Title: CISSP Preparation Training
1CISSP Preparation Training
- Domain Six
- Security Architecture and Design
- July 18, 2007
Lora Woodworth, CISSP Northrop Grumman (719)
622-5655 lora.woodworth_at_ngc.com
2Why do we study this section?
- Utilize what is already built in.
- Know where defense in depth is useful.
- Understand how and why vulnerabilities work.
- Protect information flow in a useful way.
- Evaluate what is there in a repeatable process.
3Domain Objective
- The objective of this domain is to focus on what
has and hasnt been done to secure the computing
environment so that various levels of
availability, integrity and confidentiality may
be determined and enforced based upon the data
present on the system, the security goals of the
organization, and the needs of the users.
4Agenda
- Security Architectures
- Security Models
- Protection Mechanisms
- Evaluation Standards and Methods
5Key elements for the exam
- Know how the different pieces of a computer
system work together and process data - Understand how different vulnerabilities occur in
a computer system - Know how different counter measures work to
prevent, impede and hinder vulnerabilities - Know the major concepts associated with the
different Security Models - Understand the common Evaluation methods and
criteria
6Security Architecture
- Describes at an abstract level the relationships
between key elements to protect the
organizations interests - Official (ISC)2(R) Guide to the CISSP Exam page
80
7Computer Structure
User Call Interface
End User Applications
Library Call Interface
Standard utility programs (shell, editors,
compilers, etc)
System Call Interface
Standard Library (open, close, read, write, fork,
etc)
Operating system (process management, memory
management, file system, I/O, etc)
Kernel mode
Hardware (CPU, memory, disks, terminals, etc)
8Objects and subjects
- Object - a passive entity that contains or
receives information - can be records, files, directories, processors,
printers, etc., as well as system processes - Subject - is an active entity that causes
information to flow among objects or changes the
system state - can be a person, process, or device
9Machine Types
- Real (What you get is what you see) Physical
computer in a virtual machine environment. - Virtual self contained operating system that
behaves as if it were a separate computer
functional simulation of a computer. - Multi-state operates in multiple states at the
same time. - Multi-user - supports two or more simultaneous
users, privileged and unprivileged.
10CPU
- A Central Processing Unit (CPU) contains a
control unit, which controls the timing of the
execution of application instructions, an
Arithmetic logic unit (ALU) which performs
mathematical functions and logical operations,
and primary storage, which is where data is
temporarily held before being processed.
11CPU Modes
- user (unprivileged) Processes that execute with
limited privileges, access to the most critical
resources are controlled through the Privileged
processes and the user processes must operate
through them. - superuser or privileged Processes that have the
most direct or trusted access to the CPU.
12Operating States
- Operating States single-state, multi-state
- ready state - ready to resume processing
- problem state - executing an application
- supervisory state - executing privileged
instructions - wait state - waiting for completion of an event
13Addressing
How do you distinguish between physical and
symbolic addresses?
Physical addresses are identified by a number,
e.g. memory address 0x47F0 or the 571st record on
a disk. Symbolic addresses are identified by a
name that may be more meaningful to the user. (A
file name, variable name in a program, or a
parameter.
14Address Space Terms
- Absolute actual physical address
- Direct single address of an object
- Indexed address of an object, modified by a
displacement, typically the displacement is in a
register, and specified an offset within a larger
object, such as the subscripted address of a
single array element - Indirect address of a pointer to an object
accessing the object requires fetching the
pointer, interpreting its value, and using that
value as the objects address. - Indirection and indexing can be combined and
repeated, so that an indirect object can be
indexed, or an object can be accessed via an
indirect indirect indirect object (i.e., pointer
to a pointer to a pointer to the object
15Address Space vs Memory Space
- An address space is a set of addresses, and
consequently a means of specifying a set of
locations - Memory space or memory address space is the
actual location of the data in memory - Memory management describes the various
techniques an Operating system translates the
address generated by a CPU into the actual
address of the data in memory
16Memory Types
- Random Access Memory (RAM) a type of temporary
or volatile storage facility where data can be
held and altered. - Cache part of RAM that is used for high-speed
writing and reading activities. - CPU receives instructions that are stored in
RAM - Read-Only memory (ROM) a nonvolatile storage
facility. For the most part, when data is
inserted into ROM memory chips it cannot be
altered. - Nonvolatile Silicon memory holds data that can
be electrically erased or written to. - Erasable and programmable read-only memory
(EPROM) can be modified, deleted, or upgraded.
