Management of Information Security Chapter 6 Security Management Models PDF

Summary

This document provides an overview of security management models, including blueprints, frameworks, and access control models. It explores key concepts and categorizations within information security for IT professionals.

Full Transcript

Management of Information Security

Chapter 6
Security Management Models
Objectives

Describe the dominant InfoSec blueprints, frameworks, and InfoSec
management models, including U.S. government-sanctioned models
Explain why access control is an essential element of InfoSec
management
Recommend an InfoSec management model and explain how it can be
customized to meet the needs of a particular organization
Describe the fundamental elements of key InfoSec management practices
Discuss emerging trends in the certification and accreditation of U.S.
federal information technology (IT) systems
Blueprints, Frameworks, and Security Models

Blueprint - describes existing controls and identifies other necessary
security controls ‫ﻣﺨﻄﻂ‬
Framework - the outline of the more thorough blueprint ‫ﻧﻄﺎق او اطﺎر‬
‫ﻋﻤﻞ‬
Sets out the model to be followed in the creation of the design, selection, and
initial implementation of all subsequent security controls
Security model - a generic blueprint offered by a service organization
Free models are available from the National Institute of Standards and
Technology (NIST)
Blueprints, Frameworks, and Security Models
(continued)

Another way to create a blueprint:
To look at the paths taken by other organizations
This is a kind of benchmarking where recommended practices or industry
standards are followed
Benchmarking: the comparison of two related measurements
Benchmarking can provide details on how controls are working
Or which new controls should be considered
Does not provide details on how controls should be put into action
Access Control Models Part 1

Access controls - regulate the admission of users into trusted areas of
the organization

Access control is maintained by means of:
A collection of policies
Programs to carry out those policies
Technologies to enforce policies
Access Control Models Part 2

General application of access control comprises four processes:
Identification - obtaining identity of the entity requesting access to a logical
or physical area
Authentication - confirming the identity
Authorization - determining which actions an authenticated entity can
perform in that physical or logical area
Accountability - documenting the activities of the authorized individual and
systems
Access Control Models Part 3

Access control is built on several key principles:
Least privilege - member of the organization can access the minimum
amount of information for the minimum amount of time necessary
Need-to-know - limits a user’s access to the specific information required to
perform the currently assigned task
Separation of duties - requires that significant tasks be split up in such a way
that more than one individual is responsible for their completion
Categories of Access Control

A number of approaches are used to categorize access control
methodologies
One approach depicts controls by characteristics:
Deterrent ‫رادع‬
Preventative ‫وﻗﺎﺋﻲ‬
Detective ‫ﻣﺤﻘﻖ‬
Corrective ‫ﺗﺼﺤﯿﺤﻲ‬
Recovery ‫اﺳﺘﻌﺎدة‬
Compensating ‫ﺗﻌﻮﯾﺾ‬
Categories of Access Control (continued)

A second approach categorizes controls based on their operational
impact on the organization:
Management
Operational (administrative)
Technical

A third approach describes the degree of authority under which the
controls are applied
Can be mandatory, nondiscretionary, or discretionary
Table: Categories of access control

Deterrent Preventative Detective Corrective Recovery Compensating

Periodic Employee or Disaster Separation of
Registration
Management Policies violation account recovery duties, job
procedures
report reviews termination plan rotation

Fire Disaster
Warning Gates, fences, Sentries. Defense in
Operational suppression recovery
signs and guards CCTVs depth
systems procedures

Login Key logging
Warning Log monitors Forensics Data
Technical systems. and keystroke
banners and IDPSs procedures backups
Kerberos monitoring
Data Classification Model

The U.S. military uses a five-level classification scheme:
Unclassified data
Sensitive but unclassified (SBU) data
Confidential data
Secret data
Top secret data

Compartmentalization - the restriction of information to the very
fewest people possible (Need-to-know)
Data Classification Model (continued)

An organization can protect its sensitive information with a
simple scheme like the following:
Public - for general public dissemination
For official use only - not for public release but not sensitive
Sensitive - important information that , if compromised, could embarrass the
organization
Classified - essential and confidential information
Disclosure of which could severely damage the well-being of the organization
Security Clearances

Security clearance structure - each user of an information asset is
assigned an authorization level that identifies the level of information
classification he or she can access
Usually accomplished by assigned each employee to a named role
Data entry clerk, InfoSec analyst, etc.
Most organizations have developed a set of roles and a corresponding
security clearance
Managing Classified Information Assets

