CH 2

The document outlines the principles of Information Security Architecture and Risk Management, emphasizing the importance of risk assessment and control in protecting organizational assets from threats and vulnerabilities. It details the components of risk management, including risk identification, analysis, and prioritization, as well as the significance of security policies, standards, guidelines, and procedures. Additionally, it introduces the concept of Trusted Computing Base (TCB) and rings of trust, which are essential for enforcing security policies and ensuring system integrity.

Uploaded by

maheshlondhe873

CH- 2

INFORMATION SECURITY ARCHITECTURE & MODEL


Information Security & Risk Management

Information Security
- Refer to this point in Ch-1.

Risk Management

Fig.: Threats, Vulnerability, Assets & Risk

Assets :- A resource, process, product and so on; something that is important for the
organization.
Threats :- A person or thing likely to cause damage or danger.
e.g. fire, earthquake, an attack on a website by a human
Vulnerability :- The absence or weakness of safeguards.
Safeguard :- A protection mechanism that reduces the risk.
Exposure :- The loss due to the risk.

Risk Management: The process of identification, analysis and either acceptance or mitigation of
uncertainty in investment decision-making.
OR
Risk Management is the process of identifying, assessing & prioritizing risks of different kinds.
OR
Risk management is the keystone of effective performance as well as of targeted, proactive
solutions to potential threats and incidents. Risk management is the ongoing process of
identifying risks and implementing plans to address them.

• Inadequate risk management can result in severe consequences for companies as well
as individuals.
• Examples of Risk Management

1. Fire: Damage caused to a system by a fire in the premises where information is
preserved.
2. Flood: A datacenter / information hub gets affected by a flood.
3. The recession that began in 2008 was largely caused by the loose credit risk management of
financial firms.

Components of Risk Management

Risk management is an essential part of any project plan and project implementation.
Without a thorough knowledge of the possible risks, a project cannot be authorized. There are
always risks at stake which could benefit the project, but could also incur huge monetary
losses. The most effective steps in risk management are as follows:

Fig.: Components of risk management

1. Risk Assessment
2. Risk Control

1. Risk Assessment
This process involves identifying and analyzing program areas and critical technical
process risks in order to increase the likelihood of meeting cost, performance, and schedule objectives.
• Risk Identification is the first step in the proactive risk management process.
It is the process of examining the program areas & each critical technical process
to identify and document the associated risks.
• Risk Analysis is the process of defining and analyzing the dangers to individuals,
businesses and government agencies posed by potential natural and human-caused
adverse events.
• Risk Prioritization is the assigning of priorities to the different risks.
• For IT professionals it is necessary to identify the information assets of an
organization - people, procedures, data and information, software, hardware,
networking components etc. - and then classify and prioritize them.
2. Risk Control
It is the process of selecting and applying controls to decrease the risk to an
organization's information system. The following four strategies can be used
to control risk:
1. Avoidance
2. Transference
3. Mitigation
4. Acceptance
Risk control includes: risk planning, selecting an appropriate strategy & risk monitoring.

Identify Risk
• Risk is the potential of losing something of value.
• Risk can be identified by the following formula:
Risk = Threats x Vulnerabilities x Assets
• Risk Analysis includes 3 main stages:
1. Asset evaluation
2. Analysis of threats & vulnerabilities
3. Selection of safeguards
• There are two fundamental types/approaches of risk analysis:
1. Quantitative Risk Analysis
2. Qualitative Risk Analysis

1. Quantitative Risk Analysis

• A process for assigning a numeric value to the probability of loss based on known
risks, on the financial values of the assets and on the probability of threats.
• It is used to determine potential direct and indirect costs to the company based on
values assigned to company assets and their exposure to risk.
• E.g. the cost of replacing an asset, the cost of lost productivity, or the cost of
diminished brand reputation.

2. Qualitative Risk Analysis

• It is a collaborative process of assigning relative values to assets, assessing their risk
exposure, and estimating the cost of controlling the risk.
• It differs from quantitative risk analysis in that it uses relative measures and
approximate costs rather than precise valuation and cost determination.
• In qualitative risk analysis:
1. Assets can be rated based on criticality - very important, important, not
important etc.
2. Vulnerabilities can be rated based on how urgently they should be fixed - fix soon,
should be fixed, fix if suitable etc.
3. Threats can be rated on a likelihood scale - very likely, likely, unlikely etc.

Security Policy, Guidelines, Standards & Procedure


Security Policy
• Security is truly a multilayered process.
• An information security policy consists of higher-level statements relating to the
protection of information across the business and should be produced by senior
management.
• The policy outlines security roles and responsibilities, defines the scope of
information to be protected, and provides a high-level description of the controls
that must be in place to protect information.
• Policies describe security in general terms, not specifics. They provide the
blueprint for an overall security program, just as a specification does for a product.
• The different information security policies are as follows:
1. Senior Management Policy
2. Regulatory Policy
3. Advisory Policy
4. Informative Policy

1. Senior Management Policy

• It is the first step of policy creation.
• It is a high-level statement of policy that contains the following elements:
1. An acknowledgement of the importance of the computing & network resources
that are part of the IS.
2. A statement of support for IS.
3. A commitment to authorize & manage the definition of lower-level
standards & procedures.
2. Regulatory Policy
• These are security policies that an organization must implement owing to
compliance, regulation or other legal requirements prevalent in the
organization's operating environment, both internal and external.
• The various entities with which the business organization interacts can be financial
institutions, public utilities or other types of organizations that operate in the
public interest.
• Regulatory policies are usually very detailed and specific to the industry in which
the business organization operates.
• The two main purposes of regulatory policies are:
1. Ensuring that an organization follows the standard procedures or base practices
of an operation in its specific industry.
2. Giving an organization the confidence that it is following the standard and
accepted industry policy.
3. Advisory Policy
• These are security policies that may not be mandated but are strongly
recommended.
• Normally, the consequences of not following them are defined. An
organization with such policies wants its employees to consider these policies
mandatory.
• Most policies fall under this broad category.
4. Informative Policy
• These are policies that exist simply to inform the reader.
• There are no implied or specified requirements, and the audience for this
information could be certain internal entities or external parties.

Fig.: Policies, standards, guidelines & procedures


2. Standards
• A standard consists of specific low-level mandatory controls that help enforce and support the
information security policy.
• Standards help to ensure security consistency across the business and usually contain
security controls relating to the implementation of specific technology, hardware or
software.
• For example, a password standard may set out rules for password complexity and a
Windows standard may set out the rules for hardening Windows clients.

3. Guidelines

• Guidelines consist of recommended, non-mandatory controls that help support standards or
serve as a reference when no applicable standard is in place.
• They should be viewed as best practices that are not usually requirements, but are strongly
recommended.
• They can consist of additional recommended controls that support a standard or help to
fill in the gaps where no specific standard applies.
• A standard may require specific technical controls for accessing the internet securely, and
separate guidelines may outline the best practices for using it.
• For example, the user manual of any electronic equipment (a microwave).

4. Procedure
• A procedure consists of step-by-step instructions to assist workers in implementing the various
policies, standards and guidelines.
• A procedure explains how to implement policies, guidelines etc.
• E.g. a written procedure for how to install Windows.

2.2 Trusted Computing Base


Trusted Computing Base (TCB): The Trusted Computing Base is the complete protection mechanism in a
computer system and is responsible for enforcing system-wide information security policies.

• It is the combination of hardware, software and firmware that work together to implement a
combined security policy for a system or a product.
• It reduces the likelihood of threats within the TCB and improves the overall security of a
computer system.
• The reference monitor is an abstract machine (software model) that mediates all access from any
subject (user) to any object (data / file) and cannot be avoided.
• It grants subjects access to objects.

The reference monitor has three properties:

1. Cannot be bypassed and controls all access

2. Cannot be altered and is protected from modification or change

3. Can be verified and tested to be correct.

• It stands between each subject and object, and its role is to verify that the subject meets the
minimum requirements for access to an object, as shown in the Fig.

• In a trusted system an object (data) is something that people want to access. These objects are
labeled according to their level of sensitivity.
• In a trusted system a subject (user) should have the same or a higher level of classification when
accessing an object.
• In the Unix / Linux operating system, a security kernel acts as the reference monitor. The security
kernel handles all user/application requests for access to system resources.

2.2.1 Rings of Trust

The operating system knows who and what to trust by relying on rings of protection. Rings
of protection work much like your network of family, friends, coworkers, and acquaintances.
The people who are closest to you, such as your spouse and family, have the highest level of
trust. Those who are distant acquaintances or are unknown to you probably have a lower level
of trust.

Fig. Rings of trust

Protection rings support the availability, integrity, and confidentiality requirements of
multitasking operating systems. These protection rings provide an intermediate layer between
subjects and objects, and are used for access control when a subject tries to access an object.
The ring determines the access level to sensitive system resources. The lower the number, the
greater the amount of privilege that is given to the process that runs within that ring.

Fig shows the rings of trust concept in the context of a single computer system.
• In this model, outer rings contain a lower level of security, and systems requiring higher
levels of security are located inside the inner rings.
• Extra security mechanisms must be navigated to move from an outer ring into an inner ring.
• The operating system (OS) enforces how communications flow between layers using the
reference monitor (within the kernel) to mediate all access and protect resources.
• Many systems use four protection rings:
o Ring 0:- Operating system kernel
o Ring 1:- Remaining parts of the operating system
o Ring 2:- I/O drivers and utilities
o Ring 3:- Applications and programs
Fig. Rings of trust in standalone system

It's also possible to use the concepts of rings of trust to design security domains or operating
environments for networks of systems. The Fig. below illustrates this concept.

This model divides the hosts into rings, based on the security rating of the services they provide to
the network, and then uses these rings as the basis for trust between hosts.
To help determine the hierarchy of the rings, some questions must be answered:
• Is the host in a physically secure computer room?
• Does the host have normal (as opposed to privileged) user accounts?
• Is this host at a remote site and, hence, less trustworthy than the ones in the central
computer room?
• Does this host operate software that relies on data obtained from the Internet?
• Does this host provide mission-critical services? How many people in the company would be
affected by downtime on this host?

The following general rules apply to constructing rings of trust in network systems:
• Each host trusts hosts in a more inner ring than its own.
• No host trusts any host in a more outer ring than its own.
• Each host may trust hosts in the same ring as its own.
• Where a ring has been segmented into separate subnetworks, a host in one segment does
not trust hosts in other segments.

As you can see, rings of trust apply equally well to stand-alone systems, small business or
home networks, and large-scale corporate and government networks where security
requirements are absolute. To implement the rings of trust model, a number of software
constructs and design objectives are used for security and resource protection.
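The four network rings-of-trust rules above, expressed as an added Python example that is not part of the original notes: ring 0 is taken as the innermost ring, the host names and segments are constructed, and audit_trust_relations is a defender's check that flags configured trust relations which break the rules.

```python
# Added example (not from the original notes): a model of the network rings-of-trust
# rules. Ring 0 is the innermost (most trusted) ring; larger numbers are further out.
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ring: int       # 0 = innermost / most trusted, larger = more outer
    segment: str    # subnetwork segment the host sits in within its ring


def may_trust(trustor: Host, trustee: Host) -> bool:
    """Apply the four rules: trust a more inner ring, never a more outer ring,
    and the same ring only when both hosts are in the same segment."""
    if trustee.ring < trustor.ring:     # trustee is in a more inner ring
        return True
    if trustee.ring > trustor.ring:     # trustee is in a more outer ring
        return False
    # same ring: trusted unless the ring is segmented and segments differ
    return trustee.segment == trustor.segment


def audit_trust_relations(relations, hosts_by_name):
    """Return the (trustor, trustee) pairs of a configured trust list that
    violate the rules, so an administrator can review them."""
    violations = []
    for trustor_name, trustee_name in relations:
        trustor = hosts_by_name[trustor_name]
        trustee = hosts_by_name[trustee_name]
        if not may_trust(trustor, trustee):
            violations.append((trustor_name, trustee_name))
    return violations


# Constructed sample inventory (hypothetical host names and segments)
HOSTS = {h.name: h for h in [
    Host("db-core", 0, "dc-room"),   # secure computer room, mission-critical
    Host("app-1", 1, "dc-room"),
    Host("app-2", 1, "branch"),      # same ring as app-1, different segment
    Host("web-dmz", 2, "dmz"),       # consumes data from the Internet
]}

# Constructed trust list as an administrator might have configured it
CONFIGURED_TRUST = [
    ("web-dmz", "app-1"),    # outer trusts inner: allowed
    ("app-1", "db-core"),    # outer trusts inner: allowed
    ("db-core", "web-dmz"),  # inner trusts outer: violation
    ("app-1", "app-2"),      # same ring, different segments: violation
]

if __name__ == "__main__":
    for pair in audit_trust_relations(CONFIGURED_TRUST, HOSTS):
        print("violation:", pair)
```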

2.2.2 Protection Mechanisms in a trusted Computing Base


• Process isolation
o is a design objective in which each process has its own distinct address space for its
application code and data
o prevents data or information leakage and prevents modification of the data while it
is in memory
• Principle of least privilege
o Used to limit access to the minimum level that still allows the required functioning.
o Every process has only the least privilege required to access the resources it needs to perform its
function. This prevents data from being exploited.
• Hardware segmentation
o relates to the segmentation of memory into protected segments
o Prevents user processes from being able to access both another process's allocated
memory and system memory.
• Layering
o is a process operation that is divided into layers to perform various functions.
o Each layer performs a specific action.
o Basically there are two types of layers - a lower layer which performs all basic functions &
a higher layer which performs more complex and protected functions.
• Abstraction
o is a process that defines a specific set of permissible values for an object and the
operations that are permissible on that object
o Helps to maintain security by ignoring implementation details.
• Data hiding (also known as information hiding)
o is a mechanism to assure that information available at one processing level is not
available in another, regardless of whether it is higher or lower
• Information storage
o refers to the parts of a computer system that retain a physical state (information) for some
interval of time, possibly even after electrical power to the computer is removed
o The following are the types used for information storage:
o Primary storage is the computer's main memory and a volatile storage medium
o Secondary storage is a nonvolatile storage format, where application and system
code plus data can be stored when the system is not in use
o Real memory is where a program has been given a definite storage location in
memory and direct access to a peripheral device
o Virtual memory extends the volume of primary storage by using secondary storage
to hold the memory contents
o Random-access memory is the computer's primary working and storage area
o Sequential storage is computer memory that is accessed sequentially
o Volatile memory means that there is a complete loss of any stored information
when the power is removed
• Closed & Open Systems
o Closed systems are of a proprietary nature
o They use specific operating systems and hardware to perform the task and generally lack
standard interfaces to allow connection to other systems
o An open system is based on accepted standards and employs standard interfaces to
allow connections between different systems
o It promotes interoperability and allows the user to have full access to the total system
capability
• Multitasking
o is a technique used by a system that is capable of running two or more tasks in
concurrent performance or interleaved execution
• Multiprogramming system
o allows for the interleaved execution of two or more programs on a processor
• Multiprocessing
o provides for simultaneous execution of two or more programs by a processor (CPU)
• Finite-state machine
o stores the status or state of something at a given time
o operates based on the inputs given to the device
o according to the input it will change the stored status and/or cause an action or output
to take place

2.3 System Security Assurance Concept


When considering IT security systems, the requirements (or needs), decided by those who sponsor
the development, appear in two forms:
1. Functional requirements
• Describe what a system should do

2. Assurance requirements
• Describe how the functional requirements should be implemented and tested.

Both types of requirement must be tested and are included in the scope of security assurance
testing.
1. Security Testing
• It verifies that the functions designed to meet a security requirement operate as
expected.
• In addition, it validates that the implementation of the function is not flawed or
haphazard.

2. Formal Security Testing Models

• Trusted Computer System Evaluation Criteria (TCSEC)
o United States, in the early 1980s
• Information Technology Security Evaluation Criteria (ITSEC)
o Europe, in 1991 by the European Commission
• Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)
o Canada, in early 1993
• Federal Criteria for Information Technology Security (FC)
o United States, in early 1993
• Common Criteria
o Today's standard
2.3.1. TCSEC(Trusted Computer System Evaluation Criteria)
Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government
Department of Defense (DOD) standard that sets basic requirements for assessing the effectiveness
of computer security controls built into a computer system.
1. The TCSEC was used to evaluate, classify and select computer systems being considered for
the processing, storage and retrieval of sensitive or classified information.
2. Policy: The security policy must be explicit, well-defined and enforced by the computer
system. There are three basic security policies:
• Mandatory Security Policy - Enforces access control rules based directly on
an individual's clearance, authorization for the information and the
confidentiality level of the information being sought. Other indirect factors
are physical and environmental. This policy must also accurately reflect the
laws, general policies and other relevant guidance from which the rules are
derived.
• Marking - Systems designed to enforce a mandatory security policy must
store and preserve the integrity of access control labels and retain the labels
if the object is exported.
• Discretionary Security Policy - Enforces a consistent set of rules for
controlling and limiting access based on identified individuals who have been
determined to have a need-to-know for the information.
3. Accountability
Individual accountability regardless of policy must be enforced. A secure means must exist to ensure
the access of an authorized and competent agent which can then evaluate the accountability
information within a reasonable amount of time and without undue difficulty. There are three
requirements under the accountability objective:
• Identification - The process used to recognize an individual user.
• Authentication - The verification of an individual user's authorization to specific categories
of information.
• Auditing - Audit information must be selectively kept and protected so that actions affecting
security can be traced to the authenticated individual.
4. Divisions and classes
The TCSEC defines four divisions: D, C, B and A where division A has the highest security.
Each division represents a significant difference in the trust an individual or organization can
place on the evaluated system. Additionally divisions C, B and A are broken into a series of
hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1. Each division and class
expands or modifies as indicated the requirements of the immediately prior division or class.
D — Minimal protection
Reserved for those systems that have been evaluated but that fail to meet the
requirements for a higher division
C — Discretionary protection
o C1 — Discretionary Security Protection
o C2 — Controlled Access Protection
B — Mandatory protection
o B1 — Labeled Security Protection
o B2 — Structured Protection
o B3 — Security Domains
A — Verified protection
o A1 — Verified Design
o Beyond A1
2.4 ITSEC (Information Technology Security Evaluation Criteria):

• ITSEC was developed by European countries as security evaluation criteria.
• ITSEC focuses more on integrity and availability. It tries to provide a uniform approach to
products and systems.
• ITSEC also provides security targets such as:
1. Policy for system security.
2. Required mechanisms for security.
3. Required rating to claim for minimum strength.
4. Level for evaluating targets – functional as well as evaluation.

ITSEC functionality classes form a hierarchical structure in which every class adds to the class before it.
Each class contains some particular functions. The following are some classes that are stand-alone (non-
hierarchical):
• F-IN This class provides high integrity.
• F-AV This class provides high availability.
• F-DI This class provides high data integrity.
• F-DC This class provides high data confidentiality.
• F-DX This class is used for networks. It provides high integrity while exchanging data in
networking.
ITSEC uses the following assurance classes from E0 to E6 to evaluate security:
E0 – Minimal protection.
E1 – A security target and informal architecture design must be produced.
E2 – An informal detailed design and test documentation must be produced.
E3 – Source code or hardware drawings to be produced. Correspondence must be shown
between the source code and the detailed design.
E4 – A formal model of security and a semi-formal specification of the security functions,
architecture and detailed design to be produced.
E5 – The architectural design explains the inter-relationship between security components.
E6 – A formal description of the architecture and security functions to be produced.

Information could leak from those users who were cleared to see it, down to those users who are not.
2.4.1 Confidentiality and Integrity Models
Security models are mathematical representations of abstract machines that describe how a
reference monitor is designed to operate and help evaluators determine if the implementation
meets the design requirements. The following are some of the more commonly used models:
• Bell-LaPadula model
• Biba integrity model
• Clark and Wilson
• Noninterference
• State machine model
• Access matrix model
• Information flow model

1. Bell – LaPadula: -
• It focuses on confidentiality.
• The Bell-LaPadula (BLP) model is a classic mandatory access-control model for protecting
confidentiality.
• It is intended to preserve the principle of least privilege.
• The BLP model is derived from the military multilevel security paradigm, which has
traditionally been used in military organizations for document classification and personnel
clearance.
• The BLP model has a strict, linear ordering on the security levels of documents, so that
each document has a specific security level in this ordering and each user is assigned a strict
level of access that allows them to view all documents with the corresponding level of
security or below.
• How does Bell-LaPadula work?
• The security levels in BLP form a partial order, ≤.
• Each object, x, is assigned to a security level, L(x). Similarly, each user, u, is assigned to a
security level, L(u). Access to objects by users is controlled by the following two rules:
1. Simple security property. A user u can read an object x only if L(x) ≤ L(u).
2. *-property (star property). A user u can write (create, edit, or append to) an object x only if L(u) ≤ L(x).
• The simple security property is also called the "no read up" rule, as it prevents users from
viewing objects with security levels higher than their own.
• The *-property is also called the "no write down" rule. It is meant to prevent propagation of
information to users with a lower security level.

Fig. : Bell-LaPadula Model

2. Biba Model

• It focuses on integrity.
• The Biba model has a similar structure to the BLP model, but it addresses integrity rather
than confidentiality.
• Objects and users are assigned integrity levels that form a partial order, similar to the BLP
model.
• The integrity levels in the Biba model indicate degrees of trustworthiness, or accuracy, for
objects and users, rather than levels for determining confidentiality.
• For example, a file stored on a machine in a closely monitored data center would be
assigned a higher integrity level than a file stored on a laptop.
• In general, a data-center computer is less likely to be compromised than a random laptop
computer. Likewise, when it comes to users, a senior employee with years of experience
would have a higher integrity level than an intern.
• The access-control rules for Biba are the reverse of those for BLP. That is, Biba does not
allow reading from lower levels or writing to upper levels.
• If we let I(u) denote the integrity level of a user u and I(x) denote the integrity level of an
object x, we have the following rules in the Biba model:
1. A user u can read an object x only if I(u) ≤ I(x).
2. A user u can write (create, edit or append to) an object x only if I(x) ≤ I(u).
• Thus, the Biba rules express the principle that information can only flow down,
going from higher integrity levels to lower integrity levels.
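The BLP and Biba rules above, enforced by a reference monitor of the kind described in section 2.2, as an added Python example that is not part of the original notes. A level is modelled as a rank plus a set of compartments so that ≤ is a genuine partial order rather than only a linear one; all subjects, objects and labels are constructed for illustration.

```python
# Added example (not from the original notes): a toy reference monitor that enforces
# the Bell-LaPadula (confidentiality) and Biba (integrity) rules and records an audit
# trail of every decision. Levels, subjects and objects are constructed samples.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Level:
    rank: int                               # e.g. 0 = unclassified ... 3 = top secret
    compartments: frozenset = frozenset()   # need-to-know compartments

    def dominated_by(self, other: "Level") -> bool:
        """self <= other in the partial order: lower-or-equal rank and a
        subset of the compartments (so two levels may be incomparable)."""
        return self.rank <= other.rank and self.compartments <= other.compartments


def blp_allows(op: str, l_user: Level, l_obj: Level) -> bool:
    """BLP: read only if L(x) <= L(u) (no read up);
    write only if L(u) <= L(x) (no write down)."""
    if op == "read":
        return l_obj.dominated_by(l_user)
    if op == "write":
        return l_user.dominated_by(l_obj)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(op: str, i_user: Level, i_obj: Level) -> bool:
    """Biba is the reverse: read only if I(u) <= I(x) (no read down);
    write only if I(x) <= I(u) (no write up)."""
    if op == "read":
        return i_user.dominated_by(i_obj)
    if op == "write":
        return i_obj.dominated_by(i_user)
    raise ValueError(f"unknown operation {op!r}")


@dataclass
class ReferenceMonitor:
    """Mediates every subject/object access and keeps an audit record,
    which is the TCSEC accountability objective applied to this model."""
    subjects: dict   # name -> (confidentiality level L, integrity level I)
    objects: dict    # name -> (confidentiality level L, integrity level I)
    audit: list = field(default_factory=list)

    def access(self, subject: str, op: str, obj: str) -> bool:
        l_u, i_u = self.subjects[subject]
        l_x, i_x = self.objects[obj]
        # a system enforcing both models allows an access only if both do
        decision = blp_allows(op, l_u, l_x) and biba_allows(op, i_u, i_x)
        self.audit.append((subject, op, obj, "allow" if decision else "deny"))
        return decision


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed sample: two users and three files with hypothetical labels."""
    secret_nuc = Level(2, frozenset({"nuclear"}))
    secret = Level(2)
    unclass = Level(0)
    high_int, low_int = Level(2), Level(0)
    return ReferenceMonitor(
        subjects={
            "analyst": (secret_nuc, high_int),   # cleared secret/nuclear, trusted
            "intern": (unclass, low_int),        # uncleared, low integrity
        },
        objects={
            "war-plan": (secret_nuc, high_int),
            "secret-memo": (secret, high_int),   # secret but no compartment
            "cafeteria-menu": (unclass, low_int),
        },
    )


if __name__ == "__main__":
    rm = build_demo_monitor()
    for s, op, o in [("intern", "read", "war-plan"), ("analyst", "read", "war-plan"),
                     ("analyst", "write", "cafeteria-menu"), ("intern", "write", "war-plan"),
                     ("analyst", "write", "secret-memo")]:
        rm.access(s, op, o)
    for entry in rm.audit:
        print(entry)
```

The "intern writes war-plan" case is the one worth noting: BLP alone permits it (writing up is allowed), and only the Biba no-write-up rule denies it.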
