of security. Legal demands, shareholder requirements, and evenbusiness practices affect the implementation of security controls and safeguards. Whilesecurity professionals prefer to isolate information assets from the Internet—the majorsource of threats to those assets—the business requirements of the organization maypreclude this control measure."
"This model establishes a system of subject-program-object relationships such that the subjecthas no direct access to the object. Instead, the subject is required to access the object using awell-formed transaction via a validated program. The intent is to provide an environmentwhere security can be proven through the use of separated activities, each of which is prov-ably secure. The following controls are part of the Clark-Wilson model:"
"Subject authentication and identification" "Access to objects by means of well-formed transactions" "Execution by subjects on a restricted set of programs"
"The * property
"The * property (the "write property"), on the other hand, prohibits a high-level subject fromsending messages to a lower-level object. In short, subjects can read down and objects can writeor append up. BLP uses access permission matrices and a security lattice for access control."
"The Biba model ensures that
"The Biba model ensures that no information from a subject can be passed on to an object ina higher security level. This prevents contaminating data of higher integrity with data oflower integrity."
"COSO describes its key concepts as follows:"
"The COSO Internal Control-Integrated Framework (the Framework) outlinesthe components, principles, and factors necessary for an organization to effec-tively manage its risks through the implementation of internal control. Thereshould be neither "gaps"gaps" in addressing risk and control, nor unnecessary or"unintentional duplication of effort. The Three Lines of Defense (the Model) addresses how specific duties related torisk and control could be assigned and coordinated within an organization,regardless of its size or complexity. In particular, the Model clarifies the differ-ence and relationship between the organizations' assurance and other monitoring—activities which can be misunderstood if not clearly defined.activities—activities which can be misunderstood if not clearly defined."
"The simple integrity property
"The simple integrity property permits a subject to have read access to an object only if thesecurity level of the subject is either lower or equal to the level of the object. The integrity *property permits a subject to have write access to an object only if the security level of thesubject is equal to or higher than that of the object.
"Compartmentalization
"The useof such specialty classification schemes" is the restriction of information, such as a secret military operation orcorporate research project, to the very fewest people possible—those with a need to know—those with a need to know to—to—those with a need to know—prevent compromise or disclosure to unauthorized individuals. "
"Other approaches to structuring InfoSec management are found in the many documentsavailable from NIST's Computer Security Resource Center."
"These documents, which areamong the references cited by the U.S. government as reasons not to adopt ISO/IEC 17799standards, enjoy two notable advantages over many other sources of security information:(1) They are publicly available at no charge, and (2) they have been available for some time;thus, they have been broadly reviewed by government and industry professionals. You canuse the NIST SP documents listed earlier, along with the discussion provided in this book, tohelp design a custom security framework for your organization's InfoSec program."
The first models discussed here—specifically, the"
"Trusted Computing Base (TCB), Trusted Com-puter System Evaluation Criteria (TCSEC), the Information Technology System Evaluation Cri-teria, and the Common Criteria—are used as evaluation models and are also used todemonstrate the evolution of trusted system assessment. The later models—Bell-LaPadula, Biba,and so forth—are used as demonstrations of models implemented in some computer securitysystems to ensure that the confidentiality, integrity, and availability of information is protected."
"According to COSO:"
"[I]nternal control is a process, effected by an entity's board of directors, manage-ment, and other personnel, designed to provide reasonable assurance regardingthe achievement of objectives in the following categories: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations"
"The Harrison-Ruzzo-Ullman (HRU) model defines"
"a method to allow changes to accessrights and the addition and removal of subjects and objects, a process that the BLP modeldoes not. Since systems change over time, their protective states need to change. HRU isbuilt on an access control matrix and includes a set of generic rights and a specific set ofcommands. These include:" "• Create subject/create object • Enter right X into • Delete right X from • Destroy subject/destroy object" "By implementing this set of rights and commands and restricting the commands to a singleoperation each, it is possible to determine if and when a specific subject can obtain a particu-lar right to an object."
