Controls. Controls are measures that protect against loss or harm. Evaluation tasks here often focus on controls embodied in specific application functions and procedures. Examples of evaluation tasks are control analysis (to examine a particular control in-depth and determine its vulnerabilities and severity), work-factor analysis (to determine actual difficulties in exploiting control weaknesses), and countermeasure tradeoff analysis (to examine alternative ways to implement a control; this is often necessary to recommend corrective action).
Situational Analysis. One forbidding aspect of computer security evaluation is the complexity of an application and its protective safeguards. This limits not only the percentage of the application that can be examined but also the degree of understanding attainable for those portions that are examined. A solution to this problem is the use of situational analysis. Two forms of situational analysis are discussed: the analysis of attack scenarios and the analysis of transaction flows. Each is used to complement the high-level completeness of a basic evaluation with detailed, well-understood examples and can focus on particular aspects of the application.
An attack scenario is a synopsis of a projected course of events associated with a threat. It encompasses the four security components (assets, threats, exposure, and controls) interwoven with the specific functions, procedures, and products of the application. An example of an attack scenario is a step-by-step description of a penetration, describing penetrator planning and activities, the vulnerability exploited, the asset involved, and the resulting exposure.
A transaction flow is a sequence of events involved in the processing of a transaction. If the application as a whole contains only a small set of transactions, transaction flow analysis might be a sufficient vehicle in itself for the detailed evaluation.
The idea underlying situational analysis is to focus attention on a manageable set of individual situations that can be carefully examined and thoroughly understood. This makes the resulting analysis more meaningful because, first, it places threats, controls, assets, and exposures in context with respect to each other and to application functions. This allows for the proper consideration of interdependencies and presents a balanced, realistic picture. If a detailed evaluation decomposes security components into constituent parts, a situational analysis pieces these components together again into a coherent whole. Second, it emphasizes the objectives being served by controls and allows safeguards to be evaluated on the basis of these objectives. The increased understanding that can result from the use of situational analysis, as well as its illustrative value, make it an important tool for conducting and presenting detailed evaluations.
Review Functional Operation. Functional operation is the area most often emphasized in detailed evaluation because it assesses protection against human errors and casual attempts to misuse the application. Evaluations of functional operation assess whether controls perform their required functions acceptably. Although testing is the primary technique used in evaluating functional operation, other validation and verification techniques must also be used, particularly to provide adequate analysis and review during the early phases of the system life cycle. The routine testing and verification performed during development and operation often satisfy certification objectives, and it is not practical for the audit team to duplicate these activities. On the other hand, when routine testing and verification do not provide sufficient assurance for the desired level of security, additional testing that focuses on the functional operation of security controls must be added to satisfy those needs.
Besides testing, there are other security evaluation tools and techniques that can be used in examining functional operation. For example, software tools for program analysis can be helpful in documentation analysis. Matrices can suggest ideas for test cases and scenarios. Checklists provide quick training as well as suggest ideas for tests. Their value increases as more varied checklists become available to meet particular needs. For example, it can be useful to have checklists of assets, exposures, policies, policy alternatives and issues, environmental characteristics, threats, threat and asset characteristics, factors influencing threat frequency, controls, control interactions, flaw categories, and penetration approaches.
Review Performance. The quality of safeguards depends on much more than proper functional operation. Several qualitative factors are listed under the general heading of performance, which is the second area of concern in detailed evaluation. These are: