CCT 070: Decoding Security Models: A Deep Dive into CISSP's Domain 3 Essentials (D3.2)

Bold Statement: "Your company's security depends on more than just your own vigilance. It also hinges heavily on third parties. In today's episode, we tackle that reality head-on, using a case study of a Windows 7 PC from a high-security fencing company that was hacked to infiltrate sensitive military and research sites. This real-life example serves as a stark reminder of the need for constant assessment and monitoring of third parties to safeguard your firm. Additionally, we shed light on the trusted computing base and its key components like the system kernel and hardware, the security kernel, and mandatory access controls, which are all essential in fortifying your environment against threats.

Tantalizing Teaser: "Trust us, you won't want to miss our deep-dive into trusted computing for data integrity and security. We lay bare the distinctions between TPM and HSM and illustrate how the trusted computing base (TCB) can be harnessed to craft a robust multi-level security system. We also illuminate the TCB's applications for financial systems, device identification and verification, and the Internet of Things. Towards the end, we unravel the HRU Model for Access Control, breaking down its components, outlining its practical applications, and discussing its limitations. This episode is designed to demystify complex cybersecurity concepts, so tune in and prepare to ace the CISSP exam.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

Content:

Transcript:Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey y'all, sean Gerber with CISSP Cyber Training Podcast, and I hope you all are having a beautifully blessed day today. Today is an amazing Monday and we are in the throes of having some nice weather here in Wichita, kansas, so it is exciting. It's actually finally starting to cool off. Just a little bit, because I am so tired of melting. I just got back from a wonderful trip out in Colorado to see my brother and that was a lot of fun, beautiful area. If you haven't been to the United States or have been to Colorado, I highly recommend it. You're up there and it's just. The views are breathtaking. But you aren't here on this podcast to learn about views of Colorado. You are here to learn about CISSP and the areas that go along with it. Well, before we get started, we're going to talk about a just recent hack that I saw in the news as it relates to our third party. So we talk a lot about third parties in CISSP, cyber Training, and this is another situation of how important your third parties are to the protection of your company. This is an article that was in the register and it talks about how a system was hacked due to a Windows 7 PC that was from a high security fencing company. So basically, these are the folks that deal with fences for military installations and they had a Windows 7 PC that was, for whatever reason, access had access to various entry points within the network. Well, what they use is they use this Windows 7 to gain access to some of this is the UK, their most sensitive military and research sites. So this ransom group of LockBit, which we've talked about on the podcast before in the past, did actually get access to it and exfiltrated about 10 gigs of data. So, in the grand scheme of things, 10 gigs is not a large amount of data. However, they were able to get access to UK's military defense complex, so that can be a bit of a challenge. So, as we talk about this, one of the main things you deal with as it relates to security is that you want to make sure that your third parties are secure just as secure, if not as, if not more so than your current environment, because you don't control them. So it's important for you to work with your third parties, and I recommend doing risk assessments of them, especially if they contain sensitive data that you have to deal with or that they're protecting on your behalf. So I highly recommend this good article out there on the UK. It basically talks about this a little bit more in depth, but I wanted to kind of bring this to your attention just because of the fact that Windows 7 PCs, as outdated as they are, are still being used within organizations, and so, therefore, it is up to you, as a security professional, to ensure that you are helping secure those environments within your company. So food for thought. Okay, so we're now going to get started into, though, the various aspects related to security models associated with domain 3. Now, as you deal with domain 3, some of the questions I get a lot on CISP, cyber training is around the security models. So we're going to quickly go over some of them and why we're kind of the quick overview around their aspects, but before we do, we're going to focus on one key aspect that I feel is really important and it's really necessary as you're looking at the various security models. That topic is called the trusted computing base. So you might be wondering what is the overall trusted computing base? So this is the trusting of you to base is set to all hardware, firmware, software, all those aspects that are set up that are to be critical to the security of your overall computing environment, and it does tie into some real key concepts. So it's the core operating functions will fall under the trusted computing base, as well as the hardware components and, such as the CPUs and the memory chips. They all fall under what is considered trusted and that is what helps ensure that we have a solid, trusted system when we are adding systems to our overall environment or network. This critical security algorithms are also part of the trusted computing base and if you don't maintain protection around all of this, the whole house of cards that we have from a networking and computing standpoint can come crashing down. The TCB is responsible for enforcing system-wide security by isolating processes, managing memory and controlling access to these various resources, and you'll talk about, you'll see hacks that will occur that focused on some of the components of the trusted computing base, such as the system kernel. You'll see various hacks out there that go they're targeting very deeply into the overall system, looking and targeting the kernel itself. There's a lot of EDR, which we talk about in CISSP, cyber