SlideShare a Scribd company logo

CISSP Certification- Security Engineering-part1

Download as PPTX, PDF
H
Hamed Moghaddam

The document outlines key objectives and principles of security engineering, emphasizing the importance of applying security design principles throughout the engineering lifecycle. It covers various security models, architectures, and evaluation criteria, illustrating how to protect and manage information systems effectively. Additionally, it includes discussions on access permissions, security zones, and common frameworks used in enterprise security architecture.

Education
1 of 51
Downloaded 37 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
SECURITY ENGINEERING Objectives of Domain: Understand the engineering lifecycle and apply security design principles. Understand the fundamental concepts of security models. Select controls and countermeasures based upon systems security standards. Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements, mobile systems, and embedded devices. Apply cryptography Apply secure principles to site and facility design. 1
SECURITY ENGINEERING The Engineering Lifecycle Using Security Design principles  Systems engineering models and processes usually organize themselves around the concept of lifecycle.  Concept of operations  Requirements  Design  Integration, Test, and Verification  Verification and Validation  Operation and Maintenance  Retirement 2
SECURITY ENGINEERING Fundamental principles of Security Models  Common system components  Processors  Memory and storage  Primary storage  Memory protection  Secondary storage  Virtual memory  Firmware  Peripherals and other I/O devices  Operating system 3
SECURITY ENGINEERING • Security architecture is part of the overall architecture of an information system. It directs how the components included in the system architecture should be organized to ensure that security requirements are met. The security architecture of an information system should include: A description of the locations in the overall architecture where security measures should be placed. A description of how various components of the architecture should interact to ensure security. The security specifications to be followed when designing and developing the system. 4
SECURITY ENGINEERING Computer Architecture It comprises all the parts in a computer system that are necessary for it to function. Such parts include the operating system, memory chips, logic circuits, storage devices, I/O devices, security components, buses, and networking components. The Central Processing Unit (CPU) – Processes the instructions provided by the various applications/programs. To do this the CPU needs to access such instructions from their memory locations. The CPU can access the memory locations in its cache, along with memory locations in the random access memory (RAM). These types of memory are called primary memory. The major components. The Arithmetic Logic Unit (ALU) Control Unit (coordinates instruction execution) Registers that act as temporary memory locations and store the memory addresses of the instructions and data that needs processing by the CPU. 5
SECURITY ENGINEERING Computer Architecture Multiprocessing – more than one CPU Operating System Architecture Process Activity Memory Management Memory Types – RAM, ROM, etc. Virtual Memory CPU Modes & Protection Rings 6
SECURITY ENGINEERING CPU Modes & Protection rings Protection Rings provide a security mechanism for an operating system by creating boundaries between the various processes operating on a system and also ensures that processes do not affect each other or harm critical system components. Ring 0 – Operating system kernel (supervisor /privilege mode) Ring 1 – Remaining parts of the operating system (OS) Ring 2 – Operating system and I/O drivers and OS utilities Ring 3 – Applications (Programs) and user activity 7
SECURITY ENGINEERING Recognizing access permissions Let us evaluate access control mechanism provided by the protection rings: Suppose a subject is located in ring 3. Which of the ring levels can this subject access? A subject located in ring 3 can directly access objects in its own ring. Most applications running on a system operate from ring 3 which has the least access to system components. On the contrary, a subject in a lower numbered ring can directly access objects in higher numbered rings. Suppose an application located in ring 3 has directly sends an instruction to the CPU. What would be the result of this instruction (choose one)? A. The CPU executes the instruction. B. The CPU raises an exception error. C. The operating systems uses a system call to handle the instruction Answer: B. In case an application located in ring 3 directly sends an instruction directly to the CPU, the CPU raises an exception error! When an application needs to perform an operation that requires access to the CPU – which is only accessible from ring 0 – the application needs to send a request to the OS. The OS then executes the instruction on behalf of the application by using system calls. 8
SECURITY ENGINEERING Computer Architecture • Domains • Layering & Data Hiding • Virtual Machines • A virtual machine is a simulated real machine environment created to simultaneously run multiple applications on a computer. • Additional Storage Devices • Input/Output Device Management 9
SECURITY ENGINEERING • System Architecture Defined Subset of Subjects and Objects Trusted Computing Base (TCB) Originated from the Orange Book and deals with the protection mechanisms within a computer. It addresses hardware, software, and firmware. Security Perimeter It delineates the trusted and the untrusted components within a computer system. Reference Monitor The reference monitor is an abstract machine concept that mediates all access between subjects and objects. Security Kernel The Security kernel enforces the reference monitor concept. Must facilitate isolation of processes Must be invoked at every access attempt. Must be small enough to be tested and verified in a comprehensive manner. Security Policy – a set of rules on how resources are managed within a computer system. Least Privilege – one process has no more privileges than it needs. 10
SECURITY ENGINEERING • Security Models The function of a Security Model is to Map the abstract goals of a security policies to an information system. Specify mathematical formulae and data structures for implementing security policy goals. While a security policy states goals without specifying how to accomplish them, a security model specifies a framework to implement these goals. An organization can use different types of security models. However, it is very important for security personnel to understand the different security models to protect the organization’s resources.  For example the security model that a military organization uses is quite different from that of a commercial entity, due to the variations in the types of data. Security Model can be formal when it is based on pure mathematical implementation of security policies and assure high security. For example in military systems, air controller systems, etc. Security Model is informal when it merely describes how to 11
