
Access Controls
Mike Smith, 26/04/10 - Rev.27

Threats
- Identity Theft
- Phishing
- Spoofing at logon
- Wardialing
- Brute force attacks
- Dictionary Attack
- Side-channel attacks

Controls
- Administrative: Personnel Controls, Supervisory Structure, Security-Awareness Training, Testing
- Physical: Network Segregation, Perimeter Security, Computer Controls, Work Area Separation, Cabling, Control Zone
- Technical or Logical: System Access, Network Architecture, Network Access, Encryption and Protocols, Auditing

Control types
- Deterrent - Intended to discourage
- Preventative - prevent harmful occurrence
- Corrective - restore after harmful occurrence
- Recovery - Intended to bring controls back
- Detective - detect after harmful occurrence
- Compensating - Controls that provide for an alternative
- Directive - Mandatory controls, regulations or environment

Intrusion Detection Systems
- Signature Based: Pattern Matching; Pattern & Stateful; requires continual update
- Anomaly Based (Statistical, Protocol and Traffic): can detect new attacks
- Rule Based: uses an Expert System; cannot detect new attacks
- NIC in promiscuous mode
- Network-Based - NIDS
- Host-Based - HIDS

Biometrics
- False Rejection Rate - FRR = Type I error
- False Acceptance Rate - FAR = Type II error
- Crossover Error Rate - CER = % when FRR = FAR
- Acceptance: Privacy, Physical, Psychological
- Time to authenticate is the main factor
- Types: Fingerprints, Retina Scans, Iris Scans, Facial Scans, Palm Scans, Hand Geometry, Signature Dynamics, Keyboard Dynamics, Hand Topology

Authentication factors
1 Something you know (password)
2 Something you have (token)
3 Something you are (biometric)
Three Factor Authentication

Passwords: Static, Dynamic

Tokens
- Static Password
- Dynamic Password: Synchronous, Asynchronous
- Owner authenticates to token
- Token authenticates to system
- Smartcards

Accountability: System-level events, Application-level events, User-level events

Access Control Models
- DAC - Data owners decide who has access to resources and ACLs are used to enforce security policy
- MAC - Operating systems enforce the system's security policy through the use of security or sensitivity labels
- RBAC - Access decisions are based on role
- Lattice based - provides least access privileges of the access pair - Greatest lower bound and Lowest upper bound

SSO - Kerberos
- Symmetric Key Encryption
- KDC - Kerberos-trusted Key Distribution Center
- TGS - Ticket Granting Service
- AS - Authentication Server
- KDC knows secret keys of client and server
- KDC exchanges info with the client and server using symmetric keys
- Using TGS grants temporary symmetric key
- Client and server use temporary session key
- Weaknesses: Replay is possible within the time frame; TGS and Auth server are vulnerable as they know all; Initial exchange passed on password authentication; Keys are vulnerable
- Needham-Schroeder Protocol
- Supports MD5 and CRC32 Hashing
- SESAME

Centralized Access Control
- RADIUS - incorporates an AS and dynamic password
- TACACS - Terminal Access Controller Access Control System - for network applications - static password
- TACACS+ - supports tokens
- CHAP - supports encryption
Application Security
Mike Smith, 26/04/10 - Rev.12

Database Models
- Relational: row = tuple, column = attribute
- Hierarchical
- Network
- Object Orientated
- Object Relational

DBMS
- Must implement access controls
- Caution against data inferencing
- Data definition language - DDL
- Data manipulation language - DML
- Query language - QL
- Report generator
- Views
- Aggregation - combining information
- Inference - deduce the full story

Interfaces
- Open Database Connectivity - ODBC
- Object Linking and Embedding - OLE DB
- Java Database Connectivity - JDBC

Attacks
- DoS: Smurf (ICMP), Fraggle (UDP), SYN - TCP ACK, Teardrop
- D-DoS

Patch Management
1. Infrastructure
2. Research
3. Assess and Test
4. Mitigation - Rollback
5. Deployment - Rollout
6. Validation, Reporting and Logging

