AB

Security Management Models - Chap 8

Security Framework, Model and Blueprint

  • Security Models: Standards used for reference or comparison in InfoSec.
  • Serve as starting points for emulation and adoption in an organization.
  • Can be adapted to fit unique organizational needs.

Key Terms

Framework

  • Definition: A broad set of best practices, standards, and guidelines that provide an overall structure for cybersecurity management.
  • Example: NIST Cybersecurity Framework (CSF) – Offers guidelines on managing cybersecurity risks.
  • Analogy: General House
    • High-level guidance on how to build a secure house, including best practices and regulations.
    • Building code that sets standards for home safety requiring fire exits and proper insulation

Model

  • Definition: A theoretical concept of how security should be implemented to achieve specific security objectives, such as confidentiality, integrity, or availability.
  • Example: Bell-LaPadula Model, Biba Integrity Model, Zero Trust Model
  • Analogy: General House
    • A house built with minimalist modern design or traditional colonial style.

Blueprint

  • Definition: A specific, detailed plan for implementing security controls in an organization, based on a chosen framework and model.
  • Example: Microsoft Security Development Lifecycle (SDL) – A security blueprint for secure software development. ISO 27001 might create a custom blueprint detailing specific encryption protocols, access control systems, and incident response procedures.
  • Analogy: Detailed House Plan
    • Specifies what materials to use (e.g., brick, wood, concrete).
    • Specifies where to place doors, windows, and rooms.
    • Specifies the exact security system (locks, cameras, access control).

Usable Security Blueprint

  • Most organizations draw on established security frameworks, models, and practices to generate a usable security blueprint.
  • Some of these frameworks, models, and practices are:
    • Proprietary (only available for a significant fee).
    • Relatively inexpensive (such as ISO and ISACA standards).
    • Free (available from NIST and a variety of other sources).
  • The chosen mode/framework/practices must be flexible, scalable, robust, and sufficiently detailed.

ISO 27000 Series

ISO/IEC 27002

  • Information Technology—Code of Practice for Information Security Management
  • One of the most widely referenced and often discussed security models/frameworks
  • Purpose: Offers guidance for the management of InfoSec to individuals responsible for their organization’s security programs.
  • Focused on a broad overview of the various areas of security, providing information on 127 controls over 10 areas.

ISO/IEC 27001

  • Provides information on how to implement ISO/IEC 27002
  • How to set up an information security management system (ISMS).

NIST Security Publications

  • NIST has published several special publications.
  • Advantages:
    • They are publicly available at no charge.
    • They have been available for some time.
    • They have been broadly reviewed (and updated) by government and industry professionals.
  • SP 800-12, Rev. 1: Computer Security Handbook
  • SP 800-14: Generally Accepted Security Principles and Practices
  • SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal IS
  • SP 800-30, Rev. 1: Guide for Conducting Risk Assessments
  • SP 800-34, Rev. 1: Contingency Planning Guide for Federal IS
  • SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to Federal IS
  • SP 800-39: Managing InfoSec Risk: Organization, Mission, and IS View
  • SP 800-53, Rev. 4: Security and Privacy Controls for Federal IS and Orgs
  • SP 800-53A, Rev. 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
  • SP 800-55. Rev. 1: Performance Measurement Guide for InfoSec
  • SP 800-61, Rev. 2: Computer Security Incident Handling Guide
  • SP 800-100: Information Security Handbook: A Guide for Managers
  • SP 800-184: Guide for Cybersecurity Event Recovery

NIST Security Control Classes, Families, and Identifiers

  • AC: Access Control (Technical)
  • AT: Awareness and Training (Operational)
  • AU: Audit and Accountability (Technical)
  • CA: Security Assessment and Authorization (Management)
  • CM: Configuration Management (Operational)
  • CP: Contingency Planning (Operational)
  • IA: Identification and Authentication (Technical)
  • IR: Incident Response (Operational)
  • MA: Maintenance (Operational)
  • MP: Media Protection (Operational)
  • PE: Physical and Environmental Security (Operational)
  • PL: Planning (Management)
  • PS: Personnel Security (Management)
  • RA: Risk Assessment (Management)
  • SA: System and Services Acquisition (Technical)
  • SC: System and Communication Protection (Operational)
  • SI: System and Information Integrity (Management)
  • PM: Program Management (Management)

Control Objectives for Information and Related Technology (COBIT)

  • COBIT was created by the ISACA and the IT Governance Institute (ITGI) in 1992.
  • Provides advice about the implementation of sound controls.
  • COBIT 5 is the only business framework for the governance and management of enterprise IT.
  • COBIT 5 includes a framework to support InfoSec requirements and assessment needs.
  • Organizations that use COBIT 5 are better prepared for general InfoSec risk management operations.

