Domain 3 Flashcards

1
Q

Threat modeling

A
  • Form of testing
  • Designed to identify critical systems and services
  • Only identifies problems; it does not fix them
2
Q

fail securely

A
  • fail in a secure manner by default
3
Q

Defense in depth layers

A
  • physical perimeter
  • perimeter network
  • local area network
  • host
  • applications
  • data
4
Q

Bell-LaPadula (BLP)

A
  • No read up, no write down
    - Think of a pyramid: you can only write at your level or higher, and you can read everything at your level and lower
  • Addresses confidentiality in a multi-level security system
  • Two security constructs
    - subjects and objects
  • Subjects are the active parties, while objects are the passive parties
  • Assigned clearances
  • An early security model; it does not provide a mechanism for one-to-one mapping of individual subjects and objects
  • Defines 3 properties
    - simple security property
     cannot read or write an object of higher classification (no read up)
    - star property
     a subject with this property can only save an object at the same or higher classification (no write down)
    - strong star property
     can only write to objects at the same security classification (no write down, no write up)

Purpose: Ensures confidentiality by preventing unauthorized data flow.
Key Idea: “No read up, no write down” (focuses on confidentiality).
Mnemonic: “BLP Blocks Leaks” (confidentiality through controlled access).

5
Q

Biba

A
  • No read down, no write up
    - Think of this as a ladder
  • Addresses integrity but not confidentiality
  • Uses "observe" and "modify" instead of "read" and "write"
  • Main difference between Biba and BLP is that Biba is primarily an integrity model
  • Three properties
    - simple security property
     no read down
    - star property
     no write up
    - invocation property
     a subject with a lower integrity level cannot request access to a higher integrity level object, only to an object of equal or lower integrity level

Biba (Integrity Model)
Purpose: Prevents data from being corrupted by unauthorized or lower integrity data.
Key Idea: “No write up, no read down” (focuses on integrity, opposite of Bell-LaPadula).
Mnemonic: “Biba Boosts Integrity” (protects against corruption).

6
Q

Brewer and Nash

A
  • Avoid conflicts, keep context
    - Stops you from visiting data based on data already visited
    - For example, the system remembers your history to enforce restrictions
  • Focuses on preventing conflicts of interest
  • Principle: a user should not access confidential information of both the client organization and its competitor
  • Access rules change based on the subject's behavior
  • Once you access one party's information, access to the competing organization's information is automatically revoked

Brewer-Nash (Chinese Wall Model)
Purpose: Prevents conflicts of interest by restricting access based on previously accessed data.
Key Idea: “You can’t access conflicting projects.”
Mnemonic: “Brewer builds Walls” (like the Chinese Wall to separate conflicts of interest).

7
Q

Clark Wilson

A
  • Well formed, well checked
    - Secure workflow: think of processing a bank withdrawal, where the system only allows it through a predefined workflow that records the transaction
  • Improvement on the Biba model
  • Focuses on integrity at the transaction level
  • Requires transactions by authorized subjects to be evaluated by another party, providing separation of duties
  • Deviation from expected paths or defined steps results in failure of the transaction
  • Establishes a subject-program-object binding

Clark-Wilson
Purpose: Enforces well-formed transactions and integrity in commercial applications.
Key Idea: Users interact with data only through authorized programs.
Mnemonic: “Clark Cleans Data” (ensures integrity through well-formed transactions).

8
Q

Graham Denning

A
  • Primarily concerned with how subjects and objects are created
    - how subjects are assigned rights or privileges
    - how ownership of objects is managed
  • Has three parts
    - set of subjects
    - set of objects
    - set of rights
  • Subjects are comprised of two things
    - a process and a domain
  • Describes 8 primitive protection rights
    - create object securely
    - delete object securely
    - create subject securely
    - delete subject securely
    - provision read access right securely
    - provision grant access right securely
    - provision delete access right securely
    - provision transfer access right securely

Graham-Denning
Purpose: Describes how subjects and objects are created, deleted, and managed in systems.
Key Idea: Set of 8 rules for managing subjects, objects, and rights.
Mnemonic: “Graham Grants Rights” (emphasizes management of access rights).

9
Q

Harrison, Ruzzo, Ullman (HRU)

A
  • Modify access, maintain control
  • Similar to the Graham-Denning model
  • Also concerned with subjects being restricted from gaining particular privileges

Purpose: General framework for access control in systems, focuses on access rights.
Key Idea: Tracks creation, deletion, and transfer of rights.
Mnemonic: “HRU Handles Rights Universally” (models access control flexibly).

