Security Architecture and Design Flashcards
Security Model Concepts
Confidentiality
Integrity
Availability
Defense in depth
System Architecture
Process of describing, representing components that make up the planned system and interrelationships between components.
Answer questions like:
what is the purpose of system?
who will use it?
what environment will it operate in?
System Architecture Steps
- System Design Phase - gather system requirements, and manner in which requirements will be met
- Development Phase - HW, SW components assigned for development
- Maintenance Phase - System and Security architecture are evaluated to ensure system operates properly and security is maintained
ISO / IEC 42010:2011 Terminology
Architecture
Describes organization of system including its components and their interrelationships along with principles that guide its design and evolution
ISO / IEC 42010:2011 Terminology
AD - Architectural Description
Set of documents that convey the architecture in a formal manner
ISO / IEC 42010:2011 Terminology
Stakeholder
Individuals, teams, departments including groups outside organization with interests or concerns to consider
ISO / IEC 42010:2011 Terminology
View
Representation of the system from the perspective of a stakeholder or set of stakeholders
ISO / IEC 42010:2011 Terminology
Viewpoint
Template used to develop individual views that establish the audience, techniques and assumptions made
Computing Platforms
Mainframe / Thin Clients
power is on mainframe, clients just used to access it
Computing Platforms
Distributed Systems (Client / Server)
devices have client software that interact with server software
Computing Platforms
Middleware
software that talks between two different systems
ex. Users connect to software that provides interface which accesses databases
Computing Platforms
Embedded Systems
Platform in another system.
System within a system
Embedded in hardware or software
Computing Platforms
Mobile Computing
software running on tablets, phones, etc
Virtual Computing and Security Services
Running multiple instances of operating system on a single server
Security Services
Boundary Control
Placing components in security zones and maintaining boundary control among them
Security Services
Access Control Services
Gives users only the access required to do their jobs
Security Services
Integrity Services
Ensures data moving through OS or application can be verified as not damaged or corrupted
Security Services
Cryptography Services
Encrypting information in transit
Security Services
Auditing and Monitoring Services
Method of tracking the activities of users and of the operations of the system processes
System Components
CPU
Executes all instructions in the code
Multiprocessing allows executing multiple instructions in parallel
CPUs have their own memory
Can work in user mode (user or app) or privileged mode (for operating system)
If instruction for CPU is marked to be performed in privileged mode, it must be a trusted OS Process and is given functionality not available in user mode
System Components
RAM
Desktop SDRAM - Synchronous Dynamic RAM DDR SDRAM - Double Data Rate SDRAM DDR 2 SDRAM - Double Data Rate 2 SDRAM DDR 3 SDRAM - Double Data Rate 3 SDRAM
Laptop
SODIMM - Small Outline DIMM
System Components
ROM
Flash Memory - electronically programmable ROM
PLD - Programmable Logic Device, integrated circuit with internal logic gates that can be changed programmatically
FPGA - Field Programmable Gate Array, a type of PLD programmed by blowing fuse connections on the chip, or using an antiques that makes connection when high voltage applied to junction
Firmware - type of ROM where a program or low-level instructions are installed
Memory Concepts
Associative Memory
Searches for specific data value in memory rather than by specific memory address
Memory Concepts
Implied Addressing
Refers to registers usually contained inside the CPU
Memory Concepts
Absolute Addressing
Addresses the entire primary memory space. CPU uses the physical memory addresses that are called absolute addresses
Memory Concepts
Cache
Small amount of high-speed RAM that holds the instructions and data from primary memory and that has high probability of being accessed during currently executed portion of a program
Memory Concepts
Indirect Addressing
The address location specified in the program instruction contains the address of the final desired location
Memory Concepts
Logical Address
Address at which a memory cell or storage element appears to reside from the perspective of an executing program
Memory Concepts
Relative Address
Specifies its locations by indicating its distance from another address
Memory Concepts
Virtual memory
Location on hard drive used for temporary storage when memory space is low
Memory Concepts
Memory Leak
Occurs when computer program incorrectly manages memory allocations which can exhaust available system memory as an application runs
Rings of privilege
0, 1, 2, 3, 4
Ring 0 - Most privileged Ring 1 Ring 2 Ring 3 Ring 4 - least privileged etc
Multitasking Types
Symmetric, Asymmetric
Symmetric Multitasking
Two processes divide the same work
Asymmetric Multitasking
One processor is dedicated to the OS, other(s) dedicated to user operations
System Security Architecture
Views components that comprise a system from a security perspective
