Term
Security policy model (definition) |
|
Definition
A succinct statement of the protection properties that a system, or generic type of system, must have. Its key points can typically be written down in a page or less. It is the document in which the protection goals of the system are agreed with an entire community, or with the top management of a customer. It may also be the basis of formal mathematical analysis. |
|
|
Term
Security Target (definition) |
|
Definition
A more detailed description of the protection mechanism that a specific implementation provides, and of how they relate to a list of control objectives (some but not all of which are typically derived from the policy model).
From wiki: The central document, typically provided by the developer of the product, that specifies security evaluation criteria to substantiate the vendor's claims for the product's security properties. It contains some (but not very detailed) implementation-specific information that demonstrates how the product addresses the security requirements. |
|
|
Term
|
Definition
Like a security target but expressed in an implementation-independent way to enable comparable evaluations across products and versions.
From wiki: A document used as part of the certification process according to the Common Criteria (CC). As the generic form of a Security Target (ST), it is typically created by a user or user community and provides an implementation independent specification of information assurance security requirements. It specifies generic security evaluation criteria to substantiate vendors' claims of a given family of information system products. |
|
|
Term
Every context diagram should include what things? |
|
Definition
All active stakeholders (i.e., people and external systems that interface with the system of interist.) |
|
|
Term
Every systems requirements set should specify inputs and outputs (true or false) |
|
Definition
True. Inputs and outputs should be included in every requirements set. |
|
|
Term
What does RACI stand for? |
|
Definition
1. Responsible: performs task 2. Accoutable: authority or decision-maker 3. Consulted: contributes knowlege, two-way communication. 4. Informed: one-way communication |
|
|
Term
What does a system RACI maxtrix do? |
|
Definition
It specifies who DOES what at a high-level. |
|
|
Term
What does an Access Control Matrix do? |
|
Definition
Specifies who CAN do what. More detailed view. E.g., for each user type specify whether they can read, write, control, or observe something. |
|
|
Term
When is a right R considered leaked? |
|
Definition
When it is added to an access control matrix not already contain the right. Note: Authorized transfers are not considered leaks. |
|
|
Term
When is a system considered "safe with responsed to right R"? |
|
Definition
When it prevents leaking the right R. |
|
|
Term
Should a system rights transfer funtion be included in the system access control matrix? |
|
Definition
Yes. The transfer function should be accounted for in the system access control matrix. |
|
|
Term
Security Enforcement Mechanism |
|
Definition
The mechanism responsible for enforcing security policy. E.g., a reference monitor implementation requires a reference validation mechanism, which intself requires a security kernel (a.k.a., trusted computing base). |
|
|
Term
Reference Monitor (definition) |
|
Definition
A concept that defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system. |
|
|
Term
What are the three main properties of a reference monitor? |
|
Definition
1. Must always be invoked (complete mediation). 2. Tamper-proof 3. Verifiable |
|
|
Term
|
Definition
Keep the design as simple and small as possible. |
|
|
Term
Fail-safe default behavior (three principles) |
|
Definition
1. Deny access unless explicitly authorized. 2. System default access sould be none at lowest level of operation. Note: If safety or other concerns require the opposite behavior, then these should be separated and controlled by a different security kernel. 3. Principle of complete mediation: all access requests go through a reference monitor. |
|
|
Term
|
Definition
Partition system assets by design. |
|
|
Term
|
Definition
1. Minimize the resources allocated to each user when multiple users share the same system mechanism. E.g., sandbox. |
|
|
Term
|
Definition
Function of subject should control rights as opposed to identity of subject. I.e., allocate minimal (separate) privileges according to need-to-know, need-tomodify, need-to-delete, need-to-use, and so on. |
|
|
Term
Separation of privileges (principle) |
|
Definition
System should not grant privileges based on a single condition. E.g., to gain root access in Berkley UNIX, user must be in system group “wheel” AND know the root password. |
|
|
Term
Separation/segregation of duties |
|
Definition
The practice of separating privileges to require multiparty authorization to reduce probability of misplaced trust. |
|
|
Term
|
Definition
Authorized dissemination of information. Relies on information classification. |
|
|
Term
|
Definition
Adversay should not be able to rely upon uniform threat surfaces. Conduct critical path analysis, cascase modeling, and exercise procurement discipline (among other things) to ensure. |
|
|
Term
|
Definition
1. Defense layer assessment: Utility and diversity. 2. System resource coverage analysis. 3. Access path coverage analysis. 4. Single Point of Failure (SPOF) analysis. |
|
|
Term
|
Definition
Policy and compliance strategies that strengthen enterprise security posture by enabling management metrics and strategy evaluation. |
|
|
Term
Why should security systems employ deception? (four reasons) |
|
Definition
1. divert attention 2. consume adversay energy 3. create target uncertainty 4. Record adversay behavior for analysis. |
|
|
Term
How to handle record compromises? (three things) |
|
Definition
1. Provide non-by-passable tamperproof trails of evidence. 2. Plan for data collection, correlation, and forensics 3. Record and recognize compromises. |
|
|
Term
Psychological acceptability (principles) |
|
Definition
1. strive for ease of use and operation, i.e., security mechanism should not make the system more difficult to use than if they were not present. 2. Seamlessness. |
|
|
Term
Psychological acceptability (explanation) |
|
Definition
It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user's mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors. |
|
|
Term
|
Definition
The cost to accomplish a task. From the point of view of the protector, this could be the cost to protect the system or a vulnerable aspect of the system. From the point of view of the attack, this could be the cost to circumvent security. Make the cost to protect commensurate with the threats and expected risks. |
|
|
Term
|
Definition
The design should not be secret. The mechanisms should not depend on the ignorance of potential attackers, but rather on the possession of specific, more easily protected, keys or passwords. It is simply not realistic to attempt to maintain secrecy for any system which receives wide distribution.
Corollary: For new software, this may mean there is a honeymoon period for new software until flaw and bugs are more widely known. |
|
|
Term
Physical Security Principals (four) |
|
Definition
1. Deter: demoticate adversary 2. Detect: identify adversary activity 3. Delay: slow down adversary 4. Deny: Prevent adversay attack success |
|
|
Term
Awareness (principles - three) |
|
Definition
1. External awareness. 2. Interal awareness. 3. Awareness escalation capability. |
|
|
Term
|
Definition
1. Extremists 2. terrorists 3. criminals (regular and organized) 4. Disgruntles customers and employees 5. competitors 6. hostile-nation states. |
|
|
Term
|
Definition
1. data access. 2. covert data mining 3. transaction fraud 4. corporate espionage 5. corporate espionage 6. sabotage (cyber and phyical) 7. corrupt mobile software supply chain 8. Attacks on employee personal property |
|
|
Term
|
Definition
1. Steal sensitive data 2. Steal tech 3. Perform unauthorized system actions 4. reduce system availability 5. impersonate user |
|
|