Updated: Sep 15, 2020
Understanding the philosophy behind security solutions helps to limit your search for the best controls for specific security needs. In this domain we
Discuss security models, including state machine, Bell-LaPadula, Biba, Clark-Wilson, Take-Grant, and Brewer and Nash.
Describe Common Criteria and other methods governments and corporations use to evaluate information systems from a security perspective; and
Discuss commonly encountered design flaws and other issues that can make information systems susceptible to attack.
Objects and Subjects
Controlling access to any resource in a secure system involves two entities:
The subject is the user or process that makes a request to access a resource. Access can mean reading from or writing to a resource.
The object is the resource a user or process wants to access.
For example, process A may ask for data from process B. To satisfy process A's request, process B must ask for data from process C. In this example
subject = process A
object = process B
subject = process B
object = process C
Transitive trust is the concept that if A trusts B and B trusts C, then A inherits trust of C through the transitive property.
Transitive trust is a serious security concern because it may enable bypassing restrictions or limitations between A and C, especially if A and C both support interaction with B.
To ensure the security of a system, you need to allow subjects to access only authorised objects. A control uses access rules to limit the access of a subject to an object.
Access rules state which objects are valid for each subject. Further, an object might be valid for one type of access and be invalid for another type of access. For example, a file can be protected from modification by making it read-only for most users but read-write for a small set of users who have the authority to modify it.
There are both
Mandatory access controls (MAC) and
Discretionary access controls (DAC)
Static attributes of the subject and object are considered to determine the permissibility of an access.
Each subject possesses attributes that define its clearance, or authority, to access resources.
Each object possesses attributes that define its classification.
Differ from MACs in that the subject has some ability to define the objects to access. This access control list serves as a dynamic access rule set that the subject can modify.
Both MAC and DAC controls limit the access to objects by subjects. The primary goal of controls is to ensure the confidentiality and integrity of data by disallowing unauthorised access by authorised or unauthorised subjects.
In information security, models provide a way to formalise security policies. They provide a way for designers to map abstract statements into a security policy that prescribes the algorithms and data structures necessary to build hardware and software. Thus, a security model gives software designers something against which to measure their design and implementation.
Trusted Computing Base (TCB)
A TCB is a combination of hardware, software, and controls that work together to form a trusted base to enforce your security policy.
It is the only portion of that system that can be trusted to adhere to and enforce the security policy.
TCB components in a system are responsible for controlling access to the system. It is the responsibility of TCB components to ensure that a system behaves properly in all cases and that it adheres to the security policy under all circumstances.
State Machine Model
The state machine model describes a system that is always secure no matter what state it is in. It is based on a the computer science definition of a finite state machine (FSM).
An FSM combines an external input with an internal machine state to model all kinds of complex system. Given an input and a state, an FSM transitions to another state and may create an output.
According to the state machine model, a state is a snapshot of a system at a specific moment in time. If all aspects of the state meet the requirements of the security policy, that state is considered secure.
A transition always results in a new state called a state transition. If each possible state transition results in another secure state, the system can be called a secure state machine.
A secure state machine model system always
boots into a secure state
maintains a secure state across all transitions; and
allows subjects to access resources only in a secure manner compliant with the security policy.
Information Flow Model
The information flow model focuses on the flow of information. It is based on a state machine model. The Bell-LaPadula and Biba models are both information flow models, but
Bell-LaPadula is concerned with preventing information flow from a high security level to a low security level
Biba is concerned with preventing information flow from a low security level to a high security level
Information flow models
Do not necessarily deal with only the direction of information flow; they can also address the type of flow.
Are designed to prevent unauthorised, insecure, or restricted information flow, often between different levels of security.
Information flow can be between subjects and objects at the same classification level as well as between subjects and objects at different classification levels.
Are used to establish a relationship between two versions or states of the same object when those two versions or states exist at different points in time.
The noninterference model is loosely based on the information flow model. However, instead of being concerned about the flow of information, the noninterference model is concerned with how the actions of a subject at a higher security level affects the system state or the actions of a subject at a lower security level.
