Security Architectures Flashcards
Threat Modeling
The process of describing probable adverse effects on our assets caused by specific threat sources.
When we do threat modeling, what do we consider?
- Important to only consider dangers
- Potential impact of those threats
- Specify threat sources
Attack Trees
Is a graph showing how individual actions by attackers can be chained together to achieve their goals.
Attack trees lend themselves to a methodology known as reduction analysis. There are 2 aspects:
- Reduce the number of attacks
- Reduce the threat posed by the attack
STRIDE
Developed by Microsoft in 1999
Is a threat modeling framework that evaluates a system’s design using flow diagrams, system entities, and events related to a system.
The Lockheed Martin Cyber Kill Chain
- It is used to anticipate the intent and actions of an enemy and then develop a plan to get inside their decision loop and defeat them.
- The term kill chain evolved to describe the process of identifying a target, determining the best way to engage it, amassing the required forces against it, engaging it, and destroying it.
- It identifies the steps that threat actors generally must complete to achieve their objectives.
7 Stages of the Lockheed Martin Cyber Kill Chain
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Action on Objective
STRIDE
Mnemonic
S - Spoofing
T - Tampering
R - Repudiation
I - Information Disclosure
D - Denial of Service
E - Elevation of Privilege
Cyber Kill Chain is a high-level framework
It is one of the most commonly used frameworks for modeling threats
MITRE Corporation developed a framework of…
Adversarial Tactics, Techniques & Common Knowledge, called ATT&CK, as a comprehensive collection of tactics and techniques used by threat actors
- 14 tactics, each containing a number of techniques -> sub-techniques
Why bother with threat modeling?
Threat modeling allows us to simplify some of the activities of our adversaries so we can drill into the parts that really matter to us as defenders.
3 basic security questions:
- Why might someone want to target our organization (Motive)
- How could they go about accomplishing their objectives (Means)
- When and where would they attack us (Opportunity)
Defence in Depth
- The coordinated use of multiple security controls in a layered approach.
- Multilayered defence systems
Zero Trust
- The Zero Trust model is one in which every entity is considered hostile until proven otherwise.
- Built inside out.
- This is not 100% practical, as it may impact productivity.
Trust But Verify
Basically means that, even when an entity and its behaviours are trusted, we should double-check both.
Shared Responsibility
Refers to a situation in which a service provider is responsible for certain security controls, while the customer is responsible for others.
Separation of Duties
SoD, in which important functions are divided among multiple individuals to ensure that no one person has the ability to intentionally or accidentally cause serious losses to the organization.
Least Privilege
- Least privilege states that people are granted exactly the access and authority that they require to do their jobs, and nothing more.
- The need-to-know principle is similar to the least privilege principle.
Authorization Creep
As employees work at an organization over time and move from one department to another, they often are assigned more and more access rights and permissions.
Keep it Simple
The more complex a system is, the more difficult it is to understand and protect it. Simplicity is the key.
Secure Defaults
- Means that every system starts off in a state where security trumps user friendliness and functionality.
- The goal of secure defaults is to start everything in a place of extreme security and then intentionally loosen things until users can get their jobs done, but no further.
Fail Securely
In the event of an error, information systems ought to be designed to behave in a predictable and noncompromising manner.
Privacy by design
- The best way to ensure privacy of user data is to incorporate data protection as an integral part of the design of an information system, not as an afterthought or later-stage feature
- 7 foundational principles
Security Model
A security model is a more formal way to capture security principles. Where a principle is a rule of thumb that can be adapted to different situations, the security models we describe here are very specific and verifiable.
Bell-LaPadula Model, developed in the 1970s
- Enforces the confidentiality aspects of access control.
- Prevents secret information from being accessed in an unauthorized manner.
- First mathematical model of a multilevel security policy, used to define the concept of secure modes of access and outline rules of access.
- A system that employs this model is called a multilevel security system.
3 main rules are used and enforced in the Bell-LaPadula model:
- Simple security rule: A subject at a given security level cannot read data that resides at a higher security level.
- *-property (star property) rule: A subject at a given security level cannot write information to a lower security level.
- Strong star property rule: A subject who has read and write capabilities can only perform both of those functions at the same security level. Nothing higher, nothing lower.
Biba Model
- The Biba model is a security model that addresses the integrity of data within a system. It is not concerned with security levels and confidentiality.
3 Main rules of Biba Model
- *-integrity axiom: A subject cannot write data to an object at a higher integrity level.
