CASP Chapter 4

A standard operating system is a standard build of a host system. The idea is that a standard build is used throughout the organization. The advantages are:

-Reduction in the Total cost of ownership (TCO) -Consistent configuration

There are two different classes of clearances:

1. government: unclassified, secret, and top secret 2. public sector: public, private, and restricted

What are the 4 categories of TCSEC?

A: Verified Protection B: Mandatory security C: Discretionary Protection D: Minimal Protection

___ are a basic example of data flow enforcement

ACLs

___-based technology is heavily used within organizations that use SCADA systems

Agent

ITSEC ___ classes rate the effectiveness and correctness of a system.

Assurance (E)

___ security model uses mandatory access control to enforce the Department of Defense (DoD) multilevel security policy

Bell-LaPadula

Viruses can use different techniques to infect and replicate. The following techniques are common: Reside in the boot sector of the computer

Boot Record Infectors

___ model is an example of capability-based security.

Clark-Wilson

___model differs from Bell-LaPadula and Biba in that it was intended for use with commercial activities.

Clark-Wilson

TCSEC (Orange Book) categories: C:

Discretionary Protection A C-rated system provides discretionary protection of the TCB.

---gives users the capability to access organizational files and directories. ---based on the decision of the owner of the file or directory. ---uses access control lists along with the Unix permission file system.

Discretionary access control (DAC)

Least functionality control maps to the ___ baseline.

FIPS 199

Common Criteria Levels of assurance: EAL 1:

Functionality tested

Common Criteria Levels of assurance: EAL 0:

Inadequate assurance

TCSEC (Orange Book) categories: D:

Minimal Protection A D-rated system fails to meet any of the standards of A, B, or C, and basically it has no security controls.

___ can help with quarantine/remediation of suspect network traffic. Typically placed at the edge of the network between the demilitarized zone/external/internal network and help with the separation of critical assets

Nextgen firewalls

___ often perform compliance along with authentication before allowing systems to have network access. - Can run continuously. They are great for organizations that are trying to set up security for bring your own device (BYOD) policies.

Persistent agents

Other types of malware can live exclusively in files and load themselves into RAM. These viruses are known as ___

RAM-resident viruses

Common Criteria Levels of assurance: EAL 5:

Semi-formally designed and tested

Many times, Trojans are used to access and control a host computer remotely. These programs are also known as ___

remote access Trojans (RATs)

A ___ is a profile that dictates what programs, menus, applications, commands, or functions are available within an environment.

restricted interface

security options in Group Policy ___ policies contain a password policy, account lockout policy, and Kerberos policy.

Account

Spam filters can use several techniques to detect and filter spam:

Blacklists Is the email from a known spammer? Fingerprint Does the email match the fingerprint of spam? Rules Scoring Does the email match a score high enough that it is potentially spam?

___ model design was promoted as a means to prevent conflict-of-interest problems.

Brewer and Nash

___ model has the nickname of "the Chinese Wall" model

Brewer and Nash

Trusted OS ___ examined different areas of the trusted OS, including physical and logical controls, startup and recovery, reference mediation, and privileged states.

Common Criteria

____ allows the spyware distributor to mask the stream of one file behind another.

DNS redirection and the use of alternate data streams (ADSs)

This is most often associated with database attacks. It is possible if the attacker has access to the system and can make small incremental changes to data or files.

Data Diddling

two primary incremental attacks:

Data Diddling Salami Attack

Botnets often use free DNS services, such as ___.

DynDNS

Viruses can use different techniques to infect and replicate. The following techniques are common: Target Microsoft Office programs such as Word documents and Excel spreadsheets

Macro Viruses

This method works with TPM and the secure boot process to determine if an OS is allowed to load and what portions can execute.

Measured Launch

Common Criteria Levels of assurance: EAL 3:

Methodically checked and tested

Common Criteria Levels of assurance: EAL 4:

Methodically designed, tested, and reviewed

Viruses can use different techniques to infect and replicate. The following techniques are common: Target both boot records and programs

Multipartite Infectors

___ is the concept of employing a dedicated management channel, separate from the network channel or cabling used by servers.

Out-of-band management

Examples of trusted OSs include

SELinux: brings MAC to linux kernel SEAndroid: brings MAC to android kernel Trusted Solaris: brings MAC as well as read-only protection for host or guest environments that Solaris dubs "immutable zones."

