CISSP Week 22


Published on

Published in: Education, Technology
  • Be the first to comment

CISSP Week 22

  1. 1. Security Architecture & Design Domain 6 Pages 902-1003 Official CISSP CBK Third Edition Jem Jensen & Tim Jensen StaridLabs
  2. 2. What is it? ● ● Lots of overlap with other domains (thankfully) Translate business requirements into solutions that provide security ● Unique – depends on business approach and assets ● Involves hardware, firmware, and software
  3. 3. Common System Components ● Processor: performs data processing, converts input to output – Central Processing Unit (CPU): Main processor. Performs system/OS/application processing – Graphics Processing Unit (GPU): Video processor – Controller: controls operation of an external device (Example: SCSI/IDE/SATA Controller)
  4. 4. Processor ● Traditionally one CPU which controls everything, including graphics and IO – ● Multitasking: CPU stops execution of one program, saves it, loads another, runs it for a while, then repeats for the other program Currently could have multiple processors treated as one CPU and additional processors on each IO device (GPU, Controllers) – Multiprocessing: Different processors run different tasks. Program 1 runs on procA, program 2 runs on procB – Multithreading: Execution is split up into time slices. Program 1 runs for 10ms, Program 2 runs for the next 10ms. Repeat for each program
  5. 5. Processor ● ● Register: memory located closer to the processor. Faster but more expensive Fetch, decode, execute, store (FDX) – Load instructions from memory into registers – Decode the instructions, fetch operands – Perform whatever operation was decoded and write the results to another register – Send the results from the register to memory
  6. 6. Processor ● ● Race conditions: happens when the order of processing determines the output. Can happen when multitasking, multiprocessing, or multithreading occur Atomic: when operations are guaranteed to run in their entirety before processing on them ends
  7. 7. Memory ● Very fast storage ● The closer to the CPU, the faster it is ● Register ● Cache ● Main memory ● Secondary Storage
  8. 8. Memory ● RAM – Random access memory (read/write) ● ROM – Read only memory (read) ● Virtual memory: simulate more “main memory” by storing part of it on disk. Allows the perception of “unlimited RAM” – ● Secondary storage is slow so relying too heavily on virtual memory causes poor system performance Firmware: instructions embedded into hardware – Usually ROM
  9. 9. Peripherals ● Data input – – Retina scanner – Mouse – Smart card reader – ● Keyboard Microphone Data output – Monitor – Printer – Speakers
  10. 10. Putting it all together ● I/O – input/output – The process of taking input, performing operations, and giving usable output
  11. 11. Operating Systems ● Software that controls: – – Provides file/data abstraction – Manages user access/processing – ● Program operation – ● I/O Manages scheduling Ex: Windows, Mac OSX, Linux, DOS, IOS Kernel: core of an OS. Provides vital operations and access to resources
  12. 12. Enterprise Security Architect ● Key goals: – Strategic design to address security requirements – A simple, long-term view of control: avoid unnecessary complexities & redundancies – Provides unified vision for common security controls – Leverages existing technology investments – Flexible to cover current and future threats/functions
  13. 13. Common Security Services ● ● ● ● ● Boundary Control: Whether and how information is allowed to flow between systems/companies/states/countries Access Control: Focus on identification, authentication, and authorization Integrity: Detect and correct corruption of data. Antivirus, content filtering, file integrity Cryptographic: Common services for encryption/decryption and key management. PKI Audit and Monitoring: Secure collection, storage, and analysis of audited events. Logging, SIEM
  14. 14. Common Architecture Frameworks ● Zachman: – John Zachman, IBM – Classification matrix
  15. 15. Common Architecture Frameworks ● Sherwood Applied Business Security Arch (SABSA) – Similar to Zachman – Assets (WHAT), Motivation (WHY), Process (HOW), People (WHO), Location (WHERE), Time (WHEN) – Chain of Tracability
  16. 16. Common Architecture Frameworks ● The Open Group Architecture Framework (TOGAF) – Inspired by DOD frameworks – Cyclical
  17. 17. Common Architecture Frameworks ● IT Infrastructure Library (ITIL) – CCTA (British) – Strongly focused on service delivery/management – Service Strategy: Services that are to be provided – Service Design: Creating the services design – Service Transition: Translating designs into operational services – Continual Service Improvement: Measure services, validate against service level. Improve as needed
