Security Architecture and Engineering Flashcards
ISO 15288
Common for processes
TECHNICAL PROCESSES
Business and mission analysis process
Stakeholder needs and requirements definition process
System requirements definition process
Architecture definition process
Design definition process
System analysis process
Implementation process
Integration process
Verification process
Validation process
Operation process
Maintenance process
Disposal process
TECHNICAL MANAGEMENT PROCESSES
Project planning process
Project assessment and control process
Decision management process
Risk management process
Configuration management process
Information management process
Measurement process
Quality assurance process
ENABLING PROCESSES
Lifecycle model management process
Infrastructure management process
Portfolio management process
Human resources management process
Quality management process
Knowledge management process
SYSTEM AND SECURITY ENGINEERING PROCESSES
Commonly accepted sources for engineering processes:
International Council on Systems Engineering (INCOSE)
NIST SP800-160 System Security Engineering
ISO/IEC 15026 series-System and Software Engineering
ISO/IEC/IEEE 15288 Systems and Software Engineering
Systems and systems engineering processes have converged across major sources:
NIST and INCOSE recognize system security engineering as a specialty engineering function
AGREEMENT PROCESSES
Acquisition process
Supply process
KEY PRINCIPLES OF SYSTEM SECURITY
Confidentiality
Integrity
Availability
SECURITY MODELS
Purpose: the security models define rules of behavior for an information system to enforce policies related to system security but typically involving confidentiality and/or integrity policies of the system
BELL-LPADULA (BLP) MODEL
CONFIDENTIALITY MODEL
State machine level
Developed for the Department of Defense (DOD)
Used for multilevel security (MLS)
3 Properties defined:
No read-up (simple security property)
No write-down (star property)
Access matrix (discretionary property)
BIBA MODEL
INTEGRITY
State transition model
Focus on integrity vice confidentiality
Opposite rules from VBell-LaPadule (BLP)
Can read up (simple integrity property)
Can write down (star integrity property)
Lower level process cannot request higher access (invocation propoerty)
BREWER AND NASH MODEL
CONFIDENTIALITY
Designed to prevent conflict of interest
Information flow control model
Decomposes a company’s information into discrete datasets based on potential conflicts of interest
Defines rules for acceptable access to data objects by a particular subject(e.g person or process)
Accessing a data object excludes future access to potential conflict of interest objects
CLARK-WILSON MODEL
INTEGRITY
Introduces the concept of triples:
Subject
Program
Object
Subjects can only manipulate data objects though the use of a defined program
Set of rules designed to ensure data integrity for all operation
GRAHAM-DENNING (MODEL
CONFIDENTIALITY + INTEGRITY
Set of rules for creation, assignment of access rights, and deletion of objects and subjects
Eight rules (create/delete object/subject, assign, read, grant, delete, and transfer access rights)
Often used in distributed systems
HARRISON RUZZO ULLMAN (HRU)
INTEGRITY
Primarily for protection of access rights integrity
Confidentiality is protected by access rights, so HRU does provide secondary confidentiality protection
Extends Graham-Denning model
Defines a set of primitive allowable operations involving subjects and objects
AVAILABILITY MODELS
THERE ARE NONE
SECURITY CONTROLS
Safeguards or countermeasures that mitigate risks to confidentiality, integrity and availability in a system or operating environment
Controls may impact or modify the behavior of people, process or technology
TYPE OF CONTROLS
PREVENTATIVE - reduce the likelihood o impact of an undesirable event from happening.
