CISSP ch 8 Flashcards

1
Q

Cascading composition theory

A

input for one system comes from the output of another system

2
Q

Feedback composition theory

A

one system provides input to another system, which reciprocates by reversing those roles

3
Q

Hookup composition theory

A

one system sends input to another system, but also sends input to external entities

4
Q

Noninterference Model

A

concerned with how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level = the actions of a subject at a higher level should not affect, interfere with, or be noticed by a subject at a lower level

5
Q

Take-Grant model

A

employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object = subjects can grant rights that they possess, or take rights

6
Q

Grant rule (Take-Grant model)

A

allows a subject to grant rights to an object

7
Q

Take rule (Take-Grant model)

A

allows a subject to take rights over an object

8
Q

Create rule (Take-Grant model)

A

allows a subject to create new rights

9
Q

Remove rule (Take-Grant model)

A

allows a subject to remove rights it has

10
Q

ACL

A

Access control list = lists the subjects that can access a given object

11
Q

Column of an access control matrix

A

an access control list (ACL) pulled from objects

12
Q

Row of an access control matrix

A

each row of the matrix is a capabilities list for each listed subject

13
Q

Bell-LaPadula Model

A

developed by the US Department of Defense (DoD) in the 1970s = multilevel security policy where a subject with any level of clearance can access resources at or below its clearance level = within clearance levels, access to compartmentalized objects is granted only on a need-to-know basis = prevents the leaking or transfer of classified information to less secure clearance levels = focused on maintaining confidentiality = built on a state machine concept and the information flow model, employs mandatory access controls and is a lattice-based access control concept

14
Q

Bell-LaPadula Simple Security Property

A

no read-up = a subject may not read information at a higher sensitivity level

15
Q

Bell-LaPadula * (star) Security Property

A

Confinement Property = no write-down = a subject may not write information to an object at a lower sensitivity level

Exception: A “trusted subject” is not constrained by the * Security Property, and is guaranteed not to consummate a security-breaching information transfer even if it is possible, i.e., allowed to write-down, which is necessary when performing valid object declassification or reclassification

16
Q

Lattice-Based Access Control

A

subjects are assigned positions in a lattice and can only access those objects that fall into the range between

  • the least upper bound (LUB) (the nearest security label or classification higher than their lattice position) and
  • the greatest lower bound (GLB) (the nearest security label or classification lower than their lattice position) of the labels or classifications of their lattice position

17
Q

LUB (Lattice-Based Access Control)

A

least upper bound

18
Q

GLB (Lattice-Based Access Control)

A

greatest lower bound

19
Q

Biba-model

A

designed after Bell-LaPadula model, but focuses on integrity, also DoD-derived = built on a state machine concept and the information flow model

20
Q

Simple Integrity Property (Biba)

A

no read-down = a subject cannot read an object at a lower integrity level

21
Q

* (star) Integrity Property (Biba)

A

no write-up = a subject cannot modify an object at a higher integrity level

22
Q

defines each data item and allows modifications through only a limited or controlled intermediary program or interface (as opposed to defining a formal state machine) = does not require the use of a lattice structure, rather it uses a three-part relationship of subject/program/object known as a triple or an access control triplet = subjects do not have direct access to objects, objects can only be accessed through programs = protects integrity, but can also lend itself to protecting confidentiality

A

Clark-Wilson Model

23
Q

Clark-Wilson principles

A
  • Well-formed transactions
  • Separation of duties

also: three-part relationship of subject/program/object known as a triple or an access control triplet

Uses security labels to grant access to objects, but only through transformation procedures and a restricted interface model (the restricted interface model uses classification-based restrictions to offer only subject-specific authorized information and functions)

24
Q

CDI (Clark-Wilson Model)

A

Constrained data item = any data item whose integrity is protected by the security model

25
Q

UDI (Clark-Wilson Model)

A

Unconstrained data item = any data item that is not controlled by the security model = any data that is to be input and hasn’t been validated = any output

26
Q

IVP (Clark-Wilson Model)

A

integrity verification procedure = a procedure that scans items and confirms their integrity

27
Q

TPs (Clark-Wilson Model)

A

transformation procedures = only procedures that are allowed to modify a CDI

28
Q

Chinese Wall model / ethical wall / cone of silence = created to permit access controls to change dynamically based on a user’s previous activity (type of state machine model) = applies to a single integrated database = seeks to create security domains that are sensitive to the notion of conflict of interest = creates a class of data that defines which security domains are potentially in conflict and prevents any subject with access to one domain that belongs to a specific conflict class from accessing any other domain that belongs to the same conflict class = metaphorically puts a wall around all other information in any conflict class

A

Brewer and Nash Model

29
Q

integrity model, foundation of noninterference model = based on predetermining the set or domain (i.e., a list) of objects that a subject can access, subjects are allowed only to perform predetermined actions against predetermined objects = similar users are grouped into their own domain, the members of one subject domain cannot interfere with the members of another subject domain

A

Goguen-Meseguer Model

30
Q

integrity model = focuses on preventing interference in support of integrity, based on the state machine model and the information flow model, but does not directly indicate specific mechanisms for protection of integrity = based on the idea of defining a set of system states, initial states and state transitions; through the use of only these predetermined secure states, integrity is maintained and interference is prohibited

A

Sutherland Model

31
Q

focused on the secure creation and deletion of both subjects and objects = the specific abilities or permissions of a subject over a set of objects are defined in an access matrix = eight primary protection rules or actions that define the boundaries of certain secure actions:
- Securely create an object
- Securely create a subject
- Securely delete an object
- Securely delete a subject
- Securely provide the read access right
- Securely provide the grant access right
- Securely provide the delete access right
- Securely provide the transfer access right