training. Edr is the end point detection and response capability, and you'll see questions around that on your CISSP is what is an EDR solution? Well, the EDR solution will look at these various components that are tied to the trusted computing base, and one of them would be the overall system kernel. Another component would be your hardware, and your hardware would be components like your CPU, your memory disks that provide computational storage capabilities. All of that is going to be available to you as well. That's all tied under the trusted computing base. Then your security kernel. This is a specialized component of this TCB that does ensure that you have mandatory access controls. Which we've talked about is the Mac and your DAC, your mandatory access controls and your discretionary access controls. Your mandatory access controls. This, the security kernel, specializes in enforcing your mandatory access control policies over all the subjects and processes that are going on. Again, your components are your operating system kernel, your hardware and your security kernel. Those are three components of the TCB. There are two processes that are associated with integrity as it relates to the trusted computing base. One is configuration management. Now, configuration management is the systematic management of system files and changes to maintain the integrity of your TCB. Then there's also the secure boot process. Now, this is a big factor because you want to make sure that I'm going to come back to. The real secure boot process is that it verifies that all boot components are there before loading them to prevent unauthorized or malicious code execution. So I kind of spin back that a little bit. When you're doing configuration changes to your trusted computing base, which would be your operating system kernel, your hardware or your security kernel, you're going to want to ensure you have solid configuration management, which means I am. If I'm making a change to version one, I know version one is the version that's supposed to be in place in there. I also know that that is a trusted version one. That's not a manipulated version one. This is another way where hackers, if they can get into the configuration management piece and they can get into the boot process, they will manipulate those in a way to install their malware in a trusted format, because if they can break into the TCB, they now are considered trusted within that device. So it's important that you do understand this concept because without it now you have all these systems and if you can't trust the firmware that's being put in there then it can lead to, obviously, problems within your overall trust of the system itself. So what are some examples of the trusted computing base? So you have the operating. We're going to get into those a few of them, but the first one is the operating system. Now the operating system understands the isolation of the overall processes that are occurring in this trusted computing base. So the TCB ensures that the different processes that are isolated from each other. You want to make sure that whatever processes is operating, they can't blend or that the rights that are allowed to you to run one process within the TCB are not used to run another right, another process. It also restricts unauthorized access to the overall resources. So again, you don't want to have broad brush access. Like we've talked about time and again. Security it's ensuring that the proper access for the proper role and you want to make sure that, especially in your operating system, that only the certain roles are allowed the access they are deemed to have. Another one is user authentication. Now this manages the mechanisms to validate the user's credentials before actually granting them the access that this ensures that they are. Only the right person or the right system that is actually running these processes is able to do that. The role based access control applies to the policies depending upon the user's roles, ensuring that their only authorized tasks can actually be executed. Another example of the trusted computer base is virtualized environments. Now the hypervisor we talked about, that is the layer that's below, that actually runs all the systems within your virtualized environment. This is the TCB will ensure the hypervisor, which controls the virtual machine. So again, you have multiple virtual machines that are sitting in a virtual environment that are run by the hypervisor. The TCB ensures that they all remain secure and again, that controls the policies that are implemented to those to avoid there's any sort of cross contamination. One of the things you're concerned about is, if you have multiple virtual machines in an environment, you don't want one transferring data between another. You don't want one that has access to another. That's the cross control piece of this. You want to ensure that they are separated and segregated. The networking equipment there's various network equipment that are. We're just going to quickly talk about. One is the firewalls. Now the firewalls. Tcb will control packet filtering, allowing for traffic to be denied or traffic to be allowed. This also goes in line with an intrusion detection system as well. So they work very similar as the IDS and IPS as a firewall. But we'll just talk about the intrusion detection system. It analyzes network behavior and flags for suspicious activity, and those components that are tied to the TCB will provide that network behavior and then they're the ones that are going to annotate if there is anything suspicious. Another aspect of the trusted computing base is your UEFI secure boot. Now. We've talked about this on CISP Cyber Training before and you'll see this in the CISP exam. There is the UEFI secure boot Now. This checks to ensure that there are digital signatures loaded that haven't been tampered with or compromised. We've been seeing issues with Microsoft lately where they've had digital signatures compromised. I say this to the point of the UEFI secure boot. Necessarily hasn't, but if your digital signatures were, you now are acted as a trusted resource when they're having to do the boot up mechanism. There's also in the secure boot piece of this. There's the chain of trust and this is from the boot loader to the OS, which basically