Slide 1 - McGraw Hill Higher Education

Download Report

Transcript Slide 1 - McGraw Hill Higher Education

Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker
Chapter 14
Ensuring the Secure Use of
Software
McGraw-Hill/Irwin
Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.
Objectives
Define the requirements of application and
system software security
 Use processes for securing operating systems
 Structure and execute an operational process to
secure applications
 Describe software assurance methods

14-2
Software Assurance

Software is the weakest link in electronic
security process because it is both intangible
and complex


Most successful attacks result from the
exploitation of defects in commercial software
Important user actions include:
Securing operating system configuration
 Securing network management
 Ensuring that applications software does not
breach security and integrity
 Securing management of databases
 Data transmission services and encryption

14-3
Configuring the Operating System for
Security

Architectural design of the operating system
determines the effectiveness of its security

Most commercially available operating systems
offer
• Basic preprogrammed functions
• Capability to adapt functions provided by the system

Operating systems allow security administrators
to embed trust relationships into the system
processes

14-4
Involves establishing and maintaining access
rights of every user and process
Types: Assigning the Proper Label

Access control at the system level requires the
definition of access types
Label may apply to a structure, class, module,
defined interface, or user
 Types serve as the basis for making the
automated decisions about:

• The form of the access
• The permissions that will be assigned to each request
Type is determined based on attributes, roles,
and relationships that each object possesses
within the system
 Establishing types is an ongoing function for
system administrators

14-5
Types: Assigning the Proper Label
Reference monitor is software that is interposed
between all subjects and objects within the
system
 Reference monitors provide four types of
services:

Link access control to a set of specified policies
 Monitor and regulate access based on policies
 Allow policies to be updated easily
 Log the degree of conformance of the
accumulated requests

14-6
Types: Assigning the Proper Label

14-7
Access process
Rights: Ensuring the Proper Access

Rights are the specific controls, restrictions, and
rules granted to a given subject upon access or
which apply to a particular object
Assigned and managed for each access attempt
 Granted by the administrator
 Administrator pre-establishes the actions through
internal access control tables

• May be part of the reference monitor and is similar to
the access control lists (ACL)

14-8
Assignment of rights determines the access
privileges granted to an object at a particular time
Policies and Operating System
Configuration

Policies establish the access control
requirements implemented and enforced by the
operating system at its interfaces

Complete and correct set of policies:
• Ensures a high degree of organizational control at the
automatic or system level
• Guarantees that system operations will be aligned with
the security requirements of the organization
14-9
Application Management Software and
Security

Application security includes the measures
installed to secure:
The applications themselves
 The practices to configure and manage securely
subsequent application use


Application assurance – increasingly critical
because Internet applications no longer load
and operate in isolation

Gained by identifying threats and ensuring
against application vulnerabilities by
• Patching them
• Reconfiguring the system to prevent exploitation
14-10
Scope of Application Security

Ensuring application: necessity of secure use

Secure use – actions to ensure software security
while it is in the operational environment
• Provides assurance that software will continue to
achieve its confidentiality, integrity, and availability
goals
• Establishes the appropriate level of confidence in the
entire portfolio of software items because they are
inter-connected
14-11
Scope of Application Security

Forms of secure use

Proactive
• Identification of threats and vulnerabilities
• Creation, assessment, and optimization of security solutions
• Implementation of controls to protect software and information

Reactive
• Threat response
• Detection of and reaction to intrusions or security violations
• Disaster recovery

14-12
Ensured by operational assurance, operational
analysis, and problem-resolution processes
Scope of Application Security

Types of response:

Proactive assurance response can be:
• Preventive
• Perfective
• Adaptive

Reactive assurance responses include:
• Corrective
• Emergency
14-13
Scope of Application Security

Types of response

14-14
The way the software receives, processes, or
transmits data must be a matter of certainty
Operational Assurance

Operational assurance is a proactive function
Uses defined policies, procedures, tools, and
standards to monitor, test, and review the
software to detect vulnerabilities or violations
 Identifies and resolves latent security and control
weaknesses present within the software
 Requires periodic performance reviews


14-15
Assurance is accomplished by monitoring the
ongoing function of the software
Ensuring Operational Effectiveness:
Making the Assurance Case

