Frameworks

Common Criteria (CC) - ISO/IEC 15408

  • Overview: Provides a framework for the security evaluation of software and hardware products.
  • Key Point: Allows objective evaluation ensuring products/systems meet specific security standards.
  • Relevance: Internationally recognized, acting as a bridge between national criteria.

Many regard ISO/IEC 15408 as the current "gold standard" in IT security evaluation.

Common Criteria Process

  1. Description of assets (Assumptions and Security Policies)
  2. Identification of threats
  3. Threat analysis and rating (Safety Risk Analysis)
  4. Determination of Security Objectives
  5. Selection of security requirements
  6. Repeat

[Figure: Common Criteria process diagram. Image source: https://www.youtube.com/watch?v=mLuLtIsDjK8&list=PL7XJSuT7Dq_XPK_qmYMqfiBjbtHJRWigD&index=10]

Types of Common Criteria

Community Protection Profile (cPP)
  • Nature: Black-box evaluation.
  • Description: cPPs come with predefined requirements. It’s a sort of "off-the-shelf" security evaluation based on standardized needs for a particular community or sector.

Relevance for CISSP: cPP is foundational but might be less frequent in the exam.

Evaluation Assurance Level (EAL)
  • Nature: White-box evaluation.
  • Description: EAL offers a more detailed, flexible approach. Instead of using preset requirements like cPP, EAL allows for a tailored examination, where the specific claims and requirements can be set based on the unique needs of the product or system.

Comparison of Evaluation Standards

  Evaluation Level | TCSEC | ITSEC   | Common Criteria (CC)                               | Description
  -----------------|-------|---------|----------------------------------------------------|------------------------------------------------------------------------------------------------
  Lowest Assurance | D     | F-D+E0  | EAL1 - Functionally Tested                         | Mild protection against casual or inadvertent attempts to breach the system's security.
  Basic Assurance  | C1    | F-C1+E1 | EAL2 - Structurally Tested                         | As above, with a focus on more structured security evaluation processes.
                   | C2    | F-C2+E2 | EAL3 - Methodically Tested & Checked               | As above, but with more refined controls and checks.
  Medium Assurance | B1    | F-B1+E3 | EAL4 - Methodically Designed, Tested, and Reviewed | Advanced protection with more comprehensive testing and detailed security design practices.
                   | B2    | F-B2+E4 | EAL5 - Semi-Formally Designed and Tested           | More rigorous requirements with vulnerability analysis and further development controls.
  High Assurance   | B3    | F-B3+E5 | EAL6 - Semi-Formally Verified Design and Tested    | Full or near-full assurance with very detailed security engineering practices.
                   | A1    | F-B3+E6 | EAL7 - Formally Verified Design and Tested         | The highest level of security assurance, with extremely strict formal methods and specifications.

Relevance for CISSP: Essential to know EAL levels (EAL1 to EAL7) and their depth.

Trusted Computer System Evaluation Criteria (TCSEC)

Often called the "Orange Book"

  • Overview: U.S. developed criteria from the 1980s for computer security evaluations.
  • Key Point: Introduced security levels (D to A) for increasing security assurance.
  • Relevance: Influential in its time but became outdated.

Information Technology Security Evaluation Criteria (ITSEC)

  • Overview: European standard aiming to standardize security evaluation.
  • Key Point: Expanded upon TCSEC and provided a more flexible, comprehensive approach.
  • Relevance: Laid groundwork for global security standard collaboration.

Security Models

  • Maps abstract security statements into a security policy.
  • Implement security.
  • Define access for subjects and objects.

Subjects = people accessing, Objects = resources accessed.

The properties in Security Models that we will talk about below include:

  • Simple security property: Rules for reading.
  • Star (*) security property: Rules for writing.
  • Invocation property: Rules around invocations (calls).

Confidentiality

Bell-LaPadula

Bell-LaPadula Model: This lattice-based model primarily focuses on maintaining data confidentiality and has two main properties:

  • Simple Security Property (ss-property): AKA "No Read Up" (NRU).

    • Subjects at a lower security classification cannot read data at a higher security classification.
    • Example: An employee with a 'Confidential' clearance cannot read 'Top Secret' documents.
  • Star Security Property (*-property): AKA "No Write Down" (NWD).

    • Subjects at a higher security classification cannot write to a location (or objects) at a lower security classification.
    • Example: A 'Top Secret' user cannot write or save a document at a 'Confidential' level because this could lead to the unintentional downgrade of classified information.

[Figure: Bell-LaPadula "No Read Up" / "No Write Down" diagram]

BLP is designed to prevent the leak of sensitive information, hence emphasizing confidentiality. BLP's "No Read Up" and "No Write Down" principles prevent users from accessing overly sensitive data and from downgrading data, respectively.

Users are restricted where they write data, ensuring they don't accidentally leak information to lower classified areas.


Take Grant

Focuses on four operations - take, grant, create, and revoke. This model can be used for confidentiality as it dictates how rights can be transferred between subjects and objects. However, its focus is more on the operations themselves than on a specific security attribute.

Brewer and Nash

Also known as the Chinese Wall model, it prevents Conflict Of Interest (COI) problems. The model's name, "Chinese Wall", metaphorically represents a barrier against the flow of information.
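An added example, not part of the original notes, showing what makes the Chinese Wall different from the label-based models: the decision depends on what a subject has already read, so the "wall" is built dynamically by recording accesses. The conflict-of-interest classes and company names are constructed, and the write rule is the simplified form that ignores sanitized public information.

```python
# Constructed example: conflict-of-interest (COI) classes and the company
# datasets inside each one. All names are hypothetical.
COI_CLASSES = {
    "Banks": {"BankA", "BankB"},
    "Oil": {"OilCo", "PetroInc"},
}

def coi_class_of(dataset: str) -> str:
    for cls, members in COI_CLASSES.items():
        if dataset in members:
            return cls
    raise KeyError(f"unknown dataset {dataset}")

class ChineseWall:
    """Reference monitor for the Brewer and Nash model: access decisions
    depend on each subject's access history, not on fixed labels."""

    def __init__(self) -> None:
        self.history: dict[str, set[str]] = {}   # subject -> datasets already read

    def can_read(self, subject: str, dataset: str) -> bool:
        # Read rule: allowed unless the subject has already read a *different*
        # dataset in the same COI class (that would be a conflict of interest).
        cls = coi_class_of(dataset)
        return all(seen == dataset or coi_class_of(seen) != cls
                   for seen in self.history.get(subject, set()))

    def can_write(self, subject: str, dataset: str) -> bool:
        # Write rule (simplified, sanitized data ignored): the subject must be
        # able to read the target and must not have read any other company's
        # dataset, otherwise the write could carry information across the wall.
        return self.can_read(subject, dataset) and all(
            seen == dataset for seen in self.history.get(subject, set()))

    def read(self, subject: str, dataset: str) -> bool:
        """Perform a read if allowed; recording it is what raises the wall."""
        if not self.can_read(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True

if __name__ == "__main__":
    wall = ChineseWall()
    print(wall.read("alice", "BankA"))   # True
    print(wall.read("alice", "BankB"))   # False: BankA already read, same COI class
    print(wall.read("alice", "OilCo"))   # True: different COI class
```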


Integrity

Biba

This is the integrity counterpart to Bell-LaPadula. Biba can be uniquely defined as the State Machine Model (SMM). It focuses on preventing unauthorized changes to data:

Biba ensures that lower quality (or corrupted) data doesn't pollute or overwrite higher quality data, highlighting integrity. 

  • Simple Integrity Property (si-property): AKA "No Read Down" (NRD).

    • Subjects at a higher integrity level cannot read objects at a lower integrity level.
    • Example: A software update system designed to pull only from reputable, high-integrity sources will not accept updates from unknown, potentially malicious sources.
  • Star Integrity Property (*-property): AKA "No Write Up" (NWU).

    • Subjects at a lower integrity level cannot write to an object at a higher integrity level.
    • Example: A general user (with lower integrity) cannot modify a system configuration file (with higher integrity).

[Figure: Biba "No Read Down" / "No Write Up" diagram]
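The Bell-LaPadula rules in the Confidentiality section and the Biba rules just listed are the same lattice dominance test with the direction reversed. The following is an added example, not from the original notes, implementing both as a reference monitor in Python over a constructed lattice of hierarchical ranks plus compartments; the level and compartment names are hypothetical.

```python
from dataclasses import dataclass

# Constructed orderings (hypothetical names). Higher number = higher level.
SECRECY = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
INTEGRITY = {"Untrusted": 0, "User": 1, "System": 2}

@dataclass(frozen=True)
class Label:
    """A lattice label: a hierarchical rank plus a set of compartments."""
    rank: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: at least as high a rank AND a superset of compartments.
        return self.rank >= other.rank and self.compartments >= other.compartments

def secrecy(level: str, *compartments: str) -> Label:
    return Label(SECRECY[level], frozenset(compartments))

def integrity(level: str, *compartments: str) -> Label:
    return Label(INTEGRITY[level], frozenset(compartments))

# Bell-LaPadula: labels are clearances (subjects) and classifications (objects).
def blp_can_read(subject: Label, obj: Label) -> bool:
    """ss-property, "No Read Up": the clearance must dominate the object's label."""
    return subject.dominates(obj)

def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property, "No Write Down": the object's label must dominate the clearance."""
    return obj.dominates(subject)

# Biba: the same lattice test with the arrows reversed, because here a higher
# label means more trustworthy data, not more secret data.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """si-property, "No Read Down": the object's integrity must dominate the subject's."""
    return obj.dominates(subject)

def biba_can_write(subject: Label, obj: Label) -> bool:
    """*-integrity property, "No Write Up": the subject's integrity must dominate the object's."""
    return subject.dominates(obj)

if __name__ == "__main__":
    user = secrecy("Confidential")
    doc = secrecy("Top Secret", "CRYPTO")
    print("Confidential reads TS/CRYPTO:", blp_can_read(user, doc))    # False
    print("Confidential writes TS/CRYPTO:", blp_can_write(user, doc))  # True
```

Note that a "Top Secret" clearance without the CRYPTO compartment still fails the read check: the compartments are why the model is a lattice and not just a ladder of levels.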

Clark-Wilson

Principle: This model focuses on real-world business transaction integrity and enforces well-formed transaction concepts. It doesn't use the same labels of high or low integrity like Biba does; instead, it uses access control triples.

Components:

  1. Authenticated Principal: The end user or entity accessing the data.
  2. Transformational Procedures (TP): Programs or methods that execute operations or changes on data.
  3. Data Items: Two main types:
    • UDIs (Unconstrained Data Items): Raw data without integrity controls.
    • CDIs (Constrained Data Items): Data with specific integrity constraints.

Example: Consider an accounting system. Here, the Clark-Wilson model might dictate that only specific applications (TPs) can modify certain data items (e.g., account balances). A cashier (Authenticated Principal) can't directly modify an account balance (Data Item) but must go through an approved application (TP) that ensures well-formed transactions (e.g., valid sales receipts).

Control triples were designed to protect identity and prevent fraud so that users cannot change data inappropriately. 
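The accounting example above, as added Python that is not part of the original notes: the cashier can only change the books through a certified TP named in an access control triple, and an integrity verification procedure (IVP, here a constructed double-entry check that cash must equal revenue) rolls back any TP that leaves the CDI ill-formed. The account names, amounts and TP names are hypothetical.

```python
class IntegrityViolation(Exception):
    """A TP left a CDI in a state the IVP rejects."""
# Transformation procedures (TPs): the only code allowed to touch a CDI.
def record_sale(books: dict, receipt: dict) -> None:
    """Certified TP: validate the raw receipt (a UDI) and post it double-entry."""
    amount = int(receipt["amount"])
    if amount <= 0:
        raise ValueError("receipt amount must be positive")
    books["cash"] += amount
    books["revenue"] += amount

def adjust_cash(books: dict, receipt: dict) -> None:
    """A faulty TP: it posts to one side only, so the books no longer balance."""
    books["cash"] += int(receipt["amount"])

class ClarkWilsonLedger:
    def __init__(self) -> None:
        self.cdis = {"books": {"cash": 1000, "revenue": 1000}}   # constrained data item
        self.tps = {"record_sale": record_sale, "adjust_cash": adjust_cash}
        # Access control triples (principal, TP, CDI): no matching triple, no access.
        self.triples = {("cashier", "record_sale", "books"),
                        ("cashier", "adjust_cash", "books")}

    @staticmethod
    def ivp(books: dict) -> bool:
        """Integrity verification procedure: double-entry postings keep cash == revenue."""
        return books["cash"] == books["revenue"] and min(books.values()) >= 0

    def run(self, user: str, tp: str, cdi: str, udi: dict) -> dict:
        """Run a TP on a CDI for a principal, enforcing the triples and the IVP."""
        if (user, tp, cdi) not in self.triples:
            raise PermissionError(f"no triple allows {user} to run {tp} on {cdi}")
        books = self.cdis[cdi]
        before = dict(books)
        self.tps[tp](books, udi)
        if not self.ivp(books):
            books.clear(); books.update(before)   # roll back the ill-formed transaction
            raise IntegrityViolation(f"{tp} left {cdi} inconsistent")
        return dict(books)

def outcome(ledger: ClarkWilsonLedger, user: str, tp: str, cdi: str, udi: dict) -> str:
    """Classify a request as allowed, denied by the triples, or rolled back by the IVP."""
    try:
        ledger.run(user, tp, cdi, udi)
        return "ok"
    except PermissionError:
        return "denied"
    except IntegrityViolation:
        return "rolled back"
```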


Goguen-Meseguer

  • Known as the noninterference model.
  • Focuses on ensuring actions at a high security level do not interfere with actions at a lower security level.

Sutherland

  • Concentrates on preventing interference.
  • Uses concepts from both information flow and the state machine model.

Others

Graham-Denning

  • Each object has an owner and controller.
  • Focuses on eight rules:
    • Secure creation/deletion of subjects and objects.
    • Read, grant, delete, and transfer access rights. 

State Machine Model

  • System remains secure regardless of its state.
  • Based on computer science's finite state machine (FSM).
  • A system snapshot at any moment is its 'state'.

If a bank's system ensures user data is encrypted both before and after a transaction, it's a secure state machine.

Information Flow Models

  • Focus on information flow based on state machine models.
  • Biba and Bell-LaPadula are both information flow models.
  • Bell-LaPadula: Prevents information flow from high to low security level (focus on confidentiality).
  • Biba: Focuses on flow from low to high security level (focus on integrity).

Open System

  • Definition: Systems that are constructed using widely recognized and accepted industry standards, promoting easy integration with other similarly designed systems.
  • In simpler terms: Like playing with LEGO bricks made by different manufacturers but all following the same design rules, ensuring they fit together.

Closed System

  • Definition: Systems that rely on proprietary hardware or software, often without publicly available documentation. This often makes integration with other systems more challenging.
  • In simpler terms: It's like trying to fit blocks from a specialized toy set into a generic set; they might not fit because they follow their own unique rules.