CISSP Preparation Training

1
CISSP Preparation Training

• Domain Six
• Security Architecture and Design
• July 18, 2007

Lora Woodworth, CISSP Northrop Grumman (719)
622-5655 lora.woodworth_at_ngc.com
2
Why do we study this section?

• Utilize what is already built in.
• Know where defense in depth is useful.
• Understand how and why vulnerabilities work.
• Protect information flow in a useful way.
• Evaluate what is there in a repeatable process.

3
Domain Objective

• The objective of this domain is to focus on what
  has and hasnt been done to secure the computing
  environment so that various levels of
  availability, integrity and confidentiality may
  be determined and enforced based upon the data
  present on the system, the security goals of the
  organization, and the needs of the users.

4
Agenda

• Security Architectures
• Security Models
• Protection Mechanisms
• Evaluation Standards and Methods

5
Key elements for the exam

• Know how the different pieces of a computer
  system work together and process data
• Understand how different vulnerabilities occur in
  a computer system
• Know how different counter measures work to
  prevent, impede and hinder vulnerabilities
• Know the major concepts associated with the
  different Security Models
• Understand the common Evaluation methods and
  criteria

6
Security Architecture

• Describes at an abstract level the relationships
  between key elements to protect the
  organizations interests
• Official (ISC)2(R) Guide to the CISSP Exam page
  80

7
Computer Structure
User Call Interface
End User Applications
Library Call Interface
Standard utility programs (shell, editors,
compilers, etc)
System Call Interface
Standard Library (open, close, read, write, fork,
etc)
Operating system (process management, memory
management, file system, I/O, etc)
Kernel mode
Hardware (CPU, memory, disks, terminals, etc)
8
Objects and subjects

• Object - a passive entity that contains or
  receives information
• can be records, files, directories, processors,
  printers, etc., as well as system processes
• Subject - is an active entity that causes
  information to flow among objects or changes the
  system state
• can be a person, process, or device

9
Machine Types

• Real (What you get is what you see) Physical
  computer in a virtual machine environment.
• Virtual self contained operating system that
  behaves as if it were a separate computer
  functional simulation of a computer.
• Multi-state operates in multiple states at the
  same time.
• Multi-user - supports two or more simultaneous
  users, privileged and unprivileged.

10
CPU

• A Central Processing Unit (CPU) contains a
  control unit, which controls the timing of the
  execution of application instructions, an
  Arithmetic logic unit (ALU) which performs
  mathematical functions and logical operations,
  and primary storage, which is where data is
  temporarily held before being processed.

11
CPU Modes

• user (unprivileged) Processes that execute with
  limited privileges, access to the most critical
  resources are controlled through the Privileged
  processes and the user processes must operate
  through them.
• superuser or privileged Processes that have the
  most direct or trusted access to the CPU.

12
Operating States

• Operating States single-state, multi-state
• ready state - ready to resume processing
• problem state - executing an application
• supervisory state - executing privileged
  instructions
• wait state - waiting for completion of an event

13
Addressing
How do you distinguish between physical and
symbolic addresses?
Physical addresses are identified by a number,
e.g. memory address 0x47F0 or the 571st record on
a disk. Symbolic addresses are identified by a
name that may be more meaningful to the user. (A
file name, variable name in a program, or a
parameter.
14
Address Space Terms

• Absolute actual physical address
• Direct single address of an object
• Indexed address of an object, modified by a
  displacement, typically the displacement is in a
  register, and specified an offset within a larger
  object, such as the subscripted address of a
  single array element
• Indirect address of a pointer to an object
  accessing the object requires fetching the
  pointer, interpreting its value, and using that
  value as the objects address.
• Indirection and indexing can be combined and
  repeated, so that an indirect object can be
  indexed, or an object can be accessed via an
  indirect indirect indirect object (i.e., pointer
  to a pointer to a pointer to the object

15
Address Space vs Memory Space

• An address space is a set of addresses, and
  consequently a means of specifying a set of
  locations
• Memory space or memory address space is the
  actual location of the data in memory
• Memory management describes the various
  techniques an Operating system translates the
  address generated by a CPU into the actual
  address of the data in memory

16
Memory Types

• Random Access Memory (RAM) a type of temporary
  or volatile storage facility where data can be
  held and altered.
• Cache part of RAM that is used for high-speed
  writing and reading activities.
• CPU receives instructions that are stored in
  RAM
• Read-Only memory (ROM) a nonvolatile storage
  facility. For the most part, when data is
  inserted into ROM memory chips it cannot be
  altered.
• Nonvolatile Silicon memory holds data that can
  be electrically erased or written to.
• Erasable and programmable read-only memory
  (EPROM) can be modified, deleted, or upgraded.
  Not used much anymore.
• Flash same idea different technology that makes
  it more stable and faster. (Digital Camera
  memory sticks)

17
Real versus Virtual Memory

• Real storage is memory allocation for programs.
• Virtual memory is fictitious in that a small
  amount of primary storage plus a larger amount of
  secondary storage is used to give the effect of a
  large amount of primary storage. Data items are
  shuffled between primary and secondary storage as
  they are used.