SECURITY ENGINEERING Enterprise Security Architecture (ESA)  Implements the building blocks of information security infrastructure across the entire organization.  It focuses on a strategic design for a set of security services that can be leveraged by multiple applications, systems, or business processes  Key goals and objectives of an ESA includes,  Long term view of controls  A unified vision for common security controls  Leverages existing technology investments 12
SECURITY ENGINEERING Common Security Services  Boundary control services – firewalls, border routers, etc.  Access control services – authentication, SSO, etc.  Integrity services – antivirus, content filtering, file integrity services, etc.  Cryptographic services – encryption services, PKI, etc  Audit and monitoring services – log collection and management, analytics (SEIM – Security Event 13
SECURITY ENGINEERING Security Zones of Control  Area or grouping within which a defined set of security policies and measures are applied to achieve a specific level of security.  Ensures that systems in a more secured zone do not leak through to a less secured zone.  Zones are tightly controlled with mechanisms such as firewalls, authentication services, proxies, etc. 14
SECURITY ENGINEERING Common Architecture Frameworks  An architecture framework is a structure that can further be used to develop a broad range of architectures.  It describes a method of designing an integrated set of systems or system components.  It may include a set of recommended standards and operational practices. 15
SECURITY ENGINEERING Zachman Framework  Developed as a common context for understanding complex architectures.  Allows for the communication and collaboration of all entities in the development of architectures.  It provides a logical structure for integrating the plan, design, and build aspects of an architecture. 16
CISSP SECURITY ENGINEERING ASM EDUCATIONAL CENTER INC. (ASM) WHERE TRAINING, TECHNOLOGY & SERVICE CONVE RGE WWW.ASMED.COM PHONE: (301)984-7400 17
SECURITY ENGINEERING Sherwood Applied Business Security Architecture (SABSA) Framework  A holistic lifecycle for developing a security architecture that considers business requirements.  It creates a chain of traceability through the phases of strategy, concept, design, implementation, and metric. 18
SECURITY ENGINEERING The Open Group Architecture Framework (TOGAF)  It is an open framework for organizations to design and build enterprise architectures.  It provides an architecture development method that describes the step-by-step process. 19
SECURITY ENGINEERING IT Infrastructure Library (ITIL)  Developed by the Central Computer and Telecommunications Agency (CCTA), an agency under the British Government.  ITIL defines the organizational structure and skill requirements and operational procedures with practices that direct IT operations and infrastructure, including security.  What sets ITIL apart is the strong focus on end-to-end service delivery and management. 20
SECURITY ENGINEERING Types of Security Models  State Machine Model.  Multilevel Lattice Model  Non-interference Model  Information Flow Model 21
SECURITY ENGINEERING •Security Models State Machine Models The Bell-LaPadula Model The Biba Model The Clark-Wilson Model The Brewer & Nash Model Take-Grant Model Access Control Matrix The Graham-Denning Model The Information Flow Model The Non-Interference Model The Harrison-Ruzzo-Ulman Model 22
SECURITY ENGINEERING Security Models State Machine Models The state of a system is its snapshot at any one particular moment. The state machine model describes subjects, objects, and sequences in a system. The focus of this model is to capture the system’s state and ensure its security. When an object accepts input, the value of the state variable is modified. For a subject to access this object or modify the object value, the subject should have appropriate access rights. State transitions refer to activities that alter a systems state. 23
24 SECURITY ENGINEERING Confidentiality models: Bell & LaPadula)  Developed by David Elliot Bell and Len LaPadula  This model focuses on data confidentiality and access to classified information.  A Formal Model developed for the DoD multilevel security policy  This formal model divides entities in an information system into subjects and objects.  Model is built on the concept of a state machine with different allowable states (i.e. Secure state)
25 SECURITY ENGINEERING Bell & LaPadula Confidentiality Model Has 3 rules:  Simple Security Property – “no read up”  A subject cannot read data from a security level higher than subject’s security level.  * Security Property – “no write down”  A subject cannot write data to a security level lower than the subject’s security level.  Strong * Property – “no write up and no read down”.  A subject with read/write privilege can perform read/write functions only at the subject’s security levels.
26 SECURITY ENGINEERING Integrity models (e.g., Biba, Clark and Wilson) Biba Integrity Model Developed by Kenneth J. Biba in 1977 based on a set of access control rules designed to ensure data integrity No subject can depend on an object of lesser integrity Based on a hierarchical lattice of integrity levels
27 SECURITY ENGINEERING Biba Integrity Model The Rules: Simple integrity axiom – “no read down” – A Subject cannot read data from an object of lower integrity level. * Integrity axiom – “no write up” – A Subject cannot write data to an object at a higher integrity level. Invocation property – A subject cannot invoke (call upon) subjects at a higher integrity level.
28 SECURITY ENGINEERING Commercial Models Integrity models – Clark-Wilson Model Model Characteristics: Deals with all three integrity goals Prevents unauthorized users from making modifications Prevents authorized users from making improper modifications Maintain internal and external consistency – reinforces separation of duties
29 SECURITY ENGINEERING Commercial Models – cont’d Brewer-Nash Model – a.k.a. Chinese Wall Developed to combat conflict of interest Publish in 1989 to ensure fair competition Defines a wall and a set of rules to ensure that no subject accesses objects on the other side of the wall Way of separating competitors data within the same integrated database
30 SECURITY ENGINEERING Commercial Models Take-Grant Model Model Characteristics Mathematical framework used for granting and revoking access rights The take rule allows a subject to take the rights of another subject The grant rule allows a subject to grant rights to another subject.
31 SECURITY ENGINEERING Commercial Models Access Control Matrix Model (ACL) Model Characteristics Implemented using an Access Control List Specifies access rights for each subject as it relates to objects Two dimensional matrix representing subjects in rows and objects in columnsSubjects & Objects Admin Directory Payroll File Pay Process Kwame Read Read/Write None Dan Read Read None Angela Read Delete Execute Juan Read Read/Write Execute Lee Read Update Delete
32 SECURITY ENGINEERING Commercial Models Graham Denning Model Model Characteristics Defines the commands that a subject can execute to securely Such as Create and delete an object Create and delete a subject Provide read, grant, delete, and transfer access rights