Malware
- Worm - replicates without a host
- Virus - needs an application
- Rootkit
- Botnets, RATs, Logic Bomb
- Trojan Horses
- Mobile Code / Java Applets / ActiveX Controls
- Virus phases: Insertion - Avoidance - Eradication - Replication - Trigger - Payload

OOP
- Benefits of OOP
  - Modularity - Autonomous objects and cooperation through messages
  - Deferred Commitment - Internals of objects can be changed independently
  - Reusability - reuse objects from other programs
  - Naturalness - maps to business processes
- OOA - Process of classifying objects
- OOD - Create a representation of the real-world problem
- Polyinstantiation - Multiple copies from the same class; Government or military used to hide covert operations

Distributed Computing
- CORBA
- COM / DCOM - GUID
- SOAP
- EJB
- DCE - UUID

SDLC (mnemonic: I/LDAP/SDx2/II/OM/D)
- Initiation
- Functional Design Analysis and Planning
- System Design
- Software Development
- Installation/Implementation
- Operational/Maintenance
- Disposal
- Verification - meets spec?
- Validation - meets project goal?

OLTP - ACID
- Atomicity - divide transactions into units of work
- Consistency - follow integrity policy
- Isolation - execute in isolation
- Durable - Once verified, committed on all systems

Capability Maturity Model - CMM (mnemonic: I Regularly Drink My Orangejuice)
1 - Initial
2 - Repeatable
3 - Defined
4 - Managed
5 - Optimizing

SDLC Methodologies
- Waterfall
- Spiral
- Joint Analysis Development - JAD
- Rapid Application Development - RAD
- Cleanroom
- Iterative
- Reuse
- Extreme
Business Continuity and Disaster Recovery
Mike Smith, 26/04/10 - Rev.25

NIST Continuity Planning Guide
1. Develop the continuity planning statement
2. Conduct the business impact analysis - BIA
3. Identify preventative controls
4. Develop recovery strategies
5. Develop the contingency plan
6. Test the plan and conduct training and exercises
7. Maintain the plan

Understand the organization - Zachman Poster

Other
- Personnel Safety is highest priority
- Software escrow used to protect investment in outsourced company
- Salvage Team
- Protect from looting
- Insurance
- Service Bureaus

Backup
- Full, Differential, Incremental
- Disk duplexing
- Electronic Vaulting
- Tape Vaulting

BIA Steps
1. Select individuals to interview for data gathering
2. Create data-gathering techniques
3. Identify company's critical business functions
4. Identify resources these functions depend upon
5. Calculate how long these functions can survive without these resources - Maximum Tolerable Downtime - MTD
6. Identify vulnerabilities and threats to these functions
7. Calculate the risk for each different business function
8. Document findings and report to management

Testing and Revising the Plan
- At least once a year
- Checklist Test
- Structured Walk-Through Test
- Simulation Test
- Parallel Test
- Full-Interruption Test

Business Continuity Plan
- Initiation Phase
- Activation Phase
- Recovery Phase
- Reconstruction Phase
- Appendices

Recovery Facility
- Hot site: Fully configured; File and print services; Applications are installed; Workstations kept up to date; Available but expensive; Security must be duplicated
- Warm site: Facility with power and HVAC; File and print services, may not have workstations; External communications should be installed; More time to get up and running but lower cost
- Cold site: Facility with power and HVAC; No computer hardware on site; Communications not ready; Least cost but false sense of security, most common
- Multiple Sites / Rolling hot site
- Reciprocal Agreements

Maximum Tolerable Downtime - MTD
- Nonessential - 30 days
- Normal - 7 days
- Important - 72 hours
- Urgent - 24 hours
- Critical - Minutes to Hours
Cryptography
Mike Smith, 26/04/10 - Rev.31

IPSec
- Authentication Header - AH - used for authentication protocol
- Encapsulating Security Payload - ESP - used for authentication and encryption
- Transport Mode - payload of the message is protected
- Tunnel Mode - both payload and routing are protected
- Security Association - SA - Simplex, keeps record of parameters