The actions of Subject A (high) should not affect the actions of Subject B (low), or even be noticed by Subject B. If this occurs, Subject B may be placed in an insecure state or be able to deduce or infer information from a higher level of classification. This is a type of information leakage and implicitly creates a covert channel.
The noninterference model can be imposed to provide a form of protection against damage caused by malicious programs such as Trojan horses.
**In computer security, a covert channel is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.
Some other models that fall into the information flow category build on the notion of how inputs and outputs between multiple systems relate to one another - which follows how information flows between systems rather than within an individual system. These are called composite theories because they explain how outputs from one system relate to inputs to another system:
Input for one system comes from the output of another system.
One system provides input to another system, which reciprocates by reversing those roles.
One system sends input to another system but also sends input to external entities.
The Take-Grant model employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object. There are two primary rules:
A subject with the grant right can grant another subject or object any other right they possess.
A subject with the take right can take a right from another subject.
In addition to these two primary rules, the Take-Grant model may adopt a create rule and a remove rule to generate or delete rights.
The create rule allows a subject to create new rights.
The remove rule allows a subject to remove rights it has.
Access Control Matrix
An access control matrix is a table of subjects and objects that indicates the actions or functions that each subject can perform on an object.
Each column of the matrix is an access control list (ACL).
Each row is a capabilities list.
An ACL is tied to the object: it lists valid actions each subject can perform.
A capability list is tied to the subject; it lists valid actions that can be taken on each object.
Access control matrixes are used by systems to quickly determine whether the requested action by a subject for an object is authorised.
The Bell-LaPadula model is focused on maintaining the confidentiality of objects. It does not address the aspects of integrity or availability for objects.
This model is built on a state machine concept and the information flow model.
There are three basic properties of this state machine:
The Simple Security Property states that a subject may not read information at a higher sensitivity level (no read up).
The *(star) Security Property states that a subject may not write information to an object at a lower sensitivity level (no write down). This is known as the Confinement Property.
The Discretionary Security Property states that the system uses an access matrix to enforce discretionary access control.
A subject cannot read an object that is classified at a higher level than it is cleared for.
Because objects at one level have data that is more sensitive or secret than data in objects at a lower level, a subject (who is not a trusted subject) cannot write data from one level to an object at a lower level. That action action would be similar to pasting a top-secret document into an unclassified document file.
An exception states that a "trusted subject" is not constrained or restricted by the *(star) Security Property. The trusted subject is allowed to perform a write-down.
The third property (Discretionary Security Property) enforces a subject's need-to-know in order to access an object.
The Biba model addresses integrity. It is also
built on a state machine concept
based on information flow; and is
a multilevel model.
Biba appears to be pretty similar to the Bell-LaPadula model, except inverted.
The Simple Integrity Property states that a subject cannot read an object at a lower integrity level (no read-down).
The *(star) Integrity Property states that a subject cannot modify an object at a higher integrity level (no write-up).
** Simple is always about reading, and star is always about writing.
In summary, Biba was designed to address three integrity issues:
Prevent modification of objects by unauthorised subjects.
Prevent unauthorised modification of objects by authorised subjects.
Protect internal and external object consistency.
The Clark-Wilson model uses three-part relationship of subject/project/object (or subject/transaction/object) known as a triple or an access control triple.
Subjects do not have direct access to objects.
Objects can be accessed only through programs. Each program has specific limitations on what it can and cannot do to an object (such as a database or other resource). This effectively limits the subject's capabilities. This is known as a constrained interface.
Through the use of two principles - well-formed transactions and separation of duties - the Clark-Wilson model provides an effective means to protect integrity.
Clark-Wilson defines the following items and procedures:
A constrained data item (CDI) is any data whose integrity is protected by the security model.
An unconstrained data item (UDI) is any data item that is not controlled by the security model. Any data that is to be input and hasn't been validated, or any output, would be considered an unconstrained data item.