"Another control-based model is that of the Committee of Sponsoring Organizations (COSO) ofthe Treadway Commission, "
"a private-sector initiative formed in 1985. Its major objective is toidentify the factors that cause fraudulent financial reporting and to make recommendations toreduce its incidence. COSO has established a common definition of internal controls, standards,and criteria against which companies and organizations can assess their control systems.32COSO helps organizations comply with critical regulations like the Sarbanes-Oxley Act of 2002."
"The Graham-Denning access control model has three parts:"
"a set of objects, a set of subjects,and a set of rights. The subjects are composed of two things: a process and a domain. Thedomain is the set of constraints controlling how subjects may access objects. The set of rightsgoverns how subjects may manipulate the passive objects. This model describes eight primi-tive protection rights, called commands, which subjects can execute to have an effect onother subjects or objects. Note that these are similar to the rights a user can assign to anentity in modern operating systems."
"Need-to-Know authorization allows"
"access to information by individuals who need the information to perform their work."
"Classified documents must be"
"accessible only to authorized individuals, which usuallyrequires locking file cabinets, safes, or other such protective devices for hard copies and systems.When someone carries a classified report, it should be concealed, kept in a locked briefcase orportfolio, and in compliance with appropriate policies (requirements for double-sealed envel-opes, tamper-proof seals, etc.). Operational controls need to take into account these classifica-tion systems and their associated control mechanisms, which, despite their simplicity, can havesignificant impact. In April 2009, a British military operation was compromised when a pressphotographer photographed a secret document that was not properly covered."
"Access controls regulate the "
"admission of users into trusted areas of the organization—bothlogical access to information systems and physical access to the organization's facilities. Accesscontrol is maintained by means of a collection of policies, programs to carry out those poli-cies, and technologies that enforce policies."
one way to select a methodology
"adopt an existing security management model or set of practices. "
""Control Objectives for Information and Related Technology" (COBIT) provides "
"adviceabout the implementation of sound controls and control objectives for InfoSec. This docu-ment can be used not only as a planning tool for InfoSec but also as a control model.COBIT was created by the Information Systems Audit and Control Association (ISACA) andthe IT Governance Institute (ITGI) in 1992. "
"Managing an information asset includes"
"all aspects of its life cycle—from specification to design, acquisition, implementation, use, stor-age, distribution, backup, recovery, retirement, and destruction. An information asset, such as areport, that has a classification designation other than unclassified or public must be clearlymarked as such. The U.S. government, for example, uses color-coordinated cover sheets to pro-tect classified information from the casual observer, as shown in Figure 8-1. Every classifieddocument should also contain the appropriate security designation at the top and bottom ofeach page. "
"The ISO/IEC 27000 series of standards forms"
"an increasingly important framework for themanagement of InfoSec. It is rapidly becoming increasingly significant to U.S. organizations,especially those that are large to very large in size, are obligated to follow certain industrystandards that leverage the ISO/IEC 27000 series of standards, and/or operate in the Euro-pean Union (or are otherwise obliged to meet its terms). Table 8-3 illustrates the sections ofISO 27001:2013."
The Information Security Governance Framework is a managerial model provided by
"anindustry working group, National Cyber Security Partnership (www.cyberpartnership.org),and is the result of developmental efforts by the National Cyber Security Summit TaskForce."
"Nondiscretionary controls "
"are determined by a centralauthority in the organization and can be based on roles—called role-based access controls(RBAC)—or on a specified set of tasks—called task-based controls. Task-based controlscan, in turn, be based on lists maintained on subjects or objects. "
"Role-based controls"
"aretied to the role that a particular user performs in an organization"
"TCSEC defines a trusted computing base (TCB)"
"as the combination of all hardware, firmware,and software responsible for enforcing the security policy. In this context, "security policy" refersto the rules of configuration for a system rather than a managerial guidance document. TCB isonly as effective as its internal control mechanisms and the administration of the systems beingconfigured. TCB is made up of the hardware and software that has been implemented to providesecurity for a particular information system. This usually includes the operating system kerneland a specified set of security utilities, such as the user login subsystem."
