Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017

FRSecure 2017 CISSP
Mentor Program
EVAN FRANCEN, PRESIDENT & CEO – FRSECURE
BRAD NIGH, SENIOR INFORMATION SECURITY ANALYST - FRSECURE
CLASS SESSION #4

CISSP Mentor Program Session #4
Domain 2: Asset Security - Review
• Classifying Data
• Ownership
• Memory and Remanence
• Data Destruction
• Determining Data Security Controls

Domain 2: Asset Security – Quiz Review

D
A

C
A

D
D

B
B

A
D

B
C

A
Piece of cake!

Domain 2: Asset Security – Current Events
http://www.nytimes.com/2016/01/30/us/politics/22-clinton-emails-
deemed-too-classified-to-be-made-public.html?_r=0
http://www.usnews.com/news/articles/2016-05-04/panama-papers-
revelation-we-must-rethink-data-security-systems
http://www.databreaches.net/centene-discloses-missing-hard-drives-
contain-personal-information-of-950000-people/

Domain 3: Security Engineering (Engineering and Management of
Security)
• Security Models
• Evaluation Methods, Certification and Accreditation
• Secure System Design Concepts
• Secure Hardware Architecture
• Secure Operating System and Software Architecture
• Virtualization and Distributed Computing
• System Vulnerabilities, Threats and Countermeasures
Formerly separate domains: Security Architecture, Cryptography, and Physical Security

Security Models
What subjects and objects are permitted to
do (within a model or framework)
• Subject (often a user)
• Object (a resource)
• Managing relationship between subject
and object is access control
• Understand concepts of read up, read
down, write up, write down

Security Models
Controls
• Discretionary access control (DAC)
• Defined in the Trusted Computer System Evaluation Criteria (TCSEC); Orange Book
• Means of restricting access to objects based on the identity of subjects and/or groups to which they belong
• A subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject
• Mandatory access control (MAC)
• Type of access control where the operating system constrains the ability of a subject to access or perform some sort of operation on an
object
• Authorization rule enforced by the operating system kernel
• Security policy is centrally controlled by a security policy administrator
• Rule-based access control (RBAC)
• Access is allowed or denied to objects based on a set of rules defined by a system administrator
• Access properties are stored in Access Control Lists (ACL) associated with each object
• Role-based access control (also RBAC)
• Also known as Non-discretionary Access Control
• Assigns permissions to particular roles in an organization

Security Models
Understand the Fundamental Concepts of Security Models
• State Machine Model
• Bell-LaPadula Model
• Lattice-Based Access Controls
• Biba Model
• Clark-Wilson Model
• Information Flow Model
• Brewer and Nash Model (aka Chinese Wall)
• Take-Grant Model
• Access Control Matrix
• Zachman Framework for Enterprise Architecture
• Graham-Denning Model
• Harrison-Ruzzo-Ullman Model

Security Models
State Machine Model
• State of a machine is captured in order to verify the security of a system
• State consists of all current permissions and all current instances of subjects
accessing the objects. If the subject can access objects only by means that are
concurrent with the security policy, the system is secure
• Always secure no matter what state it is in
• Finite state machine (FSM)
• State transition
• Secure state machine
• The basis for most other security models

Security Models
Bell-LaPadula Model
• Originally developed for the U.S. Department of Defense
• Focused on maintaining the confidentiality of objects
• Two Access Rules:
• Simple Security Property – no read up
• * Security Property (“Star” Security Property) – no write down
• Two Object Label Rules:
• Strong and Weak Tranquility Property - security labels will not change while the system is
operating
• Weak Tranquility Property - security labels will not change in a way that conflicts with defined
security properties

Security Models
Lattice-Based Access Controls
• Security controls for complex environments
• For every relationship between a subject and an
object, there are defined upper and lower access
limits implemented by the system
• Subjects have a Least Upper Bound (LUB) and
Greatest Lower Bound (GLB) of access to the objects
based on their lattice position
• A security lattice model combines multilevel and
multilateral security

Security Models
Biba Model
• Developed after Bell-LaPadula model
• Focused on maintaining the integrity of objects
• Uses a lattice of integrity levels unlike Bell-LaPadula which
uses a lattice of security levels
• Two primary rules
• Simple Integrity Axiom – no read down
• * Integrity Axiom (“Star” Integrity Axiom) – no write up
• Essentially the reverse of Bell-LaPadula

