Chapter 3 - CISSP Flashcards Preview

Cissp > Chapter 3 - CISSP > Flashcards

Flashcards in Chapter 3 - CISSP Deck (103):

State Machine Model

Evaluates all systems of a state showing all possible interactions between a user and the objects. If every state is secure, the system is secure.


Bell-LaPadula Model

Simple Security Property = No Read Up
+Star Security Property = No Write Down

Keeps things secure by not letting pion see more than he's allowed and a boss not to tell peons anything.


Lattice-Based Access Control

Defines a Least Upper Bound (LUB) and Greatest Lower Bound (GLB) access. Creates distinct level of access.


Biba Model

Maintain **INTEGRITY**
Simple Integrity Axiom = No Read Down
*Integrity Axiom = No Write Up

Keeps information integrity so that a higher classification doesn't read low level bullshit and think it's real. Doesn't let an amateur write up to a top secret holder.


Clark Wilson

Means because the computer is restricted to certain actions, you are also restricted.
- Limits abilities of subject
Two Concepts:
1) Well Formed Transactions
2) Separation of Duties


Clark Wilson: Well Formed Transactions

Compromised of the "Access Triple Control."
- Transformation Procedure (TP) - A well formed transaction
- Constrained Data Item (CDI) - Data that requires integrity
- Unconstrained Data Items (UDI) - Data that does not require integrity

For each TP - an audit is kept. Provides both detective and recovery controls.


Clark Wilson: Separation of Duties

Means within this system, two people are necessary to do two duties, like AP/AR. Both can't be doing it.


Clark Wilson: General

Users must be authorized.
All transactions must be reconstructible.
Must meet the requirements of separation of duties.


Chinese Wall (aka Brewer Nash)

Consultants must disclose Conflict of Interest (COI) categories so that if they work for another company they can't access sensitive information in direct conflict with each company.


Noninterference Model

Means that data can't cross over from different security levels can't cross over to the other security domains. It's impossible!


Take-Grant Model

Complex rules that govern interaction between subjects, objects and permissions.

Rules Include: Take, Grant, Create and Remove.

Subjects and objects represented on a graph.


Access Control Matrix

Table that describes users and their access rights to items.
Somedumbfile1.txt Somedumbfile2.txt
Daniel Read Read/Write
Kye None Write
Jack Read/Write Read


Zachman Framework for Enterprise Architecture

Provides six frameworks for providing information security, asking what, how, where, where, when and why and mapping those frameworks across rules including planner, owner, designer, builder, programmer and user. These frameworks and roles are mapped to a matrix (table)


Graham Denning Model

The Graham-Denning Model has three parts: objects, subjects and rules. It provides a more granular approach for interaction between subjects and objects. There are eight rules.

R1: Transfer Access
R2: Grant Access
R3: Delete Access
R4: Read Object
R5: Create Object
R6: Destroy Object
R7: Create Subject
R8: Destroy Subject



The HRU model maps subjects and objects and access rights to an access matrix. It is considered a variation to the Graham Denning Model. It has six primitive operations and considers subjects to be objects.

Create Object
Create Subject
Destroy Subject
Destroy Object
Enter right into access matrix
Delete right from access matrix


Modes of Operation

Classifying a system based on what type of security classification the files on it are.

There are four:

Dedicated - All items are the same security level. You must have that access or higher to get one. eg. All files are "Secret" and you have "Top Secret" access - Bingo you are in. Or, you have "Secret" access. Bingo you are in.
- Note: You need Formal Access Approval, and Need to Know for all files on the system.

System High - Various types of file security levels but you need to have the same or higher to access.

Compartmentalized - Various files of security levels and you have to have specific access to each file.

Multi Level - Research this one


The Orange Book

Part of NIST (National Institute of Standards and Technology) with help from NSA:
- Trusted Computer System Evaluation Criteria (TSEC) aka The Orange Book
- First attempt to define differing security levels and access control implementations within an IT system.
- No longer used but as a reference.


The Orange Book: Classes

From Worst to Best . . .

D. Minimal Protection (does not meet requirements)
C. Discretionary Protection (Linux/Windows, etc)
B. Mandatory Protection (Top secret, secret etc)
A. Verified Protection


The Red Book

Brings Orange Book concepts to networks.


