Security Models, Evaluation Criteria and Frameworks
Jerry Scott, 2012

Product Evaluation Models: TCSEC (A, B, C, D); ITSEC (E0 to E6); Common Criteria (EAL 1 to EAL 7; PP, TOE, ST, EAL)
Security Models: BLP, Biba, Clark-Wilson, Brewer-Nash, Non-Interference Models
Security Models

| Security Model | CIA Triad | MAC / DAC | Access Tuple | Comments |
|---|---|---|---|---|
| Bell-LaPadula | Confidentiality | MAC | Subject, Object | 1) Three named properties: the Simple Security Property, the Star (*) Security Property and the Strong Star Property, with directional permissions: no read up but read down, write up but no write down, and Strong Star, where you can only read and write at your own hierarchical level. 2) First mathematical model dealing with confidentiality. |
| Biba | Integrity | MAC | Subject, Object | 1) Names of each property. 2) Permissions (read / write / read and write). 3) Directional. 4) Meets only one of the integrity goals: preventing unauthorized users from modifying data or programs. 5) Also a mathematical model. |
| Clark-Wilson | Integrity | DAC | Subject, Program, Object | 1) Meets all three goals of integrity: prevents unauthorized users from modifying data and/or programs; maintains internal and external consistency; prevents authorized users from improperly modifying data and/or programs. 2) Uses well-formed transactions to achieve the three integrity goals. |
| Information Flow | | DAC | Object, Object | 1) Covert channels: the Information Flow model is the only model to discuss covert channels, both 2) timing channels and 3) storage channels. |
| Brewer-Nash | Integrity | DAC | Subject, Object | 1) Sometimes called the Chinese Wall model. 2) Information is held mutually exclusively. 3) Derived from the Information Flow model. 4) No information can flow between subjects and objects in such a way as to create a conflict of interest. |
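The directional rules from the table above, as an added example that is not part of the original page: labels form a lattice of (rank, compartments), and the Bell-LaPadula, Biba and Strong Star checks are each a function over that lattice. The level names and the `Label` class are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed ordering of hierarchical levels (constructed for the example).
RANKS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass(frozen=True)
class Label:
    """A security label: hierarchical rank plus a set of compartments."""
    rank: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: rank at least as high and a superset of compartments.
        Two labels with disjoint compartments are incomparable."""
        return (RANKS[self.rank] >= RANKS[other.rank]
                and self.compartments >= other.compartments)

def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality): simple property = no read up,
    star property = no write down."""
    if op == "read":
        return subject.dominates(obj)      # read down only
    if op == "write":
        return obj.dominates(subject)      # write up only
    return False

def biba_allows(subject, obj, op):
    """Biba (integrity): simple = no read down, star = no write up;
    the directions are the mirror image of Bell-LaPadula."""
    if op == "read":
        return obj.dominates(subject)      # read up only
    if op == "write":
        return subject.dominates(obj)      # write down only
    return False

def strong_star_allows(subject, obj, op):
    """Strong star property: read and write only at the subject's own level."""
    return op in ("read", "write") and subject == obj
```

The `sideways` case in a quick check (same rank, different compartment) is where the lattice matters: neither label dominates the other, so BLP denies both read and write.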
The G&M Security Model (1982)

In 1982, Goguen and Meseguer (G&M) introduced an approach to secure systems based on automaton theory and domain separation. Their approach is divided into four stages: first, determining the security needs of a given community; second, expressing those needs as a formal security policy; third, modeling the system which that community is (or will be) using; and last, verifying that this model satisfies the policy. G&M distinguish sharply between a security policy and a security model. A security policy is defined as the security requirements for a given system (based on the needs of the community). Security policies can be simple and easy to state in an appropriate formalism; Goguen provides a simple requirement language for stating security policies, based on the concept of noninterference.

The G&M model is one of the first noninterference models. In the G&M noninterference model, the activities of one group of users, using a certain set of commands, are noninterfering with another group of users if what the first group does with those commands has no effect on what the second group of users can see. A security model is defined as an abstraction of the system itself; it provides a basis for determining whether or not a system is secure and, if not, for detecting its flaws.
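An added example, not from the page or from Goguen and Meseguer's paper: a toy state machine with HIGH and LOW user groups, a purge function that deletes one group's commands, and an exhaustive check that the other group's view is unchanged, which is the G&M definition of noninterference. The command set, the `count` storage channel in the leaky variant and all function names are constructed for the example.

```python
from itertools import product

HIGH, LOW = "high", "low"

# Constructed toy command set: (user group, action, value).
COMMANDS = [(HIGH, "set", 1), (HIGH, "set", 0),
            (LOW, "set", 1), (LOW, "set", 0)]

def step_separated(state, cmd):
    """Domain-separated machine: a group may only write its own register."""
    user, action, value = cmd
    new = dict(state)
    if action == "set":
        new[user] = value
    return new

def step_leaky(state, cmd):
    """Same machine plus a command counter LOW can see (a storage channel)."""
    new = step_separated(state, cmd)
    new["count"] += 1
    return new

def output(state, user):
    """What a member of the given group can observe after a run."""
    if user == LOW:
        return (state[LOW], state["count"])
    return (state[HIGH], state[LOW], state["count"])

def run(step, trace):
    state = {HIGH: 0, LOW: 0, "count": 0}
    for cmd in trace:
        state = step(state, cmd)
    return state

def purge(trace, group):
    """G&M purge: delete every command issued by `group`."""
    return [c for c in trace if c[0] != group]

def find_interference(step, group, observer, max_len=3):
    """Return a witness trace on which purging `group`'s commands changes what
    `observer` sees, or None if `group` is noninterfering up to max_len."""
    for n in range(1, max_len + 1):
        for trace in product(COMMANDS, repeat=n):
            trace = list(trace)
            full = output(run(step, trace), observer)
            cut = output(run(step, purge(trace, group)), observer)
            if full != cut:
                return trace
    return None
```

On the separated machine HIGH is noninterfering with LOW, while LOW is allowed to interfere with HIGH (HIGH may read down); the leaky machine fails the check on the very first HIGH command because its counter is visible to LOW.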
The Graham-Denning Security Model

This model addresses how to define a set of basic rights on how specific subjects can execute security functions on an object. The model has eight basic protection rules or actions that outline:

- How to securely create an object.
- How to securely create a subject.
- How to securely delete an object.
- How to securely delete a subject.
- How to securely provide the read access right.
- How to securely provide the grant access right.
- How to securely provide the delete access right.
- How to securely provide the transfer access right.

Each object has an owner with special rights on it, and each subject has another subject (its controller) that has special rights on it. The model uses an access control matrix in which rows correspond to subjects and columns correspond to objects and subjects; each element contains the set of rights between subject S and object O.
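An added example, not the page's or Graham and Denning's own code: an access matrix that enforces owner and controller checks for the eight actions. The exact preconditions (only the owner grants or deletes an object, only the controller deletes a subject, a trailing `*` on a right allows transfer) are my reading of the model and are assumptions here.

```python
class AccessMatrix:
    """Toy Graham-Denning access matrix (added example; rule preconditions
    are assumptions): rows are subjects, columns are objects and subjects,
    cells hold rights. 'owner' marks an object's owner, 'control' marks a
    subject's controller, and a trailing '*' on a right allows transfer."""

    def __init__(self):
        self.m = {}  # m[subject][target] -> set of rights

    def has(self, s, t, r):
        return r in self.m.get(s, {}).get(t, set())
    def _add(self, s, t, r):
        self.m.setdefault(s, {}).setdefault(t, set()).add(r)
    def _require(self, ok, s, what):
        if not ok:
            raise PermissionError(f"{s} may not {what}")

    def create_object(self, s, x):          # creator becomes the owner
        self._add(s, x, "owner")
    def create_subject(self, s, new):       # creator becomes the controller
        self.m.setdefault(new, {})
        self._add(s, new, "control")

    def delete_object(self, s, x):          # only the owner may delete
        self._require(self.has(s, x, "owner"), s, f"delete {x}")
        for row in self.m.values():
            row.pop(x, None)

    def delete_subject(self, s, t):         # only the controller may delete
        self._require(self.has(s, t, "control"), s, f"delete {t}")
        self.m.pop(t, None)
        for row in self.m.values():
            row.pop(t, None)

    def read_rights(self, s, t, x):         # owner of x or controller of t
        self._require(self.has(s, x, "owner") or self.has(s, t, "control"),
                      s, f"read {t}'s rights on {x}")
        return set(self.m.get(t, {}).get(x, set()))

    def grant(self, s, r, t, x):            # only the owner of x may grant
        self._require(self.has(s, x, "owner"), s, f"grant {r} on {x}")
        self._add(t, x, r)
    def delete_right(self, s, r, t, x):     # owner of x or controller of t
        self._require(self.has(s, x, "owner") or self.has(s, t, "control"),
                      s, f"revoke {r} on {x}")
        self.m.get(t, {}).get(x, set()).discard(r)
    def transfer(self, s, r, t, x):         # s must hold the copy flag r*
        self._require(self.has(s, x, r + "*"), s, f"transfer {r} on {x}")
        self._add(t, x, r)
```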
Security Evaluation Models

| Evaluation Criteria | Origin | Levels |
|---|---|---|
| TCSEC | US DoD | Evaluation levels from worst to best: D, C1 and C2, B1, B2, B3, and A1. |
| ITSEC | European, after the US TCSEC | Functional levels F1 to F10; assurance levels E0 to E6. F6 to F10 have no TCSEC equivalent. F levels and E levels are evaluated separately. Introduced the TOE (Target of Evaluation). |

ITSEC / TCSEC / CC mapping (the CC row follows the level-by-level comparison given later on this page):

| ITSEC | E0 | F1 + E1 | F2 + E2 | F3 + E3 | F4 + E4 | F5 + E5 | F5 + E6 |
|---|---|---|---|---|---|---|---|
| TCSEC | D | C1 | C2 | B1 | B2 | B3 | A1 |
| CC | EAL 1 | EAL 2 | EAL 3 | EAL 4 | EAL 5 | EAL 6 | EAL 7 |
Common Criteria roles:

- Customer -> Protection Profile (PP)
- Vendor -> Security Target (ST)
- Product -> Target of Evaluation (TOE)
- Lab testing -> EAL levels

Common Criteria (ISO): evolved from ITSEC and TCSEC.

- Protection profile: description of what is needed for the security solution.
- Target of evaluation: the proposed product that will provide the needed security solution.
- Security target: the vendor's explanation of the security functionality and assurance mechanisms: "This is how our product works and meets the security need."
- Packages (evaluation assurance levels, EALs): functional and assurance requirements are bundled into packages for reuse. The EAL level describes what must be met to achieve a specific EAL rating. The levels run from EAL 1 to EAL 7.
Comparing the Evaluation Levels

| TCSEC (US Government) | ITSEC (European) | Common Criteria (ISO) | Example products |
|---|---|---|---|
| D: minimal protection or untested | E0 | EAL 1 | MS-DOS, Solaris, many Linux versions |
| C1: DAC | E1 | EAL 2 | |
| C2: Controlled Access Protection | E2 | EAL 3 | C2: Windows NT Server, a version of Solaris. EAL 3: Apple Mac OS X version 10.3.6 |
| B1: Labeled Security Protection | E3 | EAL 4 | EAL 4: Trusted Solaris V8, Windows 2000, XP SP2. EAL 4+: BAE STOP 6.0, Checkpoint ME 4.5, Cisco ASA 5500, SUSE Linux Enterprise 9, Red Hat Enterprise 5 |
| B2: Structured Protection | E4 | EAL 5 | EAL 5: BAE STOP 6.4 |
| B3: Security Domains | E5 | EAL 6 | |
| A1: Provably Correct Design | E6 | EAL 7 | |
Frameworks

| Framework | Organization | What's In It | Positives | Negatives |
|---|---|---|---|---|
| Zachman | | 6 by 6 matrix. 6 rows: Ballpark, Business, System, Tech, Builder, Implementation. 6 columns: Data, Function, Network, People, Time, Motivation. | System idea: many people develop apps, and each group must deal with the 6 items. | No risk analysis. Some cell transitions in the 6 by 6 matrix are not defined. |
| SABSA | | 5 rows, similar to Zachman: Contextual, Conceptual, Logical, Physical, Component; the Operational layer runs through all rows. | Risk analysis throughout. Model built up front from a security perspective. Integration with other models; very scalable; lots of information about this model. | Lots of detail to learn to get started. |
| COSO | Parent organization concerned with fraud in financial reporting. | Five components: Internal Control, Risk Assessment, Control Activities, Information and Communication, Monitoring. Eight RM (risk management) concepts: Internal Environment, Objective Setting, Event ID (identification), Risk Assessment, Risk Response, Control Activities, Information, Monitoring. | Overview organization to fight fraud in financial reporting. The control process is ongoing; it must never be stopped. | COSO is a voluntary organization. |
| CMMI | Carnegie Mellon | Five process stages: heroic, basic project management, defined, quantitatively managed, optimizing. Each level shows waste and risk. | Well-defined steps to get your organization to where it needs to go next. | Mostly application driven. Not as broad as Zachman or SABSA. |