Week 2: Security policies. Safety and security usability.

Question 1

What are some examples of bad policies?

Answer 1

1. If it does not address who determines “need-to-know” and how.
2. If it mixes statements at different levels (organizational approval of a policy should logically not be part of the policy itself).
3. If there is an implied rather than explicit mechanism: “staff shall obey” … what do they have to do? Must obedience be enforced by the system?
4. If it doesn’t describe how breaches are to be detected, and who has a specific duty to report them?

Question 2

What is a security policy?

Answer 2

A security policy model is a succinct statement of the protection properties that a system must have. It is the document in which the protection goals of the system are agreed with an entire community, or with the top management of a customer.

Question 3

What is a security target?

Answer 3

A security target is a more detailed description of the protection mechanisms
The security target forms the basis for testing and evaluation of a product.

Question 4

List some clarifications of multilevel security policy examples.

Answer 4

Top Secret
secret
confidential
unclassified

Question 5

What 2 properties Bell-LaPadula (BLP) model enforce?

Answer 5

1. The simple security property: no process may read data at a higher level. This is also known as no read up (NRU);
2. The *-property: no process may write data to a lower level. This is also known as no write down (NWD).

Question 6

What 3 letters of permission are there?

Answer 6

r - read
w - write
x - execute

Question 7

who do the 3 types of permission apply to?

Answer 7

file owner
group owner of the file
all other users

Question 8

Before the rwx, there is either a - or a d, what do these mean?

Answer 8

• means a regular file
  d indicates directory

Question 9

How can policies help safety security usability?

Answer 9

To ensure additional training is provided if needed so reduce risk

Question 10

List the hierarchy of harms. list from most sophistated to volume of harm.

Answer 10

targeted attacks
generic malware
bulk password compromise
abuse of mechanism

Question 11

What’s the difference between MAC and DAC in abbreviation?

Answer 11

DAC stands for Discretionary Access Control.
MAC stands for Mandatory Access Control.

Question 12

What’s the difference between MAC and DAC in use?

Answer 12

DAC is identity-based access control. DAC mechanisms will be controlled by user identification such as username and password.
The operating system in MAC will provide access to the user based on their identities and data. For gaining access, the user has to submit their personal information.

Question 13

What were the operational assumptions about the Bell-LaPadula (BLP) model?

Answer 13

it is also assumed that most staff are careless, and some are dishonest; extensive operational security measures have long been used,