Managing an information asset includes all aspects of its life cycle
From specification to design, acquisition, implementation, use, storage,
distribution, backup, recovery, retirement, and destruction
Classified documents must be accessible only to authorized
individuals
Usually requires locking file cabinets, safes, etc.
“Clean desk policy” - requires each employee to secure all
information in its appropriate storage container at the end of every
business day
Documents should be destroyed by means of shredding, burning, or
transferred to a third-party document destruction service
Dumpster diving - the retrieval of information from refuse or recycling bins
Access Controls Methods

A mandatory access control (MAC) - is required and is structured
and coordinated within a data classification scheme
‫ ﻣﻨﻈﻤﺔ وﻣﻨﺴﻘﺔ ﺿﻤﻦ ﻣﺨﻄﻂ ﺗﺼﻨﯿﻒ اﻟﺒﯿﺎﻧﺎت‬that rates each collection of
information
As well as each user
Ratings are often referred to as sensitivity or classification levels
When MACs are implemented:
Users and data owners have limited control over access to information
resources
Access Controls Methods

Lattice-based access control - assigns users a matrix of
authorizations for particular areas of access
Level of authorization may vary depending on classification authorizations
Access Controls Methods

Nondiscretionary controls - determined by a central authority in the
organization and can be based on:
Role-based controls - tied to the role that a user performs
Task-based controls - tied to a particular assignment or responsibility
Both controls make it easier to maintain controls and restrictions
Rights are assigned to the role, not the person
Access Controls Methods

Discretionary access controls (DACs) - implemented at the
discretion or option of the data user
The ability to share resources in a peer-to-peer configuration allows users to
control and possibly provide access to information or resources at their
disposal
Role-based models can be implemented under DAC
If an individual system owner wants to create the rules
For example, if someone is only allowed access to files during certain hours
of the day, Rule-Based Access Control would be the tool of choice.
Other Forms of Access Control

Other models of access control include:
Content-dependent access controls - access may be dependent on its content
Constrained user interfaces - designed specifically to restrict what
information an individual user can access
Temporal (time-based) isolation - access to information is limited by a time-
of-day constraint
Security Architecture Models

Security architecture models - illustrate InfoSec implementations
and can help organizations quickly make improvements through
adaptation

Some models are:
Implemented into computer hardware and software
Implemented as policies and practices
Focused on the confidentiality of information
Focused on the integrity of the information as it is being processed
Trusted Computing Base Part 1

Trusted Computer System Evaluation Criteria (TCSEC) - an older
DoD standard that defines the criteria for assessing the access controls
in a computer system
TCSEC defines a trusted computing base (TCB) as the combination
of all hardware, firmware, and software responsible for enforcing
security policy
Within TCP is a conceptual object known as the reference monitor
It is the piece of the system that manages access controls
Trusted Computing Base Part 2

Covert channels - unauthorized or unintended methods of
communications hidden inside a computer system
TCSEC defines two kinds of covert channels:
Storage channels - communicate by modifying a stored object
Timing channels - transmit information by managing the relative timing of
events
Trusted Computing Base Part 3

Products evaluated under TCSEC are assigned one of the
following levels of protection
D: Minimal protection
C: Discretionary protection
B: Mandatory protection
A: Verified protection
Information Technology System Evaluation
Criteria

Information Technology System Evaluation Criteria (ITSEC) - an
international set of criteria for evaluating computer system
Similar to TCSEC
Target of Evaluation (ToE) are compared to detailed security function
specifications
ITSEC rates products on a scale of E1 (lowest level) to E6 (highest
level)
The Common Criteria
Common Criteria for Information Technology Security Evaluation
- an international standard for computer security certification
Often called “Common Criteria” or “CC”
Considered the successor to TCSEC and ITSEC

CC terminology includes
Target of Evaluation (ToE)
Protection Profile (PP)
Security Target (ST)
Security Functional Requirements (SFRs)
Evaluation Assurance Levels (EAL)
The Common Criteria (continued)

EAL is typically rated on the following scale:
EAL1: Functionally Tested
EAL2: Structurally Tested
EAL3: Methodically Tested and Checked
EAL4: Methodically Designed, Tested, and Reviewed
EAL5: Semi-formally Designed and Tested
EAL6: Semi-formally Verified Design and Tested
EAL7: Formally Verified Design and Tested
Bell-LaPadula Confidentiality Model

