51 Cards in this Set

  • Front
  • Back
Describe a level C1 System
Separation of users and data
Discretionary Access Control (DAC)
Describe a level C2 System
* More finely grained DAC
* Individual accountability through login procedures
* Audit trails
* Resource isolation
Describe a level B1 System
B1 — Labeled Security Protection

* Informal statement of the security policy model
* Data sensitivity labels
* Mandatory Access Control (MAC) over select subjects and objects
* Label exportation capabilities
* All discovered flaws must be removed or otherwise mitigated
Describe a level B2 System
B2 — Structured Protection

* Security policy model clearly defined and formally documented
* DAC and MAC enforcement extended to all subjects and objects
* Covert storage channels are analyzed for occurrence and bandwidth
* Carefully structured into protection-critical and non-protection-critical elements
* Design and implementation enable more comprehensive testing and review
* Authentication mechanisms are strengthened
* Trusted facility management is provided with administrator and operator segregation
* Strict configuration management controls are imposed
Describe a level B3 System
B3 — Security Domains

* Satisfies reference monitor requirements
* Structured to exclude code not essential to security policy enforcement
* Significant system engineering directed toward minimizing complexity
* A security administrator is supported
* Audit security-relevant events
* Automated imminent intrusion detection, notification, and response
* Trusted system recovery procedures
* Covert timing channels are analyzed for occurrence and bandwidth
* An example of such a system is the XTS-300, a precursor to the XTS-400
Describe a level A1 System
A1 — Verified Design

* Functionally identical to B3
* Formal design and verification techniques including a formal top-level specification
* Formal management and distribution procedures
* An example of such a system is SCOMP, a precursor to the XTS-400
What is ITSEC E0?
Inadequate Assurance
What is ITSEC E1?
Requires a security target and informal architecture,
What is ITSEC E2?
Test documentation must be created, formal security architecture, penetration testing, audit trail is required for start up and finish
What is ITSEC E3?
Requires source code and hardware drawings,
What is ITSEC E4?
Formal Model of security,
What is ITSEC E5?
Independent configuration management
What is ITSEC E6?
All tools subject to configuration management
What is multiprocessing?
A processor that executes two or more programs at the same time on multiple processors
What is multi-programming?
Executes two or more programs simultaneously on a single processor
What is multi-tasking?
Executes two or more sub-programs simultaneously on a single processor
What is a Trusted Computing Base?
The total combination of protection mechanisms within a computer system, which includes hardware, software and firmware, that are trusted to enforce the security policy
What is a security perimeter?
The boundary that separates the TCB from the rest of the system
What is a trusted computer system?
One that employs the necessary hardware and software assurance measures to enable its use in processing multiple levels of classification
What is a reference monitor?
A system component that enforces access controls on an object
What is the reference monitor concept?
An abstract machine that mediates all access of subjects to objects
What is a TOC/TOU attack?
An attack that exploits the difference in the time that security controls were applied and the time an authorized service was used.
What is a fault-tolerant system?
When a computer or network detects a fault but continues to operate
What is a failsafe system?
Program execution is terminated and the system is protected from being compromised when a hardware or software failure is detected
What is a fail soft system?
Select non-critical processing is terminated when a hardware or software failure is detected
In ITSEC, an F-C1, E1 system is equivalent to what in TCSEC?
C1
In ITSEC, an F-C2, E2 system is equivalent to what in TCSEC?
C2
In ITSEC, an F-B1, E3 system is equivalent to what in TCSEC?
B1
In ITSEC, what is an F, E3 system equivalent to in TCSEC?
B1
In ITSEC, what is an F, E4 system equivalent to in TCSEC?
B2
In ITSEC, what is an F, E5 system equivalent to in TCSEC?
B3
In ITSEC, what is an F, E6 system equivalent to in TCSEC?
A1
What are the columns in an access matrix?
ACLs
In an access control matrix what are the rows (tuples)?
capabilities list
In Bell-LaPadula model what is the Simple security property?
No read up
In Bell-LaPadula what is the * property?
No write down
In the Bell-LaPadula model what is the Strong * property?
No reading or writing is permitted at higher or lower confidentiality level
In the Biba model what is the Simple Integrity Axiom?
No read-down
In Biba model what is the * Integrity Axiom?
No write up
What three things does Clark-Wilson model define?
Constrained Data Item, Transformation Procedures, Unconstrained Data Items
In operations security, what constitutes a triple?
threat, vulnerability, asset
What operational assurance requirements are specified in the Orange book?
system architecture, system integrity, covert channel analysis, trusted facility management, trusted recovery
What life cycle assurance requirements are specified in the Orange book?
security testing, design and specification testing, configuration management, trusted distribution
What is a covert timing channel?
a covert channel in which one process signals information to another by modulating its own use of system resources
What is the minimum TCSEC level that requires protection against covert storage channels?
B2
At what TCSEC level is it required to protect against covert timing channels?
B3
At what level is it required to support separate operator and administrator functions?
B2
At what level is it required to clearly identify the functions of the security administrator to perform security-related functions?
B3
What assurance levels require trusted recovery?
B3 & A1
What assurance level requires that configuration management be enforced during development and maintenance of the system?
B2 & B3
What assurance level requires that configuration management be enforced during the entire life cycle?
A1