Security System and COntrol 1

Transcription

1 Security System and COntrol 1

2 Security Management By: Joseph Ronald Canedo

3 It is a Risky World

4 Vulnerabilities Security objectives: Prevent attacks Detect attacks Recover from attacks Attacks: against weaknesses in the information systems Need: find weaknesses Control 4

5 Identifying and Eliminating Weaknesses I. Vulnerability monitoring II. III. IV. Secure system development User training and awareness Avoiding single point of failure Control 5

6 I. Vulnerability Monitoring Identify potential weaknesses in existing information systems Reveal wide-range of vulnerabilities Control 6

7 I. Security Flaws Secure software installation Correct installation of software Change default settings Validate upgrades/changes Patch new security flaws Control 7

8 I. Vulnerability Detection Tools Computer Oracle and Password System (COPS) FREE Checks vulnerabilities of UNIX systems Secure Analysis Tool for Auditing Networks (SATAN) FREE SAFEsuite (Internet Security Systems, Inc.) Family of network security assessment tools (web security scanner, firewall scanner, intranet scanner, system security scanner) Keyed to the IP address of the customer Control 8

9 I. Keeping up with Security Publications Legal publications: how to remove vulnerabilities CERT advisories SANS Security Digest Hacker publications: how to exploit known vulnerabilities Security mailing lists Control 9

10 II. Building Secure Systems 1960s: US Department of Defense (DoD) risk of unsecured information systems 1981: National Computer Security Center (NCSC) at the NSA DoD Trusted Computer System Evaluation Criteria (TCSEC) == Orange Book Control 10

11 II. Orange Book Orange Book objectives: Guidance of what security features to build into new products Provide measurement to evaluate security of systems Basis for specifying security requirements Security features and Assurances Trusted Computing Base (TCB) security components of the system Control 11

12 II. Orange Book Levels Highest Security A1 Verified protection B3 Security Domains B2 Structured Protection B1 labeled Security Protections C2 Controlled Access Protection C1 Discretionary Security Protection D Minimal Protection No Security Control 12

13 II. Security Policy C1 C2 B1 B2 B3 A1 DAC + + nc nc + nc Object Reuse 0 + nc nc nc nc Labels nc nc Label integrity nc nc nc Exploration of labeled info nc nc nc Labeling human-readable output nc nc nc MAC nc nc Subject sensitive labels nc nc Device Labels nc nc 0 no requirements MAC + added requirement (from lecture notes of Jajodia nc no change Control 13

14 II. Accountability C1 C2 B1 B2 B3 A1 Identification and Authentication nc nc nc Audit nc Trusted Path nc 0 no requirements + added requirement nc no change Assurance changes (from lecture notes of Jajodia Control 14

15 II. Assurance C1 C2 B1 B2 B3 A1 System Architecture nc System Integrity + nc nc nc nc nc Security Testing Design Specification and Verification Covert Channel Analysis Trusted Facility Management nc Configuration Management nc + Trusted Recovery nc Trusted Distribution no requirements No covert channel + added requirement (from lecture notes of Jajodia nc no change Control 15

16 II. Documentation C1 C2 B1 B2 B3 A1 Security Features User s Guide + nc nc nc nc nc Trusted Facility Manual nc Test Documentation + nc nc + nc + Design Documentation + nc no requirements + added requirement nc no change (from lecture notes of Jajodia Control 16

17 II. Covert Channel Analysis B1: no requirements B2: covert storage channels B3: covert channels (timing and storage channels) A1: formal methods (proof of covert channel analysis) (from lecture notes of Jajodia Control 17

18 II. Design Specifications and Verification C2: no requirement B1: informal or formal model of the security policy B2: formal model of the security policy that is proven consistent with its axioms, DTLS (descriptive top-level specification) of the TCB) B3: convincing argument shall be given that the DTLS is consistent with the model A1: FTLS (formal top-level specification) of the TCB Formal and informal techniques to show that FTLS is consistent with the model Convincing argument the DTLS is consistent with the model (from lecture notes of Jajodia Control 18

19 II. Orange Book Classes C1, C2: simple enhancement of existing systems. Does not break applications. B1: relatively simple enhancement of existing system. May break some of the applications. B2: major enhancement of existing systems. Will break many applications. B3: failed A1 A1: top-down design and implementation of a new system from scratch. (from lecture notes of Jajodia Control 19

20 II. Orange Book Criticisms Mixes various levels of abstraction in a single document Does not address integrity of data Combines functionality and assurance in a single linear rating scale (from lecture notes of Jajodia Control 20

21 II. Functionality vs Assurance functionality is multidimensional assurance has a linear progression functionality C2 B1 B2 B3 A1 C1 assurance (from lecture notes of Jajodia Control 21

22 II. NCSC Rainbow Series Orange: Trusted Computer System Evaluation Criteria Yellow: Guidance for applying the Orange Book Red: Trusted Network Interpretation Lavender: Trusted Database Interpretation (from lecture notes of Jajodia Control 22

23 II. European Criteria German Information Security Agency: German Green Book (1988) British Department of Trade and Industry and Ministry of Defense: several volumes of criteria Canada, Australia, France: works on evaluation criteria 1991: Information Technology Security Evaluation Criteria (ITSEC) For European community Decoupled features from assurance Introduced new functionality requirement classes Accommodated commercial security requirements Control 23

24 II. United State January 1996: Common Criteria Joint work with Canada and Europe Separates functionality from assurance Nine classes of functionality: audit, communications, user data protection, identification and authentication, privacy, protection of trusted functions, resource utilization, establishing user sessions, and trusted path. Seven classes of assurance: configuration management, delivery and operation, development, guidance documents, life cycle support, tests, and vulnerability assessment. Control 24

25 II. Common Criteria Evaluation Assurance Levels (EAL) EAL1: functionally tested EAL2: structurally tested EAL3: methodologically tested and checked EAL4: methodologically designed, tested and reviewed EAL5: semi-formally designed and tested EAL6: semi-formally verified and tested EAL7: formally verified design and tested Control 25

26 II. National Information Assurance Partnership (NIAP) 1997: National Institute of Standards and Technology (NIST), National Security Agency (NSA), and Industry Aims to improve the efficiency of evaluation Transfer methodologies and techniques to private sector laboratories Functions: developing tests, test methods, tools for evaluating and improving security products, developing protection profiles and associated tests, establish formal and international schema for CC. Control 26

27 III. Security Awareness and Training Major weakness: users unawareness Organizational effort Educational effort Customer training Federal Trade Commission: program to educate customers about web scams Control 27

28 IV. Avoid Single Point of Failure Critical information resources Identification Backup Hiding Separation of duties Multi-person requirements Limit temptations Control 28

29 Security System and COntrol 29