"Discretionary access controls (DACs)"
"at the discretion or option of the data user. The ability to share resources in a peer-to-peerconfiguration allows users to control and possibly provide access to information or resourcesat their disposal. Users can allow general, unrestricted access, or they can allow specific indivi-duals or sets of individuals to access these resources. For example, suppose a user has a harddrive containing information to be shared with office coworkers. This user can allow specificindividuals to access this drive by listing their names in the share control function. Most per-sonal computer operating systems are designed based on the DAC model."
"ISO/IEC 27002 is focused on a"
"broad overview of the various areas of security, providinginformation on 127 controls over 10 areas, ISO/IEC 27001 provides information on how toimplement ISO/IEC 27002 and how to set up an information security management system"
"One area of discussion among practitioners is whether access controls should be centralized ordecentralized. A collection of users with access to the same data typically has a "
"centralized access""control authority, even under a DAC model. The level of centralization appropriate to a givensituation varies by organization and the type of information protected. The less critical the pro-tected information, the more controls tend to be decentralized. When critical information assetsare being protected, the use of a highly centralized access control toolset is indicated. "
"General Bell,whose thoughts and actions are "
"classified at the highest possible level, and Private LaPadula,who has the lowest security clearance in the military. It is prohibited for Private LaPadula toread anything written by General Bell and for General Bell to write in any document that Pri-vate LaPadula could read. In short, the principle is "no read up, no write down."
"The Information Technology Infrastructure Library (ITIL) is a"
"collection of methods andpractices for managing the development and operation of IT infrastructures. It has been pro-duced as a series of books, each of which covers an IT management topic. The names "ITIL"and "IT Infrastructure Library" are registered trademarks of the United Kingdom's Office ofGovernment Commerce (OGC). Since ITIL includes a detailed description of many significantIT-related practices, it can be tailored to many IT organizations."
A " general data classification scheme might havethree categories:"
"confidential, internal, and external. Data owners must classify the informa-tion assets for which they are responsible, reviewing these classifications to ensure that thedata are still classified correctly and the appropriate access controls are in place. Many com-mercial organizations have procedures that call for this review to be done at least annually."
"CC is a combined effort of "
"contributorsfrom Australia, New Zealand, Canada, France, Germany, Japan, the Netherlands, Spain, theUnited Kingdom, and the United States. In the United States, the National Security Agency(NSA) and the NIST were the primary contributors. CC and its companion, the CommonMethodology for Information Technology Security Evaluation (CEM), are the technicalbasis for an international agreement, the Common Criteria Recognition Agreement (CCRA),which ensures that products can be evaluated to determine their particular security proper-ties. CC seeks the widest possible mutual recognition of secure IT products.9 The CC processassures that the specification, implementation, and evaluation of computer security productsare performed in a rigorous and standard manner.1"
"A third approach describes the "
"degree of authority under which the controls are applied.They can be mandatory, nondiscretionary, or discretionary. Each of these categories of con-trols regulates access to a particular type or collection of information, as explained in the fol-lowing sections."
"These documents set out the structure andpath to be followed during the"
"design, selection, and initial and ongoing implementation of allsubsequent security controls, including InfoSec policies, security education and training pro-grams, and technological controls."
""NIST SP 800-18, Rev. 1: Guide forDeveloping Security Plans for Federal Information Systems" provides "
"detailed methods forassessing, designing, and implementing controls and plans for applications of various sizes.It serves as a guide for the security planning activities described later and for the overallInfoSec planning process. In addition, this document includes templates for major applica-tion security plans. As with any publication of this scope and magnitude, SP 800-18 mustbe customized to fit the particular needs of the organization."
"Another data classification scheme is the personnel security clear-ance structure, in which "
"each user of an information asset is assigned an authorization levelthat identifies the level of information classification he or she can access. This is usuallyaccomplished by assigning each employee to a named role, such as data entry clerk, develop-ment programmer, InfoSec analyst, or even chief information officer (CIO). Most organiza-tions have developed a set of roles and corresponding security clearances so that individualsare assigned authorization levels correlating with the classifications of the information assets."
