Chapter 6 Implement Threat Control Measures
Dec 30, 2015
Identify level of protection
• Factor 1 – Initial risk exposure
  – The vulnerability and threat analyses (Chapter 5) produced the initial risk exposure.
  – Identify the severity and likelihood of each vulnerability/threat pair within the critical threat zones.
  – Threat control measures are implemented to reduce the initial risk exposure to the desired target.
• Factor 2 – Identify the IA-critical and IA-related system entities and functions
  – IA-critical: an entity or function whose performance is essential to the safe, reliable, and secure operation and support of a system.
  – IA-related: a system or entity that performs or controls functions which prevent or minimize the effect of failure of an IA-critical system or entity.
  – See Exhibit 4, page 132.
  – Correlate to the initial risk exposure: what is the risk to the IA-critical and IA-related functions?
• Factor 3 – Specify Must Work Functions (MWF) and Must Not Work Functions (MNWF)
  – MWF: software that, if not performed, performed incorrectly or inadvertently, or performed out of sequence, could result in a hazard or allow a hazardous condition to exist.
  – MNWF: a sequence of events or commands that is prohibited because it would result in a system hazard.
  – A hazard and operability (HAZOP) study identifies MNWFs.
  – Neglecting to specify MNWFs creates an opportunity for serious vulnerabilities.
  – See Exhibit 5, page 134.
• Factor 4 – Entity control analysis (Exhibit 6, page 79)
  – Carefully review the entity-control analysis to eliminate any point of failure.
  – Review the control of entities over MWFs and MNWFs.
Level of protection
• Factor 5 – Time element
  – The time element should not be ignored.
  – Two aspects of the time element to evaluate:
    1) the time window during which the protection is needed,
    2) the time interval during which the proposed threat control measures will be effective.
• Factor 6 – Privacy
  – Re-examine privacy issues in light of the system design, operation and operational environment.
  – Ensure that corporate or organizational assets, intellectual property and information are protected.
• Analysis and synthesis of the six factors
  – The risk exposure reduction needed is identified.
  – The estimated level of protection is identified.
  – The IA integrity level is defined for the system.
• The IA integrity level represents the level of IA integrity that must be achieved or demonstrated to maintain the IA risk exposure at or below its acceptable level.
• There are five levels of IA integrity:
  – 4 – Very High
  – 3 – High
  – 2 – Medium
  – 1 – Low
  – 0 – None
• IA integrity levels are used to:
  1) prioritize the distribution of IA resources,
  2) select appropriate threat control measures based on the type, level, and extent of protection needed.
• IA integrity levels reflect confidence that a system will achieve and maintain the required safety, security and reliability under all stated conditions, so that the risk exposure is maintained at or below the target.
• They are a measure of the robustness of a system's IA features and process(es).
Evaluate Controllability
• Any aspect that enhances safety, security and reliability must be considered for threat control.
• Examine people: people have the potential to influence system integrity in a positive manner.
• Controllability is a measure of the ability of human action to control the situation following a failure.
• Controllability is a human-assisted form of fault tolerance or failing safe/secure.
  – Design provisions such as manual override, emergency shutdown, critical bypass, etc.
• See Exhibit 6, page 138.
Evaluate Operation Procedures
• Procedures are developed for each operational mode/state: normal operations, abnormal operations, and recovery.
• If developed and followed correctly, operational procedures contribute to system integrity.
• The opposite is also true.
Contingency Planning and Disaster Recovery
• An integral part of risk management and of implementing threat control measures.
• Contingency plans identify alternative strategies to be followed or actions to be taken to ensure ongoing mission success should unknown, uncertain, or unforeseen events occur.
• Contingency planning assumes worst-case scenarios.
• Steps in contingency planning
  – Identify all internal and external system entities and the degree of control: system definition and entity control analysis (Chapter 4).
  – Identify what could go wrong with the system and its entities: the failure points/modes and loss/compromise scenarios.
  – Vulnerability/threat characterizations, transaction paths, and critical threat zones (Chapter 5) are analyzed during this process.
  – See Exhibit 7, page 141 and Exhibit 8, page 142.
  – An appropriate response for each contingency is defined, consistent with the IA goals and IA integrity level: alternative courses of action and alternative system resources are identified.
  – Priorities are established for restoring and maintaining critical functionality.
  – The availability of alternative sources, services, and resources is specified.
  – See Exhibit 9, page 144.
  – Assign responsibility for deploying the alternative course of action and resources.
  – Next, define the maximum time interval within which the responsive action can be invoked.
  – Identify secondary courses of action/resources to invoke if the maximum time interval for the primary response is exceeded.
• Plans must be communicated and staff must be trained.
• Practice drills should be conducted regularly to familiarize staff with the plan's provisions and to uncover any defects in the plan.
• Contingency plans should be reviewed, updated, and revalidated at fixed intervals.
Perception Management
• System owners want users to perceive that the system is safe, secure and reliable.
• This has obvious benefits to the organization and also serves as a deterrent to potential attackers: the system is perceived to be difficult to attack.
• Do not go overboard and turn the system into a challenge for the attacker.
• Deploy decoys that look authentic: decoy servers, decoy screens, decoy files/data, decoy passwords.
• A security trap to lure would-be attackers away from critical data.
• An effective method of blocking a DoS attack.
IA Design Techniques and Features
• Threat control measures are primarily implemented through design techniques and features, operational procedures, contingency plans, and physical security practices.
• Threat control measures are chosen in response to specific vulnerabilities, hazards, and threats.
• Goal of threat control measures: reduce the initial risk exposure to at or below the target.
• Design techniques and features are a collection of methods by which a system (or component) is designed and capabilities are added to a system to enhance IA integrity.
• See Exhibit 10, page 146.
IA Design Technique - Access control
• Access control is a design feature that prevents unauthorized and unwarranted access to systems, applications, data, and resources.
• Access controls should be operative at all layers of the OSI and networking protocols.
• Access control mechanisms are activated immediately after authentication.
• An initiator (person or process) requests to perform an operation on a target resource.
• Access control mechanisms mediate requests based on predefined access control rules.
  – Access control rights: initiator/resource combination.
  – Access privileges: initiator/operation combination.
• Access control can be defined in three ways:
  – Access control lists specify the approved initiator(s) for each (group of) target(s).
  – Access capability lists specify the target(s) accessible to a (group of) initiator(s).
  – Security labels: each initiator and target is assigned one or more security labels (confidential, secret, top secret, etc.); the labels define access control rights and privileges.
• Developing access control rules
  – Start with a general list of all initiators, their operations, and the resources each uses.
  – Develop a matrix of initiators and resources indicating the operations performed on each resource: the access control list.
  – Rotate the matrix (operations and initiators per resource) to develop the access capability list.
  – Security labels: group initiators with a given security clearance so that they have the same access control rights/privileges.
  – See Exhibit 14, page 157.
• Invoke a default "access denied" if the system encounters an unknown or undefined state.
• Access control rules should be regularly reviewed, updated and revalidated.
• Protect the files defining access control rules from unauthorized access and modification.
• Define who has the right to update/modify the access control rules, in both normal and abnormal situations.
• Access control rights can include the time of access:
  – A user/process may be allowed to access certain system resources only at certain times of the day.
  – A user/process may be allowed to access system resources only during a specified time interval after their identity has been authenticated.
  – Time-sensitive information may be accessed only "not before" or "not after" specific dates and times.
  – E-mail, public keys, and other security tokens may have built-in (hidden) self-destruct dates and macros.
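The rule-building procedure above, worked through as an added example (not code from the slides or the book): a list of initiator/operation/resource triples becomes the access matrix, the ACL and the rotated capability list are derived from it, and requests are mediated with default deny and time-of-access rules. All initiators, resources, hours and timestamps are constructed.

```python
"""Added example (not from the page's source text): building access control rules
the way the slides describe.  A general list of (initiator, operation, resource)
triples becomes an access matrix; the access control list view and the "rotated"
access capability list view are both derived from it; requests are then mediated
with a default "access denied" for anything unknown or undefined, plus the
time-of-access rules.  Initiators, resources, hours and times are all constructed."""
from datetime import datetime, timedelta

# Step 1: general list of every initiator, its operations and the resources it uses.
RULES = [
    ("alice", "read", "patient_db"),
    ("alice", "write", "patient_db"),
    ("bob", "read", "patient_db"),
    ("bob", "execute", "report_job"),
    ("backup", "read", "patient_db"),
    ("backup", "write", "tape_archive"),
]

# Time-of-access constraints: resource -> permitted hours [start, end), and the
# maximum interval after authentication during which access is still allowed.
TIME_WINDOWS = {"patient_db": (7, 19)}
MAX_AUTH_AGE = timedelta(hours=8)

def build_matrix(rules):
    """Step 2: matrix[initiator][resource] -> set of permitted operations."""
    matrix = {}
    for initiator, op, resource in rules:
        matrix.setdefault(initiator, {}).setdefault(resource, set()).add(op)
    return matrix

def access_control_list(matrix):
    """ACL view: for each target resource, the approved initiators and operations."""
    acl = {}
    for initiator, resources in matrix.items():
        for resource, ops in resources.items():
            acl.setdefault(resource, {})[initiator] = set(ops)
    return acl

def capability_list(matrix):
    """Capability view (the rotated matrix): for each initiator, what it may touch."""
    return {initiator: {res: set(ops) for res, ops in resources.items()}
            for initiator, resources in matrix.items()}

def mediate(matrix, initiator, op, resource, now, authenticated_at):
    """Return (allowed, reason).  Every path that is not an explicit grant ends in
    a denial, which is the default "access denied" for unknown/undefined states."""
    if initiator not in matrix or resource not in matrix[initiator]:
        return False, "no rule for this initiator/resource pair"
    if op not in matrix[initiator][resource]:
        return False, "operation not granted"
    if now - authenticated_at > MAX_AUTH_AGE:
        return False, "authentication interval expired"
    start, end = TIME_WINDOWS.get(resource, (0, 24))
    if not start <= now.hour < end:
        return False, "outside permitted time window"
    return True, "permitted"

# Constructed timestamps: a morning session, a night-time request, and a request
# made nine hours after authentication.
T0 = datetime(2015, 12, 30, 9, 0)
NIGHT = datetime(2015, 12, 30, 22, 0)
STALE = T0 + timedelta(hours=9)

if __name__ == "__main__":
    m = build_matrix(RULES)
    print("ACL for patient_db:", access_control_list(m)["patient_db"])
    print("capabilities of backup:", capability_list(m)["backup"])
    for req in [("alice", "write", "patient_db", T0, T0),
                ("bob", "write", "patient_db", T0, T0),
                ("mallory", "read", "patient_db", T0, T0),
                ("alice", "read", "patient_db", NIGHT, NIGHT),
                ("alice", "read", "patient_db", STALE, T0)]:
        print(req[:3], "->", mediate(m, *req))
```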
Access control
• Physical access control
  – Control of and accountability for portable systems and media.
  – Physical access to desktop PCs, servers, cable plants, shared printers, archives, and hardcopy outputs.
IA Design Technique - Account for all possible logic states
• A method to prevent a system from entering unknown or undefined states, which are potentially unstable and can compromise IA integrity.
• All logic states are defined for each critical decision point or command.
• Once the logic states have been identified, an appropriate response is defined for each of them: continue normal operations, trigger an alarm, request further input/clarification, or emergency shutdown.
• Implement an OTHERWISE or default clause to trap exceptions or transient faults.
• This technique should be applied to all types of software: system software, application software, firmware, etc.
• It is also useful for uncovering missing and incomplete requirements.
• See Exhibit 15, page 160.
IA Design Technique - Audit trail
• Provides several IA integrity functions:
  – Capturing information about which people/processes accessed what system resources, and when.
  – Capturing information about system states and transitions, and triggering alarms if necessary.
  – Developing normal system and user profiles for intrusion detection systems.
  – Providing information with which to reconstruct events during accident/incident investigation.
• The audit trail provides real-time and historical logs of system states, transitions, and resource usage.
• When a system compromise is suspected, a security alarm is triggered.
• Alarm contents and the primary and secondary recipients are defined during implementation.
• Components of a security alarm:
  – Identity of the resource experiencing the security event
  – Date/timestamp of the security event
  – Security event type (integrity violation, operational violation, physical violation, security feature violation, etc.)
  – Parameters triggering the alarm
  – Security alarm severity (indeterminate, critical, major, minor, warning)
  – Source that detected the event
  – Service user who requested the service that led to the generation of the alarm
  – Service provider that provided the service that led to the generation of the alarm
• An audit trail consumes system resources; carefully determine what events to record and how frequently they should be recorded.
• Also determine the interval at which the audit trail should be archived and overwritten.
• Protect audit trails from unauthorized access.
IA Design Feature - Authentication
• Accurate authentication is an essential first layer of protection.
• Access control, audit trail, and intrusion detection functions depend on authentication.
• Authentication methods: unilateral, mutual, digital certificates, Kerberos, data origin, peer entity, smartcards, biometrics.
• Unilateral authentication: when a user logs onto a system, the user is authenticated to the system but the system is not authenticated to the user.
• Mutual authentication: both parties (users, processes, or systems) are authenticated to each other before any transactions take place, e.g. in e-commerce.
  – A challenge-response protocol is commonly used to perform mutual authentication.
• Data origin authentication ensures that messages received are indeed from the claimed senders and not from an intruder who hijacked the session.
  – Data origin authentication is initiated after an association setup is established and may be applied to all or selected messages.
• Smartcards are a physical security token that a user presents during the authentication process.
• A biometric system is a pattern recognition system that establishes the authenticity of a specific physiological or behavioral characteristic possessed by a user.
  – Nine types of biometric systems: fingerprints, iris, retina, face, hand, ear, body odor, voice, signature.
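The challenge-response exchange mentioned under mutual authentication, shown with both sides' messages as an added example (not code from the slides or the book). The shared key, the nonces and the "S>C"/"C>S" direction tags are this example's own assumptions.

```python
"""Added example (not from the page's source): the challenge-response exchange the
slides say is commonly used for mutual authentication, with both sides' messages.
Client and server share a secret key (constructed); each proves possession of it
by answering the other's random challenge with an HMAC, and each verifies the
other before any transaction.  The direction tag inside the HMAC is this
example's own assumption: a response produced for one direction can then never
satisfy a check in the other."""
import hashlib
import hmac
import os

def prove(key, direction, challenge, nonce):
    """Response to a challenge: HMAC-SHA256 over direction || challenge || nonce."""
    return hmac.new(key, direction + challenge + nonce, hashlib.sha256).digest()

class Party:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.my_challenge = None
        self.peer_authenticated = False

    def challenge(self):
        """Fresh random challenge; the peer must answer this exact value."""
        self.my_challenge = os.urandom(16)
        return self.my_challenge

    def respond(self, direction, peer_challenge):
        """Answer the peer's challenge, adding our own nonce to the MAC input."""
        nonce = os.urandom(16)
        return nonce, prove(self.key, direction, peer_challenge, nonce)

    def verify(self, direction, peer_nonce, response):
        """Check the peer's answer against our outstanding challenge."""
        expected = prove(self.key, direction, self.my_challenge, peer_nonce)
        self.peer_authenticated = hmac.compare_digest(expected, response)
        return self.peer_authenticated

def mutual_authenticate(client, server):
    """Message flow (constructed):
       1. C -> S : Cc                                    client's challenge
       2. S -> C : Ns, HMAC(k, "S>C" || Cc || Ns), Cs    server's proof and challenge
       3. C -> S : Nc, HMAC(k, "C>S" || Cs || Nc)        client's proof
    Transactions may start only after both verifications succeed."""
    c_chal = client.challenge()                                   # message 1
    s_nonce, s_proof = server.respond(b"S>C", c_chal)             # message 2
    s_chal = server.challenge()
    if not client.verify(b"S>C", s_nonce, s_proof):
        return False              # the system failed to authenticate to the user
    c_nonce, c_proof = client.respond(b"C>S", s_chal)             # message 3
    return server.verify(b"C>S", c_nonce, c_proof)                # user to system
```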
IA Design Technique - Block Recovery
• Provides correct functional operation in the presence of one or more errors.
• Implemented to increase the integrity of modules that perform critical functions.
• Each critical module has a primary and a secondary module.
• See Exhibit 17, page 168.
• After the system has been reset, normal operation continues.
• Forward block recovery is used for anticipated errors; backward block recovery for unanticipated errors.
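The primary/secondary structure with forward and backward recovery, as an added example (not code from the slides or the book). The tank-level estimator, its acceptance test and the calibration table's boundary defect in the primary are constructed for illustration.

```python
"""Added example (not from the page's source): the recovery block pattern for one
critical module, a tank-level estimator constructed for illustration.  The primary
and secondary are independent implementations behind an acceptance test.  An
anticipated error (an out-of-range sensor reading, raised as ValueError) gets
forward recovery: the input is clamped and processing continues.  Anything
unanticipated gets backward recovery: the state is rolled back to the checkpoint
taken on entry and the alternate module is tried.  The calibration table's
boundary defect in the primary is constructed to show the unanticipated path."""
import copy

MAX_LEVEL = 100.0
CALIBRATION = [0.98, 1.00, 1.02, 1.04]      # gain per 25-unit band; boundary defect

def clamp(reading):
    return max(0.0, min(MAX_LEVEL, reading))

def primary_estimator(state, reading):
    """Primary: exponential smoothing with a calibration gain.  Rejects out-of-range
    readings with ValueError (the anticipated error class)."""
    if not 0.0 <= reading <= MAX_LEVEL:
        raise ValueError("sensor reading out of range")
    gain = CALIBRATION[int(reading // 25)]  # IndexError at reading == 100.0: latent defect
    state["level"] = 0.7 * state["level"] + 0.3 * reading * gain
    state["samples"] += 1
    return state

def secondary_estimator(state, reading):
    """Secondary: a simpler, independent running average."""
    n = state["samples"] + 1
    state["level"] += (clamp(reading) - state["level"]) / n
    state["samples"] = n
    return state

def acceptance_test(before, after):
    """The estimate must stay in range and not jump more than 30 units per sample."""
    return 0.0 <= after["level"] <= MAX_LEVEL and abs(after["level"] - before["level"]) <= 30.0

class RecoveryBlock:
    def __init__(self, primary, secondary, accept):
        self.alternates = [("primary", primary), ("secondary", secondary)]
        self.accept = accept
        self.log = []                                   # which path produced each result

    def _attempt(self, name, module, checkpoint, reading):
        try:
            return module(copy.deepcopy(checkpoint), reading)
        except ValueError as exc:                       # anticipated: forward recovery
            self.log.append(f"{name}: {exc}; forward recovery with clamped input")
            return module(copy.deepcopy(checkpoint), clamp(reading))

    def run(self, state, reading):
        checkpoint = copy.deepcopy(state)               # recovery point
        for name, module in self.alternates:
            try:
                candidate = self._attempt(name, module, checkpoint, reading)
            except Exception as exc:                    # unanticipated: backward recovery
                self.log.append(f"{name}: {type(exc).__name__}; rolled back to checkpoint")
                continue
            if self.accept(checkpoint, candidate):
                self.log.append(f"{name}: accepted")
                return candidate
            self.log.append(f"{name}: rejected by acceptance test; rolled back")
        self.log.append("all alternates failed; holding checkpoint state")
        raise RuntimeError("recovery block exhausted")

def run_scenario():
    """Three readings: normal, out of range (forward then backward recovery), garbage."""
    block = RecoveryBlock(primary_estimator, secondary_estimator, acceptance_test)
    state = {"level": 40.0, "samples": 0}
    outcomes = []
    for reading in (50.0, 120.0, None):
        try:
            state = block.run(state, reading)
            outcomes.append(round(state["level"], 2))
        except RuntimeError:
            outcomes.append("failed; state unchanged")
    return outcomes, state, block.log
```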
IA Design Feature - Confinement
• Restricts an untrusted program from accessing system resources and executing system processes.
• Goal: non-interference between independent functions that utilize shared resources, and no unintended inter-component communication.
• Interference takes the form of:
  – Data corruption: overwriting vital data stored in common memory and used by trusted components.
  – Denial of service to critical resources: untrusted components prevent or delay execution of critical shared resources, or take too much CPU processing time.
• Confinement is implemented by:
  – Restricting a process from reading data it has written.
  – Limiting executable privileges to the minimum needed to perform functions; for example, child processes do not inherit the privileges of the parent.
  – Mandatory Access Control (MAC).
  – Domain and type enforcement (DTE): a domain is associated with each subject (user or process), a type is associated with each object (system resource), and a domain/type matrix is defined.
  – Wrappers, which encapsulate data from view by anyone other than the intended recipient.
IA Design - Defense in Depth
• Provides several overlapping, successive limiting barriers.
• The threshold can only be passed if all barriers fail.
• Reflects common sense: everything is done to prepare for known potential hazards and vulnerabilities.
• See Exhibit 18, page 171.
IA Design – Defensive programming
• Prevents system failures or compromises by detecting errors in control flow, data flow and data during execution.
• The system reacts in a predetermined and acceptable manner.
• Applied to all IA-critical and IA-related functions.
• Approached from two directions:
  – Potential software design errors are compensated for:
    • Range, plausibility and dimension checks are performed at procedure entry and before executing critical commands.
    • Read-only and read-write parameters are separated to prevent overwriting.
  – Failures in the operating environment are anticipated:
    • Control flow sequence checks are performed to detect anomalous behavior (state transitions).
    • Hardware and software procedures are verified regularly.
    • Plausibility checks are conducted on critical input, intermediate and output variables before acting upon them.
• Verifying all actions and transitions beforehand is a preventive strategy.
Plausibility Checks
• Enhance IA integrity by verifying the validity and legitimacy of critical parameters before acting upon them.
• Detect faults in the execution cycle and prevent them from progressing into failures.
• The values of parameters that affect IA-critical and IA-related functions are checked.
• See the examples on page 191.
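The defensive programming and plausibility checks above, together with the earlier "account for all possible logic states" technique, worked into one command handler as an added example (not code from the slides or the book). The pump controller, its pressure limits, its units and its legal transitions are all assumptions of the example.

```python
"""Added example (not from the page's source): defensive programming for one
critical command handler, a pump pressure controller constructed for
illustration.  It combines two of the slides' techniques: every logic state at the
decision point is enumerated with an explicit response (continue, alarm, request
clarification, emergency shutdown) plus an OTHERWISE clause, and range,
plausibility, dimension and control-flow sequence checks run at procedure entry.
The limits, units and legal transitions are assumptions of the example."""
from enum import Enum

class Response(Enum):
    CONTINUE = "continue normal operations"
    ALARM = "trigger alarm"
    CLARIFY = "request further input/clarification"
    SHUTDOWN = "emergency shutdown"

# Control-flow sequence check: the only legal (state, command) -> state transitions.
LEGAL_TRANSITIONS = {
    ("idle", "start"): "running",
    ("idle", "stop"): "idle",
    ("idle", "setpoint"): "idle",
    ("running", "stop"): "idle",
    ("running", "setpoint"): "running",
}
PRESSURE_RANGE = (0.0, 12.0)     # bar: physical range of the sensor (range check)
MAX_SETPOINT_STEP = 2.0          # bar: largest plausible change per command
EXPECTED_UNIT = "bar"            # dimension check

def handle_command(state, command, setpoint=None, unit=None, last_setpoint=None):
    """Return (new_state, Response, reason).  The state only changes on CONTINUE."""
    if setpoint is not None:
        # Dimension check: a value in the wrong unit is never acted on.
        if unit != EXPECTED_UNIT:
            return state, Response.CLARIFY, f"setpoint unit {unit!r} is not {EXPECTED_UNIT}"
        # Range check: outside the sensor's physical range the value cannot be real.
        if not PRESSURE_RANGE[0] <= setpoint <= PRESSURE_RANGE[1]:
            return state, Response.SHUTDOWN, f"setpoint {setpoint} outside {PRESSURE_RANGE}"
        # Plausibility check: in range, but an implausible jump from the last value.
        if last_setpoint is not None and abs(setpoint - last_setpoint) > MAX_SETPOINT_STEP:
            return state, Response.ALARM, "setpoint step exceeds plausible change"
    new_state = LEGAL_TRANSITIONS.get((state, command))
    if new_state is None:
        # OTHERWISE clause: an unknown or undefined state/command combination.
        return state, Response.SHUTDOWN, f"undefined transition ({state}, {command})"
    if command == "setpoint" and setpoint is None:
        return state, Response.CLARIFY, "setpoint command without a value"
    return new_state, Response.CONTINUE, "ok"

def run_sequence(commands, state="idle"):
    """Apply commands in order and stop at the first non-CONTINUE response: the
    reaction is the predetermined one, never a best effort.  Returns the trail."""
    trail, last_setpoint = [], None
    for cmd in commands:
        state, resp, reason = handle_command(state, last_setpoint=last_setpoint, **cmd)
        trail.append((state, resp, reason))
        if resp is not Response.CONTINUE:
            break
        if cmd.get("setpoint") is not None:
            last_setpoint = cmd["setpoint"]
    return trail
```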
IA Design Technique - Degraded-mode Operations
• Purpose: ensure that the functionality of critical functions is maintained in the presence of one or more failures.
• In the event of anomalous behavior, suspected attacks or compromise, IA-critical and IA-related functions can rarely afford to simply cease operating.
• Priorities are established for maintaining critical functions and dropping less critical ones.
• The total system (hardware, software and communication equipment) is considered when planning degraded-mode operations.
• Tied directly to the operational procedures of the contingency plan.
• Specify the IA-critical and IA-related functions during the requirements and design phases.
• Define the criteria for transitioning into degraded mode and the maximum time period the system is allowed to remain in degraded mode.
• An intermediate state between full operation and total system shutdown.
• Another preventive strategy: planning the response for potential crisis situations.
Digital Signatures
• Provide nonrepudiation of origin.
• Created using public key encryption; involve a signature generation algorithm and a signature verification algorithm.
• A signature consists of a fixed-length string of bits that is derived from the original message.
• The message is encrypted, the signature is attached, and the message is transmitted.
• The recipient decrypts the string to verify that it reflects the original message.
• The recipient signs the message and returns it to the sender: round-trip confirmation.
• Used in e-commerce.
Diversity
• Enhances IA integrity by detecting and preventing systematic failures.
• Implemented in hardware and software.
• Software diversity: n-version programming
  – More than one algorithm is developed to solve the same problem.
  – The same inputs are given to each version and the outputs are compared.
  – Agreement can be required to be 100% or a majority, depending on the criticality of the application.
  – Error detection and recovery algorithms are invoked if the results do not agree.
  – Diverse software can execute in parallel on different processors or sequentially on the same processor.
• Hardware diversity
  – Multiple, different components and modules perform the same function.
  – This is not hardware redundancy, in which multiple units of the same hardware are employed.
  – Components and modules are chosen that have different rates and types of failures.
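N-version programming with a voter, as an added example (not code from the slides or the book). Three independently written integer square root routines are compared under unanimous or majority agreement, in parallel or sequentially; the third routine is a constructed naive floating-point shortcut whose systematic failure on large inputs the voter exposes.

```python
"""Added example (not from the page's source): n-version programming with a
voter.  Three independently written integer square root routines receive the same
input and their outputs are compared; agreement may be required to be unanimous
or a majority, and disagreement is reported for error detection and recovery.
The versions may run in parallel (threads here) or sequentially.  The third
version is a deliberately naive floating point shortcut, constructed to show how
the voter exposes a systematic failure in one version on large inputs."""
import math
from collections import Counter
from concurrent.futures import ThreadPoolExecutor

def isqrt_newton(n):
    """Version 1: Newton's iteration on integers."""
    if n < 0:
        raise ValueError("negative input")
    if n == 0:
        return 0
    x, y = n, (n + 1) // 2
    while y < x:
        x, y = y, (y + n // y) // 2
    return x

def isqrt_bisection(n):
    """Version 2: binary search for the largest r with r * r <= n."""
    if n < 0:
        raise ValueError("negative input")
    lo, hi = 0, n
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid * mid <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def isqrt_float(n):
    """Version 3 (constructed, naive): truncate the floating point square root.
    Correct for small n, systematically wrong once rounding error reaches 1."""
    return int(math.sqrt(n))

VERSIONS = {"newton": isqrt_newton, "bisection": isqrt_bisection, "float": isqrt_float}

def vote(versions, n, unanimous=False, parallel=False):
    """Run every version on n and compare.  Returns (agreed_value_or_None, dissenters)."""
    if parallel:
        with ThreadPoolExecutor(max_workers=len(versions)) as pool:
            results = dict(zip(versions, pool.map(lambda f: f(n), versions.values())))
    else:
        results = {name: fn(n) for name, fn in versions.items()}
    value, support = Counter(results.values()).most_common(1)[0]
    dissenters = sorted(name for name, r in results.items() if r != value)
    if dissenters and (unanimous or support * 2 <= len(results)):
        return None, dissenters          # error detection: no acceptable agreement
    return value, dissenters

def guarded_isqrt(n, unanimous=False):
    """Recovery policy: use the voted value, or raise so the caller can fall back."""
    value, dissenters = vote(VERSIONS, n, unanimous=unanimous)
    if value is None:
        raise RuntimeError(f"versions disagree: {dissenters}")
    return value
```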
Encryption
• Provides confidentiality of data while stored and transmitted.
• Manipulating a string of data (clear text) according to a specific algorithm to produce cipher text.
• What data needs encryption is derived from the IA goals.
• Identify data that does not need encryption; for example, only certain fields in a database may need to be encrypted.
• Where is the data stored, created and transmitted? The answer drives an efficient and effective encryption strategy.
• What encryption strength is needed?
  – Low to medium for random office e-mails.
  – High to very high for defense or intelligence applications.
• At what level of the OSI or TCP/IP reference model should encryption take place?
  – Encryption can be implemented at the physical, data link, network, transport and application layers.
  – See Exhibit 20, page 176.
• Hardware or software encryption?
  – Hardware encryption is used for critical applications.
  – Hardware encryption is designed to be tamperproof, erases keys if tampering is detected, prevents examination through shielding, and is faster than software encryption because it offloads the intensive calculation from the CPU.
  – Software encryption is easy to use and upgrade, but it can be preempted by a higher-priority task, exposing the data and key, and key management is an issue.
• Block or stream ciphers?
  – Block ciphers operate on a fixed number of bits or bytes; cipher text and clear text have the same block size; they can be implemented in hardware or software.
  – Stream ciphers operate on asynchronous bit streams, transforming a single bit or byte of data at a time; they are implemented in hardware at the data link level.
• Mode of block or stream cipher operation? Five most common modes:
  – Electronic code book (ECB)
  – Cipher block chaining (CBC)
  – Output feedback (OFB)
  – Cipher feedback (CFB)
• Choice of encryption key type: symmetric or asymmetric?
  – Symmetric (secret) key: the same key is used for encryption and decryption. Appropriate when:
    • sender and receiver are known to each other,
    • sender and receiver remain constant for a fixed period of time,
    • sender and receiver nodes remain constant,
    • a long-term relationship is anticipated, with a regular need to exchange sensitive information,
    • sender and receiver have the ability to cooperate on key management and encryption issues.
  – Asymmetric keys use a pair of public and private keys.
    • The public key, used for encryption, is shared; the private key, used for decryption, is not shared.
    • The keys are mathematically related, but it is not feasible to uncover the private key from the public key.
    • A wants to send B a sensitive message: A encrypts the message with B's public key; B decrypts the message with B's private key.
  – Most organizations employ a combination of symmetric and asymmetric keys.
• Key management?
  – Most encryption algorithms are publicly available, so the keys must be protected.
  – Protection is proportional to the sensitivity of the information.
  – Key management procedures are needed for key generation, key distribution, key verification, controlling the use of keys, responding to key compromise, changing keys, storing keys, key recovery and backup, and destroying old keys.
  – Policies must be established with the involvement of all stakeholders.
  – Adequate training, and periodic audits and review of the established procedures and policies.
• Encryption algorithms?
  – The strength of encryption depends on the strength and sophistication of the encryption algorithm and the length of the key.
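The four cipher modes listed above, as an added example (not code from the slides or the book): each mode is written generically over a block cipher so its chaining structure is visible, and a check shows why the mode choice matters (ECB maps equal plaintext blocks to equal ciphertext blocks, CBC does not). The 8-byte Feistel block cipher built on SHA-256 is a constructed toy for illustration only, not a real cipher.

```python
"""Added example (not from the page's source): the four cipher modes the slides
list, written generically over any block cipher so that each mode's chaining
structure is visible, plus a check of why the mode choice matters: ECB maps
equal plaintext blocks to equal ciphertext blocks, CBC does not.  The block
cipher here is a constructed 8-byte Feistel toy built on SHA-256, for
illustration only, not a real cipher."""
import hashlib

BLOCK = 8           # toy cipher block size in bytes
ROUNDS = 8

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def _feistel(key, block, rounds):
    """Constructed toy block cipher: Feistel network, SHA-256 as round function."""
    left, right = block[:4], block[4:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return right + left             # final swap makes decryption the same network

def toy_encrypt_block(key, block):
    return _feistel(key, block, range(ROUNDS))

def toy_decrypt_block(key, block):
    return _feistel(key, block, reversed(range(ROUNDS)))

# Electronic code book: each block independently; no IV; whole blocks required.
def ecb_encrypt(key, pt):
    assert len(pt) % BLOCK == 0, "padding omitted in this example"
    return b"".join(toy_encrypt_block(key, b) for b in split_blocks(pt))

def ecb_decrypt(key, ct):
    return b"".join(toy_decrypt_block(key, b) for b in split_blocks(ct))

# Cipher block chaining: plaintext block XOR previous ciphertext block, then encrypt.
def cbc_encrypt(key, iv, pt):
    assert len(pt) % BLOCK == 0, "padding omitted in this example"
    out, prev = [], iv
    for b in split_blocks(pt):
        prev = toy_encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in split_blocks(ct):
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

# Cipher feedback: keystream = encrypt(previous ciphertext block).  Stream-like,
# so a short final block needs no padding and only the encrypt direction is used.
def cfb_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in split_blocks(pt):
        prev = xor(b, toy_encrypt_block(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in split_blocks(ct):
        out.append(xor(c, toy_encrypt_block(key, prev)))
        prev = c
    return b"".join(out)

# Output feedback: keystream = repeatedly encrypt the IV, independent of the data,
# so encryption and decryption are the same operation.
def ofb_crypt(key, iv, data):
    out, state = [], iv
    for b in split_blocks(data):
        state = toy_encrypt_block(key, state)
        out.append(xor(b, state))
    return b"".join(out)

def repeated_blocks(ct):
    """True if any ciphertext block repeats: the pattern leak ECB is known for."""
    blocks = split_blocks(ct)
    return len(set(blocks)) < len(blocks)
```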
Error detection/Correction
• Algorithms used to increase data integrity during transmission and to increase system integrity during execution of application software.
• At the network level, error detection/correction algorithms examine data for accidentally lost or corrupted data and for intentional unauthorized changes to data.
• Self-correcting codes are applied, or requests for retransmission are initiated, if errors are detected.
• At the application software level, error detection/correction algorithms detect anomalous or illegal modes/states and parameters, and initiate appropriate error handling routines.
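A self-correcting code with a retransmission request on uncorrectable errors, as an added example (not code from the slides or the book): an extended Hamming (8,4) SECDED code over constructed data. Note that such a code has no secret, so it catches accidental corruption but cannot by itself detect a deliberate change that is consistently re-encoded.

```python
"""Added example (not from the page's source): a self-correcting code of the kind
the slides refer to, an extended Hamming (8,4) SECDED code.  Each 4-bit data
nibble becomes one byte; the receiver corrects any single flipped bit and, on a
double flip, reports an uncorrectable error so that retransmission can be
requested.  A code like this has no secret: it catches accidental corruption but
cannot by itself detect deliberate, consistently re-encoded changes."""

# Bit positions 1..7 carry Hamming(7,4): parity at 1, 2, 4; data at 3, 5, 6, 7.
# Position 0 carries the overall parity bit used for double-error detection.
DATA_POS = (3, 5, 6, 7)
PARITY_POS = (1, 2, 4)

def encode_nibble(d):
    """Encode 4 data bits (0..15) as an 8-bit SECDED codeword."""
    bits = [0] * 8                       # index = Hamming position
    for i, pos in enumerate(DATA_POS):
        bits[pos] = (d >> (3 - i)) & 1
    for p in PARITY_POS:                 # even parity over positions with bit p set
        bits[p] = sum(bits[q] for q in range(1, 8) if q & p) % 2
    bits[0] = sum(bits[1:]) % 2          # overall parity
    return sum(b << i for i, b in enumerate(bits))

def decode_byte(word):
    """Return (nibble, status) with status 'ok', 'corrected' or 'retransmit'."""
    bits = [(word >> i) & 1 for i in range(8)]
    syndrome = sum(p for p in PARITY_POS
                   if sum(bits[q] for q in range(1, 8) if q & p) % 2)
    overall_ok = sum(bits) % 2 == 0
    if syndrome == 0 and overall_ok:
        status = "ok"
    elif not overall_ok:                 # odd number of flips: assume one and fix it
        bits[syndrome] ^= 1              # syndrome 0 here means the parity bit itself
        status = "corrected"
    else:                                # syndrome set but parity even: two flips
        return None, "retransmit"
    nibble = 0
    for pos in DATA_POS:
        nibble = (nibble << 1) | bits[pos]
    return nibble, status

def encode_bytes(data):
    """Two SECDED codewords per byte: high nibble first."""
    return bytes(w for byte in data
                 for w in (encode_nibble(byte >> 4), encode_nibble(byte & 0xF)))

def decode_bytes(codewords):
    """Return (data, statuses); data is None when any codeword needs retransmission."""
    nibbles, statuses = [], []
    for w in codewords:
        n, status = decode_byte(w)
        nibbles.append(n)
        statuses.append(status)
    if "retransmit" in statuses:
        return None, statuses
    data = bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))
    return data, statuses
```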
Fail safe/secure
• Ensures that a system remains in a known safe/secure state following an irrecoverable failure.
• A component automatically places itself in a known secure state in the event of a failure.
• Safe default values are assumed.
• The system is brought into a safe/secure state by shutting it down.
Fail operational
• The system or its components continue to provide limited critical functionality in the event of a failure, e.g. an aircraft flight control system.
• Fail safe/secure and fail operational are proactive features that respond to predictable failures.
• See fail operational, page 182.
Fault tolerance
• Increases IA integrity by providing continuous correct execution in the presence of a limited number of hardware and software faults.
• Focuses on containing and mitigating the consequences of faults, not on preventing them.
• An error (incorrect value or condition) or a mistake (error in human action) leads to a fault, which leads to a failure.
• Fault tolerance attempts to prevent faults from progressing to a failure.
• Three types of fault tolerance:
  – Hardware: faults generated by design errors, environmental factors, physical degradation.
  – Software: design errors and runtime errors.
  – Systems: a combination of hardware and software.
Firewalls, Filters
• Firewalls control access between one network and another.
• Firewalls monitor both incoming and outgoing traffic.
• Three types of firewalls: packet filters, application level gateways, circuit level gateways.
• Packet filters
  – Determine whether a packet should be allowed to enter the network depending on the destination address and source.
  – Enabled by filtering rules.
• Application gateways
  – Protect specific applications, e.g. e-mail servers.
  – All traffic is logged.
• Circuit level gateways
  – Also called proxy firewalls.
  – Mediate between two devices trying to communicate across the firewall.
  – A caller connects to a port on the outside gateway. If the session is approved, the gateway forwards the information to the destination that is connected to the internal gateway port.
  – Logs the number of bytes sent by the TCP address.
  – Not effective against insider attacks.
Formal specifications, Animated specifications
• Mathematical techniques used in the specification, design and verification of hardware and software.
• Formal notations based on discrete mathematics are used to specify and verify system requirements and design.
• The specifications are subject to rigorous mathematical analysis to detect inconsistencies, incorrectness and incompleteness.
• Similar to a compiler checking for syntax errors, the analysis is performed with toolsets.
• Specifications can be animated to illustrate the specified system behavior, to validate requirements, to reveal the need for clarification, and to check correctness.
• They compensate for the weaknesses inherent in natural language specifications: ambiguity and misunderstanding due to multiple interpretations.
• Primary use: to verify that the security kernel correctly implements a specified policy and model.
• Advantages
  – Incorrect specifications lead to vulnerabilities; serious errors are corrected in the design phase.
  – Formal specifications are written for the access control and operational states of IA-critical and IA-related functions.
Information hiding
• A software development technique in which each module's interface reveals as little as possible about the module's inner workings, and other modules are prevented from using information about the module that is not in the module's interface specification.
• Can be applied to data and programming logic.
• Data structures are localized and as self-contained as possible.
• Data and programming logic can be changed without affecting other modules.
Intrusion Detection, Response
• Recognize and respond to a security breach as it is happening or immediately after it has happened.
• Operate behind a firewall; part of defense in depth.
• Detect insider and outsider attacks.
• Three types of ID/R systems:
  – Statistical anomaly detection
    • Analyzes audit trail data for abnormal user or system behavior.
    • Compares current audit trail data against historical data.
    • Disadvantages: the historical data may contain undetected intrusions, so an anomaly is treated as normal; an attacker who knows the normal behavior can fool the system; if normal profiles are defined too loosely or too tightly, false positives or false negatives may be triggered.
  – Rule-based detection
    • Monitors audit trail data for patterns of activity that match known attack profiles.
    • Weaknesses: only known attacks are identified; the library of known attacks must be frequently updated.
  – Hybrid: a combination of statistical anomaly and rule-based detection.
• How to respond to an attack:
  – Option 1: the system could automatically respond with no human intervention.
  – Option 2: as with the audit trail, a security alarm that requires human intervention; primary and secondary recipients must be defined, together with the time interval within which action must be taken.
  – Option 3: the system automatically responds if no human action occurs within a specified time interval.
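A hybrid ID/R detector over constructed audit-trail lines, as an added example (not code from the slides or the book). It covers the audit trail slides as well: each hit becomes a security alarm carrying the components listed there, and response option 3 is applied. The log format, users, hosts, thresholds and the attack profile are all constructed.

```python
"""Added example (not from the page's source text): a small hybrid ID/R detector
run over constructed audit-trail lines.  Per-user normal profiles are built from
a historical window (statistical anomaly detection), one known attack profile is
matched (rule-based detection), each hit becomes a security alarm carrying the
components the audit trail slides list, and response option 3 is applied.
Log format, users, hosts, thresholds and the attack profile are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

HISTORY = """\
2015-12-29T08:58:30 user=alice src=10.0.0.5 resource=login op=auth result=ok
2015-12-29T09:02:11 user=alice src=10.0.0.5 resource=patient_db op=read result=ok
2015-12-29T09:12:40 user=bob src=10.0.0.7 resource=login op=auth result=ok
2015-12-29T11:15:03 user=bob src=10.0.0.7 resource=report_job op=execute result=ok
2015-12-29T14:22:47 user=bob src=10.0.0.7 resource=report_job op=execute result=ok""".splitlines()

CURRENT = """\
2015-12-30T03:12:05 user=alice src=10.0.0.9 resource=tape_archive op=read result=ok
2015-12-30T09:30:00 user=bob src=10.0.0.7 resource=report_job op=execute result=ok
2015-12-30T09:31:10 user=bob src=10.0.0.7 resource=login op=auth result=fail
2015-12-30T09:31:14 user=bob src=10.0.0.7 resource=login op=auth result=fail
2015-12-30T09:31:20 user=bob src=10.0.0.7 resource=login op=auth result=fail
2015-12-30T09:31:33 user=bob src=10.0.0.7 resource=login op=auth result=ok""".splitlines()

def parse(line):
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def build_profiles(lines):
    """Normal profile per user: the resources used and the hours of day seen."""
    prof = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ev in map(parse, lines):
        prof[ev["user"]]["resources"].add(ev["resource"])
        prof[ev["user"]]["hours"].add(ev["ts"].hour)
    return prof

def make_alarm(ev, event_type, params, severity, detector):
    """Security alarm with the components listed on the audit trail slides."""
    return {"resource": ev["resource"], "timestamp": ev["ts"].isoformat(),
            "event_type": event_type, "parameters": params, "severity": severity,
            "detected_by": detector, "service_user": ev["user"],
            "service_provider": ev["src"], "acknowledged": False}

def anomaly_detect(events, profiles, hour_slack=1):
    """Flag successful activity the user's profile never showed.  hour_slack tunes
    how loose the profile is: too tight gives false positives, too loose misses."""
    alarms = []
    for ev in events:
        if ev["result"] != "ok":
            continue
        p = profiles.get(ev["user"], {"resources": set(), "hours": set()})
        params = []
        if ev["resource"] not in p["resources"]:
            params.append(f"resource {ev['resource']} not in profile")
        if all(abs(ev["ts"].hour - h) > hour_slack for h in p["hours"]):
            params.append(f"hour {ev['ts'].hour} outside profile")
        if params:
            alarms.append(make_alarm(ev, "operational violation", params,
                                     "major", "statistical anomaly detector"))
    return alarms

def rule_detect(events, failures=3, window=timedelta(seconds=60)):
    """Known attack profile: `failures` or more failed authentications from one
    user/source followed by a success, all within `window`."""
    alarms, recent = [], defaultdict(list)
    for ev in events:
        if ev["op"] != "auth":
            continue
        key = (ev["user"], ev["src"])
        recent[key] = [t for t in recent[key] if ev["ts"] - t <= window]
        if ev["result"] == "fail":
            recent[key].append(ev["ts"])
        elif len(recent[key]) >= failures:
            alarms.append(make_alarm(ev, "security feature violation",
                                     [f"{len(recent[key])} failed logins then success"],
                                     "critical", "rule-based detector"))
            recent[key].clear()
    return alarms

def hybrid_detect(history, current):
    events = [parse(line) for line in current]
    return anomaly_detect(events, build_profiles(history)) + rule_detect(events)

def respond(alarm, minutes_elapsed, human_interval=15):
    """Option 3: primary/secondary recipients get `human_interval` minutes; after
    that the predefined automatic response is taken."""
    if alarm["acknowledged"]:
        return "handled by recipient"
    if minutes_elapsed < human_interval:
        return "awaiting human action"
    return f"automatic response: suspend account {alarm['service_user']}"
```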
Partitioning
• Prevents non-IA-critical functions/entities from accidentally corrupting or interfering with IA-critical and IA-related functions.
• Prevents non-IA-critical functions/entities from being used as a vehicle for intentionally corrupting IA-critical and IA-related functions.
• Advantages
  – Reduces the effort required to verify IA-critical and IA-related functions.
  – Resources can be focused on the most critical elements.
  – Minimizes the potential for faults to affect the system.
Redundancy
• A fault tolerance technique to increase hardware reliability and system availability.
• Identical components are used to perform identical functions.
• Hardware redundancy is implemented in three ways:
  – Active: multiple identical secondary units operate simultaneously; if a fault is detected in the primary, operations are switched to the "hot" secondary.
  – Standby: the redundant "cold" secondary becomes operational only after a fault has been detected in the primary.
  – Monitored redundancy: a variation of active redundancy that monitors the output from all parallel components; if discrepancies are found, voting logic is activated to determine which output is correct and what action should be taken (switching).
Reliability allocation
• Distributes reliability and maintainability requirements among system entities.
• Step 1
  – Assign a numerical reliability requirement to system entities and components.
  – Consider sub-systems, components and sub-components.
  – Factors to be considered: operational mode (continuous or demand), duty cycle, criticality in relation to the stated IA integrity level, complexity, uncertainty of the operating environment, historical experience.
• Step 2
  – Determine the maintainability requirements needed to support the reliability requirements, considering the same factors.
• Step 3
  – Calculate system reliability and maintainability from the individual components.
  – The reverse of the first step (there, only the system reliability was calculated).
  – Combine the values of each component and compare with the value of the system reliability.
• Step 4
  – Component reliability and maintainability requirements are refined by an iterative process of reallocation and recalculation until the IA goals are met.
  – Reliability prediction models, block diagrams and BBNs are used.
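Steps 3 and 4 worked on a reliability block diagram, as an added example (not code from the slides or the book). The diagram, the component allocations and the system requirement are constructed, and the sensitivity-based choice of which component to tighten in each iteration is this example's own heuristic.

```python
"""Added example (not from the page's source): steps 3 and 4 of reliability
allocation on a reliability block diagram.  Component reliabilities are combined
(series blocks multiply, parallel/redundant blocks combine as 1 - prod(1 - R_i)),
the system value is compared with the requirement, and an iterative reallocation
tightens the component with the greatest effect on the system figure until the
requirement is met.  The diagram, the allocations and the requirement are
constructed; the sensitivity-based choice of which component to tighten is this
example's own heuristic."""
import math

# Block diagram: a string names a component; ("series"|"parallel", [...]) combines.
DIAGRAM = ("series", ["sensor", ("parallel", ["controller_A", "controller_B"]), "actuator"])
ALLOCATION = {"sensor": 0.98, "controller_A": 0.95, "controller_B": 0.95, "actuator": 0.97}
REQUIRED = 0.96

def reliability(node, alloc):
    """Step 3: combine component values up the block diagram."""
    if isinstance(node, str):
        return alloc[node]
    kind, children = node
    rs = [reliability(c, alloc) for c in children]
    if kind == "series":
        return math.prod(rs)
    if kind == "parallel":
        return 1 - math.prod(1 - r for r in rs)
    raise ValueError(f"unknown block kind {kind}")

def meets_requirement(diagram, alloc, required):
    return reliability(diagram, alloc) >= required

def sensitivity(diagram, alloc, name, h=1e-6):
    """dR_system / dR_component, estimated numerically."""
    bumped = dict(alloc, **{name: alloc[name] + h})
    return (reliability(diagram, bumped) - reliability(diagram, alloc)) / h

def reallocate(diagram, alloc, required, max_iter=20):
    """Step 4: recalculate, compare, tighten the most influential component (halving
    its unreliability), repeat until the requirement is met.  Returns (alloc, history)."""
    alloc, history = dict(alloc), []
    for _ in range(max_iter):
        r = reliability(diagram, alloc)
        history.append(round(r, 5))
        if r >= required:
            return alloc, history
        target = max(alloc, key=lambda n: sensitivity(diagram, alloc, n))
        alloc[target] = 1 - (1 - alloc[target]) / 2
    raise RuntimeError("requirement not met within iteration limit; revisit the design")

if __name__ == "__main__":
    print("initial system reliability:", round(reliability(DIAGRAM, ALLOCATION), 5))
    final, history = reallocate(DIAGRAM, ALLOCATION, REQUIRED)
    print("history:", history)
    print("final allocation:", final)
```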
Secure protocols
• Enhance the confidentiality of distributed data communications.
• Provide security services not available through basic communication protocols such as TCP, IP, etc.
• Address interoperability issues related to implementing security features such as digital signatures, algorithms to sign and encrypt messages, key sharing and authentication.
• Current secure protocols: IPSec, NLS, TLS1, SSL3, SET, PEM, PGP, etc.
Virus Scanners
• Automatically detect and remove viruses.
• Virus classifications
  – Boot virus: attacks the boot sector of the hard disk or floppy disk when the system is powered on.
  – Macro virus: embedded in word processing documents or spreadsheets as macros; activated when the macros are executed.
  – Program viruses: attach to and attack *.exe, *.com, *.sys, and *.dll files when they are executed.
  – Transient viruses: active only when the infected program is executing.
  – Resident viruses: remain in memory and link themselves to the execution of other programs.
• Types of virus scanners
  – Activity monitors: similar to intrusion detection systems, they look for suspicious activity patterns that could indicate the presence of virus activity.
  – Change detection or integrity monitors: flag system and user files that have been changed; they generate many false positives unless a legitimate method for flagging authorized changes is provided.