Flashcards in Chapter 3 - CISSP Deck (103):
State Machine Model
Evaluates all systems of a state showing all possible interactions between a user and the objects. If every state is secure, the system is secure.
Simple Security Property = No Read Up
+Star Security Property = No Write Down
Keeps things secure by not letting pion see more than he's allowed and a boss not to tell peons anything.
Lattice-Based Access Control
Defines a Least Upper Bound (LUB) and Greatest Lower Bound (GLB) access. Creates distinct level of access.
Simple Integrity Axiom = No Read Down
*Integrity Axiom = No Write Up
Keeps information integrity so that a higher classification doesn't read low level bullshit and think it's real. Doesn't let an amateur write up to a top secret holder.
Means because the computer is restricted to certain actions, you are also restricted.
- Limits abilities of subject
1) Well Formed Transactions
2) Separation of Duties
Clark Wilson: Well Formed Transactions
Compromised of the "Access Triple Control."
- Transformation Procedure (TP) - A well formed transaction
- Constrained Data Item (CDI) - Data that requires integrity
- Unconstrained Data Items (UDI) - Data that does not require integrity
For each TP - an audit is kept. Provides both detective and recovery controls.
Clark Wilson: Separation of Duties
Means within this system, two people are necessary to do two duties, like AP/AR. Both can't be doing it.
Clark Wilson: General
Users must be authorized.
All transactions must be reconstructible.
Must meet the requirements of separation of duties.
Chinese Wall (aka Brewer Nash)
Consultants must disclose Conflict of Interest (COI) categories so that if they work for another company they can't access sensitive information in direct conflict with each company.
Means that data can't cross over from different security levels can't cross over to the other security domains. It's impossible!
Complex rules that govern interaction between subjects, objects and permissions.
Rules Include: Take, Grant, Create and Remove.
Subjects and objects represented on a graph.
Access Control Matrix
Table that describes users and their access rights to items.
Daniel Read Read/Write
Kye None Write
Jack Read/Write Read
Zachman Framework for Enterprise Architecture
Provides six frameworks for providing information security, asking what, how, where, where, when and why and mapping those frameworks across rules including planner, owner, designer, builder, programmer and user. These frameworks and roles are mapped to a matrix (table)
Graham Denning Model
The Graham-Denning Model has three parts: objects, subjects and rules. It provides a more granular approach for interaction between subjects and objects. There are eight rules.
R1: Transfer Access
R2: Grant Access
R3: Delete Access
R4: Read Object
R5: Create Object
R6: Destroy Object
R7: Create Subject
R8: Destroy Subject
The HRU model maps subjects and objects and access rights to an access matrix. It is considered a variation to the Graham Denning Model. It has six primitive operations and considers subjects to be objects.
Enter right into access matrix
Delete right from access matrix
Modes of Operation
Classifying a system based on what type of security classification the files on it are.
There are four:
Dedicated - All items are the same security level. You must have that access or higher to get one. eg. All files are "Secret" and you have "Top Secret" access - Bingo you are in. Or, you have "Secret" access. Bingo you are in.
- Note: You need Formal Access Approval, and Need to Know for all files on the system.
System High - Various types of file security levels but you need to have the same or higher to access.
Compartmentalized - Various files of security levels and you have to have specific access to each file.
Multi Level - Research this one
The Orange Book
Part of NIST (National Institute of Standards and Technology) with help from NSA:
- Trusted Computer System Evaluation Criteria (TSEC) aka The Orange Book
- First attempt to define differing security levels and access control implementations within an IT system.
- No longer used but as a reference.
The Orange Book: Classes
From Worst to Best . . .
D. Minimal Protection (does not meet requirements)
C. Discretionary Protection (Linux/Windows, etc)
B. Mandatory Protection (Top secret, secret etc)
A. Verified Protection
The Red Book
Brings Orange Book concepts to networks.