"Aframework or model describes what the "
"end product should look like,"
""NIST SP 800-30, Rev. 1: Guide for Con-ducting Risk Assessments" provides a "
"foundation for the development of an effective riskmanagement program, and it contains both the definitions and the practical guidance neces-sary for assessing and mitigating risks identified within IT systems. The ultimate goal is tohelp organizations better manage IT-related mission risks. It is organized into three chaptersthat explain the overall risk management process as well as preparing for, conducting, andcommunicating a risk assessment. The original document, SP 800-30, was functionallyreplaced by "SP 800-53, Rev. 3: Guide for Assessing the Security Controls in Federal Informa-tion Systems and Organizations." The document was substantially revised, and SP 800-30(Revision 1) became a process document for the subtask of conducting risk assessment. "
""NIST SP800-53A, Rev. 4: Assessing Security and Privacy Controls in Federal Information Systemsand Organizations: Building Effective Assessment Plans" is the"
"functional successor to "SP800-26: Security Self-Assessment Guide for Information Technology Systems." A companionguide to "SP 800-53, Rev. 4: Security and Privacy Controls for Federal Information Systemsand Organizations," it provides a systems developmental life cycle (SDLC) approach tosecurity assessment of information systems."
"Beyond a simple reliance on the security clearance is the"
"incorporation of the need-to-knowprinciple, based on the requirement that people are not allowed to view data simply because itfalls within their level of clearance; they must also have a business-related need to know. Thisextra requirement ensures that the confidentiality of information is properly maintained."
"Trusted Computer System Evaluation Criteria (TCSEC)"
"is an older DoD standard thatdefines the criteria for assessing the access controls in a computer system. This standard is partof a larger series of standards collectively referred to as the "Rainbow Series" because of thecolor-coding used to uniquely identify each document. TCSEC is also known as the "OrangeBook" and is considered the cornerstone of the series. As described later in this chapter, thisseries was replaced in 2005 with a set of standards known as the "Common Criteria," but Info-Sec professionals should be familiar with the terminology and concepts of this legacy approach."
"One way to determine how closely an organization"
"is complying with ISO 27002 is to usethe SANS SCORE (Security Consensus Operational Readiness Evaluation) Audit Checklist,which is based on 17799:2005. Even though the standard's number changed, the contenthas not been substantially modified since the original 17799 was published."
"mandatory access control (MAC):
"mandatory access control (MAC): A required, structured data classification scheme that rateseach collection of information as well as each user. These ratings are often referred to assensitivity or classification levels."
dumpster diving
"may compromise the security of the organization's information assets. If dumpster binsare located on public property, such as a public street or alley, individuals may not be violat-ing the law to search through these receptacles. However, if the bin is located on private prop-erty, individuals may be charged with trespassing, although prosecution is unlikely. In its1998 decision California v. Greenwood, the Supreme Court ruled that there is no expectationof privacy for items thrown away in trash or refuse containers"
"When copies of classified information are no longer valuable or too many copies exist, careshould be taken to destroy them properly, usually after double signature verification. Docu-ments should be destroyed by "
"means of shredding, burning, or transfer to a service offeringauthorized document destruction. Policy should ensure that no classified information is inap-propriately disposed of in trash or recycling areas. "
"The general application of accesscontrol comprises four processes:"
"obtaining the identity of the entity requesting access to alogical or physical area (identification); confirming the identity of the entity seeking access toa logical or physical area (authentication); determining which actions an authenticated entitycan perform in that physical or logical area (authorization); and finally, documenting theactivities of the authorized individual and systems (accountability)."
"The original purpose of ISO/IEC 17799 was to"
"offer guidance for the management of InfoSecto individuals responsible for their organization's security programs. According to 27000.org,the standard was "intended to provide a common basis for developing organizational secu-rity standards and effective security management practice and to provide confidence in inter-organizational dealings."18 ISO 27002, the successor to 17799, continues that focus."