To ensure that operational assurance is done
correctly the organization should:
Assess and audit the policies, procedures, tools,
and standards used for operational assurance
 Document those assessments and audits and
make recommendations for improvement

• Standard procedure manual – steps for every activity
in the process
• Set of sanctioned actions, procedures, or protocols
that can be invoked:
• When an anticipated threat occurs
• When an unforeseen hazard occurs
14-16
Ensuring Operational Effectiveness:
Making the Assurance Case

Documented evidence (cont’d)
• Specific method for incident reporting or requesting change and
the procedures for responding to each report
• A process to ensure Business Continuity Plan
• Awareness of members with respect to secure use and time
requirement to perform them
• Precise steps taken to build awareness of correct practice
• Each employee’s specific education, training, and awareness
activities
• Explicit enforcement requirements and consequences for noncompliance
• Specification and evidence of personal agreement to the
consequences for non-compliance
• Enforcement practiced on a continuous basis
14-17
Operational Analysis

Operational analysis directly supports
operational assurance
Evaluates the consequences of vulnerabilities or
violations identified
 Goal – to understand the effect of identified
threats along with the impact of recommended
responses
 To produce valid results, all software, systems,
policies, processes, or objectives affected by that
threat must be included in the evaluation
 Wide range of considerations is necessary to
ensure a coordinated response

14-18
Operational Analysis

Areas of consideration in the development of a response
strategy might include:
• Effect of any response on the assurance case
• Type of violation, exposure, or vulnerability, and the threat that
might exploit it
• Scope of the impact and criticality of violation, exposure, or
vulnerability
• Feasible options for response
• Likelihood and feasibility of occurrence
• Safety and security impacts if a response is not implemented
• Implications of any proposed responses as they affect the
organization’s procedural infrastructure
• Resource requirements and staff capability required to implement
the response
• Feasibility and timelines for implementation
14-19
Problem Resolution

Ensures the integrity of the system or software
product is maintained throughout its life cycle
Associated activities revolve around establishing
and maintaining control mechanisms
 Guarantees the satisfactory resolution of
reported threats or violations brought to its
attention
 Confirm the long-term effectiveness of the
proposed solution
 Maintain a full set of documentation items
sufficient to warrant that the integrity of the
software has been satisfactorily assured

14-20
Problem Resolution

Importance of problem resolution in application
assurance

Sometimes established by contract
• To ensure that concerns involving threats arising from
the operational use of software do not persist
• Each reported problem is resolved quickly and that
participants know what that resolution was
It is normally conducted as a closed-loop activity
 It ensures coordination and assurance of the
chosen remediation option

14-21
Problem Resolution

Responsibilities of the process when resolution
is not required

Operational justification for not resolving a
problem or for not resolving it as soon as
possible
• Reasons might be established by factors such as the
amount of time and resources required to implement
the resolution
• Lack of current resources, difficulty, or infeasibility of
the repair, or an unwillingness to take down a critical
operational system
14-22
Problem Resolution

Ensuring the effectiveness of the resolution





14-23
Identify the appropriate change agent
Develop and document a statement of work (SOW) and
communicate it to the selected change agent
Develop and document the criteria that will be used to
test and evaluate the software to ensure that the
remediation was successful
Communicate these criteria to the change agent prior to
institution of the change process
Develop and document criteria for ensuring that the
elements and requirements of the software that must not
be modified remain unaffected
Problem Resolution

Reintegration: operationalizing the solution

Solution must be reintegrated into the array of day-to-day
functioning applications
• Decision maker who authorized the resolution must provide
approval to perform the reintegration
• Approval must be accompanied by proof of issue resolution

Reintegration is supported by comprehensive testing
programs
• It must be designed at the beginning of the resolution process
• It must certify satisfactory resolution and accurate functionality

Update and fully document the new software baseline
configuration
• Maintained under strict configuration management control
14-24
Problem Resolution

Ensuring the integrity of the solution post-change is
often continuous because changes are complex



Changes to software may eliminate vulnerabilities or
create new ones
Monitoring and evaluation must continue to understand
the long-term consequences of changes
Ensure an in-depth examination of the changed code
• Examination can include: penetration-testing, load-testing, or
other stress-testing methods
• This process continues until the designated decision maker
determines that the resolution is satisfactory

