Understand the security capabilities of information systems.   Common security capabilities include memory protection, virtualization, Trusted Platform Module (TPM), encryption/ decryption, interfaces, and fault tolerance.

Written Lab

1.Name at least seven security models and the primary security benefit of using each.

2.Describe the primary components of TCB.

3.What are the two primary rules or principles of the Bell–LaPadula security model? Also, what are the two rules of Biba?

4.What is the difference between open and closed systems and open and closed source?

5.Name at least four design principles and describe them.

348  Chapter 8  ■  Principles of Security Models, Design, and Capabilities

Review Questions

1.You have been working on crafting a new expansion service to link to the existing computing hardware of a core business function. However, after weeks of research and experimentation, you are unable to get the systems to communicate. The CTO informs you that the computing hardware you are focusing on is a closed system. What is a closed system?

A.A system designed around final, or closed, standards

B.A system that includes industry standards

C.A proprietary system that uses unpublished protocols

D.Any machine that does not run Windows

2.A compromise of a newly installed Wi-Fi connected baby monitor enabled a hacker to virtually invade a home and play scary sounds to a startled toddler. How was the attacker able to gain access to the baby monitor in this situation?

A.Outdated malware scanners

B.A WAP supporting 5 GHz channels

C.Performing a social engineering attack against the parents

D.Exploiting default configuration

3.While working against a deadline, you are frantically trying to finish a report on the current state of security of the organization. You are pulling records and data items from over a dozen sources, including a locally hosted database, several documents, a few spreadsheets, and numerous web pages from an internal server. However, as you start to open another file from your hard drive, the system crashes and displays the Windows Blue Screen of Death. This event is formally known as a stop error and is an example of a(n) _______ approach to software failure.

A.Fail-open

B.Fail-secure

C.Limit check

D.Object-oriented

4.As a software designer, you want to limit the actions of the program you are developing. You have considered using bounds and isolation but are not sure they perform the functions you need. Then you realize that the limitation you want can be achieved using confinement. Which best describes a confined or constrained process?

A.A process that can run only for a limited time

B.A process that can run only during certain times of the day

C.A process that can access only certain memory locations

D.A process that controls access to an object

5.When a trusted subject violates the star property of Bell–LaPadula in order to write an object into a lower level, what valid operation could be taking place?

A.Perturbation

B.Noninterference

C.Aggregation

D.Declassification

6.What security method, mechanism, or model reveals a capabilities list of a subject across multiple objects?

A.Separation of duties

B.Access control matrix

C.Biba

D.Clark–Wilson

7.What security model has a feature that in theory has one name or label but, when implemented into a solution, takes on the name or label of the security kernel?

A.Graham–Denning model

B.Harrison–Ruzzo–Ullman (HRU) model

C.Trusted computing base

D.Brewer and Nash model

8.The Clark–Wilson model uses a multifaceted approach to enforcing data integrity. Instead of defining a formal state machine, the Clark–Wilson model defines each data item and allowable data transformations. Which of the following is not part of the access control relationship of the Clark–Wilson model?

A.Object

B.Interface

C.Input sanitization

D.Subject

9.While researching security models to base your new computer design around, you discover the concept of the TCB. What is a trusted computing base (TCB)?

A.Hosts on your network that support secure transmissions

B.The operating system kernel, other OS components, and device drivers

C.The combination of hardware, software, and controls that work together to enforce a security policy

D.The predetermined set or domain (i.e., a list) of objects that a subject can access

10.What is a security perimeter? (Choose all that apply.)

A.The boundary of the physically secure area surrounding your system

B.The imaginary boundary that separates the TCB from the rest of the system

350  Chapter 8  ■  Principles of Security Models, Design, and Capabilities

C.The network where your firewall resides

D.Any connections to your computer system

11.The trusted computing base (TCB) is a combination of hardware, software, and controls that work together to form a trusted base to enforce your security policy. What part of the TCB concept validates access to every resource prior to granting the requested access?

A.TCB partition

B.Trusted library

C.Reference monitor

D.Security kernel

12.A security model provides a way for designers to map abstract statements into a solution that prescribes the algorithms and data structures necessary to build hardware and software. Thus, a security model gives software designers something against which to measure their design and implementation. Which of the following is the best definition of a security model?

A.A security model states policies an organization must follow.

B.A security model provides a framework to implement a security policy.

C.A security model is a technical evaluation of each part of a computer system to assess its concordance with security standards.

D.A security model is used to host one or more operating systems within the memory of a single host computer or to run applications that are not compatible with the host OS.

13.The state machine model describes a system that is always secure no matter what state it is in. A secure state machine model system always boots into a secure state, maintains a secure state across all transitions, and allows subjects to access resources only in a secure manner compliant with the security policy. Which security models are built on a state machine model?

A.Bell–LaPadula and take-grant

B.Biba and Clark–Wilson

C.Clark–Wilson and Bell–LaPadula

D.Bell–LaPadula and Biba

14.You are tasked with designing the core security concept for a new government computing system. The details of its use are classified, but it will need to protect confidentiality across multiple classification levels. Which security model addresses data confidentiality in this context?

A.Bell–LaPadula

B.Biba

C.Clark–Wilson

D.Brewer and Nash

15.The Bell–LaPadula multilevel security model was derived from the DoD’s multilevel security policies. The multilevel security policy states that a subject with any level of clearance can access resources at or below its clearance level. Which Bell–LaPadula property keeps lower-level subjects from accessing objects with a higher security level?

A.(Star) security property

B.No write-up property

C.No read-up property

D.No read-down property

16.The Biba model was designed after the Bell–LaPadula model. Whereas the Bell–LaPadula model addresses confidentiality, the Biba model addresses integrity. The Biba model is also built on a state machine concept, is based on information flow, and is a multilevel model. What is the implied meaning of the simple property of Biba?

A.Write-down

B.Read-up

C.No write-up

D.No read-down

17.The Common Criteria defines various levels of testing and confirmation of systems’ security capabilities, and the number of the level indicates what kind of testing and confirmation has been performed. What part of the Common Criteria specifies the claims of security from the vendor that are built into a target of evaluation?

A.Protection profiles

B.Evaluation Assurance Levels

C.Authorizing Official

D.Security target

18.The Authorizing Official (AO) has the discretion to determine which breaches or security changes result in a loss of Authorization to Operate (ATO). The AO can also issue four types of authorization decisions. Which of the following are examples of these ATOs? (Choose all that apply.)

A.Common control authorization

B.Mutual authorization

C.Denial of authorization

D.Authorization to transfer

E.Authorization to use

F.Verified authorization

19.A new operating system update has made significant changes to the prior system. While testing, you discover that the system is highly unstable, allows for integrity violations

352  Chapter 8  ■  Principles of Security Models, Design, and Capabilities

between applications, can be affected easily by local denial-of-service attacks, and allows for information disclosure between processes. You suspect that a key security mechanism has been disabled or broken by the update. What is a likely cause of these problems?

A.Use of virtualization

B.Lack of memory protections

C.Not following the Goguen–Meseguer model

D.Support for storage and transmission encryption

20.As an application designer, you need to implement various security mechanisms to protect the data that will be accessed and processed by your software. What would be the purpose of implementing a constrained or restricted interface?

A.To limit the actions of authorized and unauthorized users

B.To enforce identity verification

C.To track user events and check for violations

D.To swap datasets between primary and secondary memory