"The stated purpose of ISO/IEC 27002, as derived from its ISO/IEC 17799 origins, is to:"
"offer guidelines and voluntary directions for information security management.It is meant to provide a high level, general description of the areas currentlyconsidered important when initiating, implementing, or maintaining informa-tion security in an organization... The document specifically identifies itself as'a starting point for developing organization specific guidance.'a starting point for developing organization specific guidance.' It states that'not all of the guidance and controls it contains may be applicable and thatadditional controls not contained may be required. It is not intended to givedefinitive details or 'how-to's"
"Within TCB is a conceptual object known"
"reference monitor to mediate access to"objects by subjects. Systems administrators must be able to audit or periodically review thereference monitor to ensure it is functioning effectively, without unauthorized modification."
"reference monitor:
"reference monitor: Within TCB, a conceptual piece of the system that manages accesscontrols—in other words, it mediates all access to objects by subjects."
"As the name indicates, a mandatory access control(MAC) is "
"required and is structured and coordinated within a data classification schemethat rates each collection of information as well as each user. These ratings are oftenreferred to as sensitivity or classification levels. When MACs are implemented, users anddata owners have limited control over access to information resources."
Among the many controls that managers can use to maintain the confidentiality of classifieddocuments is a"
"risk management control known as the "clean desk policy." This policy usu-ally meets with resistance because it requires each employee to secure all information in itsappropriate storage container at the end of every business day."
"Orga-nizations wanting to adopt proprietary models must purchase the right to do so. Alterna-tively,"
"some public domain sources""forsecurity management models offer free"documentation. In the forefront of this category are those documents provided by NIST'sComputer Security Resource Center (http://csrc.nist.gov). This Web resource houses manypublications, including some containing various security management models and prac-tices. Earlier chapters of this book made reference to some of these publications. Otherorganizations provide freely accessible documentation for review to various professionalgroups. Other open source and proprietary sources are described in the rest of thischapter.
"To generate a usable security blueprint, most organizations draw on "
"stablished security fra-meworks, models, and practices. Some of these models are proprietary and are only availablefor a significant fee; others are relatively inexpensive, such as International Organization forStandardization (ISO) standards; and some are free. Free models are available from theNational Institute of Standards and Technology (NIST) and a variety of other sources. Themodel you choose must be flexible, scalable, robust, and sufficiently detailed."
"storage channels:
"storage channels: A TCSEC-defined covert channel that communicates by modifying a storedobject, such as in steganography."
"A number of access control models were initially designed to teach"
"system designers to buildoperating systems with security built in, by controlling the confidentiality or integrity of datawithin the software. Some of these were built into actual OSs, but most were used simply tobetter understand how systems should or could function."
m"ost organizations working outside the realm of national security do not need "
"the detailedlevel of classification used by military or federal agencies. Nevertheless, they may find it nec-essary to classify data to provide protection. "
"the U.S. military clas-sification scheme is a more complex categorization system than "
"the schemes of mostcorporations. The military is perhaps the best-known user of data classification schemes. Ithas invested heavily in InfoSec, operations security (OpSec), and communications security(ComSec). In fact, many developments in data communications and InfoSec are the resultof Department of Defense (DoD) and military-sponsored research and development."
"timing channels:
"timing channels: A TCSEC-defined covert channel that communicates by managing the relativetiming of events."
"ISO/IEC 27002:2013 is a broad overview of the "
"various areas of security. It providesinformation on 14 security control clauses and addresses 35 control objectives and morethan 110 individual controls. Its companion document, ISO/IEC 27001:2013, providesinformation for how to implement ISO/IEC 27002 and set up an ISMS. ISO/IEC 27001'sprimary purpose is to be used as a standard so organizations can adopt it to obtain certifi-cation and build an information security program; ISO 27001 serves better as an assess-ment tool than as an implementation framework. ISO 27002 is for organizations thatwant information about implementing security controls;it is not a standard used forcertification."