mean this is a mini hacks that have occurred utilizing. They've taken out and they've seen they need to do some sort of update and they'll take from the boot loader and they will update to the operating system and what ends up happening is that then installs the malware in a trusted environment. The big issue here, you understand, is with the trusted computing base. It's so important that the data that's going into it has been verified and had. The integrity of it is valid and it is free from any sort of malicious content. The hardware base security we're going to be dealing with the TPM, which is the trusted platform module. This is a key factor. We've seen in the news a lot lately where the TPM keys have been stolen or modified. This provides the root of trust to store the encryption keys securely. The TPM You'll hear about that a lot. The other one is the HSM, which is your hardware security module. There's actually a device itself that manages the digital keys. It too is part of the overall trusted computing base in a very high security environment. What the HSM is is you have your TPM, which manages the keys locally. If you have a very high security environment, you may have an actual hardware device called an HSM that will actually store your physical digital keys for you. Okay, so then we're going to look at some military and governmental systems that are related to the TCB. These are multi-level security systems that allow or enable software running at different security clearances on the same hardware Similar we've talked about before. If you have a top secret system and a secret system, you want to ensure that those are adequately separated. The TCB will ensure that they are. Now that allows them to run on the same switch, the same in the path. You know, the same switch, the same firewall, whatever that might be. In the past, they used to have them completely segregated. The TCB will allow these multi or these military level systems to be able to be multiple used between them. The good part about that is there needs to be some level of an audit trail that you can go back and ensure that there was no cross contamination and that one system was not accessed through the secret side and then had access to the top secret side. Also, when you're dealing with financial systems, tcb is important because it ensures that there's a secure transaction between one to another and, again, this ensures the integrity and the origin of the transactions before they're being processed. It also can do data masking and depending upon we've talked about, from a legal standpoint or the governmental standpoint, that will determine a lot of where. If you enable this, because you want to have the ability to enable protection of the data itself, both from a privacy standpoint and also from a financial transactions. The Internet of Things TCB will help manage certificates and keys for device identification and verification. I've had to do this with my college students is that we'd walk them through how do you use a Raspberry Pi? How do you manage the certificates that go with this Raspberry Pi? The TCB will help that overall process. The trusted computing base Again, that it isn't a thing, it's just basically a concept that if you maintain the trusted computer base, it will ensure that the keys of each of those devices are properly protected. When you're dealing with TCB and mobile devices, there is there's two areas. There's sandboxing and biometric verification. The sandboxing basically isolates the application in their own environment to prevent unauthorized access to system resources. The biometric verification uses your fingerprint or face to a part of the TCB authentication process as well. It's important that these are all segregated from the overall operating system tied to the mobile device. You do not want cross-contamination if you're able to get into the mobile device, into the operating system and then actually able to pivot into the overall application itself and or into the biometrics pieces of this as well. So Apple's done a really good job of this. More Android are not as well in many cases, but the bottom line is that you want to ensure that your TCB is what breaks into sandboxing and biometric verification. Okay, the state machine model. Now, this model describes a system in terms of various states, which would be the initial state and the transition between those areas. There's rules that describe how each system moves from one to the next, and this is basically how it starts itself up. Now, the initial state is a state in which the machine begins its operation. Now there's various use cases on how this works. So one would be your formal verification. This is where there's math. There's math I can't say the word. It's mathematical, that's it, the big word. It's a mathematical methods that are used to prove or disprove the overall correctness of the system. So, is the state? Is it solid? Is it actually where it's supposed to be? Is it in a position where it's going to be? It's going to work more or less, and then there's a secure system design around this and this utilizes the state machine model to design systems where there's transitions between each of these various aspects are secure. So from one state to the next, state that it is in a secure form. Then there's the information flow model. Now, the information flow model is designed to ensure that data moves in a way that complies with the organization's security policies. So you basically have your state that that's the first level. Then you have how your information model is going to grow and go from this position. Now there are various types of information flow models. There's the Bell La Pula model I can never say the name Pa-dula, pa-dula Bell La Pa-dula model. Now this Bell La Pa-dula, the BLP much easier to say that focuses on data confidentiality and is used in government and military applications. Then there's the BIBA model, which you will hear again as well from in your taking your CSP exam. This focuses on the data integrity and ensures that the data is not degraded by less trustworthy subjects. Now, as we deal with implementation around these various information flow models, you're going to be dealing with security labels. Now the security labels are the classification labels, such as top secret, public