Domain 6 Security Architecture and Models

Domain Objective
The objective of this domain is to understand:
- security models in terms of confidentiality, integrity, availability, operations, and government versus commercial requirements
- system models and the different industry standards that apply to them
- the technical platforms that security operates on in terms of hardware, firmware, and software

A-I-C Triad (figure): Availability, Integrity, Confidentiality

Domain Summary
The information for this domain represents 10% of the CISSP exam content. This domain covers security architecture concepts, principles, structures, and standards; the computer and network organizations that work with the security architecture; and some of the common security issues pertaining to security models and system applications.

Information Technology Technical Platforms

Technical platform layers (figure, top to bottom):
- Application Programs
- Utilities
- Operating System
- Computer Hardware

Computer Hardware (SRV Theory 601.1)
Central Processing Unit (CPU) - the control unit, arithmetic and logic unit, and primary storage unit
- Supervisor state - the program can access the entire system
- Problem state - only non-privileged instructions are executed
Memory types
- real - the main storage area; in virtual computer memory, real storage and main storage are identical
- virtual - storage space on a computer used as addressable memory
- random memory - all of the computer's primary working memory

Computer Hardware (SRV Theory 601.1)
- Bus - the internal connection inside the computer between devices, power, and internal circuit boards
- Channels - the path along which data can be sent between main memory and a peripheral device
- Storage - computer memory, disks, or tapes used for holding data during processing

Computer Software (SRV Theory 601.2)
Operating system software has four components:
- process management - controls program execution to make sure that programs share resources
- I/O device management - issues commands to devices that read and write to the system
- memory management - keeps track of which parts of memory are in use or not in use
- system file management - the read, write, and erase functions that the operating system uses to manage files

System Recovery (SRV Theory 601.3)
There are three general operating system failure recovery actions:
- system reboot - the system is shut down in a controlled manner and restarted to free up resources
- emergency system restart - the system is locked and unresponsive; a system maintenance mode is started and the system is recovered with a restart
- system cold start - the system is locked and will not restart; physical intervention is needed to reset the system and load it from bootstrap

Information Security Architecture Framework and Concepts

IT Architecture (SRV Theory 602.2)
Information Technology (IT) architecture is an integrated framework for managing IT and business goals.
- Logical architecture - provides a high-level description of a company's functional requirements for information and system processing
- Technical architecture - defines the specific IT standards and rules that are physically used to implement the logical architecture

Security System Architecture
- Execution domain - OS system area protected from both deliberate tampering and inadvertent modification
- Enforcement of least privilege:
  - processes have no more privilege than needed to perform their functions
  - only modules needing complete system privileges are located in the kernel
  - other modules call on more privileged routines only as needed and for as long as needed

Security System Architecture
- Protection mechanisms:
  - layering - processes are constructed in layers where each layer deals with a specific activity
  - abstraction - establishment of a specific set of permissible values and operations
  - data hiding - a layer in one hierarchy has no access to data in another layer
- Process isolation - ensures multiple processes run concurrently without conflicting with each other
- Resource access control - the process of limiting access to the resources of a system

Security System Architecture (SRV Theory 602.2)
- Token - a specific privilege or capability conferred based on authentication from an electronically coded device
- Capability - a defined representation (i.e. a token) of a resource and the access rights to that resource
- Security labels - a designation assigned to a resource used to identify a security purpose

Open and Closed Systems (SRV Theory 602.4)
Open system - is not a secure system
- system employing standard user interfaces
- user provided with access to total system capability
- system open to spiteful acts
- most computer systems operate in an open environment
Closed system - is a secure system
- system without standard user interfaces
- user limited to a single proprietary language or application
- lacks interoperability with other vendor systems

Objects and Subjects (SRV Theory )
Important concepts to remember for this domain:
- Object - a passive entity that contains or receives information; can be hardware, software, as well as system processes
- Subject - an active entity that causes information to flow among objects; can be a person, process, or device

Access Controls (SRV Theory 602.5)
- Mandatory - restricts access to objects based on the sensitivity of the information and the subject's authorization
  - mandatory access is usually controlled through security labels
  - a subject cannot delegate their access to another
- Discretionary - restricts access to objects based on the subject's identity and need-to-know
  - a subject can delegate their access to another
  - the system has the ability to control information on an individual basis

Reference Monitor (SRV Theory )
- Reference monitor - conceptual access control device that mediates all accesses to objects by subjects; a kernel
  - security kernel - the hardware, firmware, and software elements of a trusted computing base that implement the reference monitor concept
  - Trusted Computing Base (TCB) - all protection mechanisms within a computer system used for enforcing a security policy
- Security perimeter - a boundary in which a reference monitor operates (SRV Theory 602.1)
  - the security kernel, as well as other security-related system functions, are within the (imaginary) boundary of the TCB
  - system elements outside the security perimeter need not be trusted

Architectural Foundation (SRV Theory 602.1)
Elements of computer trustworthiness
- trusted computing base
- enforcement of security policy
- domain separation
  - a domain is the set of objects that a subject can access
  - separation is the mechanism that protects objects in the system
- defined subset - only TCB-controlled subjects can access all objects
- resource isolation - the containment of subjects and objects to assure TCB control is maintained

Architectural Foundation (SRV Theory 602.1)
Elements of computer trustworthiness (continued)
- hardware isolation - TCB separated from untrusted parts of the system
- software isolation - containment of subjects and objects to an application
- software mediation - control of subject access to system resources

Modes of Operation (SRV Theory )
Operation modes are the conditions under which a computer security system functions, based on authorization and data sensitivity:
- Dedicated security mode - all users have access to all data
- System high mode - all personnel have passed clearance and formal access approval but not necessarily the need-to-know for all data
- Partitioned (compartmented) mode - each user with access needs must meet the security criteria for the area
- Multilevel secure (MLS) mode - not all personnel have the same clearance or formal access approval; individuals have multiple levels of clearance to information

Certification and Accreditation (SRV Theory 602.3)
Certification and accreditation are a set of procedures and judgements regarding the suitability of a system to securely operate in its intended environment
- Certification - technical evaluation of system security features for the purpose of accreditation
  - ideally it is an ongoing set of validation processes
  - should be reviewed whenever a major change occurs
- Accreditation - official management decision to operate the system
  - approval of a given operational concept and environment
  - risks formally accepted

Information Security Structures Standards and Models

IETF Security Architecture (SRV Theory 602.6)
IP security architecture (IPSEC) RFC
IP security is designed to provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6
- Not developed as an overall Internet security architecture
- Addresses security at the Internet protocol layer - gateway and firewall systems
- Critically dependent on the security of the environment:
  - operating system security
  - system management
  - random number sources
  - system time variations

IETF Security Architecture (SRV Theory 602.6)
IPSEC protocols for communications security:
- IP Authentication Header (AH)
  - provides connectionless integrity, data origin authentication, and an optional anti-replay service
- Encapsulating Security Payload (ESP)
  - provides confidentiality (encryption) and limited traffic flow confidentiality
  - may provide connectionless integrity, data origin authentication, and an anti-replay service

Security Association (SA)
- All IPSEC implementations must support a security association
- Simplex - a (one-way) connection that affords security services to the IP traffic carried by it
- Security services are afforded by the use of the AH or the ESP protocol, but not both
- A security association is uniquely identified by a triple:
  - security parameter index (SPI), an IP destination address, and a security protocol (AH or ESP)

Security Association (SA)
Security associations may be combined in 2 ways:
- transport adjacency - applying more than one security protocol to the same IP datagram, without invoking tunneling
  - allows for only one level of combination
  - processing is performed at one IPSec instance
- iterated tunneling - application of multiple layers of security protocols
  - allows for multiple levels of security protocol nesting
  - each tunnel can originate or terminate at a different IPSec site along the transmission path

ITSEC Standard (SRV Theory 602.7)
Information Technology Security Evaluation Criteria (ITSEC) - European standard for IT security criteria
Scope - addresses three basic threats, has three functional levels, eight basic security functions, ten functionality classes, eight hierarchical assurance levels, and seven levels of correctness of security mechanisms
- IT product - off-the-shelf hardware or software package
- IT system - designed and built product for specific needs
- the criteria are not a design guide for secure products or systems
- Target of Evaluation (TOE) - refers to the product or system to be evaluated
- closely maps to Orange Book criteria

TCSEC Standard (SRV Theory 602.8)
Trusted Computer System Evaluation Criteria (TCSEC) - US DoD standard for security criteria (Orange Book)
Scope - six fundamental security requirements and four evaluation criteria divisions
- standard has been superseded, no longer in use
- Classes:
  - D - minimal protection, has only one class
  - C - discretionary protection, has two classes
  - B - mandatory protection, has three classes
  - A - verified protection, has only one class

Security Models (SRV Theory )
Bell-LaPadula - information flow security model
- abstract formal treatment of DoD security policy
- uses mathematics and set theory to define the concept of a secure state
- explicitly defines the fundamental modes of access (read, write)
- rules for controlling subjects' access to objects
- information will not flow to an object of lesser classification

Security Models (SRV Theory )
Biba - integrity model in which no subject may depend on a less trusted object, including another subject
- first to address integrity in computer systems
- based on a hierarchical lattice of integrity levels
- elements:
  - set of subjects (active, information processing)
  - set of objects (passive, information repository)
- addresses the first goal of integrity - prevent unauthorized users from making modifications
- mathematical dual of the confidentiality policy

Security Models (SRV Theory )
Clark & Wilson - data integrity model for common commercial activities
- addresses all 3 integrity goals:
  - preventing unauthorized users from making modifications
  - maintaining internal and external consistency
  - preventing authorized users from making improper modifications
- well-formed transaction
  - preserves/ensures internal consistency
  - user can manipulate data only in ways that ensure internal consistency
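The Bell-LaPadula and Biba rules above, together with the security-label and reference-monitor concepts from the earlier slides, worked through in code. This is an added example, not part of the original slides; the level names, compartments and sample labels are constructed, and the lattice is the simple level-plus-compartments ordering.

```python
"""Reference-monitor style mediation of subject/object access under the
Bell-LaPadula (confidentiality) and Biba (integrity) rules. Added example:
the level names, compartments and sample labels below are constructed."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Hierarchical lattice of levels: a higher index is more sensitive (BLP)
# or more trusted (Biba). Compartments model need-to-know categories.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_permits(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula: no read up (simple security property) and no write down
    (*-property), so information never flows to an object of lesser classification."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode {mode!r}")


def biba_permits(subject: Label, obj: Label, mode: str) -> bool:
    """Biba: no read down and no write up, the mathematical dual of BLP, so a
    subject never depends on data from a less trusted object."""
    if mode == "read":
        return obj.dominates(subject)
    if mode == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown access mode {mode!r}")


def reference_monitor(policy: Callable[[Label, Label, str], bool], subject: Label,
                      obj: Label, mode: str, audit: List[Tuple[str, str, str, bool]]) -> bool:
    """Mediate every access through one choke point and record the decision;
    the audit trail is what makes the monitor's decisions verifiable."""
    allowed = policy(subject, obj, mode)
    audit.append((subject.level, obj.level, mode, allowed))
    return allowed


if __name__ == "__main__":
    log: List[Tuple[str, str, str, bool]] = []
    analyst = Label("secret", frozenset({"crypto"}))
    memo = Label("confidential", frozenset({"crypto"}))
    print(reference_monitor(blp_permits, analyst, memo, "read", log))   # True
    print(reference_monitor(blp_permits, analyst, memo, "write", log))  # False: write down
    print(reference_monitor(biba_permits, analyst, memo, "read", log))  # False: read down
```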

Common Flaws (SRV Theory 603)
Security flaws within system architectures and designs:
- Covert channels - a valid communication path misused by a subject to cover an unauthorized transfer of information
- Asynchronous attacks - an attack that exploits the interval between a defensive act and a normal operation in order to gain operational control
  - TOCTOU - time of check vs. time of use - a class of asynchronous attack
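The TOCTOU flaw named above, shown as a check-then-use pattern beside the form that closes the gap by checking the same file descriptor that is then used. This is an added example, not code from the original slides; the file names and the symlink in demo() are constructed in a temporary directory.

```python
"""Time-of-check/time-of-use (TOCTOU) as a check-then-use gap, beside the
fix that binds the check to the file descriptor actually used. Added example;
the files and symlink in demo() are constructed in a temporary directory."""
import os
import stat
import tempfile
from typing import Dict, Optional


def read_vulnerable(path: str) -> Optional[bytes]:
    """Time of check: inspect the path. Time of use: reopen the path.
    Nothing ties the two together, so the path may resolve to a different
    file (a symlink stands in for that here) between the check and the use."""
    if not os.path.isfile(path) or not os.access(path, os.R_OK):
        return None
    with open(path, "rb") as f:          # may now resolve to another file
        return f.read()


def read_hardened(path: str) -> Optional[bytes]:
    """Open exactly once, then validate the descriptor with fstat so the check
    and the use refer to the same inode. O_NOFOLLOW refuses a symbolic link
    at the final path component instead of silently following it."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:                      # symlink, missing, or not readable
        return None
    with os.fdopen(fd, "rb") as f:       # f owns fd and closes it
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            return None                  # not a regular file owned by us
        return f.read()


def demo() -> Dict[str, Optional[bytes]]:
    """Constructed scenario: a regular file plus a symlink that resolves to it.
    The symlink represents the object swapped in between check and use."""
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "config.txt")
        link = os.path.join(d, "link.txt")
        with open(real, "wb") as f:
            f.write(b"setting=1\n")
        os.symlink(real, link)
        return {
            "vulnerable_via_link": read_vulnerable(link),   # b"setting=1\n"
            "hardened_via_link": read_hardened(link),       # None
            "hardened_regular": read_hardened(real),        # b"setting=1\n"
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```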