CH. 6 security management models

Controls that discourage an incipient incident are called

deterrent

Bell-LaPadula Confidentiality Model

-A state machine model that helps ensure the confidentiality of an information system Using mandatory access controls (MACs), data classification, and security clearances -A state machine model follows a conceptual approach in which the state of the content of the system being modeled is always in a known secure condition --This kind of model is provably secure -A system that serves as a reference monitor compares the level of classification of the data with the clearance of the entity requesting access --It allows access only if the clearance is equal to or higher than the classification -BLP security rules prevent information from being moved from a level of higher security level to a level of lower security

Lattice-Based Access Controls

-A variation on the MAC form of access control -Assigns users a matrix of authorizations for particular areas of access -The level of authorization can vary --Depending on individual's classification authorization for each group of information assets -Lattice structure contains subjects and objects --Boundaries associated with each subject/object pair are clearly demarcated

Bell-LaPadula Confidentiality Model (cont'd.)

-Access modes can be one of two types --Simple security Prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level (read down) --The * (star) property The * property (the write property) prohibits a high-level subject from sending messages to a lower-level object --Subjects can read down and objects can write or append up

Clark-Wilson Integrity Model

-Built upon principles of change control rather than integrity levels -Designed for the commercial environment -Its change control principles --No changes by unauthorized subjects --No unauthorized changes by authorized subjects --The maintenance of internal and external consistency

Primitive protection rights

-Create or delete object, create or delete subject -Read, grant, transfer and delete access rights

To create or maintain a secure environment

-Design a working security plan -Implement a management model to execute and maintain the plan

Security clearance structure

-Each user of an information asset is assigned an authorization level --Indicates the level of information classification they may access -Most organizations have developed roles and corresponding security clearances --Individuals are assigned into groups that correlate with the classifications of the of information assets they need for their work -In the need-to-know principle, regardless of one's security clearance, an individual is not allowed to view data simply because it falls within that individual's level of clearance --Must need to know the information

Clark-Wilson Integrity Model (cont'd.)

-Establishes a system of subject-program-object relationships --Such that the subject has no direct access to the object --The subject is required to access the object using a well-formed transaction using a validated program -Provides an environment where security can be proven through separated activities, each of which is provably secure

Security Architecture Models

-Illustrate InfoSec implementations -Can help organizations quickly make --improvements through adaptation --Some models are implemented into computer hardware and software --Some are policies and practices --Some are implemented in both --Some models focus on the confidentiality of information, while others focus on the integrity of the information as it is being processed

Discretionary Access Controls (DACs)

-Implemented at the option of the data user -Users can allow general, unrestricted access, or they can allow specific individuals or sets of individuals to access the resources -Most personal computer operating systems are designed based on the DAC model -One discretionary model is rule-based access controls where access is granted based on a set of rules specified by the central authority

Key principles of access control (Access control models)

-Least privilege -Need to Know -Separation of Duties

Access controls

-Regulate the admission of users into trusted areas of the organization -Both the logical access to the information systems and the physical access to the organization's facilities -Maintained by means of a collection of policies, programs to carry out those policies, and technologies that enforce policies

Biba Integrity Model

-Similar to Bell-LaPadula -Provides access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations -Ensures no information from a subject can be passed on to an object in a higher security level --This prevents contaminating data of higher integrity with data of lower integrity -Assigns integrity levels to subjects and objects using two properties The simple integrity (read) property --Permits a subject to have read access to an object only if the security level of the subject is equal to or lower than the level of the object -The integrity * (write) property --Permits a subject to have write access to an object only if the security level of the subject is equal to or higher than that of the object

Types of covert channels

-Storage channels, which communicate by modifying a stored object -Timing channels, which transmit information by managing the relative timing of events

Mandatory Access Controls (MACs)

-Structured and coordinated within a data classification scheme that rates each collection of information as well as each user -These ratings are often referred to as sensitivity levels -When MACs are implemented, users and data owners have limited control over access to information resources

CWI model controls

-Subject authentication and identification -Access to objects by means of well-formed transactions -Execution by subjects on a restricted set of programs -Elements of the CWI model -Constrained data item (CDI) --The integrity of this data item is protected

Trusted Computing Base Trusted Computer System Evaluation Criteria (TCSEC)

-U.S. Government Department of Defense standard that defines criteria for assessing access controls in a computer system -Part of a larger series of standards collectively referred to as the Rainbow Series, due to the color-coding used to uniquely identify each document --Also known as the "Orange Book" and is considered the cornerstone of the series

Principles of NIST SP 800-14

1. Establish a sound security policy as the foundation for design 2. Treat security as an integral part of the overall system design 3. Clearly delineate the physical and logical security boundaries governed by associated security policies 4. Reduce risk to an acceptable level 5. Assume that external systems are insecure

