ENGINEERING INFORMATION SECURITY
The Application of Systems Engineering Concepts to Achieve Information Assurance
Stuart Jacobs

Piscataway, NJ 08854
IEEE Press Editorial Board
Lajos Hanzo, Editor in Chief
Kenneth Moore, Director of IEEE Book and Information Services (BIS)

IEEE PRESS SERIES ON INFORMATION & COMMUNICATION NETWORKS SECURITY
Series Editor: Stamatios Kartalopoulos

Security of Information and Communication Networks, Stamatios Kartalopoulos
Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance, Stuart Jacobs
Trang 6Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken,
NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose No warranty may be created or extended by sales representatives or written sales materials The advice and strategies contained herein may not be suitable for your situation You should consult with a professional where appropriate Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats Some content that appears in print may not be available in electronic formats For more information about Wiley products, visit our web site
ePDF ISBN: 978-0-470-94783-8
ePub ISBN: 978-1-118-00901-7
Printed in Singapore.
rather than with her.
1.2.3 The Common Body of Knowledge (CBK) Security Domains 7
1.2.3.2 Application and Systems Development Security 9
1.2.3.3 Business Continuity Planning and
1.2.3.10 Telecommunications and Network Security 14
1.3.2 What Actually Occurred 17
2.1.1.2 Investigate Alternatives and Model the System 33
2.3.2.2 Residential 51
3.1.6.7 Service Mapping and Application of Services 72
3.2.5.3 Digital Signature Authentication Technique 110
4.1.2.5 Digital Certificate Revocation and
4.2.6 Example Detailed Security Requirements
4.2.7 Proxies for Humans 156
5.3.1.5 Physical and Environmental Security (Section 9) 176
5.3.1.6 Communications and Operations Management
5.3.1.8 Information Systems Acquisition, Development, and
5.4 Information Security Systems Engineering Methodology 185
5.4.2 Vulnerabilities, Threats, and Risk 189
5.6.5 Administrative Tasks in Access Control Methods 225
5.7.1 Confidentiality Policies and Integrity Policies 228
5.7.8.3 Third-Generation Partnership Project 2 238
5.7.8.4 Alliance for Telecommunications Industry Solutions 238
5.7.8.6 European Telecommunications Standards Institute 239
5.7.8.7 International Organization for Standardization 239
5.7.8.8 ITU Telecommunication Standardization Sector 239
5.7.8.11 Organization for the Advancement of Structured
5.7.8.14 World Wide Web Consortium 241
6.3.2.5 Asynchronous Transfer Mode and Frame Relay 267
6.3.3.4 IPv4 Fragmentation and Related Attacks 285
6.3.4.2 User Datagram Protocol 294
6.3.4.6 Example Detailed Security Requirements
6.3.5.1 Initial Internet User Application Protocols 303
6.3.5.5 Security in User Application Protocols 308
6.3.5.6 Example Detailed Security Requirements
6.3.6 Layer 5—Signaling and Control Application Protocols 310
6.3.6.9 Security in Signaling and Control Application
6.3.6.10 Example Detailed Security Requirements for Layer 5 Signaling and Control Application Protocols 323
6.3.7.2 Customer Premise Equipment WAN
7 NEXT-GENERATION NETWORKS 335
7.1.4 Protocol Layers, Functional Planes, and Interfaces 340
7.2.6 The Service Stratum and the IP Multimedia
7.3 Relationship between NGN Transport and Service Domains 351
7.5 Security Allocation within the NGN Transport
8.1.2.6 Combining Segmentation and
8.3.3.5 Device Management Functions and
8.5 Security Mechanisms for Deployed Operating Systems (OSs) 399
8.5.1.2 Software Functional Entities for General
8.5.2.1 Hardware Mechanisms for
8.5.2.2 Software Mechanisms for
8.5.3 Embedded (“Real-Time”) Operating Systems 413
8.5.3.1 Hardware Mechanisms for Embedded OS Usage 413
8.5.3.2 Software Mechanisms for Embedded OS Usage 415
9.1.3.13 Windows Server 2003—Role-Based
9.2 Applications 459
9.2.1.2 Exception Handling, Bounds Checking,
9.2.2.3 Trojan Horses, Rootkits, and Backdoors 466
9.3 Example Detailed Security Requirements for Specific Operating
10.3.4 Example Detailed Security Requirements for
10.4 Security Design for Protocol Layer 3 493
10.4.1.2 IPsec Key Management and Key Exchange 500
10.4.1.6 IPsec Authentication Header (AH) Transform 507
10.4.1.7 The IPsec Encapsulating Security Payload (ESP)
10.4.1.11 IPsec and Network Address Translation 514
10.4.1.12 Example Detailed Security
10.4.1.13 IPsec Implementation Availability 520
10.4.1.14 IPsec and Fault-Tolerant Network Designs 521
10.5.5 Example Detailed Security Requirements
11.1.2 Secure Shell (SSH) 551
11.1.4 Example Detailed Security Requirements
11.2.1.2 Secure/Multipurpose Internet Mail
11.2.2 World Wide Web (Web) and Identity Management 558
11.2.2.1 eXtensible Markup Language Security (XML) 560
11.2.2.2 Service-Oriented Architecture (SOA) 561
11.2.2.5 Security Assertion Markup Language (SAML) 564
11.2.3.6 Example Detailed Security Requirements
11.2.10 Common Object Request Broker Architecture (CORBA) 595
11.2.12 Dynamic Host Configuration Protocol Security 601
11.3 Chapter Summary 603
12.1.2.1 Telecommunications Management Network
12.1.2.2 Element, Network Management Systems,
12.1.6 Example Detailed Security Requirements
12.2 Operation, Administration, Maintenance, and Decommissioning 625
12.2.1.2 Operational Guidelines, Procedures 627
Appendix D: Significant Standards and Recommendations
PREFACE AND ACKNOWLEDGMENTS

APPROACH

This book focuses on information security (information assurance) from the viewpoint of how to control access to information in a systematic manner. Many books on security primarily cover specific security mechanisms such as authentication protocols, encryption algorithms, and security-related protocols. Other books on security are use-case oriented, providing specific contexts for discussing vulnerabilities, threats, and countermeasures. Few books on security consider the planning, operations, and management aspects of protecting information. Unlike these other books that focus on security mechanisms, threats, and vulnerabilities, this book presents a methodology for addressing security concerns in any organization. The methodology is based on a set of concepts called systems engineering that are designed to methodically examine, analyze, and document objectives and the functional and performance capabilities (requirements) that need to exist to achieve the stated goals. Systems engineering concepts provide:

• a framework for developing capabilities and solutions that ensure compliance with the aforementioned requirements;
• traceability starting at objectives, progressing through requirements development and solution design/development/procurement into, and during, operation and administration; and
• support for compliance evaluation of deployed systems and how these systems are used.

Another critical aspect of the systems methodology is the necessity to consider all aspects of a system, not just the technical components. All information processing infrastructures (networks and computing devices) exist within a context defined by:

• how the deploying organization operates,
• what the deploying organization provides as services or products,
• who competes with the deploying organization,
• what legal and regulatory burdens the deploying organization has to accommodate, and
• who may target the deploying organization with the intent of personal or financial gain, political advantage, or ideological objectives.

Over time the technologies used for the processing, storage, and communicating of information have changed dramatically and rapidly. By presenting a systems engineering approach to information security, this book will assist security practitioners to cope with these rapid changes. Achieving information security is not a matter of dealing with specific technologies; rather, information security is a process of managing technologies to ensure that information is only accessible to valid users.
• Chapter 2 discusses the many legal, technical, competitive, criminal, and consumer forces and influences that are rapidly changing our information-dependent society, along with exploring the concepts of systems engineering and the value these concepts provide to the development of new products and services, and to the maintenance and evolution of existing products and services.
• Chapter 3 reviews fundamental security concepts of subjects, objects, security services, and the role of cryptography in information security.
• Chapter 4 considers different approaches for achieving authentication of individuals and systems.
• Chapter 5 delves into how to establish and manage an information security program, evaluate vulnerabilities, threats, and risks, and develop security requirements; the chapter also considers the value and impact of security standards and the major organizations involved with developing these standards.
• Chapter 6 describes the different forms and types of networks currently in use, along with the protocols relied upon that are the cause of many security problems. All protocol layers are considered, and any security capabilities are analyzed for effectiveness and usability.
• Chapter 7 focuses on the near future of next-generation network concepts and services defined within the developing Internet multimedia services framework.
• Chapter 8 provides an in-depth discussion of computer hardware that impacts information security, the role of operating systems in supporting information security, and what security mechanisms an operating system should include.
• Chapter 9 provides an examination of security capabilities in the major commercially available operating systems (Unix variants, Windows variants, and real-time) and then considers security issues within application software. This chapter concludes with a review of the different forms of malicious software (malware) encountered today and a number of anti-malware applications currently available.
• Chapters 10 and 11 provide descriptions and analysis of the available networking security mechanisms within each protocol layer of networks. Both stand-alone applications (including their associated protocols) and the major application frameworks (e.g., Java, .NET, CORBA, and DCE) are discussed from a security capabilities perspective.
• Chapter 12 explores the security issues within the management of networks, especially the management of security, and considers the organizational needs for effective security management, operational security mechanisms, security operations, and other life-cycle security issues. This chapter concludes with consideration of security within development, integration, and component purchasing activity areas.
• All appendices are available on the CD included with this book.
• Color versions of all figures presented in this book can be found on the enclosed CD.
• A solutions manual is available to accompany this book. To request a copy please visit ieeepress@ieee.org.
TARGET AUDIENCE

The major audience for this book includes graduate and undergraduate students studying, but not limited to, computer/information sciences/engineering, systems engineering, technology management, and public safety. The book is also written for professionals in the sciences, engineering, communications, and other fields that rely on reliable and trustworthy information processing and communications systems and infrastructures. The subject of information security (information assurance, computer security, and network security) is routinely covered as a set of individual subjects and rarely addressed from an engineering perspective. Most professional and academic books focus on the common body of knowledge promulgated by organizations such as (ISC)2 and ISSA, or target specific subjects (database management systems, incident response/forensics, Common Criteria, risks, encryption, Java, Windows, etc.).

This book considers the complete security life cycle of products and services, starting with requirements and policy development and progressing through development, deployment, and operations, and concluding with decommissioning.
ACKNOWLEDGMENTS

I would like to thank Thomas Plevyak for encouraging me to write this book, all of my former Verizon co-workers who routinely challenged my opinions regarding security, and Verizon's management who, over the years, provided me with many challenging and interesting security-related assignments. I also need to recognize four people, Allen H. Levesque, Richard Stanley, Fred Kotler, and George Wilson, who were instrumental in my mastering systems engineering concepts.
of the people who worked on it through background checks and screening procedures. What has radically changed and made the physical and administrative approaches to computer security insufficient is the interconnectedness of computers and information systems. Highly sensitive economic, financial, military, and personal information is stored and processed in a global network that spans countries, governments, businesses, organizations, and individuals. Securing this cyberspace is synonymous with securing the normal functioning of our daily lives.

Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance, First Edition. Stuart Jacobs.
© 2011 Institute of Electrical and Electronics Engineers. Published 2011 by John Wiley & Sons, Inc.
Secure information systems must work reliably despite random errors, disturbances, and malicious attacks. Mechanisms incorporating security measures are not just hard to design and implement but can also backfire by decreasing efficiency, sometimes to the point of making the system unusable. This is why some programmers used to look at security mechanisms as an unfortunate nuisance: they require more work, do not add new functionality, and slow down the application and thus decrease usability. The situation is similar when adding security at the hardware, network, or organizational level: increased security makes the system clumsier and less fun to use; just think of the current airport security checks and contrast them to the happy (and now so distant) pre–September 11, 2001 memories of buying your ticket right before boarding the plane. Nonetheless, systems must work, and they must be secure; thus there is a fine balance to maintain between the level of security on one side and the efficiency and usability of the system on the other. One can argue that there are three key attributes of information systems:

1. Processing capacity—speed
2. Convenience—user friendliness
3. Security—reliable operation

The process of securing these systems is finding an acceptable balance of these attributes.
1.2 THE SUBJECT OF SECURITY

Security is a word used to refer to many things, so its use has become somewhat ambiguous. Here we will try to clarify just what security focuses on. Over the years the subject of information security has been considered from a number of perspectives: as a concept, a function, and a subject area. We will discuss each of these perspectives and examine their value.

1.2.1 Branches of Security

A concept approach treats security as a set of related activity areas, or branches. Figure 1.1 shows the security-related areas typically considered. Note that all the areas are mutually dependent on each other.

Each security area focuses on a specific need to erect a barrier against inappropriate use of, or access to, the assets (information, capabilities, property, equipment, personnel, processes, etc.) considered valuable to an organization. Since there are now multiple avenues (approaches) by which assets can be targeted, multiple security area activities are necessary. Physical security capabilities are necessary to control physical access to:

• buildings, rooms, and offices;
• equipment used for processing, storing, transferring, or accessing information; and
• the cables used for communicating information between facilities, buildings, and even between individual systems on the same floor of a building.
Personnel security processes and procedures are necessary to:

• ensure that an organization's employees have been accurate in representing who they are and that academic or professional credentials and past experience are valid;
• verify the identities and validate the reasons for nonemployee (guests, visitors, service/supply personnel) access to the organization's facilities or other assets;
• ensure that the organization's security-related policies and procedures conform to legal constraints for employment, document disciplinary activities, and conditions for termination of employment; and
• inform both new and continuing employees as to what the organization considers necessary, acceptable, and unacceptable behavior.

Network security technology, processes, and procedures are necessary to ensure that:

• data transferred between networked devices are adequately protected from tampering, misuse, or destruction;
• networked devices are appropriately managed, monitored, and utilized; and
• networking resources are used only for acceptable activities.
Computer security spans all aspects of computing equipment: hardware, software, usage, and administration (e.g., device, data, applications/operating systems, operations, and database subareas), and is necessary to ensure that they are:

• adequately protected from tampering, misuse, or destruction;
• appropriately managed and monitored;
• utilized for organization-sanctioned activities and purposes; and
• available to support organization activities, processes, and functions.

Frequently security discussions focus primarily on networks, their links and interconnecting equipment, and on securing operating systems and applications. However, providing network security alone is not enough. Attackers can leverage other weaknesses to bypass the network security mechanisms in place. Network and computer security both need to be considered along with the other branches of security. The reader needs to remember that the term "information security" is generally used to refer to concepts, mechanisms, activities, and objectives that span all of the security areas mentioned above.

Regardless of what security area/branch is under discussion, the following three views of security measures can be applied to any situation: defense, deterrence, and detection. These are known as the three Ds of security.

• Defense—protect assets first. Network areas should be analyzed before adopting any protective efforts. Defense measures reduce the likelihood of an attack and lessen the risk of damage. Lack of defensive measures will leave sensitive information exposed and lead to losses. For example, installing a firewall is a good defensive measure. But this may not be enough; the other two modes of security—deterrence and detection—should not be ignored.
• Deterrence—reduce the frequency of security compromises. With deterrence mechanisms and policies in place, attackers have to expend more effort and thus risk discovery. Deterrence policies within an organization are enforced by using threats of discipline and termination of the employee if any company policies are violated (email, web browsing, etc.). Entering a computer network without company authorization is illegal, and laws are in place to prosecute and punish intruders. Intruders who know that their activities are being monitored will likely think twice before attacking a system.
• Detection—sound the alarm. Unfortunately, in practice, detection is the least implemented of the three and is often neglected. When security is violated without detection mechanisms in place, the breach could go unnoticed for a long time.

Each of the three Ds is important and complements the others. A security program that spans all three D categories provides strong protection. The following are examples of how each strategy can be implemented:

• Defensive controls—firewalls, access lists in routers, spam filters, virus filters, etc.
• Deterrent controls—email messages to employees, posting of internet sites visited, display of IP addresses to external visitors, etc.
• Detective controls—audit trails, log files, intrusion detection systems, summary reports, etc.
1.2.2 Defining Security by Function

Alternatively, security can be categorized under the following functional areas:
in the organization
1.2.2.2 Deterrence

Deterrence is a common method of control used by governments, businesses, and individuals to scare people into thinking twice before performing an action. For example, a person's actions could be manipulated by the negative motivational influence of displaying a message, such as

Your IP address 132.208.213.4 has been recorded and all activity is subject to monitoring and logging. Unauthorized access is subject to civil and criminal prosecution.

when any unauthorized person logs into a server or accesses a system. The individual may then reconsider proceeding further. There are, of course, individuals who will not comply, and this mechanism will not deter a worm, virus, or an automated attacker. Nevertheless, such notice at least informs an intruder that further activity is comparable to trespassing. Posting such a notice is a component, but not the sole component, of an organization's effort at ensuring "due diligence." Due diligence is a concept that applies in both civil and criminal contexts. In the civil litigation arena, due diligence refers to the effort made by a prudent or reasonable party to avoid harm to another party, and failure to make this effort could be considered negligence. In the criminal arena, due diligence is an available defense to a crime; however, defendants must prove beyond a reasonable doubt that they took every reasonable precaution.[1]
1.2.2.3 Prevention

From a business perspective, there is no product, or set of products, that will completely eliminate the chance of a security-related incident. There are two obvious explanations for this:

• The expense of such a set of products, and their likely negative impact(s) on operational usefulness and life-cycle costs, will undoubtedly outweigh the economic damages suffered from the loss(es) caused by an incident. Unless a cost-benefit analysis is performed, more money may be expended to protect an asset than is justified by the asset's value. For example, it does not make economic sense to spend $10,000,000 to protect an asset with a replacement cost of $1,000,000.
• Business systems routinely interact with humans who may have motives contrary to an organization's interests. Humans are the least dependable component in any system dedicated to ensuring the security of an organization's assets. History is full of examples where "highly trusted" people engaged in unauthorized, even criminal, activities.

There are certain situations where a security-related incident can result in the loss of life or equivalent harm. Law enforcement organizations, branches of the military, and other governmental and nongovernmental groups work under such circumstances. The security breaches that military, security, and law enforcement organizations face are frequently measured in people dying. This type of loss cannot be considered acceptable at any cost, and consequently what the community considers affordable becomes a social/political issue of priorities, philosophy, and ethics.

However, most mishaps can be prevented by employing both procedural and technical security mechanisms that enforce authentication, authorization, confidentiality, and integrity based on well-thought-out planning. Procedural mechanisms encompass understanding what needs protection, who needs access, who is responsible for different things, and what management and administrative responsibilities need to be considered. Procedural mechanisms can include separation of duties, mandated auditing, and separation of operational from development environments. Technical mechanisms include deploying packet filtering, strong authentication, encryption, virus prevention, malicious code filtering, and so forth. Each product provides a degree of protection and, when deployed in combination, can provide cost-effective layers of protection.

[1] This observation is not intended to provide the reader with legal advice. The reader should consult legal counsel regarding civil or criminal issues.
1.2.2.4 Detection

Despite the best prevention measures, a system is prone to be attacked[2] at some time. Measures should be in place to detect and record the presence and activities of not just the suspected attacker, but any administrative personnel, service users, subscribers, or customers as the conditions change. Most organizations are allowed by law to monitor activity within their networks for maintenance purposes. Commercial organizations may control any activity within their internal networks. Telecommunications service providers (TSPs) who offer telephone (telecommunications) services and web/data (information) services to the general public are also required to support law enforcement agencies (LEAs) in "wire-taps" and "intercepts" of criminal suspects. Organizations, both large and small, should make use of intrusion detection system (IDS) mechanisms, auditing and log analysis, virus/spyware/malware scanners, and file-monitoring programs.
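The log analysis the paragraph above calls for is easiest to see on a concrete case. The following is an added example, not code from the book: a sliding-window detector that reads sshd authentication lines (the format sshd writes to auth.log), flags a source address that accumulates repeated failed logins inside a time window, and escalates when the same source then succeeds. The log lines are constructed for this example, the addresses come from the RFC 5737 documentation ranges, and the threshold and window values are assumptions to be tuned per site.

```python
"""Sliding-window brute-force detector over sshd authentication log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd emits (auth.log style).
# 203.0.113.x / 198.51.100.x are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
Mar 14 02:11:03 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar 14 02:11:05 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
Mar 14 02:11:08 bastion sshd[4125]: Failed password for root from 203.0.113.5 port 50124 ssh2
Mar 14 02:11:10 bastion sshd[4129]: Failed password for root from 203.0.113.5 port 50125 ssh2
Mar 14 02:11:12 bastion sshd[4133]: Failed password for root from 203.0.113.5 port 50126 ssh2
Mar 14 02:11:40 bastion sshd[4140]: Accepted password for root from 203.0.113.5 port 50131 ssh2
Mar 14 02:15:00 bastion sshd[4201]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Mar 14 02:15:30 bastion sshd[4202]: Accepted publickey for alice from 198.51.100.7 port 41001 ssh2
Mar 14 03:00:00 bastion sshd[4300]: Failed password for bob from 198.51.100.9 port 42000 ssh2
Mar 14 03:30:00 bastion sshd[4301]: Failed password for bob from 198.51.100.9 port 42001 ssh2
Mar 14 04:00:00 bastion sshd[4302]: Failed password for bob from 198.51.100.9 port 42002 ssh2
Mar 14 04:30:00 bastion sshd[4303]: Failed password for bob from 198.51.100.9 port 42003 ssh2
Mar 14 05:00:00 bastion sshd[4304]: Failed password for bob from 198.51.100.9 port 42004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2011):
    """Return (timestamp, outcome, user, src) or None for lines not modelled.
    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag a source once it reaches `threshold` failures inside `window`,
    and raise a second, higher-severity alert if that source then logs in
    successfully while still above the threshold (a likely guessed password).
    Returns a list of alert tuples in the order they fire."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                          # unrelated line, e.g. session opened
        ts, outcome, user, src = rec
        q = recent[src]
        while q and ts - q[0] > window:       # expire failures older than the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, ts))
        elif src in flagged and len(q) >= threshold:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, ts, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```

On the constructed sample, 203.0.113.5 trips the threshold within seconds and its later successful root login is escalated, while 198.51.100.9, which spaces its guesses thirty minutes apart, never has more than one failure inside a ten-minute window and is missed. That is the trade-off the window encodes: widening it (or correlating across hosts) catches low-and-slow guessing at the cost of more state and more noise, which is why the values are tunables rather than constants.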
1.2.2.5 Recovery

Recovery considers how an organization is able to perform its primary functions and operations even in the face of natural or human-created situations. This area has typically been referred to as "disaster recovery," although the term "business continuity" is becoming more common today. Unfortunately, business continuity planning too frequently focuses primarily on natural disasters. Human-created situations, including security-oriented attacks, necessitate consideration in any business continuity plan. A physical recovery plan is important. Such a plan should include a solid backup and recovery system, procedures for secure off-site storage, contact lists, and so forth. Some plans should have a section dealing with business continuity using such mechanisms as geographic facility and system redundancy, redundant links and servers, and distributed load-sharing implementations. A logical recovery plan should include discussion of how to restore organizational capabilities even when some form of security-related attack is occurring. Planning for these situations needs to consider how:

• assets under attack can be isolated from "healthy" enterprise resources, thereby limiting the scope of an attack and minimizing the extent of damage or loss;
• services or functions remain available to legitimate users while an attack is occurring; and
• damaged or destroyed assets will be restored upon cessation of an attack.
1.2.3 The Common Body of Knowledge (CBK) Security Domains

Over 20 years ago many organizations recognized that geographically distributed interconnected systems were much more vulnerable than mainframe systems with minimal connectivity. At that time few educational institutions offered any form of information security curricula, let alone academic degrees. This deficiency led to the establishment of the International Information Systems Security Certification Consortium (ISC)2, a nonprofit organization with the purpose of educating and certifying information security professionals. (ISC)2 certifications are based on a compendium of information security topics called the "common body of knowledge" (CBK). The CBK is the critical body of knowledge that serves as a common framework of security concepts, definitions, and principles that foster understanding of best practices among those engaged in activities related to information assurance/security.

[2] The term "attack" here is used to refer to some action by a human, or initiated by a human, that is intended to cause some form of damage or loss to assets of an organization. A key component of what constitutes an attack is motivation. The author does not consider an unintentional act to constitute an attack, even though such an act or action may increase the likelihood of an attack occurring.

The CBK categorizes security issues in terms of its elements in the following domains (areas):

• Access control systems and methodology
• Applications and systems development security
• Business continuity planning and disaster recovery planning
• Cryptography
• Information security and risk management
• Legal, regulations, compliance, and investigations
• Operations security
• Physical security
• Security architecture and models
• Telecommunications and network security

Confidentiality, integrity, and availability (CIA) are the core tenets of information security and are widespread over all the domains of the Common Body of Knowledge. Confidentiality is the measure of the secrecy of information. An organization determines how data are to be used and assigns a confidentiality level to that data. If data are transmitted from one place to another, confidentiality ensures that they were not observed by those who are not entitled to know their contents. Integrity ensures that the information is accurate and reliable. If data are transmitted from one place to another, integrity ensures that they were not tampered with. Availability deals with the ability of users to access the information. It is commonly achieved through access control systems, redundant links and servers, and also with policies that take natural disasters into consideration.
1.2.3.1 Access Control Systems and Methodology By the CBK definition,access control refers to a collection of mechanisms that allow the user/administrator of asystem to have a directing or restraining influence over the behavior, use, and content ofthe system Consequently access controls are enforcement mechanisms that determinewhether an action is authorized to occur Access control methods determine what a usercan access in the system User’s actions can be monitored for accountability There aretwo main types of access control methods:
. Discretionary access control (DAC)—the access control decision is made by theindividual user For example, the user creates a file, defines an access control list
Trang 37specifying who can access the file and how much access (read, write, etc.) eachuser can have.
. Mandatory access control (MAC)—access control is imposed by categorizing resources and users based on a predetermined set of established criteria. For example, in military and government organizations dealing with sensitive data, the users and resources may be organized into the following categories: unclassified, confidential, secret, and top secret.
Based on these two broad types of access control, several other methods have been developed to make them more comprehensive. Some of these are described below:
. Lattice based—defines the relationships within a MAC system. Usually, groups exist within each category, and the access control method determines how control flows from one group to the other.
. Rule based—again a MAC-based system, which uses a strict set of rules but requires a lot of management and administration.
. Role based—various roles are defined and users are assigned to these roles. Permissions are then based on the job roles rather than on a specific user. Examples of roles include system administrators, backup operators, and printer managers.
. Access control list (ACL)—often used to define rules in firewalls and routers based on IP addresses. Also used by some operating systems to define the accesses between users and resources.
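The models listed above can be made concrete in a few dozen lines. The following is an example added for this page, not code from the book: it implements a DAC object whose owner manages an ACL, a MAC classification lattice (the four levels named in the text plus need-to-know compartments) enforced with the "no read up" and "no write down" rules of the Bell-LaPadula model, and a role-based check where permissions attach to roles rather than users. The subjects, objects, roles and labels are made up for the illustration.

```python
"""Added illustration of DAC, lattice-based MAC and role-based access control.
Example code written for this page, not code from the book; all subjects,
objects, roles and labels are constructed."""
from dataclasses import dataclass, field

# --- MAC: classification lattice ------------------------------------------
# The four levels form a total order; adding compartments (need-to-know
# categories) turns it into a lattice: a label dominates another only if its
# level is at least as high AND it holds every compartment of the other label.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject must dominate the object."""
    return subject.dominates(obj)


def mac_can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object must dominate the subject, so a
    SECRET subject cannot copy data into a CONFIDENTIAL object."""
    return obj.dominates(subject)


# --- DAC: owner-managed access control list --------------------------------
@dataclass
class DacFile:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, actor: str, user: str, perms: set) -> None:
        # Discretionary: only the owner decides who gets which permissions.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner and cannot change the ACL")
        self.acl.setdefault(user, set()).update(perms)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


# --- RBAC: permissions attached to roles, users attached to roles ----------
ROLE_PERMS = {
    "system administrator": {"create_user", "read_logs", "create_backup", "manage_printers"},
    "backup operator": {"create_backup"},
    "printer manager": {"manage_printers"},
}
USER_ROLES = {"carol": {"backup operator"}, "dave": {"printer manager"}}


def rbac_allows(user: str, perm: str) -> bool:
    """A user holds a permission only through one of their roles."""
    return any(perm in ROLE_PERMS[role] for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"NATO"}))
    memo = Label("confidential")
    print("MAC read down:", mac_can_read(analyst, memo))       # True
    print("MAC write down:", mac_can_write(analyst, memo))     # False
    report = DacFile(owner="alice")
    report.grant("alice", "bob", {"read"})
    print("DAC bob read:", report.allows("bob", "read"))       # True
    print("RBAC dave printers:", rbac_allows("dave", "manage_printers"))  # True
```

Note how the compartment check is what separates a lattice from a plain ordering: a "top secret" subject with no compartments still cannot read a "secret" object tagged with one.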
The CBK access control domain not only focuses on access control mechanisms, it also includes:
. identification and authentication mechanisms and techniques,
. administration of access control mechanisms, and
. mechanisms/methods for attacking information systems.
1.2.3.2 Application and Systems Development Security. By the CBK definition, this domain refers to the controls that are included within systems and applications software in centralized and distributed environments and the steps used in their development. Applications are vulnerable through buffer overflow attacks, cross-site scripting attacks, SQL injection attacks, and so forth. Software security should be considered at the beginning of the design and implementation phases. Developers should understand how to produce secure, stable, and efficient software that is not vulnerable to known common types of attacks. Development projects, being under time pressure, often overlook these security aspects. This domain educates programmers and users about the inherent threats that their developed applications could face at a later time. The CBK Application and Systems Development Security domain not only focuses on system internal security mechanisms, it also includes:
. data warehousing and data mining,
. risks associated with various software development practices,
. vulnerabilities within software components, and
. malicious software used for attacking information systems.
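Of the attack classes the domain names, SQL injection is the easiest to show end to end. The following example is added for this page (it is not the book's code): the same login lookup written so that user input is spliced into the SQL statement, and written with a parameterized query. The table, the two accounts and the two attack strings are constructed; passwords are stored in clear text only to keep the injection visible, a real system stores a salted password hash.

```python
"""Added example: an injectable login query beside its parameterized form.
Illustration code for this page, not code from the book; table, accounts and
attack strings are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name: str, password: str):
    # Attacker-controlled text is spliced into the statement, so quotes and
    # operators in the input are interpreted as SQL rather than as data.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name: str, password: str):
    # Placeholders hand the values to the driver separately from the query
    # text; whatever the input contains, it can only ever be compared as data.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


# Two constructed attack strings.
TAUTOLOGY = "' OR '1'='1"   # in the password field: WHERE clause becomes always true
COMMENT = "alice' --"       # in the name field: "--" comments out the password check


def demo() -> dict:
    conn = make_db()
    return {
        "vuln_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),   # "alice"
        "vuln_comment": login_vulnerable(conn, COMMENT, "wrong"),       # "alice"
        "safe_tautology": login_safe(conn, "alice", TAUTOLOGY),         # None
        "safe_comment": login_safe(conn, COMMENT, "wrong"),             # None
        "safe_real": login_safe(conn, "alice", "s3cret"),               # "alice"
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result!r}")
```

The vulnerable function builds `... password = '' OR '1'='1'`, which matches every row, and `... name = 'alice' --' AND ...`, where everything after `--` is a comment; the parameterized function compares the same strings as literal values and finds no user.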
1.2.3.3 Business Continuity Planning and Disaster Recovery Planning. This domain addresses the continuation of the business in the event of a major disruption to normal business operations. In the event of a natural disaster or a major calamity, the entire company's resources could be lost. Whether the company survives or not depends on how it prepares for those types of events. A disaster recovery plan determines what is required to keep the business functioning. These items should be prepared ahead of time, and the procedures required to get the necessary data back online should be thought out in advance. This plan is a short-term plan. Its objectives include:
. protecting the organization from major systems failure,
. minimizing the risk to the organization from delays in providing services,
. guaranteeing the reliability of standby systems through testing and simulation, and
. minimizing the decision-making required by personnel during a disaster.
The business continuity plan is a long-term plan that looks at recovery from beginning to end. It incorporates the disaster recovery plan and takes over when the threat occurs. It is essential to keep the recovery plans up to date, to monitor critical assets, and so forth. This helps reduce damage in the long run. The major components of this process are:
. Scope and plan initiation—to create the scope and define the parameters of the plan.
. Business impact assessment—to understand the impact of a disruptive event.
. Business continuity plan development—includes plan implementation, testing, and maintenance.
Plan approval and implementation is another component that involves getting the plan approved and making people aware of it. Also important is implementing a maintenance procedure for updating the plan as needed.
1.2.3.4 Cryptography. By the CBK definition, this domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity. Data are encrypted and validated to ensure that they remain secure and intact. Only authorized people can access the encrypted data, through the process of decryption. Cryptography can also provide nonrepudiation (irrefutable proof that a message was created by a given person). Two types of encryption exist:
. Symmetric encryption—uses a shared key to both encrypt and decrypt the data.
. Asymmetric encryption—uses two keys, a public key and a corresponding private key. Before data are transmitted, the data are encrypted with the recipient's public key. The encrypted data can only be decrypted with the recipient's private key.
The CBK Cryptography domain not only focuses on the cryptographic mechanisms themselves, it also includes:
. infrastructures for the management of public keys allowing individuals to obtainvalid keys and know when keys are no longer valid,
. risks associated with various encryption algorithms and how they may bedeployed, and
. techniques used for attacking the use of cryptography.
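The key direction described for asymmetric encryption, and the nonrepudiation property mentioned just before it, can be seen directly in textbook RSA. The following worked example is added for this page and is not code from the book: it encrypts with the recipient's public key and decrypts with the private key, then signs a message with the private key so anyone holding the public key can verify it. The two primes are known Mersenne primes chosen so the numbers stay small enough to follow; the message, amounts and names are constructed. Unpadded RSA with a toy modulus is for illustration only: a real deployment uses keys of 2048 bits or more, OAEP/PSS padding and a vetted library.

```python
"""Added example: textbook (unpadded) RSA encryption and signing.
Illustration code for this page, not the book's. Toy-sized modulus built from
two known Mersenne primes; never use raw RSA like this in production."""
import hashlib

P = (1 << 61) - 1     # 2^61 - 1, a Mersenne prime
Q = (1 << 89) - 1     # 2^89 - 1, a Mersenne prime
E = 65537             # the customary public exponent


def keygen(p: int = P, q: int = Q, e: int = E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+): e*d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public, message: bytes) -> int:
    """Sender side: only the recipient's public key is needed."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key; there is no padding in this toy")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    """Recipient side: only the holder of d can undo the exponentiation.
    Leading zero bytes of the plaintext are not preserved in this toy."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes, n: int) -> int:
    # The hash is reduced mod n only because the toy modulus is under 256 bits.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    """Signing uses the private key, so only its holder could have produced it."""
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature against the message."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    pub, priv = keygen()
    msg = b"PAY 100 TO BOB"
    ct = encrypt(pub, msg)
    print("round trip ok:", decrypt(priv, ct) == msg)                  # True
    sig = sign(priv, msg)
    print("genuine:", verify(pub, msg, sig))                           # True
    print("altered:", verify(pub, b"PAY 900 TO BOB", sig))             # False
```

The failed verification of the altered message is the integrity half of the story; the fact that `sign` needs `d` while `verify` needs only `e` is the nonrepudiation half.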
1.2.3.5 Information Security and Risk Management. This domain is concerned with the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify them, and consider the vulnerabilities they exploit, so that effective security controls can be implemented. This domain also includes personnel security, training, and security awareness. The organization needs to determine the items to be protected, see how they are accessed, then select controls, and audit the users who operate the devices.
What are the threats to our infrastructure, and what is at risk? Consider the confidentiality, integrity, and availability tenets of security. Any physical damage or interruption in providing system services affects availability. Unauthorized disclosure of information breaches confidentiality. Any loss of control over the system compromises integrity. A theft affects all three of the aspects mentioned above.
1.2.3.6 Legal, Regulations, Compliance, and Investigations. By the CBK definition, this domain addresses computer crime laws and regulations, investigative measures and techniques that can be used if a crime is committed, methods to gather evidence, and the ethical issues and code of conduct for security professionals. Intruders can access private data, destroy information, steal intellectual property, and so forth. The owner of the system should report the crime, making sure that no evidence is destroyed or lost. Federal, state, or civil laws may be applicable depending on the crime committed. Even if the attacker is identified, it is important not to attack the attacker. Attacking an attacker is considered illegal by many nations and should not be engaged in.
Computer forensics is the field of computer crime investigation and deals with the collection of information from computer systems that will be admissible in a court of law. Gathering, control, storage, and preservation of evidence are crucial. The evidence must be relevant, legally permissible, reliable, properly identified, and preserved to be admissible. Legal evidence can be classified into the following types:
. Best evidence—the original or primary evidence rather than a copy.
. Secondary evidence—a copy of the original evidence.
. Direct evidence—information obtained from a witness's own observation.
. Conclusive evidence—incontrovertible evidence.
. Expert opinion—the opinion of a qualified expert.
. Circumstantial evidence—an inference drawn from other facts.
. Hearsay evidence—second-hand evidence; computer-generated records have traditionally been placed in this category.
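The requirement that evidence be properly identified and preserved is met in practice by fingerprinting each item at acquisition and keeping a custody log. The following example is added for this page, not taken from the book: it records two digests and the size of an acquired file, appends every hand-over to a custody record that cannot be edited in place, and lets a later copy (secondary evidence) be shown to be bit-for-bit identical to the original, or shown to have been altered. The evidence bytes, item identifier, custodians and timestamps are constructed; the log line uses a documentation IP range.

```python
"""Added example: evidence fingerprinting and chain-of-custody record.
Illustration code for this page, not the book's; all sample data constructed."""
import hashlib
import json


def fingerprint(data: bytes) -> dict:
    """Size plus two independent digests, computed once at acquisition.
    A second digest is customary in acquisition reports so that a weakness in
    one algorithm does not undermine the identification on its own."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


class EvidenceItem:
    def __init__(self, item_id: str, description: str, data: bytes,
                 collected_by: str, when: str):
        self.item_id = item_id
        self.description = description
        self.fingerprint = fingerprint(data)
        # Every hand-over is appended, never edited: this is the custody record.
        self.custody = [{"action": "acquired", "by": collected_by, "at": when}]

    def current_custodian(self) -> str:
        return self.custody[-1]["by"]

    def transfer(self, from_person: str, to_person: str, when: str) -> None:
        # A transfer is only valid if it comes from whoever holds the item now.
        if self.current_custodian() != from_person:
            raise ValueError(f"{from_person} is not the current custodian")
        self.custody.append({"action": "transferred", "from": from_person,
                             "by": to_person, "at": when})

    def verify(self, data: bytes) -> bool:
        """True only if the bytes presented now match the acquisition fingerprint."""
        return fingerprint(data) == self.fingerprint

    def manifest(self) -> str:
        """The record that accompanies the item; suitable for printing and signing."""
        return json.dumps({"item_id": self.item_id,
                           "description": self.description,
                           "fingerprint": self.fingerprint,
                           "custody": self.custody}, indent=2, sort_keys=True)


# Constructed sample: the content of a seized authentication log.
ORIGINAL = b"2011-03-04 02:17:55 sshd: Accepted password for root from 198.51.100.7\n"
TAMPERED = ORIGINAL.replace(b"root", b"guest")


if __name__ == "__main__":
    item = EvidenceItem("E-001", "auth.log from web server", ORIGINAL,
                        "examiner1", "2011-03-04T09:00Z")
    item.transfer("examiner1", "evidence-lab", "2011-03-04T11:30Z")
    print(item.manifest())
    print("original matches:", item.verify(ORIGINAL))   # True
    print("tampered matches:", item.verify(TAMPERED))   # False
```

The copy that is later handed to counsel or to an expert can be checked with `verify`; if the digests match, the copy stands in for the original, and if they do not, the custody log shows who held the item between acquisition and the mismatch.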
Incident planning addresses the handling of malicious attacks through technical meansand should address the following questions:
. What is the incident?
. How should it be reported?
. To whom should it be reported?
. When should management be informed of the incident?
. What action should be taken if an incident is detected?
. Who handles the response to an incident?
. How much damage was caused by the incident?
. What information was damaged or compromised by the incident?
. How are follow-up and review after the incident handled?
. What additional safeguards can be instituted as a result?
This CBK domain also includes consideration of software licensing and software piracy along with import-export laws and issues.
1.2.3.7 Operations Security. This domain identifies the controls over hardware, media, and operations personnel with access privileges to any of these resources. Auditing and monitoring mechanisms are used to identify security events and report the information appropriately. To build a defensive system, put yourself in your opponent's role and see where the vulnerabilities are. Determine the resources that need to be protected and the privileges that need to be restricted. The following key principles have to be considered: identifying critical information, analyzing threats, assessing vulnerabilities and risks, and applying countermeasures. Operations Security uses indicators collected via log files, auditing, monitoring, and the like. Other sources of