Management of Information Security, Chapter 6: Security Management Models
Objectives
- Describe the dominant InfoSec blueprints, frameworks, and InfoSec management models, including U.S. government-sanctioned models
- Explain why access control is an essential element of InfoSec management
- Recommend an InfoSec management model and explain how it can be customized to meet the needs of a particular organization
- Describe the fundamental elements of key InfoSec management practices
- Discuss emerging trends in the certification and accreditation of U.S. federal information technology (IT) systems

Blueprints, Frameworks, and Security Models
- Blueprint: describes existing controls and identifies the other security controls that are necessary
- Framework: the outline of the more thorough blueprint; it sets out the model to be followed in the creation of the design, selection, and initial implementation of all subsequent security controls
- Security model: a generic blueprint offered by a service organization; free models are available from the National Institute of Standards and Technology (NIST)

Blueprints, Frameworks, and Security Models (continued)
- Another way to create a blueprint is to look at the paths taken by other organizations; this is a kind of benchmarking in which recommended practices or industry standards are followed
- Benchmarking: the comparison of two related measurements
- Benchmarking can show how well controls are working, or which new controls should be considered, but it does not say how the controls should be put into action

Access Control Models, Part 1
- Access controls regulate the admission of users into trusted areas of the organization
- Access control is maintained by means of a collection of policies, programs to carry out those policies, and technologies to enforce the policies

Access Control Models, Part 2
The general application of access control comprises four processes:
- Identification: obtaining the identity of the entity requesting access to a logical or physical area
- Authentication: confirming that identity
- Authorization: determining which actions an authenticated entity can perform in that physical or logical area
- Accountability: documenting the activities of the authorized individual and of the systems involved

Access Control Models, Part 3
Access control is built on several key principles:
- Least privilege: a member of the organization can access only the minimum amount of information, for the minimum amount of time, necessary to do the job
- Need-to-know: limits a user's access to the specific information required to perform the currently assigned task
- Separation of duties: requires that significant tasks be split up in such a way that more than one individual is responsible for their completion

Categories of Access Control
A number of approaches are used to categorize access control methodologies. One approach describes controls by their characteristics:
- Deterrent
- Preventative
- Detective
- Corrective
- Recovery
- Compensating

Categories of Access Control (continued)
- A second approach categorizes controls by their operational impact on the organization: management, operational (administrative), and technical
- A third approach describes the degree of authority under which the controls are applied: mandatory, nondiscretionary, or discretionary

Table: Categories of access control (rows are the operational-impact category, entries are the characteristic)
Management controls
- Deterrent: policies
- Preventative: registration procedures
- Detective: periodic violation report reviews
- Corrective: employee or account termination
- Recovery: disaster recovery plan
- Compensating: separation of duties, job rotation
Operational controls
- Deterrent: warning signs
- Preventative: gates, fences, and guards
- Detective: sentries, CCTVs
- Corrective: fire suppression systems
- Recovery: disaster recovery procedures
- Compensating: defense in depth
Technical controls
- Deterrent: warning banners
- Preventative: login systems, Kerberos
- Detective: log monitors and IDPSs
- Corrective: forensics procedures
- Recovery: data backups
- Compensating: key logging and keystroke monitoring

Data Classification Model
The U.S. military uses a five-level classification scheme:
- Unclassified data
- Sensitive but unclassified (SBU) data
- Confidential data
- Secret data
- Top secret data
Compartmentalization: the restriction of information to the fewest people possible (need-to-know)

Data Classification Model (continued)
An organization can protect its sensitive information with a simple scheme like the following:
- Public: for general public dissemination
- For official use only: not for public release, but not sensitive
- Sensitive: important information that, if compromised, could embarrass the organization
- Classified: essential and confidential information, the disclosure of which could severely damage the well-being of the organization

Security Clearances
- Security clearance structure: each user of an information asset is assigned an authorization level that identifies the level of information classification he or she can access
- Usually accomplished by assigning each employee to a named role (data entry clerk, InfoSec analyst, etc.)
- Most organizations have developed a set of roles and a corresponding security clearance for each role

Managing Classified Information Assets
- Managing an information asset includes all aspects of its life cycle: specification, design, acquisition, implementation, use, storage, distribution, backup, recovery, retirement, and destruction
- Classified documents must be accessible only to authorized individuals; this usually requires locking file cabinets, safes, etc.
- "Clean desk policy": requires each employee to secure all information in its appropriate storage container at the end of every business day
- Documents should be destroyed by shredding or burning, or transferred to a third-party document destruction service
- Dumpster diving: the retrieval of information from refuse or recycling bins

Access Control Methods
- Mandatory access control (MAC): required by the system and structured and coordinated within a data classification scheme that rates each collection of information as well as each user
- The ratings are often referred to as sensitivity or classification levels
- When MACs are implemented, users and data owners have limited control over access to information resources

Access Control Methods (continued)
- Lattice-based access control: assigns users a matrix of authorizations for particular areas of access; the level of authorization may vary depending on the classification authorizations a user holds

Access Control Methods (continued)
- Nondiscretionary controls: determined by a central authority in the organization and can be based on role-based controls (tied to the role that a user performs) or task-based controls (tied to a particular assignment or responsibility)
- Both make it easier to maintain controls and restrictions, because rights are assigned to the role, not to the person

Access Control Methods (continued)
- Discretionary access controls (DACs): implemented at the discretion or option of the data user
- The ability to share resources in a peer-to-peer configuration allows users to control, and possibly provide, access to information or resources at their disposal
- Role-based models can be implemented under DAC if an individual system owner wants to create the rules
- For example, if someone is only allowed access to files during certain hours of the day, rule-based access control would be the tool of choice
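The three degrees of authority described on the Access Control Methods slides (nondiscretionary role-based rights, discretionary grants by a resource owner, and a rule-based time-of-day constraint) combined in one deny-by-default authorization decision. This is an added example, not material from the chapter: the roles, resources, users and the business-hours rule are constructed for illustration, and the precedence (role rights first, subject to the time rule; owner grants afterwards, not time-restricted) is one reasonable design, not the textbook's.

```python
# Added example (not from the chapter): one authorization decision that layers the
# three kinds of access control authority. Roles, resources and users are constructed.
from dataclasses import dataclass, field
from datetime import datetime

# Nondiscretionary (role-based): a central authority assigns rights to roles.
# Rights belong to the role, never to the person holding it.
ROLE_RIGHTS = {
    "data_entry_clerk": {"payroll_db": {"read", "append"}},
    "infosec_analyst": {"payroll_db": {"read"}, "audit_log": {"read"}},
}

# Rule-based: a central rule restricts when a role may be exercised.
# Assumed business hours, as a half-open [start, end) hour range.
BUSINESS_HOURS = {"data_entry_clerk": (8, 18)}


@dataclass
class Resource:
    """A resource whose owner may hand out rights at their own discretion (DAC)."""
    name: str
    owner: str
    dac: dict = field(default_factory=dict)  # user -> set of rights

    def grant(self, granter: str, user: str, rights: set) -> None:
        # Only the owner may grant discretionary rights.
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own {self.name}")
        self.dac.setdefault(user, set()).update(rights)


def time_rule_allows(role: str, when: datetime) -> bool:
    start, end = BUSINESS_HOURS.get(role, (0, 24))
    return start <= when.hour < end


def authorize(user, roles, resource, right, when):
    """Deny by default; return (allowed, reason).

    Role-derived rights are checked first and are subject to the time rule.
    A discretionary grant from the owner is checked afterwards and is not
    time-restricted, because it is the owner's decision, not the central policy's.
    """
    blocked = None
    for role in roles.get(user, ()):
        if right in ROLE_RIGHTS.get(role, {}).get(resource.name, set()):
            if time_rule_allows(role, when):
                return True, f"role {role} grants {right} on {resource.name}"
            blocked = f"role {role} may {right} {resource.name} only during business hours"
    if right in resource.dac.get(user, set()):
        return True, f"owner {resource.owner} granted {right} on {resource.name} at their discretion"
    return False, blocked or f"no role or discretionary grant covers {right} on {resource.name}"


def demo() -> dict:
    """Constructed scenario; returns each decision so it can be inspected or tested."""
    roles = {"alice": ["data_entry_clerk"], "bob": ["infosec_analyst"], "carol": []}
    payroll = Resource("payroll_db", owner="bob")
    payroll.grant("bob", "carol", {"read"})      # DAC: the owner shares read with carol
    day = datetime(2024, 3, 4, 10, 0)            # 10:00, inside business hours
    night = datetime(2024, 3, 4, 22, 0)          # 22:00, outside business hours
    results = {
        "alice_append_day": authorize("alice", roles, payroll, "append", day)[0],
        "alice_append_night": authorize("alice", roles, payroll, "append", night)[0],
        "carol_read_any_time": authorize("carol", roles, payroll, "read", night)[0],
        "carol_append": authorize("carol", roles, payroll, "append", day)[0],
        "bob_read": authorize("bob", roles, payroll, "read", day)[0],
    }
    try:
        payroll.grant("carol", "alice", {"read"})  # carol is not the owner
        results["carol_can_grant"] = True
    except PermissionError:
        results["carol_can_grant"] = False
    return results


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'ALLOW' if allowed else 'DENY'}")
```

The clerk's role right disappears at 22:00 even though nothing about her role changed, which is exactly what the slide's "only during certain hours" rule describes; carol's owner-granted read is unaffected by that rule because it was never tied to a role, and carol cannot pass the right on because she does not own the resource.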
Other Forms of Access Control
Other models of access control include:
- Content-dependent access controls: access to an object may depend on the object's content
- Constrained user interfaces: designed specifically to restrict what information an individual user can access
- Temporal (time-based) isolation: access to information is limited by a time-of-day constraint

Security Architecture Models
- Security architecture models illustrate InfoSec implementations and can help organizations quickly make improvements through adaptation
- Some models are implemented in computer hardware and software; others are implemented as policies and practices
- Some models focus on the confidentiality of information; others focus on the integrity of the information as it is being processed

Trusted Computing Base, Part 1
- Trusted Computer System Evaluation Criteria (TCSEC): an older DoD standard that defines the criteria for assessing the access controls in a computer system
- TCSEC defines a trusted computing base (TCB) as the combination of all hardware, firmware, and software responsible for enforcing the security policy
- Within the TCB is a conceptual object known as the reference monitor: the part of the system that mediates every access request and enforces the access controls

Trusted Computing Base, Part 2
- Covert channels: unauthorized or unintended methods of communication hidden inside a computer system
- TCSEC defines two kinds of covert channels: storage channels, which communicate by modifying a stored object, and timing channels, which transmit information by manipulating the relative timing of events

Trusted Computing Base, Part 3
Products evaluated under TCSEC are assigned one of the following levels of protection:
- D: Minimal protection
- C: Discretionary protection
- B: Mandatory protection
- A: Verified protection

Information Technology Security Evaluation Criteria
- Information Technology Security Evaluation Criteria (ITSEC): a European set of criteria for evaluating computer systems, similar to TCSEC
- The Target of Evaluation (TOE) is compared against detailed security function specifications
- ITSEC rates the assurance of a product on a scale from E0 (lowest, inadequate assurance) to E6 (highest)

The Common Criteria
- Common Criteria for Information Technology Security Evaluation: an international standard (ISO/IEC 15408) for computer security certification, often called "Common Criteria" or "CC"
- Considered the successor to TCSEC and ITSEC
- CC terminology includes Target of Evaluation (TOE), Protection Profile (PP), Security Target (ST), Security Functional Requirements (SFRs), and Evaluation Assurance Levels (EALs)

The Common Criteria (continued)
EAL is rated on the following scale:
- EAL1: Functionally Tested
- EAL2: Structurally Tested
- EAL3: Methodically Tested and Checked
- EAL4: Methodically Designed, Tested, and Reviewed
- EAL5: Semi-formally Designed and Tested
- EAL6: Semi-formally Verified Design and Tested
- EAL7: Formally Verified Design and Tested

Bell-LaPadula Confidentiality Model
- Bell-LaPadula (BLP) confidentiality model: a state machine model of an automated system whose state changes over time, with the security rules checked on every transition
- BLP ensures confidentiality by using MACs, data classification, and security clearances
- Two properties govern access:
- Simple security property: prohibits a subject from reading an object whose classification is higher than the subject's clearance ("no read up")
- * (star) property: prohibits a subject from writing to an object whose classification is lower than the subject's clearance ("no write down"); this stops a high-level subject from passing information to a lower-level object

Biba Integrity Model
- Biba integrity model: based on the premise that higher levels of integrity are more worthy of trust than lower ones
- Biba assigns integrity levels to subjects and objects and applies two properties:
- Simple integrity property (read): a subject may read an object only if the object's integrity level is equal to or higher than the subject's ("no read down")
- Integrity * property (write): a subject may write to an object only if the subject's integrity level is equal to or higher than the object's ("no write up")

Clark-Wilson Integrity Model
- Clark-Wilson integrity model: built upon principles of change control rather than integrity levels
- Change control principles upon which it operates: no changes by unauthorized subjects; no unauthorized changes by authorized subjects; maintenance of internal and external consistency
- Internal consistency means that the system does what it is expected to do every time; external consistency means that the data in the system is consistent with similar data in the outside world

Clark-Wilson Integrity Model (continued)
Clark-Wilson model controls:
- Subject authentication and identification
- Access to objects by means of well-formed transactions
- Execution by subjects of a restricted set of programs
Elements of the Clark-Wilson model:
- Constrained data item (CDI)
- Unconstrained data item (UDI)
- Integrity verification procedure (IVP)
- Transformation procedure (TP)

Graham-Denning Access Control Model
- The Graham-Denning access control model has three parts: a set of objects, a set of subjects, and a set of rights
- A subject is composed of a process and a domain; the domain is the set of constraints controlling how subjects may access objects
- The set of rights governs how subjects may manipulate the passive objects

Graham-Denning Access Control Model (continued)
The eight primitive protection rights are:
- Create object
- Create subject
- Delete object
- Delete subject
- Read access right
- Grant access right
- Delete access right
- Transfer access right

Harrison-Ruzzo-Ullman Model
- Harrison-Ruzzo-Ullman (HRU) model: defines a method to allow changes to access rights and the addition and removal of subjects and objects
- HRU is built on an access control matrix and includes a set of generic rights and a specific set of primitive commands:
- Create subject / create object
- Enter right X into a cell (subject, object) of the matrix
- Delete right X from a cell (subject, object) of the matrix
- Destroy subject / destroy object

Brewer-Nash Model (Chinese Wall)
- Brewer-Nash model: designed to prevent a conflict of interest between two parties; commonly known as a "Chinese Wall"
- Once a user has accessed one of two conflicting sets of data, the user can no longer access the conflicting set

Security Management Models
- U.S. federal agencies and international standard-setting organizations offer quality security management models
- Organizations wanting to adopt proprietary models must purchase the right to do so
- Some public domain sources for security management models offer free documentation

The ISO 27000 Series
- Information Technology - Code of Practice for Information Security Management: one of the most widely referenced InfoSec management models
- The Code of Practice was adopted as an international standard framework for InfoSec by the ISO and the IEC as ISO/IEC 17799
- It was revised in 2005 and in 2007 was renamed ISO/IEC 27002
- It was intended to provide a common basis for developing organizational security standards

NIST Security Models
Advantages of NIST security models over many other sources of security information:
- They are publicly available at no charge
- They have been available for some time and have been broadly reviewed by government and industry professionals

NIST Special Publication 800-12
- SP 800-12 (An Introduction to Computer Security: The NIST Handbook): an excellent reference and guide for the routine management of InfoSec
- SP 800-12 is built on the following principles: accountability, awareness, ethics, multidisciplinary, proportionality, integration, timeliness, reassessment, democracy

NIST Special Publication 800-12 (continued)
SP 800-12 organizes controls into three categories:
- Management controls
- Operational controls
- Technical controls

NIST Special Publication 800-14, Part 1
- SP 800-14 (Generally Accepted Principles and Practices for Securing Information Technology Systems): describes recommended practices and provides information on commonly accepted InfoSec principles
- Can direct the security team in the development of a security blueprint
- Also describes the philosophical principles that the security team should integrate into the entire InfoSec process

NIST Special Publication 800-14, Part 2
Significant points made in NIST SP 800-14:
- Security supports the mission of the organization
- Security is an integral element of sound management
- Security should be cost-effective
- Systems owners have security responsibilities outside their own organizations
- Security responsibilities and accountability should be made explicit
- Security requires a comprehensive and integrated approach
- Security should be periodically reassessed
- Security is constrained by societal factors

NIST Special Publication 800-18 Rev. 1
- SP 800-18 Rev. 1 (Guide for Developing Security Plans for Federal Information Systems): provides detailed methods for assessing, designing, and implementing controls and plans for applications of various sizes
- Serves as a guide for security planning activities and for the overall InfoSec planning process
- Includes templates for major application security plans

NIST Special Publication 800-30 Rev. 1
- SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments): provides a foundation for the development of an effective risk management program
- Contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems
- Organized into three chapters that explain the overall risk management process and the preparation for, conduct of, and communication of a risk assessment

NIST Special Publications 800-53 Rev. 3 and 800-53A Rev. 1
- Both publications cover recommended security controls for federal information systems (both have since been superseded by later revisions)
- SP 800-53 Rev. 3 provides a systems development life cycle (SDLC) approach to the security assessment of information systems
- NIST has a comprehensive security control assessment program that guides organizations through the preparation for, assessment of, and remediation of critical security controls

Control Objectives for Information and Related Technology
- Control Objectives for Information and Related Technology (COBIT): provides advice about the implementation of sound controls and control objectives for InfoSec
- COBIT was created by the Information Systems Audit and Control Association (ISACA), which first released it in 1996, and later developed with the IT Governance Institute (ITGI)
- There have been many updates; COBIT 5 was released in 2012 and has since been superseded by COBIT 2019

Control Objectives for Information and Related Technology (continued)
COBIT 5 provides five principles focused on the governance and management of IT:
- Meeting Stakeholder Needs
- Covering the Enterprise End-to-End
- Applying a Single, Integrated Framework
- Enabling a Holistic Approach
- Separating Governance from Management

Committee of Sponsoring Organizations
- Committee of Sponsoring Organizations (COSO) of the Treadway Commission: another control-based model
- The major objective of COSO is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence
- COSO helps organizations comply with critical regulations such as the Sarbanes-Oxley Act of 2002

COSO Definitions and Key Concepts
According to COSO, internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

Committee of Sponsoring Organizations (continued)
The COSO framework is built on five interrelated components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

Information Technology Infrastructure Library
- Information Technology Infrastructure Library (ITIL): a collection of methods and practices for managing the development and operation of IT infrastructures
- ITIL has produced a series of books, each of which covers an IT management topic
- Because ITIL includes a detailed description of many significant IT-related practices, it can be tailored to many IT organizations

Information Security Governance Framework
- The Information Security Governance Framework is a managerial model provided by an industry working group, the National Cyber Security Partnership
- The framework provides guidance in the development and implementation of an organizational InfoSec governance structure
- The framework also specifies that each independent organizational unit should develop, document, and implement an InfoSec program consistent with accepted security practices

Summary, Part 1
- A framework is the outline of a more thorough blueprint, used in the creation of the InfoSec environment
- Access controls regulate the admission of users into trusted areas of the organization
- Access control is built on the principles of least privilege, need-to-know, and separation of duties
- Approaches to access control include preventative, deterrent, detective, corrective, recovery, and compensating controls
- Mandatory access controls (MACs) are required by the system and operate within a data classification and personnel clearance scheme

Summary, Part 2
- Nondiscretionary controls are determined by a central authority in the organization and can be based on roles or on a specified set of tasks
- Security architecture models illustrate InfoSec implementations and can help organizations make quick improvements through adaptation
- One of the most widely referenced security models is ISO/IEC 27002 (formerly ISO/IEC 17799), Information Technology - Code of Practice for InfoSec Management, designed to give recommendations for InfoSec management

Summary, Part 3
- Control Objectives for Information and Related Technology (COBIT) provides advice about the implementation of sound controls and control objectives for InfoSec
- The Information Security Governance Framework is a managerial model provided by an industry working group that provides guidance in the development and implementation of an organizational InfoSec governance structure

Management of Information Security
Thank you for listening
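The Bell-LaPadula and Biba properties from the Security Architecture Models slides, and the lattice that MAC labels form when a classification level is combined with need-to-know compartments, in working code. This is an added example, not material from the chapter: the level names follow the chapter's five-level military scheme, while the compartment names, the integrity ladder (untrusted, user, system) and the subjects and objects are assumptions made for illustration. The combined check shows a request that BLP permits but Biba denies, which is why a reference monitor that enforces both must evaluate both.

```python
# Added example (not from the chapter): MAC labels as a lattice (level + compartments),
# with the Bell-LaPadula confidentiality rules and the Biba integrity rules enforced
# side by side. Compartments, the integrity ladder and all subjects are constructed.
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "sbu": 1, "confidential": 2, "secret": 3, "top secret": 4}
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}   # assumed integrity ladder


@dataclass(frozen=True)
class Label:
    """A BLP label: classification level plus a set of need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: at least as high a level AND a superset of compartments.
        # Two labels can be incomparable, e.g. secret/{nuclear} vs secret/{crypto}.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


# Bell-LaPadula (confidentiality)
def blp_can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)        # simple security property: no read up


def blp_can_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)        # *-property: no write down


# Biba (integrity), on a separate integrity label
def biba_can_read(subject_int: str, obj_int: str) -> bool:
    return INTEGRITY[obj_int] >= INTEGRITY[subject_int]   # simple integrity: no read down


def biba_can_write(subject_int: str, obj_int: str) -> bool:
    return INTEGRITY[subject_int] >= INTEGRITY[obj_int]   # integrity *-property: no write up


def mac_decision(mode, subj_conf, subj_int, obj_conf, obj_int):
    """Reference-monitor style check: the request must satisfy BOTH models.
    Returns (allowed, reasons) so a denial names the property that failed."""
    if mode not in ("read", "write"):
        raise ValueError("mode must be 'read' or 'write'")
    reasons = []
    if mode == "read":
        if not blp_can_read(subj_conf, obj_conf):
            reasons.append("BLP simple security: no read up")
        if not biba_can_read(subj_int, obj_int):
            reasons.append("Biba simple integrity: no read down")
    else:
        if not blp_can_write(subj_conf, obj_conf):
            reasons.append("BLP *-property: no write down")
        if not biba_can_write(subj_int, obj_int):
            reasons.append("Biba integrity *-property: no write up")
    return (not reasons), reasons


def demo() -> dict:
    """Constructed scenario; returns every decision so it can be inspected or tested."""
    analyst = Label("secret", frozenset({"nuclear"}))        # subject clearance
    nuc_report = Label("confidential", frozenset({"nuclear"}))
    crypto_memo = Label("secret", frozenset({"crypto"}))     # same level, other compartment
    ts_summary = Label("top secret", frozenset({"nuclear"}))
    public_feed = Label("unclassified")
    return {
        # BLP alone
        "read_down_same_compartment": blp_can_read(analyst, nuc_report),
        "read_incomparable_compartment": blp_can_read(analyst, crypto_memo),
        "write_up": blp_can_write(analyst, ts_summary),
        "write_down": blp_can_write(analyst, public_feed),
        # Biba alone: a system process must not consume untrusted input...
        "system_reads_untrusted": biba_can_read("system", "untrusted"),
        # ...but may write to a lower-integrity user file
        "system_writes_user": biba_can_write("system", "user"),
        # Combined: BLP allows the write up, but the target has higher integrity
        "combined_write": mac_decision("write", analyst, "user", ts_summary, "system"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The compartment check is what makes this a lattice rather than a simple ladder: the analyst holds "secret" clearance yet cannot read a "secret" memo in a compartment she does not hold, which is the chapter's compartmentalization (need-to-know) rule expressed as the partial order's dominance test.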
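The Brewer-Nash (Chinese Wall) rule from the Security Architecture Models slides, as a small monitor that records each subject's history and refuses access that would cross a conflict-of-interest boundary. This is an added example, not material from the chapter: the company datasets and conflict-of-interest classes are constructed, and the write rule implemented here is the model's *-property (a subject may write into a dataset only if it has read nothing from any other dataset), which the slides do not spell out.

```python
# Added example (not from the chapter): a Brewer-Nash (Chinese Wall) monitor. Each
# object belongs to a company dataset, each dataset to a conflict-of-interest (COI)
# class. Company and class names are constructed.

COI_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil": {"OilCo", "PetroInc"},
}
# Reverse index: dataset -> the COI class it belongs to.
COI_OF = {ds: coi for coi, datasets in COI_CLASSES.items() for ds in datasets}


class ChineseWall:
    def __init__(self):
        self.read_history = {}   # subject -> set of datasets already read

    def may_read(self, subject: str, dataset: str) -> bool:
        """Simple security rule: allowed if this subject already read the dataset,
        or has read nothing in the same COI class. The first choice inside a class
        is free; it then walls off the competitors for that subject."""
        if dataset not in COI_OF:
            raise KeyError(f"unknown dataset {dataset}")
        seen = self.read_history.get(subject, set())
        if dataset in seen:
            return True
        return not (seen & COI_CLASSES[COI_OF[dataset]])

    def read(self, subject: str, dataset: str) -> None:
        if not self.may_read(subject, dataset):
            raise PermissionError(f"{subject} already read a competitor of {dataset}")
        self.read_history.setdefault(subject, set()).add(dataset)

    def may_write(self, subject: str, dataset: str) -> bool:
        """*-property: a write is allowed only if the subject may read the target and
        has read nothing from any OTHER dataset; otherwise its writes could carry one
        company's information across the wall. Sanitized public data is omitted."""
        if not self.may_read(subject, dataset):
            return False
        seen = self.read_history.get(subject, set())
        return seen <= {dataset}


def demo() -> dict:
    """Constructed scenario; returns each decision so it can be inspected or tested."""
    wall = ChineseWall()
    wall.read("alice", "BankA")   # first access in the banks class: free choice
    wall.read("alice", "OilCo")   # different class: no conflict
    results = {
        "alice_may_read_BankB": wall.may_read("alice", "BankB"),    # competitor of BankA
        "alice_may_reread_BankA": wall.may_read("alice", "BankA"),
        "alice_may_write_BankA": wall.may_write("alice", "BankA"),  # she also read OilCo
    }
    try:
        wall.read("alice", "BankB")
        results["alice_read_BankB_raised"] = False
    except PermissionError:
        results["alice_read_BankB_raised"] = True
    wall.read("bob", "BankB")     # bob's history is separate from alice's
    results["bob_may_write_BankB"] = wall.may_write("bob", "BankB")
    results["bob_may_read_BankA"] = wall.may_read("bob", "BankA")
    return results


if __name__ == "__main__":
    for decision, outcome in demo().items():
        print(f"{decision}: {outcome}")
```

Unlike BLP or Biba, the decision here depends on what the subject did earlier, not on static labels, so the monitor must keep per-subject state; note also that alice's write to BankA is refused even though she may still read BankA, because the data she read from OilCo could otherwise flow into BankA's files.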