COSO

A U.S. private-sector initiative Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence Has established a common definition of internal controls, standards and criteria Helps organizations comply with critical regulations like Sarbanes-Oxley

Information Technology Infrastructure Library

A collection of methods and practices useful for managing the development and operation of information technology infrastructures Has been produced as a series of books Each of which covers an IT management topic Includes a detailed description of many significant IT-related practices Can be tailored to many IT organizations

Reference monitor

A conceptual object The piece of the system that manages access controls It mediates all access to objects by subjects Systems administrators must be able to audit or periodically review the reference monitor to ensure it is functioning effectively, without unauthorized modification

Separation of Duties

A control requiring that significant tasks be split up in such a way that more than one individual is responsible for their completion

Information Security Governance Framework

A managerial model Provides guidance in the development and implementation of an organizational information security governance structure Includes recommendations for the responsibilities of members of an organization

Brewer-Nash Model (Chinese Wall)

Also known as a Chinese Wall Designed to prevent a conflict of interest between two parties Requires users to select one of two conflicting sets of data, after which they cannot access the conflicting data

The ___ or Chinese Wall model is designed to prevent a conflict of interest between two parties.

Brewer-Nash

NIST access control

Categories are based on operational impact to the organization -Management -Operational (or administrative) -Technical

Graham-Denning Access Control Model

Composed of three parts A set of objects A set of subjects (a process and a domain) The domain is the set of constraints controlling how subjects may access objects A set of rights

Managing an information asset

Considering its storage, distribution, portability, and destruction -An information asset that has a classification designation other than unclassified or public must be clearly marked as such --Must be available only to authorized individuals -To maintain the confidentiality of classified documents, managers can implement a clean desk policy -When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly to discourage dumpster diving

Other forms of access control

Content-dependent access controls Constrained user interfaces Temporal (time-based) isolation

COSO Built on five interrelated components

Control environment Risk assessment Control activities Information and communication Monitoring

creating or validating a security framework

Create an information security blueprint to describe existing controls and identify other necessary security controls

Data classification model

Data owners must classify the information assets for which they are responsible and review the classifications periodically Example of classification types: -Public -For official use only -Sensitive -Classified The U.S. military classification scheme relies on a more complex five-level classification scheme as defined in Executive Order 12958: Unclassified data Sensitive but unclassified (SBU) data Confidential data Secret data Top secret data

Harrison-Ruzzo-Ullman Model

Defines a method to allow changes to access rights and the addition and removal of subjects and objects A process that the Bell-LaPadula model does not have Since systems change over time, their protective states need to change Built on an access control matrix Includes a set of generic rights and a specific set of commands

NIST Special Publication 800-14:Generally Accepted Principles and Practices for Securing Information Technology Systems

Describes best practices useful in the development of a security blueprint Describes principles that should be integrated into information security processes Documents 8 points and 33 principles

Nondiscretionary controls

Determined by a central authority in the organization Can be role-based or task-based

NIST SP 800-12: Computer Security Handbook

Excellent reference and guide for the routine management of information security Little guidance provided on design and implementation of new security systems Use as supplement to gain a deeper understanding of background and terminology

Acquire and implement

Focuses on specification of requirements Acquisition of needed components Component integration Examines ongoing maintenance and change requirements 7 controlling objectives (AI1 - AI7)

Delivery and support

Focuses on the functionality of the system and its use to the end user Examines systems applications: including input, processing, and output components Examines processes for efficiency and effective of operations 13 high-level controlling objectives (DS1 - DS13)

Claims of fundamental flaws

Global InfoSec community has not defined any justification for the code of practice identified Model lacks the necessary measurement precision of a technical standard No reason to believe the model is more useful than any other approach -Not as complete as other frameworks Perceived as being hurriedly prepared, given the tremendous impact that its adoption could have on industry information security controls

The ISO 27000 Series The InfoSec Management System - Do

ISO/IEC 27001:2005 -The InfoSec Management System - Plan 1. Define the scope of the ISMS 2. Define an ISMS policy 3 Define the approach to risk assessment 4 Identify the risks 5 Assess the risks 6 dentify and evaluate options for the treatment of risk 7 Select control objectives and controls 8 Prepare a statement of applicability (SOA) 9 Formulate a risk treatment plan 10 Implement the risk treatment plan 11 Implement controls 12 Implement training and awareness programs 13 Manage operations 14 Manage resources 15 Implement procedures to detect and respond to security incidents

The ISO 27000 Series (cont'd.)