The Orange Book: Classes In Detail


Items to Remember


Built, installed, and delivered in a secure manner


Security labels (MAC)


Security labels and verification of no covert channels (MAC


Security labels, verification of no covert channels, and must stay secure during startup (MAC)


Weak protection mechanisms (DAC


Strict login procedures (DAC)


Failed or was not tested


The Orange Book: Classes In Detail

A1 Built, installed, and delivered in a secure manner

B1 Security labels (MAC)

B2 Security labels and verification of no covert channels (MAC

B3 Security labels, verification of no covert channels, and must stay secure during startup (MAC)

C1 Weak protection mechanisms (DAC

C2 Strict login procedures (DAC)

D1 Failed or was not tested


European Information Technology Security Evaluation Criteria (ITSEC)

European Information Technology Security Evaluation Criteria (ITSEC). It refers to the TCSEC Orange book levels separating functionality from assurance. There are two types of assuranceL effectiveness (Q) and Correctness (E). Assurance ratings range from E0 (inadequate) to E6 (formal model of security policy); Functionality ratings range include TCSEC equivalent ratings (F-C1, F-C2 etc.). The equivalent ITSEC/TCSEC ratings are:

E0: D
F-C1,E1: C1
F-C2,E2: C2
F-B1,E3: B1
F-B2,E4: B2
F-B3,E5: B3
F-B3,E6: A1

Additional functionality ratings include:

F-IN: High Integrity requirements
AV: High Availability requirements
DI: High Integrity requirements for networks
DC: High Confidentiality requirements for networks
DX: High Integrity and confidentiality requirements for networks


The International Common Criteria

An internationally agreed upon standard for describing and testing the security of IT products.

- For governments and private


Common Criteria Items

Target of Evaluation (ToE): What is being evaluated?
Security Target (ST): Documentation describing ToE and security requirements
Protection Profile (PP): Independent set of security requirements for a specific category of objects
Evaluation Assurance Level (EAL): the evaluation score of the tested product



EAL1: Functionality Tested
EAL2: Structurally Tested
EAL3: Methodically Testing and checked
EAL4: Methodically designed, tested and reviewed
EAL5: Semi-formally designed and tested
EAL6: Semi-formally verified, designed and tested
EAL7: Formally verified, designed and tested



Separates hardware and software functionality into four tiers. Means, doing something in one layer won't effect the other layers.


Layering Tiers

1) Hardware
2) Kernel and Device Drivers
3) Operating System
4) Applications



Means the computer hides all the crazy stuff from the users. All the crazy computer stuff that happens when you say hit .mp3 is hidden. Manages complexity to make computer more secure.


Security Domains

A security domain is a list of objects a subject is allowed to access. Ex. Confidential, Secret and Top secret are security domains used by DoD. Ex. Modern OS – Kernel mode and user mode separates domains where users interactions in the user mode should not affect processes in the kernel mode.


Kernel Mode

Most trusted part of the OS: Allows low level access to the memory, CPU, Disk, etc.
- Most trusted and powerful part of the system.


Ring Model

The ring model is a form of CPU hardware layering that separates and protects domains (such as Kernel mode and user mode) from each other.


Rings of the Ring Model

Ring 0 : Kernel
Ring 1: Other OS components that do not fit into Ring 0
Ring 2: Device Drivers
Ring 3: User Applications

Processes communicate between the rings via system calls, which allow processes to communicate with the kernel and provide a window between the rings.

While x86 CPUs have four rings – the usage is theoretical. Linux and Windows users rings 0 and 3 only opting for simplicity and speed. A new mode called hypervisor mode (informally called “ring -1” allows virtual guests to operate in ring 0 controlled by the hypervisor one ring below.


Open and Closed Systems

An "open" system uses hardware from various sources. like an IBC compatible PC. A "closed" system uses hardware from only proprietary sources, like a Mac.


The System Unit and Motherboard

The System Unit is the case that holds everything, the motherboard, disk drives, power supply.

The Motherboard contains CPU, memory slots, firmware, etc.


Computer BUS

Primary point of communication on a computer between the CPU and Memory Display, Keyboard, CD etc.


Northbridge and Southbridge

A computer that uses two BUSes.

Northbridge (faster): Connects the CPU to to RAM and video memory
Southbridge: Connects the Hard Disk, USB, CD to Northbridge



The central processing unit CPU is the brains of the computer, performs mathematical calculations, logical operations, accessing memory locations by address etc.


Arithmetic Logic and Control Unit

ALU performs mathematical calculations “it computes”. It is fed instructions by the control unit CU which acts as a traffic cop sending instructions to the ALU.


Fetch & Execute

Fetches machine language instructions and executes in four steps:
1) Fetch
2) Decode
3) Execute
4) Write

NB: These four steps take one clock cycle to complete



Pipelinig combines multiple steps into one combined process, allowing simultaneous fetch, decode, execute and write steps for different instructions increasing throughput.



