
Chapter 9 Security Vulnerabilities, Threats, and Countermeasures

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Domain 3: Security Architecture and Engineering

3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

3.5.1 Client-based systems

3.5.2 Server-based systems

3.5.3 Database systems

3.5.5 Industrial control systems (ICS)

3.5.6 Cloud-based systems

3.5.7 Distributed systems

3.5.8 Internet of Things (IoT)

3.6 Assess and mitigate vulnerabilities in web-based systems

3.7 Assess and mitigate vulnerabilities in mobile systems

3.8 Assess and mitigate vulnerabilities in embedded devices

In previous chapters of this book, we've covered basic security principles and the protective mechanisms put in place to prevent violation of them. We've also examined some of the specific types of attacks used by malicious individuals seeking to circumvent those protective mechanisms. Until this point, when discussing preventive measures, we have focused on policy measures and the software that runs on a system. However, security professionals must also pay careful attention to the system itself and ensure that their higher-level protective controls are not built on a shaky foundation. After all, the most secure firewall configuration in the world won't do a bit of good if the computer it runs on has a fundamental security flaw that allows malicious individuals to simply bypass the firewall completely.

In this chapter, we'll cover those underlying security concerns by conducting a brief survey of a field known as computer architecture: the physical design of computers from various components. We'll examine each of the major physical components of a computing system, hardware and firmware, from a security perspective. Obviously, the detailed analysis of a system's hardware components is not always a luxury available to you because of resource and time constraints. However, all security professionals should have at least a basic understanding of these concepts in case they encounter a security incident that reaches down to the system design level.

The Security Engineering domain addresses a wide range of concerns and issues, including secure design elements, security architecture, vulnerabilities, threats, and associated countermeasures. Additional elements of this domain are discussed in various chapters: Chapter 6, "Cryptography and Symmetric Key Algorithms," Chapter 7, "PKI and Cryptographic Applications," Chapter 8, "Principles of Security Models, Design, and Capabilities," and Chapter 10, "Physical Security Requirements." Please be sure to review all of these chapters to have a complete perspective on the topics of this domain.

Assess and Mitigate Security Vulnerabilities

Computer architecture is an engineering discipline concerned with the design and construction of computing systems at a logical level. Many college-level computer engineering and computer science programs find it difficult to cover all the basic principles of computer architecture in a single semester, so this material is often divided into two one-semester courses for undergraduates. Computer architecture courses delve into the design of central processing unit (CPU) components, memory devices, device communications, and similar topics at the bit level, defining processing paths for individual logic devices that make simple "0 or 1" decisions. Most security professionals do not need that level of knowledge, which is well beyond the scope of this book and the CISSP exam. However, if you will be involved in the security aspects of the design of computing systems at this level, you would be well advised to conduct a more thorough study of this field.

This initial discussion of computer architecture may seem at first to be irrelevant to CISSP, but most of the security architectures and design elements are based on a solid understanding and implementation of computer hardware.

The more complex a system, the less assurance it provides. More complexity means that more areas for vulnerabilities exist and more areas must be secured against threats. More vulnerabilities and more threats mean that the subsequent security provided by the system is less trustworthy.

Hardware

Any computing professional is familiar with the concept of hardware. As in the construction industry, hardware is the physical "stuff" that makes up a computer. The term hardware encompasses any tangible part of a computer that you can actually reach out and touch, from the keyboard and monitor to its CPU(s), storage media, and memory chips. Take careful note that although the physical portion of a storage device (such as a hard disk or flash memory) may be considered hardware, the contents of those devices (the collections of 0s and 1s that make up the software and data stored within them) may not. After all, you can't reach inside the computer and pull out a handful of bits and bytes!

Processor

The central processing unit (CPU), generally called the processor or the microprocessor, is the computer's nerve center: it is the chip (or chips in a multiprocessor system) that governs all major operations and either directly performs or coordinates the complex symphony of calculations that allows a computer to perform its intended tasks. Surprisingly, the CPU is capable of performing only a limited set of computational and logical operations, despite the complexity of the tasks it allows the computer to perform. It is the responsibility of compilers and interpreters to translate the high-level programming languages used to design software into the simple machine instructions that a CPU understands, with the operating system providing the services those programs call on at run time. This limited range of functionality is intentional; it allows a CPU to perform computational and logical operations at blazing speeds.

For an idea of the magnitude of the progress in computing technology over the years, view the Moore's Law article at http://en.wikipedia.org/wiki/Moore’s_law.

Execution Types

As computer processing power increased, users demanded more advanced features to enable these systems to process information at greater rates and to manage multiple functions simultaneously. Computer engineers devised several methods to meet these demands:

At first blush, the terms multitasking, multicore, multiprocessing, multiprogramming, and multithreading may seem nearly identical. However, they describe very different ways of approaching the "doing two things at once" problem. We strongly advise that you take the time to review the distinctions between these terms until you feel comfortable with them.

Multitasking: In computing, multitasking means handling two or more tasks simultaneously. In the past, most systems did not truly multitask because they relied on the operating system to simulate multitasking by carefully structuring the sequence of commands sent to the CPU for execution. When a processor was humming along at multiple gigahertz, it was hard to tell that it was switching between tasks rather than working on two tasks at once. A single-core multitasking system is able to juggle more than one task or process at any given time.

Multicore: Today, most CPUs are multicore. This means that what was previously a single CPU or microprocessor chip is now a chip containing two, four, eight, or potentially dozens of independent execution cores that can operate simultaneously.

Multiprocessing: In a multiprocessing environment, a multiprocessor computing system (that is, one with more than one CPU) harnesses the power of more than one processor to complete the execution of a multithreaded application. For example, a database server might run on a system that contains four, six, or more processors. If the database application receives a number of separate queries simultaneously, it might send each query to a separate processor for execution.

Two types of multiprocessing are most common in modern systems with multiple CPUs. The scenario just described, where a single computer contains multiple processors that are treated equally and controlled by a single operating system, is called symmetric multiprocessing (SMP). In SMP, processors share not only a common operating system but also a common data bus and memory resources. In this type of arrangement, systems may use a large number of processors. Fortunately, this type of computing power is more than sufficient to drive most systems.

Some computationally intensive operations, such as those that support the research of scientists and mathematicians, require more processing power than a single operating system can deliver. Such operations may be best served by a technology known as massively parallel processing (MPP). MPP systems house hundreds or even thousands of processors, each of which has its own operating system and memory/bus resources. When the software that coordinates the entire system's activities and schedules them for processing encounters a computationally intensive task, it assigns responsibility for the task to a single processor. This processor in turn breaks the task up into manageable parts and distributes them to other processors for execution. Those processors return their results to the coordinating processor, where they are assembled and returned to the requesting application. MPP systems are extremely powerful (not to mention extremely expensive!) and are used in a great deal of computing or computational-based research.

Both types of multiprocessing provide unique advantages and are suitable for different types of situations. SMP systems are adept at processing simple operations at extremely high rates, whereas MPP systems are uniquely suited for processing very large, complex, computationally intensive tasks that lend themselves to decomposition and distribution into a number of subordinate parts.

Multiprogramming: Multiprogramming is similar to multitasking. It involves the pseudo-simultaneous execution of two tasks on a single processor coordinated by the operating system as a way to increase operational efficiency. For the most part, multiprogramming is a way to batch or serialize multiple processes so that when one process stops to wait on a peripheral, its state is saved and the next process in line begins to process. The first program does not return to processing until all other processes in the batch have had their chance to execute and they in turn stop for a peripheral. For any single program, this methodology causes significant delays in completing a task. However, across all processes in the batch, the total time to complete all tasks is reduced.

Multiprogramming is considered a relatively obsolete technology and is rarely found in use today except in legacy systems. There are two main differences between multiprogramming and multitasking:

Multiprogramming usually takes place on large-scale systems, such as mainframes, whereas multitasking takes place on personal computer (PC) operating systems, such as Windows and Linux.

Multitasking is normally coordinated by the operating system, whereas multiprogramming requires specially written software that coordinates its own activities and execution through the operating system.

Multithreading: Multithreading permits multiple concurrent tasks to be performed within a single process. Unlike multitasking, where multiple tasks occupy multiple processes, multithreading permits multiple tasks to operate within a single process. A thread is a self-contained sequence of instructions that can execute in parallel with other threads that are part of the same parent process. Multithreading is often used in applications where frequent context switching between multiple active processes consumes excessive overhead and reduces efficiency. In multithreading, switching between threads incurs far less overhead and is therefore more efficient. Many Intel CPUs since the 2002 release of Xeon have included the proprietary multithreading technology known as hyperthreading, which presents two logical processors per physical core in order to allow for the concurrent scheduling of tasks. In modern Windows implementations, for example, the overhead involved in switching from one thread to another within a single process is on the order of 40 to 50 instructions, with no substantial memory transfers needed. By contrast, switching from one process to another involves 1,000 instructions or more and requires substantial memory transfers as well.

The cheap switch comes at a price worth remembering: threads share one address space, so every thread in a process can read and write the same memory, and a flaw in any one thread exposes everything the process holds. Threads give efficiency, not the isolation that separate processes provide. The two logical processors of a hyperthreaded core likewise share that core's caches and execution units, which has made them a vehicle for side-channel attacks between otherwise isolated workloads; hardened deployments sometimes disable hyperthreading for that reason.

A good example of multithreading occurs when multiple documents are opened at the same time in a word processing program. In that situation, you do not actually run multiple instances of the word processor; this would place far too great a demand on the system. Instead, each document is treated as a single thread within a single word processor process, and the software chooses which thread it works on at any given moment.

Symmetric multiprocessing systems use threading at the operating system level. As in the word processing example just described, the operating system also contains a number of threads that control the tasks assigned to it. In a single-processor system, the operating system (OS) sends one thread at a time to the processor for execution. SMP systems send one thread to each available processor for simultaneous execution.

Processing Types

Many high-security systems control the processing of information assigned to various security levels, such as the classification levels of unclassified, sensitive, confidential, secret, and top secret that the U.S. government assigns to information related to national defense. Computers must be designed so that they do not (ideally, so that they cannot) inadvertently disclose information to unauthorized recipients.

Computer architects and security policy administrators have addressed this problem at the processor level in two different ways. One is through a policy mechanism, whereas the other is through a hardware solution. The following list explores each of those options:

Single State: Single-state systems require the use of policy mechanisms to manage information at different levels. In this type of arrangement, security administrators approve a processor and system to handle only one security level at a time. For example, a system might be labeled to handle only secret information. All users of that system must then be approved to handle information at the secret level. This shifts the burden of protecting the information being processed on a system away from the hardware and operating system and onto the administrators who control access to the system.

Multistate: Multistate systems are capable of implementing a much higher level of security. These systems are certified to handle multiple security levels simultaneously by using specialized security mechanisms such as those described in the next section, "Protection Mechanisms." These mechanisms are designed to prevent information from crossing between security levels. One user might be using a multistate system to process secret information, while another user is processing top-secret information at the same time. Technical mechanisms prevent information from crossing between the two users and thereby crossing between security levels.

In actual practice, multistate systems are relatively uncommon owing to the expense of implementing the necessary technical mechanisms. The expense is sometimes justified, however: when you're dealing with a very expensive resource, such as a massively parallel system, the cost of obtaining a separate single-state system for each security level far exceeds the cost of implementing the additional security controls necessary to enable multistate operation on one such system.

Protection Mechanisms

If a computer isn't running, it's an inert lump of plastic, silicon, and metal doing nothing. When a computer is running, it operates a runtime environment that represents the combination of the operating system and whatever applications may be active. When running, the computer also has the capability to access files and other data as the user's security permissions allow. Within that runtime environment, it's necessary to integrate security information and controls to protect the integrity of the operating system itself, to manage which users are allowed to access specific data items, to authorize or deny operations requested against such data, and so forth. The ways in which running computers implement and handle security at runtime may be broadly described as a collection of protection mechanisms. What follows are descriptions of various protection mechanisms such as protection rings, operational states, and security modes.

Because the ways in which computers implement and use protection mechanisms are so important to maintaining and controlling security, you should understand how all three mechanisms covered here (rings, operational states, and security modes) are defined and how they behave. Don't be surprised to see exam questions about specifics in all three areas because this is such important stuff!

Protection Rings: The ring protection scheme is an oldie but a goodie. It dates all the way back to work on the Multics operating system. This experimental operating system was designed and built between 1963 and 1969 through the collaboration of Bell Labs, MIT, and General Electric. It saw commercial use in implementations from Honeywell. Multics has left two enduring legacies in the computing world. First, it inspired the creation of a simpler, less intricate operating system called Unix (a play on the word Multics), and second, it introduced the idea of protection rings to OS design.

From a security standpoint, protection rings organize code and components in an operating system (as well as applications, utilities, or other code that runs under the operating system's control) into concentric rings, as shown in Figure 9.1. The deeper inside the circle you go, the higher the privilege level associated with the code that occupies a specific ring. Though the original Multics implementation allowed up to seven rings (numbered 0 through 6), most modern operating systems use a four-ring model (numbered 0 through 3).

As the innermost ring, 0 has the highest level of privilege and can basically access any resource, file, or memory location. The part of an operating system that always remains resident in memory (so that it can run on demand at any time) is called the kernel. It occupies ring 0 and can preempt code running at any other ring. The remaining parts of the operating system (those that come and go as various tasks are requested, operations performed, processes switched, and so forth) occupy ring 1. Ring 2 is also somewhat privileged in that it's where I/O drivers and system utilities reside; these are able to access peripheral devices, special files, and so forth that applications and other programs cannot themselves access directly. Those applications and programs occupy the outermost ring, ring 3.

FIGURE 9.1 In the commonly used four-ring model, protection rings segregate the operating system into kernel, components, and drivers in rings 0 through 2, and applications and programs run at ring 3.

The essence of the ring model lies in priority, privilege, and memory segmentation. Any process that wants to execute must get in line (a pending process queue). The process associated with the lowest ring number always runs before processes associated with higher-numbered rings. Processes in lower-numbered rings can access more resources and interact with the operating system more directly than those in higher-numbered rings. Those processes that run in higher-numbered rings must generally ask a handler or a driver in a lower-numbered ring for services they need; this is sometimes called a mediated-access model. In its strictest implementation, each ring has its own associated memory segment. Thus, any request from a process in a higher-numbered ring for an address in a lower-numbered ring must call on a helper process in the ring associated with that address. In practice, many modern operating systems break memory into only two segments: one for system-level access (rings 0 through 2), often called kernel mode or privileged mode, and one for user-level programs and applications (ring 3), often called user mode. On x86 systems this means that the kernel and its device drivers all execute in ring 0, so a vulnerable driver carries the full privilege of the kernel it was loaded into.

From a security standpoint, the ring model enables an operating system to protect and insulate itself from users and applications. It also permits the enforcement of strict boundaries between highly privileged operating system components (such as the kernel) and less privileged parts of the operating system (such as other parts of the operating system, plus drivers and utilities). Within this model, direct access to specific resources is possible only within certain rings; likewise, certain operations (such as process switching, termination, and scheduling) are allowed only within certain rings.

The ring that a process occupies determines its access level to system resources (and determines what kinds of resources it must request from processes in lower-numbered, more privileged rings). Processes may access objects directly only if they reside within their own ring or within some ring outside its current boundaries (in numerical terms, for example, this means a process at ring 1 can access its own resources directly, plus any associated with rings 2 and 3, but it can't access any resources associated only with ring 0). The mechanism whereby mediated access occurs (that is, the driver or handler request mentioned previously) is usually known as a system call and usually involves invocation of a specific system or programming interface designed to pass the request to an inner ring for service. Before any such request can be honored, however, the called ring must check to make sure that the calling process has the right credentials and authorization to access the data and to perform the operation(s) involved in satisfying the request. That check belongs to the called ring, never to the caller: a system call boundary that trusts the arguments or the identity a user-mode caller supplies is the classic way the ring model gets bypassed.
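The two rules just described (a process touches its own ring and outer rings directly, and asks an inner ring through a system call that validates the caller) can be captured in a small model. The following is an added example written for this chapter, not code from the study guide or from any operating system; the ring constants follow the four-ring model above, while the resource table, the per-resource list of permitted uids and the process records are constructed for the illustration. A real kernel enforces the same rules with hardware privilege bits and in its system-call dispatcher.

```python
"""Toy model of the four-ring protection scheme and mediated access.

Added example, not code from the study guide. The resource table, the
permitted-uid sets and the process records are constructed for the
illustration; a real kernel enforces the same two rules in hardware
(segment and page privilege bits) and in its system-call dispatcher.
"""
from dataclasses import dataclass, field

KERNEL, OS_COMPONENTS, DRIVERS, APPLICATIONS = 0, 1, 2, 3


@dataclass(frozen=True)
class Resource:
    name: str
    ring: int                  # ring whose memory segment holds the resource
    permitted_uids: frozenset  # assumed credential check performed by the inner ring


@dataclass
class Process:
    pid: int
    ring: int
    uid: int
    audit: list = field(default_factory=list)


# Constructed resource table, one entry per ring of the model.
RESOURCES = {
    "page_tables":     Resource("page_tables", KERNEL, frozenset({0})),
    "scheduler_queue": Resource("scheduler_queue", OS_COMPONENTS, frozenset({0})),
    "disk0":           Resource("disk0", DRIVERS, frozenset({0, 1000})),
    "report.txt":      Resource("report.txt", APPLICATIONS, frozenset({0, 1000})),
}


def can_access_directly(caller_ring: int, resource_ring: int) -> bool:
    """Rule 1: a process may touch its own ring and any outer (higher-numbered) ring."""
    return resource_ring >= caller_ring


def syscall(proc: Process, name: str) -> str:
    """Rule 2: a request for an inner ring goes through a system call, and the
    called ring (not the caller) decides whether the credentials suffice."""
    res = RESOURCES[name]
    if proc.uid not in res.permitted_uids:
        proc.audit.append(f"pid {proc.pid}: syscall for {name} denied (uid {proc.uid})")
        return "denied"
    proc.audit.append(f"pid {proc.pid}: syscall for {name} served by ring {res.ring}")
    return "mediated"


def access(proc: Process, name: str) -> str:
    """Resolve one access; returns 'direct', 'mediated' or 'denied'."""
    res = RESOURCES[name]
    if can_access_directly(proc.ring, res.ring):
        proc.audit.append(f"pid {proc.pid} (ring {proc.ring}): direct access to {name}")
        return "direct"
    return syscall(proc, name)


def demo() -> dict:
    """Exercise an application, a driver and the kernel against every resource."""
    app = Process(pid=4242, ring=APPLICATIONS, uid=1000)
    driver = Process(pid=17, ring=DRIVERS, uid=0)
    kernel = Process(pid=0, ring=KERNEL, uid=0)
    return {
        (p.pid, name): access(p, name)
        for p in (app, driver, kernel)
        for name in RESOURCES
    }


if __name__ == "__main__":
    for (pid, name), outcome in demo().items():
        print(f"pid {pid:>4} -> {name:<16} {outcome}")
```

Running `demo()` shows the application reaching its own file directly, reaching the disk only through a mediated call, and being refused the page tables outright, while the ring 2 driver reaches the application's file directly but must still go through a system call for ring 0 data. The point to notice is where the refusal happens: inside `syscall`, on the called side.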

Process States: Also known as operating states, process states are various forms of execution in which a process may run. Where the operating system is concerned, it can be in one of two modes at any given moment: operating in a privileged, all-access mode known as supervisor state, or operating in what's called the problem state associated with user mode, where privileges are low and all access requests must be checked against credentials for authorization before they are granted or denied. The latter is called the problem state not because problems are guaranteed to occur but because the unprivileged nature of user access means that problems can occur and the system must take appropriate measures to protect security, integrity, and confidentiality.

Processes line up for execution in an operating system in a processing queue, where they will be scheduled to run as a processor becomes available. Because many operating systems allow processes to consume processor time only in fixed increments or chunks, when a new process is created, it enters the processing queue for the first time; should a process consume its entire chunk of processing time (called a time slice) without completing, it returns to the processing queue for another time slice the next time its turn comes around. Also, the process scheduler usually selects the highest-priority process for execution, so reaching the front of the line doesn't always guarantee access to the CPU (because a process may be preempted at the last instant by another process with higher priority).

According to whether a process is running, it can operate in one of several states:

Ready: In the ready state, a process is ready to resume or begin processing as soon as it is scheduled for execution. If the CPU is available when the process reaches this state, it will transition directly into the running state; otherwise, it sits in the ready state until its turn comes up. This means the process has all the memory and other resources it needs to begin executing immediately.

Waiting: Waiting can also be understood as "waiting for a resource"; that is, the process is ready for continued execution but is waiting for a device or access request (an interrupt of some kind) to be serviced before it can continue processing (for example, a database application that asks to read records from a file must wait for that file to be located and opened and for the right set of records to be found). Some references label this state as a blocked state because the process could be said to be blocked from further execution until an external event occurs.

Running: The running process executes on the CPU and keeps going until it finishes, its time slice expires, or it is blocked for some reason (usually because it has generated an interrupt for access to a device or the network and is waiting for that interrupt to be serviced). If the time slice ends and the process isn't completed, it returns to the ready state (and queue); if the process blocks while waiting for a resource to become available, it goes into the waiting state (and queue).

The running state is also often called the problem state. However, don't associate the word problem with an error. Instead, think of the problem state as you would think of a math problem being solved to obtain the answer. But keep in mind that it is called the problem state because it is possible for problems or errors to occur, just as you could do a math problem incorrectly. The problem state is separated from the supervisory state so that any errors that might occur do not easily affect the stability of the overall system; they affect only the process that experienced the error.

Supervisory: The supervisory state is used when the process must perform an action that requires privileges that are greater than the problem state's set of privileges, including modifying system configuration, installing device drivers, or modifying security settings. Basically, any function not occurring in the user mode (ring 3) or problem state takes place in the supervisory mode.

Stopped: When a process finishes or must be terminated (because an error occurs, a required resource is not available, or a resource request can't be met), it goes into a stopped state. At this point, the operating system can recover all memory and other resources allocated to the process and reuse them for other processes as needed.

Figure 9.2 shows a diagram of how these various states relate to one another. New processes always transition into the ready state. From there, ready processes always transition into the running state. While running, a process can transition into the stopped state if it completes or is terminated, return to the ready state for another time slice, or transition to the waiting state until its pending resource request is met. When the operating system decides which process to run next, it checks the waiting queue and the ready queue and takes the highest-priority job that's ready to run (so that only waiting jobs whose pending requests have been serviced, or are ready to service, are eligible in this consideration). A special part of the kernel, called the program executive or the process scheduler, is always around (waiting in memory) so that when a process state transition must occur, it can step in and handle the mechanics involved.

FIGURE 9.2 The process scheduler

In Figure 9.2, the process scheduler manages the processes awaiting execution in the ready and waiting states and decides what happens to running processes when they transition into another state (ready, waiting, or stopped).
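The transitions in Figure 9.2 can be traced with a small scheduler simulation. This is an added example written for this chapter, not code from the study guide: the quantum (`TIME_SLICE`), the priorities, the CPU bursts and the single I/O request each process may issue are constructed for the illustration, and the supervisory state is not modelled separately, since the kernel's work of servicing the I/O request is hidden inside the waiting transition. What it shows that the prose does not is the ordering effects: a higher-priority job passes the process at the front of the line, a blocked job re-enters the ready queue only when its interrupt is serviced, and the CPU idles when everything is waiting.

```python
"""Simulation of the process states described above (ready, running,
waiting, stopped) driven by a priority scheduler with a fixed time slice.

Added example, not from the study guide. TIME_SLICE, the priorities, the
bursts and the one I/O request per process are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

TIME_SLICE = 3  # assumed scheduling quantum, in clock ticks


@dataclass
class Process:
    pid: int
    priority: int                    # higher value is scheduled first
    work: int                        # CPU ticks needed to complete
    io_after: Optional[int] = None   # after this many ticks of work, block once
    io_ticks: int = 0                # ticks until that request is serviced
    done: int = 0
    io_wait: int = 0
    blocked_once: bool = False
    state: str = "new"
    history: list = field(default_factory=list)

    def enter(self, state: str, clock: int) -> None:
        self.state = state
        self.history.append((state, clock))


def pick_ready(ready: list) -> Process:
    """Highest-priority ready process; earlier queue position breaks ties,
    so the process at the front of the line can still be passed over."""
    best = max(ready, key=lambda p: p.priority)
    ready.remove(best)
    return best


def tick(clock: int, waiting: list, ready: list) -> int:
    """Advance the clock one tick; waiting processes whose request has been
    serviced (the interrupt arrived) move back to the ready queue."""
    clock += 1
    for p in list(waiting):
        p.io_wait -= 1
        if p.io_wait <= 0:
            waiting.remove(p)
            p.enter("ready", clock)
            ready.append(p)
    return clock


def schedule(procs: list) -> int:
    """Run the workload to completion and return the final clock value."""
    clock = 0
    ready, waiting = [], []
    for p in procs:
        p.enter("ready", clock)          # new processes always become ready first
        ready.append(p)
    while ready or waiting:
        if not ready:                    # CPU idle until some interrupt is serviced
            clock = tick(clock, waiting, ready)
            continue
        p = pick_ready(ready)
        p.enter("running", clock)
        for _ in range(TIME_SLICE):
            clock = tick(clock, waiting, ready)
            p.done += 1
            if p.done == p.work:
                p.enter("stopped", clock)    # finished: resources can be reclaimed
                break
            if p.io_after is not None and p.done == p.io_after and not p.blocked_once:
                p.blocked_once = True
                p.io_wait = p.io_ticks
                p.enter("waiting", clock)    # blocked on a device request
                waiting.append(p)
                break
        else:
            p.enter("ready", clock)          # time slice expired, back in line
            ready.append(p)
    return clock


def demo() -> dict:
    """Constructed workload: a low-priority job that blocks for I/O, a
    high-priority CPU-bound job, and a short low-priority job."""
    procs = [
        Process(pid=1, priority=1, work=5, io_after=2, io_ticks=3),
        Process(pid=2, priority=2, work=4),
        Process(pid=3, priority=1, work=2),
    ]
    total = schedule(procs)
    return {"clock": total, **{p.pid: p.history for p in procs}}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the constructed run, pid 2 is dispatched first despite being second in the queue, uses a full slice, returns to ready and is immediately chosen again; pid 1 blocks after two ticks and only becomes ready again at tick 9, after the CPU has sat idle for one tick because nothing else was runnable.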

Security Modes: The US government has designated four approved security modes for systems that process classified information. These are described next. In Chapter 1, "Security Governance Through Principles and Policies," we reviewed the classification system used by the federal government and the concepts of security clearances and access approval. The only new term in this context is need to know, which refers to an access authorization scheme in which a subject's right to access an object takes into consideration not just a privilege level but also the relevance of the data involved to the role the subject plays (or the job they perform). This indicates that the subject requires access to the object to perform their job properly or to fill some specific role. Those with no need to know may not access the object, no matter what level of privilege they hold. If you need a refresher on those concepts, please review them in Chapter 1 before proceeding. Three specific elements must exist before the security modes themselves can be deployed:

A hierarchical mandatory access control (MAC) environment

Total physical control over which subjects can access the computer console

Total physical control over which subjects can enter into the same room as the computer console

You will rarely, if ever, encounter the following modes outside of the world of government agencies and contractors. However, you may discover this terminology in other contexts, so you'd be well advised to commit the terms to memory.

Ded i cated Mode Ded i cated mode sys tems are es sen tially equiv a lent to the sin gle-state sys tem de scribed in the sec tion “Pro cess ing Types” ear lier in this chap ter. Three re quire ments ex ist for users of ded i cated sys tems:

Each user must have a se cu rity clear ance that per mits ac cess to all in for ma tion pro cessed by the sys tem.

Each user must have ac cess ap proval for all in for ma tion pro cessed by the sys tem.

Each user must have a valid need to know for all in for ma tion pro cessed by the sys tem.

In the def i ni tions of each of these modes, we use “all in for ma tion pro cessed by the sys tem”

for brevity. The of fi cial def i ni tion is more com pre hen sive and uses “all in for ma tion pro cessed, stored, trans ferred, or ac cessed.” If you want to ex plore the source, use an In ter net search en gine to lo cate De part ment of De fense 8510.1-M DoD In for ma tion Tech nol ogy Se cu rity Cer ti fi ca tion and Ac cred i ta tion Process (DITSCAP) Man ual.

Sys tem High Mode Sys tem high mode sys tems have slightly dif fer ent re quire ments that must be met by users:

Each user must have a valid se cu rity clear ance that per mits ac cess to all in for ma tion pro cessed by the sys tem.

Each user must have ac cess ap proval for all in for ma tion pro cessed by the sys tem.

242

Each user must have a valid need to know for some in for ma tion pro cessed by the sys tem but not nec es sar ily all in for ma tion pro cessed by the sys tem.

Note that the ma jor dif fer ence be tween the ded i cated mode and the sys tem high mode is that all users do not nec es sar ily have a need to know for all in for ma tion pro cessed on a sys tem high mode com put ing de vice. Thus, al though the same user could ac cess both a ded i cated mode sys tem and a sys tem high mode sys tem, that user could ac cess all data on the for mer but be re stricted from some of the data on the lat ter.

Com part mented mode Com part mented mode sys tems weaken these re quire ments one step fur ther:

Each user must have a valid se cu rity clear ance that per mits ac cess to all in for ma tion pro cessed by the sys tem.

Each user must have ac cess ap proval for any in for ma tion they will have ac cess to on the sys tem.

Each user must have a valid need to know for all in for ma tion they will have ac cess to on the sys tem.

No tice that the ma jor dif fer ence be tween com part mented mode sys tems and sys tem high mode sys tems is that users of a com part mented mode sys tem do not nec es sar ily have ac cess ap proval for all the in for ma tion on the sys tem. How ever, as with sys tem high and ded i cated sys tems, all users of the sys tem must still have ap pro pri ate se cu rity clear ances. In a spe cial im ple men ta tion of this mode called com part mented mode work sta tions (CMWs), users with the nec es sary clear ances can process mul ti ple com part ments of data at the same time.

CMWs re quire that two forms of se cu rity la bels be placed on ob jects: sen si tiv ity lev els and in for ma tion la bels. Sen si tiv ity lev els de scribe the lev els at which ob jects must be pro tected. These are com mon among all four of the modes. In for ma tion la bels pre vent data over clas si fi ca tion and as so ciate ad di tional in for ma tion with the ob jects, which as sists in proper and ac cu rate data la bel ing not re lated to ac cess con trol.

Mul ti level Mode The gov ern ment’s def i ni tion of mul ti level mode sys tems pretty much par al lels the tech ni cal def i ni tion given in the pre vi ous sec tion. How ever, for con sis tency, we’ll ex press it in terms of clear ance, ac cess ap proval, and need to know:

Some users do not have a valid se cu rity clear ance for all in for ma tion pro cessed by the sys tem. Thus, ac cess is con trolled by whether the sub ject’s clear ance level dom i nates the ob ject’s sen si tiv ity la bel.

Each user must have ac cess ap proval for all in for ma tion they will have ac cess to on the sys tem.

Each user must have a valid need to know for all in for ma tion they will have ac cess to on the sys tem.

As you look through the re quire ments for the var i ous modes of op er a tion ap proved by the fed eral gov ern ment, you’ll no tice that the ad min is tra tive re quire ments for con trol ling the types of users that ac cess a sys tem de crease as you move from ded i cated sys tems down to mul ti level sys tems. How ever, this does not de crease the im por tance of lim it ing in di vid ual ac cess so that users can ob tain only the in for ma tion they are le git i mately en ti tled to ac cess. As dis cussed in the pre vi ous sec tion, it’s sim ply a mat ter of shift ing the bur den of en forc ing these re quire ments from ad min is tra tive per son nel (who phys i cally limit ac cess to a com puter) to the hard ware and soft ware (which con trol what in for ma tion can be ac cessed by each user of a multi user sys tem).

Mul ti level se cu rity mode can also be called the con trolled se cu rity mode.

Ta ble 9.1 sum ma rizes and com pares these four se cu rity modes ac cord ing to se cu rity clear ances re quired, need to know, and the abil ity to process data from mul ti ple clear ance lev els (ab bre vi ated PDMCL). When com par ing all four se cu rity modes, it is gen er ally un der stood that the mul ti level mode is ex posed to the high est level of risk.

TA BLE 9.1 Com par ing se cu rity modes

Mode Clear ance Need to know PDMCL Ded i cated Same None None Sys tem high Same Yes None Com part mented Same Yes Yes Mul ti level Dif fer ent Yes Yes

Clear ance is Same if all users must have the same se cu rity clear ances, Dif fer ent if oth er wise.

Need to Know is None if it does not ap ply and is not used or if it is used but all users have the need to know all data present on the sys tem, Yes if ac cess is lim ited by need-to-know re stric tions.

PDMCL ap plies if and when CMW im ple men ta tions are used (Yes); oth er wise, PDMCL is None.
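The per-mode requirements above and the Clearance column of Table 9.1 can be written out as an access-decision routine. This added Python example is not the book's code; the level and compartment names, and the split into an administrative log-on gate plus a per-object check enforced by the system, are assumptions:

```python
"""Access decisions under the four security modes (Table 9.1).
Added illustration, not the book's code. The level names, compartment names
and the split into a log-on gate plus a per-object check are assumptions."""
from dataclasses import dataclass
from enum import Enum

LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
Mode = Enum("Mode", "DEDICATED SYSTEM_HIGH COMPARTMENTED MULTILEVEL")


def level(name: str) -> int:
    """Map a classification name to its rank so levels can be compared."""
    return LEVELS.index(name)


@dataclass(frozen=True)
class Subject:
    clearance: int               # rank of the highest level the person is cleared for
    access_approvals: frozenset  # compartments the person is formally approved for
    need_to_know: frozenset      # compartments the person's job actually requires


@dataclass(frozen=True)
class Obj:
    sensitivity: int             # rank of the object's sensitivity label
    compartments: frozenset      # compartments stamped on the object


@dataclass(frozen=True)
class System:
    mode: Mode
    max_level: int               # highest level the system processes
    compartments: frozenset      # every compartment present on the system


def may_log_on(system: System, subject: Subject) -> bool:
    """Administrative gate: may this person be a user of the system at all?
    Clearance is 'Same' for the first three modes (everyone is cleared for the
    system's highest level); multilevel leaves the decision to the per-object check."""
    if system.mode is Mode.MULTILEVEL:
        return True
    if subject.clearance < system.max_level:            # clearance for everything
        return False
    if system.mode in (Mode.DEDICATED, Mode.SYSTEM_HIGH):
        if not system.compartments <= subject.access_approvals:   # approval for everything
            return False
    if system.mode is Mode.DEDICATED:
        if not system.compartments <= subject.need_to_know:       # need to know for everything
            return False
    return True


def may_access(system: System, subject: Subject, obj: Obj) -> bool:
    """Per-object decision: the gate plus whatever the mode leaves to hardware/software."""
    if not may_log_on(system, subject):
        return False
    approved = obj.compartments <= subject.access_approvals
    needed = obj.compartments <= subject.need_to_know
    if system.mode is Mode.DEDICATED:
        return True                    # all three requirements already hold for everything
    if system.mode is Mode.SYSTEM_HIGH:
        return needed                  # only need to know is decided per object
    if system.mode is Mode.COMPARTMENTED:
        return approved and needed     # approval and need to know are per object
    # MULTILEVEL: the subject's clearance must dominate the object's sensitivity label
    dominates = subject.clearance >= obj.sensitivity
    return dominates and approved and needed


def demo() -> dict:
    """Constructed subjects and objects; returns {mode name: {case: decision}}."""
    ts, secret = level("TOP SECRET"), level("SECRET")
    alice = Subject(ts, frozenset({"ALPHA", "BRAVO"}), frozenset({"ALPHA"}))
    bob = Subject(ts, frozenset({"ALPHA"}), frozenset({"ALPHA"}))
    carol = Subject(secret, frozenset({"ALPHA"}), frozenset({"ALPHA"}))
    bravo_doc = Obj(secret, frozenset({"BRAVO"}))
    alpha_doc = Obj(secret, frozenset({"ALPHA"}))
    alpha_ts = Obj(ts, frozenset({"ALPHA"}))
    results = {}
    for mode in Mode:
        sys_ = System(mode, ts, frozenset({"ALPHA", "BRAVO"}))
        results[mode.name] = {
            "alice_logon": may_log_on(sys_, alice),
            "bob_logon": may_log_on(sys_, bob),
            "alice_bravo": may_access(sys_, alice, bravo_doc),
            "alice_alpha": may_access(sys_, alice, alpha_doc),
            "carol_alpha": may_access(sys_, carol, alpha_doc),
            "carol_alpha_ts": may_access(sys_, carol, alpha_ts),
        }
    return results
```

In the constructed data, alice lacks need to know for BRAVO, so she cannot even log on to the dedicated system, and bob lacks approval for BRAVO, so he is turned away from the system high system but admitted to the compartmented one; carol's SECRET clearance only matters on the multilevel system, where it fails to dominate the TOP SECRET object.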

Operating Modes

Modern processors and operating systems are designed to support multiuser environments in which individual computer users might not be granted access to all components of a system or all the information stored on it. For that reason, the processor itself supports two modes of operation: user mode and privileged mode.

User Mode User mode is the basic mode used by the CPU when executing user applications. In this mode, the CPU allows the execution of only a portion of its full instruction set. This is designed to protect users from accidentally damaging the system through the execution of poorly designed code or the unintentional misuse of that code. It also protects the system and its data from a malicious user who might try to execute instructions designed to circumvent the security measures put in place by the operating system or who might mistakenly perform actions that could result in unauthorized access or damage to the system or valuable information assets.

Often processes within user mode are executed within a controlled environment called a virtual machine (VM). A virtual machine is a simulated environment created by the OS to provide a safe and efficient place for programs to execute. Each VM is isolated from all other VMs, and each VM has its own assigned memory address space that can be used by the hosted application. It is the responsibility of the elements in privileged mode (aka kernel mode) to create and support the VMs and prevent the processes in one VM from interfering with the processes in other VMs.

Privileged Mode CPUs also support privileged mode, which is designed to give the operating system access to the full range of instructions supported by the CPU. This mode goes by a number of names, and the exact terminology varies according to the CPU manufacturer. Some of the more common monikers are included in the following list:

Privileged mode

Supervisory mode

System mode

Kernel mode

No matter which term you use, the basic concept remains the same—this mode grants a wide range of permissions to the process executing on the CPU. For this reason, well-designed operating systems do not let any user applications execute in privileged mode. Only those processes that are components of the operating system itself are allowed to execute in this mode, for both security and system integrity purposes.

Don't confuse processor modes with any type of user access permissions. The fact that the high-level processor mode is sometimes called privileged or supervisory mode has no relationship to the role of a user. All user applications, including those of system administrators, run in user mode. When system administrators use system tools to make configuration changes to the system, those tools also run in user mode. When a user application needs to perform a privileged action, it passes that request to the operating system using a system call, which evaluates it and either rejects the request or approves it and executes it using a privileged mode process outside the user's control.

Memory

The second major hardware component of a system is memory, the storage bank for information that the computer needs to keep readily available. There are many different kinds of memory, each suitable for different purposes, and we'll take a look at each in the sections that follow.

Read-Only Memory

Read-only memory (ROM) works like the name implies—it's memory the PC can read but can't change (no writing allowed). The contents of a standard ROM chip are burned in at the factory, and the end user simply cannot alter it. ROM chips often contain "bootstrap" information that computers use to start up prior to loading an operating system from disk. This includes the familiar power-on self-test (POST) series of diagnostics that run each time you boot a PC.

ROM's primary advantage is that it can't be modified. There is no chance that user or administrator error will accidentally wipe out or modify the contents of such a chip. This attribute makes ROM extremely desirable for orchestrating a computer's innermost workings.

There is a type of ROM that may be altered by administrators to some extent. It is known as programmable read-only memory (PROM), and its several subtypes are described next:

Programmable Read-Only Memory (PROM) A basic programmable read-only memory (PROM) chip is similar to a ROM chip in functionality, but with one exception. During the manufacturing process, a PROM chip's contents aren't "burned in" at the factory as with standard ROM chips. Instead, a PROM incorporates special functionality that allows an end user to burn in the chip's contents later. However, the burning process has a similar outcome—once data is written to a PROM chip, no further changes are possible. After it's burned in, a PROM chip essentially functions like a ROM chip.

PROM chips provide software developers with an opportunity to store information permanently on a high-speed, customized memory chip. PROMs are commonly used for hardware applications where some custom functionality is necessary but seldom changes once programmed.

Erasable Programmable Read-Only Memory (EPROM) Combine the relatively high cost of PROM chips and software developers' inevitable desires to tinker with their code once it's written and you have the rationale that led to the development of erasable PROM (EPROM). There are two main subcategories of EPROM, namely UVEPROM and EEPROM (see next item). Ultraviolet EPROMs (UVEPROMs) can be erased with a light. These chips have a small window that, when illuminated with a special ultraviolet light, causes the contents of the chip to be erased. After this process is complete, end users can burn new information into the UVEPROM as if it had never been programmed before.

Electronically Erasable Programmable Read-Only Memory (EEPROM) A more flexible, friendly alternative to UVEPROM is electronically erasable PROM (EEPROM), which uses electric voltages delivered to the pins of the chip to force erasure.

Flash Memory Flash memory is a derivative concept from EEPROM. It is a nonvolatile form of storage media that can be electronically erased and rewritten. The primary difference between EEPROM and flash memory is that EEPROM must be fully erased to be rewritten whereas flash memory can be erased and written in blocks or pages. The most common type of flash memory is NAND flash. It is widely used in memory cards, thumb drives, mobile devices, and SSD (solid-state drives).

Random Access Memory

Random access memory (RAM) is readable and writable memory that contains information a computer uses during processing. RAM retains its contents only when power is continuously supplied to it. Unlike with ROM, when a computer is powered off, all data stored in RAM disappears. For this reason, RAM is useful only for temporary storage. Critical data should never be stored solely in RAM; a backup copy should always be kept on another storage device to prevent its disappearance in the event of a sudden loss of electrical power. The following are types of RAM:

Real Memory Real memory (also known as main memory or primary memory) is typically the largest RAM storage resource available to a computer. It is normally composed of a number of dynamic RAM chips and, therefore, must be refreshed by the CPU on a periodic basis (see the sidebar "Dynamic vs. Static RAM" for more information on this subject).

Cache RAM Computer systems contain a number of caches that improve performance by taking data from slower devices and temporarily storing it in faster devices when repeated use is likely; this is cache RAM. The processor normally contains an onboard cache of extremely fast memory used to hold data on which it will operate. This can be referred to as L1, L2, L3, and even L4 cache (with the L being short for level). Many modern CPUs include up to three levels of on-chip cache, with some caches (usually L1 and/or L2) dedicated to a single processor core, while L3 may be a shared cache between cores. Some CPUs can involve L4 cache which may be located on the mainboard/motherboard or on the GPU (graphics processing unit). Likewise, real memory often contains a cache of information stored on magnetic media or SSD. This chain continues down through the memory/storage hierarchy to enable computers to improve performance by keeping data that's likely to be used next closer at hand (be it for CPU instructions, data fetches, file access, or what have you).

Many peripherals also include onboard caches to reduce the storage burden they place on the CPU and operating system. For example, many higher-end printers include large RAM caches so that the operating system can quickly spool an entire job to the printer. After that, the processor can forget about the print job; it won't be forced to wait for the printer to actually produce the requested output, spoon-feeding it chunks of data one at a time. The printer can preprocess information from its onboard cache, thereby freeing the CPU and operating system to work on other tasks. Many storage devices, such as hard disc drive (HDD), solid-state drive (SSD), and some thumb drives contain caches to assist with improving read and write speed. However, these caches must be flushed to the permanent or secondary storage area before disconnection or power loss in order to avoid data loss of cache resident data.

Dynamic vs. Static RAM

There are two main types of RAM: dynamic RAM and static RAM. Most computers contain a combination of both types and use them for different purposes.

To store data, dynamic RAM uses a series of capacitors, tiny electrical devices that hold a charge. These capacitors either hold a charge (representing a 1 bit in memory) or do not hold a charge (representing a 0 bit). However, because capacitors naturally lose their charges over time, the CPU must spend time refreshing the contents of dynamic RAM to ensure that 1 bits don't unintentionally change to 0 bits, thereby altering memory contents.

Static RAM uses more sophisticated technology—a logical device known as a flip-flop, which to all intents and purposes is simply an on/off switch that must be moved from one position to another to change a 0 to 1 or vice versa. More important, static memory maintains its contents unaltered as long as power is supplied and imposes no CPU overhead for periodic refresh operations.

Dynamic RAM is cheaper than static RAM because capacitors are cheaper than flip-flops. However, static RAM runs much faster than dynamic RAM. This creates a trade-off for system designers, who combine static and dynamic RAM modules to strike the right balance of cost versus performance.

Registers

The CPU also includes a limited amount of onboard memory, known as registers, that provide it with directly accessible memory locations that the brain of the CPU, the arithmetic-logical unit (ALU), uses when performing calculations or processing instructions. In fact, any data that the ALU is to manipulate must be loaded into a register unless it is directly supplied as part of the instruction. The main advantage of this type of memory is that it is part of the ALU itself and, therefore, operates in lockstep with the CPU at typical CPU speeds.

Memory Addressing

When using memory resources, the processor must have some means of referring to various locations in memory. The solution to this problem is known as addressing, and there are several different addressing schemes used in various circumstances. The following are five of the more common addressing schemes:

Register Addressing As you learned in the previous section, registers are small memory locations directly in the CPU. When the CPU needs information from one of its registers to complete an operation, it uses a register address (for example, "register 1") to access its contents.

Immediate Addressing Immediate addressing is not a memory addressing scheme per se but rather a way of referring to data that is supplied to the CPU as part of an instruction. For example, the CPU might process the command "Add 2 to the value in register 1." This command uses two addressing schemes. The first is immediate addressing—the CPU is being told to add the value 2 and does not need to retrieve that value from a memory location—it's supplied as part of the command. The second is register addressing; it's instructed to retrieve the value from register 1.

Direct Addressing In direct addressing, the CPU is provided with an actual address of the memory location to access. The address must be located on the same memory page as the instruction being executed. Direct addressing is more flexible than immediate addressing since the contents of the memory location can be changed more readily than reprogramming the immediate addressing's hard-coded data.

Indirect Addressing Indirect addressing uses a scheme similar to direct addressing. However, the memory address supplied to the CPU as part of the instruction doesn't contain the actual value that the CPU is to use as an operand. Instead, the memory address contains another memory address (perhaps located on a different page). The CPU reads the indirect address to learn the address where the desired data resides and then retrieves the actual operand from that address.

Base+Offset Addressing Base+offset addressing uses a value stored in one of the CPU's registers as the base location from which to begin counting. The CPU then adds the offset supplied with the instruction to that base address and retrieves the operand from that computed memory location.
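The five schemes can be shown side by side on a toy CPU, including the same-page restriction on direct addressing. This added Python example is not the book's code; the word-addressed memory, the 16-word pages and the (scheme, ...) operand tuples are assumptions:

```python
"""Operand resolution for the five addressing schemes described above.
Added illustration, not the book's code; the word-addressed memory, the
16-word page size and the (scheme, ...) operand tuples are assumptions."""
from dataclasses import dataclass, field

PAGE_SIZE = 16  # assumption: 16 words per memory page


def page_of(addr: int) -> int:
    return addr // PAGE_SIZE


@dataclass
class Cpu:
    regs: list = field(default_factory=lambda: [0] * 4)   # "register 0" .. "register 3"
    mem: list = field(default_factory=lambda: [0] * 64)   # 64 words = 4 pages
    pc: int = 0  # address of the instruction being executed

    def can_direct(self, addr: int) -> bool:
        """Direct addressing only reaches the page the current instruction is on."""
        return 0 <= addr < len(self.mem) and page_of(addr) == page_of(self.pc)

    def fetch_operand(self, spec: tuple) -> int:
        """Resolve an operand written as (scheme, ...) to the value the ALU gets."""
        kind, *args = spec
        if kind == "imm":                # immediate: the value is in the instruction
            return args[0]
        if kind == "reg":                # register: ("reg", 1) means "register 1"
            return self.regs[args[0]]
        if kind == "direct":             # direct: the actual address of the operand
            addr = args[0]
            if not self.can_direct(addr):
                raise ValueError(f"direct operand {addr} is not on page {page_of(self.pc)}")
            return self.mem[addr]
        if kind == "indirect":           # indirect: the address holds another address
            pointer = self.mem[args[0]]  # the pointer's target may be on any page
            return self.mem[pointer]
        if kind == "base+off":           # base+offset: register value plus an offset
            base_reg, offset = args
            return self.mem[self.regs[base_reg] + offset]
        raise ValueError(f"unknown addressing scheme {kind!r}")

    def add(self, dest_reg: int, spec: tuple) -> int:
        """ADD dest, operand; add(1, ("imm", 2)) is "Add 2 to the value in register 1"."""
        self.regs[dest_reg] += self.fetch_operand(spec)
        return self.regs[dest_reg]


def demo_cpu() -> Cpu:
    """Constructed state: pc on page 0, two registers and a few memory words set."""
    cpu = Cpu()
    cpu.regs[1], cpu.regs[2] = 10, 30
    cpu.mem[5] = 7     # page 0: reachable by direct addressing from pc = 0
    cpu.mem[6] = 40    # page 0: a pointer into page 2
    cpu.mem[40] = 9    # page 2: reachable from pc = 0 only through the pointer at mem[6]
    cpu.mem[33] = 11   # page 2: regs[2] + 3, reachable via base+offset
    return cpu
```

Starting from demo_cpu(), the chain add(1, ("imm", 2)), ("reg", 2), ("direct", 5), ("indirect", 6), ("base+off", 2, 3) leaves register 1 at 12, 42, 49, 58 and 69 in turn, while ("direct", 33) is rejected because word 33 is on page 2 and the instruction is on page 0.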

Sec ondary Mem ory

Sec ondary mem ory is a term com monly used to re fer to mag netic, op ti cal, or flash-based me dia or other stor age de vices that con tain data not im me di ately avail able to the CPU. For the CPU to ac cess data in sec ondary mem ory, the data must first be read by the op er at ing sys tem and stored in real mem ory. How ever, sec ondary mem ory is much more in ex pen sive than pri mary mem ory and can be used to store mas sive

246

amounts of in for ma tion. In this con text, hard disks, flash drives, and op ti cal me dia such as com pact discs (CDs), dig i tal ver sa tile discs (DVDs), and Blu-ray discs can all func tion as sec ondary mem ory.

Vir tual mem ory is a spe cial type of sec ondary mem ory that the op er at ing sys tem man ages to make look and act just like real mem ory. The most com mon type of vir tual mem ory is the page file that most op er at ing sys tems man age as part of their mem ory man age ment func tions. This spe cially for mat ted file con tains data pre vi ously stored in mem ory but not re cently used. When the op er at ing sys tem needs to ac cess ad dresses stored in the page file, it checks to see whether the page is mem ory-res i dent (in which case it can ac cess it im me di ately) or whether it has been swapped to disk, in which case it reads the data from disk back into real mem ory (this process is called pag ing).

Us ing vir tual mem ory is an in ex pen sive way to make a com puter op er ate as if it had more real mem ory than is phys i cally in stalled. Its ma jor draw back is that the pag ing op er a tions that oc cur when data is ex changed be tween pri mary and sec ondary mem ory are rel a tively slow (mem ory func tions in nanosec onds, disk sys tems in mi crosec onds; usu ally, this means three or ders of mag ni tude dif fer ence!) and con sume sig nif i cant com puter over head, slow ing down the en tire sys tem. The need for vir tual mem ory is re duced with larger banks of ac tual phys i cal RAM, and the per for mance hit of vir tual mem ory can be re duced by us ing a flash card or an SSD to host the vir tual mem ory pag ing file.

Mem ory Se cu rity Is sues

Mem ory stores and pro cesses your data—some of which may be ex tremely sen si tive. It’s es sen tial that you un der stand the var i ous types of mem ory and know how they store and re tain data. Any mem ory de vices that may re tain sen si tive data should be purged be fore they are al lowed to leave your or ga ni za tion for any rea son. This is es pe cially true for sec ondary mem ory and ROM/PROM/EPROM/EEP ROM de vices de signed to re tain data even af ter the power is turned off.

How ever, mem ory data re ten tion is sues are not lim ited to those types of mem ory de signed to re tain data. Re mem ber that static and dy namic RAM chips store data through the use of ca pac i tors and flip-flops (see the side bar “Dy namic vs. Static RAM”). It is tech ni cally pos si ble that those elec tri cal com po nents could re tain some of their charge for a lim ited pe riod of time af ter power is turned off. A tech ni cally so phis ti cated in di vid ual could the o ret i cally take elec tri cal mea sure ments of those com po nents and re trieve por tions of the data stored on such de vices. How ever, this re quires a good deal of tech ni cal ex per tise and is not a likely threat un less you have ad ver saries with mind-bog glingly deep pock ets.

There is an at tack that freezes mem ory chips to de lay the de cay of res i dent data when the sys tem is turned off or the RAM is pulled out of the moth er board. See http://en.wikipedia.org/wiki/Cold_ boot_at tack. There are even at tacks that fo cus on mem ory im age dumps or sys tem crash dumps to ex tract en cryp tion keys. See www.lost pass word.com/hdd-de cryp tion.htm.

One of the most im por tant se cu rity is sues sur round ing mem ory is con trol ling who may ac cess data stored in mem ory while a com puter is in use. This is pri mar ily the re spon si bil ity of the op er at ing sys tem and is the main mem ory se cu rity is sue un der ly ing the var i ous pro cess ing modes de scribed in pre vi ous sec tions in this chap ter. In the sec tion “Es sen tial Se cu rity Pro tec tion Mech a nisms” later in this chap ter, you’ll learn how the prin ci ple of process iso la tion can be used to en sure that pro cesses don’t have ac cess to read or write to mem ory spa ces not al lo cated to them. If you’re op er at ing in a mul ti level se cu rity en vi ron ment, it’s es pe cially im por tant to en sure that ad e quate pro tec tions are in place to pre vent the un wanted leak age of mem ory con tents be tween se cu rity lev els, through ei ther di rect mem ory ac cess or covert chan nels (a full dis cus sion of covert chan nels ap pears later in this chap ter).

Stor age

Data stor age de vices make up the third class of com puter sys tem com po nents we’ll dis cuss. These de vices are used to store in for ma tion that may be used by a com puter any time af ter it’s writ ten. We’ll first ex am ine a few com mon terms that re late to stor age de vices and then cover some of the se cu rity is sues re lated to data stor age.

Pri mary vs. Sec ondary

The con cepts of pri mary and sec ondary stor age can be some what con fus ing, es pe cially when com pared to pri mary and sec ondary mem ory. There’s an easy way to keep it straight—they’re the same thing! Pri mary mem ory, also known as pri mary stor age, is the RAM that a com puter uses to keep nec es sary in for ma tion read ily avail able to the CPU while the com puter is run ning. Sec ondary mem ory (or sec ondary stor age) in cludes all the fa mil iar long-term stor age de vices that you use ev ery day. Sec ondary stor age con sists of mag netic and op ti cal me dia such as HDD, SSDs, flash drives, mag netic tapes, CDs, DVDs, flash mem ory cards, and the like.

Volatile vs. Non volatile

247

You’re al ready fa mil iar with the con cept of volatil ity from our dis cus sion of mem ory, al though you may not have heard it de scribed us ing that term be fore. The volatil ity of a stor age de vice is sim ply a mea sure of how likely it is to lose its data when power is turned off. De vices de signed to re tain their data (such as mag netic me dia) are clas si fied as non volatile, whereas de vices such as static or dy namic RAM mod ules, which are de signed to lose their data, are clas si fied as volatile. Re call from the dis cus sion in the pre vi ous sec tion that so phis ti cated tech nol ogy may some times be able to ex tract data from volatile mem ory af ter power is re moved, so the lines be tween the two may some times be blurry.

Ran dom vs. Se quen tial

Stor age de vices may be ac cessed in one of two fash ions. Ran dom ac cess stor age de vices al low an op er at ing sys tem to read (and some times write) im me di ately from any point within the de vice by us ing some type of ad dress ing sys tem. Al most all pri mary stor age de vices are ran dom ac cess de vices. You can use a mem ory ad dress to ac cess in for ma tion stored at any point within a RAM chip with out read ing the data that is phys i cally stored be fore it. Most sec ondary stor age de vices are also ran dom ac cess. For ex am ple, hard drives use a mov able head sys tem that al lows you to move di rectly to any point on the disk with out spin ning past all the data stored on pre vi ous tracks; like wise, CD and DVD de vices use an op ti cal scan ner that can po si tion it self any where on the plat ter sur face.

Se quen tial stor age de vices, on the other hand, do not pro vide this flex i bil ity. They re quire that you read (or speed past) all the data phys i cally stored prior to the de sired lo ca tion. A com mon ex am ple of a se quen tial stor age de vice is a mag netic tape drive. To pro vide ac cess to data stored in the mid dle of a tape, the tape drive must phys i cally scan through the en tire tape (even if it’s not nec es sar ily pro cess ing the data that it passes in fast-for ward mode) un til it reaches the de sired point.

Ob vi ously, se quen tial stor age de vices op er ate much slower than ran dom ac cess stor age de vices. How ever, here again you’re faced with a cost/ben e fit de ci sion. Many se quen tial stor age de vices can hold mas sive amounts of data on rel a tively in ex pen sive me dia. This prop erty makes tape drives uniquely suited for backup tasks as so ci ated with a dis as ter re cov ery/busi ness con ti nu ity plan (see Chap ter 3, “Busi ness Con ti nu ity Plan ning,” and Chap ter 18, “Dis as ter Re cov ery Plan ning”). In a backup sit u a tion, you of ten have ex tremely large amounts of data that need to be stored, and you in fre quently need to ac cess that stored in for ma tion. The sit u a tion just begs for a se quen tial stor age de vice!

Stor age Me dia Se cu rity

We dis cussed the se cu rity prob lems that sur round pri mary stor age de vices in the pre vi ous sec tion. There are three main con cerns when it comes to the se cu rity of sec ondary stor age de vices; all of them mir ror con cerns raised for pri mary stor age de vices:

Data may remain on secondary storage devices even after it has been erased. This condition is known as data remanence. Most technically savvy computer users know that utilities are available that can retrieve files from a disk even after they have been deleted. It's also technically possible to retrieve data from a disk that has been reformatted. If you truly want to remove data from a secondary storage device, you must use a specialized utility designed to destroy all traces of data on the device or damage or destroy it beyond possible repair (commonly called sanitizing).

SSDs present a unique problem in relation to sanitization. SSD wear leveling means that there are often blocks of data that are not marked as "live" but that hold a copy of the data when it was copied off to lower wear leveled blocks. This means that a traditional zero wipe is ineffective as a data security measure for SSDs.

Secondary storage devices are also prone to theft. Economic loss is not the major factor (after all, how much does a backup tape or a hard drive cost?), but the loss of confidential information poses great risks. If someone copies your trade secrets onto a removable media disc and walks out the door with it, it's worth a lot more than the cost of the disc itself. For this reason, it is important to use full disk encryption to reduce the risk of an unauthorized entity gaining access to your data. It is good security practice to encrypt SSDs prior to storing any data on them due to their wear leveling technology. This will minimize the chance of any plaintext data residing in dormant blocks. Fortunately, many HDD and SSD devices offer on-device native encryption.

Access to data stored on secondary storage devices is one of the most critical issues facing computer security professionals. For hard disks, data can often be protected through a combination of operating system access controls. Removable media pose a greater challenge, so securing them often requires encryption technologies.

As availability is also part of the security triad, it is essential to choose media that will retain data for the length of the time required. For instance, a backup tape might degrade before the retention period of the data terminates. Also, the technology used for secondary storage might become obsolete, making it difficult to restore/read the data.


Input and Output Devices

Input and output devices are often seen as basic, primitive peripherals and usually don't receive much attention until they stop working properly. However, even these basic devices can present security risks to a system. Security professionals should be aware of these risks and ensure that appropriate controls are in place to mitigate them. The next four sections examine some of the risks posed by specific input and output devices.

Monitors

Monitors seem fairly innocuous. After all, they simply display the data presented by the operating system. When you turn them off, the data disappears from the screen and can't be recovered. However, technology from a program known as TEMPEST can compromise the security of data displayed on a monitor. Generally, cathode ray tube (CRT) monitors are more prone to radiate significantly, whereas liquid crystal display (LCD) monitors leak much less (some claim not enough to reveal critical data).

TEMPEST is a technology that allows the electronic emanations that every monitor produces (known as Van Eck radiation) to be read from a distance (this process is known as Van Eck phreaking) and even from another location. The technology is also used to protect against such activity. Various demonstrations have shown that you can easily read the screens of monitors inside an office building using gear housed in a van parked outside on the street. Unfortunately, the protective controls required to prevent Van Eck radiation (lots and lots of copper!) are expensive to implement and cumbersome to use. It is arguable that the biggest risk with any monitor is still shoulder surfing or telephoto lenses on cameras. The concept that someone can see what is on your screen with their eyes or a video camera is known as shoulder surfing. Don't forget shoulder surfing is a concern for desktop displays, notebook displays, tablets, and mobile phones.

Printers

Printers also may represent a security risk, albeit a simpler one. Depending on the physical security controls used at your organization, it may be much easier to walk out with sensitive information in printed form than to walk out with a flash drive or magnetic media. If printers are shared, users may forget to retrieve their sensitive printouts, leaving them vulnerable to prying eyes. Many modern printers also store data locally, often on a hard drive, and some retain copies of printouts indefinitely. Printers are usually exposed on the network for convenient access and are often not designed to be secure systems. But there are numerous configuration settings that may be available depending on the printer model that can provide some reasonable level of secure network printing services. These can include encrypted data transfer and authentication before printer interaction. These are all issues that are best addressed by an organization's security policy.

Keyboards/Mice

Keyboards, mice, and similar input devices are not immune to security vulnerabilities either. All of these devices are vulnerable to TEMPEST monitoring. Also, keyboards are vulnerable to less sophisticated bugging. A simple device can be placed inside a keyboard or along its connection cable to intercept all the keystrokes that take place and transmit them to a remote receiver using a radio signal. This has the same effect as TEMPEST monitoring but can be done with much less expensive gear. Additionally, if your keyboard and mouse are wireless, including Bluetooth, their radio signals can be intercepted.

Modems

With the advent of ubiquitous broadband and wireless connectivity, modems are becoming a scarce legacy computer component. If your organization is still using older equipment, there is a chance that a modem is part of the hardware configuration. The presence of a modem on a user system is often one of the greatest woes of a security administrator. Modems allow users to create uncontrolled access points into your network. In the worst case, if improperly configured, they can create extremely serious security vulnerabilities that allow an outsider to bypass all your perimeter protection mechanisms and directly access your network resources. At best, they create an alternate egress channel that insiders can use to funnel data outside your organization. But keep in mind, these vulnerabilities can only be exploited if the modem is connected to an operational telephone landline.

You should seriously consider an outright ban on modems in your organization's security policy unless you truly need them for business reasons. In those cases, security officials should know the physical and logical locations of all modems on the network, ensure that they are correctly configured, and make certain that appropriate protective measures are in place to prevent their illegitimate use.

Firmware

Firmware (also known as microcode in some circles) is a term used to describe software that is stored in a ROM chip. This type of software is changed infrequently (actually, never, if it's stored on a true ROM chip as opposed to an EPROM/EEPROM) and often drives the basic operation of a computing device. There are two types of firmware: BIOS on a motherboard and general internal and external device firmware.


BIOS and UEFI

The basic input/output system (BIOS) contains the operating system–independent primitive instructions that a computer needs to start up and load the operating system from disk. The BIOS is contained in a firmware device that is accessed immediately by the computer at boot time. In most computers, the BIOS is stored on an EEPROM chip to facilitate version updates. The process of updating the BIOS is known as "flashing the BIOS."

There have been a few examples of malicious code embedding itself into BIOS/firmware. There is also an attack known as phlashing, in which a malicious variation of official BIOS or firmware is installed that introduces remote control or other malicious features into a device.

Since 2011, most system manufacturers have replaced the traditional BIOS system on their motherboards with Unified Extensible Firmware Interface (UEFI). UEFI is a more advanced interface between hardware and the operating system, which maintains support for legacy BIOS services.

Device Firmware

Many hardware devices, such as printers and modems, also need some limited processing power to complete their tasks while minimizing the burden placed on the operating system itself. In many cases, these "mini" operating systems are entirely contained in firmware chips on board the devices they serve. As with a computer's BIOS, device firmware is frequently stored on an EEPROM device so it can be updated as necessary.

Client-Based Systems

Client-based vulnerabilities place the user, their data, and their system at risk of compromise and destruction. A client-side attack is any attack that is able to harm a client. Generally, when attacks are discussed, it's assumed that the primary target is a server or a server-side component. A client-side or client-focused attack is one where the client itself, or a process on the client, is the target. A common example of a client-side attack is a malicious website that transfers malicious mobile code (such as an applet) to a vulnerable browser running on the client. Client-side attacks can occur over any communications protocol, not just Hypertext Transfer Protocol (HTTP). Another potential vulnerability that is client based is the risk of poisoning of local caches.

Applets

Recall that agents are code objects sent from a user's system to query and process data stored on remote systems. Applets perform the opposite function; these code objects are sent from a server to a client to perform some action. In fact, applets are actually self-contained miniature programs that execute independently of the server that sent them. The arena of the World Wide Web is undergoing constant flux. The use of applets is not as common today as it was in the early 2010s. However, applets are not absent from the Web, and most browsers still support them (or still have add-ons present that support them). Thus, even when your organization does not use applets in your internal or public web design, your web browsers could encounter them while surfing the public Web.

Imagine a web server that offers a variety of financial tools to web users. One of these tools might be a mortgage calculator that processes a user's financial information and provides a monthly mortgage payment based on the loan's principal and term and the borrower's credit information. Instead of processing this data and returning the results to the client system, the remote web server might send to the local system an applet that enables it to perform those calculations itself. This provides a number of benefits to both the remote server and the end user:

The processing burden is shifted to the client, freeing up resources on the web server to process requests from more users.

The client is able to produce data using local resources rather than waiting for a response from the remote server. In many cases, this results in a quicker response to changes in the input data.

In a properly programmed applet, the web server does not receive any data provided to the applet as input, therefore maintaining the security and privacy of the user's financial data.

However, just as with agents, applets introduce a number of security concerns. They allow a remote system to send code to the local system for execution. Security administrators must take steps to ensure that code sent to systems on their network is safe and properly screened for malicious activity. Also, unless the code is analyzed line by line, the end user can never be certain that the applet doesn't contain a Trojan horse component. For example, the mortgage calculator might indeed transmit sensitive financial information to the web server without the end user's knowledge or consent.

Two historical examples of applet types are Java applets and ActiveX controls.


Java Applets

Java is a platform-independent programming language developed by Sun Microsystems (now owned by Oracle). Java is largely superseded by modern applications, and it is no longer supported directly in most browsers. However, you should still have a basic understanding of Java as it may still be in use internally or supported in the specific browser implemented by your organization. While modern web design has moved away from Java, this does not mean Java has been scrubbed off the internet. Most programming languages use compilers that produce applications custom-tailored to run under a specific operating system. This requires the use of multiple compilers to produce different versions of a single application for each platform it must support. Java overcomes this limitation by inserting the Java Virtual Machine (JVM) into the picture. Each system that runs Java code downloads the version of the JVM supported by its operating system. The JVM then takes the Java code and translates it into a format executable by that specific system. The great benefit of this arrangement is that code can be shared between operating systems without modification. Java applets are simply short Java programs transmitted over the internet to perform operations on a remote system.

Security was of paramount concern during the design of the Java platform, and Sun's development team created the "sandbox" concept to place privilege restrictions on Java code. The sandbox isolates Java code objects from the rest of the operating system and enforces strict rules about the resources those objects can access. For example, the sandbox would prohibit a Java applet from retrieving information from areas of memory not specifically allocated to it, preventing the applet from stealing that information. Unfortunately, while sandboxing reduces the forms of malicious events that can be launched via Java, there are still plenty of other vulnerabilities that have been widely exploited.

ActiveX Controls

ActiveX controls were Microsoft's answer to Sun's Java applets. They operate in a similar fashion, but they are implemented using a variety of languages, including Visual Basic, C, C++, and Java. There are two key distinctions between Java applets and ActiveX controls. First, ActiveX controls use proprietary Microsoft technology and, therefore, can execute only on systems running Microsoft browsers. Second, ActiveX controls are not subject to the sandbox restrictions placed on Java applets. They have full access to the Windows operating environment and can perform a number of privileged actions. Therefore, you must take special precautions when deciding which ActiveX controls to download and execute. Some security administrators have taken the somewhat harsh position of prohibiting the download of any ActiveX content from all but a select handful of trusted sites.

ActiveX is still supported by Internet Explorer 11, but Microsoft's latest browser, Edge, released with Windows 10, does not include support for ActiveX. This signals that Microsoft is phasing out ActiveX.

Local Caches

A local cache is anything that is temporarily stored on the client for future reuse. There are many local caches on a typical client, including Address Resolution Protocol (ARP) cache, Domain Name System (DNS) cache, and internet files cache. ARP cache poisoning is caused by an attacker responding to ARP broadcast queries in order to send back falsified replies. If the false reply is received by the client before the valid reply, then the false reply is used to populate the ARP cache and the valid reply is discarded as being outside an open query. The dynamic content of ARP cache, whether poisoned or legitimate, will remain in cache until a timeout occurs (which is usually under 10 minutes). ARP is used to resolve an Internet Protocol (IP) address into the appropriate MAC address in order to craft the Ethernet header for data transmission. Once an IP-to-MAC mapping falls out of cache, then the attacker gains another opportunity to poison the ARP cache when the client re-performs the ARP broadcast query.

A second form of ARP cache poisoning is to create static ARP entries. This is done via the ARP command and must be done locally. But this is easily accomplished through a script that gets executed on the client through either a Trojan horse, buffer overflow, or social engineering attack. Static ARP entries are permanent, even across system reboots. Once ARP poisoning has occurred, whether against a permanent entry or a dynamic one, the traffic transmitted from the client will be sent to a different system than intended. This is due to having the wrong or a different hardware address (that is, the MAC address) associated with an IP address. ARP cache poisoning or just ARP poisoning is one means of setting up a man-in-the-middle attack.

Another popular means of performing a man-in-the-middle attack is through DNS cache poisoning. Similar to ARP cache, once a client receives a response from DNS, that response will be cached for future use. If false information can be fed into the DNS cache, then misdirecting communications is trivially easy. There are many means of performing DNS cache poisoning, including HOSTS poisoning, authorized DNS server attacks, caching DNS server attacks, DNS lookup address changing, and DNS query spoofing.

The HOSTS file is the static file found on Transmission Control Protocol/Internet Protocol (TCP/IP) supporting systems that contains hard-coded references for domain names and their associated IP addresses. The HOSTS file was used prior to the dynamic query–based DNS system of today, but it serves as a fallback measure or a means to force resolution. Administrators or hackers can add content to the HOSTS file that sets up a relationship between a FQDN (fully qualified domain name) and the IP address of choice. If an attacker is able to plant false information into the HOSTS file, then when the system boots the contents of the HOSTS file will be read into memory where they will take precedence. Unlike dynamic queries, which eventually time out and expire from cache, entries from the HOSTS file are permanent.

Authorized DNS server attacks aim at altering the primary record of a FQDN on its original host system, the primary authoritative DNS server. The primary authoritative DNS server hosts the zone file or domain database. If this original dataset is altered, then eventually those changes will propagate across the entire internet. However, an attack on an authoritative DNS server typically gets noticed very quickly, so this rarely results in widespread exploitation. So, most attackers focus on caching DNS servers instead. A caching DNS server is any DNS system deployed to cache DNS information from other DNS servers. Most companies and ISPs provide a caching DNS server for their users. The content hosted on a caching DNS server is not being watched by the worldwide security community, just the local operators. Thus, an attack against a caching DNS server can potentially occur without notice for a significant period of time. For detailed information on how caching DNS server attacks can occur, see "An Illustrated Guide to the Kaminsky DNS Vulnerability" at http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html. Although both of these attacks focus on DNS servers, they ultimately affect clients. Once a client has performed a dynamic DNS resolution, the information received from an authoritative DNS server or a caching DNS server will be temporarily stored in the client's local DNS cache. If that information is false, then the client's DNS cache has been poisoned.

A fourth example of DNS poisoning focuses on sending an alternate IP address to the client to be used as the DNS server the client uses for resolving queries. The DNS server address is typically distributed to clients through Dynamic Host Control Protocol (DHCP) but it can also be assigned statically. Even if all of the other elements of IP configuration have been assigned by DHCP, a local alteration can easily statically assign a DNS server address. Attacks to alter a client's DNS server lookup address can be performed through a script (similar to the ARP attack mentioned earlier) or by compromising DHCP. Once the client has the wrong DNS server, they will be sending their queries to a hacker-controlled DNS server, which will respond with poisoned results.

A fifth example of DNS poisoning is that of DNS query spoofing. This attack occurs when the hacker is able to eavesdrop on a client's query to a DNS server. The attacker then sends back a reply with false information. If the client accepts the false reply, they will put that information in their local DNS cache. When the real reply arrives, it will be discarded since the original query will have already been answered. No matter which of these five means of DNS attack is performed, false entries will be present in the local DNS cache of the client. Thus, all of the IP communications will be sent to the wrong endpoint. This allows the hacker to set up a man-in-the-middle attack by operating that false endpoint and then forwarding traffic on to the correct destination.

A third area of concern in regard to local cache is that of the temporary internet files or the internet files cache. This is the temporary storage of files downloaded from internet sites that are being held by the client's utility for current and possibly future use. Mostly this cache contains website content, but other internet services can use a file cache as well. A variety of exploitations, such as the split-response attack, can cause the client to download content and store it in the cache that was not an intended element of a requested web page. Mobile code scripting attacks could also be used to plant false content in the cache. Once files have been poisoned in the cache, then even when a legitimate web document calls on a cached item, the malicious item will be activated.

Mitigating or resolving these attacks is not always simple or straightforward. There is not an easy patch or update that will prevent these exploits from being waged against a client. This is due to the fact that these attacks take advantage of the normal and proper mechanisms built into various protocols, services, and applications. Thus, instead of a patch to fix a flaw, the defense is more of a detective and preventive concern. Generally as a start, keep operating systems and applications current with patches from their respective vendors. Next, install both host-IDS and network-IDS tools to watch for abuses of these types. Regularly review the logs of your DNS and DHCP systems, as well as local client system logs and potentially firewall, switch, and router logs for entries indicating abnormal or questionable occurrences.
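The detective side of that defense, for the ARP, DNS query-spoofing and HOSTS poisoning patterns described above, as an added example that is not code from the CISSP text: the observations it examines are constructed to look like host-IDS/network-IDS records, and their field names are assumptions of the example.

```python
"""Detective checks for the local-cache poisoning patterns described above.
Added example, not from the CISSP text: the event records are constructed
to resemble host-IDS/network-IDS observations and their field names
(ts, ip, mac, static, qid, qname, src, answer) are assumptions."""

# Dynamic ARP entries usually expire in under 10 minutes (see the text);
# an IP whose MAC changes well inside that window deserves an alert.
ARP_TIMEOUT_SECONDS = 600


def detect_arp_anomalies(events):
    """events: ARP replies or cache snapshots in time order, each a dict
    with ts (seconds), ip, mac and static (bool). Returns alert strings."""
    alerts = []
    last_seen = {}  # ip -> (ts, mac)
    for ev in events:
        ip, mac, ts = ev["ip"], ev["mac"].lower(), ev["ts"]
        if ev.get("static"):
            # Static entries survive reboots, so every creation is reviewed.
            alerts.append(f"static ARP entry added: {ip} -> {mac}")
        if ip in last_seen:
            prev_ts, prev_mac = last_seen[ip]
            if prev_mac != mac and ts - prev_ts < ARP_TIMEOUT_SECONDS:
                alerts.append(f"ARP mapping for {ip} changed {prev_mac} -> {mac} "
                              f"after {ts - prev_ts}s, inside the cache lifetime")
        last_seen[ip] = (ts, mac)
    return alerts


def detect_dns_spoofing(responses):
    """responses: DNS answers seen on the wire, each a dict with qid, qname,
    src (responder address) and answer. A second reply for a (qid, qname)
    that disagrees with the first is the query-spoofing pattern: the client
    keeps whichever reply arrived first and drops the other."""
    alerts = []
    first_reply = {}
    for r in responses:
        key = (r["qid"], r["qname"])
        if key not in first_reply:
            first_reply[key] = r
            continue
        f = first_reply[key]
        if f["answer"] != r["answer"] or f["src"] != r["src"]:
            alerts.append(f"duplicate DNS reply for {r['qname']} (id {r['qid']:#x}): "
                          f"{f['answer']} from {f['src']} then {r['answer']} from {r['src']}")
    return alerts


def suspicious_hosts_entries(hosts_text, loopback_names=("localhost",)):
    """Return (address, names) for HOSTS lines that pin a non-loopback name.
    HOSTS entries never expire and take precedence over DNS answers, so
    each one outside the loopback defaults should be justified."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("127.0.0.1", "::1") and all(n in loopback_names for n in names):
            continue
        flagged.append((addr, names))
    return flagged


# Constructed sample observations (not real captures).
ARP_EVENTS = [
    {"ts": 0, "ip": "10.0.0.1", "mac": "00:11:22:33:44:55", "static": False},
    {"ts": 45, "ip": "10.0.0.1", "mac": "66:77:88:99:AA:BB", "static": False},   # gateway MAC flips
    {"ts": 50, "ip": "10.0.0.20", "mac": "de:ad:be:ef:00:01", "static": True},   # scripted static entry
    {"ts": 900, "ip": "10.0.0.1", "mac": "00:11:22:33:44:55", "static": False},  # past timeout: normal
]
DNS_RESPONSES = [
    {"qid": 0x1A2B, "qname": "intranet.example.com", "src": "10.0.0.53", "answer": "10.0.0.80"},
    {"qid": 0x1A2B, "qname": "intranet.example.com", "src": "10.0.0.99", "answer": "203.0.113.7"},
]
HOSTS_SAMPLE = """# constructed HOSTS file
127.0.0.1   localhost
::1         localhost
203.0.113.7 intranet.example.com   # forced resolution, needs review
"""

if __name__ == "__main__":
    for alert in detect_arp_anomalies(ARP_EVENTS) + detect_dns_spoofing(DNS_RESPONSES):
        print("ALERT:", alert)
    for addr, names in suspicious_hosts_entries(HOSTS_SAMPLE):
        print("HOSTS review:", addr, " ".join(names))
```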

Organizations should use a split-DNS system (aka split-horizon DNS, split-view DNS, and split-brain DNS). A split-DNS is deploying a DNS server for public use and a separate DNS server for internal use. All data in the zone file on the public DNS server is accessible by the public via queries or probing. However, the internal DNS is for internal use only. Only internal systems are granted access to interact with the internal DNS server. Outsiders are prohibited from accessing the internal DNS server by blocking inbound port 53 for both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP 53 is used for zone transfers (which includes most DNS server to DNS server communications), and UDP 53 is used for queries (which is any non-DNS system sending a query to a DNS server). Internal systems can be configured to only interact with the internal DNS servers, or they may be allowed to send queries to external DNS servers (which does require the firewall to be a stateful inspection firewall configured to allow responses to return to the internal system from an approved outbound query).

Server-Based Systems


An important area of server-based concern, which may include clients as well, is the issue of data flow control. Data flow is the movement of data between processes, between devices, across a network, or over communication channels. Management of data flow ensures not only efficient transmission with minimal delays or latency, but also reliable throughput using hashing and confidentiality protection with encryption. Data flow control also ensures that receiving systems are not overloaded with traffic, especially to the point of dropping connections or being subject to a malicious or even self-inflicted denial of service. When data overflow occurs, data may be lost or corrupted or may trigger a need for retransmission. These results are undesirable, and data flow control is often implemented to prevent these issues from occurring. Data flow control may be provided by networking devices, including routers and switches, as well as network applications and services.

A load balancer is used to spread or distribute network traffic load across several network links or network devices. A load balancer may be able to provide more control over data flow. The purpose of load balancing is to obtain more optimal infrastructure utilization, minimize response time, maximize throughput, reduce overloading, and eliminate bottlenecks. Although load balancing can be used in a variety of situations, a common implementation is spreading a load across multiple members of a server farm or cluster. A load balancer might use a variety of techniques to perform load distribution, including random choice, round robin, load/utilization monitoring, and preferencing.

A denial-of-service attack can be a severe detriment to data flow control. It is important to monitor for DoS attacks and implement mitigations. Please see Chapters 12 and 17 for a discussion of these attacks and potential defenses.

Database Systems Security

Database security is an important part of any organization that uses large sets of data as an essential asset. Without database security efforts, business tasks can be interrupted and confidential information disclosed. For the CISSP exam, it is important that you are aware of several topics in relation to database security. These include aggregation, inference, data mining, data warehousing, and data analytics.

Aggregation

SQL provides a number of functions that combine records from one or more tables to produce potentially useful information. This process is called aggregation. Aggregation is not without its security vulnerabilities. Aggregation attacks are used to collect numerous low-level security items or low-value items and combine them to create something of a higher security level or value.

These functions, although extremely useful, also pose a risk to the security of information in a database. For example, suppose a low-level military records clerk is responsible for updating records of personnel and equipment as they are transferred from base to base. As part of his duties, this clerk may be granted the database permissions necessary to query and update personnel tables.

The military might not consider an individual transfer request (in other words, Sergeant Jones is being moved from Base X to Base Y) to be classified information. The records clerk has access to that information because he needs it to process Sergeant Jones's transfer. However, with access to aggregate functions, the records clerk might be able to count the number of troops assigned to each military base around the world. These force levels are often closely guarded military secrets, but the low-ranking records clerk could deduce them by using aggregate functions across a large number of unclassified records.

For this reason, it's especially important for database security administrators to strictly control access to aggregate functions and adequately assess the potential information they may reveal to unauthorized individuals.

Inference

The database security issues posed by inference attacks are similar to those posed by the threat of data aggregation. Inference attacks involve combining several pieces of nonsensitive information to gain access to information that should be classified at a higher level. However, inference makes use of the human mind's deductive capacity rather than the raw mathematical ability of modern database platforms.

A commonly cited example of an inference attack is that of the accounting clerk at a large corporation who is allowed to retrieve the total amount the company spends on salaries for use in a top-level report but is not allowed to access the salaries of individual employees. The accounting clerk often has to prepare those reports with effective dates in the past and so is allowed to access the total salary amounts for any day in the past year. Say, for example, that this clerk must also know the hiring and termination dates of various employees and has access to this information. This opens the door for an inference attack. If an employee was the only person hired on a specific date, the accounting clerk can now retrieve the total salary amount on that date and the day before and deduce the salary of that particular employee—sensitive information that the user would not be permitted to access directly.


As with aggregation, the best defense against inference attacks is to maintain constant vigilance over the permissions granted to individual users. Furthermore, intentional blurring of data may be used to prevent the inference of sensitive information. For example, if the accounting clerk were able to retrieve only salary information rounded to the nearest million, they would probably not be able to gain any useful information about individual employees. Finally, you can use database partitioning (discussed earlier in this chapter) to help subvert these attacks.
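The records-clerk aggregation scenario and the accounting-clerk inference scenario above, worked against one small table, together with the rounding defense, as an added example that is not from the CISSP text: the schema, names, bases, dates and salaries are constructed, and the helper names are this example's own.

```python
"""Aggregation and inference against a personnel/payroll table, and the
blurring defence the text describes. Added example, not from the CISSP
text: the schema, names, bases, dates and salaries are constructed."""
import sqlite3


def build_db():
    """In-memory table the clerk is allowed to query row by row."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE personnel (
            name TEXT, base TEXT, salary INTEGER, hired TEXT, terminated TEXT);
        INSERT INTO personnel VALUES
            ('Jones',  'Base X', 52000, '2019-03-01', NULL),
            ('Smith',  'Base X', 61000, '2019-03-01', NULL),
            ('Garcia', 'Base Y', 58000, '2020-07-15', NULL),
            ('Lee',    'Base Y', 70000, '2018-01-10', NULL),
            ('Patel',  'Base Z', 49000, '2017-11-02', '2021-05-31');
    """)
    return con


def transfer_record(con, name):
    """The intended use: one unclassified transfer record at a time."""
    return con.execute("SELECT name, base FROM personnel WHERE name = ?",
                       (name,)).fetchone()


def force_levels(con):
    """Aggregation: the same table privilege plus COUNT/GROUP BY yields the
    per-base troop counts the text calls a closely guarded secret."""
    return con.execute(
        "SELECT base, COUNT(*) FROM personnel "
        "WHERE terminated IS NULL GROUP BY base ORDER BY base").fetchall()


def payroll_total(con, as_of):
    """The permitted report query: total salary of staff employed on a date
    (ISO-8601 date strings compare correctly as text in SQLite)."""
    row = con.execute(
        "SELECT COALESCE(SUM(salary), 0) FROM personnel "
        "WHERE hired <= ? AND (terminated IS NULL OR terminated > ?)",
        (as_of, as_of)).fetchone()
    return row[0]


def sole_hire_on(con, hire_date):
    """The nonsensitive fact the inference needs: who alone was hired that day."""
    rows = con.execute("SELECT name FROM personnel WHERE hired = ?",
                       (hire_date,)).fetchall()
    return rows[0][0] if len(rows) == 1 else None


def infer_salary(con, hire_date, day_before, total_fn=payroll_total):
    """Inference: two permitted totals one day apart differ by exactly the
    salary of the only person hired on hire_date. Returns (name, salary)
    or None when no single hire makes the deduction possible."""
    name = sole_hire_on(con, hire_date)
    if name is None:
        return None
    return name, total_fn(con, hire_date) - total_fn(con, day_before)


def payroll_total_blurred(con, as_of, granularity=1_000_000):
    """Defence from the text: report totals rounded to the nearest million so
    that a single employee's salary no longer shows up as a difference."""
    return round(payroll_total(con, as_of) / granularity) * granularity


if __name__ == "__main__":
    db = build_db()
    print("transfer record:", transfer_record(db, "Jones"))
    print("force levels via aggregation:", force_levels(db))
    print("inferred:", infer_salary(db, "2020-07-15", "2020-07-14"))
    print("with blurring:", infer_salary(db, "2020-07-15", "2020-07-14",
                                         total_fn=payroll_total_blurred))
```

With the exact totals the difference between 2020-07-15 and 2020-07-14 equals Garcia's salary; with the blurred totals the same two queries differ by nothing.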

Data Mining and Data Warehousing

Many organizations use large databases, known as data warehouses, to store large amounts of information from a variety of databases for use with specialized analysis techniques. These data warehouses often contain detailed historical information not normally stored in production databases because of storage limitations or data security concerns.

A data dictionary is commonly used for storing critical information about data, including usage, type, sources, relationships, and formats. Database management system (DBMS) software reads the data dictionary to determine access rights for users attempting to access data.

Data mining techniques allow analysts to comb through data warehouses and look for potential correlated information. For example, an analyst might discover that the demand for light bulbs always increases in the winter months and then use this information when planning pricing and promotion strategies. Data mining techniques result in the development of data models that can be used to predict future activity.

The activity of data mining produces metadata. Metadata is data about data or information about data. Metadata is not exclusively the result of data mining operations; other functions or services can produce metadata as well. Think of metadata from a data mining operation as a concentration of data. It can also be a superset, a subset, or a representation of a larger dataset. Metadata can be the important, significant, relevant, abnormal, or aberrant elements from a dataset.

One common security example of metadata is that of a security incident report. An incident report is the metadata extracted from a data warehouse of audit logs through the use of a security auditing data mining tool. In most cases, metadata is of a greater value or sensitivity (due to disclosure) than the bulk of data in the warehouse. Thus, metadata is stored in a more secure container known as the data mart.

Data warehouses and data mining are significant to security professionals for two reasons. First, as previously mentioned, data warehouses contain large amounts of potentially sensitive information vulnerable to aggregation and inference attacks, and security practitioners must ensure that adequate access controls and other security measures are in place to safeguard this data. Second, data mining can actually be used as a security tool when it’s used to develop baselines for statistical anomaly–based intrusion detection systems. Data mining is used to “hunt” through large volumes of security-related data for anomalous events that could indicate an ongoing attack, compromise, or breach.
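The baseline-then-hunt idea in the paragraph above, as an added example that is not from the textbook: a script that mines a constructed audit log (the line format, user names, addresses and counts are all made up) for per-user hourly failed-login counts, derives a statistical baseline from a quiet training window, and flags hours that sit far outside it.

```python
"""Mining audit logs for a statistical baseline and flagging anomalous hours.

Added example, not from the textbook: the chapter says data mining can
develop baselines for statistical anomaly-based intrusion detection. This
script parses a constructed audit log, counts failed logins per user per
hour, derives each user's baseline (mean and standard deviation over a
quiet training window), and flags hours whose count is far above it.
"""
import re
import statistics
from collections import defaultdict

# Constructed log line format (made up for this example).
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} login "
    r"user=(?P<user>\w+) src=\S+ result=(?P<result>\w+)$"
)


def make_training_log():
    """Constructed baseline: three quiet working days. alice has a few failed
    logins each hour; bob logs in successfully once an hour."""
    fails_per_hour = [1, 0, 2, 1, 0, 1, 0, 1, 2, 0]  # hours 08:00-17:00
    lines = []
    for day in ("2024-03-01", "2024-03-02", "2024-03-03"):
        for i, fails in enumerate(fails_per_hour):
            hour = 8 + i
            for n in range(fails):
                lines.append(f"{day}T{hour:02d}:{n * 7:02d}:00 login "
                             f"user=alice src=10.0.0.5 result=fail")
            lines.append(f"{day}T{hour:02d}:30:00 login "
                         f"user=bob src=10.0.0.9 result=ok")
    return lines


# Constructed burst: 25 failed logins for alice in one hour from a new source.
BURST_LOG = [f"2024-03-04T09:{m:02d}:00 login user=alice src=203.0.113.7 result=fail"
             for m in range(25)]


def parse(lines):
    """Return (user, hour_bucket, result) for every line matching the format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((m["user"], m["hour"], m["result"]))
    return events


def failed_counts(events):
    """Map user -> {hour_bucket: failed logins}. Every hour that saw any
    activity is present for every user, so quiet hours count as 0."""
    hours = {hour for _, hour, _ in events}
    counts = defaultdict(lambda: dict.fromkeys(hours, 0))
    for user, hour, result in events:
        _ = counts[user]  # ensure the user exists even with no failures
        if result == "fail":
            counts[user][hour] += 1
    return counts


def build_baseline(training_counts, min_stdev=1.0):
    """Per-user (mean, stdev) of hourly failure counts. The stdev floor stops
    a perfectly quiet baseline from flagging a single stray failure."""
    baseline = {}
    for user, per_hour in training_counts.items():
        values = list(per_hour.values())
        baseline[user] = (statistics.fmean(values),
                          max(statistics.pstdev(values), min_stdev))
    return baseline


def flag_anomalies(counts, baseline, z_threshold=3.0):
    """Return (user, hour, count, z) for hours above the z-score threshold.
    A user absent from the baseline is treated as (mean 0, stdev 1)."""
    flags = []
    for user, per_hour in counts.items():
        mean, stdev = baseline.get(user, (0.0, 1.0))
        for hour, n in sorted(per_hour.items()):
            z = (n - mean) / stdev
            if z > z_threshold:
                flags.append((user, hour, n, round(z, 1)))
    return flags


def detect(training_lines, new_lines):
    """Mine the training window for a baseline, then hunt the new lines."""
    baseline = build_baseline(failed_counts(parse(training_lines)))
    return flag_anomalies(failed_counts(parse(new_lines)), baseline)


if __name__ == "__main__":
    for flag in detect(make_training_log(), BURST_LOG):
        print("ANOMALY", *flag)
```

Run against its own training window the detector stays silent (the noisiest hour is only about one standard deviation above the mean); run against the constructed burst it reports the single hour with a z-score far above the threshold, which is the kind of event the text says would warrant investigation.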

Data Analytics

Data analytics is the science of raw data examination with the focus of extracting useful information out of the bulk information set. The results of data analytics could focus on important outliers or exceptions to normal or standard items, a summary of all data items, or some focused extraction and organization of interesting information. Data analytics is a growing field as more organizations are gathering an astounding volume of data from their customers and products. The sheer volume of information to be processed has demanded a whole new category of database structures and analysis tools. It has even picked up the nickname of “big data.”

Big data refers to collections of data that have become so large that traditional means of analysis or processing are ineffective, inefficient, and insufficient. Big data involves numerous difficult challenges, including collection, storage, analysis, mining, transfer, distribution, and results presentation. Such large volumes of data have the potential to reveal nuances and idiosyncrasies that more mundane sets of data fail to address. The potential to learn from big data is tremendous, but the burdens of dealing with big data are equally great. As the volume of data increases, the complexity of data analysis increases as well. Big data analysis requires high-performance analytics running on massively parallel or distributed processing systems. With regard to security, organizations are endeavoring to collect an ever more detailed and exhaustive range of event data and access data. This data is collected with the goal of assessing compliance, improving efficiencies, improving productivity, and detecting violations.

Large-Scale Parallel Data Systems

Parallel data systems or parallel computing is a computation system designed to perform numerous calculations simultaneously. But parallel data systems often go far beyond basic multiprocessing capabilities. They often include the concept of dividing up a large task into smaller elements, and then distributing each subelement to a different processing subsystem for parallel computation. This implementation is based on the idea that some problems can be solved efficiently if broken into smaller tasks that can be worked on concurrently. Parallel data processing can be accomplished by using distinct CPUs or multicore CPUs, using virtual systems, or any combination of these. Large-scale parallel data systems must also be concerned with performance, power consumption, and reliability/stability issues.

Within the arena of multiprocessing or parallel processing there are several divisions. The first division is between asymmetric multiprocessing (AMP) and symmetric multiprocessing (SMP). In AMP, the processors are often operating independently of each other. Usually each processor has its own OS and/or task instruction set. Under AMP, processors can be configured to execute only specific code or operate on specific tasks (or specific code or tasks are allowed to run only on specific processors; this might be called affinity in some circumstances). In SMP, the processors each share a common OS and memory. The collection of processors also works collectively on a single task, code, or project. A variation of AMP is massive parallel processing (MPP), where numerous SMP systems are linked together in order to work on a single primary task across multiple processes in multiple linked systems. An MPP traditionally involved multiple chassis, but modern MPPs are commonly implemented onto the same chip.

The arena of large-scale parallel data systems is still evolving. It is likely that many management issues are yet to be discovered and solutions to known issues are still being sought. Large-scale parallel data management is likely a key tool in managing big data and will often involve cloud computing, grid computing, or peer-to-peer computing solutions. These three concepts are covered in the following sections.

Distributed Systems and Endpoint Security

As computing has evolved from a host/terminal model (where users could be physically distributed but all functions, activity, data, and resources reside on a single centralized system) to a client-server model (where users operate independent, fully functional desktop computers but also access services and resources on networked servers), security controls and concepts have had to evolve to follow suit. This means that clients have computing and storage capabilities and, typically, that multiple servers do likewise. The concept of a client-server model network is also known as a distributed system or a distributed architecture. Thus, security must be addressed everywhere instead of at a single centralized host. From a security standpoint, this means that because processing and storage are distributed on multiple clients and servers, all those computers must be properly secured and protected. It also means that the network links between clients and servers (and in some cases, these links may not be purely local) must also be secured and protected. When evaluating security architecture, be sure to include an assessment of the needs and risks related to distributed architectures.

Distributed architectures are prone to vulnerabilities unthinkable in monolithic host/terminal systems. Desktop systems can contain sensitive information that may be at some risk of being exposed and must therefore be protected. Individual users may lack general security savvy or awareness, and therefore the underlying architecture has to compensate for those deficiencies. Desktop PCs, workstations, and laptops can provide avenues of access into critical information systems elsewhere in a distributed environment because users require access to networked servers and services to do their jobs. By permitting user machines to access a network and its distributed resources, organizations must also recognize that those user machines can become threats if they are misused or compromised. Such software and system vulnerabilities and threats must be assessed and addressed properly.

Communications equipment can also provide unwanted points of entry into a distributed environment. For example, modems attached to a desktop machine that’s also attached to an organization’s network can make that network vulnerable to dial-in attacks. There is also a risk that wireless adapters on client systems can be used to create open networks. Likewise, users who download data from the internet increase the risk of infecting their own and other systems with malicious code, Trojan horses, and so forth. Desktops, laptops, tablets, mobile phones, and workstations—and associated disks or other storage devices—may not be secure from physical intrusion or theft. Finally, when data resides only on client machines, it may not be secured with a proper backup (it’s often the case that although servers are backed up routinely, the same is not true for client computers).

You should see that the foregoing litany of potential vulnerabilities in distributed architectures means that such environments require numerous safeguards to implement appropriate security and to ensure that such vulnerabilities are eliminated, mitigated, or remedied. Clients must be subjected to policies that impose safeguards on their contents and their users’ activities. These include the following:

Email must be screened so that it cannot become a vector for infection by malicious software; email should also be subject to policies that govern appropriate use and limit potential liability.

Download/upload policies must be created so that incoming and outgoing data is screened and suspect materials blocked.

Systems must be subject to robust access controls, which may include multifactor authentication and/or biometrics to restrict access to end-user devices and to prevent unauthorized access to servers and services.


Restricted user-interface mechanisms and database management systems should be installed, and their use required, to restrict and manage access to critical information so users have minimal but necessary access to sensitive resources.

File encryption may be appropriate for files and data stored on client machines (indeed, drive-level encryption is a good idea for laptops and other mobile computing gear that is subject to loss or theft outside an organization’s premises).

It’s essential to separate and isolate processes that run in user and supervisory modes so that unauthorized and unwanted access to high-privilege processes and capabilities is prevented.

Protection domains should be created so that compromise of a client won’t automatically compromise an entire network.

Disks and other sensitive materials should be clearly labeled as to their security classification or organizational sensitivity; procedural processes and system controls should combine to help protect sensitive materials from unwanted or unauthorized access.

Files on desktop machines should be backed up, as well as files on servers—ideally, using some form of centralized backup utility that works with client agent software to identify and capture files from clients stored in a secure backup storage archive.

Desktop users need regular security awareness training to maintain proper security awareness; they also need to be notified about potential threats and instructed on how to deal with them appropriately.

Desktop computers and their storage media require protection against environmental hazards (temperature, humidity, power loss/fluctuation, and so forth).

Desktop computers should be included in disaster recovery and business continuity planning because they’re potentially as important as (if not more important than) other systems and services within an organization for [or in] getting their users back to work on other systems.

Developers of custom software built in and for distributed environments also need to take security into account, including using formal methods for development and deployment, such as code libraries, change control mechanisms, configuration management, and patch and update deployment.

In general, safeguarding distributed environments means understanding the vulnerabilities to which they’re subject and applying appropriate safeguards. These can (and do) range from technology solutions and controls to policies and procedures that manage risk and seek to limit or avoid losses, damage, unwanted disclosure, and so on.

A reasonable understanding of countermeasure principles is always important when responding to vulnerabilities and threats. Some specific countermeasure principles are discussed in Chapter 2, “Personnel Security and Risk Management Concepts,” in the section “Risk Management.” But a common general principle is that of defense in depth. Defense in depth is a common security strategy used to provide a protective multilayer barrier against various forms of attack. It’s reasonable to assume that there is greater difficulty in passing bad traffic or data through a network heavily fortified by a firewall, an IDS, and a diligent administration staff than one with a firewall alone. Why shouldn’t you double up your defenses? Defense in depth (aka multilayered defense and diversity of defense) is the use of multiple types of access controls in literal or theoretical concentric circles. This form of layered security helps an organization avoid a monolithic security stance. A monolithic or fortress mentality is the belief that a single security mechanism is all that is required to provide sufficient security. Unfortunately, every individual security mechanism has a flaw or a workaround just waiting to be discovered and abused by a hacker. Only through the intelligent combination of countermeasures is a defense constructed that will resist significant and persistent attempts of compromise.

Cloud-Based Systems and Cloud Computing

Cloud computing is the popular term referring to a concept of computing where processing and storage are performed elsewhere over a network connection rather than locally. Cloud computing is often thought of as Internet-based computing or remote virtualization. Ultimately, processing and storage still occur on computers somewhere, but the distinction is that the local operator no longer needs to have that capacity or capability locally. This also allows a larger group of users to leverage cloud resources on demand. From the end-user perspective, all the work of computing is now performed “in the cloud” and thus the complexity is isolated from them.

Cloud computing is a natural extension and evolution of virtualization, the internet, distributed architecture, and the need for ubiquitous access to data and resources. However, it does have some issues, including privacy concerns, regulation compliance difficulties, use of open- versus closed-source solutions, adoption of open standards, and whether or not cloud-based data is actually secured (or even securable). The hypervisor, also known as the virtual machine monitor (VMM), is the component of virtualization that creates, manages, and operates the virtual machines. The computer running the hypervisor is known as the host OS, and the OSs running within a hypervisor-supported virtual machine are known as guest OSs.


A Type I hypervisor is a native or bare-metal hypervisor. In this configuration, there is no host OS; instead, the hypervisor installs directly onto the hardware where the host OS would normally reside. Type I hypervisors are often used to support server virtualization. This allows for maximization of the hardware resources while eliminating any risks or resource reduction caused by a host OS.

A Type II hypervisor is a hosted hypervisor. In this configuration, a standard regular OS is present on the hardware, and then the hypervisor is installed as another software application. Type II hypervisors are often used in relation to desktop deployments, where the guest OSs offer safe sandbox areas to test new code, allow the execution of legacy applications, support apps from alternate OSs, and provide the user with access to the capabilities of a host OS.

Cloud storage is the idea of using storage capacity provided by a cloud vendor as a means to host data files for an organization. Cloud storage can be used as a form of backup or support for online data services. Cloud storage may be cost effective, but it is not always high speed or low latency. Most do not yet consider cloud storage as a replacement for physical backup media solutions but rather as a supplement for organizational data protection. Additionally, using cloud storage may involve additional risk because your organization’s data is residing on equipment in another facility and under third-party control.

Elasticity refers to the flexibility of virtualization and cloud solutions to expand or contract based on need. In relation to virtualization, host elasticity means additional hardware hosts can be booted when needed and then used to distribute the workload of the virtualized services over the newly available capacity. As the workload becomes smaller, you can pull virtualized services off unneeded hardware so it can be shut down to conserve electricity and reduce heat.

Some of the concepts in cloud computing are listed here:

Platform as a service Platform as a service (PaaS) is the concept of providing a computing platform and software solution stack as a virtual or cloud-based service. Essentially, this type of cloud solution provides all the aspects of a platform (that is, the operating system and complete solution package). The primary attraction of PaaS is the avoidance of having to purchase and maintain high-end hardware and software locally.

Software as a service Software as a service (SaaS) is a derivative of PaaS. SaaS provides on-demand online access to specific software applications or suites without the need for local installation. In many cases, there are few local hardware and OS limitations. SaaS can be implemented as a subscription service (for example, Microsoft Office 365), a pay-as-you-go service, or a free service (for example, Google Docs).

Infrastructure as a service Infrastructure as a service (IaaS) takes the PaaS model yet another step forward and provides not just on-demand operating solutions but complete outsourcing options. This can include utility or metered computing services, administrative task automation, dynamic scaling, virtualization services, policy implementation and management services, and managed/filtered internet connectivity. Ultimately, IaaS allows an enterprise to scale up new software or data-based services/solutions through cloud systems quickly and without having to install massive hardware locally.

There are many other “X as a service” offerings available in the marketplace, each with its own potential vulnerabilities and advantages. Different cloud computing companies may define or label their services differently than others. Thus, it is important to carefully compare and contrast providers with what features and options are available from each.

An on-premises solution is the traditional deployment concept in which an organization owns the hardware, licenses the software, and operates and maintains the systems on its own, usually within its own building. On-premises solutions do not have ongoing monthly subscription costs like a cloud service but may be costlier because of initial up-front costs of obtaining hardware and licensing and ongoing operational management costs. On-premises solutions offer full customization, provide local control over security, do not require internet connectivity, and provide local control over updates and changes. However, they also require significant administrative involvement for updates and changes, require local backup and management, and are more challenging to scale.

A hosted solution is a deployment concept where the organization licenses the software and then operates and maintains it. The hosting provider owns, operates, and maintains the hardware that supports the organization’s software.

A cloud solution is a deployment concept where an organization contracts with a third-party cloud provider. The cloud provider owns, operates, and maintains the hardware and software. The organization pays a monthly fee (often based on a per-user multiplier) to use the cloud solution. Most on-premises environments can be crafted or re-created as a cloud-only solution.

Cloud services can also be offered in a variety of deployment options, including the following:

Private A private cloud is a cloud service within a corporate network and isolated from the internet. The private cloud is for internal use only. A virtual private cloud is a service offered by a public cloud provider that provides an isolated subsection of a public or external cloud for exclusive use by an organization internally. In other words, an organization outsources its private cloud to an external provider.

Public A public cloud is a cloud service that is accessible to the general public, typically over an internet connection. Public cloud services may require some form of subscription or pay-per-use or may be offered for free. Although an organization’s or individual’s data is usually kept separated and isolated from other customers’ data in a public cloud, the overall purpose or use of the cloud is the same for all customers.

Hybrid A hybrid cloud is a mixture of private and public cloud components. For example, an organization could host a private cloud for exclusive internal use but distribute some resources onto a public cloud for the public, business partners, customers, the external sales force, and so on.

Community A community cloud is a cloud environment maintained, used, and paid for by a group of users or organizations for their shared benefit, such as collaboration and data exchange. This may allow for some cost savings compared to accessing private or public clouds independently.


Cloud solutions often have lower up-front costs, lower maintenance costs, vendor-maintained security, and scalable resources, and they usually have high levels of uptime and availability from anywhere (over the internet). However, cloud solutions do not offer customer control over the OS and software, such as updates and configuration changes; provide minimal customization; and are often inaccessible without internet connectivity. In addition, the security policies of the cloud provider might not match those of the organization.

Cloud computing and virtualization, especially when you are virtualizing in the cloud, have serious risks associated with them. Once sensitive, confidential, or proprietary data leaves the confines of the organization, it also leaves the protections imposed by the organizational security policy and resultant infrastructure. Cloud services and their personnel might not adhere to the same security standards as your organization. Many cloud vendors may actually provide a more secure environment than most organizations can maintain themselves. Cloud providers often have the resources to invest in security engineers, operations, and testers that many small to midsize (or even large) organizations simply can’t afford. It is important to investigate the security of a cloud service before adopting it.

With the increased burden of industry regulations, such as the Sarbanes–Oxley Act of 2002 (SOX), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standards (PCI DSS), it is essential to ensure that a cloud service provides sufficient protections to maintain compliance. Additionally, cloud service providers may not maintain your data in close proximity to your primary physical location. In fact, they may distribute your data across numerous locations, some of which may reside outside your country of origin. It may be necessary to add to a cloud service contract a limitation to house your data only within specific logical and geographic boundaries.

It is important to investigate the encryption solutions employed by a cloud service. Do you send your data to them preencrypted, or is it encrypted only after reaching the cloud? Where are the encryption keys stored? Is there segregation between your data and that belonging to other cloud users? An encryption mistake can reveal your secrets to the world or render your information unrecoverable.

What is the method and speed of recovery or restoration from the cloud? If you have system failures locally, how do you get your environment back to normal? Also consider whether the cloud service has its own disaster-recovery solution. If it experiences a disaster, what is its plan to recover and restore services and access to your cloud resources?

Other issues include the difficulty with which investigations can be conducted, concerns over data destruction, and what happens if the current cloud-computing service goes out of business or is acquired by another organization.

Snapshots are backups of virtual machines. They offer a quick means to recover from errors or poor updates. It’s often easier and faster to make backups of entire virtual systems rather than the equivalent native hardware-installed system.

Virtualization doesn’t lessen the security management requirements of an OS. Thus, patch management is still essential. Patching or updating virtualized OSs is the same process as for a traditionally hardware-installed OS, with the added benefit that you may be able to patch systems (or swap out active systems) without taking the service down. Also, don’t forget that you need to keep the virtualization host updated as well.

When you’re using virtualized systems, it’s important to protect the stability of the host. This usually means avoiding using the host for any purpose other than hosting the virtualized elements. If host availability is compromised, the availability and stability of the virtual systems are also compromised.


Virtualized systems should be security tested. The virtualized OSs can be tested in the same manner as hardware-installed OSs, such as with vulnerability assessment and penetration testing. However, the virtualization product may introduce additional and unique security concerns, so the testing process needs to be adapted to include those idiosyncrasies.

A cloud access security broker (CASB) is a security policy enforcement solution that may be installed on-premises, or it may be cloud-based. The goal of a CASB is to enforce and ensure that proper security measures are implemented between a cloud solution and a customer organization.

Security as a service (SECaaS) is a cloud provider concept in which security is provided to an organization through or by an online entity. The purpose of SECaaS solutions is to reduce the cost and overhead of implementing and managing security locally. SECaaS often implements software-only security components that do not need dedicated on-premises hardware. SECaaS security components can include a wide range of security products, including authentication, authorization, auditing/accounting, anti-malware, intrusion detection, compliance and vulnerability scanning, penetration testing, and security event management.

The cloud shared responsibility model is the concept that when an organization uses a cloud solution, there is a division of security and stability responsibility between the provider and the customer. The different forms of cloud service (such as SaaS, PaaS, and IaaS) may each have different levels or division points of shared responsibility. A SaaS solution places most of the management burden on the shoulders of the cloud provider, while IaaS management leans more toward the customer. When electing to use a cloud service, it is important to consider the specifics of the management, troubleshooting, and security management and how those responsibilities are assigned, divided, or shared between the cloud provider and the customer.

Grid Com put ing Grid com put ing is a form of par al lel dis trib uted pro cess ing that loosely groups a sig nif i cant num ber of

pro cess ing nodes to work to ward a spe cific pro cess ing goal. Mem bers of the grid can en ter and leave the grid at ran dom in ter vals. Of ten, grid mem bers join the grid only when their pro cess ing ca pac i ties are not be ing taxed for lo cal work loads. When a sys tem is oth er wise in an idle state, it could join a grid group, down load a small por tion of work, and be gin cal cu la tions. When a sys tem leaves the grid, it saves its work and may up load com pleted or par tial work el e ments back to the grid. Many in ter est ing uses of grid com put ing have de vel oped, rang ing from projects seek ing out in tel li gent aliens, per form ing pro tein fold ing, pre dict ing weather, mod el ing earth quakes, plan ning fi nan cial de ci sions, and solv ing for primes.

The big gest se cu rity con cern with grid com put ing is that the con tent of each work packet is po ten tially ex posed to the world. Many grid com put ing projects are open to the world, so there is no re stric tion on who can run the lo cal pro cess ing ap pli ca tion and par tic i pate in the grid’s project. This also means that grid mem bers could keep copies of each work packet and ex am ine the con tents. Thus, grid projects will not likely be able to main tain se crecy and are not ap pro pri ate for pri vate, con fi den tial, or pro pri etary data.

Grid com put ing can also vary greatly in the com pu ta tional ca pac ity from mo ment to mo ment. Work pack ets are some times not re turned, re turned late, or re turned cor rupted. This re quires sig nif i cant re work ing and causes in sta bil ity in the speed, progress, re spon sive ness, and la tency of the project as a whole and with in di vid ual grid mem bers. Time-sen si tive projects might not be given suf fi cient com pu ta tional time to fin ish by a spe cific chrono log i cal dead line.

Grid computing often uses a central primary core of servers to manage the project, track work packets, and integrate returned work segments. If the central servers are overloaded or go offline, complete failure or crashing of the grid can occur. However, usually when central grid systems are inaccessible, grid members complete their current local tasks and then regularly poll to discover when the central servers come back online. There is also a potential risk that a compromise of the central grid servers could be leveraged to attack grid members or trick grid members into performing malicious actions instead of the intended purpose of the grid community.

Peer to Peer

Peer-to-peer (P2P) technologies are networking and distributed application solutions that share tasks and workloads among peers. This is similar to grid computing; the primary differences are that there is no central management system and the services provided are usually real time rather than a collection of computational power. Common examples of P2P include BitTorrent (for data/file distribution) and, in their earlier architectures, VoIP services such as Skype and streaming audio/music services such as Spotify.

Security concerns with P2P solutions include a perceived inducement to pirate copyrighted materials, the ability to eavesdrop on distributed content, a lack of central control/oversight/management/filtering, and the potential for services to consume all available bandwidth.


Cryptographic systems are covered in detail in Chapter 6, "Cryptography and Symmetric Key Algorithms," and Chapter 7, "PKI and Cryptographic Applications."

Internet of Things

Smart devices are a range of mobile devices that offer the user a plethora of customization options, typically through installing apps, and may take advantage of on-device or in-the-cloud artificial intelligence (AI) processing. The products that can be labeled "smart devices" are constantly expanding and already include smartphones, tablets, music players, home assistants, extreme sport cameras, and fitness trackers.

The Internet of Things (IoT) is a new subcategory or even a new class of smart devices that are Internet-connected in order to provide automation, remote control, or AI processing to traditional or new appliances or devices in a home or office setting. IoT devices are sometimes revolutionary adaptations of functions or operations you may have been performing locally and manually for decades, which you would not want to ever be without again. Other IoT devices are nothing more than expensive gimmicky gadgets that after the first few moments of use are forgotten about and/or discarded. The security issues related to IoT center on access control and encryption: weak or default credentials, management interfaces exposed to the network, and communications that are not encrypted. All too often an IoT device was not designed with security as a core concept or even an afterthought. This has already resulted in numerous home and office network security breaches. Additionally, once an attacker has remote access to or through an IoT device, they may be able to access other devices on the compromised network. When electing to install IoT equipment, evaluate the security of the device as well as the security reputation of the vendor. If the new device does not have the ability to meet or accept your existing security baseline, then don't compromise your security just for a flashy gadget.

One possible secure implementation is to deploy a distinct network for the IoT equipment, which is kept separate and isolated from the primary network. This configuration is often known as the three dumb routers (see https://www.grc.com/sn/sn-545.pdf or https://www.pcper.com/reviews/General-Tech/Steve-Gibsons-Three-Router-Solution-IOT-Insecurity). The same isolation can be achieved with a dedicated VLAN and firewall rules that let the IoT segment reach the Internet but not the primary network; what matters is that a compromised device has no route to the systems you care about.

While we often associate smart devices and IoT with home or personal use, they are also a concern to every organization. This is partly because of the use of mobile devices by employees within the company's facilities and even on the organizational network. Another aspect of network professional concern is that many IoT or networked automation devices are being added to the business environment. This includes environmental controls, such as heating, ventilation, and air conditioning (HVAC) management, air quality control, debris and smoke detection, lighting controls, door automation, personnel and asset tracking, and consumable inventory management and auto-reordering (such as coffee, snacks, printer toner, paper, and other office supplies). Thus, both smart devices and IoT devices are potential elements of a modern business network that need appropriate security management and oversight. For some additional reading on the importance of proper security management of smart devices and IoT equipment, please see "NIST Initiatives in IoT" at https://www.nist.gov/itl/applied-cybersecurity/nist-initiatives-iot.

Industrial Control Systems

An industrial control system (ICS) is a form of computer-management device that controls industrial processes and machines. ICSs are used across a wide range of industries, including manufacturing, fabrication, electricity generation and distribution, water distribution, sewage processing, and oil refining. There are several forms of ICS, including distributed control systems (DCSs), programmable logic controllers (PLCs), and supervisory control and data acquisition (SCADA).

DCS units are typically found in industrial process plants where the need to gather data and implement control over a large-scale environment from a single location is essential. An important aspect of DCS is that the controlling elements are distributed across the monitored environment, such as a manufacturing floor or a production line, and the centralized monitoring location sends commands out to those localized controllers while gathering status and performance data. A DCS might be analog or digital in nature, depending on the task being performed or the device being controlled. For example, a liquid flow valve DCS would be an analog system, whereas an electric voltage regulator DCS would likely be a digital system.

PLC units are effectively single-purpose or focused-purpose digital computers. They are typically deployed for the management and automation of various industrial electromechanical operations, such as controlling systems on an assembly line or a large-scale digital light display (such as a giant display system in a stadium or on a Las Vegas Strip marquee).

A SCADA system can operate as a stand-alone device, be networked together with other SCADA systems, or be networked with traditional information technology (IT) systems. Most SCADA systems are designed with minimal human interfaces. Often, they use mechanical buttons and knobs or simple LCD screen interfaces (similar to what you might have on a business printer or a GPS navigation device). However, networked SCADA devices may have more complex remote-control software interfaces.

In theory, the static design of SCADA, PLC, and DCS units and their minimal human interfaces should make the system fairly resistant to compromise or modification. Thus, little security was built into these industrial control devices, especially in the past. But there have been several well-known compromises of industrial control systems in recent years; for example, Stuxnet delivered what is widely described as the first PLC rootkit, concealing its changes to the Siemens controllers at a nuclear enrichment facility from the engineers monitoring them. Many SCADA vendors have started implementing security improvements into their solutions in order to prevent or at least reduce future compromises. However, in practice, SCADA and ICS systems are still often poorly secured, vulnerable, and infrequently updated, and older versions not designed for security are still in widespread use. Where such devices cannot be patched, the practical control is to keep them off routable networks and reachable only through a monitored, access-controlled gateway.

Assess and Mitigate Vulnerabilities in Web-Based Systems

There is a wide variety of application and system vulnerabilities and threats in web-based systems, and the range is constantly expanding. Vulnerabilities include concerns related to Extensible Markup Language (XML) and Security Assertion Markup Language (SAML) plus many other concerns discussed by the open community-focused web project known as the Open Web Application Security Project (OWASP).

OWASP is a nonprofit security project focusing on improving security for online or web-based applications. OWASP is not just an organization; it is also a large community that works together to freely share information, methodology, tools, and techniques related to better coding practices and more secure deployment architectures. For more information on OWASP and to participate in the community, visit www.owasp.org. The OWASP group maintains a guide of recommendations for assessing the security of a web service at https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet. OWASP also maintains a top ten list of the most critical web application attacks at https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf. Both of these documents would be a reasonable starting point for planning a security evaluation or penetration test of an organization's web services.

Any security evaluation should start off with reconnaissance or information gathering. This step is to collect as much information as possible about the target for later steps to use. This usually includes viewing each of the hosted web pages, discovering the automation technologies in use, looking for information that should not have been posted, and checking for configuration and security leaks. This is followed by an assessment of the site's configuration management (such as file handling, extensions in use, backups, looking for sensitive data in client-side code), and evaluating the site's transmission security (such as checking for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) version support, assessing cipher suites, cookie/session ID/token management, and susceptibility to forged requests).

Next in a web security assessment is to evaluate authentication and session management. This is followed by evaluating the cryptography of the site and the methods used for data validation and sanitization. A web security assessment should also involve checking for DoS defenses, evaluating risk responses, and testing error handling.

This is only a brief overview of the concept of web security assessment, as the CISSP exam does not expect you to be a professional penetration tester, but you should be generally aware of the concept of security evaluation. You are welcome to explore more details about web security assessment from the OWASP guide if you find this topic interesting.

A few of the OWASP top ten web risks that you may want to know about are injection, XML exploitation, cross-site scripting (XSS), and XSRF.

An injection attack is any exploitation that allows an attacker to submit code to a target system in order to modify its operations and/or poison and corrupt its data set. There is a wide range of potential injection attacks. Typically, an injection attack is named after the type of backend system it takes advantage of or the type of payload delivered (injected) onto the target. Examples include Structured Query Language (SQL) injection, Lightweight Directory Access Protocol (LDAP) injection, XML injection, command injection, Hypertext Markup Language (HTML) injection, code injection, and file injection. A few of these are presented in more detail in this section.

SQL injection attacks are even riskier than XSS attacks (see the following section) from an organization's perspective because the targets of a SQL injection attack are organizational assets, whereas the targets of an XSS attack are customers or visitors to a website. SQL injection attacks use unexpected input to alter or compromise a web application. However, instead of using this input to attempt to fool a user, SQL injection attacks use it to gain unauthorized access to an underlying database and related assets.

In the early days of the Web, all web pages were static, or unchanging. Webmasters created web pages containing information and placed them on a web server, where users could retrieve them using their web browsers. The web quickly outgrew this model because users wanted the ability to access customized information based on their individual needs. For example, visitors to a bank website aren't interested only in static pages containing information about the bank's locations, hours, and services. They also want to retrieve dynamic content containing information about their personal accounts. Obviously, the webmaster can't possibly create pages on the web server for each individual user with that user's personal account information. At a large bank, that would require maintaining millions of pages with up-to-the-minute information. That's where dynamic web applications come into play.

Web applications take advantage of a database to create content on demand when the user makes a request. In the banking example, the user logs in to the web application, providing an account number and password. The web application then retrieves current account information from the bank's database and uses it to instantly create a web page containing the user's current account information. If that user returns an hour later, the web server repeats the process, obtaining updated account information from the database.

What does this mean to you as a security professional? Web applications add complexity to the traditional security model. The web server, as a publicly accessible server, belongs in a separate network zone from other servers, commonly referred to as a demilitarized zone (DMZ). The database server, on the other hand, isn't meant for public access, so it belongs on the internal network or at least a secured subnet separated from the DMZ. The web application needs access to the database, so the firewall administrator must create a rule allowing access from the web server to the database server. This rule creates a potential path for internet users to gain access to the database server.

If the web application functions properly, it allows only authorized requests to the database. However, if there is a flaw in the web application, it may let individuals tamper with the database in an unexpected and unauthorized fashion through the use of SQL injection attacks. These attacks allow a malicious individual to perform SQL transactions directly against the underlying database. SQL injection attacks might enable an attacker to bypass authentication, reveal confidential data from database tables, change existing data, add new records into the database, destroy entire tables or databases, and even gain command line–like access through certain database capabilities (such as command shell stored procedures).

You can use two baseline techniques to protect your web applications against SQL injection attacks.

Perform input validation. Input validation lets you limit the types of data a user provides in a form. There are numerous variations of input injection or manipulation attacks that require a broad-spectrum defense approach, including whitelisting and blacklisting filters. The primary forms of input sanitization that should be adopted include limiting the length of input, filtering on known malicious content patterns, and escaping metacharacters.

Limit account privileges. The database account used by the web server should have the smallest set of privileges possible. If the web application needs only to retrieve data, it should have that ability only.

Metacharacters

Metacharacters are characters that have been assigned special programmatic meaning. Thus, they have special powers that standard, normal characters do not have. There are many common metacharacters, but typical examples include single and double quotation marks; the open/close square brackets; the backslash; the semicolon; the ampersand; the caret; the dollar sign; the period, or dot; the vertical bar, or pipe symbol; the question mark; the asterisk; the plus sign; open/close curly braces; and open/close parentheses: ' " [ ] \ ; & ^ $ . | ? * + { } ( )

Escaping a metacharacter is the process of marking the metacharacter as merely a normal or common character, such as a letter or number, thus removing its special programmatic powers. This is often done by adding a backslash in front of the character (\&), but there are many ways to escape metacharacters based on the programming language or execution environment.

Ultimately, SQL injection is a vulnerability of the script used to handle the interaction between a front end (typically a web server) and the backend database. If the script was written defensively and included code to escape (invalidate or reject) metacharacters, SQL injection would not be possible. The most reliable way to write such a script is to use parameterized queries (prepared statements), which hand user input to the database as bound values rather than splicing it into the SQL text, so that no escaping rules have to be applied by hand and none can be forgotten.
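The bank login described above, written both ways, as an added example that is not code from the study guide. It uses Python's built-in sqlite3 module and a constructed in-memory users table (one user, a plaintext password column kept only for brevity); the two login functions, the whitelist check, and the sample payloads are assumptions for illustration. The vulnerable version splices the input into the SQL string, so a username of alice' -- comments out the password check and a password of ' OR '1'='1 makes the WHERE clause true for every row; the parameterized version hands the same strings to the driver as data and both attacks fail.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the example short; real systems hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Splices user input into the SQL text: the injection bug.

    A username of  alice' --  comments out the password check, and a
    password of  ' OR '1'='1  makes the WHERE clause true for every row.
    """
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Passes input as bound parameters.

    The driver never parses the values as SQL, so quotes and comment
    markers inside them stay inert and the query's structure cannot change.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Whitelist from the input-validation guidance: a length limit plus an
# allowed-character set that excludes every metacharacter listed above.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username):
    """Defence in depth alongside parameterization, not a replacement for it."""
    return USERNAME_RE.fullmatch(username) is not None


# Constructed attack inputs used in the checks below.
COMMENT_OUT = "alice' --"
ALWAYS_TRUE = "' OR '1'='1"
```

The least-privilege control from the text is the remaining piece: even the parameterized login should run as a database account that can only SELECT from the users table, so that any future injection bug elsewhere in the application cannot write or drop.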

LDAP injection is a variation of an input injection attack; however, the focus of the attack is on the backend of an LDAP directory service rather than a database server. If a web server front end uses a script to craft LDAP statements based on input from a user, then LDAP injection is potentially a threat. Just as with SQL injection, sanitization of input and defensive coding are essential to eliminate this threat.

XML injection is another variant of input injection, where the backend target is an XML application. Again, input sanitization is necessary to eliminate this threat.


Directory Traversal/Command Injection

A directory traversal is an attack that enables an attacker to jump out of the web root directory structure and into any other part of the filesystem hosted by the web server's host OS. A common, but historical, version of this attack was against IIS 4.0, hosted by Windows NT 4.0 Server. The attack used a modified URL to directory-traverse out of the web root, into the main OS folders, in order to access the command prompt executable. Here's an example:

http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+tftp+-i+get+exploit.exe

This URL includes an alternate encoding of the "change to parent directory" command, which is ../ in ASCII: %c0%af is an overlong UTF-8 encoding of the forward slash, which the server decoded into a path separator only after its ../ filter had already run. Notice also that it uses the metacharacter of percent (%). This URL not only performed directory traversal but also granted the attacker the ability to perform command injection. The example shows a command injection triggering a Trivial File Transfer Protocol (TFTP) Get operation to download an exploit tool onto the victim web server. Any command that could be executed under the privileges of the IIS service and be crafted within the limitations of a uniform resource locator (URL) could be used. The simplest payload of this kind merely performs a directory listing of the C: root, but with minor tweaking, TFTP commands could be used to download hacker tools to the target and subsequently launch those tools to grant greater remote control or true command shell access. This attack can be stopped with metacharacter escaping or filtering, provided the filter runs on the fully decoded path rather than on the raw request. Many modern web servers can be vulnerable to variations of this attack as new forms of alternate encoding of the change-to-parent command are crafted.
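A path-resolution check for the traversal just described, as an added example that is not code from the study guide or from any web server. It assumes a document root of /var/www/html (no file is actually opened) and constructs three request paths: the IIS-style overlong-encoded attack, a plain percent-encoded ../ traversal, and a legitimate page. The strict decoder refuses the overlong %c0%af bytes outright; the lenient decoder models the flawed server behaviour so the escape from the web root is visible; and the containment check collapses every . and .. before deciding, which is the ordering the IIS filter got wrong.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/var/www/html"   # assumed document root; nothing is read from disk


def decode_request_path(raw_path):
    """Percent-decode once and insist on strict UTF-8.

    %c0%af is an overlong two-byte encoding of '/'. A lenient decoder maps
    it to a path separator after a '../' filter has already run; Python's
    strict decoder rejects the byte sequence, so the request is refused.
    """
    try:
        return unquote_to_bytes(raw_path).decode("utf-8")
    except UnicodeDecodeError:
        return None


def lenient_decode(raw_path):
    """Model of the flawed behaviour: accept the overlong form as a slash."""
    raw = unquote_to_bytes(raw_path).replace(b"\xc0\xaf", b"/")
    return raw.decode("utf-8", errors="replace")


def naive_resolve(web_root, raw_path):
    """What the vulnerable server ends up opening: decode leniently, join,
    normalise, and never check that the result is still under the root."""
    decoded = lenient_decode(raw_path)
    return posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))


def resolve_under_root(web_root, raw_path):
    """Return the path to serve, or None if the request escapes the root.

    Order matters: decode fully, collapse every '.' and '..', and only then
    check containment. Filtering the raw string for '../' before decoding
    is exactly the mistake the IIS example exploited.
    """
    decoded = decode_request_path(raw_path)
    if decoded is None or "\x00" in decoded:
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed request paths (the path component only, before any '?').
ATTACK_OVERLONG = "/scripts/..%c0%af../..%c0%af../winnt/system32/cmd.exe"
ATTACK_PLAIN = "/scripts/%2e%2e/%2e%2e/etc/passwd"
LEGIT = "/docs/../index.html"
```

On a real server the final step is to open the returned path with the web server's own (unprivileged) account, so that even a check bypass yields only what that account can read.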

XML exploitation is a form of programming attack that is used to either falsify information being sent to a visitor or cause their system to give up information without authorization. One area of growing concern in regard to XML attacks is Security Assertion Markup Language (SAML). SAML abuses are often focused on web-based authentication. SAML is an XML-based convention for the organization and exchange of authentication and authorization details between security domains, often over web protocols. SAML is often used to provide a web-based SSO (single sign-on) solution. If an attacker can falsify SAML communications (for example, by altering an assertion whose signature the receiving service does not properly verify) or steal a visitor's access token, they may be able to bypass authentication and gain unauthorized access to a site.

Cross-site scripting (XSS) is a form of malicious code-injection attack in which an attacker gets their own script included in the content a web server sends to other visitors, so that the script runs in those visitors' browsers with the site's privileges. Compromising the server itself is not required; it is enough that the application reflects or stores attacker-supplied input without encoding it. Hackers have discovered numerous and ingenious methods for injecting malicious code into websites via Common Gateway Interface (CGI) scripts, web server software vulnerabilities, SQL injection attacks, frame exploitation, DNS redirects, cookie hijacks, and many other forms of attack. A successful XSS attack can result in identity theft, credential theft, data theft, financial losses, or the planting of remote-control software on visiting clients.

For the administrator of a website, defenses against XSS include maintaining a patched web server, using web application firewalls, operating a host-based intrusion detection system (HIDS), auditing for suspicious activity, and, most important, performing server-side input validation for length, malicious content, and metacharacter filtering, together with encoding every piece of user-supplied data for the HTML context in which it is output. As a web user, you can defend against XSS by keeping your system patched, running antivirus software, and avoiding nonmainstream websites. There are add-ons for some web browsers, such as NoScript for Firefox and uBlock Origin for Chrome, that allow only scripts of your choosing to be executed.
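The output-encoding side of that defense, as an added example that is not code from the study guide. The page fragments, the attack strings, and the function names are constructed for illustration; the encoding itself is Python's standard html.escape. The point the paragraph only states is that the right encoding depends on where the data lands: the same escape that neutralises a script tag in body text also stops a value from breaking out of a quoted attribute, but it does nothing against a javascript: URL in a link, which has to be rejected by scheme before encoding.

```python
import html
from urllib.parse import urlsplit

# Constructed attack inputs for the three contexts.
ATTACK_TEXT = "<script>alert(document.cookie)</script>"
ATTACK_ATTR = '" onfocus="alert(1)" autofocus="'
ATTACK_HREF = "javascript:alert(1)"


def render_unsafe(name):
    """Reflects the parameter verbatim into the page: the XSS bug."""
    return "<p>Hello, " + name + "</p>"


def render_text(name):
    """HTML body context: encode &, <, >, and both quote characters."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_attribute(value):
    """Quoted attribute context: the value must not be able to close the
    quote, so " becomes &quot; and the injected onfocus= stays inert text."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


def render_link(href, text):
    """Link context: refuse any scheme other than http(s) or a relative
    path, then encode for the attribute. HTML encoding alone leaves a
    javascript: URL fully functional, which is why the scheme check comes first."""
    scheme = urlsplit(href).scheme
    if scheme not in ("", "http", "https"):
        return None
    return ('<a href="' + html.escape(href, quote=True) + '">'
            + html.escape(text) + "</a>")
```

A templating engine that auto-escapes does the first two of these for you; the scheme check on links is the one you still have to write, because a URL is valid attribute text either way.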

Cross-site request forgery (XSRF) is an attack that is similar in nature to XSS. However, with XSRF, the attack is focused on the visiting user's web browser more than the website being visited. The main purpose of XSRF is to trick the user or the user's browser into performing actions they had not intended or would not have authorized. This could include logging out of a session, uploading a site cookie, changing account information, downloading account details, making a purchase, and so on. The attack works because the browser automatically attaches the victim's cookies to any request it sends to the site, including requests triggered by a page the attacker controls. One form of XSRF infects a victim's system with malware that stays dormant until a specific website is visited. Then the malware forges requests as the user in order to fool the web server and perform malicious actions against the web server and/or the client.

One such example of an exploit that used XSRF is Zeus, which would hide on a victim's system until the user visited their online bank site; then, after it checked their account balance and determined their bank account number, those details would be sent to the controlling attacker, who would initiate an ACH money transfer to another bank. Thus, this is an example of malware that assists in stealing money directly from the victim's account.

Website administrators can implement prevention measures against XSRF by requiring confirmations or reauthentication whenever a sensitive or risky action is requested by a connected client. This could include requiring the user to reenter their password, sending a code to the user via text message or email that must be provided back to the website, triggering a phone call–based verification, or solving a Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) (a mechanism to differentiate between humans and software robots). Another potential protection mechanism is to add a randomization string (called a nonce, or anti-CSRF token) to each URL request and session establishment and to check the client's HTTP Referer (or Origin) request header for spoofing. End users can form more secure habits, such as running anti-malware scanners; using an HIDS; running a firewall; avoiding nonmainstream websites; always logging off from sites instead of closing the browser, closing the tab, or moving on to another URL; keeping browsers patched; and clearing out temporary files and cached cookies regularly.
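The nonce-plus-header check from the previous paragraph, as an added example that is not code from the study guide. It assumes a site origin of https://bank.example, a server secret generated at start-up (in practice loaded from configuration), and constructed request headers and form fields; the token here is derived per session with an HMAC rather than stored per request, which is one common way to implement the nonce the text describes. A forged request from an attacker's page fails twice over: the browser does not expose the victim's token to that page, and the Origin header names the wrong site.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"     # assumed origin of the protected site
SERVER_SECRET = secrets.token_bytes(32)  # assumed: loaded from config in production


def csrf_token(session_id):
    """Derive the per-session anti-CSRF token from a server secret.

    An attacker's page cannot read it (the same-origin policy keeps the
    victim's page content private) and cannot compute it (no secret), so a
    forged request arrives without a valid token.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """Accept only if Origin (preferred) or Referer names this site.

    Browsers set these headers themselves; a cross-site page cannot forge them.
    A missing header is treated as a failure rather than as a pass.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def authorize_state_change(session_id, headers, form):
    """Gate for any request that changes state (transfer, profile edit, logout)."""
    supplied = form.get("csrf_token", "")
    expected = csrf_token(session_id)
    # compare_digest avoids leaking how many leading characters matched.
    token_ok = hmac.compare_digest(supplied.encode(), expected.encode())
    return token_ok and same_origin(headers)


# Constructed requests: the legitimate form post and a forged cross-site post.
SESSION = "session-123"
GENUINE_HEADERS = {"Origin": "https://bank.example"}
FORGED_HEADERS = {"Origin": "https://evil.example"}
```

The reauthentication step the text lists first still belongs in front of the highest-value actions (such as the ACH transfer in the Zeus example); the token stops a forged request, but it cannot help once malware is running inside the victim's browser session.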

Additional coverage of XSS and XSRF can be found in Chapter 21, "Malicious Code and Application Attacks."

Assess and Mitigate Vulnerabilities in Mobile Systems

Smartphones and other mobile devices present an ever-increasing security risk as they become more and more capable of interacting with the internet as well as corporate networks. When personally owned devices are allowed to enter and leave a secured facility without limitation, oversight, or control, the potential for harm is significant.

Malicious insiders can bring in malicious code from outside on various storage devices, including mobile phones, audio players, digital cameras, memory cards, optical discs, and Universal Serial Bus (USB) drives. These same storage devices can be used to leak or steal internal confidential and private data in order to disclose it to the outside world. (Where do you think most of the content on WikiLeaks comes from?) Malicious insiders can execute malicious code, visit dangerous websites, or intentionally perform harmful activities.

A device owned by an individual can be referenced using any of these terms: portable device, mobile device, personal mobile device (PMD), personal electronic device or portable electronic device (PED), and personally owned device (POD).

Mobile devices often contain sensitive data such as contacts, text messages, email, and possibly notes and documents. Any mobile device with a camera feature can take photographs of sensitive information or locations. The loss or theft of a mobile device could mean the compromise of personal and/or corporate secrets.

Mobile devices are common targets of hackers and malicious code. It's important to keep nonessential information off portable devices, run a firewall and antivirus product (if available), and keep the system locked and/or encrypted (if possible).

Many mobile devices also support USB connections to perform synchronization of communications and contacts with desktop and/or notebook computers as well as the transfer of files, documents, music, video, and so on.

Additionally, mobile devices aren't immune to eavesdropping. With the right type of sophisticated equipment, most mobile phone conversations can be tapped into, not to mention the fact that anyone within 15 feet can hear you talking. Be careful what you discuss over a mobile phone, especially when you're in a public place.

A wide range of security features are available on mobile devices. However, support for a feature isn't the same thing as having a feature properly configured and enabled. A security benefit is gained only when the security function is in force. Be sure to check that all desired security features are operating as expected on your device.


Android

Android is a mobile device OS based on the Linux kernel; the company that created it was acquired by Google in 2005. In 2008, the first devices hosting Android were made available to the public. The Android source code is made open source through the Apache license, but most devices also include proprietary software. Although it's mostly intended for use on phones and tablets, Android is being used on a wide range of devices, including televisions, game consoles, digital cameras, microwaves, watches, e-readers, cordless phones, and ski goggles.

The use of Android in phones and tablets allows for a wide range of user customization: you can install both Google Play Store apps as well as apps from unknown external sources (such as Amazon's App Store), and many devices support the replacement of the default version of Android with a customized or alternate version. However, when Android is used on other devices, it can be implemented as something closer to a static system.

Whether static or not, Android has numerous security vulnerabilities. These include exposure to malicious apps, running scripts from malicious websites, and allowing insecure data transmissions. Android devices can often be rooted (breaking their security and access limitations) in order to grant the user full root-level access to the device's low-level configuration settings. Rooting increases a device's security risk, because it defeats the platform's sandboxing and integrity protections: any app that can reach the root-granting mechanism can then run with full privileges rather than inside its own confined process.

Improvements are made to Android security as new updates are released. Users can adjust numerous configuration settings to reduce vulnerabilities and risks. Also, users may be able to install apps that add additional security features to the platform.

iOS

iOS is the mobile device OS from Apple that is available on the iPhone, iPad, and Apple TV. iOS isn't licensed for use on any non-Apple hardware. Thus, Apple is in full control of the features and capabilities of iOS. However, iOS is not an example of a static environment, because users can install any of over two million apps from the Apple App Store. Also, it's often possible to jailbreak iOS (breaking Apple's security and access restrictions), allowing users to install apps from third parties and gain greater control over low-level settings. Jailbreaking an iOS device reduces its security and exposes the device to potential compromise. Users can adjust device settings to increase an iOS device's security and install many apps that can add security features.

Device Security

Device security is the range of potential security options or features that may be available for a mobile device. Not all portable electronic devices (PEDs) have good security features. But even if devices have security features, they're of no value unless they're enabled and properly configured. Be sure to consider the security options of a new device before you make a purchase decision.

Full Device Encryption

Some mobile devices, including portable computers, tablets, and mobile phones, may offer device encryption. If most or all the storage media of a device can be encrypted, this is usually a worthwhile feature to enable. However, encryption isn't a guarantee of protection for data, especially if the device is stolen while unlocked or if the system itself has a known backdoor attack vulnerability.

Voice en cryp tion may be pos si ble on mo bile de vices when Voice over In ter net Pro to col (VoIP) ser vices are used. VoIP ser vice be tween com puter-like de vices is more likely to of fer an en cryp tion op tion than VoIP con nec tions to a tra di tional land line phone or typ i cal mo bile phone. When a voice con ver sa tion is en crypted, eaves drop ping be comes worth less be cause the con tents of the con ver sa tion are un de ci pher able.

Re mote Wip ing

It’s be com ing com mon for a re mote wipe or re mote san i ta tion to be per formed if a de vice is lost or stolen. A re mote wipe lets you delete all data and pos si bly even con fig u ra tion set tings from a de vice re motely. The wipe process can be trig gered over mo bile phone ser vice or some times over any in ter net con nec tion. How ever, a re mote wipe isn’t a guar an tee of data se cu rity. Thieves may be smart enough to pre vent con nec tions that would trig ger the wipe func tion while they dump out the data. Ad di tion ally, a re mote wipe is mostly a dele tion op er a tion. The use of an un delete or data re cov ery util ity can of ten re cover data on a wiped de vice. To en sure that a re mote wipe de stroys data be yond re cov ery, the de vice should be en crypted. Thus, the un delete op er a tion would only be re cov er ing en crypted data, which the at tacker would be un able to de ci pher.
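The difference between a plain deletion and a wipe of an encrypted device can be shown in a few lines of Python. The following is an added example, not code from the book or from any mobile OS: a toy block store stands in for the device's flash, and a toy HMAC-SHA256 counter-mode stream cipher stands in for the device's real storage encryption (AES on a real phone). The sample record is constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample record that a thief would want to recover.
SAMPLE_SECRET = b"patient J. Doe, MRN 1234"

BLOCK = 32   # keystream block size of the toy cipher (SHA-256 digest length)


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.
    Stands in for AES-based storage encryption; the property that matters here
    is the same: without the key the output is indistinguishable from noise."""
    out = bytearray()
    for ctr in range((len(data) + BLOCK - 1) // BLOCK):
        pad = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[ctr * BLOCK:(ctr + 1) * BLOCK]
        out += bytes(a ^ b for a, b in zip(chunk, pad))
    return bytes(out)


class FlashStore:
    """Toy storage medium. A quick wipe only clears the allocation table, as a
    fast 'delete' does; the cell contents remain until they are overwritten."""

    def __init__(self, cells=8):
        self.cells = [b""] * cells
        self.allocated = set()

    def write(self, index, data):
        self.cells[index] = data
        self.allocated.add(index)

    def quick_wipe(self):
        self.allocated.clear()

    def undelete(self):
        """What a recovery utility sees: raw bytes of every unallocated cell."""
        return [c for i, c in enumerate(self.cells) if i not in self.allocated and c]


class Device:
    def __init__(self, encrypted):
        self.store = FlashStore()
        self.encrypted = encrypted
        # Per-device data key from the OS CSPRNG; on a real phone it lives in
        # hardware-backed key storage and is released only after unlock.
        self.key = secrets.token_bytes(32)

    def _nonce(self, index):
        # Cell index as the nonce: safe here only because each cell is written
        # once; a real design must never reuse a nonce under the same key.
        return index.to_bytes(4, "big")

    def save(self, index, plaintext):
        if self.encrypted:
            self.store.write(index, keystream_xor(self.key, self._nonce(index), plaintext))
        else:
            self.store.write(index, plaintext)

    def read(self, index):
        raw = self.store.cells[index]
        return keystream_xor(self.key, self._nonce(index), raw) if self.encrypted else raw

    def remote_wipe(self):
        self.store.quick_wipe()   # the fast part every wipe does
        self.key = None           # crypto-erase: ciphertext is now unrecoverable


def secret_recoverable_after_wipe(encrypted):
    """Save the record, wipe, then run 'undelete' and look for the plaintext."""
    dev = Device(encrypted)
    dev.save(0, SAMPLE_SECRET)
    assert dev.read(0) == SAMPLE_SECRET          # normal use still works
    dev.remote_wipe()
    return any(SAMPLE_SECRET in cell for cell in dev.store.undelete())


if __name__ == "__main__":
    print("plain device, secret recoverable after wipe:", secret_recoverable_after_wipe(False))
    print("encrypted device, secret recoverable after wipe:", secret_recoverable_after_wipe(True))
```

The unencrypted device gives the record back to the undelete pass; on the encrypted device the same pass returns ciphertext only, and the key it needed was the one thing the wipe destroyed.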

Lockout

Lockout on a mobile device is similar to account lockout on a company workstation. When a user fails to provide valid credentials after repeated attempts, the account or device is disabled (locked out) for a period of time or until an administrator clears the lockout flag.

Mobile devices may offer a lockout feature, but it is in use only if a screen lock has been configured. Otherwise, a simple screen swipe to access the device doesn't provide sufficient security, because no authentication process occurs. Some devices trigger ever longer delays between access attempts as the number of authentication failures grows. Some devices allow a set number of attempts (such as three) before triggering a lockout that lasts minutes. Other devices trigger a persistent lockout and require the use of a different account or a master password/code to regain access to the device; some can be configured to erase the device after a set number of failures.
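The escalating-delay and persistent-lockout behaviours just described, as an added Python example (not code from the book or from any vendor's implementation). The attempt limits and delays are assumptions chosen for illustration, the PIN is a constructed value, and the clock is injected so the state machine can be exercised without sleeping.

```python
import hashlib
import hmac
import time


def pin_checker(pin):
    """Return a constant-time verifier for pin. A real device binds the PIN to a
    hardware-backed key; a bare hash is used here only to keep the example small."""
    reference = hashlib.sha256(pin.encode()).digest()

    def check(candidate):
        return hmac.compare_digest(hashlib.sha256(candidate.encode()).digest(), reference)

    return check


class LockoutPolicy:
    """The first free_attempts failures are answered immediately; from then on each
    failure doubles the wait (base_delay, 2*base_delay, ...); at max_attempts the
    device locks persistently (a device configured to erase would do so here)."""

    def __init__(self, check, free_attempts=5, base_delay=60, max_attempts=10,
                 clock=time.monotonic):
        self.check = check
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_attempts = max_attempts
        self.clock = clock
        self.failures = 0
        self.not_before = 0.0     # earliest time the next attempt is accepted
        self.locked = False

    def attempt(self, candidate):
        if self.locked:
            return "locked"
        now = self.clock()
        if now < self.not_before:
            # Correct or not, the attempt is refused inside the delay window;
            # that refusal is what makes online guessing slow.
            return "wait %ds" % (self.not_before - now)
        if self.check(candidate):
            self.failures = 0
            self.not_before = 0.0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
            return "locked"
        if self.failures >= self.free_attempts:
            backoff = self.base_delay * 2 ** (self.failures - self.free_attempts)
            self.not_before = now + backoff
        return "denied"


class FakeClock:
    """Controllable clock for tests and demos."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    policy = LockoutPolicy(pin_checker("4821"), clock=clock)   # constructed PIN
    log = []
    for guess in ["0000", "1111", "2222", "3333", "4444", "4821"]:
        log.append(policy.attempt(guess))   # five denials, then the right PIN is refused
    clock.advance(61)
    log.append(policy.attempt("4821"))      # accepted once the delay has elapsed
    return log


if __name__ == "__main__":
    print(demo())   # ['denied', 'denied', 'denied', 'denied', 'denied', 'wait 60s', 'ok']
```

Note that the correct PIN is refused during the back-off window; a policy that only checks the secret and sleeps on failure can be bypassed by a client that simply does not wait.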

Screen Locks

A screen lock is designed to prevent someone from casually picking up and being able to use your phone or mobile device. However, most screen locks can be unlocked by swiping a pattern or typing a number on a keypad display. Neither of these is a truly secure operation. Screen locks may have workarounds, such as accessing the phone application through the emergency calling feature. And a screen lock doesn't necessarily protect the device if an attacker connects to it over Bluetooth, wireless, or a USB cable.

Screen locks are often triggered after a timeout period of nonuse. Most PCs auto-trigger a password-protected screen saver if the system is left idle for a few minutes. Similarly, many tablets and mobile phones trigger a screen lock and dim or turn off the display after 30 to 60 seconds. The lockout feature ensures that if you leave your device unattended or it is lost or stolen, it will be difficult for anyone else to access your data or applications. To unlock the device, you must enter a password, code, or PIN; draw a pattern; offer your eye or face for recognition; scan your fingerprint; or use a proximity device such as a near-field communication (NFC) or radio-frequency identification (RFID) ring or tile.

Near field communication (NFC) is a standard to establish radio communications between devices in close proximity. It lets you perform a type of automatic synchronization and association between devices by touching them together or bringing them within inches of each other. NFC is commonly found on smartphones and many mobile device accessories. It is often used to perform device-to-device data exchanges, set up direct communications, or access more complex services such as Wi-Fi Protected Access 2 (WPA2) encrypted wireless networks by linking with the wireless access point via NFC. Because NFC is a radio-based technology, it isn't without its vulnerabilities. NFC attacks can include man-in-the-middle, eavesdropping, data manipulation, and replay attacks.

GPS

Many mobile devices include a Global Positioning System (GPS) chip to support and benefit from localized services, such as navigation, so it is possible to track those devices. The GPS chip itself is usually just a receiver of signals from orbiting GPS satellites. However, applications on the mobile device can record the GPS location of the device and then report it to an online service. You can use GPS tracking to monitor your own movements, track the movements of others (such as minors or delivery personnel), or track down a stolen device. But for GPS tracking to work, the mobile device must have internet or wireless phone service over which to communicate its location information.

Application Control

Application control is a device-management solution that limits which applications can be installed onto a device. It can also be used to force specific applications to be installed or to enforce the settings of certain applications, in order to support a security baseline or maintain other forms of compliance. Using application control can often reduce exposure to malicious applications by limiting the user's ability to install apps that come from unknown sources or that offer non-work-related features.

Storage Segmentation

Storage segmentation is used to artificially compartmentalize various types or values of data on a storage medium. On a mobile device, the device manufacturer and/or the service provider may use storage segmentation to isolate the device's OS and preinstalled apps from user-installed apps and user data. Some mobile device management systems further impose storage segmentation in order to separate company data and apps from user data and apps.

Asset Tracking

Asset tracking is the management process used to maintain oversight over an inventory, such as deployed mobile devices. An asset-tracking system can be passive or active. Passive systems rely on the asset itself to check in with the management service on a regular basis, or the device is detected as being present in the office each time the employee arrives at work. An active system uses a polling or pushing technology to send out queries to devices in order to elicit a response.

You can use asset tracking to verify that a device is still in the possession of the assigned authorized user. Some asset-tracking solutions can locate missing or stolen devices.

Some asset-tracking solutions expand beyond hardware inventory management and can oversee the installed apps, app usage, stored data, and data access on a device. You can use this type of monitoring to verify compliance with security guidelines or check for exposure of confidential information to unauthorized entities.

Inventory Control

The term inventory control may describe hardware asset tracking (as discussed in the previous topic). However, it can also refer to the concept of using a mobile device as a means of tracking inventory in a warehouse or storage cabinet. Most mobile devices have a camera. Using a mobile device camera, apps that can take photos or scan barcodes can be used to track physical goods. Those mobile devices with RFID or NFC capabilities may be able to interact with objects or their containers that have been electronically tagged.

Mobile Device Management

Mobile device management (MDM) is a software solution to the challenging task of managing the myriad mobile devices that employees use to access company resources. The goals of MDM are to improve security, provide monitoring, enable remote management, and support troubleshooting. Many MDM solutions support a wide range of devices and can operate across many service providers. You can use MDM to push or remove apps, manage data, and enforce configuration settings both over the air (across a carrier network) and over Wi-Fi connections. MDM can be used to manage company-owned devices as well as personally owned devices (such as in a bring your own device [BYOD] environment).

Device Access Control

A strong password would be a great idea on a phone or other mobile device if locking the phone provided true security. But many mobile devices aren't secure, so even with a strong password, the device may still be accessible over Bluetooth, wireless, or a USB cable. If a specific mobile device blocks data access over those connections while the system lock is engaged, this is a worthwhile feature to set to trigger automatically after a period of inactivity or on manual initiation. This benefit is usually obtained when you enable both a device password and storage encryption, because the data then remains encrypted until the user authenticates.

You should consider any means that reduces unauthorized access to a mobile device. Many MDM solutions can force screen-lock configuration and prevent a user from disabling the feature.

Removable Storage

Many mobile devices support removable storage. Some devices support microSD cards, which can be used to expand available storage on a mobile device. However, many mobile phones require the removal of a back plate and sometimes removal of the battery in order to add or remove a storage card. Larger mobile phones, tablets, and notebook computers may support an easily accessible card slot on the side of the device. Removable media is easy to lose or to pull from a device, so it should be encrypted or excluded from holding business data.

Many mobile devices also support external USB storage devices, such as flash drives and external hard drives. These may require a special on-the-go (OTG) cable.

In addition, there are mobile storage devices that can provide Bluetooth- or Wi-Fi-based access to stored data through an on-board wireless interface.

Disabling Unused Features

Although enabling security features is essential for them to have any beneficial effect, it is just as important to remove apps and disable features that aren't essential to business tasks or common personal use. The wider the range of enabled features and installed apps, the greater the chance that an exploit or software flaw will cause harm to the device and/or the data it contains. Following common security practices, such as hardening, reduces the attack surface of mobile devices.

Application Security

In addition to managing the security of mobile devices, you also need to focus on the applications and functions used on those devices. Most of the software security concerns on desktop or notebook systems apply to mobile devices just as much as common-sense security practices do.

Key Management

Key management is always a concern when cryptography is involved. Most of the failures of a cryptosystem are caused by key management rather than by the algorithms. Good key selection depends on the quality and availability of random numbers: keys must come from a cryptographically secure random number generator (CSPRNG), such as the one the device OS provides, never from a general-purpose pseudorandom generator seeded from the clock, whose output an attacker can reproduce. Older mobile devices had to rely on poor local random-number sources or fetch randomness from more robust random number generators (RNGs) over a wireless link. Once keys are created, they need to be stored in such a way as to minimize exposure to loss or compromise. The best option for key storage is removable hardware or a dedicated security chip such as a Trusted Platform Module (TPM). Discrete TPMs are rare on phones and tablets, but modern devices provide an equivalent in the form of hardware-backed key storage (for example, Apple's Secure Enclave and the Android hardware-backed Keystore), which should be used whenever it is available.

Credential Management

The storage of credentials in a central location is referred to as credential management. Given the wide range of internet sites and services, each with its own particular logon requirements, it can be a burden to use unique names and passwords. Credential management solutions offer a means to securely store a plethora of credential sets. Often these tools employ a master credential set (multifactor being preferred) to unlock the dataset when needed. Some credential management options can even provide auto-login for apps and websites.

Authentication

Authentication on or to a mobile device is often fairly simple, especially for mobile phones and tablets. However, swipe or pattern access shouldn't be considered true authentication. Whenever possible, use a password, provide a personal identification number (PIN), offer your eye or face for recognition, scan your fingerprint, or use a proximity device such as an NFC or RFID ring or tile. These means of device authentication are much more difficult for a thief to bypass if properly implemented. As mentioned previously, it is also prudent to combine device authentication with device encryption to block access to stored information via a connection cable.

Geotagging

Mobile devices with GPS support enable the embedding of geographical location, in the form of latitude and longitude, as well as date/time information in the metadata (EXIF) of photos taken with these devices. This allows a would-be attacker (or angry ex) to view photos from social networking or similar sites and determine exactly when and where a photo was taken. Geotagging can be used for nefarious purposes, such as determining when a person normally performs routine activities.

Once a geotagged photo has been uploaded to the internet, a potential cyber-stalker may have access to more information than the uploader intended. This is prime material for security-awareness briefs for end users. Disabling location tagging in the camera app, or stripping the metadata before upload, removes the exposure.
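Where the coordinates actually live in a photo, and what stripping them means, as an added Python example (not from the book). It builds a minimal EXIF/TIFF metadata block with a GPS sub-IFD from constructed coordinates, reads latitude and longitude back the way a stalker's tool would, and blanks the GPS sub-IFD. The tag numbers and layout are from the TIFF 6.0 and EXIF specifications; the image data itself is constructed, not a real photo.

```python
import struct

# Tags and field types from the TIFF 6.0 / EXIF specifications.
TAG_GPS_IFD = 0x8825                 # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT = 0x0001, 0x0002
TAG_LON_REF, TAG_LON = 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _rationals(dms):
    """Degrees, minutes, seconds as three RATIONALs (numerator, denominator)."""
    deg, minute, sec = dms
    return struct.pack("<6I", deg, 1, minute, 1, int(round(sec * 100)), 100)


def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a little-endian TIFF block: header -> IFD0 -> GPS IFD -> rationals."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4            # IFD0: count, one entry, next-IFD link
    lat_off = gps_off + 2 + 4 * 12 + 4         # rationals follow the four GPS entries
    lon_off = lat_off + 24
    header = b"II" + struct.pack("<HI", 42, ifd0_off)
    ifd0 = struct.pack("<H", 1)
    ifd0 += struct.pack("<HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_off)
    ifd0 += struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", TAG_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\0\0\0")
    gps += struct.pack("<HHII", TAG_LAT, TYPE_RATIONAL, 3, lat_off)
    gps += struct.pack("<HHI4s", TAG_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\0\0\0")
    gps += struct.pack("<HHII", TAG_LON, TYPE_RATIONAL, 3, lon_off)
    gps += struct.pack("<I", 0)
    return header + ifd0 + gps + _rationals(lat_dms) + _rationals(lon_dms)


def _endian(blob):
    return "<" if blob[:2] == b"II" else ">"


def _read_ifd(blob, off, e):
    """Return {tag: (type, count, 4-byte value/offset field)} for the IFD at off."""
    (n,) = struct.unpack_from(e + "H", blob, off)
    entries = {}
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack_from(e + "HHI", blob, base)
        entries[tag] = (typ, cnt, blob[base + 8:base + 12])
    return entries


def _gps_ifd_offset(blob):
    e = _endian(blob)
    magic, ifd0_off = struct.unpack_from(e + "HI", blob, 2)
    if magic != 42:
        raise ValueError("not a TIFF/EXIF header")
    ifd0 = _read_ifd(blob, ifd0_off, e)
    if TAG_GPS_IFD not in ifd0:
        return None
    return struct.unpack_from(e + "I", ifd0[TAG_GPS_IFD][2])[0]


def _dms_to_decimal(blob, e, field):
    (off,) = struct.unpack_from(e + "I", field)     # three RATIONALs never fit inline
    v = struct.unpack_from(e + "6I", blob, off)
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600


def extract_gps(blob):
    """(lat, lon) in decimal degrees, or None if the image carries no GPS data."""
    gps_off = _gps_ifd_offset(blob)
    if gps_off is None:
        return None
    e = _endian(blob)
    gps = _read_ifd(blob, gps_off, e)
    if not {TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON}.issubset(gps):
        return None
    lat = _dms_to_decimal(blob, e, gps[TAG_LAT][2])
    lon = _dms_to_decimal(blob, e, gps[TAG_LON][2])
    if gps[TAG_LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[TAG_LON_REF][2][:1] == b"W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


def strip_gps(blob):
    """Blank the GPS sub-IFD in place (entry count -> 0). Nothing moves, so every
    other offset in the file stays valid; zeroing the rational bytes too is optional."""
    gps_off = _gps_ifd_offset(blob)
    out = bytearray(blob)
    if gps_off is not None:
        struct.pack_into(_endian(blob) + "H", out, gps_off, 0)
    return bytes(out)


# Constructed sample coordinates: 38 deg 53' 23.0" N, 77 deg 0' 32.0" W.
SAMPLE_EXIF = build_sample_exif((38, 53, 23.0), "N", (77, 0, 32.0), "W")

if __name__ == "__main__":
    print("tagged  :", extract_gps(SAMPLE_EXIF))              # (38.889722, -77.008889)
    print("stripped:", extract_gps(strip_gps(SAMPLE_EXIF)))   # None
```

Real JPEGs wrap this TIFF block inside an APP1 segment after a six-byte "Exif\0\0" prefix, and big-endian ("MM") files are common; the parser above handles the byte order but expects to be handed the TIFF block itself.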

Encryption

Encryption is often a useful protection mechanism against unauthorized access to data, whether in storage or in transit. Most mobile devices provide some form of storage encryption. When this is available, it should be enabled. Some mobile devices offer native support for communications encryption, but most can run add-on software (apps) that adds encryption to data sessions, voice calls, and/or video conferences.

Application Whitelisting

Application whitelisting (also called allowlisting) is a security option that prohibits unauthorized software from executing. Whitelisting is also known as deny by default or implicit deny. In application security, whitelisting prevents any and all software, including malware, from executing unless it is on the preapproved exception list: the whitelist. This is a significant departure from the typical device-security stance, which is to allow by default and deny by exception (also known as blacklisting or blocklisting).

Due to the growth of malware, an application whitelisting approach is one of the few options remaining that shows real promise in protecting devices and data. However, no security solution is perfect, including whitelisting. All known whitelisting solutions can be circumvented by kernel-level vulnerabilities and application configuration issues, for example an approved application that itself loads and executes unapproved code.
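Deny by default versus allow by default, as an added Python example (not from the book or from any MDM product). The app packages are constructed byte strings standing in for real installers, identified by SHA-256 hash the way hash-based allowlists identify executables; what it adds to the paragraph is the outcome for an app nobody has reviewed, for a tampered copy of an approved app, and for malware renamed to an approved file name.

```python
import hashlib

# Constructed stand-ins for app packages (a real tool hashes the installer bytes).
PACKAGES = {
    "mail.apk": b"corp mail client v3.2",
    "expenses.apk": b"expense reporting v1.0",
    "flashlight.apk": b"free flashlight, bundles an ad SDK",   # never reviewed by IT
    "dropper.apk": b"known malware sample",                     # already on the blocklist
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Allowlist: what IT approved. Everything else is implicitly denied.
ALLOWLIST = {sha256(PACKAGES["mail.apk"]), sha256(PACKAGES["expenses.apk"])}
# Blocklist: what is already known to be bad. Everything else is implicitly allowed.
BLOCKLIST = {sha256(PACKAGES["dropper.apk"])}


def allowlist_decision(package):
    return "allow" if sha256(package) in ALLOWLIST else "deny"


def blocklist_decision(package):
    return "deny" if sha256(package) in BLOCKLIST else "allow"


def evaluate(candidates):
    """Run both stances over a set of packages: {name: (allowlist, blocklist)}."""
    return {name: (allowlist_decision(pkg), blocklist_decision(pkg))
            for name, pkg in candidates.items()}


def demo():
    candidates = dict(PACKAGES)
    # An attacker trojanizes the approved mail client: the bytes differ, so the hash differs.
    candidates["mail.apk (tampered)"] = PACKAGES["mail.apk"] + b"\x00malicious payload"
    # Renaming malware to an approved file name changes nothing: decisions are by hash.
    candidates["mail.apk (really dropper)"] = PACKAGES["dropper.apk"]
    return evaluate(candidates)


if __name__ == "__main__":
    for name, (by_allowlist, by_blocklist) in demo().items():
        print(f"{name:26s} allowlist={by_allowlist:5s} blocklist={by_blocklist}")
```

The two stances agree on the approved apps and on the known sample; they part ways on the never-seen flashlight app and on the tampered mail client, which the blocklist waves through because it has no signature for them yet. Hash-based lists also show the maintenance cost of allowlisting: every legitimate update changes the hash, which is why production systems usually allow by publisher signature rather than by individual hash.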

BYOD Concerns

Bring your own device (BYOD) is a policy that allows employees to bring their own personal mobile devices into work and use those devices to connect to (or through) the company network to business resources and/or the internet. Although BYOD may improve employee morale and job satisfaction, it increases security risk to the organization. If the BYOD policy is open-ended, any device is allowed to connect to the company network. Not all mobile devices have security features, and thus such a policy allows noncompliant devices onto the production network. A BYOD policy that mandates specific devices may reduce this risk, but it may in turn require the company to purchase devices for employees who are unable to purchase their own compliant device. Many other BYOD concerns are discussed in the following sections.

There are several alternatives to a BYOD policy, including COPE, CYOD, corporate owned, and VDI.

The concept of company-owned, personally enabled (COPE) is for the organization to purchase devices and provide them to employees. Each user is then able to customize the device and use it for both work activities and personal activities. COPE allows the organization to select exactly which devices are allowed on the organizational network, specifically only those devices that can be configured into compliance with the security policy.

The concept of choose your own device (CYOD) provides users with a list of approved devices from which to select the device to implement. CYOD can be implemented so that employees purchase their own devices from the approved list (a BYOD variant) or the company purchases the devices for the employees (a COPE variant).

A corporate-owned mobile strategy is when the company purchases mobile devices that can support compliance with the security policy. These devices are to be used exclusively for company purposes, and users should not perform any personal tasks on them. This often requires workers to carry a second device for personal use.

Virtual desktop infrastructure (VDI) is a means to reduce the security risk and performance requirements of end devices by hosting virtual machines on central servers that are remotely accessed by users. VDI has been adopted for mobile devices and has already been widely used with tablets and notebook computers. It is a means to retain storage control on central servers, gain access to higher levels of system processing and other resources, and allow lower-end devices access to software and services beyond their hardware's capacity.

This has led to virtual mobile infrastructure (VMI), where the operating system of a mobile device is virtualized on a central server. Thus, most of the actions and activities of the traditional mobile device are no longer occurring on the mobile device itself. This remote virtualization allows an organization greater control and security than when using a standard mobile device platform. It can also enable personally owned devices to interact with the VDI without increasing the risk profile. This concept requires a dedicated, isolated wireless network to restrict BYOD devices from interacting directly with company resources other than through the VDI solution.

Users need to understand the benefits, restrictions, and consequences of using their own devices at work. Reading and signing off on the BYOD, COPE, CYOD, etc., policy, along with attending an overview or training program, may be sufficient to accomplish reasonable awareness.

Data Ownership

When a personal device is used for business tasks, commingling of personal data and business data is likely to occur. Some devices can support storage segmentation, but not all devices can provide data-type isolation. Establishing data ownership can be complicated. For example, if a device is lost or stolen, the company may wish to trigger a remote wipe, clearing the device of all valuable information. However, the employee will often be resistant to this, especially if there is any hope that the device will be found or returned. A wipe may remove all business and personal data, which may be a significant loss to the individual, especially if the device is recovered, because then the wipe would seem to have been an overreaction. Clear policies about data ownership should be established. Some MDM solutions can provide data isolation/segmentation and support business data sanitization without affecting personal data.

The mobile device policy regarding data ownership should address backups for mobile devices. Business data and personal data should be protected by a backup solution, either a single solution for all data on the device or separate solutions for each type or class of data. This reduces the risk of data loss in the event of a remote-wipe event as well as device failure or damage.

Support Ownership

When an employee's mobile device experiences a failure, a fault, or damage, who is responsible for the device's repair, replacement, or technical support? The mobile device policy should define what support will be provided by the company and what support is left to the individual and, if relevant, their service provider.

Patch Management

The mobile device policy should define the means and mechanisms of patch management for a personally owned mobile device. Is the user responsible for installing updates? Should the user install all available updates? Should the organization test updates prior to on-device installation? Are updates to be handled over the air (via service provider) or over Wi-Fi? Are there versions of the mobile OS that cannot be used? What patch or update level is required?

Antivirus Management

The mobile device policy should dictate whether antivirus, anti-malware, and antispyware scanners are to be installed on mobile devices. The policy should indicate which products/apps are recommended for use, as well as the settings for those solutions.

Forensics

The mobile device policy should address forensics and investigations as related to mobile devices. Users need to be aware that in the event of a security violation or a criminal activity, their devices might be involved. This would mandate gathering evidence from those devices. Some processes of evidence gathering can be destructive, and some legal investigations require the confiscation of devices.

Privacy

The mobile device policy should address privacy and monitoring. When a personal device is used for business tasks, the user often loses some or all of the privacy they enjoyed prior to using their mobile device at work. Workers may need to agree to be tracked and monitored on their mobile device, even when not on company property and outside work hours. A personal device in use under BYOD should be considered by the individual to be quasi-company property.

On-boarding/Off-boarding

The mobile device policy should address personal mobile device on-boarding and off-boarding procedures. Mobile device on-boarding includes installing security, management, and productivity apps along with implementing secure and productive configuration settings. Mobile device off-boarding includes a formal wipe of the business data along with the removal of any business-specific applications. In some cases, a full device wipe and factory reset may be prescribed.

Adherence to Corporate Policies

A mobile device policy should clearly indicate that using a personal mobile device for business activities doesn't exclude a worker from adhering to corporate policies. A worker should treat mobile device equipment as company property and thus stay in compliance with all restrictions, even when off premises and off hours.

User Acceptance

A mobile device policy needs to be clear and specific about all the elements of using a personal device at work. For many users, the restrictions, security settings, and MDM tracking implemented under company policy will be much more onerous than they expect. Thus, organizations should make the effort to fully explain the details of a mobile device policy prior to allowing a personal device into the production environment. Only after an employee has expressed consent and acceptance, typically through a signature, should their device be on-boarded.

Architecture/Infrastructure Considerations

When implementing mobile device policies, organizations should evaluate their network and security design, architecture, and infrastructure. If every worker brings in a personal device, the number of devices on the network may double. This requires planning to handle IP assignments, communications isolation, data-priority management, and increased intrusion detection system (IDS)/intrusion prevention system (IPS) monitoring load, as well as increased bandwidth consumption, both internally and across any internet link. Most mobile devices are wireless enabled, so this will likely require a more robust wireless network and dealing with Wi-Fi congestion and interference. A mobile device policy needs to be considered in light of the additional infrastructure costs it will trigger.

Legal Concerns

Company attorneys should evaluate the legal concerns of mobile devices. Using personal devices in the execution of business tasks probably means an increased burden of liability and risk of data leakage. Mobile devices may make employees happy, but it might not be a worthwhile or cost-effective endeavor for the organization.

Acceptable Use Policy

The mobile device policy should either reference the company acceptable use policy or include a mobile device-specific version focusing on unique issues. With the use of personal mobile devices at work, there is an increased risk of information disclosure, distraction, and access of inappropriate content. Workers should remain mindful that the primary goal when at work is to accomplish productivity tasks.

On-board Camera/Video

The mobile device policy needs to address mobile devices with on-board cameras. Some environments disallow cameras of any type. This would require that mobile devices be without a camera. If cameras are allowed, a description of when they may and may not be used should be clearly documented and explained to workers. A mobile device can act as a storage device, provide an alternate wireless connection pathway to an outside provider or service, and also be used to collect images and video that disclose confidential information or equipment.

Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems

An embedded system is a computer implemented as part of a larger system. The embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it is a component. It may consist of the same components found in a typical computer system, or it may be a microcontroller (an integrated chip with on-board memory and peripheral ports). Examples of embedded systems include network-attached printers, smart TVs, HVAC controls, smart appliances, smart thermostats, vehicle entertainment/driver assist/self-driving systems, and medical devices.

Another concept similar to that of embedded systems is static systems (aka static environments). A static environment is a set of conditions, events, and surroundings that don't change. In theory, once understood, a static environment doesn't offer new or surprising elements. A static IT environment is any system that is intended to remain unchanged by users and administrators. The goal is to prevent, or at least reduce, the possibility of a user implementing change that could result in reduced security or functional operation.

In technology, static environments are applications, OSs, hardware sets, or networks that are configured for a specific need, capability, or function, and then set to remain unaltered. However, although the term static is used, there are no truly static systems. There is always the chance that a hardware failure, a hardware configuration change, a software bug, a software-setting change, or an exploit may alter the environment, resulting in undesired operating parameters or actual security intrusions.

Examples of Embedded and Static Systems

Network-enabled devices are any type of portable or nonportable device that has native network capabilities. This generally assumes the network in question is a wireless type of network, primarily that provided by a mobile telecommunications company. However, it can also refer to devices that connect to Wi-Fi (especially when they can connect automatically), devices that share data connectivity from a wireless telco service (such as a mobile hotspot), and devices with RJ-45 jacks to receive a standard Ethernet cable for a wired connection. Network-enabled devices include smartphones, mobile phones, tablets, smart TVs, set-top boxes, HDMI-stick streaming media players (such as a Roku Player, Amazon Fire TV, or Google Android TV/Chromecast), network-attached printers, game systems, and much more.

In some cases, network-enabled devices might include equipment supporting Bluetooth, NFC, and other radio-based connection technologies. Additionally, some vendors offer devices that add network capabilities to devices that are not network enabled on their own. These add-on devices might be viewed as network-enabled devices themselves (or more specifically, network-enabling devices), and the resulting enhanced device might be deemed a network-enabled device.

Cyber-physical systems refer to devices that offer a computational means to control something in the physical world. In the past these might have been referred to as embedded systems, but the category of cyber-physical seems to focus more on the physical-world results rather than the computational aspects. Cyber-physical devices and systems are essentially key elements in robotics and sensor networks. Basically, any computational device that can cause a movement to occur in the real world is considered a robotic element, whereas any such device that can detect physical conditions (such as temperature, light, movement, and humidity) is a sensor. Examples of cyber-physical systems include prosthetics to provide human augmentation or assistance, collision avoidance in vehicles, air traffic control coordination, precision in robot surgery, remote operation in hazardous conditions, and energy conservation in vehicles, equipment, mobile devices, and buildings.

Another extension of cyber-physical systems, embedded systems, and network-enabled devices is the Internet of Things (IoT). As discussed earlier, the IoT is the collection of devices that can communicate over the internet with one another or with a control console in order to affect and monitor the real world. IoT devices might be labeled as smart devices or smart-home equipment. Many of the ideas of industrial environmental control found in office buildings are finding their way into more consumer-available solutions for small offices or personal homes. IoT is not limited to static-location equipment but can also be used in association with land, air, or water vehicles or on mobile devices. IoT devices are usually static systems, since they may only run the firmware provided by the manufacturer.

Mainframes are high-end computer systems used to perform highly complex calculations and provide bulk data processing. Older mainframes may be considered static environments because they were often designed around a single task or supported a single mission-critical application. These configurations didn't offer significant flexibility, but they did provide for high stability and long-term operation. Many mainframes were able to operate for decades.

Modern mainframes are much more flexible and are often used to provide high-speed computation power in support of numerous virtual machines. Each virtual machine can be used to host a unique OS and in turn support a wide range of applications. If a modern mainframe is implemented to provide fixed or static support of one OS or application, it may be considered a static environment.

Game consoles, whether home systems or portable systems, are potentially examples of static systems. The OS of a game console is generally fixed and is changed only when the vendor releases a system upgrade. Such upgrades are often a mixture of OS, application, and firmware improvements. Although game console capabilities are generally focused on playing games and media, modern consoles may offer support for a range of curated and third-party applications. The more flexible and open-ended the app support, the less of a static system it becomes.

In-vehicle computing systems can include the components used to monitor engine performance and optimize braking, steering, and suspension, but can also include in-dash elements related to driving, environment controls, and entertainment. Early in-vehicle systems were static environments with little or no ability to be adjusted or changed, especially by the owner/driver. Modern in-vehicle systems may offer a wider range of capabilities, including linking a mobile device or running custom apps.

Methods of Securing Embedded and Static Systems

Security concerns regarding embedded and static systems include the fact that most are designed with a focus on minimizing costs and extraneous features. This often leads to a lack of security and difficulty with upgrades or patches. Because an embedded system is in control of a mechanism in the physical world, a security breach could cause harm to people and property.

Static environments, embedded systems, and other limited or single-purpose computing environments need security management. Although they may not have as broad an attack surface and aren’t exposed to as many risks as a general-purpose computer, they still require proper security governance.

Network Segmentation

Network segmentation involves controlling traffic among networked devices. Complete or physical network segmentation occurs when a network is isolated from all outside communications, so transactions can only occur between devices within the segmented network. You can impose logical network segmentation with switches using virtual local area networks (VLANs), or through other traffic-control means, including MAC addresses, IP addresses, physical ports, TCP or UDP ports, protocols, or application filtering, routing, and access control management. Network segmentation can be used to isolate static environments in order to prevent changes and/or exploits from reaching them.

Security Layers

Security layers exist where devices with different levels of classification or sensitivity are grouped together and isolated from other groups with different levels. This isolation can be absolute or one-directional. For example, a lower level may not be able to initiate communication with a higher level, but a higher level may initiate with a lower level. Isolation can also be logical or physical. Logical isolation requires the use of classification labels on data and packets, which must be respected and enforced by network management, OSs, and applications. Physical isolation requires implementing network segmentation or air gaps between networks of different security levels.

Application Firewalls

An application firewall is a device, server add-on, virtual service, or system filter that defines a strict set of communication rules for a service and all users. It’s intended to be an application-specific server-side firewall to prevent application-specific protocol and payload attacks.

A network firewall is a hardware device, typically called an appliance, designed for general network filtering. A network firewall is designed to provide broad protection for an entire network.

Both of these types of firewalls are important and may be relevant in many situations. Every network needs a network firewall. Many application servers need an application firewall. However, the use of an application firewall generally doesn’t negate the need for a network firewall. You should use both firewalls in a series to complement each other, rather than seeing them as competitive solutions.

Manual Updates

Manual updates should be used in static environments to ensure that only tested and authorized changes are implemented. Using an automated update system would allow for untested updates to introduce unknown security reductions.

Firmware Version Control

Similar to manual software updates, strict control over firmware in a static environment is important. Firmware updates should be implemented on a manual basis, only after testing and review. Oversight of firmware version control should focus on maintaining a stable operating platform while minimizing exposure to downtime or compromise.

Wrappers

A wrapper is something used to enclose or contain something else. Wrappers are well known in the security community in relation to Trojan horse malware. A wrapper of this sort is used to combine a benign host with a malicious payload.

Wrappers are also used as encapsulation solutions. Some static environments may be configured to reject updates, changes, or software installations unless they’re introduced through a controlled channel. That controlled channel can be a specific wrapper. The wrapper may include integrity and authentication features to ensure that only intended and authorized updates are applied to the system.

Monitoring

Even embedded and static systems should be monitored for performance, violations, compliance, and operational status. Some of these types of devices can perform on-device monitoring, auditing, and logging, while others may require external systems to collect activity data. Any and all devices, equipment, and computers within an organization should be monitored to ensure high performance and minimal downtime and to detect and stop violations and abuse.

Control Redundancy and Diversity

As with any security solution, relying on a single security mechanism is unwise. Defense in depth uses multiple types of access controls in literal or theoretical concentric circles or layers. This form of layered security helps an organization avoid a monolithic security stance. A monolithic mentality is the belief that a single security mechanism is all that is required to provide sufficient security. By having security control redundancy and diversity, a static environment can avoid the pitfalls of a single security feature failing; the environment has several opportunities to deflect, deny, detect, and deter any threat. Unfortunately, no security mechanism is perfect. Each individual security mechanism has a flaw or a workaround just waiting to be discovered and abused by a hacker.

Essential Security Protection Mechanisms

The need for security mechanisms within an operating system comes down to one simple fact: software should not be trusted. Third-party software is inherently untrustworthy, no matter who or where it comes from. This is not to say that all software is evil. Instead, this is a protection stance—because all third-party software is written by someone other than the OS creator, that software might cause problems. Thus, treating all non-OS software as potentially damaging allows the OS to prevent many disastrous occurrences through the use of software management protection mechanisms. The OS must employ protection mechanisms to keep the computing environment stable and to keep processes isolated from each other. Without these efforts, the security of data could never be reliable or even possible.

Computer system designers should adhere to a number of common protection mechanisms when designing secure systems. These principles are specific instances of the more general security rules that govern safe computing practices. Designing security into a system during the earliest stages of development will help ensure that the overall security architecture has the best chance for success and reliability. In the following sections, we’ll divide the discussion into two areas: technical mechanisms and policy mechanisms.

Technical Mechanisms

Technical mechanisms are the controls that system designers can build right into their systems. We’ll look at five: layering, abstraction, data hiding, process isolation, and hardware segmentation.

Layering

By layering processes, you implement a structure similar to the ring model used for operating modes (and discussed earlier in this chapter) and apply it to each operating system process. It puts the most sensitive functions of a process at the core, surrounded by a series of increasingly larger concentric circles with correspondingly lower sensitivity levels (using a slightly different approach, this is also sometimes explained in terms of upper and lower layers, where security and privilege decrease when climbing up from lower to upper layers). In discussions of OS architectures, the protected ring concept is common, and it is not exclusive. There are other ways of representing the same basic ideas with levels rather than rings. In such a system, the highest level is the most privileged, while the lowest level is the least privileged.

Levels Compared to Rings

Many of the features and restrictions of the protection ring concept apply also to a multilayer or multilevel system. Think about a high-rise apartment building. The low-rent apartments are often found in the lower floors. As you reach the middle floors, the apartments are often larger and offer better views. Finally, the top floor (or floors) is the most lavish and expensive (often deemed the penthouse). Usually, if you are living in a low-rent apartment in the building, you are unable to ride the elevators any higher than the highest floor of the low-rent apartments. If you are a middle-floor apartment resident, you can ride the elevators everywhere except to the penthouse floor(s). And if you are a penthouse resident, you can ride the elevators anywhere you want to go. You may also find this floor restriction system in office buildings and hotels. You may also have an elevator that operates directly between the lowest level and the penthouse level, thus bypassing all lower levels. However, if the direct elevator is breached, the other layers of protection are of no value.

The top of a layered or multilevel system is the same as the center ring of a protection ring scheme. Likewise, the bottom of a layered or multilevel system is the same as the outer ring of a protection ring scheme. In terms of protection and access concepts, levels, layers, and rings are similar. The term domain (that is, a collection of objects with a singular characteristic) might also be used.

Communication between layers takes place only through the use of well-defined, specific interfaces to provide necessary security. All inbound requests from outer (less-sensitive) layers are subject to stringent authentication and authorization checks before they’re allowed to proceed (or denied, if they fail such checks). Using layering for security is similar to using security domains and lattice-based security models in that security and access controls over certain subjects and objects are associated with specific layers and privileges and that access increases as you move from outer to inner layers.

In fact, separate layers can communicate only with one another through specific interfaces designed to maintain a system’s security and integrity. Even though less secure outer layers depend on services and data from more secure inner layers, they know only how to interface with those layers and are not privy to those inner layers’ internal structure, characteristics, or other details. So that layer integrity is maintained, inner layers neither know about nor depend on outer layers. No matter what kind of security relationship may exist between any pair of layers, neither can tamper with the other (so that each layer is protected from tampering by any other layer). Finally, outer layers cannot violate or override any security policy enforced by an inner layer.

Abstraction

Abstraction is one of the fundamental principles behind the field known as object-oriented programming. It is the “black-box” doctrine that says that users of an object (or operating system component) don’t necessarily need to know the details of how the object works; they need to know just the proper syntax for using the object and the type of data that will be returned as a result (that is, how to send input and receive output). This is very much what’s involved in mediated access to data or services, such as when user mode applications use system calls to request administrator mode services or data (and where such requests may be granted or denied depending on the requester’s credentials and permissions) rather than obtaining direct, unmediated access.

Another way in which abstraction applies to security is in the introduction of object groups, sometimes called classes, where access controls and operation rights are assigned to groups of objects rather than on a per-object basis. This approach allows security administrators to define and name groups easily (the names are often related to job roles or responsibilities) and helps make the administration of rights and privileges easier (when you add an object to a class, you confer rights and privileges rather than having to manage rights and privileges for each object separately).

Data Hiding

Data hiding is an important characteristic in multilevel secure systems. It ensures that data existing at one level of security is not visible to processes running at different security levels. The key concept behind data hiding is a desire to make sure those who have no need to know the details involved in accessing and processing data at one level have no way to learn or observe those details covertly or illicitly. From a security perspective, data hiding relies on placing objects in security containers that are different from those that subjects occupy to hide object details from those with no need to know about them.

Process Iso la tion

274

Process iso la tion re quires that the op er at ing sys tem pro vide sep a rate mem ory spa ces for each process’s in struc tions and data. It also re quires that the op er at ing sys tem en force those bound aries, pre vent ing one process from read ing or writ ing data that be longs to an other process. There are two ma jor ad van tages to us ing this tech nique:

It pre vents unau tho rized data ac cess. Process iso la tion is one of the fun da men tal re quire ments in a mul ti level se cu rity mode sys tem.

It pro tects the in tegrity of pro cesses. With out such con trols, a poorly de signed process could go hay wire and write data to mem ory spa ces al lo cated to other pro cesses, caus ing the en tire sys tem to be come un sta ble rather than af fect ing only the ex e cu tion of the er rant process. In a more ma li cious vein, pro cesses could at tempt (and per haps even suc ceed at) read ing or writ ing to mem ory spa ces out side their scope, in trud ing on or at tack ing other pro cesses.

Many mod ern op er at ing sys tems ad dress the need for process iso la tion by im ple ment ing vir tual ma chines on a per-user or per-process ba sis. A vir tual ma chine presents a user or process with a pro cess ing en vi ron ment—in clud ing mem ory, ad dress space, and other key sys tem re sources and ser vices—that al lows that user or process to be have as though they have sole, ex clu sive ac cess to the en tire com puter. This al lows each user or process to op er ate in de pen dently with out re quir ing it to take cog nizance of other users or pro cesses that might be ac tive si mul ta ne ously on the same ma chine. As part of the me di ated ac cess to the sys tem that the op er at ing sys tem pro vides, it maps vir tual re sources and ac cess in user mode so that they use su per vi sory mode calls to ac cess cor re spond ing real re sources. This not only makes things eas ier for pro gram mers, it also pro tects in di vid ual users and pro cesses from one an other.

Hard ware Seg men ta tion

Hard ware seg men ta tion is sim i lar to process iso la tion in pur pose—it pre vents the ac cess of in for ma tion that be longs to a dif fer ent process/se cu rity level. The main dif fer ence is that hard ware seg men ta tion en forces these re quire ments through the use of phys i cal hard ware con trols rather than the log i cal process iso la tion con trols im posed by an op er at ing sys tem. Such im ple men ta tions are rare, and they are gen er ally re stricted to na tional se cu rity im ple men ta tions where the ex tra cost and com plex ity is off set by the sen si tiv ity of the in for ma tion in volved and the risks in her ent in unau tho rized ac cess or dis clo sure.

Security Policy and Computer Architecture

Just as security policy guides the day-to-day security operations, processes, and procedures in organizations, it has an important role to play when designing and implementing systems. This is equally true whether a system is entirely hardware based, entirely software based, or a combination of both. In this case, the role of a security policy is to inform and guide the design, development, implementation, testing, and maintenance of a particular system. Thus, this kind of security policy tightly targets a single implementation effort. (Although it may be adapted from other, similar efforts, it should reflect the target as accurately and completely as possible.)

For system developers, a security policy is best encountered in the form of a document that defines a set of rules, practices, and procedures that describe how the system should manage, protect, and distribute sensitive information. Security policies that prevent information flow from higher security levels to lower security levels are called multilevel security policies. As a system is developed, the security policy should be designed, built, implemented, and tested as it relates to all applicable system components or elements, including any or all of the following: physical hardware components, firmware, software, and how the organization interacts with and uses the system. The overall point is that security needs to be considered for the entire life of the project. When security is applied only at the end, it typically fails.

Policy Mechanisms

As with any security program, policy mechanisms should also be put into place. These mechanisms are extensions of basic computer security doctrine, but the applications described in this section are specific to the field of computer architecture and design.

Principle of Least Privilege

Chapter 13, “Managing Identity and Authentication,” discusses the general security principle of least privilege and how it applies to users of computing systems. This principle is also important to the design of computers and operating systems, especially when applied to system modes. When designing operating system processes, you should always ensure that they run in user mode whenever possible. The greater the number of processes that execute in privileged mode, the higher the number of potential vulnerabilities that a malicious individual could exploit to gain supervisory access to the system. In general, it’s better to use APIs to ask for supervisory mode services or to pass control to trusted, well-protected supervisory mode processes as they’re needed from within user mode applications than it is to elevate such programs or processes to supervisory mode altogether.

Separation of Privilege

The principle of separation of privilege builds on the principle of least privilege. It requires the use of granular access permissions; that is, different permissions for each type of privileged operation. This allows designers to assign some processes rights to perform certain supervisory functions without granting them unrestricted access to the system. It also allows individual requests for services or access to resources to be inspected, checked against access controls, and granted or denied based on the identity of the user making the requests or on the basis of groups to which the user belongs or security roles that the user occupies.

Think of separation of duties as the application of the principle of least privilege to administrators. In most moderate to large organizations, there are many administrators, each with different assigned tasks. Thus, there are usually few or no individual administrators with complete and total need for access across the entire environment or infrastructure. For example, a user administrator has no need for privileges that enable reconfiguring network routing, formatting storage devices, or performing backup functions.

Separation of duties is also a tool used to prevent conflicts of interest in the assignment of access privileges and work tasks. For example, those persons responsible for programming code should not be tasked to test and implement that code. Likewise, those who work in accounts payable should not also have accounts receivable responsibilities. There are many such job or task conflicts that can be securely managed through the proper implementation of separation of duties.

Accountability

Accountability is an essential component in any security design. Many high-security systems contain physical devices (such as paper-and-pen visitor logs and nonmodifiable audit trails) that enforce individual accountability for privileged functionality. In general, however, such capabilities rely on a system’s ability to monitor activity on and interactions with a system’s resources and configuration data and to protect resulting logs from unwanted access or alteration so that they provide an accurate and reliable record of activity and interaction that documents every user’s (including administrators or other trusted individuals with high levels of privilege) history on that system. In addition to the need for reliable auditing and monitoring systems to support accountability, there must be a resilient authorization system and an impeccable authentication system.

Common Architecture Flaws and Security Issues

No security architecture is complete and totally secure. Every computer system has weaknesses and vulnerabilities. The goal of security models and architectures is to address as many known weaknesses as possible. Due to this fact, corrective actions must be taken to resolve security issues. The following sections present some of the more common security issues that affect computer systems in relation to vulnerabilities of security architectures. You should understand each of the issues and how they can degrade the overall security of your system. Some issues and flaws overlap one another and are used in creative ways to attack systems. Although the following discussion covers the most common flaws, the list is not exhaustive. Attackers are very clever.

Covert Channels

A covert channel is a method that is used to pass information over a path that is not normally used for communication. Because the path is not normally used for communication, it may not be protected by the system’s normal security controls. Using a covert channel provides a means to violate, bypass, or circumvent a security policy undetected. Covert channels are one of the important examples of vulnerabilities of security architectures.

As you might imagine, a covert channel is the opposite of an overt channel. An overt channel is a known, expected, authorized, designed, monitored, and controlled method of communication.

There are two basic types of covert channels:

Covert Timing Channel: A covert timing channel conveys information by altering the performance of a system component or modifying a resource’s timing in a predictable manner. Using a covert timing channel is generally a method to secretly transfer data and is very difficult to detect.

Covert Storage Channel: A covert storage channel conveys information by writing data to a common storage area where another process can read it. When assessing the security of software, be diligent for any process that writes to any area of memory that another process can read.

Both types of covert channels rely on the use of communication techniques to exchange information with otherwise unauthorized subjects. Because the covert channel is outside the normal data transfer environment, detecting it can be difficult. The best defense is to implement auditing and analyze log files for any covert channel activity.

276

At tacks Based on De sign or Cod ing Flaws and Se cu rity Is sues Cer tain at tacks may re sult from poor de sign tech niques, ques tion able im ple men ta tion prac tices and

pro ce dures, or poor or in ad e quate test ing. Some at tacks may re sult from de lib er ate de sign de ci sions when spe cial points of en try built into code to cir cum vent ac cess con trols, lo gin, or other se cu rity checks of ten added to code while un der de vel op ment are not re moved when that code is put into pro duc tion. For what we hope are ob vi ous rea sons, such points of egress are prop erly called back doors be cause they avoid se cu rity mea sures by de sign (they’re cov ered later in this chap ter in “Main te nance Hooks and Priv i leged Pro grams”). Ex ten sive test ing and code re view are re quired to un cover such covert means of ac cess, which are easy to re move dur ing fi nal phases of de vel op ment but can be in cred i bly dif fi cult to de tect dur ing the test ing and main te nance phases.

Al though func tion al ity test ing is com mon place for com mer cial code and ap pli ca tions, sep a rate test ing for se cu rity is sues has been gain ing at ten tion and cred i bil ity only in the past few years, cour tesy of widely pub li cized virus and worm at tacks, SQL in jec tion at tacks, cross-site script ing at tacks, and oc ca sional de face ments of or dis rup tions to widely used pub lic sites on line. You might ben e fit from view ing the OWASP Top 10 Web Ap pli ca tion Se cu rity Risks re port at https://www.owasp.org/im ages/7/72/OWASP_ Top_10- 2017_%28en%29.pdf.pdf.

In the sec tions that fol low, we cover com mon sources of at tack or vul ner a bil i ties of se cu rity ar chi tec tures that can be at trib uted to fail ures in de sign, im ple men ta tion, pre re lease code cleanup, or out-and-out cod ing mis takes. Al though they’re avoid able, find ing and fix ing such flaws re quires rig or ous se cu rity-con scious de sign from the be gin ning of a de vel op ment project and ex tra time and ef fort spent in test ing and anal y sis. This helps to ex plain the of ten lam en ta ble state of soft ware se cu rity, but it does not ex cuse it!

Hu mans will never write com pletely se cure (flaw less) code. Source code anal y sis tools im ple mented through out the ap pdev cy cle will min i mize the num ber of flaws in the pro duc tion re lease, and the flaws iden ti fied prior to pro duc tion re lease will cost much less to mit i gate. The con cepts of code re view and test ing are cov ered in Chap ter 15, “Se cu rity As sess ment and Test ing.”

Trusted Re cov ery

When an un pre pared sys tem crashes and sub se quently re cov ers, two op por tu ni ties to com pro mise its se cu rity con trols may arise. Many sys tems un load se cu rity con trols as part of their shut down pro ce dures. Trusted re cov ery en sures that all se cu rity con trols re main in tact in the event of a crash. Dur ing a trusted re cov ery, the sys tem en sures that there are no op por tu ni ties for ac cess to oc cur when se cu rity con trols are dis abled. Even the re cov ery phase runs with all con trols in tact.

For ex am ple, sup pose a sys tem crashes while a data base trans ac tion is be ing writ ten to disk for a data base clas si fied as top se cret. An un pro tected sys tem might al low an unau tho rized user to ac cess that tem po rary data be fore it gets writ ten to disk. A sys tem that sup ports trusted re cov ery en sures that no data con fi den tial ity vi o la tions oc cur, even dur ing the crash. This process re quires care ful plan ning and de tailed pro ce dures for han dling sys tem fail ures. Al though au to mated re cov ery pro ce dures may make up a por tion of the en tire re cov ery, man ual in ter ven tion may still be re quired. Ob vi ously, if such man ual ac tion is needed, ap pro pri ate iden ti fi ca tion and au then ti ca tion for per son nel per form ing re cov ery is like wise es sen tial.

In put and Pa ram e ter Check ing

One of the most no to ri ous se cu rity vi o la tions is a buf fer over flow. This vi o la tion oc curs when pro gram mers fail to val i date in put data suf fi ciently, par tic u larly when they do not im pose a limit on the amount of data their soft ware will ac cept as in put. Be cause such data is usu ally stored in an in put buf fer, when the nor mal max i mum size of the buf fer is ex ceeded, the ex tra data is called over flow. Thus, the type of at tack that re sults when some one at tempts to sup ply ma li cious in struc tions or code as part of pro gram in put is called a buf fer over flow. Un for tu nately, in many sys tems such over flow data is of ten ex e cuted di rectly by the sys tem un der at tack at a high level of priv i lege or at what ever level of priv i lege at taches to the process ac cept ing such in put. For nearly all types of op er at ing sys tems, in clud ing Win dows, Unix, Linux, and oth ers, buf fer over flows ex pose some of the most glar ing and pro found op por tu ni ties for com pro mise and at tack of any kind of known se cu rity vul ner a bil ity.

The party responsible for a buffer overflow vulnerability is always the programmer whose code allowed nonsanitized or unsanitized input. Due diligence from programmers can eradicate buffer overflows completely, but only if programmers check all input and parameters before storing them in any data structure (and limit how much data can be proffered as input). Proper data validation is the only way to do away with buffer overflows. Otherwise, discovery of buffer overflows leads to a familiar pattern of critical security updates that must be applied to affected systems to close the point of attack.
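The following C program is an added example, not code from the book, illustrating the input and parameter checking the preceding paragraphs call for. It contrasts an unchecked copy into a fixed-size buffer (the defect) with a version that enforces both a length limit and a character set before storing anything. The field size, the allowed character set, and the sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Constructed example: a fixed-size field that a program copies
 * user-supplied input into. */
#define NAME_MAX_LEN 15                  /* longest accepted name */
#define NAME_BUF_SIZE (NAME_MAX_LEN + 1) /* room for the terminating NUL */

/* The defect the text describes: no limit on how much input is accepted.
 * strcpy() keeps writing past the end of dst when src is longer than the
 * buffer. It is never called on untrusted input in this program; it is
 * shown only to contrast with the checked version below. */
void copy_name_unchecked(char dst[NAME_BUF_SIZE], const char *src)
{
    strcpy(dst, src);
}

/* Checked version: validates both size and format before storing anything.
 * Returns 0 and fills dst on success; returns -1 and leaves dst as an empty
 * string when the input is empty, too long, or contains a character outside
 * the allowed set [A-Za-z0-9_-]. */
int copy_name_checked(char dst[NAME_BUF_SIZE], const char *src)
{
    dst[0] = '\0';

    /* Bounded scan: reads at most NAME_MAX_LEN + 1 bytes of src, so an
     * over-long or unterminated input never causes a long walk. */
    size_t len = 0;
    while (len <= NAME_MAX_LEN && src[len] != '\0')
        len++;
    if (len == 0 || len > NAME_MAX_LEN)
        return -1; /* size check failed */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return -1; /* format check failed */
    }

    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char name[NAME_BUF_SIZE];
    /* Constructed inputs: one well-formed, one over-long, one with a
     * disallowed character. */
    const char *inputs[] = {
        "alice_01",
        "this-name-is-far-too-long-for-the-field",
        "o'brien",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = copy_name_checked(name, inputs[i]);
        printf("%-42s -> %s\n", inputs[i], rc == 0 ? name : "rejected");
    }
    return 0;
}
```

The important property is that the checked routine decides before it writes: the destination is untouched unless the input has already passed both the size and the format test, which is the ordering the text prescribes.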

Maintenance Hooks and Privileged Programs

Maintenance hooks are entry points into a system that are known only by the developer of the system. Such entry points are also called back doors. Although the existence of maintenance hooks is a clear violation of security policy, they still pop up in many systems. The original purpose of back doors was to provide guaranteed access to the system for maintenance reasons or if regular access was inadvertently disabled. The problem is that this type of access bypasses all security controls and provides free access to anyone who knows that the back doors exist. It is imperative that you explicitly prohibit such entry points and monitor your audit logs to uncover any activity that may indicate unauthorized administrator access.

Another common system vulnerability is the practice of executing a program whose security level is elevated during execution. Such programs must be carefully written and tested so they do not allow any exit and/or entry points that would leave a subject with a higher security rating. Ensure that all programs that operate at a high security level are accessible only to appropriate users and that they are hardened against misuse. A good example of this is root-owned world-writable executable scripts in the Unix/Linux OS environment. This major security flaw is overlooked all too often. Anyone can modify the script, and it will execute under root context, allowing users to be created, resulting in back door access.
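As an added example (not from the book), the following C code expresses the root-owned world-writable script check from the preceding paragraph as a permission test a defender can run over a file tree. It flags a file owned by uid 0 that is executable and writable by group or others; treating group-writable the same as world-writable is a slightly wider check than the text's example, chosen because either lets a non-owner change what root will run. The sample (owner, mode) pairs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Pure check so it can be exercised without a real root-owned file.
 * Returns 1 when a file owned by uid 0 is executable by anyone yet writable
 * by group or others (the root-owned world-writable script case), else 0. */
int is_unsafe_privileged_script(uid_t owner, mode_t mode)
{
    int owned_by_root = (owner == 0);
    int executable = (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    int writable_by_non_owner = (mode & (S_IWGRP | S_IWOTH)) != 0;
    return owned_by_root && executable && writable_by_non_owner;
}

/* Wrapper over stat(2) for a real path: returns 1 (unsafe), 0 (fine),
 * or -1 if the path cannot be examined. Only regular files are considered. */
int check_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;
    return is_unsafe_privileged_script(st.st_uid, st.st_mode);
}

int main(int argc, char **argv)
{
    /* Constructed cases mirroring the text's example, expressed as
     * (owner, mode) pairs rather than real files. */
    struct { const char *label; uid_t uid; mode_t mode; } cases[] = {
        { "root, mode 0755 (fine)",          0,    0755 },
        { "root, mode 0777 (flagged)",       0,    0777 },
        { "root, mode 0666 (data, fine)",    0,    0666 },
        { "uid 1000, mode 0777 (not root)",  1000, 0777 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-32s -> %s\n", cases[i].label,
               is_unsafe_privileged_script(cases[i].uid, cases[i].mode)
                   ? "UNSAFE" : "ok");

    /* Any paths given on the command line are examined with stat(2). */
    for (int i = 1; i < argc; i++) {
        int r = check_path(argv[i]);
        printf("%s: %s\n", argv[i],
               r < 0 ? "cannot stat" : r ? "UNSAFE" : "ok");
    }
    return 0;
}
```

The remedy for a flagged file is the one the text implies: remove write permission for everyone but the owner (mode 0755 or tighter), and review the audit trail for changes made while it was writable.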

Incremental Attacks

Some forms of attack occur in slow, gradual increments rather than through obvious or recognizable attempts to compromise system security or integrity. Two such forms of attack are data diddling and the salami attack.

Data diddling occurs when an attacker gains access to a system and makes small, random, or incremental changes to data during storage, processing, input, output, or transaction rather than obviously altering file contents or damaging or deleting entire files. Such changes can be difficult to detect unless files and data are protected by encryption or unless some kind of integrity check (such as a checksum or message digest) is routinely performed and applied each time a file is read or written. Encrypted filesystems, file-level encryption techniques, or some form of file monitoring (which includes integrity checks like those performed by applications such as Tripwire and other file integrity monitoring [FIM] tools) usually offer adequate guarantees that no data diddling is underway. Data diddling is often considered an attack performed more often by insiders rather than outsiders (in other words, external intruders). It should be obvious that since data diddling is an attack that alters data, it is considered an active attack.
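The integrity check described above, as an added example that is not part of the book: a baseline digest is recorded while a file is trusted and compared against the current content on each read. FNV-1a is used only to keep the example self-contained; a real FIM tool uses a cryptographic hash such as SHA-256 so that whoever can alter the file cannot also craft a colliding replacement. The "payroll" records and the one-character change are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a 64-bit: a fast non-cryptographic digest, sufficient to show the
 * baseline-versus-current comparison a FIM tool performs. */
uint64_t fnv1a64(const unsigned char *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;   /* offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;            /* FNV prime */
    }
    return h;
}

/* One entry in the FIM baseline: what the file looked like when trusted. */
struct baseline_entry {
    const char *name;
    size_t length;
    uint64_t digest;
};

/* Returns 1 if the current content no longer matches the baseline, 0 if it
 * is intact. The length comparison is a cheap first test; the digest catches
 * same-length edits. */
int integrity_changed(const struct baseline_entry *b,
                      const unsigned char *current, size_t current_len)
{
    if (current_len != b->length)
        return 1;
    return fnv1a64(current, current_len) != b->digest;
}

/* Constructed "payroll" record set standing in for a file under monitoring. */
static const char RECORDS[] =
    "id=1001,name=alice,rate=42.50\n"
    "id=1002,name=bob,rate=38.00\n"
    "id=1003,name=carol,rate=51.25\n";

/* Demonstrates the diddling pattern: one character changed in place with no
 * change in length, so a size-only check would miss it. Returns 1 when the
 * unchanged copy passes and the tampered copy is caught, 0 otherwise. */
int demo_detects_single_byte_change(void)
{
    size_t len = sizeof RECORDS - 1;
    struct baseline_entry b = {
        "payroll.txt", len, fnv1a64((const unsigned char *)RECORDS, len)
    };

    unsigned char tampered[sizeof RECORDS];
    memcpy(tampered, RECORDS, sizeof RECORDS);
    /* bob's rate 38.00 -> 39.00: same length, one byte different */
    char *p = strstr((char *)tampered, "rate=38.00");
    if (!p)
        return 0;
    p[6] = '9';

    int unchanged_ok =
        integrity_changed(&b, (const unsigned char *)RECORDS, len) == 0;
    int tampered_caught = integrity_changed(&b, tampered, len) == 1;
    return unchanged_ok && tampered_caught;
}

int main(void)
{
    printf("baseline digest of payroll.txt: %016llx\n",
           (unsigned long long)fnv1a64((const unsigned char *)RECORDS,
                                       sizeof RECORDS - 1));
    printf("single-byte change detected: %s\n",
           demo_detects_single_byte_change() ? "yes" : "NO");
    return 0;
}
```

In a deployed FIM tool the baseline is stored somewhere the monitored system cannot alter it, and a mismatch raises an alert rather than merely returning 1; the comparison itself is what is shown here.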

The salami attack is more mythical by all published reports. The name of the attack refers to a systematic whittling at assets in accounts or other records with financial value, where very small amounts are deducted from balances regularly and routinely. Metaphorically, the attack may be explained as stealing a very thin slice from a salami each time it’s put on the slicing machine when it’s being accessed by a paying customer. In reality, though no documented examples of such an attack are available, most security experts concede that salami attacks are possible, especially when organizational insiders could be involved. Only by proper separation of duties and proper control over code can organizations completely prevent or eliminate such an attack. Setting financial transaction monitors to track very small transfers of funds or other items of value should help to detect such activity; regular employee notification of the practice should help to discourage attempts at such attacks.

If you want an entertaining method of learning about the salami attack or the salami technique, view the movies Office Space, Sneakers, and Superman III. You can also read the article from Wired about an attack of this nature from 2008: https://www.wired.com/2008/05/man-allegedly-b/.

Programming

We have already mentioned the biggest flaw in programming: the buffer overflow, which can occur if the programmer fails to check or sanitize the format and/or the size of input data. There are other potential flaws with programs. Any program that does not handle any exception gracefully is in danger of exiting in an unstable state. It is possible to cleverly crash a program after it has increased its security level to carry out a normal task. If an attacker is successful in crashing the program at the right time, they can attain the higher security level and cause damage to the confidentiality, integrity, and availability of your system.

All programs that are executed directly or indirectly must be fully tested to comply with your security model. Make sure you have the latest version of any software installed, and be aware of any known security vulnerabilities. Because each security model, and each security policy, is different, you must ensure that the software you execute does not exceed the authority you allow. Writing secure code is difficult, but it’s certainly possible. Make sure all programs you use are designed to address security concerns. Please see Chapter 15 for more information on code review and testing.

Timing, State Changes, and Communication Disconnects

Computer systems perform tasks with rigid precision. Computers excel at repeatable tasks. Attackers can develop attacks based on the predictability of task execution. The common sequence of events for an algorithm is to check that a resource is available and then access it if you are permitted. The time of check (TOC) is the time at which the subject checks on the status of the object. There may be several decisions to make before returning to the object to access it. When the decision is made to access the object, the procedure accesses it at the time of use (TOU). The difference between the TOC and the TOU is sometimes large enough for an attacker to replace the original object with another object that suits their own needs. Time of check to time of use (TOCTTOU) attacks are often called race conditions because the attacker is racing with the legitimate process to replace the object before it is used.

A classic example of a TOCTTOU attack is replacing a data file after its identity has been verified but before data is read. By replacing one authentic data file with another file of the attacker’s choosing and design, an attacker can potentially direct the actions of a program in many ways. Of course, the attacker would have to have in-depth knowledge of the program and system under attack.

Likewise, attackers can attempt to take action between two known states when the state of a resource or the entire system changes. Communication disconnects also provide small windows that an attacker might seek to exploit. Any time a status check of a resource precedes action on the resource, a window of opportunity exists for a potential attack in the brief interval between check and action. These attacks must be addressed in your security policy and in your security model. TOCTTOU attacks, race condition exploits, and communication disconnects are known as state attacks because they attack timing, data flow control, and the transition from one system state to another.
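An added example, not from the book, of the TOCTTOU pattern described above and the usual remedy, in C on a POSIX system. The racy version checks a path with stat() and then opens the same path, leaving a window in which the path can be re-bound to a different object; the safer version opens first and then inspects the object actually opened through fstat(), so check and use refer to the same file. The expected-owner parameter, the temporary file name, and the file contents are constructed for the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0 /* platform without it: symlinks are then not refused */
#endif

/* The racy shape the text describes: check by path, then use by path.
 * Between the two calls the path may be re-bound (for example, the file
 * replaced), so the object that was checked is not necessarily the object
 * that is read. Kept only as the "before" for comparison. */
int open_data_file_racy(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                  /* time of check: looks at the path */
    return open(path, O_RDONLY);    /* time of use: may be another object */
}

/* Check and use the same object: open first, then ask fstat() about the
 * file behind the descriptor. Whatever the path names afterwards is
 * irrelevant, because all reads go through fd. Returns fd >= 0, or -1 when
 * the object is a symlink, is not a regular file, or is not owned by
 * expected_owner. */
int open_data_file_safely(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-contained check: creates a small constructed data file, opens it with
 * the safe routine, reads it back through the descriptor, and cleans up.
 * Returns 1 when everything behaves as expected, 0 otherwise. */
int demo_safe_open_roundtrip(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/tocttou_demo_%ld", (long)getpid());
    unlink(path); /* remove any stale copy from an earlier run */

    int wfd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (wfd < 0)
        return 0;
    const char payload[] = "trusted configuration line\n";
    ssize_t n = write(wfd, payload, sizeof payload - 1);
    close(wfd);
    if (n != (ssize_t)(sizeof payload - 1)) {
        unlink(path);
        return 0;
    }

    int ok = 0;
    int fd = open_data_file_safely(path, getuid());
    if (fd >= 0) {
        char buf[64] = {0};
        ssize_t r = read(fd, buf, sizeof buf - 1);
        ok = (r == n) && strcmp(buf, payload) == 0;
        close(fd);
    }
    unlink(path);
    return ok;
}

int main(void)
{
    printf("safe open round-trip: %s\n",
           demo_safe_open_roundtrip() ? "ok" : "FAILED");
    printf("directory rejected:   %s\n",
           open_data_file_safely("/", getuid()) < 0 ? "ok" : "FAILED");
    return 0;
}
```

The general rule the safer routine follows is to perform the check on the handle you will use (the descriptor), never on the name you used to obtain it; the same principle applies to any resource that is looked up by a mutable name.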

Technology and Process Integration

It is important to evaluate and understand the vulnerabilities in system architectures, especially in regard to technology and process integration. As multiple technologies and complex processes are intertwined in the act of crafting new and unique business functions, new issues and security problems often surface. As systems are integrated, attention should be paid to potential single points of failure as well as to emergent weaknesses in service-oriented architecture (SOA). An SOA constructs new applications or functions out of existing but separate and distinct software services. The resulting application is often new; thus, its security issues are unknown, untested, and unprotected. All new deployments, especially new applications or functions, need to be thoroughly vetted before they are allowed to go live into a production network or the public internet.

Electromagnetic Radiation

Simply because of the kinds of electronic components from which they’re built, many computer hardware devices emit electromagnetic (EM) radiation during normal operation. The process of communicating with other machines or peripheral equipment creates emanations that can be intercepted. It’s even possible to re-create keyboard input or monitor output by intercepting and processing electromagnetic radiation from the keyboard and computer monitor. You can also detect and read network packets passively (that is, without actually tapping into the cable) as they pass along a network segment. These emanation leaks can cause serious security issues but are generally easy to address.

The easiest way to eliminate electromagnetic radiation interception is to reduce emanation through cable shielding or conduit and block unauthorized personnel and devices from getting too close to equipment or cabling by applying physical security controls. By reducing the signal strength and increasing the physical buffer around sensitive equipment, you can dramatically reduce the risk of signal interception.

As discussed previously, several TEMPEST technologies could provide protection against EM radiation eavesdropping. These include Faraday cages, jamming or noise generators, and control zones. A Faraday cage is a special enclosure that acts as an EM capacitor. When a Faraday cage is in use, no EM signals can enter or leave the enclosed area. Jamming or noise generators use the idea that it is difficult or impossible to retrieve a signal when there is too much interference. Thus, by broadcasting your own interference, you can prevent unwanted EM interception. The only issue with this concept is that you have to ensure that the interference won’t affect the normal operations of your devices. One way to ensure that is to use control zones, which are Faraday cages used to block purposely broadcast interference. For example, if you wanted to use wireless networking within a few rooms of your office but not allow it anywhere else, you could enclose those rooms in a single Faraday cage and then plant several noise generators outside the control zone. This would allow normal wireless networking within the designated rooms but completely prevent normal use and eavesdropping anywhere outside those designated areas.

Summary

Designing secure computing systems is a complex task, and many security engineers have dedicated their entire careers to understanding the innermost workings of information systems and ensuring that they support the core security functions required to safely operate in the current environment. Many security professionals don’t necessarily require an in-depth knowledge of these principles, but they should have at least a broad understanding of the basic fundamentals that drive the process to enhance security within their own organizations.

Such understanding begins with an investigation of hardware, software, and firmware and how those pieces fit into the security puzzle. It’s important to understand the principles of common computer and network organizations, architectures, and designs, including addressing (both physical and symbolic), the difference between address space and memory space, and machine types (real, virtual, multistate, multitasking, multiprogramming, multiprocessing, multiprocessor, and multiuser).

Additionally, a security professional must have a solid understanding of operating states (single-state, multistate), operating modes (user, supervisor, privileged), storage types (primary, secondary, real, virtual, volatile, nonvolatile, random, sequential), and protection mechanisms (layering, abstraction, data hiding, process isolation, hardware segmentation, principle of least privilege, separation of privilege, accountability).

No matter how sophisticated a security model is, flaws exist that attackers can exploit. Some flaws, such as buffer overflows and maintenance hooks, are introduced by programmers, whereas others, such as covert channels, are architectural design issues. It is important to understand the impact of such issues and modify the security architecture when appropriate to compensate.

Exam Essentials

Be able to explain the differences between multitasking, multithreading, multiprocessing, and multiprogramming. Multitasking is the simultaneous execution of more than one application on a computer and is managed by the operating system. Multithreading permits multiple concurrent tasks to be performed within a single process. Multiprocessing is the use of more than one processor to increase computing power. Multiprogramming is similar to multitasking but takes place on mainframe systems and requires specific programming.

Understand the differences between single-state processors and multistate processors. Single-state processors are capable of operating at only one security level at a time, whereas multistate processors can simultaneously operate at multiple security levels.

Describe the four security modes approved by the federal government for processing classified information. Dedicated systems require that all users have appropriate clearance, access permissions, and need to know for all information stored on the system. System high mode removes the need-to-know requirement. Compartmented mode removes the need-to-know requirement and the access permission requirement. Multilevel mode removes all three requirements.

Explain the two layered operating modes used by most modern processors. User applications operate in a limited instruction set environment known as user mode. The operating system performs controlled operations in privileged mode, also known as system mode, kernel mode, and supervisory mode.

Describe the different types of memory used by a computer. ROM is nonvolatile and can’t be written to by the end user. The end user can write data to PROM chips only once. EPROM/UVEPROM chips may be erased through the use of ultraviolet light and then can have new data written to them. EEPROM chips may be erased with electrical current and then have new data written to them. RAM chips are volatile and lose their contents when the computer is powered off.

Know the security issues surrounding memory components. Some security issues surround memory components: the fact that data may remain on the chip after power is removed and the control of access to memory in a multiuser system.

Describe the different characteristics of storage devices used by computers. Primary storage is the same as memory. Secondary storage consists of magnetic, flash, and optical media that must be first read into primary memory before the CPU can use the data. Random access storage devices can be read at any point, whereas sequential access devices require scanning through all the data physically stored before the desired location.

Know the security issues surrounding secondary storage devices. There are three main security issues surrounding secondary storage devices: removable media can be used to steal data, access controls and encryption must be applied to protect data, and data can remain on the media even after file deletion or media formatting.

Understand security risks that input and output devices can pose. Input/output devices can be subject to eavesdropping and tapping, used to smuggle data out of an organization, or used to create unauthorized, insecure points of entry into an organization’s systems and networks. Be prepared to recognize and mitigate such vulnerabilities.

Know the purpose of firmware. Firmware is software stored on a ROM chip. At the computer level, it contains the basic instructions needed to start a computer. Firmware is also used to provide operating instructions in peripheral devices such as printers.

Be able to describe process isolation, layering, abstraction, data hiding, and hardware segmentation. Process isolation ensures that individual processes can access only their own data. Layering creates different realms of security within a process and limits communication between them. Abstraction creates “black-box” interfaces for programmers to use without requiring knowledge of an algorithm’s or device’s inner workings. Data hiding prevents information from being read from a different security level. Hardware segmentation enforces process isolation with physical controls.

Understand how a security policy drives system design, implementation, testing, and deployment. The role of a security policy is to inform and guide the design, development, implementation, testing, and maintenance of some particular system.

Understand cloud computing. Cloud computing is the popular term referring to a concept of computing where processing and storage are performed elsewhere over a network connection rather than locally. Cloud computing is often thought of as Internet-based computing.

Understand the risks associated with cloud computing and virtualization. Cloud computing and virtualization, especially when combined, have serious risks associated with them. Once sensitive, confidential, or proprietary data leaves the confines of the organization, it also leaves the protections imposed by the organizational security policy and resultant infrastructure. Cloud services and their personnel might not adhere to the same security standards as your organization.

Understand hypervisors. The hypervisor, also known as the virtual machine monitor (VMM), is the component of virtualization that creates, manages, and operates the virtual machines.

Know about the type I hypervisor. A type I hypervisor is a native or bare-metal hypervisor. In this configuration, there is no host OS; instead, the hypervisor installs directly onto the hardware where the host OS would normally reside.

Know about the type II hypervisor. A type II hypervisor is a hosted hypervisor. In this configuration, a standard regular OS is present on the hardware, and the hypervisor is then installed as another software application.

Define CASB. A cloud access security broker (CASB) is a security policy enforcement solution that may be installed on-premises, or it may be cloud based.

Understand SECaaS. Security as a service (SECaaS) is a cloud provider concept in which security is provided to an organization through or by an online entity.

Understand smart devices. A smart device is a range of mobile devices that offer the user a plethora of customization options, typically through installing apps, and may take advantage of on-device or in-the-cloud artificial intelligence (AI) processing.

Comprehend IoT. The Internet of Things (IoT) is a new subcategory or maybe even a new class of devices connected to the internet in order to provide automation, remote control, or AI processing to traditional or new appliances or devices in a home or office setting.

Understand mobile device security. Device security involves the range of potential security options or features that may be available for a mobile device. Not all portable electronic devices (PEDs) have good security features. PED security features include full device encryption, remote wiping, lockout, screen locks, GPS, application control, storage segmentation, asset tracking, inventory control, mobile device management, device access control, removable storage, and the disabling of unused features.

Understand mobile device application security. The applications and functions used on a mobile device need to be secured. Related concepts include key management, credential management, authentication, geotagging, encryption, application whitelisting, and transitive trust/authentication.

Understand BYOD. Bring your own device (BYOD) is a policy that allows employees to bring their own personal mobile devices to work and then use those devices to connect to (or through) the company network to business resources and/or the internet. Although BYOD may improve employee morale and job satisfaction, it increases security risks to the organization. Related issues include data ownership, support ownership, patch management, antivirus management, forensics, privacy, on-boarding/off-boarding, adherence to corporate policies, user acceptance, architecture/infrastructure considerations, legal concerns, acceptable use policies, and on-board cameras/video.

Understand embedded systems and static environments. An embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it’s a component. Static environments are applications, OSs, hardware sets, or networks that are configured for a specific need, capability, or function, and then set to remain unaltered.

Understand embedded systems and static environment security concerns. Static environments, embedded systems, and other limited or single-purpose computing environments need security management. These techniques may include network segmentation, security layers, application firewalls, manual updates, firmware version control, wrappers, and control redundancy and diversity.

Understand how the principle of least privilege, separation of privilege, and accountability apply to computer architecture. The principle of least privilege ensures that only a minimum number of processes are authorized to run in supervisory mode. Separation of privilege increases the granularity of secure operations. Accountability ensures that an audit trail exists to trace operations back to their source.

Be able to explain what covert channels are. A covert channel is any method that is used to pass information but that is not normally used for information.

Understand what buffer overflows and input checking are. A buffer overflow occurs when the programmer fails to check the size of input data prior to writing the data into a specific memory location. In fact, any failure to validate input data could result in a security violation.

Describe common flaws to security architectures. In addition to buffer overflows, programmers can leave back doors and privileged programs on a system after it is deployed. Even well-written systems can be susceptible to time-of-check-to-time-of-use (TOCTTOU) attacks. Any state change could be a potential window of opportunity for an attacker to compromise a system.

Written Lab

1. Name the three standard cloud-based X as a service options and briefly describe them.

2. What are the four security modes for systems processing classified information?

3. Name the three pairs of aspects or features used to describe storage.

4. Name some vulnerabilities found in distributed architectures.