Security Models
Clark-Wilson Model
• Real-world integrity model
• Requires subjects to access objects via programs
• Programs have specific limitations to what they can and cannot do to objects
• Two primary concepts
• Well-Formed Transactions - ability to enforce control over applications; comprised of the “access
control triple:” user, transformation procedure (TP/well-formed transaction), and constrained
data item (CDI/data that requires integrity) - integrity verification procedures (IVPs) ensure that
data are kept in a valid state
• Separation of Duties - ensures that authorized users do not change data in an inappropriate way
Separation of duties and transformation procedures.
1) Authorized access and 2) Modification only in an authorized
manner

Security Models
Information Flow Model
• In this model, data is thought of as being held in individual discrete
compartments
• Information is compartmentalized based on two factors; classification and
need to know
• Subject clearance has to dominate the object classification and the subject
security profile must contain the one of the categories listed in the object
label, which enforces need to know

Security Models
Brewer and Nash Model (aka Chinese Wall)
• Designed to avoid conflicts of interest by prohibiting one person, such as a
consultant, from accessing multiple conflict of interest categories (CoIs)
• Provides access controls that can change dynamically depending upon a user’s
previous actions
• Model states that a subject can write to an object if, and only if, the subject
can not read another object that is in a different data set
• Initially designed to address the risks inherent with employing consultants
working within banking and financial institutions

Security Models
Noninterference Models
• Model ensures that any actions that take place at a higher security level do
not affect, or interfere with, actions that take place at a lower level
• Not concerned with the flow of data, but rather with what a subject knows
about the state of the system
• Addresses the inference attack that occurs when some one has access to
some type of information and can infer(guess) something that he does not
have the clearance level or authority to know.
• Covert Channel – policy violation hidden from the system owner

Security Models
Take-Grant Model
• Contains rules that govern the interactions between subjects and objects, and
permissions subjects can grant to other subjects
• Two rights occur in every instance of the model: take and grant
• Rules include take, grant, create, and remove
• take rule allows a subject to take rights of another object (add an edge originating at the subject)
• grant rule allows a subject to grant own rights to another object (add an edge terminating at the
subject)
• create rule allows a subject to create new objects (add a vertex and an edge from the subject to
the new vertex)
• remove rule allows a subject to remove rights it has over on another object (remove an edge
originating at the subject)

Security Models
Access Control Matrix
• Commonly used in OS and applications
• Table that defines access permissions between specific subjects and objects

Security Models
Zachman Framework for
Enterprise Architecture
• Six frameworks for providing
information security, asking what,
how, where, who, when, and why

Security Models
Graham-Denning Model
• Defines a set of basic rights in terms of commands that a specific subject can execute
on an object
• Three parts; objects, subjects, and rules; focus on the eight (8) rules:
• R1: Transfer Access
• R2: Grant Access
• R3: Delete Access
• R4: Read Object
• R5: Create Object
• R6: Destroy Object
• R7: Create Subject
• R8: Destroy Subject

Security Models
Harrison-Ruzzo-Ullman Model
• HRU is an operating system level computer security model which deals with the integrity of access
rights in the system
• Based around the idea of a finite set of procedures being available to edit the access rights of a
subject on an object
• Maps subjects, objects, and access rights to an access matrix
• Variation to the Graham-Denning Model
• Six primitive operations:
• Create object
• Create subject
• Destroy subject
• Destroy object
• Enter right into access matrix
• Delete right from access matrix

Security Models
Modes of Operation
• There are four (4) modes of system/access control operation:
• Dedicated:
• Only one classification (label) for all objects in the system
• Subject must possess a clearance equal or greater than the system label
• Subjects must have 1) appropriate clearance, 2) formal access approval, and 3) a need to
know for all the objects in the system

Security Models
Modes of Operation
• System High:
• System contains objects of mixed labels
• Subjects must possess a clearance equal to (or greater than) the highest object label

Security Models
Modes of Operation
• Compartmented:
• Objects are placed into “compartments”
• Subjects must have a formal (system-enforced) need to know to access data in
compartment
• All subjects must have 1) Signed NDA for ALL information on the system, 2) clearance for
ALL information on the system, 3) formal access approval for SOME objects on the system,
and 4) valid need to know for SOME objects on the system

Security Models
Modes of Operation
• Multilevel:
• System contains objects of varying labels
• Subjects with varying clearances can access the system
• Reference Monitor mediates access between subjects and objects
• All subjects must have 1) Signed NDA for ALL information on the system, 2) clearance for
SOME information on the system, 3) formal access approval for SOME objects on the
system, and 4) valid need to know for SOME objects on the system

Evaluation Methods, Certification and
Accreditation
Trusted Computer System Evaluation
Criteria (TCSEC or Orange Book)
• Developed by the federal government; National
Computer Security Center (NCSC), part of the
National Institute of Standards and Technology
(NIST), and the National Security Agency (NSA)
• Developed in 1983 as part of the Rainbow Series
• One of the 1st evaluation frameworks
• Now used as part of U.S. Government Protection
Profiles within the International Common Criteria
framework

Evaluation Methods, Certification and Accreditation
Trusted Computer System Evaluation Criteria (TCSEC or Orange Book)
• Download here http://csrc.nist.gov/publications/history/dod85.pdf
• Division D is the lowest form of security, and A is the highest:
• D: Minimal Protection
• C: Discretionary Protection
• C1: Discretionary Security Protection
• C2: Controlled Access Protection
• B: Mandatory Protection
• B1: Labeled Security Protection
• B2: Structured Protection
• B3: Security Domains
• A: Verified Protection
• A1: Verified Design

Trusted Network Interpretation (TNI)/Red Book
• Sort of like the Orange Book for network systems
• Can download it here http://ftp.fas.org/irp/nsa/rainbow/tg011.htm
• All of the Rainbow Books can be accessed here
http://ftp.fas.org/irp/nsa/rainbow.htm

Information Technology Security Evaluation Criteria (ITSEC)
• Used extensively in Europe (where it was developed)
• 1st successful international evaluation criteria
• References to the Orange Book, but added:
• F – Functionality
• Q – Effectiveness (part of assurance)
• E – Correctness (also part of assurance)

• Assurance correctness ratings range from E0 (inadequate) to E6 (formal model of
security policy)
• Functionality ratings range include TCSEC equivalent ratings (F-C1, F-C2, etc.)
• The equivalent ITSEC/TCSEC ratings are:
• 0: D
• F-C1,E1: C1
• F-C2,E2: C2
• F-B1,E3: B1
• F-B2,E4: B2
• F-B3,E5: B3
• F-B3,E6: A1

• Additional functionality ratings include:
• F-IN: High integrity requirements
• AV: High availability requirements
• DI: High integrity requirements for networks
• DC: High confidentiality requirements for networks
• DX: High integrity and confidentiality requirements for networks

International Common Criteria (“Common Criteria”)
• Internationally agreed upon standard for describing and testing the security of IT
products
• Primary objective of the Common Criteria is to eliminate known vulnerabilities of the
target for testing
• Terms:
• Target of Evaluation (ToE): the system or product that is being evaluated
• Security Target (ST): the documentation describing the TOE
• Protection Profile (PP): an independent set of security requirements and objectives for a specific
category of products or systems
• Evaluation Assurance Level (EAL): the evaluation score of the tested product or system

International Common Criteria (“Common Criteria”)
• There are seven (7) Levels of Evaluation (EALs):
• EAL1: Functionally tested
• EAL2: Structurally tested
• EAL3: Methodically tested and checked
• EAL4: Methodically designed, tested, and reviewed
• EAL5: Semi-formally designed, and tested
• EAL6: Semi-formally verified, designed, and tested
• EAL7: Formally verified, designed, and tested
• Latest version of Common Criteria (July 2009, Version 3.1, Rev.3);
http://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R3.pdf

Secure System Design Concepts
Layering
• Separates hardware and software functionality into modular tiers
• Actions that take place at one layer do not directly affect components in
another
• For networking types; OSI is an example of layering (covered later)
• Generic list of security architecture layers:
• Hardware
• Kernel (and system/device drivers)
• Operating system
• Applications