secret, unclassified. Then tied to those is going to be what they call mandatory access controls. These are policies in which access to an object is regulated by security policies determined by the objects label. So what does that mean? So it means that you may have a policy that set up that only top secret systems, then only these people can access those, and that policy will then is regulating or is guiding that access based on that specific label. Those are the mandatory access controls that are associated with the overall label. Now, what is the non-interference model? Now, the non-interference model this aims to prevent any activity at higher security levels from affecting activities at a lower security level. So in a concept would be around. This would be the non inferrence. This ensures that lower classification levels cannot infer their activities occurring from the higher level. So if you have something that's happening at a higher level of security and now the lower level because of the communications between them, you can infer what is going on at the higher level. It is designed as the non-interference model to avoid that inference, that understanding of what's actually occurring. The other one is a non deducibility. This prevents any logical deduction based on the observables behavior at lower levels to deduce activities at higher levels. It prevents logical deduction and understanding what's going on on the observable behavior, to be able to watch what's going on. So you can't deduce it based on what you're seeing at the lower levels to deduce activities at higher levels. So you have the inference piece and then you have the non deduce ability. Those are two key concepts associated with the interference model. I just said a lot there and your prize are probably all your eyes are rolling in the back of your head going. I am confused. I will have documents on CISP. Cyber training will be available. You guys can download those and it will walk you through each of these again in a actual format or textual based. They'll also see this on YouTube. I'll have this, the outline, the video of this will be available. The video is available on CISP cyber training as well. So what are some real world applications around this? So you have covert channel analysis. Now we've talked about covert channels and how those work. Well, the covert channel analysis. This identifies unintended communication paths that may leak information. So if you have a communication path that's occurring and you don't want it to basically like an API is a good example. You wouldn't want that to leak information out. This is where the non interference model will help understand what are the different model, things that are talking together. Is there a possibility that this information could spill out? That's the overall goal of this model itself. The other one is around separation of duties. This is dividing tasks and privileges among multiple people or systems. I deal with the separation of duties a lot in my with other areas that I do, and so the separation of duties piece would be as Sean can have access to it today and then, but for him to basically provide he has to approve access because people are giving a better example. Someone comes in and says I want to request access to a. Well, they can. Their supervisor may be able to prove a, but to a has a separate level of access that is beyond everybody else. So once the supervisor approves it, then it comes to show on to approve it. Because separation of duties I'm not in their overall that what they do on a day to day basis. So when it comes to me, I look at this and go should I approve this? Should I not approve it? That is separation of duties. Another model is what we call the take grant model. Now this is a formal way to represent the dynamic behavior of access rights in a system. Now there's various components to the take grant model. There's subjects, objects and rights. Now the subjects are the users, the processes or any entity that can perform the actions itself. The objects are resources, like files, cpus and memory that are being accessed. So, you again, your subjects are the users and the processes. The objects are the resources your files, your CPU, all the memory, what's being worked on. And then, finally, are the rights. These are the permissions that are granted or taken, like read, write, execute, etc. So again, the components are subjects, objects and rights. That are all tied to the take grant model. Now some use cases around the take grant model would be databases. These have very complex permissions and since they do have so many complex permissions, they can be effectively modeled and work through using the take grant process Operating systems. These also process can be better to manage when you're ensuring they only accesses the recent, their resources that they're allowed to access. That is tied to the operating system, and those use cases are also part of the overall take grant methodology. Now I'll give you one model that I really didn't know much about until I started doing some more research on this one, and this is called the Harrison, ruzu-ulman or HRU model. I saw it in the book and I wanted to kind of dig a little deeper into this myself Now that Harrison Ruzu-Ulman HRU is a formal model used to describe and analyze access control systems. Now this is tied specifically to their capability to safely alter access rights. I hadn't really even known that this was available and it must be obviously relatively new as it relates to the overall models. But what it's designed to do is designed to address the issues of rights amplification or degradation as a result of these real, quickly changing or dynamically changing permissions. So, as we noticed, in this today's world their permissions are changing routinely and very quickly. This HRU model was designed to help understand that access and how to put in place controls to ensure that those are done quickly and appropriately. Now the HRU model design defines a formal system of representing access control mechanisms to safely and the safety properties of a system as rights are granted, removed and or modified. So again, as you give them, remove them. It's ensuring that the access controls are properly maintained, removed and granted. Now you're dealing with key concepts around this. This is