Clark–Wilson Model

  • Subjects can access objekcts only by autorized Programms (Access tripple)
  • Segregation of duty is enforced
  • Auditing is requred

Brewer and Nash

  • Dynamic changing access model that protects against conflicts of interest
  • Chinese Wall Model
  • Maybe in a legal firm processing two parts of a case in the same company

Security Modes

Dedicaded Security Mode

All users must have:

  • Proper clearance for all information on the system
  • Formal approval for all information on the system
  • Signed an NDA
  • Valid Need-To-Know for all Information
  • All users can access all data

System High-Security Mode

All users must have:

  • Proper clearance for all information on the system
  • Formal approval for all information on the system
  • Signed an NDA
  • Valid Need-To-Know for some Information
  • All users can access some information based on the Need-To-Know

Comparted Security Mode

All users must have:

  • Proper clearance for highest level of data classification on the system
  • Formal approval for some information on the system
  • Signed an NDA
  • Valid Need-To-Know for some Information
  • All users can access some information based on the Need-To-Know

Multilevel Security Mode

All users must have:

  • Proper clearance for some information on the system
  • Formal approval for some information on the system
  • Signed an NDA
  • Valid Need-To-Know for some Information
  • All users can access some information based on the Need-To-Know

System Evaluation Methods

Trusted Computer System Evaluation Criteria (TCSEC)

Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information. The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications.

Policy

  • Mandatory Security Policy – Enforces access control rules based directly on an individual's clearance, authorization for the information and the confidentiality level of the information being sought. Other indirect factors are physical and environmental. This policy must also accurately reflect the laws, general policies and other relevant guidance from which the rules are derived.
  • Marking – Systems designed to enforce a mandatory security policy must store and preserve the integrity of access control labels and retain the labels if the object is exported.
  • Discretionary Security Policy – Enforces a consistent set of rules for controlling and limiting access based on identified individuals who have been determined to have a need-to-know for the information.

Accountability

  • Identification – The process used to recognize an individual user.
  • Authentication – The verification of an individual user's authorization to specific categories of information.
  • Auditing – Audit information must be selectively kept and protected so that actions affecting security can be traced to the authenticated individual.

Assurance

  • Operational Assurance: System Architecture, System Integrity, Covert Channel Analysis, Trusted Facility Management, and Trusted Recovery
  • Life-cycle Assurance : Security Testing, Design Specification and Verification, Configuration Management, and Trusted System Distribution
  • Continuous Protection Assurance – The trusted mechanisms that enforce these basic requirements must be continuously protected against tampering or unauthorized changes.

Divisions and classes

  • D – Minimal protection
  • C – Discretionary protection
  • B – Mandatory protection
  • A – Verified protection

Trusted Computer System Evaluation Criteria (TCSEC)

The Information Technology Security Evaluation Criteria (ITSEC) is a structured set of criteria for evaluating computer security within products and systems. The ITSEC was first published in May 1990 in France, Germany, the Netherlands, and the United Kingdom based on existing work in their respective countries. Following extensive international review, Version 1.2 was subsequently published in June 1991 by the Commission of the European Communities for operational use within evaluation and certification schemes.

Common Criteria

A description of each of the seven levels of assurance follows:

  • EAL 0—Inadequate assurance
  • EAL 1—Functionality tested
  • EAL 2—Structurally tested
  • EAL 3—Methodically checked and tested
  • EAL 4—Methodically designed, tested, and reviewed
  • EAL 5—Semiformally designed and tested
  • EAL 6—Semiformally verified designed and tested
  • EAL 7—Formally verified designed and tested

The protection profile is divided into the following five sections:

  • Rationale
  • Evaluation assurance requirements
  • Descriptive elements
  • Functional requirements
  • Development assurance requirements

Accreditation vs Certification

Certification represents a written assurance by a third party of the conformity of a product, process or service to specified requirements. Accreditation, on the other hand, is the formal recognition by an authoritative body (Management) of the competence to work to specified standards.

Threats to systems

  • Maintenance hooks are a back door by the developer to get back into the system
  • Time-Of-Check/Time-Of-Use Attack (See race conditions)