An integrity verification procedure (IVP) is a procedure that scans data items and confirms their integrity.
Transformation procedures (TPs) are the only procedures that are allowed to modify a CDI. The limited access to CDIs through TPs forms the backbone of the Clark-Wilson integrity model.
The Clark-Wilson model uses security labels to grant access to objects, but only through transformation procedures and a restricted interface model.
The restricted interface model uses classification-based restrictions to offer only subject-specific authorised information and functions. This ensures that data is protected from unauthorised changes from any user; enforcing separation of duties.
Brewer and Nash Model (aka Chinese Wall)
The Brewer and Nash model was created to permit access controls to change dynamically based on a user's previous activity - making it a kind of state machine model as well.
It seeks to create security domains that are sensitive to the notion of conflict of interest.
This model is known as the Chinese wall because it creates a class of data that defines which security domains are potentially in conflict and prevents any subject with access to one domain that belongs to a specific conflict class from accessing any other domain that belongs to the same conflict class.
Thus, this model uses the principle of data isolation within each conflict class to keep users out of potential conflict-of-interest situations.
Because company relationships change all the time, dynamic updates to members of and definitions for conflict classes are important.
This is an integrity model and said to be the foundation of noninterference conceptual theories.
It is based on predetermining the set or domain - a list of objects that a subject can access. This means
Subjects are allowed only to perform predetermined actions against predetermined objects.
When similar users are grouped into their own domain, the members of one subject domain cannot interfere with the members of another subject domain.
It is an integrity model. It focuses on preventing interference in support of integrity.
It is formally based on the state machine model and the information flow model.
It is based on the idea of defining a set of system states, initial states, and state transitions. Through the use of these predetermined secure states, integrity is maintained and interference is prohibited.
A common example is its use to prevent a covert channel from being used to influence the outcome of a process or activity.
This model is focused on the secure creation and deletion of both subjects and objects. It is a collection of eight primary rules or actions that define the boundaries of certain secure actions:
Securely create an object
Securely create a subject
Securely delete an object
Securely delete a subject
Securely provide the read access right
Secure provide the grant access right
Securely provide the delete access right
Securely provide the transfer access right
Question #1 Matthew is the security administrator for a consulting firm and must enforce access controls that restrict users’ access based upon their previous activity. For example, once a consultant accesses data belonging to CloudTAC, a consulting client, they may no longer access data belonging to any of CloudTAC's competitors. What security model best fits Matthew’s needs?
The Brewer-Nash model allows access controls to change dynamically based upon a user’s actions. It is often used in environments like Matthew’s to implement a “Chinese wall” between data belonging to different clients.
Referring to the figure shown here, what is the earliest stage of a fire where it is possible to use detection technology to identify it?
The topic of physical and environmental security is referenced in several domains but the two primary occurrences are in
Domain 3: Security Architecture and Engineering; and
Domain 7: Security Operations
The purpose of physical security is to protect against physical threats. The most common physical threats are
fire and smoke
earth movement (earthquakes, landslides, volcanoes)
storms (wind, lightning, rain, snow, sleet, ice)
utility loss (power, heating, cooling, air, water)
personnel loss (strikes, illness, access, transport)
Fire Prevention, Detection, and Suppression
Protecting personnel from harm should always be the most important goal of any security or protection system. In addition to protecting people, fire detection and suppression is designed to keep damage caused by fire, smoke, heat, and suppression materials to a minimum.
The three corners of the triangle represent fire, heat, and oxygen. The center of the triangle represents the chemical reaction among these three elements. The point of the fire triangle is to illustrate that if you remove any of these elements from the fire triangle, the fire can be extinguished:
Water suppresses the temperature (heat).
Soda acid and other dry powders suppress the fuel supply.
CO2 suppresses the oxygen supply.
Halon substitutes and other nonflammable gases interfere with the chemistry of combustion and/or suppress the oxygen supply.
