Security Management Models - Chap 8

Security Framework, Model and Blueprint

• Security Models: Standards used for reference or comparison in InfoSec.
• Serve as starting points for emulation and adoption in an organization.
• Can be adapted to fit unique organizational needs.

Key Terms

Framework

• Definition: A broad set of best practices, standards, and guidelines that provide an overall structure for cybersecurity management.
• Example: NIST Cybersecurity Framework (CSF) – Offers guidelines on managing cybersecurity risks.
• Analogy: General House
  • High-level guidance on how to build a secure house, including best practices and regulations.
  • Building code that sets standards for home safety requiring fire exits and proper insulation

Model

• Definition: A theoretical concept of how security should be implemented to achieve specific security objectives, such as confidentiality, integrity, or availability.
• Example: Bell-LaPadula Model, Biba Integrity Model, Zero Trust Model
• Analogy: General House
  • A house built with minimalist modern design or traditional colonial style.

Blueprint

• Definition: A specific, detailed plan for implementing security controls in an organization, based on a chosen framework and model.
• Example: Microsoft Security Development Lifecycle (SDL) – A security blueprint for secure software development. ISO 27001 might create a custom blueprint detailing specific encryption protocols, access control systems, and incident response procedures.
• Analogy: Detailed House Plan
  • Specifies what materials to use (e.g., brick, wood, concrete).
  • Specifies where to place doors, windows, and rooms.
  • Specifies the exact security system (locks, cameras, access control).

Usable Security Blueprint

• Most organizations draw on established security frameworks, models, and practices to generate a usable security blueprint.
• Some of these frameworks, models, and practices are:
  • Proprietary (only available for a significant fee).
  • Relatively inexpensive (such as ISO and ISACA standards).
  • Free (available from NIST and a variety of other sources).
• The chosen mode/framework/practices must be flexible, scalable, robust, and sufficiently detailed.

ISO 27000 Series

ISO/IEC 27002

• Information Technology—Code of Practice for Information Security Management
• One of the most widely referenced and often discussed security models/frameworks
• Purpose: Offers guidance for the management of InfoSec to individuals responsible for their organization’s security programs.
• Focused on a broad overview of the various areas of security, providing information on 127 controls over 10 areas.

ISO/IEC 27001

• Provides information on how to implement ISO/IEC 27002
• How to set up an information security management system (ISMS).

NIST Security Publications

• NIST has published several special publications.
• Advantages:
  • They are publicly available at no charge.
  • They have been available for some time.
  • They have been broadly reviewed (and updated) by government and industry professionals.
• SP 800-12, Rev. 1: Computer Security Handbook
• SP 800-14: Generally Accepted Security Principles and Practices
• SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal IS
• SP 800-30, Rev. 1: Guide for Conducting Risk Assessments
• SP 800-34, Rev. 1: Contingency Planning Guide for Federal IS
• SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to Federal IS
• SP 800-39: Managing InfoSec Risk: Organization, Mission, and IS View
• SP 800-53, Rev. 4: Security and Privacy Controls for Federal IS and Orgs
• SP 800-53A, Rev. 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
• SP 800-55. Rev. 1: Performance Measurement Guide for InfoSec
• SP 800-61, Rev. 2: Computer Security Incident Handling Guide
• SP 800-100: Information Security Handbook: A Guide for Managers
• SP 800-184: Guide for Cybersecurity Event Recovery

NIST Security Control Classes, Families, and Identifiers

• AC: Access Control (Technical)
• AT: Awareness and Training (Operational)
• AU: Audit and Accountability (Technical)
• CA: Security Assessment and Authorization (Management)
• CM: Configuration Management (Operational)
• CP: Contingency Planning (Operational)
• IA: Identification and Authentication (Technical)
• IR: Incident Response (Operational)
• MA: Maintenance (Operational)
• MP: Media Protection (Operational)
• PE: Physical and Environmental Security (Operational)
• PL: Planning (Management)
• PS: Personnel Security (Management)
• RA: Risk Assessment (Management)
• SA: System and Services Acquisition (Technical)
• SC: System and Communication Protection (Operational)
• SI: System and Information Integrity (Management)
• PM: Program Management (Management)

Control Objectives for Information and Related Technology (COBIT)

• COBIT was created by the ISACA and the IT Governance Institute (ITGI) in 1992.
• Provides advice about the implementation of sound controls.
• COBIT 5 is the only business framework for the governance and management of enterprise IT.
• COBIT 5 includes a framework to support InfoSec requirements and assessment needs.
• Organizations that use COBIT 5 are better prepared for general InfoSec risk management operations.

