CISSP Vulnerabilities of Security Architectures, Designs, and Solution Elements – Bk2D3T5P2

This topic of CISSP Vulnerabilities of Security Architectures, Designs, and Solution Elements covers cloud-based systems, distributed systems, Internet of Things (IoT) systems, embedded systems, mobile systems and web-based systems.

Cloud-based Systems

For the sake of discussion, cloud computing has been formally defined by NIST (SP 800-145) as:

“… a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

The definition from the comparable ISO/IEC standard 17788 for cloud computing is similar: “Paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand.”

Five Essential Characteristics of Cloud Computing

NIST defines the five essential characteristics of cloud computing as the following:

  1. On-Demand Self-Service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
  2. Broad Network Access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
  3. Resource Pooling: The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. Examples of resources include storage, processing, memory, and network bandwidth.
  4. Rapid Elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demands.
  5. Measured Service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).

The ISO/IEC 17788 standard includes the NIST characteristics and adds a sixth:

  6. Multi-Tenancy: A feature where physical or virtual resources are allocated in such a way that multiple tenants and their computations and data are isolated from and inaccessible to one another.

NIST and ISO/IEC 17789 identify three service models (NIST) and four service categories (ISO/IEC 17789) that represent the different types of cloud services available. The first three are the same in both standards:

Software as a service (SaaS): The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Infrastructure as a service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

ISO/IEC 17789 adds an additional service category as:

Network as a service (NaaS): A cloud service category in which the capability provided to the cloud service customer is transport connectivity and related network capabilities.

ISO/IEC 17788 defines the four categories above and adds some additional service categories:

  • Communication as a service (CaaS)
  • Compute as a service (CompaaS)
  • Data storage as a service (DSaaS)

NIST, ISO/IEC 17788, and ISO/IEC 17789 all describe four deployment models:

Private cloud: In this model, the cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Community cloud: Community cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public cloud: The public cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid cloud: The hybrid cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

As more organizations leverage SaaS, PaaS, and IaaS, it is important to be aware of the limited ability they have to define specific security controls and functions.

Vulnerabilities
  • Inherently exposed to external communication/access: By their nature, cloud systems tend to be more exposed to external communications.
  • Misconfiguration a major risk: Cloud providers typically have well managed infrastructure, but unfamiliarity with the interface and management functions often results in users misconfiguring the cloud service or hosted components in a way that exposes data.
  • May exist for long periods (risk of being outdated): Services ported to a cloud environment may exist for long periods of time. While the underlying components provisioned by the cloud service provider (CSP) may be periodically updated, it is often the user’s responsibility to update some components, but assumptions may exist that it is not necessary or that the CSP is providing that function when they are
  • Gap between CSP and data owner security controls: There is a high risk for misunderstanding on the cloud customer’s part where the responsibilities of the CSP end for security and the customer responsibilities begin.
Mitigations
  • Reputable cloud service provider that supplies security information/testing results
  • Well trained system administrators
  • Robust configuration control/change control
  • File and communication encryption
  • Well managed identity and access controls
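The misconfiguration risk above is easiest to see in a concrete check. The Python script below is an added example, not part of the original page or of any provider's tooling: it audits constructed, AWS-style bucket policy documents for the classic error of an Allow statement whose Principal is a wildcard and that carries no Condition, and checks whether plaintext transport is denied. The bucket name, account ID and role ARN are made up for the illustration.

```python
import json

# Constructed sample policies for the illustration; the bucket name,
# account ID and role ARN are made up and belong to no real account.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppServersOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-customer-exports/*",
        },
        {
            "Sid": "DenyPlaintext",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-customer-exports/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} style entries (anyone at all)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_statements(policy_json):
    """Return the Sids of Allow statements that anyone on the Internet can use.

    A statement is flagged when its Principal is a wildcard and no Condition
    narrows it. A Condition is taken at face value here; a fuller review would
    also inspect weak conditions such as aws:Referer checks.
    """
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    flagged = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if _is_wildcard_principal(st.get("Principal")) and not st.get("Condition"):
            flagged.append(st.get("Sid", f"statement-{i}"))
    return flagged


def denies_plaintext_transport(policy_json):
    """True if the policy denies every principal when aws:SecureTransport is false."""
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        cond = st.get("Condition", {}).get("Bool", {})
        if (st.get("Effect") == "Deny"
                and _is_wildcard_principal(st.get("Principal"))
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "public statements:", find_public_statements(policy),
              "denies plaintext:", denies_plaintext_transport(policy))
```

Run against the constructed policies, the first is reported as publicly readable and the second as restricted to the application role with plaintext access denied. The same kind of check belongs in the configuration control process, run before a policy change is applied rather than after the data has been exposed.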


Distributed Systems

In a distributed computing environment, nodes and processors operate independently, and storage and processing may be spread across multiple components. Nodes “pass messages” to coordinate and communicate. Example: Traditional telephone switches operate independently for local calls but coordinate to pass calls between them.

In computing terms, distributed systems may be used by large organizations to spread processing and storage across multiple low-cost systems, or they can consist of user-provided resources operating collectively (e.g., peer-to-peer networks).

Vulnerabilities
  • Lack of central control/monitoring may introduce failures or allow entry of unauthorized nodes
  • Data elements may be lost if nodes fail
  • Inconsistent security levels between nodes are possible in large-scale organizational deployments and highly likely in peer-to-peer deployments
  • Susceptible to communication failures, compromise, or denial of service (DoS) from either external attackers or internal components misbehaving (intentional or accidental)
Mitigations
  • Standard security rules for nodes to enter distributed network
  • Communication control, encryption, and redundancy
  • Node backup and data sharing between nodes
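The first mitigation, standard security rules for nodes entering the distributed network, is illustrated by the added Python example below (it is not code from the original page). A node sends a join request bound to its credential, a timestamp and a nonce; the coordinator admits it only if the message authenticates, the node is on the expected list, the request is fresh, and the nonce has not been seen before, which covers the unauthorized-node and replay cases from the vulnerability list. The shared cluster key, node names and timestamps are constructed for the illustration; a real deployment would give each node its own credential (typically a certificate) rather than one shared key.

```python
import hashlib
import hmac
import json
import secrets

# Constructed cluster secret for the illustration only; in practice each node
# would hold its own provisioned credential, not one key shared by all nodes.
CLUSTER_KEY = b"demo-cluster-key-not-for-production"


def _mac(key, body):
    # Canonical JSON so both sides authenticate exactly the same bytes.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_join_request(node_id, key, now):
    """Node side: a join message bound to the node's key, a timestamp and a nonce."""
    body = {"node_id": node_id, "ts": int(now), "nonce": secrets.token_hex(8)}
    return {**body, "mac": _mac(key, body)}


class Coordinator:
    """Admits nodes only when the request is authentic, expected, fresh and unseen."""

    def __init__(self, key, allowed_ids, max_skew=30):
        self.key = key
        self.allowed = set(allowed_ids)
        self.max_skew = max_skew          # seconds of clock drift tolerated
        self.seen_nonces = set()
        self.members = set()

    def admit(self, request, now):
        body = {k: v for k, v in request.items() if k != "mac"}
        mac = request.get("mac", "")
        # compare_digest avoids leaking the expected MAC through timing differences.
        if not hmac.compare_digest(mac, _mac(self.key, body)):
            return "rejected: bad mac"
        if body.get("node_id") not in self.allowed:
            return "rejected: unknown node"
        if abs(int(now) - body["ts"]) > self.max_skew:
            return "rejected: stale request"
        token = (body["node_id"], body["nonce"])
        if token in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(token)
        self.members.add(body["node_id"])
        return "admitted"


def demo(now=1_700_000_000):
    """Run the admission rules against one good request and four bad ones."""
    coord = Coordinator(CLUSTER_KEY, allowed_ids={"node-a", "node-b"})
    good = build_join_request("node-a", CLUSTER_KEY, now)
    results = {
        "authorized": coord.admit(good, now),
        "replayed": coord.admit(good, now),
        "wrong_key": coord.admit(build_join_request("node-b", b"guess", now), now),
        "unlisted": coord.admit(build_join_request("rogue", CLUSTER_KEY, now), now),
        "stale": coord.admit(build_join_request("node-b", CLUSTER_KEY, now - 600), now),
    }
    return results, sorted(coord.members)


if __name__ == "__main__":
    outcome, members = demo()
    for case, verdict in outcome.items():
        print(f"{case:>10}: {verdict}")
    print("members:", members)
```

The freshness window and the seen-nonce set are what make the rule robust against a captured join message being replayed later from an unauthorized host; the allow-list is what keeps a correctly keyed but unexpected node out.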

Internet of Things (IoT) Systems

The Internet of Things (IoT) is made up of small dedicated-use devices that are typically designed as small form factor, embedded hardware with a limited functionality OS. They may interface with the physical world and tend to be pervasively deployed where they exist. They are often connected to general purpose networks without receiving the protections applied to general purpose computing systems, and their full range of functions and external accessibility may be unclear to the owner or user.

Vulnerabilities
  • Limited vendor support for updates: Vendors may provide a limited support lifecycle for individual devices and give little attention to security updates.
  • Little to no onboard security capability: The devices have limited integrated security capabilities and rarely have any mechanism to allow external monitoring of their security functions (if any exist).
  • Poor code management due to rapid development cycles: Vendor code may be suspect and “hacked together” from various sources to meet aggressive product release schedules.
  • May contain limited or weak security implementations on standard protocols (e.g., Bluetooth, WiFi): While the devices are often capable of using standard protocols, the security features may be disabled or degraded in favor of interoperability and ease of use.
Mitigations

In effect, most IoT devices are small embedded system controllers and should be treated like an embedded system or industrial control systems (ICSs) as appropriate.

  • Isolated on private networks with controlled access
  • Products selected for security features and updatability: inherently insecure products are not procured
  • Product security/penetration testing
  • Disable unneeded functions

Web-based Systems

Web-based systems or applications are mainly characterized by user interaction occurring through a web browser using the HTTP or HTTPS protocols. Applications or data are accessible and manipulated through a web browser or web service, and they often connect to a data source (database) that may be on or off platform. They use standard protocols, and interfaces and connections are typically dynamic, with potentially thousands forming and closing within seconds of operation.

Vulnerabilities

Web servers or applications inherit the vulnerabilities of whatever platform or OS they execute upon. Common web vulnerabilities include the following:

  • Accessibility to network communications/access: They tend to be highly exposed and accessible to outside attackers.
  • Use of obsolete protocols/encryption: Unless specifically configured to prevent it, some web servers will allow obsolete or lower security protocols or encryption to support backwards compatibility with older browser types.
  • Code/configuration errors that expose components or data: The main vulnerability in most web servers is in server configuration errors or code flaws.
Mitigations

Besides mitigations applied to the platform, common mitigation strategies include the following:

  • Protect system behind firewalls and access controls
  • Limit and monitor communication protocols
  • Scan, evaluate, and assess interfaces and code (HTML, Java, scripts, etc.)
  • Tightly control configuration and change management
  • Ensure the platform is securely configured
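The code-flaw vulnerability above is the one a scan of the application code is meant to catch. As an added example, not taken from the original page, the Python below shows the most common web application code flaw, SQL injection, beside its fix: the vulnerable lookup splices user input into the query text, while the safe lookup binds it as a parameter. The in-memory customer table and the attacker input are constructed for the illustration.

```python
import sqlite3


def make_customer_db():
    """Constructed in-memory table standing in for the application's data source."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account_no TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, account_no) VALUES (?, ?)",
        [("alice@example.com", "1001"), ("bob@example.com", "1002")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The flaw: user input is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest is executed as SQL."""
    sql = "SELECT email, account_no FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The fix: a bound parameter is always treated as data, never as SQL."""
    return conn.execute(
        "SELECT email, account_no FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Constructed attacker input: closes the string literal and adds an always-true clause.
INJECTION = "' OR '1'='1"


def compare(email):
    """Run the same input through both lookups against a fresh table."""
    conn = make_customer_db()
    return {
        "vulnerable": lookup_vulnerable(conn, email),
        "safe": lookup_safe(conn, email),
    }


if __name__ == "__main__":
    print("normal input :", compare("alice@example.com"))
    print("injected     :", compare(INJECTION))
```

With a normal address both functions return the one matching row; with the injected input the vulnerable lookup returns every customer's account number while the parameterized version returns nothing, because no email literally equals the attacker's string.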

Mobile Systems

Mobile systems include a large and diverse set of products.

It is commonly agreed that they include phones, tablets, and wearable devices. Many have a portable, small form factor and a limited functionality embedded OS. They typically contain limited amounts of data but are highly connected (cellular, WiFi, Bluetooth, tethering) devices designed for a single user.

Laptop and convertible computers are essentially general purpose computing platforms in a small form factor hardware configuration. These include laptops, convertibles, and full function computing platforms in tablet-like form factors. The main differentiator of this type of mobile platform is the inclusion of a full featured operating system with capabilities similar to a desktop computer. They typically contain large amounts of data and are multi-user capable. However, they may share connectivity characteristics with smaller form factor mobile systems and be highly connected (WiFi, Bluetooth, tethering, possibly cellular).

Are laptops mobile systems? Opinions may vary; they are certainly portable systems and share many of the physical security concerns of other mobile devices, but they may have significantly different security concerns associated with the OS. They are capable of more onboard controls (e.g., traditional computer host protections, logging, monitoring, access controls) and have different mitigation mechanisms available to them than other mobile device types. Some tablets cross the line between laptop characteristics and embedded mobile device characteristics.

Vulnerabilities

For most mobile device types:

  • Loss or theft
  • Weak access controls configured
  • Unencrypted data
  • Communication interception or eavesdropping
  • Limited onboard security services and monitoring
Mitigations

Mitigations for embedded type mobile devices without a full featured OS:

  • Mobile device management (MDM) installed and managed centrally
  • Device tracking, wiping, software control, policy enforcement
  • Activate screen lock and high complexity passcodes or biometrics
  • Ensure device is encrypted
  • Tunnel communications through virtual private network (VPN) architecture
  • Limit software/apps installed to trusted packages
  • Prevent jailbreak or rooting devices as this bypasses most built-in security functions and leaves the device susceptible to both local access and network based attacks
  • Do not connect to public networks (e.g., coffee shop, hotel) 

For laptops or hybrid systems with a full featured OS:

  • Apply all traditional computer system protections (e.g., AV, FW, Host IPS, etc.)
  • Ensure encryption is activated
  • Ensure strong passwords, biometrics, or two factor authentication on all user accounts
  • Activate anti-theft function or tracking functions if available (available on many business class systems and some personal class systems)
  • Tunnel mobile communications through VPN
  • Do not connect to public networks (e.g., coffee shop, hotel)

Embedded Systems

An embedded system is best characterized as a computing platform with a dedicated function that usually has a limited function or specialized OS that does not have the capabilities typical of a full featured OS (e.g., Windows, macOS, a standard Linux distribution). Embedded systems typically have limited processing power and a long service life in many applications. They may include System on a Chip (SoC) architectures with very limited ability to update. Embedded systems are common in IoT, ICS, and mobile devices and tend to be highly diverse in nature with significant vendor specific customizations. They perform specialized computing operations instead of general purpose computing.

Vulnerabilities

Embedded systems have vulnerabilities associated with their particular function or use case. In general they include the following:

  • Limited function design does not include full monitoring and security control implementation
  • Limited access controls
  • Limited ability to update, vendor support often time limited
Mitigations

For all classes or types of embedded systems, the following mitigations will typically improve security, but may impact functionality and should be applied intelligently after appropriate tailoring.

  • Limit access to devices
  • Limit communications to devices
  • Disable unnecessary/unneeded components/features/ communications
  • Isolate on dedicated networks if connected
  • Monitor external communications with exterior sensors (e.g., network taps, sensors)
  • Apply vendor updates when available

Activity: Designing Security into an Architecture

The National Federal Amalgamated Corporation (NFAC) is developing a new customer facing application for amalgamated data. The initial design includes the following elements:

  • Database servers within the NFAC data center that store customer private and sensitive data elements
  • Application servers within the NFAC data center that access the database servers and are accessed by NFAC employee workstations
  • Employee workstations (some desktop, some laptop) are used by NFAC employees to access the application servers to access, upload, modify, and delete sensitive customer data
  • Web servers located with a cloud provider that access NFAC databases and applications to deliver data to external customers through a web browser
  • Mobile applications distributed to customers for installation on Android and Apple devices that provide customer access via a Mobile Application Service hosted by the same cloud provider hosting the web servers

INSTRUCTIONS:

Consider the scenario and the vulnerabilities, mitigations, and controls discussed in the preceding modules. Each of the system types listed in the scenario has inherent strengths and weaknesses. For each item, identify potential risks or weakness and one or more controls or mitigation consistent with the access requirements listed in the scenario.

EXAMPLE:

Database Servers

  • Risk: Database servers contain bulk sensitive data and may be targeted by adversaries.
  • Control: Database servers will be placed on a protected network segment and network access controls will prevent access to  the database server for any connection except from authorized application servers.

Complete for:
Database Servers

Application Servers

Employee workstations

Web Servers

Mobile Applications
