CHAPTER 8 Questions Flashcards
You have been working on crafting a new expansion service to link to the existing computing hardware of a core business function. However, after weeks of research and experimentation, you are unable to get the systems to communicate. The CTO informs you that the computing hardware you are focusing on is a closed system. What is a closed system?
A. A system designed around final, or closed, standards
B. A system that includes industry standards
C. A proprietary system that uses unpublished protocols
D. Any machine that does not run Windows
C. A proprietary system that uses unpublished protocols
A closed system is one that uses largely proprietary or unpublished protocols and standards. Options A and D do not describe any particular systems, and option B describes an open system.
A compromise of a newly installed Wi-Fi connected baby monitor enabled a hacker to virtually invade a home and play scary sounds to a startled toddler. How was the attacker able to gain access to the baby monitor in this situation?
A. Outdated malware scanners
B. A WAP supporting 5 GHz channels
C. Performing a social engineering attack against the parents
D. Exploiting default configuration
D. Exploiting default configuration
The most likely reason the attacker was able to gain access to the baby monitor was through exploitation of default configuration. Since there is no mention of the exact means used by the attacker in the question, and there is no discussion of any actions of installation, configuration, or security implementation, the only remaining option is to consider the defaults of the device. This is an unfortunately common issue with any device, but especially with IoT equipment connected to Wi-Fi networks. Unless malware was used in the attack, a malware scanner would not be relevant to this situation. This scenario did not mention malware. This type of attack is possible over any network type and all Wi-Fi frequency options. This scenario did not discuss frequencies or network types. There was no mention of any interaction with the parents, which was not required with a device using its default configuration.
While working against a deadline, you are frantically trying to finish a report on the current state of security of the organization. You are pulling records and data items from over a dozen sources, including a locally hosted database, several documents, a few spreadsheets, and numerous web pages from an internal server. However, as you start to open another file from your hard drive, the system crashes and displays the Windows Blue Screen of Death. This event is formally known as a stop error and is an example of a(n) _______ approach to software failure.
A. Fail-open
B. Fail-secure
C. Limit check
D. Object-oriented
B. Fail-secure
The Blue Screen of Death (BSoD) stops all processing when a critical failure occurs in Windows. This is an example of a fail-secure approach. The BSoD is not an example of a fail-open approach; a fail-open event would have required the system to continue to operate in spite of the error. A fail-open result would have protected availability, but typically by sacrificing confidentiality and integrity protections. This is not an example of a limit check, which is the verification that input is within a preset range or domain. Object-oriented is a type of programming approach, not a means of handling software failure.
As a software designer, you want to limit the actions of the program you are developing. You have considered using bounds and isolation but are not sure they perform the functions you need. Then you realize that the limitation you want can be achieved using confinement. Which best describes a confined or constrained process?
A. A process that can run only for a limited time
B. A process that can run only during certain times of the day
C. A process that can access only certain memory locations
D. A process that controls access to an object
C. A process that can access only certain memory locations
A constrained process is one that can access only certain memory locations. Allowing a process to run for a limited time is a time limit or timeout restriction, not a confinement. Allowing a process to run only during certain times of the day is a scheduling limit, not a confinement. A process that controls access to an object is authorization, not confinement.
When a trusted subject violates the star property of Bell–LaPadula in order to write an object into a lower level, what valid operation could be taking place?
A. Perturbation
B. Noninterference
C. Aggregation
D. Declassification
D. Declassification
Declassification is the process of moving an object into a lower level of classification once it is determined that it no longer justifies being placed at a higher level. Only a trusted subject can perform declassification because this action is a violation of the verbiage of the star property of Bell–LaPadula, but not the spirit or intent, which is to prevent unauthorized disclosure. Perturbation is the use of false or misleading data in a database management system in order to redirect or thwart information confidentiality attacks. Noninterference is the concept of limiting the actions of a subject at a higher security level so that they do not affect the system state or the actions of a subject at a lower security level. If noninterference was being enforced, the writing of a file to a lower level would be prohibited, not allowed and supported. Aggregation is the act of collecting multiple pieces of nonsensitive or low-value information and combining it or aggregating it to learn sensitive or high-value information.
What security method, mechanism, or model reveals a capabilities list of a subject across multiple objects?
A. Separation of duties
B. Access control matrix
C. Biba
D. Clark–Wilson
B. Access control matrix
An access control matrix assembles ACLs from multiple objects into a single table. The rows of that table are the ACEs of a subject across those objects, thus a capabilities list. Separation of duties is the division of administrative tasks into compartments or silos; it is effectively the application of the principle of least privilege to administrators. Biba is a security model that focuses on integrity protection across security levels. Clark–Wilson is a security model that protects integrity using an access control triplet.
What security model has a feature that in theory has one name or label but, when implemented into a solution, takes on the name or label of the security kernel?
A. Graham–Denning model
B. Harrison–Ruzzo–Ullman (HRU) model
C. Trusted computing base
D. Brewer and Nash model
C. Trusted computing base
The trusted computing base (TCB) has a component known as the reference monitor in theory, which becomes the security kernel in implementation. The other options do not have this feature. The Graham–Denning model is focused on the secure creation and deletion of both subjects and objects. The Harrison–Ruzzo–Ullman (HRU) model focuses on the assignment of object access rights to subjects as well as the integrity (or resilience) of those assigned rights. The Brewer and Nash model was created to permit access controls to change dynamically based on a user’s previous activity.
