Chapter 9 - Security Concepts Flashcards
Confidentiality
This concept refers to the protection of systems and data so that only authorised subjects are permitted to access them. Depending on the context, there are several different types of controls to ensure confidentiality. Preventive controls include user IDs and passwords, firewalls, intrusion prevention systems, data leakage prevention systems, and encryption. Detective controls include access logs and video surveillance.
Integrity
This concept refers to the protection of systems and data so that only authorised changes may be made to them. Preservation of integrity means that systems can be counted on to provide reliable information that has not been altered without authorisation and whose accuracy will not be in question.
Availability
This concept refers to the resilience of systems so that they will be available when needed, even when considering scenarios such as hardware failure and disasters.
Security Models
There are two important terms used in discussions of security models.
- Subjects: These are usually people who use a system. In cases of system-to-system communication, a subject can also be another system, or a process running on another system.
- Objects: These are the systems, data, or other resources that someone wants to access.
NRU
No Read-Up. The simple security property of the Bell-LaPadula (confidentiality) model: a subject may not read an object whose classification is higher than the subject's clearance.
NWD
No Write-Down. The *-property (star property) of the Bell-LaPadula model: a subject may not write to an object whose classification is lower than the subject's clearance, since that would move sensitive information to a level where less-cleared subjects could read it.
NRD
No Read-Down. The simple integrity property of the Biba (integrity) model: a subject may not read an object of lower integrity than its own, so untrustworthy data cannot contaminate trustworthy processing.
NWU
No Write-Up. The integrity *-property of the Biba model: a subject may not write to an object of higher integrity than its own.
UDI
Unconstrained Data Items. In the Clark-Wilson integrity model, data that has not yet been validated and is not protected by the model's integrity rules (for example, raw user input).
CDI
Constrained Data Items. In the Clark-Wilson model, data whose integrity the model protects; CDIs may only be modified through well-formed transformation procedures, and UDIs must be validated before being turned into CDIs.
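The four rules above are easiest to remember as two mirror-image checks on a single ordering of levels. The following Python example is added here and is not part of the original flashcards; the level names, the subject and the objects are constructed for illustration. Bell-LaPadula compares a subject's clearance against an object's classification; Biba applies the reversed comparison to integrity levels (real Biba labels would be integrity levels rather than classifications, but the ordering logic is identical).

```python
# Added example (not from the original flashcards): Bell-LaPadula (NRU/NWD)
# and Biba (NRD/NWU) access checks over a linear ordering of levels.
# LEVELS, Subject/Obj names and the sample data below are constructed.

from dataclasses import dataclass

# Linear lattice of levels, lowest first. BLP reads these as sensitivity
# levels; Biba would read them as integrity levels.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    level: str  # clearance (BLP) or integrity level (Biba)


@dataclass(frozen=True)
class Obj:
    name: str
    level: str  # classification (BLP) or integrity level (Biba)


def dominates(a: str, b: str) -> bool:
    """True if level a is at least as high as level b."""
    return RANK[a] >= RANK[b]


def blp_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read  -> simple security property: no read-up   (subject >= object)
    write -> *-property:                no write-down (object  >= subject)
    """
    if op == "read":
        return dominates(subject.level, obj.level)
    if op == "write":
        return dominates(obj.level, subject.level)
    raise ValueError(f"unknown op {op!r}")


def biba_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Biba (integrity): the mirror image of BLP.
    read  -> simple integrity property: no read-down (object  >= subject)
    write -> integrity *-property:      no write-up  (subject >= object)
    """
    if op == "read":
        return dominates(obj.level, subject.level)
    if op == "write":
        return dominates(subject.level, obj.level)
    raise ValueError(f"unknown op {op!r}")


def decide(model: str, subject: Subject, obj: Obj, op: str) -> bool:
    """Dispatch to the chosen model; unknown model names raise KeyError."""
    check = {"BLP": blp_allows, "Biba": biba_allows}[model]
    return check(subject, obj, op)


if __name__ == "__main__":
    analyst = Subject("analyst", "SECRET")
    public = Obj("press-release", "UNCLASSIFIED")
    ts_report = Obj("ts-report", "TOP_SECRET")
    for model in ("BLP", "Biba"):
        for obj in (public, ts_report):
            for op in ("read", "write"):
                verdict = "allow" if decide(model, analyst, obj, op) else "deny"
                print(f"{model:5} {analyst.name} {op:5} {obj.name:14} -> {verdict}")
```

Running it shows the contrast directly: the SECRET analyst may read the UNCLASSIFIED release under BLP but may not write to it (write-down), while under Biba the same analyst may write to it but may not read it (read-down). The two models protect different properties, so a system needing both must satisfy both checks.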
Access Matrix
An access matrix security model consists of a two-dimensional matrix that defines which subjects are permitted to access which objects: each row is a subject, each column is an object, and each cell holds the set of rights (such as read, write, execute) that the subject has on the object. A column of the matrix is the object's access control list (ACL); a row is the subject's capability list.
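A small implementation of the matrix, added here as an example and not part of the original flashcards. The subjects, objects and rights are constructed. It shows the default-deny lookup and derives the two views of the same data that real systems actually store: an ACL (one column) and a capability list (one row).

```python
# Added example (not from the original flashcards): an access matrix as a
# dict of dicts, plus the ACL (column) and capability-list (row) views.
# The subjects, objects and rights in build_sample() are constructed.

from typing import Dict, FrozenSet, Iterable, Set

Matrix = Dict[str, Dict[str, Set[str]]]  # subject -> object -> rights


def new_matrix(subjects: Iterable[str], objects: Iterable[str]) -> Matrix:
    """Start with an empty cell (no rights) for every subject/object pair."""
    objects = list(objects)
    return {s: {o: set() for o in objects} for s in subjects}


def grant(m: Matrix, subject: str, obj: str, *rights: str) -> None:
    """Add rights to one cell."""
    m[subject][obj].update(rights)


def revoke(m: Matrix, subject: str, obj: str, *rights: str) -> None:
    """Remove rights from one cell."""
    m[subject][obj].difference_update(rights)


def check(m: Matrix, subject: str, obj: str, right: str) -> bool:
    """Default deny: an unknown subject or object, or an empty cell, is False."""
    return right in m.get(subject, {}).get(obj, set())


def acl(m: Matrix, obj: str) -> Dict[str, FrozenSet[str]]:
    """Column of the matrix: which subjects may do what to this object."""
    return {s: frozenset(row[obj]) for s, row in m.items() if row.get(obj)}


def capabilities(m: Matrix, subject: str) -> Dict[str, FrozenSet[str]]:
    """Row of the matrix: what this subject may do to each object."""
    return {o: frozenset(r) for o, r in m.get(subject, {}).items() if r}


def build_sample() -> Matrix:
    """Constructed sample: two users, a backup account, two objects."""
    m = new_matrix(["alice", "bob", "backup"], ["payroll.db", "www/index.html"])
    grant(m, "alice", "payroll.db", "read", "write")
    grant(m, "bob", "www/index.html", "read", "write")
    grant(m, "backup", "payroll.db", "read")
    grant(m, "backup", "www/index.html", "read")
    return m


if __name__ == "__main__":
    m = build_sample()
    print("ACL for payroll.db:", acl(m, "payroll.db"))
    print("capabilities of backup:", capabilities(m, "backup"))
    print("bob reads payroll.db:", check(m, "bob", "payroll.db", "read"))
```

The full matrix is sparse in practice (most subjects have no rights on most objects), which is why operating systems store per-object ACLs or per-subject capability lists rather than the whole table; both are just projections of the same matrix.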
MAC
Mandatory Access Control (MAC) describes a system (such as an operating system) in which the system itself, rather than the owner of an object, decides whether access is permitted. Each subject carries a label (for example a clearance) and each object carries a label (for example a classification). When a subject requests access to an object, the system compares the subject's label and access rights with the label and permissions associated with the object, according to a fixed policy, and permits or denies the requested access. Neither the subject nor the object's owner can override the decision; the Bell-LaPadula and Biba rules above are examples of MAC policies.
DAC
In the discretionary access control model, the owner of an object controls who and what may access it. DAC is so named because permission to access an object is granted at its owner's discretion. DAC is common in information systems where owners of files, directories, web pages, and other objects can set access permissions on their own, to control which users or groups of users may access their objects.
RBAC
Role-Based Access Control is usually used to simplify the task of managing user rights in a complex system that contains many objects and users. Instead of managing the access rights of individual users, an RBAC system relies on the existence of roles, each of which is a collection of allowed accesses. Each subject is assigned to one or more of the established roles and inherits the rights defined by those roles; changing a role's permissions changes the rights of every subject that holds it.
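A minimal RBAC engine, added here as an example and not part of the original flashcards; the role names, permissions and users are constructed. It resolves a user's effective rights as the union of the permissions of every role the user holds, and shows that editing a role changes the rights of all its holders without touching any user record.

```python
# Added example (not from the original flashcards): role-based access control
# with users holding one or more roles. Role names, permissions and users
# in sample() are constructed for illustration.

from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (operation, object)


class Rbac:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Permission]] = {}  # role -> permissions
        self.user_roles: Dict[str, Set[str]] = {}         # user -> roles

    def define_role(self, role: str, *perms: Permission) -> None:
        """Create a role or add permissions to an existing one."""
        self.role_perms.setdefault(role, set()).update(perms)

    def assign(self, user: str, role: str) -> None:
        """Attach a role to a user; undefined roles are rejected."""
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def unassign(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def effective_permissions(self, user: str) -> Set[Permission]:
        """Union of the permissions of every role the user holds."""
        perms: Set[Permission] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_perms.get(role, set())
        return perms

    def allowed(self, user: str, op: str, obj: str) -> bool:
        """Default deny: unknown users or users with no roles get nothing."""
        return (op, obj) in self.effective_permissions(user)


def sample() -> Rbac:
    """Constructed sample: three roles, two users, bob holds two roles."""
    r = Rbac()
    r.define_role("clerk", ("read", "ledger"))
    r.define_role("accountant", ("read", "ledger"), ("write", "ledger"))
    r.define_role("auditor", ("read", "ledger"), ("read", "audit-log"))
    r.assign("alice", "accountant")
    r.assign("bob", "clerk")
    r.assign("bob", "auditor")
    return r


if __name__ == "__main__":
    r = sample()
    print("bob:", sorted(r.effective_permissions("bob")))
    print("bob writes ledger:", r.allowed("bob", "write", "ledger"))
```

Because bob's rights are computed from his roles at check time, removing the auditor role from bob immediately withdraws audit-log access while his clerk rights remain, and granting the auditor role a new permission reaches bob and every other auditor at once.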
Non-Interference
A user with low clearance cannot gain any knowledge of any activities performed by high-clearance users. The term non-interference means that activities performed by a user with high clearance will not interfere with (that is, will produce no observable effect on) any activities performed by a user with low clearance. If high-clearance activity could change what the low-clearance user observes, that effect would itself leak information about the high-clearance user's activities to the low-clearance user.