ISA3300 chapter 8
Graham-Denning eight primitive protection rights are:
1. Create object 2. Create subject 3. Delete object 4. Delete subject 5. Read access right 6. Grant access right 7. Delete access right 8. Transfer access right
separation of duties
: The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them.
timing channels:
A TCSEC-defined covert channel that communicates by managing the relative timing of events.
storage channels:
A TCSEC-defined covert channel that communicates by modifying a stored object, such as in steganography.
Bell-LaPadula (BLP) confidentiality model:
A confidentiality model or "state machine reference model" that ensures the confidentiality of the modeled system by using MACs, data classification, and security clearances.
D: Minimal Protection
A default evaluation when a product fails to meet any of the other requirements.
security clearance:
A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access.
mandatory access control (MAC):
A required, structured data classification scheme that rates each collection of information as well as each user. These ratings are often referred to as sensitivity or classification levels.
lattice-based access control:
A variation on the MAC form of access control, which assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects such as users and objects.
discretionary access controls (DACs):
Access controls that are implemented at the discretion or option of the data user.
nondiscretionary controls:
Access controls that are implemented by a central authority.
Biba integrity model:
An access control model that is similar to BLP and is based on the premise that higher levels of integrity are more worthy of trust than lower levels.
dumpster diving:
An information attack that involves searching through a target organization's trash and recycling bins for sensitive information.
Information Technology System Evaluation Criteria (ITSEC):
An international set of criteria for evaluating computer systems, very similar to TCSEC. Targets of Evaluation (ToE) are compared to detailed security function specifications, resulting in an assessment of systems functionality and com- prehensive penetration testing.
Common Criteria for Information Technology Security Evaluation:
An international standard (ISO/IEC 15408) for computer security certification that is considered the successor to TCSEC and ITSEC. assures that the specification, implementation, and evaluation of computer security products are performed in a rigorous and standard manner.
Trusted Computer System Evaluation Criteria (TCSEC):
An older DoD system certification and accreditation standard that defines the criteria for assessing the access controls in a computer system. Also known as the rainbow series due to the color coding of the individual documents that made up the criteria.
NIST Special Publications 800-53, Rev. 4 and 800-53A, Rev. 4
Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans" is the functional successor to "SP 800-26: Security Self-Assessment Guide for Information Technology Systems." A companion guide to "SP 800-53, Rev. 4: Security and Privacy Controls for Federal Information Systems and Organizations," it provides a systems developmental life cycle (SDLC) approach to security assessment of information systems
A1: Verified Design—
B3 level certification plus formalized design and verification techniques, among other requirements.
NIST Special Publication 800-12
Computer Security Handbook" is an excellent reference and guide for routine management of InfoSec. it provides for: Accountability • Awareness • Ethics • Multidisciplinary • Proportionality • Integration • Timeliness • Reassessment • Democracy
HRU is built on an access control matrix and includes a set of generic rights and a specific set of commands. These include:
Create subject/create object Enter right X into Delete right X from Destroy subject/destroy object
Products evaluated under TCSEC are assigned one of the following levels of protection:
D: Minimal Protection C: Discretionary Protection C1: Discretionary Security Protection C2: Controlled Access Protection B: Mandatory Protection B1: Labeled Security Protection A: Verified Protection A1: Verified Design Beyond A1
COSO Definitions and Key Concepts
Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations
Confidential (or Sensitive)
Essential and protected information, disclosure of which could severely damage the financial well-being or reputation of the organization
Public
For general public dissemination, such as an advertisement or press release
NIST Special Publication 800-14
Generally Accepted Principles and Practices for Securing Information Technology Systems" describes recommended practices and provides information on commonly accepted InfoSec principles that can direct the secu- rity team in the development of a security blueprint. It also describes the philosophical prin- ciples that the security team should integrate into the entire InfoSec process, expanding on the components of SP 800-12.
NIST Special Publication 800-30, Rev. 1
Guide for Con- ducting Risk Assessments" provides a foundation for the development of an effective risk management program, and it contains both the definitions and the practical guidance neces- sary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations better manage IT-related mission risks.
NIST Special Publication 800-18, Rev. 1
Guide for Developing Security Plans for Federal Information Systems" provides detailed methods for assessing, designing, and implementing controls and plans for applications of various sizes. In addition, this document includes templates for major application security plans. As with any publication of this scope and magnitude, it must be customized to fit the particular needs of the organization.