History
- 2000 BC Egypt - atbash - substitution
- 400 BC Sparta - scytale cipher - wooden rods
- 100 - 44 BC Caesar cipher
- 16th Century - Vigenere Polyalphabetic cipher
- 1917 - Gilbert Vernam - Vernam cipher - one-time pad
- 1920 - William Friedman - Father of Modern Cryptography
- WW II - German Enigma
- 1970 - Lucifer - IBM
- 1976 - DES

Hashing
- Hash for message digest provides integrity
- HMAC - used with secret key to provide integrity and data origin authentication
- CBC-MAC - uses symmetric block algorithm, provides integrity and data origin authentication
- CMAC - same as CBC-MAC but uses complex logic
- MD2, MD4, MD5, SHA, HAVAL, Tiger

Services
- Confidentiality - cryptography protects confidentiality
- Integrity - cryptography helps with hashing algorithms and message digests
- Authentication - used for this too
- Authorization - upon proving identity can then have key to some resource
- Nonrepudiation - cannot deny sending message

Asymmetric
- Also called Public Key Cryptography
- Each person has private and public key
- For Confidentiality - Sender encrypts with receiver's public key - secure message format
- For Authentication - Sender encrypts with their private key - open message format
- Strengths: Better key distribution than symmetric; Better scalability than symmetric; Can provide authentication and nonrepudiation
- Weaknesses: Much slower than symmetric; Mathematically intensive
- Examples: Rivest-Shamir-Adleman - RSA; Elliptic Curve Cryptosystem - ECC; Diffie-Hellman; El Gamal; Digital Signature Algorithm - DSA; Merkle-Hellman Knapsack

Encryption at various levels
- End-to-end encryption happens within the application
- SSL encryption takes place at the transport layer
- PPTP encryption takes place at the data link layer
- Link encryption takes place at the data link and physical layer

Cryptosystem
- Software
- Protocols
- Algorithms - Kerckhoffs' Principle - Publicly known
- Keys

Steganography
- Carrier - signal, data stream or file
- Stego-medium - medium in which hidden
- Payload - concealed information

Symmetric
- Also called secret keys
- For n people, requires n(n-1)/2 keys
- Same key to encrypt/decrypt at both ends
- Block and Stream types
- Strengths: Much faster than asymmetric; Hard to break if using a large key size
- Weaknesses: Requires secure mechanism to deliver keys; Each pair needs a unique key; Confidentiality, but not authenticity or nonrepudiation
- Modes: Electronic Code Book - ECB; Cipher Block Chaining - CBC; Cipher Feedback - CFB; Output Feedback - OFB; Counter - CTR
- Examples
  - Data Encryption Standard - DES
  - Triple-DES (3DES): DES-EEE3, DES-EDE3, DES-EEE2, DES-EDE2
  - Blowfish
  - International Data Encryption Algorithm - IDEA
  - RC4, RC5 and RC6
  - Rijndael - Advanced Encryption Standard - AES

Strong Cipher
- Confusion - carried out using substitution
- Diffusion - carried out using transposition

Public Key Infrastructure
- Certificate Authority - CA: Takes liability for the authenticity of the individual; Binds the individual's identity to the public key; Requires cross certification with other CAs; Maintains Certificate Revocation Lists - CRLs
- Registration Authority - RA: Performs certificate registration duties; Broker between user and CA
- Certificate Repository, Certificate revocation system, OCSP
- Provides all services
Information Security and Risk Management
Mike Smith, 25/04/10 - Rev.20

Controls
- Administrative - Policies & Procedures
- Technical/Logical - Restricted Access
- Physical - Locked doors
- Preventative - prevent harmful occurrence
- Detective - detect after harmful occurrence
- Corrective - restore after harmful occurrence

Due ...
- Diligence - Do Detect - Steps to identify risks using best practices
- Care - Do Correct - Steps taken to correct identified risks to a minimum

Standards, Guidelines and Procedures
- Standards - Specify use of technology in a uniform way, compulsory
- Guidelines - similar to standards but not compulsory, more flexible
- Procedures - Detailed steps, required, lowest level
- Baselines - minimum standard and/or point in time

C.I.A
- Confidentiality - prevent disclosure of data
- Integrity - prevent modification of data
- Availability - ensure reliable timely access

