CISSP Preparation Training - PowerPoint PPT Presentation

1 / 78
About This Presentation
Title:

CISSP Preparation Training

Description:

... security services for traffic at the IP layer, in both the IPv4 and IPv6 ... These services are provided at the IP layer, offering protection for IP and/or ... – PowerPoint PPT presentation

Number of Views:203
Avg rating:3.0/5.0
Slides: 79
Provided by: lorawoo
Category:

less

Transcript and Presenter's Notes

Title: CISSP Preparation Training


1
CISSP Preparation Training
  • Domain Six
  • Security Architecture and Design
  • July 18, 2007

Lora Woodworth, CISSP Northrop Grumman (719)
622-5655 lora.woodworth_at_ngc.com
2
Why do we study this section?
  • Utilize what is already built in.
  • Know where defense in depth is useful.
  • Understand how and why vulnerabilities work.
  • Protect information flow in a useful way.
  • Evaluate what is there in a repeatable process.

3
Domain Objective
  • The objective of this domain is to focus on what
    has and hasnt been done to secure the computing
    environment so that various levels of
    availability, integrity and confidentiality may
    be determined and enforced based upon the data
    present on the system, the security goals of the
    organization, and the needs of the users.

4
Agenda
  • Security Architectures
  • Security Models
  • Protection Mechanisms
  • Evaluation Standards and Methods

5
Key elements for the exam
  • Know how the different pieces of a computer
    system work together and process data
  • Understand how different vulnerabilities occur in
    a computer system
  • Know how different counter measures work to
    prevent, impede and hinder vulnerabilities
  • Know the major concepts associated with the
    different Security Models
  • Understand the common Evaluation methods and
    criteria

6
Security Architecture
  • Describes at an abstract level the relationships
    between key elements to protect the
    organizations interests
  • Official (ISC)2(R) Guide to the CISSP Exam page
    80

7
Computer Structure
User Call Interface
End User Applications
Library Call Interface
Standard utility programs (shell, editors,
compilers, etc)
System Call Interface
Standard Library (open, close, read, write, fork,
etc)
Operating system (process management, memory
management, file system, I/O, etc)
Kernel mode
Hardware (CPU, memory, disks, terminals, etc)
8
Objects and subjects
  • Object - a passive entity that contains or
    receives information
  • can be records, files, directories, processors,
    printers, etc., as well as system processes
  • Subject - is an active entity that causes
    information to flow among objects or changes the
    system state
  • can be a person, process, or device

9
Machine Types
  • Real (What you get is what you see) Physical
    computer in a virtual machine environment.
  • Virtual self contained operating system that
    behaves as if it were a separate computer
    functional simulation of a computer.
  • Multi-state operates in multiple states at the
    same time.
  • Multi-user - supports two or more simultaneous
    users, privileged and unprivileged.

10
CPU
  • A Central Processing Unit (CPU) contains a
    control unit, which controls the timing of the
    execution of application instructions, an
    Arithmetic logic unit (ALU) which performs
    mathematical functions and logical operations,
    and primary storage, which is where data is
    temporarily held before being processed.

11
CPU Modes
  • user (unprivileged) Processes that execute with
    limited privileges, access to the most critical
    resources are controlled through the Privileged
    processes and the user processes must operate
    through them.
  • superuser or privileged Processes that have the
    most direct or trusted access to the CPU.

12
Operating States
  • Operating States single-state, multi-state
  • ready state - ready to resume processing
  • problem state - executing an application
  • supervisory state - executing privileged
    instructions
  • wait state - waiting for completion of an event

13
Addressing
How do you distinguish between physical and
symbolic addresses?
Physical addresses are identified by a number,
e.g. memory address 0x47F0 or the 571st record on
a disk. Symbolic addresses are identified by a
name that may be more meaningful to the user. (A
file name, variable name in a program, or a
parameter.
14
Address Space Terms
  • Absolute actual physical address
  • Direct single address of an object
  • Indexed address of an object, modified by a
    displacement, typically the displacement is in a
    register, and specified an offset within a larger
    object, such as the subscripted address of a
    single array element
  • Indirect address of a pointer to an object
    accessing the object requires fetching the
    pointer, interpreting its value, and using that
    value as the objects address.
  • Indirection and indexing can be combined and
    repeated, so that an indirect object can be
    indexed, or an object can be accessed via an
    indirect indirect indirect object (i.e., pointer
    to a pointer to a pointer to the object

