security
CIA Triad From Data Protection perspective:
Confidentiality ensures that data is protected from unauthorized disclosure. Integrity ensures that data is accurate and reliable. Availability ensures that data is accessible when and where it is needed.
Confidentiality Information confidentiality e.g., encrypting a medical record database and granting access only in the presence of proper authorization Information existence confidentiality e.g., juvenile record
Integrity Must protect against changes to information by unauthorized agents e.g., unauthorized change to a bank balance by a hacker Must protect against changes to information by authorized agents in unauthorized ways e.g, a bank programmer who changes the round() function to transfer funds to an offshore account
Availability Be able to provide information when being attacked. e.g., use redundancy control to ensure that online services are still available even if there is a denial of service attack going on. Be able to provide information after being attacked. E.g. Use data backup controls to ensure that data or information is still available even if the primary data center is compromised.
From Service/Function Perspective Identification: Be able to identify yourself to someone else. E.g. User Name, User ID Authentication: Be able to prove your identify to someone else. E.g. Password, your driver license Authorization: be able to control who can do what action. E.g. Access Control List (ACL), role-based access control Accountability/Nonrepudiation” Be able to track who did what action. E.g. Logs, digital-signed document.
Common Security Terms/Definitions Vulnerability: An absence of a countermeasure or a weakness in a system. Threat: Any potential danger that is associated with the exploitation of a vulnerability. Exposure: An instance of a threat exploiting vulnerability and causing losses. Exploit: A program or a process to make an exposure. Control/Countermeasure/Safeguard: A control or mechanism that reduces the
potential risk. Risk: The evaluation on the severity of an potential exposure. Two factors are usually used for risk evaluation: The probability that a potential exposure can happen. The impact that a potential exposure can cause..
Common Security Control Types and Functionalities Control types: Administrative, technical, and physical Control functionalities: Deterrent Discourage a potential attacker Preventive Stop an incident from occurring Corrective Fix items after an incident has occurred Recovery Restore necessary components to return to normal operations Detective Identify an incident’s activities after it took place Compensating Alternative control that provides similar protection as the original control
Common Approach to Provide Security Fortress Model Original Approach Build a series of defenses Operation Model Modern Approach
Protection = Prevention + (Detection + Response) Prevention = firewalls, access controls, encryption Detection = intrusion detection systems, honeypots, audit logs Response = backups, incident response teams, computer forensics
Know The “Enemy” Vast majority are so-called script kiddies; they do not write attacks or discover new
ones, but leverage existing tools (the latter being very capable) Keeping out script kiddies is feasible for the average organization. Some are script writers; they exploit known vulnerabilities Keeping out script writers is more of a challenge A select few are the elite; they discover new vulnerabilities Zero-Day Vulnerability Many attacks today come from the organized criminal world. In some cases, nation
states are involved as part of information warfare. Fending off attacks sponsored by nation states is in another league
Remember: Not all threats are on the outside; insiders can be more dangerous!
Security Dilemma: A defender must protect against all kind of attacks, known and
unknown An attacker only needs to find one weak spot.No Absolut secure systems! Security issues can come from deficiencies in technology , People management and processes management.
Information Security is about Risk Management
Does it make sense to buy a $1000 safe to protect $100 worth of goods?
Information Security is not about protecting against all potential risks but
about taking proper actions to known risks. Risk Mitigation: Use more or better controls to lower the risk level. (e.g.
replace single factor authentication with 2-factor authentication) Risk Transfer: transfer the risk to other parties. (e.g. Buy insurance) Risk Elimination: Get rid of the risk. (e.g. remove the services that bring the risks) Risk Acceptance: Do nothing, just accept it. (e.g. if the risk is minor impact
to business)
Information Security Domains
(From CISSP – The World’s Premier Cybersecurity Certification)
Security and Risk Management This domain provides a comprehensive overview of the things you need to
know about information systems management. The confidentiality, integrity and availability of information; Security governance principles;
Compliance requirements; Legal and regulatory issues relating to information security; IT policies and procedures; and Risk-based management concepts.
Asset Security This domain addresses general requirements of information security: Data Privacy; Data classification and handling security controls;
Security Architecture and Engineering This domain covers several important information security concepts, including: Engineering processes using secure design principles; Fundamental concepts of security models; Assessing and mitigating vulnerabilities in systems; Cryptography; Designing and implementing physical security.
Communications and Network Security This domain covers the design and protection of an organization’ s networks. Secure design principles for network architecture; Secure network components; Secure communication channels.
Identity and Access Management This domain helps information security professionals understand how to
control the way users can access data. Physical and logical access to assets; The identity and access provisioning lifecycle. Identification and authentication; Authorization mechanisms; Accountability mechanism;
Security Assessment and Testing This domain focuses on the design, performance and analysis of security
testing. It includes: Designing and validating assessment and test strategies; Security testing techniques; Internal and third-party security audits.
Security Operations
This domain addresses the actions/activities related to information security in
an organization operation. Foundational security operations concepts; Logging and monitoring activities; Incident management; Disaster recovery; Business continuity.
Software Development Security This domain addresses security concerns involved in software development. It
covers: Security in the software development life cycle; Security controls in development environments; Secure coding guidelines and standards.
Principle of Complete Mediation All access to objects must be checked to ensure they are allowed. All Access means every single access request.
E.g. a file can be opened, then read a few times, and then write a few times. All access requests should be checked. Good Example: Web applications check each individual web request using session tokens. Failure Example: Earlier UNIX versions check access rights only when a file is opened, but not when it is read after; should a file be open for a long time, and the user lose rights to that file, the system will not enforce the access rights check until the next open.