10
Q

Common selected security standards

A
  • INCOSE Systems engineering handbook
  • NIST SP800-160 system security engineering
  • ISO/IEC 15026 series systems and software engineering
  • ISO/IEC/IEEE 15288 systems and software engineering
11
Q

INCOSE Systems engineering handbook

A
  • Not-for-profit member organization
  • Presents systems engineering principles in terms of affordability and performance
12
Q

NIST SP800-160 system security engineering

A
  • Addresses engineering-driven actions
  • Starts with well-established international standards for systems and software engineering from ISO and IEEE and infuses systems security engineering techniques, methods and practices
13
Q

ISO/IEC 15026 series systems and software engineering

A
  • Focuses on system and software engineering
14
Q

ISO/IEC/IEEE 15288 systems and software engineering

A
  • Overall systems engineering lifecycle model
  • Outgrowth of earlier models and various military standards and specifications
15
Q

Technical management process

A
  • (P) project planning
  • (A) project assessment and control
  • (D) decision making process
  • (R) risk management process
  • (C) configuration management process
  • (I) information management process
  • (M) measurement process
  • (Q) quality assurance process
  • Please Ask Don’t Risk completely ignoring management Quality
16
Q

Security models

A
  • State machine model
    - defines the system's starting condition and the end state the system must be in once the process is complete
    - think of a traffic light and how it goes from red to green to yellow
    - Secure States Stay Ready
  • Information flow model
    - extends the state machine model and focuses on the movement of information
    - also describes how privileges granted to subjects constrain their access to objects
    - think of a water valve and how water flows through it
    - Info Flows Forward Freely
  • Non-interference model
    - ensures that objects and subjects at one level do not inappropriately interact with objects and subjects at other levels
    - example: a system login process should not disclose input values such as the login ID and password after the authentication that results from a successful login
  • Ring model
    - emphasizes the interactions between underlying hardware and security capabilities
    - ring 0
     OS and security kernel
    - ring 1
     device drivers
    - ring 2
     system utilities
    - ring 3
     applications
17
Q

Security architecture

A
  • Every information system element must have the following features or inherent capabilities
    - privileged mode instructions
    - processor state
    - memory management
    - abstraction layer
    - data and code space isolation and code and data segregation
    - file system attributes
    - security channels
18
Q

Client based systems

A
  • Traditionally have been the endpoints
  • Typically connect to a server (a system providing a service)
  • Thick clients are referred to as client-based systems
19
Q

Server based systems

A
  • Serve a specific purpose
  • Common types
    - application servers
    - file servers
    - controllers
    - print servers
    - network service servers
  • Often centrally managed, controlled and maintained
20
Q

Embedded systems

A
  • Microcomputer technologies directly incorporated into mechanical, electrical, hydraulic or other types of devices
    - examples include thermostats, regulators or load-balancing mechanisms
  • In many embedded systems the code base is maintained in read-only memory and is not updatable
  • Vulnerabilities of embedded systems
    - programming errors
    - web-based vulnerability
    - weak access control or authentication
    - poor cryptography practices
    - reverse engineering
    - malware
    - eavesdropping
  • Mitigations
    - risk assessment
    - patching and updating
    - secure coding techniques
    - implementing third party risk management
21
Q

distributed systems

A
  • Nodes and processes operate independently
  • Form the basis of nearly all forms of cloud architecture
  • Often used by large organizations to spread processing and storage needs across multiple local systems
  • High levels of redundancy, including geographic replication
22
Q

cloud based systems

A
  • NIST defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction
23
Q

common cloud deployment models

A
  • private cloud
    - a cloud environment that is dedicated to a single organization
    - example: a financial institution creating a private cloud to securely store sensitive customer data and comply with strict regulatory requirements
  • public cloud
  • community cloud
  • hybrid cloud
  • GovCloud
24
Q

Micro services

A
  • Implementation of service-oriented architecture for cloud systems
  • Lightweight protocols
  • Several advantages
    - maintenance is simplified
    - can quickly scale up and down to meet demand because individual microservices run as independent processing threads
  • Examples
    - think about Netflix
    - there are different services such as recommendation, playback and content delivery; each one is a microservice handling its functionality independently
  • Mitigations
    - using authentication and authorization services
    - implementing microservices in containers or within serverless environments
    - leveraging API gateways
25
Q

containerization

A
  • Layer of shared OS services to reduce the size and complexity of an individual VM in the cloud environment
  • Several different technologies, such as Docker and Kubernetes
  • They differ from VMs for the following reasons
    - containers share the OS
    - they do not need a hypervisor
  • Analogy
    - think of VMs as houses and containers as high-rise apartments
    - each house has its own foundation, plumbing, walls and electrical system, whereas apartments share the same infrastructure