Classification
- Government - Unclassified/Sensitive/Confidential/Secret/Top Secret
- Commercial - Public/Sensitive/Private/Confidential

Risk Analysis Steps
1. Assign Value to Assets
2. Estimate Potential Loss per Threat
3. Perform a Threat Analysis
4. Derive the Overall Annual Loss Potential per Threat
5. Reduce, Transfer, Avoid or Accept the Risk

Risk Analysis Terms
- Asset - resource, product, data
- Threat - action with a negative impact
- Vulnerability - absence of control
- Safeguard - control or countermeasure
- Exposure Factor (EF) = % of asset loss caused by threat
- Single Loss Expectancy (SLE) = Asset Value x Exposure Factor
- Annualized Rate of Occurrence (ARO) - represents estimated frequency in which threat will occur within one year
- Annualized Loss Expectancy (ALE) - annually expected financial loss: ALE = SLE x ARO
- ALE = SLE x ARO = AV x EF x ARO
- Total Risk = threats x vulnerability x asset value
- Residual Risk = total risk x control gap

Delphi Technique - Anonymous groupthink

Qualitative
- Subjective only
- Eliminates $ amounts for cost benefit
- Difficult to track
- Standards not available

Quantitative
- Major project
- Calculations are more complex
- Laborious
- More info gathering
- Standards not available

Security Frameworks
- Control Objectives for Information and related Technology (CobiT): Plan & Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate
- Committee of Sponsoring Organizations (COSO): Control environment; Risk assessment; Control activities; Information and communication; Monitoring
- Standards: BS7799; ISO 17799; ISO/IEC 27000

Fault Logic Tree Analysis
- False alarms
- Insufficient error handling
- Sequencing or order
- Incorrect timing outputs
- Valid but not expected outputs

Failure Modes and Effect Analysis - FMEA
- Block diagram of system or control
- Consider what happens if each block fails
- Tabulate failures and effects
- Correct the design
- Have engineers review

Security Program
- Plan and organize
- Implement
- Operate and maintain
- Monitor and evaluate
Legal, Regulations, Compliance and Investigations
Mike Smith, 26/04/10 - Rev.25

Cybercrime
- Computer-assisted
- Computer-targeted
- Computer is incidental

Due ...
- Diligence - Do Detect - Steps to identify risks using best practices - investigated weaknesses
- Care - Do Correct - Steps taken to correct identified risks to a minimum - did all it could to prevent security breaches with proper controls and countermeasures

OECD 7 Principles
- Collection should be limited and lawful
- Personal data should be complete and current
- Subjects should be notified of the reason for collection
- Disclosure only with consent
- Reasonable safeguards in place
- Practices and policies openly communicated
- Subjects should be able to find and correct personal info
- Organizations should be accountable

Evidence
- Best - primary, original, not oral
- Secondary - copies of documents and oral evidence
- Direct - does not need backup - witness account
- Conclusive - irrefutable
- Circumstantial - prove an intermediate fact
- Corroborative - supplementary
- Opinion - only the facts not opinions
- Hearsay - oral or written too far removed

Types of Law
- Civil (Code) Law - continental Europe
- Common Law - England: Criminal - jail; Civil/tort - damages
- Customary Law
- Religious Law Systems
- Mixed Law Systems

Incident Response Steps
1. Triage
2. Investigation
3. Containment
4. Analysis
5. Tracking
6. Recovery

Develop a Team
- Various BUs
- Virtual
- Permanent
- Hybrid
- CERT Mailing List
- CERT Documents
- Management decide on calling Cops

Intellectual Property Law
- Trade Secret - important for company survival
- Copyright - protects the expression of the idea of the resource not the resource itself, e.g. computer programs and manuals
- Trademark - word, name, symbol, sound, shape
- Patent - novel invention

Software
- Freeware
- Shareware or trialware
- Commercial
- Academic

Computer Forensics
- International Organization on Computer Evidence - IOCE
- Scientific Working Group on Digital Evidence - SWGDE
- MOM - Motive, Opportunity and Means
- Locard's Principle of Exchange
- Identification - Preservation - Collection - Examination - Analysis - Presentation - Decision
- Primary / Working Image - First thing make a bit mirror copy
- Chain of Custody - Evidence labeled indicating who secured and validated it

