Unit1cs Notes

Cyber Security 3

Uploaded by

rameshgopal6666
Copyright
© All Rights Reserved

1) Denial-of-service (DoS):

• The availability of a resource is intentionally blocked or degraded by an attacker.
• A DoS attack can occur through one of two vectors: either on the local system, or remotely from across a network.
• The attack concentrates on degrading processes, degrading storage capacity, destroying files to render the resource unusable, or shutting down parts of the system or its processes.
2) Information Leakage:
• Information leakage is an abused resource that precedes an attack.
• Military generals rely on information from reconnaissance troops that have penetrated enemy lines to observe the type of weapons, manpower, supplies and other resources possessed by the enemy.
• Attackers enter the network to perform the same task, gathering information about programs, operating systems, and network design on the target network.
3) Regular File Access:
• Regular file access can give an attacker several different means from which to launch an attack.
• Regular file access may allow an attacker to gain access to sensitive information, such as the usernames or passwords of users on a system.
• Regular file access could also lead to an attacker gaining access to other files, for example by changing the permissions or ownership of a file, or through a symbolic link attack, in which a privileged program is tricked into following an attacker-planted link and writing to a file it never intended to touch.
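The symbolic link attack mentioned above, as an added example that is not part of the original notes: a privileged program writes a report into a shared directory (standing in for /tmp) by name, but the attacker has already planted a symlink of that name pointing at a file they are not allowed to write, so the naive write clobbers it. The hardened writer opens with O_EXCL and O_NOFOLLOW and refuses. The protected file, the shared directory and the report name are constructed for the demonstration, and a POSIX system (Linux or macOS) is assumed because os.O_NOFOLLOW does not exist on Windows.

```python
"""Symbolic link attack on a privileged program writing into a shared directory.

Added example (not from the original notes). The "protected" file, the shared
directory standing in for /tmp and the predictable report name are all
constructed for the demonstration. Requires a POSIX system (os.O_NOFOLLOW).
"""
import errno
import os
import tempfile

ATTACK_PAYLOAD = b"ATTACKER-CONTROLLED\n"
ORIGINAL = b"original contents\n"


def unsafe_write(path: str, data: bytes) -> None:
    """The classic mistake: open by name and follow whatever the name resolves to.
    If an attacker planted a symlink at `path`, the write lands on its target."""
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Hardened version: create the file exclusively (O_EXCL, so any pre-existing
    entry is an error) and never follow a symlink (O_NOFOLLOW). The kernel does
    both checks atomically, closing the race that an os.path.islink() test
    before open() would leave open."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def simulate(writer) -> dict:
    """Run one attack scenario against `writer`.

    Returns {"victim": final contents of the protected file,
             "refused": True if the writer declined to follow the link}.
    """
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "protected_file")   # what the attacker wants overwritten
        with open(victim, "wb") as f:
            f.write(ORIGINAL)

        shared = os.path.join(work, "shared")            # stands in for a world-writable /tmp
        os.mkdir(shared)
        report = os.path.join(shared, "report.txt")      # name the privileged program will use

        # Attacker's move: pre-plant a symlink under the predictable name.
        os.symlink(victim, report)

        # Privileged program's move: write its report.
        refused = False
        try:
            writer(report, ATTACK_PAYLOAD)
        except OSError as e:
            # O_NOFOLLOW reports ELOOP, O_EXCL reports EEXIST; either means the
            # link was not followed. Anything else is a genuine failure.
            if e.errno not in (errno.ELOOP, errno.EEXIST):
                raise
            refused = True

        with open(victim, "rb") as f:
            return {"victim": f.read(), "refused": refused}


if __name__ == "__main__":
    print("unsafe:", simulate(unsafe_write))
    print("safe:  ", simulate(safe_write))
```

The point of `safe_write` is that the check and the create happen in a single open() call; testing for a link first and then opening would leave a window in which the attacker can swap the link in.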
4) Misinformation:
• The concept of misinformation can present itself in many ways.
• It is false or misleading information supplied to the target system or its administrators.
5) Special File/Database Access:
• Other methods used to gain access to a system are through special files and database access.
• These types of files, although different in structure and function, exist on all systems and all platforms.
• From an NT system to a Sun Enterprise 15,000 to a Unisys mainframe, these files are common amongst all platforms.

6) Remote Arbitrary Code Execution:

• Remote code execution is one of the most commonly used methods of exploiting systems.
• Several noteworthy attacks on high profile websites have been due to the ability to execute arbitrary code remotely.
• Remote arbitrary code execution is serious in nature because it often does not require authentication, and so can be exploited by anybody who can reach the service.
7) Elevation of Privileges:
• Elevation of privileges is certainly the most common of all attacks launched.
• An elevation of privileges occurs when a user gains access to resources that were not previously authorized.
• These resources may be anything from remote access to a system to administrative access on a host.
Qualities of a Good Network:
• Computer networks must respond to many needs. These needs often collide. The conflicts start with the fundamental incompatibility of access and security needs.
• The need for security will always conflict with the need for access.
A network must have qualities like these:
• Network components should work together
• Operations should be transparent to users
• Must provide remote access
• Must maintain peak performance

Organization security needs:

1. Confidentiality
2. Reliability
3. Integrity
• A network should not allow anyone to see confidential information without authorization.
• It requires a reliable way to identify users.
• A good quality network requires an appropriate combination of statistical, engineering, management and motivational efforts.

SECURITY POLICIES, STANDARDS AND GUIDELINES

INFORMATION POLICY

INTRODUCTION:
➢ The cost to businesses of stolen, misused, or altered information can be high, especially if real and purported damages to customers can be traced back to mismanagement.
➢ The objective of security management is to eliminate or minimize computer vulnerability to destruction, modification, or disclosure.
POLICY
➢ Policy provides the rules that govern how systems should be configured and how employees of an organisation should act in normal and unusual circumstances.
➢ Policy defines how employees should perform certain security-related duties such as the administration of users.
➢ Policy defines how employees are expected to behave when using systems that belong to the organization.
➢ Security policies can generally be subdivided into several categories:
1. Computer systems and networks
2. Personnel management
3. Physical security
1. COMPUTER SYSTEMS AND NETWORKS:
▪ These policies apply generally to system and network administrators who are responsible for designing, implementing and supporting computers and networks.
▪ Examples include password and authentication mechanisms, and system level protection such as antivirus.
2. PERSONNEL MANAGEMENT:
➢ These policies apply to individual employees.
➢ These policies tell the employees how to conduct everyday business in a secure fashion.
➢ Examples include handling of sensitive or confidential information, and dealing with social engineering.
3. PHYSICAL SECURITY:
• These policies typically apply to the facilities, and somewhat peripherally to system and network administrators. They define what types of physical security controls are to be used.
• Examples include visual surveillance, door entry mechanisms and audible alarms.
• The security policy tells its audience what must be implemented. It does not address how it should be implemented.
• Security policies vary from organization to organization.

• First, business requirements must be clearly defined and the scope of the policy must be clarified.
• The business requirements definition and the scope definition should be part of the management and planning (initial) phase of any implementation.
• Once the security policy is documented, management decisions can be made with regard to the design and implementation of network technologies and controls.
SECURITY POLICIES, STANDARDS AND GUIDELINES
➢ An important part of any organization's approach to implementing security is its policies, standards, procedures and guidelines.
1. Policies are high-level, broad statements of what the organization wants to accomplish. They are made by management when laying out the organization's position on some issue.
2. Standards are mandatory elements regarding the implementation of a policy. They are accepted specifications providing specific details on how a policy is to be enforced.
3. Guidelines are recommendations relating to a policy.
4. Procedures are the step-by-step instructions on how to implement policies in the organization.
• The constant monitoring of the network and the periodic review of the relevant documents are part of a process known as the operational model. When applied to policies, this process is known as the policy life cycle.
• This operational process roughly consists of four steps:
1. Plan
2. Implement
3. Monitor
4. Evaluate.
The first step is to plan for security in the organization by developing the policies, procedures, and guidelines.
In the second step, implement the plans, then monitor to ensure that both the hardware and software and the policies, procedures and guidelines are effective in securing the systems.
Finally, evaluate the effectiveness of the security measures. After evaluating the security posture, begin again with step one, now adjusting the security mechanisms, and continue with this cyclic process.
INFORMATION POLICY
❖ The information policy defines what sensitive information is within the organization and how that information should be protected. This policy should be constructed to cover all information within the organization.
❖ Each employee is responsible for protecting sensitive information that comes into the employee's possession. Information can be in the form of paper records or electronic files.
❖ An information policy must address how sensitive information is transmitted. Information can be transmitted in a number of ways (e-mail, regular mail, fax), and the policy should address each of them.
❖ For sensitive information sent through e-mail, the policy should specify encryption of the file or the body of the message.
❖ If hardcopies of the information are to be sent, some method that requires a signed receipt is appropriate.
❖ When a document is to be faxed, it is appropriate to require a phone call to the receiving party and for the sender to request that the receiver wait by the fax machine for the document. This will prevent the document from sitting on the receiving fax machine for an extended period of time.
❖ Information of different types needs to be secured in different ways. Therefore, a classification system is needed.
❖ A classification system with four classes is proposed below.
❖ The lowest, Class 1, is for the least sensitive information and the highest, Class 4, is for the most sensitive information.
CONCEPTS:
➢ All data has an owner.
➢ The data or process owner must classify the information into one of the security levels depending on legal obligations, costs, corporate policy and business needs.
➢ If the owner is not sure at what level data should be classified, level 3 is used.
➢ The owner must declare who is allowed to access the data.
➢ The owner is responsible for this data and must secure it or have it secured according to its classification.
➢ All documents should be classified, and the classification level should be written on at least the title page.
Class 1: Public/non-classified information
➢ Data on these systems could be made public without any implications for the company.
➢ Data integrity is not vital. Loss of service due to malicious attacks is an acceptable danger.
➢ Examples: test services without confidential data, certain public information services.
Class 2: Internal information
➢ External access to this data is to be prevented, but should this data become public, the consequences are not critical. Internal access is selective.
➢ Data integrity is important but not vital.
➢ Examples of this type of data are found in development groups, certain production public services, and telephone books.
Class 3: Confidential information
➢ Data in this class is confidential within the company and protected from external access. If such data were to be accessed by unauthorized persons, it could influence the company's operational effectiveness, cause an important financial loss, provide a significant gain to a competitor or cause a major drop in customer confidence.
➢ Data integrity is vital.
➢ Examples: salaries, personnel data, accounting data, passwords.
Class 4: Secret information
• Unauthorized external or internal access to this data would be critical to the company.
• Data integrity is vital.
• The number of people with access to this data should be very small. Very strict rules must be adhered to in the usage of this data.
• Examples: military data, secret contracts.
• The security required of a system depends on the information it processes and for what purpose.
• Systems need to be broken down into components and the security of each component analyzed. When a user accesses data, he passes through a variety of possible security controls, or components.
• For data to be secured, each of the different layers, from physical to operating system, needs to be correctly monitored.

SECURITY POLICY
➢ The implementation of this policy falls on the system and network administrators with the backing of management.
➢ The security policy defines the technical requirements for security on computer systems and network equipment. It defines how a system or network administrator should configure a system with regard to security.
➢ The security policy should define the requirements to be implemented by each system.
➢ The policy itself should not define specific configurations for different operating systems.
➢ The security policy should define how users will be identified.
➢ This means that the security policy should either define a standard for user IDs or point to a system administration procedure that defines that standard.
➢ The security policy should define the standard requirements for access controls to be placed on electronic files.
➢ The security policy should require the following events to be audited:
1. Logins
2. Logouts
3. Failed access to files or system objects
4. Remote access
5. Privileged actions
6. System events
Each audit record should also capture the following information:
❖ User ID
❖ Date and time
❖ Process ID
❖ Action performed
❖ Success or failure of the event
➢ The security policy should specify how long the audit records should be kept and how they should be stored.
➢ The security policy should define the type of security device to be used on network connections.
➢ The security policy should define acceptable encryption algorithms for use within the organization and point back to the information policy to show the appropriate algorithms to protect sensitive information.
PHYSICAL SECURITY
➢ Physical security consists of all mechanisms used to ensure that physical access to the computer systems and networks is restricted to only authorized users.
➢ The physical security of the organization's building is a key component of information security.
➢ For example, the data center should have separate physical access control from the building as a whole.
SOCIAL ENGINEERING
➢ Social engineering is the process of convincing an authorized individual to provide confidential information or access to an unauthorized individual.
➢ Kevin Mitnick, a convicted cyber criminal turned security consultant, once stated: "Don't rely on network safeguards and firewalls to protect your information."
SECURITY PROCEDURES
• Procedural security is a set of management and supervisory controls. It includes rules for the use of computers and data, and ways to detect unauthorized use. It covers:
❖ Data input
❖ Data processing
❖ Network security and management
❖ Program development
❖ Output
❖ Communication
❖ Storage.
Most procedural security measures are based on two established principles:
➢ Make each employee personally accountable.
➢ Make sure that it takes more than one person to commit a fraudulent act. If a sensitive transaction is made, the organization should be able to identify the person responsible and hold that employee personally responsible for the results.
A good procedural security program should include:
➢ A written policy that spells out employees' responsibilities, provides a means to detect violations, and has enough management control to make sure it is properly implemented.
➢ Management controls to make sure the policies are observed and that employees keep up with the development of the computer system: control over the processes of computer use, and over access to programs and data.
➢ Regular tests of the security system, to make sure it is adequate and employees are observing the proper procedures.
➢ A standard procedure to deal with anyone caught misusing the system. This can range from minor disciplinary action to criminal charges if necessary. Be ready to take this action even if it might mean bad publicity for the company.
➢ Constant communication: management officials and members of the technical staff should stay in touch to discuss security needs and problems.
BUILDING A SECURITY PLAN
❑ The basic goals of a network security system are pretty much like the security goals for any kind of computer system:
➢ To protect information from accidental destruction or modification.
➢ To protect information from deliberate destruction or modification.
➢ To make sure the data is available to authorized users when they need it and in a form they can use.
❑ Building the plan also involves:
➢ Helping to identify the key managers in each client department.
➢ Devising professional surveys and other means to learn about employees' current attitudes towards security.
➢ Helping to set up and conduct interviews with department managers and employees.
➢ Planning and delivering training programs to support the security program.

Areas to examine in the preliminary exam:

➢ Enterprise-wide systems that carry sensitive information but may be lacking in security. Example: electronic mail systems.
➢ Applications and networks that see heavy use in day-to-day operations. These busy services are the most likely to carry information that should be protected.
➢ Danger spots where data might be altered or lost during transmission. For example, a large transmission of engineering drawings may overload the capacity of a local area network.
➢ Network components that need physical protection. These can include servers and wiring hubs.
➢ Existing security policies and practices. Assess how well they respond to identified needs and how well they are observed.
➢ Prevailing employee attitudes about security.
Elements of a security plan:
A completed security plan should have two major sections:
1. A risk assessment.
2. Strategies to deal with identified risks.
These strategies fall into several categories:
• Procedural tactics like revised security policies.
• Physical protection, to prevent direct access to important resources.
• Technical security, which includes both hardware and software techniques.
A good way to assess risks is to examine the kind of data you handle. Ask questions like these:
• What kind of data do you maintain?
• For what purposes does the organization use it?
• What would the organization lose if the data were lost or stolen?
If the budget is limited, and whose is not, it makes sense to concentrate effort on the threats that are most serious to the organization. Once you have countered the most serious threats, additional spending will be less cost-effective.
Network Security Planning:
→ A full-scale security plan is a complex document that can take a large toll in time and energy. Not everyone writes a complex new plan from scratch. Not everyone has to.
→ The only time you need to go through the full process of analysis and justification is if you decide not to follow the prevailing standard.
Example: should you decide a particular risk is too small, and its solution too expensive to be used in your organization, you should be prepared to defend that judgement.
Be equally prepared should you believe your unique situation dictates a higher than normal degree of security.
• First level security:
The need is so universal that nearly everyone will use these controls.
• Second level security:
These are used less universally, but they are still familiar, standardized and well-accepted. Someone who proposes one of these controls should demonstrate that the risk is worth the effort, but the selection of the strategy itself is more or less automatic.
• Third level security:
Here, both the risks and the responses are truly unique to the situation. Anyone who makes a proposal at this level should be prepared to strongly justify both the need and the response.

List of first level security controls:

ITEM                                       CLASS
Administrator computer access control      Procedural/technical
Comply with laws and regulations           Procedural
Create a disaster recovery plan            Disaster control
Encrypt the password file                  Technical
Establish passwords for network access     Procedural/technical and physical
Minimize traffic and access to area        Physical
List of second level security controls:

The process of building network security has seven basic steps:

Step 1: Determine the scope of the review (start by identifying, at least in broad strokes, the people and facilities that will be involved in the security plan).
Step 2: Identify existing security controls.
Step 3: List additional control techniques.
Step 4: See what preliminary list of first level security controls.
Step 5: Build a preliminary list of first level security controls.
Step 6: Identify and address the remaining risks.
Step 7: Prepare a management proposal based on the network security planning.

IMPLEMENTING A SECURITY POLICY

➢ The security policy is a living document. This means it is not written once and left unchanged for years.
➢ The policy should be regularly updated in response to changing business conditions, technologies, customer requirements, and so on.
➢ Some form of document version control may be helpful in managing this lifecycle process.
➢ In order to communicate the security policy, it is best to keep it online or in a place where its audience will be able to review and understand changes as they are approved and implemented.
➢ Some companies use an intranet web site to communicate the security policy, so employees can easily reference it throughout the work day.
➢ Once the security policy is in place, well established, and in a position to dictate daily company operations, an audit may be performed by outside agencies or internal departments.
➢ An audit compares existing practices to the intentions of the policy.
➢ Having an unbiased third party perspective can be helpful in isolating weaknesses or problems with the policy and its enforcement; this requires a disinterested party (not the security organization or the IT department) to perform the audit.

SECURITY INFRASTRUCTURE

What is security infrastructure?

• A security infrastructure should provide a synergistic use of many components of its architecture, organized in such a manner as to improve the overall security posture beyond that of any single component.
• Security failures can occur in two ways.
• First, a failure can allow unauthorized users access to resources and data they are not authorized to use.
• Second, a failure can prevent an authorized user from accessing resources and data they are entitled to use.
• The primary goal of network infrastructure security is to allow all authorized use and deny all unauthorized use of resources.
Infrastructure components:
• The major components of a security infrastructure can be defined as belonging to one of four categories. These categories are:
1. Network
2. Platform
3. Physical
4. Process
Network category:
• The network category encompasses firewalls, routers and switches, remote access devices (such as VPNs and dial-up modem banks) and network-based intrusion detection systems that add some security features to the overall design.
• These components are used to monitor, filter and/or restrict traffic as seen either by their network interfaces or as defined by logic in software.
Platform category:
• The platform category encompasses the server and client side software (such as the underlying operating system and security application controls).
• Devices that perform some electronic operation, such as smart cards and readers, hardware token-producing cards, and hardware-based encryption devices, fit into this platform category.
• Application-level access controls, such as soft-token producing programs, digital certificates, host-based intrusion detection and analysis, virus detection and event accounting and analysis, also belong here.
• These security functions are used to protect the applications that reside within these major infrastructure boundaries.
Physical components:
• The physical components of a security infrastructure include standard door keys and locks, key cards, identification badges, security cameras, motion sensors, audible and visual alarms, cages, fences, security guards and systems.
• Biometric components fit into this category as well and include hand geometry readers, facial geometry cameras, and retinal-scan cameras.
• The typical intent of these biometric components is to identify and authenticate users via the nature and purpose of their hardware design.
• Network cabling and backup power devices such as UPS systems and diesel generators fit into this category as well.
• The primary goal of a physical security component is to keep unauthorized persons out and keep infrastructure components supplied with power and network connectivity.
Process category:
• The process category includes corporate security policy and procedural documentation that govern the creation, use, storage and disposal of corporate data, as well as the systems and networks on which that data resides.
• The purpose of a corporate security policy is to define the scope of protection for corporate assets and suggest or require a specific protection mechanism for those assets.

GOALS OF SECURITY INFRASTRUCTURE:

• Data confidentiality
• Data integrity
• Data availability.
Data confidentiality:
• The purpose of confidentiality is to ensure that only those individuals who have the authority to view a piece of information can do so.
• No unauthorized individual should ever be able to view data they are not entitled to. In other words, confidentiality is the protection of transmitted data from passive attacks.
• The broadest service protects all user data transmitted between two users over a period of time. For example, if a virtual circuit is set up between two systems, this broad protection would prevent the release of any user data transmitted over the virtual circuit.

Data integrity:
• Integrity is a related concept but deals with the generation and modification of data. Only authorized individuals should ever be able to create or change (or delete) information.
• In other words, data integrity is concerned with protection against any unauthorized alteration or destruction of data. The primary focus of this goal, then, is the accuracy and legitimacy of the data.
• A common solution for providing data integrity over a network is a protocol such as Internet Protocol Security (IPsec), which attaches a keyed integrity check value to each packet so that the receiver can confirm that the data received equals the data that was sent. A plain checksum is not enough for this, because an attacker who alters the data can simply recompute it; the check must depend on a key the attacker does not have.
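To make the difference between an unkeyed checksum and a keyed integrity check concrete, here is an added example that is not part of the original notes. CRC-32 stands in for any plain checksum and HMAC-SHA256 for the keyed integrity check value a protocol like IPsec attaches to each packet; the message, the forged message and the shared key are constructed for the demonstration and the key is assumed to have been exchanged out of band.

```python
"""Why integrity needs a keyed check, not a plain checksum.

Added example, not part of the original notes. The message, the forgery and the
key are constructed for the demonstration. CRC-32 stands in for any unkeyed
checksum; HMAC-SHA256 stands in for the keyed integrity check value that
protocols such as IPsec attach to each packet.
"""
import hashlib
import hmac
import zlib

# Constructed sample traffic.
KEY = b"shared-secret-between-sender-and-receiver"   # assumption: exchanged out of band
MESSAGE = b"transfer 100 to alice"
FORGED = b"transfer 900 to mallory"


def crc_tag(msg: bytes) -> int:
    """Unkeyed checksum: anyone, including the attacker, can compute it."""
    return zlib.crc32(msg)


def crc_ok(msg: bytes, tag: int) -> bool:
    return zlib.crc32(msg) == tag


def mac_tag(key: bytes, msg: bytes) -> bytes:
    """Keyed integrity check value (HMAC-SHA256)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_ok(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the verifier does not leak the tag byte by byte."""
    return hmac.compare_digest(mac_tag(key, msg), tag)


def flip_bit(msg: bytes, index: int = 0) -> bytes:
    """Accidental corruption: one bit flipped in transit, tag left untouched."""
    b = bytearray(msg)
    b[index] ^= 0x01
    return bytes(b)


def integrity_demo() -> dict:
    """Run both schemes against accidental corruption and deliberate forgery."""
    results = {}

    # 1. Accidental corruption: both schemes catch it, the tag no longer matches.
    results["crc_detects_corruption"] = not crc_ok(flip_bit(MESSAGE), crc_tag(MESSAGE))
    results["mac_detects_corruption"] = not mac_ok(KEY, flip_bit(MESSAGE), mac_tag(KEY, MESSAGE))

    # 2. Deliberate forgery: the attacker rewrites the message AND recomputes the tag.
    #    CRC needs no secret, so the receiver accepts the forgery as valid.
    results["crc_detects_forgery"] = not crc_ok(FORGED, crc_tag(FORGED))
    #    HMAC needs KEY, which the attacker lacks; the best they can do is guess one.
    attacker_guess = b"not-the-real-key"
    results["mac_detects_forgery"] = not mac_ok(KEY, FORGED, mac_tag(attacker_guess, FORGED))

    return results


if __name__ == "__main__":
    for check, outcome in integrity_demo().items():
        print(f"{check:24s} {outcome}")
```

Both schemes catch a flipped bit; only the keyed one catches an adversary who rewrites the message and recomputes the tag, which is exactly the "accuracy and legitimacy" the goal above asks for.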
Availability:
• The goal of availability is to ensure that the data, or the system itself, is available for use when the authorized user wants it. A variety of attacks can result in the loss of or reduction in availability.
• Some of these attacks are amenable to automated countermeasures, such as authentication and encryption, whereas others require some sort of physical action to prevent or recover from loss of availability of elements of a distributed system.
Design guidelines
• Ensure that corporate security policies and procedures are in line with present business objectives.
• If not, steps should be taken to implement the necessary changes to these policies and procedures prior to designing and building a security infrastructure.
• Without the full acceptance and support of such corporate guidelines from executive management, security design cannot fully reach its potential, and in fact suffers due to the lack of both written guidelines and managerial support.
• Once the policies and procedures are in line with present business practices, it is time to design the infrastructure security services that will directly support the stated guidelines and requirements.
• These services include:
❖ Authentication
❖ Authorization
❖ Accounting
❖ Physical access controls
❖ Logical access controls
Authentication:
• Authentication is the process of binding a specific ID to a specific computer connection.
• The authentication of authorized users prevents unauthorized users from gaining access to corporate information systems.
• The use of authentication mechanisms can also prevent authorized users from accessing information that they are not authorized to view.
• Currently, passwords remain the primary authentication mechanism for internal system access.
• If passwords are to be used, the following are recommended as best practices:
• Password length: Passwords should be a minimum of eight characters in length.
• Password change frequency: Passwords should not be more than 60 days old. In addition, passwords should not be changed for one day after a password change.
• Password history: The last ten passwords should not be reused.
• Password content: Passwords should not be made up of only letters but instead include letters, numbers and special punctuation characters. The system should enforce these restrictions when passwords are changed.
• Passwords should always be stored in protected (hashed or encrypted) form, and the stored passwords should not be accessible to normal users.
• For extremely sensitive systems or information, passwords may not provide sufficient protection. In these cases, dynamic passwords or some form of two-factor authentication should be used. Keep in mind that authentication uses some combination of three things:
• Something a person knows, like a password
• Something a person has, like an access card
• Something a person is, like a fingerprint
• Two-factor authentication is used to counter the weakness that each type of authentication information has. For example, passwords may be written down and thus discovered.
• Access cards may be stolen, and biometrics tend to be expensive and require controlled or trusted access between the user and the machine.
• All organization systems should be configured with a screen saver that removes information from the screen and requires re-authentication if the user is away from the computer for longer than ten minutes.
• If employees were to leave a computer logged into the network and unattended, an intruder would be able to use that computer as the employee unless some form of re-authentication were required.
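The password best practices listed above (length, 60-day maximum age, one-day minimum age, ten-password history, mixed content, protected storage) are the kind of rule that is easy to state and easy to get subtly wrong in code, so here is an added example of enforcing them; it is not code from the original notes. The user, the passwords and the timeline are constructed for the demonstration. One deliberate departure from the notes' wording: passwords are stored as salted PBKDF2 hashes rather than "encrypted", because a verifier never needs the plaintext back, and a reversible store hands every password to whoever obtains the key.

```python
"""Enforcing the password best practices listed above.

Added example, not code from the original notes. The user, the passwords and the
timeline are constructed for the demonstration. Passwords are stored as salted
PBKDF2 hashes (never reversible), with a bounded history for the reuse check.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy parameters, straight from the notes.
MIN_LENGTH = 8
MAX_AGE = timedelta(days=60)        # not more than 60 days old
MIN_AGE = timedelta(days=1)         # no change within a day of the last change
HISTORY_DEPTH = 10                  # last ten passwords may not be reused
PBKDF2_ROUNDS = 100_000             # assumption: work factor, tune to your hardware

T0 = datetime(2024, 1, 1)           # constructed start of the demo timeline


def days(n: float) -> timedelta:
    return timedelta(days=n)


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-hash the candidate under the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class PasswordRecord:
    """Per-user state: the current hash plus a bounded history of earlier ones."""
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: list[tuple[bytes, bytes]] = field(default_factory=list)


def new_record(password: str, now: datetime) -> PasswordRecord:
    salt, digest = hash_password(password)
    return PasswordRecord(salt, digest, now)


def content_ok(password: str) -> bool:
    """Letters alone are rejected: require letters, digits and punctuation."""
    return (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def check_new_password(record: PasswordRecord, candidate: str, now: datetime) -> list[str]:
    """Names of the rules the candidate breaks; an empty list means it is acceptable."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("length")
    if not content_ok(candidate):
        violations.append("content")
    if now - record.changed_at < MIN_AGE:
        violations.append("min-age")
    # The current password counts as the most recent of the ten remembered.
    recent = [(record.salt, record.digest)] + record.history
    if any(matches(candidate, s, d) for s, d in recent[:HISTORY_DEPTH]):
        violations.append("history")
    return violations


def change_password(record: PasswordRecord, candidate: str, now: datetime) -> list[str]:
    """Apply the change when policy allows it; otherwise return the violations."""
    violations = check_new_password(record, candidate, now)
    if violations:
        return violations
    record.history.insert(0, (record.salt, record.digest))
    del record.history[HISTORY_DEPTH - 1:]      # current + 9 previous = 10 remembered
    record.salt, record.digest = hash_password(candidate)
    record.changed_at = now
    return []


def password_expired(record: PasswordRecord, now: datetime) -> bool:
    return now - record.changed_at > MAX_AGE


def demo() -> list:
    """Walk one user through the policy; returns the outcome of each step."""
    rec = new_record("Tr0ub4dor&3", T0)
    return [
        check_new_password(rec, "letters", T0 + days(2)),        # too short, letters only
        change_password(rec, "N3w-Passw0rd!", T0 + days(0.1)),   # changed again too soon
        change_password(rec, "N3w-Passw0rd!", T0 + days(2)),     # accepted
        change_password(rec, "Tr0ub4dor&3", T0 + days(4)),       # reuse of a remembered password
        password_expired(rec, T0 + days(2) + days(59)),          # still within 60 days
        password_expired(rec, T0 + days(2) + days(61)),          # past 60 days
    ]
```

The history check has to re-hash the candidate under each stored salt, which is why the history is kept small and bounded; it also means the reuse check costs ten PBKDF2 evaluations at worst, an acceptable price at change time.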
Authorization:
• Authorization is the process of permitting or denying access to a specific resource.
• Once identity is confirmed via authentication, specific actions can be authorized or denied.
• Many types of authorization schemes are used, but the purpose is the same: determine whether a given user who has been identified has permissions for a particular object or resource being requested.
• This functionality is frequently part of the operating system and is transparent to users.
• The separation of tasks, from identification to authentication to authorization, has several advantages. There are many methods to perform each task, and on many systems several methods are concurrently present for each task.
• Separation of these tasks into individual elements allows combinations of implementations to all work together.
• Authentication is a process of verifying properly presented credentials; the source of the credentials is not a relevant item.
• Different forms of authorization can be implemented, based on the resource being requested, such as database access or router admin access.
• Any system or resource, be it hardware (router, workstation) or a software component (database system), that requires authorization can use its own authorization method once authentication for a connection has been resolved for it.
Accounting
• Accounting refers to the logging and monitoring of actions, events
and subsequent alerts that result from a satisfied condition.
• Most operating systems can be configured to produce accounting
logs used to alert administrators of various system-generated
events
• The most prevalent operating system log utilities are syslog (used
on UNIX-based systems) and Ntevent log (used on Microsoft NT-
based systems).
• The satisfied condition may simply be a UNIX syslog or Microsoft
NT event log setting of WARNING that produces WARNING-
level messages (or of a higher significance) in its log file.
• However, the condition may be as complex as correlating and
collaborating several non-contiguous events from different agent
sources across the corporation such that the resultant alert means
something of importance.
• Regardless of complexity, accounting results can provide us with
the following
➢ Operating system usage details
➢ Application usage details
➢ Internet, Extranet, or Intranet network connectivity
➢ Data for forensic analysis
➢ Data for trending analysis
➢ Data for report generation
• Each of these results is valuable to a corporation for many reasons.
In addition to providing performance forecasts and trending
analysis, events can be used to as certain one's security profile and
to identify existent or potential threats.
• Operating system events can be used to notify security staff
members of failed logon attempts, attempts to gain root or
administrator access, and whether file systems have been mounted
for export, to name a few.
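As an added example (not part of the original notes), the following Python script runs both kinds of condition described above over a few constructed syslog-style lines: a failed root logon, a sudo to root and a filesystem mount each raise an alert on their own, while the brute-force alert fires only once several non-contiguous failures from one source cross a threshold. The hostnames, addresses and log lines are made up for the example; the message layouts follow the usual OpenSSH, sudo and kernel syslog formats.

```python
import re
from collections import Counter, namedtuple

# Constructed sample syslog lines (made up for this example, not captured from a real host).
SAMPLE_LOG = """\
Mar  3 10:01:12 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:15 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Mar  3 10:01:19 host1 sshd[2211]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar  3 10:01:23 host1 sshd[2211]: Failed password for root from 203.0.113.5 port 51025 ssh2
Mar  3 10:01:27 host1 sshd[2211]: Failed password for root from 203.0.113.5 port 51026 ssh2
Mar  3 10:02:01 host1 sshd[2240]: Accepted password for alice from 198.51.100.7 port 40010 ssh2
Mar  3 10:02:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:03:00 host1 kernel: [12345.678] EXT4-fs (sdb1): mounted filesystem with ordered data mode
Mar  3 10:03:05 host1 sshd[2251]: Failed password for bob from 192.0.2.9 port 30001 ssh2
"""

Alert = namedtuple("Alert", "kind subject detail")

# Patterns follow the common OpenSSH / sudo / kernel message formats.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.+)$")
MOUNT_RE = re.compile(r"kernel: .*mounted filesystem")

def analyze(log_text, fail_threshold=3):
    """Turn raw accounting records into alerts.

    Single-event conditions (a failed root logon, a sudo to root, a filesystem
    mount) fire immediately; the brute-force condition correlates several
    non-contiguous events from the same source and fires only at the threshold.
    """
    failures_by_source = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures_by_source[src] += 1
            if user == "root":
                alerts.append(Alert("ROOT_LOGIN_FAILURE", src, line))
            continue
        m = SUDO_RE.search(line)
        if m:
            who, target, cmd = m.groups()
            if target == "root":
                alerts.append(Alert("PRIVILEGE_ESCALATION", who, cmd))
            continue
        if MOUNT_RE.search(line):
            alerts.append(Alert("FILESYSTEM_MOUNT", "kernel", line))
    # Correlation step: one source, many failures, across the whole window.
    for src, n in failures_by_source.items():
        if n >= fail_threshold:
            alerts.append(Alert("BRUTE_FORCE", src, f"{n} failed logins"))
    return alerts

def summarize(alerts):
    """Count alerts by kind, the sort of figure a trending report is built from."""
    return dict(Counter(a.kind for a in alerts))

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.kind:20} {a.subject:15} {a.detail}")
    print(summarize(analyze(SAMPLE_LOG)))
```

The threshold is the tunable part: with `fail_threshold=10` the same log produces no brute-force alert, which is exactly the trade-off between noisy and missed detections that the "satisfied condition" wording above hides.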
Physical access controls
• Physical access controls pertain to the elements of security
infrastructure that typically work in conjunction with one another
to reduce the effects of abuses by humans and acts of God.
• Physical controls are as much operational as they are physical.
• Common physical access controls include standard keys, key cards,
smart cards, identification badges, security cameras, motion
sensors, audible and visual alarms, doors, locks, cages, fences,
signage, security guards and system or device labels.
• The way these elements are put into use determines the quality of
the physical access control strategy.
• Operational procedures, as defined in corporate security policies
and procedures documentation, should define how specific
classifications of data and underlying systems are protected.
• These procedures should also state which actions are taken to
notify appropriate personnel in the event of a disaster, define
appropriate forensic procedures as they apply to the importance of
the data affected, and state how associated risks may be mitigated.
• In addition to reducing the risk, or effects of a security breach,
disruption of service must also be factored into physical protection
strategy.
Logical Access Controls
• Logical access controls probably receive the most attention of all
the security infrastructure controls available.
• These controls consist of firewalls, routers, switches, VPNs, and
application-level controls put in place to restrict both system and
network use.
• Logical access controls sometimes use authentication and
authorization information to decide whether access is granted or
denied, based on the port or protocol being used.
• Logical access controls can be applied in a variety of ways to
restrict system or network use.
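Added example (not from the original notes): a first-match packet filter of the kind a router or firewall applies, deciding on source, destination, protocol and port with an implicit deny when nothing matches, plus a check for rules that an earlier, broader rule makes unreachable. The two policies and their subnets are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# A rule matches on source network, destination network, protocol and destination port.
# proto "any" and dst_port None are wildcards.
Rule = namedtuple("Rule", "action src_net dst_net proto dst_port")

def _matches(rule, src_ip, dst_ip, proto, dst_port):
    return (src_ip in ipaddress.ip_network(rule.src_net)
            and dst_ip in ipaddress.ip_network(rule.dst_net)
            and rule.proto in (proto, "any")
            and rule.dst_port in (dst_port, None))

def evaluate(rules, src, dst, proto, dst_port):
    """First matching rule decides; if nothing matches, the implicit default is deny.
    Returns (action, index of the deciding rule or None)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(rules):
        if _matches(rule, src_ip, dst_ip, proto, dst_port):
            return rule.action, i
    return "deny", None

def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule already
    covers every packet they would match (a classic misordering mistake)."""
    net = ipaddress.ip_network
    hidden = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (net(later.src_net).subnet_of(net(earlier.src_net))
                    and net(later.dst_net).subnet_of(net(earlier.dst_net))
                    and earlier.proto in (later.proto, "any")
                    and earlier.dst_port in (later.dst_port, None)):
                hidden.append(j)
                break
    return hidden

# Constructed policies for an app tier (10.1.2.0/24) and a database tier (10.1.1.0/24).
GOOD_POLICY = [
    Rule("permit", "10.1.2.0/24", "10.1.1.0/24", "tcp", 5432),  # only the app tier reaches the DB
    Rule("deny",   "10.0.0.0/8",  "10.1.1.0/24", "any", None),  # everyone else is blocked from the DB
    Rule("permit", "10.0.0.0/8",  "0.0.0.0/0",   "tcp", 443),   # HTTPS out for all internal hosts
]

BAD_POLICY = [
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0",   "any", None),   # broad permit placed first ...
    Rule("deny",   "10.0.0.0/8", "10.1.1.0/24", "any", None),   # ... so this deny is unreachable
]

if __name__ == "__main__":
    print(evaluate(GOOD_POLICY, "10.1.2.5", "10.1.1.10", "tcp", 5432))  # ('permit', 0)
    print(evaluate(GOOD_POLICY, "10.3.0.7", "10.1.1.10", "tcp", 5432))  # ('deny', 1)
    print(evaluate(BAD_POLICY,  "10.3.0.7", "10.1.1.10", "tcp", 5432))  # ('permit', 0)
    print(shadowed(BAD_POLICY))                                          # [1]
```

The `shadowed` check is the kind of review a practitioner runs before deploying a rule base: a rule that is fully covered by an earlier one is not merely redundant, it usually means the author believed a restriction was in force when it was not.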
SECURITY MODELS
▪ Concept Of Security Models
▪ Three Main Types Of Classic Security Models
1.Bell-LaPadula model
2.Biba model
3.Clark-Wilson Security model
Concept Of Security Models:
▪ Effective and efficient security models protect the sensitive and
relevant information of an organization.
▪ Goals of confidentiality policies: confidentiality policies
emphasize the protection of confidentiality.
▪ A confidentiality policy, also called an information flow policy,
prevents unauthorized disclosure of information.
What is a Security Model?
▪ A model describes the system – e.g., a high level specification or
an abstract machine description of what the system does.
▪ A security policy – defines the security requirements for a given
system.
▪ Verification techniques that can be used to show that a policy is
satisfied by a system.
▪ System Model + Security Policy = Security Model.
1. Bell-LaPadula model:
• This model was invented by David Elliott Bell and Leonard J.
LaPadula.
• The Bell-LaPadula model focuses on data confidentiality and
controlled access to classified information.
• Bell-LaPadula is a form of multi-level security (MLS).
• MLS: a subject at a higher level may not convey information to a
subject at a lower level.
The Bell-LaPadula model is defined by the following properties:
• Simple security property (ss property)
• Star * security property
• The Discretionary Security Property (ds-property)
Simple security property (ss property)
• This property states that a subject at one level of confidentiality is
not allowed to read information at a higher level of confidentiality.
This is referred to as "no read up".
• Eg: a person at one classification level cannot read data at a
higher classification level. With a Secret clearance, you cannot
read objects labelled Top Secret.
Star * security property
• This property states that a subject at one level of confidentiality
is not allowed to write information to a lower level of
confidentiality. This is also known as "no write down".
• Eg: a person at a higher classification level cannot write messages
to someone at a lower classification level. With a Top Secret
clearance, a user cannot write messages to someone with a Secret
clearance, since that would move Top Secret information down to
the Secret level.
The Discretionary Security Property (ds-property)
• An individual (or role) may grant to another individual (or role)
access to a document at the owner's discretion, constrained by the
MAC rules.
• Here MAC stands for mandatory access control: the ss-property and
*-property are enforced by the system and cannot be overridden by a
discretionary grant. (This is not the message authentication code,
which also abbreviates to MAC but is a cryptographic checksum and
plays no part in this model.)
Bell-La Padula model has two major limitations:
• It provides confidentiality only. (no integrity, authentication ,etc.)
• It provides no method for management of classifications:
1. It assumes all data are assigned with a
classification
2. It assumes that the data classification
will never change.
2. Biba model (integrity):
• There are three main policies of integrity:
1. Preventing unauthorized users from making modifications to data
or programs.
2. Preventing authorized users from making improper or unauthorized
modifications.
3. Maintaining internal and external consistency of data and
programs.
• The Biba integrity model was published in 1977 at the Mitre
Corporation, one year after the Bell-LaPadula model was
published.
• The Biba model addresses the problem with the star property of the
Bell-LaPadula model, which does not restrict a subject from
writing to a more trusted object.
• Subjects and Objects
• Like other models, the Biba model supports the access control of
both subjects and objects.
• Subjects are the active elements in the system that can access
information (processes acting on behalf of the users).
• Objects are the passive system elements for which access can be
requested (files, programs, etc.).
• Each subject and object in the Biba model has an integrity
level associated with it.
• Protects information from unauthorized changes.
• Role: integrity. Rules: no write up, no read down.
• Properties, contrasted with Bell-LaPadula:
➢ Bell-LaPadula simple security → no read up
➢ Bell-LaPadula *-property → no write down
➢ Biba simple integrity → no read down
➢ Biba *-integrity → no write up
Advantages:
• The Biba model is simple and easy to implement.
• The Biba model provides a number of different policies that can be
selected based on need.
Disadvantages:
• The model does nothing to enforce confidentiality.
• The Biba model doesn't support the granting and revocation of
authorization.
• To use this model, all computers in the system must support the
labeling of integrity for both subjects and objects.
• To date, there is no network protocol that supports this labeling, so
there are problems with using the Biba model in a network
environment.
Bell-LaPadula vs Biba model
• The Bell-LaPadula model is used to provide confidentiality. The
Biba model is used to provide integrity. The Bell-LaPadula and
Biba models are information flow models because they are most
concerned with data flowing from one level to another.
• Bell-LaPadula uses security levels and Biba uses integrity levels
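The following Python reference monitor is an added example (not from the original notes) covering both the Bell-LaPadula properties and the Biba properties above: a single discretionary access matrix (the ds-property) is combined with a pluggable mandatory rule, and the two demos show that an owner's grant cannot override "no read up / no write down" under Bell-LaPadula or "no read down / no write up" under Biba. Subject names, object names and levels are constructed for the demo; the Bell-LaPadula *-property is simplified to compare the subject's clearance rather than a separately tracked current level.

```python
from enum import IntEnum

class Level(IntEnum):
    """Classification lattice for Bell-LaPadula (higher = more sensitive)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Integrity lattice for Biba (higher = more trustworthy); assumed two-level for the demo.
LOW, HIGH = 0, 1

def blp_rule(mode, subject_level, object_level):
    """Bell-LaPadula mandatory rules (confidentiality)."""
    if mode == "read":    # ss-property: no read up
        return subject_level >= object_level
    if mode == "write":   # *-property: no write down
        return subject_level <= object_level
    raise ValueError(f"unknown mode {mode!r}")

def biba_rule(mode, subject_level, object_level):
    """Biba mandatory rules (integrity): the mirror image of Bell-LaPadula."""
    if mode == "read":    # simple integrity: no read down
        return subject_level <= object_level
    if mode == "write":   # *-integrity: no write up
        return subject_level >= object_level
    raise ValueError(f"unknown mode {mode!r}")

class ReferenceMonitor:
    """Mediates every access. A request succeeds only if the owner granted it
    (discretionary, the ds-property) AND the mandatory lattice rule allows it."""

    def __init__(self, mandatory_rule):
        self.rule = mandatory_rule
        self.subjects = {}   # subject -> level
        self.objects = {}    # object  -> (level, owner)
        self.acl = {}        # object  -> {subject: set of granted modes}

    def add_subject(self, name, level):
        self.subjects[name] = level

    def add_object(self, name, level, owner):
        self.objects[name] = (level, owner)
        self.acl[name] = {}

    def grant(self, owner, subject, obj, mode):
        """Discretionary grant: only the object's owner may extend access."""
        if self.objects[obj][1] != owner:
            raise PermissionError(f"{owner} does not own {obj}")
        self.acl[obj].setdefault(subject, set()).add(mode)

    def access(self, subject, obj, mode):
        discretionary = mode in self.acl[obj].get(subject, set())
        mandatory = self.rule(mode, self.subjects[subject], self.objects[obj][0])
        return discretionary and mandatory

def blp_demo():
    m = ReferenceMonitor(blp_rule)
    m.add_subject("alice", Level.TOP_SECRET)
    m.add_subject("bob", Level.SECRET)
    m.add_subject("carol", Level.SECRET)
    m.add_object("ts_plan", Level.TOP_SECRET, owner="alice")
    m.add_object("s_memo", Level.SECRET, owner="bob")
    for mode in ("read", "write"):          # owners grant generously ...
        m.grant("alice", "bob", "ts_plan", mode)
        m.grant("bob", "alice", "s_memo", mode)
    return {                                # ... but the MAC rules still decide
        "alice reads s_memo (read down)":   m.access("alice", "s_memo", "read"),
        "alice writes s_memo (write down)": m.access("alice", "s_memo", "write"),
        "bob reads ts_plan (read up)":      m.access("bob", "ts_plan", "read"),
        "bob writes ts_plan (write up)":    m.access("bob", "ts_plan", "write"),
        "carol reads s_memo (no grant)":    m.access("carol", "s_memo", "read"),
    }

def biba_demo():
    m = ReferenceMonitor(biba_rule)
    m.add_subject("installer", HIGH)
    m.add_subject("browser", LOW)
    m.add_object("system_bin", HIGH, owner="installer")
    m.add_object("download", LOW, owner="browser")
    for mode in ("read", "write"):
        m.grant("installer", "browser", "system_bin", mode)
        m.grant("browser", "installer", "download", mode)
    return {
        "browser reads system_bin (read up)":     m.access("browser", "system_bin", "read"),
        "browser writes system_bin (write up)":   m.access("browser", "system_bin", "write"),
        "installer reads download (read down)":   m.access("installer", "download", "read"),
        "installer writes download (write down)": m.access("installer", "download", "write"),
    }
```

Swapping `blp_rule` for `biba_rule` changes nothing else in the monitor, which makes the point of the comparison above concrete: the two models share the same machinery and differ only in the direction information is allowed to flow.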
3.Clark-Wilson Security model
The three main rules of integrity models:
• Prevent unauthorized users from making modifications
• Prevent authorized users from making improper
modifications (separation of duties)
• Maintain internal/external consistency (well-formed
transaction)
• Clark-Wilson model addresses each of these goals where
Biba model only addresses the first goal.
• Clark-Wilson model enforces the three goals of integrity
by using access triple (subject, software TP, and object),
separation of duties, and auditing. It enforces integrity
by using well-formed transactions (through access triple)
and separation of user duties.
• Separation of duties: assigning different roles to different
users.
Integrity goals of Clark–Wilson model:
• Prevent unauthorized users from making modification (This is
addressed by the Biba model).
• Separation of duties prevents authorized users from making
improper modifications.
• Well-formed transactions:
Maintain internal and external consistency i.e. it is a series of
operations that are carried out to transfer the data from one consistent
state to the other.
The model uses the following elements:
• Transformation Procedures (TPs): Programmed abstract operations,
such as read, write and modify.
-A TP takes a CDI or UDI as input and produces valid CDIs.
-A TP moves the system from one valid state to another valid state.
• Constrained Data Item (CDI): A data item whose integrity is to be
preserved. Can only be manipulated by TPs.
• Unconstrained Data Item (UDI): Data items outside of the control
area of the modeled environment such as input information. Can be
manipulated by users via primitive read and write operations.
• Integrity Verification Procedure (IVP):Check the consistency of
CDIs with external reality.(Assure all CDI s are valid )
• The model contains a number of basic constructs that represent
both data items and processes that operate on those data items. The
key data type in the Clark Wilson model is a Constrained Data
Item (CDI).
• An Integrity Verification Procedure (IVP) ensures that all CDIs
in the system are valid at a certain state. Transactions that
enforce the integrity policy are represented by Transformation
Procedures (TPs). A TP takes as input a CDI or (UDI) and
produces a CDI.
• Transition of system from one valid state to another valid state.
• It must guarantee (via certification) that it transforms every
possible value of a UDI into a safe CDI, or else rejects the input.
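As an added example (not code from the original notes), the Python below models a small ledger with the Clark-Wilson constructs: the balances and validated requests are CDIs, the raw request string is a UDI that a certified TP either converts into a CDI or rejects, an IVP checks the CDIs before and after every TP, access triples bind users to the TPs they may run, a second-person approval enforces separation of duties, and a TP that would leave the CDIs invalid (an overdraft) is rolled back and logged. The users, accounts and request format are assumptions made for the example.

```python
import re

class IntegrityViolation(Exception):
    """A TP found, or would have left, the CDIs in an invalid state."""

class ClarkWilsonLedger:
    # Access triples (user, TP): users reach CDIs only through a TP they are certified for.
    TRIPLES = {("clerk", "parse_request"), ("clerk", "post_transfer"), ("mgr1", "parse_request"),
               ("mgr1", "approve_request"), ("mgr2", "approve_request")}
    UDI_RE = re.compile(r"^transfer (\d+) from (\w+) to (\w+)$")  # assumed request format

    def __init__(self, balances):
        self.balances = dict(balances)       # CDI
        self.total = sum(balances.values())  # CDI: the external figure the IVP checks against
        self.requests = {}                   # CDI: validated requests awaiting posting
        self.next_id = 1
        self.audit = []                      # every TP invocation, committed or not

    def ivp(self):
        """Integrity Verification Procedure: are all CDIs valid right now?"""
        return all(b >= 0 for b in self.balances.values()) and sum(self.balances.values()) == self.total

    def _invoke(self, user, tp, body):
        """Well-formed transaction: permitted by an access triple, valid before, valid after, else rolled back."""
        if (user, tp) not in self.TRIPLES:
            self.audit.append((user, tp, "refused"))
            raise PermissionError(f"no access triple for ({user}, {tp})")
        if not self.ivp():
            raise IntegrityViolation("CDIs invalid before TP")
        snapshot = (dict(self.balances), dict(self.requests))
        try:
            result = body()
            if not self.ivp():
                raise IntegrityViolation("TP left CDIs invalid")
        except Exception:
            self.balances, self.requests = snapshot
            self.audit.append((user, tp, "rolled back"))
            raise
        self.audit.append((user, tp, "committed"))
        return result

    def parse_request(self, user, udi):
        """TP: turn an untrusted input string (UDI) into a validated request (CDI), or reject it."""
        def body():
            m = self.UDI_RE.match(udi.strip())
            if not m:
                raise ValueError("malformed request")
            amount, src, dst = int(m.group(1)), m.group(2), m.group(3)
            if amount <= 0 or src == dst or src not in self.balances or dst not in self.balances:
                raise ValueError("invalid amount or accounts")
            req_id, self.next_id = self.next_id, self.next_id + 1
            self.requests[req_id] = {"amount": amount, "src": src, "dst": dst, "submitted_by": user, "approved_by": None}
            return req_id
        return self._invoke(user, "parse_request", body)

    def approve_request(self, user, req_id):
        """TP: second approver; separation of duties forbids approving one's own request."""
        def body():
            req = self.requests[req_id]
            if req["submitted_by"] == user:
                raise PermissionError("submitter may not approve own request")
            req["approved_by"] = user
            return True
        return self._invoke(user, "approve_request", body)

    def post_transfer(self, user, req_id):
        """TP: move the funds; an overdraft fails the IVP and is rolled back."""
        def body():
            req = self.requests.pop(req_id)
            if req["approved_by"] is None:
                raise PermissionError("request not approved")
            self.balances[req["src"]] -= req["amount"]
            self.balances[req["dst"]] += req["amount"]
            return dict(self.balances)
        return self._invoke(user, "post_transfer", body)

def outcome(fn):
    # A TP's result, or the name of the exception that refused it.
    try:
        return fn()
    except Exception as e:
        return type(e).__name__

def demo():
    ledger = ClarkWilsonLedger({"acct_a": 100, "acct_b": 50})
    r = {}
    r["malformed_udi"] = outcome(lambda: ledger.parse_request("clerk", "transfer 30 from acct_a to acct_b; drop table"))
    req = ledger.parse_request("clerk", "transfer 30 from acct_a to acct_b")
    r["unapproved_post"] = outcome(lambda: ledger.post_transfer("clerk", req))
    r["clerk_approves"] = outcome(lambda: ledger.approve_request("clerk", req))   # no access triple
    r["manager_approves"] = outcome(lambda: ledger.approve_request("mgr1", req))
    r["posted"] = ledger.post_transfer("clerk", req)
    big = ledger.parse_request("mgr1", "transfer 500 from acct_b to acct_a")
    r["self_approve"] = outcome(lambda: ledger.approve_request("mgr1", big))      # separation of duties
    ledger.approve_request("mgr2", big)
    r["overdraft"] = outcome(lambda: ledger.post_transfer("clerk", big))          # IVP fails, rolled back
    r["audit_tail"] = ledger.audit[-1]
    r["after_rollback"] = dict(ledger.balances)
    r["ivp_holds"] = ledger.ivp()
    return r
```

Two things in `demo()` are worth noticing. The overdraft is not caught by a check inside `post_transfer`; it is caught by the IVP running after the TP, which is the Clark-Wilson way of making a TP safe even when its own logic is incomplete. And separation of duties is enforced twice, once by the access triples (the clerk has no approval TP at all) and once inside the approval TP (a manager may not approve a request the same manager submitted).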