Chapter 11: Principles of Security Models, Design, and Capabilities

Question 1

In information security, what is the purpose of a model?

Answer 1

It provides a way to formalize security policies.

Question 2

What is the Trusted Computing Base, or TCB?

Answer 2

From the “Orange Book”, a combination of hardware, software, and controls that work together to form a trusted base to enforce your security policy.

It’s the only portion of a computer system that can be trusted to adhere to and enforce the security policy.

Question 3

What is the security perimeter of a system?

Answer 3

An imaginary boundary that separates the TCB from the rest of the system.

Question 4

What is a trusted path?

Answer 4

A secure channel created from the TCB to the rest of the system.

Question 5

What is a reference monitor or kernel?

Answer 5

The part of the TCB that validates access to every resource prior to granting access requests.

Question 6

What is the State Machine Model?

Answer 6

It describes a system that is always secure no matter what state it is in.

Question 7

What is the Information Flow Model?

Answer 7

A model that focuses on the flow of information. Based on a state machine model. Designed to prevent unauthorized, insecure, or restricted information flow, often between different levels of security.

Question 8

What is a Noninterference Model?

Answer 8

Loosely based on the Information Flow Model. Basically concerned with insuring that actions at a higher security level don’t affect anything at lower security model to avoid allowing objects or users at a lower security state from making inferences about the higher security state.

Question 9

What is the Take-Grant model?

Answer 9

A model that employs a directed graph to distate how rights can be passed from one subject to another or from a subject to an object.

Question 10

What is an Access Control Matrix?

Answer 10

A table of subjects and objects that indicate the actions or functions that each subject can perform on each object. Each column is an ACL. Each row is a capabilities list.

Question 11

What is involved in constructing an ACL?

Answer 11

Implementing an environment that can create and manage lists of subjects and objects
Crafting a function that can return the type associated with an object

Question 12

What is the Bell-LaPadula model?

Answer 12

A multilevel model that’s usually limited to unclassified, sensitive but unclassified, confidential, secret, and top-secret. A subject with any level of clearance can access resources at or below its clearance level, but at the higher levels, need to know applies.

Question 13

What is the Simple Security Property?

Answer 13

A subject may not read information at a higher sensitivity level (no read up)

Question 14

What is the * (star) Security Property?

Answer 14

A subject may not write information to an object a alower sensitivity level (no write down). AKA the confinement property.

Question 15

What is the Discretionary Security Property

Answer 15

The system uses an access matrix to enforce discretionary access control.

Question 16

Of the CIA triad, what does Bell-LaPadula address?

Answer 16

Only confidentiality. It does nothing for Integrity or Availability.

Question 17

What three issues does the Biba model address?

Answer 17

Prevent modification of objects by unauthorized subjects
Prevent unauthorized modifications of objects by authorized subjects
Protect internal and external object consistency.

Biba provides integrity where Bell-LaPadula does not.

Question 18

What is the Clark-Wilson Model?

Answer 18

Defines each data item and allows modifications only through a small set of programs. Subjects don’t have direct access to objects. Objects can only be accessed by programs. If you aren’t supposed to access the object, you aren’t given access to the program.

Question 19

What is the Brewer and Nash Model?

Answer 19

AKA Chinese Wall.

Question 20

What is a subject?

Answer 20

A user or process that makes a request to access a resource.

Question 21

What is an object?

Answer 21

The resource a user or process accesses.

Question 22

What is a closed system?

Answer 22

One designed to work well with a narrow range of other systems, genrally all from the same manufacturere.

Question 23

What is an open system?

Answer 23

Designed using agreed-upon industry standards. EAsier to integrate with systems from different manufacturers that support the same standards.

Question 24

What techniques exist for ensuring Confidentiality, Integrity, and Availability?

Answer 24

Confinement, bounds, isolation

Question 25

What is confinement?

Answer 25

Restricting a process to read and write to only certain memory locations and regions.

Question 26

What are bounds?

Answer 26

Assigning each process on the system an authority level which tells the OS how to set bounds for the processess. The bounds consist of limits set on memory adresses and resources the process can access.

Question 27

What is isolation?

Answer 27

Enforcing access bounds to cause confinement.

Question 28

What is a security control?

Answer 28

Something that uses access rules to limit the access of a subject to an object.

Question 29

What is a trusted system?

Answer 29

One in which all protection mechanisms work together to protect sensitive data for many types of users while maintaining a stable and secure computing environment.

Question 30

What is assurance?

Answer 30

The degree of confidence in satisfaction of security needs.