"One ofthe most widely referenced InfoSec management models is the InformationTechnology—Code of Practice for Information Security Management,"
"which was originallypublished as British Standard BS7799. In 2000, the Code of Practice was adopted as an inter-national standard framework for InfoSec by the International Organization for Standardiza-tion (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799. Thedocument was revised in 2005 (becoming ISO 17799:2005), and in 2007 it was renamedISO 27002 to align it with the document ISO 27001 (discussed later in this chapter). Whilethe details of ISO/IEC 27002:2013 (the most recent version) are only available to those whopurchase the standard, its structure and general organization are well known. "
"The elements of the Clark-Wilson model are:"
"• Constrained Data Item (CDI)—Data item with protected integrity • Unconstrained Data Item—Data not controlled by Clark-Wilson; nonvalidated inputor any output—Procedure that scans data Integrity Verification Procedure (IVP)—Procedure that scans data—and confirms its integrity• • Transformation Procedure (TP)—Procedure that only allows changes to a constraineddata item"
"Access control is an area that is developing rapidly in both its principles and technologies.Other models of access control include the following:"
"• Content-Dependent Access Controls—As the name suggests, access to a specific setof information may be dependent on its content. For example, the marketingdepartment needs access to marketing data, the accounting department needs accessto accounting data, and so forth." "Constrained User Interfaces—Some systems are designed specifically to restrict whatinformation an individual user can access. The most common example is the bankautomated teller machine (ATM), which restricts authorized users to simple accountqueries, transfers, deposits, and withdrawals." "Temporal (Time-Based) Isolation—In some cases, access to information is limited bya time-of-day constraint. A physical example is a time-release safe, found in most con-venience and fast-food establishments. The safe can only be opened during a specifictime frame, even by an authorized user (e.g., the store manager)."
"A number of approaches are used to categorize access control methodologies. One approachdepicts the controls by their inherent characteristics and classifies each control as one of thefollowing:"
"• Directive—Employs administrative controls such as policy and training designed toproscribe certain user behavior in the organization" "Deterrent: Discourages or deters an incipient incident; an example would be signs that indicate video monitoring "• Preventative—Helps an organization avoid an incident; an example would be therequirement for strong authentication in access controls" "• Detective—Detects or identifies an incident or threat when it occurs—for example,anti-malware software" "• Corrective—Remedies a circumstance or mitigates damage done during an incident—for example, changes to a firewall to block the reoccurrence of a diagnosed attack" "• Recovery—Restores operating conditions back to normal—for example, data backupand recovery software" • Compensating:"Resolves shortcomings, such as requiring the use of encryption for transmission of classified data over unsecured networks"
Access control is built on severalkey principles, including the following
"• Least privilege—This is the principle by which members of the organization can accessthe minimum amount of information for the minimum amount of time necessary toperform their required duties. Least privilege presumes a need to know and also impliesrestricted access to the level required for assigned duties. For example, if a task requiresonly the reading of data, the user is given read-only access, which does not allow thecreation, updating, or deletion of data. • Need-to-know—This principle limits a user's access to only the specific informationrequired to perform the currently assigned task, and not merely to the category of datarequired for a general work function. For example, a manager who needs to change aspecific employee's pay rate is granted access to read and update that data but isrestricted from accessing pay data for other employees. This principle is most fre-quently associated with data classification. Separation of duties—This principle requires that significant tasks be split up in such away that more than one individual is responsible for their completion. For example, inaccounts payable situations, one person may set up a vendor, another may requestpayment to the vendor, and a third person may authorize the payment. Separation ofduties, which you will learn more about in Chapter 11, reduces the chance of an indi-vidual violating InfoSec policy and breaching the confidentiality, integrity, and avail-ability of the information."