An interrupt indicates that an asynchronous event has occurred. CPU interrupts are a form of hardware interrupt that cause the CPU to stop processing it’s current task, save the state and being processing a new request. When the new task is complete the CPU will complete the prior task.



Process – Executable program and it’s associated data loaded and running in memory.

States include:
New – A process being created
Ready – Process waiting to be executed by the CPU
Running – Process being executed by the CPU
Blocked – waiting for I/O
Terminate – A completed process
Zombie – A child process whose parent is terminated


Heavyweight Process (HWP)

Is called a "task." Can spawn Lightweight Processes (LWP).


Lightweight Processes (LWP)

The child process called a "thread." Can share memory resulting in lower overhead.



Allows multiple tasks (heavy weight processes) to run simultaneously on one CPU



Runs multiple process on multiple CPU.


Watchdog Timer

Designed to recover a system by rebooting after critical process hangs or crash. It reboots the system when it reaches 0, critical operating system processes continually reset the timer so it never reaches 0. If a critical process hangs or crash they no longer reset the timer which reaches – and the system reboots



Two forms of CPU design



Complex Instruction Set Computer ie X86

- Uses a large set of complex machine language instructions
- Mainly PCS



Reduced Instruction Set Computer ie ARM

- Uses a smaller set of simpler instructions
- Mostly on cell phones, PDAs,


Memory Addressing

Where memory is stored on the computer. RAM, registers, etc.


Memory Addressing Modes

Can be store directly or indirectly

Direct - Goes right to location in RAM (Go to RAM-1)
Indirect – Goes to the location in RAM that refers to another location (Go to RAM-1 but RAM-1 points to RAM-12)
Register direct – CPU cache register direct (Go to Register 5)
Register indirect – CPU cache register points to another location (Go to Register 5 but points to Register 7)


Memory Protection

Memory protection prevents one process from affecting the CIA of another. This is a requirement for secure multiuser and multitasking systems.


Process Isolation

Logical control: Means that one process cannot interfere with another. This is common in modern OS such as Windows and Linux. MSDOS does not have this feature. Techniques include virtual memory, object encapsulation and time multiplexing.


Hardware Segmentation

Maps processes to memory locations and keeps them separate.


Virtual Memory

Virtual memory provides address mapping between applications and hardware memory. Virtual memory provides many functions, including multitasking, allowing multiple processes to access the same shared library in memory, swapping and others.


Swapping and Paging

Read This;

What is Paging?

Paging is a memory management method used by operating systems. Paging allows the main memory to use data that is residing on a secondary storage device. These data are stored in the secondary storage device as blocks of same size called pages. Paging allows the operating system to use data that will not fit in to the main memory. When a program tries to access a page, first the page table is checked to see whether that page is on the main memory. Page table holds details about where the pages are stored. If it is not in the main memory, it is called a page fault. Operating system is responsible for handling page faults without showing it to the program. The operating system first finds where that particular page is stored in the secondary storage and then brings it in to an empty page frame in the main memory. Then it updates the page table to indicate that the new data is in the main memory and returns the control back to the program that initially requested the page.

What is Swapping?

Swapping is the process of moving all the segments belonging to a process between the main memory and a secondary storage device. Swapping occurs under heavier work loads. Operating system kernel would move all the memory segments belonging to a process in to an area called swap area. When selecting a process for swapping, the operating system will select a process that will not become active for a while. When the main memory has enough space to hold the process, it will be transferred back in to the main memory from the swap space so that its execution could be continued.

What is the difference between Paging and Swapping?

In paging, blocks of equal size (called pages) are transferred between the main memory and a secondary storage device, while in swapping, all the segments belonging to a process will be moved back and forth between the main memory and a secondary storage device. Since paging allows moving pages (it could be a part of the address space of a process), it is more flexible than swapping. Since, paging only moves pages (unlike swapping, which move a whole process), paging would allow more processes to reside on the main memory at the same time, when compared with a swapping system. Swapping is more suitable when running heavier workloads.



Contains code in firmware that is executed when powered on – POST power on self test. Once POST completes it locates the boot sector where the OS kernel is loaded and executes to boot the OS up.


WORM Storage

Write once ready many storage can only be written once and read many times. CDR, DVDR and some DLT drives support WORM.

- Often used for legal reasons as long term backups


Trusted Platform Module (TPM)

Piece of Hardware attached to computer
- Security functions can leverage the TPM chip for random number generation, symmetric/asymmetric and hashing algorithms and secure storage of cryptographic keys and message digests.
- Provides Hardware Root of Trust
- Used for boot integrity
- Stores keys that provide full disk encryption


Data Execution Prevention (DEP)

Enabled in hardware or software attempts to ensure that memory locations not pre-defined to contain executable content will not have the ability to have code executed


Address Space Location Randomization (ASLR)

Decrease likelihood of successful exploitation by making memory addresses employed by the system less predictable


The Kernel

Heart of the OS.
- In Ring 0
- Provides interface between hardware and rest of OS.