In addition to understanding the fire triangle, you should understand the four most vital stages of fire:
Stage 1: The Incipient Stage
At this stage, there is only air ionisation but no smoke. Ionisation of the air atoms occurs because the temperature is high enough to cause the atoms to knock into each other and rip off electrons. Therefore, in a flame, the amount of ionisation depends on the temperature.
Stage 2: The Smoke Stage
Smoke is visible from the point of ignition.
Stage 3: The Flame Stage
This is when a flame can be seen with the naked eye.
Stage 4: The Heat Stage
There is an intense heat buildup and everything in the area burns.
The earlier a fire is detected, the easier it is to extinguish and the less damage it and its suppression mediums can cause.
To properly protect a facility from fire requires installing an automated detection and suppression system. There are many types of fire detection systems:
Fixed-temperature detection systems
Trigger suppression when a specific temperature is reached.
Rate-of-rise detection systems
Trigger suppression when the speed at which the temperature changes reaches a specific level.
Trigger suppression based on the infrared energy of flames.
Use photoelectric or radioactive ionisation sensors as triggers.
Incipient smoke detection systems (aspirating sensors)
Detect the chemicals typically associated with the very early stages of combustion before a fire is otherwise detectible via other means.
Fires may be detected as early as the incipient stage. During this stage, air ionisation takes place, and specialised incipient fire detection systems can identify these changes to provide early warning of a fire.
Question #2 Ralph is designing a physical security infrastructure for a new computing facility that will remain largely unstaffed. He plans to implement motion detectors in the facility but would also like to include a secondary verification control for physical presence. Which one of the following would best meet his needs?
The use of physical access controls and monitoring personnel and equipment entering and leaving; as well as auditing/logging all physical events are key elements in maintaining overall organisational security.
Perimeter Security Controls
Fence, gates, turnstiles, and mantraps
Fences are used to clearly differentiate between areas that are under a specific level of security protection and those that aren't.
A gate is a controlled exit and entry point in a fence. When a gate is closed, it should not offer any additional access vulnerabilities. When they are not protected by guards, use of dogs or CCTV is recommended.
A turnstile is a form of gate that prevents more than one person at a time from gaining entry and often restricts movement in one direction.
A mantrap is a double set of doors that is often protected by a guard. Its purpose is to immobilise a subject until their identity and authentication is verified.
Security guards and dogs
Internal Security Controls
Keys and combination locks
Badges, identification cards, and security IDs
Infrared motion detector - monitors for significant or meaningful changes in the infrared lighting pattern of a monitored area
Heat-based motion detector - monitors for significant or meaningful changes in the heat levels and patterns in a monitored area
Wave pattern motion detector - transmits a consistent low ultrasonic or high microwave frequency signal into a monitored area and monitors for significant changes or disturbances in the reflected pattern
Capacitance motion detector - senses changes in the electrical or magnetic field surrounding a monitored object.
Deterrent alarms may engage additional locks, shut doors, and so on; making further intrusion or attack more difficult
Repellant alarms usually sound an audio siren or bell and turn on lights
Notification alarms are often silent but record data about the incident and notify administrators, security guars, and law enforcement.
Local alarm systems must broadcast an audible alarm that can be heard up to 400 feet away and must be protected from tampering and disablement.
Central station system - this alarm is usually silent locally, but offsite monitoring agents are notified so they can respond to the security breach.
Auxiliary alarm systems can be added to either local or centralised alarm systems. When the security is breached, emergency services are notified to respond to the incident and arrive at the location.
Secondary verification mechanisms
When motion detectors, sensors, and alarms are used, secondary verification mechanisms should be in place.
CCTV is a security mechanisms related to motion detectors, sensors, and alarms. It requires personnel to watch the captured video to detect suspicious and malicious activities and to trigger alarms. It is a preventive measure, whereas reviewing recorded events is a detective measure.
Question #3 Harry would like to retrieve a lost encryption key from a database that uses m of n control, with m = 4 and n = 8. What is the minimum number of escrow agents required to retrieve the key?