Question 31

What are the two steps in formal system evaluation?

Answer 31

The system is tested and a technical evaluation is performed to make sure the system’s security capabilties meet criteria laid out for its intended use.
The system is subejcted to a formal comparision of its deisgn and security criteria and its actual capabilities and performance.

Question 32

What are the four major TCSEC categories?

Answer 32

Cat A: Verified protection (highest level)
Cat B: Mandatory Protection
Cat C: Discretionary Protection
Cat D: Minimal protection.

Question 33

What are the discretionary protection categories?

Answer 33

C1: Discretionary Security Protection. Controls access by user IDs and/or groups. Weak protection
C2: Controlled access protection: Users must be individually identified. Media cleansing is enforced. Requires strict login procedures so that invalid or unauthorized users are refused.

Question 34

What are the mandatory protection categoreis?

Answer 34

B1: Labelled security. Each subject and object has a security label. Sufficient for classified data.
B2: Structured protection: Like B1, but B2 systems must ensure that no covert channels exist. Operator and administrator functions are separated. Process isolation.
B3: Security domains: Sufficient for very sensitive or secret data.

Question 35

What is the Red Book?

Answer 35

Interprets TCSEC in network setting. Rates confidentiality and integrity, addresses communications integrity, DoS protection, compromise protection and prevention, limited to networks labeled as “centralized networks with a single accreditation authority”, uses only four rating levels: none, C1, C2, B2.

Question 36

What is the Green Book?

Answer 36

DoD Password Management Guidelines.

Question 37

What are the objectives of the Common Criteria guidelines?

Answer 37

1. Add buyer confidence in security of evaluated, rated IT products
2. Eliminate duplicate evaluations
3. Keep making security evaluations more cost effective and efficient
4. Make sure evaluations of IT products adhere to high and consistent standards
5. Promote evaluation and increase availability of evaluated, rated IT products
6. Evaluate the functionality of the TOE

Question 38

What are protection profiles?

Answer 38

A profile that specifies for a product the security requirements and protections desired by a customer.

Question 39

What is a security target?

Answer 39

The claims of security from the vendor that are built into a TOE.

Question 40

What is a TOE?

Answer 40

Target of Evaluation

Question 41

What is a package in the Common Criteria?

Answer 41

An intermediate grouping of security requirement components that can be added or removed from a TOE.

Question 42

What are the three topical areas of the Common Criteria?

Answer 42

1. Introduction and General Model
2. Security Functional Requirements
3. Security Assurance

Question 43

What is Part 1 of the Common Criteria guidelines?

Answer 43

Describes the general concepts and underlying model used to evaluate IT security and what’s involved in specifying targets of evaluation.

Question 44

What is Part 2 of the Common Criteria guidelines?

Answer 44

Security Functional Requirements. Describes various functional requirements in terms of security audits, communications security, cryptographic support for security, user data protetion, identification and authentication, security management, TOE security functions, resource utilization, system access, and trusted paths.

Question 45

What is Part 3 of the Common Criteria guidelines?

Answer 45

Security Assurance. Assurance requirements for TOEs in the areas of configuration management, delivery and operation, development, guideance documents, and life cycle support plus assurance testss and vulnerability assessments.

Question 46

What are EALs?

Answer 46

Evaluation Assurance Levels in the Common Criteria. There are 7.

Question 47

List the EALs.

Answer 47

EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested and checked
EAL4: Mehodically designed, tested, and reviewed
EAL5: Semi-formally designed and tested
EAL6: Semi-formally verified, designed, and tested
EAL7: Formally verified, designed, and tested.

Question 48

What is PCI-DSS?

Answer 48

A collection of requirements for improving the security of electronic payments, defined by the PCI Security Standards Council (primarily banks and credit card companies).

Defines requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.

Question 49

What is certification?

Answer 49

The comprehensive evaluation of the technical and nontechnical security features of an IT system and other safeguards made in support of the accreditation process to establish the extent to which a particular design and implementation meeds a set of specified security standards.

This is the first phase in a total evaluation process.

Question 50

What is accreditation?

Answer 50

The formal declaration by the designated approving authority that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

Question 51

What is DITSCAP?

Answer 51

The Defense Information Technology Security Certification and Accreditation Process.

Question 52

What is NIACAP

Answer 52

National Information Assurance Certification and Accreditation Process

Question 53

What phases are DITSCAP and NIACAP divided into?

Answer 53

Definition, verification, validation, post-accreditation.

Question 54

Define DITSCAP/NIACAP phases in detail.

Answer 54

.