33 SECURITY ENGINEERING Information flow model Model Characteristics: Hold data in distinct compartments Data is compartmentalized based on classification and the need to know Model seeks to eliminate covert channels Model ensures that information always flows from a low security level to a higher security level and from a high integrity level to a low integrity level. Whatever component directly affects the flow of information must dominate all components involved with the flow of information
34 SECURITY ENGINEERING Noninterference Model Model Characteristics: Model ensures that actions at a higher security level does not interfere with the actions at a lower security level. The goal of this model is to protect the state of an entity at the lower security level by actions at the higher security level so that data does not pass through covert or timing channels.
35 SECURITY ENGINEERING Harrison-Russo-Ulman Model Model Characteristics Harrison-Ruzzo-Ullman Model is a security model that provides policies for changing access rights and rights for the creation and deletion of subjects and objects. It is generally considered to be one of the more complex security models.
SECURITY ENGINEERING Security Modes of Operation Dedicated Security Mode Where all users have a clearance for, and a formal need to know about, all data processed within a system. System High-Security Mode Where all users have security clearance to access information but not necessarily a need to know all the information processed on a system. Compartmented Security Mode Where all users have security clearance to access all the information processed on a system in a high security mode, but not the need to know or formal access approval. Multilevel Security Mode When it permits two or more classification levels of information to be processed at the same time when not all users have the clearance or approval to access the info being processed. All users must have the right approval to access what they need to perform their duties. Trust & Assurance Trust levels give a customer how much protection is being offered. This leads to the expectation of assurance 36
SECURITY ENGINEERING Capturing & Analyzing Requirements  Functional requirements  Nonfunctional requirements 37
SECURITY ENGINEERING Creating & Documenting Security Architecture  Requirement capturing is paramount to the architecture and design of every system . 38
SECURITY ENGINEERING Information Systems Security Evaluation Models  Common formal security methods.  Evaluation criteria 39
SECURITY ENGINEERING Product Evaluation Models  Trusted Computer System Evaluation Criteria (TCSEC).  ITSEC  The Common Criteria 40
41 SECURITY ENGINEERING Trusted Computer Security Evaluation Criteria (TCSEC) Developed by the National Computer Security Center (NCSC) for the DOD Also known as the Orange Book Based on the Bell-LaPadulla model (deals with only confidentiality) Uses a hierarchically ordered series of evaluation classes Fundamental Requirements Security policy – evaluated to check if it is well-defined and enforced in the system Marking/Labels – evaluated to ensure availability of access control for all objects Identification – evaluated to check if all individual subjects are uniquely identified. Accountability – evaluated to check if security audit data is logged and protected. Life-cycle Assurance – evaluated by separately testing software, hardware, and firmware to ascertain if they implement the security policy. Continuous protection – if designs support continuous protection.
42 SECURITY ENGINEERING Trusted Computer Security Evaluation Criteria (TCSEC) Ratings: A1 – Verified Protection B1, B2, B3 – Mandatory Protection C1, C2 – Discretionary Protection D – Minimal Security
43 SECURITY ENGINEERING Information Tech Security Evaluation Criteria (ITSEC) Created by some European nations in 1991 as a standard to evaluate security attributes of computer systems Evaluates functionality and assurance separately E1 to E6 for assurance Functional levels of F1 to F10 are not strictly required
44 SECURITY ENGINEERING Information Technology Security Evaluation criteria (ITSEC): Functionality ratings are F1 to F5 – Maps to the TCSEC ratings C1 to A1 F6 - For systems that require high levels of integrity for data and programs F7 - For systems that require high levels of availability of their functions F8 - For systems that require high levels of data integrity during communications F9 - For systems that require high levels of data confidentiality during communications F10 – For networks that require high levels of data confidentiality and integrity
45 SECURITY ENGINEERING Information Technology Security Evaluation Criteria (ITSEC): Assurance ratings are E0 – Indicates inadequate assurance and assigned to systems that fail to meet the E1 criteria E1 - Rating includes functional testing to verify if TOE meets its security target E2 - Includes the evaluation of testing evidence, configuration controls, and distribution processes E3 - Evaluates the source code and hardware drawings of the security mechanism and also the testing of the mechanisms. E4 - Verifies the availability of a formal model of the security policy. Also verifies semiformal specifications of security mechanisms, architectural design and detailed design E5 - Evaluates whether there is close correspondence between the detailed design and the source code or hardware drawings E6 – Verifies whether the security mechanisms and the architectural design are consistent with the security policy
46 SECURITY ARCHITECTURE & DESIGN Information Technology Security Evaluation criteria (ITSEC) ITSEC TCSEC E0 D F1 + E1 C1 F2 + E2 C2 F3 + E3 B1 F4 + E4 B2 F5 + E5 B3 F5 + E6 A1
47 SECURITY ENGINEERING Common Criteria (CC) ISO Standard created in 1993 for global security evaluation Made up from TCSEC, ITSEC, and the Canadian version Components Protection profile  a set of security requirements and objectives for the system A Protection Profile consists of  Descriptive elements – contains the name of the profile and the description of the security problem to solved.  Rationale – justifies the profile and provides a detailed description of the real-world problems that need to be solved.  Functional requirements – establishes a protection boundary that the product must provide.  Development assurance requirements – Identify the requirements for the various development phases of the product.  Evaluation assurance requirements – establish the type and intensity of the evaluation.
48 SECURITY ENGINEERING Common Criteria (CC) Target of evaluation Security target Evaluation packages
49 SECURITY ENGINEERING Common Criteria (CC) Ratings Rated as Evaluation Assurance Level (EAL) 1 through 7 EAL 1 – Functionally tested EAL 2 – Structurally tested EAL 3 – Methodically tested and checked EAL 4 – Methodically designed, tested, and reviewed EAL 5 – Semi formally designed and tested EAL 6 – Semi-formally verified designed and tested EAL 7 – Formally verified designed and tested
SECURITY ENGINEERING Industry & International Security Implementation Guidelines  ISO/IEC 27001 and 27002 Security Standards  Control Objectives for Information & Related Technology (COBIT)  Payment Card Industry Data Security Standard (PCI-DSS) 50
GOOD LUCK! ASM EDUCATIONAL CENTER INC. (ASM) WHERE TRAINING, TECHNOLOGY & SERVICE CONVE RGE WWW.ASMED.COM PHONE: (301)984-7400 51

