Chapter 8– Principles of Security Models, Design, and Capabilities

Question 1

1. What is system certification?

A technical evaluation of each part of a computer system to assess its compliance with security standards

Answer 1

A technical evaluation of each part of a computer system to assess its compliance with security standards
A system certification is a technical evaluation. Option A describes system accreditation. Options C and D refer to manufacturer standards, not implementation standards.

Question 2

2. What is a system accreditation?

Formal acceptance of stated system configuration

Answer 2

Formal acceptance of stated system configuration
Accreditation is the formal acceptance process. Option B is not an appropriate answer because it addresses manufacturer standards. Options C and D are incorrect because there is no way to prove that a configuration enforces a security policy and accreditation does not entail secure communication specification.

Question 3

3. What is a closed system?

A proprietary system that uses unpublished protocols

Answer 3

A proprietary system that uses unpublished protocols
A closed system is one that uses largely proprietary or unpublished protocols and standards. Options A and D do not describe any particular systems, and Option B describes an open system.

Question 4

4. Which best describes a confined or constrained process?

A process that can access only certain memory locations

Answer 4

A process that can access only certain memory locations
A constrained process is one that can access only certain memory locations. Options A, B, and D do not describe a constrained process.

Question 5

5. What is an access object?

A resource a user or process wants to assess

Answer 5

A resource a user or process wants to assess

An object is a resource a user or process wants to access. Option A describes an access object.

Question 6

6. What is a security control?

A mechanism that limits access to an object

Answer 6

A mechanism that limits access to an object

A control limits access to an object to protect it from misuse by unauthorized users.

Question 7

7. For what type of information system security accreditation are the applications and systems at a specific, self-contained location evaluated?
   Site accreditation

Answer 7

Site accreditation
The applications and systems at a specific, self-contained location are evaluated for DITSCAP and NIACAP site accreditation.

Question 8

8. How many major categories do the TCSEC criteria define?

Four

Answer 8

Four
TCSEC defines four major categories: Category A is verified protection, Category B is mandatory protection, Category C is discretionary protection, and Category D is minimal protection.

Question 9

9. What is a trusted computing base (TCB)?

The combination of hardware, software, and controls that work together to enforce a security policy

Answer 9

The combination of hardware, software, and controls that work together to enforce a security policy
The TCB is the combination of hardware, software, and controls that work together to enforce a security policy.

Question 10

10. What is a security perimeter? (Choose all that apply.)

The boundary of the physically secure area surrounding your system

The imaginary boundary that separates the TCB from the rest of the system

Answer 10

The boundary of the physically secure area surrounding your system

The imaginary boundary that separates the TCB from the rest of the system

Answer: A;B

Although the most correct answer in the context of this chapter is Option B, Option A is also a correct answer in the context of physical security.

Question 11

11. What part of the TCB concept validates access to every resource prior to granting the requested access?

Reference monitor

Answer 11

Reference monitor

The reference monitor validates access to every resource prior to granting the requested access. Option D, the security kernel, is the collection of TCB components that work together to implement the reference monitor functions. In other words, the security kernel is the implementation of the reference monitor concept. Options A and B are not valid TCB concept components.

Question 12

12. What is the best definition of a security model?

A security model provides a framework to implement a security policy.

Answer 12

A security model provides a framework to implement a security policy.

Option B is the only option that correctly defines a security model. Options A, C, and D define part of a security policy and the certification and accreditation process.

Question 13

13. Which security models are built on a state machine model?

Bell-LaPadula and Biba

Answer 13

Bell-LaPadula and Biba

The Bell-LaPadula and Biba models are built on the state machine model.

Question 14

14. Which security model addresses data confidentiality?

A. Bell-LaPadula
B. Biba
C. Clark-Wilson
D. Brewer and Nash

Answer 14

Bell-LaPadula

Only the Bell-LaPadula model addresses data confidentiality. The Biba and Clark-Wilson models address data integrity. The Brewer and Nash model prevents conflicts of interest.

Question 15

15. Which Bell-LaPadula property keeps lower-level subjects from accessing objects with a higher security level?

A. * (star) Security Property
B. No write up property
C. No read up property
D. No read down property

Answer 15

No read up property

The no read up property, also called the Simple Security Policy, prohibits subjects from reading a higher security level object.

Question 16

16. What is the implied meaning of the simple property of Biba?

A. Write down
B. Read up
C. No write up
D. No read down

Answer 16

Read up

The simple property of Biba is no read down, but it implies that it is acceptable to read up.

Question 17

17. When a trusted subject violates the star property of Bell-LaPadula in order to write an object into a lower level, what valid operation could be taking place?

Declassification

Answer 17

Declassification

Declassification is the process of moving an object into a lower level of classification once it is determined that it no longer justifies being placed at a higher level. Only a trusted subject can perform declassification because this action is a violation of the verbiage of the star property of Bell-LaPadula, but not the spirit or intent, which is to prevent unauthorized disclosure.

Question 18

18. What security method, mechanism, or model reveals a capabilities list of a subject across multiple objects?

Access control matrix

Answer 18

Access control matrix

An access control matrix assembles ACLs from multiple objects into a single table. The rows of that table are the ACEs of a subject across those objects, thus a capabilities list.

Question 19

19. What security model has a feature that in theory has one name or label, but when implemented into a solution, takes on the name or label of the security kernel?

Trusted computing base

Answer 19

Trusted computing base

The trusted computing base (TCB) has a component known as the reference monitor in theory, which becomes the security kernel in implementation.

Question 20

20. Which of the following is not part of the access control relationship of the Clark-Wilson model?

Programming language

Answer 20

Programming language

The three parts of the Clark-Wilson model’s access control
relationship (aka access triple) are subject, object, and program (or interface).