Involves making small changes to financial accounts or records.

Salami Attack

A security standard developed by members of the PC industry to help make sure your PC boots using only software that is trusted by the device manufacturer.

Secure Boot

Common Criteria Levels of assurance: EAL 2:

Structurally tested

What are some of the trusted operating systems testing standards?

Trusted Computer System Evaluation Criteria (TCSEC) Information Technology Security Evaluation Criteria Common Criteria

Approaches used to build security zones This approach focuses on common vectors used to launch an attack. Examples include disabling autorun on USB thumb drives, disabling USB ports, and removing CD/DVD burners.

Vector-Oriented

Approaches used to build security zones:

Vector-Oriented Information-Centric Protected Enclaves

A ___ is used with databases to generate process templates.

data interface

Techniques such as ___ provide the botnet with the ability to hide their servers behind ever-changing proxies, making it difficult to locate the bot herder.

fast-flux DNS

The concept of ____ means to search for and identify security threats and problems that have yet to be discovered in the environment. This is proactve.

hunt teaming

___ technology is codependent on a central authority that is connected to a network. An organization that depends heavily on vulnerability assessment and patch management would benefit from this.

Agentless-based

___ model dictates that the separation of duties must be enforced, subjects must access data through an application, and auditing is required. Data cannot be tampered with while being changed, and the integrity of the data must be consistent.

Clark-Wilson

The International Standards Organization (ISO) created ___ (ISO ___) to be a global standard that built on TCSEC, ITSEC, and others.

Common Criteria (ISO 15408)

An example of malware that could modify host firewall settings is ___, which has the ability to disable several high-order TCP and UDP ports that it needs for communication with the outside world. There are more advanced methods of evasion, such as the creation of a ___.

Conficker custom TCP stack

Common Criteria Levels of assurance:

EAL 0: Inadequate assurance EAL 1: Functionality tested EAL 2: Structurally tested EAL 3: Methodically checked and tested EAL 4: Methodically designed, tested, and reviewed EAL 5: Semi-formally designed and tested EAL 6: Semi-formally verified, designed, and tested EAL 7: Formally verified, designed, and tested

Common Criteria Levels of assurance: EAL 0: EAL 1: EAL 2: EAL 3: EAL 4: EAL 5: EAL 6: EAL 7:

EAL 0: Inadequate assurance EAL 1: Functionality tested EAL 2: Structurally tested EAL 3: Methodically checked and tested EAL 4: Methodically designed, tested, and reviewed EAL 5: Semi-formally designed and tested EAL 6: Semi-formally verified, designed, and tested EAL 7: Formally verified, designed, and tested

___ viruses infect any file that they are capable of infecting.

Fast infection

____ are usually set at the demarcation line between trusted and untrusted network elements

Firewalls

Common Criteria Levels of assurance: EAL 7:

Formally verified, designed, and tested

a trusted OS includes the following basic attributes:

Hardware Protection A trusted OS must be designed from the ground up. Secure hardware is the beginning. Long-Term Protected Storage A trusted OS must have the ability to offer protected storage that lasts across power cycles and other events. Isolation A trusted OS must be able to isolate programs. It must be able to keep program A from accessing information from program B. Separation of User Processes from Supervisor Processes User and supervisor functions must be separated.

Common Criteria essentially replaced ___

ITSEC

Trusted OS - Designed to meet the needs of the European market. - Examines the confidentiality, integrity, and availability of an entire system.

Information Technology Security Evaluation Criteria (ITSEC)

Approaches used to build security zones This approach focuses on layering controls on top of the data. Examples include information controls, application controls, host controls, and network controls.

Information-Centric

___was developed by IBM to verify the integrity and trust of Linux OSs.

Integrity Measurement Architecture (IMA)

TCSEC (Orange Book) categories: B:

Mandatory Security A B-rated system has mandatory protection of the TCB.

___allows for the system to run at the same or lower levels. ---Overriding ___ requires authorization from senior management.

Mandatory access control (MAC)

The steps in the change management process are as follows:

Place the change request. Get approval for the change request. Test the change and document the findings. Implement the change. Report the change to company management.

___viruses can change their signature every time they replicate and infect a new file.

Polymorphic

___means that an object has just enough authority or capability to perform its function.

Principle of Least Functionality

___ are reusable collections of activity types. They allow system integrators and others who work with different clients to manipulate similar types of data.

