Lecture 10

Question 1

What is the first thing to do when developing security models for an organization/fixing security issues?

Answer 1

evaluate the current levels of security exposure

Question 2

What are Security Models used for?

Answer 2

formalize security policies by providing a set of rules.

Question 3

When a system complies with a set of ________, it can be said to exhibit a level of trust.

Answer 3

security criteria

Question 4

The _____, known as the orange book, is a combination of hardware software, and controls that work together to form a trusted base to enforce your security policy.

A. Trusted Control Baseline
B. Trusted Computing Base
C. Bell-LaPaluda
D. TCSEC

Answer 4

B. Trusted Computing Base

Question 5

In the TCB, _______ validates access to every resource and may be a conceptual part of the TCB.

Answer 5

reference monitor

Question 6

The _____ describes a system that is secure in every part of its possible states.

A. Secure State Model
B. Trusted Computing Base
C. Bell-LaPaluda
D. TCSEC

Answer 6

A. Secure State Model

Question 7

The _____ describes a system that is secure in every part of its possible states. States depend on the previous state and the input.

A. Secure State Model
B. Trusted Computing Base
C. Bell-LaPaluda
D. TCSEC

Answer 7

A. Secure State Model

Question 8

A ______ is based on the state machine model and focuses on the flow of information. It is designed to prevent unauthorized, insecure or restricted information flow.

Answer 8

information flow model

Question 9

The _____ is concerned with the interaction of a higher subject being noticed or interacting with a lower subject.

Answer 9

Interference Model

Question 10

A composition theory is based on what?

Answer 10

How inputs and outputs between multiple systems relate to one another.

Question 11

What are the 3 types of composition theories?

A. Linked
B. Cascading
C. Hookup
D. Waterfall
E. Feedback

Answer 11

B. Cascading
C. Hookup
E. Feedback

Question 12

The _____ employs a directed graph to dictate how rights can be passed from one subject to another or subject to an object.

A.Trusted Computing Base
B. Information Flow Model
C. Take-Grant Model
D. Biba Model

Answer 12

C. Take-Grant Model

Question 13

A ______ is a table of subjects and objects that shows what privileges are given to the subject for that object.

Answer 13

Access Control Matrix

Question 14

The _____ was developed by the DoD to address concerns about protecting classified information. A subject w/any level of clearance can access resources at or below its clearance level on a need-to-know basis.

A. Trusted Computing Base
B. Biba Model
C. Bell-LaPadula Model
D. TCSEC

Answer 14

C. Bell-LaPadula Model

Question 15

The ____ property states that a subject may not read info at a higher sensitivity level. (no read up)

A. * (Star) Security
B. Simple Security
C. Discretionary

Answer 15

B. Simple Security

Question 16

The ____ property states that a subject cannot write data from one level to an object at a lower level. (no write down).

A. * (Star) Security
B. Simple Security
C. Discretionary

Answer 16

A. * (Star) Security

Question 17

The ____ property enforces the need to know principle where a subject only has access to objects it needs.

A. * (Star) Security
B. Simple Security
C. Discretionary

Answer 17

C. Discretionary

Question 18

______ is focused on integrity and less on confidentiality.

A. Trusted Computing Base
B. Biba Model
C. Bell-LaPadula Model
D. TCSEC

Answer 18

B. Biba Model

Question 19

The Biba Model’s ______ states that a subject cannot read an object at a lower integrity model (no read down).

A. Simple Integrity
B. *(Star) Integrity

Answer 19

A. Simple Integrity

Question 20

The Biba Model’s _____ states that a subject cannot modify an object at a higher integrity level (no write up)

A. Simple Integrity
B. *(Star) Integrity

Answer 20

B. *(Star) Integrity

Question 21

The ______ was created to permit access controls to change dynamically based on a user’s previous data. It creates security domains to prevent conflict of interest.

A. Biba Model
B. Bell-LaPadula Model
C. Brewer and Nash Model
D. TCB

Answer 21

C. Brewer and Nash Model

Question 22

A closed system is what?

Answer 22

Designed to work with a small range of other systems.

Question 23

An Open system is what?

Answer 23

Designed using agreed-upon industry standards and integrates easier with other systems.

Question 24

____ allows a process to read from and write to only certain memory locations and resources.

A. memory confinement
B. memory restriction
C. process restriction
D. process confinement

Answer 24

D. process confinement

Question 25

_____ is the degree of confidence in the satisfaction of security needs.

Answer 25

Assurance

Question 26

The government created the Rainbow Series and one of the first standards it used to set security standards for systems it purchased.

Answer 26

Trusted Computer System Evaluation Criteria (TCSEC)

Question 27

TCSEC is based on assurance rating categories.
Match the Category with the type of rating.

Category A: 1. discretionary protection
Category B: 2. verified protection
Category C: 3. minimal protection
Category D: 4. Mandatory protection

Answer 27

Category A: 2. Verified protection
Category B: 4. Mandatory protection
Category C: 1. Discretionary protection
Category D: 3. Minimal protection

Question 28

The _____ evaluates the functionality and assurance of a system using separate ratings for each category. It was developed in Europe.

Answer 28

ITSEC

Question 29

_______ process is based on Protection Profiles (PP) and Security Targets (STs).

Answer 29

Common Criteria

Question 30

_____ is a collection of requirements to improve the security of electronic payment transactions.

Answer 30

Payment Card Industry-Data Security Standard (PCI-DSS)

Question 31

An Internal comprehensive evaluation of the technical and nontechnical security features of an IT system.

Answer 31

certification

Question 32

A formal declaration by a designated approving authority that an IT system is approved to operate in a particular security mode with safeguards and at an acceptable level of risk.

Answer 32

accreditation