Given multivariate, multidimensional events generated by adaptive human agents, perhaps it would not be too far a stretch to claim that no two events are precisely the same. Given the absence of actuarial data, what can a poor security architect do?
Answer the question with a short paragraph, with a minimum of 300 words. APA formatting but do not include a title page, abstract or table of contents. Body and references only in your post.
A minimum of two references are required. One reference for the book is acceptable but multiple references are allowed. There should be multiple citations within the body of the paper. Note that an in-text citation includes author’s name, year of publication and the page number where the paraphrased material is located.
University of the Cumberlands School of Computer & Information Sciences
ISOL-536 – Security Architecture & Design
Chapter 3: Security Architecture of Systems
3.1 Why Is Enterprise Architecture Important?
3.2 The “Security” in “Architecture”
3.3 Diagramming For Security Analysis
3.4 Seeing and Applying Patterns
3.5 System Architecture Diagrams and Protocol Interchange Flows (Data Flow Diagrams)
3.5.1 Security Touches All Domains
3.5.2 Component Views
3.6 What’s Important?
3.6.1 What Is “Architecturally Interesting”?
3.7 Understanding the Architecture of a System
3.7.1 Size Really Does Matter
3.8 Applying Principles and Patterns to Specific Designs
3.8.1 Principles, But Not Solely Principles
3.1 Why Is Enterprise Architecture Important?
A survey of 7,000 years of history of humankind would conclude that the only known strategy for accommodating extreme complexity and high rates of change is architecture. If you can’t describe something, you can’t create it, whether it is an airplane, a hundred-story building, a computer, an automobile . . . or an enterprise. Once you get a complex product created and you want to change it, the basis for change is its descriptive representations.
Any process, manual or digital, that contributes to the overall goals of the enterprise, of the entire system taken as a whole, is then, necessarily, a part of the “enterprise architecture.” Thus, a manually executed process will, by definition, include the people who execute that process: “People, process, and technology.”
3.2 The “Security” in “Architecture”
An assessor (usually a security architect) must then be proficient in architecture in order to understand and manipulate system architectures. In addition, the security architect also brings substantial specialized knowledge to the practice of security assessment. Hence, we start with solutions or systems architectures and their representations and then apply security to them.
3.2 The “Security” in “Architecture” – Cont.
Mario Godinez et al. (2010) categorize architectures into several different layers, as follows:
Conceptual Level – This level is closest to business definitions, business processes, and enterprise standards.
Logical Level – This level of the Reference Architecture translates conceptual design into logical design.
Physical Level – This level of the Reference Architecture translates the logical design into physical structures and often products.
3.3 Diagramming For Security Analysis
Figure 3.1 A simplistic Web architecture diagram.
The diagram does show something of the system: There is some sort of interaction between a user’s computer and a server. The server interacts with another set of servers in some manner. So there are obviously at least three different components involved. The brick wall is a standard representation of a firewall. Apparently, there’s some kind of security control between the user and the middle server. Because the arrows are double headed, we don’t know which component calls the others. It is just as likely that the servers on the far right call the middle server as the other way around.
3.3 Diagramming For Security Analysis – Cont.
Figure 3.2 Marketing architecture for a business intelligence product.
From Figure 3.2, we know that, somehow, a “warehouse” (whatever that is) communicates with data sources. Even though we understand, by studying Figure 3.2, that there’s some sort of “application platform”—an operating environment that might call various modules that are being considered as “applications”—we do not know what that execution entails, whether “application” in this diagram should be considered as atomic, with attack surfaces exposed, or whether this is simply a functional nomenclature to express functionality about which customers will have some interest.
3.3 Diagramming For Security Analysis – Cont.
Figure 3.3 Sample external web architecture.
Figure 3.3 explains how to securely allow HTTP traffic to be processed by internal resources that were not originally designed to be exposed to the constant attack levels of the Internet. The diagram was not intended for architecture analysis. However, unlike Figure 3.1, several trust-level boundaries are clearly delineated. Internet traffic must pass a firewall before HTTP/S traffic is terminated at a web server. The web server is separated by a second firewall from the application server. Finally, there is a third firewall between the entire DMZ network and the internal networks (the cloud in the lower right-hand corner of the diagram).
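The boundary-counting exercise just described can be done mechanically once a diagram has been reduced to components, zones and flows. The following is an added example, not code from the book or from the SANS diagram: a small Python model of the Figure 3.3 design in which the zone names, their trust ordering, the component names and the protocols are my assumptions. It flags every flow that crosses a trust boundary as an attack surface and, following the complaint about Figure 3.1, flags double-headed arrows and unspecified protocols as questions the assessor still has to resolve.

```python
from __future__ import annotations

from dataclasses import dataclass

# Assumed trust ordering for the zones in the three-firewall design:
# higher number = more trusted. Each firewall in the diagram is one step here.
ZONE_TRUST = {"internet": 0, "dmz-web": 1, "dmz-app": 2, "internal": 3}


@dataclass(frozen=True)
class Component:
    name: str
    zone: str


@dataclass(frozen=True)
class Flow:
    src: Component                # initiator of the connection
    dst: Component                # component whose input is exposed
    protocol: str                 # "unspecified" when the diagram does not say
    direction_known: bool = True  # False models a double-headed arrow


@dataclass(frozen=True)
class Finding:
    kind: str    # "boundary-crossing" | "ambiguous-direction" | "unspecified-protocol"
    detail: str


def trust_delta(flow: Flow) -> int:
    """Positive when data flows from a less-trusted into a more-trusted zone."""
    for comp in (flow.src, flow.dst):
        if comp.zone not in ZONE_TRUST:
            raise ValueError(f"{comp.name}: zone {comp.zone!r} has no trust level")
    return ZONE_TRUST[flow.dst.zone] - ZONE_TRUST[flow.src.zone]


def analyze(flows: list[Flow]) -> list[Finding]:
    """One finding per thing the assessor must resolve or treat as an attack
    surface: every trust-boundary crossing, plus every question the diagram
    leaves open (who calls whom, over what protocol)."""
    findings: list[Finding] = []
    for f in flows:
        label = f"{f.src.name} -> {f.dst.name}"
        if not f.direction_known:
            findings.append(Finding("ambiguous-direction",
                f"{label}: arrow is double-headed; confirm which side initiates"))
        if f.protocol == "unspecified":
            findings.append(Finding("unspecified-protocol",
                f"{label}: protocol not shown; needed to size the attack surface"))
        delta = trust_delta(f)
        if delta != 0:
            # The side that ends up consuming less-trusted input: the callee on an
            # upward flow, the caller (reading the reply) on a downward flow.
            exposed = f.dst if delta > 0 else f.src
            findings.append(Finding("boundary-crossing",
                f"{label} over {f.protocol}: crosses {abs(delta)} boundary step(s); "
                f"{exposed.name} accepts input from a less-trusted zone"))
    return findings


def attack_surfaces(flows: list[Flow]) -> list[str]:
    """Components that take input across a trust boundary, i.e. the units the
    security architect reduces the diagram to."""
    exposed = set()
    for f in flows:
        delta = trust_delta(f)
        if delta > 0:
            exposed.add(f.dst.name)
        elif delta < 0:
            exposed.add(f.src.name)  # the reply path is still less-trusted input
    return sorted(exposed)


# Constructed model of the Figure 3.3 design. Names and protocols are assumed.
user = Component("internet-user", "internet")
web = Component("web-server", "dmz-web")
app = Component("app-server", "dmz-app")
db = Component("internal-db", "internal")

SAMPLE_FLOWS = [
    Flow(user, web, "HTTPS"),
    Flow(web, app, "unspecified", direction_known=False),  # diagram leaves both open
    Flow(app, db, "SQL over TLS"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(f"[{finding.kind}] {finding.detail}")
    print("attack surfaces:", ", ".join(attack_surfaces(SAMPLE_FLOWS)))
```

The point of the zone table is the reduction the text talks about: components that never take input from a less-trusted zone collapse into their neighbours for the purposes of the assessment, while every boundary-crossing flow is an input the architect has to ask about (protocol, parser, authentication, caller).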
3.3 Diagramming For Security Analysis – Cont.
The security architect has a requirement for abstraction that is different from most of the other architects working on a system. As we shall see further along, we reduce to a unit that presents the relevant attack surfaces. The reduction is dependent on other factors in an assessment, which were enumerated earlier:
Active threat agents that attack similar systems
Infrastructure security capabilities
Expected deployment model
Distribution of executables or other deployable units
The computer programming languages that have been used
Relevant operating system(s) and runtime or execution environment(s)
3.3 Diagramming For Security Analysis – Cont.
In Figure 3.4, from a defensible perimeter standpoint, and from the standpoint of a typical security architect, we have a three-tier application:
Web server
Application server
Database
For this architecture, the Web server tier includes disk storage. Static content to be served by the system resides in this forward-most layer. Next, further back in the system, where it is not directly exposed to HTTP-based attacks, there is an application server that runs dynamic code. We don’t know from this diagram what protocol is used between the Web server and the application server.
Figure 3.3 Sample external web architecture. (Courtesy of the SANS Institute.)
3.3 Diagramming For Security Analysis – Cont.
Figure 3.5 Two-component endpoint application and driver.
Figure 3.5 represents a completely different type of architecture compared to a web application. In this case, there are only two components (I’ve purposely simplified the architecture): a user interface (UI) and a kernel driver. The entire application resides on some sort of independent computing device (often called an “endpoint”). Although a standard desktop computer is shown, this type of architecture shows up on laptops, mobile devices, and all sorts of different endpoint types that can be generalized to most operating systems. The separation of the UI from a higher privileged system function is a classic architecture pattern that crops up again and again.
3.4 Seeing and Applying Patterns
A pattern is a common and repeating idiom of solution design and architecture. A pattern is defined as a solution to a problem in the context of an application.
There are architectural patterns that may be abstracted from specific architectures:
Standard e-commerce Web tiers
Creating a portal to backend application services
Database as the point of integration between disparate functions
Message bus as the point of integration between disparate functions
Integration through proprietary protocol
Web services for third-party integration
Service-oriented architecture (SOA)
Federated authentication [usually Security Assertion Markup Language (SAML)]
Web authentication validation using a session token
Employing a kernel driver to capture or alter system traffic
Model–view–controller (MVC)
Separation of presentation from business logic
JavaBeans for reusable components
Automated process orchestration
And more
3.4 Seeing and Applying Patterns – Cont.
In order to recognize patterns—whether architectural or security—one has to have a representation of the architecture. There are many forms of architectural representation. Certainly, an architecture can be described in a specification document through descriptive paragraphs. Even with a well-drawn set of diagrams, the components and flows will typically need to be documented in prose as well as diagramed. That is, details will be described in words, as well. It is possible, with sufficient diagrams and a written explanation, that a security assessment can be performed with little or no interaction.
3.5 System Architecture Diagrams and Protocol Interchange Flows (Data Flow Diagrams)
Figure 3.6 Conceptual enterprise architecture.
In Figure 3.6, we get some sense that there are technological infrastructures that are key to the business flows and processes. For instance, “Integrations” implies some sort of messaging bus technology. Details like a message bus and other infrastructures might be shown in the conceptual architecture only if the technologies were “standards” within the organization. Details like a message bus might also be depicted if these details will in some manner enhance the understanding of what the architecture is trying to accomplish at a business level. Mostly, technologies will be represented at a very gross level; details are unimportant within the conceptual architecture. There are some important details, however, that the security architect can glean from a conceptual architecture.
3.5 System Architecture Diagrams and Protocol Interchange Flows (Data Flow Diagrams) – Cont.
Figure 3.7 Component enterprise architecture.
Figure 3.7 represents the same enterprise architecture that was depicted in Figure 3.6. Figure 3.6 represents a conceptual view, whereas Figure 3.7 represents the component view.
3.5.1 Security Touches All Domains
Like any practice, the enterprise architect can only understand so many factors and so many technologies. Usually, anyone operating at the enterprise level will be an expert in many domains. The reason they depend upon security architects is because the enterprise architects are typically not security experts. Security is a matrix function across every other domain. Some security controls are reasonably separate and distinct, and thus, can be placed in their own component space, whereas other controls must be embedded within the functionality of each component. It is our task as security architects to help our sister and brother architects understand the nature of security as a matrix domain.
3.5.2 Component Views
“Presentations” have been split from “external integrations” as the integrations are sited in a special area: “Extranet.” That is typical at an enterprise, where organizations are cross-connected with special, leased lines and other point-to-point solutions, such as virtual private networks (VPN). Access is granted based upon business contracts and relationships. Allowing data exchange after contracts are confirmed is a different relationship than encouraging interested parties to be customers through a “presentation” of customer services and online shopping (“eCommerce”). Because these two modes of interaction are fundamentally different, they are often segmented into different zones: web site zone (for the public and customers) and Extranet (for business partners).
3.6 What’s Important?
“Architecturally interesting” is dependent upon a number of factors. Unfortunately, there is no simple answer to this problem. When assessing, if you’re left with a lot of questions, or the diagram only answers one or two, it’s probably “too soft.” On the other hand, if your eyes glaze over from all the detail, you probably need to come up one or two levels of granularity, at least to get started.
3.6.1 What Is “Architecturally Interesting”?
The architecture diagram needs to represent the appropriate logical components. But, unfortunately, what constitutes “logical components” is dependent upon three factors:
Deployment model
Infrastructure (and execution environment)
Attack method
3.7 Understanding the Architecture of a System
The question that needs answering in order to factor the architecture properly for attack surfaces is at what level of specificity can components be treated as atomic? In other words, how deep should the analysis decompose an architecture? What constitutes meaningless detail that confuses the picture?
3.7.1 Size Really Does Matter
Figure 3.8 Anti-virus endpoint architecture.
The AV engine runs in a separate process space; it receives commands from the UI, which also runs in a separate process. Despite what you may believe, quite often, AV engines do not run at high privilege. This is purposive. But AV engines typically communicate with, or receive communications from, higher privilege components, such as system drivers and the like. The UI will be running at the privilege level of the user (unless the security architect has made a big mistake!).
The foregoing explains why most anti-virus and anti-malware programs employ digital signatures rendered over their executable binary files. The digital signature can be validated by each process before communications commence. Each process will verify that, indeed, the process attempting to communicate is the intended process. Although not entirely foolproof, binary signature validation can provide a significant barrier to an attack on a more trusted process from a less trusted source.
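As an added illustration of the mutual validation described above (example code, not from the book or from any anti-virus product): each side of the UI/engine channel checks the other’s executable image before it processes a single command. Real products verify a vendor code-signing signature through the operating system’s signing APIs; this stand-in pins SHA-256 digests of the peer image, which is the integrity half of that check and enough to show where the control sits in the flow. The binaries, digests, process names and command set are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins for the two executables; not real binaries.
UI_BINARY = b"\x7fELF av-ui 1.0 (constructed sample image)"
ENGINE_BINARY = b"\x7fELF av-engine 1.0 (constructed sample image)"


def image_digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Each process ships with the identity and digest of the one peer it will talk
# to. In a shipped product this table would itself be covered by the vendor's
# code signature; here it is a constant (assumption).
TRUSTED_PEERS = {
    "av-engine": {"peer": "av-ui", "digest": image_digest(UI_BINARY)},
    "av-ui": {"peer": "av-engine", "digest": image_digest(ENGINE_BINARY)},
}

# Commands the engine accepts at all, regardless of who asks.
ENGINE_COMMANDS = {"scan", "status", "update-signatures"}


class PeerRejected(Exception):
    """Raised before any command is processed when the peer fails validation."""


def verify_peer(me: str, peer_name: str, peer_image: bytes) -> bool:
    """Check that the process asking to talk to `me` is the intended peer and
    that its executable image is the one we shipped. Raises PeerRejected
    rather than returning False, so a caller cannot forget to check."""
    expected = TRUSTED_PEERS[me]
    if peer_name != expected["peer"]:
        raise PeerRejected(f"{me}: unexpected peer {peer_name!r}")
    # Constant-time comparison is habit for any integrity check.
    if not hmac.compare_digest(image_digest(peer_image), expected["digest"]):
        raise PeerRejected(f"{me}: image digest mismatch for {peer_name!r}")
    return True


def engine_handle_command(command: str, sender: str, sender_image: bytes) -> str:
    """Engine side: validate the UI before even looking at what it asked for."""
    verify_peer("av-engine", sender, sender_image)
    if command not in ENGINE_COMMANDS:
        raise ValueError(f"unknown command {command!r}")
    return f"ok:{command}"


def ui_accept_status(sender: str, sender_image: bytes, status: str) -> str:
    """UI side does the same check in the other direction: a status message is
    only displayed if it really came from the engine."""
    verify_peer("av-ui", sender, sender_image)
    return f"displayed:{status}"


if __name__ == "__main__":
    print(engine_handle_command("scan", "av-ui", UI_BINARY))
    print(ui_accept_status("av-engine", ENGINE_BINARY, "clean"))
    try:
        engine_handle_command("scan", "av-ui", UI_BINARY + b"\x90 patched")
    except PeerRejected as exc:
        print("rejected:", exc)
```

The “not entirely foolproof” caveat from the text shows up in where `peer_image` comes from: the verifying process must obtain the image the kernel actually loaded for the peer (on Linux, for example, by taking the peer’s PID from the Unix-socket credentials and reading that process’s executable), not accept bytes the peer hands over itself, and even then a process that is compromised after loading still carries a valid image.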
3.8 Applying Principles and Patterns to Specific Designs
Figure 3.9 Mobile security application endpoint architecture.
The art of architecture involves the skill of recognizing and then applying abstract patterns while, at the same time, understanding any local details that will be ignored through the application of patterns. Any unique local circumstances are also important and will have to be attended to properly.
It is not that locally specific details should be completely ignored. Rather, in the interest of achieving an “architectural” view, these implementation details are overlooked until a broader view can be established. That broader view is the architecture. As the architecture proceeds to specific design, the implementation details, things like specific operating system services that are or are not available, once again come to the fore and must receive attention.
3.8.1 Principles, But Not Solely Principles
The Open Web Application Security Project (OWASP) provides a distillation of several of the most well known sets of principles:
Apply defense in depth (complete mediation).
Use a positive security model (fail-safe defaults, minimize attack surface).
Fail securely.
Run with least privilege.
Avoid security by obscurity (open design).
Keep security simple (verifiable, economy of mechanism).
Detect intrusions (compromise recording).
Don’t trust infrastructure.
Don’t trust services.
Establish secure defaults.
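Three of those principles (fail securely, positive security model, least privilege) are easiest to see in an authorization check written both ways. The following is an added example, not OWASP’s code: a negative-model check that fails open next to an allow-list check that fails closed. The roles, policy entries, resource names and the directory lookup are constructed for the illustration.

```python
from __future__ import annotations

import posixpath

# Constructed allow-list: (role, action, resource prefix). Anything not listed
# is denied; this is the positive security model.
POLICY = {
    ("analyst", "read", "reports/"),
    ("admin", "read", "reports/"),
    ("admin", "write", "reports/"),
}

# Constructed deny-list used only by the anti-pattern below.
DENY = {("guest", "write")}


class PolicyUnavailable(Exception):
    """Models the role directory (DB, IdP, ...) being down or inconsistent."""


def lookup_role(user: str, directory: dict[str, str]) -> str:
    if user not in directory:
        raise PolicyUnavailable(f"no directory entry for {user!r}")
    return directory[user]


def canonical(resource: str) -> str | None:
    """Normalise the requested path so '..' cannot walk out of a prefix.
    Returns None for anything absolute or that escapes upwards."""
    path = posixpath.normpath(resource)
    if path.startswith("/") or path == ".." or path.startswith("../"):
        return None
    return path


def authorize_fail_open(user: str, action: str, resource: str,
                        directory: dict[str, str]) -> bool:
    """ANTI-PATTERN: negative model plus a catch-all that keeps the app running.
    Everything the deny-list did not anticipate, including a failed lookup,
    is allowed."""
    try:
        role = lookup_role(user, directory)
        return (role, action) not in DENY
    except Exception:
        return True  # fails open


def authorize_fail_closed(user: str, action: str, resource: str,
                          directory: dict[str, str]) -> bool:
    """Positive model, default deny: grant only on an explicit allow-list match,
    and treat any error while evaluating policy as a deny."""
    try:
        role = lookup_role(user, directory)
    except PolicyUnavailable:
        return False
    path = canonical(resource)
    if path is None:
        return False
    return any(role == r and action == a and path.startswith(prefix)
               for (r, a, prefix) in POLICY)


# Constructed directory of users to roles.
DIRECTORY = {"alice": "analyst", "bob": "guest", "carol": "admin"}

if __name__ == "__main__":
    for fn in (authorize_fail_open, authorize_fail_closed):
        print(fn.__name__)
        print("  alice write reports/q1.pdf      ->", fn("alice", "write", "reports/q1.pdf", DIRECTORY))
        print("  mallory write reports/q1.pdf    ->", fn("mallory", "write", "reports/q1.pdf", DIRECTORY))
        print("  alice read reports/../secrets   ->", fn("alice", "read", "reports/../secrets", DIRECTORY))
```

The fail-open version answers “yes” to an unknown user because the lookup error is swallowed, and “yes” to an analyst writing because nobody wrote a deny rule for it; the fail-closed version needs an explicit reason to say yes, which is what “least privilege” and “secure defaults” mean in code.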
Chapter 3: Summary
By abstracting general architectural patterns from specific architectures, we can apply known effective security solutions in order to build the security posture. There will be times, however, when we must be creative in response to architecture situations that are as yet unknown or that are exceptional. Still, a body of typical patterns and solutions helps to cut down the complexity when determining an appropriate set of requirements for a system under analysis.
Chapter 4 – Information Security Risk
4.1 Rating with Incomplete Information
4.2 Gut Feeling and Mental Arithmetic
4.3 Real-World Calculation
4.4 Personal Security Posture
4.5 Just Because It Might Be Bad, Is It?
4.6 The Components of Risk
4.6.1 Threat
4.6.2 Exposure
4.6.3 Vulnerability
4.6.4 Impact
4.7 Business Impact
4.7.1 Data Sensitivity Scales
4.8 Risk Audiences
4.8.1 The Risk Owner
4.8.2 Desired Security Posture
4.9 Summary
4.1 Rating with Incomplete Information
It would be extraordinarily helpful if the standard insurance risk equation could be calculated for information security risks.
Probability * Annualized Loss = Risk
However, this equation requires data that simply are not available in sufficient quantities for a statistical analysis comparable to the actuarial data that insurance companies use to calculate risk. In order to calculate probability, one must have enough statistical data on mathematically comparable events. Unfortunately, generally speaking, few security incidents in the computer realm are particularly mathematically similar. Given multivariate, multidimensional events generated by adaptive human agents, perhaps it wouldn’t be too far a stretch to claim that no two events are precisely the same.
Given the absence of actuarial data, what can a poor security architect do?
4.2 Gut Feeling and Mental Arithmetic
Experienced security architects do these “back of the napkin” calculations fairly rapidly. They’ve seen dozens, perhaps hundreds, of systems. Having rated risk for hundreds or perhaps many more attack vectors, they get very comfortable delivering risk pronouncements consistently. With experience comes a gut feeling, perhaps an intuitive grasp, of the organization’s risk posture. Intimacy with the infrastructure and security capabilities allows the assessor to understand the relative risk of any particular vulnerability or attack vector. This is especially true if the vulnerability and attack vector are well understood by the assessor. But what if one hasn’t seen hundreds of systems? What does one do when just starting out?
4.3 Real-World Calculation
For the purposes of architecture assessment for security, risk may be thought of as:
Credible Attack Vector * Impact = Risk Rating
Where:
Credible Attack Vector (CAV) is a fraction: 0 < CAV < 1
Impact is an ordinal that lies within a predetermined range: 0 < Impact < predetermined limit (example: 0 < Impact < 500)
4.4 Personal Security Posture
Personal risk predilection will have to be factored out of any risk calculations performed for an organization’s systems. The analyst is not trying to make the system under analysis safe enough for himself or herself; the analyst is trying to provide sufficient security to enable the mission of the organization. “Know thyself” is an important maxim with which to begin.
4.5 Just Because It Might Be Bad, Is It?
Given certain types of attacks, there is absolute certainty in the world of computer security: Unprotected Internet addressable systems will be attacked. The uncertainty lies in the frequency of successful attacks versus “noise,” uncertainty in whether the attacks will be sophisticated or not, how sophisticated, and which threat agents may get to the unprotected system first. Further, defenders won’t necessarily know the objectives of the attackers. Uncertainty lies not within a probability of the event, but rather in the details of the event, the specificity of the event.
4.5 Just Because It Might Be Bad, Is It? – Cont.
We are interested in preventing “credible attack vectors” from success, whatever the goals of the attackers may be. We are constraining our definition of risk to:
Human threat agents
Attacks aimed at computer systems
Attack methods meant to abuse or misuse a system
4.6 The Components of Risk
There is a collection of conditions that each must be true in order for there to be any significant computer security risk. If any one of the conditions is not true, that is, the condition doesn’t exist or has been interrupted, then that single missing condition can negate the ability of an attack to succeed.
To illustrate how network defenders can act on their knowledge of their adversaries’ tactics, the Lockheed Martin intrusion kill chain paper (Hutchins, Cloppert, and Amin, 2011) lays out the multiple steps an attacker must proceed through to plan and execute an attack. These steps are the “kill chain.” While the attacker must complete all of these steps to execute a successful attack, the defender only has to stop the attacker from completing any one of these steps to thwart the attack.
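The formula in 4.3 and the “every condition must hold” statement in 4.6 fit together in a few lines. The following is an added example and not the book’s method: CAV is modelled here as the product of three factors in [0, 1] (threat, exposure, vulnerability), so that a factor at 0 negates the vector exactly as the kill-chain argument says a single broken step thwarts the attack. The factor values and attack vectors are constructed guesses for an imagined web system, of the kind an assessor makes on the back of a napkin.

```python
from __future__ import annotations

from dataclasses import dataclass

IMPACT_LIMIT = 500  # the predetermined ordinal limit from the formula's example


@dataclass(frozen=True)
class AttackVector:
    name: str
    threat: float         # an agent exists with the goal and capability (0..1)
    exposure: float       # the agent can reach the input that presents the flaw (0..1)
    vulnerability: float  # a weakness exists that the agent can exploit (0..1)
    impact: int           # business impact ordinal, 0 < impact < IMPACT_LIMIT


def _unit(label: str, x: float) -> float:
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"{label} must be in [0, 1], got {x}")
    return x


def credible_attack_vector(v: AttackVector) -> float:
    """Section 4.6: every condition must hold for an attack to succeed. Modelled
    (my assumption) as a product, so one condition at 0 negates the vector
    however strong the others are. 0 means 'not credible'; a credible vector
    lands in the formula's 0 < CAV < 1."""
    return (_unit("threat", v.threat) * _unit("exposure", v.exposure)
            * _unit("vulnerability", v.vulnerability))


def risk_rating(v: AttackVector) -> float:
    """Credible Attack Vector x Impact = Risk Rating (Section 4.3)."""
    if not 0 < v.impact < IMPACT_LIMIT:
        raise ValueError(f"impact must be in (0, {IMPACT_LIMIT}), got {v.impact}")
    return round(credible_attack_vector(v) * v.impact, 1)


def rank(vectors: list[AttackVector]) -> list[tuple[str, float]]:
    """Order the vectors for a system so the assessor works the top of the list first."""
    return sorted(((v.name, risk_rating(v)) for v in vectors),
                  key=lambda pair: pair[1], reverse=True)


# Constructed vectors for an imagined web system; values are assessor guesses,
# not measurements.
SAMPLE_VECTORS = [
    AttackVector("SQL injection via internet-facing search form", 0.9, 1.0, 0.6, 400),
    AttackVector("same flaw, form reachable only from the admin VLAN", 0.9, 0.2, 0.6, 400),
    AttackVector("kernel driver bug with no reachable input", 0.7, 0.0, 0.8, 450),
]

if __name__ == "__main__":
    for name, rating in rank(SAMPLE_VECTORS):
        print(f"{rating:6.1f}  {name}")
```

The second and third vectors are the interesting ones: the same vulnerability drops from 216 to about 43 when exposure is cut by segmentation, and the high-impact driver bug rates 0 because nothing can reach it, which is the architect’s justification for spending on exposure controls rather than only on fixing code.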
4.6.1 Threat
The term “threat” is scattered about in the literature and in parlance among practitioners. In some methodologies, threat is used to mean some type of attack methodology, such as spoofing or brute force password cracking. Under certain circumstances, it may make sense to conflate all of the components of threat into an attack methodology. This approach presumes two things:
All attack methodologies can be considered equal.
There are sufficient resources to guard against every attack methodology.
4.6.1 Threat – Cont.
In order to understand how relevant any particular threat agent is to a particular attack surface, the impact or loss to the organization, and the level of protection required to dissuade that particular type of attacker, the following attributes of the threat need to be understood:
Threat agent
Threat goals
Threat capabilities
Threat work factor
Threat risk tolerance
4.6.2 Exposure
In organizations that don’t employ any separation of duties between roles, administrative staff may have the run of backend servers, databases, and even applications. In situations like this, the system administrators can cause catastrophic damage.
Even in mature and well-run shops, administrative staff will have significant power to do damage. The expected protections against misuse of this power are:
Strict separation of duties
Independent monitoring of the administrative activities to identify abuse of administrative access
Restriction of outbound capabilities at the time when and on the network where administrative duties are being carried out
Restriction of inbound vectors of attack to administrative staff when they are carrying out their duties
4.6.2 Exposure – Cont.
In the world of highly targeted phishing attacks, where a person’s social relations, their interests, even their patterns of usage, can be studied in detail, a highly targeted “spear-phishing” attack can be delivered that is very difficult to recognize. Consequently, these highly targeted spear-phishing techniques are much more difficult to resist. The highly targeted attacks are still relatively rare compared to a “shotgun” approach. If you, the reader, maintain a more or less public Web persona with an email address attached to that persona, you will no doubt see your share of untargeted attacks every day – that is, email spam or phishing attacks.
4.6.2 Exposure – Cont.
“Exposure” is the ability of an attacker to make contact with the vulnerability. It is the availability of vulnerabilities for exploitation. The attacker must be able to make use of whatever media the vulnerability expresses itself through. As a general rule, vulnerabilities have a presentation. The system presents the vulnerability through an input to the system, some avenue through which the system takes in data. Classic inputs are:
The user interface
A command-line interface (CLI)
Any network protocol
A file read (including configuration files)
Inter-process communication