18
Paging versus Segmentation

• Paging the virtual program is divided into
  fixed-sized blocks, each of which is called a
  page.
• Segmentation the virtual program is divided
  into varying-sized blocks, called, segments
  typically a segment will correspond to a logical
  unit within a program, such as a procedure or sub
  procedure, or an array.

19
Memory Mapping

• Different types of memory holding different types
  of data means a computer needs something to
  control access to ensure that data does not get
  corrupted.
• This control takes place through memory mapping
  and addressing.

20
Computer Firmware

• Software permanently stored in a hardware device
• Installed in programmable read-only memory (PROM)
  via a special interface
• Printers, modems, bus interface units, adapter
  modules, etc. will generally contain firmware

21
Process versus Thread

• A process is a program in execution that works in
  its own address space and can only communicate
  with other processes in a controlled manner
  handled by the operating system.
• A thread represents a piece of code that is
  executed within a process

22
Primary versus Secondary storage

• Primary internal, directly accessible (e.g.
  memory)
• Secondary external, not necessarily directly
  accessible (e.g., disk, tape, cd) Secondary
  storage may be (but is not required to be)
  removable, meaning that the storage medium can be
  removed from the device and stored elsewhere.

23
Other Storage Terms

• Random is accessible in any order also known a
  direct or direct access.
• Sequential can be accessed only in sequence to
  access item 571, it is necessary to count through
  all preceding 570 memory items. Sequential
  memory is therefore less readily available.
  (Tape)
• Volatile retains its data value only while power
  is supplied (most internal memory is volatile),
  in contrast to permanent or long-term storage,
  which retains its value even without power.
  Obviously a power loss can affect availability of
  data stored in volatile memory.

24
Operating System

• Operating Systems have four components
• process management - controls program execution
  to make sure that programs share resources
• I/O device management - issues commands to
  devices that read and write to the system
• memory management - keeps track of which parts of
  memory are in use or not in use
• system file management - read, write, erase
  functions that the operating system uses to
  manage files

25
Multithreading, Multitasking, Multiprocessing

• Multithreading an application that can make
  several calls to the system at one time or a
  system that can process more than one request at
  a time.
• Multitasking a system capable of running 2 or
  more tasks in a concurrent performance or
  interleaved execution.
• Multiprocessing- a simultaneous execution of 2
  programs by a processor. This can alternatively
  be done through parallel processing of a single
  program, or by two or more processors in a multi
  processor system.
• Multiprocessor A computer that has two or more
  processors that all have common access to the
  main storage.

26
Network Protocol Stack Functions

• OSI 7 layer Model
• (1) Physical layer (raw bits over
  communications channel)
• (2) Data link layer (data frames)
• (3) Network layer (communication subnet layer -
  packets) (IP)
• (4) Transport layer (host-host layer divides
  data into smaller units ensures all data
  arrives end-to-end layer) (TCP)
• (5) Session layer (users interface into the
  network session established, management)
• (6) Presentation layer (common user functions
  via library routines data compression/transformat
  ion/encryption)
• (7) Application layer (determined by each
  user/program)
• Covered better in Domain 2

27
Operating System Design

• Open based upon accepted standards and employs
  standard interfaces to allow connections between
  different systems.
• Closed Proprietary use of specific operating
  system and hardware to perform and generally lack
  standard interfaces to allow connection to other
  systems.

28
Security Policy

• A set of rules, practices, and procedures
  dictating how sensitive information is managed,
  protected, and distributed.
• Sets the goals of what the security mechanisms
  are to accomplish.
• Must indicate
• What subjects can access which objects
• What actions are acceptable
• What level of trust is required

29
Enterprise Architecture

• IETF Security Architecture for IP (IPsec)
• Zachman Framework
• 6 perspectives with 6 abstractions
• Other Frameworks
• see description of Frameworks at
  http//www.software.org/pub/architecture/fwhome.as
  p