ISO/IEC 27002 has 133 possible controls Not all of which must be used Need to identify which are relevant Each section includes four categories of information: One or more objectives Controls relevant to the achievement of the objectives Implementation guidance Other information

Technical controls

Identification and authentication Logical access controls Audit trails

The ISO 27000 Series

Information Technology - Code of Practice for Information Security Management One of the most widely referenced and discussed security models Originally published as British Standard 7799 and then later as ISO/IEC 17799 Since been renamed ISO/IEC 27002 Establishes guidelines for initiating, implementing, maintaining, and improving information security management

Need to Know

Limits a user's access to the specific information required to perform the currently assigned task, and not merely to the category of data required for a general work function

All employees and users

Maintain security of information and information systems accessible to them

Plan and organize

Makes recommendations for achieving organizational goals and objectives through the use of IT 10 controlling objectives (PO1 - PO10)

The ISO 27000 Series (cont'd.)

Many countries did not originally adopted the model Including the US, Germany, and Japan

Which of the following is NOT a change control principle of the Clark-Wilson model?

No changes by authorized subjects without external validation

NIST Security Models

Notable advantages of NIST documents Publicly available at no charge Have been available for some time Have been broadly reviewed by government and industry professionals Examples SP 800-12, Computer Security Handbook SP 800-14, Generally Accepted Security Principles & Practices

Executive team members

Oversee the organization's security policies and practices

Operational controls

Personnel security Physical security Production, input/output controls Contingency planning Hardware and systems software Data integrity Documentation Security awareness, training, and education Incident response capability

Categories of Access Control

Preventative Deterrent Detective Corrective Recovery Compensating

Senior managers

Provide information security for the information and information systems that support the operations and assets under their control

Senior executives

Provide oversight of a comprehensive information security program for the entire organization

Board of directors/trustees

Provide strategic oversight for information security

NIST Special Publication 800-30:Risk Management Guide for Information Technology Systems

Provides a foundation for the development of an effective risk management program Contains the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems Strives to enable organizations to better manage IT-related risks

RFC 2196 Site Security Handbook

Provides a functional discussion of important security issues along with development and implementation details Covers security policies, security technical architecture, security services, and security incident handling Includes discussion of the importance of security policies, and an examination of services, access controls, and other relevant areas

Control Objectives for Information and Related Technology (COBIT)

Provides advice about the implementation of sound controls and control objectives for InfoSec Created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992 COBIT presents 34 high-level objectives that cover 215 control objectives Objectives categorized into four domains: Plan and organize Acquire and implement Deliver and support Monitor and evaluate

NIST Special Publication 800-18, Rev. 1: A Guide for Developing Security Plans for Federal Information Systems

Provides detailed methods for assessing, designing, and implementing controls and plans for various sized applications Serves as a guide for the activities described in this chapter, and for the overall information security planning process Includes templates for major application security plans

Management controls

Risk management Review of security controls Life cycle maintenance Authorization of processing (certification and accreditation) System security plan

____ specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle.

Security clearances

Monitor and evaluate

Seeks to examine the alignment between IT systems usage and organizational strategy Identifies the regulatory requirements for which controls are needed Monitors the effectiveness and efficiency of IT systems against the organizational control processes in the delivery and support domain 4 high-level controlling objectives (ME1 - ME4)

Trusted computing base (TCB)

The combination of all hardware, firmware, and software responsible for enforcing the security policy In this context, security policy refers to the rules of configuration for a system, rather than a managerial guidance document Made up of the hardware and software that has been implemented to provide security for a particular information system

Framework

The outline of the more thorough blueprint Which is the basis for the design, selection, and implementation of all subsequent security controls

Least privilege

The principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties

Trusted Computing Base Covert channels

Unauthorized or unintended methods of communications hidden inside a computer system

Elements of the CWI model

Unconstrained data item Data not controlled by Clark-Wilson Non-validated input or any output Integrity verification procedure (IVP) Procedure that scans data and confirms its integrity Transformation procedures (TPs) Procedures that only allow changes to a constrained data item

security model

a generic blueprint offered by a service organization

Task-based controls

are tied to a particular assignment or responsibility

Role-based controls

are tied to a particular user's role in an organization

An Automated Teller Machine (ATM) is an example of ____.

constrained user interfaces

An outline of an information security blueprint is called a

framework

Which of the following is not an element of the Clark-Wilson model?

internal consistency validation items

Under TCSEC, the ____ is the piece of the system that manages access controls—in other words, it mediates all access to objects by subjects.

reference monitor

One discretionary model is ____, in which access is granted based on a set of rules specified by the central authority.

rule-based access controls

Under the Bell-LaPadula model, the ____ property prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level.

simple security