Should be derived from the organization security policy
System-specific policy must be more detailed. It addresses level security required on a device, OS or application
Trusted Computer System Evaluation Criteria
(Orange Book Concepts)
TCB - Trusted Computer Base
Composed of components (HW, firmware, SW) that are trusted to enforce the security policy of the system
Security Perimeter - dividing line between trusted parts of system and untrusted parts
Reference Monitor - any system component that enforces access controls on an object
Security Kernel - The HW, firmware, SW elements of a TCB that implements the reference monitor concept
Security Architecture Frameworks
Zachman Framework
2D model that intersects communication interrogatives (what, why, where, etc) with viewpoints like planner, owner, designer, etc
Security Architecture Frameworks
SABSA - Sherwood Applied Business Security Architecture
Attempts to enhance communication process between stakeholders
Security Architecture Frameworks
ITIL - IT Infrastructure Library
Set of best practices which have become de facto standard for IT Service Management
TOGAF
The Open Group Architecture Framework
Calls for an ADM (architectural development method) that uses an iterative process which continuously monitors and updates individual requirements
Security Architecture Documentation
ISO / IEC 27000 Series
Establishes information security standards published jointly by the International Organization for Standardization (ISO) and the Electrotechnical Commission (IEC)
Security Architecture Documentation
CobiT
Control Objectives for Information and Related Technology
Derived from the COSO framework created by the Committee of Sponsoring Organizations of the Treadway Commission.
Deals with IT Governance
Security Models
State Machine Model
Examines every possible state that system could be in and ensures the system maintains proper security relationships between objects and subjects in each state
Security Models
Multilevel Lattice Models
Assigns each security subject a label defining upper and lower bounds of the subjects access to the system.
Applies controls to all objects by organizing them into levels or lattices
Security Models
Matrix-based models
Organizes tables of subjects and objects indicating what actions individual subjects can take upon individual objects, often implemented as a control matrix
Security Models
Non-Interference Models
Concerned with subject’s knowledge of the state of the system at a point in time.
Concentrates on preventing actions that take place at one level from altering state presented to another level
Security Models
Information Flow Models
Attempts to prevent flow of information from one entity to another that violates or negates the security policy
Security Models
Bell-LaPadula Model
Incorporates 3 basic rules regarding flow of information in a system
Simple Security Rule
A subject cannot read data located at higher security level than that possessed by the subject (aka no read up)
- Property Rule
A subject cannot write to a lower level than that possessed by the subject (aka no write down or confinement rule)
- Property Rule
Strong Star Property Rule
A subject can perform both read and write functions only at the same level possessed by the subject
Security Models
Bell-LaPadula Model Limitations
No provision for changing data access control. Only works well with access systems that are static in nature
Doesn’t address covert channels. Low-level subject can sometimes detect existence of a high-level object when it’s denied access. Sometimes it’s not enough to hide the content of an object, the existence may also need to be hidden
Main contribution at expense of other concepts is confidentiality
Security Models
Biba Model
Applies series of properties or axioms to guide protection of integrity
Integrity Axiom
A subject cannot write to a higher integrity level than that which he has access (no write up)
Simple Integrity Axiom
Subject cannot read to a lower integrity level than that which he has access (no read down)
Invocation Property
A subject cannot invoke (request service) of higher integrity
Security Models
Clark-Wilson Integrity Model
Describes series of elements used to control integrity of data
User - an active agent
TP (Transformation Procedure) - An abstract operation like read, write, modify implemented via programming
CDI (Constrained Data Item) - Item that can be manipulated only through a TP
UDI (Unconstrained Data Item) - An item that can be manipulated by a user via read and write operations
IVP (Integrity Verification Procedure) - A check of the consistency of data with the real world
Security Models
Clark-Wilson Integrity Model part 2
Enforces its elements by allowing data to be altered only through programs and not directly by users. Goals are separation of duties and well-formed transactions
Separation of duties - ensures certain operations require additional verification
Well-Formed Transaction - Ensures all values checked before and after transaction by carrying out particular operations to complete change of data from one state to another
Security Models
Lipner Model
Combines elements of Bell-LaPadula and Biba
Security Models
Brewer-Nash (Chinese Wall) Model
If users accesses data set A, then set B is now unavailable
Goal is to protect against conflicts of interests by tracking previous requests.
