📝 Determining and applying the appropriate balance of confidentiality, integrity, and availability (CIA)
Although different, they are not necessarily contradictory - but they all require resources (money) and so the balance should be determined early on in the design process
- Prevent disclosure of information to unauthorized parties
- Numerous methods for keeping data confidential: e.g. access controls, encryption
- Access Controls: Preferred for data in use and at rest
- Encryption: Data at rest and in transit
- Protect data from unauthorized alteration
- e.g. Read-only, Read-and-write, write-only, delete access, etc
- Integrity contributes to a system's stability and reliability as well as the authenticity of data
- Availability needed is determined by criticality of data and purpose in the overall system
-
Determining the identity of a user. A user is authenticated before their authorization can be determined.
-
To verify identity, a user can provide:
- Something you know - e.g. username/password (not very reliable)
- Something you have - e.g. token
- Something about you (something you are) e.g. biometrics
- ❗ Requires extra hardware, lacks specificity
-
New categories
- what users do (dynamic biometrics such as typing patterns, gait)
- where a user is (physical location)
-
ATMs use combination of something you know (PIN) and something you have (card) so if the card is lost, someone cannot authenticate as you
- Applies predetermined access levels to the user
- Three elements are used
- Requestor (subject) - already known due to authentication system
- Object
- file, program, data, other resource
- Type/level of access to be granted
- Read, write, create, delete, right to grant access rights to other objects
-
Accounting is a means of measuring activity, auditing is the verification of what actual happened and allows management to observe in a nonpartisan manner
-
Accounting can be done in IT systems by logging crucial activity as it occurs
-
Accounting is needed when activity of specific data elements is crucial enough that it may be audited at a later date and time
-
Security level auditing can be performed at several levels:
- analysis of logging function
- verification of existence and operation of specific controls
- etc
-
Auditing takes resources to create, store, and review. Typically defaulted to minimal level so system operator must determine correct level based on system criticality.
-
System criticality is determined by information criticality associated with information manipulated/stored with the system
- Preventing a subject from denying a previous action with an object
- When authentication, authorization, and auditing are properly configured, non-repudiation is ensured
- Security requirements must specify the subjects, objects, and events for which non-repudiation is desired
- Design and implementation of controls to ensure that communication channels are secured from unauthorized access and disruption
- TCP (Transmission Control Protocol)
- sequential numbering of packets and retransmission for missing packets
- Prevents unauthorized packets and session hijacking
- Has overhead
- UDP (User Datagram Protocol)
- connection-less/session-less
- All exceptions must be detected and handled
- System should not fail in an insecure state
- Exception should not be leaked
- Configuration should be protected from unauthorized changes
- e.g. separation of duties between production/non-prod personnel
- Don't spend $10,000 to protect a $20 bill
- Trade-offs exist between security and other aspects
- If a subject may require different levels of security for different tasks, better to switch security levels with specific tasks than run all the time at higher privilege
- No single individual can abuse the system
- i.e. layered security/defense and diversity defense
- Multiple, overlapping defenses
- No system is 100% secure - true goal of security is to make cost of compromising greater in time/effort/resources than it is worth
- Diversity of defense - layers should be dissimilar in nature
- When a system experiences a failure, it should fail to a safe state
- Example: explicit deny
- CIA need to be appropriately maintained - availability causes the greatest design difficulties
- Higher complexity generally results in less security due to lack of understanding and more attack vectors
- Root cause analysis, especially for potential security issues, is much more difficult in complex systems
- Rule of thumb: eliminate all nonessential services and protocols
- Authorization is never circumvented, even with repeated access
- Example: security kernel
- Don't rely on security by obscurity
- Example: modern cryptography relies on the secrecy of the key, not secrecy of the algorithm
- Prevent inadvertent sharing of information by using separate processes when possible
- Users will try to get around security if it is seen as an obstacle