More Related Content

What's hot (20)

PDF
Information Security Management 101
Jerod Brennen
 
PPT
information security management
Gurpreetkaur838
 
PPTX
Introduction to information security
KATHEESKUMAR S
 
PPTX
CISSP - Chapter 1 - Security Concepts
Karthikeyan Dhayalan
 
PPTX
Information Security Blueprint
Zefren Edior
 
PPTX
Domain 2 - Asset Security
Maganathin Veeraragaloo
 
PPT
Chapter 3: Information Security Framework
Nada G.Youssef
 
PPT
Introduction to information security - by Ivan Nganda
See You Rise Holdings
 
PDF
ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.
IGN MANTRA
 
PPTX
Information security management (bel g. ragad)
Rois Solihin
 
PPTX
Information Security - Back to Basics - Own Your Vulnerabilities
Jack Nichelson
 
PDF
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
festival ICT 2016
 
PPT
Introduction to information security
Dhani Ahmad
 
PPTX
Information Security
Alok Katiyar
 
DOCX
Information security management iso27001
Hiran Kanishka
 
PPT
Lesson 1- Information Policy
MLG College of Learning, Inc
 
PDF
Information Security
We Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
PPTX
Importance Of A Security Policy
charlesgarrett
 
PPTX
Information security management best practice
parves kamal
 
PPTX
MIS: Information Security Management
Jonathan Coleman
 
Information Security Management 101
Jerod Brennen
 
information security management
Gurpreetkaur838
 
Introduction to information security
KATHEESKUMAR S
 
CISSP - Chapter 1 - Security Concepts
Karthikeyan Dhayalan
 
Information Security Blueprint
Zefren Edior
 
Domain 2 - Asset Security
Maganathin Veeraragaloo
 
Chapter 3: Information Security Framework
Nada G.Youssef
 
Introduction to information security - by Ivan Nganda
See You Rise Holdings
 
ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.
IGN MANTRA
 
Information security management (bel g. ragad)
Rois Solihin
 
Information Security - Back to Basics - Own Your Vulnerabilities
Jack Nichelson
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
festival ICT 2016
 
Introduction to information security
Dhani Ahmad
 
Information Security
Alok Katiyar
 
Information security management iso27001
Hiran Kanishka
 
Lesson 1- Information Policy
MLG College of Learning, Inc
 
Information Security
We Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
Importance Of A Security Policy
charlesgarrett
 
Information security management best practice
parves kamal
 
MIS: Information Security Management
Jonathan Coleman
 

Similar to CISSP Certification- Security Engineering-part1 (20)

PPTX
Security Architecture and Design - CISSP
Srishti Ahuja
 
PPTX
Engnerring documents chapter 134Ch14.pptx
AJAYKUMAR34368
 
ODP
CISSP Week 22
jemtallon
 
PPTX
Ch14
Keith Jasper Mier
 
DOCX
Laureate Online Education Information Security Engineering .docx
DIPESH30
 
PPTX
Security engineering
OWASP Indonesia Chapter
 
PDF
Designing Security Architecture Solutions 1st Jay Ramachandran
pianondorman
 
DOCX
SECURITY SOFTWARE RESOLIUTIONS (SSR) .docx
bagotjesusa
 
PPTX
Enumerating software security design flaws throughout the ssdlc cosac - 201...
John M. Willis
 
PPTX
Enumerating software security design flaws throughout the SSDLC
John M. Willis
 
PDF
Designing Security Architecture Solutions 1st Edition Jay Ramachandran
wohkwrtliu0660
 
PDF
TUD CS4105 | 2015 | Lecture 1
Eelco Visser
 
PDF
CISSP Preview - For the next generation of Security Leaders
NUS-ISS
 
PDF
3. Security Engineering
Sam Bowne
 
PPT
ch0001 computer systems security and principles and practices
stephen972973
 
PDF
Information Security basic introduction by professor
adityakatare35
 
PPTX
Safe and secure autonomous systems
Alan Tatourian
 
PPTX
SECURITY PRINCIPLES AND SECURITY SERVICES.pptx
22r01a05l4
 
PPTX
Development lifecycle and principals of Security
SylvesterNdegese1
 
PPTX
Lecture 1
fadwa_stuka
 
Security Architecture and Design - CISSP
Srishti Ahuja
 
Engnerring documents chapter 134Ch14.pptx
AJAYKUMAR34368
 
CISSP Week 22
jemtallon
 
Ch14
Keith Jasper Mier
 
Laureate Online Education Information Security Engineering .docx
DIPESH30
 
Security engineering
OWASP Indonesia Chapter
 
Designing Security Architecture Solutions 1st Jay Ramachandran
pianondorman
 
SECURITY SOFTWARE RESOLIUTIONS (SSR) .docx
bagotjesusa
 
Enumerating software security design flaws throughout the ssdlc cosac - 201...
John M. Willis
 
Enumerating software security design flaws throughout the SSDLC
John M. Willis
 
Designing Security Architecture Solutions 1st Edition Jay Ramachandran
wohkwrtliu0660
 
TUD CS4105 | 2015 | Lecture 1
Eelco Visser
 
CISSP Preview - For the next generation of Security Leaders
NUS-ISS
 
3. Security Engineering
Sam Bowne
 
ch0001 computer systems security and principles and practices
stephen972973
 
Information Security basic introduction by professor
adityakatare35
 
Safe and secure autonomous systems
Alan Tatourian
 
SECURITY PRINCIPLES AND SECURITY SERVICES.pptx
22r01a05l4
 
Development lifecycle and principals of Security
SylvesterNdegese1
 
Lecture 1
fadwa_stuka
 
Ad

More from Hamed Moghaddam (20)

