Post on 21-Dec-2015
Information Systems Security
Security Architecture
Domain #5
Hardware Components
CPU
– Primary Storage
– Control Unit: coordinates activities during instruction execution; does not process data
– Arithmetic Logic Unit (ALU): performs mathematical functions on data
Memory Types
Primary Memory (RAM/ROM/EPROM/EE)
Real Memory
– Available to users
Cache Memory
– Buffers used to increase performance
– Holds data that is accessed often
Virtual Memory
– Combination of real and secondary storage
Memory Management
Keep track of used memory segments
Assign memory to processes
Manage swapping
Memory protection
Access control
Control virtual memory addressing
Protection Rings
Organize code and components in an operating system into concentric rings
Modern OSs use a 4-ring model
– Ring 0 – highest privilege – kernel
– Ring 1 – remainder of the OS
– Ring 2 – drivers and utilities
– Ring 3 – applications and programs – user mode
Hardware Bus
Data Bus
– Transfers instructions and data
– Width differs by architecture (bus width in bits): EISA – 8/16, MCA – 16/32, VLB – 32, PCI – 32/64, AGP – 32
Processes and Threads
Process
– Applications and users run as processes in the OS
– A process can contain several threads of code
– Threads are individual instruction sets
Threads
Advantages
– Much quicker to create than a process
– Much quicker to switch between threads
– Share data more easily
– Used in browsers and windowing systems
Disadvantages
– No security between threads
– If one user thread blocks, all are blocked
Process States
Stopped – not running
Waiting – waiting for interrupt
Running – being executed by the CPU
Ready – available and waiting for instruction
System Functionality
Multithreading – several threads processing at one time
Multitasking – several processes at one time
Multiprocessing – multiple CPUs available
System Security Modes
Dedicated Security Mode
– All users have clearance and need-to-know to access all information on the system
– Does not require complex methods of controlling access between different levels
Multilevel Security Mode
– All users have clearance but not need-to-know
– Two or more levels of classification
– Data is compartmentalized in containers
Security Modes
Dedicated Mode – single state system; all have need-to-know and clearance
System High Mode – all have need-to-know for ‘some’ material
Compartmented Mode – not all have access to all information
Multilevel Mode – not all have clearance or need-to-know
Levels of System Trust
Processes with higher trust can access more system instructions
CPU architecture dictates the levels of trust available and the rights of access
CPU executes instructions in different states depending upon the process trust level
– User mode – less trusted
– Privileged mode – most trusted
Trusted Computing Base
All mechanisms that provide protection for the system
– Software, firmware, hardware
Made up of processes that execute in privileged mode
Term originated in the Orange Book
System Protection
Reference Monitor
– Access control concept, described as an abstract machine that mediates all accesses
– Controls the relationship between subjects and objects
Security Kernel
– Enforces the reference monitor’s rules
– Physical implementation of the reference monitor
– Part of the TCB concerned with access control
Access Control Models
Provide the rules and structures used to control access and show how decisions are made
Main components are subjects, objects, operations, and their relationships
Goal is to control how objects are accessed and ensure a security principle
– Confidentiality, integrity
Finite State Machine
Execution sequence for each possible state transformation
Mappings for each state change
Does not specify protection mechanisms or means of enforcing the model
If the system comes up in a secure state and shuts down in a secure state, the system is secure
Information Flow
Information must flow securely through the system
– Bell-LaPadula
– Biba
– Clark-Wilson
– Take-Grant
– Access Control Matrix
– Noninterference
Bell-LaPadula
Confidentiality model
Information cannot flow to an object of lesser classification
Mathematical model that uses set theory to define access rights
Maps a subject’s clearance and an object’s classification and creates a relationship
Rules
Subjects cannot read data from an object in a higher security level
– “No Read Up” – simple security property
– “No Write Up” – star property
– “No Write Up and No Read Down” – strong star
Biba
Integrity model
– No subject can depend on an object of lesser integrity
– Based on a hierarchical lattice
– Prevents modification of objects by unauthorized subjects
– Prevents unauthorized modification by authorized users
Rules of Biba
“No Write Up” – integrity axiom – no writing data at a higher integrity level
“No Read Down” – simple axiom – no reading data from a lower integrity level
Disadvantages
– Does not address confidentiality
– Does not address control management nor provide a way to change classification levels
Clark-Wilson
Integrity model
– Model for commercial integrity
– Requires well-formed transactions and separation of duties
– Does not use a lattice approach; partitions objects into programs and data
– Access triple – a subject must go through a program to access and modify data
– Separation of duties with auditing required
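The access triple, well-formed transactions, separation of duties and auditing fit together more clearly in code than in bullets. The example below is added here and is not from the slides: a hypothetical ledger whose balances are the constrained data items, a single transformation procedure (`tp_transfer`) that is the only certified way to change them, an integrity verification procedure (`ivp`) re-run after every TP, and a table of access triples that also drives the separation-of-duties check. All roles, account names and amounts are constructed.

```python
"""Clark-Wilson in miniature: CDIs change only through certified TPs, the IVP
is re-run after every TP, (subject, TP, CDI) access triples are enforced, and
separation of duties is checked before the TP runs.
Added illustration, not from the slides; every name here is hypothetical."""
from dataclasses import dataclass, field


class IntegrityViolation(Exception):
    """Raised when a request would break a Clark-Wilson rule."""


@dataclass
class Ledger:
    # Constrained data items (CDIs): account balances. Constructed sample data.
    balances: dict
    expected_total: int
    audit_log: list = field(default_factory=list)

    def ivp(self) -> bool:
        """Integrity verification procedure: the invariant every valid state satisfies."""
        return (all(v >= 0 for v in self.balances.values())
                and sum(self.balances.values()) == self.expected_total)


def tp_transfer(ledger: Ledger, src: str, dst: str, amount: int) -> None:
    """Transformation procedure: the only well-formed way to move money."""
    if amount <= 0 or src not in ledger.balances or dst not in ledger.balances:
        raise IntegrityViolation("malformed transfer request")
    if ledger.balances[src] < amount:
        raise IntegrityViolation("transfer would overdraw the source account")
    ledger.balances[src] -= amount
    ledger.balances[dst] += amount


# Certified TPs and the access triples (subject, TP, CDI set); hypothetical roles.
TPS = {"transfer": tp_transfer}
TRIPLES = {
    ("teller", "transfer", "balances"),
    ("manager", "transfer", "balances"),
}


def run_tp(ledger: Ledger, subject: str, approver: str, tp_name: str, *args) -> Ledger:
    """Single entry point through which subjects reach CDIs."""
    if tp_name not in TPS:
        raise IntegrityViolation(f"{tp_name} is not a certified TP")
    if (subject, tp_name, "balances") not in TRIPLES:
        raise IntegrityViolation(f"{subject} may not run {tp_name}")
    # Separation of duties: the initiator cannot approve their own transaction,
    # and the approver must themselves be certified for this TP.
    if approver == subject or (approver, tp_name, "balances") not in TRIPLES:
        raise IntegrityViolation(f"{approver} cannot approve {subject}'s {tp_name}")
    snapshot = dict(ledger.balances)
    TPS[tp_name](ledger, *args)
    if not ledger.ivp():          # the TP must leave the CDIs in a valid state
        ledger.balances = snapshot
        raise IntegrityViolation("IVP failed after TP; change rolled back")
    ledger.audit_log.append((subject, approver, tp_name, args))  # auditing is required
    return ledger


def demo() -> Ledger:
    """One valid transfer followed by three requests the model must refuse."""
    ledger = Ledger({"alice": 100, "bob": 50}, expected_total=150)
    run_tp(ledger, "teller", "manager", "transfer", "alice", "bob", 30)
    for bad in [("teller", "teller", "transfer", "alice", "bob", 1),      # no separation of duties
                ("customer", "manager", "transfer", "alice", "bob", 1),   # no access triple
                ("teller", "manager", "transfer", "alice", "bob", 500)]:  # overdraft
        try:
            run_tp(ledger, *bad)
        except IntegrityViolation:
            pass
    return ledger


if __name__ == "__main__":
    result = demo()
    print(result.balances, result.audit_log)
```

The point to notice is that nothing in the model stops a subject who can reach the Python object from assigning to `balances` directly; Clark-Wilson assumes the platform (the security kernel, in the slides' terms) makes `run_tp` the only path to the CDIs, which is why the model partitions objects into programs and data.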
Non-Interference
Based on a theory where users are separated into different domains
An output stream remains unchanged when inputs come from levels that are less dominant
A subject cannot be influenced by the behavior of other subjects at higher security levels
Lattice Based
Every subject and object relationship has a partially ordered set with a lower and upper bound
Rules are set that dictate how information can flow from one class to another
– Confidential can flow to secret but secret cannot flow to confidential
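The lattice, Bell-LaPadula and Biba slides above all rest on one relation, dominance, so a single worked example serves all three. The code below is added here and is not from the slides: labels are a hierarchical level plus a compartment set (a partial order, not a total one, so two labels can be incomparable), `join` and `meet` are the upper and lower bounds the lattice slide mentions, and the Bell-LaPadula and Biba checks are written over that relation. The *-property is implemented as the model's information-flow rule (the object's label must dominate the subject's, so a subject cannot write below its own level), and Biba's axioms as the mirror image for integrity. The level names and compartment names are hypothetical.

```python
"""A label lattice (level x compartment set) with dominance, join and meet,
plus the Bell-LaPadula and Biba read/write checks expressed over it.
Added illustration, not from the slides; level scale and names are hypothetical."""
from dataclasses import dataclass

# Hierarchical levels; a higher number dominates a lower one (hypothetical scale).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Partial order: higher-or-equal level AND a superset of compartments."""
        return self.level >= other.level and self.compartments >= other.compartments


def label(name: str, *compartments: str) -> Label:
    """Build a label from a level name and zero or more compartments."""
    return Label(LEVELS[name], frozenset(compartments))


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both."""
    return Label(max(a.level, b.level), a.compartments | b.compartments)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label both dominate."""
    return Label(min(a.level, b.level), a.compartments & b.compartments)


def can_flow(src: Label, dst: Label) -> bool:
    """Information may only move upward in the lattice (confidential -> secret, never back)."""
    return dst.dominates(src)


# Bell-LaPadula (confidentiality): labels are clearances and classifications.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: a write is a flow from subject to object, so the object
    must dominate the subject (the subject may not write below its level)."""
    return can_flow(subject, obj)


def blp_strong_star(subject: Label, obj: Label) -> bool:
    """Strong *-property: read and write only at exactly the subject's own label."""
    return subject == obj


# Biba (integrity): same lattice, labels are integrity levels, rules invert.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity axiom: no read down (do not depend on lower-integrity data)."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """*-integrity axiom: no write up (do not contaminate higher-integrity data)."""
    return subject.dominates(obj)


if __name__ == "__main__":
    s = label("secret", "crypto")
    print("secret/crypto reads confidential:", blp_can_read(s, label("confidential")))
    print("secret/crypto reads secret/nuclear:", blp_can_read(s, label("secret", "nuclear")))
```

Because the order is partial, a secret/crypto subject can neither read nor write a secret/nuclear object even though the levels match; that is the compartmentalization the security-modes slides describe, and it falls out of `dominates` without any extra rule.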
Access Control
Relational table
Specifies the operations and rights allowed for each subject
Access Control Lists – DACL, trustees
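The reference monitor slide (an abstract machine that mediates all accesses) and the access control matrix slide describe one mechanism from two sides: the matrix holds the policy, the monitor enforces it on every request and records the decision. The example below is added here and is not from the slides; it is a small in-memory monitor whose matrix can be read as ACLs (one object's trustees) or as capability lists (one subject's rights). Subjects, objects and rights are constructed.

```python
"""A reference monitor over an access control matrix: every access request is
mediated, decided from the (subject, object) cell, and logged. The matrix can be
read by column (an object's ACL with its trustees) or by row (a subject's rights).
Added illustration, not from the slides; subjects, objects and rights are hypothetical."""
from collections import defaultdict


class ReferenceMonitor:
    def __init__(self) -> None:
        self.matrix: dict = defaultdict(set)   # (subject, object) -> set of rights
        self.audit: list = []                  # every decision, allowed or denied

    # --- administration of the matrix ---------------------------------------
    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self.matrix[(subject, obj)].update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        self.matrix[(subject, obj)].difference_update(rights)

    def acl(self, obj: str) -> dict:
        """Column view: trustees of one object and their rights (a DACL)."""
        return {s: sorted(r) for (s, o), r in self.matrix.items() if o == obj and r}

    def capabilities(self, subject: str) -> dict:
        """Row view: everything one subject may do."""
        return {o: sorted(r) for (s, o), r in self.matrix.items() if s == subject and r}

    # --- mediation ----------------------------------------------------------
    def check(self, subject: str, op: str, obj: str) -> bool:
        """Decide one request and log it; .get() so a lookup never creates a cell."""
        allowed = op in self.matrix.get((subject, obj), set())
        self.audit.append((subject, op, obj, "ALLOW" if allowed else "DENY"))
        return allowed

    def mediate(self, subject: str, op: str, obj: str, action):
        """Complete mediation: the action runs only if the check passes."""
        if not self.check(subject, op, obj):
            raise PermissionError(f"{subject} may not {op} {obj}")
        return action()


def demo() -> tuple:
    """Grant, revoke, one allowed read and one denied read, all audited."""
    store = {"payroll.db": "salaries...", "readme.txt": "hello"}   # constructed objects
    rm = ReferenceMonitor()
    rm.grant("hr_app", "payroll.db", "read", "write")
    rm.grant("bob", "readme.txt", "read")
    rm.grant("bob", "payroll.db", "read")
    rm.revoke("bob", "payroll.db", "read")          # bob's access was withdrawn
    got = rm.mediate("hr_app", "read", "payroll.db", lambda: store["payroll.db"])
    try:
        rm.mediate("bob", "read", "payroll.db", lambda: store["payroll.db"])
    except PermissionError:
        pass
    return got, rm.acl("payroll.db"), rm.audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two properties of the slides' reference monitor show up directly: the monitor logs the denied request as well as the allowed one (accountability), and the guarded action is passed in as a callable so the data cannot be reached without going through `mediate` (complete mediation).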
Brewer-Nash
Also known as “Chinese Wall”
Mathematical theory used to implement dynamically changing access permissions
Defines a wall and develops a set of rules that ensure no subject accesses objects on the other side
Enforces “no conflict of interest” rules
Allows separation of competitors’ data
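What makes Brewer-Nash different from the lattice models is that the permission set changes with each access: the wall is built from a subject's own history. The example below is added here and is not from the slides; objects belong to a company dataset inside a conflict-of-interest class, a subject's first read of a company walls off every competitor in that class, and writes are allowed only while the subject has read nothing from any other company (the rule that stops data crossing the wall through the subject). Company, class and subject names are constructed.

```python
"""Brewer-Nash (Chinese Wall): permissions change with each access. Objects belong
to a company dataset inside a conflict-of-interest (COI) class; once a subject has
read one company's data, every other company in that class is walled off, and a
write is allowed only while the subject has read nothing from a second company.
Added illustration, not from the slides; all names are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    name: str
    company: str     # company dataset the object belongs to
    coi_class: str   # conflict-of-interest class, e.g. all banks


class ChineseWall:
    def __init__(self) -> None:
        # subject -> set of (coi_class, company) pairs the subject has already accessed
        self.history: dict = defaultdict(set)

    def can_read(self, subject: str, obj: Obj) -> bool:
        """Simple security rule: same company as before, or a COI class not yet touched."""
        return all(not (coi == obj.coi_class and company != obj.company)
                   for coi, company in self.history[subject])

    def read(self, subject: str, obj: Obj) -> str:
        if not self.can_read(subject, obj):
            raise PermissionError(f"{subject} is walled off from {obj.company}")
        self.history[subject].add((obj.coi_class, obj.company))   # the wall moves here
        return obj.name

    def can_write(self, subject: str, obj: Obj) -> bool:
        """*-property: writing into company X is allowed only if everything the
        subject has accessed belongs to X, so nothing can leak across datasets."""
        return self.can_read(subject, obj) and all(
            company == obj.company for _, company in self.history[subject])

    def write(self, subject: str, obj: Obj) -> None:
        if not self.can_write(subject, obj):
            raise PermissionError(
                f"{subject} could leak another company's data into {obj.company}")
        self.history[subject].add((obj.coi_class, obj.company))


def demo() -> dict:
    """One analyst's permissions before and after each access; constructed data."""
    bank_a = Obj("bankA-q3-report", "BankA", "banks")
    bank_b = Obj("bankB-q3-report", "BankB", "banks")
    oil = Obj("oilco-q3-report", "OilCo", "oil")
    wall = ChineseWall()
    wall.read("ann", bank_a)
    result = {
        "ann reads BankA again": wall.can_read("ann", bank_a),
        "ann reads BankB (competitor)": wall.can_read("ann", bank_b),
        "ann reads OilCo (other class)": wall.can_read("ann", oil),
        "ann writes BankA before OilCo": wall.can_write("ann", bank_a),
    }
    wall.read("ann", oil)
    result["ann writes BankA after OilCo"] = wall.can_write("ann", bank_a)
    result["ben reads BankB"] = wall.can_read("ben", bank_b)   # a fresh subject is unrestricted
    return result


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'ALLOW' if allowed else 'DENY'}")
```

The full model also exempts sanitized (public) data from the write rule; that refinement is left out here so the history-driven behaviour stays visible. Note that because the history is per subject, two analysts can each serve a different bank without conflict, which is exactly the "separation of competitors' data" the slide promises.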
Take-Grant
Mathematical framework for granting and revoking access authorization
Analytical tool for auditors to test software security
Rules for how users transfer their permissions to others
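Take-Grant is usually presented as four rewriting rules on a directed graph, and the auditor's use of it is to ask whether some subject could ever acquire a right it should not have. The example below is added here and is not from the slides: a protection graph whose edges carry rights, the remove rule, and the take and grant rules applied to a fixed point so that `can_obtain` answers the reachability question without the create rule. Node names and the right letters are constructed.

```python
"""Take-Grant protection graph: nodes are subjects/objects, directed edges carry
rights. Applying the take and grant rules to a fixed point answers the auditor's
question "can X ever obtain right r on Z?" without running the system.
Added illustration, not from the slides; node names are hypothetical."""
from collections import defaultdict

TAKE, GRANT = "t", "g"   # the two special rights that let rights move


class TakeGrantGraph:
    def __init__(self) -> None:
        self.rights: dict = defaultdict(set)   # (src, dst) -> rights src holds on dst

    def add_edge(self, src: str, dst: str, *rights: str) -> None:
        self.rights[(src, dst)].update(rights)

    def remove(self, src: str, dst: str, *rights: str) -> None:
        """Remove rule: a node drops rights it holds."""
        self.rights[(src, dst)].difference_update(rights)

    def closure(self) -> dict:
        """All rights obtainable by repeatedly applying take and grant (no create)."""
        rights = {edge: set(r) for edge, r in self.rights.items() if r}
        changed = True
        while changed:
            changed = False
            for (x, y), xy in list(rights.items()):
                for (a, z), az in list(rights.items()):
                    if a == y and TAKE in xy and z != x:
                        # take: x holds t on y and y holds az on z  =>  x gains az on z
                        cell = rights.setdefault((x, z), set())
                        if not az <= cell:
                            cell |= az
                            changed = True
                    if a == x and GRANT in xy and z != y:
                        # grant: x holds g on y and x holds az on z  =>  y gains az on z
                        cell = rights.setdefault((y, z), set())
                        if not az <= cell:
                            cell |= az
                            changed = True
        return rights

    def can_obtain(self, x: str, z: str, right: str) -> bool:
        """The audit question: is there any sequence of take/grant steps giving x right on z?"""
        return right in self.closure().get((x, z), set())


if __name__ == "__main__":
    g = TakeGrantGraph()
    g.add_edge("alice", "bob", TAKE)      # alice can take whatever bob holds
    g.add_edge("bob", "file", "r")
    g.add_edge("carol", "dave", GRANT)    # carol can grant her rights to dave
    g.add_edge("carol", "file", "w")
    print("alice can get r on file:", g.can_obtain("alice", "file", "r"))
    print("dave can get w on file:", g.can_obtain("dave", "file", "w"))
```

The closure is monotone and the graph finite, so the loop terminates; the cost is quadratic in the number of edges per pass, which is fine for the auditing use the slide describes but not for an online check. The practical reading of the result is that a `t` or `g` edge is itself a privilege to audit, since it determines how far any later right can propagate.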
Trusted Computer System Evaluation Criteria (TCSEC)
Developed by the National Computer Security Center
Based on the Bell-LaPadula model
Uses a series of evaluation classes
“Orange Book”
Requirements of TCSEC
Security Policy
Marking – labels associated with objects
Identification – individual ID of subjects
Accountability – audit data collected
Assurance – each mechanism evaluated
Continuous protection – mechanisms always protected against unauthorized changes
TCSEC Ratings
A1 – Verified Protection
B3, B2, B1 – Mandatory Protection
C2, C1 – Discretionary Protection
D – Minimal Security
Red Book – Trusted Network Interpretation
Layers of TCSEC
C1 – Discretionary Security Protection
C2 – Controlled Access Protection
B1 – Labeled Security
B2 – Structured Security (covert channels)
B3 – Security Domains (covert timing)
A1 – Verified Protection
Information Technology Security Evaluation Criteria (ITSEC)
Evaluates functionality and assurance separately
– F1 to F10 for functionality
– E0 to E6 for assurance
TCSEC equivalents: E0 = D, F1+E1 = C1, F2+E2 = C2, F3+E3 = B1, etc.
ITSEC
Advantages
– More granular approach
– Goes beyond the Orange Book
Disadvantages
– Increased number of rating combinations
– Still does not provide all the answers
Common Criteria
ISO created in 1993
TCSEC was too rigid
ITSEC added too much complexity
Target of Evaluation (TOE)
Security Target (ST)
EALs – E1 (functionally tested only) to E7 (formally verified, designed, and tested)
Covert Channels
Timing Channels – convey information by altering the performance of a system component in a predictable manner
Storage Channels – convey information by writing data to a common storage area where another process can read it
Level B2 addresses covert channels; Level B3 addresses covert timing channels
Certification and Accreditation
Certification
– 1st phase – comprehensive evaluation of the security features of an IT system
Accreditation
– Management decides that the certification of the system satisfies their needs
Phases: Definition, Verification, Validation, Post-Accreditation
Other Threats
Back Doors
Maintenance Hooks
Asynchronous Attack – TOC/TOU
Race Attacks
Data Validation (Unicode attack)
Buffer Overflow (use input controls)
SYN Flood
Ping of Death
More Attacks
TCP Session Hijacking Web Spoofing DNS Poisoning