Information Assurance: IATF

Lecturer: Lynn Ackler
Date: 10/28/08

IATF
- Information Assurance Technical Framework
- Security System Engineering methodology



Information Systems Security Engineering

ISSE
- Art and science of discovering users' information protection needs.
- Designing systems with economy and elegance, so that they safely resist the forces to which they will be subjected.
- Building and testing such systems.


SE versus ISSE

| SE Activities | ISSE Activities |
| --- | --- |
| Discover needs | Discover information protection needs |
| Define system requirements | Define system security requirements |
| Design system architecture | Design system security architecture |
| Develop detailed design | Develop detailed security design |
| Implement system | Implement system security |
| Assess effectiveness | Assess system security effectiveness |


Technical Security Countermeasures

Determination of the appropriate technical security measures to address attacks at all layers in the information system.


Security Services

Services that safeguard information and information systems.
- Authentication
- Confidentiality
- Integrity
- Availability
- Non-repudiation
- Robustness
- Interoperability


Potential Adversaries

- Nation States
- Hackers
- Terrorists
- Organized crime
- Other criminal elements
- International press
- Industrial competitors
- Disgruntled employees
- Careless employees


Motivations

- Access to sensitive information
- Track operations
- Disrupt operations
- Steal money, products or services
- Free use
- Embarrassment
- Overcome technical challenge
- Compromise


Classes of Attacks

- Passive attacks
- Active attacks
- Close-in attacks
- Insider attacks
- Distribution attacks


Passive Attacks

- Monitoring open communication
  - Ethernet sniffing
- Decrypting weak encryption
  - WEP
- Password sniffing
- Traffic analysis


Active Attacks

- Modify data in transit
  - Modify financial transactions
- Replay
- Session hijacking
  - Privileges of established session
- Masquerading
  - Unauthorized access


Active Attacks (cont'd)

- Exploiting app's or OS
  - Outlook Express
- Exploit trust
  - Transitive trust, e.g. PGP


Active Attacks (cont'd)

- Data execution
  - Open an attachment that is a script
- Inserting and exploiting code
  - Trojan horse, back door
- Denial of service


Close-in Attacks

- Access to comm's wires, RF, visual, etc.
- Information gathering
  - IP addresses, IDs, passwords
- System tampering
  - Bugging, keyboard sniffing SW
- Physical compromise


Insider Attacks

- Malicious
  - Modify/destroy data and security mechanisms
  - Establish unauthorized access
  - Covert channels
  - Physical damage/alteration
- Non-malicious
  - Modification of data/configuration
  - Physical damage


Distribution Attacks

Attacks on the distribution chain of products or services

- Modification at vendor's facility
- Modification during distribution


Primary Security Services

- Access control
- Confidentiality
- Integrity
- Availability
- Nonrepudiation


Access Control

- Limiting access to information, services and communications
- Identity and authentication
  - You are who you say you are.
- Authorization
  - Access rights
- Decision
  - Rights match demand
- Enforcement
  - Grant/deny and log/notify


Confidentiality

- Information state
  - Transmission, storage, processing
- Data type
  - Crypto keys, config files, text
- Amounts or parts of data
- Value and life of data


Elements of Confidentiality

- Data protection
- Data separation
- Traffic flow protection


Integrity

Prevention of unauthorized data modification

Detection and notification of unauthorized modification

Logging all modifications


Availability

- Protection from attack
- Protection from unauthorized use
- Resistance to routine failures


Non-repudiation

Repudiation:
- Denial by one entity in a multi-entity exchange that it participated.

