Gary 02 - Security modules

Question 1

What are the 3 basic terms that are need to be fulfilled while designing a secure system.

Answer 1

Question 2

What is confidentaility in secure system.

Answer 2

(POUFNOŚĆ)
The confidentiality is focused on the information and making sure the **only thing as you can see who have a right to say the information conceded. **

Question 3

Wha is an integrity in secure system.

Answer 3

(SPÓJNOŚĆ)

Integrity, the data has not been distributed.

Question 4

What the accessability is about in secure system.

Answer 4

(DOSTĘPNOŚĆ)
Without access security is pointless. The secured assets has to be accesable to be used by the people who need to use them and protectes them.

Question 5

What authenticity is about? Why it is so important?

Answer 5

(AUTENTYCZNOŚĆ)
Authenticity anwsets the question is it really from who they say it is from, is it genuine, uses digital signatures.

Question 6

What is non-repudiation. Where is it used and why is it important.

Answer 6

(NIEZAPRZECZALNOŚĆ)
Non-repudiation is law focused, it is the obligations of a contract. So you cannot say you did not receive or did not send the transaction. Technology helps but it is Law based.

Question 7

What are the other 3 things that describe security system, the incentives of creating one, the environment.

Answer 7

Question 8

What is a threat.

Answer 8

the threat what it is that might happen. The thing we are securing our assets from.

Question 9

What is a vulnerability.

Answer 9

The vulnerability where we are week. The weaknesses of our system, the potential attack points we need to focus on to secure them.

Question 10

What is a controll.

Answer 10

The control is how do we handle the weakness to make sure that the threat doesn’t become a reality.

Question 11

What is a good metaphore of secure system and why.

Answer 11

Chain.

Question 12

Describe the Static Security Model.

Answer 12

Question 13

How the more advance model f security look like.

Answer 13

Question 14

What is a procedure and who has to stick/obey/follow to it?

Answer 14

The procedure is a set of rules how the access has to be granted and how the security has to be kepet, for example authenticity check by providing the valid password and username.

Question 15

What is an ethic code?

Answer 15

So you will have to follow a code of ethic that appliers to security. This applies to ethical hackers.

However the Foe does not follow these codes. Kill the guard.

Question 16

What is another layer of static security model that concerns the treasure.

Answer 16

The encryption.

Question 17

What is an Infromation Passing security model. What are the elements of that model and how are they designed.

Answer 17

Question 18

What are the sourcess of attack in case of Information-Passing security model.

Answer 18

Note that attack may come in terms of:

• Corruption of original information
• Disruption of communication
• Corruption of information in transit
• Interference with processing of information
• Nullification of action

Question 19

What are the additional layers in Information-Passing security model.

Answer 19

Question 20

What is communication about in information-passing security model.

Answer 20

Communications, moving from one area of storage to another area of storage.

Question 21

How can we maintain na access or communication in information-passing model.

Answer 21

Locking it up in some secure server, sets up secure linkage through the stage coach.

Question 22

What is Information Sharing security model about? Why is it so different from previous models?

Answer 22

This relates to “security in the marketplace”.

In a distributed environment, we need to be able to “police” entry and exit from the marketplace, but also monitor activity within the marketplace.

Question 23

What are the benefits of Security Models? For what are they designed for?

Answer 23

In general, security models -in text books - come from the realms of “formal methods”
–they are designed to help you prove that your system is secure.
–First thing you need to do is create the model, an abstraction of the real world
–General idea is to make a representation, and then test it to ensure it is secure or prove mathematically

Question 24

What is the purpose of Security Models.

Answer 24

In general, security models -in text books - come from the realms of “formal methods”
–they are designed to help you prove that your system is secure.
–First thing you need to do is create the model, an abstraction of the real world
–General idea is to make a representation, and then test it to ensure it is secure or prove mathematically

the idea is that what we want to do is we want to make a representation of i t. system , and then tests it through whatever means but probably mathematically to prove conclusively that it is secure.

Question 25

What are the steps of **analysing the Secure System**.

Answer 25

•Produce **an Abstraction** •Make **assumptions explicit (wyraźniej określaj wszystkie założenia)** •Define **clear boundaries** •Declare inviolate **rules** (that cannot be broken)

Question 26

What does **making an Abstraction** means.

Answer 26

Understand that you are **analysing an abstraction, not the real system.** You are representing **your secure system** as some kind of **abstraction** that **can be assessed in mathematicaly** to **prove that is secure** or fail to rpove that.

Question 27

Whay does it mean that you have to make your **assumptions expliciy**.

Answer 27

As you move from the real world to the model. ## Footnote There will be some assumptions that you will have to make moving from the real systems to the abstraction if you forget that you've made these assumptions then, you are liable to start say that I have tested my model rigorously and it's proved to be totally secure. As it breaks but how did it happened- you forgot the assumption.

Question 28

Why is it so difficult to **define clear boundries**?

Answer 28

**People make it messy** so this can be difficult. ## Footnote People and really systems are greyer and people make it messy. You need clear boundaries what is in the system and what is out side (mucky human).

Question 29

What is the problem of security models?

Answer 29

In practice, this means that security models work well for small “stuff”, but can't be applied to entire information systems (because they involve people, and other messy things).

Question 30

What is an **oragnge book.**

Answer 30

Actually Orange book is **not really a security model: but a set of requirements by which to assess something** Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) **standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system.** The TCSEC was used **to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information.**

Question 31

Describe **Diffie–Hellman key exchange.**

Answer 31

* Allows **two parties** that have to **jointly establish a shared secret key over an non-secure communications channel.** * This **key can then be used to encrypt subsequent communications** using a **symmetric key cipher.**

Question 32

How Diffie–Hellman key exchange works.

Answer 32

Question 33

Describe **State Machine **security model.