Security Models Flashcards
Notes at the start of lecture
- We now have some conceptual terminology at our disposal with which to think about security.
- But there are clearly a lot of moving parts.
- Different aspects interact
- For example, you want very strong authentication before you allow an agent to perform certain risky or expensive operations.
- We need a model to structure the issues
What is a security model?
Meaning: A precise statement of the rules that the system should implement and the properties it should maintain.
Note: Flow of information between agents and assets.
Note: Outline possible threats – or at least those that it considers.
Note: Information access rules
Note: (Possibly) data structures, cryptographic protocols, network protocols.
Summary: Models are typically about what is allowed, but sometimes also go into how these rules should be implemented.
Notes on Security Model?
Why is a security model needed?
- Security is a whole-system issue
- Affects and is affected by everything and everyone in an organisation.
- Therefore everyone needs awareness
- The risks and threats
- The acceptable and unacceptable behaviours – policies
- The warning signs – monitoring
What are the consequences of cyber attacks?
Technical:
- Being locked-out of systems
- Damage, time taken to re-build and check integrity (Ensure there are no surprises left, like new back-doors)
Social:
- Reputational damage amongst users.
Legal:
- Fines for loss of data, loss of service
- A duty to demonstrate “due care” has been taken (One way to do this is to follow a standard approach or a recognised “best practice”).
Example of a security model?
The University
Risk and Threats?
- We hold a lot of personal data
- Severe penalties if we don’t take appropriate care
Acceptable and unacceptable behaviours?
- Use your own credentials, don’t share them
- Carry a phone/dongle for two-factor authentication
- Don’t browse dodgy sites on work machines
Warning Signs?
- Weird or repeated mails from unexpected sources (or, worse, from just slightly wrong addresses)
Notes on Security
Usually try to expose users to as little new technology as possible
- Mostly in the back-end, i.e., virus checking email
Be very careful with the front-end
- Two-factor authentication requires a change of behaviour and some extra technology (app, dongle, …)
Anything that makes access more complicated will be unpopular
- and thus will be circumvented where possible.
Name all parts of the high-level model
Security Model
Security Policies : The rules and practices needed to implement the model.
Reference Model : The components of the system and how the policies apply to them.
Security Kernel : The low-level systems activities that enable actions on the assets.
Hardware
Notes on Security Models
Are the policies implementable?
Does the model identify all the threats?
Can we actually list all the system components? Are people allowed to introduce new ones?
How do rules and policies map to files and permissions?
Does the operating system provide the services needed?
Key Note : Focusing on different aspects (Information access: Who can see (and do) what?, and Policy: What happens when?)
Name examples of Security Models
Military classifications / Model
Access control lists
Role-based access control
NIST’s five functions
Describes the features of a Military Model?
- Individuals and assets have a sensitivity level
- Can read anything at or below your sensitivity level, and nothing higher
- May write at your own level or higher
Problems
1. Treats security as intrinsic to particular information, not to the uses to which it may be being put
2. Some people may need access to some parts but not others (which might force you to fragment documents)
3. A fixed number of levels? (Not Dynamic)
Solutions:
1. Compartments attempt to address some of these issues
2. Sub-divisions of a clearance level - May also cross levels in some models, May even specify the locations where documents can be read and legitimately reside – SCIFs.
Describe the features of an Access control List (ACLs)
Meaning: a list of permissions that determines who can access a system resource and what operations they can perform.
- To each asset, associate a list of users and their permissions
- Assume that anyone not listed has some “default” rights (which might be none), All interactions with the asset consult the ACL.
Problems:
1. Relies on identity, and therefore on authentication
2. Looks at assets independently
3. What is in the permission set?
- Are all the permissions orthogonal (Independent)? – what’s the difference between “write” and “append”?
- Can the permissions change over time?
4. How do we represent an ACL?
5. Do all interactions go through the ACL?
Describe the features of a Role-Based Access Control (RBAC)?
Meaning: Limits access to systems, data and applications based on a user’s role.
- Permissions are associated with roles, not with users
- A user “adopts” a role, and then (assuming it’s allowed) acquires permissions
Problems:
1. Similar to ACLs, and thus inherent s the same issues.
2. What happens if a role is revoked from someone?
Describe the features of NIST’s (five functions)
Five functions:
Identify: (People, assets, policies)
Protect: (Select the appropriate socio-technical approaches)
Detect: Determine when an attack has occurred
Respond: Do what’s necessary to maintain integrity and service
Recover: Recover from any damage, update policies for next time.
Problems:
1. Focuses on the process rather than the mechanism
2. Lots of mechanisms could be used in each of the functions
3. Emphasise the operational side
Notes on Threat Models
What do we regard as in - and - out - of scope?
What are the consequences of these decisions?
Notes: Some things simply have to be out of scope
* Identify the threats (Assets, value that can be obtained from them)
* How can these threats be realised?
- Attack vectors
- Exploits and vulnerabilities
* How can the attacks be thwarted?
- Finding the attack vectors and vulnerabilities, on an ongoing basis
For each in-scope threat, what are the attacks?
What specific policies and/or technologies reduce or close-off each attack?
* Be clear how we’re going to identify new threats and attacks going forward
Key Note: The answer to the question “are we secure?” is always “no”, no matter how much we spend.
Summary on Security Models
A security model is a way to think through how you want to implement the security you need
- At the policy level
- At the policy level
Need to reconcile all elements
- Are they all implementable?
- What are the tool and mechanism supports?
