3: Security Architecture & Engineering
security engineering ensures that systems meet business objectives and security requirements
-
security should be a design element
- bolt-on security rarely works
- can’t effectively retrofit after the fact
- should be a part of the design from the start
-
security requirements of information systems are driven by the security policy of the org using the system
- system: a group of components working together towards a goal
-
incorporate abstract goals of security policy into an info system’s architecture. will need to use security models.
- subject → object
- user → file
- process → memory
- clearly designating subjects and objects improves the design process
- fail open
- failed security controls automatically bypassed
- ex. fire doors, IDSs
- fail closed/secure
- failed security controls block access
- ex. firewall
- design where different components can’t communicate with each other unless absolutely necessary
- network segmentation
- process isolation
- memory segmentation
- virtual machine isolation
- systems designed to operate at different security levels at the same time
- enforces confidentiality and integrity
- restricts access between security levels
-
enforces confidentiality
- simple security rule
- no “read up”
- *-property
- no “write down”
exam tip:
Bell-LaPadula is rarely used outside of the DoD / government.
- enforces integrity
- simple integrity property
- no “read down”
- *-integrity property
- no “write up”
exam tip:
Bell-LaPadula and Bell models are needed for the exam, but rarely used in the real world.
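The four read/write rules above, written as an access check. This is an added example, not part of the original notes; the level names and function names are assumed for illustration. It also shows what happens when both models are enforced with a single set of labels.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered labels. The names are assumed; the notes do not list levels."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_check(subject: Level, obj: Level, op: str) -> str:
    """Confidentiality model: returns 'allow' or the rule that denies."""
    if op == "read":
        # simple security rule: a subject may not read a higher-level object
        return "allow" if subject >= obj else "deny: simple security rule (no read up)"
    if op == "write":
        # *-property: a subject may not write to a lower-level object
        return "allow" if subject <= obj else "deny: *-property (no write down)"
    raise ValueError(f"unknown operation: {op}")


def integrity_check(subject: Level, obj: Level, op: str) -> str:
    """Integrity model: the same comparison with the directions reversed."""
    if op == "read":
        # simple integrity property: do not read lower-integrity data
        return "allow" if subject <= obj else "deny: simple integrity property (no read down)"
    if op == "write":
        # *-integrity property: do not write to higher-integrity data
        return "allow" if subject >= obj else "deny: *-integrity property (no write up)"
    raise ValueError(f"unknown operation: {op}")


def both_allow(subject: Level, obj: Level, op: str) -> bool:
    """True only when the confidentiality and integrity checks both pass."""
    return blp_check(subject, obj, op) == "allow" and integrity_check(subject, obj, op) == "allow"


def allowed_pairs(op: str) -> list:
    """Every (subject, object) pair that survives both models for one operation."""
    return [(s.name, o.name) for s in Level for o in Level if both_allow(s, o, op)]


if __name__ == "__main__":
    analyst = Level.SECRET
    for target in Level:
        for op in ("read", "write"):
            print(f"{analyst.name:>12} {op:5} {target.name:<12} "
                  f"confidentiality={blp_check(analyst, target, op)!r} "
                  f"integrity={integrity_check(analyst, target, op)!r}")
    # With one label set used for both models, only same-level access remains.
    print(allowed_pairs("read"))
```

Running it shows the two models pulling in opposite directions: if the same labels are used for both, a subject can only read and write objects at its own level.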
- integrity model
- enforces well-formed transactions through the use of access triple:
user ➝ transformation procedure ➝ CDI
- CDI
- constrained data item
- deals with all three integrity goals
- has a separation of duties
- prevent unauthorized users from making modifications
- prevent authorized users from making improper modifications
- maintains internal and external consistency
- reinforces separation of duties
- commercial model
- aka Chinese Wall — ethical wall
- developed to combat conflicts of interest in databases housing competitor information
- ex. stock exchange database with information about competing companies (i.e. Microsoft, Apple, Google)
- published in 1989 to ensure fair competition
- defines a wall and a set of rules to ensure that no subject has access to objects on the other side of the wall
- way to separate competitor data within the same integrated database
-
cybersec programs first appeared w/in government agencies
-
why evaluate?
- to carefully examine security-related components of a system
-
trust
- function of the product — what does it do?
-
assurance
- reliability of the process
-
CMMI (Capability Maturity Model Integrated)
- evaluates developer’s processes, good developer processes lead to good products
- AKA the “Orange Book”
- contained DoD computer security requirement
- developed by National Computer Security Center (NCSC)
- based on Bell-Lapadula
- uses hierarchically ordered series of evaluation classes
- defines trust and assurance, but doesn’t allow for them to be evaluated independently
- evaluations:
- ratings — grade type system
- A: verified
- B: mandatory
- C: discretionary
- D: minimal
ITSEC
- 1991, collection of European nations
- first criteria, to evaluate functionality (trust) and assurance separately
- ratings:
- F1 – F10 rates for functionality
- E1 – E6 rates for assurance
Common Criteria
-
ISO 15408
-
unified evaluation process
-
protection criteria (PC)
- requirements from an agency or a customer
-
target of evaluation (ToE)
- system designed by a vendor
-
security target (ST)
- documentation describing how the ToE meets the PP
-
evaluation assurance level (EAL 1-7)
- describes the level to which the ToE meets the PP
EAL Ratings | |
---|---|
EAL 1 | functionally tested |
EAL 2 | structurally tested |
EAL 3 | methodically tested and documented |
EAL 4 | methodically designed, tested and reviewed |
EAL 5 | semi-formally designed and tested |
EAL 6 | semi-formally verified, designed and tested |
EAL 7 | formally verified, designed and tested |
- certification
- determines that a system meets security criteria
- accreditation
- approves uses of a system in a specified environment
- accreditation decisions
- authorization to operate (ATO)
- interim authorization to operate (IATO)
- interim authorization to test (IATT)
- denial authorization to operate (DATO)
exam tip
certification and accreditation are different.
accreditation and authorization are the same.
- no individual should possess permissions that when combined allow them to perform a highly sensitive action
- ex. accountant creating a new vendor and cutting checks to that vendor
- infosec pros are often called on to create controls for separation of duties
- infosec pros are often the subject of separation of duties
-
aka dual control
-
requires authorization of two individuals to perform a sensitive action
- examples
- missile launches
- checks that require two signators
-
separation of duties and two person control reduce the likelihood of fraud
- must collude to commit fraud
- processes and mechanisms that an organization puts in place to manage security risks
- designed to keep risk profile in line w/ risk appetite
-
multiple controls for one objective
-
controls can be categorized by purpose or mechanism of action
-
purpose
-
preventative controls
- stop a security issue from occurring in the first place
- ex. fences, gates, firewalls
-
detective controls
- identify a potential security issue that has already happened
- ex. log reviews, CCTV reviews
-
corrective controls
- remediate a security issue that has occurred
- ex. AV software
-
deterrent controls
- prevent an attacker from seeking to violate security policies
- ex. guard dog, fences
-
physical controls
- impact the physical world
- ex. fence, gate, lighting
-
compensating controls
- designed to fill in a known gap in an environment
- ex. guard at a turnstile
-
-
mechanism of action
-
technical controls
- use technology to achieve security control objectives
-
operational controls
- human-driven procedures to manage technology in a secure manner
exam tip
technical controls are implemented by technology, operational controls are implemented by people.
-
management controls
- improve the security of the risk management program itself
-
-
-
seeks to incorporate privacy practices into the design and implementation of systems
-
not bolting it on afterwards
-
seven foundational principles:
-
proactive, not reactive; prevent, not remediate
systems should be designed w/ privacy protections, not to respond to privacy issues
-
privacy as a default setting
systems should default to protecting privacy unless the user opts to be less private
-
privacy embedded into design
privacy should be a core requirement of a system, not a bolted on afterthought
-
full functionality: positive sum, not zero sum
privacy shouldn’t be a trade off
-
end-to-end security — full life cycle protection
security practices should occur during all stages of the info lifecycle
-
visibility and transparency — keep it open
components should be open to users and customers
-
respect for user privacy — keep it user-centric
privacy should be focused on the user
-
- ensure that a system runs in a secure mode unless we configure it not to
- default to secure
- example: a firewall defaults to deny all until configured
- complexity increases the likelihood of failure
- applies the least privilege concept to network access
- doesn’t grant access based on IP / MAC addresses
- replaces network-based focused access control w/ strong user focused authentication
- trust, but verify
- employees
- customers
- vendors
- Mike Chapple
- delivering computer resources to a remote customer over a network
- examples:
- accessing web-based email
- building servers in AWS
- running scripts on Salesforce
- NIST
a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be readily provisioned and released with minimal management effort or service provider interaction
people and orgs play different roles in cloud computing
- offers cloud computing services to third parties
- run infrastructure
- consumer of cloud services
- purchases cloud computing services from one or more cloud service provider
- nature of relationship with provider can vary
- self-service
- one-on-one support w/ managed account
- provides add-on services
- might assist org in implementing cloud for org
- might offer security monitoring
-
provide IAM services
-
can add a third party security layer between an org. and their cloud service provider
-
network-based CASBs
- intercepts network traffic between the org and cloud
- monitors traffic for security issues
- can block access if issue discovered
-
API-based CASBs
- queries cloud service by API and monitors
- may be limited by API access and what information is available from API
-
-
on-demand self-service
- resources are available when the org needs them
- can spin up servers on demand using preconfigured images
-
scalability
- can increase capacity on demand
- horizontal scaling
- adding additional servers to a pool to meet increased demand
- vertical scaling
- adding more resources (CPU, memory, storage) to a server on demand
-
elasticity
- the ability to expand and contract quickly
-
broad network access
- provide anywhere anytime access
-
measured service
- pay only for what you consume
-
multitenancy
- sharing computing resources
- allows for oversubscription
- oversubscription
- when sold capacity exceeds total available capacity
-
isolation
- users don’t impact one another
- users can’t see other users’ information
- when isolation breaks down, performance suffers
- mainframes dominated data centers of past decades
- client/server model emerged in the ’80s / ’90s as desktop machines became more powerful
- now, data centers are leveraging virtualization technologies
-
a host machine runs on physical hardware
-
the host machine provides services to multiple virtualized guest machines
-
a hypervisor on the host machine tricks each virtual machine into thinking that it is running on real hardware
-
Hypervisor types
-
Type 1 hypervisor
- runs on bare metal server
-
Type 2 hypervisor
- runs as a program on an OS
-
-
VM isolation is critical to security
-
each VM must only have access to its own memory and storage
-
VM escape attacks
- attempt to break out of the guest environment
-
virtualization platforms must be patched against vulnerabilities to protect all guest machines
- it is easy to spin up a virtual machine and forget about it
- unused and unmaintained servers are…
- wasteful
- security risk
- provides network-based access to a desktop computing environment
-
streams an application to a user’s desktop
-
both VDIs and application virtualization allow users to use thin clients with minimal specs
-
virtualized servers run in cloud data centers
-
high availability
- can use resources across multiple zones
- ex. DigitalOcean NYC and San Francisco
-
instance awareness
- reduce VM sprawl
- lightweight application virtualization
- alternate to virtual servers
- contain application code and dependencies
- run on a containerization platform
- ex. Docker
- containerization platform runs on host machine OS
- isolation is the most important security issue for containers
-
ISO 17789: Cloud Computing Reference Architecture
exam tip
the reference architecture is a helpful framework, but is just a starting point.
-
defines cloud computing activities
-
customer activities
- use cloud services
- perform service trials
- monitor services
- administer security
- provide billing reports
- handle problems
- administer tenancies
- perform business admin
- select services
- request audit reports
-
cloud service provider activities
- prepare systems and services
- monitor services
- manage assets
- provide audit data
- manage customer relationships
- perform peering
- ensure compliance
- provide connectivity
-
partner activities
- design, create, maintain services
- test services
- perform audits
- set up legal agreements
- acquire and assess customers
- assess the market
-
- designed to help cloud providers and customers understand the detailed security controls that may be used to achieve cloud security objectives
- org uses a dedicated cloud infrastructure
- org uses multitenancy infrastructure
- public cloud computing uses a shared responsibility model
- org uses both private and public cloud
- cloud created by a consortium or group of orgs
- example: PASSHE makes a cloud for all state universities
exam tip
no cloud model is superior, it all depends on context and the org’s needs.
- XaaS
- x as a service
- customers purchase an entire application
- often run through a browser
- compatibility is less of an issue
- example: Gmail, Boxer, O365, OneDrive, etc.
- can be specialized
- example: credit card processing software, Square, etc.
- customer runs functions
- What is FaaS (IBM)
- depends on the level of the service
layer | IaaS | PaaS | SaaS |
---|---|---|---|
data | customer | customer | customer |
app | customer | customer | vendor |
OS | customer | vendor | vendor |
hardware | vendor | vendor | vendor |
data center | vendor | vendor | vendor |
exam tip
understanding the shared responsibility model is important for infosec professionals.
- IoT and embedded systems are transforming computing
- industries are starting to use both in new ways
- however this can have issues in remote areas
- computing at the endpoint
- data is processed by remote sensor prior to being sent
- allows for small bursts of pre-computed data to be sent to the cloud
- useful when bandwidth limitations are a concern
- monitor and control industrial processes
- utilities such as electrical, gas, water, sewage treatment
- manufacturing, industrial facilities, production operations
- building automation systems
- workflow automation systems
- process automation systems
- ICS are lucrative targets
- attacks have dramatic, high visibility outcomes
- systems are usually not well secured
- systems are less likely to be current on patches
- a city can’t turn off the water for an hour to patch the water treatment plant’s ICS
-
supervisory control and data acquisition (SCADA)
- remote monitoring
- gas lines, power lines
- remote telemetry
- report back to control systems
- multiple points of attack
-
distributed control system (DCS)
- focus on controlling processes
- use sensors and feedback systems
- multiple points of attack
-
programmable logic controller (PLC)
- handles specialized input / output
- rugged
- ensures uninterrupted processing
- connects to human-machine interface
-
modbus protocol
- serial interface communication
- computer controlled and network connected
- began w/ desire to have wireless network connectivity for devices
- example: printers, Xboxes, etc.
- hospital/medical facilities
- utilities and smart meters
- aircraft and drones
- difficult to update software and OS
- updates can be disruptive to service provided by smart device
- devices connect to same wifi in the home as other personal devices such as laptops, desktops, etc.
- hacked smart devices have access to personal devices on the network
- devices connect back to cloud services for command and control
- attackers can exploit this and move from the cloud into homes/businesses via smart devices
-
regular updates
- automatic updates
- manual updates
- need to know which devices get automatic vs. manual updates
-
weak default admin and system passwords
- change admin/password!
-
(for orgs):
-
firmware version control
- updates should be applied in an orderly fashion
- use change management for smart devices
-
security wrappers
- vet requests for embedded systems
- like a mini firewall for the device
-
-
use diverse and redundant security controls to protect embedded devices
-
smart devices require secure networks
-
segmenting smart devices increases network security
- isolated DMZ w/ restricted access
exam tip
network segmentation is the most important control for embedded devices.
-
application firewalls provide added protections for embedded devices
- can help protect against web attacks (SQL injection, XSS, etc.)
-
embedded device controls are also effective for mainframes
- tech components of an IoT device that place a full computer inside a larger system
- examples
- printers and multifunction devices contain embedded systems
- print server, scanner/image processing, email server, web server, etc.
- cameras
- embedded system w/ image processing software, networking software
- cars
- self-driving “smart” cars
- modern vehicles with OBDII and embedded systems controlling engine management, lighting, braking, radio, etc.
- combine a processor, memory, other system components on a single chip
- examples: Raspberry Pi, Arduinos
- integrated circuit designed to be configured by a customer or a designer after manufacturing
- allows dynamic reprogramming
- example: IBM’s eFUSE
- provide reliable and secure computing for IoT devices
- CAN: controller area network
- robust vehicle bus standard
- allows microcontrollers and devices to communicate with each other’s applications without a host computer
-
limited power
-
limited computing capacity
- makes cryptography difficult or impossible
-
limited network capacity
-
patching
-
assess embedded devices authentication practices carefully
- devices often have to connect under conditions
- many different solutions are used in lieu of traditional wired / wireless connections
-
cell networks
- provide 4G / 5G when wifi / network not available
- SIM cards (traditional or eSIM) are required to communicate over cellular network
- can be expensive
-
Zigbee/Zwave
- provides short distance communication / mesh networks for home automation
-
radio frequency
- provide near communications when cellular is not available
-
satellite
- provide communications almost anywhere
- can be extremely expensive
-
memory is a shared resource that must be protected
-
memory types
-
ROM (read only memory)
- written to memory chip
- cannot be changed by applications or OS
-
RAM (random access memory)
- contents may be changed by applications or OS
-
-
OSes need to have memory management
- tracks which applications are using what memory
- grants requests from applications for additional memory
- frees up memory that’s no longer in use
restricts access to memory segments
-
segmentation faults
- error when an application tries to request access to a memory segment that it’s not authorized to use
-
memory leaks
- applications accumulate memory over time
- applications fail to release memory when no longer needed
- applications proceed to slowly take up all memory on the system
protects sensitive data by transforming it so it can’t be read w/o a decryption key
-
AES crypt
- open source file encryption
-
full disk encryption (FDE)
- protects entire drive
-
hardware security module (HSM)
- dedicated hardware to perform encryption
- trusted platform module (TPM)
- brings hardware encryption to typical consumer computers
-
self-encrypting drives (SED)
- performs encryption automatically
- Trusted Computing Group (TCG) produces an Opal Storage Spec for SEDs
-
OSs must be loaded from disk during the boot process
-
this is done via the use of BIOS or UEFI
-
BIOS (basic input/output system)
- lightweight OS stored in firmware
- provides basic functionality needed to load the full OS from disk
- BIOS attacks can give attackers full control of a device
-
UEFI (unified extensible firmware interface)
- replaced BIOS with a flexible alternative
- secure boot
- reads bootloader from disk
- computes a hash of the bootloader
- decrypts bootloader’s digital signature
- verifies that the signature is accurate
- booting will abort if bootloader’s signature fails verification
-
measured boot
- definitions don’t match notes… (Wikipedia)
require careful attention as both store and handle massive amounts of sensitive data
- controlling bandwidth consumption
- use network devices and server OSes to control or limit resources
- understand sensitive data flow
- need to know where sensitive data is flowing
- use data flow maps to know where to apply security controls
-
aggregation
- putting together low-level facts to determine more high-level / sensitive info
-
inference
- figuring out sensitive facts with facts available to an individual
- relational databases rely on SQL to manage
-
NoSQL databases use key-value stores
-
key
- unique value used to identify and locate info stored in the table
-
value
- data stored for later retrieval that is associated with the key
-
each key may have a different structure of values (int, string, etc.)
- examples from DynamoDB:
- AllItemAction (*): full database access
- GetItem: retrieve a single item
- BatchGetItem: retrieve multiple items
- PutItem: store a single item
- etc.
- other NoSQL databases have similar permissions
- important for admins to ensure that applications and users have the appropriate permissions
used for specialized applications
- client makes requests to server
- server takes requests, performs actions and calculations, retrieves data and sends info back to the client
- some computing problems are too big for a single server or set of servers
- these problems are broken down into pieces and handled by distributed computing systems
- examples
- SETI: search for extraterrestrial intelligence
- BOINC: Berkeley Open Infrastructure for Network Computing
- assembles unused processing power of many computers (CPU-scavenging)
- form a virtual supercomputer with a centralized controller
-
diverse network of computers offering services without a centralized controller
-
nodes have an equal importance
-
examples
- Bittorrent
- Bitcoin
- Tor
-
security concerns
- untrusted P2P participants could gain access to sensitive info
- participants could lose control of systems to a malicious P2P agent
- P2P nodes could be subject to law enforcement investigations
-
other high performance computing (HPC) applications take advantage of super computer technologies
Open Web Application Security Project maintains a list of common web security issues
-
Injection flaws
- attacker inserts unwanted transaction code
-
Broken authentication
- exploitation of session management
-
Sensitive data exposure
- disclosure of sensitive info
-
XML external entities
- allows for remote code execution
-
Broken access control
- allows unauthorized access
-
Security misconfigurations
- occurs in many locations (Apache, PHP, Python, firewall, etc.)
-
Cross-site scripting
- inserts malicious scripts onto sites
-
Insecure deserialization
- allows for API exploitation
-
Using vulnerable components
- jeopardizes web application security
-
Insufficient logging
- prevents security analysis
-
dynamic web applications rely on backend databases to store user info, product info, etc.
-
attackers can exploit input fields to inject SQL commands into a database as part of a normal action
-
Bobby Tables!
-
prevention
-
input validation
- checks user input on server prior to executing SQL commands
- checks must be server-side; attackers can easily bypass client-side checks
-
parameterized SQL
- precompiles SQL code on the database server
- prevents user input from altering query structure
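The two prevention measures above, side by side with the query style they replace. This is an added example, not part of the original notes; the `students` table, the sample rows and the function names are constructed for illustration, using Python's built-in `sqlite3`.

```python
import re
import sqlite3

# Constructed sample input: a classic always-true condition typed into a name field.
INJECTION = "x' OR '1'='1"

# Server-side allowlist (assumed policy): letters, spaces, hyphens, apostrophes.
NAME_PATTERN = re.compile(r"[A-Za-z' -]{1,64}")


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade TEXT)")
    conn.executemany(
        "INSERT INTO students (name, grade) VALUES (?, ?)",
        [("alice", "A"), ("bob", "C"), ("O'Brien", "B")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Before: user input is pasted into the SQL text, so it can change the query."""
    query = "SELECT name, grade FROM students WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """After: the query structure is fixed; the input is bound as a value only."""
    return conn.execute(
        "SELECT name, grade FROM students WHERE name = ?", (name,)
    ).fetchall()


def validate_name(name: str) -> str:
    """Server-side input validation; raises ValueError on anything off the allowlist."""
    if not NAME_PATTERN.fullmatch(name):
        raise ValueError("invalid name")
    return name


def concatenated_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query fails to parse for this (legitimate) input."""
    try:
        lookup_concatenated(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, INJECTION))   # every row comes back
    print("parameterized:", lookup_parameterized(db, INJECTION))  # no rows: no such name
    # Validation has to let O'Brien through, so it cannot be the only control.
    print("O'Brien valid:", validate_name("O'Brien"))
    print("O'Brien breaks concatenation:", concatenated_breaks_on(db, "O'Brien"))
    print("O'Brien parameterized:", lookup_parameterized(db, "O'Brien"))
```

The apostrophe case is the reason both controls are listed: validation that accepts real names still passes quote characters, and only the parameterized query handles them safely.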
-
-
attackers embed malicious code into third party websites that is later run by innocent users
-
XSS attackers commonly embed scripts into sites via user input
- via <script> tags
-
prevention
- use input validation
- don’t allow users to submit fields with <script> tags
-
similar to XSS, but more dangerous
-
use one site to trick browsers into sending malicious requests to another site
-
leverage the fact that users are logged into multiple websites
- persistent cookies keep users logged in for periods of time
-
XSRF secretly sends requests to other websites
- usually through images
-
prevention
- orgs:
- rearchitect websites
- prevent HTTP GET requests
- leverage Access-Control-Allow-Origin
- educate users
- auto-log users out of site after period of time
- users
- log out of sites
-
server-side request forgery
- manipulate servers into retrieving malicious data from what it thinks is a reputable source
attack allows an attacker to manipulate a web server’s file directory
-
Unix file system directory references
- ./ current directory
- ../ one directory up
-
attacker uses file system references to look for files on the server
-
prevention
- input validation
- strict file system access controls — user running web server should only have access to web server files
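One way to do the input validation step for file paths: resolve the requested path and confirm it still sits under the web root. This is an added example, not part of the original notes; the function names, directory layout and sample requests are constructed, and a POSIX file system is assumed.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed sample requests: three normal ones and three that use ../ references.
SAMPLE_REQUESTS = [
    "index.html",
    "/index.html",
    "css/../index.html",      # contains ../ but still ends up inside the root
    "../secret.txt",
    "..%2fsecret.txt",        # same reference, URL-encoded
    "css/../../secret.txt",
]


def resolve_under_root(web_root, requested: str) -> Path:
    """Return the real path for a request, or raise PermissionError if it
    would land outside web_root."""
    root = Path(web_root).resolve()
    decoded = unquote(requested)          # decode once, then validate the result
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    # lstrip("/") stops an absolute path from replacing the root when joined;
    # resolve() collapses ./ and ../ and follows symlinks before the check.
    candidate = (root / decoded.lstrip("/")).resolve()
    if os.path.commonpath([str(root), str(candidate)]) != str(root):
        raise PermissionError(f"outside web root: {requested!r}")
    return candidate


def demo() -> dict:
    """Build a throwaway web root with one file outside it and test each request."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        (root / "css").mkdir(parents=True)
        (root / "index.html").write_text("<h1>home</h1>")
        (Path(tmp) / "secret.txt").write_text("not for the web")
        for req in SAMPLE_REQUESTS:
            try:
                resolve_under_root(root, req)
                results[req] = "allowed"
            except PermissionError:
                results[req] = "blocked"
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{outcome:8} {request}")
```

The check runs on the resolved path rather than on the raw string, so it does not depend on spotting every spelling of `../`; the file system access control in the second bullet is still needed as a backstop.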
-
developers often set aside memory buffers for user input when developing applications
-
attackers input a string much larger than the buffer
-
the server can then inadvertently return information outside of the buffer
-
prevention
- input validation
-
cookies are used for web authentication
-
cookie guessing
- guessable cookies jeopardize security
- cookie values (such as session ID) should be random, not based on a guessable pattern
-
session replay
- cookies are susceptible to replay attacks
- cookies should be sent over an encrypted connection to prevent eavesdropping
-
gain admin access
-
often exploit buffer overflow attacks
-
prevention
- input validation
- enforce least privilege
- keep OS, platform, apps patched
- use data execution prevention (DEP) and address space layout randomization (ASLR) technology
- very testable subject area
- cryptography can be difficult, but there is always a “right” answer and “wrong” answers. there are no “given x, which is the best…” questions.
- simple substitution cipher (see below)
- used by the Spartans
- wrapped tape around a rod
- secret key is to know the diameter of the rod
- key is out of band
- first polyalphabetic cipher
- keyword is agreed upon beforehand
- first letter of the key is matched with the first letter of the message
- used by the Nazis / Japanese in WWII
- machine based on rotary spool
- breaking codes used by these machines is credited with shortening the length of WWII
- one time keypad
- keypad…
- is only used once
- must be…
- as long as the message
- statistically unpredictable
- delivered / stored securely
-
cryptography is used to protect sensitive info from unauthorized disclosure
-
uses mathematical algorithms to transform info (plaintext) into an encrypted form (ciphertext)
-
encryption
- transforming plaintext into ciphertext
-
decryption
- transforming ciphertext into plaintext
-
algorithms
- set of mathematical steps used to reach a result
- a “math recipe”
- i.e. the steps to convert F to C
-
encryption algorithms
- input: plaintext P, encryption key K
- performs encryption using P and K
- output: ciphertext C
-
decryption algorithms
- input: ciphertext C, decryption key K
- performs decryption using C and K
- output: plaintext P
-
think of encryption as:
```
encrypt(plaintext, key):
    // encryption algorithm happens
    return(ciphertext);
```
remember:
symmetry refers to the keys.
encrypts and decrypts using the same key
- need a shared secret key between two people
- number of keys needed is represented by the formula:
n(n - 1) / 2
- the number of keys required for large groups becomes unmanageable
- asymmetric cryptography solves this problem using key pairs
encrypts and decrypts using different keys from the same pair
- key pairs
- public key
- freely distributed to communications partners
- private key
- kept secret
- anything encrypted w/ one key from a pair can be decrypted w/ the other key from the pair
exam tip
keys used to encrypt/decrypt using asymmetric cryptography must be from the same pair.
- asymmetric encryption is slower
- however, only two keys are needed per user
-
confidentiality
- no unauthorized access
- no one can read messages w/o keys
-
integrity
- no unwanted changes
- messages can’t be changed while encrypted
-
authentication
- proof of identity claims
-
obfuscation
- hiding of sensitive data
- taking sensitive data and representing it in a less sensitive manner
-
non-repudiation
- verification of origin
- provided by digital certificates
- only possible w/ asymmetric encryption
exam tip
codes and ciphers are related concepts, but different.
- system that substitutes one word or phrase for another
- intended to provide secrecy and/or efficiency
- examples:
- “10” codes: 10-4, 10-7, 10-9, etc. provide efficiency
- “pretty good” provided secrecy
-
system that uses math algorithms to encrypt / decrypt messages
-
stream cipher
- operate on one char or bit of a message at a time, one after the next
-
block cipher
- operate on large segments (blocks) of a message at the same time
-
substitution cipher
- changes characters in a message
- also known as a rotation cipher
- usually designated by “ROT” and the number of letters to rotate to, i.e. ROT13
- ex. ABC → NOP
- subject to pattern analysis
- ex. E is the most common letter in the English language, can look for the most common letter in the cipher text
-
transposition cipher
- rearrange characters in a message
- ex. ABC → CAB
math plays a critical role
evaluates as true when one and only one variable is true
X | Y | X ⊕ Y |
---|---|---|
T | T | F |
T | F | T |
F | T | T |
F | F | F |
- cryptography relies on pseudorandom numbers
- we lack a real source of random numbers
- a random number generator has to start from somewhere… which isn’t random
- confusion
- every bit of the ciphertext must depend on more than one bit of the encryption key
- diffusion
- changing one single bit of plaintext should change about 50% of the ciphertext
- obfuscation
- using cryptography to hide source code from users
- avalanche
- chaining
- output from one function is the input for the next function
- used in CBC mode (see below)
- permutations
- multiple rounds
- going through algorithms multiple times
- encrypting multiple times
- used by 3DES (see below)
requires careful thought
exam tip
don’t try to build your own encryption algorithm.
you’re really dumb and don’t know what you’re doing.
same thing goes for vendors.
if they have their own in-house custom encryption algorithm, that’s pretty sus.
-
security through obscurity
- when the security of an algorithm depends on the secrecy of the approach
-
select and use an encryption algorithm that’s proven to be secure
-
openness
-
algorithm used is open to the public
-
community is invited to make the algorithm stronger.
-
Kerckhoffs’s Principle
- you need to only keep either the algorithm or the key secret
- US military doesn’t believe in this principle
- the public doesn’t know how anything above Sensitive is encrypted
-
-
choosing key lengths
- longer is better and stronger
- longer is also slower
- must balance security w/ performance
- perform cost-benefit analysis to find the sweet spot for the org
unbreakable encryption algorithm
-
aka Vernam Cipher
-
sender and receiver have identical pads
- pads have multiple keys
- keys must be at least as long as the messages
-
treat the plaintext message and key as numbers (i.e. A=1, B=2, … Z=26) and add the plaintext to the key to generate the ciphertext
-
decryption works by using the same process, but subtracting the key from the ciphertext to generate the plaintext
-
encryption is unbreakable because the pad is totally random
-
using it in practice is very difficult
- pad exchange is a pain
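The add-then-subtract scheme described above, with A=1 through Z=26. This is an added example, not part of the original notes; wrapping sums past 26 back into the alphabet is an assumption the notes leave implicit, and the sample messages and function names are constructed. The last function shows why a pad must be used only once.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # A=1, B=2, ... Z=26, as in the notes


def to_num(ch: str) -> int:
    if len(ch) != 1 or ch not in ALPHABET:
        raise ValueError(f"only A-Z supported, got {ch!r}")
    return ALPHABET.index(ch) + 1


def to_chr(n: int) -> str:
    return ALPHABET[n - 1]


def generate_key(length: int) -> str:
    """Pad material from the OS CSPRNG, one key letter per message letter."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def otp_encrypt(plaintext: str, key: str) -> str:
    """ciphertext = plaintext + key, letter by letter, wrapping past 26 (assumed)."""
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the message")
    out = []
    for p, k in zip(plaintext, key):
        total = to_num(p) + to_num(k)
        out.append(to_chr(total - 26 if total > 26 else total))
    return "".join(out)


def otp_decrypt(ciphertext: str, key: str) -> str:
    """plaintext = ciphertext - key, wrapping below 1 (assumed)."""
    if len(key) < len(ciphertext):
        raise ValueError("key must be at least as long as the message")
    out = []
    for c, k in zip(ciphertext, key):
        diff = to_num(c) - to_num(k)
        out.append(to_chr(diff + 26 if diff < 1 else diff))
    return "".join(out)


def letter_differences(a: str, b: str) -> list:
    """Position-by-position difference of two equal-length strings, mod 26."""
    return [(to_num(x) - to_num(y)) % 26 for x, y in zip(a, b)]


def reuse_leaks_relationship(msg1: str, msg2: str) -> bool:
    """Encrypt two messages with the SAME key: the key cancels out, so the
    ciphertext differences equal the plaintext differences."""
    key = generate_key(max(len(msg1), len(msg2)))
    c1, c2 = otp_encrypt(msg1, key), otp_encrypt(msg2, key)
    return letter_differences(c1, c2) == letter_differences(msg1, msg2)


if __name__ == "__main__":
    message = "HELLO"
    key = "XMCKL"                      # fixed key so the arithmetic can be followed by hand
    cipher = otp_encrypt(message, key)
    print(cipher, otp_decrypt(cipher, key))            # FROWA HELLO
    # Constructed sample messages of equal length:
    print(reuse_leaks_relationship("MEETATNOON", "SENDBACKUP"))  # True
```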
manages the use of encryption materials over time
- as cryptographic algorithms age, they often become insecure
-
initiation
- org gathers requirements for new cryptography system
-
development and acquisition
- org finds an appropriate combination of hardware, software, algorithm that meets org’s requirements/needs
-
implementation and assessment
- org configures and tests cryptography system
-
operations and maintenance
- org ensures the continued secure operation of the cryptography system
-
sunset
- org phases out the cryptography system and destroys/archives old keys
Key facts | |
---|---|
symmetric | 56-bit key |
64-bit block | not secure |
- designed by IBM in the ’70s
- federal standard for unclassified encryption
- replaced untested standards used by agencies
- enhanced interoperability of agencies
- uses 16 rounds of encryption operation called Feistel function
- each F-box performs a combination of substitution and transposition operations
- no longer considered secure
Key facts | |
---|---|
symmetric | 112-bit key |
64-bit block | weak |
allowed for use of old DES cryptographic equipment once DES was discovered to be insecure
-
applies DES encryption three times
-
uses three keys: K1, K2, K3
- P → DES(P, K1) → C1 → DES(C1, K2) → C2 → DES(C2, K3) → C
-
keying options
-
K1 ≠ K2 ≠ K3
- effectively 112-bit key
-
K1 = K3, K1 ≠ K2, K2 ≠ K3
- 80-bit key
-
K1 = K2 = K3
- just as insecure as DES
- only used for backwards compatibility
-
-
3DES is considered weak and is being phased out
exam tip:
double DES isn’t more secure than DES. it’s susceptible to meet-in-the-middle attacks
Key facts | |
---|---|
symmetric | 128/192/256-bit key |
128-bit block | secure |
- competition was held to replace DES
- Rijndael algorithm won and became AES
- in the public domain
- use substitution and transcription
- doesn’t use Feistel cipher
Key facts | |
---|---|
symmetric | 32-448-bit key (variable length) |
64-bit block | not secure |
- uses Feistel network
- in the public domain
- use substitution and transcription
- no longer considered secure
Key facts | |
---|---|
symmetric | 128/192/256-bit key |
128-bit block | secure |
- in the public domain
- use substitution and transcription
describes how an algorithm encrypts / decrypts plaintext
- breaks plaintext into blocks that are the same length as the key
- encrypts blocks w/ the same key
- using the same block w/ the same key results in the same ciphertext block
- makes cryptanalytic attacks easier
-
still breaks plaintext into key-length blocks
-
first plaintext block is XORed with an initialization vector
- XORed plaintext block is encrypted with key to create the first ciphertext block
-
all subsequent plaintext blocks use the previous ciphertext block as an initialization vector
- all subsequent plaintext is XORed with previous ciphertext block
- XORed plaintext is then encrypted with key to create next ciphertext block
exam tip:
CTR mode allows a block cipher to act more like a stream cipher.
-
uses a nonce and a counter
-
plaintext is still broken into key-length blocks
-
a nonce and counter are added together, then encrypted with the key
-
the plaintext and the encrypted nonce/counter are then XORed to create a ciphertext block
-
the counter is incremented and the process is completed again for the next plaintext block
hiding data inside large files
- often use innocent looking high-resolution photos
- can also be used with audio or video files
- can slightly modify pixels in an image to hide info in the file
- because modifications are only minor, they are not visible to the naked eye
- images can then be posted in plain sight w/ embedded info
Key facts | |
---|---|
asymmetric | 1024-4096-bit key (variable) |
secure |
-
developed by Rivest, Shamir and Adleman in 1971
-
RSA keys
- users create key pairs using long prime numbers
- can distribute public key freely, but keep the private key secure
- senders encrypt messages w/ the recipient’s public key
- recipients decrypt messages w/ their own private key
-
prime factorization
- remember that primes are numbers that are divisible only by themselves and 1
- prime factorization is the process of attempting to determine what two prime numbers were multiplied together to create a much larger number
- finding a way to efficiently do this would break modern cryptography
-
RSA drawbacks
- it’s slow
- more commonly used to exchange symmetric keys
- was patented
- patent has expired
-
PGP
- developed by Zimmermann in 1991
- uses public and private keys
- combines symmetric and asymmetric cryptography
- framework
- relies on other encryption algorithms
-
PGP encryption
- plaintext message is encrypted with a randomly generated key
- the randomly generated key is encrypted with the recipient’s public key
- the ciphered message and key are both sent to the recipient
-
PGP decryption
- recipient decrypts the ciphered key with their own private key
- recipient decrypts the ciphered message with the now decrypted randomly generated key
-
PGP is a commercial product
-
OpenPGP is open source and freely available for use
- use elliptic-curve discrete logarithm problems
exam tip
you don’t need to know how ECC works, just that it doesn’t use primes.
-
symmetric algorithms depend on shared keys
- users need to agree upon and share those keys
-
out-of-band key exchange
- use different communications channels
- in-person meetings
- voice calls
- snail mail
- can be difficult and time consuming
-
in-band key exchange
- securely exchanges keys digitally
-
provides a means of exchanging symmetric keys digitally
-
ECDH
- elliptic-curve Diffie-Hellman
- similar approach to D-H, but uses an EC problem
-
strong encryption presents a problem for law enforcement
-
encryption key escrows:
- allow the government to have access to keys
- no reasonable way to securely implement
- Clipper chip included technology that would allow the government to access encryption keys
- EFF and other security firms/groups fought against use
- they won
- was later found to not be effective
-
recovery agents
- allow internal access to lost keys
-
takes a relatively insecure value
- like a password
-
uses math techniques to strengthen
- makes it harder to crack
-
salting
- adding a value to an encryption key to make it more complex
-
hashing
- adds time to the verification process by requiring more mathematical operations
-
verifying one key is fast, however, guessing millions is slow
-
PBKDF2
- password-based key derivation function version 2
- uses hashing and salting to stretch keys
- should be used 4,000+ times
-
Bcrypt
- key stretching w/ Blowfish algorithm
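Salting, repeated hashing and PBKDF2 put together, as an added example that is not part of the original notes. The record format, function names and sample passwords are assumptions of this example; `hashlib.pbkdf2_hmac` is the standard-library PBKDF2 implementation, and the iteration floor is the 4,000 figure given above.

```python
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
MIN_ITERATIONS = 4000   # floor taken from the notes; callers may pass more

def hash_password(password, iterations=MIN_ITERATIONS, salt=None):
    """Stretch a password into a storable record: algo$iterations$salt$key."""
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count below the configured floor")
    if salt is None:
        salt = os.urandom(16)            # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${key.hex()}"

def verify_password(password, record):
    """Re-derive the key with the stored salt and count, compare in constant time."""
    try:
        algo, iterations, salt_hex, key_hex = record.split("$")
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False                     # malformed record: fail closed
    if algo != ALGO or iterations < 1:
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(key, expected)

def needs_rehash(record, target_iterations):
    """True when a stored record was stretched with fewer rounds than the target."""
    try:
        return int(record.split("$")[1]) < target_iterations
    except (IndexError, ValueError):
        return True

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")   # constructed password
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(verify_password("Tr0ub4dor&3", rec))
```

One legitimate verification costs a single PBKDF2 run, while every guess an attacker makes against a stolen record costs the same run again, and the per-record salt stops one precomputed table from covering every user.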
-
cryptography uses significant computing power
-
HSMs:
- manage cryptography keys
- perform cryptographic operations
- can create and manage keys w/o human interaction
- cloud service providers can also provide cloud-based HSMs
-
FIPS 140-2
- detailed requirements for government use of HSMs
- has three different security levels
- useful for gauging cloud provider’s HSMs
Level | Controls |
---|---|
Security Level 1 | standard operating systems; no physical security |
Security Level 2 | EAL2 software and firmware; tamper-evident seals |
Security Level 3 | EAL3 software and firmware; tamper-resistant controls |
Security Level 4 | EAL4 software and firmware; strict physical security |
-
strong cryptography depends on some degree of trust
-
requirements of a key exchange
- confidence that users are really connecting w/ each other
- neither one is an imposter
- confidence that no one is eavesdropping on the key exchange
- Diffie-Hellman helps, but not enough…
-
asymmetric cryptography
- users don’t need to share private keys
- users can instead share public keys
- eavesdropping protection isn’t needed during the key exchange
- still needs protection against imposters
-
trust models
- personal knowledge
- web of trust
- PKI
-
web of trust
- relies on indirect relationships
- participants digitally sign public keys of people that they know personally
- trust is built on people vouching for one another
- issues
- decentralized approach
- high burden to entry
- requires technical knowledge
-
PKI
- builds on the idea of web of trust
-
PKI depends on trusted certificate authorities (CAs)
-
CAs
- trusted third party orgs
- verify the identity of individuals and orgs
- issue digital certificates to those individuals and orgs
-
digital certificates
- contain identification info and the subject’s public key
- like an ID card for the digital world
- anyone receiving a digital certificate can verify the authenticity of it by checking for the CA’s digital signature
-
one-way functions that take a variable length input to make a fixed length output
-
output is the hash value
-
message digest is another term for hash
-
requirements
- one way function that can’t be reversed
- output must always be fixed length
- no two outputs should create the same output (hashing collision)
- SHA-1
- produces 160-bit hash
- no longer considered secure
- SHA-2
- produces 224, 256, 384, 512-bit hashes
- similar to SHA-1 and MD5
- considered weak
- SHA-3
- uses different hash generation approach than SHA-2
- produces user-selected hashes
-
hash-based message authentication code
-
combines cryptography and hashing
-
provides authentication and integrity
-
creates and verifies message authentication codes by using a secret key with a hashing function
-
hashing functions used w/ asymmetric cryptography for digital signatures and digital certificates
-
use asymmetric cryptography to achieve integrity, authentication and non-repudiation
-
signed message recipients know that:
- owner of the public key is the person that signed the message (authentication)
- the message wasn’t altered after it was signed (integrity)
- that they can prove those facts to a third party (non-repudiation)
-
digital signatures depend on a
- collision-resistant hashing function
- asymmetric cryptography
-
sender uses their private key to create a digital signature
- the digital signature is an encrypted version of the hash of the message
-
recipients use the sender’s public key to confirm that the message was sent by the sender
- remember: digital signatures don’t provide confidentiality
- FIPS std 186-4
- NIST
- approved digital signature standards
-
DS
- digital signature standard
- similar to ElGamal
-
RSA
- ANSI X9.31
- PKCS 1 (public key cryptography standard)
-
ECDSA
- elliptic-curve digital signature algorithm
- ANSI X9.62
-
all three are considered secure
-
-
digital certificates follow X.509 standard
-
process:
-
subject
- creates a public/private key pair
- creates a certificate signing request (CSR)
- CSR contains public key and subject info (CN, OU, O, etc.)
- responds to any requests from the CA for more info
-
CA
- receives CSR
- requests info from the subject to verify their ID
- takes the subject’s public key and info, and adds to the cert
- signs the cert by using the CA’s private key (adds CA’s digital signature to the key)
-
-
digital certs will include:
- subject’s public key
- cert expiration date
- CN
- SANs (subject alternative names) for the subject
-
one of two methods (both maintained by the CA)
-
CRL (certificate revocation list)
- CA maintains a list of the serial numbers of revoked certs
- users download CRL lists
- is time-consuming
- has a large overhead for the CA
-
OCSP (online cert status protocol)
- provides realtime cert status
- most browsers use OCSP
- except Chrome, which uses its own cert verification technology
-
- allows web servers to attach an OCSP validation to the certificate they send to users
- OCSP places burden on CA’s OCSP servers
- certificate stapling reduces this burden
- web server makes request to CA to have cert stapled
- CA provides stapled cert which can be provided to users
- future users can reuse the stapled cert
- stapled cert is frequently valid for 24 hours
-
charge fees for their services when creating a new cert
-
self-signed certs
- issued by an internal CA
-
cert chaining
- allows the use of intermediate CAs
- browsers verify each CA in the chain
-
offline CAs
- protect sensitive root keys
- owner of the public key
- can be:
- most common: web servers
- any server: SSH, web, file, email
- devices: SAN devices, routers, switches, VPNs, wireless APs
- individuals: name, email
- developers: for use in signing code
exam tip
you may find questions about cert object identifiers (OIDs).
- cert pinning
- ties a subject to a cert for a period of time
-
root certs
- protect the CA’s private keys
-
wildcard certs
- cover an entire domain
- *.jpmck.com → mail.jpmck.com, cool.jpmck.com, cissp.jpmck.com
- only goes one level deep
- won’t cover www.cool.guy.jpmck.com
- commonly used for load balancers
-
CAs issuing certs are vouching for the subject’s identification
-
DV
- domain validation
- verifies domain ownership (I’ve got this one)
-
OV
- organization validation
- verifies the business name
-
EV
- extended validation
- requires an extensive validation
-
distinguished encoding rules
- binary format
- .der, .crt, .cer file extensions
privacy enhanced email
- ASCII version of DER certs
- can be converted to/from DER w/ tools like SSL
- .pem, .crt file extensions
personal info exchange
- binary
- commonly used by Windows
- .pfx, .p12 file extensions
- ASCII version of PFX
- commonly used by Windows
- .p7b file extension
exam tip
you can’t tell if a .crt file is a PEM or DER file without looking at it.
binary version | binary file extension | text version | text file extension |
---|---|---|---|
DER | .der, .crt, .cer | PEM | .pem, .crt |
PFX | .pfx, .p12 | P7B | .p7b |
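"Looking at it" for a .crt file means checking the first bytes, not the extension. The sketch below is an added example, not part of the original notes: it tells PEM from DER by content and converts between them. `SAMPLE_DER` is a constructed ASN.1 SEQUENCE, not a real certificate, and the function names are assumptions of this example.

```python
import base64

# Constructed sample: SEQUENCE { INTEGER 5, UTF8String "constructed" }.
SAMPLE_DER = bytes([0x30, 0x10, 0x02, 0x01, 0x05, 0x0C, 0x0B]) + b"constructed"

def der_length_ok(data):
    """True if data is one ASN.1 SEQUENCE whose declared length fits exactly."""
    if len(data) < 2 or data[0] != 0x30:        # 0x30 = SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:                            # short form: length in one byte
        header, length = 2, first
    else:                                       # long form: next n bytes hold it
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def detect_encoding(data):
    """Classify file content as 'PEM', 'DER' or 'unknown', ignoring the name."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if der_length_ok(data):
        return "DER"
    return "unknown"

def der_to_pem(der, label="CERTIFICATE"):
    """Base64 the binary form and wrap it in BEGIN/END lines, 64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines,
                      f"-----END {label}-----"]) + "\n"

def pem_to_der(pem):
    """Strip the BEGIN/END lines and decode the base64 body back to binary."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

if __name__ == "__main__":
    # Two files that could both be named server.crt
    as_der = SAMPLE_DER
    as_pem = der_to_pem(SAMPLE_DER).encode("ascii")
    print(detect_encoding(as_der), detect_encoding(as_pem))
    print(pem_to_der(as_pem.decode("ascii")) == as_der)
```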
- also known as known ciphertext attacks
- simplest form of attack: attacker repeatedly guesses keys
-
set of all possible keys usable w/ an algorithm
- example: rotation ciphers’ keyspace are only 25
-
modern algorithms are really susceptible to this kind of attack because of their keyspaces
-
example:
- 56-bit DES’s keyspace is 72,057,594,037,927,936 (72 quadrillion)
- 128-bit AES’s keyspace is 340,282,366,920,938,463,463,374,607,431,768,211,456 (340 undecillion)
-
one caveat: flawed algorithms may be more vulnerable to bruteforce attacks
- if the algorithm inadvertently limits the keyspace
attacks can be more effective with some knowledge
- detects patterns in ciphertext
- certain letters are more common than others (R, S, T, L, N, E)
- certain pairs of letters (digraphs) are more common: TH, HE, IN, ER
- attackers can use these common factors to look at frequently occurring letters in a ciphertext
- attacker has access to plaintext and ciphertext
- attacker can create a message of their choice
- tries to find two inputs w/ the same hash value
- rely on compromised communications pathways
- network device tapping
- DNS or ARP poisoning
-
tricks a sender at the beginning of communications w/ a recipient
- user unknowingly sets up communications w/ attacker
- attacker acts as a relay between the sender and receiver, taking all data along the way
-
man-in-the-browser attacks
- similar to MitM attacks, but w/ browser plugins
-
uses previously captured data
-
attacker can’t see the actual credentials, just encoded version
-
prevention
- include unique characteristics in communications
- tokens
- timestamps
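The replay prevention above combined with the HMAC described earlier in these notes, as an added example that is not part of the original notes: each message carries a timestamp and a one-time token, and the MAC covers both. The envelope layout, the 30-second window and all names are assumptions of this example.

```python
import hashlib
import hmac
import json
import os
import time

MAX_AGE = 30   # seconds a message stays acceptable (assumed window)

def seal(key, payload, now=None):
    """Sender: attach a timestamp and a one-time token, then MAC the whole body."""
    body = json.dumps({
        "payload": payload,
        "ts": int(time.time() if now is None else now),
        "token": os.urandom(8).hex(),
    }, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

class Receiver:
    def __init__(self, key):
        self.key = key
        self.seen = {}   # token -> timestamp of messages already accepted

    def accept(self, envelope, now=None):
        now = int(time.time() if now is None else now)
        body = envelope["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Integrity and authentication first: nothing in the body is trusted
        # until the MAC verifies. compare_digest avoids a timing leak.
        if not hmac.compare_digest(expected.encode(), envelope["mac"].encode()):
            return "rejected: bad MAC"
        msg = json.loads(body)
        # Timestamp bounds how long a captured message is worth anything.
        if abs(now - msg["ts"]) > MAX_AGE:
            return "rejected: stale timestamp"
        # Tokens older than the window can be forgotten: the timestamp check
        # already rejects any message that old.
        self.seen = {t: ts for t, ts in self.seen.items() if now - ts <= MAX_AGE}
        if msg["token"] in self.seen:
            return "rejected: replayed token"
        self.seen[msg["token"]] = msg["ts"]
        return "accepted"

if __name__ == "__main__":
    key = b"constructed shared secret"
    rx = Receiver(key)
    env = seal(key, {"action": "transfer", "amount": 100}, now=1000)
    print(rx.accept(env, now=1005))    # first delivery
    print(rx.accept(env, now=1010))    # same bytes captured and sent again
    print(rx.accept(env, now=1100))    # sent again after the window closed
```

Because the timestamp and token sit inside the MACed body, an eavesdropper who never learns the key cannot refresh either value on a captured message.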
- variation of eavesdropping
- tricks a browser into downgrading to using unencrypted communications
- cryptography systems can have implementation flaws that can be exploited
- use external forces to cause an error
- RFI, EMI, etc.
- may cause a system to not encrypt or encrypt incorrectly
- measure encryption footprint
- how much power is used, frequencies released by chips
- measures encryption times
-
all encryption algorithms have weaknesses
-
some are faster than others
- asymmetric is slower
-
keys
- longer keys
- provide stronger encryption
- use more computing power and time
- some key choices may have inherent flaws
- reusing the same keys facilitates cryptanalysis
-
cryptography algorithms and keys have a limited longevity
-
entropy reduces the predictability of a cryptography method
- high entropy → less predictable algorithm
-
downgrade attacks can remove or weaken encryption
- example: POODLE attack
-
attack that encrypts data
-
makes a system unusable by regular users
-
attackers demand payment in exchange for the encryption keys
-
highly orchestrated by human attackers
-
target characteristics
- orgs w/ vulnerable systems, and
- orgs w/ the ability to pay ransom
-
typical attack process
- attackers perform recon on the org
- probe systems
- use mimikatz
- steals passwords from memory
- find domain admin passwords
- use gathered accounts and passwords to gain control over a large portion of the network
- attack all at once, encrypting as many systems as possible
- demand payout for decryption keys
-
lessons learned
- backups
- provide a safety net for data
- paying ransoms
- rewards criminal activity
- no guarantee that the key will be delivered
- generally, keys are delivered
- may encourage others to perform attack again
- paying sometimes may be the most expedient solution for the org
- antimalware
- protects against infections
exam tip
specific call out on exam objectives, expect some questions on ransomware.
- physical security is important to protecting info and systems
- data centers contain massive amounts of sensitive data and computing resources
- server rooms
- usually less secure than data centers
- often grow organically in small orgs
- media storage locations
- especially if media / backups are stored off-site
- locations should have at least equal — if not better — physical security than a data center
- evidence storage locations
- chain of custody must be preserved
- wiring closets
- unauthorized access can result in eavesdropping and network device tampering
- distribution cabling should be protected as well
- operations centers and other sensitive areas
- data centers have significant cooling requirements
- excessive heat can reduce the life of equipment
- old school data centers used to be very cool
- great expense to the org and environment
- equipment is now less sensitive
- expanded environmental envelope
- 64.4°F – 80.6°F
-
HVAC systems keep temperature and humidity in control
-
hot aisle/cold aisle
- servers draw in cool air from the front and expel hot air out the back
- using this idea, one can line up server racks back to back, creating cool air aisles and hot air aisles
exam tip
watch for questions that indirectly ask about hot aisle/cold aisle strategies.
natural disasters put data centers at risk
- fire is a grave threat
- fire requires:
- oxygen
- heat
- fuel
- depriving a fire of any of these three requirements will extinguish it
Class | Type | Examples |
---|---|---|
A | common combustibles | wood, cloth, trash, paper, etc. |
B | flammable liquids | gasoline, kerosene, oil |
C | electrical | wiring, server racks |
D | heavy metal | iron, nickel, Metallica |
K | kitchen | fats, oil, grease |
- labels on fire extinguishers contain info about the class and type of fires it can extinguish
exam tip
be able to identify fire extinguisher classes.
- building-wide fire suppression systems
-
wet pipe approach
- contain water in pipes that are ready to deploy in a fire
- can be dangerous to data centers if they leak
-
dry pipe approach
- contain pipes that only fill if a valve opens during a fire alarm
-
chemical fire suppression systems
- deprive a fire of oxygen
- dangerous to humans!
-
-
fire detection sensors
- temperature sensors
- smoke detectors
- incipient detectors
-
moisture sensors
- data centers should be protected against the risk of flooding
- natural
- flood plains, location w/in the building
- man-made
- burst pipes, etc.
- consider layout of pipes w/in building if possible
- generated by all electrical equipment
- can interfere w/ other equipment
- can be used by attackers to eavesdrop
- faraday cages can protect against EMI
data centers rely on massive amounts of power
-
UPS
- uninterruptible power supply
- contains batteries which can power equipment for a short amount of time
-
backup generators
- supply power during a longer outage
- usually powered by gas, diesel, etc.
-
undervoltage conditions
-
blackout
- complete service disruption
-
sag
- momentary voltage drop
- can usually be handled by equipment
-
brownout
- longer voltage drop
-
-
overvoltage conditions
-
spike
- brief period of high voltage
- can usually be handled by equipment
-
surge
- longer period of high voltage
-
-
power conditioning
- manages under- and overvoltage conditions
-
locks
-
restrict access through a portal (i.e. a window or door)
-
preset lock
- use a hardware lock
- need correct key to open
- should use key management to keep track of keys
-
cipher lock
- use a physical or electronic keypad
-
biometric locks
- use a person’s physical features
- fingerprint, voice, retina
-
card-based locks
- use a card
- magstripe, RFID, smart
-
-
tailgating
- following another authorized user into an area
-
mantraps *
-
remember to carefully maintain ACLs!
- use motion and noise detection systems
- video surveillance systems
- act as deterrent and detective controls
- IR video may be useful in dark environments
- can play an important role in investigations
- fences can block traffic on foot or vehicles
- bollards can allow foot traffic but protect entrances from vehicles
- cages can be used to protect equipment
- important in shared data centers
- lighting increases intruder detection and acts as a deterrent
- signage can provide legal recourse
- industrial camouflage
- useful for making data centers non-descript
- drones and UAVs make it important that buildings are camouflaged from the ground and from the air
- visitor management procedures protect against intrusions
- visitor procedures should
- describe allowable visit purposes
- explain visitation approval authority
- describe requirements for unescorted access
- role of visitor escorts
- all visitors should be logged
- all visitors should be identified w/ distinct badges
- if necessary badges should include “ESCORT REQUIRED”
- cameras can provide extra monitoring of visitor areas
-
security guards are important to physical security
- receptionists can act as security guards
- menacing looking guards can also be used
-
robotic sentinels may be used in place of humans
-
two-person integrity
- requires two people to enter a sensitive area together
- discourages malicious activity in that area
- requires collusion with other person
- think of two people needing to enter a bank vault
-
two-person control
- aka dual control
- requires authorization of two individuals to perform a sensitive action
- examples
- missile launches
- checks that require two signatories
- set of activities that an org takes to…
- educate itself about the threat landscape
- adapt security controls to threats
- allows the security team to stay current on cybersec threats
- uses publicly available info from various open sources
- security websites
- vulnerability databases
- news media
- social media
- darkweb
- info sharing centers
- file repos
- code repos
- security researchers
- many security companies offer proprietary threat intel solutions
- these solutions may feed into firewalls, proxy servers, IDSs, etc.
- criteria for evaluating these solutions
- timeliness
- accuracy
- reliability
-
properties that describe a threat
- example: IP address, malicious file signatures
-
threat info is only useful if it can be shared
-
CybOX
- common structure for representing cyber observables across and among the operational areas of enterprise cybersecurity
-
STIX
- language for having a standardized communication for the representation of cyberthreat information
-
TAXII
- specifications for exchanging cyberthreat information
-
all three work together
-
facilitated by the Department of Homeland Security
-
OpenIOC
- open indicators of compromise framework
- Mandiant
-
security tools and services should support these info exchange standards
- use TAXII, STIX, CybOX
- functions supported by intelligence:
- incident response
- vulnerability management
- risk management
- security engineering
- detection and monitoring
- bring together teams from competing businesses to share intelligence
- usually non-profit organizations
-
uses threat intel to get inside the mind of attackers
-
reputational threat research
- identifies potential attackers based on past use of IP addresses, domains, email addresses
-
behavioral threat research
- identifies potential attackers based on past behaviors
-
research sources
- vendor websites
- vulnerability feeds
- threat feeds
- cybersec conferences
- academic journals
- RFCs
- local industry groups
- social media
- adversary tactics, techniques and procedures (TTPs)
-
threat modeling identifies and prioritizes threats
-
use a structured approach for identification
- don’t just think of ways that things can go wrong
-
ways to approach:
-
asset-focused
- use asset inventory for basis
- go through each asset and identify threats to it
-
threat-focused
- identify specific threats that may affect each info. system
- think of threats (known agents, contractors, etc) and how they might affect org
-
service-focused
- identify impact of threats on a specific service
- think of each API and threats that could occur to them
-
-
automating blacklisting of IP addresses from threat feeds
-
automating blocking can disrupt services
- start in alert-only mode
- after testing, then can move to a blocking mode
-
combining different threat feeds into intelligence
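The alert-only-then-block rollout and the combining of feeds, as an added example that is not part of the original notes. Feed names, feed entries, the allowlist and the log lines are all constructed (documentation address ranges), and the `min_sources` corroboration threshold is an assumption of this example.

```python
import ipaddress
import re

FEEDS = {   # constructed feeds; "not-an-ip" stands for a malformed entry
    "feed_a": ["203.0.113.0/28", "198.51.100.23"],
    "feed_b": ["198.51.100.23", "192.0.2.10", "not-an-ip"],
}
ALLOWLIST = ["192.0.2.0/28"]   # constructed: addresses the business depends on
LOG_LINES = [                  # constructed connection log
    "2024-05-01T10:00:01Z src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2024-05-01T10:00:02Z src=198.51.100.23 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:03Z src=192.0.2.10 dst=10.0.0.9 dport=443",
    "2024-05-01T10:00:04Z src=10.0.0.77 dst=10.0.0.5 dport=443",
]

def load_intel(feeds):
    """Merge feeds into (feed_name, network) pairs, skipping malformed entries."""
    intel = []
    for name, entries in feeds.items():
        for entry in entries:
            try:
                intel.append((name, ipaddress.ip_network(entry, strict=False)))
            except ValueError:
                continue
    return intel

def decide(src, intel, allowlist, mode="alert", min_sources=1):
    """Return 'allow', 'alert' or 'block' for one source address.

    mode='alert' never blocks, so a bad feed entry cannot disrupt service.
    mode='block' blocks only hits that are corroborated by `min_sources`
    feeds and are not allowlisted; everything else that matched still alerts.
    """
    ip = ipaddress.ip_address(src)
    sources = {name for name, net in intel if ip in net}
    if not sources:
        return "allow"
    allowlisted = any(ip in ipaddress.ip_network(n) for n in allowlist)
    if mode == "block" and not allowlisted and len(sources) >= min_sources:
        return "block"
    return "alert"

def evaluate(log_lines, intel, allowlist, mode="alert", min_sources=1):
    """Run `decide` over log lines; returns a list of (src, action) pairs."""
    results = []
    for line in log_lines:
        match = re.search(r"\bsrc=(\S+)", line)
        if not match:
            continue
        try:
            action = decide(match.group(1), intel, allowlist, mode, min_sources)
        except ValueError:          # src field is not an IP address
            continue
        results.append((match.group(1), action))
    return results

if __name__ == "__main__":
    intel = load_intel(FEEDS)
    for mode in ("alert", "block"):
        print(mode, evaluate(LOG_LINES, intel, ALLOWLIST, mode=mode))
```

Reviewing the alert-mode output against known-good traffic is the testing step: here it shows that switching to blocking would otherwise have cut off the allowlisted 192.0.2.10.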
-
incident response
- can be a manual process
- can be aided with data enrichment
- data enrichment
- automated supplements to incident data
- examples
- perform source address recon
- retrieve related logs
- trigger vulnerability scans
- all done in realtime at the time of the incident
-
SOAR (security, orchestration, automation and response) frameworks enhance SIEM capabilities
-
machine learning allows for automated creation of malware signatures
-
cybersec used to see its role as building an impenetrable defense
- that’s a naïve approach
- need to make the assumption of compromise
- accept it as a given that systems are compromised and search for signs of suspicious activity
-
threat hunting
- organized systemic approach to seeking out indicators of compromise using expertise and analytic techniques
- threat hunters must think like an attacker
- develop a hypothesis, then think of indicators of compromise
-
indicators of a compromise
- unusual binary files
- unexpected processes running or system consumption (CPU, RAM)
- deviation in network traffic
- unexplained log entries
- unapproved configuration changes
-
after discovering a compromise, move into incident response
-
APIs
- application programming interface
- interface that allows users and programs to interact with a service programmatically
-
API standards
-
SOAP
- XML format
- no longer popular or widely used
-
REST
- uses HTTPS protocol
- overwhelmingly popular
-
-
API security
- API communications should be encrypted w/ HTTPS
- API keys should be securely distributed, stored and transmitted
-
design philosophy encourages orgs to create discrete services
-
services may be accessed by customers and other users
- but in a black box fashion
- users don’t need to know how service works
- just need to know what the service does and how to access it
-
characteristics
- logical representation of repeatable business processes w/ specific outcomes
- self-contained
- may be composed of other services
- black-box nature
-
popular w/ developers because they facilitate integration of services
- fine grained services
- common w/ FaaS
- privacy: prevents unauthorized disclosure of information
- authenticity: verification of a claimed identity
- integrity: detects modification / corruption of information
- non-repudiation: a combination of authenticity and integrity. a sender can’t deny sending a message or its contents.
- privacy, integrity and authenticity do not guarantee each other… for example, knowing the authenticity of a sender doesn’t guarantee that the message is private.
- adding randomness at the beginning
- math functions that transform text
- key aligns with the functions
- long key = perform more functions on the text
- lays out a framework and mathematical models that act as security-related specs for a system architecture
- think of it as a book on a shelf telling you how to implement a part of a System
- overall design of the components — hardware, software, applications, network, etc. — of an information system
- design should meet what is laid out in the security model
-
State Machine
-
Bell-LaPadula
-
Biba
-
Clark-Wilson
-
Brewer & Nash
-
Information Flow
-
Non-Interference
-
Lattice
Bell-LaPadula and Biba are 100% going to be on the exam and are testable.
Clark-Wilson and Brewer & Nash are very testable as well
(the basis of other models)
- a system/machine can be thought of being in a certain state
- start-up, functioning, shut-down
- start-up is the most vulnerable: all security modules haven’t loaded yet
- confidentiality model
- designed by the US government to protect state secrets
- model focuses on data confidentiality and access to classified information
- divides an information system into subjects and objects
- built on the concept of a state machine with different allowable states
- three rules to enforce confidentiality:
- Simple Security Property: “no read up”
- subject can’t read data from a security level higher than the subject’s security level
- * Security Property: “no write down”
- subject can’t write data to a security level lower than the subject’s security level
- use “it is written in the stars” to remember * Security Property.
- Strong * Property: “no read/write up or down”
- subject can’t read/write data on a security level lower than the subject’s security level
- tranquility property: security labels can’t be arbitrarily changed
- model only applies once a user/subject has been authenticated
- integrity model
- no subject can depend on an object of lesser integrity
- based on a hierarchical lattice of integrity levels
- users must perform correct and safe procedures to ensure data integrity
- three rules to enforce integrity:
- Simple Integrity Rule: “no read down”
- * Integrity Rule: “no write up”
- Invocation Property: a subject cannot invoke (call upon) subjects at a higher integrity level
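The Bell-LaPadula and Biba rules above written as access checks behind a small reference monitor, as an added example that is not part of the original notes. The level names, the three operation strings and the audit-log layout are assumptions of this example; the strong * rule is implemented from its quoted form, “no read/write up or down”.

```python
from enum import IntEnum

class Level(IntEnum):            # assumed four-level lattice, low to high
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

OPS = ("read", "write", "invoke")

def bell_lapadula(subject, obj, op, strong_star=False):
    """Confidentiality: no read up, no write down."""
    if op == "invoke":
        return True                      # the model states no invocation rule
    if strong_star:
        return subject == obj            # no read/write up or down
    if op == "read":
        return subject >= obj            # simple security property
    return subject <= obj                # * security property (write)

def biba(subject, obj, op):
    """Integrity: no read down, no write up, no invoking a higher level."""
    if op == "read":
        return subject <= obj            # simple integrity rule
    return subject >= obj                # * integrity rule and invocation property

class ReferenceMonitor:
    """Invoked on every access attempt; permits only if every model agrees."""

    def __init__(self, *models):
        self.models = models
        self.audit = []                  # (who, op, what, decision, failed models)

    def check(self, who, subject_level, what, object_level, op):
        if op not in OPS:
            raise ValueError(f"unknown operation: {op}")
        failed = [m.__name__ for m in self.models
                  if not m(subject_level, object_level, op)]
        decision = "deny" if failed else "permit"
        self.audit.append((who, op, what, decision, failed))
        return not failed

if __name__ == "__main__":
    blp_only = ReferenceMonitor(bell_lapadula)
    both = ReferenceMonitor(bell_lapadula, biba)
    s = Level.SECRET
    for obj in Level:
        for op in ("read", "write"):
            print(f"SECRET {op:5} {obj.name:12}",
                  "BLP:", blp_only.check("alice", s, "doc", obj, op),
                  "BLP+Biba:", both.check("alice", s, "doc", obj, op))
```

Applying both models to the same label leaves only same-level reads and writes, which is the trade-off a design has to resolve when it wants confidentiality and integrity from a single set of levels.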
- data compartmentalized based on classification and a need to know
- seeks to eliminate covert channels
- ensures that information always flows from lower security or integrity levels to higher levels
- whatever component directly affects information flow must dominate all components involved with the flow
- encourages isolation / separation
(insert more from slides)
- directs how components in the system architecture should be organized to meet security requirements
- should include:
- description of locations where security measures should be placed
- description of how components should interact to ensure security
- security specifications to follow when designing and delivering the system
-
program: an application
-
process: a program loaded into memory
-
thread: each individual instruction in a process
-
program → process → thread
-
multiprogramming: appearance of multiple programs running. no true isolation. ex. Windows 3.1
-
multitasking: multiple processes running. isolation. each program has its own stuff — memory, processing time, etc.
-
multiprocessing: more than one CPU
-
multithreading: in the past more than one CPU was required. now handled by multi-core CPUs
- protection rings
- ring 0: trusted computing base (TCB) — OS kernel
- ring 1: remaining parts of the OS
- ring 2: OS and I/O drivers and OS utilities
- ring 3: applications and user activity
(insert drawing…)
- defined subset of subjects and objects
- trusted computing base (TCB)
- security perimeter (TCB is inside the perimeter)
- reference monitor: law of the system
- security kernel: police of the system
- enforces the reference monitor
- must…
- facilitate the isolation of processes
- be invoked at every access attempt
- be small enough to be tested and verified
- security policy: set of rules on how resources are managed within a computer system
- least privilege: processes have no more privileges than they need
- when you see the word “state” think “classification”
- single state: system that handles one classification — think of a lockbox
- multiple state: a system that handles more than one classification — think of a filing cabinet
- compartmented: handling need to know information — think of inboxes for people
- dedicated:
- you can combine modes:
- single-state, compartmented
- single-state, dedicated
- multi-state, compartmented
- multi-state, dedicated