15
Address Space vs Memory Space
  • An address space is a set of addresses, and
    consequently a means of specifying a set of
    locations
  • Memory space or memory address space is the
    actual location of the data in memory
  • Memory management describes the various
    techniques an Operating system translates the
    address generated by a CPU into the actual
    address of the data in memory

16
Memory Types
  • Random Access Memory (RAM) a type of temporary
    or volatile storage facility where data can be
    held and altered.
  • Cache part of RAM that is used for high-speed
    writing and reading activities.
  • CPU receives instructions that are stored in
    RAM
  • Read-Only memory (ROM) a nonvolatile storage
    facility. For the most part, when data is
    inserted into ROM memory chips it cannot be
    altered.
  • Nonvolatile Silicon memory holds data that can
    be electrically erased or written to.
  • Erasable and programmable read-only memory
    (EPROM) can be modified, deleted, or upgraded.
    Not used much anymore.
  • Flash same idea different technology that makes
    it more stable and faster. (Digital Camera
    memory sticks)

17
Real versus Virtual Memory
  • Real storage is memory allocation for programs.
  • Virtual memory is fictitious in that a small
    amount of primary storage plus a larger amount of
    secondary storage is used to give the effect of a
    large amount of primary storage. Data items are
    shuffled between primary and secondary storage as
    they are used.

18
Paging versus Segmentation
  • Paging the virtual program is divided into
    fixed-sized blocks, each of which is called a
    page.
  • Segmentation the virtual program is divided
    into varying-sized blocks, called, segments
    typically a segment will correspond to a logical
    unit within a program, such as a procedure or sub
    procedure, or an array.

19
Memory Mapping
  • Different types of memory holding different types
    of data means a computer needs something to
    control access to ensure that data does not get
    corrupted.
  • This control takes place through memory mapping
    and addressing.

20
Computer Firmware
  • Software permanently stored in a hardware device
  • Installed in programmable read-only memory (PROM)
    via a special interface
  • Printers, modems, bus interface units, adapter
    modules, etc. will generally contain firmware

21
Process versus Thread
  • A process is a program in execution that works in
    its own address space and can only communicate
    with other processes in a controlled manner
    handled by the operating system.
  • A thread represents a piece of code that is
    executed within a process

22
Primary versus Secondary storage
  • Primary internal, directly accessible (e.g.
    memory)
  • Secondary external, not necessarily directly
    accessible (e.g., disk, tape, cd) Secondary
    storage may be (but is not required to be)
    removable, meaning that the storage medium can be
    removed from the device and stored elsewhere.

23
Other Storage Terms
  • Random is accessible in any order also known a
    direct or direct access.
  • Sequential can be accessed only in sequence to
    access item 571, it is necessary to count through
    all preceding 570 memory items. Sequential
    memory is therefore less readily available.
    (Tape)
  • Volatile retains its data value only while power
    is supplied (most internal memory is volatile),
    in contrast to permanent or long-term storage,
    which retains its value even without power.
    Obviously a power loss can affect availability of
    data stored in volatile memory.

24
Operating System
  • Operating Systems have four components
  • process management - controls program execution
    to make sure that programs share resources
  • I/O device management - issues commands to
    devices that read and write to the system
  • memory management - keeps track of which parts of
    memory are in use or not in use
  • system file management - read, write, erase
    functions that the operating system uses to
    manage files

25
Multithreading, Multitasking, Multiprocessing
  • Multithreading an application that can make
    several calls to the system at one time or a
    system that can process more than one request at
    a time.
  • Multitasking a system capable of running 2 or
    more tasks in a concurrent performance or
    interleaved execution.
  • Multiprocessing- a simultaneous execution of 2
    programs by a processor. This can alternatively
    be done through parallel processing of a single
    program, or by two or more processors in a multi
    processor system.
  • Multiprocessor A computer that has two or more
    processors that all have common access to the
    main storage.

