
Miscellaneous Concepts

IT Security Evaluation Standards (unfinished)

Frameworks
Common Criteria (CC) - ISO/IEC 15408
  • Overview: Provides a framework for the security evaluation of software and hardware products.
  • Key Point: Allows objective evaluation ensuring products/systems meet specific security standards.
  • Relevance: Internationally recognized, acting as a bridge between national criteria.

Many regard ISO-IEC 15408 as the current "gold standard" in IT security evaluation.

Common Criteria Process

  1. Description of the assets to protect, together with the assumptions about the operating environment and the organisational security policies that apply
  2. Identification of threats to those assets
  3. Threat analysis and rating (risk analysis)
  4. Determination of security objectives that counter the threats
  5. Selection of security functional and assurance requirements that meet the objectives
  6. Iterate: evaluation findings feed back into the earlier steps

[Figure: Common Criteria process diagram]

Image source: https://www.youtube.com/watch?v=mLuLtIsDjK8&list=PL7XJSuT7Dq_XPK_qmYMqfiBjbtHJRWigD&index=10

Types of Common Criteria Evaluation

Collaborative Protection Profile (cPP)
  • Nature: Black-box evaluation against a fixed set of requirements.
  • Description: A Protection Profile (PP) is an implementation-independent statement of security requirements for a class of product (firewalls, full-disk encryption, network devices). A cPP is a PP written by an international technical community for that product class, so the evaluation is "off-the-shelf": the product claims exact conformance to the cPP and the evaluator runs the cPP's predefined test activities, which makes results comparable across vendors.

Relevance for CISSP: cPP is foundational but might be less frequent in the exam.

Evaluation Assurance Level (EAL)

  • Nature: White-box evaluation tailored to the product.
  • Description: EAL offers a more detailed, flexible approach. Instead of using preset requirements like a cPP, the vendor writes a Security Target (ST) that states the product's own security claims and functional requirements, and chooses an EAL (EAL1 to EAL7) that fixes how much design evidence, testing and vulnerability analysis the evaluator examines.

Caveat for practitioners: since the 2014 Common Criteria Recognition Arrangement (CCRA), certificates are mutually recognised across member nations only for cPP-based evaluations and for EAL1 to EAL2 (with flaw remediation). Higher EALs are still issued, but whether another country accepts them is a national or bilateral matter, not automatic.
Comparison of Evaluation Standards

The three schemes line up only roughly: a TCSEC class bundles functionality and assurance together, ITSEC splits them into a functionality class (F-) and an evaluation level (E0 to E6), and the Common Criteria keep functionality in the Security Target and express assurance alone as an EAL. The rows below are the usual CISSP mapping.

  Assurance band     TCSEC   ITSEC     Common Criteria (CC)
  Lowest assurance   D       F-D+E0    EAL1 - Functionally Tested
  Basic assurance    C1      F-C1+E1   EAL2 - Structurally Tested
                     C2      F-C2+E2   EAL3 - Methodically Tested and Checked
  Medium assurance   B1      F-B1+E3   EAL4 - Methodically Designed, Tested and Reviewed
                     B2      F-B2+E4   EAL5 - Semi-Formally Designed and Tested
  High assurance     B3      F-B3+E5   EAL6 - Semi-Formally Verified Design and Tested
                     A1      F-B3+E6   EAL7 - Formally Verified Design and Tested

What each EAL buys:
  • EAL1: Mild protection against casual or inadvertent attempts to breach the system's security.
  • EAL2: As above, with a focus on more structured security evaluation processes.
  • EAL3: As above, but with more refined controls and checks.
  • EAL4: Advanced protection with more comprehensive testing and detailed security design practices; the highest level that is normally economical to retrofit to an existing product line.
  • EAL5: More rigorous requirements with vulnerability analysis and further development controls.
  • EAL6: Very detailed security engineering practices, with semi-formal verification of the design.
  • EAL7: The highest level of security assurance, with extremely strict formal methods and specifications.

Relevance for CISSP: Essential to know EAL levels (EAL1 to EAL7) and their depth.

Trusted Computer System Evaluation Criteria (TCSEC)

Often called the "Orange Book"

  • Overview: U.S. Department of Defense criteria from the 1980s (DoD 5200.28-STD, 1985) for evaluating the security of computer systems, built mainly around discretionary and mandatory access control.
  • Key Point: Introduced security divisions D (minimal protection) through A (verified protection), subdivided into the classes C1, C2, B1, B2, B3 and A1, for increasing security assurance.
  • Relevance: Influential in its time, but tied to stand-alone multi-user systems and to confidentiality alone; it was superseded by the Common Criteria.

Information Technology Security Evaluation Criteria (ITSEC)

  • Overview: European standard (France, Germany, the Netherlands and the UK, 1990-1991) aiming to standardize security evaluation.
  • Key Point: Expanded upon TCSEC and provided a more flexible, comprehensive approach. Its main innovation was to separate what a product does (functionality classes such as F-C1 to F-B3) from how much confidence the evaluation gives (assurance levels E0 to E6), which is why ITSEC ratings in the comparison above read "F-xx+Ey".
  • Relevance: Laid groundwork for global security standard collaboration; together with TCSEC and the Canadian CTCPEC it was merged into the Common Criteria.

Security Models

  • Map abstract security policy statements (for example "classified data must not reach uncleared users") into precise rules that a system can enforce.
  • Give designers a way to implement and reason about a security policy.
  • Define which subjects may perform which operations on which objects.

Subjects are the active entities (users, and the processes acting on their behalf); objects are the passive resources being accessed (files, database rows, devices, other processes).

The properties in the security models discussed below include:

  • Simple security property: rules for reading.
  • Star (*) security property: rules for writing.
  • Invocation property: rules for invoking (calling) another subject; specific to Biba.

Confidentiality

Bell-LaPadula

Bell-LaPadula Model: This lattice-based state machine model focuses on confidentiality and has two main properties:

  • Simple Security Property (ss-property): AKA "No Read Up" (NRU).

    • Subjects at a lower security classification cannot read data at a higher security classification.
    • Example: An employee with a 'Confidential' clearance cannot read 'Top Secret' documents.
  • Star Security Property (*-property): AKA "No Write Down" (NWD).

    • Subjects at a higher security classification cannot write to objects at a lower security classification.
    • Example: A 'Top Secret' user cannot write or save a document at a 'Confidential' level because this could lead to the unintentional downgrade of classified information. Writing up is allowed: a 'Confidential' user may append to a 'Top Secret' file without being able to read it.

A third, discretionary property (ds-property) layers an ordinary access matrix on top of the two mandatory rules.

BLP is designed to prevent the leak of sensitive information, hence its emphasis on confidentiality. "No Read Up" stops users accessing data above their clearance, and "No Write Down" stops them (or malware running as them) from copying data into a lower-classified area, which is where accidental leaks happen. BLP says nothing about integrity: a low-cleared subject can still write garbage into a high-classified object, which is the gap Biba fills.


Take Grant

A graph model: subjects and objects are nodes, and a labelled edge from x to y records the rights x holds on y. It focuses on four operations that change the graph: take (x copies a right that y holds), grant (x gives one of its own rights to y), create, and revoke. The model can be used for confidentiality because it dictates how rights can be transferred between subjects and objects, and in particular lets you ask whether a given right could ever leak to a given node. However, its focus is more on the operations themselves than on a specific security attribute.
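
The rights graph and the take/grant rules described above, as an added example in Python (not from the notes or any textbook's code). Node names, the rights 'r', 'w', 't' and 'g', and the starting graph are constructed for the example. The `closure` method answers the leak question by applying take and grant until nothing changes, which assumes every node cooperates (the worst case a rights-leak analysis should assume).

```python
from collections import defaultdict


class TakeGrant:
    """Directed graph: rights[(x, y)] is the set of rights node x holds on y.
    Take ('t') and grant ('g') are themselves rights in the model."""

    def __init__(self):
        self.rights = defaultdict(set)

    def add_right(self, x, y, r):
        """Initial graph construction (not one of the four model operations)."""
        self.rights[(x, y)].add(r)

    def has(self, x, y, r):
        return r in self.rights.get((x, y), set())

    def create(self, x, y, rights):
        """Create rule: x creates node y and receives the given rights on it."""
        self.rights[(x, y)] |= set(rights)

    def take(self, x, y, z, r):
        """Take rule: x holds 't' on y and y holds r on z  =>  x acquires r on z."""
        if self.has(x, y, "t") and self.has(y, z, r):
            self.rights[(x, z)].add(r)
            return True
        return False

    def grant(self, x, y, z, r):
        """Grant rule: x holds 'g' on y and x holds r on z  =>  y acquires r on z."""
        if self.has(x, y, "g") and self.has(x, z, r):
            self.rights[(y, z)].add(r)
            return True
        return False

    def revoke(self, x, y, r):
        """Revoke rule: remove r from the edge x -> y."""
        self.rights[(x, y)].discard(r)

    def closure(self):
        """Apply take and grant everywhere until a fixpoint: every right that
        could end up on every edge if all nodes cooperate (de jure leak analysis)."""
        changed = True
        while changed:
            changed = False
            for (x, y), rs in list(self.rights.items()):
                if "t" in rs:                      # x can take anything y holds
                    for (y2, z), rs2 in list(self.rights.items()):
                        if y2 == y:
                            for r in rs2:
                                if not self.has(x, z, r):
                                    self.rights[(x, z)].add(r)
                                    changed = True
                if "g" in rs:                      # x can pass anything it holds to y
                    for (x2, z), rs2 in list(self.rights.items()):
                        if x2 == x:
                            for r in rs2:
                                if not self.has(y, z, r):
                                    self.rights[(y, z)].add(r)
                                    changed = True


def example_graph():
    """Constructed starting graph: alice can take from bob, bob reads the file,
    bob can take from carol, carol writes the file and can grant to dave."""
    g = TakeGrant()
    g.add_right("alice", "bob", "t")
    g.add_right("bob", "file", "r")
    g.add_right("bob", "carol", "t")
    g.add_right("carol", "file", "w")
    g.add_right("carol", "dave", "g")
    return g


if __name__ == "__main__":
    g = example_graph()
    g.closure()
    print("alice can eventually write the file:", g.has("alice", "file", "w"))
    print("eve can eventually read the file:", g.has("eve", "file", "r"))
```

Note that alice never held a direct right on the file; the 't' edges let her pull rights through bob and then carol, which is exactly the transitive leak the model is meant to expose. A node with no edge into the graph (eve) can never gain anything.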

Brewer and Nash

Also known as the Chinese Wall model, it prevents conflict-of-interest (COI) problems, originally for consultancies and financial firms that hold data on competing clients. Datasets are grouped into COI classes; a subject may access any dataset until it touches one, and from then on is barred from every other dataset in the same class. The rule is dynamic: the permitted set shrinks as the subject's access history grows, and a write is allowed only when it cannot carry one company's data across to a competitor. The model's name, "Chinese Wall", metaphorically represents a barrier against the flow of information.
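
The history-based rule, as an added example in Python (not code from the notes or from the Brewer-Nash paper). The company names and the two conflict-of-interest classes are constructed; the model's exception for sanitized (public) data is left out to keep the rule visible.

```python
from collections import defaultdict

# Constructed conflict-of-interest classes: each holds competing companies' datasets.
COI_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil": {"OilCo", "PetroInc"},
}
DATASET_TO_CLASS = {ds: cls for cls, members in COI_CLASSES.items() for ds in members}


class ChineseWall:
    """Brewer-Nash access decisions keyed on what each subject has already read."""

    def __init__(self):
        self.accessed = defaultdict(set)   # subject -> datasets actually read

    def can_read(self, subject, dataset):
        """Simple security rule: OK if the subject has read this dataset before,
        or has read nothing else in the same COI class."""
        cls = DATASET_TO_CLASS[dataset]
        return all(seen == dataset or DATASET_TO_CLASS[seen] != cls
                   for seen in self.accessed[subject])

    def read(self, subject, dataset):
        """Perform a read; the wall goes up as a side effect of the first access."""
        if not self.can_read(subject, dataset):
            return False
        self.accessed[subject].add(dataset)
        return True

    def can_write(self, subject, dataset):
        """*-property: write only if the subject may read the target and has read
        no other company's data, otherwise it could copy data across the wall."""
        return (self.can_read(subject, dataset)
                and all(seen == dataset for seen in self.accessed[subject]))


if __name__ == "__main__":
    wall = ChineseWall()
    print("alice reads BankA:", wall.read("alice", "BankA"))
    print("alice reads BankB:", wall.read("alice", "BankB"))     # blocked: same class
    print("alice reads OilCo:", wall.read("alice", "OilCo"))     # fine: other class
    print("alice may write BankA:", wall.can_write("alice", "BankA"))  # no: OilCo leak
```

The write rule is the part most people forget: alice can still read BankA, but because she has also read OilCo, letting her write into BankA's dataset would let oil-company data flow to a bank, so the write is refused even though no COI class is crossed by the read alone.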


Integrity

Biba

This is the integrity counterpart to Bell-LaPadula: the same lattice-based state machine model with the read and write rules inverted. It focuses on preventing unauthorized changes to data:

Biba ensures that lower quality (or corrupted) data doesn't pollute or overwrite higher quality data, highlighting integrity.

  • Simple Integrity Property (si-property): AKA "No Read Down" (NRD).

    • Subjects at a higher integrity level cannot read objects at a lower integrity level.
    • Example: A software update system designed to pull only from reputable, high-integrity sources will not accept updates from unknown, potentially malicious sources.
  • Star Integrity Property (*-property): AKA "No Write Up" (NWU).

    • Subjects at a lower integrity level cannot write to an object at a higher integrity level.
    • Example: A general user (with lower integrity) cannot modify a system configuration file (with higher integrity).
  • Invocation Property:

    • A subject at a lower integrity level cannot invoke (call or request service from) a subject at a higher integrity level, so low-integrity code cannot use a trusted subject as a proxy to write upward on its behalf.
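
Bell-LaPadula and Biba are the same lattice with the read and write checks swapped, which is easiest to see in code. The following Python is an added example (not from the notes or from any product): a label is a numeric rank plus a set of compartments, dominance is the standard "rank at least as high and compartments a superset" relation, and the two models are checked side by side. The rank tables, level names and compartment names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed rank tables. BLP orders classifications; Biba orders integrity
# levels. Both are just total orders feeding the same lattice check.
CLASSIFICATION = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEGRITY = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}


@dataclass(frozen=True)
class Label:
    """A lattice label: hierarchical rank plus a (possibly empty) compartment set."""
    rank: int
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """self >= other in the lattice. Two labels with disjoint compartments
        are incomparable: neither dominates the other, so every access fails."""
        return (self.rank >= other.rank
                and self.compartments >= other.compartments)


def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":      # ss-property: subject must dominate the object
        return subject.dominates(obj)
    if op == "write":     # *-property: object must dominate the subject
        return obj.dominates(subject)
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject, obj, op):
    """Biba (integrity): no read down, no write up. Same lattice, mirrored."""
    if op == "read":      # simple integrity: object must dominate the subject
        return obj.dominates(subject)
    if op == "write":     # *-integrity: subject must dominate the object
        return subject.dominates(obj)
    raise ValueError(f"unknown operation: {op}")


def biba_invoke_allowed(caller, callee):
    """Invocation property: a subject may only call subjects at or below its level."""
    return caller.dominates(callee)


if __name__ == "__main__":
    conf = Label(CLASSIFICATION["CONFIDENTIAL"])
    top = Label(CLASSIFICATION["TOP SECRET"])
    for op in ("read", "write"):
        print(f"BLP  CONFIDENTIAL subject {op}s TOP SECRET object:", blp_allows(conf, top, op))
    user = Label(INTEGRITY["USER"])
    system = Label(INTEGRITY["SYSTEM"])
    for op in ("read", "write"):
        print(f"Biba USER subject {op}s SYSTEM object:", biba_allows(user, system, op))
```

Two things the prose alone does not make obvious: BLP lets a low subject write up (a blind append into a file it cannot read), and compartments make labels incomparable, so a SECRET//NUCLEAR subject can neither read nor write a SECRET//CRYPTO object even though the ranks are equal.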
Clark-Wilson

  • Integrity model for commercial systems, designed to prevent fraud and unauthorized modification; unlike Biba it is not lattice-based.
  • Data is split into Constrained Data Items (CDIs), which the model protects, and Unconstrained Data Items (UDIs), such as raw user input, which are not yet trusted.
  • CDIs may be changed only through Transformation Procedures (TPs), well-formed transactions that move the system from one valid state to another; Integrity Verification Procedures (IVPs) check that the CDIs are in a valid state.
  • Access is expressed as access control triples (user, TP, CDI): a user may touch a CDI only through a TP they are certified to run on it, so no one can change data inappropriately. Separation of duties (the person who certifies a TP does not execute it) and logging of every TP complete the model.
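
The triple check, well-formed transaction and IVP together, as an added example in Python (not code from the notes or from the Clark-Wilson paper). The ledger, the account names, the "teller" role and the conservation-of-funds invariant are constructed for the example.

```python
from copy import deepcopy


class Ledger:
    """Two account balances are the constrained data items (CDIs). The only
    route to changing them is run_tp, which checks the access triple, runs the
    transformation procedure, and then runs the IVP; a failed IVP rolls back."""

    def __init__(self):
        self._cdi = {"acct_A": 100, "acct_B": 50}          # constructed CDIs
        self._expected_total = sum(self._cdi.values())
        self.audit_log = []                                  # every TP is logged
        # Access control triples: (user, TP, set of CDIs that user may apply it to).
        self.triples = {
            ("teller", "transfer", frozenset({"acct_A", "acct_B"})),
        }
        self._tps = {"transfer": self._tp_transfer}

    def ivp(self):
        """Integrity verification procedure: funds are conserved and never negative."""
        return (sum(self._cdi.values()) == self._expected_total
                and all(v >= 0 for v in self._cdi.values()))

    def balance(self, acct):
        return self._cdi[acct]

    def _authorized(self, user, tp, cdis):
        return any(u == user and t == tp and cdis <= allowed
                   for u, t, allowed in self.triples)

    def _tp_transfer(self, src, dst, amount):
        """Well-formed transaction: value moves between two CDIs, never appears."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        self._cdi[src] -= amount
        self._cdi[dst] += amount

    def run_tp(self, user, tp, cdis, *args):
        """Enforcement: triple check, run TP, verify state, commit or roll back."""
        if not self._authorized(user, tp, cdis):
            self.audit_log.append(("DENIED", user, tp))
            return False
        snapshot = deepcopy(self._cdi)
        try:
            self._tps[tp](*args)
            if not self.ivp():
                raise ValueError("IVP failed after TP")
        except (ValueError, KeyError) as exc:
            self._cdi = snapshot                               # back to last valid state
            self.audit_log.append(("ROLLED_BACK", user, tp, str(exc)))
            return False
        self.audit_log.append(("COMMITTED", user, tp, tuple(sorted(cdis))))
        return True


if __name__ == "__main__":
    ledger = Ledger()
    both = frozenset({"acct_A", "acct_B"})
    print(ledger.run_tp("teller", "transfer", both, "acct_A", "acct_B", 30))    # True
    print(ledger.run_tp("teller", "transfer", both, "acct_A", "acct_B", 500))   # False, overdraft
    print(ledger.run_tp("auditor", "transfer", both, "acct_A", "acct_B", 1))    # False, no triple
    for entry in ledger.audit_log:
        print(entry)
```

Note that there is no public method that sets a balance directly: the CDIs are reachable only through a TP, and a TP that leaves the system in a state the IVP rejects is undone, which is the "well-formed transaction" guarantee in practice.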


Goguen-Meseguer

  • Known as the noninterference model.
  • Focuses on ensuring actions at a high security level do not interfere with actions at a lower security level.
Sutherland
  • Integrity model that concentrates on preventing interference; it is commonly applied to inference attacks, where an attacker deduces high-level information from low-level observations.
  • Uses concepts from both the information flow model and the state machine model.

Others

Graham-Denning

  • Each object has an owner and each subject has a controller.
  • Focuses on eight protection rules, the primitive operations a system must perform securely:
    • Create and delete subjects.
    • Create and delete objects.
    • Read, grant, delete, and transfer access rights.

State Machine Model

  • Describes a system in which every reachable state is secure, so the system remains secure regardless of which state it is in.

  • Based on computer science's finite state machine (FSM): a set of states plus transitions triggered by inputs.

  • A snapshot of the system at any moment is its 'state'; a transition is the move from one state to the next. If the initial state is secure and every transition preserves security, the system is a secure state machine.

A bank's system that keeps customer data encrypted both before and after every transaction (every transition preserves the "data is encrypted" invariant) is an example of a secure state machine.

Information Flow Models

  • Extend the state machine model to look at how information moves between states and between security levels, not only at individual accesses.
  • Biba and Bell-LaPadula are both information flow models.
  • Bell-LaPadula: prevents information flow from a higher to a lower security level (focus on confidentiality).
  • Biba: prevents information flow from a lower to a higher integrity level (focus on integrity).
  • Information flow models are also used to reason about covert channels, where information moves through a path (timing, shared resource usage) that the access rules never examine.

Open System

  • Definition: Systems that are constructed using widely recognized and accepted industry standards, promoting easy integration with other similarly designed systems.
  • In simpler terms: Like playing with LEGO bricks made by different manufacturers but all following the same design rules, ensuring they fit together.

Closed System

  • Definition: Systems that rely on proprietary hardware or software, often without publicly available documentation. This often makes integration with other systems more challenging.
  • In simpler terms: It's like trying to fit blocks from a specialized toy set into a generic set; they might not fit because they follow their own unique rules.

Embedded Systems & Static Environments

  1. Embedded Systems:
    • Definition: Systems designed for a specific function or set of functions within a larger system. They are integral to many devices and can be found in everyday appliances as well as specialized equipment.
    • Examples:
      • Motion systems (e.g., anti-lock braking system in cars)
      • Lighting systems
      • Cash registers
      • Digital signature pads
      • Wi-Fi routers
  2. Static Environments:
    • Definition: Configurations such as OSs, hardware, or networks set up for a particular purpose that remain unchanged despite interaction. They are intentionally resistant to alteration, even by authorized personnel such as administrators.
    • Example: An industrial control system (like those used in manufacturing plants) configured to manage machinery operations. Changes could disrupt the production process, so the environment is kept static to ensure consistent performance.
  3. Management & Security:
    • Both embedded systems and static environments, due to their specialized nature and the difficulty of patching them in place, require targeted security measures.
    • Security Measures:
      • Network Segmentation: Dividing the network into segments to keep critical systems separate from general-purpose ones.
      • Security Layers: Using multiple security measures to protect systems, akin to having multiple barriers.
      • Application Firewalls: Protect against malicious inputs or attacks targeted at the applications the device exposes.
      • Manual Updates: Due to the sensitivity and specificity of the environment, updates are reviewed and applied by hand rather than automatically.
      • Firmware Version Control: Ensures only approved and tested firmware versions are in use, and that a device cannot be rolled back to an older version with known flaws.
      • Wrappers: Additional security layers placed around an application or system (a proxy or filter in front of a device that cannot itself be hardened) to shield it from potential threats.
      • Control Redundancy and Diversity: Having multiple, different controls in place, so if one fails or is bypassed, another can take over or compensate.

  Remember: As technology evolves, the line between embedded systems and more flexible environments may blur, but the fundamental principles of securing these systems remain the same. Always prioritize the integrity and security of the system while accommodating its intended function.
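
The firmware version control measure listed above, as an added example in Python (not from the notes or from any vendor's tooling). The device type, version numbers and firmware bytes are constructed, and the approved-hash manifest is built from those bytes at import time as a stand-in for a manifest that, in a real deployment, would be signed and fetched from a trusted source. The gate rejects unlisted versions, images whose hash does not match, and downgrades below the installed version.

```python
import hashlib

# Constructed "tested build artifacts": version -> firmware image bytes.
FIRMWARE_IMAGES = {
    "1.2.0": b"plc-firmware-1.2.0-tested-build",
    "1.3.1": b"plc-firmware-1.3.1-tested-build",
    "1.10.0": b"plc-firmware-1.10.0-tested-build",
}

# Approved manifest: version -> SHA-256 of the image that passed testing.
# Assumption: in production this table is signed and loaded, not derived here.
APPROVED = {v: hashlib.sha256(img).hexdigest() for v, img in FIRMWARE_IMAGES.items()}


def parse_version(version):
    """Numeric tuple so that 1.10.0 sorts after 1.9.9 (string compare gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def check_firmware(version, image, installed_version):
    """Return (ok, reason) for a proposed firmware load on a device currently
    running installed_version. Order matters: identity of the image is
    established before the version comparison is trusted."""
    expected = APPROVED.get(version)
    if expected is None:
        return False, "version not on approved list"
    if hashlib.sha256(image).hexdigest() != expected:
        return False, "image hash mismatch"
    if parse_version(version) < parse_version(installed_version):
        return False, "downgrade refused"          # anti-rollback
    return True, "approved"


if __name__ == "__main__":
    print(check_firmware("1.3.1", FIRMWARE_IMAGES["1.3.1"], "1.2.0"))
    print(check_firmware("1.3.1", b"tampered-image", "1.2.0"))
    print(check_firmware("1.2.0", FIRMWARE_IMAGES["1.2.0"], "1.3.1"))
```

Reinstalling the same version is allowed (the comparison is strict), which is what a field technician needs after a corrupted flash; everything older is refused even when its hash is on the list, because an approved-but-old image is exactly what a rollback attack presents.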