Chapter 08: Security Management Models
The Common Criteria:
(CC): international standard (ISO/IEC 15408) for computer security certification -widely considered the successor to both TCSEC and ITSEC
COSO's framework is built on five components:
-Control environment -Risk assessment -Control activities -Information and communication -Monitoring
NIST Documents have two advantages
-they are publicly available at no charge -they have been available for some time and have been broadly reviewed by government
general application of access control comprises four processes:
-obtaining the identity of the entity requesting access -confirming that identity -determining which actions an authenticated entity can perform -documenting the activities of authorized individuals and systems
COBIT 5 provides five principles:
1. meeting stakeholder needs 2. covering the enterprise end-to-end 3. applying a single, integrated framework 4. enabling a holistic approach 5. separating governance from management
BLP
Bell-LaPadula Confidentiality Model -state machine reference model that helps ensure the confidentiality of an info system by means of MACs, data classification, and security clearances
Core of infosec governance framework includes:
Board of directors/trustees -senior executives -executive team members who report to senior exec -senior managers -all employees and users
COSO
Committee of Sponsoring Organizations -private sector initiative formed in 1985 -major objective is to identify the factors that cause fraudulent financial reporting -helps orgs comply with critical regulations like Sarbanes-Oxley
Benchmarking
Comparison of two related measurements -describes both internal and external comparisons
CDI
Constrained data item: data item with protected integrity
COBIT
Control Objectives for Information and Related Technology -provides advice about the implementation of sound controls and control objectives for infosec -created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992
categories of access controls:
directive, deterrent, preventative, detective, corrective, recovery, compensating
DACs
Discretionary access controls -implemented at the discretion of the data user -most personal computer systems are designed based on the DAC model
ITIL
Information Technology Infrastructure Library -collection of methods and practices useful for managing the development of information technology infrastructures
ITSEC
International standard information technology system evaluation criteria -Targets of Evaluation (ToE) are compared to detailed security function specs, resulting in an assessment of system functionality and pen testing -replaced by the "Common Criteria"
organizational structures
Key decision-making entities in an enterprise
Information Security Governance Framework
Managerial model providing guidance in the development of an organizational information security governance structure
MACs
Mandatory access controls -required and structured within a data classification scheme that rates each collection of info -ratings are referred to as sensitivity levels or classification levels
COBIT 5 principle "enablers"
Principles, policies and frameworks are the vehicle to translate desired behavior into practical guidance
Internal Control process
Provides reasonable assurance regarding the achievement of objectives in the following categories: -effectiveness and efficiency of operations -reliability of financial reporting -compliance with applicable laws and regulations
RBAC
Role-based access controls -tied to the role that a particular user performs in an org, whereas task-based controls are tied to a particular assignment
TP
Transformation procedure: the only procedure permitted to make changes to a constrained data item
TCSEC
Trusted Computer System Evaluation Criteria -older DoD standard that defines criteria for assessing access controls in a computer system -part of a larger series referred to as the "rainbow series" -known as the orange book and the cornerstone of the series -replaced by the "Common Criteria" in 2005
TCB
Trusted Computing Base -combination of all hardware, firmware, and software responsible for enforcing the security policy
how to determine how closely an org is complying with ISO 27002
Use the SANS SCORE (Security Consensus Operational Readiness Evaluation) audit checklist, based on ISO/IEC 17799:2005
content dependent access controls
access to a specific set of info may be dependent on its content
temporal (time-based) isolation
access to info is limited by a time-of-day constraint (e.g., time-release safes)
Clark-Wilson Integrity Model
built upon the principles of change control; designed for the commercial environment
external benchmarking
comparing one's org results against other similar orgs
separation of duties:
control requiring that significant tasks be split up in such a way that more than one individual is responsible for their completion
eight primitive protection rights
create object, create subject, delete object, delete subject, read access right, grant access right, delete access right, transfer access right
Harrison-Ruzzo-Ullman (HRU) model
defines a method to allow changes to access rights and the addition and removal of subjects and objects
Processes:
describe an organized set of practices and activities to achieve certain objectives
Brewer Nash (Chinese Wall)
designed to prevent a conflict of interest between two parties -requires users to select one of two conflicting sets of data, after which they cannot access the conflicting data
detective
detects or identifies incident when it occurs
nondiscretionary controls
determined by a central authority in the org and can be based on roles: RBAC
deterrent:
discourages or deters an incipient incident
directive
employs admin controls such as policy and training
preventative
helps org avoid an incident
security architecture models
illustrate information security implementations -help orgs quickly make improvements through adaptation -some models implemented in computer hardware/software -some implemented as policies and practices
IVP
integrity verification procedure: scans data and confirms integrity
internal benchmarking
known as baselining, involves comparing org performance at some defined state against current performance
access control key principles:
least privilege, need to know, separation of duties
need to know:
limits user's access to specific info required to perform duties
least privilege:
members of org can access minimum amount of info for min amount of time necessary to perform duties
ISO 27000 Series
most widely referenced and discussed security models
Purpose of ISO/IEC 27002
offers guidance for the management of infosec to individuals responsible for their org's security programs -focused on a broad overview of various areas of security -provides information on 127 controls over 10 areas
Framework or security model:
outline of the more thorough and organization-specific blueprint -forms the basis for the design, selection and implementation of all security controls, including policy, SETA, and technologies
Biba Integrity Model
provides access controls to ensure objects cannot have less integrity -ensures no info from a subject can be passed on to an object in a higher security level
ISO/IEC 27001
provides information on how to implement ISO/IEC 27002 and how to set up an infosec management system (ISMS)
Access Controls:
regulate admission of users into trusted areas of the organization: both logical and physical access
corrective
remedies a circumstance or mitigates damage done during incident
compensating
resolves shortcomings
recovery
restores operating conditions back to normal
constrained user interfaces
some systems are designed specifically to restrict what info an individual user can access (e.g., ATMs)
state machine model
the design follows a conceptual approach in which the system is always in a known secure condition
Graham-Denning Access Control Model
three parts: Set of subjects, set of rights, and set of objects -composed of process and domain
Lattice based access controls
variation on the MAC form; assigns users a matrix of authorizations for particular areas of access -contains subjects and objects and the boundaries associated with each