Bell-LaPadula (BLP) confidentiality model - a model of an
automated system that is able to manipulate its state or status over
time
BLP ensures confidentiality by using MACs, data classification, and
security clearances

Access modes can be one of two types:
Simple security - prohibits a subject of lower clearance form reading an object
of higher clearance
* (Star) property - prohibits a high-level subject from sending messages to a
lower-level object
Biba Integrity Model

Biba integrity model - is based on the premise that higher levels of
integrity are more worthy of trust than lower ones
Biba model assigns integrity levels to subjects and objects using two
properties:
Simple integrity property (read) - permits a subject to have read access to an
object only if its security level is lower or equal to that object
Integrity * property (write) - permits a subject to have write access to an
object if its security level is equal to or higher than that object
Clark-Wilson Integrity Model
Clark-Wilson integrity model - built upon principles of change control
rather than integrity levels

Change control principles upon which it operates:
No changes by unauthorized subjects
No unauthorized changes by authorized subjects
The maintenance of internal and external consistency
Internal consistency means that the system does what it is expected to do every time
External consistency means that the data in the system is consistent with similar data in the
outside world
Clark-Wilson Integrity Model (continued)

Clark-Wilson model controls:
Subject authentication and identification
Access to objects by means of well-formed transactions
Execution by subjects on a restricted set of programs

Elements of the Clark-Wilson model:
Constrained data item (CDI)
Unconstrained data item
Integrity verification procedure (IVP)
Transformation procedure (TP)
Graham-Denning Access Control Model

Graham-Denning access control model has three parts:
A set of objects
A set of subjects
A set of rights

Subjects are composed of: a process and a domain
Domain is the set of constraints controlling how subjects may access objects
Set of rights governs how subjects may manipulate the passive objects
Graham-Denning Access Control Model
(continued)

The eight primitive protection rights are:
Create object
Create subject
Delete object
Delete subject
Read access right
Grant access right
Delete access right
Transfer access right
Harrison-Ruzzo-Ullman Model

Harrison-Ruzzo-Ullman (HRU) model - defines a method to allow
changes to access rights and the addition and removal of subjects and
objects
HRU is built on an access control matrix and includes a set of
generic rights and a specific set of commands:
Create subject/create object
Enter right X into
Delete right X from
Destroy subject/destroy object
Brewer-Nash Model (Chinese Wall)

Brewer-Nash model - designed to prevent a conflict of interest
between two parties
Commonly known as a “Chinese Wall”

The Brewer - Nash model requires users to select one of two
conflicting sets of data
After which they cannot access the conflicting data
Security Management Models

U.S. federal agencies and international standard-setting organizations:
Offer quality security management models
Organizations wanting to adopt proprietary models must purchase the
right to do so
Some public domain sources for security management models offer
free documentation
The ISO 27000 Series

Information Technology - Code of Practice for Information Security
Management - one of the most widely referenced InfoSec
management models
The Code of Practice was adopted as an international standard framework for
InfoSec by the ISO and the IEC as ISO/IEC 17799
It was revised in 2005 and in 2007 was renamed ISO 27002
Was intended to provide a common basis for developing organizational
security standards
NIST Security Models

Advantages of NIST security models over many other sources of
security information:
They are publicly available at no charge
They have been available for some time and have been broadly reviewed by
the government and industry professionals
NIST Special Publication 800-12

SP 800-12: Computer Security Handbook - an excellent reference and
guide for routine management of InfoSec
SP 800-12 provides for:
Accountability
Awareness
Ethics
Multidisciplinary
Proportionality
Integration
Timeliness
Reassessment
Democracy
NIST Special Publication 800-12 (continued)

SP 800-12 organizes controls into three categories:
Management controls
Operational controls
Technical controls
NIST Special Publication 800-14 Part 1

SP 800-14: Generally Accepted Principles and Practices for Securing
Information Technology Systems - describes recommended practices
and provides information on commonly accepted InfoSec principles
Can direct the security team in the development of a security blueprint
Also describes the philosophical principles that the security team should
integrate into the entire InfoSec process
NIST Special Publication 800-14 Part 2

Significant points made in NIST SP 800-14:
Security supports the mission of the organization
Security is an integral element of sound management
Security should be cost-effective
Systems owners have security responsibilities outside their own organizations
Security responsibilities and accountability should be made explicit
Security requires a comprehensive and integrated approach
NIST Special Publication 800-14 Part 2