DETECTIVE CONTROLS - identify an undesired event or collect information about it
CORRECTIVE CONTROLS - reduce or eliminate the impact of an undesirable event that has occurred
MEANS OF APPLICATION:
MANAGEMENT - policy or human driven controls
OPERATIONAL - process-driven controls
TECHNICAL - controls applied to technology
COMMON/INHERITABLE CONTROLS
Exist outside of a particular system but to provide some confidentiality, integrity and availability (firewall inherited by systems behind a firewall)
May include management, operational or technical controls
CONTROL SELECTION
Controls are selected to support the confidentiality, integrity and availability needs of the system
Control frameworks are often utilized to select appropriate controls and define controls
Inheritable controls that support the system are identified
CONTROL FRAMEWORKS
They define controls and control elements
frameworks allow for standardization of control implementation
Control frameworks often include evaluation criteria or mechanisms to verify controls are effective
EXAMPLE OF CONTROL FRAMEWORKS
ISO 27001 - industrial standard
NIST (SP800-52) - required for government use
COBIT - focused on business values
ISA/IEC 62443(ISA 99) - industrial automation and control systems
TAILORING CONTROLS
Control frameworks and standards are intended to be tailored to specific use-cases
Adjust control specifications or parameters to meet the needs of a specific system or environment
“Book” controls must be tailored to provide optimum value
Controls are not intended to be used as a checklists
EVALUATION CRITERIA
Each control should include specific evaluation methods and expected results
NIST Example:
TEST - coduct a direct test of the control
INTERVIEW - interview or question staff
EXAMINE - examine documentation or artifacts for evidence the control is properly employed
CONTROLS MAY BE EVALUATED BY MULTIPLE METHIDS
SYSTEM SECURITY CAPABILITIES
Access Control
Processor States
Memory Management
Process Isolation
Data Hiding
Abstraction Layers
Security Kernel
Encryption
Code Signing
Audit and Monitoring
Virtualization/ Sandbox
Hardware Security Modules
File System Attributes
GENERIC OPERATING SYSTEM (OS) MODEL
Application APPLICATION APPLICATION
API Services User Interface
Security Monitor Memory Mgr. Process Mgr.
I/O Mgr. Device Drivers Hardware Abstr. Layer
HARDWARE Trusted Platform Module (TPM)
TRUSTED PLATFORM MODULE
Encryption
REFERENCE OR SECURITY MANAGER
Theoretical
ACCESS CONTROL
OS controls access to objects
Rules defined allowable behavior
Security monitor or reference monitor enforces allowed behavior
File systems typically support by assigning security attributes to objects/files
PROCESSOR STATES
Processors typically support at least two states of operation: user and kernel modes.
User mode has limited access to ore functions or direct hardware access
MEMORY MANAGEMENT
Direct application access to system memory is restricted
Modern operation systems randomize memory location (address space)
Modern operating systems limit memory locations where code can execute - for example:
Data Execution Prevention (DEP) in Windows
PROCESS ISOLATION
Processes execute in separate memory space
Direct exchanges between processes is limited
Operating system (OS) manages inter-process exchanges through controlled interfaces
DATA HIDING
Typical with multi-level security (MLS) architectures using mandatory access control (MAC)
Data or objects at a higher security level cannot be seen by objects at a lower security level (BLP Model)
Also a coding practice where raw data is hidden from access and can only be obtained from a standardized interface.
ABSTRACTION LAYERS
Limits direct access to objects or entities
Defines allowable actions and interactions between layers
Protects against improper behavior or access between layers
SECURITY KERNEL
Also known as reference monitor
“Big brother” of kernel mode
Monitors and validates access control over system objects
Enforcement and validation component of all secure operating systems
REFERENCE MONITOR
Theoretical set of system tools which independently verify the actions of a system from a security standpoint.
Trusted Platform Module (TPM)
Hardware which provides cryptographic information and functions to enable the management and communications of sensitive information
ENCRYPTION
Can be applied to data at rest (hard-drive files) or in transit (communication channel)
May protect confidentiality and/or integrity of data
Protects data when OS features (security kernel) are not active or present
for example - Bitlocker protects data when the OS is not running
CODE SIGNING and VALIDATION
Cryptographic function
Executable code is digitally signed
OS validates signature before loading code
Unsigned code or code with a invalid signature is prevented from executing
May include OS internal code to prevent placement of OS components
AUDIT AND MONITORING
System actions are recorded and stored in a protected location
Specific actions that are recorded are typically customized
