Chapter 8 Flashcards
entity that makes a request to access a resource
subject
entity a subject wants access to
resource
concept that if A trusts B and B trusts C, then A can also trust C
transitive trust
system that is designed to work well with a narrow range of other systems; standards are often proprietary and not normally disclosed
closed system
systems that are designed using agreed-upon industry standards
open systems
defined set of interactions allowed between computing elements
API - Application Programming Interface
11 secure design principles
- secure defaults
- fail securely
- keep it simple
- zero trust
- privacy by design
- trust but verify
- threat modeling
- defense in depth
- least privilege
- separation of duties
- shared responsibility
should you assume that A. default settings are the most secure or B. default settings are for easy installation and need to be hardened?
B
process where programmer codes in mechanisms to anticipate and defend against errors in order to avoid the termination of execution
exception handling
the inclusion of code that will attempt to handle errors when they arise before they can cause harm or interrupt execution
error handling
logical block statement that is used to place code that could result in an error on the “try” branch; an example of an exception handling mechanism
try..catch
3 mechanisms for avoiding or preventing errors related to user input
input sanitization
input validation
input filtering
allow a system to continue to operate after a component fails
fail-soft
human protection prioritization; when a failure occurs the product will revert to a state that protects the health and safety of people
fail-safe or fail-open
a system that prioritizes the physical security of assets over the safety of people
fail-secure or fail-close
the more complex a system, the more difficult it is to secure
KISS - Keep it Simple
eliminating redundancy in software by not repeating the same code in multiple places
DRY - Don’t Repeat Yourself
code should use the least necessary resources possible
Computing Minimalism
use the least powerful programming language that is suitable
Rule of Least Power
software quality/security does not necessarily increase with an increase in capabilities and functions
New Jersey Style (Worse is Better)
don’t add capabilities until they are actually necessary
YAGNI - You Aren’t Gonna Need It
nothing inside the organization is automatically trusted; every access request should be authenticated, authorized, and encrypted
zero trust
dividing up an internal network into numerous subzones using firewalls, subnets, or VLANs
microsegmentation
guideline to integrate privacy protections into products during the early design phase
Privacy by Design (PbD)
7 principles of PbD
- Proactive not reactive, preventative not remedial
- Privacy as the default
- Privacy embedded into design
- Full functionality
- End-to-end security
- Visibility and transparency
- Respect for user privacy
depends on an initial authentication process to gain access to the internal secure environment
trust but verify
allowing a process to read from and write to only certain memory locations and resources
confinement/sandboxing
limits set on the memory addresses and resources a process can access
bounds
the degree of confidence in satisfaction of security needs; how reliable the security mechanisms are
assurance
a system in which all protection mechanisms work together to process sensitive data while maintaining a stable and secure computing environment
trusted system
an object that is associated with a resource and describes its security attributes
token
a list that maintains a row of security attributes for each controlled object
capabilities list
a type of attribute storage that is a permanent part of the object to which it's attached
security label
combination of hardware, software, and controls that work together to form a trusted base
trusted computing base (TCB)
an imaginary boundary that separates the TCB from the rest of the system
security perimeter
part of the TCB that validates access to every resource
reference monitor
collection of components in the TCB that work together to implement reference monitor functions
security kernel
a system that is always secure no matter what state it's in
state machine model
a snapshot of a system at a specific moment in time
state
this security model focuses on controlling the flow of information; designed to prevent unauthorized, insecure, or restricted information flow between different levels of security
information flow model
this security model is concerned with how the actions of a subject at a higher security level affect the system state at a lower security level
noninterference model
this security model employs a directed graph to dictate how rights can be passed from one subject to another
take-grant model
4 rules of the take-grant model
take rule: allows a subject to take rights over an object
grant rule: allows a subject to grant rights to an object
create rule: allows a subject to create new rights
remove rule: allows a subject to remove rights it has
a table of subjects and objects that indicates the actions or functions that each subject can perform on each object
access control matrix
this security model was developed by the DoD based on multilevel security policies
Bell-LaPadula model
This security model has two properties: simple integrity property and star integrity property
Biba model
Integrity property that states a subject cannot read an object at a lower integrity level
Simple Integrity Property
integrity property that states that a subject cannot modify an object at a higher integrity level
star integrity property
this model only provides integrity
Biba
this model defines each data item and allows modifications through only a limited or controlled intermediary program or interface
Clark-Wilson model
any data item whose integrity is protected by the security model
constrained data item (CDI)
a data item that is not controlled by the security model
unconstrained data item (UDI)
a procedure that scans data items and confirms their identity
integrity verification procedure (IVP)
the only procedures that are allowed to modify a CDI
transformation procedures (TPs)
this model permits access controls to change based on a user’s previous activity; involves conflicts of interest defined by conflict classes
Brewer and Nash model
this integrity model is a noninterference model, and is based on predetermining the set or domain of objects that a subject can access
Goguen-Meseguer Model
this integrity model is based on the idea of defining a set of system states, initial states, and state transitions
Sutherland Model
this model is focused on the secure creation and deletion of both subjects and objects
Graham-Denning model
this model focuses on the assignment of object access rights to subjects as well as the resilience of those rights
Harrison-Ruzzo-Ullman model (HRU)
This product evaluation model defines various levels of testing and confirmation of systems’ security capabilities
Common Criteria (CC)
The Common Criteria process is based on two key elements:
protection profiles and security targets
official approval to use secured equipment for operational objectives
ATO - Authorization to Operate
the 4 authorization decisions an AO can issue
ATO Authorization to Operate
Common Control Authorization
Authorization to Use
Denial of Authorization
this security capability is used to prevent an active process from interacting with an area of memory that was not specifically assigned or allocated to it
Memory Protection
this exploitation can allow for the reading of private kernel memory contents by a nonprivileged process
Meltdown
this exploitation can enable the wholesale theft of memory contents from other running applications
Spectre
hosting one or more operating systems within the memory of a single host computer
virtualization
the ability of a system to suffer a fault but continue to operate; achieved through redundancy (RAID) and failover clusters
Fault Tolerance