CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)

Chapter 11 Principles of Computer Design

Integrity Because integrity models are concerned with how information moves from one level to another, they are a special type of information flow models. That is, they enforce security by enforcing integrity constraints. Two examples of integrity models are the Biba and Clark-Wilson models. To maintain integrity, the goals are to establish and maintain internal and external consistency, to prevent authorized users from making improper or illegal modifications, and to block unauthorized users from making any modifications whatsoever. Whereas Clark-Wilson delivers on all three goals, Biba only blocks unauthorized users from making modifications. This explains why Clark-Wilson is used far more frequently than Biba in real-world applications.

Access control Access control models attempt to enforce security using formal access controls, which determine whether or not subjects can access objects they request. They include the state machine, access matrix, Take-Grant, Bell-LaPadula, and Brewer and Nash models.

When it comes to anticipating questions and coverage of the various models mentioned, the following items recur repeatedly in all of the practice exams we reviewed for this chapter:

Biba and Clark-Wilson versus Bell-LaPadula: Biba or Clark-Wilson is used to enforce integrity, Bell-LaPadula to enforce confidentiality. Biba uses integrity levels and Clark-Wilson uses access triples where subjects must use programs to access objects (all subject to integrity constraints), whereas Bell-LaPadula uses security levels. Because Bell-LaPadula focuses on confidentiality, it’s most often used in military applications; likewise, because Biba and Clark-Wilson focus on integrity, they’re most often used in commercial applications.

Of all security models, Bell-LaPadula and Biba are best known.

Of all security models, Bell-LaPadula is used most often in military applications, Clark-Wilson in commercial ones.

Bell-LaPadula defines its discretionary access permissions using an access control matrix, in addition to the mandatory rules it applies to security levels.

Access control models provide a formal description of a security policy (one that’s designed to make sense to a computer, in fact).

The Clark-Wilson access triple binds a subject (a user), a program (a transformation procedure, or TP), and an object (a constrained data item, or CDI): a subject may change a CDI only by running a TP that has been certified for that subject and that CDI. Integrity verification procedures (IVPs) confirm that the CDIs are in a valid state, and the model's certification rules and enforcement rules spell out how TPs and IVPs are certified and how the system enforces the triples. Because these same access triples include a program element as well as a subject, Clark-Wilson also supports separation of duties, which divides operations into disconnected parts and requires different users to perform each part to prevent fraud or misuse.

The access matrix model is most commonly implemented using access control lists (ACLs).

Brewer and Nash (a.k.a. Chinese wall) manages how subjects access datasets according to their assignments to conflict-of-interest classes.
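The access-triple mechanism described above is easier to reason about once it is written down as code. The following Python sketch is an added example for this page, not code from the study guide or from the Clark-Wilson paper: it enforces certified (subject, TP, CDI) triples, runs an IVP after every transformation procedure, writes an audit record for each one, and applies separation of duties so that the user who requests a transfer cannot also approve it. The ledger, account names, users, amounts and transaction ids are constructed for the illustration; the rule labels in the comments (C1, C2, C3, C4, E2) follow the numbering usually given for Clark and Wilson's certification and enforcement rules.

```python
"""Clark-Wilson style reference monitor (added example, constructed data).
Subjects reach constrained data items (CDIs) only through certified
transformation procedures (TPs), an integrity verification procedure (IVP)
confirms the CDIs are in a valid state after every TP, and separation of
duties forbids one user from both requesting and approving a transfer."""
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """The CDIs: account balances and pending transfer requests.
    Valid state: money is conserved (balances sum to `total`) and no
    account is negative."""
    accounts: dict
    total: int
    pending: dict = field(default_factory=dict)
    log: list = field(default_factory=list)


def ivp(ledger):
    """Integrity verification procedure (rule C1)."""
    return (sum(ledger.accounts.values()) == ledger.total
            and all(v >= 0 for v in ledger.accounts.values()))


# TPs are well-formed transactions (C2): each moves the CDIs from one valid
# state to another, or refuses and leaves them untouched.
def request_transfer(ledger, req_id, src, dst, amount):
    if amount <= 0 or src not in ledger.accounts or dst not in ledger.accounts:
        raise ValueError("malformed request")
    ledger.pending[req_id] = (src, dst, amount)


def approve_transfer(ledger, req_id):
    src, dst, amount = ledger.pending[req_id]
    if ledger.accounts[src] < amount:
        raise ValueError("insufficient funds; CDIs left unchanged")
    ledger.accounts[src] -= amount
    ledger.accounts[dst] += amount
    del ledger.pending[req_id]


TPS = {"request_transfer": request_transfer, "approve_transfer": approve_transfer}


class ClarkWilsonMonitor:
    def __init__(self):
        self.triples = set()   # certified (subject, TP, CDI) triples (E2)
        self.sod = {}          # TP -> TPs a different user must run for the same transaction (C3)
        self.history = {}      # (transaction id, TP) -> subject who ran it

    def certify(self, subject, tp, cdi):
        self.triples.add((subject, tp, cdi))

    def separate_duties(self, tp_a, tp_b):
        self.sod.setdefault(tp_a, set()).add(tp_b)
        self.sod.setdefault(tp_b, set()).add(tp_a)

    def run(self, subject, tp, cdi, ledger, txn, **args):
        if (subject, tp, cdi) not in self.triples:
            raise PermissionError(f"{subject} is not certified to run {tp} on {cdi}")
        for other in self.sod.get(tp, ()):
            if self.history.get((txn, other)) == subject:
                raise PermissionError(f"separation of duties: {subject} already ran {other} for {txn}")
        TPS[tp](ledger, txn, **args)
        self.history[(txn, tp)] = subject
        ledger.log.append((txn, subject, tp, cdi))  # append-only audit record (C4)
        if not ivp(ledger):
            raise RuntimeError(f"IVP failed after {tp}; a TP was mis-certified")


def demo():
    """Constructed scenario: clerk 'alice' requests transfers, manager 'bob' approves."""
    ledger = Ledger(accounts={"ops": 500, "vendor": 0}, total=500)
    mon = ClarkWilsonMonitor()
    for who in ("alice", "bob"):
        mon.certify(who, "request_transfer", "ledger")
    mon.certify("bob", "approve_transfer", "ledger")      # only the manager approves
    mon.separate_duties("request_transfer", "approve_transfer")
    out = {}
    mon.run("alice", "request_transfer", "ledger", ledger, "T1", src="ops", dst="vendor", amount=200)
    mon.run("bob", "approve_transfer", "ledger", ledger, "T1")
    out["T1"] = dict(ledger.accounts)
    mon.run("alice", "request_transfer", "ledger", ledger, "T2", src="ops", dst="vendor", amount=50)
    try:                                                  # alice holds no approve triple
        mon.run("alice", "approve_transfer", "ledger", ledger, "T2")
        out["T2"] = "approved"
    except PermissionError:
        out["T2"] = "denied: no triple"
    mon.run("bob", "request_transfer", "ledger", ledger, "T3", src="ops", dst="vendor", amount=50)
    try:                                                  # bob requested T3, so bob may not approve it
        mon.run("bob", "approve_transfer", "ledger", ledger, "T3")
        out["T3"] = "approved"
    except PermissionError:
        out["T3"] = "denied: separation of duties"
    mon.run("alice", "request_transfer", "ledger", ledger, "T4", src="ops", dst="vendor", amount=10_000)
    try:                                                  # more than ops holds: the TP refuses
        mon.run("bob", "approve_transfer", "ledger", ledger, "T4")
    except ValueError:
        out["T4"] = "tp refused"
    out["ivp"] = ivp(ledger)
    out["audited"] = len(ledger.log)
    return out
```

Two points worth noticing when running it. The "no triple" and "separation of duties" denials happen before any TP touches the ledger, which is the E2/C3 enforcement the text describes; the refused T4 approval is the TP itself declining, and the IVP still holds afterwards because a well-formed TP never leaves the CDIs half-changed. A production monitor would also log the denied attempts, not only the successful ones.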

Summary

Designing secure computing systems is a complex task, and many security engineers have dedicated their entire careers to understanding the innermost workings of information systems and ensuring that they support the core security functions required to safely operate in the current environment. Many security professionals don't necessarily require an in-depth knowledge of these principles, but they should have at least a broad understanding of the basic fundamentals that drive the process to enhance security within their own organizations.

Such understanding begins with an investigation of hardware, software, and firmware and how those pieces fit into the security puzzle. It’s important to understand the principles of common computer and network organizations, architectures, and designs, including addressing (both physical and symbolic), the difference between address space and memory space, and machine types (real, virtual, multistate, multitasking, multiprogramming, multiprocessing, multiprocessor, and multiuser).

Additionally, a security professional must have a solid understanding of operating states (single state, multistate), operating modes (user, supervisor, privileged), storage types (primary, secondary, real, virtual, volatile, nonvolatile, random, sequential), and protection mechanisms (layering, abstraction, data hiding, process isolation, hardware segmentation, principle of least privilege, separation of privilege, accountability).

All of this understanding must culminate in an effective system security implementation in terms of preventive, detective, and corrective controls. That's why you must also know the access control models and their functions. This includes the state machine model, Bell-LaPadula, Biba, Clark-Wilson, the information flow model, the noninterference model, the Take-Grant model, the access control matrix model, and the Brewer and Nash model.

Exam Essentials

Be able to explain the differences between multitasking, multithreading, multiprocessing, and multiprogramming. Multitasking is the apparently simultaneous execution of more than one application on a computer; the operating system switches the processor between them. Multithreading permits multiple concurrent tasks to be performed within a single process. Multiprocessing is the use of more than one processor to increase computing power. Multiprogramming is similar to multitasking but takes place on mainframe systems and requires specific programming.

Understand the differences between single state processors and multistate processors. Single state processors are capable of operating at only one security level at a time, whereas multistate processors can simultaneously operate at multiple security levels.

Describe the four security modes approved by the federal government for processing classified information. Dedicated systems require that all users have appropriate clearance, access permissions, and need-to-know for all information stored on the system. System high mode removes the need-to-know requirement. Compartmented mode removes the need-to-know requirement and the access permission requirement. Multilevel mode removes all three requirements.

Explain the two layered operating modes used by most modern processors. User applications operate in a limited instruction set environment known as user mode. The operating system performs controlled operations in privileged mode, also known as system mode, kernel mode, and supervisory mode.


Describe the different types of memory used by a computer. ROM is nonvolatile and can’t be written to by the end user. PROM chips allow the end user to write data once. EPROM chips may be erased through the use of ultraviolet light and then rewritten. EEPROM chips may be erased with electrical current and then rewritten. RAM chips are volatile and lose their contents when the computer is powered off.

Know the security issues surrounding memory components. There are three main security issues surrounding memory components: the fact that data may remain on the chip after power is removed, the fact that memory chips are highly pilferable, and the control of access to memory in a multiuser system.

Describe the different characteristics of storage devices used by computers. Primary storage is the same as memory. Secondary storage consists of magnetic and optical media that must be first read into primary memory before the CPU can use the data. Random access storage devices can be read at any point, whereas sequential access devices require scanning through all the data physically stored before the desired location.

Know the security issues surrounding secondary storage devices. There are three main security issues surrounding secondary storage devices: removable media can be used to steal data, access controls and encryption must be applied to protect data, and data can remain on the media even after file deletion or media formatting.

Understand security risks that input and output devices can pose. Input/output devices can be subject to eavesdropping and tapping, used to smuggle data out of an organization, or used to create unauthorized, insecure points of entry into an organization’s systems and networks. Be prepared to recognize and mitigate such vulnerabilities.

Understand I/O addresses, configuration, and setup. Working with legacy PC devices requires some understanding of IRQs, DMA, and memory-mapped I/O. Be prepared to recognize and work around potential address conflicts and misconfigurations and to integrate legacy devices with Plug and Play (PnP) counterparts.

Know the purpose of firmware. Firmware is software stored on a ROM chip. At the computer level, it contains the basic instructions needed to start a computer. Firmware is also used to provide operating instructions in peripheral devices such as printers.

Be able to describe process isolation, layering, abstraction, data hiding, and hardware segmentation. Process isolation ensures that individual processes can access only their own data. Layering creates different realms of security within a process and limits communication between them. Abstraction creates “black box” interfaces without requiring knowledge of an algorithm’s or device’s inner workings. Data hiding prevents information from being read from a different security level. Hardware segmentation enforces process isolation with physical controls.

Understand how a security policy drives system design, implementation, testing, and deployment. The role of a security policy is to inform and guide the design, development, implementation, testing, and maintenance of some particular system.


Understand how the principle of least privilege, separation of privilege, and accountability apply to computer architecture. The principle of least privilege ensures that only a minimum number of processes are authorized to run in supervisory mode. Separation of privilege increases the granularity of secure operations. Accountability ensures that an audit trail exists to trace operations back to their source.

Know details about each of the access control models. The state machine model ensures that every transition leaves the system in a secure state, so that all instances of subjects accessing objects are secure. Bell-LaPadula subjects have a clearance level that allows them to access only objects with corresponding classification levels (no read up, no write down). Biba prevents subjects at lower integrity levels from writing to objects at higher integrity levels (no write up) and prevents subjects from reading objects at lower integrity levels (no read down). Clark-Wilson is an integrity model in which subjects may modify constrained data items only through certified transformation procedures; it enforces separation of duties and logs each transaction so that improper modifications can be detected. The information flow model is designed to prevent unauthorized, insecure, or restricted information flow. The noninterference model prevents the actions of one subject from affecting the system state or actions of another subject. The Take-Grant model dictates how rights can be passed from one subject to another or from a subject to an object. Finally, an access control matrix is a table of subjects and objects that indicates the actions or functions that each subject can perform on each object.
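The Bell-LaPadula versus Biba contrast drawn in the exam-essentials item above, and earlier in the recap of the models, is the one candidates most often get backwards, so here it is as a working check. This Python example is added for this page and is not code from the study guide: it implements both models over a lattice of (level, category set) labels, where one label dominates another when its level is at least as high and its categories are a superset. Bell-LaPadula decides with no read up / no write down on confidentiality labels, Biba with no read down / no write up on integrity labels, and a combined decision grants access only when both agree. The level names, categories, the analyst subject and the five objects are constructed for the example.

```python
"""Bell-LaPadula and Biba decisions over a label lattice (added example,
constructed levels and objects). A label is (level, categories); A dominates
B when A.level >= B.level and A.categories is a superset of B.categories."""
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}


@dataclass(frozen=True)
class Label:
    level: int
    categories: frozenset = frozenset()

    def dominates(self, other):
        return self.level >= other.level and self.categories >= other.categories


def blp_allows(subject, obj, mode):
    """Bell-LaPadula on confidentiality labels: no read up (simple security
    property), no write down (*-property)."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown mode {mode}")


def biba_allows(subject, obj, mode):
    """Biba strict integrity on integrity labels: no read down (simple
    integrity property), no write up (integrity *-property). It is
    Bell-LaPadula with the direction of dominance reversed."""
    if mode == "read":
        return obj.dominates(subject)
    if mode == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown mode {mode}")


def mac_decision(subject, obj, mode):
    """Each subject and object carries a confidentiality label and an
    integrity label; access is granted only when both models allow it."""
    return (blp_allows(subject["conf"], obj["conf"], mode)
            and biba_allows(subject["integ"], obj["integ"], mode))


def demo():
    """Constructed scenario: an analyst cleared Secret for the 'crypto'
    compartment, running at 'user' integrity, against five objects."""
    def lab(conf_level, cats, integ_level):
        return {"conf": Label(LEVELS[conf_level], frozenset(cats)),
                "integ": Label(INTEGRITY[integ_level])}

    analyst = lab("secret", {"crypto"}, "user")
    objects = {
        "sigint_report": lab("top_secret", {"crypto"}, "user"),      # above the analyst
        "public_notice": lab("unclassified", set(), "system"),       # below, high integrity
        "untrusted_download": lab("unclassified", set(), "untrusted"),
        "secret_crypto_notes": lab("secret", {"crypto"}, "user"),    # same labels
        "secret_nuclear": lab("secret", {"nuclear"}, "user"),        # same level, other compartment
    }
    return {(name, mode): mac_decision(analyst, obj, mode)
            for name, obj in objects.items() for mode in ("read", "write")}
```

The results repay a close look. The analyst cannot read the Top Secret report but may write to it: that blind write-up is the *-property doing exactly what Bell-LaPadula intends, and it is the kind of modification the integrity models exist to constrain. The untrusted download is unreadable even though it is unclassified, because Biba forbids reading down, and the nuclear compartment is closed in both directions because categories, not only levels, take part in dominance.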


Review Questions

1. Many PC operating systems provide functionality that enables them to support the simultaneous execution of multiple applications on single-processor systems. What term is used to describe this capability?

A. Multiprogramming

B. Multithreading

C. Multitasking

D. Multiprocessing

2. Which one of the following devices is most susceptible to TEMPEST monitoring of its emanations?

A. Floppy drive

B. Monitor

C. CD-ROM

D. Keyboard

3. You have three applications running on a single-processor system that supports multitasking. One of those applications is a word processing program that is managing two threads simultaneously. The other two applications are using only one thread of execution. How many application threads are running on the processor at any given time?

A. 1

B. 2

C. 3

D. 4

4. What type of federal government computing system requires that all individuals accessing the system have a need-to-know for all of the information processed by that system?

A. Dedicated

B. System high

C. Compartmented

D. Multilevel

5. What term describes the processor mode used to run the system tools used by administrators seeking to make configuration changes to a machine?

A. User mode

B. Supervisory mode

C. Kernel mode

D. Privileged mode


6. What type of memory chip allows the end user to write information to the memory only one time and then preserves that information indefinitely without the possibility of erasure?

A. ROM

B. PROM

C. EPROM

D. EEPROM

7. Which type of memory chip can be erased only when it is removed from the computer and exposed to a special type of ultraviolet light?

A. ROM

B. PROM

C. EPROM

D. EEPROM

8. Which one of the following types of memory might retain information after being removed from a computer and, therefore, represent a security risk?

A. Static RAM

B. Dynamic RAM

C. Secondary memory

D. Real memory

9. What is the single largest security threat RAM chips pose to your organization?

A. Data retention

B. Fire

C. Theft

D. Electronic emanations

10. What type of electrical component serves as the primary building block for dynamic RAM chips?

A. Capacitor

B. Resistor

C. Flip-flop

D. Transistor

11. Which one of the following storage devices is most likely to require encryption technology in order to maintain data security in a networked environment?

A. Hard disk

B. Backup tape

C. Floppy disk

D. RAM


12. In which of the following security modes can you be assured that all users have access permissions for all information processed by the system but will not necessarily have a need-to-know for all of that information?

A. Dedicated

B. System high

C. Compartmented

D. Multilevel

13. Which one of the following security modes does not require that all users have a security clearance for the highest level of information processed by the system?

A. Dedicated

B. System high

C. Compartmented

D. Multilevel

14. What type of memory device is normally used to contain a computer's BIOS?

A. PROM

B. EEPROM

C. ROM

D. EPROM

15. What type of memory is directly available to the CPU and does not need to be loaded?

A. RAM

B. ROM

C. Register memory

D. Virtual memory

16. In what type of addressing scheme is the data actually supplied to the CPU as an argument to the instruction?

A. Direct addressing

B. Immediate addressing

C. Base+Offset addressing

D. Indirect addressing

17. What type of addressing scheme supplies the CPU with a location that contains the memory address of the actual operand?

A. Direct addressing

B. Immediate addressing

C. Base+Offset addressing

D. Indirect addressing


18. What security principle helps prevent users from accessing memory spaces assigned to applications being run by other users?

A. Separation of privilege

B. Layering

C. Process isolation

D. Least privilege

19. Which security principle mandates that only a minimum number of operating system processes should run in supervisory mode?

A. Abstraction

B. Layering

C. Data hiding

D. Least privilege

20. Which security principle takes the concept of process isolation and implements it using physical controls?

A. Hardware segmentation

B. Data hiding

C. Layering

D. Abstraction


Answers to Review Questions

1. C. Multitasking is processing more than one task at the same time. In most cases, multitasking is actually simulated by the operating system even when not supported by the processor.

2. B. Although all electronic devices emit some unwanted emanations, monitors are the devices most susceptible to this threat.

3. A. A single-processor system can operate on only one thread at a time. There would be a total of four application threads (ignoring any threads created by the operating system), but the operating system would be responsible for deciding which single thread is running on the processor at any given time.

4. A. In a dedicated system, all users must have a valid security clearance for the highest level of information processed by the system, they must have access approval for all information processed by the system, and they must have a valid need-to-know for all information processed by the system.

5. A. All user applications, regardless of the security permissions assigned to the user, execute in user mode. Supervisory mode, kernel mode, and privileged mode are all terms that describe the mode used by the processor to execute instructions that originate from the operating system itself.

6. B. Programmable read-only memory (PROM) chips may be written once by the end user but may never be erased. The contents of ROM chips are burned in at the factory and the end user is not allowed to write data. EPROM and EEPROM chips both make provisions for the end user to somehow erase the contents of the memory device and rewrite new data to the chip.

7. C. EPROMs may be erased through exposure to high-intensity ultraviolet light. ROM and PROM chips do not provide erasure functionality. EEPROM chips may be erased through the application of electrical currents to the chip pins and do not require removal from the computer prior to erasure.

8. C. Secondary memory is a term used to describe magnetic and optical media. These devices will retain their contents after being removed from the computer and may be later read by another user.

9. C. RAM chips are highly pilferable items and the single greatest threat they pose is the economic loss that would result from their theft.

10. A. Dynamic RAM chips are built from a large number of capacitors, each of which holds a single electrical charge. These capacitors must be continually refreshed by the CPU in order to retain their contents. The data stored in the chip is lost when power is removed.

11. C. Floppy disks are easily removed and it is often not possible to apply operating system access controls to them. Therefore, encryption is often the only security measure short of physical security that can be afforded to them. Backup tapes are most often well controlled through physical security measures. Hard disks and RAM chips are often secured through operating system access controls.

12. B. In system high mode, all users have appropriate clearances and access permissions for all information processed by the system but have a need-to-know for only some of the information processed by that system.


13. D. In a multilevel security mode system, there is no requirement that all users have appropriate clearances to access all of the information processed by the system.

14. B. BIOS and device firmware are often stored on EEPROM chips in order to facilitate future firmware updates.

15. C. Registers are small memory locations that are located directly on the CPU chip itself. The data stored within them is directly available to the CPU and can be accessed extremely quickly.

16. B. In immediate addressing, the CPU does not need to actually retrieve any data from memory. The data is contained in the instruction itself and can be immediately processed.

17. D. In indirect addressing, the location provided to the CPU contains a memory address. The CPU retrieves the operand by reading it from the memory address provided (hence the use of the term indirect).

18. C. Process isolation provides separate memory spaces to each process running on a system. This prevents processes from overwriting each other's data and ensures that a process can't read data from another process.

19. D. The principle of least privilege states that only processes that absolutely need kernel-level access should run in supervisory mode. The remaining processes should run in user mode to reduce the number of potential security vulnerabilities.

20. A. Hardware segmentation achieves the same objectives as process isolation but takes them to a higher level by implementing them with physical controls in hardware.
