CISSP ch 8 Flashcards
Cascading composition theory
input for one system comes from the output of another system
Feedback composition theory
one system provides input to another system, which reciprocates by reversing those roles
Hookup composition theory
one system sends input to another system, but also sends input to external entities
Noninterference Model
concerned with how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level = the actions of a subject at a higher level should not affect, interfere with, or be noticed by a subject at a lower level
Take-Grant model
employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object = subjects can grant rights that they possess, or take rights
Grant rule (Take-Grant model)
allows a subject to grant rights to an object
Take rule (Take-Grant model)
allows a subject to take rights over an object
Create rule (Take-Grant model)
allows a subject to create new rights
Remove rule (Take-Grant model)
allows a subject to remove rights it has
ACL
Access control list = lists the subjects that can access a given object
Column of an access control matrix
an access control list (ACL) pulled from objects
Row of an access control matrix
each row of the matrix is a capabilities list for each listed subject
Bell-LaPadula Model
developed by the US Department of Defense (DoD) in the 1970s = multilevel security policy where a subject with any level of clearance can access resources at or below its clearance level = within clearance levels, access to compartmentalized objects is granted only on a need-to-know basis = prevents the leaking or transfer of classified information to less secure clearance levels = focused on maintaining confidentiality = built on a state machine concept and the information flow model, employs mandatory access controls and is a lattice-based access control concept
Bell-LaPadula Simple Security Property
no read-up = a subject may not read information at a higher sensitivity level
Bell-LaPadula * (star) Security Property
Confinement Property = no write-down = a subject may not write information to an object at a lower sensitivity level
Exception: A “trusted subject” is not constrained by the * Security Property, and is guaranteed not to consummate a security-breaching information transfer even if it is possible, i.e., allowed to write-down, which is necessary when performing valid object declassification or reclassification
Lattice-Based Access Control
subjects are assigned positions in a lattice and can only access those objects whose labels or classifications fall into the range between
- the least upper bound (LUB) (the nearest security label or classification higher than their lattice position) and
- the greatest lower bound (GLB) (the nearest security label or classification lower than their lattice position)
LUB (Lattice-Based Access Control)
least upper bound
GLB (Lattice-Based Access Control)
greatest lower bound
Biba-model
designed after Bell-LaPadula model, but focuses on integrity, also DoD-derived = built on a state machine concept and the information flow model
Simple Integrity Property (Biba)
no read-down = a subject cannot read an object at a lower integrity level
* (star) Integrity Property (Biba)
no write-up = a subject cannot modify an object at a higher integrity level
Clark-Wilson Model
defines each data item and allows modifications through only a limited or controlled intermediary program or interface (as opposed to defining a formal state machine) = does not require the use of a lattice structure, rather it uses a three-part relationship of subject/program/object known as a triple or an access control triplet = subjects do not have direct access to objects, objects can only be accessed through programs = protects integrity, but can lend itself to protecting confidentiality
Clark-Wilson principles
- Well formed transactions
- Separation of duties
also: three-part relationship of subject/program/object known as a triple or an access control triplet
Uses security labels to grant access to objects, but only through transformation procedures and a restricted interface model (the restricted interface model uses classification-based restrictions to offer only subject-specific authorized information and functions)
CDI (Clark-Wilson Model)
Constrained data item = any data item whose integrity is protected by the security model
UDI (Clark-Wilson Model)
Unconstrained data item = any data item that is not controlled by the security model = any data that is to be input and hasn't been validated = any output
IVP (Clark-Wilson Model)
integrity verification procedure = a procedure that scans items and confirms their integrity
TPs (Clark-Wilson Model)
transformation procedures = only procedures that are allowed to modify a CDI
Brewer and Nash Model
Chinese Wall model / ethical wall / cone of silence = created to permit access controls to change dynamically based on a user's previous activity (type of state machine model) = applies to a single integrated database = seeks to create security domains that are sensitive to the notion of conflict of interest = creates a class of data that defines which security domains are potentially in conflict and prevents any subject with access to one domain that belongs to a specific conflict class from accessing any other domain that belongs to the same conflict class = metaphorically puts a wall around all other information in any conflict class
Goguen-Meseguer Model
integrity model, foundation of the noninterference model = based on predetermining the set or domain (i.e., a list) of objects that a subject can access, subjects are allowed only to perform predetermined actions against predetermined objects = similar users are grouped into their own domain, the members of one subject domain cannot interfere with the members of another subject domain
Sutherland Model
integrity model = focuses on preventing interference in support of integrity, based on the state machine model and the information flow model, but does not directly indicate specific mechanisms for protection of integrity = based on the idea of defining a set of system states, initial states and state transitions; through the use of only these predetermined secure states, integrity is maintained and interference is prohibited
Graham-Denning Model