Beyond A1
Highest possible protection level; reserved only for systems that dem- onstrate self-protection and completeness of the reference monitor, with formal top- level specifications and a verified TCB down to the source code level, among other requirements.
capabilities table:
In a lattice-based access control, the row of attributes associated with a particular subject (such as a user).
blueprint:
In information security, a framework or security model customized to an organization, including implementation details.
framework:AKA security model.
In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies, security education and training programs, and technological controls.
Temporal (Time-Based) Isolation—
In some cases, access to information is limited by a time-of-day constraint. A physical example is a time-release safe, found in most con- venience and fast-food establishments. The safe can only be opened during a specific time frame, even by an authorized user (e.g., the store manager).
For Official (or Internal) Use Only
Not for public release but not particularly sensi- tive, such as internal communications
C1: Discretionary Security Protection
Product includes DAC with standard identi- fication and authentication functions, among other requirements.
B2: Structured Protection— •
Product includes MAC and DAC over all subjects and objects, among other requirements.
B1: Labeled Security Protection
Product includes MAC over some subjects and objects, among other requirements.
C2: Controlled Access Protection
Product includes improved DAC with account- ability and auditability, among other requirements
Constrained User Interfaces—
Some systems are designed specifically to restrict what information an individual user can access. The most common example is the bank automated teller machine (ATM), which restricts authorized users to simple account queries, transfers, deposits, and withdrawals.
least privilege:
The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary. implies a need to know.
B3: Security Domains—
The highest mandatory protection level; meets reference monitory requirements and clear auditability of security events, with automated intrusion detection functions, among other requirements.
need-to-know:
The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks.
covert channels:
Unauthorized or unintended methods of communications hidden inside a computer system.
trusted computing base (TCB):
Under TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.
reference monitor:
Within TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects.
The Information Security Governance Framework
a managerial model provided by an industry working group, National Cyber Security Partnership The framework provides guidance in the development and implementation of an organizational InfoSec governance structure and recommends the responsibilities that various members should have toward an organization, including the following: • Board of Directors/Trustees—Provide strategic oversight regarding InfoSec • Senior Executives—Provide oversight of a comprehensive InfoSec program for the entire organization • Executive Team Members Who Report to a Senior Executive—Oversee the organization's security policies and practices • Senior Managers—Provide InfoSec for the information and information systems that support the operations and assets under their control • All Employees and Users—Maintain security of information and information systems accessible to them
Committee of Sponsoring Organizations (COSO)
a private-sector initiative formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems. helps organizations comply with critical regulations like the Sarbanes-Oxley Act of 2002.
Graham-Denning access control model has three parts:
a set of objects, a set of subjects, and a set of rights. The subjects are composed of two things: a process and a domain. The domain is the set of constraints controlling how subjects may access objects. The set of rights governs how subjects may manipulate the passive objects. This model describes eight primi- tive protection rights, called commands, which subjects can execute to have an effect on other subjects or objects.
Under latticed based access controls, the column of attributes associated with a particular object such a printer is referred to as
access control list
Content-Dependent Access Controls—
access to a specific set of information may be dependent on its content. For example, the marketing department needs access to marketing data, the accounting department needs access to accounting data, and so forth.
Information Technology Infrastructure Library (ITIL)
collection of methods and practices for managing the development and operation of IT infrastructures.
Harrison-Ruzzo-Ullman (HRU) model 8
defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the BLP model does not. Since systems change over time, their protective states need to change.
The Brewer-Nash model, commonly known as a "Chinese Wall," is
designed to prevent a conflict of interest between two parties. requires users to select one of two conflicting sets of data, after which they cannot access the conflict- ing data.
