[ISM3 Users] Tuesday Insight: Security Patterns
Pedro Soria-Rodriguez
sorrodp at gmail.com
Mon Oct 29 16:46:03 CET 2007
Hello Vicente, hello all,
I am involved in a European project (under the 6th Framework
Programme) which deals with security & dependability patterns at three
levels:
- Organization
- Workflow
- Networks and Devices
You may consult some early results at:
http://www.serenity-project.org/
http://www.serenity-forum.org/-Activities-.html
The project is ongoing, and will end in December 2008.
I can provide more information if you'd like.
Best regards,
--
Pedro Soria-Rodriguez, CISSP
sorrodp at gmail.com
On 10/25/07, Vicente Aceituno <vac at zenobia.es> wrote:
> Probably many of you have noticed that information security and other
> types of security use common techniques. By techniques or security
> patterns I don't mean how something is protected, but the general
> "what you do" scheme used for the protection.
>
> For example, encryption is a way of Hiding. In this particular case,
> you hide structured information in information that is apparently
> random. If you use steganography instead, you are hiding structured
> information inside structured information.
>
> I can think of the following security patterns:
>
> 1- User Registration - identifying users (identification) and providing
> them with credentials and access rights.
> 2- Access Control - users providing credentials to systems
> (authentication) and actually using them with their access rights
> (authorization)
> 3- Records - systems recording the use performed by users
> 4- Backup - making copies of information (backup) to replace
> information if lost
> 5- Summarization - Adding hashes and digital signatures to detect if
> information has changed.
> 6- Camouflage - hide structured information in information that is
> apparently random
> 7- Mimetism - hide structured information in structured information.
> 8- Clearing - destroying information or systems
> 9- Redundancy - keeping spare channels, repositories, interfaces, etc
> in case the main ones are not available
> 10- Decoys - creating lookalikes of potential targets to force the
> attacker to fail or use more resources (honeypots)
> 11- Delays - add artificial delays to hamper attacks (e.g. delay
> between login attempts)
> 12- Quarantine - delaying authorization until authentication can be
> performed thoroughly or other conditions are met.
> 13- Watch: keep under surveillance
> 14- Marking: for inventory and ownership proof purposes, Watermarking:
> hidden marking
> 15- Signatures: express will or authorship of something
> 16- Dissociation: keep two pieces of information linked but separated
> (used for privacy)
> 17- Dispersion: spread your systems in a big geographic area (most
> runaway groups spread to prevent getting all caught)
> 18- Diversification: use different technologies in redundant systems
> to prevent technology-dependent single points of failure
> 19- Durability: make systems in a way that doesn't break down easily.
> 20- Environment Control: control temperature, humidity and heat
> 21- Expiry: marking for clearing outdated information
> 22- Hardening: making systems less vulnerable to attack
> 23- High Mobility: move and turn fast to prevent being hit
> 24- High Visibility: be so obvious that it is more difficult to hit
> you (or miss you) by mistake.
> 25- Unpredictability: reduce the opportunity of attack by not following
> predictable patterns of behaviour (threatened people use different
> routes every day)
> 26- Insurance: recover your loss by transferring the risk to someone else
> 27- Inventory: learn what you have so you can protect it
> 28- Misinformation: misguide the attacker by giving him false but
> seemingly true information
> 29- Opportunity Minimization, Patching: Reduce the opportunities of
> attack by fixing holes or restricting when you are available
> 30- Reservoir: keep spares so you can replace failed components or systems
> 31- Shielding: put something hard between you and what could hit you
>
> My best
>
> Vicente
>
> P.S. I hope the next Tuesday Insight actually gets sent on a Tuesday... :)
> _______________________________________________
> Users mailing list
> Users at ism3.com
> http://lists.ism3.com/mailman/listinfo/users
>
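Editor's added illustration, not part of either message above: two of the patterns in Vicente's list, Delays (item 11, a growing delay between login attempts) and Records (item 3, keeping a trail of every attempt), implemented together as a small per-account login throttle. The class and function names, the thresholds (three free attempts, delays of 1, 2, 4 ... seconds capped at 60) and the sample account and passwords are all constructed for this example; the injectable clock exists so the behaviour can be exercised without real waiting.

```python
"""Added example: the "Delays" and "Records" security patterns as a login
throttle with an audit trail. Names, thresholds and sample credentials are
constructed for illustration and are not from the ISM3 list discussion."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # constructed choice for the example


def make_user(password, salt=None):
    """Store a salted PBKDF2 hash rather than the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Dummy record so unknown accounts cost the same work as real ones (constructed).
DUMMY = make_user("not-a-real-password")


def verify_password(users, user, password):
    """Constant-time comparison; hashing is done even for unknown users so the
    response time does not reveal which account names exist."""
    salt, stored = users.get(user, DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return user in users and hmac.compare_digest(candidate, stored)


class LoginThrottle:
    """Per-account throttle: after `free_attempts` consecutive failures, every
    further attempt must wait an exponentially growing delay (capped at
    `max_delay` seconds) measured from the last failure. Every attempt,
    including throttled ones, is appended to `records` (the Records pattern)."""

    def __init__(self, users, base_delay=1.0, max_delay=60.0,
                 free_attempts=3, clock=time.monotonic):
        self.users = users                # username -> (salt, digest)
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.free_attempts = free_attempts
        self.clock = clock                # injectable for testing
        self.failures = {}                # username -> consecutive failures
        self.last_failure = {}            # username -> clock() at last failure
        self.records = []                 # (time, username, outcome)

    def required_wait(self, user):
        """Seconds that must have passed since the last failure before the
        next attempt is checked against the password at all."""
        n = self.failures.get(user, 0)
        if n < self.free_attempts:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (n - self.free_attempts))

    def _record(self, now, user, outcome):
        self.records.append((now, user, outcome))

    def attempt(self, user, password):
        """Returns (accepted, message). Throttled attempts are refused without
        touching the password and do not themselves count as failures, so a
        burst of requests cannot lock an account out indefinitely."""
        now = self.clock()
        wait = self.required_wait(user)
        elapsed = now - self.last_failure.get(user, -float("inf"))
        if elapsed < wait:
            self._record(now, user, "throttled")
            return False, "retry in %.0fs" % (wait - elapsed)
        if verify_password(self.users, user, password):
            self.failures.pop(user, None)
            self._record(now, user, "success")
            return True, "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.last_failure[user] = now
        self._record(now, user, "failure")
        return False, "bad credentials"


class FakeClock:
    """Deterministic stand-in for time.monotonic() (constructed for the demo)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    users = {"alice": make_user("correct horse")}   # constructed sample account
    throttle = LoginThrottle(users, clock=clock)
    for _ in range(4):
        print(throttle.attempt("alice", "wrong"))   # 3 failures, then throttled
    clock.advance(3.0)
    print(throttle.attempt("alice", "correct horse"))
    for when, who, outcome in throttle.records:
        print("t=%.0f %s %s" % (when, who, outcome))
```

The audit trail is what turns the delay from a nuisance into a signal: a run of "throttled" records against one account, or the same source cycling through many accounts, is what a monitoring rule would look for.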