What Security Gives Us

Confidentiality
• Probably what you think of with “security”. Prevents someone from
reading your messages.
Integrity
• Data protected by unauthorized modifications.

• We can have integrity without confidentiality.

Authentication
• Verifying someone’s (or something’s) identity

• We can have authentication without confidentiality or integrity.

Secure Transmission

Transmitting Over an Insecure Channel

• If two parties agree on a secret key, they can send messages to one another on a
medium that can be tapped, without worrying about eavesdroppers.

Secure Storage on Insecure Media

• Information can by encrypted using the key, then it can be stored anywhere and
remain safe so long as the key is not forgotten. Forgetting the key makes the data
irrevocably lost.
Availability
• System should remain available for user.

Unhackable server (not plugged in).

Cryptography isn’t concerned with availability,

but often a critical part of overall security.
Non-repudiation
• Cannot deny later having sent messages that you sent.

• Often a complex question – can you claim someone stole the secret
key you use?

See – everyone who claims their Twitter account was “hacked” after
posting something…
Security in Network
Architectures
INWK6115
Principles of Security Models, Design, and Capabilities

• A. Implement and manage engineering processes using secure design

principles
• B. Understand the fundamental concepts of security models
• C. Select controls and countermeasures based upon systems security
evaluation models
• D. Understand security capabilities of information systems
• E. Assess and mitigate the vulnerabilities of security architectures,
designs, and solution elements
Implement and manage
engineering processes using
secure design principles

10
Objects and Subjects

• Controlling access to any resource in a secure system involves two

entities.
• Subject is the user or process that makes a request to access a
resource.
• Object is the resource a user or process wants to access.
• The same resource can serve as a subject and an object in different
access requests.

11
Closed and Open Systems

• Closed system is designed to work well with a narrow range of other

systems, generally all from the same manufacturer.
• Open systems, on the other hand, are designed using agreed-upon
industry standards.
• Open systems are much easier to integrate with systems from
different manufacturers that support the same standards.
• Closed systems are harder to integrate with unlike systems, but they
can be more secure.
Techniques for Ensuring Confidentiality, Integrity,
and Availability
• Confinement
• Software designers use process confinement to restrict the actions of a program.
• Process confinement allows a process to read from and write to only certain memory
locations and resources.
• This is also known as sandboxing.
• Bounds
• The bounds of a process consist of limits set on the memory addresses and resources
it can access.
• The bounds state the area within which a process is confined or contained
• Isolation
• When a process is confined through enforcing access bounds, that process runs in
isolation.
• Isolation is an essential component of a stable operating system.
Controls

• A control uses access rules to limit the access of a subject to an object.

• There are both mandatory and discretionary access controls, often called MAC and
DAC, respectively.

• With mandatory controls, static attributes of the subject and the object are
considered to determine the permissibility of an access.

• Discretionary controls differ from mandatory controls in that the subject has some
ability to define the objects to access.

• Both mandatory and discretionary access controls limit the access to objects by
subjects.
Trust and Assurance

• Trusted system is one in which all protection mechanisms work together

to process sensitive data for many types of users while maintaining a
stable and secure computing environment.

• Assurance is simply defined as the degree of confidence in satisfaction

of security needs.
• Assurance must be continually maintained, updated, and reverified.
• Assurance varies from one system to another and must be
established on individual systems.
Understand the Fundamental
Concepts of Security Models

INWK6111 - Security 16
Tokens, Capabilities, and Labels

• A security token is a separate object that is associated with a resource

and describes its security attributes.

• A capabilities list maintains a row of security attributes for each

controlled object.

• Security label is generally a permanent part of the object to which it’s

attached.
Security Models
• Trusted computing base
• State machine model
• Information flow model
• Noninterference model
• Take-Grant model
• Access control matrix
• Bell-LaPadula model
• Biba model
• Clark-Wilson model
• Brewer and Nash model (also known as Chinese Wall)
• Goguen-Meseguer model
• Sutherland model
• Graham-Denning model
 Trusted Computing Base
• TCB is a combination of hardware, software, and
controls that work together to form a trusted base
to enforce your security policy.

• Security Perimeter is an imaginary boundary that

separates the TCB from the rest of the system

• Reference Monitors validates access to every

resource prior to granting access requests.

