CYBR 3300 - Chapter 8


Four processes of access controls

1. Obtaining the identity of the entity requesting access to a logical or physical area (identification)
2. Confirming the identity of the entity seeking access to a logical or physical area (authentication)
3. Determining which actions an authenticated entity can perform in that physical or logical area (authorization)
4. Documenting the activities of the authorized individual and systems (accountability)

timing channels

A TCSEC-defined covert channel that communicates by managing the relative timing of events.

security clearance

A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access.

mandatory access control (MAC)

A required, structured data classification scheme that rates each collection of information as well as each user. These ratings are often referred to as sensitivity or classification levels.

lattice-based access control

A variation on the MAC form of access control, which assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects such as users and objects.

discretionary access controls (DACs)

Access controls that are implemented at the discretion or option of the data user.

nondiscretionary controls

Access controls that are implemented by a central authority.

dumpster diving

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information.

Information Technology System Evaluation Criteria (ITSEC)

An international set of criteria for evaluating computer systems, very similar to TCSEC. Targets of Evaluation (ToE) are compared to detailed security function specifications, resulting in an assessment of system functionality and comprehensive penetration testing. It was, for the most part, functionally replaced by the Common Criteria. Rates products on a scale of E1 (lowest) to E6 (highest).

Common Criteria for Information Technology Security Evaluation

An international standard (ISO/IEC 15408) for computer security certification that is considered the successor to TCSEC and ITSEC; it reconciles some of the differences between the various other standards. This and the CEM are the technical basis for the CCRA, which seeks the widest possible mutual recognition of secure IT products. The process assures that the specification, implementation, and evaluation of computer security products are performed in a rigorous and standard manner.

Security Clearances

Another component of a data classification scheme: each user of an information asset is assigned an authorization level that identifies the level of information classification he or she can access. Accomplished by assigning each employee to a named role. Most organizations have developed roles and corresponding _________ so individuals are assigned into authorization levels correlating with the classifications of the information assets.

ISO/IEC 27001's primary purpose

Used as a standard so organizations can adopt it to obtain certification and build an InfoSec program. Serves better as an assessment tool than as an implementation framework.

ISO/IEC 27000:2013

Broad overview of the various areas of security. Provides information on 14 security control clauses and addresses 35 control objectives and more than 110 individual controls.

Security functional requirements (SFRs)

Catalog of a product's security functions

Clean desk policy

Control that managers can use to maintain the confidentiality of classified documents. A risk management control. Requires each employee to secure all information in its appropriate storage container at the end of every business day.

Managerial

Controls that cover security processes designed by strategic planners, integrated into the organization's management practices, and routinely used by security administrators to design, implement, and monitor other control systems

Operational (or administrative)

Controls that deal with the operational functions of security that have been integrated into the repeatable processes of the organization

EAL Scale

EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested and checked
EAL4: Methodically designed, tested, and reviewed
EAL5: Semiformally designed and tested
EAL6: Semiformally verified design and tested
EAL7: Formally verified design and tested

Directive

Employs administrative controls such as policy and training designed to proscribe certain user behavior in the organization

Non-NSI government classification

•For Official Use Only (FOUO)
•Sensitive but Unclassified (SBU)
•Law Enforcement Sensitive (LES)

Preventative

Helps an organization avoid an incident

Dumpster bins

If located on public property, individuals may not be violating the law by searching through them. If located on private property, individuals may be charged with trespassing.

blueprint

In information security, a framework or security model customized to an organization, including implementation details. Includes information on how to get to the end product.

capabilities table

In a lattice-based access control, the row of attributes associated with a particular subject (such as a user).

framework

In InfoSec, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies, security education and training programs, and technological controls. AKA security model.

Temporal (time-based) isolation

In some cases, access to information is limited by a time-of-day constraint. Physical example: a time-release safe.

Internal benchmarking

Also known as baselining. Involves comparing organizational performance at some defined state against current or expected performance.

Key principles of access control

•Least privilege
•Need-to-know
•Separation of duties

Organizational classification scheme

Most organizations working outside of national security don't need the detailed level of classification; a typical scheme is confidential, internal, and external.
•Data owners must classify the information assets for which they are responsible and review the classifications periodically
•Public - for general public dissemination
•For official (or internal) use only - not for public release, but not sensitive
•Confidential (or Sensitive) - essential and protected information; disclosure could severely damage the organization's finances or reputation

Role-based controls

Nondiscretionary controls that are tied to the role a particular user performs in an organization, whereas task-based controls are tied to a particular assignment or responsibility.