Introduced concept of allowing access controls to change dynamically based on user’s previous actions
Security Models
Graham-Denning Model
Attempts to address issue ignored by Bell-LaPadula - Deals with delegate and transfer rights.
Security Models
Harrison-Ruzzo-Ullman Model
Restricts set of operations that can be performed on an object to a finite set to ensure integrity
Security Modes
Dedicated Security Mode
Employs single classification level
All users can access all data, but they must sign NDA and be formally approved for access on need-to-know basis
Security Modes
System High Security Mode
All users have same security clearance.
They do not all have a need-to-know clearance for all the information in the system
Security Modes
Compartmented Security Mode
All users must have the highest security clearance (as in both dedicated and system high security)
They must also have valid need-to-know clearance, signed NDA and formal approval for information they have access
Security Modes
Multilevel Security Mode
Allows two or more classifications levels of information to be processed at same time
System Evaluation and Assurance Levels
TCSEC
Trusted Computer System Evaluation Criteria
Developed by National Computer Security Center for the DoD to evaluate products
System Evaluation and Assurance Levels
Orange Book
Collection of criteria based on Bell-LaPadula model used to grade the security of a computer system
System Evaluation and Assurance Levels
Red Book
Addresses network security
System Evaluation and Assurance Levels
ITSEC
Addresses integrity and availability plus confidentiality
Mainly set of guidelines used in Europe
System Evaluation and Assurance Levels
Common Criteria
Uses EAL’s (Evaluation Assurance Levels) to rate systems with each representing successively higher level of security testing and design in a system
TCSEC Classes
A
B
C
D
A - Verified protection
A1 - Verified design
B - Mandatory Protection
B1 - labeled security protection
B2 - structured protection
B3 - security domains
C - discretionary protection
C1 - discretionary security protection
C2 - controlled access protection
D - Minimal protection
ITSEC Ratings
functional requirements
assurance requirements
10 classes
F1 to F10 to evaluate functional requirements
7 classes E0-E6 to evaluate assurance requirements
Common Criteria Assurance Levels
EAL 1-7
EAL1 - Functionally tested
EAL2 - Structurally tested
EAL3 - Methodically tested and checked
EAL4 - Methodically designed, tested and reviewed
EAL5 - Semi-formally designed and tested
EAL6 - Semi-formally verified design and tested
EAL7 - Formally verified design and tested
Common Criteria
Uses Protection Profile during the evaluation process
Protection profile contains these elements
descriptive elements
rationale
functional requirements
development assurance requirements
evaluation assurance requirments
Certification vs Accreditation
Certification evaluates technical system components. comes before accreditation
Accreditation occurs when adequacy of a system’s overall security is accepted by management
Accreditation process by NIACAP has 4 phases
Phase 1 - definition
Phase 2 - Verification
Phase 3 - validation
Phase 4 - Post accreditation
Types of accreditation
Type accreditation - evaluates application or system distributed to different locations. Not accredited by location, but by type
System accreditation - evaluates application or support system
Site accreditation - evaluates application or system at a specific self-contained location
Security Architecture Threats
Maintenance Hooks
built into code (aka back door) that allows developers access without normal controls
Security Architecture Threats
Time of check / time of use attacks
attempt to take advantage of sequence of events that occur as the system completes common tasks
Security Architecture Threats
Web based attacks
operate by making normal or modified requests aimed at taking advantage of inadequate input validation and parameters, or instruction spoofing
Security Architecture Threats
Server based attacks
focuses on operations of the server OS, rather than web applications
Addressing concerns with XML
Define SAML and OWASP
SAML