focused on the secure creation and deletion of both subjects and objects = specific abilities or permissions of a subject over a set of objects are defined in an access matrix = eight primary protection rules or actions that define the boundaries of certain secure actions:
- Securely create an object
- Securely create a subject
- Securely delete an object
- Securely delete a subject
- Securely provide the read access right
- Securely provide the grant access right
- Securely provide the delete access right
- Securely provide the transfer access right
HRU model
Harrison-Ruzzo-Ullman = focuses on the assignment of object access rights to subjects, as well as the resilience of those assigned rights = extension of the Graham-Denning model = centered around the establishment of a finite set of procedures (or access rights) that can be used to edit or alter the access rights of a subject over an object = state of access rights can be expressed in a matrix, where the rows are subjects and the columns are objects, the intersection of each row and column will include the specific procedures that each subject is allowed to perform against each object = a finite set of commands or primitives is defined that controls how the matrix can be modified by authorized subjects
CC
Common Criteria = various levels of testing and confirmation of systems' security capabilities, where the number of the level indicates what kind of testing and confirmation has been performed = published as ISO/IEC 15408-1, -2 and -3 "Information technology – Security techniques – Evaluation criteria for IT security" = dynamic, subjective product evaluation model that replaced previous static systems, such as the US Department of Defense's Trusted Computer System Evaluation Criteria (TCSEC) and the EU's Information Technology Security Evaluation Criteria (ITSEC)
TOE (CC)
Target of evaluation = product to be evaluated
PP (CC)
Protection Profiles = desired measures = security requirements and protections (security desires) specified by a customer for a product that is to be evaluated (the TOE)
ST (CC)
Security Targets = implemented measures = claims of the security from the vendor that are built into a TOE
Vendors may also offer packages of additional security features, which are an intermediate grouping of security requirement components that can be added or removed from a TOE
EAL (CC)
evaluation assurance levels, 1 to 7
EAL1 = Functionally tested
- Some confidence in correct operation is required
- Threats to security are not serious
- Provides independent assurance that due care has been exercised in protecting personal information
EAL2 = Structurally tested
- Delivery of design information and test results are in keeping with good commercial practices
- Low to moderate levels of independently assured security
- Especially relevant when evaluating legacy systems
EAL3 = Methodically tested and checked
- Security engineering begins at the design stage and is carried through without substantial subsequent alteration
- Moderate level of independently assured security
EAL4 = Methodically designed, tested and reviewed
- Rigorous, positive security engineering and good commercial development practices are used
- Does not require substantial specialist knowledge, skills or resources
- Independent testing of all TOE security functions
EAL5 = Semi-formally designed and tested
- Rigorous security engineering and commercial development practices, including specialist security engineering techniques, for semi-formal testing
- High level of independently assured security in a planned development approach, followed by rigorous development
EAL6 = Semi-formally verified, designed and tested
- Direct, rigorous security engineering techniques at all phases of design, development, and testing to produce a premium TOE
- TOEs for high-risk situations, where the value of protected assets justifies the additional cost
- Extensive testing reduces the risk of penetration, the probability of covert channels, and vulnerability to attack
EAL7 = Formally verified, designed and tested
- Highest-risk situations or where high-value assets are involved
- Limited to TOEs where tightly focused security functionality is subject to extensive formal analysis and testing
ATO
Authorization to Operate = an official approval to use secured equipment for operational objectives and accept the identified risk = decision is issued when risk is managed to an acceptable level = term defined by the Risk Management Framework (see NIST SP 800-37r2), replacing the former term "accreditation" and the C&A (certification and accreditation) process = performed by an Authorizing Official (AO) = typically issued for 5 years and must be reobtained if:
- The ATO time frame has expired
- The system experiences a significant security breach or a significant security change
AO
Authorizing Official = authorized entity who can evaluate an IT/IS system, its operations, and its risks, and potentially issue an ATO
DAA
Designated approving authority
AA
Approving authority
SCA
Security Control Assessor
RO
Recommending Official
Common control authorization
when a security control is inherited from another provider, the risk associated with the common control is at an acceptable level, and the control already has an ATO from the same AO
Authorization to use
when a third-party provider provides IT/IS services that are deemed to have risk at an acceptable level; also used to allow for reciprocity in accepting another AO's ATO
Denial of authorization
when risk is unacceptable
Meltdown
Memory error discovered in 2017 - Allows for reading of private kernel memory contents by a nonprivileged process
Arose from methods used by modern CPUs to predict future instructions to optimize performance, enabling them to seemingly make reliable predictions about what code to retrieve or process even before requested. When the speculative execution is wrong, the procedure is not completely reversed, resulting in data remnants being left behind in memory in an unprotected state
Spectre
Memory error discovered in 2017 - Enables the wholesale theft of memory contents from other running applications
Arose from methods used by modern CPUs to predict future instructions to optimize performance, enabling them to seemingly make reliable predictions about what code to retrieve or process even before requested. When the speculative execution is wrong, the procedure is not completely reversed, resulting in data remnants being left behind in memory in an unprotected state