• Kernels is the collection of components in the

TCB that work together to implement reference
monitor function.
State Machine Model

• The state machine model describes a system that is always secure no

matter what state it is in.

• It’s based on the computer science definition of a finite state machine

(FSM).

• According to the state machine model, a state is a snapshot of a system

at a specific moment in time.

• If all aspects of a state meet the requirements of the security policy, that
state is considered secure.
Information Flow Model

• The information flow model focuses on the flow of information.

• Information flow models are based on a state machine model.

• Information flow models are designed to prevent unauthorized,

insecure, or restricted information flow, often between different levels
of security.
Noninterference Model

• The noninterference model is loosely based on the information flow

model.

• The noninterference model is concerned with how the actions of a

subject at a higher security level affect the system state or the actions of
a subject at a lower security level.

• The noninterference model can be imposed to provide a form of

protection against damage caused by malicious programs such as Trojan
horses.
 Take-Grant Model
• The Take-Grant model employs a
directed graph to dictate how
rights can be passed from one
subject to another or from a
subject to an object.

• The key to this model is that

using these rules allows you to
figure out when rights in the
system can change and where
leakage can occur.
Access Control Matrix

• Access control matrix is a table of subjects and objects that indicates the
actions or functions that each subject can perform on each object.

• Each column of the matrix is an access control list (ACL).

• Each row of the matrix is a capabilities list.

• An ACL is tied to the object; it lists valid actions each subject can perform.

• A capability list is tied to the subject; it lists valid actions that can be taken on
each object.
 Bell-LaPadula Model
• Developed the Bell-LaPadula model in the 1970s to address concerns
about protecting classified information.
• The multilevel security policy states that a subject with any level of
clearance can access resources at or below its clearance level.
• By design, the Bell-LaPadula model prevents the leaking or transfer of
classified information to less secure clearance levels.
• The Bell-LaPadula properties are in place to protect data
confidentiality.
 Biba Model
• Biba model addresses integrity.
• The Biba model is also built on a state machine concept, is based on
information flow, and is a multilevel model.
• Biba was designed to address three integrity issues:
• Prevent modification of objects by unauthorized subjects.
• Prevent unauthorized modification of objects by authorized subjects.
• Protect internal and external object consistency.
Clark-Wilson Model
• The Clark-Wilson model uses a multifaceted approach to enforcing data
integrity.
• Instead of defining a formal state machine, the Clark-Wilson model
defines each data item and allows modifications through only a small set
of programs.
• It uses a three-part relationship of subject/program/object (or
subject/transaction/object) known as a triple or an access control triple.
• Subjects do not have direct access to objects. Objects can be accessed
only through programs.
Brewer and Nash Model (aka Chinese Wall)

• This model was created to permit access controls to change dynamically

based on a user’s previous activity (making it a kind of state machine
model as well).

• This model also uses the principle of data isolation within each conflict
class to keep users out of potential conflict-of-interest situations.

• Because company relationships change all the time, dynamic updates to

members of and definitions for conflict classes are important.
Sutherland Model

• The Sutherland model is an integrity model. It focuses on preventing

interference in support of integrity.

• It is formally based on the state machine model and the information

flow model.

• The model is based on the idea of defining a set of system states, initial
states, and state transitions. Through the use of only these
predetermined secure states, integrity is maintained and interference is
prohibited.
Graham-Denning Model
• The Graham-Denning model is focused on the secure creation and
deletion of both subjects and objects.

• Graham-Denning is a collection of eight primary protection rules or

actions that define the boundaries of certain secure actions:
• Securely create an object.
• Securely create a subject.
• Securely delete an object.
• Securely delete a subject.
• Securely provide the read access right.
• Securely provide the grant access right.
• Securely provide the delete access right.
• Securely provide the transfer access right.
Select Controls and Countermeasures
Based on Systems
Security Evaluation Models

INWK6111 - Security 32
 Rainbow Series
• The first such set of standards resulted in the creation of the Trusted Computer
System Evaluation Criteria (TCSEC) in the 1980s, as the US Department of Defense
(DoD) worked to develop and impose security standards for the systems it purchased
and used.

• Since these publications were routinely identified by the color of their covers, they
are known collectively as the rainbow series.

• Following in the DoD’s footsteps, other governments or standards bodies created

computer security standards that built and improved on the rainbow series
elements.