Dealing with Privacy
- Government Regs - SOX, HIPAA, GLBA, BASEL
- Self-regulation - Payment Card Industry - PCI
- Individual user - Passwords, encryption, awareness
Telecommunications and Network Security
Mike Smith, 26/04/10 - Rev.33

Wireless
- Spread spectrum - distributed across frequency range
  - Frequency Hopping Spread Spectrum - FHSS - portion
  - Direct Sequence Spread Spectrum - DSSS - all
- Need an Access Point - AP
- Hosts in group must use Service Set ID - SSID
- Authentication
  - Open System Authentication - OSA - in clear
  - Shared Key Authentication - SKA = WEP
  - Wired Equivalent Privacy - WEP - weak
  - Wi-Fi Protected Access - WPA, WPA2 - uses TKIP
- Best Practice
  - Enable 802.11i e.g. WPA
  - Change default SSID
  - Disable broadcast SSID
  - Add RADIUS or Kerberos
  - Put AP at centre of building and in DMZ
  - Implement VPN for wireless devices
  - Configure AP to allow only known MAC addresses
  - Disable DHCP
- Mobile Phones: WAP; i-Mode - Japan, Asia, Europe
- Bluetooth - 802.15

OSI Model (mnemonic: Australia Post Sucks It Never Delivers Parcels)
List of Protocols
- Application - FTP, TFTP, SNMP, SMTP, Telnet, HTTP
- Presentation - ASCII, EBCDIC, TIFF, JPEG, MPEG, MIDI
- Session - NFS, NetBIOS, SQL, RPC
- Transport - TCP, UDP, SSL/TLS, SPX
- Network - IP, ICMP, IGMP, RIP, OSPF, IPX
- Data Link - ARP, RARP, PPP, SLIP
- Physical - HSSI, X.21, EIA/TIA-232, EIA/TIA-449

TCP/IP (mnemonic: Australian Trains Never Late)
- Application: TCP - Stream; UDP - Message
- Transport: TCP - Segment; UDP - Packet
- Network: TCP and UDP - Datagram
- Data Link: TCP and UDP - Frame

Packets
- TCP: Sequence and Acknowledgement numbers
- UDP: Source, Destination, Length, Checksum, Data

Ports
- Well-known ports 0 - 1023
- 20, 21 - FTP
- 23 - Telnet
- 25 - SMTP
- 80 - HTTP
- 161, 162 - SNMP

IP Addressing
- IPv4 - 32 bits, IPv6 - 128 bits
- Class A: 0.0.0.0 - 127.255.255.255
- Class B: 128.0.0.0 - 191.255.255.255
- Class C: 192.0.0.0 - 223.255.255.255
- Class D - Multicast: 224.0.0.0 - 239.255.255.255
- Class E - Reserved: 240.0.0.0 - 255.255.255.255
- Subnetting

Authentication Protocols
- Password Authentication Protocol - PAP - least secure
- Challenge Handshake Authentication Protocol - CHAP
- Extensible Authentication Protocol - EAP
- RADIUS, Diameter, TACACS

WAN Technologies
- Channel Service Unit/Data Service Unit - CSU/DSU
- ISDN: BRI ISDN = 2 x B + 1 x D; PRI ISDN = 23 x B + 1 x D; Broadband ISDN
- Switching: Circuit - PSTN; Packet - X.25, Frame Relay; Cell - ATM
- Switched Multimegabit Data Service - SMDS
- Synchronous Data Link Control - SDLC
- High-level Data Link Control - HDLC
- High-Speed Serial Interface - HSSI
- SS7, VoIP, Session Initiation Protocol - SIP
- T-Carriers
  - Fractional = 1/24th x T1, 1 voice channel, 0.06Mbps
  - T1 = 24 voice channels, 1.544Mbps
  - T2 = 4 x T1, 96 voice channels, 6.312Mbps
  - T3 = 28 x T1, 672 voice channels, 44.736Mbps
  - T4 = 168 x T1, 4032 voice channels, 274.760Mbps

