2019 CISSP MENTOR PROGRAM
April 15, 2019
-----------
Class 3 – April 15, 2019
CISSP® MENTOR PROGRAM – SESSION THREE
Instructors:
• Brad Nigh, FRSecure Director of Professional Services & Innovation
• Evan Francen, FRSecure & SecurityStudio CEO

GETTING GOING…
Great job last week! We’re through the introduction and the 1st Domain (Security and Risk Management)
Let’s get going!
• Every week goes so fast, it’s easy to forget what happened. Same for you guys?
• Virginia won the NCAA Men’s BB Championship (Class #1 night)
• Snowpocalypse (Class #2 night)
• Check-in.
• How many have read Chapter 1 & 2?
• Questions?
GETTING GOING…
Other Updates:
• We’ve had a couple of people who told us that they are interested in hosting/facilitating a study group.
• Email mentorprogram@frsecure.com if you’re interested in hosting/facilitating/participating in a study group. We’ll put the right people in touch.
• We’ve got a request to set up a Slack channel for the class.
Let’s spend a little more time on risk analysis…
• Assets – hardware, software, and information
• Vulnerability (or weakness)
• Threat
• Risk = Threat x Vulnerability (likelihood and impact)
• Risk = Threat × Vulnerability × Impact (another way to put it)
GETTING GOING…
Qualitative & Quantitative Risk Analysis
Human life trumps everything!
• Qualitative – based upon professional opinion; High, Medium, Low…
• Quantitative – based on real values; dollars. Pure quantitative analysis is nearly impossible (lack of data).
• Risk Analysis Matrix – Qualitative risk analysis table; likelihood on one side, impact on the other.

Qualitative & Quantitative Risk Analysis
• Asset Value (AV) – Fair market value for an asset
• Exposure Factor (EF) – % of asset lost during an incident (threat occurrence)
• Single Loss Expectancy (SLE) – AV x EF
• Annual Rate of Occurrence (ARO) – How many times a bad thing is expected per year.
• Annualized Loss Expectancy (ALE) – SLE x ARO
GETTING GOING…
Risk Choices
If ALE exceeds Total Cost of Ownership (TCO), there is a positive Return on Investment (ROI), or Return on Security Investment (ROSI).
There are only four; risk acceptance criteria should be documented. Risk decisions should ALWAYS be made by management, NOT information security.
• Accept – the risk is acceptable without additional control or change.
• Mitigate – the risk is unacceptable (too high) and requires remediation.
• Transfer – the risk can be transferred to someone else; 3rd-party provider, insurance.
• Avoid – the risk will be avoided by discontinuing the action(s) that led to the risk.
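A worked version of the quantitative formulas above (SLE = AV x EF, ALE = SLE x ARO, and the rule that a control pays off when the ALE it removes exceeds its annual TCO), as an added example; this code is not from the mentor program slides. The names RiskScenario, annual_tco and evaluate_control, the effectiveness parameter (the fraction of the ALE a control eliminates), the spreading of one-time costs over a control's useful life, and every dollar figure are assumptions constructed for the example.

```python
"""Quantitative risk analysis as the slides define it: SLE = AV x EF,
ALE = SLE x ARO, and a control has a positive ROSI when the ALE it
removes exceeds its annual Total Cost of Ownership (TCO).
All names and numbers here are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float      # AV: fair market value of the asset, in dollars
    exposure_factor: float  # EF: fraction of the asset lost per incident (0.0 to 1.0)
    aro: float              # ARO: how many incidents are expected per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def annual_tco(monthly_fee: float = 0.0, one_time_cost: float = 0.0,
               useful_life_years: int = 1) -> float:
    """Annual TCO of a control: recurring fees plus one-time costs spread over
    the control's useful life (the spreading is this example's assumption;
    the slides only say 'TCO')."""
    return monthly_fee * 12 + one_time_cost / useful_life_years


def evaluate_control(scenario: RiskScenario, tco: float,
                     effectiveness: float = 1.0) -> dict:
    """Compare the ALE a control removes with what the control costs per year.

    effectiveness is the fraction of the ALE the control eliminates; 1.0 means
    the control stops every incident, which is what the slides' ALE-vs-TCO rule
    assumes. net_benefit > 0 is a positive Return on Security Investment (ROSI).
    """
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be a fraction between 0 and 1")
    ale_before = scenario.ale()
    ale_after = ale_before * (1.0 - effectiveness)
    net_benefit = (ale_before - ale_after) - tco
    return {
        "sle": scenario.sle(),
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_tco": tco,
        "net_benefit": net_benefit,
        "positive_rosi": net_benefit > 0,
    }


if __name__ == "__main__":
    # Constructed scenario: a $250,000 asset, 30% of it lost per incident,
    # two incidents a year, and a control costing $5,000/month.
    scenario = RiskScenario(asset_value=250_000, exposure_factor=0.30, aro=2)
    report = evaluate_control(scenario, annual_tco(monthly_fee=5_000))
    for key, value in report.items():
        print(f"{key:>14}: {value}")
```

Run it with different effectiveness values to see the point the slide makes about pure quantitative analysis: the decision flips on inputs (EF, ARO, how much of the loss the control really prevents) that are usually estimates rather than measured data.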
GETTING GOING…
Risk Management Process(es)
There are dozens of risk management processes or methodologies.
• United States National Institute of Standards and Technology (NIST) Special Publication 800-30, Risk Management Guide for Information Technology Systems (http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf); nine step process:
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
QUIZ!
1. Which of the following would be an example of a policy statement?
A. Protect PII by hardening servers
B. Harden Windows 7 by first installing the pre-hardened OS image
C. You may create a strong password by choosing the first letter of each word in a sentence and mixing in numbers and symbols
D. Download the CISecurity Windows benchmark and apply it

2. Which of the following steps would be taken while conducting a Qualitative Risk Analysis?
A. Calculate the Asset Value
B. Calculate the Return on Investment
C. Complete the Risk Analysis Matrix
D. Complete the Annualized Loss Expectancy

Scenario for questions 3-5: Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000/month. You have tested this service, and believe it will mitigate the attacks.

3. What is the Annual Rate of Occurrence in the above scenario?
A. $20,000
B. 40%
C. 7
D. $10,000

4. What is the annualized loss expectancy (ALE) of lost iPod sales due to the DoS attacks?
A. $20,000
B. $8,000
C. $84,000
D. $56,000

5. Is the DoS mitigation service a good investment?
A. Yes, it will pay for itself
B. Yes, $10,000 is less than the $56,000 Annualized Loss Expectancy
C. No, the annual Total Cost of Ownership is higher than the Annualized Loss Expectancy
D. No, the annual Total Cost of Ownership is lower than the Annualized Loss Expectancy

6. An attacker sees a building is protected by security guards, and attacks a building next door with no guards. What control combination are the security guards?
A. Physical/Compensating
B. Physical/Detective
C. Physical/Deterrent
D. Physical/Preventive

7. Which of the following proves an identity claim?
A. Authentication
B. Authorization
C. Accountability
D. Auditing
DOMAIN 2: ASSET SECURITY
Piece of cake!

Agenda – Domain 2: Asset Security
Protecting Security of Assets
Easy chapter in theory, difficult in practice
• Classifying Data
• Ownership
• Memory and Remanence
• Data Destruction
• Determining Data Security Controls
Terms and Definitions to Memorize
Short chapter; starting on page 81
• RAM – Random Access Memory, volatile hardware memory that loses integrity after loss of power
• Remanence – Data that persists beyond noninvasive means to delete it.
• Reference Monitor – Mediates all access between subjects and objects
• ROM – Read Only Memory, nonvolatile memory that maintains integrity after loss of power
• Scoping – The process of determining which portions of a standard will be employed by an organization
• SSD – Solid State Drive, a combination of flash memory (EEPROM) and DRAM
• Tailoring – The process of customizing a standard for an organization
Classifying Data (or Data Classification) - Labels
Objects have labels – Subjects have clearances
• Data classification scheme
• Executive Order 12356 (http://www.archives.gov/federal-register/codification/executive-order/12356.html) – Top Secret, Secret, and Confidential
• Company/Private Sector – Confidential, Internal Use Only, Public
• Security Compartments; documented need to know and clearance

Classifying Data (or Data Classification) - Clearance
Objects have labels – Subjects have clearances
• Formal approval/authorization to specific levels of information
• Not really used as much in the private sector
• “All About Security Clearances” from the US Department of State; http://www.state.gov/m/ds/clearances/c10978.htm
• Standard Form 86 is a 127 page questionnaire!

Classifying Data (or Data Classification)
Formal Access Approval
• Documented
• Access requests should be approved by the owner, not the manager and certainly not the custodian (more to follow)
• Approves subject access to certain objects
• Subject must understand all rules and requirements for access
• Best practice is that all access requests and access approvals are auditable

Classifying Data (or Data Classification)
• Three roles; data owner, data custodian, and data user
• Three classifications; Confidential, Internal Use, and Public
• In real life; easy to document and hard to implement
• Data Classification defines sensitive information → data handling requirements → data storage requirements and in some cases data retention requirements
Classifying Data (or Data Classification) - Data Classification Policy (Sample)
Data Owner:
• Typically, the person responsible for, or dependent upon, the business process associated with an information asset. The Data Owner is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.
• Determines the appropriate value and classification of information generated by the owner or department;
• Must communicate the information classification when the information is released outside of the department and/or organization;
• Controls access to his/her information and must be consulted when access is extended or modified; and
• Must communicate the information classification to the Data Custodian so that the Data Custodian may provide the appropriate levels of protection.

Data Custodian:
• The Data Custodian maintains the protection of data according to the information classification associated to it by the Data Owner.
• The Data Custodian role is delegated by the Data Owner and is usually Information Technology personnel.

Data User:
• The person, organization or entity that interacts with data for the purpose of performing an authorized task. A Data User is responsible for using data in a manner that is consistent with the purpose intended and in compliance with policy.

Confidential Data:
• Information protected by statutes, regulations, company policies or contractual language. Data Owners may also designate data as Confidential.
• Sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only.
• Disclosure to parties outside of the company must be authorized by Executive Management, approved by the Information Security Committee, or be covered by a binding non-disclosure or confidentiality agreement.
• Examples of Confidential Data include Protected Health Information (“PHI”)/Medical records; Financial information, including credit card and account numbers; Social Security Numbers; Personnel and/or payroll records; Any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction; and any data belonging to a customer that may contain personally identifiable information.

Minimum Protection Requirements for Confidential Data
• When stored in an electronic format, must be protected with a minimum level of authentication to include strong passwords, wherever possible.
• When stored on mobile devices and media, protections and encryption measures provided through mechanisms approved by organization IT Management must be employed.
• Must be stored in a locked drawer, room, or area where access is controlled by a guard, cipher lock, and/or card reader, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know.
• Must be encrypted with strong encryption when transferred electronically to any entity outside of the organization (See Encryption Policy).
Minimum Protection Requirements for Confidential Data
• When sent via fax, must be sent only to a previously established and used address or one that has been verified as using a secured location
• Must not be posted on any public website
• Must be destroyed when no longer needed, subject to the FRSecure Sample Data Retention Policy. Destruction may be accomplished by:
  • “Hard Copy” materials must be destroyed by shredding or another approved process that destroys the data beyond either recognition or reconstruction as per the FRSecure Sample Data Destruction and Re-Use Standard.
  • Electronic storage media that will be re-used must be overwritten according to the FRSecure Sample Data Destruction and Re-Use Standard.
  • Electronic storage media that will not be re-used must be physically destroyed according to the FRSecure Sample Data Destruction and Re-Use Standard.
  • Deleting files or formatting the media is NOT an acceptable method of destroying Confidential Data.
The FRSecure Sample Information Security Committee must be notified in a timely manner if data classified as Confidential is lost, disclosed to unauthorized parties or is suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of FRSecure Sample information systems has taken place or is suspected of taking place.

Minimum Labeling Requirements for Confidential Data
If possible, all Confidential Data must be marked, regardless of the form it takes. Confidential Data will be marked using the word “Confidential” in bold, italicized, red font (i.e. Confidential). The marking should be placed in the right corner of the document header or footer.

Internal Data:
Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel designated by the company, who have a legitimate business purpose for accessing such data.
Examples of Internal Data include Employment data; Business partner information where no more restrictive non-disclosure or confidentiality agreement exists; Internal directories and organization charts; Planning documents; and Contracts.

Minimum Protection Requirements for Internal Data
• Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure
• Must be protected by a non-disclosure or confidentiality agreement before access is allowed
• Must be stored in a closed container (i.e. file cabinet, closed office, or department where physical controls are in place to prevent disclosure) when not in use
• Must be destroyed when no longer needed, subject to the FRSecure Sample Data Retention Policy. Destruction may be accomplished by:
  • “Hard Copy” materials must be destroyed by shredding or another approved process which destroys the data beyond either recognition or reconstruction as per the FRSecure Sample Data Destruction and Re-Use Standard.
  • Electronic storage media shall be sanitized appropriately by overwriting or degaussing prior to disposal as per the FRSecure Sample Data Destruction and Re-Use Standard.
• Internal is the “default” classification level if one has not been explicitly defined.

Minimum Labeling Requirements for Internal Data
If possible, all Internal Data should be marked, regardless of the form it takes. Internal Data will be marked using the word “Internal” in bold, italicized, blue font (i.e. Internal). The marking should be placed in the right corner of the document header or footer.

Public Data:
Public data is information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data, while subject to FRSecure Sample disclosure rules, is available to all FRSecure Sample employees and all individuals or entities external to the corporation.
Examples of Public Data include Publicly posted press releases, Publicly available marketing materials, and Publicly posted job announcements. Disclosure of public data must not violate any pre-existing, signed non-disclosure or confidentiality agreements.

Minimum Protection Requirements for Public Data
There are no specific protection requirements for Public Data.

Minimum Labeling Requirements for Public Data
If possible, all Public Data should be marked, regardless of the form it takes. Public Data will be marked using the word “Public” in bold, italicized, black font (i.e. Public). The marking should be placed in the right corner of the document header or footer.
Classifying Data (or Data Classification)
Ownership
• Business Owners
• Data Owners
• System Owners
• Owner responsibilities must be documented and owners must be trained
• Segregation of duties

Classifying Data (or Data Classification)
Data Controllers and Data Processors
• Data controllers create and manage sensitive data within an organization.
• Data processors manage data on behalf of data controllers.
• Data Collection Limitation – organizations should collect the minimum amount of sensitive information necessary; OECD, Collection Limitation Principle – GDPR Individual Rights
Memory and Remanence
Shifting gears a little…
Questions?
How about a joke?
• Data Remanence
• Memory
• Cache Memory; fast and close to CPU
  • Register file (contains multiple registers); registers are small storage locations used by the CPU to store instructions and small amounts of data
  • Level 1 cache; located on the CPU
  • Level 2 cache; connected to (but not on) the CPU
  • SRAM (Static Random Access Memory)

Memory
• RAM (Random Access Memory)
  • Volatile
  • Modules installed in slots on motherboard (traditionally)
• DRAM (Dynamic Random Access Memory)
  • Slower and cheaper
  • Small capacitors to store bits (data)
  • Capacitors leak charge and must be continually refreshed
• SRAM (Static Random Access Memory)
  • Fast and expensive
  • Latches called “flip-flops” to store bits (data)
  • Does not require refreshing

Memory
• ROM (Read Only Memory)
  • Can be used to store firmware; small programs that don’t change much, and configurations
  • PROM (Programmable Read Only Memory) – written to once; usually by the manufacturer
  • EPROM (Erasable Programmable Read Only Memory) – can be “flashed”; usually with ultraviolet light
  • EEPROM (Electrically Erasable Programmable Read Only Memory) – can be “flashed”; electrically
  • PLD (Programmable Logic Device) – field-programmable device; EPROMs, EEPROMs, and Flash Memory are all PLDs

Memory
• Flash Memory
  • Can be a security nightmare
  • Specific type of EEPROM
  • Written in larger sectors (or chunks) than other EEPROMs
  • Faster than other EEPROMs, but slower than magnetic drives
Data Destruction
• Deleting data and/or formatting a hard drive is not a viable/secure method for destroying sensitive information.
• Deleting a file only removes the entry from the File Allocation Table (FAT) and marks the block as “unallocated”. The data is still there and often times it’s retrievable.
• Reformatting only replaces the old FAT with a new FAT. The data is still there and often times it’s retrievable.
• Data that is left over is called remnant data, or “data remanence”.
• Hundreds of data recovery tools are available; one good resource to check out is ForensicsWiki.org (http://www.forensicswiki.org/wiki/Tools:Data_Recovery)

Data Destruction
Overwriting
• Also called shredding or wiping
• Overwrites the data and removes the FAT entry
• Secure overwriting/wiping overwrites each sector of a hard drive (or media).
• One pass is enough (as long as each sector is overwritten).
• Tools include Darik's Boot And Nuke (DBAN), CBL Data Shredder, HDDErase, KillDisk and others.
• Windows built-in cipher command.
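To make the delete/format/overwrite distinction above concrete, here is an added example that is not from the slides and is not a real file system: it simulates a tiny block device with a FAT-style allocation table. ToyDisk, its methods, the remanence_demo walk-through and the sample payroll record are all constructed for this illustration. It shows that delete and quick-format only touch the table while a recovery-style raw-sector scan (carve) still finds the data, that writing a new file does not necessarily reuse the freed blocks, and that a single overwrite pass of every sector is what actually removes it.

```python
"""A toy block device with a FAT-style allocation table, constructed to show why
deleting or formatting leaves remnant data and a one-pass overwrite of every
sector does not. Not a real file system; all names and data are made up."""
from __future__ import annotations

BLOCK_SIZE = 16  # bytes per sector in this toy device


class ToyDisk:
    def __init__(self, n_blocks: int = 8) -> None:
        self.blocks = bytearray(n_blocks * BLOCK_SIZE)  # the raw sectors
        self.free = list(range(n_blocks))               # block numbers marked unallocated
        self.fat: dict[str, list[int]] = {}            # file name -> blocks it occupies

    def write_file(self, name: str, data: bytes) -> None:
        """Allocate enough free blocks and copy the data into them."""
        needed = -(-len(data) // BLOCK_SIZE)            # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        chain = [self.free.pop(0) for _ in range(needed)]
        for i, block in enumerate(chain):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start = block * BLOCK_SIZE
            self.blocks[start:start + len(chunk)] = chunk
        self.fat[name] = chain

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the FAT entry and mark its blocks unallocated.
        Nothing is written to the sectors, so the bytes are still there."""
        self.free.extend(self.fat.pop(name))

    def quick_format(self) -> None:
        """Reformat: replace the old FAT with an empty one. The sectors are untouched."""
        self.fat = {}
        self.free = list(range(len(self.blocks) // BLOCK_SIZE))

    def wipe(self, pattern: bytes = b"\x00") -> None:
        """Secure overwrite: one pass over every sector, allocated or not."""
        self.quick_format()
        repeats = len(self.blocks) // len(pattern) + 1
        self.blocks[:] = (pattern * repeats)[:len(self.blocks)]

    def carve(self, needle: bytes) -> list[int]:
        """What a data-recovery tool does: scan the raw sectors and ignore the FAT."""
        return [i for i in range(len(self.blocks) - len(needle) + 1)
                if self.blocks[i:i + len(needle)] == needle]


def remanence_demo() -> dict[str, bool]:
    """Walk one record through delete, reuse, format and wipe; report what a carve finds."""
    disk = ToyDisk()
    needle = b"123-45-6789"                               # constructed sample SSN
    disk.write_file("payroll.txt", b"SSN " + needle + b" CONFIDENTIAL")
    disk.delete("payroll.txt")
    listed_after_delete = "payroll.txt" in disk.fat
    found_after_delete = bool(disk.carve(needle))
    # A new file takes the next free block, not necessarily the freed ones,
    # so the remnant survives ordinary use of the disk.
    disk.write_file("notes.txt", b"nothing to see here")
    found_after_reuse = bool(disk.carve(needle))
    disk.quick_format()
    found_after_format = bool(disk.carve(needle))
    disk.wipe()
    found_after_wipe = bool(disk.carve(needle))
    return {
        "listed_after_delete": listed_after_delete,
        "found_after_delete": found_after_delete,
        "found_after_reuse": found_after_reuse,
        "found_after_format": found_after_format,
        "found_after_wipe": found_after_wipe,
    }


if __name__ == "__main__":
    for step, found in remanence_demo().items():
        print(f"{step:>20}: {found}")
```

The carve method is the whole point: a recovery tool never consults the allocation table, so the only state that matters for remanence is what is physically in the sectors, which is why the slides say one pass over every sector is enough and that deleting or formatting is not acceptable for Confidential Data.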
Data Destruction
Degaussing
• Destroys the integrity of magnetic media using a strong magnetic field
• Most often destroys the media itself, not just the data

Data Destruction
Destruction (Physical)
• The most secure method of destroying data.
• Physical destruction of the media.
• Incineration, pulverization, shredding, and acid.
• A hammer to the spindle works, and so does a rifle.
• Pretty cheap nowadays. Look for a National Association of Information Destruction (NAID) certified vendor and get a certificate of destruction.
• Onsite vs. offsite

Data Destruction
Shredding
• Most people think of paper.
• Strip-cut vs. Cross-cut
• A determined attacker can defeat (maybe)
• Easy to audit
• Many breaches attributed to poor document disposal
• Dumpster diving

Certification and Accreditation
• Two related but entirely different terms.
• Certification is the validation that certain (owner-specified) security requirements have been met.
• Accreditation is a formal acceptance of the certification by the owner.
• In an ideal world, certification and accreditation would be required before production deployment.
Determining Data Security Controls - Standards and Control Frameworks
PCI-DSS
• PCI-DSS only applies to the Cardholder Data Environment (CDE), so scope is really important
• Core principles of the PCI-DSS include:
  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy
• Version 3.2 released (April, 2016), see https://www.pcisecuritystandards.org/security_standards/index.php
• Major breaches include Target, Home Depot, Heartland Systems, Dairy Queen, etc.

OCTAVE®
• Operationally Critical Threat, Asset, and Vulnerability Evaluation(sm)
• Risk management framework developed by Carnegie Mellon University (see: http://www.cert.org/resilience/products-services/octave/)
• Three phase process for managing risk (latest version actually has four, but for the test three is good):
  • Phase 1 – staff knowledge, assets and threats
  • Phase 2 – identify vulnerabilities and evaluate safeguards (or controls)
  • Phase 3 – risk analysis and risk mitigation strategy

ISO 17799 and 27000 Series
• Broad and flexible information security standards maintained by the International Organization for Standardization (ISO) – based in Geneva
• Derived from the British Standard (BS) 7799 Part 1, renamed to ISO/IEC 27001 to align with the 27000 series of standards.
• There are more than 30 ISO/IEC 27000 standards, the main ones being:
  • ISO 27001 (Information technology - Security Techniques)
  • ISO 27002 (Code of practice for information security management)
  • ISO 27005 (Information security risk management)
  • ISO 27799 (Information security management in health using ISO/IEC 27002)
• ISO 27002:2005 is mentioned in the book as the latest; however, ISO 27002:2013 is actually the latest
• Copyrighted and licensed standard
• See: http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
COBIT
• Control Objectives for Information and related Technology, current
version is v5
• Developed and maintained by the Information Systems Audit and
Control Association (ISACA; www.isaca.org)
• 34 Information Technology Processes across four domains
• Four domains:
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
CISSP® MENTOR PROGRAM – SESSION THREE
61
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Standards and Control Frameworks
ITIL
• Information Technology Infrastructure Library
• Best services in IT Service Management (ITSM)
• See: www.itil-officialsite.com
• Five “Service Management Practices – Core Guidance” publications:
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement
CISSP® MENTOR PROGRAM – SESSION THREE
62
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Standards and Control Frameworks
NIST CSF
• National Institute of Standards and Technology (NIST) Cybersecurity
Framework (CSF)
• Probably not testable, but certainly applicable
• Result of Executive Order (EO) 13686, Improving Critical
Infrastructure Cybersecurity
• Gaining in popularity. See: http://www.nist.gov/cyberframework/
• Core, Implementation Tiers, and Framework Profile
• Core is comprised of five Functions (Identify, Protect, Detect,
Respond, and Recover), Categories, and Subcategories
• Major frameworks and standards are represented
• Voluntary
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Standards and Control Frameworks
NIST SP 800-53
• Not mentioned in the book yet, but this is a big deal for
FISMA and government systems.
• Usually goes hand-in-hand with FIPS 199, FIPS 200, and
NIST SP 800-60
• Just mentioning now, more later
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Standards and Control Frameworks
• Rule of thumb… If I cannot be assured of physical
security, I should consider encryption.
• Data in transit – if I cannot be assured of physical security
(routers, switches, firewalls, transmission media, etc.), I
should consider encryption
• Data at rest – if I cannot be assured of physical security
(flash drives, laptops, poorly secured datacenters,
insecure office spaces, backup tapes, etc.), I should
consider encryption
• Encryption is your friend!
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Protecting Data in Motion & Data at
Rest Encryption and Physical Security
Questions?
DOMAIN 2: ASSET SECURITY
That does it for Chapter 3 – Domain 2: Asset Security
Ready for Chapter 4 – Domain 3: Security
Engineering?
DOMAIN 3 SECURITY ENGINEERING
Engineering and Management of Security
Easy chapter…
• Security Models
• Evaluation Methods, Certification and Accreditation
• Secure System Design Concepts
• Secure Hardware Architecture
• Secure Operating System and Software Architecture
• Virtualization and Distributed Computing
• System Vulnerabilities, Threats and Countermeasures
Formerly separate domains: Security Architecture, Cryptography, and Physical Security
DOMAIN 3 SECURITY ENGINEERING
Agenda – Domain 3: Security Engineering
We will take three classes to get through this domain…
LONG chapter; starting on page 103
• Asymmetric Encryption - encryption that uses two keys: if you
encrypt with one you may decrypt with the other
• Hash Function - one-way encryption using an algorithm and no
key
• Hypervisor - Allows multiple virtual operating system guests to
run on one host
• Mantrap - A preventive physical control with two doors. Each
door requires a separate form of authentication to open
• Tailgating - Following an authorized person into a building
without providing credentials
• TCSEC - Trusted Computer System Evaluation Criteria, also
known as the Orange Book
• Symmetric Encryption - encryption that uses one key to encrypt
and decrypt
DOMAIN 3 SECURITY ENGINEERING
Terms and Definitions to Memorize
• What subjects and objects are
permitted to do (within a model or
framework)
• Subject (often a user)
• Object (a resource)
• Managing relationship between
subject and object is access control
• Understand concepts of read up, read
down, write up, write down
DOMAIN 3 SECURITY ENGINEERING
Security Models
• Discretionary access control (DAC)
• Defined in the Trusted Computer System Evaluation Criteria
(TCSEC); Orange Book
• Means of restricting access to objects based on the identity of
subjects and/or groups to which they belong
• A subject with a certain access permission is capable of passing
that permission (perhaps indirectly) on to any other subject
• Mandatory access control (MAC)
• Type of access control where the operating system constrains
the ability of a subject to access or perform some sort of
operation on an object
• Authorization rule enforced by the operating system kernel
• Security policy is centrally controlled by a security policy
administrator
DOMAIN 3 SECURITY ENGINEERING
Security Models
• Rule-based access control (RBAC)
• Access is allowed or denied to objects based on a set of rules
defined by a system administrator
• Access properties are stored in Access Control Lists (ACL)
associated with each object
• Role-based access control (also RBAC)
• Also known as Non-discretionary Access Control
• Assigns permissions to particular roles in an organization
DOMAIN 3 SECURITY ENGINEERING
Security Models
Understand the Fundamental Concepts of Security
Models
• State Machine Model
• Bell-LaPadula Model
• Lattice-Based Access Controls
• Biba Model
• Clark-Wilson Model
• Information Flow Model
• Brewer and Nash Model (aka Chinese Wall)
• Take-Grant Model
• Access Control Matrix
• Zachman Framework for Enterprise Architecture
• Graham-Denning Model
• Harrison-Ruzzo-Ullman Model
DOMAIN 3 SECURITY ENGINEERING
Security Models
State Machine Model
• State of a machine is captured in order to verify the security of a
system
• State consists of all current permissions and all current instances of
subjects accessing the objects. If the subject can access objects only
by means that are concurrent with the security policy, the system is
secure
• Always secure no matter what state it is in
• Finite state machine (FSM)
• State transition
• Secure state machine
• The basis for most other security models
DOMAIN 3 SECURITY ENGINEERING
Security Models
Bell-LaPadula Model
• Originally developed for the U.S. Department of Defense
• Focused on maintaining the confidentiality of objects
• Two Access Rules:
• Simple Security Property – no read up
• * Security Property (“Star” Security Property) – no write down
• Two Object Label Rules:
• Strong Tranquility Property - security labels will not change while
the system is operating
• Weak Tranquility Property - security labels will not change in a way
that conflicts with defined security properties
DOMAIN 3 SECURITY ENGINEERING
Security Models
Lattice-Based Access Controls
• Security controls for complex environments
• For every relationship between a subject and an object, there are
defined upper and lower access limits implemented by the
system
• Subjects have a Least Upper Bound (LUB) and Greatest Lower
Bound (GLB) of access to the objects based on their lattice
position
• A security lattice model combines multilevel and multilateral
security
DOMAIN 3 SECURITY ENGINEERING
Security Models
Biba Model
• Developed after Bell-LaPadula model
• Focused on maintaining the integrity of objects
• Uses a lattice of integrity levels unlike Bell-LaPadula
which uses a lattice of security levels
• Two primary rules
• Simple Integrity Axiom – no read down
• * Integrity Axiom (“Star” Integrity Axiom) – no write up
• Essentially the reverse of Bell-LaPadula
DOMAIN 3 SECURITY ENGINEERING
Security Models
Clark-Wilson Model
• Real-world integrity model
• Requires subjects to access objects via programs
• Programs have specific limitations to what they can and cannot
do to objects
• Two primary concepts
• Well-Formed Transactions - ability to enforce control over
applications; comprised of the “access control triple”: user,
transformation procedure (TP, the well-formed transaction), and
constrained data item (CDI, data that requires integrity). Integrity
verification procedures (IVPs) ensure that data are kept in a valid
state
• Separation of Duties - ensures that authorized users do not change
data in an inappropriate way
DOMAIN 3 SECURITY ENGINEERING
Security Models
Separation of duties and transformation procedures.
1) Authorized access and
2) Modification only in an authorized manner
Information Flow Model
• In this model, data is thought of as being held in
individual discrete compartments
• Information is compartmentalized based on two
factors; classification and need to know
• Subject clearance has to dominate the object
classification, and the subject security profile must
contain one of the categories listed in the object
label, which enforces need to know
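As an added example (not from the slides or the book the class follows), here is a small Python reference monitor over a lattice of labels that enforces the Bell-LaPadula and Biba rules from the slides above plus the need-to-know check from the Information Flow slide; the levels, categories and labels are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical classification levels (constructed for the example)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A lattice label: a level plus a set of non-hierarchical categories."""
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering: at least as high a level AND a superset of categories.
        # Two labels with disjoint categories are incomparable (neither dominates).
        return self.level >= other.level and self.categories >= other.categories


# Bell-LaPadula (confidentiality): the subject label is a clearance.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple Security Property: no read up (subject must dominate object)."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """* Security Property: no write down (object must dominate subject)."""
    return obj.dominates(subject)


# Biba (integrity): the same label type, now read as an integrity level.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple Integrity Axiom: no read down (object must dominate subject)."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """* Integrity Axiom: no write up (subject must dominate object)."""
    return subject.dominates(obj)


def need_to_know(subject: Label, obj: Label) -> bool:
    """Information Flow slide rule: the subject's profile must hold at least one
    category listed on the object label (objects with no categories need none)."""
    return not obj.categories or bool(subject.categories & obj.categories)


MODELS = {
    "blp": (blp_can_read, blp_can_write),
    "biba": (biba_can_read, biba_can_write),
}


def reference_monitor(model: str, op: str, subject: Label, obj: Label) -> bool:
    """Mediate one access: True only if the chosen model allows it.
    For BLP reads the need-to-know check is applied on top of the lattice rule."""
    can_read, can_write = MODELS[model]
    if op == "read":
        allowed = can_read(subject, obj)
    elif op == "write":
        allowed = can_write(subject, obj)
    else:
        raise ValueError(f"unknown operation {op!r}")
    if model == "blp" and op == "read":
        allowed = allowed and need_to_know(subject, obj)
    return allowed


def demo() -> dict:
    """Constructed labels showing read up / write down / incomparable cases."""
    analyst = Label(Level.SECRET, frozenset({"NUCLEAR"}))
    memo = Label(Level.CONFIDENTIAL)                          # below the analyst
    plan = Label(Level.TOP_SECRET, frozenset({"NUCLEAR"}))    # above the analyst
    cipher = Label(Level.SECRET, frozenset({"CRYPTO"}))       # same level, other category
    return {
        "blp_read_down": reference_monitor("blp", "read", analyst, memo),           # True
        "blp_write_down": reference_monitor("blp", "write", analyst, memo),         # False
        "blp_read_up": reference_monitor("blp", "read", analyst, plan),             # False
        "blp_write_up": reference_monitor("blp", "write", analyst, plan),           # True
        "blp_incomparable_read": reference_monitor("blp", "read", analyst, cipher),   # False
        "blp_incomparable_write": reference_monitor("blp", "write", analyst, cipher), # False
        "biba_read_down": reference_monitor("biba", "read", analyst, memo),         # False
        "biba_write_down": reference_monitor("biba", "write", analyst, memo),       # True
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {'ALLOW' if decision else 'DENY'}")
```

The incomparable case is the one the bullet lists hide: two labels at the same level but with different categories allow neither reading nor writing in either direction.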
DOMAIN 3 SECURITY ENGINEERING
Security Models
Brewer and Nash Model (aka Chinese Wall)
• Designed to avoid conflicts of interest by prohibiting one
person, such as a consultant, from accessing multiple conflict of
interest categories (CoIs)
• Provides access controls that can change dynamically depending
upon a user’s previous actions
• Model states that a subject can write to an object if, and only if,
the subject cannot read another object that is in a different data
set
• Initially designed to address the risks inherent with employing
consultants working within banking and financial institutions
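An added example (not from the slides) of the Brewer and Nash rules in Python: a consultant's reads are recorded, and the wall moves so that competing datasets in the same conflict-of-interest class become unreadable. The company names and the use of the subject's read history as its readable set are constructed assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obj:
    """An object in a company dataset inside a conflict-of-interest class."""
    name: str
    dataset: str             # e.g. "BankA": all of one company's data
    coi_class: str           # e.g. "Banks": datasets that compete with each other
    sanitized: bool = False  # public/sanitized data sits outside the wall


@dataclass
class ChineseWall:
    """Brewer-Nash reference monitor. Rights depend on what each subject
    has already read (its history), so they change dynamically."""
    history: dict = field(default_factory=dict)  # subject -> {(dataset, coi)}

    def can_read(self, subject: str, obj: Obj) -> bool:
        """Simple rule: S may read O unless S already read a *different* dataset
        in O's conflict-of-interest class (sanitized objects are always readable)."""
        if obj.sanitized:
            return True
        for dataset, coi in self.history.get(subject, set()):
            if coi == obj.coi_class and dataset != obj.dataset:
                return False
        return True

    def read(self, subject: str, obj: Obj) -> bool:
        """Perform a read; on success the access is recorded and the wall moves."""
        if not self.can_read(subject, obj):
            return False
        if not obj.sanitized:
            self.history.setdefault(subject, set()).add((obj.dataset, obj.coi_class))
        return True

    def can_write(self, subject: str, obj: Obj) -> bool:
        """* rule as stated on the slide: S may write O only if S can read O and
        cannot read any unsanitized object in a different dataset. The readable
        set is approximated by S's recorded history (assumption of this example),
        so a consultant who has read two companies' data can write to neither."""
        if not self.can_read(subject, obj):
            return False
        return all(dataset == obj.dataset
                   for dataset, _ in self.history.get(subject, set()))


def demo() -> dict:
    """Constructed scenario: consultants advising competing banks."""
    bank_a = Obj("loan-book", "BankA", "Banks")
    bank_b = Obj("loan-book", "BankB", "Banks")
    oil_x = Obj("drilling-plan", "OilX", "Oil")
    public = Obj("annual-report", "BankB", "Banks", sanitized=True)
    wall = ChineseWall()
    out = {}
    out["first_read_bank_a"] = wall.read("alice", bank_a)            # True
    out["then_read_bank_b"] = wall.can_read("alice", bank_b)         # False: conflict
    out["bank_b_sanitized"] = wall.can_read("alice", public)         # True
    out["other_coi_class"] = wall.read("alice", oil_x)               # True: Oil != Banks
    out["write_bank_a_after_oil"] = wall.can_write("alice", bank_a)  # False: OilX data could flow into BankA
    wall.read("bob", bank_a)
    out["bob_write_bank_a"] = wall.can_write("bob", bank_a)          # True
    out["bob_write_oil"] = wall.can_write("bob", oil_x)              # False
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {'ALLOW' if decision else 'DENY'}")
```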
DOMAIN 3 SECURITY ENGINEERING
Security Models
Noninterference Models
• Model ensures that any actions that take place at a
higher security level do not affect, or interfere with,
actions that take place at a lower level
• Not concerned with the flow of data, but rather with
what a subject knows about the state of the system
• Addresses the inference attack that occurs when
someone has access to some type of information and
can infer (guess) something that he does not have the
clearance level or authority to know.
• Covert Channel – policy violation hidden from the
system owner
DOMAIN 3 SECURITY ENGINEERING
Security Models
Take-Grant Model
• Contains rules that govern the interactions between subjects and
objects, and permissions subjects can grant to other subjects
• Two rights occur in every instance of the model: take and grant
• Rules include take, grant, create, and remove
• take rule allows a subject to take rights of another object (add an
edge originating at the subject)
• grant rule allows a subject to grant own rights to another object (add
an edge terminating at the subject)
• create rule allows a subject to create new objects (add a vertex and
an edge from the subject to the new vertex)
• remove rule allows a subject to remove rights it has over another
object (remove an edge originating at the subject)
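An added Python example (not from the slides) of the four Take-Grant rules on a protection graph, used for the question the model exists to answer: can a right reach a subject that holds no edge to the object at the start? Vertex names and rights are constructed for illustration.

```python
from collections import defaultdict


class TakeGrant:
    """Protection graph for the Take-Grant model. Vertices are subjects or
    objects; a directed edge x -> y is labelled with the rights x holds over y.
    't' (take) and 'g' (grant) are the two special rights that drive the rules;
    'r' and 'w' are ordinary rights used in the demo."""

    def __init__(self):
        self.edges = defaultdict(set)   # (src, dst) -> set of rights
        self.vertices = set()

    def add_right(self, src: str, dst: str, right: str) -> None:
        """Set up the initial protection state (not one of the four rules)."""
        self.vertices.update((src, dst))
        self.edges[(src, dst)].add(right)

    def rights(self, src: str, dst: str) -> frozenset:
        return frozenset(self.edges.get((src, dst), set()))

    # --- the four rules; each returns True only if it was legally applied ---
    def take(self, x: str, y: str, z: str, right: str) -> bool:
        """take: x holds 't' over y and y holds `right` over z, so x may add
        an edge x -> z carrying `right` (edge originates at the subject)."""
        if "t" in self.rights(x, y) and right in self.rights(y, z):
            self.edges[(x, z)].add(right)
            return True
        return False

    def grant(self, x: str, y: str, z: str, right: str) -> bool:
        """grant: x holds 'g' over y and `right` over z, so x may give y
        that right over z (new edge y -> z)."""
        if "g" in self.rights(x, y) and right in self.rights(x, z):
            self.edges[(y, z)].add(right)
            return True
        return False

    def create(self, x: str, new: str, rights: set) -> bool:
        """create: x adds a new vertex and an edge x -> new carrying `rights`."""
        if new in self.vertices or x not in self.vertices:
            return False
        self.vertices.add(new)
        self.edges[(x, new)].update(rights)
        return True

    def remove(self, x: str, z: str, right: str) -> bool:
        """remove: x drops `right` from its own edge x -> z."""
        if right in self.rights(x, z):
            self.edges[(x, z)].discard(right)
            return True
        return False


def demo() -> dict:
    """Constructed graph: 'carol' starts with no edge to 'payroll'."""
    g = TakeGrant()
    g.add_right("alice", "payroll", "r")   # alice can read the payroll object
    g.add_right("alice", "bob", "g")       # alice may grant rights to bob
    g.add_right("carol", "bob", "t")       # carol may take rights from bob
    out = {}
    out["carol_direct_take"] = g.take("carol", "alice", "payroll", "r")   # False: no 't' over alice
    out["alice_grants_bob"] = g.grant("alice", "bob", "payroll", "r")     # True
    out["carol_takes_from_bob"] = g.take("carol", "bob", "payroll", "r")  # True
    out["carol_reads_payroll"] = "r" in g.rights("carol", "payroll")      # True: the right has flowed
    out["alice_creates_notes"] = g.create("alice", "notes", {"r", "w"})   # True
    out["bob_removes_r"] = g.remove("bob", "payroll", "r")                # True
    out["carol_still_reads"] = "r" in g.rights("carol", "payroll")        # True: take copied the right
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

The last two steps make the point an access control matrix alone does not: once a right has been taken, removing it from the intermediate edge does not revoke the copy.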
DOMAIN 3 SECURITY ENGINEERING
Security Models
Access Control Matrix
• Commonly used in OS and applications
• Table that defines access permissions between
specific subjects and objects
DOMAIN 3 SECURITY ENGINEERING
Security Models
Zachman Framework
for Enterprise
Architecture
• Six frameworks for
providing information
security, asking what,
how, where, who, when,
and why
DOMAIN 3 SECURITY ENGINEERING
Security Models
Graham-Denning Model
• Defines a set of basic rights in terms of commands that a specific
subject can execute on an object
• Three parts; objects, subjects, and rules; focus on the eight (8)
rules:
• R1: Transfer Access
• R2: Grant Access
• R3: Delete Access
• R4: Read Object
• R5: Create Object
• R6: Destroy Object
• R7: Create Subject
• R8: Destroy Subject
DOMAIN 3 SECURITY ENGINEERING
Security Models
Modes of Operation
• There are four (4) modes of system/access control
operation:
1. Dedicated:
• Only one classification (label) for all objects in the system
• Subject must possess a clearance equal or greater than the
system label
• Subjects must have 1) appropriate clearance, 2) formal
access approval, and 3) a need to know for all the objects in
the system
DOMAIN 3 SECURITY ENGINEERING
Security Models
Modes of Operation
• There are four (4) modes of system/access control
operation:
2. System High:
• System contains objects of mixed labels
• Subjects must possess a clearance equal to (or greater than)
the highest object label
DOMAIN 3 SECURITY ENGINEERING
Security Models
Modes of Operation
• There are four (4) modes of system/access control
operation:
3. Compartmented:
• Objects are placed into “compartments”
• Subjects must have a formal (system-enforced) need to know
to access data in compartment
• All subjects must have:
• 1) Signed NDA for ALL information on the system
• 2) clearance for ALL information on the system
• 3) formal access approval for SOME objects on the
system, and
• 4) valid need to know for SOME objects on the system
DOMAIN 3 SECURITY ENGINEERING
Security Models
Modes of Operation
• There are four (4) modes of system/access control
operation:
4. Multilevel:
• System contains objects of varying labels
• Subjects with varying clearances can access the system
• Reference Monitor mediates access between subjects
and objects
• All subjects must have 1) Signed NDA for ALL information on
the system, 2) clearance for SOME information on the
system, 3) formal access approval for SOME objects on the
system, and 4) valid need to know for SOME objects on the
system
DOMAIN 3 SECURITY ENGINEERING
Security Models
Trusted Computer System Evaluation Criteria
(TCSEC or Orange Book)
• Developed by the federal government; National
Computer Security Center (NCSC), part of the
National Institute of Standards and Technology
(NIST), and the National Security Agency (NSA)
• Developed in 1983 as part of the Rainbow Series
• One of the 1st evaluation frameworks
• Now used as part of U.S. Government Protection
Profiles within the International Common Criteria
framework
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
Trusted Computer System Evaluation Criteria
(TCSEC or Orange Book)
• Download here http://csrc.nist.gov/publications/history/dod85.pdf
• Division D is the lowest form of security, and A is the highest:
• D: Minimal Protection
• C: Discretionary Protection
• C1: Discretionary Security Protection
• C2: Controlled Access Protection
• B: Mandatory Protection
• B1: Labeled Security Protection
• B2: Structured Protection
• B3: Security Domains
• A: Verified Protection
• A1: Verified Design
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
Trusted Network Interpretation (TNI)/Red Book
• Sort of like the Orange Book for network systems
• Can download it here
http://ftp.fas.org/irp/nsa/rainbow/tg011.htm
• All of the Rainbow Books can be accessed here
http://ftp.fas.org/irp/nsa/rainbow.htm
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
Information Technology Security Evaluation
Criteria (ITSEC)
• Used extensively in Europe (where it was developed)
• 1st successful international evaluation criteria
• References to the Orange Book, but added:
• F – Functionality
• Q – Effectiveness (part of assurance)
• E – Correctness (also part of assurance)
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
Information Technology Security Evaluation
Criteria (ITSEC)
• Assurance correctness ratings range from E0 (inadequate) to E6
(formal model of security policy)
• Functionality ratings include TCSEC-equivalent ratings (F-C1,
F-C2, etc.)
• The equivalent ITSEC/TCSEC ratings are:
• 0: D
• F-C1,E1: C1
• F-C2,E2: C2
• F-B1,E3: B1
• F-B2,E4: B2
• F-B3,E5: B3
• F-B3,E6: A1
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
Additional functionality ratings include:
• F-IN: High integrity requirements
• AV: High availability requirements
• DI: High integrity requirements for networks
• DC: High confidentiality requirements for networks
• DX: High integrity and confidentiality requirements for networks
International Common Criteria (“Common
Criteria”)
• Internationally agreed upon standard for describing and testing
the security of IT products
• Primary objective of the Common Criteria is to eliminate known
vulnerabilities of the target for testing
• Terms:
• Target of Evaluation (TOE): the system or product that is being
evaluated
• Security Target (ST): the documentation describing the TOE
• Protection Profile (PP): an independent set of security requirements
and objectives for a specific category of products or systems
• Evaluation Assurance Level (EAL): the evaluation score of the
tested product or system
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
International Common Criteria (“Common
Criteria”)
• There are seven (7) Levels of Evaluation (EALs):
• EAL1: Functionally tested
• EAL2: Structurally tested
• EAL3: Methodically tested and checked
• EAL4: Methodically designed, tested, and reviewed
• EAL5: Semi-formally designed, and tested
• EAL6: Semi-formally verified, designed, and tested
• EAL7: Formally verified, designed, and tested
• Latest version of Common Criteria (July 2009, Version 3.1,
Rev.3);
http://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R3.pdf
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
STOP!!! THAT’S ENOUGH ALREADY!
• Yes it is…
• We’ll continue from here on Wednesday.
• Please spend time reading Chapters 1 - 3, if you haven’t
already.
• If you have time to delve into Chapter 4, please do so.
• Please come with questions on Wednesday (4/17). We
will recap some of today’s material and cover questions in
the next class.
DOMAIN 3 SECURITY ENGINEERING
STOP!!! THAT’S ENOUGH ALREADY!
Looking ahead, we won’t have class next
Monday (4/22). It’s our first break.
Common Sense Security Framework
 
The Security Director's Practical Guide to Cyber Security
The Security Director's Practical Guide to Cyber SecurityThe Security Director's Practical Guide to Cyber Security
The Security Director's Practical Guide to Cyber Security
 
Cisa domain 1
Cisa domain 1 Cisa domain 1
Cisa domain 1
 
20180528 reflex presentation
20180528 reflex presentation20180528 reflex presentation
20180528 reflex presentation
 
Designing Learning Solutions for Results (Cammy Bean & Ashley Reardon) #DevLearn
Designing Learning Solutions for Results (Cammy Bean & Ashley Reardon) #DevLearnDesigning Learning Solutions for Results (Cammy Bean & Ashley Reardon) #DevLearn
Designing Learning Solutions for Results (Cammy Bean & Ashley Reardon) #DevLearn
 
Briefing the board lessons learned from cisos and directors
Briefing the board lessons learned from cisos and directorsBriefing the board lessons learned from cisos and directors
Briefing the board lessons learned from cisos and directors
 
KnowBe4-Presentation-Overview.pdf
KnowBe4-Presentation-Overview.pdfKnowBe4-Presentation-Overview.pdf
KnowBe4-Presentation-Overview.pdf
 

More from FRSecure

2020 FRSecure CISSP Mentor Program - Class 7
2020 FRSecure CISSP Mentor Program - Class 72020 FRSecure CISSP Mentor Program - Class 7
2020 FRSecure CISSP Mentor Program - Class 7
FRSecure
 
2019 FRSecure CISSP Mentor Program: Class Seven
2019 FRSecure CISSP Mentor Program: Class Seven2019 FRSecure CISSP Mentor Program: Class Seven
2019 FRSecure CISSP Mentor Program: Class Seven
FRSecure
 
2019 FRSecure CISSP Mentor Program: Class Six
2019 FRSecure CISSP Mentor Program: Class Six2019 FRSecure CISSP Mentor Program: Class Six
2019 FRSecure CISSP Mentor Program: Class Six
FRSecure
 
2018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 72018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 7
FRSecure
 
2018 FRSecure CISSP Mentor Program- Session 5
2018 FRSecure CISSP Mentor Program-  Session 52018 FRSecure CISSP Mentor Program-  Session 5
2018 FRSecure CISSP Mentor Program- Session 5
FRSecure
 
2018 FRecure CISSP Mentor Program- Session 4
2018 FRecure CISSP Mentor Program- Session 42018 FRecure CISSP Mentor Program- Session 4
2018 FRecure CISSP Mentor Program- Session 4
FRSecure
 

More from FRSecure (6)

2020 FRSecure CISSP Mentor Program - Class 7
2020 FRSecure CISSP Mentor Program - Class 72020 FRSecure CISSP Mentor Program - Class 7
2020 FRSecure CISSP Mentor Program - Class 7
 
2019 FRSecure CISSP Mentor Program: Class Seven
2019 FRSecure CISSP Mentor Program: Class Seven2019 FRSecure CISSP Mentor Program: Class Seven
2019 FRSecure CISSP Mentor Program: Class Seven
 
2019 FRSecure CISSP Mentor Program: Class Six
2019 FRSecure CISSP Mentor Program: Class Six2019 FRSecure CISSP Mentor Program: Class Six
2019 FRSecure CISSP Mentor Program: Class Six
 
2018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 72018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 7
 
2018 FRSecure CISSP Mentor Program- Session 5
2018 FRSecure CISSP Mentor Program-  Session 52018 FRSecure CISSP Mentor Program-  Session 5
2018 FRSecure CISSP Mentor Program- Session 5
 
2018 FRecure CISSP Mentor Program- Session 4
2018 FRecure CISSP Mentor Program- Session 42018 FRecure CISSP Mentor Program- Session 4
2018 FRecure CISSP Mentor Program- Session 4
 

Recently uploaded

JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 

Recently uploaded (20)

JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 

2019 FRSecure CISSP Mentor Program: Class Three

Slide 6: GETTING GOING…
Qualitative & Quantitative Risk Analysis
• Quantitative – based on real values; dollars. Pure quantitative analysis is nearly impossible (lack of data).
• Asset Value (AV) – Fair market value for an asset
• Exposure Factor (EF) – % of asset lost during an incident (threat occurrence)
• Single Loss Expectancy (SLE) – AV x EF
• Annual Rate of Occurrence (ARO) – How many times a bad thing is expected/year.
• Annualized Loss Expectancy (ALE) – SLE x ARO
If ALE exceeds Total Cost of Ownership (TCO), there is a positive Return on Investment (ROI), or Return on Security Investment (ROSI).
Slide 7: GETTING GOING…
Risk Choices
There are only four; risk acceptance criteria should be documented. Risk decisions should ALWAYS be made by management, NOT information security.
• Accept – the risk is acceptable without additional control or change.
• Mitigate – the risk is unacceptable (too high) and requires remediation.
• Transfer – the risk can be transferred to someone else; 3rd-party provider, insurance.
• Avoid – the risk will be avoided by discontinuing the action(s) that led to the risk.
Slide 8: GETTING GOING…
Risk Management Process(es)
There are dozens of risk management processes or methodologies.
• United States National Institute of Standards and Technology (NIST) Special Publication 800-30, Risk Management Guide for Information Technology Systems (http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf); nine-step process:
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
Slides 9–10: QUIZ!
1. Which of the following would be an example of a policy statement?
A. Protect PII by hardening servers
B. Harden Windows 7 by first installing the pre-hardened OS image
C. You may create a strong password by choosing the first letter of each word in a sentence and mixing in numbers and symbols
D. Download the CISecurity Windows benchmark and apply it
Slides 11–12: QUIZ!
2. Which of the following steps would be taken while conducting a Qualitative Risk Analysis?
A. Calculate the Asset Value
B. Calculate the Return on Investment
C. Complete the Risk Analysis Matrix
D. Complete the Annualized Loss Expectancy
Slides 13–14: QUIZ!
Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000/month. You have tested this service, and believe it will mitigate the attacks.
3. What is the Annual Rate of Occurrence in the above scenario?
A. $20,000
B. 40%
C. 7
D. $10,000
Slides 15–16: QUIZ!
Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000/month. You have tested this service, and believe it will mitigate the attacks.
4. What is the annualized loss expectancy (ALE) of lost iPod sales due to the DoS attacks?
A. $20,000
B. $8,000
C. $84,000
D. $56,000
Slides 17–18: QUIZ!
Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000/month. You have tested this service, and believe it will mitigate the attacks.
5. Is the DoS mitigation service a good investment?
A. Yes, it will pay for itself
B. Yes, $10,000 is less than the $56,000 Annualized Loss Expectancy
C. No, the annual Total Cost of Ownership is higher than the Annualized Loss Expectancy
D. No, the annual Total Cost of Ownership is lower than the Annualized Loss Expectancy
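The slide 6 formulas (SLE = AV x EF, ALE = SLE x ARO, compare ALE with TCO) worked through on the DoS scenario from quiz questions 3 to 5, as an added Python example that is not code from the deck. The weekly profit, exposure factor, ARO and subscription fee come from the scenario; treating the tested service as fully mitigating (residual loss 0) and the two break-even helpers are my additions.

```python
"""Quantitative risk analysis, worked through on the quiz's DoS scenario.

Added example; not code from the FRSecure deck. The formulas are slide 6's:
SLE = AV x EF, ALE = SLE x ARO, and a control is worth buying when the loss
it removes (ALE) exceeds its Total Cost of Ownership (TCO).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float      # AV: value at stake in one incident (dollars)
    exposure_factor: float  # EF: fraction of AV lost per incident (0..1)
    aro: float              # ARO: expected incidents per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_tco: float  # Total Cost of Ownership per year (fees, staff, hardware)
    residual: float    # fraction of the loss left after the control; 0.0 = fully mitigated (assumption)


def evaluate(scenario: RiskScenario, control: Control) -> dict:
    """Slide 6's test: positive ROSI when the ALE removed exceeds the control's TCO."""
    ale_before = scenario.ale
    ale_after = ale_before * control.residual
    savings = ale_before - ale_after
    return {
        "sle": scenario.sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_tco": control.annual_tco,
        "net_benefit": savings - control.annual_tco,
        "positive_rosi": savings > control.annual_tco,
    }


def break_even_monthly_fee(scenario: RiskScenario, control: Control) -> float:
    """Highest monthly price at which the control still breaks even (my extension)."""
    savings = scenario.ale * (1.0 - control.residual)
    return savings / 12.0


def break_even_aro(scenario: RiskScenario, control: Control) -> float:
    """Incidents per year needed before the control pays for itself (my extension)."""
    saved_per_incident = scenario.sle * (1.0 - control.residual)
    if saved_per_incident <= 0:
        return float("inf")  # a control that saves nothing never breaks even
    return control.annual_tco / saved_per_incident


# Quiz scenario (slides 13-18): $20,000 profit per week, a DoS attack lowers
# sales by 40%, seven attacks a year, mitigation service at $10,000 per month.
DOS_SCENARIO = RiskScenario(asset_value=20_000, exposure_factor=0.40, aro=7)
DOS_SERVICE = Control(name="DoS mitigation subscription", annual_tco=10_000 * 12, residual=0.0)


if __name__ == "__main__":
    for key, value in evaluate(DOS_SCENARIO, DOS_SERVICE).items():
        print(f"{key:>14}: {value}")
    print(f"break-even fee: ${break_even_monthly_fee(DOS_SCENARIO, DOS_SERVICE):,.2f}/month")
    print(f"break-even ARO: {break_even_aro(DOS_SCENARIO, DOS_SERVICE):.1f} attacks/year")
```

Compare the subscription's annual TCO (12 x $10,000) with the ALE it removes; the break-even helpers show how far the fee or the attack rate would have to move before the sign of the decision changes.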
Slides 19–20: QUIZ!
6. An attacker sees a building is protected by security guards, and attacks a building next door with no guards. What control combination are the security guards?
A. Physical/Compensating
B. Physical/Detective
C. Physical/Deterrent
D. Physical/Preventive
Slides 21–22: QUIZ!
7. Which of the following proves an identity claim?
A. Authentication
B. Authorization
C. Accountability
D. Auditing
Piece of cake!
Slide 23: DOMAIN 2: ASSET SECURITY
Protecting Security of Assets
Easy chapter in theory, difficult in practice
Slide 24: DOMAIN 2: ASSET SECURITY
Agenda – Domain 2: Asset Security
Short chapter; starting on page 81
• Classifying Data
• Ownership
• Memory and Remanence
• Data Destruction
• Determining Data Security Controls
Slide 25: DOMAIN 2: ASSET SECURITY
Terms and Definitions to Memorize
• RAM – Random Access Memory, volatile hardware memory that loses integrity after loss of power
• Remanence – Data that persists beyond noninvasive means to delete it.
• Reference Monitor – Mediates all access between subjects and objects
• ROM – Read Only Memory, nonvolatile memory that maintains integrity after loss of power
• Scoping – The process of determining which portions of a standard will be employed by an organization
• SSD – Solid State Drive, a combination of flash memory (EEPROM) and DRAM
• Tailoring – The process of customizing a standard for an organization
Slide 26: DOMAIN 2: ASSET SECURITY
Classifying Data (or Data Classification) – Labels
Objects have labels – Subjects have clearances
• Data classification scheme
• Executive Order 12356 (http://www.archives.gov/federal-register/codification/executive-order/12356.html) – Top Secret, Secret, and Confidential
• Company/Private Sector – Confidential, Internal Use Only, Public
• Security Compartments; documented need to know and clearance
Slide 27: DOMAIN 2: ASSET SECURITY
Classifying Data (or Data Classification) – Clearance
Objects have labels – Subjects have clearances
• Formal approval/authorization to specific levels of information
• Not really used as much in the private sector
• “All About Security Clearances” from the US Department of State; http://www.state.gov/m/ds/clearances/c10978.htm
• Standard Form 86 is a 127-page questionnaire!
Slide 28: DOMAIN 2: ASSET SECURITY
Classifying Data (or Data Classification)
Formal Access Approval
• Documented
• Access requests should be approved by the owner, not the manager and certainly not the custodian (more to follow)
• Approves subject access to certain objects
• Subject must understand all rules and requirements for access
• Best practice is that all access requests and access approvals are auditable
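The rules on slides 25 through 28 (a reference monitor mediates every access; objects carry labels, subjects carry clearances; compartments need a documented need-to-know; access needs the data owner's formal approval and every decision is auditable) expressed as a small reference monitor, as an added Python example that is not the deck's code. The classification order follows the Executive Order 12356 levels cited on slide 26; the subjects, objects, compartment name, approval record and audit record layout are constructed for illustration.

```python
"""A tiny reference monitor for labeled objects and cleared subjects.

Added example, not from the deck. Every access request passes through
check(), which applies the slide 26-28 rules in order and writes an audit
record for the decision, granted or not.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Levels from Executive Order 12356 as cited on slide 26, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Obj:
    name: str
    owner: str                                   # the data owner who may approve access
    level: str                                   # the object's label
    compartments: FrozenSet[str] = frozenset()   # security compartments on the object


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    compartments: FrozenSet[str] = frozenset()   # documented need-to-know


@dataclass(frozen=True)
class Approval:
    subject: str
    obj: str
    approved_by: str        # slide 28: must be the owner, not manager or custodian
    acknowledged_rules: bool  # slide 28: subject understood the access rules


@dataclass
class ReferenceMonitor:
    objects: Dict[str, Obj]
    approvals: List[Approval] = field(default_factory=list)
    audit_log: List[dict] = field(default_factory=list)

    def _owner_approval(self, subject: Subject, obj: Obj) -> Optional[Approval]:
        """A formal approval counts only if the object's owner gave it."""
        for a in self.approvals:
            if (a.subject == subject.name and a.obj == obj.name
                    and a.approved_by == obj.owner and a.acknowledged_rules):
                return a
        return None

    def check(self, subject: Subject, obj_name: str) -> bool:
        """Mediate one access; record the decision and reason for audit."""
        obj = self.objects.get(obj_name)
        reason = "granted"
        if obj is None:
            reason = "no such object"
        elif LEVELS[subject.clearance] < LEVELS[obj.level]:
            reason = "clearance below label"            # no read-up
        elif not obj.compartments <= subject.compartments:
            missing = ",".join(sorted(obj.compartments - subject.compartments))
            reason = "missing compartment need-to-know: " + missing
        elif self._owner_approval(subject, obj) is None:
            reason = "no formal access approval from owner"
        granted = reason == "granted"
        self.audit_log.append({"subject": subject.name, "object": obj_name,
                               "granted": granted, "reason": reason})
        return granted


def demo() -> List[dict]:
    """Constructed scenario: four requests, one granted, three denied for distinct reasons."""
    plans = Obj("ops-plan", owner="alice", level="SECRET", compartments=frozenset({"CRYPTO"}))
    memo = Obj("staff-memo", owner="alice", level="CONFIDENTIAL")
    rm = ReferenceMonitor(objects={o.name: o for o in (plans, memo)})
    bob = Subject("bob", clearance="SECRET", compartments=frozenset({"CRYPTO"}))
    carol = Subject("carol", clearance="TOP SECRET")       # high clearance, no CRYPTO need-to-know
    dave = Subject("dave", clearance="CONFIDENTIAL")
    rm.approvals += [
        Approval("bob", "ops-plan", approved_by="alice", acknowledged_rules=True),
        Approval("carol", "ops-plan", approved_by="alice", acknowledged_rules=True),
        Approval("dave", "staff-memo", approved_by="it-custodian", acknowledged_rules=True),  # custodian, not owner
    ]
    rm.check(bob, "ops-plan")      # granted
    rm.check(carol, "ops-plan")    # denied: clearance high enough, compartment missing
    rm.check(dave, "ops-plan")     # denied: clearance below label
    rm.check(dave, "staff-memo")   # denied: approval did not come from the owner
    return rm.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Note that Carol's Top Secret clearance does not help her: a higher level does not substitute for the compartment need-to-know, which is the point of slide 26's "security compartments" bullet.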
Slide 29: DOMAIN 2: ASSET SECURITY
Classifying Data (or Data Classification)
• Three roles; data owner, data custodian, and data user
• Three classifications; Confidential, Internal Use, and Public
• In real life; easy to document and hard to implement
• Data Classification defines sensitive information → data handling requirements → data storage requirements and in some cases data retention requirements
Slide 30: DOMAIN 2: ASSET SECURITY
Classifying Data (or Data Classification) – Data Classification Policy (Sample)
Data Owner:
• Typically, the person responsible for, or dependent upon the business process associated with an information asset. The Data Owner is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.
• Determines the appropriate value and classification of information generated by the owner or department;
• Must communicate the information classification when the information is released outside of the department and/or organization;
• Controls access to his/her information and must be consulted when access is extended or modified; and
• Must communicate the information classification to the Data Custodian so that the Data Custodian may provide the appropriate levels of protection.
Slide 31: DOMAIN 2: ASSET SECURITY
Classifying Data (or Data Classification) – Data Classification Policy (Sample)
Data Custodian:
• The Data Custodian maintains the protection of data according to the information classification associated to it by the Data Owner.
• The Data Custodian role is delegated by the Data Owner and is usually Information Technology personnel.
Slide 32: DOMAIN 2: ASSET SECURITY
Classifying Data (or Data Classification) – Data Classification Policy (Sample)
Data User:
• The person, organization or entity that interacts with data for the purpose of performing an authorized task. A Data User is responsible for using data in a manner that is consistent with the purpose intended and in compliance with policy.
Slide 33: DOMAIN 2: ASSET SECURITY
Classifying Data (or Data Classification) – Data Classification Policy (Sample)
Confidential Data:
• Information protected by statutes, regulations, company policies or contractual language. Data Owners may also designate data as Confidential.
• Sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only.
• Disclosure to parties outside of the company must be authorized by Executive Management, approved by the Information Security Committee, or be covered by a binding non-disclosure or confidentiality agreement.
• Examples of Confidential Data include Protected Health Information (“PHI”)/Medical records, Financial information, including credit card and account numbers, Social Security Numbers, Personnel and/or payroll records, Any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction, and any data belonging to a customer that may contain personally identifiable information.
  • 34. Minimum Protection Requirements for Confidential Data • When stored in an electronic format must be protected with a minimum level of authentication to include strong passwords, wherever possible. • When stored on mobile devices and media, protections and encryption measures provided through mechanisms approved by organization IT Management must be employed. • Must be stored in a locked drawer, room, or area where access is controlled by a guard, cipher lock, and/or card reader, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know. • Must be encrypted with strong encryption when transferred electronically to any entity outside of the organization (See Encryption Policy). CISSP® MENTOR PROGRAM – SESSION THREE 33 DOMAIN 2: ASSET SECURITY Classifying Data (or Data Classification) - Data Classification Policy (Sample)
  • 35. Minimum Protection Requirements for Confidential Data • When sent via fax, must be sent only to a previously established and used address or one that has been verified as using a secured location • Must not be posted on any public website • Must be destroyed when no longer needed subject to the FRSecure Sample Data Retention Policy. Destruction may be accomplished by: • “Hard Copy” materials must be destroyed by shredding or another approved process that destroys the data beyond either recognition or reconstruction as per the FRSecure Sample Data Destruction and Re-Use Standard. • Electronic storage media that will be re-used must be overwritten according to the FRSecure Sample Data Destruction and Re-Use Standard. • Electronic storage media that will not be re-used must be physically destroyed according to the FRSecure Sample Data Destruction and Re-Use Standard. • Deleting files or formatting the media is NOT an acceptable method of destroying Confidential Data. CISSP® MENTOR PROGRAM – SESSION THREE 34 DOMAIN 2: ASSET SECURITY Classifying Data (or Data Classification) - Data Classification Policy (Sample)
  • 36. Minimum Protection Requirements for Confidential Data The FRSecure Sample Information Security Committee must be notified in a timely manner if data classified as Confidential is lost, disclosed to unauthorized parties or is suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of FRSecure Sample information systems has taken place or is suspected of taking place. CISSP® MENTOR PROGRAM – SESSION THREE 35 DOMAIN 2: ASSET SECURITY Classifying Data (or Data Classification) - Data Classification Policy (Sample)
  • 37. Minimum Labeling Requirements for Confidential Data If possible, all Confidential Data must be marked, regardless of the form it takes. Confidential Data will be marked using the word “Confidential” in bold, italicized, red font (i.e. Confidential). The marking should be placed in the right corner of the document header or footer. CISSP® MENTOR PROGRAM – SESSION THREE 36 DOMAIN 2: ASSET SECURITY Classifying Data (or Data Classification) - Data Classification Policy (Sample)
• 38. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) - Data Classification Policy (Sample)
Internal Data:
Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel designated by the company, who have a legitimate business purpose for accessing such data.
Examples of Internal Data include:
• Employment data
• Business partner information where no more restrictive non-disclosure or confidentiality agreement exists
• Internal directories and organization charts
• Planning documents
• Contracts

• 39. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) - Data Classification Policy (Sample)
Minimum Protection Requirements for Internal Data
• Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure
• Must be protected by a non-disclosure or confidentiality agreement before access is allowed
• Must be stored in a closed container (i.e. file cabinet, closed office, or department where physical controls are in place to prevent disclosure) when not in use
• Must be destroyed when no longer needed, subject to the FRSecure Sample Data Retention Policy. Destruction may be accomplished by:
  • “Hard Copy” materials must be destroyed by shredding or another approved process which destroys the data beyond either recognition or reconstruction, as per the FRSecure Sample Data Destruction and Re-Use Standard.
  • Electronic storage media shall be sanitized appropriately by overwriting or degaussing prior to disposal, as per the FRSecure Sample Data Destruction and Re-Use Standard.
• Is the “default” classification level if one has not been explicitly defined.

• 40. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) - Data Classification Policy (Sample)
Minimum Labeling Requirements for Internal Data
If possible, all Internal Data should be marked, regardless of the form it takes. Internal Data will be marked using the word “Internal” in bold, italicized, blue font (i.e. Internal). The marking should be placed in the right corner of the document header or footer.

• 41. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) - Data Classification Policy (Sample)
Public Data:
Public data is information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data, while subject to FRSecure Sample disclosure rules, is available to all FRSecure Sample employees and all individuals or entities external to the corporation.
Examples of Public Data include:
• Publicly posted press releases
• Publicly available marketing materials
• Publicly posted job announcements
Disclosure of public data must not violate any pre-existing, signed non-disclosure or confidentiality agreements.

• 42. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) - Data Classification Policy (Sample)
Minimum Protection Requirements for Public Data
There are no specific protection requirements for Public Data.
Minimum Labeling Requirements for Public Data
If possible, all Public Data should be marked, regardless of the form it takes. Public Data will be marked using the word “Public” in bold, italicized, black font (i.e. Public). The marking should be placed in the right corner of the document header or footer.

• 43. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification)
Ownership
• Business Owners
• Data Owners
• System Owners
• Owner responsibilities must be documented and owners must be trained
• Segregation of duties

• 44. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification)
Data Controllers and Data Processors
• Data controllers create and manage sensitive data within an organization.
• Data processors manage data on behalf of data controllers.
• Data Collection Limitation – organizations should collect the minimum amount of sensitive information necessary; OECD, Collection Limitation Principle – GDPR Individual Rights

• 45. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification)
Shifting gears a little… Questions? How about a joke?
• 46. DOMAIN 2: ASSET SECURITY – Memory and Remanence
• Data Remanence
• Memory
  • Cache Memory; fast and close to the CPU
  • Register file (contains multiple registers); registers are small storage locations used by the CPU to store instructions and small amounts of data
  • Level 1 cache; located on the CPU
  • Level 2 cache; connected to (but not on) the CPU
  • SRAM (Static Random Access Memory)

• 47. DOMAIN 2: ASSET SECURITY – Memory and Remanence
Memory
• RAM (Random Access Memory)
  • Volatile
  • Modules installed in slots on the motherboard (traditionally)
• DRAM (Dynamic Random Access Memory)
  • Slower and cheaper
  • Small capacitors store bits (data)
  • Capacitors leak charge and must be continually refreshed
• SRAM (Static Random Access Memory)
  • Fast and expensive
  • Latches called “flip-flops” store bits (data)
  • Does not require refreshing

• 48. DOMAIN 2: ASSET SECURITY – Memory and Remanence
Memory
• ROM (Read Only Memory)
  • Can be used to store firmware (small programs that don’t change much) and configurations
• PROM (Programmable Read Only Memory) – written to once; usually by the manufacturer
• EPROM (Erasable Programmable Read Only Memory) – can be “flashed”; usually with ultraviolet light
• EEPROM (Electrically Erasable Programmable Read Only Memory) – can be “flashed”; electrically
• PLD (Programmable Logic Device) – field-programmable device; EPROMs, EEPROMs, and Flash Memory are all PLDs

• 49. DOMAIN 2: ASSET SECURITY – Memory and Remanence
Memory
• Flash Memory
  • Can be a security nightmare
  • Specific type of EEPROM
  • Written in larger sectors (or chunks) than other EEPROMs
  • Faster than other EEPROMs, but slower than magnetic drives

• 50. DOMAIN 2: ASSET SECURITY – Data Destruction
• Deleting data and/or formatting a hard drive is not a viable/secure method for destroying sensitive information.
• Deleting a file only removes the entry from the File Allocation Table (FAT) and marks the block as “unallocated”. The data is still there and often it’s retrievable.
• Reformatting only replaces the old FAT with a new FAT. The data is still there and often it’s retrievable.
• Data that is left over is called remnant data, or “data remanence”.

• 51. DOMAIN 2: ASSET SECURITY – Data Destruction
• Data that is left over is called remnant data, or “data remanence”.
• Hundreds of data recovery tools are available; one good resource to check out is ForensicsWiki.org (http://www.forensicswiki.org/wiki/Tools:Data_Recovery)

• 52. DOMAIN 2: ASSET SECURITY – Data Destruction
Overwriting
• Also called shredding or wiping
• Overwrites the data and removes the FAT entry
• Secure overwriting/wiping overwrites each sector of a hard drive (or media).

• 53. DOMAIN 2: ASSET SECURITY – Data Destruction
Overwriting
• One pass is enough (as long as each sector is overwritten).
• Tools include Darik's Boot And Nuke (DBAN), CBL Data Shredder, HDDErase, KillDisk and others.
• Windows built-in cipher command.
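The delete / format / overwrite distinction from slides 50 to 53, modelled on a tiny in-memory “disk” as an added example (not code from the slides or from any of the tools named): a FAT-style table points at sectors, delete and quick format only touch the table, a one-pass overwrite touches every sector the file used, and a remnant scan is the check a practitioner runs to verify sanitization. The disk, its table and the file contents are all constructed here; nothing touches real media.

```python
"""
Toy model of data remanence: why 'delete' and 'format' leave the bytes
behind while a sector-by-sector overwrite does not. Added example for this
study guide, not code from the slides. The disk, allocation table and file
contents are constructed; nothing here touches real storage.
"""
from __future__ import annotations
import os

SECTOR_SIZE = 16        # bytes per sector (tiny, so a dump stays readable)
SECTOR_COUNT = 8


class ToyDisk:
    """A flat byte array of sectors plus a FAT-like allocation table."""

    def __init__(self) -> None:
        self.media = bytearray(SECTOR_SIZE * SECTOR_COUNT)
        # allocation table: file name -> list of sector numbers it occupies
        self.fat: dict[str, list[int]] = {}

    def _allocated(self) -> set[int]:
        return {s for sectors in self.fat.values() for s in sectors}

    def _free_sectors(self) -> list[int]:
        used = self._allocated()
        return [s for s in range(SECTOR_COUNT) if s not in used]

    def write_file(self, name: str, data: bytes) -> None:
        """Store data in free sectors and record them in the table."""
        needed = -(-len(data) // SECTOR_SIZE)      # ceiling division
        free = self._free_sectors()
        if needed > len(free):
            raise OSError("disk full")
        sectors = free[:needed]
        for i, sector in enumerate(sectors):
            chunk = data[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
            start = sector * SECTOR_SIZE
            self.media[start:start + len(chunk)] = chunk
        self.fat[name] = sectors

    def delete_file(self, name: str) -> None:
        """Ordinary delete: only the table entry goes; the sectors are untouched."""
        del self.fat[name]

    def quick_format(self) -> None:
        """Quick format: a fresh, empty table; the sectors are untouched."""
        self.fat = {}

    def overwrite_file(self, name: str) -> None:
        """Secure delete: one pass over every sector the file occupied, then unlink."""
        for sector in self.fat[name]:
            start = sector * SECTOR_SIZE
            self.media[start:start + SECTOR_SIZE] = os.urandom(SECTOR_SIZE)
        del self.fat[name]

    def wipe_unallocated(self) -> None:
        """Free-space wipe: overwrite every sector no table entry points at."""
        for sector in self._free_sectors():
            start = sector * SECTOR_SIZE
            self.media[start:start + SECTOR_SIZE] = b"\x00" * SECTOR_SIZE

    def remnant_scan(self, marker: bytes) -> list[int]:
        """Sanitization check: unallocated sectors that still carry the marker bytes."""
        allocated = self._allocated()
        hits = []
        for sector in range(SECTOR_COUNT):
            start = sector * SECTOR_SIZE
            if sector not in allocated and marker in self.media[start:start + SECTOR_SIZE]:
                hits.append(sector)
        return hits


def demo_remanence() -> dict[str, list[int]]:
    """Run the disposal methods side by side; each value is the list of remnant sectors."""
    secret = b"CONFIDENTIAL SSN 000-00-0000"    # constructed sample, spans two sectors

    def fresh() -> ToyDisk:
        disk = ToyDisk()
        disk.write_file("payroll.txt", secret)
        return disk

    results = {}
    disk = fresh()
    disk.delete_file("payroll.txt")
    results["delete"] = disk.remnant_scan(b"SSN")        # [0]: still on disk
    disk = fresh()
    disk.quick_format()
    results["format"] = disk.remnant_scan(b"SSN")        # [0]: still on disk
    disk = fresh()
    disk.overwrite_file("payroll.txt")
    results["overwrite"] = disk.remnant_scan(b"SSN")     # []: gone
    disk = fresh()
    disk.delete_file("payroll.txt")
    disk.wipe_unallocated()
    results["delete+wipe"] = disk.remnant_scan(b"SSN")   # []: gone
    return results


if __name__ == "__main__":
    for method, sectors in demo_remanence().items():
        print(f"{method:12s} remnant sectors: {sectors}")
```

The same scan run against unallocated space on real media (with a forensic tool rather than this toy) is how a practitioner checks that a wipe actually reached every sector.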
• 54. DOMAIN 2: ASSET SECURITY – Data Destruction
Degaussing
• Destroys the integrity of magnetic media using a strong magnetic field
• Most often destroys the media itself, not just the data

• 55. DOMAIN 2: ASSET SECURITY – Data Destruction
Destruction (Physical)
• The most secure method of destroying data.
• Physical destruction of the media.
• Incineration, pulverization, shredding, and acid.
• A hammer to the spindle works, and so does a rifle.
• Pretty cheap nowadays. Look for a National Association of Information Destruction (NAID) certified vendor and get a certificate of destruction.
• Onsite vs. offsite

• 56. DOMAIN 2: ASSET SECURITY – Data Destruction
Shredding
• Most people think of paper.
• Strip-cut vs. Cross-cut
• A determined attacker can defeat (maybe)
• Easy to audit
• Many breaches attributed to poor document disposal
• Dumpster diving

• 57. DOMAIN 2: ASSET SECURITY – Certification and Accreditation
• Two related but entirely different terms.
• Certification is the validation that certain (owner-specified) security requirements have been met.
• Accreditation is a formal acceptance of the certification by the owner.
• In an ideal world, certification and accreditation would be required before production deployment.

• 58. DOMAIN 2: ASSET SECURITY – Determining Data Security Controls - Standards and Control Frameworks
PCI-DSS
• PCI-DSS only applies to the Cardholder Data Environment (CDE), so scope is really important
• Core principles of the PCI-DSS include:
  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy
• Version 3.2 released (April, 2016), see https://www.pcisecuritystandards.org/security_standards/index.php
• Major breaches include Target, Home Depot, Heartland Systems, Dairy Queen, etc.

• 59. DOMAIN 2: ASSET SECURITY – Determining Data Security Controls - Standards and Control Frameworks
OCTAVE®
• Operationally Critical Threat, Asset, and Vulnerability Evaluation(sm)
• Risk management framework developed by Carnegie Mellon University (see: http://www.cert.org/resilience/products-services/octave/)
• Three phase process for managing risk (latest version actually has four, but for the test three is good):
  • Phase 1 – staff knowledge, assets and threats
  • Phase 2 – identify vulnerabilities and evaluate safeguards (or controls)
  • Phase 3 – risk analysis and risk mitigation strategy

• 60. DOMAIN 2: ASSET SECURITY – Determining Data Security Controls - Standards and Control Frameworks
ISO 17799 and 27000 Series
• Broad and flexible information security standards maintained by the International Organization for Standardization (ISO) – based in Geneva
• Derived from the British Standard (BS) 7799 Part 1, renamed to ISO/IEC 27001 to align with the 27000 series of standards.
• There are more than 30 ISO/IEC 27000 standards, the main ones being:
  • ISO 27001 (Information technology - Security Techniques)
  • ISO 27002 (Code of practice for information security management)
  • ISO 27005 (Information security risk management)
  • ISO 27799 (Information security management in health using ISO/IEC 27002)

• 61. DOMAIN 2: ASSET SECURITY – Determining Data Security Controls - Standards and Control Frameworks
ISO 17799 and 27000 Series
• ISO 27002:2005 is mentioned in the book as the latest; however, ISO 27002:2013 is actually the latest
• Copyrighted and licensed standard
• See: http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
• 62. DOMAIN 2: ASSET SECURITY – Determining Data Security Controls - Standards and Control Frameworks
COBIT
• Control Objectives for Information and related Technology; current version is v5
• Developed and maintained by the Information Systems Audit and Control Association (ISACA; www.isaca.org)
• 34 Information Technology Processes across four domains
• Four domains:
  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate

• 63. DOMAIN 2: ASSET SECURITY – Determining Data Security Controls - Standards and Control Frameworks
ITIL
• Information Technology Infrastructure Library
• Best practices in IT Service Management (ITSM)
• See: www.itil-officialsite.com
• Five “Service Management Practices – Core Guidance” publications:
  • Service Strategy
  • Service Design
  • Service Transition
  • Service Operation
  • Continual Service Improvement

• 64. DOMAIN 2: ASSET SECURITY – Determining Data Security Controls - Standards and Control Frameworks
NIST CSF
• National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
• Probably not testable, but certainly applicable
• Result of Executive Order (EO) 13686, Improving Critical Infrastructure Cybersecurity
• Gaining in popularity. See: http://www.nist.gov/cyberframework/
• Core, Implementation Tiers, and Framework Profile
• Core is comprised of five Functions (Identify, Protect, Detect, Respond, and Recover), Categories, and Subcategories
• Major frameworks and standards are represented
• Voluntary

• 65. DOMAIN 2: ASSET SECURITY – Determining Data Security Controls - Standards and Control Frameworks
NIST SP 800-53
• Not mentioned in the book yet, but this is a big deal for FISMA and government systems.
• Usually goes hand-in-hand with FIPS 199, FIPS 200, and NIST SP 800-60
• Just mentioning now, more later

• 66. DOMAIN 2: ASSET SECURITY – Determining Data Security Controls - Protecting Data in Motion & Data at Rest: Encryption and Physical Security
• Rule of thumb… If I cannot be assured of physical security, I should consider encryption.
• Data in transit – if I cannot be assured of physical security (routers, switches, firewalls, transmission media, etc.), I should consider encryption
• Data at rest – if I cannot be assured of physical security (flash drives, laptops, poorly secured datacenters, insecure office spaces, backup tapes, etc.), I should consider encryption
• Encryption is your friend!

• 67. DOMAIN 2: ASSET SECURITY
Questions?
That does it for Chapter 3 – Domain 2: Asset Security
Ready for Chapter 4 – Domain 3: Security Engineering?

• 68. DOMAIN 3 SECURITY ENGINEERING – Engineering and Management of Security
Easy chapter…

• 69. DOMAIN 3 SECURITY ENGINEERING – Agenda – Domain 3: Security Engineering
We will take three classes to get through this domain… LONG chapter; starting on page 103
• Security Models
• Evaluation Methods, Certification and Accreditation
• Secure System Design Concepts
• Secure Hardware Architecture
• Secure Operating System and Software Architecture
• Virtualization and Distributed Computing
• System Vulnerabilities, Threats and Countermeasures
Formerly separate domains: Security Architecture, Cryptography, and Physical Security
• 70. DOMAIN 3 SECURITY ENGINEERING – Terms and Definitions to Memorize
• Asymmetric Encryption - encryption that uses two keys: if you encrypt with one you may decrypt with the other
• Hash Function - one-way encryption using an algorithm and no key
• Hypervisor - Allows multiple virtual operating system guests to run on one host
• Mantrap - A preventive physical control with two doors. Each door requires a separate form of authentication to open
• Tailgating - Following an authorized person into a building without providing credentials
• TCSEC - Trusted Computer System Evaluation Criteria, also known as the Orange Book
• Symmetric Encryption - encryption that uses one key to encrypt and decrypt

• 71. DOMAIN 3 SECURITY ENGINEERING – Security Models
• What subjects and objects are permitted to do (within a model or framework)
• Subject (often a user)
• Object (a resource)
• Managing the relationship between subject and object is access control
• Understand the concepts of read up, read down, write up, write down

• 72. DOMAIN 3 SECURITY ENGINEERING – Security Models
• Discretionary access control (DAC)
  • Defined in the Trusted Computer System Evaluation Criteria (TCSEC); Orange Book
  • Means of restricting access to objects based on the identity of subjects and/or groups to which they belong
  • A subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject
• Mandatory access control (MAC)
  • Type of access control where the operating system constrains the ability of a subject to access or perform some sort of operation on an object
  • Authorization rule enforced by the operating system kernel
  • Security policy is centrally controlled by a security policy administrator

• 73. DOMAIN 3 SECURITY ENGINEERING – Security Models
• Rule-based access control (RBAC)
  • Access is allowed or denied to objects based on a set of rules defined by a system administrator
  • Access properties are stored in Access Control Lists (ACL) associated with each object
• Role-based access control (also RBAC)
  • Also known as Non-discretionary Access Control
  • Assigns permissions to particular roles in an organization

• 74. DOMAIN 3 SECURITY ENGINEERING – Security Models
Understand the Fundamental Concepts of Security Models
• State Machine Model
• Bell-LaPadula Model
• Lattice-Based Access Controls
• Biba Model
• Clark-Wilson Model
• Information Flow Model
• Brewer and Nash Model (aka Chinese Wall)
• Take-Grant Model
• Access Control Matrix
• Zachman Framework for Enterprise Architecture
• Graham-Denning Model
• Harrison-Ruzzo-Ullman Model

• 75. DOMAIN 3 SECURITY ENGINEERING – Security Models
State Machine Model
• The state of a machine is captured in order to verify the security of a system
• State consists of all current permissions and all current instances of subjects accessing the objects. If the subject can access objects only by means that are consistent with the security policy, the system is secure
• Always secure no matter what state it is in
• Finite state machine (FSM)
• State transition
• Secure state machine
• The basis for most other security models

• 76. DOMAIN 3 SECURITY ENGINEERING – Security Models
Bell-LaPadula Model
• Originally developed for the U.S. Department of Defense
• Focused on maintaining the confidentiality of objects
• Two Access Rules:
  • Simple Security Property – no read up
  • * Security Property (“Star” Security Property) – no write down
• Two Object Label Rules:
  • Strong Tranquility Property - security labels will not change while the system is operating
  • Weak Tranquility Property - security labels will not change in a way that conflicts with defined security properties

• 77. DOMAIN 3 SECURITY ENGINEERING – Security Models
Lattice-Based Access Controls
• Security controls for complex environments
• For every relationship between a subject and an object, there are defined upper and lower access limits implemented by the system
• Subjects have a Least Upper Bound (LUB) and Greatest Lower Bound (GLB) of access to the objects based on their lattice position
• A security lattice model combines multilevel and multilateral security

• 78. DOMAIN 3 SECURITY ENGINEERING – Security Models
Biba Model
• Developed after the Bell-LaPadula model
• Focused on maintaining the integrity of objects
• Uses a lattice of integrity levels, unlike Bell-LaPadula which uses a lattice of security levels
• Two primary rules:
  • Simple Integrity Axiom – no read down
  • * Integrity Axiom (“Star” Integrity Axiom) – no write up
• Essentially the reverse of Bell-LaPadula

• 79. DOMAIN 3 SECURITY ENGINEERING – Security Models
Clark-Wilson Model
• Real-world integrity model
• Requires subjects to access objects via programs
• Programs have specific limitations to what they can and cannot do to objects
• Two primary concepts:
  • Well-Formed Transactions - ability to enforce control over applications; comprised of the “access control triple:” user, transformation procedure (TP/well-formed transaction), and constrained data item (CDI/data that requires integrity) - integrity verification procedures (IVPs) ensure that data are kept in a valid state
  • Separation of Duties - ensures that authorized users do not change data in an inappropriate way
Separation of duties and transformation procedures: 1) Authorized access and 2) Modification only in an authorized manner

• 80. DOMAIN 3 SECURITY ENGINEERING – Security Models
Information Flow Model
• In this model, data is thought of as being held in individual discrete compartments
• Information is compartmentalized based on two factors: classification and need to know
• The subject clearance has to dominate the object classification, and the subject security profile must contain one of the categories listed in the object label, which enforces need to know
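Bell-LaPadula, Biba and the lattice / information-flow rules from slides 76 to 80, implemented as one access-decision helper. This is an added example, not the slides' own material: a label is a level plus a set of categories, “dominates” is the lattice order (LUB and GLB fall out of it), and BLP and Biba are each two comparisons on top of it. Level numbers, category names and the sample subjects and objects are constructed.

```python
"""
Bell-LaPadula, Biba and lattice dominance in one place.
Added example for this study guide, not code from the slides. Level numbers,
category names and the sample subjects and objects are all constructed here.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    """One lattice element: a position on an ordered scale plus a set of categories.

    For Bell-LaPadula the scale is classification (0 = lowest, 3 = TOP SECRET in
    the sample); for Biba it is integrity. Categories carry need to know.
    """
    level: int
    categories: frozenset[str] = field(default_factory=frozenset)

    def dominates(self, other: Label) -> bool:
        """self >= other in the lattice: level at least as high AND categories a superset."""
        return self.level >= other.level and self.categories >= other.categories


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the higher level with the union of categories."""
    return Label(max(a.level, b.level), a.categories | b.categories)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the lower level with the intersection of categories."""
    return Label(min(a.level, b.level), a.categories & b.categories)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)    # simple security property
    if op == "write":
        return obj.dominates(subject)    # * (star) security property
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): no read down, no write up; the mirror image of BLP."""
    if op == "read":
        return obj.dominates(subject)    # simple integrity axiom
    if op == "write":
        return subject.dominates(obj)    # * (star) integrity axiom
    raise ValueError(f"unknown operation {op!r}")


def demo() -> dict[str, bool]:
    """Constructed subjects and objects; the comment on each line is the expected decision."""
    # Bell-LaPadula with categories (information flow / need to know)
    secret_crypto = Label(2, frozenset({"CRYPTO"}))          # object: SECRET {CRYPTO}
    analyst = Label(3, frozenset({"CRYPTO", "NUCLEAR"}))     # TOP SECRET {CRYPTO, NUCLEAR}
    clerk = Label(1, frozenset({"CRYPTO"}))                  # CONFIDENTIAL {CRYPTO}
    nuclear_only = Label(3, frozenset({"NUCLEAR"}))          # TOP SECRET {NUCLEAR}
    # Biba with integrity levels (0 = untrusted input, 1 = process, 2 = system binary)
    user_input, process, binary = Label(0), Label(1), Label(2)
    return {
        "analyst_read": blp_allows(analyst, secret_crypto, "read"),            # True
        "analyst_write": blp_allows(analyst, secret_crypto, "write"),          # False: write down
        "clerk_read": blp_allows(clerk, secret_crypto, "read"),                # False: read up
        "clerk_write": blp_allows(clerk, secret_crypto, "write"),              # True: write up is allowed
        "nuclear_only_read": blp_allows(nuclear_only, secret_crypto, "read"),  # False: level ok, no need to know
        "proc_read_input": biba_allows(process, user_input, "read"),           # False: read down
        "proc_read_binary": biba_allows(process, binary, "read"),              # True
        "proc_write_binary": biba_allows(process, binary, "write"),            # False: write up
        "proc_write_input": biba_allows(process, user_input, "write"),         # True
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY'}")
```

The `nuclear_only_read` case is the information-flow point on slide 80: a clearance that dominates on level alone is not enough when the category (need to know) is missing.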
• 81. DOMAIN 3 SECURITY ENGINEERING – Security Models
Brewer and Nash Model (aka Chinese Wall)
• Designed to avoid conflicts of interest by prohibiting one person, such as a consultant, from accessing multiple conflict of interest categories (CoIs)
• Provides access controls that can change dynamically depending upon a user’s previous actions
• Model states that a subject can write to an object if, and only if, the subject can not read another object that is in a different data set
• Initially designed to address the risks inherent with employing consultants working within banking and financial institutions
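The Brewer and Nash rules from the slide above, as an added example (not the slides' code): the read decision depends on what the subject has already read, and the write rule is the common history-based simplification that ignores sanitized information. The company datasets and conflict-of-interest classes are constructed.

```python
"""
Brewer and Nash (Chinese Wall): access decisions depend on the subject's history.
Added example for this study guide, not code from the slides. The datasets and
conflict-of-interest (CoI) classes are constructed; the write rule is the usual
history-based simplification (no sanitized-information exception).
"""
from __future__ import annotations
from collections import defaultdict

# Each company dataset belongs to exactly one CoI class (constructed sample).
COI_CLASS = {
    "BankA": "banks", "BankB": "banks",
    "OilX": "oil", "OilY": "oil",
}


class ChineseWall:
    def __init__(self) -> None:
        # history: subject -> datasets the subject has already read
        self.history: dict[str, set[str]] = defaultdict(set)

    def can_read(self, subject: str, dataset: str) -> bool:
        """Simple security rule: readable if already held, or if its CoI class is
        one the subject has never touched."""
        cls = COI_CLASS[dataset]
        for seen in self.history[subject]:
            if seen == dataset:
                return True
            if COI_CLASS[seen] == cls:
                return False          # a competitor in the same CoI class: the wall
        return True

    def read(self, subject: str, dataset: str) -> bool:
        """Perform the read; the history is what makes later decisions dynamic."""
        if not self.can_read(subject, dataset):
            return False
        self.history[subject].add(dataset)
        return True

    def can_write(self, subject: str, dataset: str) -> bool:
        """*-property: write only if the subject can read the dataset and has read
        nothing else (anything else it holds could be copied across the wall)."""
        if not self.can_read(subject, dataset):
            return False
        return all(seen == dataset for seen in self.history[subject])


def demo() -> dict[str, bool]:
    """Constructed scenario; the comment on each line is the expected decision."""
    wall = ChineseWall()
    r = {}
    r["read_bankA"] = wall.read("consultant", "BankA")            # True: first access
    r["read_bankB"] = wall.read("consultant", "BankB")            # False: same CoI class as BankA
    r["read_oilX"] = wall.read("consultant", "OilX")              # True: different CoI class
    r["read_bankA_again"] = wall.read("consultant", "BankA")      # True: already held
    r["write_bankA"] = wall.can_write("consultant", "BankA")      # False: also holds OilX
    fresh = ChineseWall()
    fresh.read("auditor", "OilY")
    r["write_oilY_fresh"] = fresh.can_write("auditor", "OilY")    # True: only OilY ever read
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18s} {'ALLOW' if allowed else 'DENY'}")
```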
• 82. DOMAIN 3 SECURITY ENGINEERING – Security Models
Noninterference Models
• The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level
• Not concerned with the flow of data, but rather with what a subject knows about the state of the system
• Addresses the inference attack that occurs when someone has access to some type of information and can infer (guess) something that he does not have the clearance level or authority to know.
• Covert Channel – policy violation hidden from the system owner

• 83. DOMAIN 3 SECURITY ENGINEERING – Security Models
Take-Grant Model
• Contains rules that govern the interactions between subjects and objects, and the permissions subjects can grant to other subjects
• Two rights occur in every instance of the model: take and grant
• Rules include take, grant, create, and remove
  • take rule allows a subject to take rights of another object (add an edge originating at the subject)
  • grant rule allows a subject to grant own rights to another object (add an edge terminating at the subject)
  • create rule allows a subject to create new objects (add a vertex and an edge from the subject to the new vertex)
  • remove rule allows a subject to remove rights it has over another object (remove an edge originating at the subject)

• 84. DOMAIN 3 SECURITY ENGINEERING – Security Models
Access Control Matrix
• Commonly used in OSs and applications
• Table that defines access permissions between specific subjects and objects

• 85. DOMAIN 3 SECURITY ENGINEERING – Security Models
Zachman Framework for Enterprise Architecture
• Six frameworks for providing information security, asking what, how, where, who, when, and why

• 86. DOMAIN 3 SECURITY ENGINEERING – Security Models
Graham-Denning Model
• Defines a set of basic rights in terms of commands that a specific subject can execute on an object
• Three parts: objects, subjects, and rules; focus on the eight (8) rules:
  • R1: Transfer Access
  • R2: Grant Access
  • R3: Delete Access
  • R4: Read Object
  • R5: Create Object
  • R6: Destroy Object
  • R7: Create Subject
  • R8: Destroy Subject

• 87. DOMAIN 3 SECURITY ENGINEERING – Security Models
Modes of Operation
• There are four (4) modes of system/access control operation:
1. Dedicated:
  • Only one classification (label) for all objects in the system
  • Subject must possess a clearance equal to or greater than the system label
  • Subjects must have 1) appropriate clearance, 2) formal access approval, and 3) a need to know for all the objects in the system

• 88. DOMAIN 3 SECURITY ENGINEERING – Security Models
Modes of Operation
• There are four (4) modes of system/access control operation:
2. System High:
  • System contains objects of mixed labels
  • Subjects must possess a clearance equal to (or greater than) the highest object label

• 89. DOMAIN 3 SECURITY ENGINEERING – Security Models
Modes of Operation
• There are four (4) modes of system/access control operation:
3. Compartmented:
  • Objects are placed into “compartments”
  • Subjects must have a formal (system-enforced) need to know to access data in a compartment
  • All subjects must have:
    • 1) Signed NDA for ALL information on the system
    • 2) clearance for ALL information on the system
    • 3) formal access approval for SOME objects on the system, and
    • 4) valid need to know for SOME objects on the system

• 90. DOMAIN 3 SECURITY ENGINEERING – Security Models
Modes of Operation
• There are four (4) modes of system/access control operation:
4. Multilevel:
  • System contains objects of varying labels
  • Subjects with varying clearances can access the system
  • Reference Monitor mediates access between subjects and objects
  • All subjects must have 1) Signed NDA for ALL information on the system, 2) clearance for SOME information on the system, 3) formal access approval for SOME objects on the system, and 4) valid need to know for SOME objects on the system

• 91. DOMAIN 3 SECURITY ENGINEERING – Evaluation Methods, Certification and Accreditation
Trusted Computer System Evaluation Criteria (TCSEC or Orange Book)
• Developed by the federal government; National Computer Security Center (NCSC), part of the National Institute of Standards and Technology (NIST), and the National Security Agency (NSA)
• Developed in 1983 as part of the Rainbow Series
• One of the 1st evaluation frameworks
• Now used as part of U.S. Government Protection Profiles within the International Common Criteria framework
  • 93. Trusted Computer System Evaluation Criteria (TCSEC or Orange Book) • Download here http://csrc.nist.gov/publications/history/dod85.pdf • Division D is the lowest form of security, and A is the highest: • D: Minimal Protection • C: Discretionary Protection • C1: Discretionary Security Protection • C2: Controlled Access Protection • B: Mandatory Protection • B1: Labeled Security Protection • B2: Structured Protection • B3: Security Domains • A: Verified Protection • A1: Verified Design CISSP® MENTOR PROGRAM – SESSION THREE 92 DOMAIN 3 SECURITY ENGINEERING Evaluation Methods, Certification and Accreditation
  • 94. Trusted Network Interpretation (TNI)/Red Book • Sort of like the Orange Book for network systems • Can download it here http://ftp.fas.org/irp/nsa/rainbow/tg011.htm • All of the Rainbow Books can be accessed here http://ftp.fas.org/irp/nsa/rainbow.htm CISSP® MENTOR PROGRAM – SESSION THREE 93 DOMAIN 3 SECURITY ENGINEERING Evaluation Methods, Certification and Accreditation
• 95. Information Technology Security Evaluation Criteria (ITSEC)
• Developed and used extensively in Europe (a joint effort of France, Germany, the Netherlands and the UK, published 1990-91)
• 1st successful international evaluation criteria
• Builds on the Orange Book but, unlike TCSEC, rates functionality and assurance separately:
• F – Functionality (what the product’s security mechanisms do)
• Q – Effectiveness (part of assurance: are the mechanisms suitable for the threats and do they work together?)
• E – Correctness (also part of assurance: were the mechanisms built and tested correctly?)
• 96. Information Technology Security Evaluation Criteria (ITSEC)
• Assurance correctness ratings range from E0 (inadequate) to E6 (formal model of security policy)
• Functionality ratings include TCSEC-equivalent classes (F-C1, F-C2, etc.)
• Equivalent ITSEC / TCSEC ratings:
  ITSEC       TCSEC
  E0          D
  F-C1, E1    C1
  F-C2, E2    C2
  F-B1, E3    B1
  F-B2, E4    B2
  F-B3, E5    B3
  F-B3, E6    A1   (A1 adds assurance over B3, not functionality, hence the same F class)
• Additional functionality classes with no TCSEC equivalent:
• F-IN: High integrity requirements
• F-AV: High availability requirements
• F-DI: High integrity requirements for data exchange over networks
• F-DC: High confidentiality requirements for data exchange over networks
• F-DX: High integrity and confidentiality requirements for networks
• 97. International Common Criteria (“Common Criteria”)
• Internationally agreed upon standard (ISO/IEC 15408) for describing and testing the security of IT products
• Goal of an evaluation: independent confirmation that the product meets the security claims made for it, including a vulnerability analysis (the AVA_VAN assurance family) showing no exploitable vulnerabilities at the claimed attack potential
• Terms:
• Target of Evaluation (TOE): the system or product that is being evaluated
• Security Target (ST): the vendor’s documentation of the security claims (functional and assurance requirements) for that specific TOE
• Protection Profile (PP): an implementation-independent set of security requirements and objectives for a category of products or systems (e.g., firewalls, operating systems); an ST may claim conformance to a PP
• Evaluation Assurance Level (EAL): the assurance package the TOE was evaluated against; it measures how rigorously the claims in the ST were examined, not how secure the product is in general
• 98. International Common Criteria (“Common Criteria”)
• There are seven (7) Evaluation Assurance Levels (EALs):
• EAL1: Functionally tested
• EAL2: Structurally tested
• EAL3: Methodically tested and checked
• EAL4: Methodically designed, tested, and reviewed
• EAL5: Semi-formally designed and tested
• EAL6: Semi-formally verified design and tested
• EAL7: Formally verified design and tested
• EALs only compare products evaluated against the same ST or PP scope; EAL4 is as high as most commercial products go, and EAL5 and above require semi-formal or formal methods
• Common Criteria Part 3 (assurance requirements and EAL packages), Version 3.1 Revision 3 (July 2009): http://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R3.pdf (Revision 5, April 2017, was the current release when this class was given)
• 100. STOP!!! THAT’S ENOUGH ALREADY!
• Yes it is…
• We’ll continue from here on Wednesday.
• Please spend time reading Chapters 1 - 3, if you haven’t already.
• If you have time to delve into Chapter 4, please do so.
• Please come with questions on Wednesday (4/17). We will recap some of today’s material and cover questions in the next class.
• Looking ahead, we won’t have class next Monday (4/22). It’s our first break