Models Summary - CISSP Materials TJ Scott 2013

Security Models, Evaluation Criteria and Frameworks
Jerry Scott, 2012

Product Evaluation Models: TCSEC (A, B, C, D); ITSEC (E0 to E6); Common Criteria (EAL 1 to EAL 7; PP, TOE, ST, EAL)

Security Models: BLP, Biba, Clark Wilson, Brewer Nash, Non-Interference Models

Security Model Comparison (Security Model Names, CIA Triad, MAC / DAC, Access Tuple, Comments)

Model: Bell LaPadula
CIA Triad: Confidentiality
MAC / DAC: MAC
Comments: 1) Three named properties: Simple Security Policy, Star Security Policy and Strong Star Policy, with directional permissions: no read up but read down, write up but no write down, and under Strong Star you can only read and write at your own hierarchical level. 2) First mathematical model dealing with confidentiality.

Model: Biba
CIA Triad: Integrity
MAC / DAC: MAC
Access Tuple: Subject, Object
Comments: 1) Names of each property. 2) Permissions (read / write / read and write). 3) Directional. 4) Meets only one of the goals of integrity: preventing unauthorized users from modifying data or programs. 5) Also mathematical.

Model: Clark Wilson
CIA Triad: Integrity
MAC / DAC: DAC
Access Tuple: Subject, Program, Object (access triple)
Comments: 1) Meets all three goals of integrity: a) prevents unauthorized users from modifying data and/or programs, b) maintains internal and external consistency, c) prevents authorized users from improperly modifying data and/or programs. 2) Uses well-formed transactions to achieve the three integrity goals.

Model: Information Flow
MAC / DAC: DAC
Access Tuple: Object, Object
Comments: 1) Covert channels: Information Flow is the only model to discuss covert channels. 2) Timing channels. 3) Storage channels.

Model: Brewer Nash
MAC / DAC: DAC
Access Tuple: Subject, Object
Comments: 1) Sometimes called the Chinese Wall model. 2) Information is held mutually exclusively. 3) Derived from the Information Flow model. 4) In the Brewer Nash model, no information can flow between the subjects and objects in such a way as to create a conflict of interest.
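The directional rules in the Bell LaPadula and Biba comments above, as an added example that is not part of the study notes: one ordered lattice per model, the simple, star and strong star checks for BLP, their Biba mirror images, and a combined check for a system that enforces both. The level names are constructed.

```python
# Added example, not from the study notes. Level names are constructed; each model
# gets its own totally ordered lattice (lowest level first).
CONFIDENTIALITY = ["unclassified", "confidential", "secret", "top_secret"]
INTEGRITY = ["untrusted", "user", "system"]

def _rank(lattice, level):
    if level not in lattice:
        raise ValueError(f"unknown level {level!r}")
    return lattice.index(level)

def blp_allowed(subject, obj, op, strong_star=False):
    """Bell LaPadula (confidentiality).
    simple security: no read up    -> read only when obj <= subject
    star property:   no write down -> write only when obj >= subject
    strong star:     read and write only at the subject's own level"""
    s, o = _rank(CONFIDENTIALITY, subject), _rank(CONFIDENTIALITY, obj)
    if strong_star:
        return s == o
    if op == "read":
        return o <= s
    if op == "write":
        return o >= s
    raise ValueError(f"unknown operation {op!r}")

def biba_allowed(subject, obj, op):
    """Biba (integrity) is the mirror image of BLP.
    simple integrity: no read down -> read only when obj >= subject
    star integrity:   no write up  -> write only when obj <= subject"""
    s, o = _rank(INTEGRITY, subject), _rank(INTEGRITY, obj)
    if op == "read":
        return o >= s
    if op == "write":
        return o <= s
    raise ValueError(f"unknown operation {op!r}")

def allowed(subject_label, object_label, op):
    """A system enforcing both models at once: labels are (confidentiality, integrity)
    pairs and an access goes through only if BLP and Biba both agree."""
    (sc, si), (oc, oi) = subject_label, object_label
    return blp_allowed(sc, oc, op) and biba_allowed(si, oi, op)
```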

Security Model and Security Evaluation Criteria Jerry Scott 2012


The G&M Security Model (1982)

In 1982, Goguen and Meseguer (G&M) introduced an approach to secure systems based on automaton theory and domain separation. Their approach is divided into four stages: first, determining the security needs of a given community; second, expressing those needs as a formal security policy; third, modeling the system which that community is (or will be) using; and last, verifying that this model satisfies the policy. G&M distinguish sharply between a security policy and a security model. A security policy is defined as the security requirements for a given system (based on the needs of the community). Security policies can be simple and easy to state in an appropriate formalism. Goguen provides a simple requirement language for stating security policies, based on the concept of noninterference.

The G&M model is one of the first non-interference models. In the G&M noninterference model, the activities of one group of users, using a certain set of commands, are noninterfering with another group of users if what the first group does with those commands has no effect on what the second group of users can see. A security model is defined as an abstraction of the system itself; it provides a basis for determining whether or not a system is secure, and if not, for detecting its flaws.
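The noninterference definition just stated, as an added example that is not from the study notes or from the G&M paper: a constructed two-user automaton, G&M's purge of one user's commands, and an exhaustive check that the low user's view is the same with and without the high user's activity. The user names, registers and view functions are assumed.

```python
from itertools import product

# Added example, not from the study notes. A constructed two-user automaton: each user
# owns one register that it sets with a command (user, value). HIGH, LOW and the two
# view functions are assumed names, not notation from the G&M paper.
HIGH, LOW = "high", "low"

def step(state, cmd):
    """Transition function: command (user, value) sets that user's register."""
    user, value = cmd
    new_state = dict(state)
    new_state[user] = value
    return new_state

def low_view_secure(state):
    """What LOW observes in the secure machine: only LOW's own register."""
    return state[LOW]

def low_view_leaky(state):
    """A flawed machine: LOW's view also reveals whether HIGH stored a non-zero value."""
    return (state[LOW], state[HIGH] != 0)

def run(commands, low_view):
    """Run a command sequence from the initial state and return LOW's observation."""
    state = {HIGH: 0, LOW: 0}
    for cmd in commands:
        state = step(state, cmd)
    return low_view(state)

def purge(commands, user):
    """G&M purge: drop every command issued by `user`."""
    return [cmd for cmd in commands if cmd[0] != user]

def noninterfering(low_view, max_len=3, values=(0, 1)):
    """HIGH is noninterfering with LOW if, for every command sequence w, LOW's view
    after w equals LOW's view after purge_HIGH(w). Checked exhaustively over all
    sequences up to max_len; returns (True, None) or (False, offending sequence)."""
    alphabet = [(user, v) for user in (HIGH, LOW) for v in values]
    for n in range(max_len + 1):
        for w in product(alphabet, repeat=n):
            w = list(w)
            if run(w, low_view) != run(purge(w, HIGH), low_view):
                return False, w
    return True, None

if __name__ == "__main__":
    print("secure machine:", noninterfering(low_view_secure))  # (True, None)
    print("leaky machine: ", noninterfering(low_view_leaky))   # (False, [('high', 1)])
```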


The Graham Denning Security Model

This model addresses how to define a set of basic rights governing how specific subjects can execute security functions on an object. The model has eight basic protection rules or actions that outline:

1. How to securely create an object.
2. How to securely create a subject.
3. How to securely delete an object.
4. How to securely delete a subject.
5. How to securely provide the read access right.
6. How to securely provide the grant access right.
7. How to securely provide the delete access right.
8. How to securely provide the transfer access right.

Each object has an owner with special rights on it, and each subject has another subject (its controller) that has special rights on it. The model uses an access control matrix in which rows correspond to subjects and columns correspond to objects and subjects; each element contains the set of rights that subject S holds on object O.
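The eight rules and the owner/controller matrix described above, as an added example that is not part of the study notes: a small access control matrix in which each rule first checks the caller's owner or controller relationship. The checks follow the usual statement of the Graham-Denning rules and are assumed here, as is the "r*" convention for a transferable right.

```python
# Added example, not from the study notes. Rows are subjects, columns are objects and
# subjects, each cell a set of rights. The owner/controller checks on the eight rules are
# assumed from the usual statement of the model; a right written "r*" may be passed on.
class AccessMatrix:
    def __init__(self):
        self.cells = {}  # (subject, column) -> set of rights
    def rights(self, subject, column):
        return self.cells.setdefault((subject, column), set())
    def require_owner_or_controller(self, s, o, t):
        if "owner" not in self.rights(s, o) and "control" not in self.rights(s, t):
            raise PermissionError("neither owner of the object nor controller of the subject")
    # Rules 1 and 2: the creator becomes owner of the object / controller of the subject.
    def create_object(self, s, o):
        self.rights(s, o).add("owner")
    def create_subject(self, s, t):
        self.rights(s, t).add("control")
    # Rules 3 and 4: only the owner deletes an object, only the controller deletes a subject.
    def delete_object(self, s, o):
        if "owner" not in self.rights(s, o):
            raise PermissionError("only the owner may delete an object")
        self.cells = {k: v for k, v in self.cells.items() if k[1] != o}
    def delete_subject(self, s, t):
        if "control" not in self.rights(s, t):
            raise PermissionError("only the controller may delete a subject")
        self.cells = {k: v for k, v in self.cells.items() if t not in k}
    # Rule 5: s may read t's rights on o if s owns o or controls t.
    def read_rights(self, s, o, t):
        self.require_owner_or_controller(s, o, t)
        return set(self.rights(t, o))
    # Rule 6: only the owner of o may grant a right on o to t.
    def grant(self, s, r, o, t):
        if "owner" not in self.rights(s, o):
            raise PermissionError("only the owner may grant a right")
        self.rights(t, o).add(r)
    # Rule 7: s may remove r from t's cell on o if s owns o or controls t.
    def delete_right(self, s, r, o, t):
        self.require_owner_or_controller(s, o, t)
        self.rights(t, o).discard(r)
    # Rule 8: s may pass r to t only if s itself holds the transferable form r*.
    def transfer(self, s, r, o, t):
        if r + "*" not in self.rights(s, o):
            raise PermissionError("right is not transferable by this subject")
        self.rights(t, o).add(r)

def allowed(rule, *args):  # apply one rule and report whether the model permitted it
    try:
        rule(*args)
        return True
    except PermissionError:
        return False
```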


Security Evaluation Models

Evaluation Criteria

TCSEC (US DoD): evaluation levels from worst to best: D, C1 and C2, B1, B2, B3, and A.

ITSEC (European, after the US TCSEC): Functional levels F1 to F10; assurance levels E0 to E6. F6 to F10 have no TCSEC equivalent. F levels and E levels are evaluated separately. Introduced the TOE (Target of Evaluation).

ITSEC/TCSEC/CC Mapping

ITSEC    | TCSEC | CC
E0       | D     | EAL 1
F1 + E1  | C1    | EAL 2
F2 + E2  | C2    | EAL 3
F3 + E3  | B1    | EAL 4
F4 + E4  | B2    | EAL 5
F5 + E5  | B3    | EAL 6
F5 + E6  | A1    | EAL 7

Figure (Common Criteria roles): Customer writes the Protection Profile; Vendor writes the Security Target; the Product is the Target of Evaluation; Lab Testing assigns the EAL level.

Common Criteria (ISO): evolved from ITSEC and TCSEC.

Protection Profile (PP): description of what is needed for the security solution.
Target of Evaluation (TOE): the proposed product that will provide the needed security solution.
Security Target (ST): the vendor's explanation of the security functionality and assurance mechanisms: "This is how our product works and meets the security need."
Packages (evaluation assurance levels, EALs): functional and assurance requirements are bundled into packages for reuse. The EAL level (EAL 1 through EAL 7) describes what must be met to achieve a specific EAL rating.

Comparing the Evaluation Levels

TCSEC (US Government) | ITSEC (European) | Common Criteria (ISO)
D: minimal protection or untested (MS DOS, Solaris, many Linux versions) | E0 | EAL 1
C1: DAC | E1 | EAL 2
C2: Controlled Access Protection (Windows NT Server, a version of Solaris) | E2 | EAL 3 (Apple Mac OS X version 10.3.6)
B1: Labeled Security Protection | E3 | EAL 4 (Trusted Solaris V8, Windows 2000, XP SP2); EAL 4+ (BAE Stop 6.0, Checkpoint ME 4.5, Cisco ASA 5500, SUSE Linux Enterprise 9, Red Hat Enterprise 5)
B2: Structured Protection | E4 | EAL 5 (BAE Stop 6.4)
B3: Security Domains | E5 | EAL 6
A1: Provably Correct Design | E6 | EAL 7


Frameworks (Framework, Organization, What's In It, Positives, Negatives)

Framework: Zachman
Organization: 6 by 6 matrix
What's in it: 6 rows: Ballpark, Business, System, Tech, Builder, Implementation. 6 columns: Data, Function, Network, People, Time, Motivation.
Positives: System idea is that many people develop apps, and each group must deal with the 6 items.
Negatives: No risk analysis. Some cell transitions in the 6 by 6 matrix are not defined.

Framework: SABSA
Organization: 5 rows, with Operation in all rows
What's in it: Similar to Zachman. 5 rows (Contextual, Conceptual, Logical, Physical, Component) with Operational running across all of them.
Positives: Risk analysis throughout. Model built up front from a security perspective. Integration with other models, very scalable; lots of information about this model.
Negatives: Lots of detail to learn to get started.

Framework: COSO
Organization: Five Components, Eight RM Concepts
What's in it: Parent organization concerned with fraud in financial reporting. Five components: Internal Control, Risk Assessment, Control Activities, Information and Communication, Monitoring. Eight RM (risk management) concepts: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information, Monitoring.
Positives: Overview organization to fight fraud in financial reporting. The control process is ongoing; it must never be stopped.
Negatives: COSO is a voluntary organization.

Framework: CMMI
Organization: Carnegie Mellon
What's in it: Five process stages: heroic, basic project management, defined, quantitatively managed, optimizing.
Positives: Each level shows waste and risk. Well-defined steps to get your organization to where it needs to go next.
Negatives: Mostly application driven. Not as broad as Zachman or SABSA.