The following sections review the goals of cryptography, an overview of the basic concepts of cryptographic technology, and look at the major mathematical principles used by cryptographic systems.
Goals of Cryptography
Security practitioners use cryptographic systems to meet four fundamental goals:
Before a message is put into a coded form, it is known as a plaintext message and is represented by the letter P when encryption functions are described.
The sender of a message uses a cryptographic algorithm to encrypt the plaintext message.
The encryption of the plaintext message by the algorithm produces a ciphertext message, represented by the letter C.
The ciphertext message is transmitted by some physical or electronic means to the recipient.
The recipient then uses a predetermined algorithm to decrypt the ciphertext message and retrieve the plaintext version.
All cryptographic algorithms rely on keys to maintain their security. Every algorithm has a specific key space which is defined by its bit size.
It is absolutely critical to protect the security of secret keys.
The art of creating and implementing secret codes and ciphers.
The study of methods to defeat codes and ciphers.
Refers to cryptography and cryptanalysis.
Specific implementations of a code or cipher in hardware and software.
Boolean mathematics defines the rules used for the bits and bytes that form the nervous system of any computer. The Boolean mathematics of cryptography uses a variety of logical functions to manipulate data
The AND operation checks to see whether two values are true.
The OR operation checks to see whether at least one of the input values is true.
The NOT operation reverses the value of an input variable.
It returns a true value when only one of the input values is true. It is perhaps the most important and most commonly used in cryptographic applications.
It is the remainder value left over after a division operation is formed. Used by algorithms such as the RSA public key encryption algorithm.
It is a mathematical operation that easily produces output values for each possible combination of inputs but makes it impossible to retrieve the input values.
A nonce is a random number that acts as a placeholder variable in a mathematical function. When the function is executed, the nonce is replaced with a random number generated at the moment of processing for one-time use.
The nonce must be a unique number each time it is used.
One of the more recognisable examples of a nonce is an initialisation vector (IV), a random bit string that is the same length as the block size and is XORed with the message, creating a unique ciphertext every time the same message is encrypted using the same key.
When the information or privilege required to perform an operation is divided among multiple users, no single person has sufficient privileges to compromise the security of an environment.
This separation of duties and two-person control contained in a single solution is called split knowledge.
The concept of key escrow is an example of split knowledge:
Using key escrow, cryptographic keys, digital signatures, and even digital certificates can be stored or backed up in a special database called the key escrow database.
In the event a user loses or damages their key, that key can be extracted from the backup in the key escrow database. However, if only a single key escrow agent exists, there is an opportunity for fraud and abuse of this privilege.
M of N Control
M of N Control requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks.
Implementing three of eight controls would require three people out of the eight with the assigned work task of key escrow recovery agent, to work together to pull a single key out of the key escrow database.
Question #4 Bob is a security administrator with the federal government and wishes to choose a digital signature approach that is an approved part of the federal Digital Signature Standard under FIPS 186-4. Which one of the following encryption algorithms is not an acceptable choice for use in digital signatures?
Symmetric Key Algorithms
Symmetric key algorithms rely on a "shared secret" encryption key that is distributed to all members who participate in the communications.
This key is used by all parties to both encrypt and decrypt messages, so the sender and the receiver both possess a copy of the shared key.
It is primarily employed to perform bulk encryption and provides only for the the security service of confidentiality.
Symmetric key cryptography can also be called secret key cryptography and private key cryptography (with symmetric key cryptography, the word private refers to two people sharing a secret that they keep confidential. This is different from the word private used with asymmetric key algorithms).
Asymmetric Key Algorithms
In these systems, each user has two keys:
A public key which is shared with all users; and
A private key which is kept secret and known only to the user.
Opposite keys must be used in tandem to encrypt and decrypt.
Hash functions take a potentially long message and generate a unique output value derived from the content of the message. This value is commonly referred to as the message digest. Message digests can be generated by the sender of a message and transmitted to the recipient along with the full message for two reasons: