There are three kinds of vulnerabilities that can affect the security of an MLS system:
Unauthorized changes to the system include both software and hardware changes and can occur during code development, system distribution, and local maintenance. During the development phase, a disgruntled employee could intentionally place Trojan horses in the code or in the development tools. Source code reviews and tool reviews could reduce the likelihood of undiscovered Trojan horses. System developers should also ensure that, throughout development, strict controls monitor changes to the code. It is imperative that changes to the code not take place after the system is tested and approved.
During system distribution and local maintenance, unauthorized changes can occur if untrusted hardware and software components are substituted for the trusted computing base (TCB) hardware and software. Countermeasures to deter unauthorized modification include distribution controls, thorough tests of all maintenance, and strict controls that monitor changes to the original code. All personnel who are involved in this stage must be trusted individuals. The system manufacturer and the customer must play an active role to combat unauthorized changes during distribution and maintenance.
An unauthorized user who assumes the identity of a trusted security administrator is a threat to security. The likelihood of an unauthorized user assuming the role of an authorized user is greatly reduced when the system provides individual authentication and password protection. The potential for abuse is lessened even more when users take seriously the policies regarding password use and the policies are enforced by the system and by the security administrators. Unauthorized users could also assume the role of authorized users if trusted individuals abuse their authority. For example, if an individual authorized to change passwords changes the password for a special user and then logs on to that ID with the new password, he has all the privileges of that ID. For this reason, it is important to properly separate administrative roles. Discretionary access control (DAC) and mandatory access control (MAC) for administrative users must be properly implemented.
Misuse of authority can be careless or deliberate. Users can tell other users their passwords or assign privileges as a favor to a friend. An auditor can go on vacation and forget to have a substitute monitor a suspicious employee's activity. Deliberate misuse of authority may occur if individuals who have access to sensitive information share that information with unauthorized personnel. Failure to consistently perform one's job functions in a timely manner can also be misuse of authority. For example, if a systems programmer receives maintenance that solves a security problem and does not apply the fix in a timely manner, the system remains vulnerable to the problem that the maintenance fixes. Preventive measures to halt or limit misuse and abuse of authority include sufficient training and education about the use of the system, the security policy, and job responsibilities. Various audit capabilities can monitor users and detect misuse or abuse of authority.
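The audit capability mentioned above can be turned into a concrete check for the password-reset abuse described earlier: an administrator resets another user's password and then logs on with that ID. The following is an added example, not code from the CA documentation; the audit record layout, event names and terminal identifiers are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit records (not from any real system): each entry is
# (timestamp, event, actor, target user, terminal).
AUDIT_RECORDS = [
    ("2010-03-01T09:00:00", "LOGON",   "ADM01",   "ADM01",   "TTY07"),
    ("2010-03-01T09:02:10", "PWRESET", "ADM01",   "PAYROLL", "TTY07"),
    ("2010-03-01T09:03:05", "LOGOFF",  "ADM01",   "ADM01",   "TTY07"),
    ("2010-03-01T09:03:40", "LOGON",   "PAYROLL", "PAYROLL", "TTY07"),
    ("2010-03-01T10:15:00", "PWRESET", "ADM02",   "CLERK3",  "TTY12"),
    ("2010-03-01T13:30:00", "LOGON",   "CLERK3",  "CLERK3",  "TTY31"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_reset_then_logon(records, window=timedelta(minutes=15)):
    """Return (admin, target, terminal) tuples where an administrator reset a
    user's password and that user then logged on from the same terminal
    within `window`.

    The same-terminal condition is what separates the abuse case from a
    legitimate reset: a real user who has just had a password reset normally
    logs on from his own terminal, not from the administrator's session.
    """
    resets = [(_parse(ts), actor, target, term)
              for ts, ev, actor, target, term in records if ev == "PWRESET"]
    hits = []
    for ts, ev, actor, target, term in records:
        if ev != "LOGON":
            continue
        when = _parse(ts)
        for reset_at, admin, reset_user, reset_term in resets:
            if (target == reset_user
                    and term == reset_term
                    and admin != reset_user          # self-service resets are not suspicious
                    and reset_at <= when <= reset_at + window):
                hits.append((admin, reset_user, term))
    return hits


if __name__ == "__main__":
    for admin, user, term in find_reset_then_logon(AUDIT_RECORDS):
        print(f"review: {admin} reset {user} then {user} logged on at {term}")
```

Only the PAYROLL reset is flagged; the CLERK3 reset is followed by a logon from a different terminal hours later and is treated as routine.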
Copyright © 2010 CA Technologies.
All rights reserved.