- Adding to the security of a system is most effective when applied to the weakest link
- Pros: increase efficiency and security
- Cons: monoculture environment (failures have a larger footprint)
No one single piece should be able to cause the whole system to fail
- Three key elements: people, processes, and technology
- Controls using 2-3 elements are more effective
- rarely used
- originated in military
- restrict based on information sensitivity and clearance to access that information
- system designers have to determine object/subject relationships before they can be used
- most common
- originated in military
- restrict based on identity of subjects/groups they belong to
- If a subject has permission, it is capable of passing that permission onto any other subject
- ACLs are the most common mechanism used to implement this control
- Strength: simplicity
- Weakness: security is optional, owner has to define access for potentially a plethora of objects
pretty common for active directory
- much less common than role-based
- Use ACLs that have rules baked in such as only allow access during a certain time-of-day
- strength: simplicity
- weakness: difficult to implement due to no constraints, doesn't scale well
- Example: doctor getting one set of access for a specific patient vs a different patient
- Represented via eXtensible Access Control Markup Language (XACML)
- also works for policy-based access control
- Two principles
- Simple Security Rule - in order to see something, you have to be authorized
- Used to preserve confidentiality - e.g. subject with medium clearance can't ready information with high sensitivity, only medium sensitivity
- No-read-up
- * property (star property)
- No-write-down
- Subjects can only write to an object if the object has equal or higher classification - e.g. medium clearance can only write to medium sensitivity and above
- Simple Security Rule - in order to see something, you have to be authorized
- Uses graph theory based on mathematical representation of controls
- Can be used to definitively determine rights
- Not typically used to implement access control but rather to analyze implementations
- Separate groups have labels, groups act as containers, can be hierarchical
- Depending on type of information, can be just as important or more important than confidentiality. e.g. stock prices (public but integrity is crucial)
- Preserves information integrity
- Integrity levels separate permissions
- Low water mark policy, i.e. no-write-up rule
- lower integrity subjects can't write up to higher integrity subjects
- Integrity level of a subject is lowered if it acts on a subject with lower integrity
- Uses transactions
- Two levels:
- Constrained data items (CDI)
- Subject to integrity controls
- Constrained data items (CDI)
- Unconstrained data items (UDI)
- Two types of processes:
- Integrity verification processes (IVPs)
- Ensure CDI data meets constraints
- Transformation processes (TPs)
- Change state of data from one to another
- Data can only be changed by trusted TPs, not users
- Integrity verification processes (IVPs)
Example:
- A bank account balance is a CDI since integrity is important
- TP is the only way changes can be made
- IVP ensures balance is correct
- Technology employed to prevent access
- People trained not to compromise information
- Policies/processes put in place to ensure technology/people are properly used
- Main security issue is protecting information when stored, in transit, and being processed
- Multiple levels - Level 0 (high level), level 1, level 2 (lowest level)
-
Functional perspective - how the system uses data
-
Use cases for normal and abnormal use
- Very important to security to understand use cases and misuse cases
- Software assurance - level of confidence that software is free from intentional and accidental vulnerabilities, software functions as intended
Three methods of managing security:
- prevention - access control, firewall, encryption
- detection - audit logs, intrusion detection, honeypots
- response - backups, incident response teams, forensics
Standards, guidelines, best practices
5 main categories:
- Identify
- Protect
- Detect
- Respond
- Recover
Includes mother nature :)
- Based on skill level
- Script Kiddie - 80-85% of adversaries
- Hacker - explorer - 15-20% key adversary due to skill/motivation
- Cracker - hacker with malicious intent
- Elite - 1-3%
- completely underground
- Unstructured threat - little or no resources, no specific motivation, typically only an annoyance
- Structured threat - specific mission, time and resources
- Highly structured threat - organized crime, crimeware
- Nation-state threat
- Advanced persistent threat (APT) - multiple methods to penetrate and then live undetected
- Insider vs outsider
- Around 2005 - criminalization of cyberspace allowing monetization
- Market for exploits