Information Technology Infrastructure Library (ITIL)

  • ITIL is a collection of methods and practices useful for managing the development and operation of IT infrastructures
  • The ITIL has been produced as a series of books, each of which covers an IT management topic
  • Since it includes a detailed description of a many significant IT-related practices, it can be tailored to many IT organizations

Information Security Governance Framework

  • This Framework is a managerial model.
  • Developed by National Cyber Security Summit Task Force
  • Provides guidance in the development and implementation of an organizational information security governance structure
  • The core of this framework includes recommendations for the responsibilities of members of an organization including:
    • Board of directors/trustees
    • Senior executives
    • Executive team members who report to a senior executive
    • Senior managers
    • All employees and users

Security Architecture Models

  • Security architecture models illustrate how InfoSec is implemented in systems.

Types of Security Models

  • Implementation Areas:
    • Computer Hardware & Software – Security mechanisms built into system components.
    • Policies & Practices – Organizational security frameworks and best practices.
  • Focus Areas of Different Models:
    • Confidentiality-focused models – Protect data secrecy.
    • Integrity-focused models – Ensure data accuracy and trustworthiness.

TCSEC and the Trusted Computing Base (TCB)

TCSEC (Trusted Computer System Evaluation Criteria)

  • Definition: An older DoD standard for evaluating computer system security.
  • Also Known As: "Orange Book" – The cornerstone of the Rainbow Series (color-coded security documents).
  • Replaced in 2005 by Common Criteria, but still referenced in older documents and certification programs.

Trusted Computing Base (TCB)

  • Definition: The hardware, firmware, and software responsible for enforcing a system’s security policy.
  • Includes:
    • Operating System Kernel – The core of system security.
    • Security Utilities – Example: User login subsystem.
  • Security Policy: Refers to technical rules governing a system’s security, not managerial guidelines.
  • Effectiveness Factors:
    • Strength of internal control mechanisms.
    • Quality of system administration and configuration management.

Trusted vs. Trustworthy

  • "Trusted" does not mean "trustworthy."
  • Even TCB components may have security flaws requiring patches and updates.
  • Example: Frequent vulnerabilities in modern operating systems and software.

Reference Monitor Concept

  • Definition: A conceptual component of TCB that manages access controls.
  • Role: Ensures subjects (users/processes) can only access authorized objects (files/data).
  • Auditability:
    • Must be regularly reviewed to ensure security.
    • Should be protected from unauthorized modifications.

Covert Channels in TCB

  • Definition: Unauthorized or hidden methods of data transfer that bypass security policies.
  • Types Defined in TCSEC:
    • Storage Channels – Use modified stored objects to transfer data (e.g., steganography).
    • Timing Channels – Use timing of events to transmit information (e.g., long vs. short network packet delays).
  • Example: Some network routers had indicator lights flashing in sync with data transmission, unintentionally revealing data content.

TCSEC Security Protection Levels

  • Products evaluated under TCSEC were categorized based on security protection levels:
    • D – Minimal Protection: Default level if the system fails to meet other security criteria.
    • C – Discretionary Protection:
      • C1: Discretionary Security Protection.
        • Implements DAC (Discretionary Access Control).
        • Basic identification and authentication functions.
      • C2: Controlled Access Protection.
        • Enhanced DAC with auditability and accountability.
    • B – Mandatory Protection:
      • B1: Labeled Security Protection.
        • Implements MAC (Mandatory Access Control) over some subjects and objects.
      • B2: Structured Protection.
        • MAC and DAC over all subjects and objects.
      • B3: Security Domains.
        • Highest mandatory protection level.
        • Includes reference monitor requirements and automated intrusion detection.
    • A – Verified Protection:
      • A1: Verified Design.
        • B3 level security with formalized design and verification techniques.
      • Beyond A1: Highest Possible Protection.
        • Requires formal top-level specifications.
        • Verified TCB (Trusted Computing Base) down to source code level.
        • Ensures self-protection and complete security verification.