26
Network Protocol Stack Functions
  • OSI 7 layer Model
  • (1) Physical layer (raw bits over
    communications channel)
  • (2) Data link layer (data frames)
  • (3) Network layer (communication subnet layer -
    packets) (IP)
  • (4) Transport layer (host-host layer divides
    data into smaller units ensures all data
    arrives end-to-end layer) (TCP)
  • (5) Session layer (users interface into the
    network session established, management)
  • (6) Presentation layer (common user functions
    via library routines data compression/transformat
    ion/encryption)
  • (7) Application layer (determined by each
    user/program)
  • Covered better in Domain 2

27
Operating System Design
  • Open based upon accepted standards and employs
    standard interfaces to allow connections between
    different systems.
  • Closed Proprietary use of specific operating
    system and hardware to perform and generally lack
    standard interfaces to allow connection to other
    systems.

28
Security Policy
  • A set of rules, practices, and procedures
    dictating how sensitive information is managed,
    protected, and distributed.
  • Sets the goals of what the security mechanisms
    are to accomplish.
  • Must indicate
  • What subjects can access which objects
  • What actions are acceptable
  • What level of trust is required

29
Enterprise Architecture
  • IETF Security Architecture for IP (IPsec)
  • Zachman Framework
  • 6 perspectives with 6 abstractions
  • Other Frameworks
  • see description of Frameworks at
    http//www.software.org/pub/architecture/fwhome.as
    p

30
IETF Security Architecture for IP
  • The goal of this architecture is to provide
    various security services for traffic at the IP
    layer, in both the IPv4 and IPv6 environments.
  • IPsec
  • The set of security services offered includes
    access control, connectionless integrity, data
    origin authentication, protection against replays
    (a form of partial sequence integrity),
    confidentiality (encryption), and limited traffic
    flow confidentiality.
  • These services are provided at the IP layer,
    offering protection for IP and/or upper layer
    protocols.
  • Utilizes two traffic security protocols,
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Security Associations (SA)
  • a simplex "connection" that affords security
    services to the traffic carried by it.
  • IETF security working group http//sec.ietf.org/

31
Zachman Framework
  • More info http//www.zifa.org, with an overview
    at http//www.software.org/pub/architecture/zachm
    an.asp

32
Security Models
  • A security policy provides abstract goals and the
    security model provides the dos and donts
    necessary to fulfill these goals

33
Security Models
  • Consistent and understandable
  • Represents the security policy and no more
  • Facilitates mapping the security policy to
    implementation (Formal or Informal)
  • Generic vs. system specific (depends on security
    policy)

34
State Machine Model
  • All current permissions and all current instances
    of subjects accessing objects must be captured.
  • A state of a system is a snapshot of a system in
    one moment of time
  • State transitions activities that alter the
    state of a system.

35
Bell-LaPadula
  • Formal-state transition model that describes a
    formal set of access controls based on
    information sensitivity and subject
    authorizations
  • Developed for the U.S. military in the 1970s
  • Main goal is to prevent secret information from
    being accessed in an unauthorized manner.
  • Lattice based access control has an upper and a
    lower bound of authorized access.
  • Also an information flow security model
  • Developed to make sure secrets stay secret does
    not address integrity.

36
Bell-LaPadula
  • Two major rules used and enforced
  • Simple security rule a subject at a given
    security level cannot read data that resides at a
    higher security level. (no read up)
  • Property (Confinement Property) a subject at
    a given security level cannot write information
    to a lower security level. (no write down)
  • These rules indicate what states the system can
    go into.

37
Basic Security Theorem
  • If a system initializes in a secure state and all
    state transitions are secure, then every
    subsequent state will be secure no matter what
    inputs occur.

38
Bell-LaPadula
  • Criticism towards the Bell-LaPadula model
  • It deals only with confidentiality and does not
    address integrity.
  • It does not address management of access control
    no mechanism to modify access rights
  • Does not prevent or address covert channels
  • Does not address file sharing used in modern
    systems.