"SP 800-12 also lays out NIST's philosophy on security management by identifying 17 con-trols organized into the three categories discussed earlier:"
"• Management controls • Operational controls • Technical controls"
"The Clark-Wilson integrity model, which is built upon principles of change control ratherthan integrity levels, was designed for the commercial environment. The change control prin-ciples upon which it operates are:"
"• No changes by unauthorized subjects" "• No unauthorized changes by authorized subjects" "• The maintenance of internal and external consistency"
"In COBIT 5, ISACA incorporates an approach based on five principles and seven enablers.COBIT 5 provides five principles focused on the governance and management of IT in anorganization:"
"• Principle 1: Meeting Stakeholder Needs • Principle 2: Covering the Enterprise End-to-End • Principle 3: Applying a Single, Integrated Framework • Principle 4: Enabling a Holistic Approach • Principle 5: Separating Governance from Management"
"The COBIT 5 framework also incorporates a series of "enablers" to support the principles:"
"• Principles, policies, and frameworks are the vehicle to translate the desired behaviorManagementTechnicalinto practical guidance for day-to-day management. • Processes describe an organized set of practices and activities to achieve certainOperationalManagementobjectives and produce a set of outputs in support of achieving overall IT-relatedgoals. • Organizational structures are the key decision-making entities in an enterprise." • Culture, ethics, and behavior of individuals and of the enterprise are very often under-estimated as a success factor in governance and management activities. Information is required for keeping the organization running and well governed, but atthe operational level, information is very often the key product of the enterprise itself. Services, infrastructure, and applications include the infrastructure, technology, and appli-cations that provide the enterprise with information technology processing and services."
"With a simple scheme like the following, an organization can protect its sensitive informa-tion, such as marketing or research data, personnel data, customer data, and general inter-nal communications:"
"• Public—""For general public dissemination, such as an advertisement or press release" "For Official (or Internal) Use Only""Not for public release but not particularly sensi-tive, such as internal communications" " Confidential (or Sensitive)—Essential and protected information, disclosure of which""could severely damage the financial well-being or reputation of the organization"
"CC terminology includes:"
"• Target of Evaluation (ToE)—The system being evaluated—User-generated specification for security requirements • Protection Profile (PP)—User-generated specification for security requirements— Security Target (ST)—Document describing the ToE's security properties Security Functional Requirements (SFRs)—Catalog of a product's security functions• • Evaluation Assurance Level (EAL)—The rating or grading of a ToE after evaluation"
"In the United Kingdom, correct implementation of both volumes of these standards had to bedetermined by a BS7799-certified evaluator before organizations could obtain ISMS certifica-tion and accreditation. When the standard first came out, several countries, including theUnited States, Germany, and Japan, refused to adopt it, claiming that it had the followingfundamental problems:"
"• The global information security community had not defined any justification for a codeof practice identified in ISO/IEC 17799. • The standard lacked the measurement precision associated with a technical standard. • There was no reason to believe that ISO/IEC 17799 was more useful than any otherapproach. It was not as complete as other frameworks.• • The standard was hurriedly prepared given the tremendous impact its adoption couldhave on industry information security controls."
"The more significant points made in NIST SP 800-14 are as follows:"
"•Security Supports the Mission of the Organization—The implementation of InfoSec isnot independent of the organization's mission. On the contrary, it is driven by it. AnInfoSec system that is not grounded in the organization's mission, vision, and culture isguaranteed to fail. The InfoSec program must support and further the organization'smission, which means that it must include elements of the mission in each of its poli-cies, procedures, and training programs." "Security Is an Integral Element of Sound Management—"effective management includes "planning, organizing, leading, and controlling activities. Security supports the planningfunction when InfoSec policies provide input into the organization initiatives, and itsupports the controlling function when security controls enforce both managerial andsecurity policies." "Security Should Be Cost-Effective—The costs of InfoSec should be considered part ofthe cost of doing business, much like the cost of the computers, networks, and voicecommunications systems. None of these systems generates any profit, and they may not lead to competive advantages. "Systems Owners Have Security Responsibilities Outside Their Own Organizations—Whenever systems store and use information from customers, patients, clients, partners,or others, the security of such data becomes a serious responsibility for the owners ofthe systems. Also, the owners have the general duty to protect information assets onbehalf of all stakeholders of the organization. These stakeholders may include share-holders in publicly held organizations, and the government and taxpayers in the case ofpublic agencies and institutions." "Security Responsibilities and Accountability Should Be Made Explicit—countability Should Be Made Explicit——"policy documents "should clearly identify the security responsibilities of users, administrators, and managers.To be legally binding, such documents must be disseminated, read, understood, and agreedto. As discussed in Chapter 5, ignorance of the law is no excuse, but ignorance of policycan be. Any relevant legislation must also become part of the security program." "Security Requires a Comprehensive and Integrated Approach—As emphasized""throughout this book, security is everyone's responsibility. Throughout each stage ofthe SecSDLC, the three communities of interest—IT management and professionals,InfoSec management and professionals, and the nontechnical general business man-agers and professionals of the broader organization—should participate in all aspectsof the InfoSec program." "Security Should Be Periodically Reassessed—""InfoSec that is implemented and then""ignored lacks due diligence and is considered negligent. Security is an ongoing process.To remain effective in the face of a constantly shifting set of threats and a constantlychanging user base, the security process must be periodically repeated. Continuous anal-yses of threats, assets, and controls must be conducted and new blueprints developed."