- Simple Integrity Axiom: A subject cannot read data from a lower integrity level
- Invocation property: A subject cannot request service (invoke) at a higher integrity
Examples of information flow models
- Bell-LaPadula
- Biba
Clark-Wilson Model
(Integrity of Information)
Uses the following 5 elements
- Users: Active agents
- Transformation procedures (TPs): Programmed abstract operations, such as read, write, and modify
- Constrained data items (CDIs): Can be manipulated only by TPs
- Unconstrained data items (UDIs): Can be manipulated by users via primitive read and write operations
- Integrity verification procedures (IVPs): Check the consistency of CDIs with external reality
Clark-Wilson Model
Focuses on well-formed transactions and SoD. Why it is called the ‘access triple’:
- One subset of highly protected constrained data items
- One subset of unconstrained data items that does not require a high level of protection
- Users cannot modify critical data
Noninterference Model
- Multilevel security properties can be expressed in many ways, one being noninterference.
- Actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level.
- Concerned not with the flow of data but rather with what a subject knows about the state of the system.
Covert Channels
A covert channel is a way for an entity to receive information in an unauthorized manner.
Covert Channels are of 2 Types
- Storage: processes are able to communicate through some type of storage space on the system
- Timing: one process relays information to another by modulating its use of system resources.
Brewer and Nash Model (aka Chinese Wall Model)
Main goal: Protect from conflicts of interest and dynamically changing access controls
States that:
- A subject can write to an object if, and only if, the subject cannot read another object that is in a different dataset.
Graham-Denning Model
Addresses some of these issues and defines a set of basic rights in terms of commands that a specific subject can execute on an object
Graham-Denning Model
8 Primitive Protection Rights
- How to securely create an object
- How to securely create a subject
- How to securely delete an object
- How to securely delete a subject
- How to securely provide the read access right
- How to securely provide the grant access right
- How to securely provide the delete access right
- How to securely provide the transfer access right
Harrison-Russo-Ullman Model
Deals with access rights of subjects and the integrity of those rights.
Trusted Platform Module (TPM)
- Is a hardware component installed on the motherboard of modern computers that is dedicated to carrying out security functions involving the storage of cryptographic keys and digital certificates, symmetric and asymmetric encryption, and hashing.
- TPM was devised by the Trusted Computing Group (TCG)
Use cases of Trusted Platform Module (TPM)
- Encrypting the content of the hard drive
- Sealing a system’s state to a particular hardware and software configuration. The generated hash value is stored in its memory. A sealed system will be activated only after the TPM verifies the integrity of the system’s configuration by comparing it with the original “sealing” value.
Trusted Platform Module (TPM) internal memory is divided into 2 different segments:
- Persistent (static) memory
1. Endorsement Key (EK): A public/private key pair that is installed in the TPM at the time of manufacture and cannot be modified.
2. Storage Root Key (SRK): The master wrapping key used to secure the keys stored in the TPM
- Versatile (dynamic) memory
1. Platform Configuration Registers (PCRs): Used to store cryptographic hashes of data used for the TPM’s sealing functionality
2. Attestation Identity Keys (AIKs): Used for the attestation of the TPM chip itself to service providers
3. Storage keys: Used to encrypt the storage media of the computer system
Hardware Security Module (HSM)
(The U.S. Federal Information Processing Standard (FIPS) 140-2 is the widely recognized standard for evaluating the security of an HSM)
An HSM is a removable expansion card or external device that can generate, store, and manage cryptographic keys.
Self-Encrypting Drive (SED)
- Full-disk encryption (FDE) refers to approaches used to encrypt the entirety of data at rest on a disk drive
- SED is a hardware-based approach to FDE in which a cryptographic module is integrated with the storage media into one package
Why do we need bus encryption?
(While the self-encrypting drive protects the data as it rests on the drive, it decrypts the data prior to transferring it to memory for use.) 3 possible attacks:
- On the external bus connecting the drive to the motherboard
- In memory
- On the bus between the motherboard and the CPU
Bus Encryption means:
(Used in ATM machines)
Data and instructions are encrypted prior to being put on the internal bus, which means they are also encrypted everywhere else except when data is being processed.
- This requires a cryptoprocessor.
3 ways to Secure Processing:
- Create a specifically protected part of the computer in which only trusted applications can run with little or no interaction with each other or those outside the trusted environment
- Build extensions into the processors that enable them to create miniature protected environments for each application
- Write applications that temporarily lock the processor and/or other resources to ensure nobody interferes with them until they’re done with a specific task
Trusted Execution Environment (TEE)
(In Apple products, these are Secure Enclaves)
Is a software environment in which special applications and resources have undergone rigorous checks to ensure they are trustworthy and remain protected
- A TEE coexists with untrusted rich execution environments (REEs) on the same platform
Processor Security Extensions
Are instructions that provide these security features in the CPU and can be used to support a TEE.
Atomic Execution
- Atomic execution is an approach to controlling the manner in which certain sections of a program run so that they cannot be interrupted between the start and end of a section
- Atomic execution protects against a class of attacks called time-of-check to time-of-use (TOC/TOU).