Lecture 10 Flashcards

Security Models

1
Q

What is the first thing to do when developing security models for an organization/fixing security issues?

A

evaluate the current levels of security exposure

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are Security Models used for?

A

formalize security policies by providing a set of rules.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

When a system complies with a set of ________, it can be said to exhibit a level of trust.

A

security criteria

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

The _____, known as the orange book, is a combination of hardware software, and controls that work together to form a trusted base to enforce your security policy.

A. Trusted Control Baseline
B. Trusted Computing Base
C. Bell-LaPaluda
D. TCSEC

A

B. Trusted Computing Base

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

In the TCB, _______ validates access to every resource and may be a conceptual part of the TCB.

A

reference monitor

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

The _____ describes a system that is secure in every part of its possible states.

A. Secure State Model
B. Trusted Computing Base
C. Bell-LaPaluda
D. TCSEC

A

A. Secure State Model

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

The _____ describes a system that is secure in every part of its possible states. States depend on the previous state and the input.

A. Secure State Model
B. Trusted Computing Base
C. Bell-LaPaluda
D. TCSEC

A

A. Secure State Model

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A ______ is based on the state machine model and focuses on the flow of information. It is designed to prevent unauthorized, insecure or restricted information flow.

A

information flow model

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

The _____ is concerned with the interaction of a higher subject being noticed or interacting with a lower subject.

A

Interference Model

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

A composition theory is based on what?

A

How inputs and outputs between multiple systems relate to one another.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What are the 3 types of composition theories?

A. Linked
B. Cascading
C. Hookup
D. Waterfall
E. Feedback
A

B. Cascading
C. Hookup
E. Feedback

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

The _____ employs a directed graph to dictate how rights can be passed from one subject to another or subject to an object.

A.Trusted Computing Base
B. Information Flow Model
C. Take-Grant Model
D. Biba Model

A

C. Take-Grant Model

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

A ______ is a table of subjects and objects that shows what privileges are given to the subject for that object.

A

Access Control Matrix

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

The _____ was developed by the DoD to address concerns about protecting classified information. A subject w/any level of clearance can access resources at or below its clearance level on a need-to-know basis.

A. Trusted Computing Base
B. Biba Model
C. Bell-LaPadula Model
D. TCSEC

A

C. Bell-LaPadula Model

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

The ____ property states that a subject may not read info at a higher sensitivity level. (no read up)

A. * (Star) Security
B. Simple Security
C. Discretionary

A

B. Simple Security

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

The ____ property states that a subject cannot write data from one level to an object at a lower level. (no write down).

A. * (Star) Security
B. Simple Security
C. Discretionary

A

A. * (Star) Security

17
Q

The ____ property enforces the need to know principle where a subject only has access to objects it needs.

A. * (Star) Security
B. Simple Security
C. Discretionary

A

C. Discretionary

18
Q

______ is focused on integrity and less on confidentiality.

A. Trusted Computing Base
B. Biba Model
C. Bell-LaPadula Model
D. TCSEC

A

B. Biba Model

19
Q

The Biba Model’s ______ states that a subject cannot read an object at a lower integrity model (no read down).

A. Simple Integrity
B. *(Star) Integrity

A

A. Simple Integrity

20
Q

The Biba Model’s _____ states that a subject cannot modify an object at a higher integrity level (no write up)

A. Simple Integrity
B. *(Star) Integrity

A

B. *(Star) Integrity

21
Q

The ______ was created to permit access controls to change dynamically based on a user’s previous data. It creates security domains to prevent conflict of interest.

A. Biba Model
B. Bell-LaPadula Model
C. Brewer and Nash Model
D. TCB

A

C. Brewer and Nash Model

22
Q

A closed system is what?

A

Designed to work with a small range of other systems.

23
Q

An Open system is what?

A

Designed using agreed-upon industry standards and integrates easier with other systems.

24
Q

____ allows a process to read from and write to only certain memory locations and resources.

A. memory confinement
B. memory restriction
C. process restriction
D. process confinement

A

D. process confinement

25
Q

_____ is the degree of confidence in the satisfaction of security needs.

A

Assurance

26
Q

The government created the Rainbow Series and one of the first standards it used to set security standards for systems it purchased.

A

Trusted Computer System Evaluation Criteria (TCSEC)

27
Q

TCSEC is based on assurance rating categories.
Match the Category with the type of rating.

Category A: 1. discretionary protection
Category B: 2. verified protection
Category C: 3. minimal protection
Category D: 4. Mandatory protection

A

Category A: 2. Verified protection
Category B: 4. Mandatory protection
Category C: 1. Discretionary protection
Category D: 3. Minimal protection

28
Q

The _____ evaluates the functionality and assurance of a system using separate ratings for each category. It was developed in Europe.

A

ITSEC

29
Q

_______ process is based on Protection Profiles (PP) and Security Targets (STs).

A

Common Criteria

30
Q

_____ is a collection of requirements to improve the security of electronic payment transactions.

A

Payment Card Industry-Data Security Standard (PCI-DSS)

31
Q

An Internal comprehensive evaluation of the technical and nontechnical security features of an IT system.

A

certification

32
Q

A formal declaration by a designated approving authority that an IT system is approved to operate in a particular security mode with safeguards and at an acceptable level of risk.

A

accreditation