Not used much anymore. - Flash same idea different technology that makes
it more stable and faster. (Digital Camera
memory sticks)
17Real versus Virtual Memory
- Real storage is memory allocation for programs.
- Virtual memory is fictitious in that a small
amount of primary storage plus a larger amount of
secondary storage is used to give the effect of a
large amount of primary storage. Data items are
shuffled between primary and secondary storage as
they are used.
18Paging versus Segmentation
- Paging the virtual program is divided into
fixed-sized blocks, each of which is called a
page. - Segmentation the virtual program is divided
into varying-sized blocks, called, segments
typically a segment will correspond to a logical
unit within a program, such as a procedure or sub
procedure, or an array.
19Memory Mapping
- Different types of memory holding different types
of data means a computer needs something to
control access to ensure that data does not get
corrupted. - This control takes place through memory mapping
and addressing.
20Computer Firmware
- Software permanently stored in a hardware device
- Installed in programmable read-only memory (PROM)
via a special interface - Printers, modems, bus interface units, adapter
modules, etc. will generally contain firmware
21Process versus Thread
- A process is a program in execution that works in
its own address space and can only communicate
with other processes in a controlled manner
handled by the operating system. - A thread represents a piece of code that is
executed within a process
22Primary versus Secondary storage
- Primary internal, directly accessible (e.g.
memory) - Secondary external, not necessarily directly
accessible (e.g., disk, tape, cd) Secondary
storage may be (but is not required to be)
removable, meaning that the storage medium can be
removed from the device and stored elsewhere.
23Other Storage Terms
- Random is accessible in any order also known a
direct or direct access. - Sequential can be accessed only in sequence to
access item 571, it is necessary to count through
all preceding 570 memory items. Sequential
memory is therefore less readily available.
(Tape) - Volatile retains its data value only while power
is supplied (most internal memory is volatile),
in contrast to permanent or long-term storage,
which retains its value even without power.
Obviously a power loss can affect availability of
data stored in volatile memory.
24Operating System
- Operating Systems have four components
- process management - controls program execution
to make sure that programs share resources - I/O device management - issues commands to
devices that read and write to the system - memory management - keeps track of which parts of
memory are in use or not in use - system file management - read, write, erase
functions that the operating system uses to
manage files
25Multithreading, Multitasking, Multiprocessing
- Multithreading an application that can make
several calls to the system at one time or a
system that can process more than one request at
a time. - Multitasking a system capable of running 2 or
more tasks in a concurrent performance or
interleaved execution. - Multiprocessing- a simultaneous execution of 2
programs by a processor. This can alternatively
be done through parallel processing of a single
program, or by two or more processors in a multi
processor system. - Multiprocessor A computer that has two or more
processors that all have common access to the
main storage.
26Network Protocol Stack Functions
- OSI 7 layer Model
- (1) Physical layer (raw bits over
communications channel) - (2) Data link layer (data frames)
- (3) Network layer (communication subnet layer -
packets) (IP) - (4) Transport layer (host-host layer divides
data into smaller units ensures all data
arrives end-to-end layer) (TCP) - (5) Session layer (users interface into the
network session established, management) - (6) Presentation layer (common user functions
via library routines data compression/transformat
ion/encryption) - (7) Application layer (determined by each
user/program) - Covered better in Domain 2
27Operating System Design
- Open based upon accepted standards and employs
standard interfaces to allow connections between
different systems. - Closed Proprietary use of specific operating
system and hardware to perform and generally lack
standard interfaces to allow connection to other
systems.
