Skip to main content

Miscellaneous Concepts

IT Security Evaluation Standards (unfinished)

Frameworks
Common Criteria (CC) - ISO/IEC 15408:15408
  • Overview:
    Overview: The Common Criteria for Information Technology Security Evaluation providesProvides a framework for evaluating the security propertiesevaluation of software and hardware products.
  • Key Point:Point: It allows for anAllows objective evaluation,evaluation ensuring aproducts/systems productmeet or system meets a particular set ofspecific security standards.
  • Relevance: Internationally recognized, acting as a bridge between national criteria.

Many viewregard itISO-IEC 15408 as the current "gold standard" in IT security evaluation.

  • Relevance: CC is internationally recognized and serves as a bridge between various national criteria by providing a common standard for security evaluations.
    • Trusted Computer System Evaluation Criteria (TCSEC) - often called the "Orange Book":
    • Overview: Developed in the U.S. during the 1980s, TCSEC was a set of criteria used for evaluating computer security within products.
    • Key Point: It introduced security levels (from D to A) that represented increasing levels of security assurance and capability.
    • Relevance: While it was groundbreaking in its time and influenced many future standards, it became somewhat outdated due to its focus on standalone systems and the rapid evolution of IT.
    Information Technology Security Evaluation Criteria (ITSEC):
    • Overview: Developed in Europe, ITSEC aimed to establish a standardized security evaluation.
    • Key Point: It expanded on the ideas of TCSEC but was more flexible and comprehensive. It evaluated both the security functionality and the assurance levels of products.
    • Relevance: ITSEC was an important step forward from TCSEC and laid groundwork for more international collaboration on security standards.

    Why Remember TCSEC and ITSEC?

    • Historical Importance: Understanding the progression of security standards is crucial. TCSEC and ITSEC represent significant milestones in the evolution of IT security evaluation criteria. They inform how and why modern standards, like the Common Criteria, have been shaped.
    • Foundational Concepts: Many concepts and terminologies in modern standards can trace their roots back to TCSEC and ITSEC. Understanding them can provide deeper insights into the underpinnings of current practices.
    Focus on

    Common Criteria (CC):

    Process
    While
      TCSEC and ITSEC are historically vital, the Common Criteria has effectively replaced them as the international standard for IT security evaluation. As a CISSP candidate, while it's essential to be aware of TCSEC and ITSEC, most of your attention should be on understanding the intricacies and applications of the Common Criteria, given its current global relevance and adoption.

    CC:
    1
  • Description of assets (Assumptions and Security Policies)

    • 2
  • Identification of threats

  • Threat
    3 Analysisanalysis and rating  of threats (Safety Risk Analysis)

    • 4
  • Determination of Security Objectives
    • (System & Environment objectives)

    5
  • Selection of security requirements

  • Repeat
    • 6 Repeat

    image.png


    Image


    Two

    Types of CC:

    Common

    Criteria
    1. Community Protection Profile (cPP):
      • Nature:Nature: Black-box evaluation.
      • Description:Description: cPPs come with predefined requirements. It’s a sort of "off-the-shelf" security evaluation based on standardized needs for a particular community or sector.

       

      Relevance for CISSP:CISSP: WhilecPP is foundational knowledge is useful, cPPbut might not be asless frequently referencedfrequent in the examexam.

      as the more detailed aspects of CC.

    1. Evaluation Assurance Level (EAL):

      • Nature:Nature: White-box evaluation.
      • Description:Description: EAL offers a more detailed, flexible approach. Instead of using preset requirements like cPP, EAL allows for a tailored examination, where the specific claims and requirements can be set based on the unique needs of the product or system.
      • Relevance for CISSP: It's essential to understand the different EAL levels (EAL1 to EAL7) and what each represents in terms of depth and rigor of evaluation.
    Comparison of Security Evaluation standards

    Standards
    Evaluation Level
    TCSEC
    ITSEC
    Common Criteria (CC)
    Description
    Lowest Assurance
    D
    F-D+E0
    EAL1 - Functionally Tested
    Mild protection against casual or inadvertent attempts to breach the system's security.
    Basic Assurance
    C1
    F-C1+E1
    EAL2 - Structurally Tested
    As above, with a focus on more structured security evaluation processes.