Kernel Modes

Monolithic Kernel - Compiled into one static executable and entire kernel runs in supervisor mode. All functionality are precompiled. If additional drivers are needed, a recompile is necessary.

Micro Kernel - Modular, and can add functionality via loadable kernel modules which can run in user mode (ring 3)

- Means you can add a driver or device after the computer is running


Reference Monitor

A core function of the kernel is running the reference monitor, which mediates access between subjects and objects.


NTFS Permissions

Microsoft New Technology File System
- More options than Unix
- Includes Modify and Full Control


Privileged Programs

Programs that can be run by a user than less than root permissions that can access deep level stuff. Like setuid or passwd are programs lower level user can run that can make root level changes.
- Integrity of program is key, hackers will try to attack.


Virtualization: Two Kinds

Transparent Virtualization – Runs stock operating systems as virtual guests such as Windows 10, Ubuntu

Paravirtualization – runs specifically modified operating systems with modified kernel system calls.
- More efficient but means changing the OS, which may not be possible


Hypervisor: Both Kinds

Type 1: Runs on the metal
Type 2: Needs an OS to host it


Virtualization Benefits

Lower overall hardware costs, hardware consolidation, lower power and cooling needs. Snapshots allow administrators to create OS images that can be restored with a click of a mouse, making backup and recovery simple and fast, testing new OS, applications and patches can be quite simple. Clustering simplified.


Virtualization Security Benefits

Complexity is the enemy of security. Never combine guests with different security requirements (such as DMZ and internal) onto one host. VMEscape allows exploits on the host OS or a guest from another guest. Many network based security tools, such as NIDS connected to a physical SPAN port or tap cannot see traffic passing from one guest to another. There’s a shift to virtual network devices going forward


Cloud Computing Types

Public Cloud Computing – outsources IT infrastructure, storage or applications to a 3rd party provider
IaaS – Infrastructure as a service – Provides entire virtualized OS, which the customer configures from OS up.
PaaS – Platform as a service – provides pre-configured OS and the customer configures the application
SaaS – Software as a service – is completely configured from OS to application where the customer simply uses the application
Private Cloud – House data for a single organization and maybe operated by a 3rd party or organization itself. Government clouds are designed to keep data an resources geographically contained within the borders of one country.


Grid Computing

Grid computing harnesses the computational power of a large number of dissimilar devices. It typically leverages the spare CPU cycles of devices.


Large Scale Parallel Data Systems

Large-scale parallel and distributed computer systems assemble computing resources from many different computers that may be at multiple locations to harness their combined power to solve problems and offer services.


Peer to Peer

A model that any system may act as a server, client or both. P2P networks are often used to download commercial music or movies in violation of intellectual property rights.

Later variations such as Gnutella or BiTorrent are decentralized and are much more resilient. Maintaining integrity could be a challenge as users have no assurance they are receiving legitimate data.


Thin Clients

Hardware or software based systems that are used to access a centralized server that serves applications and store associated data. Benefits include associated security costs of upgrades, patching and data storage etc.


Diskless Workstations

Contains CPU, memory but no disk ie PCs, routers, embedded devices, and others. The Kernel and OS are typically loaded via the network, via PXE Boot, BOOTP and DHCP


Thin Client Applications

Thin client applications normally run on a system with a full OS but use a web browser as a universal client, providing access to robust applications that are downloaded from the thin client server an run in the client’s browser.

Advantages: Simplify client/server and network architecture design, improve performance, and lowers cost.


Internet of Things IOT

Small internet connected devices such as baby monitors, cash registers, appliances, light bulbs, smart meters, fitness monitors, cars, etc which is directly accessible via the internet.


Internet of Things Risk

These devices pose significant security risks: default credentials are common, enterprise management tools are lacking, patching can be difficult. Vendors often release base OS and patch slowly and end support for devices that are still in widespread use.



Energy that escapes an electronic system, which may be remotely monitored under certain circumstances such as electromagnetic interference – shielding should be used to mitigate such risks.


Covert Channels

Any communication that violates security policy. The opposite is called overt channel.


Covert Storage Channels

Uses shared storage such as temporary directory to allow two subjects to signal each other.

- Say people have two different layers of access but can see the same tmp directory. One person can add a 1 mb file that is a message that something is happening. Or a 0 mb file that means nothing his happening.