The Orange Book: Classes In Detail
Items to Remember
Built, installed, and delivered in a secure manner
Security labels (MAC)
Security labels and verification of no covert channels (MAC
Security labels, verification of no covert channels, and must stay secure during startup (MAC)
Weak protection mechanisms (DAC
Strict login procedures (DAC)
Failed or was not tested
The Orange Book: Classes In Detail
A1 Built, installed, and delivered in a secure manner
B1 Security labels (MAC)
B2 Security labels and verification of no covert channels (MAC
B3 Security labels, verification of no covert channels, and must stay secure during startup (MAC)
C1 Weak protection mechanisms (DAC
C2 Strict login procedures (DAC)
D1 Failed or was not tested
European Information Technology Security Evaluation Criteria (ITSEC)
European Information Technology Security Evaluation Criteria (ITSEC). It refers to the TCSEC Orange book levels separating functionality from assurance. There are two types of assuranceL effectiveness (Q) and Correctness (E). Assurance ratings range from E0 (inadequate) to E6 (formal model of security policy); Functionality ratings range include TCSEC equivalent ratings (F-C1, F-C2 etc.). The equivalent ITSEC/TCSEC ratings are:
Additional functionality ratings include:
F-IN: High Integrity requirements
AV: High Availability requirements
DI: High Integrity requirements for networks
DC: High Confidentiality requirements for networks
DX: High Integrity and confidentiality requirements for networks
The International Common Criteria
An internationally agreed upon standard for describing and testing the security of IT products.
- For governments and private
Common Criteria Items
Target of Evaluation (ToE): What is being evaluated?
Security Target (ST): Documentation describing ToE and security requirements
Protection Profile (PP): Independent set of security requirements for a specific category of objects
Evaluation Assurance Level (EAL): the evaluation score of the tested product
EAL1: Functionality Tested
EAL2: Structurally Tested
EAL3: Methodically Testing and checked
EAL4: Methodically designed, tested and reviewed
EAL5: Semi-formally designed and tested
EAL6: Semi-formally verified, designed and tested
EAL7: Formally verified, designed and tested
Separates hardware and software functionality into four tiers. Means, doing something in one layer won't effect the other layers.
2) Kernel and Device Drivers
3) Operating System
Means the computer hides all the crazy stuff from the users. All the crazy computer stuff that happens when you say hit .mp3 is hidden. Manages complexity to make computer more secure.
A security domain is a list of objects a subject is allowed to access. Ex. Confidential, Secret and Top secret are security domains used by DoD. Ex. Modern OS – Kernel mode and user mode separates domains where users interactions in the user mode should not affect processes in the kernel mode.
Most trusted part of the OS: Allows low level access to the memory, CPU, Disk, etc.
- Most trusted and powerful part of the system.
The ring model is a form of CPU hardware layering that separates and protects domains (such as Kernel mode and user mode) from each other.
Rings of the Ring Model
Ring 0 : Kernel
Ring 1: Other OS components that do not fit into Ring 0
Ring 2: Device Drivers
Ring 3: User Applications
Processes communicate between the rings via system calls, which allow processes to communicate with the kernel and provide a window between the rings.
While x86 CPUs have four rings – the usage is theoretical. Linux and Windows users rings 0 and 3 only opting for simplicity and speed. A new mode called hypervisor mode (informally called “ring -1” allows virtual guests to operate in ring 0 controlled by the hypervisor one ring below.
Open and Closed Systems
An "open" system uses hardware from various sources. like an IBC compatible PC. A "closed" system uses hardware from only proprietary sources, like a Mac.
The System Unit and Motherboard
The System Unit is the case that holds everything, the motherboard, disk drives, power supply.
The Motherboard contains CPU, memory slots, firmware, etc.
Primary point of communication on a computer between the CPU and Memory Display, Keyboard, CD etc.
Northbridge and Southbridge
A computer that uses two BUSes.
Northbridge (faster): Connects the CPU to to RAM and video memory
Southbridge: Connects the Hard Disk, USB, CD to Northbridge
The central processing unit CPU is the brains of the computer, performs mathematical calculations, logical operations, accessing memory locations by address etc.
Arithmetic Logic and Control Unit
ALU performs mathematical calculations “it computes”. It is fed instructions by the control unit CU which acts as a traffic cop sending instructions to the ALU.
Fetch & Execute
Fetches machine language instructions and executes in four steps:
NB: These four steps take one clock cycle to complete
Pipelinig combines multiple steps into one combined process, allowing simultaneous fetch, decode, execute and write steps for different instructions increasing throughput.
An interrupt indicates that an asynchronous event has occurred. CPU interrupts are a form of hardware interrupt that cause the CPU to stop processing it’s current task, save the state and being processing a new request. When the new task is complete the CPU will complete the prior task.