Abstraction – Complexity is the enemy of security
• Unnecessary details are hidden from the user
• Good example from the book:
A user double-clicks on an MP3 file containing music, and the music plays via the
computer speakers. Behind the scenes, tremendously complex actions are taking
place: the operating system opens the MP3 file, looks up the application associated
with it, and sends the bits to a media player. The bits are decoded by a media player,
which converts the information into a digital stream, and sends the stream to the
computer’s sound card. The sound card converts the stream into sound, sent to the
speaker output device. Finally, the speakers play sound. Millions of calculations are
occurring as the sound plays, while low-level devices are accessed.
Abstraction means the user simply presses play and hears music.

Security Domains
• A security domain is the list of objects a subject is allowed to access.
• A security domain is also a groups of subjects and objects with similar security
requirements
• Kernel - the central core of a computer's operating system; two domains (or modes)
• User mode – user accounts and processes
• Kernel mode (or supervisor mode) – the kernel itself; low-level access to memory and hardware
components
• The two domains are separated – an error in user mode should not affect kernel mode operation
• Operating systems run entirely in kernel mode

The Ring Model
• Form of CPU hardware layering used to separate and protect domains (user mode from kernel mode)
• Most CPUs (including Intel x86) have four rings
• Ring 0 – Kernel
• Ring 1 – Operating system components outside of Ring 0
• Ring 2 - Device drivers
• Ring 3 – User applications
• Processes communicate between the rings via system calls
• System calls are slow (compared to performing work within one ring), but provide security
• Ring model also provides abstraction
• Linux and Windows use rings 0 and 3 only
• Hypervisor mode allows virtual guests to operate in ring 0, controlled by the hypervisor one ring “below” (ring
-1)

The Ring Model

Secure Hardware Architecture
Open and Closed Systems
• Open systems use open hardware and
standards, using standard components from
various vendors
• IBM-compatible PCs
• Closed systems use proprietary hardware or
software

System Unit and Motherboard
• System unit is the computer case and
everything in it.
• The motherboard is the hardware board that
typically includes the Central Processing Unit
(CPU), memory slots, firmware, and peripheral
slots such as PCI (Peripheral Component
Interconnect) slots.

Computer Bus
• Primary communication channel
on a computer system
• Communication between the
CPU, memory, and input/output
devices such as keyboard,
mouse, display, etc., occur via
the bus

Computer Bus
• Northbridge – also called the Memory
Controller Hub (MCH), connects the
CPU to RAM and video memory;
directly connected to CPU, so it’s
faster
• Southbridge - also called the I/O
Controller Hub (ICH), connects
input/output (I/O) devices, such as
disk, keyboard, mouse, CD drive, USB
ports, etc.

The Central Processing Unit (CPU)
• The “brains” - capable of controlling and performing mathematical
calculations
• Everything a computer does is mathematical
• Rated by the number of clock cycles per second; a 2.4 GHz Pentium 4 CPU has
2.4 billion clock cycles per second.

• Arithmetic Logic Unit (ALU) -
performs mathematical calculations
• Control Unit (CU) – controls and send
instructions to the ALU

• Fetch & Execute, process actually takes
four steps (one CPU or clock cycle):
• Fetch Instruction 1
• Decode Instruction 1
• Execute Instruction 1
• Write (save) result 1

• Pipelining combines multiple steps into one combined process; simultaneous
fetch, decode, execute, and write steps
• Each part is called a pipeline stage

• Interrupts cause the CPU to stop processing its current task, save the state,
and process a new request. Once the interrupt task is complete, the CPU will
start where it left off.
• Interrupts are typically hardware related.