Task-based controls

Nondiscretionary controls that are based on a specified set of tasks. Can be based on lists maintained on subjects or objects. Tied to a particular assignment, project, or responsibility.

Rule-based access control

A discretionary model in which access is granted based on a set of rules specified by the central authority. The individual user is the one who creates the rule.

ISO/IEC 27001:2013

Provides information for how to implement ISO/IEC 27002 and set up an ISMS

Corrective

Remedies a circumstance or mitigates damage done during an incident

Compensating

Resolves shortcomings

Recovery

Restores operating conditions back to normal

Constrained user interfaces

Some systems are designed specifically to restrict what information an individual user can access. The most common example: ATMs.

TCSEC defined two types of channels

•Storage channels
•Timing channels

Categories of Access Controls

Table 8-6, pg. 441

Access control list (ACL)

The column of attributes associated with a particular object within lattice-based access control

Benchmarking

The comparison of two related measures. Describes both internal and external comparisons. Can provide details on how controls are working or which new controls should be considered, but it does not provide implementation details that explain how controls should be put into action.

least privilege

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation needed. Least privilege implies a need to know. The principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary; presumes a need to know and implies restricted access to the level required.

separation of duties

The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them. Reduces the chance of an individual violating InfoSec policy and breaching the confidentiality, integrity, and availability of the information.

need-to-know

The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks. This principle limits a user's access to only the specific information required to perform the currently assigned task.

Evaluation assurance level (EAL)

The rating or grading of a ToE after evaluation

access control

The selective method by which systems specify who may use a particular resource and how they may use it. Access controls regulate the admission of users into trusted areas of the organization, both logical access to information systems and physical access to the organization's facilities. They are maintained by means of a collection of policies, programs to carry out those policies, and technologies that enforce those policies. Access control enables the organization to restrict access to information, information assets, and other tangible assets to those with a bona fide business need.

Target of Evaluation (TOE)

The system being evaluated

Compartmentalization

The use of specialty classification schemes. The restriction of information to the very fewest people possible to prevent compromise or disclosure to unauthorized people.

Protection Profile (PP)

User-generated specification for security requirements

ISO/IEC 27002 is focused on

a broad overview of the various areas of security, providing information on 127 controls over 10 areas

A collection of users with access to the same data typically has

a centralized access control authority

Methodology

a formal way of accomplishing a task. Usually recommended or endorsed by an organization or group of experts in a particular field.

state machine model

a model in which the design follows a conceptual approach in which the state of the content of the system being modeled is always in a known secure condition; in other words, this kind of model is provably secure

Lattice-Based Access Controls

a variation on the MAC form of access control
•assigns users a matrix of authorizations for particular areas of access
•contains subjects and objects, and the boundaries associated with each subject/object pair are clearly demarcated
•then specifies the level of access each subject has to each object, if any

Content-dependent access controls

access to a specific set of information may be dependent on its content

One way to select a methodology is to

adapt or adopt an existing security management model or set of practices
•Because each InfoSec environment is unique, you may need to modify or adapt portions of several frameworks; what works well for one organization may not precisely fit another

Simple security

also called the read property
•prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level (read down)

Nondiscretionary Controls

are determined by a central authority in the organization and can be based on roles (called role-based access controls or RBAC) or on a specified set of tasks (called task-based controls). Make it easier to maintain controls and restrictions.

Classified documents must be accessible only to

authorized individuals, which usually requires locking file cabinets, safes, or other such protective devices for hard copies and physical systems

An information asset that has a classification designation other than unclassified or public must

be clearly marked as such - with a cover page and headers & footers

Clark-Wilson Integrity Model

built upon principles of change control rather than integrity levels; was designed for the commercial environment

When copies of classified information are no longer valuable or too many copies exist

care should be taken to destroy them properly to discourage dumpster diving

Brewer-Nash Model (Chinese Wall)

commonly known as a Chinese Wall; designed to prevent a conflict of interest between two parties. Requires users to select one of two conflicting sets of data, after which they cannot access the conflicting data.