Covert Timing Channels

uses system clock to infer sensitive information. Ex. An insecure system prints “bad username or password” immediately when a user types a base username/bad password, but there is a small delay when a user types a good username with a bad password. This timing delay allows attackers to infer which usernames are good or bad



Shortcut in a system that allows a user to bypass security checks to login. Maintenance hooks are a type of backdoor; they are shortcuts installed by the system designers and programmers to allow developers to bypass normal system checks during development.



Computer Viruses
Logic Bombs


Computer Viruses

Malware that does not spread automatically; they require a carrier.

Macro virus – virus written in macro language that targets word processors or spreadsheets
Boot Sector Virus – virus that infects the boot sector which loads during PC startup
Stealth Virus – A virus that hides itself from the OS and other protective software, such as AV
Polymorphic Virus – A virus that changes its signature upon infection of a new system, attempting to evade signature-based AV software
Multipartite Virus – A virus that spreads via multiple vectors AKA multipart virus



A malware that self-propagates. Worms can cause damage by two ways: first by the malicious code that it carries and second by the loss of network availability due to aggressive self-propagation. Ex, Blaster, Sasser, Conficker.



A malware that performs two functions; one benign and one malicious.



A malware that replaces portions of the kernel and/or OS. A user-mode rootkit operates in ring 3 on most systems, replacing the OS components in userland. Ex. OS binaries, ls, ps, commands on Linux/Unix. Kernel mode root kit replaces the kernel or loads malicious loadable kernel modules and operate in ring 0.



Provide runtime compression of executables. Upon execution the decompressor unpacks the compressed executable machine code and runs it. Often used to evade signature-based malware detection.


Logic Bombs

Malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed, or on specific data (time bomb). Malware such as worms contain logic bombs, behaving in one manner, and then changing tactics on a specific date and time.


Antivirus Software

AV is designed to prevent and detect malware infections. Signature based AV use signatures of known malware. Heuristic based antivirus use anomaly based detection to attempt to identify behavioral characteristics of malware such as altering the boot sector.


Server Side Attacks

aka Service side attacks are launched directly from an attacker (the client) to a listening service. Conficker worm spread via a number of methods, including service side attack on TCP port 445 exploiting a weakness on RPC service. Patching, system hardening, firewalls, and other forms of defense-in-depth mitigate server side attacks.


Client side Attacks

Occur when a user downloads malicious content. Attacks are initiated from the victim who downloads content from the attacker. Client side attacks are difficult to mitigate for organizations that allow internet access. Clients include, word processors, spreadsheets, web browsers – within them, flash players, media players etc.
All client-side software must be patched, a challenge many organizations struggle with.


Java Applet

Runs in a sandbox which segregates code from the operating system. Interpreted by the JVM and available for many OSes

- Malicious applets may be able to compromise the security of the client.


Active X Applets

Uses digital certificates instead of sandbox to provide security. Tied more to OS allowing functionality such as installing patches via Windows updates but runs on Windows only

- Malicious applets may be able to compromise the security of the client.



The open web application security project represents one of the best application security resources. OWASP provides a number of free resources dedicated to improving organization’s application security posture. The OWASP Top 10 project provides consensus guidance on what are considered to be the ten most significant application security risk.


Service Oriented Architecture (SOA

Look this Up



Polyinstantiation allows two different objects to have the same name. In databases it means two rows may have the same primary key but different data. Databases normally require that all rows in a table contain unique primary key so a normal database would generate an error like “duplicate” entry

- The reason is so that in one db with two different security levels you wouldn't be tipped off to something by not being able to duplicate a key.


Inference and Aggregation

Inference and aggregation occur when a user is able to use lower level access to learn restricted information. Inference requires deduction: there is a mystery to be solved, and a lower level details provide the clues. Aggregation is a mathematical process: a user asks every question, receives every answer, and derives restricted information.

- Like guessing that a war will start because you see cars late at night at The Pentagon.
- Downloading an entire phone book by sequentially adding numbers to a query string, but not having access to download an entire book in one go.


Data Analytics

Improves security by analyzing a typical use cases in the database to provide a baseline. This potentially allows an organization to proactively identify abuse from insider threats or compromised accounts.


Mobile Device Defense

Administrative controls such as restricting use of mobile devices via policy. Suspend use of USB thumb drives, CDs, flash media cards, and all other removable media.

Technical controls to mitigate infected drives include disabling auto-run via group policy.

Technical controls to mitigate infected mobile computers include requiring authentication at layer 2 via 802.1x and NAC.

Technical control to mitigate loss of backups or mobile device – use Full Disk encryption, remote wipe