Use operating environments with solid process separation.
Operating systems with solid process separation include modern
versions of Windows, Unix-like operating systems, and most other widely
used general purpose operating systems.
Configure discretionary access controls to protect temporary areas.
Configuration controls over temporary areas prevent interference
with data values in temporary areas including file storage areas used
by processes. Programs often fail to provide proper protection for
their files and default values are sometimes overly broad for control
over the content in use.
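As an added illustration of the temporary-area point (this is example code written for this page, not the author's), the Python block below contrasts the weak default pattern, a predictably named file whose permissions are left to the process umask, with the corrected pattern, a file created by the standard library's mkstemp() with mode 0o600 and O_EXCL. The file names, contents and the helper is_private() are constructed for the example; it assumes a POSIX file system where mode bits are enforced.

```python
import os
import stat
import tempfile


def is_private(path: str) -> bool:
    """True when only the owner holds any permission bits on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def naive_temp_file(directory: str, name: str = "scratch.dat") -> str:
    """Weak pattern: predictable name, permissions left to the umask.

    With the common umask of 022 the result is 0o644, i.e. readable by
    every local user, and a pre-existing file of that name is silently
    reused (no O_EXCL), so another process can plant it first.
    """
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("working copy of sensitive data\n")  # constructed content
    return path


def protected_temp_file(directory: str) -> str:
    """Corrected pattern: unpredictable name, created atomically.

    tempfile.mkstemp() opens with O_CREAT|O_EXCL and mode 0o600, so the
    outcome does not depend on the umask inherited from the environment.
    """
    fd, path = tempfile.mkstemp(dir=directory, prefix="work-", suffix=".dat")
    with os.fdopen(fd, "w") as fh:
        fh.write("working copy of sensitive data\n")  # constructed content
    return path


def demo() -> dict:
    """Create both kinds of file in a scratch directory and report their privacy."""
    with tempfile.TemporaryDirectory() as d:
        naive = naive_temp_file(d)
        safe = protected_temp_file(d)
        return {
            "naive_private": is_private(naive),
            "protected_private": is_private(safe),
        }


if __name__ == "__main__":
    print(demo())
```

Whether the naive file comes out private depends entirely on the umask the process happened to inherit, which is exactly the kind of "overly broad default" the text refers to; the mkstemp() file is private regardless.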
Use cryptographic transforms to allow confidential computation in the open.
These mechanisms use encrypted forms of content that have
particular properties that allow the encrypted forms to be useful for
specific types of computation. The most common use is for things like
password protection, where the plaintext of a password is never stored;
in use, a password is checked by passing it through a one-way
cryptographic hash function and comparing the result to the stored hash.
This is only workable when the number of values is high enough and the
algorithm complex enough to prevent exhausting the value space. Its use
for things like social security numbers is relatively easy to defeat,
and thus while it affords limited protection, it is not sound for
substantial threats. All feasible approaches today other than strict
equality comparison of values also cost a great deal of performance,
and even equality comparison is significantly slowed.
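The following Python block is an added example (not code from the original text) that makes the two claims above concrete: a salted, deliberately slow one-way hash for password checking, and a size-of-value-space calculation showing why the same transform does not protect a field such as a social security number. The iteration count, the assumed hash rates, the 100-year horizon and the keyed_token() alternative (an HMAC under a secret key, which removes the enumeration problem at the cost of key management) are the example's own assumptions; the SSN-shaped string is a constructed sample value.

```python
import hashlib
import hmac
import math
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


def make_password_record(password: str) -> dict:
    """Store only a per-user salt and a slow one-way hash, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def check_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def value_space_bits(n_values: int) -> float:
    """Entropy of a value chosen uniformly from n_values possibilities."""
    return math.log2(n_values)


def exhaust_seconds(n_values: int, hashes_per_second: float) -> float:
    """Worst-case time to enumerate the whole value space at the given rate."""
    return n_values / hashes_per_second


def hash_protects(n_values: int, hashes_per_second: float,
                  horizon_years: float = 100.0) -> bool:
    """An unkeyed one-way hash only protects a field whose whole value space
    cannot be enumerated within the chosen horizon (assumed 100 years)."""
    return exhaust_seconds(n_values, hashes_per_second) > horizon_years * 365.25 * 86400


def keyed_token(secret_key: bytes, value: str) -> bytes:
    """Keyed alternative for small value spaces: without secret_key the token
    cannot be recomputed from candidate values, so enumeration does not help."""
    return hmac.new(secret_key, value.encode(), "sha256").digest()


def main() -> None:
    slow_rate = 1e3   # assumed: PBKDF2 guesses per second on one core
    spaces = [("US SSN, 10^9 values", 10 ** 9),
              ("8 random alphanumerics", 62 ** 8)]
    for label, n in spaces:
        verdict = "protected" if hash_protects(n, slow_rate) else "exhaustible"
        print(f"{label}: {value_space_bits(n):.1f} bits, "
              f"{exhaust_seconds(n, slow_rate) / 86400:.1f} days to exhaust -> {verdict}")
    rec = make_password_record("correct horse battery")
    print("password check:", check_password(rec, "correct horse battery"))


if __name__ == "__main__":
    main()
```

At the assumed slow-hash rate the SSN space (about 30 bits) is exhausted in roughly twelve days, whereas eight random alphanumerics (about 47.6 bits) take thousands of years, which is the distinction the text draws between a value space large enough to make hashing sound and one that is "relatively easy to defeat".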
Only use sensitive content in well controlled areas of the environment.
In a zoned and physically secured environment, these controls may
be adequate to reduce threats and available exploitation paths to a
desired level. However, this depends on the properties of many
other controls.
Use configuration controlled computers for sensitive computation.
This is an effective means for limiting the things that can
happen in the normal environment; however, it is of only limited utility at
higher threat levels.
Use real-time checks on data just prior to use.
These include antivirus checks just prior to execution of
programs, integrity shells, and other similar pre-use checks.
Integrity checks applied to all incoming data for each program
also fall under this category.
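An added example of a pre-use integrity check in the spirit of an integrity shell, written for this page rather than taken from it: a manifest of trusted SHA-256 digests is recorded at install time, and verify_before_use() refuses any item that is unknown or whose current digest no longer matches. The same function serves for incoming data files. The manifest format, the scratch script and the "tampering" step are constructed for the demonstration; the example assumes the manifest itself is stored where the checked programs cannot modify it.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str) -> str:
    """Digest a file in chunks so large programs or data sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths) -> dict:
    """Record trusted digests once, at a time the items are known to be good."""
    return {os.path.basename(p): sha256_file(p) for p in paths}


def verify_before_use(path: str, manifest: dict) -> bool:
    """Integrity-shell style gate: only known, unaltered items pass.

    Unknown names fail closed; known names are re-hashed at the moment of
    use and compared against the recorded digest in constant time.
    """
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> dict:
    """Build a manifest for a constructed script, then show the gate
    passing before and failing after the file changes."""
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "report.sh")
        with open(prog, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")  # constructed program
        manifest = build_manifest([prog])
        trusted = verify_before_use(prog, manifest)
        with open(prog, "a") as fh:
            fh.write("echo changed\n")  # constructed modification after manifest time
        after_change = verify_before_use(prog, manifest)
        unknown = verify_before_use(os.path.join(d, "other.sh"), manifest)
        return {"trusted": trusted, "after_change": after_change, "unknown": unknown}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the check runs immediately before execution or parsing, not at some earlier point, since the text's concern is the window between a check and the use of what was checked.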
Use redundant computation to assure proper answers and availability of results.
Redundant computation ranges from having multiple DNS servers for assured
availability to the use of N-modular redundancy for assuring proper results
in computations for life-critical applications and real-time control systems.
Use sanity checks and other similar validation for important results.
Output checks on the results are sensible when the results are
important enough to cause significant harm. Checks of audit records against
executions are also used to assure accountability in some high risk systems.
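As an added example covering both the redundant-computation and sanity-check items above (example code for this page, not the author's), the Python block implements an N-modular redundancy voter over several replicas of a computation and then applies an output range check to the voted result before releasing it. The replica functions, one of which is deliberately faulty, and the plausibility bounds are constructed for the demonstration.

```python
from collections import Counter
from typing import Callable, Iterable, Optional, Tuple


def majority_vote(results: Iterable) -> Tuple[object, bool]:
    """N-modular redundancy voter.

    Returns (value, agreed): value is the most common replica result and
    agreed is True only when a strict majority of replicas produced it.
    """
    results = list(results)
    if not results:
        raise ValueError("no replica results to vote on")
    value, count = Counter(results).most_common(1)[0]
    return value, count * 2 > len(results)


def sanity_check(value: float, low: float, high: float) -> bool:
    """Output plausibility check: the result must lie within known bounds."""
    return low <= value <= high


def controlled_output(x: float, replicas: Iterable[Callable[[float], float]],
                      low: float, high: float) -> Optional[float]:
    """Release a result only if the replicas agree and it passes the sanity check;
    otherwise return None so the caller can fail safe rather than act on it."""
    value, agreed = majority_vote(r(x) for r in replicas)
    if not agreed or not sanity_check(value, low, high):
        return None
    return value


# Constructed replicas: two correct copies and one that returns a wrong answer.
def replica_a(x: float) -> float:
    return x * 2


def replica_b(x: float) -> float:
    return x * 2


def replica_c(x: float) -> float:
    return x * 2 + 1  # faulty replica, outvoted by the other two


if __name__ == "__main__":
    reps = [replica_a, replica_b, replica_c]
    print(controlled_output(2, reps, low=0, high=10))   # 4: majority agrees, in range
    print(controlled_output(20, reps, low=0, high=10))  # None: 40 fails the sanity check
    print(majority_vote([1, 2, 3]))                     # (1, False): no majority
```

Triple modular redundancy masks a single faulty replica; the sanity check catches the case the voter cannot, where the replicas agree on an answer that is nonetheless impossible for the application.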
Use microzones to control and enable access only while in use.
Microzoning and its combination of encryption
and virtual machines (VMs) provide for separation of use in time (the
VM running state and content are only available while in use), in use
by VM (i.e., separate VMs have little or no direct interaction - but
do have covert channels) and decryption of content (VMs may
selectively decrypt content internally for use in a microzoning
approach). At this granularity level, these mechanisms can be
effective, but they are not normally high surety today.
Do nothing special.
It speaks for itself. In low risk systems, due diligence probably dictates some
controls in some situations, but this remains a feasible option.