• Significant standards in this group include a European model called the Information
Technology Security Evaluation Criteria (ITSEC), which was developed in 1990 and
used through 1998.
TCSEC Classes and Required Assurance and Functionality
• TCSEC combines the functionality and
assurance rating of the confidentiality
protection offered by a system into four
major categories.

• Category A Verified protection. The

highest level of security.
• Category B Mandatory protection.
• Category C Discretionary protection.
• Category D Minimal protection.
Reserved for systems that have been
evaluated but do not meet requirements
to belong to any other category.
Other Colors
• Red Book was developed to interpret the TCSEC in a networking context.
In fact, the official title of the Red Book is Trusted Network
Interpretation of the TCSEC so it could be considered an interpretation
of the Orange Book with a bent on networking.

• The Green Book, or the Department of Defense Password Management

Guidelines, provides password creation and management guidelines; it’s
important for those who configure and manage trusted systems.
ITSEC Classes and Required Assurance and Functionality

• The ITSEC represents an initial attempt to create security evaluation

criteria in Europe.

• It was developed as an alternative to the TCSEC guidelines. The ITSEC

guidelines evaluate the functionality and assurance of a system using
separate ratings for each category.

• ITSEC refers to any system being evaluated as a target of evaluation

(TOE). All ratings are expressed as TOE ratings in two categories. ITSEC
uses two scales to rate functionality and assurance.
Common Criteria
• The Common Criteria represents a more or less global effort that
involves everybody who worked on TCSEC and ITSEC as well as other
global players.

• Recognition of Common Criteria

• Structure of the Common Criteria

Industry and International Security
Implementation Guidelines
• In addition to overall security access models, such as Common Criteria, there
are many other more specific or focused security standards for various
aspects of storage, communication, transactions, and the like.

• Two of these standards you should be familiar with are Payment Card
Industry–Data Security Standard (PCI-DSS) and International Organization for
Standardization (ISO).

• PCI-DSS is a collection of requirements for improving the security of electronic

payment transactions.

• ISO is a worldwide standards-setting group of representatives from various

national standards organizations.
Certification and Accreditation
• Organizations that require secure systems need one or more methods to
evaluate how well a system meets their security requirements. The formal
evaluation process is divided into two phases, called certification and
accreditation.

• Certification is the comprehensive evaluation of the technical and

nontechnical security features of an IT system and other safeguards made in
support of the accreditation process to establish the extent to which a
particular design and implementation meets a set of specified security
requirements.

• Accreditation is the formal declaration by the designated approving authority

(DAA) that an IT system is approved to operate in a particular security mode
using a prescribed set of safeguards at an acceptable level of risk.
Understand Security Capabilities of Information Systems
• Memory Protection
• Memory protection is a core security component that must be designed and
implemented into an operating system.
• Virtualization
• Virtualization technology is used to host one or more operating systems within the
memory of a single host computer.
• Trusted Platform Module
• The Trusted Platform Module (TPM) is both a specification for a cryptoprocessor chip
on a mainboard and the general name for implementation of the specification.
• Interfaces
• A constrained or restricted interface is implemented within an application to restrict
what users can do or see based on their privileges.
• Fault Tolerance
• Fault tolerance is the ability of a system to suffer a fault but continue to operate.
Assess and mitigate the vulnerabilities
of security architectures, designs, and
solution elements

INWK6111 - Security 41
Assess and Mitigate Security Vulnerabilities
• Hardware
• Processor
• Execution Types
• Multitasking
• Multiprocessing
• Multiprogramming
• Multithreading
Processing Types
• Single State
• Single-state systems require the use of policy mechanisms to manage
information at different levels.
• In this type of arrangement, security administrators approve a
processor and system to handle only one security level at a time.

• Multistate
• Multistate systems are capable of implementing a much higher level
of security.
 Protection Mechanisms
• Protection Rings, the ring protection scheme is an oldie but a
goodie.

• From a security standpoint, protection rings organize code and

components in an operating system (as well as applications,
utilities, or other code that runs under the operating system’s
control) into concentric rings.

• In the commonly used four-ring model, protection rings segregate

the operating system into kernel, components, and drivers in rings
0 through 2 and applications and programs run at ring 3.

• The essence of the ring model lies in priority, privilege, and

memory segmentation.

