47 Cards in this Set

Front: What was the first mechanism developed by NCSC to evaluate IT computers, OSs, etc.?
Back: TCSEC (Trusted Computer System Evaluation Criteria)

Front: What security model is the TCSEC based upon?
Back: Bell-LaPadula

Front: Name the four levels of system classification defined in TCSEC, from highest to lowest.
Back:
A. Verified
B. Mandatory
C. Discretionary
D. Minimal security

Front: What are the 4 main criteria topics that TCSEC addresses?
Back: security policy, accountability, assurance, documentation

Front: What was the mechanism developed by European countries to evaluate IT systems?
Back: ITSEC

Front: What two attributes are evaluated by ITSEC?
Back: functionality (can perform at least one time); assurance (will perform consistently)

Front: What was designed after TCSEC and ITSEC to address the concerns of both methods?
Back: Common Criteria, developed by the ISO.

Front: What model uses Evaluation Assurance Levels for evaluating IT systems?
Back: Common Criteria. There are 7 test levels of functionality and assurance.

Front: Products successfully tested by the Trusted Products Evaluation Program are added to what list?
Back: Evaluated Products List

Front: BS 7799 later evolved into what ISO standard for measuring risk?
Back: ISO 17799, and then later ISO 27005

Front: What is the certification process developed by NIST that can be used by both government and civilian organizations?
Back: NIST SP 800-37
Front: What is certification?
Back: A comprehensive evaluation of security components and their compliance, for the purpose of accreditation

Front: What is accreditation?
Back: Formal acceptance by management of the adequacy of a system's overall security and functionality

Front: What is strategic alignment?
Back: Business drivers and the regulatory and legal requirements are being met by the security architecture

Front: What are the concerns in designing an Enterprise Security Architecture?
Back: business enablement, process enhancement, security effectiveness

Front: Who is responsible for asset inventory, discovery, monitoring, responding, and administration?
Back: Operations Management

Front: Who is responsible for configuration management, installation, and maintenance of individual products?
Back: Component Management

Front: What Rainbow Series book deals with password management guidelines?
Back: Green Book

Front: What Rainbow Series book deals with Database Management Systems?
Back: Lavender

Front: What Rainbow Series book deals with auditing?
Back: Tan

Front: What is the distinguishing characteristic of Dedicated Security Mode?
Back: All users must have a need to know and need access to all data

Front: What are the distinguishing characteristics of System High Security Mode?
Back: All users must have a need to know for some of the information

Front: What are the distinguishing characteristics of Compartmented Security Mode?
Back: Formal approval to access some of the information

Front: What are the distinguishing characteristics of Multilevel Security Mode?
Back: All users can access some data, based on their need to know, clearance, and formal access approval

Front: What is the National Information Assurance Certification and Accreditation Process (NIACAP)?
Back: Establishes the minimum national standards for certifying and accrediting national security systems
Front: What security model is based on well-formed transactions and separation of duties (SOD)?
Back: Clark-Wilson

Front: What MAC and lattice model provides confidentiality?
Back: Bell-LaPadula

Front: What MAC and lattice model provides integrity?
Back: Biba

Front: In a lattice model, "simple" refers to ___ and "*" (star) refers to ___.
Back: read; write

Front: According to the Common Criteria, what can be described as an intermediate combination of security requirement components?
Back: package

Front: TCSEC level D
Back: Minimal protection

Front: TCSEC level C
Back:
C – Discretionary Protection
C1 – Discretionary Security Protection
C2 – Controlled Access Protection

Front: TCSEC level B
Back:
B – Mandatory Protection
B1 – Labeled Security
B2 – Structured Protection
B3 – Security Domains

Front: TCSEC level A
Back:
A – Verified Protection
A1 – Verified Design

Front: Difference between Compartmented Security Mode and Multilevel Security Mode
Back: In a CSM, all users must have clearance for the highest level of the database. MSM can handle multiple information levels.
Front: What are the 2 components of an object's sensitivity label?
Back: A single classification and different categories that represent compartments of information.

Front: Give examples of security subjects.
Back: users, programs, print queues, and processes

Front: Give examples of security objects.
Back: files, directories, devices, windows, and sockets

Front: What is data hiding?
Back: Making information available at one processing level, but not at another

Front: What Orange Book level is the first to support object reuse and distinguish users by means of strict login controls?
Back: C2

Front: Give examples of C2-level systems.
Back: Windows, Novell

Front: What Orange Book level requires sensitivity labels for all subjects and storage objects?
Back: B1

Front: What Orange Book level supports hierarchical device labels, trusted path communications between user and system, and covert channel analysis?
Back: B2

Front: What Orange Book level supports trusted recovery and automated security analysis, and must address covert timing vulnerabilities?
Back: B3

Front: What Orange Book level must meet formal proof of integrity and must also be installed and delivered securely?
Back: A1

Front: What is the difference between Information Labels and Sensitivity Labels?
Back: In addition to the classification and category set, Information Labels have the necessary controls to be able to operate as a trusted computer.

Front: What are the five assurance requirements specified in the Orange Book?
Back: system architecture, system integrity, covert channel analysis, trusted facility management, and trusted recovery