Process – Executable program and it’s associated data loaded and running in memory.
New – A process being created
Ready – Process waiting to be executed by the CPU
Running – Process being executed by the CPU
Blocked – waiting for I/O
Terminate – A completed process
Zombie – A child process whose parent is terminated
Heavyweight Process (HWP)
Is called a "task." Can spawn Lightweight Processes (LWP).
Lightweight Processes (LWP)
The child process called a "thread." Can share memory resulting in lower overhead.
Allows multiple tasks (heavy weight processes) to run simultaneously on one CPU
Runs multiple process on multiple CPU.
Designed to recover a system by rebooting after critical process hangs or crash. It reboots the system when it reaches 0, critical operating system processes continually reset the timer so it never reaches 0. If a critical process hangs or crash they no longer reset the timer which reaches – and the system reboots
CISC and RISC
Two forms of CPU design
Complex Instruction Set Computer ie X86
- Uses a large set of complex machine language instructions
- Mainly PCS
Reduced Instruction Set Computer ie ARM
- Uses a smaller set of simpler instructions
- Mostly on cell phones, PDAs,
Where memory is stored on the computer. RAM, registers, etc.
Memory Addressing Modes
Can be store directly or indirectly
Direct - Goes right to location in RAM (Go to RAM-1)
Indirect – Goes to the location in RAM that refers to another location (Go to RAM-1 but RAM-1 points to RAM-12)
Register direct – CPU cache register direct (Go to Register 5)
Register indirect – CPU cache register points to another location (Go to Register 5 but points to Register 7)
Memory protection prevents one process from affecting the CIA of another. This is a requirement for secure multiuser and multitasking systems.
Logical control: Means that one process cannot interfere with another. This is common in modern OS such as Windows and Linux. MSDOS does not have this feature. Techniques include virtual memory, object encapsulation and time multiplexing.
Maps processes to memory locations and keeps them separate.
Virtual memory provides address mapping between applications and hardware memory. Virtual memory provides many functions, including multitasking, allowing multiple processes to access the same shared library in memory, swapping and others.
Swapping and Paging
Read This; http://www.differencebetween.com/difference-between-paging-and-vs-swapping/
What is Paging?
Paging is a memory management method used by operating systems. Paging allows the main memory to use data that is residing on a secondary storage device. These data are stored in the secondary storage device as blocks of same size called pages. Paging allows the operating system to use data that will not fit in to the main memory. When a program tries to access a page, first the page table is checked to see whether that page is on the main memory. Page table holds details about where the pages are stored. If it is not in the main memory, it is called a page fault. Operating system is responsible for handling page faults without showing it to the program. The operating system first finds where that particular page is stored in the secondary storage and then brings it in to an empty page frame in the main memory. Then it updates the page table to indicate that the new data is in the main memory and returns the control back to the program that initially requested the page.
What is Swapping?
Swapping is the process of moving all the segments belonging to a process between the main memory and a secondary storage device. Swapping occurs under heavier work loads. Operating system kernel would move all the memory segments belonging to a process in to an area called swap area. When selecting a process for swapping, the operating system will select a process that will not become active for a while. When the main memory has enough space to hold the process, it will be transferred back in to the main memory from the swap space so that its execution could be continued.
What is the difference between Paging and Swapping?
In paging, blocks of equal size (called pages) are transferred between the main memory and a secondary storage device, while in swapping, all the segments belonging to a process will be moved back and forth between the main memory and a secondary storage device. Since paging allows moving pages (it could be a part of the address space of a process), it is more flexible than swapping. Since, paging only moves pages (unlike swapping, which move a whole process), paging would allow more processes to reside on the main memory at the same time, when compared with a swapping system. Swapping is more suitable when running heavier workloads.
Contains code in firmware that is executed when powered on – POST power on self test. Once POST completes it locates the boot sector where the OS kernel is loaded and executes to boot the OS up.
Write once ready many storage can only be written once and read many times. CDR, DVDR and some DLT drives support WORM.
- Often used for legal reasons as long term backups
Trusted Platform Module (TPM)
Piece of Hardware attached to computer
- Security functions can leverage the TPM chip for random number generation, symmetric/asymmetric and hashing algorithms and secure storage of cryptographic keys and message digests.