Control Objectives for Information and Related Technology" (COBIT)
provides advice about the implementation of sound controls and control objectives for InfoSec. This docu- ment can be used not only as a planning tool for InfoSec but also as a control model. is the only business framework for the governance and management of enterprise IT. T
Clark-Wilson integrity model,
which is built upon principles of change control rather than integrity levels, was designed for the commercial environment. The change control prin- ciples upon which it operates are: • No changes by unauthorized subjects • No unauthorized changes by authorized subjects • The maintenance of internal and external consistency
The elements of the Clark-Wilson model are:
• Constrained Data Item (CDI)—Data item with protected integrity • Unconstrained Data Item—Data not controlled by Clark-Wilson; nonvalidated input or any output • Integrity Verification Procedure (IVP)—Procedure that scans data and confirms its integrity • Transformation Procedure (TP)—Procedure that only allows changes to a constrained data item
COSO Framework is built on five interrelated components:
• Control Environment—This is the foundation of all internal control components. The environmental factors include integrity, ethical values, management's operating style, delegation of authority systems, and the processes for managing and developing people in the organization. • Risk Assessment—Risk assessment assists in the identification and examination of valid risks to the defined objectives of the organizations. It can also include assessment of risks to information assets. • Control Activities—This includes those policies and procedures that support management directives. These activities occur throughout the organization and include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties. • Information and Communication—This encompasses the delivery of reports— regulatory, financial, and otherwise. Effective communication should also include those made to third parties and other stakeholders. • Monitoring—Continuous or discrete activities to ensure internal control systems are functioning as expected; internal control deficiencies detected during these monitoring activities should be reported upstream, and corrective actions should be taken to ensure continuous improvement of the system.
One approach used to categorize access control methodologies and depicts the controls by their inherent characteristics and classifies each control as one of the following:
• Directive—Employs administrative controls such as policy and training designed to proscribe certain user behavior in the organization • Deterrent—Discourages or deters an incipient incident; an example would be signs that indicate video monitoring • Preventative—Helps an organization avoid an incident; an example would be the requirement for strong authentication in access controls • Detective—Detects or identifies an incident or threat when it occurs—for example, anti-malware software • Corrective—Remedies a circumstance or mitigates damage done during an incident— for example, changes to a firewall to block the reoccurrence of a diagnosed attack • Recovery—Restores operating conditions back to normal—for example, data backup and recovery software • Compensating—Resolves shortcomings, such as requiring the use of encryption for transmission of classified data over unsecured networks
EAL is typically rated on the following scale:
• EAL1: Functionally Tested—Confidence in operation against nonserious threats • EAL2: Structurally Tested—More confidence required but comparable with good busi- ness practices • EAL 3: Methodically Tested and Checked—Moderate level of security assurance • EAL4: Methodically Designed, Tested, and Reviewed—Rigorous level of security assurance but still economically feasible without specialized development • EAL5: Semiformally Designed and Tested—Certification requires specialized develop- ment above standard commercial products • EAL6: Semiformally Verified Design and Tested—Specifically designed security ToE • EAL7: Formally Verified Design and Tested—Developed for extremely high-risk situa- tions or for high-value systems
SP 800-12 also lays out NIST's philosophy on security management by identifying 17 con- trols organized into the three categories
• Management controls • Operational controls • Technical controls
A second approach, described in the NIST Special Publication series, categorizes controls based on their operational impact on the organization:
• Management—Controls that cover security processes designed by strategic planners, integrated into the organization's management practices, and routinely used by security administrators to design, implement, and monitor other control systems • Operational (or Administrative)—Controls that deal with the operational functions of security that have been integrated into the repeatable processes of the organization • Technical—Controls that support the tactical portion of a security program and that have been implemented as reactive mechanisms to deal with the immediate needs of the organization as it responds to the realities of the technical environment
COBIT 5 provides five principles focused on the governance and management of IT in an organization:
• Principle 1: Meeting Stakeholder Needs • Principle 2: Covering the Enterprise End-to-End • Principle 3: Applying a Single, Integrated Framework • Principle 4: Enabling a Holistic Approach • Principle 5: Separating Governance from Management
TCSEC defines two kinds of covert channels:
• Storage channels, which communicate by modifying a stored object—for example, in steganography, • Timing channels, which transmit information by managing the relative timing of events—for example, in a system that places a long pause between packets to signify a 1 and a short pause between packets to signify a 0.
CC terminology includes:
• Target of Evaluation (ToE)—The system being evaluated • Protection Profile (PP)—User-generated specification for security requirements • Security Target (ST)—Document describing the ToE's security properties • Security Functional Requirements (SFRs)—Catalog of a product's security functions • Evaluation Assurance Level (EAL)—The rating or grading of a ToE after evaluation