Domain 3: Security Engineering and Architecture Flashcards
Common Criteria
Structured methodology for documenting security requirements, documenting and validating. Based on ISO 15408
Protection Profile
Specifies the security requirements and protections of a product that is to be evaluated. Organised around TCB entities. Evaluation Assurance Levels (EAL)
Evaluation Assurance Levels (EAL)
EAL0 - Inadequate assurance
EAL1 - Functionally tested
EAL2 - Structurally tested
EAL3 - Methodically tested and checked
EAL4 - Methodically designed, tested, and reviewed
EAL5 - Semi formally designed and tested
EAL6 - Semi formally verified design and tested
EAL7 - Formally verified design and tested
Target of Evaluation (TOE)
The target for the product
Protection Profile (PP)
Set of security requirements of TOE
Security Functional Requirements (SFRs)
Specific individual security functions
Engineering principles for IT Security
Use NIST SP 800-27
- Initiation; need expressed, purpose documented, impact assessment
- Development/Acquisition; system designed, purchased, programmed, developed or constructed
- Implementation; system tested and installed, certification
- Operation/Maintenance; performs function, security operations, audits
- Disposal; disposition of information, HW and SW
Physical controls are your first line of defense, and people are your last
OS Kernel
Loads and runs binary programs, schedules task swapping, allocated memory and tracks physical location of files on computers hard disk, manages IO/OP requests from software, and translates them into instructions for CPU
Primary storage
Temporary storage area for data entering and leaving the CPU
Random Access Memory
Temporary holding place for data used by the OS. It is volatile. Two types of RAM exist: Dynamic and Static. Dynamic RAM needs to be refreshed periodically, while Static RAM’s data does not need to be refreshed
ROM
Read only memory is non-volatile which means when a computer is turned off the data is not lost. EEPROM can be altered
Process States
- Stopped: process finishes or must be terminated
- Waiting: the process is ready for continued execution but is waiting for a device or access request
- Running: executes on the CPU and keeps going until it finishes; its time slice expires, or it is blocked
- Ready; process prepared to executve when CPU ready
Multitasking
Execute more than one task at the same time
Multitasking
More than one CPU is involved
Multiprocessing
More than one CPU is involved
Multi-Threading
Execute different parts of a program simultaneously
Single state machine
Operates in the security environment at the highest level of classification of the information within the computer. In other words, all users on that system must have clearance to access the info on that system.
Multi state machine
Can offer several security levels without risk of compromising the system’s integrity
CICS
Complex instructions. Many operations per instruction. Less number of fetches
RISC
Reduced instructions. Simpler operations per instructions. More fetches
Generations of Software
1st Gen: Machine Language 2nd Gen: Assembler 3rd Gen: FORTRAN: C++ 4th Gen: Natural/focus and SQL 5th Gen: Prolog, list artificial intelligence languages based on logic
Memory Segmentation
Dividing memory into segments
Protection Keying
Numerical values, divides physical memory up into particular sized blocks, each of which has an associated numerical value called a protection key
Paging
Divides memory address space into even sized blocks, called pages. To emulate that we have more RAM than we have. System kernel knows the location of the page file.
DEP
Data Execution Prevention: A system level memory protection feature that is built into the OS DEP prevents code from being run from different pages, such as default heap, stacks, and memory pools
ITIL
Best practices for IT operations, including change management and configuration management.
Security Models
Defines allowed interaction between subjects and objects at a particular moment in time
State Machine Model
Describes a system that is always secure no matter what state it is in. If all aspects of a state meet the requirements of the security policy, that state is considered secure. A transition occurs when accepting input or producing output. A transition always results in a new state (also called a state transition). A secure state machine model always boots into a secure state, maintains a secure state across all transitions, and allows subjects to access resources only in a secure manner compliant with the security policy.
Information Flow Model
Based on state machine model, the Bell LaPadula and Biba models are both information flow models. Information flow models are designed to prevent unauthorised, insecure, or restricted information flow, often between different levels of security (these are often to as multilevel models). The information flow model also addresses covert channels by specifically excluding all non-defined flow pathways.
Noninterference Model
Loosely based on information flow model. Focuses on actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level. Basically, the actions of subject A (high) should not affect the actions of subject B (low) or even be noticed by subject B. The noninterferance model can be imposed to provide a form of protection against damage caused by malicious programs such as trojan horses.
Confinement
Restricts actions of a program. Process confinement allows a process to read from and write to only certain memory locations and resources. This is known as sandboxing.
Bounds
A process consist of limit set on the memory addresses and resources it can access. The bounds state the area within which a process is confined or contained
Isolation
When a process is confined through enforcing access bounds that process runs in isolation. Process isolation ensures that any behaviour will affect only the memory and resources associated with the isolated process.
Matrix Model
Provides access rights to subjects for objects, access rights are read, write and executed. Columns are ACL’s, rows are capability lists, and supports discretionary access control
Bell LaPadula
Focused on preventing information flow from a high security level to a low security level. Confidentiality model, developed by DOD.
- Cannot read up, cannot write down
- Tranquillity principle prevents security levels of subjects from being changed once they are created
BIBA Model
Integrity model. Focused on protecting objects from external threat, by preventing information flow from a low security level to a high security level.
- Cannot read down
- Cannot write up
Clark Wilson
Integrity model, which enforces access to objects only through programs.
Information Flow Model
Each object is assigned a security class and value, and information is constrained to flow in the directions that are permitted by the security policy. Thus flow of information from one security level to another.