The Common Criteria (CC) for Information Technology Security Evaluation

Overview of Common Criteria (CC)

  • Definition: An international standard (ISO/IEC 15408) for computer security certification.
  • Successor to TCSEC and ITSEC:
    • Unifies various security evaluation standards.
    • Adopted by most governments in place of older standards.
  • Contributors: Developed by nations including the USA, UK, Canada, Germany, France, Japan, Australia, and more.
    • In the U.S., NSA and NIST were key contributors.

Purpose & Recognition of Common Criteria

  • Establishes a standard process for evaluating IT security products.
  • Common Criteria Recognition Agreement (CCRA):
    • Ensures international recognition of evaluated security products.
    • Enables mutual acceptance of security certifications across participating countries.
  • Companion Methodology – Common Methodology for IT Security Evaluation (CEM):
    • Defines evaluation procedures for Common Criteria certification.
    • Used for assessing non-high-level security systems.

Key Common Criteria Terminology

  • Target of Evaluation (ToE) – The system or product being evaluated.
  • Protection Profile (PP) – A user-generated security requirements specification.
  • Security Target (ST) – A document detailing the ToE’s security properties.
  • Security Functional Requirements (SFRs) – A catalog of security functions provided by a product.
  • Evaluation Assurance Level (EAL) – Grading scale for security assurance.

Evaluation Assurance Levels (EALs)

  • EAL1: Functionally Tested – Basic security testing; defends against non-serious threats.
  • EAL2: Structurally Tested – Comparable to good business practices.
  • EAL3: Methodically Tested & Checked – Provides moderate security assurance.
  • EAL4: Methodically Designed, Tested & Reviewed – Rigorous security assurance but still economically viable.
  • EAL5: Semiformally Designed & Tested – Requires specialized development beyond standard commercial products.
  • EAL6: Semiformally Verified, Designed & Tested – Designed for high-security needs.
  • EAL7: Formally Verified, Designed & Tested – Used for extremely high-risk and high-value systems.

Access Control Models

What is Access Control?

  • Definition: The method of regulating who can access specific resources and how they can use them.
  • Scope:
    • Logical Access – Access to information systems and data.
    • Physical Access – Access to facilities and physical assets.
  • Components of Access Control:
    • Policies – Define security rules for access.
    • Programs – Implement access control policies.
    • Technologies – Enforce access control mechanisms.

Four Main Access Control Processes

  • Identification – Capturing the identity of the entity requesting access (e.g., username, ID card).
  • Authentication – Verifying the identity using credentials (e.g., passwords, biometrics).
  • Authorization – Granting specific permissions and access levels based on the entity’s role.
  • Accountability – Logging and tracking all access activities for auditing and compliance.

Principles of Access Control

  • Least Privilege
    • Users are granted the minimum access necessary for their job.
    • Example: If a task only requires reading data, the user gets read-only access (no edit or delete permissions).
  • Need-to-Know
    • Users are only given access to specific information needed for their current task.
    • Example: A manager updating an employee’s pay rate can only modify that employee's record, not see all employee salaries.
  • Separation of Duties
    • Significant security tasks are divided among multiple individuals to prevent fraud and insider threats.
    • Example:
      • One person sets up a vendor.
      • A second person requests payment.
      • A third person authorizes the payment.

Categories of Access Controls

  • Approaches to Categorizing Access Controls
  • Access controls regulate who can access resources and how they can use them.
  • Three main approaches to categorizing access controls:
    • By inherent characteristics (Directive, Deterrent, Preventative, etc.).
    • By operational impact (Managerial, Operational, Technical).
    • By authority type (Mandatory, Nondiscretionary, Discretionary).

Access Control Categories by Characteristics

  • Directive – Policies and training to guide user behavior.
    • Example: Appropriate use policy prohibiting personal use of company resources.
  • Deterrent – Discourages security violations.
    • Example: Signs indicating video surveillance.
  • Preventative – Stops incidents before they happen.
    • Example: Strong authentication requirements.
  • Detective – Identifies security incidents when they occur.
    • Example: Anti-malware software detecting viruses.
  • Corrective – Responds to and mitigates security breaches.
    • Example: Updating firewall rules after an attack.
  • Recovery – Restores systems to normal operations after an incident.
    • Example: Data backups and disaster recovery.
  • Compensating – Provides alternative security measures when primary controls are insufficient.
    • Example: Encrypting classified data sent over unsecured networks.