PPTX
Cisco CCNA IP SLA with tracking configuration
Hamed Moghaddam
 
PPTX
Cisco CCNA-CCNP IP SLA Configuration
Hamed Moghaddam
 
PPTX
Juniper JNCIA – Juniper RIP and OSPF Route Configuration
Hamed Moghaddam
 
PPTX
Cisco CCNA CCNP VACL Configuration
Hamed Moghaddam
 
PPTX
Juniper JNCIA – Juniper RIP Route Configuration
Hamed Moghaddam
 
PPTX
Juniper JNCIA – Juniper OSPF Route Configuration
Hamed Moghaddam
 
PPTX
Juniper JNCIA – Juniper Floating Static Route Configuration
Hamed Moghaddam
 
PPTX
Cisco CCNA IPV6 Static Configuration
Hamed Moghaddam
 
PPTX
Cisco CCNA Port Security
Hamed Moghaddam
 
PPTX
Cisco CCNA- NAT Configuration
Hamed Moghaddam
 
PPTX
Cisco CCNA GRE Tunnel Configuration
Hamed Moghaddam
 
PPTX
Cisco CCNA- PPP Multilink Configuration
Hamed Moghaddam
 
PPTX
Cisco CCNA EIGRP IPV6 Configuration
Hamed Moghaddam
 
PPTX
Cisco CCNA OSPF IPV6 Configuration
Hamed Moghaddam
 
PPTX
Cisco CCNA- How to Configure Multi-Layer Switch
Hamed Moghaddam
 
PPTX
CISSP Certification Security Engineering-Part2
Hamed Moghaddam
 
PPTX
Cisco CCNA-Router on Stick
Hamed Moghaddam
 
PPTX
Cisco CCNA-Standard Access List
Hamed Moghaddam
 
PPTX
Cisco CCNA- DHCP Server
Hamed Moghaddam
 
PPTX
Microsoft MCSA- Joining Client Machines To The Domain!
Hamed Moghaddam
 
Cisco CCNA IP SLA with tracking configuration
Hamed Moghaddam
 
Cisco CCNA-CCNP IP SLA Configuration
Hamed Moghaddam
 
Juniper JNCIA – Juniper RIP and OSPF Route Configuration
Hamed Moghaddam
 
Cisco CCNA CCNP VACL Configuration
Hamed Moghaddam
 
Juniper JNCIA – Juniper RIP Route Configuration
Hamed Moghaddam
 
Juniper JNCIA – Juniper OSPF Route Configuration
Hamed Moghaddam
 
Juniper JNCIA – Juniper Floating Static Route Configuration
Hamed Moghaddam
 
Cisco CCNA IPV6 Static Configuration
Hamed Moghaddam
 
Cisco CCNA Port Security
Hamed Moghaddam
 
Cisco CCNA- NAT Configuration
Hamed Moghaddam
 
Cisco CCNA GRE Tunnel Configuration
Hamed Moghaddam
 
Cisco CCNA- PPP Multilink Configuration
Hamed Moghaddam
 
Cisco CCNA EIGRP IPV6 Configuration
Hamed Moghaddam
 
Cisco CCNA OSPF IPV6 Configuration
Hamed Moghaddam
 
Cisco CCNA- How to Configure Multi-Layer Switch
Hamed Moghaddam
 
CISSP Certification Security Engineering-Part2
Hamed Moghaddam
 
Cisco CCNA-Router on Stick
Hamed Moghaddam
 
Cisco CCNA-Standard Access List
Hamed Moghaddam
 
Cisco CCNA- DHCP Server
Hamed Moghaddam
 
Microsoft MCSA- Joining Client Machines To The Domain!
Hamed Moghaddam
 
Ad

Recently uploaded (20)

PPTX
SPINA BIFIDA: NURSING MANAGEMENT .pptx
PRADEEP ABOTHU
 
PPTX
Mathematics 5 - Time Measurement: Time Zone
menchreo
 
PPTX
grade 5 lesson matatag ENGLISH 5_Q1_PPT_WEEK4.pptx
SireQuinn
 
PDF
Isharyanti-2025-Cross Language Communication in Indonesian Language
Neny Isharyanti
 
PPT
Talk on Critical Theory, Part One, Philosophy of Social Sciences
Soraj Hongladarom
 
PPTX
THE TAME BIRD AND THE FREE BIRD.pptxxxxx
MarcChristianNicolas
 
PDF
Dimensions of Societal Planning in Commonism
StefanMz
 
PPTX
BANDHA (BANDAGES) PPT.pptx ayurveda shalya tantra
rakhan78619
 
PDF
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - GLOBAL SUCCESS - CẢ NĂM - NĂM 2024 (VOCABULARY, ...
Nguyen Thanh Tu Collection
 
PPTX
Universal immunization Programme (UIP).pptx
Vishal Chanalia
 
PPTX
Stereochemistry-Optical Isomerism in organic compoundsptx
Tarannum Nadaf-Mansuri
 
PPT
Talk on Critical Theory, Part II, Philosophy of Social Sciences
Soraj Hongladarom
 
PPTX
2025 Winter SWAYAM NPTEL & A Student.pptx
Utsav Yagnik
 
PPTX
HYDROCEPHALUS: NURSING MANAGEMENT .pptx
PRADEEP ABOTHU
 
PPTX
A PPT on Alfred Lord Tennyson's Ulysses.
Beena E S
 
PDF
ARAL-Orientation_Morning-Session_Day-11.pdf
JoelVilloso1
 
PDF
LAW OF CONTRACT (5 YEAR LLB & UNITARY LLB )- MODULE - 1.& 2 - LEARN THROUGH P...
APARNA T SHAIL KUMAR
 
PDF
CONCURSO DE POESIA “POETUFAS – PASSOS SUAVES PELO VERSO.pdf
Colégio Santa Teresinha
 
PDF
Lesson 2 - WATER,pH, BUFFERS, AND ACID-BASE.pdf
marvinnbustamante1
 
PDF
0725.WHITEPAPER-UNIQUEWAYSOFPROTOTYPINGANDUXNOW.pdf
Thomas GIRARD, MA, CDP
 
SPINA BIFIDA: NURSING MANAGEMENT .pptx
PRADEEP ABOTHU
 
Mathematics 5 - Time Measurement: Time Zone
menchreo
 
grade 5 lesson matatag ENGLISH 5_Q1_PPT_WEEK4.pptx
SireQuinn
 
Isharyanti-2025-Cross Language Communication in Indonesian Language
Neny Isharyanti
 
Talk on Critical Theory, Part One, Philosophy of Social Sciences
Soraj Hongladarom
 
THE TAME BIRD AND THE FREE BIRD.pptxxxxx
MarcChristianNicolas
 
Dimensions of Societal Planning in Commonism
StefanMz
 
BANDHA (BANDAGES) PPT.pptx ayurveda shalya tantra
rakhan78619
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - GLOBAL SUCCESS - CẢ NĂM - NĂM 2024 (VOCABULARY, ...
Nguyen Thanh Tu Collection
 
Universal immunization Programme (UIP).pptx
Vishal Chanalia
 
Stereochemistry-Optical Isomerism in organic compoundsptx
Tarannum Nadaf-Mansuri
 
Talk on Critical Theory, Part II, Philosophy of Social Sciences
Soraj Hongladarom
 
2025 Winter SWAYAM NPTEL & A Student.pptx
Utsav Yagnik
 
HYDROCEPHALUS: NURSING MANAGEMENT .pptx
PRADEEP ABOTHU
 
A PPT on Alfred Lord Tennyson's Ulysses.
Beena E S
 
ARAL-Orientation_Morning-Session_Day-11.pdf
JoelVilloso1
 
LAW OF CONTRACT (5 YEAR LLB & UNITARY LLB )- MODULE - 1.& 2 - LEARN THROUGH P...
APARNA T SHAIL KUMAR
 
CONCURSO DE POESIA “POETUFAS – PASSOS SUAVES PELO VERSO.pdf
Colégio Santa Teresinha
 