• Process – an executable program and its data loaded and running in memory
• Thread (also called a lightweight process or “LWP”) – a child process; where one
process has “spawned” another process. A heavyweight process (or “HWP”) is called
a task; one big advantage for threads is that they can share memory.
• Process states:
• New: a process being created
• Ready: process waiting to be executed by the CPU
• Running: process being executed by the CPU
• Blocked: waiting for I/O
• Terminate: a completed process
A zombie or orphan is a
process (or thread) where
the parent is terminated

• Multitasking allows multiple tasks (heavy weight processes) to run
simultaneously on one CPU
• Multiprocessing - multiple processes running on multiple CPUs
• Symmetric Multiprocessing (SMP) - one operating system to manage all CPUs
• Asymmetric Multiprocessing (AMP) - one operating system image per CPU
• Multiprogramming - multiple programs running simultaneously on one CPU
• Multithreading - multiple threads (light weight processes) running
simultaneously on one CPU

• Watchdog Timers are designed to recover a system by rebooting after critical
processes hang or crash
• Complex Instruction Set Computer (CISC)
• Reduced Instruction Set Computer (RISC)

Memory Protection
• Preventing processes from accessing memory space belonging to another
• Memory protection is required for multi-user systems
Process Isolation
• Logical control that attempts to prevent one process from interfering with
another
• Object encapsulation - treats a process as a “black box”
• Time multiplexing - multiplexes system resources between multiple processes,
each with a dedicated slice of time

Memory Protection
Hardware Segmentation
• Completely separate hardware
Virtual Memory
• Virtual address mapping between applications and hardware memory

Memory Protection
Swapping and Paging
• Uses virtual memory to copy contents in primary memory (RAM) to or from
secondary memory (not directly addressable by the CPU, on disk)
• Kernel accessing memory in swap space results in a page fault

BIOS
• Basic Input Output System
• contains code in firmware that is executed when a PC is powered on
• 1st thing it does is run the Power On Self-Test (POST)
• POST finds the boot sector that contains machine code for the OS kernel
• Kernel loads and executes into the OS

In general, the MBR consists of 512 or more bytes located
in the first sector of the drive.

WORM Storage
• Write Once Read Many
• Usually used for record retention and high integrity information
• CD-Rs, DVD-Rs, etc.
• Not CD-RWs or DVD-RWs

Secure Operating System and Software Architecture
Trusted Platform Module (or TPM)
• Developed and updated by the Trusted Computing Group; international
standard
• Processor that can provide additional security capabilities in hardware
• Usually on the motherboard
• Hardware-based encryption (fast)
• Boot integrity – protecting against rootkits and kernel bypass attacks
• Platform integrity and disk encryption (primary uses)

Trusted Platform Module (or TPM)
Tidbit
The United States Department of Defense (DoD) specifies that "new computer assets
(e.g., server, desktop, laptop, thin client, tablet, smartphone, personal digital assistant,
mobile phone) procured to support DoD will include a TPM version 1.2 or higher where
required by DISA STIGs and where such technology is available."

Kernel
• Heart (or core) of the operating system, usually running at ring 0
• Interface between the operating system and hardware
• Monolithic kernel - compiled into one static executable and the entire kernel
runs in supervisor mode; requires recompiling to add new features
• Microkernel – a modular kernel; can add functionality via loadable kernel
modules

Secure Operating System and
Software Architecture
Kernel
• Reference monitor – core function of
the kernel; mediates all access between
subjects and objects
• Always enabled and cannot be
bypassed

Users and File Permissions
• Types of permissions available depend on the file system being used
• Linux and UNIX permissions
• Read (“r”)
• Write (“w”)
• Execute (“x”)
• permissions may be set separately to the owner, group, or world

Linux and UNIX permissions - output of a Linux “ls –la /etc”

• Types of permissions available depend on the file system being used
• Microsoft NTFS Permissions
• Read
• Write
• Read and execute
• Modify
• Full control (read, write, execute, modify, and in addition the ability to change the
permissions.)

Questions?
We made it through Class #4!
We’re leaving off at “Virtualization and Distributed Computing”
No Quiz, so we’ll have no problem catching up…
Homework for Tuesday (4/11)
◦ Continue reading Chapter 4/Domain 3: Security Engineering (Engineering and
Management of Security) – We will cover the rest of this chapter and it will be
a lot of information!
◦ Come with questions!
Have a great evening, talk to you Tuesday!

Questions?
Hopefully about security.
Thank you!
Evan Francen
◦ FRSecure
◦ efrancen@frsecure.com
◦ 952-467-6384

Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017

More Related Content

What's hot (20)

Viewers also liked (10)

Similar to Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017 (20)

More from FRSecure (20)

Recently uploaded (20)

Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017