  18. 18. Types of Security Models ● State Machine Model – – ● Describes a system as it moves from state to state Define what actions are permitted at what point in time to still guarantee a secure state Multilevel Lattice Model – Layers of subjects and objects with clear rules defining which interactions are allowed – Clearance levels, security labels
  19. 19. Types of Security Models ● Noninterference Model – – ● Label everything as high or low security inputs Restrict flows between high and low level users Matrix-based Model – – ● One-to-one relationships between subjects/objects Example: Access Control Matrix Information Flow Model – Object-to-object – Determine if information is being protected throughout a process (can find covert channels)
  20. 20. Examples of Security Models ● Bell–LaPadula Confidentiality Model (BLP) – State machine model – Only concerned with confidentiality – Subject can access data at same and lower levels – “* property” - can write at or above their level – “Strong * property” – can only write at their level
  21. 21. Examples of Security Models ● Biba Integrity Model – Similar enough to Bell-LaPadula to be confusing – Inversed flows – beware on test! Focused on integrity ● – Subject can access data at same and higher integrity levels (can't access inaccurate) – “* property” - can write at or below their level
  22. 22. Examples of Security Models ● Clark-Wilson Integrity Model – – Evaluation/approval step for separation of duties – ● Improves on Biba model Transactions – steps must be followed for changes to be made. Ensures certain quality Lipner Model – Combines BLP and Biba with job roles – Provides confidentiality and integrity – BLP first – classification levels of manager, low – Bipa as necessary – integrity levels of system program, other program, low
  23. 23. Examples of Security Models ● Brewer-Nash Model (Chinese Wall) – – ● Focuses on preventing conflict of interest Once you access data from one side of the wall, you can't get back to data on the other Graham-Denning Model – Focuses on object creation, user privileges – Set of objects, set of subjects, set of rights – Create objects, create subjects, delete objects, delete subjects, read access rights, grant access rights, delete access rights, transfer access rights
  24. 24. Examples of Security Models ● Harrison-Ruzzo-Ullman Model – Extension to Graham-Denning Model – Protection system – subjects are prevented from access programs which can execute certain commands
  25. 25. Defining an Architecture ● Capturing and analyzing requirements – – Refine into detailed functional/nonfunctional reqs – ● Work with stakeholders to define requirements Vulnerability/risk assessments, threat modeling Creating and documenting security architecture – Provide designs that appeal to stakeholders – May use reference models as starting points – Use international standards, best practices – Check legislation and regulations
  26. 26. Infosec Evaluation Models ● Evaluate the architecture to ensure it addresses the requirements – Peer review – Formal verification ● – Third party evaluation Certification/accreditation ● ● ● ● Choose evaluation criteria Run evaluation, storing results as a baseline Compare baseline against security requirements Evaluate the system as to whether it meets the needs of the organization and for how long (accreditation expires each year? Each product release?)
  27. 27. EVERYBODY CHANGE PLACES!!! Switch to Tim
  28. 28. Product Evaluation Models ● Several security architecture models have been created: – Trusted Computer System Evaluation Criteria (TCSEC) ● – For classified systems Common Criteria ● Generic security and applicable internationally
  29. 29. Trusted Computer System Evaluation Criteria (TCSEC) ● Published in 1983 and updated in 1985 ● The “Orange Book” ● ● ● US Department of Defense standard which set basic security implimentation guidelines. Used to evaluate, classify, and select computer systems being considdered for processing and storage of classified materials. Strongly enforces confidentiality – ● IE: Screw integrity and availability Superceded by Common Criteria
  30. 30. TSEC Continued ● Primarily uses the idea of Trusted Computing Base (TCB) to evaluate products. – ● ● Certain functions must exist and work properly for security to be possible. Must be able to be validated. Primarily identified systems with discretionary vs mandatory access controls (DAC, MAC) Most commercial systems did not implement MAC and as such could only receive a C2 rating at best.
