CYBR 7300: Ch 8

Trusted computer system evaluation criteria (TCSEC)

- A deprecated (no longer used) DoD system certification and accreditation standard that defined the criteria for assessing the access controls in a computer system.
- Also known as the rainbow series due to the color coding of the individual documents that make up the criteria.

Describe the dominant InfoSec management models, including national and international standards-based models

- ISO 27000
- NIST SP 800
- COBIT 5
- COSO
- ITIL
- InfoSec Governance Framework

NIST SP 800

- InfoSec management model that has been cited by the U.S. government
- publicly available at no charge
- has been available for some time; thus, it has been broadly reviewed by government and industry professionals

storage channels

- a covert channel that communicates by modifying a stored object
- example: steganography

timing channels

- a covert channel that transmits information by managing the relative timing of events
- example: a system that places a long pause between packets to signify a 1 and a short pause between packets to signify a 0

Brewer-Nash Model (Chinese Wall)

- access control model designed to prevent a conflict of interest between two parties
- example: a law firm represents 2 clients who are involved in a car accident. One sues the other and the firm has to represent both. To prevent a conflict of interest, the individual attorneys should not be able to access the private information of both litigants.

Harrison-Ruzzo-Ullman model

- access control model that allows changes to access rights and the addition and removal of subjects and objects. The BLP process does not allow this.
- based on an access control matrix and includes a set of generic rights and a specific set of commands, which include:
  - Create subject/create object
  - Enter right X into
  - Delete right X from
  - Destroy subject/destroy object

Graham-Denning Access Control Model

- access control model with 3 parts:
  1. set of objects
  2. set of subjects
  3. set of rights
- subjects are composed of 2 things: a process and a domain
- has 8 primitive protection rights:
  1. Create object
  2. Create subject
  3. Delete object
  4. Delete subject
  5. Read access right
  6. Grant access right
  7. Delete access right
  8. Transfer access right

ITIL

- an InfoSec management model
- "Information Technology Infrastructure Library"
- a collection of methods and practices for managing the development and operation of IT infrastructures

COSO

- an InfoSec management model
- Committee of Sponsoring Organizations
- security control based model with an objective to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence

COBIT 5

- an InfoSec management model
- Control Objectives for Information and Related Technology
- this framework is the only business framework for the governance and management of enterprise IT

InfoSec Governance framework

- an InfoSec management model
- provides guidance in the development and implementation of an organizational InfoSec governance structure and recommends the responsibilities that various members should have toward an organization

access control methodologies

- directive
- deterrent
- preventative
- detective
- corrective
- recovery
- compensating

Clark-Wilson Integrity Model

- model built upon principles of change control rather than integrity levels
- was designed for the commercial environment
- principles:
  1. no changes by unauthorized subjects
  2. no unauthorized changes by authorized subjects
  3. the maintenance of internal and external consistency
- this model establishes a system of subject-program-object relationships such that the subject has no direct access to the object

Bell-LaPadula (BLP) confidentiality model

A confidentiality model or "state machine reference model" that ensures the confidentiality of the modeled system by using MACs, data classification, and security clearances.
- a model of an automated system that is able to manipulate its state or status over time

security clearance

A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access.

Biba integrity model

A state machine access control model that is similar to BLP and is based on the premise that higher levels of integrity are more worthy of trust than lower levels.

Lattice-based access control (LBAC)

A variation on the MAC form of access control, which assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects such as users and objects.

framework / security model

In InfoSec, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies, security education and training programs, and technological controls.
- describes what the end product should look like

least privilege

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation needed.
- implies a need to know

Separation of duties

The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them.

need-to-know

The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks.

Trusted Computing Base (TCB)

Under TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.

mandatory access controls (MAC)

a required, structured data classification scheme that rates each collection of information as well as each user
- these ratings are often referred to as sensitivity or classification levels

Explain why access control is an essential element of InfoSec management

access control is maintained by means of a collection of policies, programs to carry out those policies, and technologies that enforce policies
- all of which are controlled by management

discretionary access controls (DACs)

access controls that are implemented at the discretion or option of the data user

nondiscretionary controls

access controls that are implemented by a central authority

information technology system evaluation criteria (ITSEC)

an international set of criteria for evaluating computer systems

Common Criteria for Information Technology Security Evaluation ("CC")

an international standard (ISO/IEC 15408) for computer security certification that is considered the successor to TCSEC and ITSEC

blueprint

in InfoSec, a framework or security model customized to an organization, including implementation details
- includes information on how to get to the end product

capabilities table

in lattice-based access control (LBAC), the row of attributes associated with a particular subject (such as a user)

ISO 27000

InfoSec management model intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings

access controls

the selective method by which systems specify who may use a particular resource and how they may use it
- processes:
  1. identification
  2. authentication
  3. authorization
  4. accountability

covert channels

unauthorized or unintended methods of communications hidden inside a computer system
- includes storage channels and timing channels

reference monitor

within TCB, a conceptual piece of the system that manages access controls
- in other words, it mediates all access to objects by subjects