Significant points made in NIST SP 800-14 (cont’d):
Security should be periodically reassessed
Security is constrained by societal factors
NIST Special Publication 800-18 Rev. 1

NIST Special Publication 800-18 Rev.1: Guide for Developing
Security Plans for Federal Information Systems - provides detailed
methods for assessing, designing, and implementing controls and
plans for applications of various sizes
Serves as a guide for security planning activities and for the overall InfoSec
planning process
Includes templates for major application security plans
NIST Special Publication 800-30 Rev. 1

NIST SP 800-30, Rev. 1: Guide for Conducting Risk Assessments
Provides a foundation for the development of an effective risk management
program
Contains both the definitions and the practical guidance necessary for
assessing and mitigating risks identified within IT systems
Organized into three chapters that explain the overall risk
management process
As well as preparing for, conducting, and communicating a risk assessment
NIST Special Publications 800-53 Rev. 3 and
800-53A Rev. 1

Both publications cover recommended security controls for Federal
Information Systems
SP 800-53, Revision 3 provides a systems development life cycle
(SDLC) approach to security assessment of information systems
NIST has a comprehensive security control assessment program that
guides organizations through the:
Preparation for, assessment of, and remediation of critical security controls
Control Objectives for Information and Related
Technology

“Control Objectives for Information and Related Technology”
(COBIT)
Provides advice about the implementation of sound controls and control
objectives for InfoSec
COBIT was created by the Information Systems Audit and Control
Association (ISACA) and the IT Governance Institute (ITGI) in 1992
There have been many updates
Latest version is COBIT 5 released in 2012
Control Objectives for Information and
Related Technology (continued)

COBIT 5 provides five principles focused on the governance and
management of IT:
Meeting Stakeholder Needs
Covering the Enterprise End-to-End
Applying a Single, Integrated Framework
Enabling a Holistic Approach
Separating Governance from Management
Committee of Sponsoring Organizations

Committee of Sponsoring Organizations (COSO) of the Treadway
Commission
Another control-based model
Major objective of COSO is to identify the factors that cause
fraudulent financial reporting and to make recommendations to
reduce its incidence
COSO helps organizations comply with critical regulations like the
Sarbanes-Oxley Act of 2002
COSO Definitions and Key Concepts

According to COSO internal control is a process designed to provide
reasonable assurance regarding the achievement of objectives in the
following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Committee of Sponsoring Organizations
(continued)

The COSO framework is built on five interrelated components:
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
Information Technology Infrastructure Library

Information Technology Infrastructure Library (ITIL)
A collection of methods and practices for managing the development and
operation of IT infrastructures
ITIL has produced a series of books
Each of which covers an IT management topic
Since ITIL includes a detailed description of many significant IT-
related practices
It can be tailored to many IT organizations
Information Security Governance Framework

The Information Security Governance Framework is a managerial
model provided by an industry working group
National Cyber Security Partnership
The framework provides guidance in the development and
implementations of an organizational InfoSec governance structure
The framework also specifies that each independent organizational
unit should develop, document, and implement in InfoSec program
consistent with accepted security practices
Summary Part 1
A framework is the outline of a more thorough blueprint, used in the creation of
the InfoSec environment
Access controls regulate the admission of users into trusted areas of the
organization
Access control is built on the principles of least privilege, need-to-know, and
separation of duties
Approaches to access control include preventative, deterrent, detective,
corrective, recovery, and compensating
Mandatory access controls (MACs) are required by the system that operate
within a data classification and personnel clearance scheme
Summary Part 2
Nondiscretionary controls are determined by a central authority in the
organization and can be based on roles or on a specified set of tasks
Security architecture models illustrate InfoSec implementations and can
help organizations make quick improvements through adaptation
One of the most widely referenced security models is “ISO/IEC 27001:
2005 Information Technology - Code of Practice for InfoSec Management”
Designed to give recommendations for InfoSec management
Summary Part 3
“Control Objectives for Information and Related Technology” (COBIT)
provides advice about the implementation of sound controls and control
objectives for InfoSec
The Information Security Governance Framework is a managerial model
provided by an industry working group that provides guidance in the
development and implementation of an organizational InfoSec governance
structure
Management of Information Security

Thank you For
listening