Access Control Categories by Operational Impact (NIST Model)

  • Managerial Controls – Designed by strategic planners, implemented by security administrators.
    • Example: Security policies, risk assessments.
  • Operational (Administrative) Controls – Integrated into daily business operations.
    • Example: Warning signs, security guards, disaster recovery procedures.
  • Technical Controls – Automated security mechanisms.
    • Example: Login authentication, IDPS (Intrusion Detection and Prevention Systems), encryption.

Access Control Categories by Authority Type

  • Mandatory Access Control (MAC)
    • Enforces strict classification levels on data and users.
    • Users have no control over access permissions.
    • Example: Government Top Secret, Secret, Confidential classifications.
  • Discretionary Access Control (DAC)
    • Data owners control who can access resources.
    • Users can share or restrict access at their discretion.
    • Example: A user granting access to a shared network drive.
  • Nondiscretionary Access Control (NDAC)
    • Controlled by a central authority, not individual users.
    • Two main types:
      • Role-Based Access Control (RBAC) – Access tied to job roles.
        • Example: HR employees can access payroll records, but not IT system logs.
      • Task-Based Access Control (TBAC) – Access tied to specific tasks or projects.
        • Example: A contractor gets access only for the duration of a project.

Bell-LaPadula Confidentiality Model

  • The Bell-LaPadula (BLP) confidentiality model is a state machine reference model that helps ensure the confidentiality of an information system by means of mandatory access controls (MACs), data classification, and security clearances.
  • A system that serves as a reference monitor compares the level of classification of the data with the clearance of the entity requesting access; it allows access only if the clearance is equal to or higher than the classification
  • BLP security rules prevent information from being moved from a level of higher security level to a level of lower security
  • Access modes can be one of two types: simple security and the * (star) property
  • Simple security (also called the read property) prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level (read down)
  • The * property (the write property) prohibits a high-level subject from sending messages to a lower-level object
  • In short, the principle is “no read up, no write down”

Biba Integrity Model

  • The Biba integrity model is similar to BLP
  • The intent is to provide access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations
  • The Biba model ensures that no information from a subject can be passed on to an object in a higher security level
  • This prevents contaminating data of higher integrity with data of lower integrity
  • The Biba Model assigns integrity levels to subjects and objects using two properties: the simple integrity (read) property or the integrity * property (write)
  • The simple integrity property permits a subject to have read access to an object only if the security level of the subject is either lower or equal to the level of the object
  • The integrity * property permits a subject to have write access to an object only if the security level of the subject is equal to or higher than that of the object
  • In short “no write up, no read down”

Clark-Wilson Integrity Model

  • The Clark-Wilson integrity model, which is built upon principles of change control rather than integrity levels, was designed for the commercial environment
  • The change control principles upon which it operates are:
    • No changes by unauthorized subjects
    • No unauthorized changes by authorized subjects
    • The maintenance of internal and external consistency
  • These controls are part of the CWI model:
    • Subject authentication and identification
    • Access to objects by means of well-formed transactions
    • Execution by subjects on a restricted set of programs
  • The elements of the Clark-Wilson model are:
    • Constrained data item (CDI)—Data item with protected integrity
    • Unconstrained data item—Data not controlled by Clark-Wilson; nonvalidated input or any output
    • Integrity verification procedure (IVP)—Procedure that scans data and confirms its integrity
    • Transformation procedure (TP)—Procedure that only allows changes to a constrained data item

Graham-Denning Access Control Model

  • The Graham-Denning access control model has three parts: a set of objects, a set of subjects, and a set of rights; subjects are composed of two things: a process and a domain
  • The eight primitive protection rights are:
    • Create object
    • Create subject
    • Delete object
    • Delete subject
    • Read access right
    • Grant access right
    • Delete access right
    • Transfer access right

Brewer-Nash (Chinese Wall)

  • The Brewer-Nash model—commonly known as a Chinese Wall—is designed to prevent a conflict of interest between two parties
  • The Brewer-Nash model requires users to select one of two conflicting sets of data, after which they cannot access the conflicting data