- Provides Hardware Root of Trust
- Used for boot integrity
- Stores keys that provide full disk encryption
Data Execution Prevention (DEP)
Enabled in hardware or software attempts to ensure that memory locations not pre-defined to contain executable content will not have the ability to have code executed
Address Space Location Randomization (ASLR)
Decrease likelihood of successful exploitation by making memory addresses employed by the system less predictable
Heart of the OS.
- In Ring 0
- Provides interface between hardware and rest of OS.
Monolithic Kernel - Compiled into one static executable and entire kernel runs in supervisor mode. All functionality are precompiled. If additional drivers are needed, a recompile is necessary.
Micro Kernel - Modular, and can add functionality via loadable kernel modules which can run in user mode (ring 3)
- Means you can add a driver or device after the computer is running
A core function of the kernel is running the reference monitor, which mediates access between subjects and objects.
Microsoft New Technology File System
- More options than Unix
- Includes Modify and Full Control
Programs that can be run by a user than less than root permissions that can access deep level stuff. Like setuid or passwd are programs lower level user can run that can make root level changes.
- Integrity of program is key, hackers will try to attack.
Virtualization: Two Kinds
Transparent Virtualization – Runs stock operating systems as virtual guests such as Windows 10, Ubuntu
Paravirtualization – runs specifically modified operating systems with modified kernel system calls.
- More efficient but means changing the OS, which may not be possible
Hypervisor: Both Kinds
Type 1: Runs on the metal
Type 2: Needs an OS to host it
Lower overall hardware costs, hardware consolidation, lower power and cooling needs. Snapshots allow administrators to create OS images that can be restored with a click of a mouse, making backup and recovery simple and fast, testing new OS, applications and patches can be quite simple. Clustering simplified.
Virtualization Security Benefits
Complexity is the enemy of security. Never combine guests with different security requirements (such as DMZ and internal) onto one host. VMEscape allows exploits on the host OS or a guest from another guest. Many network based security tools, such as NIDS connected to a physical SPAN port or tap cannot see traffic passing from one guest to another. There’s a shift to virtual network devices going forward
Cloud Computing Types
Public Cloud Computing – outsources IT infrastructure, storage or applications to a 3rd party provider
IaaS – Infrastructure as a service – Provides entire virtualized OS, which the customer configures from OS up.
PaaS – Platform as a service – provides pre-configured OS and the customer configures the application
SaaS – Software as a service – is completely configured from OS to application where the customer simply uses the application
Private Cloud – House data for a single organization and maybe operated by a 3rd party or organization itself. Government clouds are designed to keep data an resources geographically contained within the borders of one country.
Grid computing harnesses the computational power of a large number of dissimilar devices. It typically leverages the spare CPU cycles of devices.
Large Scale Parallel Data Systems
Large-scale parallel and distributed computer systems assemble computing resources from many different computers that may be at multiple locations to harness their combined power to solve problems and offer services.
Peer to Peer
A model that any system may act as a server, client or both. P2P networks are often used to download commercial music or movies in violation of intellectual property rights.
Later variations such as Gnutella or BiTorrent are decentralized and are much more resilient. Maintaining integrity could be a challenge as users have no assurance they are receiving legitimate data.
Hardware or software based systems that are used to access a centralized server that serves applications and store associated data. Benefits include associated security costs of upgrades, patching and data storage etc.
Contains CPU, memory but no disk ie PCs, routers, embedded devices, and others. The Kernel and OS are typically loaded via the network, via PXE Boot, BOOTP and DHCP
Thin Client Applications
Thin client applications normally run on a system with a full OS but use a web browser as a universal client, providing access to robust applications that are downloaded from the thin client server an run in the client’s browser.
Advantages: Simplify client/server and network architecture design, improve performance, and lowers cost.
Internet of Things IOT
Small internet connected devices such as baby monitors, cash registers, appliances, light bulbs, smart meters, fitness monitors, cars, etc which is directly accessible via the internet.
Internet of Things Risk
These devices pose significant security risks: default credentials are common, enterprise management tools are lacking, patching can be difficult. Vendors often release base OS and patch slowly and end support for devices that are still in widespread use.
Energy that escapes an electronic system, which may be remotely monitored under certain circumstances such as electromagnetic interference – shielding should be used to mitigate such risks.
Any communication that violates security policy. The opposite is called overt channel.
