78 Cards in this Set

  • Front
  • Back

Complexity is the enemy of security.

(reminder)
Allows multiple virtual operating system guests to run on one host.
Hypervisor
Volatile hardware memory that loses integrity after loss of power.
Random Access Memory (RAM)
Mediates all access between subjects and objects.
Reference Monitor
Nonvolatile memory that maintains integrity after loss of power.
Read Only Memory (ROM)
Created by the DoD. The first significant attempt to define differing levels of security and access control implementation within an IT system. It looks at stand-alone operating systems, not networking issues. This publication inspired the Rainbow Series, a series of NCSC publications detailing specific security standards for various computer and communications systems.
Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book.
Brings TCSEC concepts to network systems; designed to address network components and products. Written as a follow-up to the Orange Book, which focused on stand-alone operating systems and not on networking issues.
Trusted Network Interpretation (TNI), a.k.a. the Red Book, from the color of its cover.
The security-relevant portions of a computer system. Orange book. The mechanisms can be hardware, software, and firmware.
Trusted Computing Base (TCB)
An interface between computer hardware and the operating system, allowing multiple guest operating systems to run on one host computer.
Virtualization
Separates hardware and software functionality into modular tiers.
Layering
Hides unnecessary details from the user.
Abstraction
List of objects a subject is allowed to access.
Security domain
Form of CPU hardware layering that separates and protects domains (such as kernel mode and user mode) from each other.
Ring model
Uses open hardware and standards, using standard components from a variety of vendors.
Open system
Uses proprietary hardware or software.
Closed system
Also called the Memory Controller Hub (MCH); connects the CPU to RAM and video memory. It is directly connected to the CPU and is faster than the southbridge.
The northbridge
Called the I/O Controller Hub (ICH), connects input/output (I/O) devices, such as disk, keyboard, mouse, CD drive, USB ports, etc.
The southbridge
Performs mathematical calculations—it computes. It is fed instructions by the control unit
Arithmetic logic unit (ALU)
Sends instructions to the ALU. Traffic cop.
Control unit
Fetch and Execute (also called Fetch, Decode, Execute): the four steps the CPU performs for each instruction. In the simple model used here, these four steps take one clock cycle to complete; pipelining (below) overlaps them across instructions.
1. Fetch instruction 1
2. Decode instruction 1
3. Execute instruction 1
4. Write (save) result 1
Combines multiple steps into one combined process, allowing simultaneous fetch, decode, execute, and write steps for different instructions.
Pipelining
Two types of multiprocessing:
Symmetric multiprocessing (SMP) and
Asymmetric multiprocessing (AMP)
Have one operating system to manage all CPUs.
Symmetric multiprocessing (SMP)
Have one operating system image per CPU, essentially acting as independent systems.
Asymmetric multiprocessing (AMP)
Designed to recover a system by rebooting after critical processes hang or crash.
Watchdog timer
Logical control that attempts to prevent one process from interfering with another.
Process isolation
Exam Warning
Virtual memory allows swapping, but virtual memory has other capabilities. In other words, virtual memory does not equal swapping.
Exam Note
Swapping and paging are often used interchangeably, but there is a slight difference. Paging copies a block of memory to or from disk, while swapping copies an entire process to or from disk. This book uses the term "swapping."
Exam Note
Firmware is chip based, unlike magnetic disks. The term "flash drive" may lead some to think that flash memory drives are disk drives. They are physically quite different and have different remanence properties. A simple magnetic field will not erase flash memory. Secure destruction methods used for magnetic drives, such as degaussing (discussed in Chapter 8, Domain 7: Operations Security), may not work with flash drives.
Heart of the operating system, which usually runs in ring 0. It provides the interface between hardware and the rest of the operating system, including applications.
The kernel; two basic designs: monolithic and microkernel
Compiled into one static executable, and the entire kernel runs in supervisor mode. All functionality required must be precompiled in.
Monolithic kernel
Modular kernel; usually smaller and has less native functionality than a typical monolithic kernel, but can add functionality via loadable kernel modules. May also run kernel modules in user mode (usually ring 3) instead of supervisor mode.
Microkernel
Unix/Linux files that store account information and password hashes (often loosely called "encrypted passwords"), respectively. The password field in the world-readable password file is normally just "x", with the real hash kept in the root-readable shadow file.
Password file (/etc/passwd) and shadow file (/etc/shadow)
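The point behind the two files is where the hash lives and how strong it is. The following audit script is an added example, not part of the flashcard set; the /etc/passwd and /etc/shadow lines it inspects are constructed for the demo, while the field layout and the crypt(3) "$id$" hash-scheme prefixes are the real ones. It flags hashes kept in the world-readable passwd file, empty password fields, and obsolete schemes (DES crypt, md5crypt).

```python
"""Audit password storage in Unix account files.

Added example, not part of the flashcard set. The /etc/passwd and /etc/shadow
lines below are constructed for the demo; the field layout and the crypt(3)
"$id$" hash prefixes are real.
"""
import re

# Constructed /etc/passwd lines. Field 2 should be "x" (hash lives in /etc/shadow);
# "legacy" keeps its hash in the world-readable passwd file, which is a finding.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy:$1$abc12345$0123456789abcdefghijkl:1001:1001::/home/legacy:/bin/sh
svc:x:1002:1002::/var/svc:/usr/sbin/nologin
"""

# Constructed /etc/shadow lines: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$K9fE2ZpQ1mX7cV3nB8rT4yU6iO0pA5sD2fG7hJ9kL1zX3cV5bN8mQ2wE4rT6yU8iO0pA2sD4fG6hJ8kL0zX1:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
old:$1$saltsalt$Wv0xA5fQO1TNexE5HImMd.:19000:0:99999:7:::
"""

# crypt(3) scheme identifiers found between the first two "$" of a modern hash.
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
WEAK_SCHEMES = {"md5crypt", "descrypt"}


def classify_hash(field):
    """Classify one password field. Returns (scheme, issue); issue is None when fine."""
    if field == "":
        return "none", "empty password field: may allow login with no password"
    if field[0] in "!*":
        return "locked", None            # no hash can ever match: account locked
    if field == "x":
        return "x", None                 # placeholder: real hash is in /etc/shadow
    m = re.match(r"^\$([^$]+)\$", field)
    if not m:
        return "descrypt", "traditional DES crypt (13 chars): trivially brute-forced"
    scheme = HASH_IDS.get(m.group(1), "unknown")
    if scheme in WEAK_SCHEMES:
        return scheme, f"{scheme} is obsolete; migrate to sha512crypt, yescrypt or bcrypt"
    return scheme, None


def audit(passwd_text, shadow_text):
    """Return (account, file, issue) findings for the two files."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, pwfield = line.split(":")[:2]
        if pwfield != "x":
            # Anything but "x" here is readable by every local user.
            findings.append((name, "passwd", "password hash stored in world-readable /etc/passwd"))
            issue = classify_hash(pwfield)[1]
            if issue:
                findings.append((name, "passwd", issue))
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, pwfield = line.split(":")[:2]
        issue = classify_hash(pwfield)[1]
        if issue:
            findings.append((name, "shadow", issue))
    return findings


if __name__ == "__main__":
    for account, source, issue in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{source}:{account}: {issue}")
```

On a real host, run it as root with the contents of the two files; the only accounts that should appear are the ones you already know about.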
Two basic virtualization types:
transparent virtualization (sometimes called full virtualization) and
paravirtualization.
Runs stock operating systems, such as Windows 7 or Ubuntu Linux 9.10, as virtual guests. No changes to the guest OS are required.
Transparent virtualization
Runs specially modified operating systems, with modified kernel system calls. Can be more efficient, but requires changing the guest operating systems. This may not be possible for closed operating systems such as the Microsoft Windows family.
Paravirtualization
Controls access between virtual guests and host hardware.
hypervisor;
Part of an operating system that runs directly on host hardware (also called bare metal); e.g. VMware ESX.
Type 1 hypervisor
Runs as an application on a normal operating system, such as Windows 7; e.g. VMware Workstation.
Type 2 hypervisor
Three commonly available levels of service provided by cloud providers: In all three cases, the cloud provider manages hardware
- Infrastructure as a service (IaaS)
- Platform as a service (PaaS)
- Software as a service (SaaS)
Provides an entire virtualized operating system, which the customer configures from the OS on up. (e.g.Linux server hosting)
Infrastructure as a service (IaaS)
Provides a preconfigured operating system, and the customer configures the applications. (e.g. Web service hosting)
Platform as a service (PaaS)
Completely configured, from the operating system to applications, and the customer simply uses the application. (e.g. Web Mail)
Software as a service (SaaS)
Any communication that violates security policy (e.g. the communication channel used by malware installed on a system that locates personally identifiable information (PII) such as credit card information and sends it to a malicious server).
Covert channel
Two specific types of covert channels:
Storage channels and timing channels
Uses shared storage, such as a temporary directory, to allow two subjects to signal each other.
A storage channel
Relies on the system clock to infer sensitive information.
A covert timing channel
Also called a race condition: the attacker alters a condition after the operating system has checked it but before it is used. A state attack, capitalizing on a change in operating system state between the check and the use.
Time of check, time of use (TOCTOU)
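The classic filesystem form of this race, as an added example that is not part of the flashcard set. It assumes a POSIX filesystem (O_NOFOLLOW, O_DIRECTORY and the dir_fd argument to os.open); the attacker is simulated by a callback that runs in the window between the check and the use, which is exactly the window a real attacker races for. The vulnerable reader checks a path name and then opens the same name again; the hardened reader opens first, relative to a directory descriptor and refusing symlinks, and validates the descriptor it actually uses.

```python
"""TOCTOU race on a file path, and the fix: check the object you use.

Added example, not part of the flashcard set. Assumes a POSIX filesystem
(O_NOFOLLOW, O_DIRECTORY, dir_fd). The attacker is simulated by a callback
that runs in the window between the check and the use, which is exactly the
window a real attacker races for.
"""
import os
import stat
import tempfile


def vulnerable_read(path, allowed_dir, between=lambda: None):
    """Checks a *name*, then opens the *name* again. Between the two, the name
    can be re-bound (e.g. replaced by a symlink), so the check proves nothing
    about what is finally opened."""
    allowed = os.path.join(os.path.realpath(allowed_dir), "")
    if not os.path.realpath(path).startswith(allowed):
        raise PermissionError("outside allowed directory")
    between()                                  # the race window
    with open(path) as f:                      # open() follows symlinks
        return f.read()


def hardened_read(name, allowed_dir, between=lambda: None):
    """Opens first, relative to a directory descriptor and refusing symlinks,
    then validates the open descriptor with fstat. Check and use now refer to
    the same object, so there is no window to exploit."""
    if os.sep in name or name in ("", ".", ".."):
        raise PermissionError("a bare file name is required")
    between()                                  # attacker may act here; it no longer matters
    dfd = os.open(allowed_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
        except OSError as e:
            raise PermissionError(f"refused: {e.strerror}") from e
        with os.fdopen(fd) as f:               # fdopen now owns fd
            if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
                raise PermissionError("refused: not a regular file")
            return f.read()
    finally:
        os.close(dfd)


def demo():
    """Run the same symlink-swap attack against both readers."""
    with tempfile.TemporaryDirectory() as root:
        allowed = os.path.join(root, "public")
        os.mkdir(allowed)
        victim = os.path.join(allowed, "report.txt")
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as f:
            f.write("TOP SECRET")

        def reset():
            if os.path.lexists(victim):
                os.remove(victim)
            with open(victim, "w") as f:
                f.write("public data")

        def swap():
            # Attacker wins the race: the checked name now points outside the sandbox.
            os.remove(victim)
            os.symlink(secret, victim)

        results = {}
        reset()
        results["hardened_no_attack"] = hardened_read("report.txt", allowed)
        reset()
        results["vulnerable"] = vulnerable_read(victim, allowed, between=swap)
        reset()
        try:
            results["hardened"] = hardened_read("report.txt", allowed, between=swap)
        except PermissionError as e:
            results["hardened"] = str(e)
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The general rule the hardened version follows is to perform the check on the handle (fstat on an open descriptor, openat relative to a trusted directory) rather than on a path name, since only the handle is guaranteed to still refer to the same object at the time of use.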
Attempts to reduce application architecture down to a functional unit of a service.
Service-Oriented Architecture (SOA)
Exam Note
Do not confuse Service-Oriented Architecture (SOA) with SOAP. They are related, but different concepts:
SOA may use SOAP for connectivity.
Used to control database inference
Polyinstantiation.
Mandatory Access Control model: (no read up (NRU); no write down (NWD), Confidentiality (aka Disclosure)
Bell–LaPadula
Bell–LaPadula operates by observing two rules:
1) Simple Security Property and
2) * Security Property (Star Security Property)
States that there is no read up; that is, a subject at a specific classification level cannot read an object at a higher classification level (e.g. subjects with a secret clearance cannot access top secret objects).
The Simple Security Property
States that there is no write down; that is, a subject at a higher classification level cannot write to a lower classification level (e.g. subjects who are logged into a top secret system cannot send emails to a secret system).
The * Security Property (Star Security Property)
Within the Bell–LaPadula access control model, there are two properties which dictate how the system will issue security labels for objects:
1) Strong Tranquility Property: security labels will not change while the system is operating.
2) Weak Tranquility Property: security labels will not change in a way that conflicts with defined security properties.
Allows security controls for complex environments. For every relationship between a subject and an object, there are defined upper and lower access limits implemented by the system.
Lattice-based access control
Mandatory Access Control; Opposite of Bell-LaPadula; (no read down (NRD); no write up (NWU); Focus on Integrity (aka Alteration)
Biba
The Biba model has two primary rules:
1) Simple Integrity Axiom
2) * Integrity Axiom (Star Integrity Axiom)
"No read down": a subject at a specific integrity level cannot read data at a lower integrity level. This protects integrity by preventing bad (low-integrity) information from moving up from lower integrity levels.
Simple Integrity Axiom
"No write up": a subject at a specific integrity level cannot write to data at a higher integrity level. This prevents subjects from passing information up to a higher integrity level than they are trusted to change, so low-integrity data cannot contaminate higher-integrity data.
* Integrity Axiom (Star Integrity Axiom)
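The Bell–LaPadula rules, the lattice of labels they are evaluated over, and the Biba rules as their dual, in one added example that is not part of the flashcard set. A label is a (level, compartments) pair; label A dominates B when A's level is at least B's and A's compartments include all of B's, which is the lattice order the cards above describe. The level and compartment names are illustrative, and the `join` function (least upper bound) shows the lattice property the cards only state in words.

```python
"""Bell-LaPadula and Biba decisions over a security lattice.

Added example, not part of the flashcard set. A label is (level, compartments);
label A dominates B when A's level is at least B's and A's compartments include
all of B's. Level and compartment names are illustrative.
"""
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    def __init__(self, level, compartments=()):
        self.level = LEVELS[level] if isinstance(level, str) else level
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """Lattice order: self is at or above other."""
        return (self.level >= other.level
                and self.compartments >= other.compartments)

    def __repr__(self):
        name = {v: k for k, v in LEVELS.items()}[self.level]
        return f"{name}{sorted(self.compartments)}"


def join(a, b):
    """Least upper bound: the lowest label that dominates both. Under BLP an
    object derived from two inputs must carry at least this label."""
    return Label(max(a.level, b.level), a.compartments | b.compartments)


def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality): read needs subject >= object (no read
    up); write needs object >= subject (no write down)."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject, obj, op):
    """Biba (integrity) is the dual: read needs object >= subject (no read
    down); write needs subject >= object (no write up)."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


def decision_table(subject, objects):
    """(object, blp_read, blp_write, biba_read, biba_write) for each object."""
    return [(o, blp_allows(subject, o, "read"), blp_allows(subject, o, "write"),
             biba_allows(subject, o, "read"), biba_allows(subject, o, "write"))
            for o in objects]


if __name__ == "__main__":
    subject = Label("secret", {"crypto"})
    objects = [Label("top secret", {"crypto"}),       # strictly above the subject
               Label("confidential"),                 # strictly below
               Label("secret", {"nuclear"})]          # incomparable: neither dominates
    for row in decision_table(subject, objects):
        print("object=%-28r BLP r/w=%s/%s  Biba r/w=%s/%s" % row)
```

The incomparable case (same level, different compartments) is the one worth remembering: neither label dominates the other, so both models deny both operations, which is why a lattice rather than a simple ordered list of levels is needed.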
Real-world integrity model that protects integrity by requiring subjects (e.g.users) to access objects (e.g. database) via programs. Because the programs have specific limitations to what they can and cannot do to objects, effectively limits the capabilities of the subject. Uses two primary concepts to ensure that security policy is enforced; well-formed transactions and separation of duties.
Clark–Wilson
Clark–Wilson process comprised of the "access control triple":
1) User
2) Transformation procedure (TP)
3) Constrained data item (CDI)
A well-formed transaction
Transformation Procedure (TP)
Data that requires integrity.
Constrained data item (CDI)
Exam Warning !
Clark–Wilson requires that users are authorized to access and modify data. It also requires that data is
modified in only authorized ways.
Exam Warning !
Clark–Wilson enforces the concept of separation of duties and transformation procedures within the system.
Designed to avoid conflicts of interest by prohibiting one person, such as a consultant, from accessing multiple conflict of interest categories (CoIs).
Brewer–Nash / Chinese Wall model
Ensures that data at different security domains remain separate from one another.
Noninterference model
Contains rules that govern the interactions between subjects (user) and objects (file), and permissions subjects can grant to other subjects. Very complex.
Take–grant protection model
A table defining what access permissions exist between specific subjects and objects.
An access control matrix
In an access control matrix, each row (one subject and everything it may access) is called a:
Capability list (each column, one object and every subject that may access it, is an access control list, ACL).
Provides six frameworks for providing information security, asking who, what, when, where, how and why, and mapping those questions across roles, including planner, owner, designer, builder, programmer, and user.
The Zachman Framework for Enterprise Architecture
The divisions of TCSEC (Trusted Computer System Evaluation Criteria, aka Orange Book) include four levels:
- D: Minimal Protection. This division describes TCSEC-evaluated systems that do not meet the requirements of higher divisions (C through A).
- C: Discretionary Protection. "Discretionary" means Discretionary Access Control systems (DAC).
- B: Mandatory Protection. "Mandatory" means Mandatory Access Control systems (MAC).
- A: Verified Protection. This includes all requirements of B, plus additional controls
Refers to TCSEC Orange Book levels, separating functionality (F: how well a system works) from assurance (the ability to evaluate the security of a system). There are two types of assurance: effectiveness (Q) and correctness (E).
European Information Technology Security Evaluation Criteria (ITSEC)
Internationally agreed upon standard for describing and testing the security of IT products.

Use specific terms when defining specific portions of the testing process:
- Target of Evaluation (TOE): the system or product which is being evaluated
- Security Target (ST): the documentation describing the TOE, including security requirements and operational environment
- Protection Profile (PP): an independent set of security requirements and objectives for a specific category of products or systems, such as firewalls and intrusion detection systems
- Evaluation Assurance Level (EAL): the evaluation score of the tested product or system
Common Criteria
Means a system has been certified to meet the security requirements of the data owner. Considers the system, the security measures taken to protect the system, and the residual risk represented by the system.
Certification
Data owner's acceptance of the certification, and of the residual risk, required before the system is put
into production.
Accreditation