This is the 5th part on my CISSP Reloaded where I am revisiting the 10 CISSP domains I studied for many years ago to see what has changed and how much of it I have retained as well as adding in my own personal thoughts, experiences and rambles into the mix. (Domain One) (Domain Two) (Domain Three) (Domain Four)
I was looking forward to going through this domain once more. But upon reading through my notes and books, I can’t help but feel a little bit disappointed. It’s a bit like how I used to fondly remember Airwolf (probably because of the iconic opening credits and soundtrack), but upon watching a rerun recently, I couldn’t help but feel a bit cheated. As if my childhood memories had been violated. Or maybe I was more concerned that as a child I actually enjoyed it.
Back on topic. This domain has a good title and there is probably a lot one can talk about with regards to security architecture. In fact, in my opinion, there are not enough good and competent security architects on the market. Sure you can get a lot of penetration testers of varying degrees of competence and generalists or risk and compliance type people. But good architects are hard to come by. I mean just watch the Matrix reloaded and see how difficult it was for Neo to find the Architect.
I guess this domain means well, but ended up being filled with three types of information: fluff, theoretical fluff and useless fluff. Am I being overly harsh to the course as it was written over 9 years ago? Or was my ability to make coherent notes really that bad? Well, I passed the exam with flying colours (or could have scraped by) so as bad as my notes may be, they were good enough.
So what did this domain cover in terms of security architecture? Well it covers an extensive list of topics from Computer organisation, hardware components, open systems, evaluation criteria, confidentiality models and so on and so forth. Now is a good time to insert the inch deep and mile wide analogy once more. Fancy getting half your toe wet?
Nothing really useful is covered in computer architecture. It feels a bit like algebra in school. It was complicated, didn’t make any sense and you wasted half your childhood trying to find the value of x. Yes, if you went into mathematics or rocket science or something that actually uses the value of x on a day to day basis you would have found it useful, but for the rest of us it wasn’t. And don’t get me started on those pointless mathematical questions that I’m sure maths teachers used to just create to troll their students. I can only imagine that at home if their child asked them, “Dad, how old are you?” they would respond with something like, “Well, on your 10th birthday I will be 3.5 times older than you, and right now you’re 6, so work out my age as the value of x.”
This part talks about the fundamental computer components. Things such as CPU, memory, input and output devices are touched upon. You will then be enlightened to hear about how the bus connects these components and the different types of buses. I’m going to be lazy and not bother looking up what the different types of buses are, but for argument’s sake let’s just call them the routemaster, double decker and night bus. If you’re not a London person, then those three types of buses probably mean about as much to you as human rights mean to a TSA agent. Needless to say, the fact that I am struggling to recall the details probably goes to show that in my day job I’ve never needed to look into these. But just in case you were wondering, routemasters are the classic buses with the open back where people would jump on and off which gave health and safety people heart attacks. Double decker buses are those where all respectable people sit downstairs and only muggers or those who want to be mugged go upstairs. The night buses are for those who don’t mind waiting over an hour at 2am for the bus to arrive smelling of sick, only to be stabbed.
Then there’s some information given about RAM, ROM, the ways CPU addresses memory and so forth.
Even if I did remember what all of this is about, the material doesn’t go into any sufficient depth for it to be very useful. It’s like thinking you’re a qualified lifeguard after watching all episodes of Baywatch.
You’d imagine that being a security certification, the course material would at least introduce students to concepts around how these components can be attacked or manipulated and what needs to be done to protect these. Not too long ago I watched a film called The American which starred George Clooney. It was billed as an assassin with one last job and wanting to get out of the game. So I grabbed some popcorn and awaited the Bourne-esque action to begin. Instead I was treated to some sappy drivel that focussed more on scenic shots of the Italian countryside and romance rather than any real action. I felt misled and lied to. Which is how you feel as a security person reading this chapter. I mean, where do they cover issues like buffer overflows, which explain how you can start overwriting different parts of memory? Even if the technicalities of doing so are beyond the scope, the concepts should have been explained. I don’t really know how the petrol I put in my car gets converted into energy, but I know enough that I shouldn’t put diesel in my petrol car and that if I don’t stop filling up when it’s full, I’ll get petrol over my shoes.
The same happens when discussing the Input/Output interface. You’ll learn about how a user communicates with the processor with an interface called an input/output interface. It describes the different ways the I/O interface will work and gives the pros and cons of each method. Again, there’s no real security angle discussed, which makes me question why this is included in the course material. Of course it’s important for people to know the basics, but if you expect someone to have 5 years’ experience before sitting the exam, then you’d hope they have some knowledge of the basics after 5 years. Maybe the new material is covering how malicious devices can masquerade as a legitimate I/O device and recommending what security protection needs to be in place.
It’s probably very clear that I am by no stretch of the imagination a programmer. I think the last bit of coding I did was HTML back in the good old days when it was a cool skill to have because you could set up your own website on Geocities. I’d spend hours coding away in Notepad and saving as an HTML file. I remember when a friend showed me a program called HoT MetaL which was an HTML coding application with a nice interface a bit like Word. So if you clicked bold, it would automatically add the <b> </b> tags before and after the words which was amazing. But I still opted for Notepad because it made me feel far more hardcore.
If you go to a lower level, there are more ‘real’ programming languages that people use to write code that talks with the CPU.
Which in a nutshell is all this talks about. Included is a bit about macros, interpreted languages, compiled code etc. None of which make any reference to anything security related.
It wouldn’t be hard to throw in a couple of lines into the text that would explain why or why not someone should consider software as part of their security design. What could or couldn’t happen with badly written software and the like. It just delves into 5 generations of languages (GL).
I’m smiling and shaking my head in disbelief reading my scribbled notes which I have written as follows:
“A program or set of programs that control the resources and operations of the computer is called an operating system (OS). Examples are Windows, Linux and Unix”
I must have been very naive back in the day to (a) not have walked out there and then and (b) actually written down what the examples of operating systems are because had I been asked to name an operating system in the exam, I would have been totally stumped! It would actually be amusing if someone was asked the question in the exam:
Q – Which of the following is an operating system:
Open and Closed Systems
Exactly two paragraphs are dedicated to open and closed systems in my old book, which is a bit of a shame. Maybe open systems weren’t as popular back then as they are today. But there is much more that can be said than simply stating that closed systems are proprietary and are not subject to independent examination, and therefore may have vulnerabilities, whereas open systems have published specifications and are subject to review and evaluation by independent parties, so the vulnerabilities are more likely to be found.
Which is a bit like saying the quiet ones are the ones you’ve got to be careful of because you never know when they’ll snap and go on a rampage. A security certification such as the CISSP pitches itself toward the management side, so should be more in tune with management ways of thinking and the challenges they face.
For argument’s sake, let’s assume that it’s true that open source systems have fewer vulnerabilities than closed source systems. Does that mean a security person should always recommend an open source system? Maybe the business will look at open source and see that it’s a free system so they’re going to save a ton of money. I mean, a system with fewer vulnerabilities and free. A win-win surely?
Well, not quite. You have support considerations to factor in. Maybe your vendor solution has the support that you need which may not be available with open source. Maybe you have interoperability concerns as to how your system will run your business applications. Also, free software does not mean cost-free. At the end of the day, you still need hardware upon which to install the software, you need a data centre of some sort in which to host the hardware, which comes along with its costs, and you have the installation and maintenance costs. In essence, you only end up saving the cost of your licence and nothing else.
Look at it from all angles, work with the business and come to the solution that fits the business needs. Maybe the answer is to go for an inherently more vulnerable system, but at least you’re aware of it and you can help protect against it by implementing other security controls.
I’m not saying this is the only way to look at it and neither am I advocating a flame war begin on whether open or closed systems are better, any more than I like to see Mac Vs PC debates break out. Well, they are fun to begin with, but a bit like watching too many episodes of Cops, there are only so many car chases you can see before they get repetitive and the voiceover becomes tedious.
Rather, someone looking to enhance their career, which is what anyone preparing for a CISSP is generally seeking to do, should really think things through from all angles. A lot of times your manager or someone will ask you a question and make you feel as if you have to give an answer immediately or risk looking like you don’t know your subject. But slowing down is sometimes the best thing to do. No-one will ever know all the answers, but you know what questions to ask and that’s what internet search engines were created for.
Yes, information security is akin to an action flick, there is lots of action. But don’t make it a no-brainer Jason Statham movie. It’s more like a Sergio Leone action film which takes its time to establish the shots and build up slowly, and once the characters have been built up and the tension is thick, you have a blistering 5 seconds of blindly mad action and all is calm again.
Slowing down and taking time to think things through can mean you end up with a masterpiece at the end.
I know beyond a doubt my notes are old because there’s not a single mention of ‘cloud’ anywhere! The topic covers how computing has migrated from a centralised model to a client-server model and therefore desktop PCs and workstations have the ability to store and process information locally.
What’s good is that although this is quite a bit into the chapter, we finally get to start talking about some security concepts in as much as what does a security professional need to consider about distributed setups and some of the common protections.
But let’s not be sheep about this. Just because that’s how General Jones did things back in ‘Nam, doesn’t mean we should start cutting ears off our victims and making necklaces out of them.
Regardless of the type of architecture you have, you may still be running dumb terminals connected to a mainframe with a certain amount of processing time allocated to you. Or you could have the classic client-server model. If you’re a small business, maybe you just have a client-external hard drive model. Or maybe you just magically teleport your data into the cloud.
All of these scenarios have their pros and cons. But think of it much like an undercover cop infiltrating a drug cartel. Keep an eye on the low life drug dealers on the street corners for sure. But the real money-shot is in following the money. Trace it back to Mr Big and find out where it goes and where the drugs are being produced and then bring the cartel down from the inside. You’ll need a big budget to do this, a white Ferrari, a stock of Hawaiian shirts and maybe a speedboat. Perhaps you’ll even grow a Tom Selleck style epic tache.
The point I’m trying to make is follow the data. That’s what you’re primarily focussing on protecting. Unless of course you’re providing a service whereby your infrastructure is the service, in which case your infrastructure and model of delivery become more important. Remember the business impact analysis in conjunction with understanding how the business actually works. This will allow you to focus on the areas that need the most attention.
I’ve got some notes about rings. It’s a scheme that supports multiple layers of protection. You have the central ring, which is the most privileged, Ring 0, and has access rights to all domains. The outer rings are, unsurprisingly, simply numbered 1, 2, 3… onwards. Think of Inception, a ring within a ring within another ring.
Actually I only think I decided to write about rings so that I could make an Inception reference. Except this doesn’t have any trains or crazy ex-wives who want to kill you. Well, that probably defines any ex-wife. At least quoting Inception is a welcome break from saying it’s like an onion layer. I’ve seen so many presentations over the years where someone breaks out an onion ring model that just the name of it is enough to bring tears to my eyes.
But the concept is that access rights decrease as the ring number increases. So you place your crown jewels in the central ring and the less important ones are cast out like Snow White by her evil step mother.
If something is super secret private important, then put a label on it saying, “Super Secret Private important stuff. Do not touch unless you’re super secret private and important.”
In the classic Arnie film Predator, which is among the best films ever made, Arnie’s team has to let Mr. Apollo Creed himself (Carl Weathers) tag along on their mission, which is to rescue the guys who went in to rescue the guys. After a gripping firefight in which Arnie and his bunch of expendable hard men totally blow the living crap out of some local rebels, he gets the feeling that something’s not quite right so he threatens to terminate Apollo. After pinning him up against the wall using nothing but his bicep and intimidating him with his accent, Apollo finally cracks and tells him that they were only on a mission to kill the living hell out of some rebels for some reason or another and that it was on a need to know basis only.
That’s an example of a security mode. All the team had the same clearance level. But they were only fed information on a need to know basis.
The types of security modes are dedicated, compartmented, controlled and limited access. Your proper CISSP book will explain these in detail. I don’t think they’re very important to know in the real world. Unless maybe you work in Government, where beancounters and people who speak in annoyingly nasal voices will preach the importance of all types of security modes and who can access what and how, without adding much real value beyond writing a document.
Like anything, in an isolated silo the concepts are easy to grasp, understand and implement. But when you’re looking at a global organisation with thousands of employees accessing dozens of different applications on different servers, crossing network devices, it starts to resemble a bowl of spaghetti.
Assurance is a word that is thrown about very loosely by organisations these days so it’s lost some of its charm. Yes, the course material goes into the Orange Book and the criteria that must be fulfilled. But let’s cut this cake in a different way.
One of the common definitions of assurance goes a little bit like this: you have confidence that a system (or whatever thing you’re assuring) acts properly and securely when under the control of the proper people.
What people fail to accurately define before they embark on an assurance plan is exactly what level of confidence they are looking to achieve and for what purpose.
For example, a company may want to gain security assurance that all their externally facing websites are secure. But there’s no clear definition of what secure means, so someone may opt for a vulnerability scan and leave it at that. Others may go for a full-on manual penetration test, undertaken by a third party. The approach will vary depending on the level of assurance you’ve defined and how much time and money you are willing to throw at it. This money is tied directly to the business case and objective. If your company is only scanning in order to meet PCI compliance requirements, chances are that’s all they will be doing it for.
I was once out in central London as a young teenager and whilst at Big Ben asked someone for directions on how to get to Leicester Square. He told me how to get to the nearest tube station. Wanting to save money and not pay for the tube, I asked him if Leicester Square was in walking distance, to which he responded, “everything’s in walking distance depending on how long you’re prepared to walk for.” Which is a bit like assurance. Sure you can tell your boss you can get systems assured within an inch of their life but he may not be willing to walk that far. As a side note, remember as a good upstanding security professional, do try and work with your business partners to help them work out the level of assurance needed. Don’t just simply sit back and ask them to give you a level, because chances are they won’t be totally sure on what’s needed either. If they ask how much they should budget for assurance, resist the urge to respond with, “how long is a piece of string.”
Once you’ve established the level to which you need to be assured, you can make things more interesting by introducing the concepts of certification and accreditation. Certification leads up to accreditation. It’s where a deep expert will evaluate the information security measures that are implemented by a system and determine if they are adequate and up to the benchmark you defined when you set out on your assurance program.
Accreditation is where a usually overweight man who breathes loudly through his mouth, in an ill-fitting suit, will inspect the certification report, pretend like he knows what he’s doing and pull out his big rubber stamp and officially declare in his capacity of being an approver that the system is accredited and the controls keep the risk within acceptable levels. He’ll then order a coffee with no sugar because he’s on a diet and drink it with a couple of donuts.
My notes go into some mention of government certification and accreditation standards. But I don’t want to go into them because all standards look the same after a while. Or maybe they get boring. Like going out with a hot super model and 3 months later dumping her because she has no personality. Standards are a bit like that. May seem sexy at first but you wake up one morning, roll over in bed and say, hey that’s just another boring standard.
So the thing to focus on is personality. What I mean to say is, first assess and agree what level of assurance you’re comfortable with. For example, you agree that you need to lock your front door. The next step would be to agree the type of lock that you need in order to protect your front door. Then you get a lock expert to come and inspect or certify that the lock is in accordance with your requirements and finally a big fat man comes up with a clipboard, ticks the box and grants you an accreditation.
Unlike fairy tales though, you don’t just live happily ever after. You live happily for a year maybe before you have to repeat the whole process once again. A year is a long time in which your risk position may change and you’ll need to re-evaluate your position. Is that rusty lock still sufficient? Do you need to invest in something more heavy duty? Does it hinder the flow of traffic through the door unnecessarily? Have the users of the lock just gotten lazy and leave a key in it all the time?
Information Security Models
Now you may think that because of my good looks, this chapter is going to be about me. Unfortunately, the topic isn’t quite as good as that but what it does touch upon is different models that have been defined for both access control and integrity.
There are a few access control models such as Bell-LaPadula, Take-Grant, Biba, Star, and others that are mentioned.
These may be used and implemented in pencil pushing governmental departments. But most companies would use something like Role Based Access Control (RBAC) in order to define who has access to what. It’s probably the most commonly deployed and easy to understand model out there for larger organisations. Although in practical terms, a proper implementation of RBAC is rarely seen, just because of how large a lot of organisations are and the fact they have so many disparate systems that refuse to talk to one another. So sometimes people will push for a rule-based access model.
Either way, what these models are trying to achieve is control over who can access certain data and furthermore what they can do with that access. The problem is that models are great and technology vendors will offer their magic products that will solve all your problems. This isn’t a technology issue and can’t be solved by technology alone. You need to work out the business processes first and then, if need be, implement a technology that supports those processes. In reality, there’s no substitute for doing the hard work of listing everything you have and agreeing with the person who owns those assets what importance those assets have and who can access them. It’s a tough and dirty job but a lot of the time, there’s no substitute for getting tough and getting dirty.
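To make the models above (and the need-to-know point from the Predator anecdote under security modes) concrete, here is an added example that is not from the post or from any CISSP material: a toy Bell-LaPadula and Biba check over a label lattice of level plus compartments, alongside a minimal RBAC lookup. The level names, compartments, users and permissions are constructed for illustration, and the same level scale is reused as a stand-in for Biba’s integrity levels.

```python
"""Toy implementations of the access-control models named in the post:
Bell-LaPadula (confidentiality), Biba (integrity) and RBAC.
All levels, compartments, users and permissions are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# Ordered levels (constructed scale; reused as the integrity scale for Biba).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset of
        compartments. Equal clearance alone is not enough; the compartments are
        what enforce need-to-know (the 'compartmented' mode in the post)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_can_read(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula simple security property: no read up."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula *-property: no write down (a lower object could leak data)."""
    return obj.dominates(subject)


def biba_can_read(subject: Label, obj: Label) -> bool:
    """Biba simple integrity property: no read down (don't consume less trusted data)."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Biba *-integrity property: no write up (don't contaminate more trusted data)."""
    return subject.dominates(obj)


class RBAC:
    """Minimal role-based access control: users -> roles -> permissions."""

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def grant(self, role: str, permission: str) -> None:
        self.role_perms.setdefault(role, set()).add(permission)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def permitted(self, user: str, permission: str) -> bool:
        return any(permission in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, ()))


def demo() -> Dict[str, bool]:
    """Constructed scenario: two SECRET-cleared operators, only one of whom is
    read into the 'RAID' compartment (same clearance, different need-to-know)."""
    dutch = Label("SECRET", frozenset({"RESCUE"}))
    dillon = Label("SECRET", frozenset({"RESCUE", "RAID"}))
    mission_brief = Label("SECRET", frozenset({"RAID"}))
    public_notice = Label("UNCLASSIFIED")

    rbac = RBAC()
    rbac.grant("payroll_clerk", "payroll:read")
    rbac.grant("payroll_admin", "payroll:write")
    rbac.assign("alice", "payroll_clerk")

    return {
        # same level, missing compartment: need-to-know blocks the read
        "dutch_reads_brief": blp_can_read(dutch, mission_brief),
        "dillon_reads_brief": blp_can_read(dillon, mission_brief),
        # *-property: a SECRET subject may not write to an UNCLASSIFIED object
        "dillon_writes_public": blp_can_write(dillon, public_notice),
        # Biba flips the direction: reading low-integrity public data is refused
        "dillon_biba_reads_public": biba_can_read(dillon, public_notice),
        "alice_reads_payroll": rbac.permitted("alice", "payroll:read"),
        "alice_writes_payroll": rbac.permitted("alice", "payroll:write"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:26s} {'ALLOW' if allowed else 'DENY'}")
```

The contrast worth noticing is that Bell-LaPadula and Biba are mirror images (one stops secrets flowing down, the other stops untrusted data flowing up), while RBAC says nothing about levels at all and only works once someone has done the unglamorous job of deciding which roles exist and what each one is allowed to do.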