Security Management Practices Domain

Chris Hare (chare@nortelnetworks.com)

Nortel Networks

Version 1.0 - April 1999

This simple study booklet is based directly on the ISC2 CBK document.

This guide does not replace in any way the outstanding value of the CISSP Seminar, nor the fact that you must have been involved in the security field for at least a few years if you intend to take the CISSP exam. This booklet simply intends to make your life easier and to provide you with a centralized resource for this particular domain of expertise.

 

WARNING:

As with any security related topic, this is a living document that will and must evolve as other people read it and technology evolves. Please feel free to send me comments or input to be added to this document. Any comments, typo correction, etc… are most welcome and can be sent directly to: chare@nortelnetworks.com

This is NOT a Nortel Networks sponsored document, nor is it intended as a representation of Nortel Networks operating practices.

 

DISTRIBUTION AGREEMENT:

This document may be freely read, stored, reproduced, disseminated, translated or quoted by any means and on any medium provided the following conditions are met:

 

 

 

CBK - Security Management Practices

Description

Security management entails the identification of an organization's information assets and the development, documentation and implementation of policies, standards, procedures and guidelines which ensure confidentiality, integrity and availability. Management tools such as data classification, risk assessment and risk analysis are used to identify the threats, classify assets and rate their vulnerabilities so that effective security controls can be implemented.

Expected Knowledge

The professional should fully understand:

The CISSP can meet the expectations defined above by understanding such Security Management Practices, Topics and Methodologies as:

Examples of Knowledgeability

 

References

[HUTT95] Hutt, Arthur, Seymour Bosworth and Douglas Hoyt. The Computer Security Handbook, Third Edition. John Wiley and Sons, 1995.

[ISC991] (ISC)2 CISSP Week 1 Review Material.

[KRAU99] Krause, Micki and Harold Tipton, Editors. The Handbook of Information Security Management 1999. Auerbach, 1999.

[PELT98] Peltier, Thomas. Information Systems Security Policies and Procedures: A Practitioner's Guide. Auerbach, 1998.

[SUMM97] Summers, Rita C. Secure Computing: Threats and Safeguards. McGraw-Hill, 1997.

 

 

Knowledge Areas

Important Definitions

Virus – a self-propagating form of malicious code that executes unauthorized computer instructions. It spreads on contact with other programs or systems and is parasitic in nature: it needs a host program to carry it. It can be benign, or cause loss of system resources or data.

Worm – propagates new copies of itself to other systems and executes unauthorized instructions. A self-contained program (it needs no host), a worm generally does not destroy data, but can prevent access to a system by consuming all available system resources.

Trojan Horse – malicious code hidden inside a program that appears to do something useful, so the user runs it willingly. Logic bomb – malicious code that lies dormant until a trigger fires, e.g. a login (to grab passwords), a date, or some other specific event.

Trap Door – an undocumented access path through a system. It typically bypasses the normal security mechanisms and can be used to plant any of the other forms of malicious code.

Describe Internal Control Standards

From [ISC991], Section 1, page 2,

Internal Control Standards are those that reduce risk. Internal controls are required in order to satisfy obligations with respect to the law, safeguard the organization’s assets, and to account for the accurate revenue and expense tracking.

There are three categories of internal controls: general standards, specific standards and audit resolution standard.

The general standards must provide reasonable assurance, support the internal controls, provide for competent personnel, and assist in establishing control objectives and techniques.

The specific standards must be documented, clear and available to personnel. They allow for the prompt recording of transactions and the prompt execution of authorized transactions, and they establish separation of duties, qualified supervision and accountability.

The audit resolution standard means that managers must promptly resolve audit findings. They must evaluate the finding, determine the corrective action required, and take that action.

[SUMM97] on page 629 adds:

Auditors, either internal or external, check that the organization's internal controls are being met. The internal controls are intended to make sure that the organization's objectives are being met; that it operates effectively; that it complies with the applicable laws and regulations; and that it prepares reliable financial data.

Define Configuration Auditing

From [ISC991], Section 2 page 3:

Configuration auditing is the process of conducting an independent review and examination of system records and activities. The purpose is to test for adequacy of system controls, ensure compliance with established policy, and recommend indicated changes in policy, procedures and controls.

Describe Management Responsibilities toward Security Policies

From [ISC991], Section 2 page 6;

Management is responsible for protecting all assets that are directly or indirectly under their control. They must ensure that employees understand their obligations to protect the company’s assets, and implement security in accordance with the company policy. Finally, management is responsible for initiating corrective actions when there are security violations.

"All assets" refers to not only the organization’s fixed assets, but people and information as well.

[SUMM97] on page 149 also states that management is responsible for overall policy and for how the organization distributes authority.

Distinguish between Policies, Standards, and Procedures

From [PELT98], page 115

A Policy is a high-level statement of beliefs, goals and objectives, and of the general means for their attainment, for a specific subject area.

A Procedure spells out the specific steps of how the policy, its supporting standards and the guidelines will be implemented. A procedure is a description of tasks that must be executed in a specific order.

A Standard is a mandatory activity, action, rule or regulation designed to provide policies with the support structure and specific direction they require to be effective. Standards are often expensive to administer and therefore should be used judiciously.

A Guideline is a more general statement of how to achieve the policy's objectives by providing a framework within which to implement procedures. Where standards are mandatory, guidelines are recommendations.

Compare and Contrast International Security Evaluation Criteria

From [ISC991], Section 1, page 11;

There are effectively three major criteria efforts. (With the signing of the Common Criteria this number is being reduced, but since this happened only recently we must still focus on all three.)

The TCSEC, or Trusted Computer System Evaluation Criteria, were written to establish a metric for trust, identify built-in security features, and specify security requirements.

The ITSEC, or Information Technology Security Evaluation Criteria, were designed to harmonize international security criteria and were built on experience that had been accumulated over time. It was an international effort driven primarily by the European Community.

The "Common Criteria" was based upon the work derived from both the TCSEC and ITSEC efforts. It was intended to form the framework for specifying new security requirements and to enhance existing development and evaluation criteria while preserving their fundamental principles.

Describe Trusted Computer System Evaluation Criteria (TCSEC)

From [ISC991], Section 1, page 11;

The TCSEC identified levels of security within the criteria. These levels established how much of the security policy is enforced by the system (DAC vs. MAC), defined object labels (a requirement for MAC), subject identification, and protected audit information. It also defined a mechanism (the trusted computing base) to make sure that the requirements are enforced by the system, and how that mechanism must be protected from tampering.

An object is defined as something that is being accessed. For example, an object could be a file, a directory, a device or a process.

A subject is something that is accessing an object. For example, a user, or a process can be a subject.

Labels are used to identify the classification/categorization that is attached to an object or subject.
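The subject, object and label model above, worked through in code as an added example (this is not code from the study booklet or from the (ISC)2 material). The dominance rule it uses is the standard one behind TCSEC-style mandatory access control: a subject may read an object only if its clearance level is at least the object's level and its category set contains all of the object's categories, and may write to it only if the reverse holds, so information never flows down to a lower label. The users, file name and compartment names are constructed for illustration, and the discretionary part (a per-object ACL plus owner rights) is an assumption about how a DAC mechanism might look, not something the TCSEC prescribes.

```python
from dataclasses import dataclass, field

# Hierarchical classification levels, lowest first.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A label = classification level + set of categories (compartments)."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # A dominates B when A's level >= B's level and A's categories include B's.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Subject:
    """Something that accesses objects: here a user with a clearance label."""
    name: str
    clearance: Label


@dataclass
class Obj:
    """Something that is accessed: here a file with an owner, a label and an ACL."""
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)  # DAC: subject name -> set of modes (assumed format)


def dac_permits(subject, obj, mode):
    """Discretionary check: the owner always has access, others need an ACL entry."""
    if subject.name == obj.owner:
        return True
    return mode in obj.acl.get(subject.name, set())


def mac_permits(subject, obj, mode):
    """Mandatory check on labels: reads need the subject's clearance to dominate the
    object's label (no read up); writes need the object's label to dominate the
    subject's clearance (no write down, so data cannot leak to a lower label)."""
    if mode == "read":
        return subject.clearance.dominates(obj.label)
    if mode == "write":
        return obj.label.dominates(subject.clearance)
    raise ValueError(f"unknown mode {mode!r}")


def access(subject, obj, mode):
    """A B-division system applies both checks; DAC can only narrow what MAC allows."""
    return mac_permits(subject, obj, mode) and dac_permits(subject, obj, mode)


# Constructed sample: one file and three users.
PLAN = Obj("plan.txt", owner="bob",
           label=Label("Secret", frozenset({"NATO"})),
           acl={"carol": {"read"}})
ALICE = Subject("alice", Label("Top Secret", frozenset({"NATO", "CRYPTO"})))
BOB = Subject("bob", Label("Secret"))            # owner, but not cleared for NATO
CAROL = Subject("carol", Label("Secret", frozenset({"NATO"})))


def demo():
    """Return the access decisions for the sample, keyed by 'user:mode'."""
    return {f"{s.name}:{m}": access(s, PLAN, m)
            for s in (ALICE, BOB, CAROL) for m in ("read", "write")}


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(decision, "allowed" if allowed else "denied")
```

Two results are worth noticing. bob owns plan.txt, so DAC would let him do anything with it, yet MAC denies his read because his clearance lacks the NATO category: ownership never overrides a label. alice, cleared above the file, passes the MAC read check but is stopped by DAC because nobody granted her access, and her write is refused because writing a Secret object from a Top Secret subject would be a write down.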

According to [SUMM97] page 258, the TCSEC was part of a larger effort to have vendors build systems that were designed for military use. The criteria were intended to provide

A standard as to what security features the vendors should build into commercial products;

A metric that DoD units can use to evaluate systems' trustworthiness for secure processing of sensitive information; and,

A basis for specifying security requirements in acquisition specifications.

The TCSEC has four major divisions, each containing one or more classes. The requirement areas listed under a division are those introduced or strengthened there; each higher class also carries the requirements of the classes below it.

Minimal Protection
    D – No security features (systems that fail to meet a higher class)

Discretionary Protection
    C1 – Discretionary Security Protection
    C2 – Controlled Access Protection
    Requirement areas: Identification and Authentication; Discretionary Access Controls; Object Reuse; Audit; Security Testing; System Architecture (process isolation)

Mandatory Protection
    B1 – Labeled Security Protection
    B2 – Structured Protection
    B3 – Security Domains
    Requirement areas: Labels; Mandatory Access Controls; Design Specification and Verification; Covert Channel Analysis; Trusted Facility Management; Configuration Management; Security Testing (penetration testing); System Architecture (software engineering); Trusted Recovery

Verified Protection
    A1 – Verified Design
    Requirement areas: Design Specification and Verification (formal verification); Trusted Distribution; Covert Channel Analysis (formal covert channel analysis)

Finally, it is important to remember that TCSEC was focused on confidentiality issues.

Describe Information Technology Security Evaluation Criteria (ITSEC)

From [SUMM97] page 262,

Developed by Germany, France, the Netherlands and Britain in 1991, ITSEC was intended to bring government and commercial requirements into one document. Unlike TCSEC, ITSEC was focused on providing more than confidentiality in the model. It also more clearly separated the functionality required from the level of assurance the system should be evaluated for.

For functionality, there are three levels of security features:

These correspond roughly to policies, services and mechanisms.

Assurance has two aspects, correctness and effectiveness:

Correctness deals with the development process, documentation and operational procedures, and is graded E0 (lowest) to E6. Effectiveness has six elements to consider:

Are the security functions provided suitable to counter the threats?

Do the individual functions and mechanisms work together to provide an effective whole?

How well can the security mechanisms survive a direct attack?

Will it be possible in practice to exploit any design or implementation weaknesses found during evaluation?

Will it be possible in practice to exploit operational vulnerabilities found during evaluation?

How easy to use are the security functions?

While the TCSEC is focused on confidentiality, ITSEC brings integrity and availability into the picture.

Describe the ‘Common Criteria' effort

As discussed in the review class, and in [SUMM97], there is a need for the development of common criteria between the major industrialized countries. This common criteria effort has been underway since 1996 intending to resolve the differences among the TCSEC, ITSEC and Canadian CTCPEC. This effort has resulted in the recent signing of the common criteria.

Compare and Contrast Classified vs. Sensitive Data/Information

In [ISC991], Section 1 page 13:

Classified information is generally government information that must be protected against unauthorized disclosure. The classifications used to protect it are generally Top Secret, Secret and Confidential.

Sensitive information is often related to military critical technologies that are new or that identify key operational capabilities.

Sensitive But Unclassified (SBU), or Sensitive Unclassified Information (SUI), is not government classified per se, but still requires protection. The information may be of little value on its own, but when combined with other information can establish a larger understanding (data aggregation).

Describe Data/Information Classification Schemes

We classify information in order to determine the appropriate level of protection required. Information may be valuable today but not tomorrow, as there is generally a specific window during which the information is valuable. Sometimes that window is quite large, but in practice it is typically quite small.

From [ISC991] Section 1 page 14 and [KRAU99] pages 341-344,

Classification schemes must be usable by a large number of people. This means that there shouldn't be too many categories, as that makes it hard for the person classifying the information to determine what its classification should be.

The criteria used to establish the classifications are:

Value – what is this information worth to the company? How much would it cost to reproduce if it were lost? What would the loss be if this information found its way to a competitor, or onto the front page of the newspaper?

Age/Useful Life – how old is this information? When will the end of its useful life be reached?

Associations - ?

Authorization – who is authorized to see this information? Everyone, a restricted group, only top level management? Who is authorized to allow declassification?

Custody – Who will have custody of this information? How will they determine if the requesting user is entitled access?

Reproduction – Can this material be copied? If so, how will distribution be controlled?

Logging – Should records be kept regarding who has the material, was it returned or destroyed? Was it copied?

Marking and Labeling – How will the classified information be labeled and marked to show the classification?

Filing and Safekeeping – How will the information be protected in storage? Does it require the use of encryption or special locking mechanisms?

The classification program must also address a security awareness program, and how the classification and handling information will be provided to employees.

Describe the Risk and Countermeasures of Data Aggregation

Data aggregation occurs when smaller pieces of information are assembled to provide the "big picture". The risk is that, through data collection techniques, a person who is authorized to see some or much of the information may be able to infer more from the combination than they should.

A good countermeasure is to maintain strong separation of duties and a "need to know" approach. Job rotation can be beneficial.

Describe the Roles and Responsibilities of the IS/IT Security Function

From [ISC991], Section 1 Page 19

The IS/IT function is responsible for establishing and maintaining a security awareness program. This includes the development of policies, procedures and guidelines, maintenance of resource access controls and providing guidance on distributed computing and telecommunications security issues.

(In practice however, larger organizations may have someone who is responsible for the development of the policies and procedures while IS provides input.)

The IS function is responsible for conducting the Security awareness training, providing risk analysis services and investigating computer security incidents. It is also important that this team provide coordination with internal or external auditors during an EDP audit.

Compare and Contrast Various Organizational Placements of the IT/IS Security Function

There are several organizational layouts discussed in [SUMM97] on pages 566-567. These are

Security as a function within the Information Systems or Information Technology organization. In this arrangement the security function tends to lack independence and resources and gets little management attention. Separating security from operations and applications development gives it more autonomy. Alternatively, it can be a staff function reporting to the CIO.

Security reporting to a specialized business unit such as legal, corporate security or insurance. This structure is not recommended as it promotes a low technology view of the function and leads people to believe that it is someone else’s problem.

A structure that can be used (and makes sense) was proposed by William Perry in 1985. This structure has a Chief Security Officer reporting directly to the CEO. Each business unit has a security officer that reports to the head of that business unit. A security council is established and chaired by the CSO. New projects are identified and run by the security officers. Each business unit security officer is responsible for the implementation of the security program within his or her business unit.

Establish a security planning committee as proposed by Digital Equipment Corp. The committee establishes policies and oversees security for the company. Each level or major organization has a security coordinator. This model de-emphasizes the security organization in favour of making security everyone’s job.

NIST has a structure primarily for federal agencies. This structure has different levels. For example, there is a central agency and a system agency. Depending upon the size of the organization, there may be agency, unit, computer facility and application levels.

Compare and Contrast Data Owner, Custodian, and User Responsibilities

From [ISC991], Section 1 Page 19 describes these responsibilities as

Owners

This is a business manager or other person who is responsible for that information asset. Responsibilities include:

Custodian

Often an Information Systems person, the custodian operates as the owner’s delegate with primary responsibility for backup and recovery of the information. Responsibilities include:

User

The end users are any employees, contractors or other users who access the information from time to time. Their responsibilities include:

Define Standard Activities of Security Management Personnel

From [ISC991] Section 1, page 19,

The standard activities of security management personnel include:

Define Separation of Duties

This is the separation of tasks between two or more people so that no single person can commit a fraud undetected; completing the fraud would require collusion.

See [SUMM97], page 106.

Compare and Contrast Aspects of Technological and Non-Technological Security

From [ISC991], Section 1, page 22

How security is managed depends to some degree on the mix of technological and non-technological measures within the organization. For example, the technology in the environment (i.e. mainframe, distributed processing, network configuration) brings different technical issues to the forefront.

Within each of these technology levels, access control can be handled quite differently. It may include passwords, smart cards, tokens, biometrics or digital certificates. Protection of the information can be accomplished through encryption, and the need for anti-viral software changes between technology levels.

The non-technological side aids technological security. This includes the

Define Requirements for, and Objectives of, a Security Awareness Program

From [ISC991] Section 1, page 25

The requirements for a security awareness program are

Kinda vague in the docs!

The objectives for a security awareness program (are not vague at all).

The security awareness program is intended to

The program must effectively communicate the organization’s information security requirements and motivate employees and other users to comply with the requirements.

Identify the Appropriate Topics for Security Awareness Training

Suggested topics from [ISC991] Section1 page 27 are

Describe Military-Oriented War Threats to Information Security

From [ISC991] Section 1, page 29

The military is interested (and concerned) in

With the capabilities of today's commercially available computers, many of these are not difficult. In fact, in the future there may be more and more incidents involving information or computer based wars rather than wars involving the traditional soldier and battlefield.

Compare and Contrast the Vulnerabilities, Threats and Risks of Economic Espionage

Economic Espionage is defined in [ISC991] Section 1 page 29 as a government oriented activity to provide competitor-enhancing information to favoured businesses.

Most corporations and governments are vulnerable to some degree. Specific areas of vulnerability include

The risks associated with economic espionage are

Describe Potential Terrorist Actions

From [ISC991] Section 1 page 33,

Compare and Contrast Types of Malicious Code Threats

From [ISC991] Section 1 page 34-35

The definitions of virus, worm, Trojan horse/logic bomb and trap door given under Important Definitions above apply here.

Compare and Contrast Types of Viruses

From [ISC991] Section 1 page 36

Boot infector – moves or overwrites the boot sector with the virus code, so the virus runs before the operating system does.

System infector – infects COMMAND.COM or other system files. It is often a memory resident virus.

General Application (COM/EXE) Infector – infects any .exe or .com file; if it is memory resident, it infects each program as it is executed.

Stealth virus – capable of hiding from detection programs (for example by intercepting reads of the infected sectors or files and returning clean data). It installs a memory resident extension when it is executed.

Multipartite (multipart) virus – generally both a file and a master boot sector infector; harder to find because its components are in several places.

Self-garbling virus – hides from detection programs because most of its virus code is garbled (encrypted). A small header program "degarbles" the virus code when run and then executes it, so scanners have to look for the header rather than the body.

Polymorphic virus – also a self-garbling virus, but one that changes the "garble" pattern, and the degarbling header, each time it spreads, leaving no constant byte sequence for a scanner to match. As a result it is more difficult to detect.

Macro virus – malicious code written in a macro language, intended for applications that run specific macro languages, such as MS Word.

Describe How Good Computing Practices Reduce Exposure to Viruses

From [ISC991] Section 1, page 37

Good computing practices can result in fewer virus incidents. Some examples of good practices include:

Describe Contents of NIST Special Pub. 500-166

Very old and not worth worrying about, let alone reading.

Define Concept of Penetration Testing

Penetration testing is a method used to determine whether any vulnerability can be actively exploited to gain access to your network or system. Typically, the team doing the penetration test starts out with the same type of information that an attacker would have and initiates similar attacks to simulate breaking into your system. If they cannot break in, the test provides some evidence that the security implemented holds up against that kind of attack; it does not prove that no vulnerabilities exist, only that this team did not find one in the time available. If they are successful, the test demonstrates what vulnerabilities exist, how they can be used, and what areas should be improved.

Describe Methods of Penetration Testing

There are many ways of doing penetration testing, but there are some common methods of gathering information during the test. These methods, as described in [ISC991] Section 1 page 430, include

Once the information has been gathered, it is used to try to gain access to systems that the organization controls. The result is a report to management identifying what information was collected, what methods were used, what vulnerabilities were found and how they were exploited.

Distinguish Between and Define IT/IS Threats, Vulnerabilities, and Countermeasures

Define IT/IS Quantitative Risk Analysis

As defined in [ISC991], Section 1 page 45,

Quantitative risk analysis attempts to assign an independently objective numeric value to components of the risk assessment and to the assessment of potential losses.

Identify and Describe IT/IS Threats

The threats to IS Security are found in [ISC991] Section 1 page 46 and include:

Define and Describe IT/IS Threat Classifications

There are four classifications, which can be summed up in a four-quadrant matrix:

                          High frequency of occurrence    Low frequency of occurrence
    High loss per event   high loss / high frequency      high loss / low frequency
    Low loss per event    low loss / high frequency       low loss / low frequency

When considering this matrix, it is important to focus time and resources on the high loss/high frequency quadrant, while essentially ignoring the low loss/low frequency quadrant.

Define and Describe IT/IS Risks

The risks that IT can fall victim to include

Define IT/IS Risk Analysis Evaluation Functions

As defined in [ISC991] Section 1 page 48, the evaluation functions are

Identify IT/IS Risk Analysis Steps

The basic risk analysis steps include

This estimation should include loss through the

This identifies the probability of occurrence for each threat and identifies possible sources of assistance with those threats. For example, if fire is a major threat, then the local fire department should be able to provide assistance in reducing that threat.

This combines the potential for loss and the probability of occurrence, and becomes a guide to determine which security measures should be focused on and how much to spend to reduce the associated risk.
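The risk analysis steps above, and the four-quadrant threat classification from the previous section, worked through in code as an added example (not from the study booklet or the (ISC)2 material). The booklet names the concept of combining loss and probability but gives no formulas; the ones used here are the standard quantitative ones, single loss expectancy = asset value x exposure factor and annualized loss expectancy = SLE x annual rate of occurrence, and they are an assumption on my part. The threats, asset values, exposure factors, rates and the quadrant thresholds are all constructed for illustration.

```python
# Standard quantitative risk formulas (assumed here; the booklet names the
# concept but not the formulas): SLE = asset value x exposure factor,
# ALE = SLE x annualized rate of occurrence.

def single_loss_expectancy(asset_value, exposure_factor):
    """Loss from one occurrence; the exposure factor is the fraction of the asset lost."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """Expected loss per year: potential loss combined with probability of occurrence."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def quadrant(loss_per_event, aro, loss_threshold, freq_threshold):
    """Place a threat in the four-quadrant matrix (thresholds are assumed values)."""
    loss = "high loss" if loss_per_event >= loss_threshold else "low loss"
    freq = "high frequency" if aro >= freq_threshold else "low frequency"
    return f"{loss} / {freq}"


# Constructed sample threats: values, exposure factors and rates are illustrative only.
THREATS = [
    {"threat": "Fire in the computer room",  "asset_value": 2_000_000, "ef": 0.70, "aro": 0.02},
    {"threat": "Virus outbreak on desktops", "asset_value":   150_000, "ef": 0.10, "aro": 4.0},
    {"threat": "Laptop stolen from a car",   "asset_value":     5_000, "ef": 1.00, "aro": 3.0},
    {"threat": "Coffee spilled on keyboard", "asset_value":        50, "ef": 1.00, "aro": 0.5},
]


def analyse(threats, loss_threshold=100_000, freq_threshold=1.0):
    """The analysis steps in order: estimate the loss per event, estimate the
    probability of occurrence, combine them into an annual expected loss,
    classify the threat, and rank so that spending goes where it matters.
    Returns one row per threat, highest ALE first."""
    rows = []
    for t in threats:
        sle = single_loss_expectancy(t["asset_value"], t["ef"])
        ale = annualized_loss_expectancy(t["asset_value"], t["ef"], t["aro"])
        rows.append({
            "threat": t["threat"],
            "sle": sle,
            "ale": ale,
            "quadrant": quadrant(sle, t["aro"], loss_threshold, freq_threshold),
        })
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


if __name__ == "__main__":
    for r in analyse(THREATS):
        print(f"{r['threat']:<28} SLE {r['sle']:>12,.0f}  ALE {r['ale']:>9,.0f}  {r['quadrant']}")
```

On the sample data the virus outbreak (ALE 60,000) ranks above the fire (ALE 28,000) even though the fire is the high-loss event, which is exactly why both views are kept: the matrix says where to look first, the ALE says roughly how much an annual countermeasure may cost before it stops paying for itself.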

Define IT/IS Qualitative Risk Analysis

Qualitative risk analysis does not attempt to assign numeric values to the components of the analysis. Rather, it is scenario oriented: identify the types of problems that can occur, develop a scenario for each, work through the scenario to determine the outcome, and then rank the seriousness of the threat and the sensitivity of the assets.

This is more subjective than quantitative analysis, but it is easier to apply where hard numbers are unavailable, and it lends itself to the use of analysis tools and fuzzy logic.

[ISC991], Section 1 page 51

Define IT/IS Philosophy of Due Care in Regards to Risk Analysis

The approach of due care is an important one. Even if the organization gets caught up in a problem, it may not be held fully responsible or liable, provided it can demonstrate that it took appropriate precautions and used:

    controls and practices that are generally used;
    controls that meet the commonly desired security control objectives;
    methods that are considered appropriate for use in well-run computing facilities; and
    common sense and prudent management practices.

Then the organization will be said to have operated with due care, as any other informed person would.

Identify and Define IT/IS Countermeasures

Countermeasures are tools and techniques used to address vulnerabilities. For example, if you want to reduce the risk of a break-in at your home, you will either install an alarm system or get a dog. Both are examples of a countermeasure.

Compare and Contrast Selection Principles of IT/IS Countermeasures

From [ISC991] Section 1 page 55, there are several selection principles with regard to countermeasure selection. These include

Cost effectiveness

Before being able to determine whether a particular countermeasure is cost effective, you must consider the cost of the countermeasure itself, support costs and ongoing maintenance costs. In addition, it is necessary to include the human intervention cost: for example, if you choose to install a door alarm, what does it cost you to have a guard who can respond to the alarm?
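The cost-effectiveness principle above in code, as an added example that is not from the study booklet or the (ISC)2 material. It totals the yearly cost of each candidate countermeasure, including the human response time the paragraph warns about, and sets that against how much annual expected loss the countermeasure removes. The value formula (value of safeguard = ALE before - ALE after - annual cost of safeguard) and the ALE formula it rests on are the standard ones and are assumptions on my part; the server-room scenario, the four options and every figure in them are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Countermeasure:
    name: str
    purchase: float              # one-time cost, spread over lifetime_years
    lifetime_years: float
    support_per_year: float
    maintenance_per_year: float
    human_hours_per_year: float  # time people spend responding to or operating it
    hourly_rate: float
    ef_after: float              # exposure factor once the measure is in place
    aro_after: float             # annual rate of occurrence once in place

    def annual_cost(self):
        """Full yearly cost, including the human intervention cost."""
        return (self.purchase / self.lifetime_years
                + self.support_per_year
                + self.maintenance_per_year
                + self.human_hours_per_year * self.hourly_rate)


def ale(asset_value, ef, aro):
    """Annualized loss expectancy (standard formula, assumed here)."""
    return asset_value * ef * aro


def net_value(asset_value, ef_before, aro_before, cm):
    """Value of the safeguard = ALE before - ALE after - annual cost of the safeguard."""
    return (ale(asset_value, ef_before, aro_before)
            - ale(asset_value, cm.ef_after, cm.aro_after)
            - cm.annual_cost())


def select(asset_value, ef_before, aro_before, options):
    """Pick the option with the highest net value; None if none pays for itself,
    in which case accepting the risk is cheaper than any of the candidates."""
    best = max(options, key=lambda cm: net_value(asset_value, ef_before, aro_before, cm))
    return best if net_value(asset_value, ef_before, aro_before, best) > 0 else None


# Constructed scenario: break-in to a server room. ALE before any measure = 100,000.
ASSET_VALUE, EF_BEFORE, ARO_BEFORE = 500_000, 0.4, 0.5

OPTIONS = [
    #              name                          purchase  life support maint hours  rate  ef   aro
    Countermeasure("Door alarm + guard response",  20_000,    5,  1_000,   500,  104, 40.0, 0.4, 0.10),
    Countermeasure("Guard dog",                      5_000,    8,  3_000,     0,  365, 20.0, 0.4, 0.20),
    Countermeasure("Vault door",                   400_000,   10,      0, 2_000,    0,  0.0, 0.4, 0.02),
    Countermeasure("Armed guard 24x7",                   0,    1,      0,     0, 8_760, 25.0, 0.4, 0.01),
]


def report(asset_value=ASSET_VALUE, ef=EF_BEFORE, aro=ARO_BEFORE, options=OPTIONS):
    """(name, annual cost, net value) for each option, best first."""
    rows = [(cm.name, cm.annual_cost(), net_value(asset_value, ef, aro, cm)) for cm in options]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for name, cost, value in report():
        print(f"{name:<28} annual cost {cost:>10,.0f}   net value {value:>10,.0f}")
    chosen = select(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, OPTIONS)
    print("selected:", chosen.name if chosen else "accept the risk")
```

The vault door reduces the expected loss the most, but its amortized cost eats most of that reduction; the round-the-clock guard reduces it further still and is rejected outright because the staffing cost exceeds the whole loss it prevents. The door alarm wins only because the guard's response time was counted; leave the human cost out and the comparison comes out wrong.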

Minimum Human Intervention

The countermeasure should have the least amount of human intervention. This is because manual intervention in a countermeasure is usually the weakest part of the safeguard.

Override and failsafe defaults

Each of the countermeasures must have shutdown capability. They must have a failsafe capability that defaults to lack of permission (i.e. no access through a door), yet still allow for the safety of personnel.

Absence of Design Secrecy

Countermeasures should be designed openly and thoroughly tested. If the design is totally proprietary, it may be harder to verify that the product operates as claimed. In addition, if the design is totally secret, it may also be harder to change aspects of the countermeasure when an improved product is developed. The protection should rest on protected keys and configuration, not on the design staying secret.

Least Privilege

Here the countermeasure operates by providing only the minimal amount of access or information needed for the user (or process) to function. Consider the UNIX login program: when the user enters a bad username/password pair, login does not say which of the two was wrong, only that the login was not successful, so an attacker cannot use it to learn which usernames are valid.
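The login example above in code, as an added example that is not from the study booklet and not any real login(1) implementation. leaky_login() hands back the extra information (which half of the credential was wrong); uniform_login() gives the same reply in both cases and, because the reply is not the only channel, also does the same amount of work for an unknown name as for a known one, so the response time does not give the difference away either. The single user account, its password, the dummy entry and the PBKDF2 work factor are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; assumed value for the example


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_table(users):
    """Build {name: (salt, hash)} from {name: password}: the stored form of a password file."""
    table = {}
    for name, password in users.items():
        salt = os.urandom(16)
        table[name] = (salt, _hash(password, salt))
    return table


# Constructed user table (one account) and a dummy entry used for unknown names.
USERS = make_user_table({"alice": "correct horse battery staple"})
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("", _DUMMY_SALT)


def leaky_login(table, name, password):
    """Tells the caller more than it needs: the reply distinguishes a bad username
    from a bad password, so a remote attacker can enumerate valid accounts."""
    if name not in table:
        return "no such user"
    salt, stored = table[name]
    if _hash(password, salt) != stored:   # ordinary comparison, also not constant time
        return "wrong password"
    return "ok"


def uniform_login(table, name, password):
    """Minimal information: one reply for both failures, and the same work done
    (a hash is always computed, against the dummy entry when the name is unknown)
    so that timing does not reveal whether the account exists."""
    salt, stored = table.get(name, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if name not in table or not matches:
        return "login incorrect"
    return "ok"


if __name__ == "__main__":
    attempts = (("mallory", "x"), ("alice", "x"), ("alice", "correct horse battery staple"))
    for login in (leaky_login, uniform_login):
        for name, pw in attempts:
            print(f"{login.__name__:<14} {name:<8} -> {login(USERS, name, pw)}")
```

The `name not in table` check in uniform_login() is what stops an unknown name with an empty password from matching the dummy entry; it is evaluated after the hash so that both paths cost the same.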

Entrapment

In this countermeasure, a vulnerability is deliberately made attractive to the attacker in order to lure and catch them. Its use raises serious ethical and legal questions, and it should be avoided.

Independence of Control and Subject

Here the countermeasure controls and/or constrains the subject into only doing what is permitted based upon certain factors (i.e. who they are).

Universal Countermeasure

In this case, the countermeasure must perform the same constraint uniformly across all subjects and minimize exceptions to the countermeasure.

Compartmentalization and Defensive Depth

In this case, one countermeasure must work with another to provide depth of defence. The depth provides multiple hurdles that the attacker must get past to gain access, so that no single failure gives the attacker everything.

Isolation, economy and least common mechanisms

Here the countermeasures must work totally independent of each other. This minimizes the dependencies on common systems to implement the safeguards.

Completeness and Consistency

This countermeasure specifies the allowed and prevented actions through specifications and operating instructions.

Instrumentation

This monitors the countermeasure for proper function and reports on failures to perform as expected and identifies attacks.

Acceptance and Tolerance by Personnel

Management and the users must be willing to accept and tolerate the constraints imposed by the countermeasure. If they do not, they will find a way to work around the countermeasure, thereby eliminating any value.

Sustainability

The more automatic the operation, the more sustainable the countermeasure is over a longer period of time.

Auditability

The countermeasure must record actions taken by personnel and be verifiable. The auditors should be involved in the design and implementation of devices to ensure their audit control objectives are operating as expected.

Accountability

Assign at least one person to take ownership of the countermeasure, and its implementation within the organization. The operation of the countermeasure should be associated directly with that employee’s performance.

Reaction and Recovery

The behaviour of the countermeasure when activated must be evaluated. For example, the asset must not be destroyed (so don't use dynamite to protect your bank vault), and personnel must not be thrown into a panic by placing them in a situation they cannot control or interact with.

Residual and Reset

Once the countermeasure has been activated, the asset must be as protected as it was before, and the asset must continue to be protected as the countermeasure is reset.

Vendor Trustworthiness

Review the past performance of the vendor and their products. This includes trade journals, product reviews, and seeking experience with the product/service through client references.

Multiple Functions

If the countermeasure provides several operations/functions, base the evaluation on the primary function it supports.

Define the Valuation Rationale for Data/Information worth

From [ISC991] Section 1, page 58

There are three bases for information worth. These are

Compare and Contrast Data information Collection & Analysis Techniques