Lesson 2 - WATER,pH, BUFFERS, AND ACID-BASE.pdf
marvinnbustamante1
 
0725.WHITEPAPER-UNIQUEWAYSOFPROTOTYPINGANDUXNOW.pdf
Thomas GIRARD, MA, CDP
 

CISSP Certification- Security Engineering-part1

  • 1. SECURITY ENGINEERING Objectives of Domain: Understand the engineering lifecycle and apply security design principles. Understand the fundamental concepts of security models. Select controls and countermeasures based upon systems security standards. Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements, mobile systems, and embedded devices. Apply cryptography Apply secure principles to site and facility design. 1
  • 2. SECURITY ENGINEERING The Engineering Lifecycle Using Security Design principles  Systems engineering models and processes usually organize themselves around the concept of lifecycle.  Concept of operations  Requirements  Design  Integration, Test, and Verification  Verification and Validation  Operation and Maintenance  Retirement 2
  • 3. SECURITY ENGINEERING Fundamental principles of Security Models  Common system components  Processors  Memory and storage  Primary storage  Memory protection  Secondary storage  Virtual memory  Firmware  Peripherals and other I/O devices  Operating system 3
  • 4. SECURITY ENGINEERING • Security architecture is part of the overall architecture of an information system. It directs how the components included in the system architecture should be organized to ensure that security requirements are met. The security architecture of an information system should include: A description of the locations in the overall architecture where security measures should be placed. A description of how various components of the architecture should interact to ensure security. The security specifications to be followed when designing and developing the system. 4
  • 5. SECURITY ENGINEERING Computer Architecture It comprises all the parts in a computer system that are necessary for it to function. Such parts include the operating system, memory chips, logic circuits, storage devices, I/O devices, security components, buses, and networking components. The Central Processing Unit (CPU) – Processes the instructions provided by the various applications/programs. To do this the CPU needs to access such instructions from their memory locations. The CPU can access the memory locations in its cache, along with memory locations in the random access memory (RAM). These types of memory are called primary memory. The major components. The Arithmetic Logic Unit (ALU) Control Unit (coordinates instruction execution) Registers that act as temporary memory locations and store the memory addresses of the instructions and data that needs processing by the CPU. 5
  • 6. SECURITY ENGINEERING Computer Architecture Multiprocessing – more than one CPU Operating System Architecture Process Activity Memory Management Memory Types – RAM, ROM, etc. Virtual Memory CPU Modes & Protection Rings 6
  • 7. SECURITY ENGINEERING CPU Modes & Protection rings Protection Rings provide a security mechanism for an operating system by creating boundaries between the various processes operating on a system and also ensures that processes do not affect each other or harm critical system components. Ring 0 – Operating system kernel (supervisor /privilege mode) Ring 1 – Remaining parts of the operating system (OS) Ring 2 – Operating system and I/O drivers and OS utilities Ring 3 – Applications (Programs) and user activity 7
  • 8. SECURITY ENGINEERING Recognizing access permissions Let us evaluate access control mechanism provided by the protection rings: Suppose a subject is located in ring 3. Which of the ring levels can this subject access? A subject located in ring 3 can directly access objects in its own ring. Most applications running on a system operate from ring 3 which has the least access to system components. On the contrary, a subject in a lower numbered ring can directly access objects in higher numbered rings. Suppose an application located in ring 3 has directly sends an instruction to the CPU. What would be the result of this instruction (choose one)? A. The CPU executes the instruction. B. The CPU raises an exception error. C. The operating systems uses a system call to handle the instruction Answer: B. In case an application located in ring 3 directly sends an instruction directly to the CPU, the CPU raises an exception error! When an application needs to perform an operation that requires access to the CPU – which is only accessible from ring 0 – the application needs to send a request to the OS. The OS then executes the instruction on behalf of the application by using system calls. 8
  • 9. SECURITY ENGINEERING Computer Architecture • Domains • Layering & Data Hiding • Virtual Machines • A virtual machine is a simulated real machine environment created to simultaneously run multiple applications on a computer. • Additional Storage Devices • Input/Output Device Management 9
  • 10. SECURITY ENGINEERING • System Architecture Defined Subset of Subjects and Objects Trusted Computing Base (TCB) Originated from the Orange Book and deals with the protection mechanisms within a computer. It addresses hardware, software, and firmware. Security Perimeter It delineates the trusted and the untrusted components within a computer system. Reference Monitor The reference monitor is an abstract machine concept that mediates all access between subjects and objects. Security Kernel The Security kernel enforces the reference monitor concept. Must facilitate isolation of processes Must be invoked at every access attempt. Must be small enough to be tested and verified in a comprehensive manner. Security Policy – a set of rules on how resources are managed within a computer system. Least Privilege – one process has no more privileges than it needs. 10
  • 11. SECURITY ENGINEERING • Security Models The function of a Security Model is to Map the abstract goals of a security policies to an information system. Specify mathematical formulae and data structures for implementing security policy goals. While a security policy states goals without specifying how to accomplish them, a security model specifies a framework to implement these goals. An organization can use different types of security models. However, it is very important for security personnel to understand the different security models to protect the organization’s resources.  For example the security model that a military organization uses is quite different from that of a commercial entity, due to the variations in the types of data. Security Model can be formal when it is based on pure mathematical implementation of security policies and assure high security. For example in military systems, air controller systems, etc. Security Model is informal when it merely describes how to 11
  • 12. SECURITY ENGINEERING Enterprise Security Architecture (ESA)  Implements the building blocks of information security infrastructure across the entire organization.  It focuses on a strategic design for a set of security services that can be leveraged by multiple applications, systems, or business processes  Key goals and objectives of an ESA includes,  Long term view of controls  A unified vision for common security controls  Leverages existing technology investments 12