Information Technology Infrastructure Library (ITIL)

• ITIL is a collection of methods and practices useful for managing the development and operation of IT infrastructures
• The ITIL has been produced as a series of books, each of which covers an IT management topic
• Since it includes a detailed description of a many significant IT-related practices, it can be tailored to many IT organizations

Information Security Governance Framework

• This Framework is a managerial model.
• Developed by National Cyber Security Summit Task Force
• Provides guidance in the development and implementation of an organizational information security governance structure
• The core of this framework includes recommendations for the responsibilities of members of an organization including:
  • Board of directors/trustees
  • Senior executives
  • Executive team members who report to a senior executive
  • Senior managers
  • All employees and users

Security Architecture Models

• Security architecture models illustrate how InfoSec is implemented in systems.

Types of Security Models

• Implementation Areas:
  • Computer Hardware & Software – Security mechanisms built into system components.
  • Policies & Practices – Organizational security frameworks and best practices.
• Focus Areas of Different Models:
  • Confidentiality-focused models – Protect data secrecy.
  • Integrity-focused models – Ensure data accuracy and trustworthiness.

TCSEC and the Trusted Computing Base (TCB)

TCSEC (Trusted Computer System Evaluation Criteria)

• Definition: An older DoD standard for evaluating computer system security.
• Also Known As: "Orange Book" – The cornerstone of the Rainbow Series (color-coded security documents).
• Replaced in 2005 by Common Criteria, but still referenced in older documents and certification programs.

Trusted Computing Base (TCB)

• Definition: The hardware, firmware, and software responsible for enforcing a system’s security policy.
• Includes:
  • Operating System Kernel – The core of system security.
  • Security Utilities – Example: User login subsystem.
• Security Policy: Refers to technical rules governing a system’s security, not managerial guidelines.
• Effectiveness Factors:
  • Strength of internal control mechanisms.
  • Quality of system administration and configuration management.

Trusted vs. Trustworthy

• "Trusted" does not mean "trustworthy."
• Even TCB components may have security flaws requiring patches and updates.
• Example: Frequent vulnerabilities in modern operating systems and software.

Reference Monitor Concept

• Definition: A conceptual component of TCB that manages access controls.
• Role: Ensures subjects (users/processes) can only access authorized objects (files/data).
• Auditability:
  • Must be regularly reviewed to ensure security.
  • Should be protected from unauthorized modifications.

Covert Channels in TCB

• Definition: Unauthorized or hidden methods of data transfer that bypass security policies.
• Types Defined in TCSEC:
  • Storage Channels – Use modified stored objects to transfer data (e.g., steganography).
  • Timing Channels – Use timing of events to transmit information (e.g., long vs. short network packet delays).
• Example: Some network routers had indicator lights flashing in sync with data transmission, unintentionally revealing data content.

TCSEC Security Protection Levels

• Products evaluated under TCSEC were categorized based on security protection levels:
  • D – Minimal Protection: Default level if the system fails to meet other security criteria.
  • C – Discretionary Protection:
    • C1: Discretionary Security Protection.
      • Implements DAC (Discretionary Access Control).
      • Basic identification and authentication functions.
    • C2: Controlled Access Protection.
      • Enhanced DAC with auditability and accountability.
  • B – Mandatory Protection:
    • B1: Labeled Security Protection.
      • Implements MAC (Mandatory Access Control) over some subjects and objects.
    • B2: Structured Protection.
      • MAC and DAC over all subjects and objects.
    • B3: Security Domains.
      • Highest mandatory protection level.
      • Includes reference monitor requirements and automated intrusion detection.
  • A – Verified Protection:
    • A1: Verified Design.
      • B3 level security with formalized design and verification techniques.
    • Beyond A1: Highest Possible Protection.
      • Requires formal top-level specifications.
      • Verified TCB (Trusted Computing Base) down to source code level.
      • Ensures self-protection and complete security verification.

