Lecture 10 Flashcards
Security Models
What is the first thing to do when developing security models for an organization/fixing security issues?
evaluate the current levels of security exposure
What are Security Models used for?
formalize security policies by providing a set of rules.
When a system complies with a set of ________, it can be said to exhibit a level of trust.
security criteria
The _____, known as the orange book, is a combination of hardware software, and controls that work together to form a trusted base to enforce your security policy.
A. Trusted Control Baseline
B. Trusted Computing Base
C. Bell-LaPaluda
D. TCSEC
B. Trusted Computing Base
In the TCB, _______ validates access to every resource and may be a conceptual part of the TCB.
reference monitor
The _____ describes a system that is secure in every part of its possible states.
A. Secure State Model
B. Trusted Computing Base
C. Bell-LaPaluda
D. TCSEC
A. Secure State Model
The _____ describes a system that is secure in every part of its possible states. States depend on the previous state and the input.
A. Secure State Model
B. Trusted Computing Base
C. Bell-LaPaluda
D. TCSEC
A. Secure State Model
A ______ is based on the state machine model and focuses on the flow of information. It is designed to prevent unauthorized, insecure or restricted information flow.
information flow model
The _____ is concerned with the interaction of a higher subject being noticed or interacting with a lower subject.
Interference Model
A composition theory is based on what?
How inputs and outputs between multiple systems relate to one another.
What are the 3 types of composition theories?
A. Linked B. Cascading C. Hookup D. Waterfall E. Feedback
B. Cascading
C. Hookup
E. Feedback
The _____ employs a directed graph to dictate how rights can be passed from one subject to another or subject to an object.
A.Trusted Computing Base
B. Information Flow Model
C. Take-Grant Model
D. Biba Model
C. Take-Grant Model
A ______ is a table of subjects and objects that shows what privileges are given to the subject for that object.
Access Control Matrix
The _____ was developed by the DoD to address concerns about protecting classified information. A subject w/any level of clearance can access resources at or below its clearance level on a need-to-know basis.
A. Trusted Computing Base
B. Biba Model
C. Bell-LaPadula Model
D. TCSEC
C. Bell-LaPadula Model
The ____ property states that a subject may not read info at a higher sensitivity level. (no read up)
A. * (Star) Security
B. Simple Security
C. Discretionary
B. Simple Security
The ____ property states that a subject cannot write data from one level to an object at a lower level. (no write down).
A. * (Star) Security
B. Simple Security
C. Discretionary
A. * (Star) Security
The ____ property enforces the need to know principle where a subject only has access to objects it needs.
A. * (Star) Security
B. Simple Security
C. Discretionary
C. Discretionary
______ is focused on integrity and less on confidentiality.
A. Trusted Computing Base
B. Biba Model
C. Bell-LaPadula Model
D. TCSEC
B. Biba Model
The Biba Model’s ______ states that a subject cannot read an object at a lower integrity model (no read down).
A. Simple Integrity
B. *(Star) Integrity
A. Simple Integrity
The Biba Model’s _____ states that a subject cannot modify an object at a higher integrity level (no write up)
A. Simple Integrity
B. *(Star) Integrity
B. *(Star) Integrity
The ______ was created to permit access controls to change dynamically based on a user’s previous data. It creates security domains to prevent conflict of interest.
A. Biba Model
B. Bell-LaPadula Model
C. Brewer and Nash Model
D. TCB
C. Brewer and Nash Model
A closed system is what?
Designed to work with a small range of other systems.
An Open system is what?
Designed using agreed-upon industry standards and integrates easier with other systems.
____ allows a process to read from and write to only certain memory locations and resources.
A. memory confinement
B. memory restriction
C. process restriction
D. process confinement
D. process confinement
_____ is the degree of confidence in the satisfaction of security needs.
Assurance
The government created the Rainbow Series and one of the first standards it used to set security standards for systems it purchased.
Trusted Computer System Evaluation Criteria (TCSEC)
TCSEC is based on assurance rating categories.
Match the Category with the type of rating.
Category A: 1. discretionary protection
Category B: 2. verified protection
Category C: 3. minimal protection
Category D: 4. Mandatory protection
Category A: 2. Verified protection
Category B: 4. Mandatory protection
Category C: 1. Discretionary protection
Category D: 3. Minimal protection
The _____ evaluates the functionality and assurance of a system using separate ratings for each category. It was developed in Europe.
ITSEC
_______ process is based on Protection Profiles (PP) and Security Targets (STs).
Common Criteria
_____ is a collection of requirements to improve the security of electronic payment transactions.
Payment Card Industry-Data Security Standard (PCI-DSS)
An Internal comprehensive evaluation of the technical and nontechnical security features of an IT system.
certification
A formal declaration by a designated approving authority that an IT system is approved to operate in a particular security mode with safeguards and at an acceptable level of risk.
accreditation
