Chapter 8: Principles of Security Models, Design, and Capabilities

Question 1

Subject vs Object

Answer 1

Subject makes request to access a resource (the object)

Question 2

Transitive Trust

Answer 2

Concept that if A trusts B, and B trusts C, then A inherits trust of C through the transitive property
Serious security concern, may enable bypassing of restrictions or limitations
Employee using a web proxy to access a blocked site is an example

Question 3

Closed System

Answer 3

Designed to work well with a NARROW range of other systems, generally all proprietary from same manufacturer. Potentially more secure

Question 4

Open System

Answer 4

Designed using agreed upon industry standards to easily integrate with systems from other manufacturers using the same standards or that use compatible APIs (more attractive target)

Question 5

API

Answer 5

Application Programming Interface
Defined set of instructions allowed between computing elements such as applications, services, networking, firmware and hardware.
Defines the types of requests that can be made, how they can be made, what form the data takes, authentication and encryption requirements

Question 6

Fail Securely

Answer 6

Programmer codes in mechanisms to anticipate and defend against errors in order to avoid termination of execution

Question 7

Fail Soft

Answer 7

Allowing a program to continue to operate after a component fails

Question 8

Zero Trust

Answer 8

Security concept where nothing inside organization is automatically trusted. Each request for activity or access is assumed to be from an unknown and untrusted source until otherwise verified

Question 9

Privacy by Design (PbD)

Answer 9

Guideline to integrate privacy protections into products during early design phase rather than tacking it on at the end of development

Question 10

Confinement

Answer 10

Allows a process to read from and write to only certain memory locations and resources

Question 11

Trusted Computing Base (TCB)

Answer 11

Design principle that is the combination of hardware, software, and controls that work together to form a trusted base to enforce security policy. Should be as small as possible so a detailed analysis can reasonably ensure the system meets design specifications and requirements
Separated from rest of information system by security perimeter
For TCB to communicate with the rest of the system, must create secure channels with strict standards

Question 12

Trusted Shell

Answer 12

Allows subject to perform command line operations without risk to the TCB or subject

Question 13

Reference Monitor

Answer 13

Access control enforcer for the TCB

Question 14

Security Kernel

Answer 14

Collection of components in the TCB that work together to implement reference monitor functions. Mediates all resource access requests.

Question 15

State Machine Model

Answer 15

Describes a system that is always secure no matter what state is is in. All state transitions must be evaluated

Question 16

Information Flow Model

Answer 16

Focuses on controlling the flow of information- both direction of flow and type of flow. Only allows authorized information flows

Question 17

Non-interference Model

Answer 17

Actions of a higher security level subject (A) should not interfere with the actions of a lower level user (B) or even be noticed by them. This is to prevent B from being able to deduce information about higher level classification

Question 18

Composition Theories

Answer 18

Explain how outputs from one system relate to inputs to another system

Question 19

Cascading Composition

Answer 19

Input for one system comes from output of another system

Question 20

Feedback Composition

Answer 20

One system provides input to another, which reciprocates by reversing those roles

Question 21

Hookup Composition

Answer 21

One system sends input to another system but also sends input to external entities

Question 22

Take-Grant Model

Answer 22

Employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object, via take and grant rights

Question 23

Access Control Matrix

Answer 23

Table of subjects and objects that indicates the actions or functions that each subject can perform on each object
Administrative nightmare- managing each user individually

Question 24

Bell-LaPadula Model

Answer 24

Developed by DoD, states subject with any level of clearance can access resources at or below its clearance level. Within these levels access to compartmentalized objects is granted only on a need to know basis. Has three basic properties.

Question 25

Simple Security Property

Answer 25

Property of Bell-LaPadula Model. Subject may not read information at a higher sensitivity level (no read up)

Question 26

• (Star) Security Property

Answer 26

Property of Bell-LaPadula Model. Subject may not write information to an object at a lower sensitivity level (no write down- prevent disclosure)

Question 27

Discretionary Security Property

Answer 27

Property of Bell-LaPadula Model. States that the system uses an access control matrix to enforce discretionary access control

Question 28

Biba Model

Answer 28

Designed after Bell-LaPadula but focuses on integrity. It is an inverse of Bell-LaPadula: no read down, no write up.

Question 29

Clark-Wilson Model

Answer 29

Uses an access control triplet, where subjects can only access objects via limited or controlled intermediary program, interface, or access portal

Question 30

Brewer and Nash Model

Answer 30

Separates security domains to prevent conflict of interest

Question 31

Goguen-Meseguer Model

Answer 31

Focuses on integrity- subjects allowed only to perform predetermined actions against predetermined objects

Question 32

Sutherland Model

Answer 32

Focuses on integrity. Uses predetermined secure states to prevent interference

Question 33

Graham-Denning Model

Answer 33

Focuses on the secure creation and deletion of both subjects and objects

Question 34

Harrison-Ruzzo-Ullman Model (HRU)

Answer 34

Focuses on the assignment of object access rights to subjects as well as the integrity/resilience of those rights

Question 35

Common Criteria (CC)

Answer 35

Defines various levels of testing and confirmation of system’s security capabilities. Number of the level indicates what kind of testing has been performed
International standard for evaluation of IT products
Based on two key elements, and provides Evaluation Assurance Levels (EALs)

Question 36

Protection Profiles (PP)

Answer 36

Key element of Common Criteria. Specify the security requirements and protections, which are considered the customer’s “security desires”

Question 37

Security Targets (STs)

Answer 37

Key element of Common Criteria. The vendor’s implemented security measures

Question 38

Evaluation Assurance Levels (EALs)

Answer 38

Evaluation Assurance Levels. Provided by Common Criteria. 7 levels, with EAL1 being lowest and EAL7 being highest.

Question 39

Authorization to Operate (ATO)

Answer 39

Official authorization to use a specific collection of secured IT/IS systems to perform business tasks and accept the identified risk
Typically issued for 5 years, but must be reobtained in event of a beach or a significant security change

Question 40

Memory Protection

Answer 40

Used to prevent an active process from interacting with an area of memory that was not specifically assigned or allocated to it

Question 41

HSM

Answer 41

Hardware Security Module
Cryptoprocessor that can manage and store digital encryption keys, accelerate crypto operations, support faster digital signatures, and improve authentication
Can be a chip on a motherboard, external peripheral, network attached device, etc
Include tamper protection to prevent misuse even if attacker gains physical access