Non-repudiation:
- Proof of origin, proof of identity, time of origination
- Proof of delivery, time of delivery
- Audit trail


Security Technologies

- APIs
- CryptoAPI
- Cryptographic Service Providers
- File Encryptors
- Hardware tokens
- Intrusion detectors
- IPSec
- IKE


Security Technologies (cont'd)

- Packet filter
- Stateful packet filter
- PKI
- SSL
- S/MIME
- Trusted Computing Base
- Virus detectors
- Tripwire


Robustness Strategy

Determine the Degree of Robustness

- Strength of Mechanism
- Levels of Assurance


Purpose

- Security engineering guidance
- Levels of security mechanisms
- Security services appropriate to mission
- Levels of assurance


Robustness Strategy Functions

- Assessment of strength mechanisms
- Definition of product requirements
- Subsequent risk assessments
- Recommend security requirements


Robustness Strategy Process

1. Assess value
2. Assess threat
3. Determine strength level appropriate
4. Determine implementation necessary


Degree of Robustness


Degree of Robustness Determination

Level of strength and assurance recommended for a potential security mechanism

Depends on:
1. Value of information
2. Perceived threat environment


Information Value Levels

- V1. Violation of the information protection policy would have negligible adverse effects or consequences.
- V2. Violation of the information protection policy would adversely affect and/or cause minimal damage to the security, safety, financial posture, or infrastructure of the organization.
- V3. Violation of the information protection policy would cause some damage to the security, safety, financial posture, or infrastructure of the organization.
- V4. Violation of the information protection policy would cause serious damage to the security, safety, financial posture, or infrastructure of the organization.
- V5. Violation of the information protection policy would cause exceptionally grave damage to the security, safety, financial posture, or infrastructure of the organization.


Threat Levels

- T1. Inadvertent or accidental events (e.g., tripping over a power cord).
- T2. Passive, casual adversary with minimal resources who is willing to take little risk (e.g., listening).
- T3. Adversary with minimal resources who is willing to take significant risk (e.g., unsophisticated hackers).
- T4. Sophisticated adversary with moderate resources who is willing to take little risk (e.g., organized crime, sophisticated hackers, international corporations).
- T5. Sophisticated adversary with moderate resources who is willing to take significant risk (e.g., international terrorists).
- T6. Extremely sophisticated adversary with abundant resources who is willing to take little risk (e.g., well-funded national laboratory, nation-state, international corporation).
- T7. Extremely sophisticated adversary with abundant resources who is willing to take extreme risk (e.g., nation-states in time of crisis).


Strength of Mechanism Levels

- SML1 is defined as basic strength or good commercial practice. It is resistant to unsophisticated threats (roughly comparable to T1 to T3 threat levels) and is used to protect low-value data. Examples of countered threats might be door rattlers, ankle biters, and inadvertent errors.
- SML2 is defined as medium strength. It is resistant to sophisticated threats (roughly comparable to T4 to T5 threat levels) and is used to protect medium-value data. It would typically counter a threat from an organized effort (e.g., an organized group of hackers).
- SML3 is defined as high strength or high grade. It is resistant to the national laboratory or nation-state threat (roughly comparable to T6 to T7 threat levels) and is used to protect high-value data. Examples of the threats countered by this SML are an extremely sophisticated, well-funded technical laboratory and a nation-state adversary.


Assurance Levels

- EAL 1: Functionally Tested
- EAL 2: Structurally Tested
- EAL 3: Methodically Tested and Checked
- EAL 4: Methodically Designed, Tested and Reviewed
- EAL 5: Semiformally Designed and Tested
- EAL 6: Semiformally Verified Design and Tested
- EAL 7: Formally Verified Design and Tested


Security Mechanisms

1. Security Management
2. Confidentiality
3. Integrity
4. Availability
5. Identification & Authentication
6. Access Control
7. Accountability
8. Non-repudiation


Security Management Mechanisms


Confidentiality Mechanisms


Integrity Mechanisms


Availability Mechanisms


Identification & Authentication Mechanisms


Access Control Mechanisms


Accountability Mechanisms


Non-Repudiation Mechanisms


Interoperability

- Contemporary systems involve multiple networks as well as multiple heterogeneous computer systems
- All systems depend on communication
- Security must be as transparent as possible in such a compute environment


Elements of Interoperability

1. Architecture
2. Security Protocols
3. Standards Compliance
4. Interoperable Certificate Management
5. Agreement on Security Policies


Interoperability Strategy

1. Foster Standards
2. Security Negotiation
3. Support Open Standards