    C2
    F-C2+E2
    EAL3 - Methodically Tested & Checked
    As above, but with more refined controls and checks.
    Medium Assurance
    B1
    F-B1+E3
    EAL4 - Methodically Designed, Tested, and Reviewed
    Advanced protection with more comprehensive testing and detailed security design practices.

    B2
    F-B2+E4
    EAL5 - Semi-Formally Designed and Tested
    More rigorous requirements with vulnerability analysis and further development controls.
    High Assurance
    B3
    F-B3+E5
    EAL6 - Semi-Formally Verified Design and Tested
    Full or near-full assurance with very detailed security engineering practices.

    A1
    F-B3+E6
    EAL7 - Formally Verified Design and Tested
    The highest level of security assurance, with extremely strict formal methods and specifications.

    Relevance for CISSP: Essential to know EAL levels (EAL1 to EAL7) and their depth.

    Trusted Computer System Evaluation Criteria (TCSEC)

    Often called the "Orange Book"

    • Overview: U.S. developed criteria from the 1980s for computer security evaluations.
    • Key Point: Introduced security levels (D to A) for increasing security assurance.
    • Relevance: Influential in its time but became outdated.

    Information Technology Security Evaluation Criteria (ITSEC)

    • Overview: European standard aiming to standardize security evaluation.
    • Key Point: Expanded upon TCSEC and provided a more flexible, comprehensive approach.
    • Relevance: Laid groundwork for global security standard collaboration.

    Security Models

    • Maps abstract security statements into a security policy.
    • Implement security.
    • Define access for subjects and objects.

    Subjects = people accessing, Objects = resources accessed.

    The properties in Security Models that we will talk about below include:

    • Simple security property: Rules for reading.
    • Star (*) security property: Rules for writing.
    • Invocation property: Rules around invocations (calls).

    Confidentiality

    Bell-LaPadula

    Bell-LaPadula Model: This Lattice-based model primarily focuses on maintaining data confidentiality and has two main properties:

    • Simple Security Property (ss-property): AKA "No Read Up" (NRU).

      • Subjects at a lower security classification cannot read data at a higher security classification.
      • Example: An employee with a 'Confidential' clearance cannot read 'Top Secret' documents.

    • Star Security Property (*-property): AKA "No Write Down" (NWD).

      • Subjects at a higher security classification cannot write to a location (or objects) at a lower security classification.
      • Example: A 'Top Secret' user cannot write or save a document at a 'Confidential' level because this could lead to the unintentional downgrade of classified information.

    BPL is designed to prevent the leak of sensitive information, hence emphasizing confidentiality. BPL's "No Read Up" and "No Write Down" principles prevent users from accessing overly sensitive data and from downgrading data, respectively.

    Users are restricted where they write data, ensuring they don't accidentally leak information to lower classified areas.

    Take Grant

    Focuses on four operations - take, grant, create, and revoke. This model can be used for confidentiality as it dictates how rights can be transferred between subjects and objects. However, its focus is more on the operations themselves than on a specific security attribute.

    Brewer and Nash

    Also known as the Chinese Wall model, it prevents Conflict Of Interest (COI) problems. The model's name, "Chinese Wall", metaphorically represents a barrier against the flow of information.

    Integrity

    Biba

    This is the integrity counterpart to Bell-LaPadula. Biba can be uniquely defined as the State Machine Model (SMM). It focuses on preventing unauthorized changes to data:

    Biba ensures that lower quality (or corrupted) data doesn't pollute or overwrite higher quality data, highlighting integrity. 

    • Simple Integrity Property (si-property): AKA "No Read Down" (NRD).