Security Assertion Markup Language - XML based open standard data format for exchanging authentication and authorization data, mainly between identity provider and service provider
OWASP
Open Web Application - open source application security project. They create guidelines, testing procedures and tools to help web security. Maintain top-ten list of web application security risks
Database Security Concepts
Inference
Occurs when someone has access to info at one level that allows them to infer info about another level
Database Security Concepts
Polyinstantiation
Main mitigation technique for inference
Development of a detailed version of an object from another object using different values in the new object
Database Security Concepts
Aggregation
Assembling or compiling units of information at one sensitivity level and having the resultant totality of data being of a higher sensitivity level than the individual components
Database Security Concepts
Contamination
mixing of data with one sensitivity level, with another
Data Mining Warehouse
repository of information from various databases
lets multiple data sources to be stored in one place and organized so that redundancy is reduced (aka data normalizing)
data mining tools used to manipulate data and discover relationships
Distributed Systems Security
Special cases where extra security concerns may be needed
Cloud Computing
Grid Computing
Peer to Peer Computing
Cloud - centralizing data in web environment
Grid - harnessing power of multiple computers to perform a job
P2P - any client-server solution where any platform can be a client or server or both
4 Characteristics of ActiveX Data Objects (ADO)
high-level programming interface to an underlying data access technology like OLE DB
set of COM objects for accessing data sources (not just database access)
Allows developers to write programs that access data without knowing how database is implemented
SQL Commands not required to access database when using ADO
In computer crime, what does MOM stand for?
Means
Opportunity
Motives
What does the Operating System’s Control Unit do?
fetches programming code, interprets it, oversees execution of the instruction sets.
It manages and synchronizes the system while different applications’ code is being executed
What are 3 types of Digital Forensic Science?
Media Analysis
Software Analysis
Network Analysis
What type of DFS is referred to as “computer forensics”
media analysis
What encrypts all the data in a communication path including the header, trailer and routing information?
End to End Encryption
Link Encryption
Link Encryption
What generation does machine language exist in?
generation one
1 - machine 2 - assembly 3 - high level 4 - very high level 5 - natural
What is least important when quantifying risks associated with a potential disaster?
a. gathering information from agencies that report on disasters
b. ID company’s key functions
c. ID critical systems
d. estimating potential loss and impact
gathering information from agencies that report probability of certain natural disasters is the least important
What is key clustering?
when different keys generate the same ciphertext for the same message
The 5 defined maturity levels of the CMMI (Capability Maturity Model)
I R D M O
Initial Repeatable Defined Managed Optimizing
Are increased developmental testing and using only operational data - good remedies to buffer overflows?
yes
Do stateful inspection firewalls pay attention to previous packets and monitor the sequence and acknowledgement numbers of a connection, to understand when a packet could be out of sequence?
yes
Should you put smoke detectors near exterior rear doorways?
No
Do block ciphers perform substitution by using S-Boxes? (substitution boxes)
yes
they use lookup tables to determine how a block is encrypted or decrypted, the key is used to decide on the s-box to use for each block
Does parallel computing happen at these 3 levels?
user mode, kernel mode, or OS level
or these 3 levels? bit, instruction, task
bit, instruction, task
identifying openings in a target’s network is called what?
port scanning
not fingerprinting
What is a B3 TCSEC rating? What are its requirements?