Audit records MUST be reviewed or monitored to be effective
Monitoring and review may include both automated and manual elements
Audit records are typically transferred off a system for protection and long term storage
VIRTUALIZATION / SANDBOX
Executing code is”wrapped” in a virtualization or sandbox layer
Code executing within the environment is strictly limited from direct interaction outside the environment
Permissions for a system access may be restricted independently for each virtualized or sandbox instance
May be an OS native function or function provided by a third party software
HARDWARE SECURITY MODULES
Hardware components that provide security services
Trusted Platform Module (TPM)
most common security module
provides secure storage and crypto functions
typically used to generate and store crytpo keys
keys or stored data cannot be accessed without permissions
Specialized modules may contain multiple hardware security modules
FILE SYSTEM ATTRIBUTES
Various file systems may store security attributes or provide security functions
A critical component to employing access control models in operating systems
File systems may include journaling that can provide data integrity
HOST PROTECTION SOFTWARE
Antivirus
Host based intrusion prevention (HIPS)
Host firewall
File integrity monitoring
Configuration and policy monitor
HIPS
Host Based Intrusion Prevention
NIPS
Network Based Intrusion Prevention
TOP THREAT / MITIGATIONS
TOP THREAT ACTIONS Hacking Social Engineering Malware Distribution Phishing
TOP MITIGATIONS Know what you have Patch and manage what you have Assess, monitor, log Educate users
COMMON SYSTEM VULNERABILITIES -
HARDWARE
HARDWARE
Hardware components may fail at any time
Mean-time-between-failure (MTBF)
Failure rates higher during initial system operation
Supply chain issues may introduce technical
flaws/vulnerabilities or malicious modifications
Old hardware may be difficult to repair or replace
COMMON SYSTEM VULNERABILITIES -
COMMUNICATIONS
COMMUNICATIONS:
Can fail
Can be blocked (DDoS)
Can be intercepted
Can be counterfeited (replayed)
Can be modified
Characteristics can expose information about the sender/receiver (address/location)
COMMON SYSTEM VULNERABILITIES -
ABUSE BY USER
Can be intentional or accidental
Can degrade or bypass security controls
Increases the likelihood as difficulty to operate increases
COMMON SYSTEM VULNERABILITIES -
CODE FLAWS
CODE FLAWS
Exist in all software with more than trivial complexity
May be introduced accidentally or intentionally
TYPICAL RISK CONDITIONS
Known flaws, patch available, systems not patched, exploit available
Known flaws, patch not available, exploit available
Unknown flaws, exploit available (zero-day attack possible )
COMMON SYSTEM VULNERABILITIES -
EMANATIONS
Hardware/physical elements may radiate information
- Radio frequency
- Visible or non-visible spectrum
Can be used to discern system functions
Can be used to locate systems/components
CLIENT BASED SYSTEMS
Desktops, laptops, thin client terminals
Typically represent larger quantities
Continuous state of adding new and decommissioning old in most organizations
General purpose devices with inconsistent usage patterns across the install base
THIN CLIENT
PC Without Storage
CLIENT BASED SYSTEM VULNERABLITIES
Physically under user’s control
Susceptible to user misuse (intent. or accidental)
May be lost / stolen
Monitoring may be difficult
100% update may be difficult
CLIENT BASED SYSTEM MITIGATIONS
Patch/Update - continuous action
General network protections (network segmentation,firewall devices, IDS, IPS)
Host protections (anti virus, hist IPS, host firewall, disk encryption)
Monitor (log alerts, track location)
Educate users (anti-phishing campaign, detecting attacks)
SERVER BASED SYSTEMS
Application servers, file servers, domain controllers, print servers, network service servers (DNS, DHCP)
Centrally managed / controlled
Limited access / functionality
Likely to be in a tightly controlled network segment
SERVER BASED VULNERABILITIES
May be exposed to external communications / services
Updates may be delayed due to operational need
May exist for long periods (risk of being outdated)
High traffic volume makes monitoring more difficult
SERVER BASED MITIGATIONS
Targeted network protections (server specific rules, restricted ports/protocols
Strong remote access mechanisms
Configurations and change management
Monitor: logs, alerts- targeted to server functions
DATABASE SYSTEMS
Hosted on servers, cloud, distributed etc.
Typically contains large quantities of valuable information
Typically requires high-speed operation with large number of transactions
DATABASE SYSTEM VULNERABILITIES
Inference
Aggregations
Data mining
High-value target
DATABASE SYSTEM MITIGATIONS
Input validation
Robust authentication/access control
Output throttling
Anonymization
Tokenization
INDUSTRIAL CONTROL SYSTEMS (ICS)
Typically embedded, limited function hardware
Interfaces between logical (computer) space and physical world
Includes sensors, motors, actuators, valves, gauges etc.