39
Covert Channels
  • Covert channel unintended and/or unauthorized
    communications path that can be used to transfer
    information in a manner that violates IS security
    policy
  • Storage - direct or indirect writing to storage
    location by one process direct or indirect
    reading by another process
  • Timing - one process signals information to
    another process by modulating its own use of
    system resources in such a way that this
    manipulation affects the real response time
    observed by the second process
  • Memory
  • Communications

40
Biba
  • Developed after Bell-LaPadula
  • Also a state machine model
  • First to address integrity in computers
  • Addresses the integrity of data being threatened
    when subjects at lower security levels are able
    to write to objects at higher security levels and
    when subjects can read data at lower levels.
  • Newspaper example.

41
Biba
  • Protects the integrity of the information within
    a system.
  • Simple integrity axiom A subject cannot read
    data at a lower integrity level (no read down)
  • integrity axiom A subject cannot modify an
    object in a higher integrity level. (no write
    up)

42
Bell-LaPadula versus Biba
  • Bell-LaPadula provides confidentiality and
    written for the government
  • Biba provides integrity and written for
    commercial industry
  • Both state and informational flow models.
  • Mainly concerned with data flowing from one
    security level to another.

43
Clark-Wilson
  • Developed after Biba
  • Focused on preventing authorized users from
    making unauthorized modification of data, fraud,
    and errors within mainly commercial applications.
  • Uses separation of duties divides an operation
    into different parts and requires different users
    to perform each part.
  • Protects integrity

44
Clark-Wilson
  • Prevents authorized users from making
    unauthorized modification to data
  • Subjects can only access objects through
    authorized programs
  • Separation of duties is enforced
  • Auditing is required

45
Information Flow
  • Information is restricted in its flow to only go
    to and from approved security levels.
  • Not a state model
  • Helps in Covert Channel Identification.
  • Used in research only

46
Chinese Wall model
  • Proposed by Brewer and Nash in 1989
  • Avoids conflicts of interest
  • Prevents information flow across projects
  • Access control rules restrict access to only
    authorized individuals

47
Non-interference
  • Commands and activities performed at one security
    level should not be seen or affect subjects or
    objects at a different security level.

48
System Architecture Protections
Protection can control the operations between the
user and the data
Protection can happen at the datas end
Protection can happen at the users end
Taken from CISSP All-in-One certification exam
guide Shon Harris 2002
49
Security controls
  • Preventative controls
  • design to policy, appropriate protection meeting
    degree of risk
  • strong authentication/access controls, isolation,
    firewalls, encryption
  • configured properly and verified
  • virus protection system backup/recovery
  • Detective controls
  • audits and logs audit reduction tools
  • operations monitoring
  • Corrective controls
  • clean (remove) and restore
  • block unauthorized access, messages, etc.

50
Trusted Computing Base (TCB)
  • Trusted Computing Base (TCB) Criteria Areas
  • Enforces explicit Security Policy
  • Marking Access control labels for Objects
  • Identification of Subjects
  • Accountability Subject actions can be traced
  • Assurance Confidence that policy is enforced
  • Continuous Protection Enforcement mechanisms
    are always operating

51
Trusted Computing Base (TCB)
  • The TCB is the total combination of protection
    mechanisms within a computer system.
  • This includes Hardware, Software, and Firmware.
  • The system is sure that these components will
    enforce the security policy not violate it.
  • Trust level rating is dependent on the size of
    the subset of subjects and objects within the TCB
    and how stringent the rules are being enforced
  • Does not address the level of security but the
    level of trust. not every part of a system
    needs to be in the TCB.

52
Reference Monitor
  • An abstract access control device that mediates
    all accesses to objects by subjects to ensure
    that the subjects have the necessary access
    rights and to protect the objects from
    unauthorized access and destructive modification.
  • Not an actual physical component.

