How to Establish Efficient Security Architecture?
An effective system architecture never guarantees the maximum level of security, though it provides a platform on which to implement a security architecture. To securely monitor applications and processes, always put effort into establishing a solid security architecture that covers the following:
Imagine your real life and your interactions with other people: you are always surrounded by a number of people such as friends, coworkers, family members and others. The level of trust you assign varies from relation to relation; you will trust family members more than coworkers or friends. In information security, relations of this sort are recognized as rings, which have a different level of security at each layer. Protection rings have a great impact on the overall security plan, but in reality they are conceptual, as displayed in the following picture.
Let’s define the protection ring layers with reference to the above diagram.
Layer 0 – offers the highest level of security and trust; this is the layer where the OS kernel is placed and runs in privileged mode.
Layer 1 – comprises all non-privileged applications or processes of the OS.
Layer 2 – less secure; contains I/O drivers, utilities and low-level operations.
Layer 3 – this is called user mode, where the end user interacts with the OS to execute applications.
Trusted Computer Base
Whatever protection methods a given system uses, the TCB (trusted computer base) is the combination of all of them and is responsible for implementing the security policy. The TCB is the highly trusted portion of a system that provides integrity and confidentiality for hardware, controls, processes and software. The TCB monitors the following functions in a system:
I/O Operations – because I/O operates on a less trusted layer, it is a security threat to the entire system, so the TCB ensures continuous monitoring of all I/O operations in any system.
Execution Domain Switching – an application running in one domain or ring level often accesses sensitive information from other domains or rings, which needs proper monitoring.
Memory Protection – the CPU accesses memory heavily for its contents, and it is the TCB's responsibility to monitor all such activity.
Process Activation – within a multiprogramming environment, registers, file access lists and process status information are sensitive from a confidentiality point of view. Such activities should therefore be protected at all times.
The TCB always monitors the functions listed above to verify that the system is operating according to the defined security policy. To do this the TCB uses the reference monitor concept, an abstract machine that implements the security plan. It operates between the trusted and untrusted areas of the system by authorizing access between subjects and objects.
- Reference monitor unable to control entire access or bypass
- Reference monitor is closed to modification and therefore can’t be altered
- Reference monitor can be corrected after verification and testing
The following illustration depicts the importance and workings of the reference monitor.
The following are uses of the reference monitor from a design view:
Tokens – transfer security attributes prior to any access request.
Capability Lists – must be faster than tokens, but are not as flexible as tokens.
Security Labels – labels compromise performance and are used by high-security systems.
Every operating system (OS) has a security kernel, which is considered the core of the OS. Whenever an application or user needs to access system resources, the request must be handled by the security kernel. The kernel goes through a verify, test and validate procedure to make it secure. Some processes reside in the security kernel for better performance, which leads to a bigger security kernel with a lot of code. To minimize this burden Windows and Linux rely on size to gain performance. The illustration of the security kernel below refers to the Windows OS.
Open and Closed Systems
Open systems can accept input from other manufacturers by communicating over defined standards and using supported interfaces on computers, whereas closed systems do not accept any input other than proprietary input and are known to be locked. Not only hardware can be open or closed; the same analogy applies to operating systems. For instance, the Android mobile OS is open source whereas Apple iOS is closed source.
Security Modes of Operation
Security modes of operation are defined by the Department of Defense, as listed in the table below, based on the information being processed and the users' authorization clearance.
Dedicated – every user must have access approval and must have executed the relevant agreements for the information stored or processed. This level also enforces system access procedures under which all hardcopies or media must be removed according to the parameters set for the system. All users are able to access all data.
System High – every user must have access approval and must have executed the relevant nondisclosure agreements for the information stored or processed. Access to a required object is assigned by an authorized user and leaves audit trail information such as time, date, user ID, terminal ID and file name. In this mode users access data according to their needs.
Compartmented – the highest level of clearance is required to access data, and users also have to sign nondisclosure agreements. After formal access approval a user can access the required data.
Multilevel – formal access approval and nondisclosure agreements are required before need-to-know access to information. Compulsory access controls restrict access, and sensitivity labels are protected.
Security Modes of Operation
Systems used to store classified or sensitive information must adhere to a security policy to avoid information leakage. This applies especially in government, where information must be protected and is categorized as sensitive, top secret and secret. These tasks can be performed by the administrator or by the system itself.
Single State System – these systems are designed to access one category of information at a time. The administrator is responsible for implementing all procedures and policy on the system, and further restricts users depending on the nature of the business with such systems. These systems are dedicated to one task and are often called dedicated systems.
Multistate Systems – there is no need for an administrator to put restrictions on users based on their data queries. Such systems support multiple logins, where every user has a different level of access to the stored data. This means that if one person logged in to the system can access top secret information, another user logged in to the same system does not have the same access to that information.
No matter how well a system is crafted, there is always a threat of unforeseen circumstances that can lead to a system crash. If the system crashes and sensitive data is lost, it is a solid recovery plan that helps retrieve the lost information quickly.
Fail Safe – in the event of failure all services are disabled and terminated to protect data.
Fail Soft – in the event of failure all noncritical processes are terminated and the system keeps functioning.
Always follow a proactive approach: acting before a system failure is the efficient way to avoid trouble. Regularly back up important data, because recovery gets you to the known state, not the one that occurred the first time. The following are the most common issues for recovery mode:
- Unexpected System Reboot
- Auto System Restart
- System cold start on failure of a component
- System Compromise due to attack
If you want to achieve a high level of system trust, always maintain process isolation. For a system to be certified as multilevel secure, process isolation must be supported by all means. Without it there is no way to stop a process from reaching into another process's memory, corrupting data or making the system unstable. The operating system is responsible for process isolation, and its purpose is to enforce memory boundaries.
To fully secure a system, the operating system should prevent unauthorized users from consuming system resources. This can be done with a virtual machine, where users believe they have full access to the entire system but in reality do not. Process isolation can also be achieved at the hardware level, so isolation can be physical as well as logical.
- The TCB not only enforces the security policy but is also the sum of the system's other protection mechanisms, such as hardware, software and firmware.
- People, processes or devices are subjects.
- Passive entities like processes, hardware or software are objects.
- The term security labels actually refers to MAC-based systems.
After gathering all the necessary information about the system in place, the next step is implementing the exact security plan. It defines which objects and subjects have privileges over certain contents. No matter which model a particular workplace chooses, the purpose remains the same: enforcing integrity, control and confidentiality. The models we are about to discuss are described in a broad perspective, because how they are used depends on the implementer.
State Machine Model
It is based on a finite state machine, as illustrated in the figure below, and is used for relatively complex systems. The state machine model deals with recognizers, acceptors, state variables and translation functions. The finite number of states used in this model keep transitions and actions between these states.
The state machine table below explains it in more detail:
State Machine Table
The job of the state machine model is to monitor system activity and keep the system from slipping into a less secure state. A system using the state machine model should have all its states examined to verify that all processes are controlled. Many security models are based on state machine concepts and tell what state a particular system will fall into.
Information Flow Model
As the name implies, this model controls the flow of information in any direction. The Information Flow Model is in fact an extension of the state machine model and consists of state transitions, a flow policy (lattice) and objects. The ultimate goal is to prevent unauthorized flows of information within the system by using guards.
This model was introduced by Meseguer and Goguen and works on objects and subjects. The purpose of the noninterference model is to restrict interference between objects and subjects at different levels. The noninterference model sets input and output sensitivity to either low or high, and data can’t travel across security boundaries.
Confidentiality of information is a big concern for major organizations, especially government agencies. The Department of Defense (DoD) put forth certain parameters regarding confidentiality that ease the burden of managing data. The DoD allows all data to be categorized at different levels and puts in place different access levels such as classified, sensitive but classified, top secret and secret. The Bell LaPadula model was the first in this regard, addressing all the DoD's concerns about confidentiality.
It is used for confidentiality of information, is enforced by the DoD at multiple levels, and has the following properties:
- A user who has been assigned a level should not read information of other levels. This is called the Simple security property, also known as “no read up”
- A user who has been assigned a level should not write anything to a lower level of confidentiality. This is called the Star * security property, also known as “no write down”
- The Strong star * property does not allow reading or writing objects of higher or lower sensitivity
Integrity is another aspect of information security that is very important for securing data. Government agencies are more concerned about confidentiality of information, but other organizations can be focused on data integrity. Its purpose is to prevent unauthorized users from modifying data, to prevent authorized users from making unauthorized changes, and to keep data consistent both internally and externally. The following are the prime goals of integrity in any system:
- Restricting unauthorized users from modifying data
- Restricting authorized users from making unauthorized changes
- Reflection of real world
- Maintaining internal and external consistency
Clark Wilson and Biba are two models that specifically target integrity in a system.
As described earlier, the Biba model offers integrity; it was originally defined in 1977 with the following properties:
- Under the Simple integrity property, objects are not allowed to read lower integrity objects
- Under the Star * integrity property, objects are not allowed to write to higher integrity objects
- Under the Invocation property, subjects are not allowed to invoke subjects of a higher integrity level
Tibetan Monks and the Biba Model
If you really want to conceptualize the Biba model, suppose you have visited Tibet, where you discovered that the monks are fans of Biba’s model. Now you, as a commoner, should follow certain rules set by the monks.
- A prayer book written by a monk can be read by commoners, but the high priest won’t read it
- A book written by the high priest can be read by a monk, but a monk can’t read a book written by commoners
Apply the above story to the real Biba model whenever you feel uncomfortable with it. It will make your task easier if you study the model in the light of this story.
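The Bell LaPadula and Biba properties listed above can be written as two small rule functions behind a reference monitor. The following is an added example, not part of the original text; the three-step level ordering, the entity names and the monitor class are assumptions made for illustration, and the monk story supplies the Biba test cases.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Illustrative three-step ordering (an assumption of this example): a higher
    # value is more sensitive under Bell LaPadula, more trustworthy under Biba.
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Entity:
    """A subject or an object, carrying one label per model."""
    name: str
    confidentiality: Level = Level.LOW
    integrity: Level = Level.LOW


def bell_lapadula(subject, target, op, strong_star=False):
    """Confidentiality rules for 'read' and 'write'."""
    if op not in ("read", "write"):
        raise ValueError(f"Bell LaPadula has no rule for {op!r}")
    s, t = subject.confidentiality, target.confidentiality
    if strong_star:
        return s == t                 # strong star: own level only
    if op == "read":
        return s >= t                 # simple security: no read up
    return s <= t                     # star property: no write down


def biba(subject, target, op):
    """Integrity rules for 'read', 'write' and 'invoke'."""
    s, t = subject.integrity, target.integrity
    if op == "read":
        return s <= t                 # simple integrity: no read down
    if op in ("write", "invoke"):
        return s >= t                 # star / invocation: nothing above own level
    raise ValueError(f"Biba has no rule for {op!r}")


class ReferenceMonitor:
    """Mediates every request against the configured models and keeps an audit log."""

    def __init__(self, *models):
        self.models = models
        self.audit = []

    def request(self, subject, target, op):
        denied_by = [m.__name__ for m in self.models if not m(subject, target, op)]
        self.audit.append((subject.name, op, target.name, denied_by))
        return not denied_by


# Constructed sample entities: the people and books of the story, labelled by integrity.
COMMONER = Entity("commoner", integrity=Level.LOW)
MONK = Entity("monk", integrity=Level.MEDIUM)
HIGH_PRIEST = Entity("high priest", integrity=Level.HIGH)
COMMONER_BOOK = Entity("commoner's book", integrity=Level.LOW)
MONK_BOOK = Entity("monk's prayer book", integrity=Level.MEDIUM)
PRIEST_BOOK = Entity("high priest's book", integrity=Level.HIGH)

# Constructed sample entities for the confidentiality side.
ANALYST = Entity("analyst", confidentiality=Level.MEDIUM)
PUBLIC_NOTE = Entity("public note", confidentiality=Level.LOW)
SEALED_REPORT = Entity("sealed report", confidentiality=Level.HIGH)


def monk_story():
    """The four reads from the story, decided by a Biba-only monitor."""
    monitor = ReferenceMonitor(biba)
    return {
        "commoner reads monk's book": monitor.request(COMMONER, MONK_BOOK, "read"),
        "high priest reads monk's book": monitor.request(HIGH_PRIEST, MONK_BOOK, "read"),
        "monk reads high priest's book": monitor.request(MONK, PRIEST_BOOK, "read"),
        "monk reads commoner's book": monitor.request(MONK, COMMONER_BOOK, "read"),
    }


if __name__ == "__main__":
    for case, allowed in monk_story().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Note that the two models point in opposite directions: the same read that Bell LaPadula forbids (reading up) is the one Biba permits, which is why the labels are kept separately per entity.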
The Clark Wilson model was published in 1987 and differs from all other existing models because it was meant purely for commercial activities. It uses integrity as its prime goal and focuses on separation of duties, forcing subjects to access data via applications, and mandatory auditing. The Clark Wilson model works with users, transformation procedures (TP), unconstrained data items (UDI), constrained data items (CDI) and integrity verification procedures (IVP).
The Take Grant Model is based on confidentiality and offers the basic operations take, grant, create and revoke. The model allows a subject with take rights to remove similar rights from other subjects. Subjects with grant, create and revoke rights work in the same fashion.
Brewer and Nash Model
The Brewer and Nash Model, also known as the Chinese wall model, is a conflict of interest (COI) prevention model that acts similarly to the Bell LaPadula model. Suppose a firm provides security services to other firms. An employee working in the firm has access to confidential data of other firms, which he or she might use for bad purposes. The Brewer and Nash Model prevents such access to data belonging to other firms.
Apart from the security models stated above, the following are a few that fit different situations across companies:
- The Graham Denning Model offers protection in which every object has an owner and a controller
- The Harrison Ruzzo Ullman Model offers functionality for creating, deleting, accessing or changing subjects and objects
- The Lattice Model allows subjects to access objects if the security level of the subject is equal to or greater than that of the object
- Focus on the Simple Security and Star * Security properties of Bell LaPadula, as they can easily be confused with Biba’s similar properties.
- Reading at a higher level than allowed in the Bell LaPadula model would hurt confidentiality.
- Remember “It’s written in the stars” to memorize the writing property of the Star property in both the Biba and Bell LaPadula models.
- Biba deals with integrity, so remember the ‘i’ in Biba as standing for integrity.
- Writing at a higher level than allowed would hurt integrity in Biba’s model.
- The Clark Wilson Model allows users to modify data, so remember the three key terms Tempered, Logged and Consistent (TLC).
- For the exam, look closely at which of the discussed models are based on integrity and which on confidentiality, and at what distinguishes their properties.
DOCUMENTS AND GUIDELINES
The purpose of the documents and guidelines we are about to discuss is to help evaluate and establish system assurance. As a CISSP candidate you need a level of trust that the system in place will deliver the desired output. They also ensure that a trusted system has undergone enough testing and validation according to standards. When a manufacturer develops something to sell, he has a set of benchmarks for evaluating the abilities and features of the product. Similarly, when a buyer needs to purchase something, he evaluates the product to make sure it stands out. The following guidelines and documents serve the same purpose.
The Rainbow Series
The name Rainbow Series was chosen because each book in the series is denoted by a color. This stack of books was developed by the National Computer Security Center (NCSC), which is part of the National Security Agency (NSA). The series targets the Trusted Product Evaluation Program (TPEP), which tests commercial products for possible security threats.
The Orange Book
The official name of the Orange Book is Trusted Computer System Evaluation Criteria (TCSEC), and it helps evaluate standalone systems. Being based on confidentiality, it is closely related to the Bell LaPadula model. It allows systems to be rated and placed under the following four categories:
A – Verified Protection.
B – Mandatory Security.
C – Discretionary Protection.
D – Minimal Protection.
Not only does the Orange Book have four types of rating in general, but each rating is further classified into four categories, as below:
- A, the highest security division, ensures the system has verified protection and supports all mandatory access control (MAC).
- Under A1, proof of the integrity of the TCB and use of formal methods in the system are necessary. Such a system might not be developed under strict guidelines but must be installed or delivered securely.
- B is mandatory protection; the design must support MAC to get a B rating.
- B1, known as Labeled Security Protection, requires that all subjects and storage objects in the system have proper labeling.
- B2, known as Structured Protection, rates systems that meet the B1 requirements and add labeling of hierarchical devices, trusted path communication between systems and users, and secret storage analysis.
- B3, known as Security Domain, meets the B2 requirements and further requires trusted path access, automatic security analysis and trusted recovery. A B3 system also addresses covert timing vulnerabilities. B3 should be secure both in operation and at startup.
- C is discretionary protection, rating systems that support Discretionary Access Control (DAC).
- C1, known as Discretionary Security Protection, doesn’t require distinction among types of access and individual users.
- C2, known as Controlled Access Protection, meets the C1 requirements and is additionally able to distinguish individual users and types of access. C2 systems should use object reuse protection.
- If a system fails to fall under any of the above categories, it is considered a D-rated system, which means minimal protection.
The Orange Book is no longer in use these days, but the exam might still ask questions about it, so the following table gives a recap from the exam viewpoint.
Orange Book Levels
The Red Book: Trusted Network Interpretation
The official name of the Red Book is Trusted Network Interpretation (TNI); it is responsible for examining network security and associated components. Whereas the Orange Book targets only confidentiality, the Red Book also covers integrity and availability. Furthermore, it scrutinizes the operation of network devices for possible security vulnerabilities. The following are the target areas of the Red Book:
- Provide efficient management and continuity of operations by preventing DoS attacks
- Provide compromise protection through confidentiality of data and traffic as well as selective routing
- Provide nonrepudiation, integrity and authentication of communication
Information Technology Security Evaluation Criteria
To bring the whole of Europe under one set of security guidelines, a European standard known as ITSEC was developed in the 1980s. The goal of these criteria was to evaluate the confidentiality, integrity and availability of a system as a whole. In ITSEC the target system is called the Target of Evaluation (TOE). Evaluation of the system is divided into two parts: one evaluates functionality and the other assurance. There are about 10 classes of functionality (F) and about 7 classes of assurance (E). The following table sums up all the ratings under ITSEC and compares them with TCSEC:
ITSEC Functionality Ratings and Comparison to TCSEC
After this discussion of various information security standards you probably have an idea of how difficult it is to choose the right one. With the same thought in mind, the International Standard Organization (ISO) eventually decided to bring out one common set of criteria that fits every situation, as depicted below:
Back in 1997 ISO-15408, called Common Criteria, was officially released; it incorporates standards such as TCSEC, CTCPEC and ITSEC. It is designed around TCB entities, which include physical and logical controls, startup and recovery, reference mediation and privileged states. Evaluation under Common Criteria is expressed via EALs (Evaluation Assurance Levels). The target system to be evaluated is called the Target of Evaluation (TOE). The following are the 7 levels of assurance:
- Inadequate assurance – EAL 0
- Functionality Tested – EAL 1
- Structurally Tested – EAL 2
- Methodically Checked and Tested – EAL 3
- Semiformally designed and Tested – EAL 5
- Semiformally verified designed and tested – EAL 6
- Formally verified designed and tested – EAL 7
Some more properties of Common Criteria regarding security requirements:
- Functional requirements define the operation of the product or system as well as the system's capabilities
- For evaluation, assurance requirements and specifications are used for the Security Target (ST)
- A protection profile sets forth a description of the system and its controls; a protection profile is further classified into the following 5 sections:
- Evaluation assurance requirements
- Descriptive elements
- Functional requirements
- Development assurance requirements
- There is no need to remember which systems meet an Orange Book rating; rather, the levels of MAC and DAC should be well understood from the CISSP exam perspective.
- For an operating system at the high level of EAL 6, see Integrity 178B by Green Hills Software.
- Common Criteria’s two security requirements and 7 levels of assurance are important exam subjects.
There is always a margin of risk involved, no matter how secure a system architecture is. All security professionals should keep this reality in mind in order to mitigate and resolve security breaches. The documents and guidelines we just discussed deal mainly with assessing risks in a given environment. Once we know the weak areas we are better able to fill the gaps efficiently. Certification and accreditation is the next step towards using a system. Under U.S. law, federal agencies are bound to certify and accredit their IT systems before using them. The following methodologies are used; which one applies largely depends on the agency you are interacting with.
DIACAP (DoD Information Assurance Certification and Accreditation Process) – used to accredit the IT systems of agencies that have DITSCAP (Defense Information Technology Systems Certification and Accreditation Process). DIACAP superseded the DITSCAP already in use within agencies.
NIACAP (National Information Assurance Certification and Accreditation Process) – this certification method was established by the National Security Telecommunications and Information System Security Instruction.
NIST (National Institute of Standards and Technology) 800-37 – this certification method is used mostly by government and civilian organizations.
The above methodologies help achieve a level of trust by auditing the whole system for any loophole left in implementation, configuration and operations, against the set policies and procedures.
Certification and Accreditation
The certification process involves:
- Validating that the already configured system operates as expected
- Verifying that the system is able to communicate with other systems in a secure manner
- The certification process can be carried out by a dedicated security team or a staff member
- Highlighting vulnerabilities that exist in the implementation of the system
- Reporting findings to upper management for approval
Once formal approval is given, the process is called accreditation:
- Formal issuance that the system is certified and approved
- If changes need to be made, the system will be reconfigured
- If other changes are required in the system, the whole certification and accreditation process will be repeated
- The entire process must be repeated according to the defined rules and regulations
Governance and Enterprise Architecture
Governance of information security does not depend purely on certification and accreditation but focuses more on the integrity, availability and confidentiality of information. In this age of advancement, companies' business grows beyond one geographic location, and the internet gives the same company a global presence at multiple locations. Attacks can originate not only within the system; outside forces may also act to disrupt its working.
An Enterprise Architecture (EA) plan is a technique that improves security and governance within a system. EA involves organizing and documenting all of a company’s IT appliances in order to improve management, expansion and planning. The purpose of implementing EA is to confirm that business strategy and IT investment are aligned. EA provides traceability from the highest-level business strategy down to the fundamental technologies. The first version of EA was established back in 1980; the Zachman model in the same series was designed for structuring the policy of information systems and focuses on How, Why, When, What, Where and Who, as described in the figure below.
Under federal law, government agencies are required to set up EAs. In this regard they should adhere to the Federal Enterprise Architecture (FEA) model to smooth their governance. The following five models are used to implement FEA:
Performance reference model – measures key IT investments for their performance.
Business reference model – helps build an organized hierarchical model of daily business operations.
Service component reference model – supports business or performance objectives with the help of service components.
Technical reference model – defines standards, specifications and technologies for effective delivery of component services and capabilities.
Data reference model – defines standards for describing, categorizing and sharing data.
Sherwood Applied Business Security Architecture (SABSA), which was integrated with the Zachman framework, offers risk-driven information security at the enterprise level. Like the Zachman framework, it also asks why, who, where and how.
In England a dedicated British Standard (BS) 7799 was established to calculate risk. As this document targets a wide audience of both businesses and organizations, it later evolved into ISO 17799, which eventually became the ISO 27005 standard.
ISO 17799 is designed for individuals who initiate, implement or maintain information security systems. The goal of this standard is to achieve integrity, availability and confidentiality. It is known as guidance for information security management and is divided into 12 main sections:
- Risk assessment and treatment
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance
- Information security incident management
- Business continuity management
The ISO 27000 standards include the following:
27001 – Requirements gathering of ISMS (information security management system).
- Follow Plan-Do-Check-Act Model
27002 – Development of a security program in an organization; this model is based on BS7799.
27003 – Focus on implementation.
27004 – Ensures effectiveness of information security program.
27005 – Ensures risk management.
The last thing you must know is the Information Technology Infrastructure Library (ITIL). It ensures identification, planning, delivery and support of IT services in a business. The ITIL service lifecycle includes the following:
- Continual service improvement
- Service strategy
- Service design
- Service transition
- Service operation
If you look closely, all security procedures are based on layers; the more you learn in the way discussed in this section, the more secure the system you will form.
- Remember that certification is a validation process, whereas management approval of that certification is called accreditation.
SECURITY ARCHITECTURE THREATS
This chapter, like the others, focuses on reviewing possible threats and vulnerabilities that security professionals might find in any system. As risk is always present, proper implementation of practices and procedures helps remove such anomalies. To make you aware of these threats, effective protection mechanisms are discussed in this chapter.
A buffer is temporary storage that code uses to hold some sort of data. If more data is fed to a particular buffer than its capacity allows, the result is an overflow that might corrupt other buffers. In that case an attacker can inject their own code to infiltrate the system. The following is an example of a buffer overflow:
Threats from buffer overflows should be mitigated by continuous monitoring of the input passed to a program. Proper training of coders and applying all buffer overflow defenses before use are imperative. Defenses include code reviews, use of safe programming languages, applying patches and installing updates.
Back doors are a concept in software development, often referred to as maintenance hooks. Sometimes developers want to access part of the software without executing the whole code, and forget to close these back doors when applying the finishing touches. These back doors can be used by hackers to bypass all security controls and access the system.
This attack targets timing: it happens between the time of check (TOC) and the time of use (TOU). Such attacks are also called race conditions, because the attacker rushes to make changes before the system uses the data. Suppose a data file is created to hold client information, such as how much the client owes. If an attacker changes this value before the program reads it, the effect could be immense.
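The client-balance scenario above, as an added example that is not part of the original text: a check-then-use routine that looks the file up twice, beside a version that opens it once and checks and uses the same bytes. The file name, the credit limit and the `window` hook, which stands in for whatever happens to the file between check and use, are assumptions made for illustration.

```python
import os
import stat
import tempfile

CREDIT_LIMIT = 1000  # constructed business rule: never bill more than this


def bill_vulnerable(path, window=lambda: None):
    """Check the amount, then read the file again by name to use it."""
    with open(path) as handle:                 # time of check
        if int(handle.read()) > CREDIT_LIMIT:
            raise ValueError("amount over limit")
    window()                                   # anything may happen to `path` here
    with open(path) as handle:                 # time of use: a second lookup by name
        return int(handle.read())


def bill_hardened(path, window=lambda: None):
    """Open once, then check and use the same bytes from the same descriptor."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)   # refuse a symlink at `path`
    with os.fdopen(os.open(path, flags), "r") as handle:
        # Validate the object actually opened, not whatever the name points to later.
        if not stat.S_ISREG(os.fstat(handle.fileno()).st_mode):
            raise ValueError("not a regular file")
        snapshot = handle.read()
    window()                                   # later changes to `path` no longer matter
    amount = int(snapshot)
    if amount > CREDIT_LIMIT:
        raise ValueError("amount over limit")
    return amount


def demo():
    """Run both routines while the file is replaced between check and use."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "client_owes.txt")

        def reset():
            with open(path, "w") as handle:
                handle.write("250")

        def swap():
            # Constructed stand-in for the concurrent change described in the text.
            replacement = path + ".new"
            with open(replacement, "w") as handle:
                handle.write("999999")
            os.replace(replacement, path)

        reset()
        vulnerable = bill_vulnerable(path, window=swap)   # checked 250, used 999999
        reset()
        hardened = bill_hardened(path, window=swap)       # checked 250, used 250
        return vulnerable, hardened


if __name__ == "__main__":
    print(demo())
```

The hardened routine guarantees only that the value checked is the value used; where several processes update the same file, file locking or write-then-rename updates are still needed.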
Moving information in a way it was not supposed to be moved is called a covert channel. It is a favorite route for attackers because the request can’t be denied, since it uses traffic you permit. This term was first used in the TCSEC documentation for the transfer of information from a higher classification to a lower classification. The following are the two main types of covert channels:
- Covert timing channel attacks
- Covert storage channel attacks
Suppose the company you are working with allows inbound and outbound ping (ICMP) traffic on its network. An attacker might plant the Loki program on that network, which uses the payload portion of ping packets to move data. In this case the network administrator sees only what looks like normal, unaltered ping traffic, while the attacker is in fact secretly stealing company data.
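One way to look inside permitted ping traffic for this kind of storage channel, as an added example that is not part of the original text: parse each ICMP echo message, verify its checksum, and flag payloads that are outside a baseline, oversized, or not echoed back unchanged. The baseline set, the size limit and the sample packets are assumptions constructed for illustration; the input is the ICMP message with the IP header already stripped.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte default payload of Windows ping
# Payloads that sanctioned tools on this network send (an assumption of this
# example; build the real set from your own hosts).
BASELINE_PAYLOADS = {WINDOWS_PING}
MAX_PAYLOAD = 64   # assumed site policy for echo payload size


def checksum(data):
    """Internet checksum (RFC 1071) over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Build an ICMP echo message (used only to construct the sample below)."""
    body = struct.pack("!HH", ident, seq) + payload
    csum = checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body


def parse_echo(packet):
    """Return (type, identifier, sequence, payload) or raise ValueError."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    if checksum(packet) != 0:          # a valid message sums to zero
        raise ValueError("bad checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]


def analyze(packets):
    """Return (packet index, finding) pairs for echo traffic that looks unusual."""
    findings, requests = [], {}
    for index, raw in enumerate(packets):
        try:
            icmp_type, ident, seq, payload = parse_echo(raw)
        except ValueError as exc:
            findings.append((index, f"malformed: {exc}"))
            continue
        if icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
            continue
        if len(payload) > MAX_PAYLOAD:
            findings.append((index, "oversized payload"))
        if payload not in BASELINE_PAYLOADS:
            findings.append((index, "payload not in baseline"))
        if icmp_type == ECHO_REQUEST:
            requests[(ident, seq)] = payload
        elif (ident, seq) not in requests:
            findings.append((index, "reply without matching request"))
        elif requests[(ident, seq)] != payload:
            # A genuine echo reply returns the request payload unchanged.
            findings.append((index, "reply payload differs from request"))
    return findings


# Constructed sample capture: one ordinary ping exchange, one exchange carrying
# arbitrary data in both directions, and one unsolicited reply.
SAMPLE = [
    build_echo(ECHO_REQUEST, 1, 1, WINDOWS_PING),
    build_echo(ECHO_REPLY, 1, 1, WINDOWS_PING),
    build_echo(ECHO_REQUEST, 7, 1, b"CONSTRUCTED-SAMPLE-CHUNK-01"),
    build_echo(ECHO_REPLY, 7, 1, b"CONSTRUCTED-SAMPLE-ACK"),
    build_echo(ECHO_REPLY, 9, 5, WINDOWS_PING),
]

if __name__ == "__main__":
    for index, finding in analyze(SAMPLE):
        print(f"packet {index}: {finding}")
```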
During incremental attacks the attacker changes data slowly over time, making small changes over a long period in the hope of remaining undetected. The two major incremental attacks are Data Diddling and the Salami Attack. In the first, the attacker has full access to the system to make changes in files or data. The second works like Data Diddling but focuses mainly on financial records.
- For the CISSP exam make sure you have a clear understanding of covert channel attacks
- You should expect to see the attacks discussed here in the real exam; they are actual exam items