30
IETF Security Architecture for IP

• The goal of this architecture is to provide
  various security services for traffic at the IP
  layer, in both the IPv4 and IPv6 environments.
• IPsec
• The set of security services offered includes
  access control, connectionless integrity, data
  origin authentication, protection against replays
  (a form of partial sequence integrity),
  confidentiality (encryption), and limited traffic
  flow confidentiality.
• These services are provided at the IP layer,
  offering protection for IP and/or upper layer
  protocols.
• Utilizes two traffic security protocols,
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Security Associations (SA)
• a simplex "connection" that affords security
  services to the traffic carried by it.
• IETF security working group http//sec.ietf.org/

31
Zachman Framework

• More info http//www.zifa.org, with an overview
  at http//www.software.org/pub/architecture/zachm
  an.asp

32
Security Models

• A security policy provides abstract goals and the
  security model provides the dos and donts
  necessary to fulfill these goals

33
Security Models

• Consistent and understandable
• Represents the security policy and no more
• Facilitates mapping the security policy to
  implementation (Formal or Informal)
• Generic vs. system specific (depends on security
  policy)

34
State Machine Model

• All current permissions and all current instances
  of subjects accessing objects must be captured.
• A state of a system is a snapshot of a system in
  one moment of time
• State transitions activities that alter the
  state of a system.

35
Bell-LaPadula

• Formal-state transition model that describes a
  formal set of access controls based on
  information sensitivity and subject
  authorizations
• Developed for the U.S. military in the 1970s
• Main goal is to prevent secret information from
  being accessed in an unauthorized manner.
• Lattice based access control has an upper and a
  lower bound of authorized access.
• Also an information flow security model
• Developed to make sure secrets stay secret does
  not address integrity.

36
Bell-LaPadula

• Two major rules used and enforced
• Simple security rule a subject at a given
  security level cannot read data that resides at a
  higher security level. (no read up)
• Property (Confinement Property) a subject at
  a given security level cannot write information
  to a lower security level. (no write down)
• These rules indicate what states the system can
  go into.

37
Basic Security Theorem

• If a system initializes in a secure state and all
  state transitions are secure, then every
  subsequent state will be secure no matter what
  inputs occur.

38
Bell-LaPadula

• Criticism towards the Bell-LaPadula model
• It deals only with confidentiality and does not
  address integrity.
• It does not address management of access control
  no mechanism to modify access rights
• Does not prevent or address covert channels
• Does not address file sharing used in modern
  systems.

39
Covert Channels

• Covert channel unintended and/or unauthorized
  communications path that can be used to transfer
  information in a manner that violates IS security
  policy
• Storage - direct or indirect writing to storage
  location by one process direct or indirect
  reading by another process
• Timing - one process signals information to
  another process by modulating its own use of
  system resources in such a way that this
  manipulation affects the real response time
  observed by the second process
• Memory
• Communications

40
Biba

• Developed after Bell-LaPadula
• Also a state machine model
• First to address integrity in computers
• Addresses the integrity of data being threatened
  when subjects at lower security levels are able
  to write to objects at higher security levels and
  when subjects can read data at lower levels.
• Newspaper example.

41
Biba

• Protects the integrity of the information within
  a system.
• Simple integrity axiom A subject cannot read
  data at a lower integrity level (no read down)
• integrity axiom A subject cannot modify an
  object in a higher integrity level. (no write
  up)

42
Bell-LaPadula versus Biba

• Bell-LaPadula provides confidentiality and
  written for the government
• Biba provides integrity and written for
  commercial industry
• Both state and informational flow models.
• Mainly concerned with data flowing from one
  security level to another.

43
Clark-Wilson

• Developed after Biba
• Focused on preventing authorized users from
  making unauthorized modification of data, fraud,
  and errors within mainly commercial applications.
• Uses separation of duties divides an operation
  into different parts and requires different users
  to perform each part.
• Protects integrity

44
Clark-Wilson

• Prevents authorized users from making
  unauthorized modification to data
• Subjects can only access objects through
  authorized programs
• Separation of duties is enforced
• Auditing is required

45
Information Flow

• Information is restricted in its flow to only go
  to and from approved security levels.
• Not a state model
• Helps in Covert Channel Identification.
• Used in research only

46
Chinese Wall model

• Proposed by Brewer and Nash in 1989
• Avoids conflicts of interest
• Prevents information flow across projects
• Access control rules restrict access to only
  authorized individuals

47
Non-interference

• Commands and activities performed at one security
  level should not be seen or affect subjects or
  objects at a different security level.

48
System Architecture Protections
Protection can control the operations between the
user and the data
Protection can happen at the datas end
Protection can happen at the users end
Taken from CISSP All-in-One certification exam
guide Shon Harris 2002
49
Security controls

• Preventative controls
• design to policy, appropriate protection meeting
  degree of risk
• strong authentication/access controls, isolation,
  firewalls, encryption
• configured properly and verified
• virus protection system backup/recovery
• Detective controls
• audits and logs audit reduction tools
• operations monitoring
• Corrective controls
• clean (remove) and restore
• block unauthorized access, messages, etc.