• From a security standpoint, the ring model enables an operating

system to protect and insulate itself from users and applications.
 Security Modes
• Dedicated Mode
• Each user must have a security clearance that permits access to all
information processed by the system.
• Each user must have access approval for all information processed by the
system.
• Each user must have a valid need to know for all information processed by the
system.

• System High Mode

• Each user must have a valid security clearance that permits access to all
information processed by the system.
• Each user must have access approval for all information processed by the
system.
• Each user must have a valid need to know for some information processed by
the system but not necessarily all information processed by the system.
 Security Modes (cont.)
• Compartmented mode
• Each user must have a valid security clearance that permits access to all information
processed by the system.
• Each user must have access approval for any information they will have access to on
the system.
• Each user must have a valid need to know for all information they will have access to
on the system.

• Multilevel Mode
• Some users do not have a valid security clearance for all information processed by
the system. Thus, access is controlled by whether the subject’s clearance level
dominates the object’s sensitivity label.
• Each user must have access approval for all information they will have access to on
the system.
• Each user must have a valid need to know for all information they will have access to
on the system.
Client-Based
• Applets
• Java Applets
• ActiveX Controls

• Local Caches
• ARP cache
• DNS cache
Server-Based
• An important area of server-based concern, which may include clients
as well, is the issue of data flow control.

• Data flow is the movement of data between processes, between

devices, across a network, or over communication channels.
 Database Security
• Aggregation: SQL provides a number of functions that combine records
from one or more tables to produce potentially useful information.

• Inference: Inference attacks involve combining several pieces of

nonsensitive information to gain access to information that should be
classified at a higher level.

• Data Mining and Data Warehousing:

• Many organizations use large databases, known as data warehouses, to store large
amounts of information from a variety of databases for use with specialized analysis
techniques.
• Data mining techniques allow analysts to comb through data warehouses and look
for potential correlated information.
Distributed Systems

• Distributed architectures are prone to vulnerabilities unthinkable in

monolithic host/terminal systems.

• Communications equipment can also provide unwanted points of entry into a

distributed environment.

• You should see that the foregoing litany of potential vulnerabilities in

distributed Architectures means that such environments require numerous
safeguards to implement appropriate security and to ensure that such
vulnerabilities are eliminated, mitigated, or remedied.
Cloud Computing
• Platform-as-a-Service
• Platform-as-a-Service (PaaS) is the concept of providing a computing platform
and software solution stack as a virtual or cloud-based service.
• The primary attraction of PaaS is the avoidance of having to purchase and
maintain high-end hardware and software locally.

• Software-as-a-Service
• Software-as-a-Service (SaaS) is a derivative of PaaS. SaaS provides on-demand
online access to specific software applications or suites without the need for
local installation.
• In many cases, there are few local hardware and OS limitations. SaaS can be
implemented as a subscription service a pay-as-you-go service, or a free
service.
Cloud Computing(cont.)

• Infrastructure-as-a-Service
• Infrastructure-as-a-Service (IaaS) takes the PaaS model yet another step
forward and provides not just on-demand operating solutions but complete
outsourcing options. This can include utility or metered computing services,
administrative task automation, dynamic scaling, virtualization services, policy
implementation and management services, and managed/filtered Internet
connectivity.
• Ultimately, IaaS allows an enterprise to scale up new software or data-based
services/solutions through cloud systems quickly and without having to install
massive hardware locally.
Grid Computing
• Grid computing is a form of parallel distributed processing that loosely
groups a significant number of processing nodes to work toward a
specific processing goal.

• Members of the grid can enter and leave the grid at random intervals.

• The biggest security concern with grid computing is that the content of
each work packet is potentially exposed to the world.

• Grid computing often uses a central primary core of servers to manage

the project, track work packets, and integrate returned work segments.
Peer to Peer
• Peer-to-peer (P2P) technologies are networking and distributed application solutions
that share tasks and workloads among peers.

• This is similar to grid computing; the primary differences are that there is no central
management system and the services provided are usually real time rather than as a
collection of computational power.

• Common examples of P2P include many VoIP services, such as Skype, BitTorrent, and
Spotify.

• Security concerns with P2P solutions include a perceived inducement to pirate

copyrighted materials, the ability to eavesdrop on distributed content, a lack of
central control/oversight/management/filtering, and the potential for services to
consume all available bandwidth.