CISSP Security Architecture Flashcards

Terms Definitions
CPU Control Unit
Access and interpret instructions
Arithmetic and Logic functions
CPU Register
Within the CPU (in most cases); easy for the ALU/CU to access
CPU clock
every pulse determines if either the alu or cu runs an instruction
dynamic RAM - cheaper/capacitor (must be recharged) slower
static RAM - flip/flop circuit; doesn't lose charge; more expensive but faster
Burned in; low-level instructions that can never be changed.
POST (Power On System Testing)
Read Only Memory, but you can program it, comes from manufacturer empty. Burn once.
Erasable Programmable ROM via UV
Electrically Erasable Programmable ROM, via electrical charges, so the CPU can reset/program it. Flash.
Direct Addressing
specific location
Indirect Address
go to location stored in register place and execute
Hackers will replace location value with their own
Cache Memory
Memory the cpu has direct access to, doesn't need to get from RAM, then on the bus, then into a register, lots of wasted clock cycles.
Virtual Programs
Allows computers to address more memory than it has
MMU will check local memory first, then see if it's in virtual memory on a secondary device.
Code that is run, instruction by instruction, on a particular O/S platform. machine code.
Intermediate of source to machine code. So you compile Java to bytecode, then it can run on any O/S as long as it has Java VM running that takes bytecode and creates correct machine code.
Execution Cycle
Linear - have to wait for full FDE to finish to start next cycle
Pipeline - allows multiple FDE steps
Scalar Processor
One instruction at a time; can be pipeline
Superscalar Processor
Multiple instructions at a time; each being pipelined simultaneously.
Complex Instruction Set Computing
Each instruction performs multiple steps
Compilers are simpler
Performance may suffer.
Reduced Instruction Set Computing
Instructions are simple; need more to achieve same instruction. so more modular.
Compilers are more complex.
Time slicing the CPU among processes to 'appear' to be doing more than one at a time
Multiple instructions being run on multiple CPUs
subdividing a process into several sub processes and running them on one or more CPUs at the same time.
Operating States
Single State- one security state per machine
Multi-state - more than one. More expensive. Must have mechanism to shield different levels
Operating Modes
User Mode - Typical/User programs. Only a subset of instructions available to you.
Privileged Mode - All instructions available. (Supervisor or Kernel mode)
Storage Types (PRSV)
Primary - directly on board cpu and available (registers)
Real - holds user programs, no direct CPU access
Secondary - hard disk/tape
Virtual - memory space that can exceed real memory
Securing processes; put the most sensitive processes at the center (ring) or bottom layer.
One layer must only talk to the next layer via secure, well-defined paths.
Processes should not have access to understand the inner workings of how the steps are performed to carry out their task.
Least Privileges
Only allow a program to have access to objects that are absolutely necessary.
Physical Isolation
Reference Monitor
The code between subject and object that enforces access rules. Implemented via Security Kernel
Trusted Computer Base
Hardware/Software/Controls working together to provide security policies.
Evaluation Criteria phases
Certification - comparing your systems posture with published standards
Accreditation - Submission of cert to group for approval
Open/Closed System
Closed systems standard not readily available/published.
Trusted Computer Security Evaluation Criteria
Published Orange book, specifying categories to rate functionality & assurance of a system.
Orange Book
Uses Bell-LaPadula
Red Book
Trusted Network Interpretation
International Criteria
ITSEC - Europe
Common Criteria
Single State Machine
The state of all objects at any point in time and the transition from one state to another.
Confidentiality Only/Built on State Machine Model
- Simple Security Principle (no read up) - S may not read an O at higher sensitivity level.
- * security principle - (no write down) S may not write an object at a lower sensitivity level.
Discretionary security property - Access Matrix enforces discretionary AC
Integrity - stop unauthorized changes. Based on state model.
Simple Integrity Property - No read down, S cannot read O of lower integrity level
* security property (no write up) - S can't write to an object w/higher integrity level.
Clark Wilson
Defines each data item and then restricts the programs that can access it.
Uses security labels to grant access
CDI - Constrained data item
UDI - Unconstrained data item
IVP - Integrity Verification Procedure
TP - Modifies data item from UDI - CDI via IVP
Information Flow Model
controls all data flow from S to O and back.
Uses an access matrix to define every valid information transfer.
Biba and Bell-LaPadula are limited IFMs.
Non Interference Model
objects in one security level have no effect on an object in a different level.
make sure state change in one object doesn't bleed to another at a different level.
Covert Channel
Method to exchange information which is not normal.
Storage (B2 or above)
Initialization/failure state
inserting code during init/fail state.
ensure that security procedures are not unloaded first or loaded last.
Parameter checking
malformed packets lead to buffer overflow
sql injection
Undocumented mechanism to access system to bypass security protection.
Remote Access Trojan
Open port to allow remote access to device.
Common Criteria
Evaluation Assurance Levels
EAL1 Functionality
EAL2 Structural
EAL3 Methodically tested and checked
EAL4 Methodically Designed, tested, and reviewed
EAL5 Semi formal designed and tested
EAL6 Semi formal verified design and tested
EAL7 Formally verified design and tested.
Orange A
Verified Protection
A1 Verified Design
Orange B
Mandatory Protection
B1 Security Labels
B2 Structured Protection (No Covert Channel)
B3 Security Domains (Assurance of Isolation)
Orange C
Discretionary Protection
C1 Discretionary Security Protection (Users/Groups) ID
C2 Controlled Access Protection (Unique Users)
Orange D
Minimal Security