Process templates

Viruses can use different techniques to infect and replicate. The following techniques are common: Target executable programs

Program Infectors

___ project essentially placed the keylogger inside the keyboard.

Programmable HID USB Keystroke Dongle (PHUKD)

Approaches used to build security zones This approach specifies that some areas are of greater importance than others. Controls may include VPNs, strategic placement of firewalls, deployment of VLANs, and restricted access to critical segments of the network.

Protected Enclaves

Extended ACLs have the ability to look more closely at the traffic and inspect for more items, such as the following:

Protocol Port numbers Differentiated Services Code Point (DSCP) value Precedence value State of the synchronize sequence number (SYN) bit

___ determine how security will be implemented, what subjects can access the system, and to what objects they will have access. Simply stated, they are a way to formalize the design of a trusted OS

Security models

Common Criteria Levels of assurance: EAL 6:

Semi-formally verified, designed, and tested

Bell-LaPadula model is defined by the following properties: This property states that a subject at one level of confidentiality is not allowed to read information at a higher level of confidentiality. This is sometimes referred to as "no read up."

Simple Security

The Bell-LaPadula model is defined by the following properties:

Simple Security This property states that a subject at one level of confidentiality is not allowed to read information at a higher level of confidentiality. This is sometimes referred to as "no read up." Star Security This property states that a subject at one level of confidentiality is not allowed to write information to a lower level of confidentiality. This is also known as "no write down." Strong Star Security This property states that a subject cannot read up or write down.

___ means that the virus takes its time in infecting other files or spreading its damage. This technique is used to try to avoid detection

Sparse infection

Bell-LaPadula model is defined by the following properties: This property states that a subject at one level of confidentiality is not allowed to write information to a lower level of confidentiality. This is also known as "no write down."

Star Security

Bell-LaPadula model is defined by the following properties: This property states that a subject cannot read up or write down.

Strong Star Security

___ also pairs a field programmable gate array (FPGA) and a processor on a single chip.

System on a chip

The orange book is also known as ____, was developed to evaluate standalone systems

Trusted Computer System Evaluation Criteria (TCSEC)

TCSEC (Orange Book) categories: A:

Verified Protection An A-rated system is the highest security division.

___& ___ are two renowned botnets to surface within the last few years

Zeus and SpyEye

The basis of measure of TCSEC is ___

confidentiality

The Bell-LaPadula model enforces ___ through the use of ____

confidentiality mandatory access control

ITSEC examines the ___ of an entire system.

confidentiality, integrity, and availability

The concept of a ___ is based on the premise that a computer program can be fooled by an attacker into misusing its authority

confused deputy

WAFs can protect against

cross-site scripting, hidden field tampering, cookie poisoning, and even SQL injection.

A ___ is a port that is devoted to specific traffic.

dedicated interface

Change management should have an ___ so that changes can be backed out should the change be unsuccessful

escape path

Common Criteria (ISO 15408) categorizes assurance into one of 7 increasingly strict levels of assurance referred to as:

evaluation assurance levels (EALs)

ITSEC is divided into two parts: One part evaluates ___ and the other part evaluates

functionality (10 F classes) assurance (7 E classes)

Attestation means that you are validating something as true. An attestation service can be designed as ___-based, ___-based, or ____.

hardware-based, software-based, or hybrid

security options in Group Policy ___ policies apply to audit policies, user rights, and security options.

local

A ___ is designed to be used as a way to manage a computer or server that may be powered off or otherwise unresponsive. -Often use an out-of-band NIC

management interface

DNS redirection and the use of alternate data streams (ADSs) allows the spyware distributor to mask the stream of one file behind another. A quick search of the drive will find no trace of the offending executable because it has no entry in the ___ where the directory listing of all files is kept.

master file table (MFT)

____ do not run continuously. Once they check the system, they usually terminate their process.

non-persistent agents

A ___ is a microchip that has all of the components required to power a computer. An example is the Raspberry Pi.

system on a chip (SOC)

The ___ is the sum of all of the protection mechanisms within a computer, and it is responsible for enforcing the security policy.

trusted computer base (TCB)

a ___ needs to attach itself to a file in order to infect a system.

virus

___ require no interaction on the user's part to replicate and spread

worms