28Security Policy
- A set of rules, practices, and procedures
dictating how sensitive information is managed,
protected, and distributed. - Sets the goals of what the security mechanisms
are to accomplish. - Must indicate
- What subjects can access which objects
- What actions are acceptable
- What level of trust is required
29Enterprise Architecture
- IETF Security Architecture for IP (IPsec)
- Zachman Framework
- 6 perspectives with 6 abstractions
- Other Frameworks
- see description of Frameworks at
http//www.software.org/pub/architecture/fwhome.as
p
30IETF Security Architecture for IP
- The goal of this architecture is to provide
various security services for traffic at the IP
layer, in both the IPv4 and IPv6 environments. - IPsec
- The set of security services offered includes
access control, connectionless integrity, data
origin authentication, protection against replays
(a form of partial sequence integrity),
confidentiality (encryption), and limited traffic
flow confidentiality. - These services are provided at the IP layer,
offering protection for IP and/or upper layer
protocols. - Utilizes two traffic security protocols,
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
- Security Associations (SA)
- a simplex "connection" that affords security
services to the traffic carried by it. - IETF security working group http//sec.ietf.org/
31Zachman Framework
- More info http//www.zifa.org, with an overview
at http//www.software.org/pub/architecture/zachm
an.asp
32Security Models
- A security policy provides abstract goals and the
security model provides the dos and donts
necessary to fulfill these goals
33Security Models
- Consistent and understandable
- Represents the security policy and no more
- Facilitates mapping the security policy to
implementation (Formal or Informal) - Generic vs. system specific (depends on security
policy)
34State Machine Model
- All current permissions and all current instances
of subjects accessing objects must be captured. - A state of a system is a snapshot of a system in
one moment of time - State transitions activities that alter the
state of a system.
35Bell-LaPadula
- Formal-state transition model that describes a
formal set of access controls based on
information sensitivity and subject
authorizations - Developed for the U.S. military in the 1970s
- Main goal is to prevent secret information from
being accessed in an unauthorized manner. - Lattice based access control has an upper and a
lower bound of authorized access. - Also an information flow security model
- Developed to make sure secrets stay secret does
not address integrity.
36Bell-LaPadula
- Two major rules used and enforced
- Simple security rule a subject at a given
security level cannot read data that resides at a
higher security level. (no read up) - Property (Confinement Property) a subject at
a given security level cannot write information
to a lower security level. (no write down) - These rules indicate what states the system can
go into.
37Basic Security Theorem
- If a system initializes in a secure state and all
state transitions are secure, then every
subsequent state will be secure no matter what
inputs occur.
38Bell-LaPadula
- Criticism towards the Bell-LaPadula model
- It deals only with confidentiality and does not
address integrity. - It does not address management of access control
no mechanism to modify access rights - Does not prevent or address covert channels
- Does not address file sharing used in modern
systems.
39Covert Channels
- Covert channel unintended and/or unauthorized
communications path that can be used to transfer
information in a manner that violates IS security
policy - Storage - direct or indirect writing to storage
location by one process direct or indirect
reading by another process - Timing - one process signals information to
another process by modulating its own use of
system resources in such a way that this
manipulation affects the real response time
observed by the second process - Memory
- Communications
40Biba
- Developed after Bell-LaPadula
- Also a state machine model
- First to address integrity in computers
- Addresses the integrity of data being threatened
when subjects at lower security levels are able
to write to objects at higher security levels and
when subjects can read data at lower levels. - Newspaper example.
41Biba
- Protects the integrity of the information within
a system. - Simple integrity axiom A subject cannot read
data at a lower integrity level (no read down) - integrity axiom A subject cannot modify an
object in a higher integrity level. (no write
up)
42Bell-LaPadula versus Biba
- Bell-LaPadula provides confidentiality and
written for the government - Biba provides integrity and written for
commercial industry - Both state and informational flow models.
- Mainly concerned with data flowing from one
security level to another.
43Clark-Wilson
- Developed after Biba
- Focused on preventing authorized users from
making unauthorized modification of data, fraud,
and errors within mainly commercial applications. - Uses separation of duties divides an operation
into different parts and requires different users
to perform each part. - Protects integrity
44Clark-Wilson
- Prevents authorized users from making
unauthorized modification to data - Subjects can only access objects through
authorized programs - Separation of duties is enforced
- Auditing is required
45Information Flow
- Information is restricted in its flow to only go
to and from approved security levels. - Not a state model
- Helps in Covert Channel Identification.
- Used in research only
46Chinese Wall model
- Proposed by Brewer and Nash in 1989
- Avoids conflicts of interest
- Prevents information flow across projects
- Access control rules restrict access to only
authorized individuals
47Non-interference
- Commands and activities performed at one security
level should not be seen or affect subjects or
objects at a different security level.
48System Architecture Protections
Protection can control the operations between the
user and the data
Protection can happen at the datas end
Protection can happen at the users end
Taken from CISSP All-in-One certification exam
guide Shon Harris 2002
49Security controls
- Preventative controls
- design to policy, appropriate protection meeting
degree of risk - strong authentication/access controls, isolation,
firewalls, encryption - configured properly and verified
- virus protection system backup/recovery
- Detective controls
- audits and logs audit reduction tools
- operations monitoring
- Corrective controls
- clean (remove) and restore
- block unauthorized access, messages, etc.