53
Security Kernel
  • The hardware, firmware, and software elements of
    a trusted computing base that implement the
    reference monitor concept.
  • Three main requirements
  • isolation kernel itself protected from any form
    of unauthorized access, tampering, changes.
  • foolproof The reference monitor must be invoked
    for every access attempt and must be impossible
    to circumvent.
  • verifiability The kernel must be small, simple
    enough that it can be proven to meet design
    specifications

54
Security Perimeter and DMZ
  • Security perimeter the boundary where security
    controls are in effect to protect assets
  • the security kernel as well as other security
    related system functions, are within the
    (imaginary) boundary of the TCB
  • system elements outside the security perimeter
    need not be trusted
  • DMZ - area within the systems security perimeter
    but outside the inner protection ring to restrict
    routine access to the systems primary resources

55
Layering
  • Each layer deals with a specific activity where
    the lower (outer) layers perform basic tasks,
    while the higher (inner) layers perform more
    complex or protected tasks.
  • During Testing, it should be verified that the
    security mechanisms in any layer can not be
    bypassed.

56
The TCB and The Security Kernel
  • The TCB is the totality of protection mechanisms
    within a computer system that work together to
    enforce a security policy. The TCB contains the
    security kernel and all other security protection
    mechanisms.

57
Protection mechanisms
  • Layering the process operation is divided into
    layers by function.
  • Abstraction Involves the definition for a
    specific set of permissible values for an object,
    and the operations that are permissible on that
    object. This involves ignoring or separating the
    details in order to concentrate on what is
    important.
  • Data hiding (information hiding) Information
    that is available at one processing level is not
    available in another regardless if it is higher
    or lower.
  • Process isolation separate processes so that
    none is affected by any others
  • Also covered in domain 4

58
Timing
  • Asynchronous attacks - an attack that exploits
    the interval between a defensive act and a normal
    operation in order to gain operational control
  • TOC/TOU - Time of check vs. time of use Prevent
    by applying task sequencing rules and by
    encryption
  • State changes
  • Communication disconnects
  • Also covered in Domain 4

59
Process Isolation
  • Each process has its own distinct address space
    for its application code and data.
  • Prevents each process from accessing another
    process data
  • Prevents data leakage
  • Prevents modification to the data while it is in
    memory.
  • Allows the system to keep track of the relevant
    information when it switches from one process to
    another

60
Least Privilege
  • A resource, or process, has no more privileges
    than is necessary to be able to fulfill its
    functions.
  • Protects against poorly written or misbehaving
    code

61
Tokens, capabilities and labels
  • Token - a specific privilege or capability
    conferred based on authentication from an
    electronically coded device
  • Capability - protected identifier that both
    identifies the object and specifies the access
    rights to be allowed to the subject who possesses
    the capability
  • Labels - information that represents the security
    level of an object and that describes the
    sensitivity of the information in the object

62
Virtual Memory Protection
  • Virtual memory provides strong access control
  • Only those pages or memory locations
    corresponding to segments in the accessible
    program can be reached.
  • Use of translation or paging table (Memory
    Mapping)
  • Impossible for a program to access memory out of
    its allowable region

63
Confinement
  • Provide security protection to prevent breaches
    using
  • Confinement - restrict access to prevent leaking
    of sensitive data from a program
  • Bounds - edge of protected area need to prevent
    access to storage outside authorized limits
  • Isolation - contain subjects and objects in a
    system in such as way that they are separated
    from one another, as well as from the protection
    controls of the operating system

64
Virtual Machine
  • A virtual machine operating system is a
    collection of real or simulated hardware
    facilities
  • Central Processing Unit (CPU)
  • Directly addressable storage
  • I/O devices
  • The operating system provides the virtual
    resources to the user, and hence the operating
    system can control user accesses precisely to
    these virtual resources.

65
Protection Rings
Process in inner rings can directly access
processes in outer modes but not vice versa
66
Domains
  • A set of objects that a subject is able to
    access.
  • A privileged mode will have a much larger domain
    than a unprivileged user.
  • A security domain has a direct correlation to the
    protection ring that a subject or object is
    assigned to.

