Term
| Security policy model (definition) |
|
Definition
| A succinct statement of the protection properties that a system, or generic type of system, must have. Its key points can typically be written down in a page or less. It is the document in which the protection goals of the system are agreed with an entire community, or with the top management of a customer. It may also be the basis of formal mathematical analysis. |
|
|
Term
| Security Target (definition) |
|
Definition
A more detailed description of the protection mechanism that a specific implementation provides, and of how they relate to a list of control objectives (some but not all of which are typically derived from the policy model).
From wiki: The central document, typically provided by the developer of the product, that specifies security evaluation criteria to substantiate the vendor's claims for the product's security properties. It contains some (but not very detailed) implementation-specific information that demonstrates how the product addresses the security requirements. |
|
|
Term
|
Definition
Like a security target but expressed in an implementation-independent way to enable comparable evaluations across products and versions.
From wiki: A document used as part of the certification process according to the Common Criteria (CC). As the generic form of a Security Target (ST), it is typically created by a user or user community and provides an implementation independent specification of information assurance security requirements. It specifies generic security evaluation criteria to substantiate vendors' claims of a given family of information system products. |
|
|
Term
| Every context diagram should include what things? |
|
Definition
| All active stakeholders (i.e., people and external systems that interface with the system of interist.) |
|
|
Term
| Every systems requirements set should specify inputs and outputs (true or false) |
|
Definition
| True. Inputs and outputs should be included in every requirements set. |
|
|
Term
| What does RACI stand for? |
|
Definition
1. Responsible: performs task
2. Accoutable: authority or decision-maker
3. Consulted: contributes knowlege, two-way communication.
4. Informed: one-way communication |
|
|
Term
| What does a system RACI maxtrix do? |
|
Definition
| It specifies who DOES what at a high-level. |
|
|
Term
| What does an Access Control Matrix do? |
|
Definition
| Specifies who CAN do what. More detailed view. E.g., for each user type specify whether they can read, write, control, or observe something. |
|
|
Term
| When is a right R considered leaked? |
|
Definition
| When it is added to an access control matrix not already contain the right. Note: Authorized transfers are not considered leaks. |
|
|
Term
| When is a system considered "safe with responsed to right R"? |
|
Definition
| When it prevents leaking the right R. |
|
|
Term
| Should a system rights transfer funtion be included in the system access control matrix? |
|
Definition
| Yes. The transfer function should be accounted for in the system access control matrix. |
|
|
Term
| Security Enforcement Mechanism |
|
Definition
| The mechanism responsible for enforcing security policy. E.g., a reference monitor implementation requires a reference validation mechanism, which intself requires a security kernel (a.k.a., trusted computing base). |
|
|
Term
| Reference Monitor (definition) |
|
Definition
| A concept that defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system. |
|
|
Term
| What are the three main properties of a reference monitor? |
|
Definition
1. Must always be invoked (complete mediation).
2. Tamper-proof
3. Verifiable |
|
|
Term
|
Definition
| Keep the design as simple and small as possible. |
|
|
Term
| Fail-safe default behavior (three principles) |
|
Definition
1. Deny access unless explicitly authorized.
2. System default access sould be none at lowest level of operation. Note: If safety or other concerns require the opposite behavior, then these should be separated and controlled by a different security kernel.
3. Principle of complete mediation: all access requests go through a reference monitor. |
|
|
Term
|
Definition
| Partition system assets by design. |
|
|
Term
|
Definition
| 1. Minimize the resources allocated to each user when multiple users share the same system mechanism. E.g., sandbox. |
|
|
Term
|
Definition
| Function of subject should control rights as opposed to identity of subject. I.e., allocate minimal (separate) privileges according to need-to-know, need-tomodify, need-to-delete, need-to-use, and so on. |
|
|
Term
| Separation of privileges (principle) |
|
Definition
| System should not grant privileges based on a single condition. E.g., to gain root access in Berkley UNIX, user must be in system group “wheel” AND know the root password. |
|
|
Term
| Separation/segregation of duties |
|
Definition
| The practice of separating privileges to require multiparty authorization to reduce probability of misplaced trust. |
|
|
Term
|
Definition
| Authorized dissemination of information. Relies on information classification. |
|
|
Term
|
Definition
| Adversay should not be able to rely upon uniform threat surfaces. Conduct critical path analysis, cascase modeling, and exercise procurement discipline (among other things) to ensure. |
|
|
Term
|
Definition
1. Defense layer assessment: Utility and diversity.
2. System resource coverage analysis.
3. Access path coverage analysis.
4. Single Point of Failure (SPOF) analysis. |
|
|
Term
|
Definition
| Policy and compliance strategies that strengthen enterprise security posture by enabling management metrics and strategy evaluation. |
|
|
Term
| Why should security systems employ deception? (four reasons) |
|
Definition
1. divert attention
2. consume adversay energy
3. create target uncertainty
4. Record adversay behavior for analysis. |
|
|
Term
| How to handle record compromises? (three things) |
|
Definition
1. Provide non-by-passable tamperproof trails of evidence.
2. Plan for data collection, correlation, and forensics
3. Record and recognize compromises. |
|
|
Term
| Psychological acceptability (principles) |
|
Definition
1. strive for ease of use and operation, i.e., security mechanism should not make the system more difficult to use than if they were not present.
2. Seamlessness. |
|
|
Term
| Psychological acceptability (explanation) |
|
Definition
| It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user's mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors. |
|
|
Term
|
Definition
| The cost to accomplish a task. From the point of view of the protector, this could be the cost to protect the system or a vulnerable aspect of the system. From the point of view of the attack, this could be the cost to circumvent security. Make the cost to protect commensurate with the threats and expected risks. |
|
|
Term
|
Definition
The design should not be secret. The mechanisms should not depend on the ignorance of potential attackers, but rather on the possession of specific, more easily protected, keys or passwords. It is simply not realistic to attempt to maintain secrecy for any system which receives wide distribution.
Corollary: For new software, this may mean there is a honeymoon period for new software until flaw and bugs are more widely known. |
|
|
Term
| Physical Security Principals (four) |
|
Definition
1. Deter: demoticate adversary
2. Detect: identify adversary activity
3. Delay: slow down adversary
4. Deny: Prevent adversay attack success |
|
|
Term
| Awareness (principles - three) |
|
Definition
1. External awareness.
2. Interal awareness.
3. Awareness escalation capability. |
|
|
Term
|
Definition
1. Extremists
2. terrorists
3. criminals (regular and organized)
4. Disgruntles customers and employees
5. competitors
6. hostile-nation states. |
|
|
Term
|
Definition
1. data access.
2. covert data mining
3. transaction fraud
4. corporate espionage
5. corporate espionage
6. sabotage (cyber and phyical)
7. corrupt mobile software supply chain
8. Attacks on employee personal property |
|
|
Term
|
Definition
1. Steal sensitive data
2. Steal tech
3. Perform unauthorized system actions
4. reduce system availability
5. impersonate user |
|
|
