
Lesson 2 - General Security Concepts

Objectives

Upon completion of this lesson, the learner will be able to:


Define basic terminology associated with computer and information security.
Describe the basic approaches to computer and information security.
Describe various methods to implement access controls.
Identify and explain methods used to verify the identity and authenticity of an individual.
Describe some of the basic models of security used when implementing security in operating systems.

Information Assurance Is Everyone's Responsibility

Basic Security Terms

A hacker refers to an individual who attempts to gain unauthorized access to computer systems or networks.

Cracker and cracking refer to the nefarious type of activity; the terminology generally accepted by the public, however, is that of hacker and hacking.

Phreaking refers to the hacking of computers and systems used by a telephone company.

Network Security

Network security refers to the protection of multiple computers and the devices that are connected.

Information Security and Assurance


Information security and assurance place the focus of the security process on the data they process and not on the hardware and software being used.

Assurance introduces another concept, that of the availability of the systems and the information when people want them.

Computer and Network Security

Computer and network security is essential for individuals to function effectively and safely in today's highly automated environment.

From its inception, the goal of computer security has been threefold:
Confidentiality
Integrity
Availability

The CIA of Security

Confidentiality ensures that only authorized individuals are able to view information.

Integrity ensures that only authorized individuals are able to change (or delete) information.

Availability ensures that the data, or the system, is available for the authorized user when required.

CIA Extensions

The increased use of networks for commerce requires two additional security goals for the CIA of security.
Authentication
Nonrepudiation

Operational Security

For many years, protection was equated with prevention. Regardless of how well people seem to do in prevention technology, somebody always seems to find a way around safeguards.

Therefore, multiple prevention techniques are required, together with technology to alert when prevention has failed and to provide ways to address the problem.

Operational Model of Computer Security


The operational model of computer security includes two additions to the original security equation:
Protection = Prevention + (Detection + Response)

Every security technique and technology falls into at least one of the three elements of the equation.

Operational Model of Computer Security

Sample technologies in the operational model of computer security

Security Principles

There are three ways an organization can address the protection of its networks:
Ignore security issues.
Provide host security.
Approach security at a network level.

Ignore Security Issues

If an organization decides to ignore security, it chooses to use the minimal security provided with its workstations, servers, and devices.

Each out-of-the-box system has certain security settings that can be configured.

Host Security

Host security focuses on protecting each computer and device individually instead of addressing protection of the network as a whole.

If an organization decides to implement only host security and does not include network security, there is a high probability of introducing or overlooking vulnerabilities.

Host Security

Host Security Problem


Ensuring that every computer is locked down to the same degree as every other system in the environment can be overwhelming. Moreover, this often results in an unsuccessful and frustrating effort.

Host Security

Host security is a complementary process to be combined with network security.

If individual host computers have vulnerabilities, then network security can provide another layer of protection that may stop any intruders.

Network Security

Network security emphasizes controlling access to internal computers from external entities.

This control can be through devices such as:
Routers
Firewalls
Authentication hardware and software
Encryption
Intrusion detection systems (IDSs)

Least Privilege

Least privilege means that a subject should have only the necessary rights and privileges to perform its task with no additional permissions. A subject may include a user, application, or process.

Limiting an object's privileges limits the amount of harm that can be caused, thus limiting an organization's exposure to damage.

Least Privilege

Least privilege:
Protects its most sensitive resources.
Ensures that whoever is interacting with these resources has a valid reason to do so.

Configuration Plan

Before operating systems are configured, an overall plan should be devised.

Standardized methods should be developed to ensure that a solid security baseline is implemented.

Trust Relationships

When trust relationships are created, they should not be implemented in such a way that everyone trusts each other simply because it is easier.

One domain should trust another for specific reasons, and the implementers should have an understanding of the trust relationship.

Another issue that falls under the least privilege concept is the security context in which an application runs.

Domain Trusts

All applications, scripts, and batch files run in the security context of a specific user on an operating system.

This means they will execute with specific permissions as if they were a user. Programs should execute only in the security context needed to perform their duties successfully.

Layered Security

Layered security architecture employs several security methods to accomplish a compromise that consumes more time and effort than it is worth to a potential attacker.

It is important to implement different layers so that if intruders succeed at one layer, they could be stopped at the next.

The redundancy of different layers assures that there is no one single point of failure pertaining to security.

Coordinating Layered Security

Security at each layer can be very complex, and grouping different layers can increase the complexity exponentially.

The layers need to work in a coordinated manner so that one does not obstruct another's functionality and introduce a security hole.

The Layered Model

Various layers of security

The Layered Model

The top-layer protection mechanism is responsible for controlling traffic.

It would be overwhelming and cause performance degradation if each aspect of the packet were inspected. Instead, each layer usually digs deeper into the packet and looks for specific items.

The Layered Model

Layers closer to the resource deal with only a fraction of the traffic that the top-layer security mechanisms do.

As a result, it will not cause as much of a performance hit to look deeper and at more granular aspects of the traffic.

Diversity of Defense

Diversity of defense involves making different layers of security dissimilar.

Even if attackers know how to get through a system making up one layer, they may not know how to get through a different type of layer employing a different system for security.

Diversity of Defense

When applying the diversity of defense concept:
Set up security measures that protect against the different types of attacks.
Use products from different vendors.

Every product has its own security vulnerabilities that an experienced attacker knows.

Trade-off

Trade-offs must be considered before implementing diversity of security using different vendor products.

Doing so usually increases operational complexity, and security and complexity are seldom a good mix.

Security Through Obscurity

Security through obscurity uses the approach of protecting something by hiding it.

Security through obscurity is considered effective if the environment and protection mechanisms are confusing or are generally not known.

However, this is a poor approach, especially if it is the only approach to security.

Security Through Obscurity

An organization can use security through obscurity measures to hide critical assets.

Other security measures should be employed to provide a higher level of protection.

Keep It Simple

Security processes and tools should be as simple and elegant as possible.

They should be simple to troubleshoot, use, and administer.

Troubleshooting

When something goes wrong with security mechanisms, a troubleshooting process is used to identify the actual issue.

If a mechanism is overly complex, identifying the root of the problem can be overwhelming if not nearly impossible.

Services on the System

Another application of the principle of keeping things simple concerns the number of services that can run on the system.

Default installations of computer operating systems often leave many services running.

The general rule of thumb is to eliminate all nonessential services and protocols.

Access Control

Access Authentication

Access control matrix
Access control lists
Discretionary access control
Mandatory access control
Role-based access control

Access Control and Authentication


Access control describes all security features to prevent unauthorized access to a computer system or network.

Access is the ability of a subject, such as an individual or a process running on a computer system, to interact with an object, such as a file or a hardware device.

Authentication deals with verifying the identity of a subject.

Access Control Matrix

An Access Control Matrix

Access Control List

An ACL is a list that contains the subjects with access rights to a particular object.

The list identifies not only the subject but also the specific access the subject has for the object. Types of access include read, write, and execute.

Discretionary Access Control (DAC)


The Orange Book discretionary access controls restrict access to objects based on the identity of subjects and/or groups to which they belong.

The controls are discretionary, which means a subject with certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.

In systems that employ discretionary access controls, the owner of an object decides which other subjects may have access to the object and what specific access they may have.

Mandatory Access Control

Mandatory access control (MAC) is a means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity.

Mandatory Access Control

With MAC, the owner or the subject cannot determine whether access is to be granted to another subject. The operating system decides whether access is to be granted to another subject.

The security mechanism controls access to all objects, and individual subjects cannot change that access.

The label attached to every subject and object identifies the level of classification for that object and the level that the subject is entitled to.

Role-Based Access Control

In RBAC, a user is assigned a set of roles that may be performed.

The roles are assigned the access permissions needed to perform tasks associated with the role. Users are granted permissions to objects in terms of the specific duties required, not of a security classification associated with individual objects.
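The four access control mechanisms listed above (matrix, ACL, DAC, RBAC), as an added example that is not part of the lecture: the ACL is derived as one column of the matrix, the DAC check lets only an object's owner pass on a right it holds, and the RBAC check resolves access through roles rather than object labels. Subjects, objects, owners and role names are constructed sample values.

```python
# Added example, not from the lecture: an access control matrix, the ACL
# derived from it for one object, a DAC owner-grant check and an RBAC role
# lookup. Subjects, objects, owners and role names are constructed samples.
Matrix = dict[tuple[str, str], set[str]]   # (subject, object) -> rights

# Access control matrix: one cell per subject/object pair.
MATRIX: Matrix = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("bob", "payroll.xlsx"): {"read"},
    ("alice", "backup.sh"): {"read", "execute"},
}

# Object owners: under DAC the owner decides who else gets access.
OWNERS = {"payroll.xlsx": "alice", "backup.sh": "root"}


def acl(matrix: Matrix, obj: str) -> dict[str, set[str]]:
    """An ACL is one column of the matrix: the subjects with rights to obj."""
    return {s: set(r) for (s, o), r in matrix.items() if o == obj}


def check(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Reference-monitor check: is this right in the (subject, object) cell?"""
    return right in matrix.get((subject, obj), set())


def dac_grant(matrix: Matrix, owner: str, obj: str, grantee: str, right: str) -> bool:
    """Discretionary control: the owner may pass on a right it holds itself."""
    if OWNERS.get(obj) != owner or not check(matrix, owner, obj, right):
        return False
    matrix.setdefault((grantee, obj), set()).add(right)
    return True


# RBAC: users hold roles, roles hold permissions; objects carry no labels.
ROLE_PERMS = {
    "payroll_clerk": {("payroll.xlsx", "read")},
    "payroll_admin": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
    "operator": {("backup.sh", "execute")},
}
USER_ROLES = {"carol": {"payroll_clerk", "operator"}, "dave": set()}


def rbac_check(user: str, obj: str, right: str) -> bool:
    """Access follows from the user's duties (roles), not from object labels."""
    return any((obj, right) in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))
```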

Authentication

Kerberos
CHAP
Certificates
Tokens
Multifactor
Mutual authentication

Authentication

Authentication deals with verifying the identity of a subject. Access controls define what actions a user can perform or what objects a user can have access to, because these controls assume that the identity of the user has been verified.

Authentication mechanisms should be used to admit only valid users.

Authentication Methods

To verify their identity, users can provide:
Something they know.
Something they have.
Something about them (something they are).

Authentication Method

The most common authentication mechanism is to provide something that only the valid user should know. The most frequently used example of this is the userid (or username) and password.

Since users are not supposed to share passwords with anybody else, only they should know their passwords.

By providing the userid and password, users are proving to the system that they are who they claim to be.

Authentication Method

A second method of providing authentication is by using something that only valid users should have in their possession.

In the same way that a key works with a lock, a similar method can be used to authenticate users for a computer system or network (though the key may be electronic and may reside on a smart card or similar device).

The Problem

If people lose their keys or cards, they cannot log on to the system.

Somebody who finds the key may then be able to access the system.

The Solution

A combination of the something-you-know and something-you-have methods is often used so that the individual with the key may also be required to provide a password or passcode. The key is useless unless users know this code.

Authentication and Biometrics

The third method of providing authentication involves something that is unique about users.

The field of authentication that uses something about users or something that users are is known as biometrics.

Kerberos

Kerberos is a network authentication protocol designed for a client/server environment.

Kerberos uses strong encryption so that clients can prove their identity to a server and the server can in turn authenticate itself to the clients.

The basis for authentication in a Kerberos environment is a ticket.

Tickets

Tickets are granted by the authentication server, an entity trusted by both the client and the server the client wishes to access.

The client can present this ticket to the server to provide proof of identity.

The entire session may be encrypted, which eliminates the inherently insecure transmission of items such as a password that can be intercepted on the network.

Tickets are time-stamped and cannot be reused.

CHAP

Challenge Handshake Authentication Protocol (CHAP):
Provides authentication across a point-to-point link using the Point-to-Point Protocol (PPP).
Authentication after the link has been established is not mandatory.

CHAP

CHAP provides authentication periodically through the use of a challenge/response system, a three-way handshake:
The initial challenge (a randomly generated number) is sent to the client.
The client uses a one-way hashing function to calculate the response and then sends this back.
The server compares the response with the response it calculated itself. If they match, the communication continues. If the two values do not match, the connection is terminated.

CHAP

This mechanism relies on a shared secret between the two entities so that the correct values can be calculated.
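The three-way handshake described above, as an added example that is not part of the lecture: a server and a client that share a secret, with the response computed as the one-way hash RFC 1994 specifies (MD5 over identifier, secret and challenge), a fresh random challenge each time the server re-authenticates, and a fail-closed comparison on the server side. Peer names and secrets are constructed sample values.

```python
# Added example, not from the lecture: a CHAP-style three-way handshake.
# The response is MD5(identifier || secret || challenge) as in RFC 1994; the
# shared secret itself never crosses the link. Names/secrets are constructed.
import hashlib
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """One-way function that both ends compute from the shared secret."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets_db: dict[str, bytes]) -> None:
        self.secrets_db = secrets_db          # peer name -> shared secret
        self.identifier = 0
        self.pending: dict[int, bytes] = {}   # outstanding challenges by id

    def challenge(self) -> tuple[int, bytes]:
        """Step 1: send a fresh random challenge (repeated periodically)."""
        self.identifier = (self.identifier + 1) % 256
        value = secrets.token_bytes(16)
        self.pending[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the expected hash and compare; fail closed."""
        challenge = self.pending.pop(identifier, None)   # each challenge is single use
        secret = self.secrets_db.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return secrets.compare_digest(expected, response)   # constant-time compare


class ChapClient:
    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple[int, str, bytes]:
        """Step 2: answer with the hash, never with the secret itself."""
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(server: ChapServer, client: ChapClient) -> bool:
    """True: the link stays up. False: the server terminates the connection."""
    ident, chal = server.challenge()
    return server.verify(*client.respond(ident, chal))
```

Because every challenge is random and consumed on first use, a response captured on the wire does not verify a second time, which is the property the periodic re-challenge relies on.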

Certificates

Certificates are a method of establishing authenticity of specific objects such as an individual's public key or downloaded software.

A digital certificate is an attachment to a message. It verifies that the message came from the entity it claims to have come from.

The digital certificate can contain a key that can be used to encrypt further communication.

Multifactor

Multifactor is a term used to describe the use of more than one authentication mechanism at the same time.

Multifactor authentication increases the level of security.

It requires more than one mechanism to be spoofed for an unauthorized individual to gain access to a computer system or network.

Mutual Authentication

Mutual authentication:
Describes a process in which each side of an electronic communication verifies the authenticity of the other.
Provides a mechanism for each side of a client/server relationship to verify the authenticity of the other to address this issue.

Security Models

Confidentiality models
Integrity models

Security Models

The security model implements the security policy that has been chosen, and enforces the security characteristic that has been deemed most important by the designers of the system.

Confidentiality Models

Data confidentiality has been the chief concern of the military.

As a result, they developed the Bell-LaPadula security model to address data confidentiality in computer operating systems. This model was useful in designing multilevel security systems that implemented the military's hierarchical security scheme.

The security scheme included levels of classification such as Unclassified, Confidential, Secret, and Top Secret.

The Bell-LaPadula Security Model


The Bell-LaPadula security model employed both mandatory and discretionary access control mechanisms when implementing its two basic security principles.

The Simple Security Rule states that no subject could read information from an object with a security classification higher than that possessed by the subject itself.

This rule is the no-read-up rule.

Bell-LaPadula Star Property

The Bell-LaPadula security model is also known as the *-property (pronounced star property).

A subject may write to an object only if its security classification was less than or equal to the object's security classification.

Bell-LaPadula Star Property

Writing to a file which a user cannot view is an integrity issue.

The *-property does not allow users to write to a file of equal or greater security classification. It also does not allow users to write to a file with a lower security classification. This is known as the no-write-down rule.

Integrity Models

The Biba security model
The Clark-Wilson security model

Biba Security Model

In the Biba security model, instead of security classifications, integrity levels are used.

A principle of integrity levels is that data with a higher integrity level is believed to be more accurate or reliable than data of a lower integrity level.

Biba Model

Integrity levels indicate the level of trust that can be placed in information at different levels while at the same time limiting the modification of information as opposed to the flow of information.

An initial attempt at implementing an integrity-based model is the Low Water Mark.

Low-Water-Mark Policy

This policy is the opposite of the *-property. It prevents subjects from writing to objects of a higher integrity level.

The policy contains a second rule:
The integrity level of a subject will be reduced if it reads an object of a lower integrity level.

Low-Water-Mark Policy

The amount of trust placed in data formed from data at a specific integrity level cannot be higher than the level of trust you have in the subject creating the new data object. The level of trust you have in the subject can only be as high as the level of trust you had in the original data.

The policy does not describe a way to raise the subject's integrity level back to its original value.

Low-Water-Mark Policy

The final rule in the Low-Water-Mark policy states that a subject can only execute a program if the program's integrity level is equal to or less than the integrity level of the subject.

This ensures that data modified by a program will only have the level of trust (integrity level) that can be placed in the individual who executed the program.

Low-Water-Mark Ring Policy

Another policy, the Ring Policy, addresses the reduction-of-trust issue by allowing any subject to read any object regardless of the object's level of integrity and without lowering the subject's integrity level.

This could lead to a situation where data created by a subject after reading data of a lower integrity level could end up having a higher level of trust placed in it than it should.

Biba and Low Water Mark

The Biba security model implements a hybrid of the Ring and Low-Water-Mark policies.

Biba's model is the opposite of the Bell-LaPadula model in that it enforces the no-read-down and no-write-up policies.

It implements a third rule that prevents subjects from executing programs of a higher level.
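The Bell-LaPadula rules, the Low-Water-Mark policy and the Biba rules from the slides above, as an added example that is not part of the lecture: each rule becomes a check over numeric labels, and the Low-Water-Mark subject shows the level being lowered by a read with no way back up. The classification and integrity level names, and the sample subjects, are constructed.

```python
# Added example, not from the lecture: Bell-LaPadula (confidentiality),
# strict Biba (integrity) and the Biba Low-Water-Mark policy as label checks.
# Level names are constructed for the sample; higher number = higher level.
from dataclasses import dataclass

CLASSIFICATION = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}


def blp_can_read(subject_level: int, object_level: int) -> bool:
    """Simple Security Rule: no read up."""
    return subject_level >= object_level


def blp_can_write(subject_level: int, object_level: int) -> bool:
    """*-property: write only to objects at or above the subject's level (no write down)."""
    return subject_level <= object_level


def biba_can_read(subject_integrity: int, object_integrity: int) -> bool:
    """Strict Biba: no read down, so a subject is not contaminated by less trusted data."""
    return subject_integrity <= object_integrity


def biba_can_write(subject_integrity: int, object_integrity: int) -> bool:
    """Strict Biba: no write up, so less trusted subjects cannot taint trusted data."""
    return subject_integrity >= object_integrity


def biba_can_execute(subject_integrity: int, program_integrity: int) -> bool:
    """Third rule: a subject may not execute a program of higher integrity."""
    return program_integrity <= subject_integrity


@dataclass
class LowWaterMarkSubject:
    """Low-Water-Mark: any read is allowed, but reading lower-integrity data
    drops the subject's level, and nothing in the policy raises it again."""
    integrity: int

    def read(self, object_integrity: int) -> int:
        self.integrity = min(self.integrity, object_integrity)
        return self.integrity

    def can_write(self, object_integrity: int) -> bool:
        """Writes still go only to objects at or below the current (lowered) level."""
        return self.integrity >= object_integrity
```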

The Clark-Wilson Security Model

The Clark-Wilson security model uses transactions as the basis to derive its rules.

The Clark-Wilson model defines only two levels of integrity, constrained data items (CDI) and unconstrained data items (UDI). CDI data is subject to integrity controls while UDI data is not.

The Clark-Wilson Security Model

This model defines two types of processes:
Integrity verification processes (IVP), which ensure that CDI data meet integrity constraints (to ensure the system is in a valid state).
Transformation processes (TP), which change the state of data from one valid state to another.

The Clark-Wilson Security Model

Data in this model cannot be modified directly by a user. It must be modified by the trusted transformation processes, access to which can be restricted (thus restricting the ability of a user to perform certain activities).

Certain critical functions may be split into multiple TPs to enforce separation of duties.

Enforcing separation of duties limits the authority of an individual so that multiple individuals will be required for certain critical functions.
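The Clark-Wilson elements described in the three slides above, as an added example that is not part of the lecture: a ledger is the CDI, a transfer request is the UDI, a registered TP is the only path that changes the ledger, an IVP runs after every TP and rejects any move out of a valid state, and a two-person rule shows separation of duties on a critical function. Accounts, users and amounts are constructed sample values.

```python
# Added example, not from the lecture: a Clark-Wilson style system. The CDI
# (ledger) changes only through certified TPs, an IVP checks the invariant
# after each TP, and a two-person rule enforces separation of duties.
from typing import Callable, Optional

Ledger = dict[str, int]          # the CDI: balances under integrity control
Request = dict                   # a UDI: raw user input, not yet trusted


class IntegrityError(Exception):
    pass


def ivp(ledger: Ledger, expected_total: int) -> bool:
    """IVP: a valid state has no negative balance and preserves the total."""
    return all(v >= 0 for v in ledger.values()) and sum(ledger.values()) == expected_total


class ClarkWilsonSystem:
    def __init__(self, ledger: Ledger, certified: dict[str, set[str]]) -> None:
        self.ledger = ledger
        self.total = sum(ledger.values())
        self.certified = certified       # user -> TP names the user may invoke
        self.tps: dict[str, Callable[[Ledger, Request], None]] = {}
        self.pending: dict[str, tuple[Request, str]] = {}   # tx id -> (request, approver)

    def register_tp(self, name: str, fn: Callable[[Ledger, Request], None]) -> None:
        self.tps[name] = fn

    def run_tp(self, user: str, name: str, udi: Request) -> Ledger:
        """Users never edit the CDI directly; only a TP they are certified for runs."""
        if name not in self.certified.get(user, set()):
            raise PermissionError(f"{user} is not certified for {name}")
        trial = dict(self.ledger)
        self.tps[name](trial, udi)       # the TP validates the UDI and applies the change
        if not ivp(trial, self.total):   # commit only valid-state-to-valid-state moves
            raise IntegrityError("TP would leave the CDI in an invalid state")
        self.ledger = trial
        return self.ledger

    def two_person(self, user: str, name: str, udi: Request, tx_id: str) -> Optional[Ledger]:
        """Separation of duties: the TP runs only on a second, different approver."""
        if name not in self.certified.get(user, set()):
            raise PermissionError(f"{user} is not certified for {name}")
        if tx_id not in self.pending:
            self.pending[tx_id] = (udi, user)   # first approval recorded; nothing changes yet
            return None
        first_udi, first_user = self.pending[tx_id]
        if first_user == user or first_udi != udi:
            raise PermissionError("second approval must be another person on the same request")
        del self.pending[tx_id]
        return self.run_tp(user, name, udi)


def transfer(ledger: Ledger, udi: Request) -> None:
    """A TP: reject malformed input, then move funds between accounts."""
    src, dst, amount = udi["from"], udi["to"], int(udi["amount"])
    if amount <= 0 or src not in ledger or dst not in ledger or src == dst:
        raise ValueError("malformed transfer request")
    ledger[src] -= amount
    ledger[dst] += amount
```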
