
Engineering Information Security
Content
Preface and Acknowledgments xxiii
About the Companion Website xxvii
1 What Is Security? 1
1.1 Introduction 1
1.2 The Subject of Security 2
1.2.1 Branches of Security 2
1.2.2 Defining Security by Function 5
1.2.3 The Common Body of Knowledge (CBK) Security Domains 8
1.3 A Twenty-First Century Tale 15
1.3.1 The Actors 15
1.3.2 What Actually Occurred 17
1.3.3 How Could All This Have Been Prevented? 19
1.3.4 They Did Not Live Happily Ever After 20
1.4 Why Are You Important to Computer Security? 21
1.4.1 What Are the Threats to Your Computer? 22
1.4.2 As a User, What to Do? 23
1.4.3 The Reality of Cybercrime and Cyberwarfare 23
1.5 End of the Beginning 25
1.6 Chapter Summary 29
1.7 Further Reading and Resources 30
2 Systems Engineering 31
2.1 So What Is Systems Engineering? 31
2.1.1 Similar Systems Engineering Process 32
2.1.2 Another Systems Engineering View 38
2.1.3 Process Variations 41
2.2 Process Management 41
2.2.1 ISO 9000 Processes and Procedures 41
2.2.2 Capability Maturity Model (CMM) 43
2.3 Organization Environments 46
2.3.1 Economic, Legal, and Political Contexts 47
2.3.2 Business/Organizational Types 52
2.3.3 National Critical Infrastructure 56
2.4 Chapter Summary 59
2.5 Further Reading and Resources 59
3 Foundation Concepts 61
3.1 Security Concepts and Goals 62
3.1.1 Subjects and Objects 63
3.1.2 What Is Trust? 63
3.1.3 Domains, Security, and Trust 64
3.1.4 Security Goals/Objectives 65
3.1.5 X.800 Security Services 66
3.1.6 A Modern Definition of Security Services 69
3.2 Role of Cryptography in Information Security 77
3.2.1 Cryptographic Hash Algorithms 81
3.2.2 Encryption Algorithms 86
3.2.3 Cryptanalysis and Other Key Issues 101
3.2.4 Key Management 108
3.2.5 Cryptographic Authentication 112
3.3 Key Management Revisited 120
3.4 Chapter Summary 121
3.5 Further Reading and Resources 122
4 Authentication of Subjects 123
4.1 Authentication Systems 123
4.1.1 Kerberos-Based Authentication 124
4.1.2 Public-Key Infrastructure 128
4.1.3 Remote Authentication Dial-in User Service and EAP 144
4.1.4 Diameter 149
4.1.5 Secure Electronic Transactions (SET) 150
4.1.6 Authentication Systems Summary 154
4.2 Human Authentication 154
4.2.1 What the Subject Has Factor 155
4.2.2 What the Subject Knows Factor 155
4.2.3 What the Subject Is Factor 156
4.2.4 Where the Subject Is Factor 157
4.2.5 Combinations of Factors 157
4.2.6 Rainbow Tables 158
4.2.7 Proxies for Humans 159
4.3 Chapter Summary 167
4.4 Further Reading and Resources 168
5 Security Systems Engineering 169
5.1 Security Policy Development 170
5.2 Senior Management Oversight and Involvement 170
5.3 Security Process Management and Standards 170
5.3.1 ISO 27002 172
5.3.2 ISO 27001 185
5.3.3 Policy Hierarchy 186
5.3.4 An Enterprise Security Policy Example 189
5.3.5 COBIT 189
5.3.6 Information Technology Infrastructure Library 194
5.3.7 Federal Information Security Management Act (FISMA) 196
5.4 Information Security Systems Engineering Methodology 199
5.4.1 Existing Asset Inventory and Classification 201
5.4.2 Vulnerabilities, Threats, and Risk 203
5.4.3 Dealing with Risk 224
5.4.4 Risk Management Framework 232
5.4.5 Risk Assignment 240
5.5 Requirements Analysis and Decomposition 240
5.6 Access Control Concepts 244
5.6.1 Subjects, Objects, and Access Operations 245
5.6.2 Mandatory Access Control using a Matrix or Lattice Approach 246
5.6.3 Discretionary Access Control using an Access Control List Approach 246
5.6.4 Mandatory Access Control using a Capability List Approach 247
5.6.5 Administrative Tasks in Access Control Methods 248
5.6.6 Role-Based Access Control (RBAC) 249
5.7 Security Modeling and Security-Related Standards 251
5.7.1 Confidentiality Policies and Integrity Policies 252
5.7.2 Bell-LaPadula Model 253
5.7.3 Graham-Denning Confidentiality Model 254
5.7.4 Chinese Wall Multilateral Confidentiality Model 255
5.7.5 Biba Integrity Model 256
5.7.6 Clark-Wilson Model 256
5.7.7 Security Model Summary 258
5.7.8 Security Standards 259
5.8 Chapter Summary 265
5.8.1 Things to Remember 266
6 Traditional Network Concepts 269
6.1 Networking Architectures 269
6.1.1 OSI Network Model 270
6.1.2 Internet Network Model 272
6.2 Types of Networks 274
6.2.1 Local Area Network (LAN) 274
6.2.2 Wireless LAN (WLAN) 277
6.2.3 Metropolitan Area Networks (MAN) 277
6.2.4 Wide Area Networks (WAN) 278
6.2.5 The Internet 279
6.2.6 Circuit Switched Networks 279
6.2.7 Supervisory Control and Data Acquisition (SCADA) Systems 284
6.2.8 Sensor Networks 288
6.2.9 Clouds 289
6.2.10 Cellular Networks 294
6.2.11 IEEE 802.16 Networks 295
6.2.12 Long-Term Evolution Networks 295
6.3 Network Protocols 295
6.3.1 Layer 1-Physical 296
6.3.2 Layer 2-Data Link Protocols 296
6.3.3 Layer 3-Internetworking Layer Protocols 310
6.3.4 Layer 4-Transport 332
6.3.5 Layer 5-User Application Protocols 342
6.3.6 Layer 5-Signaling and Control Application Protocols 349
6.3.7 Layer 5-Management Application Protocols 363
6.4 Chapter Summary 368
6.5 Further Reading and Resources 370
7 Next-Generation Networks 371
7.1 Framework and Topology of the NGN 372
7.1.1 Functional Entities and Groups 372
7.1.2 Domains 373
7.1.3 Interfaces 374
7.1.4 Protocol Layers, Functional Planes, and Interfaces 376
7.2 The NGN Functional Reference Model 380
7.2.1 Strata 380
7.2.2 Management Functional Group 381
7.2.3 Application Functional Group 381
7.2.4 The Transport Stratum 381
7.2.5 The Service Stratum 385
7.2.6 The Service Stratum and the IP Multimedia Subsystem (IMS) 385
7.3 Relationship Between NGN Transport and Service Domains 389
7.4 Enterprise Role Model 390
7.5 Security Allocation within the NGN Transport Stratum Example 393
7.6 Converged Network Management (TMN and eTOM) 393
7.7 General Network Security Architectures 401
7.7.1 The ITU-T X.800 Generic Architecture 402
7.7.2 The Security Frameworks (X.810-X.816) 402
7.7.3 The ITU-T X.805 Approach to Security 403
7.8 Chapter Summary 405
7.9 Further Reading and Resources 405
8 General Computer Security Architecture 409
8.1 The Hardware Protects the Software 410
8.1.1 Processor States and Status 411
8.1.2 Memory Management 412
8.1.3 Interruption of Processor Activity 420
8.1.4 Hardware Encryption 421
8.2 The Software Protects Information 424
8.3 Element Security Architecture Description 426
8.3.1 The Kernel 429
8.3.2 Security Contexts 430
8.3.3 Security-Critical Functions 432
8.3.4 Security-Related Functions 435
8.4 Operating System (OS) Structure 435
8.4.1 Security Management Function 437
8.4.2 Networking Subsystem Function 437
8.5 Security Mechanisms for Deployed Operating Systems (OSs) 437
8.5.1 General Purpose (GP) OSs 438
8.5.2 Minimized General Purpose Operating Systems 438
8.5.3 Embedded ("Real-Time") Operating Systems 449
8.5.4 Basic Input-Output Systems (BIOS) 451
8.6 Chapter Summary 456
8.7 Further Reading and Resources 460
9 Computer Software Security 461
9.1 Specific Operating Systems (OSs) 461
9.1.1 Unix and Linux Security 462
9.1.2 Solaris Operating System and Role-Based Access Controls 473
9.1.3 Windows OSs 476
9.1.4 Embedded OSs 496
9.2 Applications 498
9.2.1 Application Security Issues 498
9.2.2 Malicious Software (Malware) 503
9.2.3 Anti-malware Applications 512
9.3 Chapter Summary 515
9.4 Further Reading and Resources 516
10 Security Systems Design-Designing Network Security 517
10.1 Introduction 517
10.2 Security Design for Protocol Layer 1 520
10.2.1 Wired and Optical Media 520
10.2.2 Wireless Media 522
10.3 Layer 2-Data Link Security Mechanisms 524
10.3.1 IEEE 802.1x 524
10.3.2 IEEE 802.1ae 525
10.3.3 IEEE 802.11 WPA and 802.11i 528
10.4 Security Design for Protocol Layer 3 530
10.4.1 IP Security (IPsec) 530
10.5 IP Packet Authorization and Access Control 558
10.5.1 Network and Host Packet Filtering 559
10.5.2 The Demilitarized Zone 563
10.5.3 Application-Level Gateways 564
10.5.4 Deep-Packet Inspection (DPI) 567
10.6 Chapter Summary 571
10.7 Further Reading and Resources 571
11 Transport and Application Security Design and Use 573
11.1 Layer 4-Transport Security Protocols 573
11.1.1 TLS, DTLS, and SSL 574
11.1.2 Secure Shell (SSH) 581
11.1.3 Comparison of SSL, TLS, DTLS, and IPsec 581
11.2 Layer 5-User Service Application Protocols 582
11.2.1 Email 583
11.2.2 World Wide Web (Web) and Identity Management 589
11.2.3 Voice over Internet Protocol (VoIP) 596
11.2.4 DNS Security Extensions 605
11.2.5 Instant Messaging and Chat 608
11.2.6 Peer-to-Peer Applications 615
11.2.7 Ad hoc Networks 616
11.2.8 Java 618
11.2.9 .NET 622
11.2.10 Common Object Request Broker Architecture (CORBA) 624
11.2.11 Distributed Computing Environment 626
11.2.12 Dynamic Host Configuration Protocol Security 630
11.3 Chapter Summary 632
11.4 Further Reading and Resources 632
12 Securing Management and Managing Security 633
12.1 Securing Management Applications 633
12.1.1 Management Roots 633
12.1.2 The Telecommunications Management Network 634
12.1.3 TMN Security 640
12.1.4 Management of Security Mechanisms 642
12.1.5 A Security Management Framework 645
12.2 Operation, Administration, Maintenance, and Decommissioning 648
12.2.1 Operational Security Mechanisms 649
12.2.2 Operations Security 654
12.2.3 Operations Compliance 664
12.3 Systems Implementation or Procurement 671
12.3.1 Development 672
12.3.2 Procurement 673
12.3.3 Forensic Tools 681
12.4 Chapter Summary 681
12.5 Further Reading and Resources 681
About the Author 683
Glossary 685
Index 725
1 What Is Security?
1.1 Introduction
The central role of computer security for the working of the economy, the defense of the country, and the protection of our individual privacy is universally acknowledged today. This is a relatively recent development; it has resulted from the rapid deployment of Internet technologies in all fields of human endeavor and throughout the world that started at the beginning of the 1990s. Mainframe computers have handled secret military information and personal computers have stored private data from the very beginning of their existence in the mid-1940s and 1980s, respectively. However, security was not a crucial issue in either case: the information could mostly be protected in the old-fashioned way, by physically locking up the computer and checking the trustworthiness of the people who worked on it through background checks and screening procedures. What has radically changed and made the physical and administrative approaches to computer security insufficient is the interconnectedness of computers and information systems. Highly sensitive economic, financial, military, and personal information is stored and processed in a global network that spans countries, governments, businesses, organizations, and individuals. Securing this cyberspace is synonymous with securing the normal functioning of our daily lives.
Secure information systems must work reliably despite random errors, disturbances, and malicious attacks. Mechanisms incorporating security measures are not just hard to design and implement but can also backfire by decreasing efficiency, sometimes to the point of making the system unusable. This is why some programmers used to look at security mechanisms as an unfortunate nuisance; they require more work, do not add new functionality, and slow down the application and thus decrease usability. The situation is similar when adding security at the hardware, network, or organizational level: increased security makes the system clumsier and less fun to use; just think of the current airport security checks and contrast them to the happy (and now so distant) pre-September 11, 2001 memories of buying your ticket right before boarding the plane. Nonetheless, systems must work, and they must be secure; thus, there is a fine balance to maintain between the level of security on one side and the efficiency and usability of the system on the other. One can argue that there are three key attributes of information systems:
- Processing capacity (speed)
- Convenience (user friendliness)
- Secure, reliable operation
The process of securing these systems is finding an acceptable balance of these attributes.
1.2 The Subject of Security
Security is a word used to refer to many things, so its use has become somewhat ambiguous. Here we will try to clarify just what security focuses on. Over the years, the subject of information security has been considered from a number of perspectives, as a concept, a function, and a subject area. We will discuss each of these perspectives and examine their value.
1.2.1 Branches of Security
A concept approach treats security as a set of related activity areas, or branches. Figure 1.1 shows the security-related areas typically considered. Note that the areas are mutually dependent. The rings in Figure 1.1 do not define a hierarchy among the different areas of security; they express a layered approach to achieving cost-effective information security.
Figure 1.1 Areas of security
Each security area focuses on a specific need to erect a barrier against inappropriate use of, or access to, the assets (information, capabilities, property, equipment, personnel, processes, etc.) considered valuable to an organization. Since there are now multiple avenues (approaches) by which assets can be targeted, multiple security area activities are necessary. Physical security capabilities are necessary to control physical access to:
- buildings, rooms, and offices;
- equipment used for processing, storing, transferring, or accessing information; and
- the cables used for communicating information between facilities, buildings, and even between individual systems within a building, floor, or rooms.
Personnel security processes and procedures are necessary to:
- ensure that an organization's employees have been accurate in representing who they are and that academic or professional credentials and past experience are valid;
- verify the identities and validate the reasons for nonemployee (guests, visitors, service/supply personnel) access to the organization's facilities or other assets;
- ensure that the organization's security-related policies and procedures conform to legal constraints on employment, document disciplinary actions, and define the conditions for termination of employment; and
- inform both new and continuing employees as to what the organization considers necessary, acceptable, and unacceptable behavior.
Network security technology, processes, and procedures are necessary to ensure that:
- data transferred between networked devices is adequately protected from tampering, misuse, or destruction;
- networked devices are appropriately managed, monitored, and utilized; and
- networking resources are used only for acceptable activities.
Computer security spans all aspects of computing equipment, that is, hardware, software, usage, and administration (e.g., the device, data, applications/operating systems, operations, and database subareas), and is necessary to ensure that these are:
- adequately protected from tampering, misuse, or destruction;
- appropriately managed and monitored;
- utilized for organization sanctioned activities and purposes; and
- available to support organization activities, processes, and functions.
Frequently, security discussions focus primarily on networks, their links and interconnecting equipment, and on securing operating systems and applications. However, network security alone is not enough: attackers can exploit weaknesses in the other areas to bypass the network security mechanisms in place. Network and computer security both need to be considered together with the other branches of security. The reader should remember that the term "information security" is generally used to refer to concepts, mechanisms, activities, and objectives that span all of the security areas mentioned above.
Regardless of which security area/branch is under discussion, the following three views of security measures can be applied to any situation: defense, deterrence, and detection. These are known as the three Ds of security.
- Defense: protect assets first. The assets and network areas to be protected should be analyzed before any protective measures are adopted. Defense measures reduce the likelihood of an attack and lessen the risk of damage; a lack of defensive measures leaves sensitive information exposed and leads to losses. Installing a firewall, for example, is a good defensive measure, but it is not enough on its own. The other two modes of security, deterrence and detection, should not be ignored.
- Deterrence: reduce the frequency of security compromises. With deterrence mechanisms and policies in place, attackers have to expend more effort and thus run a greater risk of discovery. Within an organization, deterrence policies are enforced through the threat of discipline or termination if company policies (on email, web browsing, etc.) are violated. Entering a computer network without authorization is illegal in most jurisdictions, and laws are in place to prosecute and punish intruders. Intruders who know that their activities are being monitored will likely think twice before attacking a system.
- Detection: sound the alarm. Unfortunately, in practice, detection is the least implemented of the three and is often neglected. Without detective controls in place, a security breach can go unnoticed for a long time.
Each of the three Ds is important and complements the others. A security program that spans all three D categories provides strong protection. The following are examples of how each strategy can be implemented:
- Defensive controls: firewalls, access lists in routers, spam filters, virus filters, etc.
- Deterrent controls: email notices to employees, posting of Internet sites visited, display of their IP addresses to external visitors, etc.
- Detective controls: audit trails, log files, intrusion detection systems, summary reports, etc.
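As an added illustration of the defensive and detective controls listed above (example code written for this page, not from the book), the Python below implements a first-match, default-deny packet filter over a constructed rule set, and a brute-force detector that runs over constructed sshd-style log lines and alerts only when the failures cluster inside a time window. The rule set, host name, addresses, and log lines are invented, and `filter_packet` and `detect_bruteforce` are this example's own names. Deterrence is left out because it is a policy and legal control rather than something code enforces.

```python
"""Added example (not from the book): one defensive and one detective
control from the three Ds, run on constructed data."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Defensive control: a stateless packet filter. The first matching rule wins
# and a packet matching no rule is dropped (default deny). Invented rule set.
FILTER_RULES = [
    ("allow", "10.0.0.0/8", 22),    # SSH only from the internal network
    ("allow", "0.0.0.0/0", 443),    # HTTPS from anywhere
    ("deny", "0.0.0.0/0", None),    # explicit catch-all; None means any port
]


def filter_packet(src_ip, dst_port, rules=FILTER_RULES):
    """Return 'allow' or 'deny' for a packet; no matching rule means deny."""
    src = ipaddress.ip_address(src_ip)
    for action, net, port in rules:
        if src in ipaddress.ip_network(net) and port in (None, dst_port):
            return action
    return "deny"


# Detective control: brute-force detection over sshd-style auth log lines.
# The log lines below are constructed for this example, not real captures.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Mar  3 10:00:03 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 50123 ssh2
Mar  3 10:00:04 bastion sshd[4121]: Failed password for root from 203.0.113.9 port 50124 ssh2
Mar  3 10:00:06 bastion sshd[4121]: Failed password for root from 203.0.113.9 port 50125 ssh2
Mar  3 10:00:07 bastion sshd[4121]: Failed password for root from 203.0.113.9 port 50126 ssh2
Mar  3 10:00:09 bastion sshd[4130]: Accepted publickey for alice from 10.0.0.5 port 60012 ssh2
Mar  3 10:03:30 bastion sshd[4140]: Failed password for bob from 10.0.0.7 port 60100 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window_s=60, year=2024):
    """Return {source_ip: total_failures} for every source that produced at
    least `threshold` failed logins within any `window_s`-second span.
    Syslog timestamps carry no year, so one is assumed for parsing."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not failures
        ts_text = " ".join(m["ts"].split())  # collapse syslog's padded day field
        failures[m["ip"]].append(
            datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        )

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                alerts[ip] = len(times)
                break
    return alerts


if __name__ == "__main__":
    for src, port in [("10.1.2.3", 22), ("203.0.113.9", 22), ("203.0.113.9", 443)]:
        print(f"{src}:{port} -> {filter_packet(src, port)}")
    print("brute-force sources:", detect_bruteforce(SAMPLE_LOG))
```

Running the module prints the filter decisions and a single alert for 203.0.113.9. The sliding window is the point of the detective logic: five failures inside eight seconds from one address is an attack signal, while a lone typo from 10.0.0.7 is not, and a threshold counted over the whole log would not tell them apart.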
1.2.2 Defining Security by Function
Alternatively, security can be categorized under the following functional areas:
- Risk avoidance
- Deterrence
- Prevention
- Detection
- Recovery
1.2.2.1 Risk Avoidance
An enterprise should perform a risk assessment that identifies the value of each component and the risk it poses to the system as a whole, and should adopt strategies that reduce the likelihood of damaging behavior or activity. Risk avoidance includes deciding which components are required and which are optional; components include hardware, services, processes, and applications. The components should be documented and reviewed, and the assessments of their value and risk accepted by all parties in the organization.
1.2.2.2...