"Biba integrity model:
An access control model that is similar to BLP and is based on the premisethat higher levels of integrity are more worthy of trust than lower levels." "The Biba integrity model is another state machine model similar to BLP. It is based on thepremise that higher levels of integrity are more worthy of trust than lower ones. The intentis to provide access controls to ensure that objects or subjects cannot have less integrityas a result of read/write operations. The Biba model assigns integrity levels to subjectsand objects using two properties: the simple integrity (read) property and the integrity *property (write)."
"blueprint:
In information security, a framework or security model customized to anorganization, including implementation details."
"framework:
In information security, a specification of a model to be followed during the design,selection, and initial and ongoing implementation of all subsequent security controls, includingInfoSec policies, security education and training programs, and technological controls. Alsoknown as a security model." "is a generic outline of themore thorough and organization-specific blueprint."
"need-to-know:
The principle of limiting users' access privileges to only the specific informationrequired to perform their assigned tasks."
"All subjects and objects are labeled
with TPs. The TPs operate as the intermediate layerbetween subjects and objects. Each data item has a set of access operations that can be performedon it. Each subject is assigned a set of access operations that it can perform. The system thencompares these two parameters and either permits or denies access by the subject to the object."
"SP 800-12 draws upon the OECD's Guidelines for the Security of Information Systems,which was endorsed by the United States. It provides for:"
• Accountability—The responsibilities and accountability of owners, providers, and usersof information systems and other parties [...] should be explicit." • Awareness—Owners, providers, users, and other parties should readily be able, consis-tent with maintaining security, to gain appropriate knowledge of and be informed aboutthe existence and general extent of measures [...] for the security of information systems." Ethics—The information systems and the security of information systems should beprovided and used in such a manner that the rights and legitimate interests of othersare respected." "• Multidisciplinary—Measures, practices, and procedures for the security of informationsystems should address all relevant considerations and viewpoints. [...]" "• Proportionality—Security levels, costs, measures, practices, and procedures shouldbe appropriate and proportionate to the value and degree of reliance on the""information systems, and to the severity, probability, and extent of potentialharm. " "Integration—Measures, practices, and procedures for the security of information sys-tems should be coordinated and integrated with each other and other measures, prac-tices, and procedures of the organization so as to create a coherent system of security." "Timeliness—Public and private parties, at both national and international levels,should act in a timely, coordinated manner to prevent and to respond to breaches ofsecurity of information systems." Reassessment The security of information systems should be reassessed periodically,as information systems and the requirements for their security vary over time." "Democracy—The security of information systems should be compatible with the legiti-mate use and flow of data and information in a democratic society."
"One of the biggest challenges in TCB is the existence of covert channels. For example, someresearchers discovered that the indicator lights blinking on the face of some network routerswere flashing in sync with the content of the data bits being transmitted, thus unintentionallydisplaying the contents of the data. TCSEC defines two kinds of covert channels:"
•Storage channels, which communicate by modifying a stored object—for example, insteganography, which is described in Chapter 12. • Timing channels, which transmit information by managing the relative timing ofevents—for example, in a system that places a long pause between packets to signify a1 and a short pause between packets to signify a 0."