The Common Criteria (CC) for Information Technology Security Evaluation

Overview of Common Criteria (CC)

• Definition: An international standard (ISO/IEC 15408) for computer security certification.
• Successor to TCSEC and ITSEC:
  • Unifies various security evaluation standards.
  • Adopted by most governments in place of older standards.
• Contributors: Developed by nations including the USA, UK, Canada, Germany, France, Japan, Australia, and more.
  • In the U.S., NSA and NIST were key contributors.

Purpose & Recognition of Common Criteria

• Establishes a standard process for evaluating IT security products.
• Common Criteria Recognition Agreement (CCRA):
  • Ensures international recognition of evaluated security products.
  • Enables mutual acceptance of security certifications across participating countries.
• Companion Methodology – Common Methodology for IT Security Evaluation (CEM):
  • Defines evaluation procedures for Common Criteria certification.
  • Used for assessing non-high-level security systems.

Key Common Criteria Terminology

• Target of Evaluation (ToE) – The system or product being evaluated.
• Protection Profile (PP) – A user-generated security requirements specification.
• Security Target (ST) – A document detailing the ToE’s security properties.
• Security Functional Requirements (SFRs) – A catalog of security functions provided by a product.
• Evaluation Assurance Level (EAL) – Grading scale for security assurance.

Evaluation Assurance Levels (EALs)

• EAL1: Functionally Tested – Basic security testing; defends against non-serious threats.
• EAL2: Structurally Tested – Comparable to good business practices.
• EAL3: Methodically Tested & Checked – Provides moderate security assurance.
• EAL4: Methodically Designed, Tested & Reviewed – Rigorous security assurance but still economically viable.
• EAL5: Semiformally Designed & Tested – Requires specialized development beyond standard commercial products.
• EAL6: Semiformally Verified, Designed & Tested – Designed for high-security needs.
• EAL7: Formally Verified, Designed & Tested – Used for extremely high-risk and high-value systems.

Access Control Models

What is Access Control?

• Definition: The method of regulating who can access specific resources and how they can use them.
• Scope:
  • Logical Access – Access to information systems and data.
  • Physical Access – Access to facilities and physical assets.
• Components of Access Control:
  • Policies – Define security rules for access.
  • Programs – Implement access control policies.
  • Technologies – Enforce access control mechanisms.

Four Main Access Control Processes

• Identification – Capturing the identity of the entity requesting access (e.g., username, ID card).
• Authentication – Verifying the identity using credentials (e.g., passwords, biometrics).
• Authorization – Granting specific permissions and access levels based on the entity’s role.
• Accountability – Logging and tracking all access activities for auditing and compliance.

Principles of Access Control

• Least Privilege
  • Users are granted the minimum access necessary for their job.
  • Example: If a task only requires reading data, the user gets read-only access (no edit or delete permissions).
• Need-to-Know
  • Users are only given access to specific information needed for their current task.
  • Example: A manager updating an employee’s pay rate can only modify that employee's record, not see all employee salaries.
• Separation of Duties
  • Significant security tasks are divided among multiple individuals to prevent fraud and insider threats.
  • Example:
    • One person sets up a vendor.
    • A second person requests payment.
    • A third person authorizes the payment.

Categories of Access Controls

• Approaches to Categorizing Access Controls
• Access controls regulate who can access resources and how they can use them.
• Three main approaches to categorizing access controls:
  • By inherent characteristics (Directive, Deterrent, Preventative, etc.).
  • By operational impact (Managerial, Operational, Technical).
  • By authority type (Mandatory, Nondiscretionary, Discretionary).

Access Control Categories by Characteristics

• Directive – Policies and training to guide user behavior.
  • Example: Appropriate use policy prohibiting personal use of company resources.
• Deterrent – Discourages security violations.
  • Example: Signs indicating video surveillance.
• Preventative – Stops incidents before they happen.
  • Example: Strong authentication requirements.
• Detective – Identifies security incidents when they occur.
  • Example: Anti-malware software detecting viruses.
• Corrective – Responds to and mitigates security breaches.
  • Example: Updating firewall rules after an attack.
• Recovery – Restores systems to normal operations after an incident.
  • Example: Data backups and disaster recovery.
• Compensating – Provides alternative security measures when primary controls are insufficient.
  • Example: Encrypting classified data sent over unsecured networks.