Covert Storage Channels
Uses shared storage such as temporary directory to allow two subjects to signal each other.
- Say people have two different layers of access but can see the same tmp directory. One person can add a 1 mb file that is a message that something is happening. Or a 0 mb file that means nothing his happening.
Covert Timing Channels
uses system clock to infer sensitive information. Ex. An insecure system prints “bad username or password” immediately when a user types a base username/bad password, but there is a small delay when a user types a good username with a bad password. This timing delay allows attackers to infer which usernames are good or bad
Shortcut in a system that allows a user to bypass security checks to login. Maintenance hooks are a type of backdoor; they are shortcuts installed by the system designers and programmers to allow developers to bypass normal system checks during development.
Malware that does not spread automatically; they require a carrier.
Macro virus – virus written in macro language that targets word processors or spreadsheets
Boot Sector Virus – virus that infects the boot sector which loads during PC startup
Stealth Virus – A virus that hides itself from the OS and other protective software, such as AV
Polymorphic Virus – A virus that changes its signature upon infection of a new system, attempting to evade signature-based AV software
Multipartite Virus – A virus that spreads via multiple vectors AKA multipart virus
A malware that self-propagates. Worms can cause damage by two ways: first by the malicious code that it carries and second by the loss of network availability due to aggressive self-propagation. Ex, Blaster, Sasser, Conficker.
A malware that performs two functions; one benign and one malicious.
A malware that replaces portions of the kernel and/or OS. A user-mode rootkit operates in ring 3 on most systems, replacing the OS components in userland. Ex. OS binaries, ls, ps, commands on Linux/Unix. Kernel mode root kit replaces the kernel or loads malicious loadable kernel modules and operate in ring 0.
Provide runtime compression of executables. Upon execution the decompressor unpacks the compressed executable machine code and runs it. Often used to evade signature-based malware detection.
Malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed, or on specific data (time bomb). Malware such as worms contain logic bombs, behaving in one manner, and then changing tactics on a specific date and time.
AV is designed to prevent and detect malware infections. Signature based AV use signatures of known malware. Heuristic based antivirus use anomaly based detection to attempt to identify behavioral characteristics of malware such as altering the boot sector.
Server Side Attacks
aka Service side attacks are launched directly from an attacker (the client) to a listening service. Conficker worm spread via a number of methods, including service side attack on TCP port 445 exploiting a weakness on RPC service. Patching, system hardening, firewalls, and other forms of defense-in-depth mitigate server side attacks.
Client side Attacks
Occur when a user downloads malicious content. Attacks are initiated from the victim who downloads content from the attacker. Client side attacks are difficult to mitigate for organizations that allow internet access. Clients include, word processors, spreadsheets, web browsers – within them, flash players, media players etc.
All client-side software must be patched, a challenge many organizations struggle with.
Runs in a sandbox which segregates code from the operating system. Interpreted by the JVM and available for many OSes
- Malicious applets may be able to compromise the security of the client.
Active X Applets
Uses digital certificates instead of sandbox to provide security. Tied more to OS allowing functionality such as installing patches via Windows updates but runs on Windows only
- Malicious applets may be able to compromise the security of the client.
The open web application security project represents one of the best application security resources. OWASP provides a number of free resources dedicated to improving organization’s application security posture. The OWASP Top 10 project provides consensus guidance on what are considered to be the ten most significant application security risk.
Service Oriented Architecture (SOA
Look this Up
Polyinstantiation allows two different objects to have the same name. In databases it means two rows may have the same primary key but different data. Databases normally require that all rows in a table contain unique primary key so a normal database would generate an error like “duplicate” entry
- The reason is so that in one db with two different security levels you wouldn't be tipped off to something by not being able to duplicate a key.
Inference and Aggregation
Inference and aggregation occur when a user is able to use lower level access to learn restricted information. Inference requires deduction: there is a mystery to be solved, and a lower level details provide the clues. Aggregation is a mathematical process: a user asks every question, receives every answer, and derives restricted information.
- Like guessing that a war will start because you see cars late at night at The Pentagon.
- Downloading an entire phone book by sequentially adding numbers to a query string, but not having access to download an entire book in one go.
Improves security by analyzing a typical use cases in the database to provide a baseline. This potentially allows an organization to proactively identify abuse from insider threats or compromised accounts.