Principle of Economy of Mechanism Security mechanisms should be as designed as simple & Small as possible. Simple & small designs are easy to understand and easy to analyze, which leads to Fewer chances for error. E.g. we can analyze and prove that a small program is free of problems,
but this task is impossible for even the simplest desktop systems today. (Windows XP consists of at least 40 million lines of code) Failure Example: Windows OS provides hundreds of security-related policies depending on the version of Windows, which makes it hard to understand, hard to analyze, as a result, increasing the likelihood of misconfiguration.
Principle of Fail-secure Defaults By default, no access should be granted in abnormal system states, Access must be granted explicitly. E.g, when there is a fire hazard, the door to restricted area should be locked by Fail-secure default principle; When there is a system error, users should be logoff in exception handling procedures. Fail-Secure Vs. Fail-Safe Unlike Fail-secure, which is concerned about protection of information asset, Fail-Safe is more concerned about people safety. So the door to restricted area should be opened under emergency situations if following fail-safe principle.
Principle of Least Common Mechanism Avoid having multiple subjects sharing the same mechanisms to grant access to a resource. Every shared mechanism represents a potential information path between users and must be designed with great care to be sure it does not unintentionally compromise security. Good Examples: Avoid sharing variables in different processes in programming; Avoid sharing services between super user and regular user; Use sandboxing to isolate processes of different users; Security Vs. Convenience Security and convenience are usually against with each other. Sharing may be preferred by convenience, but usually increase security risks.
Principle of Least Privilege Only the minimum necessary rights should be assigned to a subject that requests access to a resource . Every program and every user of the system should operate using the least set of privileges necessary to complete the job. so that unintentional, unwanted, or improper uses of privilege are less likely to occur. Good Examples: Review user access periodically; Update user access when changing job roles; Remove access that are not used for more than 30-days, etc. Failure Example: Use super user account all the time for everything. (do you always use local admin account on your personal computer?)
Principle of Open Design The security of a mechanism should not depend on the secrecy of its design or implementation. Open design will allow the design to be examined by more domain experts leading to less design errors. Good Example: Industry standard encryption algorithms do not use secret algorithms, but reply on the possession of specific, more easily protected, parameter (keys) to provide security. Failure Example: Some technologies use “security through obscurity” (implementing security within a system by enforcing secrecy and confidentiality of the system’s internal design architecture). E.g. Hiding account passwords in binary files or scripts with the presumption that “nobody will ever find it”
Principle of Psychological Acceptability Security mechanisms should be user-friendly with the best efforts. Beware of the uncooperative users. Security mechanisms will not provide protection if not accepted by users. Good Example: Use user-transparent security mechanisms (e.g. verifying
user machine MAC address) to detect abnormal user access; User-friendly security mechanisms (CAPTCHA) to detect bots. Bad Example: A 25 random-character password requirement will most likely be circumvented in an insecure manner such as sticky notes; Many Users of Windows Vista OS turns off User account control (UAC) because it is annoying behavior.
Principle of Separation of Privilege
More than one authorities should be involved in granting access to critical system operations. More scrutinization, less chances of fraud. Good Example: two people are required to transfer organization funds; one person orders, another writes the cheque. Failure Example: A security administrator is allowed to manage the roles of his own organization account.
Principle of Defense in Depth
Use multiple layers and multiple technologies defensive measures to provide protection. Layering security defenses in an application can reduce the chance of a successful attack. Good Example: computer systems these days are protected by firewall, intrusion detection, anti-malware, incidence response , cryptography, audits controls etc.
Information Security Models
Bell-LaPadula Model Security requirements: Secret information must be prevented from being leaked to unauthorized parties. In the 1970s, the U.S. military used time-sharing mainframe systems and was mostly concerned about leakage of classified information. The Bell-LaPadula model was developed to address these concerns. This model requires both subjects and objects in the system assigned with classification
levels. It incorporates the following rules with respect to the flow of information in a system: The simple security rule: A subject cannot read data located at a higher security level than that possessed by the subject (also called no read up). The *- property rule: A subject cannot write to a lower level than that possessed by the subject (also called no write down or the confinement rule). The strong star property rule (Alternative to the * Rule): A subject can write only at the same level possessed by the subject . Limitations: Only addresses Data confidentiality Do not address data existence confidentiality
Information Security Models
Biba Model Security requirements : no one can mess up the data. The Biba model was developed after the Bell-LaPadula model, but focuses on
information integrity. This model requires both subjects and objects in the system assigned with integrity levels, and has three main rules to provide integrity protection: * (Star) Integrity Rule: A subject cannot write to a higher integrity level than that to which he has access (no write up). Simple integrity Rule: A subject cannot read to a lower integrity level than that to which he has access (no read down). Invocation Rule: A subject cannot invoke (request service) of higher integrity.
Information Security Models
Goals of Integrity Models Prevent unauthorized users from making modifications. Prevent authorized users from making improper modifications.
Maintaining internal and external consistency of data and programs. Does Biba Model address all three goals?
Information Security Models
– Clark-Wilson Model
The Clark-Wilson model was developed after Biba and takes some different approaches to protecting the integrity of information. This model uses the following elements: Users: Active agents Transformation procedures (TPs): Programmed abstract operations, such as read, write, and modify.
Constrained data items (CDIs): data items that can be manipulated only by TPs. Unconstrained data items (UDIs): data items that can be manipulated by users via primitive read and write operations. Integrity verification procedures (IVPs): Check the consistency of CDIs with external reality Clark-Wilson Model address all three Integrity goals, which enforces the three goals of integrity by using well-formed transactions (through access triple subject, software [TP], object) and separation of duties.
Information Security Models
-Chinese Wall Model Security requirements : Conflict of Interest access should be prevented. Unethical actions are not allowed. The Brewer and Nash model, also called the Chinese Wall model, was created to provide access controls that can change dynamically depending upon a user’s previous actions.