B3 requires:
trusted recovery
monitors events and notifies appropriate personnel
security administrator role defined
(doesn’t require formal methods and procedures)
Class A rated product requires all of B3 plus formal methods and procedures
Does the Clark-Wilson model address confidentiality?
No
It’s an integrity model. It’s better suited for the commercial industry than Bell-LaPadula which is a confidentiality model.
It prevents unauthorized users from changing data
Provides internal and external consistency
prevents authorized users from improperly changing data
Key features of the Caesar Cipher
ROT 3
what percentage of businesses would go out of business if they had to close for only one week?
65%
Are products that pass through the Trusted Products Evaluation Program (TPEP) published in the List of Evaluated Products?
yes
Do you use CGI scripts or executables in a website to respond dynamically to code?
yes
CGI scripts or executables translate, respond to requests, build new web pages and send them to the user.
Federal Sentencing Guidelines of 1991
Specifically for white collar crime
Detailed specific responsibilities of senior executives
Encouraged implementing security policies and a security program
What happens in the acceptance testing/implementation phase?
QA does testing
Product is integrated into desired network
Product is given to customer for certification and accreditation
(But the product is NOT used in intended environment)
define a disaster in terms of length of time
disasters affect a business for one day or more
define a catastrophe in terms of length of time
catastrophes affect a business for weeks, months or years
Data mart
collection of data that fulfills a specific need / is targeted at one group or for a specific objective
What’s so special about ISO/IEC 15408?
used as the basis for evaluating security products under the CC framework (common criteria)
Is DEA the algorithm used in DES?
yes
Are locks considered delaying devices?
yes
What are the 3 ways a computer can react to a problem / failure?
emergency system restart
system reboot
system cold start
How much stronger is 3DES than DES?
2^56
Why is computer generated or electronic information often categorized as hearsay (secondhand) evidence?
Because computer files and systems can be modified after the fact without others being aware
What happens in the project initiation phase?
formal introduction of project to participating parties
entire scope is overviewed
initial risk analysis performed
(customer requirements are too granular and are performed in second phase)
Is tort law the same as civil law?
yes
they typically don’t require same degree of burden of proof that criminal cases require
multithreading
processing more than one request or thread at once
multitasking
processing more than one task or process at once
multiprocessing
multiple CPU’s and processing separate instructions in parallel
Maximum Tolerable Downtime for:
critical urgent important normal non-essential
critical - minutes to hours urgent - 24 hours important - 72 hours normal - 7 days non-essential - 30 days
Define domain
set of resources available to a subject
subject can be a user, process, application
Define security domain
resources in the domain are working under the same security policy and managed by the same group
Why does the Internet Architecture Board sound like a bunch of wankers?
They state the “internet is a privilege and should be treated and used with respect”
What was cool about the Gramm-Leech-Bliley act of 1999?
Required financial institutions to tell customers their privacy rights
requires Sr. executives to be accountable for security issues and provide training to employees about security
Chosen ciphertext
attackers possesses ciphertext and chooses which parts are decrypted.
Those decrypted portions are analyzed to find the key
Why is computer generated or electronic information often categorized as hearsay (secondhand) evidence?
Because computer files and systems can be modified after the fact without others being aware
It is admissible when the output is generated as part of normal business activities and not just once for the court, and has testimony of the person who generated them
When do you apply corrective controls?
when a situation needs correcting (fixing)! For instance, after an attack occurred, or after a vulnerability was found
Is accountability a characteristic of an identity?
no
to hold a person accountable, do you need uniqueness or accountability
uniqueness because accountability isn’t a characteristic
Enticement vs Entrapment
Enticement - Honeypot that records attacker
Entrapment - tricking attacker into committing a crime
Polymporphism
two different objects responding to same command in different ways
objects are derived from different classes, so the respond differently to same command.