INDUSTRIAL CONTROL SYSTEMS (ICS) TYPES
Supervisory control and data acquisition (SCADA)
Distributed control systems (DCSs)
Programmable logic controllers (PLCs)
INDUSTRIAL CONTROL SYSTEMS VULNERABILITIES
Limited functionality
Limited protections
Long lifespan (become outdated)
Susceptible to misuse/error
Highly susceptible to Denial of Service (DoS) attacks
Attacks can produce physical effects
Often unattended in remote locations
INDUSTRIAL CONTROL SYSTEMS (ICS) MITIGATIONS
Isolated network infrastructure
Robust network connection restrictions and monitoring
Highly segmented network
Protect communications channels
Robust configuration control
CLOUD BASED SYSTEMS
Components hosted by a cloud service provider (CSP)
CSP assumes specific security responsibilities, the remainder stay with the data owner
Typically high reliability, speed, capacities
CSP to data owner relationship is governed by a contract and/or service-level agreements (SLAs)
CLOUD-BASED SYSTEM CHARACTERISTICS
On-demand self service
Broad network access
Resource pooling
Rapid elasticity
Measured service
Multi-Tenancy
CLOUD-BASED SYSTEM TYPES
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Network as a Service (NaaS)
CLOUD-BASED SYSTEM DEVELOPMENT
Private - exclusive use by one organization / on or off premise
Community - Provisioned for exclusive use by a community of users
Public - Open use by general public
Hybrid - combination of two or more
CLOUD-BASED VULNERABILITIES
Inherently exposed to external communications / access
Misconfiguration a major risk
May exist for long periods (risk of being outdated)
Gap between CSP and data owner security controls
CLOUD-BASED SYSTEM MITIGATIONS
Reputable loud service provider that supplies security/ information testing results
Well trained system administrators
Robust configuration/change control
File and communication encryption
Well managed identity and access controls
DISTRIBUTED SYSTEMS
Nodes and processors operate independently
Storage and processing spread across multiple components
Nodes “pass messages” to coordinate and communicate
Example: traditional telephone
Switches operate independently
Coordinate to pass calls between them
DISTRIBUTED SYSTEMS VULNERABILITIES
Lack of central control/monitoring
Data elements may be lost if nodes fail
Inconsistent security levels between nodes is possible
Susceptible to communication failures, compromise, or denial of service (DoS)
DISTRIBUTED SYSTEMS MITIGATIONS
Standard security rules for nodes to enter distributed network
Communication control, encryption, and redundancy
Node backup and data sharing between nodes
INTERNET-OF-THINGS (IOT) SYSTEMS
Generally small form factor, embedded hardware
Limited functionality OS
May interface with the physical world
Pervasive and often connected to general purpose networks
Functions /accessibility may be unclear to owner/user
INTERNET-OF-THINGS (IOT) SYSTEMS VULNERABILITIES
Limited vendor support for updates
Limited to no onboard security capability
Poor code management due to rapid development cycles
May contain limited or weak security implementation on standard protocols (Bluetooth, WiFi)
INTERNET-OF-THINGS (IOT) SYSTEMS MITGATIONS
Isolated on private networks with controlled access
Products selected for security features and update-ability
Product security/penetration testing
Disable unneeded functions
WEB-BASED SYSTEMS
Application or data accessible and manipulated through a web browser or web service
Often connects to a data source (database) that may be on or off platform
Uses standard protocols and interface languages
Connections are typically dynamic
WEB-BASED SYSTEM VULNERABILITIES
Accessibility to network communications/access
Use of obsolete protocols/encryption
Code/Configuration errors that expose components to data
WEB-BASED SYSTEM MITIGATIONS
Protect system behind firewalls and access controls
Limit and monitor communications protocols
Scan,evaluate, and assess interfaces and code (HTML, Java, scripts etc.)
Tightly control configuration and change management
Ensure platform is securely configured
MOBILE SYSTEMS
PHONE TABLETS WEARABLE DEVICES
Portable small form factor
Limited functionality
Embedded OS
Typically contains limited amounts of data
Connected (cellular, WIFI, Bluetooth, tethering)
Designed for single user
LAPTOPS PERSONAL COMPUTERS Portable - medium form factor Full featured operating system Capability similar to desktop May contain large amounts of data Multi-user capable Connected (WI-FI, Bluetooth, tethering, possibly cellular)
MOBILE SYSTEMS VULNERABILITIES
Loss or theft
Weak access controls configured
Un-Encrypted data
Communications interception or eavesdropping
Limited onboard security services and monitoring
MOBILE SYSTEMS MITIGATIONS
Mobile device management (MDM) installed (device tracking, wiping, software control, policy enforcement)
Activate screen lock and high complexity pass-codes or biometrics
Ensure device is encrypted
Tunnel communications through VPN architecture
Limit software / apps installed to trusted packages
Prevent jailbreak or rooting devices
Do not connect to public networks (coffee shop, hotel)
MOBILE SYSTEM MITIGATIONS (LAPTOPS)
Apply all traditional computer system protections (AV, FW, Host IPS etc.)