A system that serves as a reference monitor

compares the level of classification of the data with the clearance of the entity requesting access; it allows access only if the clearance is equal to or higher than the classification

When someone carries a classified report, it should be

concealed, kept in a locked briefcase or portfolio, and in compliance with appropriate policies

The less critical the protected information, the more

controls tend to be decentralized

Harrison-Ruzzo-Ullman (HRU) model

defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the Bell-LaPadula model does not
•Since systems change over time, their protective states need to change
•Built on an access control matrix and includes a set of generic rights and a specific set of commands
•By implementing this set of rights and commands and restricting the commands to a single operation each, it is possible to determine if and when a specific subject can obtain a particular right to an object

The communities of interest accountable for the security of an organization's information assets must

design a working security plan and then implement a management model to execute and maintain that plan
•This may begin with the creation or validation of a security framework, followed by an InfoSec blueprint that describes existing controls and identifies other necessary security controls
•Framework > blueprint

To generate a usable security blueprint, most organizations

draw on established security frameworks, models, and practices. The model you choose must be flexible, scalable, robust, and sufficiently detailed.

U.S. government's three-level classification scheme

for information deemed to be National Security Information (NSI), per Executive Order 13526
•Top Secret - could be expected to cause exceptionally grave damage to the national security
•Secret - could be expected to cause serious damage to the national security
•Confidential - could be expected to cause damage to the national security

aspects of information asset life cycle

from specification to design, acquisition, implementation, use, storage, distribution, backup, recovery, retirement, and destruction

Discretionary Access Controls (DACs)

implemented at the discretion or option of the data user. The ability to share resources in a peer-to-peer configuration allows users to control and possibly provide access to information or resources at their disposal. Users can allow general, unrestricted access, or they can allow specific individuals or sets of individuals to access these resources. Most personal computer operating systems are designed based on this model.

The original purpose of ISO/IEC 27002

offer guidance for the management of InfoSec to individuals responsible for their organization's security programs. The standard was "intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings."

The level of centralization appropriate to a given situation varies by

organization and the type of information protected

simple integrity property

permits a subject to have read access to an object only if the security level of the subject is either lower or equal to the level of the object

Every classified document should also contain the appropriate

security designation in its headers at the top of each page and at the bottom of each page

ISO 27002 is for organizations

that want information about implementing security controls. Not a standard used for certification.

elements of the Clark-Wilson model

•Constrained data item (CDI) - Data item with protected integrity
•Unconstrained data item - Data not controlled by Clark-Wilson; nonvalidated input or any output
•Integrity verification procedure (IVP) - Procedure that scans data and confirms its integrity
•Transformation procedure (TP) - Procedure that only allows changes to a constrained data item. All subjects and objects are labelled with TPs. TPs operate as the intermediate layer between subjects and objects.

eight primitive protection rights

•Create object
•Create subject
•Delete object
•Delete subject
•Read access right
•Grant access right
•Delete access right
•Transfer access right

One of the most widely referenced and often discussed security models is

•Information Technology - Code of Practice for Information Security Management, originally published as British Standard BS 7799, later published as ISO/IEC 17799, then as ISO/IEC 27002

Three approaches to categorize access controls

1. Inherent characteristics - directive, deterrent, preventative, detective, etc.
2. Operational impact - managerial, operational, technical
3. Degree of authority - mandatory, nondiscretionary, or discretionary

storage channels

A TCSEC-defined covert channel that communicates by modifying a stored object, such as in steganography.

Technical

Controls that support the tactical portion of a security program and that have been implemented as reactive mechanisms to deal with the immediate needs of the organization as it responds to the realities of the technical environment

TCSEC Levels of Protection

D: Minimal protection - default evaluation when a product fails to meet any of the other requirements
C: Discretionary protection
B: Mandatory protection
A: Verified protection
(pg. 436)

Detective

Detects or identifies an incident or threat when it occurs

Deterrent

Discourages or deters an incipient incident

Security Target (ST)

Document describing the ToE's security properties

External benchmarking

Involves comparing one's organizational results against other similar organizations

The stated purpose of ISO/IEC 27002, as derived from its ISO/IEC 17799 origins

Offer guidelines and voluntary directions for information security management. Meant to provide a high-level, general description of the areas currently considered important when initiating, implementing, or maintaining information security. Specifically identifies itself as a starting point for developing organization-specific guidance. Not all guidance and controls in it may be applicable. Not intended to give definitive how-tos.

Several countries refused to adopt it, claiming that it had the following fundamental problems

•The global information security community had not defined any justification for a code of practice identified in ISO/IEC 17799
•The standard lacked the measurement precision associated with a technical standard
•There was no reason to believe that ISO/IEC 17799 was more useful than any other approach
•It was not as complete as other frameworks
•The standard was hurriedly prepared given the tremendous impact its adoption could have on industry information security controls

security model

See framework. Standards that are used for reference or comparison and often serve as the stepping-off point for emulation and adoption.

