ISA 08

timing channels

A TCSEC-defined covert channel that communicates by managing the relative timing of events.

storage channels

A TCSEC-defined covert channel that communicates by modifying a stored object, such as in steganography.

Bell-LaPadula (BLP) confidentiality model

A confidentiality model or "state machine reference model" that ensures the confidentiality of the modeled system by using MACs, data classification, and security clearances.

security clearance

A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access.

mandatory access control (MAC)

A required, structured data classification scheme that rates each collection of information as well as each user. These ratings are often referred to as sensitivity or classification levels.

lattice-based access control

A variation on the MAC form of access control, which assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects such as users and objects.

discretionary access controls (DACs)

Access controls that are implemented at the discretion or option of the data user.

nondiscretionary controls

Access controls that are implemented by a central authority.

Biba integrity model

An access control model that is similar to BLP and is based on the premise that higher levels of integrity are more worthy of trust than lower levels.

dumpster diving

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information.

Information Technology System Evaluation Criteria (ITSEC)

An international set of criteria for evaluating computer systems, very similar to TCSEC.

Common Criteria for Information Technology Security Evaluation

An international standard (ISO/IEC 15408) for computer security certification that is considered the successor to TCSEC and ITSEC.

Trusted Computer System Evaluation Criteria (TCSEC)

An older DoD system certification and accreditation standard that defines the criteria for assessing the access controls in a computer system. Also known as the rainbow series due to the color coding of the individual documents that made up the criteria.

18. What are the common names for NIST SP 800-53 and NIST SP 800-53A? What is the purpose of each document? What resources do they provide?

Answer: "NIST SP 800-53A, Rev. 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans" is the functional successor to "SP 800-26: Security Self-Assessment Guide for Information Technology Systems." A companion guide to "SP 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations," it provides a systems development life cycle (SDLC) approach to security assessment of information systems.

10. What is a data classification model? How is data classification different from a clearance level?

Answer: A data classification model provides guidance as to the sensitivity level for information assets. A clearance level is applied to human resources, indicating the sensitivity levels of data to which they have access.

1. What is an InfoSec framework?

Answer: A framework is the outline of the plans for intended security control.

9. What is a mandatory access control?

Answer: A mandatory access control (MAC) is an implementation in which software elements are structured and coordinated within a data classification scheme that rates each collection of information as well as each user and forces compliance with policy through the use of a reference monitor.

6. What are the essential processes of access control?

Answer: Access control includes four processes:
• Identification—Obtaining the identity of the entity requesting access to a logical or physical area
• Authentication—Confirming the identity of the entity seeking access to a logical or physical area
• Authorization—Determining which actions an authenticated entity can perform in a physical or logical area
• Accountability—Documenting the activities of the authorized individual and systems

7. What are the key principles on which access control is founded?

Answer: Access control is built on several key principles, including least privilege, need to know, and separation of duties.

5. What is access control?

Answer: Access control regulates the admission of users into trusted areas of the organization—both logical access to the information systems and physical access to the organization's facilities. Access control is maintained through a collection of policies, programs to carry out those policies, and technologies that enforce the policies.

14. What is COBIT? Who is its sponsor? What does it accomplish?

Answer: Control Objectives for Information and Related Technology (COBIT) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks. COBIT was created in 1992 by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). COBIT enables clear policy development and good practice for IT control throughout organizations.

4. How might an InfoSec professional use a security model?

Answer: InfoSec professionals can use security models as an outline for a comprehensive design of an organization's entire planned security program or as the starting point for a more fully customized version of such a plan.

13. What are the documents in the ISO/IEC 27000 series?

Answer: Table 8-3 in the text shows the existing or planned documents for the 27000 series.

20. What is COSO, and why is it important?

Answer: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems. The committee's report has entered practical usage as a standard of performance that helps organizations comply with critical regulations like the Sarbanes-Oxley Act of 2002.

11. Which international InfoSec standards have evolved from the BS7799 model? What do they include?

Answer: The ISO/IEC 27000 series has evolved from the BS7799 model. Its security model has 10 sections that give recommendations for InfoSec managers who are responsible for initiating, implementing, or maintaining security in their organization.

2. What is an InfoSec blueprint?

Answer: The InfoSec blueprint is the detailed plan for the complete design, selection, and implementation of all subsequent security controls, including InfoSec policies, security education and training programs, and technological controls. It includes sequenced steps and planned timeframes for each component.

12. What is an alternative model to the BS7799 model (and its successors)? What does it include?

Answer: The NIST collection of InfoSec management practices offers an alternative to BS7799 and its successors. The NIST approach includes a broad array of documentation that covers the broad topical area of InfoSec management.

16. What is the common name for NIST SP 800-12? What is the document's purpose? What resources does it provide?

Answer: The common name for NIST SP 800-12 is "The Computer Security Handbook." It provides an excellent background and terminology for InfoSec.

17. What is the common name for NIST SP 800-14? What is the document's purpose? What resources does it provide?

Answer: The common name for NIST SP 800-14 is "Generally Accepted Principles and Practices for Securing Information Technology Systems." The document describes best practices in InfoSec and can be used to direct the security team in the development of a security blueprint.

19. What is the common name of NIST SP 800-30? What is the document's purpose? What resources does it provide?

Answer: The common name of NIST SP 800-30, Rev. 1, is "Guide for Conducting Risk Assessments." It is a foundation for the development of an effective risk management program, and it contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations better manage IT-related mission risks.

15. What are the two primary advantages of NIST security models?

Answer: They are publicly available at no charge, and they have been available for some time; thus, they are very thorough and have undergone a great deal of refinement over time.

3. How might an organization create a security blueprint?

Answer: To generate a usable security blueprint, most organizations draw on established security frameworks, models, and practices. Some of these models are proprietary and are only available for a significant fee; others are relatively inexpensive. The chosen model must be flexible, scalable, robust, and sufficiently detailed.

capabilities table

In a lattice-based access control, the row of attributes associated with a particular subject (such as a user).

blueprint

In information security, a framework or security model customized to an organization, including implementation details.

framework

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies, security education and training programs, and technological controls. Also known as a security model.

security model

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies, security education and training programs, and technological controls. Also known as a framework.

8. Identify at least two approaches used to categorize access control methodologies. List the types of controls found in each.

Answer: One approach depicts controls by their inherent characteristics and classifies each control as one of the following:
• Preventative—Helps an organization avoid an incident
• Deterrent—Discourages or deters an incipient incident
• Detective—Detects or identifies an incident or threat when an incident occurs
• Corrective—Remedies a circumstance or mitigates damage done during an incident
• Recovery—Restores operating conditions back to normal
• Compensating—Resolves shortcomings

A second approach, described in the NIST Special Publication series, categorizes controls based on their operational impact on the organization:
• Management—Controls that cover security processes designed by strategic planners, integrated into the organization's management practices, and routinely used by security administrators to design, implement, and monitor other control systems
• Operational (or administrative)—Controls that deal with the operational functions of security that have been integrated into the repeatable processes of the organization
• Technical—Controls that support the tactical portion of a security program and that have been implemented as reactive mechanisms to deal with the immediate needs of the organization as it responds to the realities of the technical environment

least privilege

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary. Least privilege implies a need to know.

separation of duties

The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them.

need-to-know

The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks.

covert channels

Unauthorized or unintended methods of communications hidden inside a computer system.

trusted computing base (TCB)

Under TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.

reference monitor

Within TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects.
