SECURITY ENGINEERING
Objectives of Domain:
Understand the engineering lifecycle and apply security design principles.
Understand the fundamental concepts of security models.
Select controls and countermeasures based upon systems security standards.
Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements, mobile systems, and embedded devices.
Apply cryptography.
Apply secure principles to site and facility design.
The Engineering Lifecycle Using Security Design Principles
Systems engineering models and processes usually organize themselves around the concept of a lifecycle:
Concept of operations
Requirements
Design
Integration, Test, and Verification
Verification and Validation
Operation and Maintenance
Retirement
Fundamental Principles of Security Models
Common system components:
Processors
Memory and storage
Primary storage
Memory protection
Secondary storage
Virtual memory
Firmware
Peripherals and other I/O devices
Operating system
Security architecture is part of the overall architecture of an information system. It directs how the components included in the system architecture should be organized to ensure that security requirements are met. The security architecture of an information system should include:
A description of the locations in the overall architecture where security measures should be placed.
A description of how the various components of the architecture should interact to ensure security.
The security specifications to be followed when designing and developing the system.
Computer Architecture
It comprises all the parts in a computer system that are necessary for it to function. Such parts include the operating system, memory chips, logic circuits, storage devices, I/O devices, security components, buses, and networking components.
The Central Processing Unit (CPU) – Processes the instructions provided by the various applications/programs. To do this the CPU needs to access such instructions from their memory locations.
The CPU can access the memory locations in its cache, along with memory locations in the random access memory (RAM). These types of memory are called primary memory.
The major components of the CPU:
The Arithmetic Logic Unit (ALU)
Control Unit (coordinates instruction execution)
Registers that act as temporary memory locations and store the memory addresses of the instructions and data that need processing by the CPU.
Computer Architecture
Multiprocessing – more than one CPU
Operating System Architecture
Process Activity
Memory Management
Memory Types – RAM, ROM, etc.
Virtual Memory
CPU Modes & Protection Rings
CPU Modes & Protection Rings
Protection rings provide a security mechanism for an operating system by creating boundaries between the various processes operating on a system; they also ensure that processes do not affect each other or harm critical system components.
Ring 0 – Operating system kernel (supervisor/privileged mode)
Ring 1 – Remaining parts of the operating system (OS)
Ring 2 – Operating system and I/O drivers and OS utilities
Ring 3 – Applications (programs) and user activity
Recognizing access permissions
Let us evaluate the access control mechanism provided by the protection rings:
Suppose a subject is located in ring 3. Which of the ring levels can this subject access?
A subject located in ring 3 can directly access objects in its own ring. Most applications running on a system operate from ring 3, which has the least access to system components. By contrast, a subject in a lower-numbered ring can directly access objects in higher-numbered rings.
Suppose an application located in ring 3 directly sends an instruction to the CPU. What would be the result of this instruction (choose one)?
A. The CPU executes the instruction.
B. The CPU raises an exception error.
C. The operating system uses a system call to handle the instruction.
Answer: B. If an application located in ring 3 sends an instruction directly to the CPU, the CPU raises an exception error!
When an application needs to perform an operation that requires access to the CPU – which is only accessible from ring 0 – the application needs to send a request to the OS. The OS then executes the instruction on behalf of the application by using system calls.
Computer Architecture
Domains
Layering & Data Hiding
Virtual Machines – a virtual machine is a simulated real machine environment created to simultaneously run multiple applications on a computer.
Additional Storage Devices
Input/Output Device Management
System Architecture
Defined Subset of Subjects and Objects
Trusted Computing Base (TCB)
Originated from the Orange Book and deals with the protection mechanisms within a computer. It addresses hardware, software, and firmware.
Security Perimeter
It delineates the trusted and the untrusted components within a computer system.
Reference Monitor
The reference monitor is an abstract machine concept that mediates all access between subjects and objects.
Security Kernel
The security kernel enforces the reference monitor concept. It:
Must facilitate isolation of processes.
Must be invoked at every access attempt.
Must be small enough to be tested and verified in a comprehensive manner.
Security Policy – a set of rules on how resources are managed within a computer system.
Least Privilege – a process has no more privileges than it needs.
Security Models
The function of a security model is to:
Map the abstract goals of security policies to an information system.
Specify mathematical formulae and data structures for implementing security policy goals.
While a security policy states goals without specifying how to accomplish them, a security model specifies a framework to implement these goals.
An organization can use different types of security models. However, it is very important for security personnel to understand the different security models in order to protect the organization's resources.
For example, the security model that a military organization uses is quite different from that of a commercial entity, due to the variations in the types of data.
A security model is formal when it is based on a purely mathematical implementation of security policies and assures high security, for example in military systems, air traffic control systems, etc.
A security model is informal when it merely describes how to express and execute security policies.
Enterprise Security Architecture (ESA)
Implements the building blocks of information security infrastructure across the entire organization. It focuses on a strategic design for a set of security services that can be leveraged by multiple applications, systems, or business processes.
Key goals and objectives of an ESA include:
Long-term view of controls
A unified vision for common security controls
Leverages existing technology investments
Provides a flexible approach to current and future threats
Common Security Services
Boundary control services – firewalls, border routers, etc.
Access control services – authentication, SSO, etc.
Integrity services – antivirus, content filtering, file integrity services, etc.
Cryptographic services – encryption services, PKI, etc.
Audit and monitoring services – log collection and management, analytics (SEIM – Security Event Information Management)
Security Zones of Control
An area or grouping within which a defined set of security policies and measures are applied to achieve a specific level of security.
Ensures that information in a more secure zone does not leak through to a less secure zone.
Zones are tightly controlled with mechanisms such as firewalls, authentication services, proxies, etc.
Common Architecture Frameworks
An architecture framework is a structure that can further be used to develop a broad range of architectures.
It describes a method of designing an integrated set of systems or system components.
It may include a set of recommended standards and operational practices.
Zachman Framework
Developed as a common context for understanding complex architectures.
Allows for the communication and collaboration of all entities in the development of architectures.
It provides a logical structure for integrating the plan, design, and build aspects of an architecture.
CISSP – SECURITY ENGINEERING
ASM EDUCATIONAL CENTER INC. (ASM)
WHERE TRAINING, TECHNOLOGY & SERVICE CONVERGE
WWW.ASMED.COM
PHONE: (301)984-7400
Sherwood Applied Business Security Architecture (SABSA) Framework
A holistic lifecycle for developing a security architecture that considers business requirements.
It creates a chain of traceability through the phases of strategy, concept, design, implementation, and metrics.
The Open Group Architecture Framework (TOGAF)
It is an open framework for organizations to design and build enterprise architectures.
It provides an architecture development method that describes the step-by-step process.
IT Infrastructure Library (ITIL)
Developed by the Central Computer and Telecommunications Agency (CCTA), an agency under the British Government.
ITIL defines the organizational structure and skill requirements and operational procedures with practices that direct IT operations and infrastructure, including security.
What sets ITIL apart is the strong focus on end-to-end service delivery and management.
Types of Security Models
State Machine Model
Multilevel Lattice Model
Non-interference Model
Information Flow Model
Security Models
State Machine Models
The Bell-LaPadula Model
The Biba Model
The Clark-Wilson Model
The Brewer & Nash Model
Take-Grant Model
Access Control Matrix
The Graham-Denning Model
The Information Flow Model
The Non-Interference Model
The Harrison-Ruzzo-Ullman Model
Security Models: State Machine Models
The state of a system is its snapshot at any one particular moment. The state machine model describes subjects, objects, and sequences in a system. The focus of this model is to capture the system's state and ensure its security.
When an object accepts input, the value of the state variable is modified. For a subject to access this object or modify the object's value, the subject should have appropriate access rights.
State transitions refer to activities that alter a system's state.
Confidentiality models: Bell & LaPadula
Developed by David Elliot Bell and Len LaPadula.
This model focuses on data confidentiality and access to classified information.
A formal model developed for the DoD multilevel security policy.
This formal model divides entities in an information system into subjects and objects.
The model is built on the concept of a state machine with different allowable states (i.e. secure states).
Bell & LaPadula Confidentiality Model
Has 3 rules:
Simple Security Property – "no read up": A subject cannot read data from a security level higher than the subject's security level.
* Security Property – "no write down": A subject cannot write data to a security level lower than the subject's security level.
Strong * Property – "no write up and no read down": A subject with read/write privilege can perform read/write functions only at the subject's own security level.
Integrity models (e.g., Biba, Clark and Wilson)
Biba Integrity Model
Developed by Kenneth J. Biba in 1977, based on a set of access control rules designed to ensure data integrity.
No subject can depend on an object of lesser integrity.
Based on a hierarchical lattice of integrity levels.
Authorized users must perform correct and safe procedures to protect data integrity.
Biba Integrity Model – The Rules:
Simple integrity axiom – "no read down" – A subject cannot read data from an object of a lower integrity level.
* Integrity axiom – "no write up" – A subject cannot write data to an object at a higher integrity level.
Invocation property – A subject cannot invoke (call upon) subjects at a higher integrity level.
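The Bell-LaPadula rules (slide 26) and the Biba rules just listed are duals of each other over the same kind of lattice, so one small piece of code can show both. The Python below is an added example, not code from the original slides: a label lattice with a dominance check, the Bell-LaPadula simple security, * and strong * properties, a secure-state check in the state-machine sense, and the three Biba axioms. The level names and the analyst label are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

# Constructed lattice: ordered levels plus need-to-know categories. The same Label type
# serves as a clearance/classification for Bell-LaPadula and as an integrity level for Biba.
UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = range(4)   # BLP sensitivity levels
LOW_INTEGRITY, MEDIUM_INTEGRITY, HIGH_INTEGRITY = range(3)   # Biba integrity levels

@dataclass(frozen=True)
class Label:
    level: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: at least as high a level AND a superset of the categories."""
        return self.level >= other.level and self.categories >= other.categories

# --- Bell-LaPadula (confidentiality): subject label = clearance, object label = classification ---
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property, "no read up": the subject must dominate the object."""
    return subject.dominates(obj)

def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property, "no write down": the object must dominate the subject."""
    return obj.dominates(subject)

def blp_strong_star_ok(subject: Label, obj: Label) -> bool:
    """Strong *-property: read and write only at the subject's own label."""
    return subject == obj

def blp_state_secure(accesses: Iterable[Tuple[Label, Label, str]]) -> bool:
    """State-machine view: a state (the set of current accesses) is secure only if every
    (subject, object, mode) access satisfies the rule for its mode ('r' or 'w')."""
    return all(blp_can_read(s, o) if mode == "r" else blp_can_write(s, o)
               for s, o, mode in accesses)

# --- Biba (integrity): same lattice machinery, rules are the dual of Bell-LaPadula ---
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity axiom, "no read down": the object must be at least as trustworthy."""
    return obj.dominates(subject)

def biba_can_write(subject: Label, obj: Label) -> bool:
    """*-integrity axiom, "no write up": the subject may only write to what it dominates."""
    return subject.dominates(obj)

def biba_can_invoke(subject: Label, other_subject: Label) -> bool:
    """Invocation property: a subject cannot invoke a subject of higher integrity."""
    return subject.dominates(other_subject)

if __name__ == "__main__":
    analyst = Label(SECRET, frozenset({"NUCLEAR"}))              # constructed clearance
    print(blp_can_read(analyst, Label(CONFIDENTIAL)))            # True: reading down is fine
    print(blp_can_write(analyst, Label(CONFIDENTIAL)))           # False: writing down leaks
    print(biba_can_read(Label(HIGH_INTEGRITY), Label(LOW_INTEGRITY)))  # False: no read down
```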
Commercial Models
Integrity models – Clark-Wilson Model
Model Characteristics:
Deals with all three integrity goals
Prevents unauthorized users from making modifications
Prevents authorized users from making improper modifications
Maintains internal and external consistency – reinforces separation of duties
Commercial Models – cont'd
Brewer-Nash Model – a.k.a. Chinese Wall
Developed to combat conflict of interest
Published in 1989 to ensure fair competition
Defines a wall and a set of rules to ensure that no subject accesses objects on the other side of the wall
A way of separating competitors' data within the same integrated database
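What makes Brewer-Nash different from the lattice models is that the wall is built from history: which side a subject may touch depends on what it has already read. The Python below is an added example, not code from the original slides; the company datasets, conflict-of-interest classes and subject names are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, Set

# Constructed data: every object belongs to one company dataset, and datasets that compete
# are grouped into a conflict-of-interest class (the wall runs between datasets in one class).
CONFLICT_CLASSES: Dict[str, Set[str]] = {
    "Banks": {"Bank A", "Bank B"},
    "Oil": {"Oil Co X", "Oil Co Y"},
}
DATASET_OF: Dict[str, str] = {
    "bankA-ledger": "Bank A", "bankB-ledger": "Bank B",
    "oilX-drilling-plan": "Oil Co X", "oilY-drilling-plan": "Oil Co Y",
}

class ChineseWall:
    """Brewer-Nash: a subject's rights depend on the objects it has already accessed."""

    def __init__(self, conflict_classes: Dict[str, Set[str]], dataset_of: Dict[str, str]) -> None:
        self.class_of = {ds: cls for cls, members in conflict_classes.items() for ds in members}
        self.dataset_of = dataset_of
        # Per-subject record of company datasets already read: the state the wall is built from.
        self.history: Dict[str, Set[str]] = defaultdict(set)

    def can_read(self, subject: str, obj: str) -> bool:
        """Simple security rule: allowed unless the subject has already read a *different*
        dataset in the same conflict-of-interest class, i.e. a competitor's data."""
        ds = self.dataset_of[obj]
        return not any(seen != ds and self.class_of[seen] == self.class_of[ds]
                       for seen in self.history[subject])

    def read(self, subject: str, obj: str) -> bool:
        """Mediate a read and, when allowed, record it so later decisions honour the wall."""
        if not self.can_read(subject, obj):
            return False
        self.history[subject].add(self.dataset_of[obj])
        return True

    def can_write(self, subject: str, obj: str) -> bool:
        """*-rule: write only if everything the subject has read belongs to the target object's
        own dataset, so data cannot be copied across the wall through a third object."""
        ds = self.dataset_of[obj]
        return self.can_read(subject, obj) and all(seen == ds for seen in self.history[subject])
```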
Commercial Models
Take-Grant Model
Model Characteristics:
Mathematical framework used for granting and revoking access rights
The take rule allows a subject to take the rights of another subject
The grant rule allows a subject to grant rights to another subject
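Take-Grant is a graph model: rights are edges, and only four rewriting rules (take, grant, create, remove) may change the graph. The Python below is an added example, not code from the original slides; it implements those rules plus a deliberately limited sharing test that follows take edges only (a sufficient condition, not the full can-share decision procedure). The node names and starting graph are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, Optional, Set, Tuple

TAKE, GRANT = "t", "g"   # the two special rights that drive the rewriting rules

class TakeGrantGraph:
    """Protection graph: nodes are subjects/objects; a directed edge x -> y carries the set of
    rights x holds over y. Only the rules below are allowed to rewrite the graph."""

    def __init__(self, edges: Optional[Dict[Tuple[str, str], Set[str]]] = None) -> None:
        self.edges: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
        for key, rights in (edges or {}).items():   # constructed starting graph, if any
            self.edges[key] |= set(rights)

    def rights(self, x: str, y: str) -> FrozenSet[str]:
        return frozenset(self.edges.get((x, y), set()))

    def create(self, x: str, new_node: str, rights: Set[str]) -> None:
        """Create rule: x creates a new node and receives the given rights over it."""
        self.edges[(x, new_node)] |= set(rights)

    def remove(self, x: str, y: str, rights: Set[str]) -> None:
        """Remove rule: x gives up some of its own rights over y."""
        self.edges[(x, y)] -= set(rights)

    def take(self, x: str, y: str, z: str, right: str) -> bool:
        """Take rule: if x has 't' over y and y has `right` over z, x acquires `right` over z."""
        if TAKE in self.rights(x, y) and right in self.rights(y, z):
            self.edges[(x, z)].add(right)
            return True
        return False

    def grant(self, x: str, y: str, z: str, right: str) -> bool:
        """Grant rule: if x has 'g' over y and x has `right` over z, x gives y `right` over z."""
        if GRANT in self.rights(x, y) and right in self.rights(x, z):
            self.edges[(y, z)].add(right)
            return True
        return False

    def can_take_via_chain(self, x: str, z: str, right: str) -> bool:
        """Sufficient (not complete) sharing test: following only 't' edges out of x, is there
        a node that already holds `right` over z? If so, repeated take rules deliver it to x."""
        seen, frontier = set(), [x]
        while frontier:
            node = frontier.pop()
            if right in self.rights(node, z):
                return True
            seen.add(node)
            frontier.extend(y for (a, y), r in list(self.edges.items())
                            if a == node and TAKE in r and y not in seen)
        return False
```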
Commercial Models
Access Control Matrix Model (ACL)
Model Characteristics:
Implemented using an Access Control List
Specifies access rights for each subject as it relates to objects
Two-dimensional matrix representing subjects in rows and objects in columns

Subjects & Objects   Admin Directory   Payroll File   Pay Process
Kwame                Read              Read/Write     None
Dan                  Read              Read           None
Angela               Read              Delete         Execute
Juan                 Read              Read/Write     Execute
Lee                  Read              Update         Delete
Commercial Models
Graham-Denning Model
Model Characteristics:
Defines the commands that a subject can securely execute, such as:
Create and delete an object
Create and delete a subject
Provide read, grant, delete, and transfer access rights
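The access control matrix on slide 32 and the Graham-Denning commands just listed fit together: the matrix is the state, and the commands are the only operations allowed to change it. The Python below is an added example, not code from the original slides. It loads the slide's matrix, derives an object's ACL (column) and a subject's capability list (row) from the same cells, and implements object creation plus grant, transfer and delete of rights with an ownership check; the "Owner" right, the "X*" transferable-right convention and the "Bonus File" used in the checks are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

# Constructed data: the subject/object matrix from the slide (rows = subjects, columns = objects).
SLIDE_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "Kwame":  {"Admin Directory": {"Read"}, "Payroll File": {"Read", "Write"}},
    "Dan":    {"Admin Directory": {"Read"}, "Payroll File": {"Read"}},
    "Angela": {"Admin Directory": {"Read"}, "Payroll File": {"Delete"}, "Pay Process": {"Execute"}},
    "Juan":   {"Admin Directory": {"Read"}, "Payroll File": {"Read", "Write"}, "Pay Process": {"Execute"}},
    "Lee":    {"Admin Directory": {"Read"}, "Payroll File": {"Update"}, "Pay Process": {"Delete"}},
}

class AccessMatrix:
    """Access control matrix: one cell of rights per (subject, object) pair."""

    def __init__(self, table: Optional[Dict[str, Dict[str, Set[str]]]] = None) -> None:
        self.subjects: Set[str] = set()
        self.objects: Set[str] = set()
        self.cells: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
        for subject, row in (table or {}).items():
            self.subjects.add(subject)
            for obj, rights in row.items():
                self.objects.add(obj)
                self.cells[(subject, obj)] |= rights

    def allowed(self, subject: str, obj: str, right: str) -> bool:
        """Reference-monitor check; a transferable right 'X*' also confers 'X'."""
        cell = self.cells.get((subject, obj), set())
        return right in cell or right + "*" in cell

    def acl(self, obj: str) -> Dict[str, Set[str]]:
        """Column view: the object's ACL (which subjects hold which rights on it)."""
        return {s: set(self.cells[(s, obj)]) for s in self.subjects if self.cells.get((s, obj))}

    def capabilities(self, subject: str) -> Dict[str, Set[str]]:
        """Row view: the subject's capability list (what it may do to each object)."""
        return {o: set(self.cells[(subject, o)]) for o in self.objects if self.cells.get((subject, o))}

    # Graham-Denning style commands: each checks the caller's authority before changing the matrix
    # and returns False (deny) instead of changing anything when the caller lacks it.
    def create_object(self, creator: str, obj: str) -> None:
        """The creator becomes Owner; ownership authorises the grant and delete commands below."""
        self.objects.add(obj)
        self.cells[(creator, obj)].add("Owner")

    def grant(self, granter: str, obj: str, grantee: str, right: str) -> bool:
        if not self.allowed(granter, obj, "Owner"):
            return False
        self.cells[(grantee, obj)].add(right)
        return True

    def transfer(self, giver: str, obj: str, receiver: str, right: str) -> bool:
        """A holder of the transferable right 'X*' may pass 'X' on without being the owner."""
        if right + "*" not in self.cells.get((giver, obj), set()):
            return False
        self.cells[(receiver, obj)].add(right)
        return True

    def delete_right(self, deleter: str, obj: str, subject: str, right: str) -> bool:
        if not self.allowed(deleter, obj, "Owner"):
            return False
        self.cells[(subject, obj)].discard(right)
        return True
```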
Information Flow Model
Model Characteristics:
Holds data in distinct compartments
Data is compartmentalized based on classification and the need to know
Model seeks to eliminate covert channels
Model ensures that information always flows from a low security level to a higher security level and from a high integrity level to a low integrity level.
Whatever component directly affects the flow of information must dominate all components involved with the flow of information
Noninterference Model
Model Characteristics:
Model ensures that actions at a higher security level do not interfere with the actions at a lower security level.
The goal of this model is to protect the state of an entity at the lower security level from actions at the higher security level, so that data does not pass through covert or timing channels.
Harrison-Ruzzo-Ullman Model
Model Characteristics:
The Harrison-Ruzzo-Ullman Model is a security model that provides policies for changing access rights and rights for the creation and deletion of subjects and objects. It is generally considered to be one of the more complex security models.
Security Modes of Operation
Dedicated Security Mode – Where all users have a clearance for, and a formal need to know about, all data processed within a system.
System High-Security Mode – Where all users have security clearance to access information but not necessarily a need to know all the information processed on a system.
Compartmented Security Mode – Where all users have security clearance to access all the information processed on a system in a high security mode, but not the need to know or formal access approval.
Multilevel Security Mode – Permits two or more classification levels of information to be processed at the same time when not all users have the clearance or approval to access the information being processed. All users must have the right approval to access what they need to perform their duties.
Trust & Assurance
Trust levels tell a customer how much protection is being offered. This leads to the expectation of assurance that the system will act in a predictable manner.
Capturing & Analyzing Requirements
Functional requirements
Nonfunctional requirements
Creating & Documenting Security Architecture
Requirement capturing is paramount to the architecture and design of every system.
Information Systems Security Evaluation Models
Common formal security methods
Evaluation criteria
Product Evaluation Models
Trusted Computer System Evaluation Criteria (TCSEC)
ITSEC
The Common Criteria
Trusted Computer System Evaluation Criteria (TCSEC)
Developed by the National Computer Security Center (NCSC) for the DoD
Also known as the Orange Book
Based on the Bell-LaPadula model (deals with only confidentiality)
Uses a hierarchically ordered series of evaluation classes
Fundamental Requirements:
Security policy – evaluated to check if it is well-defined and enforced in the system.
Marking/Labels – evaluated to ensure availability of access control for all objects.
Identification – evaluated to check if all individual subjects are uniquely identified.
Accountability – evaluated to check if security audit data is logged and protected.
Life-cycle Assurance – evaluated by separately testing software, hardware, and firmware to ascertain if they implement the security policy.
Continuous protection – evaluated to check if designs support continuous protection.
Documentation – evaluated for completeness; should include user guides, manuals, and test, design, and specification documents.
Trusted Computer System Evaluation Criteria (TCSEC) Ratings:
A1 – Verified Protection
B1, B2, B3 – Mandatory Protection
C1, C2 – Discretionary Protection
D – Minimal Security
Information Technology Security Evaluation Criteria (ITSEC)
Created by some European nations in 1991 as a standard to evaluate security attributes of computer systems
Evaluates functionality and assurance separately
E1 to E6 for assurance
Functional levels F1 to F10 are not strictly required
Information Technology Security Evaluation Criteria (ITSEC): Functionality ratings
F1 to F5 – Map to the TCSEC ratings C1 to A1
F6 – For systems that require high levels of integrity for data and programs
F7 – For systems that require high levels of availability of their functions
F8 – For systems that require high levels of data integrity during communications
F9 – For systems that require high levels of data confidentiality during communications
F10 – For networks that require high levels of data confidentiality and integrity
Information Technology Security Evaluation Criteria (ITSEC): Assurance ratings
E0 – Indicates inadequate assurance; assigned to systems that fail to meet the E1 criteria
E1 – Rating includes functional testing to verify that the TOE meets its security target
E2 – Includes the evaluation of testing evidence, configuration controls, and distribution processes
E3 – Evaluates the source code and hardware drawings of the security mechanisms and also the testing of the mechanisms
E4 – Verifies the availability of a formal model of the security policy. Also verifies semiformal specifications of security mechanisms, architectural design, and detailed design
E5 – Evaluates whether there is close correspondence between the detailed design and the source code or hardware drawings
E6 – Verifies whether the security mechanisms and the architectural design are consistent with the security policy
Information Technology Security Evaluation Criteria (ITSEC) – mapping to TCSEC
ITSEC      TCSEC
E0         D
F1 + E1    C1
F2 + E2    C2
F3 + E3    B1
F4 + E4    B2
F5 + E5    B3
F5 + E6    A1
Common Criteria (CC)
ISO standard created in 1993 for global security evaluation
Made up from TCSEC, ITSEC, and the Canadian version
Components:
Protection Profile – a set of security requirements and objectives for the system
A Protection Profile consists of:
Descriptive elements – contains the name of the profile and the description of the security problem to be solved.
Rationale – justifies the profile and provides a detailed description of the real-world problems that need to be solved.
Functional requirements – establish a protection boundary that the product must provide.
Development assurance requirements – identify the requirements for the various development phases of the product.
Evaluation assurance requirements – establish the type and intensity of the evaluation.
Common Criteria (CC) Ratings
Rated as Evaluation Assurance Level (EAL) 1 through 7:
EAL 1 – Functionally tested
EAL 2 – Structurally tested
EAL 3 – Methodically tested and checked
EAL 4 – Methodically designed, tested, and reviewed
EAL 5 – Semiformally designed and tested
EAL 6 – Semiformally verified design and tested
EAL 7 – Formally verified design and tested
Industry & International Security Implementation Guidelines
ISO/IEC 27001 and 27002 Security Standards
Control Objectives for Information & Related Technology (COBIT)
Payment Card Industry Data Security Standard (PCI-DSS)
GOOD LUCK!