  • 13. SECURITY ENGINEERING Common Security Services  Boundary control services – firewalls, border routers, etc.  Access control services – authentication, SSO, etc.  Integrity services – antivirus, content filtering, file integrity services, etc.  Cryptographic services – encryption services, PKI, etc  Audit and monitoring services – log collection and management, analytics (SEIM – Security Event 13
  • 14. SECURITY ENGINEERING Security Zones of Control  Area or grouping within which a defined set of security policies and measures are applied to achieve a specific level of security.  Ensures that systems in a more secured zone do not leak through to a less secured zone.  Zones are tightly controlled with mechanisms such as firewalls, authentication services, proxies, etc. 14
  • 15. SECURITY ENGINEERING Common Architecture Frameworks  An architecture framework is a structure that can further be used to develop a broad range of architectures.  It describes a method of designing an integrated set of systems or system components.  It may include a set of recommended standards and operational practices. 15
  • 16. SECURITY ENGINEERING Zachman Framework  Developed as a common context for understanding complex architectures.  Allows for the communication and collaboration of all entities in the development of architectures.  It provides a logical structure for integrating the plan, design, and build aspects of an architecture. 16
  • 17. CISSP SECURITY ENGINEERING ASM EDUCATIONAL CENTER INC. (ASM) WHERE TRAINING, TECHNOLOGY & SERVICE CONVE RGE WWW.ASMED.COM PHONE: (301)984-7400 17
  • 18. SECURITY ENGINEERING Sherwood Applied Business Security Architecture (SABSA) Framework  A holistic lifecycle for developing a security architecture that considers business requirements.  It creates a chain of traceability through the phases of strategy, concept, design, implementation, and metric. 18
  • 19. SECURITY ENGINEERING The Open Group Architecture Framework (TOGAF)  It is an open framework for organizations to design and build enterprise architectures.  It provides an architecture development method that describes the step-by-step process. 19
  • 20. SECURITY ENGINEERING IT Infrastructure Library (ITIL)  Developed by the Central Computer and Telecommunications Agency (CCTA), an agency under the British Government.  ITIL defines the organizational structure and skill requirements and operational procedures with practices that direct IT operations and infrastructure, including security.  What sets ITIL apart is the strong focus on end-to-end service delivery and management. 20
  • 21. SECURITY ENGINEERING Types of Security Models  State Machine Model.  Multilevel Lattice Model  Non-interference Model  Information Flow Model 21
  • 22. SECURITY ENGINEERING •Security Models State Machine Models The Bell-LaPadula Model The Biba Model The Clark-Wilson Model The Brewer & Nash Model Take-Grant Model Access Control Matrix The Graham-Denning Model The Information Flow Model The Non-Interference Model The Harrison-Ruzzo-Ulman Model 22
  • 23. SECURITY ENGINEERING Security Models State Machine Models The state of a system is its snapshot at any one particular moment. The state machine model describes subjects, objects, and sequences in a system. The focus of this model is to capture the system’s state and ensure its security. When an object accepts input, the value of the state variable is modified. For a subject to access this object or modify the object value, the subject should have appropriate access rights. State transitions refer to activities that alter a systems state. 23
  • 24. 24 SECURITY ENGINEERING Confidentiality models: Bell & LaPadula)  Developed by David Elliot Bell and Len LaPadula  This model focuses on data confidentiality and access to classified information.  A Formal Model developed for the DoD multilevel security policy  This formal model divides entities in an information system into subjects and objects.  Model is built on the concept of a state machine with different allowable states (i.e. Secure state)
  • 25. 25 SECURITY ENGINEERING Bell & LaPadula Confidentiality Model Has 3 rules:  Simple Security Property – “no read up”  A subject cannot read data from a security level higher than subject’s security level.  * Security Property – “no write down”  A subject cannot write data to a security level lower than the subject’s security level.  Strong * Property – “no write up and no read down”.  A subject with read/write privilege can perform read/write functions only at the subject’s security levels.
  • 26. 26 SECURITY ENGINEERING Integrity models (e.g., Biba, Clark and Wilson) Biba Integrity Model Developed by Kenneth J. Biba in 1977 based on a set of access control rules designed to ensure data integrity No subject can depend on an object of lesser integrity Based on a hierarchical lattice of integrity levels
  • 27. 27 SECURITY ENGINEERING Biba Integrity Model The Rules: Simple integrity axiom – “no read down” – A Subject cannot read data from an object of lower integrity level. * Integrity axiom – “no write up” – A Subject cannot write data to an object at a higher integrity level. Invocation property – A subject cannot invoke (call upon) subjects at a higher integrity level.
  • 28. 28 SECURITY ENGINEERING Commercial Models Integrity models – Clark-Wilson Model Model Characteristics: Deals with all three integrity goals Prevents unauthorized users from making modifications Prevents authorized users from making improper modifications Maintain internal and external consistency – reinforces separation of duties
  • 29. 29 SECURITY ENGINEERING Commercial Models – cont’d Brewer-Nash Model – a.k.a. Chinese Wall Developed to combat conflict of interest Publish in 1989 to ensure fair competition Defines a wall and a set of rules to ensure that no subject accesses objects on the other side of the wall Way of separating competitors data within the same integrated database
  • 30. 30 SECURITY ENGINEERING Commercial Models Take-Grant Model Model Characteristics Mathematical framework used for granting and revoking access rights The take rule allows a subject to take the rights of another subject The grant rule allows a subject to grant rights to another subject.
  • 31. 31 SECURITY ENGINEERING Commercial Models Access Control Matrix Model (ACL) Model Characteristics Implemented using an Access Control List Specifies access rights for each subject as it relates to objects Two dimensional matrix representing subjects in rows and objects in columnsSubjects & Objects Admin Directory Payroll File Pay Process Kwame Read Read/Write None Dan Read Read None Angela Read Delete Execute Juan Read Read/Write Execute Lee Read Update Delete
  • 32. 32 SECURITY ENGINEERING Commercial Models Graham Denning Model Model Characteristics Defines the commands that a subject can execute to securely Such as Create and delete an object Create and delete a subject Provide read, grant, delete, and transfer access rights
  • 33. 33 SECURITY ENGINEERING Information flow model Model Characteristics: Hold data in distinct compartments Data is compartmentalized based on classification and the need to know Model seeks to eliminate covert channels Model ensures that information always flows from a low security level to a higher security level and from a high integrity level to a low integrity level. Whatever component directly affects the flow of information must dominate all components involved with the flow of information