Tunneling Protocols
- IPSec
- PPP
- PPTP
- L2TP

LAN Networking
- Topology: Ring, Bus, Star, Mesh
- Ethernet - 10Base2, 10Base5, 10Base-T
- Fast Ethernet
- Token Ring
- FDDI

Network Devices
- Repeaters: Works at Physical Layer; Amplify signal; Clean up signal; Hub = multiport repeater; Hub also known as a concentrator
- Bridges: Works at Data Link Layer; Connect LAN segments; Filters based on MAC address; Retains same broadcast domain; Isolates collision domains; Can translate between protocols
- Routers: Works at Network Layer; Can connect different networks; Uses routing protocols: RIP, BGP, OSPF; Can filter based on IP address and protocols
- Switches: Combine functionality of a repeater and bridge; Can work at layer 3 and 4, can use tags = MPLS; Used to provide QoS
- Other: VLANs, Gateways, PBXs
- Firewalls: Packet Filtering & Dynamic Packet Filtering; Stateful; Proxy & Kernel Proxy; Dual-Homed; Screened Host & Screened Subnet
Operations Security
Mike Smith, 26/04/10 - Rev.26

Controls
- Administrative: Separation of duties; Job rotation; Least privilege; Mandatory vacations
- Technical/Logic: Limit boot sequence; Harden Remote Access
- Physical - System Hardening

Penetration Testing
1. Discovery - Footprinting and info gathering
2. Enumeration - port scans and resource identification
3. Vulnerability mapping - identify vulnerabilities
4. Exploitation - attempt to gain access
5. Report to management

Vulnerability Testing
- Personnel testing
- Physical testing
- System and network testing

Change Control Process
1. Request for a change to take place
2. Approval of the change
3. Documentation of the change
4. Tested and presented
5. Implementation
6. Report change to management

Change Control Documentation
- New computers or applications installed
- Different configurations implemented
- New technologies integrated
- etc.

E-mail
- POP
- SMTP
- IMAP - can leave on server
- Relaying - Often left enabled - SPAM redirection
- Fax - use an encryptor

Media Controls
- Purging
- Zeroization
- Data remanence
- Degaussing generates a coercive magnetic force
- Physical destruction
- Care with object reuse

Contingency
- Disk shadowing
- Redundant servers
- RAID, MAIT, RAIT
- Clustering
- Backups
- Dual backbones
- Direct Access Storage Device
- Redundant power
- Mesh network topology - not star
Physical and Environmental Security
Mike Smith, 26/04/10 - Rev.25

Threats
- Natural environmental
- Supply system
- Manmade
- Politically motivated

Fences
- 3 - 4 feet deter casual trespassers
- 6 - 7 feet too high to climb easily
- 8 feet - serious protection
- Gauges 11, 9, 6 lower number = thicker
- Mesh 2", 1", 3/8"

Gates
- Class I - Residential
- Class II - Commercial
- Class III - Industrial, e.g. Warehouse
- Class IV - Restricted, e.g. Prison

Motion IDS
- Beams of light
- Sounds and vibration
- Different types of field
- Electrical circuit

Defense in Layers
- Deterrence: Fences; Warning signs; Security guards; Dogs
- Delaying: Locks; Defense in depth measures; Access Controls
- Detection: External intruder sensors; Internal intruder sensors
- Assessment: Security guard procedures; Communication structure
- Response: Response force; Emergency procedures; Police, Fire, Medical

Crime Prevention Through Environmental Design - CPTED
- Limited entry points
- Force guests to front desk
- Reduce entry points after hours
- Guard validates photo id
- Guest sign in
- Question Strangers

Fire
- Detection: Smoke activated; Heat activated; Plenum area - special cabling
- Class
  - A - Common combustibles - water or soda acid
  - B - Liquids - CO2, soda acid or Halon
  - C - Electrical - CO2 or Halon
  - D - Combustible metals - total immersion
  - K - Kitchens (commercial)
- Suppression
  - Fuel - Soda acid - removes fuel
  - Oxygen - CO2 - Removes oxygen
  - Temperature - Water - reduces temperature
  - Chemical - Gas Halon or FM-200 - Interferes
  - Wet pipe, dry pipe, preaction, deluge