50Trusted Computing Base (TCB)
- Trusted Computing Base (TCB) Criteria Areas
- Enforces explicit Security Policy
- Marking Access control labels for Objects
- Identification of Subjects
- Accountability Subject actions can be traced
- Assurance Confidence that policy is enforced
- Continuous Protection Enforcement mechanisms
are always operating
51Trusted Computing Base (TCB)
- The TCB is the total combination of protection
mechanisms within a computer system. - This includes Hardware, Software, and Firmware.
- The system is sure that these components will
enforce the security policy not violate it. - Trust level rating is dependent on the size of
the subset of subjects and objects within the TCB
and how stringent the rules are being enforced - Does not address the level of security but the
level of trust. not every part of a system
needs to be in the TCB.
52Reference Monitor
- An abstract access control device that mediates
all accesses to objects by subjects to ensure
that the subjects have the necessary access
rights and to protect the objects from
unauthorized access and destructive modification. - Not an actual physical component.
53 Security Kernel
- The hardware, firmware, and software elements of
a trusted computing base that implement the
reference monitor concept. - Three main requirements
- isolation kernel itself protected from any form
of unauthorized access, tampering, changes. - foolproof The reference monitor must be invoked
for every access attempt and must be impossible
to circumvent. - verifiability The kernel must be small, simple
enough that it can be proven to meet design
specifications
54Security Perimeter and DMZ
- Security perimeter the boundary where security
controls are in effect to protect assets - the security kernel as well as other security
related system functions, are within the
(imaginary) boundary of the TCB - system elements outside the security perimeter
need not be trusted - DMZ - area within the systems security perimeter
but outside the inner protection ring to restrict
routine access to the systems primary resources
55Layering
- Each layer deals with a specific activity where
the lower (outer) layers perform basic tasks,
while the higher (inner) layers perform more
complex or protected tasks. - During Testing, it should be verified that the
security mechanisms in any layer can not be
bypassed.
56The TCB and The Security Kernel
- The TCB is the totality of protection mechanisms
within a computer system that work together to
enforce a security policy. The TCB contains the
security kernel and all other security protection
mechanisms.
57Protection mechanisms
- Layering the process operation is divided into
layers by function. - Abstraction Involves the definition for a
specific set of permissible values for an object,
and the operations that are permissible on that
object. This involves ignoring or separating the
details in order to concentrate on what is
important. - Data hiding (information hiding) Information
that is available at one processing level is not
available in another regardless if it is higher
or lower. - Process isolation separate processes so that
none is affected by any others - Also covered in domain 4
58Timing
- Asynchronous attacks - an attack that exploits
the interval between a defensive act and a normal
operation in order to gain operational control - TOC/TOU - Time of check vs. time of use Prevent
by applying task sequencing rules and by
encryption - State changes
- Communication disconnects
- Also covered in Domain 4
59Process Isolation
- Each process has its own distinct address space
for its application code and data. - Prevents each process from accessing another
process data - Prevents data leakage
- Prevents modification to the data while it is in
memory. - Allows the system to keep track of the relevant
information when it switches from one process to
another
60Least Privilege
- A resource, or process, has no more privileges
than is necessary to be able to fulfill its
functions. - Protects against poorly written or misbehaving
code
61Tokens, capabilities and labels
- Token - a specific privilege or capability
conferred based on authentication from an
electronically coded device - Capability - protected identifier that both
identifies the object and specifies the access
rights to be allowed to the subject who possesses
the capability - Labels - information that represents the security
level of an object and that describes the
sensitivity of the information in the object
62Virtual Memory Protection
- Virtual memory provides strong access control
- Only those pages or memory locations
corresponding to segments in the accessible
program can be reached. - Use of translation or paging table (Memory
Mapping) - Impossible for a program to access memory out of
its allowable region
63Confinement
- Provide security protection to prevent breaches
using - Confinement - restrict access to prevent leaking
of sensitive data from a program - Bounds - edge of protected area need to prevent
access to storage outside authorized limits - Isolation - contain subjects and objects in a
system in such as way that they are separated
from one another, as well as from the protection
controls of the operating system
64Virtual Machine
- A virtual machine operating system is a
collection of real or simulated hardware
facilities - Central Processing Unit (CPU)
- Directly addressable storage
- I/O devices
- The operating system provides the virtual
resources to the user, and hence the operating
system can control user accesses precisely to
these virtual resources.