Documents should be destroyed by means of

shredding, burning, or transfer to a service offering authorized document destruction. Policy should ensure that no classified information is inappropriately disposed of in the trash.

One way to determine how closely an organization is complying with ISO 27002 is to use

the SANS SCORE (Security Consensus Operational Readiness Evaluation) Audit Checklist, which is based on 17799:2005

California v. Greenwood

the Supreme Court ruled that there is no expectation of privacy for items thrown away in trash or refuse containers (1998)

The level of authorization may vary depending on

the classification authorizations that individuals possess for each group of information assets or resources

We distinguish between framework, security model, and blueprint predominantly on

the level of detail provided

A framework or security model

the outline of the more thorough and organization-specific blueprint. Forms the basis for the design, selection, and initial and ongoing implementation of all subsequent security controls, including policy, SETA, and technologies. Describes what the end product should look like.

Another way to create a blueprint is to look at

the paths taken by other organizations
•In this kind of benchmarking, you follow the recommended practices or industry standards

capabilities table

the row of attributes associated with a particular subject (such as a user) in lattice-based access control.

The * property

the write property; prohibits a high-level subject from sending messages to a lower-level object

Graham-Denning Access Control Model

three parts: a set of objects, a set of subjects, and a set of rights. Subjects are composed of two things: a process and a domain.

ISO 27000 Series current and planned (Table 8-3, pg. 419)

•27000:2016 Series Overview and Terminology
•27001:2013 InfoSec Mgmt System Specification
•27002:2013 Code of Practice for InfoSec Mgmt
•27003:2017 InfoSec Mgmt Systems Implementation Guidance
•27004:2016 InfoSec Measurements
•27005:2011 ISMS Risk Management
•27006:2015 Requirements for Bodies Providing Audit and Certification of an ISMS
•27007:2011 Guidelines for ISMS Auditing
•27008:2011 Guidelines for InfoSec Auditing
•27010:2015 Guidelines for Inter-sector and Inter-organizational Communications
•27011:2016 Guidelines for Telecomm orgs
•27013:2015 Guideline on the Integrated Implementation of ISO/IEC 20000-1 and ISO/IEC 27001
•27014:2013 InfoSec Governance Framework
•27015:2012 InfoSec Mgmt Guidelines for Financial Services
•27016:2014 InfoSec and Organizational Economics
•27017:2015 Code of practice for InfoSec controls for cloud computing services based on ISO/IEC 27002
•27018:2014 Code of practice for PII protection in public clouds acting as PII processors
•27019:2013 InfoSec Mgmt guidelines for process control systems specific to the energy industry
•27023:2015 Mapping the revised editions of ISO/IEC 27001 and 27002
•27031:2012 Guidelines for information and communication technology readiness for business continuity
•27032:2012 Guidelines for cybersecurity

Clark-Wilson Integrity Model change control principles

•No changes by unauthorized subjects
•No unauthorized changes by authorized subjects
•The maintenance of internal and external consistency

Clark-Wilson Integrity Model controls

•Subject authentication and identification
•Access to objects by means of well-formed transactions
•Execution by subjects on a restricted set of programs

Bell-LaPadula Confidentiality Model

•a state machine reference model that helps ensure the confidentiality of an information system by means of mandatory access controls (MACs), data classification, and security clearances
•Its security rules prevent information from being moved from a level of higher security to a level of lower security
•The principle is "no read up, no write down"

ISO/IEC 27001 provides information on

•how to implement ISO/IEC 27002 and how to set up an information security management system (ISMS)

integrity * property

•permits a subject to have write access to an object only if the security level of the subject is equal to or higher than that of the object

Mandatory Access Control (MAC)

•required, and is structured and coordinated within a data classification scheme that rates each collection of information as well as each user
•These ratings are often referred to as sensitivity levels or classification levels
•Users and data owners have limited control over access to information resources

Biba Integrity Model

•similar to BLP; based on the premise that higher levels of integrity are more worthy of trust than lower levels
•The intent is to provide access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations
•Assigns integrity levels to subjects and objects using the simple integrity property (read) and the integrity (*) property (write)
•Ensures that no information from a subject can be passed on to an object in a higher security level
•This prevents contaminating data of higher integrity with data of lower integrity
•In short, "no write up, no read down"