  • 34. 34 SECURITY ENGINEERING Noninterference Model Model Characteristics: Model ensures that actions at a higher security level does not interfere with the actions at a lower security level. The goal of this model is to protect the state of an entity at the lower security level by actions at the higher security level so that data does not pass through covert or timing channels.
  • 35. 35 SECURITY ENGINEERING Harrison-Russo-Ulman Model Model Characteristics Harrison-Ruzzo-Ullman Model is a security model that provides policies for changing access rights and rights for the creation and deletion of subjects and objects. It is generally considered to be one of the more complex security models.
  • 36. SECURITY ENGINEERING Security Modes of Operation Dedicated Security Mode Where all users have a clearance for, and a formal need to know about, all data processed within a system. System High-Security Mode Where all users have security clearance to access information but not necessarily a need to know all the information processed on a system. Compartmented Security Mode Where all users have security clearance to access all the information processed on a system in a high security mode, but not the need to know or formal access approval. Multilevel Security Mode When it permits two or more classification levels of information to be processed at the same time when not all users have the clearance or approval to access the info being processed. All users must have the right approval to access what they need to perform their duties. Trust & Assurance Trust levels give a customer how much protection is being offered. This leads to the expectation of assurance 36
  • 37. SECURITY ENGINEERING Capturing & Analyzing Requirements  Functional requirements  Nonfunctional requirements 37
  • 38. SECURITY ENGINEERING Creating & Documenting Security Architecture  Requirement capturing is paramount to the architecture and design of every system . 38
  • 39. SECURITY ENGINEERING Information Systems Security Evaluation Models  Common formal security methods.  Evaluation criteria 39
  • 40. SECURITY ENGINEERING Product Evaluation Models  Trusted Computer System Evaluation Criteria (TCSEC).  ITSEC  The Common Criteria 40
  • 41. 41 SECURITY ENGINEERING Trusted Computer Security Evaluation Criteria (TCSEC) Developed by the National Computer Security Center (NCSC) for the DOD Also known as the Orange Book Based on the Bell-LaPadulla model (deals with only confidentiality) Uses a hierarchically ordered series of evaluation classes Fundamental Requirements Security policy – evaluated to check if it is well-defined and enforced in the system Marking/Labels – evaluated to ensure availability of access control for all objects Identification – evaluated to check if all individual subjects are uniquely identified. Accountability – evaluated to check if security audit data is logged and protected. Life-cycle Assurance – evaluated by separately testing software, hardware, and firmware to ascertain if they implement the security policy. Continuous protection – if designs support continuous protection.
  • 42. 42 SECURITY ENGINEERING Trusted Computer Security Evaluation Criteria (TCSEC) Ratings: A1 – Verified Protection B1, B2, B3 – Mandatory Protection C1, C2 – Discretionary Protection D – Minimal Security
  • 43. 43 SECURITY ENGINEERING Information Tech Security Evaluation Criteria (ITSEC) Created by some European nations in 1991 as a standard to evaluate security attributes of computer systems Evaluates functionality and assurance separately E1 to E6 for assurance Functional levels of F1 to F10 are not strictly required
  • 44. 44 SECURITY ENGINEERING Information Technology Security Evaluation criteria (ITSEC): Functionality ratings are F1 to F5 – Maps to the TCSEC ratings C1 to A1 F6 - For systems that require high levels of integrity for data and programs F7 - For systems that require high levels of availability of their functions F8 - For systems that require high levels of data integrity during communications F9 - For systems that require high levels of data confidentiality during communications F10 – For networks that require high levels of data confidentiality and integrity
  • 45. 45 SECURITY ENGINEERING Information Technology Security Evaluation Criteria (ITSEC): Assurance ratings are E0 – Indicates inadequate assurance and assigned to systems that fail to meet the E1 criteria E1 - Rating includes functional testing to verify if TOE meets its security target E2 - Includes the evaluation of testing evidence, configuration controls, and distribution processes E3 - Evaluates the source code and hardware drawings of the security mechanism and also the testing of the mechanisms. E4 - Verifies the availability of a formal model of the security policy. Also verifies semiformal specifications of security mechanisms, architectural design and detailed design E5 - Evaluates whether there is close correspondence between the detailed design and the source code or hardware drawings E6 – Verifies whether the security mechanisms and the architectural design are consistent with the security policy
  • 46. 46 SECURITY ARCHITECTURE & DESIGN Information Technology Security Evaluation criteria (ITSEC) ITSEC TCSEC E0 D F1 + E1 C1 F2 + E2 C2 F3 + E3 B1 F4 + E4 B2 F5 + E5 B3 F5 + E6 A1
  • 47. 47 SECURITY ENGINEERING Common Criteria (CC) ISO Standard created in 1993 for global security evaluation Made up from TCSEC, ITSEC, and the Canadian version Components Protection profile  a set of security requirements and objectives for the system A Protection Profile consists of  Descriptive elements – contains the name of the profile and the description of the security problem to solved.  Rationale – justifies the profile and provides a detailed description of the real-world problems that need to be solved.  Functional requirements – establishes a protection boundary that the product must provide.  Development assurance requirements – Identify the requirements for the various development phases of the product.  Evaluation assurance requirements – establish the type and intensity of the evaluation.
  • 48. 48 SECURITY ENGINEERING Common Criteria (CC) Target of evaluation Security target Evaluation packages
  • 49. 49 SECURITY ENGINEERING Common Criteria (CC) Ratings Rated as Evaluation Assurance Level (EAL) 1 through 7 EAL 1 – Functionally tested EAL 2 – Structurally tested EAL 3 – Methodically tested and checked EAL 4 – Methodically designed, tested, and reviewed EAL 5 – Semi formally designed and tested EAL 6 – Semi-formally verified designed and tested EAL 7 – Formally verified designed and tested
  • 50. SECURITY ENGINEERING Industry & International Security Implementation Guidelines  ISO/IEC 27001 and 27002 Security Standards  Control Objectives for Information & Related Technology (COBIT)  Payment Card Industry Data Security Standard (PCI-DSS) 50
  • 51. GOOD LUCK! ASM EDUCATIONAL CENTER INC. (ASM) WHERE TRAINING, TECHNOLOGY & SERVICE CONVE RGE WWW.ASMED.COM PHONE: (301)984-7400 51