  31. 31. Used internationally
  32. 32. Information Technology Security Evaluation Criteria (ITSEC) ● ● ● ● ● Not widely accepted outside of the US due to perceived limitations and inflexibility Lack of international standardization required vendors to build and document the same product in different ways. Unlike TCSEC, the consumer or vendor defines a set of requirements from a menu of possible requirements into a Security Target (ST). The vendor develops the product (Target of Evaluation ToE) and compares the end product with the Security Target (ST) Provides 10 functional levels (F1-F10). Levels are a guideline and not a strict requirement since the vendor/consumer creates their own security target. Provides 6 levels of assurance (E1-E6)
  33. 33. Common Criteria ● ISO/IEC 15408 – International standard ● Superseded all other criteria ● ● Standardizes the general approach to product evaluation. Introduced protection profiles (PP). – Common set of functional and assurance requirements for a category of vendor products deployed in a particular environment. IE: Personal firewalls for Home Internet Use
  34. 34. Comparison of the different models
  35. 35. Industry/International Security Implementation Guides
  36. 36. ISO 27001 ● Standardization and certification of an organization's information security management system (ISMS) ● Focuses on security governance ● 5 key areas: – General requirements of the ISMS – Management Responsibility – Internal ISMS Audits – Management review of the ISMS – ISMS improvement
  37. 37. ISO 27002 ● ● ● ● “Code of Practice for Information Security Management” Lists security control objectives Recommends a range of specific security controls according to industry best practice ISO 27002 is a guideline, and not a rigid standard. The business can implement controls based on risk analysis
  38. 38. ISO 27002 Part 2 ● Contains 11 focus areas: – Security Policy – Organization and Information Security – Asset Management – Human Resources Security – Physical and Environmental Security – Communications and Operations Management – Access Control – Information Systems Acquisitions, Development, and Maintenance – Information Security Incident Management – Business Continuity Management – Compliance
  39. 39. ISO ● ● Organizations are only able to become certified with ISO27001. This is because the ISMS can be compared with other organizations/customers. ISO27002 is very specific to the organization and wouldn't be shared, and as such isn't certifiable.
  40. 40. Control Objects for Information and Related Technology (COBIT) ● Created by ISACA and ITGI in the early 90's ● Provides a set of generally accepted processes ● Describes “base minimum” security controls ● 5 key principals – Meeting Stakeholder Needs – Covering the Enterprise End-to-End – Applying a single integrated framework – Enabling a holistic approach – Separating Governance from Management ● Auditors love COBIT ● Has NOTHING to do with Hobbits
  41. 41. Payment Card Industry Data Security Standard (PCI-DSS) ● Ensures the safe processing, storing, and transmission of cardholder information ● Includes prevention, detection, and reaction to security incidents ● Six goals – Build and Maintain a Secure Network – Protect Cardholder Data – Maintain a Vulnerability Management Program – Implement Strong Access Control Measures – Regularly Monitor and Test Networks – Maintain an Information Security Policy
  42. 42. PCI Part 2 ● Each requirement has several sub objectives. PCI is audited by an independent 3rd party
  43. 43. Security capabilities of Information Systems ● Primary challenge is to provide security without compromising the primary function of the system(s)
  44. 44. Access Control Mechanisms ● ● ● ● ● ● All systems need to be able to distinguish between individual subjects and objects managed by the system and determine how they will be allowed to interact with each other. Authentication must occur before access is allowed to system resources This is one of the most fundamental security controls and should be thoroughly vetted and validated. When no subject can gain access to an object without authorization, this is referred to as complete mediation. A Reference Monitor will examine all attempts by subjects to access objects and will determine if it should be allowed. The reference monitor checks the Security Kernel Database which stores access control lists and logs its decisions into the secure audit log.
  45. 45. Secure Memory Management ● ● ● ● Ideally we could easily separate memory used by subjects (running processes and threads) from objects (data in storage) Modern computer systems used a shared memory location which is not ideal. As such the system has to manage the separation. This allows for buffer overflows and other vulnerabilities Technologies such as Address Space Layout Randomization (ASLR) combat this weakness.
  46. 46. Processor States ● ● ● ● Processors and their supporting chipsets provide one of the first layers of defense in a computing system. Provide specialized security functions (cryptographic coprocessors) Processors ahve states that can be used to distinguish between privileged/unprivileged instructions Most processors support at least two states: a supervisor state (kernel mode) and a problem state (user mode)
  47. 47. Processor Layers ● ● Operating systems have been developed to control access to kernel mode and require access to pass through security layers. An example of this is ring protection. Ring 0 is core system functions where Ring 3 is end user application functions. Privileges get higher the closer you get to 0.
  48. 48. Process Isolation ● ● ● Process isolation is used to prevent individual processes from interacting with each other, even when they are assigned to the same ring. This is done by allocating a specific memory space for a process and preventing other processes from accessing this space. Shared resources can be managed So only one processes can access Them at a time.
  49. 49. Data Hiding ● Data hiding maintains activities at different security levels to separate these levels from each other. This assists in preventing data at one security level from being seen by processes operating at other security levels.
  50. 50. Abstraction ● ● Abstraction involves the removal of characteristics from an entity in order to easily represent it's essential properties. Example: Provide permissions to a group container “Admins” and then place users in the group, instead of individually assigning permissions.
  51. 51. Cryptographic Protections ● Sensitive data can be encrypted and the keys can be protected, hiding data from less privileged parts of the system.
  52. 52. Host Firewalls and Intrusion Prevention ● ● Host based firewalls and host based Intrusion Prevention systems can be used to protect a host in the event of network security failure. Often done in software but hardware hostbased firewalls exist (Approximately $100 built into network card) but can also buy wireless router and configure to be only a firewall. (Approximately $20 dollars)
  53. 53. Audit and Monitoring Controls ● ● Secure systems must have the ability to provide administrators with evidence of their correct operation through logging and application messages. Host/network intrusion detection systems may also be considered types of auditing and monitoring controls.
  54. 54. Virtualization ● ● ● ● ● ● Virtualization offers numerous security advantages Virtual machines are isolated in a sandbox environment and if infected can quickly be removed or shutdown and replaced. Virtual machines have limited access to hardware resources VM's require strong configuration management control and versioning to ensure good copies are available for restoration. VM's still require anti-malware, encryption, HIDS, firewalls and patching Viruses are becoming more Virtual Machine aware and can break out. (Tim Note: Some viruses can detect running in a VM and refuse to run, since they don't want malware researchers to reverse engineer them)
  55. 55. Vulnerabilities in Security Architectures ● ● Security architects must familiarize themselves with well known attacks and vulnerabilities in their industry (and keep up with them). Some of the most challenging attacks to security architecture are emanations, state attacks, and cover channels
  56. 56. Emanations ● ● ● System emanations are unintentional electrical, mechanical, optical, or acoustical energy signals that contain information or metadata about information being processed, stored, or transmitted in a system If intercepted and recorded, it is possible to analyze and recover the intelligence that was being processed. The problem of compromising radiation has been given the name TEMPEST
  57. 57. Emanations in Reality ● Cost of hardware: $10-30 dollars
  58. 58. Chrome open on a Mac...
  59. 59. Tempest ● ● ● The best protection against emanation in high security environments is to use the red/black separation Shielding is put in place between unclassified circuits/equipment and classified equipment. Once implemented the configuration is validated. Nothing can be moved, at all, or the validation is void. Known attacks include ATM attacks where keypress noises were different, and sensitive microphones could listen accurately at 15 meters and capture PINS.
  60. 60. State Attacks AKA Race Conditions ● ● ● Race conditions are caused by poorly written code. Race conditions occur when it's possible to execute instructions out of order. Example: A user logs into a system. The login system is kernel mode. Before the system can complete login, the user is able to open a command window. The login process then completes and puts the user in user mode. The command window could still have kernel mode permissions.
  61. 61. Covert Channels ● ● a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy Types of channels: – Storage Channel – two processes can communicate with a stored object – Timing Channel – Modify the timing of events relative to each other
  62. 62. Technology and Process Integration
  63. 63. Mainframes ● ● ● Mainframes used to be large centralized distributed computing platforms. Current mainframes are mostly virtual hosts, hosting multiple virtual machines. Often Linux/Unix based. Other uses are data warehouses, web apps, financial apps, and middleware
  64. 64. Thinclients ● Thinclients use a central server for processing, and have diskless workstations as user terminals.
  65. 65. Middleware ● ● ● ● Middleware is a connectivity software that enables multiple processes running on one or more machines to interact. Solves interoperability and connectivity issues Middleware systems are common in Service Oriented Architectures (SOA). Unfortunately many SOA implementations were not developed with end-to-end security as a requirement.
  66. 66. Embedded Systems ● ● ● Embedded systems are small form factor, limited processing power, machines. They offer a limited range of computing serves usually around a single application. They usually feature a limited OS with minimal functionality. Have disadvantages – Patching is difficult – Processing power makes security functions limited
  67. 67. Pervasive Computing and Mobile Devices ● ● ● Mobile phones, ultrabooks, tablets, Google Goggles,ipods, god knows what, are being carried by EVERYONE nowadays. Security has often been sacrificed due to limited computing power. Mobility is a prime factor for data loss since they can be used to transmit and store information in ways that may be difficult to control.
  68. 68. Software and System Vulnerabilities and Threats
  69. 69. Web Based ● Web applications are subject to all threats and protection mechanisms discussed elsewhere. The disadvantage to web based systems is that they are more accessible. ● Harden the OS ● Remove unnecessary applications ● Change default accounts/configurations ● Configure permissions properly ● Keep up to date on patching ● Run web/network vulnerability scans prior to deployment (baseline) ● Implement IDS/IPS ● Use application proxy firewalls ● Disable unnecessary documentation ● Remove Administrative Interfaces ● Limit who can access the hosts/networks ● Use Strong Authentication & Account lockout ● Use strong input validation
  70. 70. XML ● ● XML is a formatting standard. It formats and tags data to allow for easy information exchange between systems. XML is vulnerable to injection attacks (So use data validation, dummy!)
  71. 71. SAML ● ● ● Security Assertion Markup Language (SAML) XML based standard used to exchange authentication and authorization information. Advantages: – – Loose coupling of directories – Improved online experience for end users – Reduced administrative costs for service providers – ● Platform neutral Risk transference (Use a 3rd party identity provider and make them responsible for proper management of identities) SAML is only as strong as the implementation Poor coding can cause severe authentication vulnerabilities.
  72. 72. OWASP ● ● Open Web Application Security Project (OWASP) is a nonprofit focused on improving security in software. Has created: – OWASP Top 10 security flaws and how to mitigate them (yearly) – OWASP Guide Project (Architects manual for designing secure web applications and services) – OWASP Software Assurance Maturity Model (SAMM) – Framework used to design software – OWASP Mobility Project – Provides resources for developers and architects to develop and maintain secure mobile applications
  73. 73. Client Based Vulnerabilities ● ● ● The client is often a foothold into an organization who uses the client to attack other servers and services. Security cannot force customers/employees to use virus/malware free workstations. We must assume that the client is infected. One time pad tokens can be used to ensure that loss and exposure is limited for both the customer and the organization.
  74. 74. Organization's client system security ● Systems should include: – A supported and licensed operating system – Updated, verified, and supported anti-malware and anti-virus capabilities – Host based intrusion detection system – Whole drive encryption or sensitive information on the drive be encrypted with strong encryption – Whenever possible the client operates in limited user mode (Not as Admin) – Client is part of a continuous monitoring program which monitors for vulnerabilities and patches when needed without interaction of the end user. – Changes to the OS or new software are validated through an assessment process to determine any security impacts.
  75. 75. Mobile Devices ● ● ● Many organizations are allowing tablets and smartphones on their networks. Bring your own Device (BYOD) is also growing. Most mobile devices are not designed with enterprise security in mind.