50
Trusted Computing Base (TCB)

• Trusted Computing Base (TCB) Criteria Areas
• Enforces explicit Security Policy
• Marking Access control labels for Objects
• Identification of Subjects
• Accountability Subject actions can be traced
• Assurance Confidence that policy is enforced
• Continuous Protection Enforcement mechanisms
  are always operating

51
Trusted Computing Base (TCB)

• The TCB is the total combination of protection
  mechanisms within a computer system.
• This includes Hardware, Software, and Firmware.
• The system is sure that these components will
  enforce the security policy not violate it.
• Trust level rating is dependent on the size of
  the subset of subjects and objects within the TCB
  and how stringent the rules are being enforced
• Does not address the level of security but the
  level of trust. not every part of a system
  needs to be in the TCB.

52
Reference Monitor

• An abstract access control device that mediates
  all accesses to objects by subjects to ensure
  that the subjects have the necessary access
  rights and to protect the objects from
  unauthorized access and destructive modification.
• Not an actual physical component.

53
Security Kernel

• The hardware, firmware, and software elements of
  a trusted computing base that implement the
  reference monitor concept.
• Three main requirements
• isolation kernel itself protected from any form
  of unauthorized access, tampering, changes.
• foolproof The reference monitor must be invoked
  for every access attempt and must be impossible
  to circumvent.
• verifiability The kernel must be small, simple
  enough that it can be proven to meet design
  specifications

54
Security Perimeter and DMZ

• Security perimeter the boundary where security
  controls are in effect to protect assets
• the security kernel as well as other security
  related system functions, are within the
  (imaginary) boundary of the TCB
• system elements outside the security perimeter
  need not be trusted
• DMZ - area within the systems security perimeter
  but outside the inner protection ring to restrict
  routine access to the systems primary resources

55
Layering

• Each layer deals with a specific activity where
  the lower (outer) layers perform basic tasks,
  while the higher (inner) layers perform more
  complex or protected tasks.
• During Testing, it should be verified that the
  security mechanisms in any layer can not be
  bypassed.

56
The TCB and The Security Kernel

• The TCB is the totality of protection mechanisms
  within a computer system that work together to
  enforce a security policy. The TCB contains the
  security kernel and all other security protection
  mechanisms.

57
Protection mechanisms

• Layering the process operation is divided into
  layers by function.
• Abstraction Involves the definition for a
  specific set of permissible values for an object,
  and the operations that are permissible on that
  object. This involves ignoring or separating the
  details in order to concentrate on what is
  important.
• Data hiding (information hiding) Information
  that is available at one processing level is not
  available in another regardless if it is higher
  or lower.
• Process isolation separate processes so that
  none is affected by any others
• Also covered in domain 4

58
Timing

• Asynchronous attacks - an attack that exploits
  the interval between a defensive act and a normal
  operation in order to gain operational control
• TOC/TOU - Time of check vs. time of use Prevent
  by applying task sequencing rules and by
  encryption
• State changes
• Communication disconnects
• Also covered in Domain 4

59
Process Isolation

• Each process has its own distinct address space
  for its application code and data.
• Prevents each process from accessing another
  process data
• Prevents data leakage
• Prevents modification to the data while it is in
  memory.
• Allows the system to keep track of the relevant
  information when it switches from one process to
  another

60
Least Privilege

• A resource, or process, has no more privileges
  than is necessary to be able to fulfill its
  functions.
• Protects against poorly written or misbehaving
  code

61
Tokens, capabilities and labels

• Token - a specific privilege or capability
  conferred based on authentication from an
  electronically coded device
• Capability - protected identifier that both
  identifies the object and specifies the access
  rights to be allowed to the subject who possesses
  the capability
• Labels - information that represents the security
  level of an object and that describes the
  sensitivity of the information in the object

62
Virtual Memory Protection

• Virtual memory provides strong access control
• Only those pages or memory locations
  corresponding to segments in the accessible
  program can be reached.
• Use of translation or paging table (Memory
  Mapping)
• Impossible for a program to access memory out of
  its allowable region

63
Confinement

• Provide security protection to prevent breaches
  using
• Confinement - restrict access to prevent leaking
  of sensitive data from a program
• Bounds - edge of protected area need to prevent
  access to storage outside authorized limits
• Isolation - contain subjects and objects in a
  system in such as way that they are separated
  from one another, as well as from the protection
  controls of the operating system

64
Virtual Machine

• A virtual machine operating system is a
  collection of real or simulated hardware
  facilities
• Central Processing Unit (CPU)
• Directly addressable storage
• I/O devices
• The operating system provides the virtual
  resources to the user, and hence the operating
  system can control user accesses precisely to
  these virtual resources.