Brewer and Nash
Provides dynamic access control based on user’s previous actions. Prevents conflict of interests from members of the same organisation to look at information that creates a conflict of another member of that organisation. THINK OF STOCK MARKETS
Lipner Model
Combines Bell LaPadula and Biba model
Graham-Denning
Focused on relationship between subjects and objects
Take Grant
Uses a direct graph to specify the rights that subjects can transfer to objects or that subjects can take from other objects.
Uses STATES and STATE Transitions
- Take Rule: Allows a subject to take rights over an object
- Grant Rule: Allows a subject to grant rights to an object
- Create Rule: Allows a subject to create new rights
- Remove Rule: Allows a subject to remove its own rights
Composition Theory
Three recognised types of composition theories:
- Cascading: input for one system comes from the output of another system
- Feedback: One system provides input to another system, which reciprocates by reversing those roles (so that system A first provides input for system B and then system B provides input to system A).
- Hookup: One system sends input to another system but also sends input to external entities.
MAC
Subjects are labelled as to their level of clearance. Objects are labelled as to their level of classification or sensitivity.
Subjects
Entity who can perform work tasks, such as users, data owners (protect data), and data custodian (classify and protect data)
ITSEC
The Information Technology Security Evaluation Criteria refers to any system being evaluated as a target of evaluation. It is used in Europe only. Addresses CIA. It evaluates functionality and assurance separately. Assurance from E0 to E6 (highest), and F1 to F10 (highest). Therefore, a system can provide low assurance and high functionality or vice-versa.
Does not rely on the notion of a TCB, and it doesn’t require that a system’s security components be isolated within a TCB. Includes coverage for maintaining targets of evaluation after changes occur without requiring a new formal evaluation.
Certification
Is evaluation of security features and safeguards if it meets the requirements. Certification is the comprehensive evaluation of the technical and nontechnical security features of an IT system and other safeguards made in support of the accreditation process to establish the extent to which a particular design and implementation meets a set of specified security requirements.
Accreditation
The formal declaration by the designated approving authority (DAA) that an IT system is approved to operation in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. Once accreditation is performed, management can formally accept the adequacy of the overall security performance of an evaluated system.
System Accreditation
A major application or general support system is evaluated
Site Accreditation
The applications and systems at a specific, self-contained location are evaluated
Type Accreditation
An application or system that is distributed to a number of different locations is evaluated
TCSEC: Orange Book
Trusted Computer System Evaluation Criteria. From the US DoD, it evaluates operating systems, application, and systems. It doesn’t touch the network part. It only addresses confidentiality.
- ITSEC: 1, TCSEC: D: Minimal protection, any system that fails higher levels
- ITSEC 2, TCSEC C1: DAC (identification, authentication, and resource protection).
- ITSEC 3, TCSEC C2: DAC (controlled access protection (object reuse, protect audit trail))
- ITSEC 4, TCSEC B1: MAC (security labels, based on Bell LaPadula security model. Labeled security process, isolation, devices.
- ITSEC 5, TCSEC B2: MAC, strucutred protection. Seperate operation/admin roles. Configuration management.
- ITSEC 6, TCSEC B3: MAC, security domain (trusted recovery), monitor event and notification.
- ITSEC 7, TCSEC A; mac; formal verified protection
Rainbow Series
Red= trusted network, Orange = TCSEC evaluation, Brown = trusted facilities management, Tan=audit, Aqua=glossary, Green=password management
ISO 27001
Focused on the standardisation and certification of an organisation’s information security management system (ISMS), security governance, a standard, ISMS. Info security minimum systems
ISO 27002
A guideline which lists security control objectives and recommends a range of specific controls.
COBIT 5
Based on five key principles for governance and management of enterprise IT:
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single, integrated framework
- Enabling a holistic approach
- Separating governance from management. COBIT is used not only to plant the IT security of an organisation but also as a guideline for auditors.
Virtualisation
Used to host one or more OS’s within memory of a single host computer. Such an OS is also known as a guest OS. From the perspective that there is an orgiinal or host OS installed directly on the hardware, the additional OS’s hosted by the hypervisor are guests.
VM
Virtual Machine. Simulated environment created by the OS to provide a safe and efficient place for programs to execute.
Virtual SAN
Software defined shared storage system is a virtual re-creation of a SAN on top of a virtualised network or an SDN.
TOCTTOU Attack
Race condition exploits, and communication disconnects are known as state attacks because they attack timing, data flow control, and transition between one system state to another.
RACE
Two or more processes require access to the same resource and must complete their tasks in the proper order for normal functions.
Register - Memory
Small memory in CPU that directly provide accessible memory locations that the brain of the CPU (ALU) uses when performing calculations
Stack Memory Segment
Used by processors to communicate instructions and data to each other
Monolithic OS Architecture
All the code working in kernel mode in an ad hoc and non-modularised OS
Memory Addressing
When using memory resources, the processor must have some means of referring to various locations in memory. The solution to this problem is known as addressing.
Register Addressing
When the CPU needs information from one of its registers, it uses a register address (e.g. register 1) to access its content
Immediate Addressing
A way to refer to data, such as immediate addressing where the CPU is told to add 2 to the value in the register
Direct Addressing
The CPU is provided with actual address of the memory location to access. The address must be located on the same memory page as the instruction being executed.
Indirect Addressing
Similar to direct addresing. However, the memory address supplied to the CPU as part of the instruction doesnt contain the actual value that the CPU is to use as an operand. The CPU reads the indirect address to learn the address where the desired data resides and then retrieves the actual operation from that address.
Base + Offset Addressing
Uses a value stored in one of the CPU’s registers as the base location from which to begin counting. The CPU then adds the offset supplied with the instruction to that base address and retrieves the operaand from that computed memory location.
PaaS
Platform as a Service.