  76. 76. Mobile Device Security ● Enterprise should be capable of performing: – – Account Management – GPS location of device – Patching/updating – App management – Device authentication/enrollment – ● Whole drive wipe Information Archive for legal situations System should have: – Secure web browser – VPN capabilities – Organization Application repository ● Device should have whole drive encryption ● Should not be rooted/jailbroken (the state should be verifiable)
  77. 77. EVERYBODY CHANGE PLACES!!! Switch to Jem
  78. 78. Server-based Vulnerabilities ● Determine how remote access will be achieved – – Multifactor authentication? One-time passwords? – ● Out of band communication? Separate VLANs? Disable built-in remote access in new software? Determine how configuration management will be performed – – ● Who will be responsible? Are they capable? Vulnerability scanning/management Determine business continuity requirements
  79. 79. Server-based Vulnerabilities ● Data Flow Control – Data flow diagram (DFD) – how data flows in/out – Break down into data, processes, and windows a user might see – Implement least privilege – Review technologies in use to ensure they are or can be supported under the security architecture
  80. 80. Data Flow Diagram (Example)
  81. 81. Database Security ● Warehousing – Repository for information gathered from a number of data sources – Used for analytical purposes – Data marts: smaller warehouse containing data about a specific function or division – Confidentiality is critical – prone to leaks/breaches – Integrity is critical – loss of compiled data
  82. 82. Database Security ● Inference – ● Aggregation – ● Ability to deduce confidential information from observing available information Combining nonsensitive data from separate sources into sensitive information Data Mining – Querying data in a data warehouse to find hidden relationships, patterns and trends
  83. 83. Distributed Systems ● Need to share common protocols/interfaces ● Coordinate resources – UUID: universally unique identifiers 17014a58-bd1a-4b6b-8757-adecee9cc99d ● Authorization is a challenge
  84. 84. Distributed Systems ● Grid Computing – – ● Sharing system resources like CPU across a network so that the machines all act together as one large machine Heterogeneous – can be different OS, software Cluster Computing – Similar to grid computing – Homogeneous – must be identical and devoted to a single task
  85. 85. Distributed Systems ● Cloud Computing – Ambiguous but generally have the following: ● ● ● ● ● – On-Demand Self-Service: a customer can provision as needed without human interaction at the provider Broad Network Access: Available over a wide network Resource Pooling: Provider's resources are pooled among multiple customers Rapid Elasticity: Can scale rapidly Measured Service: Usage is metered so usage is monitored, controlled, and reported for transparency Limited ability to define security controls
  86. 86. Distributed Systems ● Cloud Computing cont'd – Software as a service (SaaS): Application running on a cloud. Customer does not manage the underlying infrastructure – Platform as a service (PaaS): Customer can deploy applications, libraries, and tools onto the cloud. Customer does not manage the infrastructure – Infrastructure as a service (IaaS): Customer is provisioned a full OS and can install or deploy any software they like
  87. 87. Countermeasure Principles ● Defense in Depth – ● Apply multiple layers of controls between an attacker and the data they want Maintaining Security Architecture – Continually evolve – Get feedback through metrics or as part of the security model (ex: ITIL) – CMM² – Capability Maturity Model ● Initial, Managed, Defined, Quantitatively Managed, Optimizing
  88. 88. Countermeasure Principles ● COBIT Maturity Model 0 – Incomplete/ Nonexistant The process is not implemented or fails to achieve its goals. General lack of awareness that a problem exists 1 – Initial/Ad Hoc Organization recognizes that a problem exists. There is no coherent process yet 2 – Repeatable Processes are implemented but lacking organized standards. Mostly reactive. Relies on individuals. Prone to inconsistency 3 – Defined Processes in place, some awareness and training programs. Compliance still left up to individuals. Deviations could be undetected 4 – Managed Formal proactive approach exists. Controls are based on business requirements. Monitoring is in place. Automation is lacking 5 – Optimized Processes have been streamlined. Security is integrated into the organization. Regular improvement process to stay ahead of emerging threats and changes
  89. 89. Next week: Security Operations New offices in the Black Building (118 N Broadway #615, Fargo, ND) Meet in King House at 3pm? We'll head upstairs as a group and break in the new conference room!