65
Protection Rings
Process in inner rings can directly access
processes in outer modes but not vice versa
66
Domains

• A set of objects that a subject is able to
  access.
• A privileged mode will have a much larger domain
  than a unprivileged user.
• A security domain has a direct correlation to the
  protection ring that a subject or object is
  assigned to.

67
Initialization and failure states

• Initialization Process of clearing computer
  storage areas, addresses, or memory in the
  beginning of a program routine or job start up.
• Failure System should provide automatic
  termination and protection of programs or other
  processing operations when a hardware or software
  failure is detected in a computer system. The
  goal is to avoid compromise in the event of a
  failure.
• Also covered in domain 4

68
Programming

• Techniques - KISS, document thoroughly
• Compilers - remove from operational systems, or
  you wont have a chance at proper configuration
  management
• APIs - documented interfaces so that higher level
  programs can safely/securely use lower level
  services (i.e., write a file in proprietary
  format SQL database access)
• Libraries - verify library functions and protect
  from unauthorized modification remove any debug
  test code on ops systems

69
Input and parameter checking

• Many security problems can be avoided by doing
  thorough input and parameter checks prior to
  execution. Results of improper or non-existent
  checking are buffer overflows and stack errors.
• Also covered in domain 4

70
Maintenance hooks and privileged programs

• Maintenance Hooks
• Special Instructions to allow easy maintenance
  and additional feature development
• Frequently allow entry into the code at unusual
  points or without usual checks
• Special type of trap door should be removed
  before operational implementation
• Privileged Programs (superzap/su)
• Provide capabilities to manipulate the system
  without performing any security checks JUST DO
  IT!
• Extremely powerful and dangerous in the wrong
  hands

71
Data Transmission Controls

• Hash totals
• Transmission logging
• Error corrections
• Retransmission Control
• Other Controls

72
Security Evaluations

• Evaluation examines the security-relevant parts
  of a system.
• Certification The technical evaluation of the
  security components and their compliance for the
  purpose of accreditation.
• Accreditation is the formal acceptance of the
  adequacy of a systems overall security by the
  management.

73
Certification and Accreditation Processes

• Commercial
• ISO 17799/BS 7799/ISO 27000/ISO 27001
• Federal
• NIACAP
• NIST SP 800-37
• NSA IAM/IEM

• DoD
• DITSCAP
• CND
• DIACAP
• DODIIS
• NISPOM
• Intelligence Community
• DCID 6/3 JDCSISSS
• NISCAP

74
TCSEC (Orange Book)

• Trusted Computer System Evaluation Criteria
  (TCSEC) - US DoD standard for security criteria
  (Orange Book)
• Scope - six fundamental security requirements and
  four evaluation criteria divisions
• standard has been superseded But, still the
  common reference point and still has some uses
• Classes
• D - minimal protection, has only one class
• C - discretionary protection, has two classes
• B - mandatory protection, has three classes
• A - verified protection, has only one class

75
ITSEC

• Information Technology Security Evaluation
  Criteria (ITSEC) - European standard for IT
  security criteria
• Scope - addresses three basic threats, has three
  functional levels, eight basic security
  functions, ten functionality classes, eight
  hierarchical assurance levels, and seven levels
  of correctness of security mechanisms
• IT product - off-the-shelf hardware or software
  package
• IT system - designed and built product for
  specific needs
• Target of Evaluation (TOE) - refers to product or
  system to be evaluated
• criteria is not a design guide for secure
  products or systems
• closely maps to Orange Book criteria

76
Common Criteria

• NIST and NSA established program to evaluate IT
  product conformance using international standards
  -
• to help consumers select commercial off the shelf
  (COTS) products that meet their security
  requirements, and
• to help manufacturers of products gain acceptance
  in market place.
• National Information Assurance Partnership (NIAP)
  Common Criteria Evaluation and Validation Scheme
  (CCEVS), or Common Criteria Scheme
• Sponsors of IT Security Evaluations
• NIAP Validation Body (NIST/NSA)
• Common Criteria Testing Labs (CCTLs)
• Evaluation Assurance Levels (EALs)
• seven levels EAL1-EAL7

77
References

• Harris, Shon, All-In-One CISSP Certification Exam
  Guide, McGraw Hill 1st and 2nd edition
• ISC2 CBK
• ISC2 Official Guide to the CISSP Exam
• www.cccure.org

78
Questions