      • Subjects at a higher integrity level cannot read objects at a lower integrity level.
      • Example: A software update system designed to pull only from reputable, high-integrity sources will not accept updates from unknown, potentially malicious sources.

    • Star Integrity Property (*-property): AKA "No Write Up" (NWU).

      • Subjects at a lower integrity level cannot write to an object at a higher integrity level.
      • Example: A general user (with lower integrity) cannot modify a system configuration file (with higher integrity).
    Clark-Wilson
    • Lattice-based, designed to protect identity and prevent fraud.
      • Different from Biba as it uses access control triples, ensuring users can't change data inappropriately.

    Control triples were designed to protect identity and prevent fraud so that users cannot change data inappropriately. 

    Goguen-Meseguer

    • Known as the noninterference model.
    • Focuses on ensuring actions at a high security level do not interfere with actions at a lower security level.
    Sutherland
    • Concentrates on preventing interference.
    • Uses concepts from both information flow and the state machine model.

    Others

    Graham-Denning

    • Each object has an owner and controller.
    • Focuses on eight rules:
      • Secure creation/deletion of subjects and objects.
      • Read, grant, delete, and transfer access rights. 

    State Machine Model

    • System remains secure regardless of its state.

    • Based on computer science's finite state machine (FSM).

    • A system snapshot at any moment is its 'state'.

    If a bank's system ensures user data is encrypted both before and after a transaction, it's a secure state machine.

    Information Flow Models

    • Focus on information flow based on state machine models.
    • Biba and Bell-LaPadula are both information flow models.
    • Bell-LaPadula: Prevents information flow from high to low security level (focus on confidentiality).
    • Biba: Focuses on flow from low to high security level (focus on integrity).

    Open System

    • Definition: Systems that are constructed using widely recognized and accepted industry standards, promoting easy integration with other similarly designed systems.
    • In simpler terms: Like playing with LEGO bricks made by different manufacturers but all following the same design rules, ensuring they fit together.

    Closed System

    • Definition: Systems that rely on proprietary hardware or software, often without publicly available documentation. This often makes integration with other systems more challenging.
    • In simpler terms: It's like trying to fit blocks from a specialized toy set into a generic set; they might not fit because they follow their own unique rules.

        Embedded Systems & Static Environments

        1. Embedded Systems:
          • Motion systems (e.g., anti-lock braking system in cars)
          • Lighting systems
          • Cash registers
          • Digital signature pads
          • Wi-Fi routers
          • Definition: These systems are designed for a specific function or set of functions within a larger system.
          • Examples:
          • They're integral to many devices and can be found in everyday appliances as well as specialized equipment.
        2. Static Environments:
          • Definition: Configurations like OSs, hardware, or networks set up for a particular purpose and remain unchanged despite interaction. They are resistant to alterations, even by authorized personnel like administrators.
          • Example: An industrial control system (like those used in manufacturing plants) that's configured to manage machinery operations. Changes could disrupt the production process, so the environment remains static to ensure consistent performance.
        3. Management & Security:
          • Network Segmentation: Dividing network into various segments to keep critical systems separate and secure.
          • Security Layers: Using multiple security measures to protect systems, akin to having multiple barriers.
          • Application Firewalls: Protects against malicious inputs or attacks targeted at applications.
          • Manual Updates: Due to the sensitivity and specificity, updates might need to be manually reviewed and applied.
          • Firmware Version Control: Ensures only approved and tested firmware versions are in use.
          • Wrappers: Additional security layers around an application or system to shield it from potential threats.
          • Control Redundancy and Diversity: Having multiple controls in place, so if one fails, another can take over or compensate.
          • Both embedded systems and static environments, due to their specialized nature, require targeted security measures.
          • Security Measures:

        Remember: As technology evolves, the line between embedded systems and more flexible environments may blur, but the fundamental principles of securing these systems remain the same. Always prioritize the integrity and security of the system while accommodating for its intended function.

        Back to top