A

Graham-Denning Model

32
Q

focuses on the assignment of object access rights to subjects, as well as the resilience of those assigned rights = extension of the Graham-Denning model = centered around the establishment of a finite set of procedures (or access rights) that can be used to edit or alter the access rights of a subject over an object = state of access rights can be expressed in a matrix, where the rows are subjects and the columns are objects, the intersection of each row and column will include the specific procedures that each subject is allowed to perform against each object = a finite set of commands or primitives is defined that controls how the matrix can be modified by authorized subjects

A

HRU model = Harrison-Ruzzo-Ullman

33
Q

HRU model

A

Harrison-Ruzzo-Ullman = focuses on the assignment of object access rights to subjects, as well as the resilience of those assigned rights = extension of the Graham-Denning model = centered around the establishment of a finite set of procedures (or access rights) that can be used to edit or alter the access rights of a subject over an object = state of access rights can be expressed in a matrix, where the rows are subjects and the columns are objects, the intersection of each row and column will include the specific procedures that each subject is allowed to perform against each object = a finite set of commands or primitives is defined that controls how the matrix can be modified by authorized subjects

34
Q

CC

A

Common Criteria = various levels of testing and confirmation of systems’ security capabilities, where the number of the level indicates what kind of testing and confirmation has been performed = published as ISO/IEC 15408-1, -2 and -3 “Information technology – Security techniques – Evaluation criteria for IT security” = dynamic subjective product evaluation model that replaced previous static systems, such as the US Department of Defense’s Trusted Computer System Evaluation Criteria (TCSEC) and the EU’s Information Technology Security Evaluation Criteria (ITSEC)

35
Q

TOE (CC)

A

Target of evaluation = product to be evaluated

36
Q

PP (CC)

A

Protection Profiles = desired measures = security requirements and protections (security desires) specified by a customer for a product that is to be evaluated (the TOE)

37
Q

ST (CC)

A

Security Targets = implemented measures = claims of the security from the vendor that are built into a TOE

Vendors may also offer packages of additional security features, which are an intermediate grouping of security requirement components that can be added or removed from a TOE

38
Q

EAL (CC)

A

evaluation assurance levels, 1 to 7

EAL1 = Functionally tested
- Some confidence in correct operation is required
- Threats to security are not serious
- Provides independent assurance that due care has been exercised in protecting personal information

EAL2 = Structurally tested
- Delivery of design information and test results are in keeping with good commercial practices
- Low to moderate levels of independently assured security
- Especially relevant when evaluating legacy systems

EAL3 = Methodically tested and checked
- Security engineering begins at the design stage and is carried through without substantial subsequent alteration
- Moderate level of independently assured security

EAL4 = Methodically designed, tested and reviewed
- Rigorous, positive security engineering and good commercial development practices are used
- Does not require substantial specialist knowledge, skills or resources
- Independent testing of all TOE security functions

EAL5 = Semi-formally designed and tested
- Rigorous security engineering and commercial development practices, including specialist security engineering techniques, for semi-formal testing
- High level of independently assured security in a planned development approach, followed by rigorous development

EAL6 = Semi-formally verified, designed and tested
- Direct, rigorous security engineering techniques at all phases of design, development, and testing to produce a premium TOE
- TOEs for high-risk situations, where the value of protected assets justifies additional cost
- Extensive testing reduces risks of penetration, probability of covert channels, and vulnerability to attack

EAL7 = Formally verified, designed and tested
- Highest risk situations or where high-value assets are involved
- Limited to TOEs where tightly focused security functionality is subject to extensive formal analysis and testing

39
Q

ATO

A

Authorization to Operate = an official approval to use secured equipment for operational objectives and accept the identified risk = decision is issued when risk is managed to an acceptable level = term defined by the Risk Management Framework (see NIST SP 800-37r2), replacing former term “accreditation” and C&A (certification and accreditation) process = performed by an Authorizing Official (AO) = typically issued for 5 years and must be reobtained if:
- The ATO time frame has expired
- The system experiences a significant security breach or a significant security change

40
Q

AO

A

Authorizing Official = authorized entity who can evaluate an IT/IS system, its operations, and its risks, and potentially issue an ATO

41
Q

DAA

A

Designated approving authority

42
Q

AA

A

Approving authority

43
Q

SCA

A

Security Control Assessor

44
Q

RO

A

Recommending Official

45
Q

Common control authorization

A

when a security control is inherited from another provider, the risk associated with the common control is at an acceptable level, and the control already has an ATO from the same AO

46
Q

Authorization to use

A

when a third-party provider provides IT/IS servers that are deemed to have risk at an acceptable level; also used to allow for reciprocity in accepting another AO’s ATO

47
Q

Denial of authorization

A

when risk is unacceptable

48
Q

Meltdown

A

Memory error discovered in 2017 - Allows for reading of private kernel memory contents by a nonprivileged process

Arose from methods used by modern CPUs to predict future instructions to optimize performance, enabling them to seemingly make reliable predictions about what code to retrieve or process even before requested. When the speculative execution is wrong, the procedure is not completely reversed, resulting in data remnants being left behind in memory in an unprotected state

49
Q

Spectre

A

Memory error discovered in 2017 - Enables the wholesale theft of memory contents from other running applications

Arose from methods used by modern CPUs to predict future instructions to optimize performance, enabling them to seemingly make reliable predictions about what code to retrieve or process even before requested. When the speculative execution is wrong, the procedure is not completely reversed, resulting in data remnants being left behind in memory in an unprotected state