Ensure encryption is activated
Ensure strong passwords, biometrics, or two factor authentication on all user accounts
Activate anti-theft function or tracking functions if available
Tunnel mobile communications through VPN
Do not connect to public networks
EMBEDDED SYSTEMS
Computing platform with a dedicated function
Limited function / specialized OS
Limited processing power
Long service life in many applications
Includes a system on a chip (SoC) architectures
Typically includes special device categories : IoT, ICS, mobile devices
Highly diverse in nature (specialized computing vs general purpose computing)
EMBEDDED SYSTEMS VULNERABILITIES
Limited function design doe not include all full monitoring and security control implementation
Limited access controls
Limited ability to update, vendor support, often time-limited
EMBEDDED SYSTEMS MITIGATIONS
Limited access to devices
Limit communications to devices
Disable unnecessary /unneeded/ components/ features/communications
Isolate on dedicated networks, if connected
Monitor external communications with exterior sensors
Apply vendor updates when available
CRYPTOGRAPHY SERVICES
CONFIDENTIALITY
INTEGRITY
AUTHENTICITY
NON-REPUDIATION
ACCESS CONTROL
DATA PROTECTION
DATA AT REST
Backup tapes, off-site storage, password files
DATA IN TRANSIT
Provide secure and confidential methods to transmit data .
Allows the verification of the integrity of the message so that any changes to the message itself can be detected
LINK ENCRYPTION
Encrypts all of the data along a communication path
Communications nodes need to decrypt the data t continue routing
END-TO-END ENCRYPTION
Generally performed by the end user within an organization
Encrypted at start and not decrypted until the end user
Routing information remains visible
CRYPTOGRAPHIC EVOLUTION
Manual
Mechanic
Electro-Mechanical
Electronic
Quantum
CAESAR CIPHER
Shifting letters by a certain number
SPARTAN BELT SETTLE
Wrap belt around settle to read text
BOOK CIPHER
Pages numbers
WORK FACTOR
The level of difficulty in cracking a code
STREAM CIPHERS
A key-stream (sequence of bits used as a key) is generated and combined with plain text using an exclusive -or (XOR)
Statistically unpredictable
Not linearly related to the key
Operated on individual bites or bytes
Functionally complex
Long periods with no repeats
Seemingly random due to the generation of the key-stream is usually controlled by the key
EXCLUSIVE-or XOR
If both values are the same = 0
If values are different = 1
BLOCK CIPHERS
Uses fixed-sized blocks of text
The size of the blocks affects the strength of the crypto implementation
As plain-text is fed into the crytposystem, it’s divided into blocks of a preset size
Often a multiple of the ASCII character size: 64, 128, 192 bits etc.
INITIALIZATION VECTORS - WHY NEEDED
Encrypting the same text with the same key produces the same cipher-text
Encrypting the same message with different keys may produce detectable patters
An IV is a random value added to plain-text message before encrypting so that each cipher-text will be ubstantially different
KERCKHOFF’s PRINCIPLE
A cryptosystem should be secure even if everything about the system, except the key , is public knowledge
HIGH WORK FACTOR
Measured in units such as:
Hours of computing time
Cost in dollars of breaking the encryption
If the work factor is substantially high, the encryption system is considered to be practically or economically unbreakable
SUBSTITUTION CIPHERS
The process of substituting one letter fr another based upon a crypto-variable
Involves shifting positions in the alphabet of a defined number of characters (Caesars cipher and Vigenere cipher)
Involves using a scrambled alphabet to substitute one letter for another (Enigma Machine)
TRANSPOSITION CIPHERS
Cryptosystems that use transposition or permutation
rely on concealing the message through transposing of or interchanging the order of the letters