Windows
- Standard
- Tempered
- Acrylic
- Wired
- Laminated
- Solar Window Film
- Security Film

Power
- Excess: Spike; Surge
- Loss: Fault; Blackout
- Degradation: Sag/dip; Brownout; In-rush current

Static
- Antistatic flooring
- Ensure proper humidity 40 - 60%
- Proper grounding
- Avoid carpeting
- Antistatic bands when working on hardware

Temperature 50 - 80 F (10 - 26 C)

Locks
- Warded lock - Padlock
- Tumbler lock
- Combination lock
- Cipher lock
- Grade 1 - 3, Commercial, Heavy Duty, Residential
Security Architecture and Design
Mike Smith, 26/04/10 - Rev.28

CPU Components
- Arithmetic Logic Unit - ALU - Performs computation
- Bus Interface Unit - BIU - I/O to CPU
- Control Unit - Coordinates other CPU components
- Floating Point Unit - FPU
- Memory Management Unit - MMU
- Pre-Fetch Unit
- Protection Test Unit

CPU States
- Operating (or Run)
- Problem (or Application)
- Supervisory - Privileged Instruction
- Wait

OS Terms
- Multiprogramming - can load more than one program in memory at one time
- Multitasking - can handle requests from several different processes loaded into memory at the same time
- Multithreading - can run multiple threads simultaneously
- Multiprocessing - has more than one CPU

Common Criteria
- Uses an Evaluation Assurance Level - EAL
- EAL1 - Functionally Tested
- EAL2 - Structurally Tested
- EAL3 - Methodically tested and checked
- EAL4 - Methodically designed, tested and reviewed
- EAL5 - Semi-formally designed and tested
- EAL6 - Semi-formally verified design and tested
- EAL7 - Formally verified design and tested

ITSEC
- Evaluates on Functionality and Assurance
- Functionality rating F1 - F10
- Assurance rating E0 - E6

Trusted Computer Systems Evaluation Criteria - TCSEC (Orange Book)
- A - Verified Protection: A1 - Verified Design
- B - Mandatory Protection: B1 - Labeled Security - Objects are classified; B2 - Structured Protection; B3 - Secure Domains
- C - Discretionary Protection: C1 - Discretionary Security; C2 - Controlled Access - reasonable commercial apps
- D - Minimal Security - Evaluated but fail

Access Control Models
- Bell-LaPadula: 1973 - First formal confidentiality model; State-machine model; Simple security property - no read up; * property - no write down; Strong star property - subject's = object's clearance for RW; Discretionary property and trusted subject
- Biba: 1977 - First integrity lattice based model; Simple integrity property - no read down; * integrity property - no write up
- Clarke-Wilson: 1987 - commercial, e.g. banking; Unconstrained Data Item - UDI; Constrained Data Item - CDI; Integrity Verification Procedures - IVPs; Transformation Procedures - TPs
- Access Matrix - Object access rights to subjects
- Take Grant - Rights a subject can transfer to/from another subject or object - create, revoke, take, grant
- Information Flow Model
- Noninterference Model
- Brewer and Nash Model - dynamically changing access controls
- Graham-Denning Model - How subjects and objects should be created and deleted - access rights
- Confidentiality - Bell-LaPadula, Access Matrix and Take-Grant
- Integrity - Biba and Clarke-Wilson

Issues
- Covert channels
- Race conditions
- Emanations
- Maintenance hooks

Countermeasures
- Reveal as little as possible
- Limit access - need to know
- Disable unused services and accounts
- Use strong authentication

Terms
- Trusted Computer Base - TCB - the total combination of protection mechanisms within a computer system, including hardware, firmware and software to enforce security policy.
- Access Control - ability to permit or deny the use of an object by a subject
- Reference Monitor - system component that enforces access controls on an object: Mediate all accesses; Be protected from modification; Be verified as correct
- Security Kernel - hardware, firmware and software that implement the reference monitor concept

Three goals of integrity
1. Prevent unauthorized modifications
2. Prevent authorized users from improper modifications
3. Maintain internal and external consistency - well-formed transaction