14-25
Update the range of countermeasures deployed to
enforce security status and requirements of the software
Problem Resolution

Management responsibilities for problem resolution
must certify that:



Non-concurrences identified in the testing and review
process were addressed
The problem-resolution process was properly managed
They may need to provide documentary evidence
proving:
• Resource considerations were factored into the initial
authorizations
• The resolution was authorized by the proper authority and
documentation of an approved schedule or timetable
• A capable status-accounting function involved the use of
established baselines for each software item and the ability to
document the current state of the software at all times
14-26
Certification and Accreditation of
Applications

Critical applications need to verify:
Assessment and identification are secured by an
appropriate agent
 Done using a commonly accepted process
 Findings of that process are accredited by formal
certification
 Re-accreditation of the initial results will be
confirmed on a periodic basis
 Intervals for re-accreditation are specified by
organizational policy and/or external regulation

• Good practice: Conduct audits using a legitimate thirdparty agency
14-27
Certification and Accreditation of
Applications

Role of audit in certifying applications
 Principal condition required for the audit process
is the independence of the auditing agent
• Entity must be empowered and able to operate
independent of the group undergoing the audit
• Must be guaranteed that an audit is based on
objective evidence and is conducted without bias
• Agents must be situated sufficiently far enough from
the group to ensure impartial execution
14-28
Certification and Accreditation of
Applications

Common Criteria has established a formal
certification infrastructure of trusted independent
evaluation labs for the universal certification of
the security levels of application software
• National Information Assurance Partnership (NIAP)
conducted under the sponsorship of the National
Security Agency (NSA)
• Third-party agencies are accredited through the
National Voluntary Laboratory Accreditation Program
(NVLAP)
• NVLAP serves as the accreditation body for certification of
NIAP Common Criteria Testing Laboratories (CCTLs)
14-29
Certification and Accreditation of
Applications

Organizing the audit process for security

Audit must be based on accepted auditing standard
• Accepted standard is the Common Criteria, but this varies based
on the situation
• Audit planning must be done in accordance with the applicable
audit standard and must address the specified audit objectives
• Auditor should gather reliable, pertinent, and practical evidence to
demonstrate that the audit objectives can be achieved

When the audit is completed
• Objective data and conclusions must be authenticated by suitable
analysis and justified
• Auditing agent’s report should describe the scope, objectives, and
duration of the examination, as well as the particulars of the work
performed
14-30
Certification and Accreditation of
Applications

Common Criteria: ensuring confidence in commercial
software

ISO 15408 standard, dubbed the Common Criteria
• They provide a catalogue of attributes that should be present in
any secure application
• They can serve as the basis for assessment and formal
certification of any software product
• They are a set of commonly recognized characteristics found in
trusted systems
• Their aim is to provide a rigorous examination of the security
capabilities of software by testing for an exhaustive set of useful
attributes employed to benchmark the required security behaviors
• They enumerate known security attributes that can be confirmed
through direct observation
14-31
Certification and Accreditation of
Applications

What does the common criteria do for application
security?


Provides an encyclopedic collection of standardized
security properties
Eleven generic areas of security in the standard are:
•
•
•
•
•
•
•
•
•
•
•
14-32
Security audit
Data communication
Cryptographic support
User data protection
Identification and authentication
Security management
Privacy
Protection of the security function
Resource utilization
Access
Trusted path/channels
Ensuring the Effective Security
Architecture

Security architecture
Presentation of security requirements
 Description of the discrete, formal process that
assures the development of a tangible structure
from a set of intangible requirements

14-33
Ensuring the Effective Security
Architecture

Purpose of security architecture is to ensure that
the software assets are protected by an effective
defense

14-34
Develop a defense in depth
Database Security


Due to the issues of access and interoperability,
databases are a major source of risk
Ensuring security of databases requires:


Development of a system architecture that implements
robust security functions within the database software
Development of security functions based on risk and
vulnerability assessment; refined by installation of realtime detection capabilities within DBMS
• Established based on a predefined set of rules
• Implemented by software utilities capable of discriminating
between various types of data and selectively exercising the
controls assigned

14-35
Definitions of data to be controlled are set using modeling
techniques