called there's a. The state description itself will kind of talk about what that is. So the state in the HRU model consists of set of subjects, a set of objects and a set of rights, very similar to what we talked about with the take grant, and it connects the subjects and objects together. But what it does is it serves as a snapshot of the current access situation. So it's focusing on the current access as it is today and that's what's using it as its baseline. Now the commands are the actions that change the access matrix, basically the rights among the subjects and the objects. So the commands will make changes to this matrix and this matrix will then actually cascade through. Each command consists of a precondition that must be met and an operation that are performed if those conditions are met. So you already have it set up. So you have your objects and your subjects. Okay, those are the two key pieces, just similar to take grant, but then it has preconditions that must be met for this operation to continue. So it's much more granular than the strand standard take grant method. You actually have preconditions built in that must be met. Now the safety properties that are tied to this HRU, which they consider a central concept, is it is where it's impossible to reach an unsafe state where an unauthorized access could occur. So this happens a lot, right. So if you have individuals that are hackers, that are trying to gain access to systems, they utilize credentials that are above what they should be allowed to do and they're able to gain access to this, and this would be considered as, as far as the HRU model is concerned, an unsafe state. This is where unauthorized access could occur. Again, key concept, understand with HRU unsafe state is where unauthorized access could occur, kind of those key bullets you need to kind of keep in mind when you're looking at this. So if it can be proven that an unsafe state is unreachable from the initial state, which means you can't get to it, right, you first get in, you can't get to it. If it's proven that you can do this, then it would be considered a safe state. Okay, so that under I know there's a lot of states in there is a lot of confusion, confusion as it relates to the wording. Bottom line, though, is if you can be proven to be a safe state is reachable from the initial one, then it's considered air quotes safe, Because when you're dealing with HRU, you have the properties that are associated with it. There is administrative policies that are tied to the HRU, and these provide a way to analyze how the administrative tasks affect the overall safety of the system Through the use of commands, you can understand how the access control policy is evolving over time. So it's the design of those policies is how you can ensure that it is in an air quotes safe state. Now this, the HRU model, is general enough to express a wide variety of access control policies, making it much more flexible for various implementations that you may want to deploy. Now the model provides a framework where or not you can determine if it's in a safe state as the rights are changed. So, again, if they're changed, you want to ensure that it maintains that safe position. Now there are some limitations around it complexity and lack of real world semantics. Okay, like we said, we've talked a lot around safe states, states, all these overall aspects. Well, the complexity of this is because it's undecidable. It checks the safety at all possible states. It's very complex and it can be computationally challenging. So there's a lot of, there's a lot of nuances that so if it's having to compute computationally check each time that it's safe, that can be very daunting. There's also the lack of real world semantics. While it's powerful in a theoretical standpoint, it doesn't deal with real world semantics, like user authentication, and limits its practical application. So you're telling me you're probably listening is going. Why am I paying attention to this? Because it's in the CISSP book and it's also something I learned, but I did not understand how complex this overall process is. But the ultimate goal again come back to is is that it's designing to ensure that your objects and your subjects, any changes that occur, you can validate those and you can ensure that it is safe. It is not. It is in a situation where no one can mess with it. If you can make changes to it, then it would be considered unsafe. So what are some various applications in which this could be used? Okay, so you have database security and the HRU model can be used to analyze and model complex permissions because databases are challenging, and also as the permissions and the roles in these various database systems, operating systems. You can have it by identifying potential issues of privileged escalation, which we talk about as hackers do quite routinely and or unauthorized access. Now, the HRU model can contribute to the design and analysis of secure operating systems. And then the room comes right down to it. What are some practical implications If you want to deeply understand the implications of a dynamically changing access rights. Whether it's software development or policy configurations, the HRU is a good option from a model standpoint. Is it practical in today's world? You know I who am I to say I would say it's probably limited, but there probably are very specific use cases where the HRU model could be used in a very strong case to prevent any sort of access to these systems that they shouldn't people shouldn't have. All right, that's all I have for you today. I hope you have a wonderful day. Go out to cispsybertrainingcom. Check out all the free stuff that's out there and available to you. Get access to these, this documentation I have. Get access to the videos I have. You'll be able to check me out on YouTube. We'll have access to that there. I have 30 free CISP questions every single month that are available to you. You just got to sign up for my email and you'll get those each and every month. There's also CISP questions that will come to you on a weekly basis that I have you can test yourself. So my ultimate goal is to create as much content to help you provide everything you need to pass the CISP exam the first time. All right, have a wonderful day and we'll catch on the flip side, see ya.