67
Initialization and failure states
  • Initialization Process of clearing computer
    storage areas, addresses, or memory in the
    beginning of a program routine or job start up.
  • Failure System should provide automatic
    termination and protection of programs or other
    processing operations when a hardware or software
    failure is detected in a computer system. The
    goal is to avoid compromise in the event of a
    failure.
  • Also covered in domain 4

68
Programming
  • Techniques - KISS, document thoroughly
  • Compilers - remove from operational systems, or
    you wont have a chance at proper configuration
    management
  • APIs - documented interfaces so that higher level
    programs can safely/securely use lower level
    services (i.e., write a file in proprietary
    format SQL database access)
  • Libraries - verify library functions and protect
    from unauthorized modification remove any debug
    test code on ops systems

69
Input and parameter checking
  • Many security problems can be avoided by doing
    thorough input and parameter checks prior to
    execution. Results of improper or non-existent
    checking are buffer overflows and stack errors.
  • Also covered in domain 4

70
Maintenance hooks and privileged programs
  • Maintenance Hooks
  • Special Instructions to allow easy maintenance
    and additional feature development
  • Frequently allow entry into the code at unusual
    points or without usual checks
  • Special type of trap door should be removed
    before operational implementation
  • Privileged Programs (superzap/su)
  • Provide capabilities to manipulate the system
    without performing any security checks JUST DO
    IT!
  • Extremely powerful and dangerous in the wrong
    hands

71
Data Transmission Controls
  • Hash totals
  • Transmission logging
  • Error corrections
  • Retransmission Control
  • Other Controls

72
Security Evaluations
  • Evaluation examines the security-relevant parts
    of a system.
  • Certification The technical evaluation of the
    security components and their compliance for the
    purpose of accreditation.
  • Accreditation is the formal acceptance of the
    adequacy of a systems overall security by the
    management.

73
Certification and Accreditation Processes
  • Commercial
  • ISO 17799/BS 7799/ISO 27000/ISO 27001
  • Federal
  • NIACAP
  • NIST SP 800-37
  • NSA IAM/IEM
  • DoD
  • DITSCAP
  • CND
  • DIACAP
  • DODIIS
  • NISPOM
  • Intelligence Community
  • DCID 6/3 JDCSISSS
  • NISCAP

74
TCSEC (Orange Book)
  • Trusted Computer System Evaluation Criteria
    (TCSEC) - US DoD standard for security criteria
    (Orange Book)
  • Scope - six fundamental security requirements and
    four evaluation criteria divisions
  • standard has been superseded But, still the
    common reference point and still has some uses
  • Classes
  • D - minimal protection, has only one class
  • C - discretionary protection, has two classes
  • B - mandatory protection, has three classes
  • A - verified protection, has only one class

75
ITSEC
  • Information Technology Security Evaluation
    Criteria (ITSEC) - European standard for IT
    security criteria
  • Scope - addresses three basic threats, has three
    functional levels, eight basic security
    functions, ten functionality classes, eight
    hierarchical assurance levels, and seven levels
    of correctness of security mechanisms
  • IT product - off-the-shelf hardware or software
    package
  • IT system - designed and built product for
    specific needs
  • Target of Evaluation (TOE) - refers to product or
    system to be evaluated
  • criteria is not a design guide for secure
    products or systems
  • closely maps to Orange Book criteria

76
Common Criteria
  • NIST and NSA established program to evaluate IT
    product conformance using international standards
    -
  • to help consumers select commercial off the shelf
    (COTS) products that meet their security
    requirements, and
  • to help manufacturers of products gain acceptance
    in market place.
  • National Information Assurance Partnership (NIAP)
    Common Criteria Evaluation and Validation Scheme
    (CCEVS), or Common Criteria Scheme
  • Sponsors of IT Security Evaluations
  • NIAP Validation Body (NIST/NSA)
  • Common Criteria Testing Labs (CCTLs)
  • Evaluation Assurance Levels (EALs)
  • seven levels EAL1-EAL7

77
References
  • Harris, Shon, All-In-One CISSP Certification Exam
    Guide, McGraw Hill 1st and 2nd edition
  • ISC2 CBK
  • ISC2 Official Guide to the CISSP Exam
  • www.cccure.org

78
Questions
Write a Comment
User Comments (0)
About PowerShow.com