CASP Chapter 4
A standard operating system is a standard build of a host system, used throughout the organization. The advantages are:
- Reduction in total cost of ownership (TCO)
- Consistent configuration (a known baseline, so deviations are easier to detect and patching is predictable)
There are two different classes of clearances (sensitivity labels):
1. Government: unclassified, secret, and top secret (the US scheme also places confidential between unclassified and secret)
2. Private sector (commercial): public, private, and restricted
What are the 4 categories of TCSEC?
A: Verified protection
B: Mandatory protection
C: Discretionary protection
D: Minimal protection
___ are a basic example of data flow enforcement
ACLs
___-based technology is heavily used within organizations that use SCADA systems.
Agent (in practice, embedded SCADA controllers often cannot host an agent, so agentless, passive monitoring is also common on the control network itself)
ITSEC ___ classes rate the effectiveness and correctness of a system.
Assurance (E) classes, E0 through E6
___ security model uses mandatory access control to enforce the Department of Defense (DoD) multilevel security policy
Bell-LaPadula
Viruses can use different techniques to infect and replicate. The following techniques are common: Reside in the boot sector of the computer
Boot Record Infectors
___ model is an example of capability-based security.
Clark-Wilson
___model differs from Bell-LaPadula and Biba in that it was intended for use with commercial activities.
Clark-Wilson
TCSEC (Orange Book) categories: C:
Discretionary Protection A C-rated system provides discretionary protection of the TCB.
- Gives users the capability to access organizational files and directories, based on the decision of the owner of the file or directory.
- Commonly implemented with access control lists and the Unix permission bits (owner/group/other).
Discretionary access control (DAC)
Least functionality (NIST SP 800-53 control CM-7) is selected by control baseline, which follows the ___ impact categorization.
FIPS 199
Common Criteria Levels of assurance: EAL 1:
Functionality tested
Common Criteria Levels of assurance: EAL 0:
Inadequate assurance
TCSEC (Orange Book) categories: D:
Minimal Protection. A D-rated system fails to meet the requirements of A, B, or C; it has essentially no security controls.
___ can help with quarantine/remediation of suspect network traffic. They are typically placed at the edge of the network, between the demilitarized zone and the external/internal networks, and help separate critical assets.
Next-generation firewalls (NGFWs)
___ often perform compliance checks along with authentication before allowing systems to have network access. They can run continuously, which suits organizations setting up security for bring your own device (BYOD) policies.
Persistent agents
Some viruses load themselves into memory from an infected file and stay active in RAM, intercepting system activity, rather than acting only while the host file executes. These viruses are known as ___
RAM-resident viruses
Common Criteria Levels of assurance: EAL 5:
Semi-formally designed and tested
Many times, Trojans are used to access and control a host computer remotely. These programs are also known as ___
remote access Trojans (RATs)
A ___ is a profile that dictates what programs, menus, applications, commands, or functions are available within an environment.
restricted interface
Security options in Group Policy: ___ policies contain a password policy, account lockout policy, and Kerberos policy.
Account
Spam filters can use several techniques to detect and filter spam:
- Blacklists: is the email from a known spammer (sender or relay on a block list)?
- Fingerprint: does a hash of the normalized message match a known spam sample?
- Rules/scoring: does the email accumulate a score high enough that it is probably spam?
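The three techniques above combined into one toy filter, as an added example that is not from the original page. The blacklist, the known-spam corpus, the rule weights and the threshold are all constructed for illustration; a real filter would learn them from far larger corpora.

```python
"""Toy spam filter combining blacklist, fingerprint and rule scoring.

Added example; all data below is constructed, not taken from any real filter.
"""
import hashlib
import re

# Constructed blacklist of known-spammer sender domains (assumption).
BLACKLIST = {"cheap-meds.example", "win-prizes.example"}

# Constructed "known spam" corpus from which fingerprints are derived.
KNOWN_SPAM_BODIES = [
    "CLICK HERE to claim your FREE prize now!!!",
]

# Scoring rules: (regex, weight). Weights and threshold are assumptions.
RULES = [
    (re.compile(r"\bfree\b", re.I), 2.0),
    (re.compile(r"click here", re.I), 2.0),
    (re.compile(r"!{2,}"), 1.5),
    (re.compile(r"\$\d{3,}"), 1.5),
    (re.compile(r"[A-Z]{5,}"), 1.0),  # shouting
]
SPAM_THRESHOLD = 4.0


def normalize(body: str) -> str:
    """Canonicalize text so trivial edits (case, punctuation, spacing)
    do not defeat the fingerprint."""
    return re.sub(r"\W+", " ", body).strip().lower()


def fingerprint(body: str) -> str:
    return hashlib.sha256(normalize(body).encode()).hexdigest()


KNOWN_SPAM_FINGERPRINTS = {fingerprint(b) for b in KNOWN_SPAM_BODIES}


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def classify(sender: str, body: str) -> dict:
    """Return the verdict, the rule score, and which technique(s) fired."""
    reasons = []
    if sender_domain(sender) in BLACKLIST:
        reasons.append("blacklist")
    if fingerprint(body) in KNOWN_SPAM_FINGERPRINTS:
        reasons.append("fingerprint")
    score = sum(w for rx, w in RULES if rx.search(body))
    if score >= SPAM_THRESHOLD:
        reasons.append(f"rules(score={score:.1f})")
    return {"spam": bool(reasons), "score": score, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample messages.
    print(classify("offers@cheap-meds.example", "hi"))
    print(classify("bob@corp.example", "Click HERE to claim your free prize now!"))
    print(classify("alice@corp.example", "Meeting moved to 3pm, see agenda attached."))
```

The fingerprint step only catches near-verbatim copies of known spam, which is why it is paired with scoring: the second sample message is a lightly edited copy that the normalizer still maps onto the stored fingerprint, and it also crosses the rule threshold.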
___ model design was promoted as a means to prevent conflict-of-interest problems.
Brewer and Nash
___ model has the nickname of "the Chinese Wall" model
Brewer and Nash
Trusted OS: ___ examined different areas of the trusted OS, including physical and logical controls, startup and recovery, reference mediation, and privileged states.
Common Criteria
____ allow the spyware distributor to hide the contents of one file behind another (the hidden data rides as a named NTFS stream attached to the visible file).
DNS redirection and the use of alternate data streams (ADSs)
This is most often associated with database attacks. It is possible when the attacker has access to the system and can make small incremental changes to data or files that individually escape notice.
Data Diddling
two primary incremental attacks:
Data Diddling Salami Attack
Botnets often use free dynamic DNS services, such as ___, so that command-and-control hostnames can follow a changing IP address.
DynDNS
Viruses can use different techniques to infect and replicate. The following techniques are common: Target Microsoft Office programs such as Word documents and Excel spreadsheets
Macro Viruses
This method works with the TPM and the secure boot process to determine whether an OS is allowed to load and what portions can execute. Each boot component is hashed and the hash is extended into TPM Platform Configuration Registers (PCRs), so the recorded values can later be attested.
Measured Launch
Common Criteria Levels of assurance: EAL 3:
Methodically checked and tested
Common Criteria Levels of assurance: EAL 4:
Methodically designed, tested, and reviewed
Viruses can use different techniques to infect and replicate. The following techniques are common: Target both boot records and programs
Multipartite Infectors
___ is the concept of employing a dedicated management channel, separate from the network channel or cabling used by servers.
Out-of-band management
Examples of trusted OSs include
- SELinux: brings MAC to the Linux kernel
- SEAndroid: brings MAC to the Android kernel
- Trusted Solaris: brings MAC as well as read-only protection for host or guest environments that Solaris dubs "immutable zones"
Involves making small changes to financial accounts or records.
Salami Attack
A UEFI firmware feature, developed by members of the PC industry, that allows the PC to boot only software signed by a key the device manufacturer trusts.
Secure Boot
Common Criteria Levels of assurance: EAL 2:
Structurally tested
What are some of the trusted operating systems testing standards?
- Trusted Computer System Evaluation Criteria (TCSEC)
- Information Technology Security Evaluation Criteria (ITSEC)
- Common Criteria
Approaches used to build security zones: this approach focuses on common vectors used to launch an attack. Examples include disabling autorun on USB thumb drives, disabling USB ports, and removing CD/DVD burners.
Vector-Oriented
Approaches used to build security zones:
- Vector-Oriented
- Information-Centric
- Protected Enclaves
A ___ is used with databases to generate process templates.
data interface
Techniques such as ___ provide the botnet with the ability to hide their servers behind ever-changing proxies, making it difficult to locate the bot herder.
fast-flux DNS
The concept of ____ means to proactively search for and identify security threats and problems in the environment that have not yet been detected by existing controls.
hunt teaming (threat hunting)
___ technology depends on a central authority that is connected to the network and reaches systems remotely, with nothing installed on the endpoint. An organization that depends heavily on vulnerability assessment and patch management would benefit from this.
Agentless
___ model dictates that separation of duties must be enforced, that subjects may access data only through a well-formed transaction (an application), and that auditing is required. Data cannot be tampered with while being changed, and the integrity of the data must remain consistent.
Clark-Wilson
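The Clark-Wilson rules above, as an added example that is not part of the original page: a minimal enforcement kernel in which users never touch constrained data items (CDIs) directly, invoke only the transformation procedures (TPs) permitted by access triples, have every call audited, and have an integrity verification procedure (IVP) run after each TP. The ledger, the users, the triples and the invariant are constructed for illustration.

```python
"""Minimal Clark-Wilson enforcement: access triples, TPs, IVP and audit log.

Added example; the ledger data and principals are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Constrained data items: account balances that must stay consistent."""
    balances: dict = field(default_factory=lambda: {"checking": 100, "savings": 50})
    audit_log: list = field(default_factory=list)
    # Integrity invariant checked by the IVP: total money is conserved (assumption).
    expected_total: int = 150

    def ivp(self) -> bool:
        return sum(self.balances.values()) == self.expected_total


# Access triples (user, TP, CDI set). Separation of duties: the clerk can
# move money, only the auditor can run the verification.
TRIPLES = {
    ("clerk", "transfer", frozenset({"checking", "savings"})),
    ("auditor", "verify", frozenset({"checking", "savings"})),
}


def tp_transfer(ledger: Ledger, src: str, dst: str, amount: int) -> None:
    """Well-formed transaction: debit and credit happen together."""
    if amount <= 0 or ledger.balances[src] < amount:
        raise ValueError("invalid transfer")
    ledger.balances[src] -= amount
    ledger.balances[dst] += amount


def tp_verify(ledger: Ledger) -> bool:
    return ledger.ivp()


TPS = {"transfer": tp_transfer, "verify": tp_verify}


def invoke(ledger: Ledger, user: str, tp_name: str, *args):
    """The only path to the CDIs: check the triple, run the TP, re-verify, audit."""
    cdis = frozenset(ledger.balances)
    if (user, tp_name, cdis) not in TRIPLES:
        ledger.audit_log.append(f"DENY {user} {tp_name} {args}")
        raise PermissionError(f"{user} may not invoke {tp_name}")
    before = dict(ledger.balances)
    result = TPS[tp_name](ledger, *args)
    if not ledger.ivp():  # TP left the CDIs inconsistent: roll back and record it
        ledger.balances = before
        ledger.audit_log.append(f"ROLLBACK {user} {tp_name} {args}")
        raise RuntimeError("integrity violation")
    ledger.audit_log.append(f"OK {user} {tp_name} {args}")
    return result


def denied(fn, *args) -> bool:
    """Helper: True if the call is refused by the access triples."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    ledger = Ledger()
    invoke(ledger, "clerk", "transfer", "checking", "savings", 30)
    print(invoke(ledger, "auditor", "verify"))
    print(denied(invoke, ledger, "clerk", "verify"))
    print("\n".join(ledger.audit_log))
```

Note that the clerk cannot reach `balances` except through `invoke`, and cannot run `verify`; the audit log records the denial as well as the successful transfers, which is what makes the separation of duties reviewable after the fact.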
The International Organization for Standardization (ISO) published ___ (ISO/IEC ___) as a global standard that built on TCSEC, ITSEC, and others.
Common Criteria (ISO/IEC 15408)
An example of malware that modifies host firewall settings is ___, which opens the high-order TCP and UDP ports it needs for communication with the outside world. There are more advanced methods of evasion, such as the creation of a ___ that bypasses the host's own network stack and the filtering hooked into it.
Conficker; custom TCP stack
Common Criteria Levels of assurance:
EAL 0: Inadequate assurance (not a level defined by ISO/IEC 15408, which specifies EAL 1 through EAL 7; used informally for products with no evaluated assurance)
EAL 1: Functionality tested
EAL 2: Structurally tested
EAL 3: Methodically checked and tested
EAL 4: Methodically designed, tested, and reviewed
EAL 5: Semi-formally designed and tested
EAL 6: Semi-formally verified, designed, and tested
EAL 7: Formally verified, designed, and tested
___ viruses infect any file that they are capable of infecting.
Fast infection
____ are usually set at the demarcation line between trusted and untrusted network elements
Firewalls
Common Criteria Levels of assurance: EAL 7:
Formally verified, designed, and tested
a trusted OS includes the following basic attributes:
- Hardware protection: a trusted OS must be designed from the ground up; secure hardware is the beginning.
- Long-term protected storage: a trusted OS must be able to offer protected storage that lasts across power cycles and other events.
- Isolation: a trusted OS must be able to isolate programs, keeping program A from accessing information belonging to program B.
- Separation of user processes from supervisor processes: user and supervisor functions must be separated.
Common Criteria essentially replaced ___
ITSEC
Trusted OS evaluation standard:
- Designed to meet the needs of the European market.
- Examines the confidentiality, integrity, and availability of an entire system.
Information Technology Security Evaluation Criteria (ITSEC)
Approaches used to build security zones: this approach focuses on layering controls on top of the data. Examples include information controls, application controls, host controls, and network controls.
Information-Centric
___was developed by IBM to verify the integrity and trust of Linux OSs.
Integrity Measurement Architecture (IMA)
TCSEC (Orange Book) categories: B:
Mandatory Security A B-rated system has mandatory protection of the TCB.
___ labels subjects and objects with sensitivity levels set by a central policy rather than by the object owner; a subject may access objects at its own or a lower level (for reads), never higher. Overriding ___ requires authorization from senior management.
Mandatory access control (MAC)
The steps in the change management process are as follows:
1. Place the change request.
2. Get approval for the change request.
3. Test the change and document the findings.
4. Implement the change.
5. Report the change to company management.
___viruses can change their signature every time they replicate and infect a new file.
Polymorphic
___ means that a subject or object has just enough authority or capability to perform its function, and no more.
Principle of least privilege (distinct from least functionality, which is the related control of configuring a system to provide only the services, ports and protocols it needs)
___ are reusable collections of activity types. They allow system integrators and others who work with different clients to manipulate similar types of data.
Process templates
Viruses can use different techniques to infect and replicate. The following techniques are common: Target executable programs
Program Infectors
___ project essentially placed the keylogger inside the keyboard.
Programmable HID USB Keystroke Dongle (PHUKD)
Approaches used to build security zones: this approach specifies that some areas are of greater importance than others. Controls may include VPNs, strategic placement of firewalls, deployment of VLANs, and restricted access to critical segments of the network.
Protected Enclaves
Extended ACLs have the ability to look more closely at the traffic and inspect for more items, such as the following:
- Protocol
- Port numbers
- Differentiated Services Code Point (DSCP) value
- Precedence value
- State of the synchronize sequence number (SYN) bit (the "established" match for TCP)
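Extended ACL evaluation over the fields listed above, as an added example that is not from the original page (it also illustrates the earlier card on ACLs as data-flow enforcement). The rule representation is a simplified, made-up one, not Cisco IOS syntax; the sample ACL and packets are constructed. It generalizes slightly beyond the card by showing first-match semantics and the implicit final deny.

```python
"""Toy extended-ACL evaluator: protocol, ports, DSCP, precedence, established.

Added example; rule syntax and sample traffic are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    dscp: int = 0         # 6-bit DSCP; IP precedence is its top 3 bits
    syn: bool = False
    ack: bool = False

    @property
    def precedence(self) -> int:
        return self.dscp >> 3

    @property
    def established(self) -> bool:
        """Matches the 'established' keyword: a TCP segment with ACK set,
        i.e. not the opening SYN of a new connection."""
        return self.proto == "tcp" and self.ack


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    dscp: Optional[int] = None
    precedence: Optional[int] = None
    established: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        # A field left as None is a wildcard for that rule.
        return (
            (self.proto == "ip" or self.proto == p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
            and (self.dscp is None or self.dscp == p.dscp)
            and (self.precedence is None or self.precedence == p.precedence)
            and (self.established is None or self.established == p.established)
        )


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; as on a router, the implicit final rule is deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed edge ACL: let return traffic of established TCP sessions in,
# allow new HTTPS connections to one web server, allow EF-marked voice
# (DSCP 46) from the internal range, deny everything else.
EDGE_ACL = [
    Rule("permit", "tcp", established=True),
    Rule("permit", "tcp", dst="203.0.113.10/32", dport=443),
    Rule("permit", "udp", src="10.0.0.0/8", dscp=46),
]

if __name__ == "__main__":
    print(evaluate(EDGE_ACL, Packet("tcp", "198.51.100.7", "203.0.113.10", 51000, 443, syn=True)))
    print(evaluate(EDGE_ACL, Packet("tcp", "198.51.100.7", "203.0.113.10", 51000, 22, syn=True)))
```

The first rule is the classic weakness of stateless "established" matching: any TCP segment with ACK set is let through regardless of whether a real session exists, which is one reason stateful firewalls (and NGFWs) replaced reflexive ACLs at the edge.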
___ determine how security will be implemented, what subjects can access the system, and to what objects they will have access. Simply stated, they are a way to formalize the design of a trusted OS
Security models
Common Criteria Levels of assurance: EAL 6:
Semi-formally verified, designed, and tested
Bell-LaPadula model is defined by the following properties: This property states that a subject at one level of confidentiality is not allowed to read information at a higher level of confidentiality. This is sometimes referred to as "no read up."
Simple Security
The Bell-LaPadula model is defined by the following properties:
- Simple Security: a subject at one level of confidentiality is not allowed to read information at a higher level of confidentiality. This is referred to as "no read up."
- Star (*) Security: a subject at one level of confidentiality is not allowed to write information to a lower level of confidentiality. This is known as "no write down."
- Strong Star Security: a subject may read and write only at its own level (no read up, and no write up or down).
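The three properties applied by a reference monitor, as an added example that is not part of the original page. The level ordering and the subjects and objects are constructed; the `attempt_copy` function shows why the *-property exists: a program running with a secret clearance (for instance a Trojan) can read secret data but is prevented from writing it into an unclassified object.

```python
"""Bell-LaPadula reference monitor: simple, *, and strong * properties.

Added example; levels and access requests are constructed.
"""
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def can_read(subject_level: str, object_level: str) -> bool:
    """Simple security property: no read up."""
    return LEVELS[subject_level] >= LEVELS[object_level]


def can_write(subject_level: str, object_level: str, strong: bool = False) -> bool:
    """*-property: no write down. With strong=True the strong *-property
    applies and writes are allowed only at the subject's own level."""
    if strong:
        return LEVELS[subject_level] == LEVELS[object_level]
    return LEVELS[subject_level] <= LEVELS[object_level]


def check(subject_level: str, op: str, object_level: str, strong: bool = False) -> str:
    """Mediate one access request and name the rule that decided it."""
    if op == "read":
        ok = can_read(subject_level, object_level)
        rule = "simple security (no read up)"
    elif op == "write":
        ok = can_write(subject_level, object_level, strong)
        rule = ("strong *-property (write at own level only)" if strong
                else "*-property (no write down)")
    else:
        raise ValueError(f"unknown operation {op!r}")
    return f"{'ALLOW' if ok else 'DENY'} {subject_level} {op} {object_level}: {rule}"


def attempt_copy(subject_level: str, src_level: str, dst_level: str,
                 strong: bool = False) -> bool:
    """Copying needs read(src) and write(dst). A secret-cleared process can
    read a secret file but cannot write it to an unclassified one: the
    Trojan-horse leak the *-property is designed to block."""
    return can_read(subject_level, src_level) and can_write(subject_level, dst_level, strong)


if __name__ == "__main__":
    for req in [("confidential", "read", "secret"),
                ("secret", "read", "confidential"),
                ("secret", "write", "confidential"),
                ("confidential", "write", "secret")]:
        print(check(*req))
    print(check("confidential", "write", "secret", strong=True))
    print("copy secret -> unclassified:", attempt_copy("secret", "secret", "unclassified"))
```

The price of the *-property is visible in the fourth request: a confidential subject may append into a secret object it cannot read back, which is why the strong *-property (same-level writes only) is often used where blind write-up is operationally unacceptable.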
___ means that the virus takes its time in infecting other files or spreading its damage. This technique is used to try to avoid detection
Sparse infection
Bell-LaPadula model is defined by the following properties: This property states that a subject at one level of confidentiality is not allowed to write information to a lower level of confidentiality. This is also known as "no write down."
Star Security
Bell-LaPadula model is defined by the following properties: This property states that a subject may read and write only at its own level (no read up, and no write up or down).
Strong Star Security
Some ___ designs also pair a field-programmable gate array (FPGA) with a processor on a single chip.
System on a chip
The orange book is also known as ____, was developed to evaluate standalone systems
Trusted Computer System Evaluation Criteria (TCSEC)
TCSEC (Orange Book) categories: A:
Verified Protection An A-rated system is the highest security division.
___ and ___ are two well-known banking-Trojan botnets.
Zeus and SpyEye
The basis of measure of TCSEC is ___
confidentiality
The Bell-LaPadula model enforces ___ through the use of ____
confidentiality mandatory access control
ITSEC examines the ___ of an entire system.
confidentiality, integrity, and availability
The concept of a ___ is based on the premise that a privileged program acting on behalf of others can be fooled by a caller into misusing its own authority.
confused deputy
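A confused deputy next to its fix, as an added example that is not from the original page. A privileged "report service" (the deputy) reads files on behalf of callers; the vulnerable version decides using only its own authority, so a caller can name a file it could not read itself, while the fixed version checks the caller's own authority before spending its privilege. The in-memory filesystem, the principals and the file contents are constructed.

```python
"""Confused deputy: a privileged service that trusts a caller-supplied name.

Added example; the filesystem model and principals are constructed.
"""

# Constructed filesystem with a per-file reader set (a DAC-style ACL).
FILES = {
    "/reports/q3.txt": {"content": "Q3 revenue", "readers": {"alice", "bob", "deputy"}},
    "/etc/shadow": {"content": "root:HASHED", "readers": {"root", "deputy"}},
}


def fs_read(principal: str, path: str) -> str:
    """The kernel-style check: only listed readers may read the file."""
    entry = FILES[path]
    if principal not in entry["readers"]:
        raise PermissionError(f"{principal} cannot read {path}")
    return entry["content"]


def deputy_report_vulnerable(caller: str, path: str) -> str:
    """Confused deputy: runs as 'deputy' and trusts the caller-supplied path,
    so bob can have it read /etc/shadow, which bob himself cannot read."""
    data = fs_read("deputy", path)
    return f"report for {caller}: {data}"


def deputy_report_fixed(caller: str, path: str) -> str:
    """Check the caller's own authority before using the deputy's privilege.
    The deputy still reads as itself (it needs to for its own work) but
    refuses any path the caller could not have read directly."""
    if caller not in FILES[path]["readers"]:
        raise PermissionError(f"{caller} is not authorized for {path}")
    data = fs_read("deputy", path)
    return f"report for {caller}: {data}"


def denied(fn, *args) -> bool:
    """Helper: True if the call is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(denied(fs_read, "bob", "/etc/shadow"))                  # bob alone: denied
    print(deputy_report_vulnerable("bob", "/etc/shadow"))         # via deputy: leaked
    print(denied(deputy_report_fixed, "bob", "/etc/shadow"))      # fixed deputy: denied
    print(deputy_report_fixed("bob", "/reports/q3.txt"))          # legitimate use still works
```

The same pattern shows up as setuid helpers that open attacker-chosen paths, web back ends that fetch caller-supplied URLs, and cloud functions whose role has more access than the user invoking them; the fix is always to decide on the caller's authority, not the deputy's.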
WAFs can protect against
cross-site scripting, hidden field tampering, cookie poisoning, and even SQL injection.
A ___ is a port that is devoted to specific traffic.
dedicated interface
Change management should have an ___ so that changes can be backed out should the change be unsuccessful.
escape path (rollback or back-out plan)
Common Criteria (ISO 15408) categorizes assurance into one of 7 increasingly strict levels of assurance referred to as:
evaluation assurance levels (EALs)
ITSEC is divided into two parts: One part evaluates ___ and the other part evaluates
functionality (10 F classes); assurance (7 E classes, E0 through E6)
Attestation means validating that something is true, typically that a platform booted the expected software. An attestation service can be designed as ___-based, ___-based, or ____.
hardware-based, software-based, or hybrid
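How measured launch feeds hardware-based attestation, as an added example that is not part of the original page (it illustrates both the Measured Launch card and this one). Each boot component's hash is extended into a TPM Platform Configuration Register, PCR' = SHA-256(PCR || measurement), so the final value depends on every component and on their order; a verifier that holds the known-good measurements replays them and compares. The component "images" are constructed byte strings, no real firmware or TPM is involved, and the signed quote a real TPM would produce over the PCR value is omitted.

```python
"""PCR extend and replay-based attestation, simulated in software.

Added example; the boot components are constructed stand-ins.
"""
import hashlib
from typing import List, Tuple

PCR_INITIAL = b"\x00" * 32  # PCRs reset to all zeros at power-on


def measure(component: bytes) -> bytes:
    """Hash of a boot component, as recorded in the event log."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 PCR_Extend semantics: new = H(old || measurement).
    There is no PCR_Set: a value can only be extended, never replaced."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components: List[bytes]) -> Tuple[bytes, List[bytes]]:
    """Simulate firmware measuring each stage before handing control to it.
    Returns the final PCR value and the event log of measurements."""
    pcr, log = PCR_INITIAL, []
    for c in components:
        m = measure(c)
        log.append(m)
        pcr = extend(pcr, m)
    return pcr, log


def verifier_expected_pcr(golden_measurements: List[bytes]) -> bytes:
    """The verifier never sees the images; it replays the golden measurements."""
    pcr = PCR_INITIAL
    for m in golden_measurements:
        pcr = extend(pcr, m)
    return pcr


def attest(reported_pcr: bytes, golden_measurements: List[bytes]) -> bool:
    """Accept the platform only if its PCR equals the replayed golden value."""
    return reported_pcr == verifier_expected_pcr(golden_measurements)


# Constructed "images" standing in for firmware, bootloader and kernel.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
GOLDEN = [measure(c) for c in GOOD_CHAIN]

if __name__ == "__main__":
    pcr, _ = measured_boot(GOOD_CHAIN)
    print("good chain attests:", attest(pcr, GOLDEN))
    tampered, _ = measured_boot([b"firmware-v1", b"bootloader-evil", b"kernel-v1"])
    print("tampered bootloader attests:", attest(tampered, GOLDEN))
```

Because extend is a one-way chain, a bootkit that loads after the firmware cannot "un-extend" its own measurement; the only ways to fool the verifier are to subvert the measuring component itself or to forge the quote, which is what the TPM's hardware-held attestation key is there to prevent.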
Security options in Group Policy: ___ policies apply to audit policies, user rights assignment, and security options.
local
A ___ is designed as a way to manage a computer or server that may be powered off or otherwise unresponsive. It often uses an out-of-band NIC.
management interface
DNS redirection and the use of alternate data streams (ADSs) allow the spyware distributor to hide the contents of one file behind another. A quick search of the drive finds no trace of the offending executable because it is stored as an additional named $DATA attribute within the host file's record in the ___, rather than as a file of its own, so ordinary directory listings never show it (on Windows, dir /R or PowerShell's Get-Item -Stream * does list named streams).
master file table (MFT)
____ do not run continuously. Once they have checked the system, they usually terminate their process.
non-persistent agents
A ___ is a single chip that integrates all of the components required to power a computer. The Raspberry Pi, for example, is built around a Broadcom ___.
system on a chip (SOC)
The ___ is the sum of all of the protection mechanisms within a computer (hardware, firmware, and software), and it is responsible for enforcing the security policy.
trusted computing base (TCB)
A ___ needs to attach itself to a file in order to infect a system.
virus
___ require no interaction on the user's part to replicate and spread; they propagate on their own across the network.
worms