65Protection Rings
Process in inner rings can directly access
processes in outer modes but not vice versa
66Domains
- A set of objects that a subject is able to
access. - A privileged mode will have a much larger domain
than a unprivileged user. - A security domain has a direct correlation to the
protection ring that a subject or object is
assigned to.
67Initialization and failure states
- Initialization Process of clearing computer
storage areas, addresses, or memory in the
beginning of a program routine or job start up. - Failure System should provide automatic
termination and protection of programs or other
processing operations when a hardware or software
failure is detected in a computer system. The
goal is to avoid compromise in the event of a
failure. - Also covered in domain 4
68Programming
- Techniques - KISS, document thoroughly
- Compilers - remove from operational systems, or
you wont have a chance at proper configuration
management - APIs - documented interfaces so that higher level
programs can safely/securely use lower level
services (i.e., write a file in proprietary
format SQL database access) - Libraries - verify library functions and protect
from unauthorized modification remove any debug
test code on ops systems
69Input and parameter checking
- Many security problems can be avoided by doing
thorough input and parameter checks prior to
execution. Results of improper or non-existent
checking are buffer overflows and stack errors. - Also covered in domain 4
70Maintenance hooks and privileged programs
- Maintenance Hooks
- Special Instructions to allow easy maintenance
and additional feature development - Frequently allow entry into the code at unusual
points or without usual checks - Special type of trap door should be removed
before operational implementation - Privileged Programs (superzap/su)
- Provide capabilities to manipulate the system
without performing any security checks JUST DO
IT! - Extremely powerful and dangerous in the wrong
hands
71Data Transmission Controls
- Hash totals
- Transmission logging
- Error corrections
- Retransmission Control
- Other Controls
72Security Evaluations
- Evaluation examines the security-relevant parts
of a system. - Certification The technical evaluation of the
security components and their compliance for the
purpose of accreditation. - Accreditation is the formal acceptance of the
adequacy of a systems overall security by the
management.
73Certification and Accreditation Processes
- Commercial
- ISO 17799/BS 7799/ISO 27000/ISO 27001
- Federal
- NIACAP
- NIST SP 800-37
- NSA IAM/IEM
- DoD
- DITSCAP
- CND
- DIACAP
- DODIIS
- NISPOM
- Intelligence Community
- DCID 6/3 JDCSISSS
- NISCAP
74TCSEC (Orange Book)
- Trusted Computer System Evaluation Criteria
(TCSEC) - US DoD standard for security criteria
(Orange Book) - Scope - six fundamental security requirements and
four evaluation criteria divisions - standard has been superseded But, still the
common reference point and still has some uses - Classes
- D - minimal protection, has only one class
- C - discretionary protection, has two classes
- B - mandatory protection, has three classes
- A - verified protection, has only one class
75ITSEC
- Information Technology Security Evaluation
Criteria (ITSEC) - European standard for IT
security criteria - Scope - addresses three basic threats, has three
functional levels, eight basic security
functions, ten functionality classes, eight
hierarchical assurance levels, and seven levels
of correctness of security mechanisms - IT product - off-the-shelf hardware or software
package - IT system - designed and built product for
specific needs - Target of Evaluation (TOE) - refers to product or
system to be evaluated - criteria is not a design guide for secure
products or systems - closely maps to Orange Book criteria
76Common Criteria
- NIST and NSA established program to evaluate IT
product conformance using international standards
- - to help consumers select commercial off the shelf
(COTS) products that meet their security
requirements, and - to help manufacturers of products gain acceptance
in market place. - National Information Assurance Partnership (NIAP)
Common Criteria Evaluation and Validation Scheme
(CCEVS), or Common Criteria Scheme - Sponsors of IT Security Evaluations
- NIAP Validation Body (NIST/NSA)
- Common Criteria Testing Labs (CCTLs)
- Evaluation Assurance Levels (EALs)
- seven levels EAL1-EAL7
77References
- Harris, Shon, All-In-One CISSP Certification Exam
Guide, McGraw Hill 1st and 2nd edition - ISC2 CBK
- ISC2 Official Guide to the CISSP Exam
- www.cccure.org
78Questions