The Clark–Wilson model uses a multifaceted approach to enforcing data integrity. Instead of defining a formal state machine, the Clark–Wilson model defines each data item and allowable data transformations. Which of the following is not part of the access control relationship of the Clark–Wilson model?
A. Object
B. Interface
C. Input sanitization
D. Subject
C. Input sanitization
The three parts of the Clark–Wilson model’s access control relationship (aka access triple) are subject, object, and program (or interface). Input sanitization is not an element of the Clark–Wilson model.
While researching security models to base your new computer design around, you discover the concept of the TCB. What is a trusted computing base (TCB)?
A. Hosts on your network that support secure transmissions
B. The operating system kernel, other OS components, and device drivers
C. The combination of hardware, software, and controls that work together to enforce a security policy
D. The predetermined set or domain (i.e., a list) of objects that a subject can access
C. The combination of hardware, software, and controls that work together to enforce a security policy
The TCB is the combination of hardware, software, and controls that work together to enforce a security policy. The other options are incorrect. Hosts on a network that support secure transmissions may be able to support VPN connections, use TLS encryption, or implement some other form of data-in-transit protection mechanism. The operating system kernel, other OS components, and device drivers are located in Rings 0–2 of the protection rings concept, or in the Kernel Mode ring in the variation used by Microsoft Windows (see Chapter 9). The predetermined set or domain (i.e., a list) of objects that a subject can access is the Goguen–Meseguer model.
What is a security perimeter? (Choose all that apply.)
A. The boundary of the physically secure area surrounding your system
B. The imaginary boundary that separates the TCB from the rest of the system
C. The network where your firewall resides
D. Any connections to your computer system
A. The boundary of the physically secure area surrounding your system
B. The imaginary boundary that separates the TCB from the rest of the system
Although the most correct answer in the context of this chapter is option B, the imaginary boundary that separates the TCB from the rest of the system, option A, the boundary of the physically secure area surrounding your system, is also a correct answer in the context of physical security. The network where your firewall resides is not a unique concept or term, since a firewall can exist in any network as either a hardware device or a software service. A border firewall could be considered a security perimeter protection device, but that was not a provided option. Any connections to your computer system are just pathways of communication to a system’s interface—they are not labeled as a security perimeter.
The trusted computing base (TCB) is a combination of hardware, software, and controls that work together to form a trusted base to enforce your security policy. What part of the TCB concept validates access to every resource prior to granting the requested access?
A. TCB partition
B. Trusted library
C. Reference monitor
D. Security kernel
C. Reference monitor
The reference monitor validates access to every resource prior to granting the requested access. The other options are incorrect. Option D, the security kernel, is the collection of TCB components that work together to implement the reference monitor functions. In other words, the security kernel is the implementation of the reference monitor concept. Option A, a TCB partition, and option B, a trusted library, are not valid TCB concept components.
A security model provides a way for designers to map abstract statements into a solution that prescribes the algorithms and data structures necessary to build hardware and software. Thus, a security model gives software designers something against which to measure their design and implementation. Which of the following is the best definition of a security model?
A. A security model states policies an organization must follow.
B. A security model provides a framework to implement a security policy.
C. A security model is a technical evaluation of each part of a computer system to assess its concordance with security standards.
D. A security model is used to host one or more operating systems within the memory of a single host computer or to run applications that are not compatible with the host OS.
B. A security model provides a framework to implement a security policy.
Option B is the only option that correctly defines a security model. The other options are incorrect. Option A is a definition of a security policy. Option C is a formal evaluation of the security of a system. Option D is the definition of virtualization
The state machine model describes a system that is always secure no matter what state it is in. A secure state machine model system always boots into a secure state, maintains a secure state across all transitions, and allows subjects to access resources only in a secure manner compliant with the security policy. Which security models are built on a state machine model?
A. Bell–LaPadula and take-grant
B. Biba and Clark–Wilson
C. Clark–Wilson and Bell–LaPadula
D. Bell–LaPadula and Biba
D. Bell–LaPadula and Biba
The Bell–LaPadula and Biba models are built on the state machine model. Take-Grant and Clark–Wilson are not directly based or built on the state machine model.
You are tasked with designing the core security concept for a new government computing system. The details of its use are classified, but it will need to protect confidentiality across multiple classification levels. Which security model addresses data confidentiality in this context?
A. Bell–LaPadula
B. Biba
C. Clark–Wilson
D. Brewer and Nash
A. Bell–LaPadula
Only the Bell–LaPadula model addresses data confidentiality. The Biba and Clark–Wilson models address data integrity. The Brewer and Nash model prevents conflicts of interest.
The Bell–LaPadula multilevel security model was derived from the DoD’s multilevel security policies. The multilevel security policy states that a subject with any level of clearance can access resources at or below its clearance level. Which Bell–LaPadula property keeps lower-level subjects from accessing objects with a higher security level?
A. (Star) security property
B. No write-up property
C. No read-up property
D. No read-down property
C. No read-up property
The no read-up property, also called the simple security property, prohibits subjects from reading a higher security level object. The other options are incorrect. Option A, the (star) security property of Bell–LaPadula, is no write-down. Option B, no write-up, is the (star) property of Biba. Option D, no read-down, is the simple property of Biba.