Access Control Categories by Operational Impact (NIST Model)

• Managerial Controls – Designed by strategic planners, implemented by security administrators.
  • Example: Security policies, risk assessments.
• Operational (Administrative) Controls – Integrated into daily business operations.
  • Example: Warning signs, security guards, disaster recovery procedures.
• Technical Controls – Automated security mechanisms.
  • Example: Login authentication, IDPS (Intrusion Detection and Prevention Systems), encryption.

Access Control Categories by Authority Type

• Mandatory Access Control (MAC)
  • Enforces strict classification levels on data and users.
  • Users have no control over access permissions.
  • Example: Government Top Secret, Secret, Confidential classifications.
• Discretionary Access Control (DAC)
  • Data owners control who can access resources.
  • Users can share or restrict access at their discretion.
  • Example: A user granting access to a shared network drive.
• Nondiscretionary Access Control (NDAC)
  • Controlled by a central authority, not individual users.
  • Two main types:
    • Role-Based Access Control (RBAC) – Access tied to job roles.
      • Example: HR employees can access payroll records, but not IT system logs.
    • Task-Based Access Control (TBAC) – Access tied to specific tasks or projects.
      • Example: A contractor gets access only for the duration of a project.

Bell-LaPadula Confidentiality Model

• The Bell-LaPadula (BLP) confidentiality model is a state machine reference model that helps ensure the confidentiality of an information system by means of mandatory access controls (MACs), data classification, and security clearances.
• A system that serves as a reference monitor compares the level of classification of the data with the clearance of the entity requesting access; it allows access only if the clearance is equal to or higher than the classification
• BLP security rules prevent information from being moved from a level of higher security level to a level of lower security
• Access modes can be one of two types: simple security and the * (star) property
• Simple security (also called the read property) prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level (read down)
• The * property (the write property) prohibits a high-level subject from sending messages to a lower-level object
• In short, the principle is “no read up, no write down”

Biba Integrity Model

• The Biba integrity model is similar to BLP
• The intent is to provide access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations
• The Biba model ensures that no information from a subject can be passed on to an object in a higher security level
• This prevents contaminating data of higher integrity with data of lower integrity
• The Biba Model assigns integrity levels to subjects and objects using two properties: the simple integrity (read) property or the integrity * property (write)
• The simple integrity property permits a subject to have read access to an object only if the security level of the subject is either lower or equal to the level of the object
• The integrity * property permits a subject to have write access to an object only if the security level of the subject is equal to or higher than that of the object
• In short “no write up, no read down”

Clark-Wilson Integrity Model

• The Clark-Wilson integrity model, which is built upon principles of change control rather than integrity levels, was designed for the commercial environment
• The change control principles upon which it operates are:
  • No changes by unauthorized subjects
  • No unauthorized changes by authorized subjects
  • The maintenance of internal and external consistency
• These controls are part of the CWI model:
  • Subject authentication and identification
  • Access to objects by means of well-formed transactions
  • Execution by subjects on a restricted set of programs
• The elements of the Clark-Wilson model are:
  • Constrained data item (CDI)—Data item with protected integrity
  • Unconstrained data item—Data not controlled by Clark-Wilson; nonvalidated input or any output
  • Integrity verification procedure (IVP)—Procedure that scans data and confirms its integrity
  • Transformation procedure (TP)—Procedure that only allows changes to a constrained data item

Graham-Denning Access Control Model

• The Graham-Denning access control model has three parts: a set of objects, a set of subjects, and a set of rights; subjects are composed of two things: a process and a domain
• The eight primitive protection rights are:
  • Create object
  • Create subject
  • Delete object
  • Delete subject
  • Read access right
  • Grant access right
  • Delete access right
  • Transfer access right

Brewer-Nash (Chinese Wall)

• The Brewer-Nash model—commonly known as a Chinese Wall—is designed to prevent a conflict of interest between two parties
• The Brewer-Nash model requires users to select one of two conflicting sets of data, after which they cannot access the conflicting data