CISSP- Security Architecture And Design

ISO 27000 series will assist organizations of all types to
understand the fundamentals, principles, and concepts to improve the protection
of their information assets. ISO 15408 is the common criteria which includes the
evaluation criteria for IT security. ISO 9001 provides the requirements for quality
management system. ISO 9126 is an international standard for the evaluation of
software quality. Page 679.

Th reat modeling can be used to determine the threats to your
system or software, which can be used to generate detailed countermeasure requirements.
Data classifi cation can be used to determine appropriate levels of protection
for the data that is transmitted or stored and this can be used to determine
confi dentiality, integrity or availability requirements. Determining residual and
acceptable risk thresholds can be used to generate security requirements as well.
Page 677.

Security policy documents the security requirements of
an organization. Subsequently, a security model is a specification that describes
the rules to be implemented to support and enforce the security policy. While
the security policy provides the “What” requirements needs to be met, the
security model provides “HOW” (the rules by which) the requirements will
be met. The part of the operating system where security features are located
is the security kernel. Security reference monitor is the tamperproof module
that controls the access request of software to either the data or the system.
Page 682.

Penetration testing, vulnerability assessments, and data classifi
cation may help with the identifi cation of threats and countermeasures, but do
not necessarily always translate or quantify the threats and vulnerabilities to risk.
Page 706.

Bell–LaPadula is a confi dentiality model that deals with the
prevention of information disclosure. Page 685.

Th e Graham–Denning access control model has three parts: a
set of objects, a set of subjects, and a set of rights. Bell–LaPadula is a confi dentiality
model. Biba is an integrity model. Th e Chinese Wall Model is also a confi dential
assurance model that deals with the about separation of access. Page 692.

In the accreditation phase, management evaluates the capacity
of a system to meet the needs of the organization. If management determines that
the needs of the system satisfy the needs of the organization, they will formally
accept the evaluated system, usually for a defi ned period of time. During the certifi -
cation phase, the product or system is tested to see whether it meets the documented requirements (including any security requirements). Validation and verifi cation are
usually part of the certification phase. Page 699.

While lattice-based models tend to treat similar subjects and
objects with similar restrictions, matrix-based models focus on one-to-one relationships
between subjects and objects. Th e best known example is the organization
of subjects and objects into an access control matrix. An access control matrix is a
two-dimensional table that allows for individual subjects and objects to be related
to each other. A state machine model, describes the behavior of a system as it moves
between one state and another, from one moment to another. A noninterference
model maintains activities at diff erent security levels to separate these levels from
each other. In this way, it minimizes leakages that may happen through covert
channels, because there is complete separation between security levels. Page 684.

EAL 7 is the only one that given after the product is formally
verifi ed, designed, and tested. All the other levels of assurances are not formally
verifi ed. Page 698.

Both Biba and Bell–LaPadula have the simple and * (star)
property and the strong * property is part of the confi dentiality Bell–LaPadula model. Th e Invocation property is unique to the Biba integrity model, which considers
a situation where corruption may occur because a less trustworthy subject
was allowed to invoke the powers of a subject with more trust. Page 688

While the other models listed can provide confi dentiality assurance,
it is only the Brewer–Nash Model, which is also known as the Chinese wall
model, that has a clear separation of access rights. Th e principle of Brewer–Nash
model is that users should not be able to access the confi dential information of both
a client organization and one or more of its competitors. It is called the Chinese
wall model because, like the Great Wall of China, once you are on one side of the
wall, you cannot get to the other side. Page 691.

Access control services focus on the identifi cation, authentication,
and authorization of subject entities (whether human or machine) as they are
deployed and employed to access the organization’s assets. Th ese services are concerned
with how and whether information is allowed to fl ow from one set of systems
to another, or from one state to another. Boundary control systems are intended to
enforce security zones of control by isolating entry points from one zone to another
(choke points). Integrity services focus on the maintenance of high-integrity systems
and data through automated checking to detect and correct corruption. Audit and
monitoring services focus on the secure collection, storage, and analysis of audited
events through centralized logging as well as the events themselves through intrusion
detection systems (HIDS and NIDS) and similar services. Page 706.

In computer programming, layering is the organization of
programming into separate functional components that interact in some sequential
and hierarchical way, with each layer usually having an interface only to the layer
above it and the layer below it. Data hiding maintains activities at diff erent security
levels to separate these levels from each other. Cryptography can be used in a variety
of ways to protect sensitive system functions and data. By encrypting sensitive
information and limiting the availability of key material, data can be hidden from
less privileged parts of the system. Abstraction involves the removal of characteristics
from an entity in order to easily represent its essential properties. Page 724.

Protection profi les are the common set of functional and assurance
requirements while security target is the specifi c functional and assurance
requirements that the author of the security target wants a given product to fulfi
ll. Trusted computing base and ring protection are not concepts of the common
criteria. Page 698.

Service strategy is not necessarily part of service portfolio. It
addresses new business needs and is used to generate the service portfolio, which
includes the range of all the services that will be provided. Service design focuses
on creating the services within the service portfolio. Service transition is primarily
concerned with translating the service design into operational services and once
these services have been deployed, they are transferred into steady-state service
operations. Th e metrics that is collected for each service is used for continual service
improvement. Pages 675–676.

SABSA (Sherwood Applied Business Security Architecture)
is a holistic lifecycle for developing security architecture that begins with assessing
business requirements. It generates a “chain of traceability” of security requirements
to business functionality, through the phases of strategy, concept, design,
implementation, and metrics. It represents any architecture using six layers, each
representing a diff erent perspective for the design and construction and use of the
target system. Page 672.

ISO/IEC 15408 is commonly referred to as the common
criteria. It is an internationally recognized standard provided the fi rst truly international
product evaluation criteria. It has largely superseded all other criteria, although there continue to be products in general use that were certifi ed under
TCSEC, ITSEC, and other criteria.It takes a very similar approach to ITSEC by
providing a fl exible set of functional and assurance requirements, and like ITSEC,
it is not very proscriptive as TCSEC had been. Instead, it is focused on standardizing
the general approach to product evaluation and providing mutual recognition
of such evaluations all over the world. Page 697.

Device drivers that control input/output devices are typically
installed by end-users (not necessarily administrators) and are often granted access
to supervisor state to help them run faster. Th is may allow a malformed driver to
be used to compromise the system unless other controls are in place to mitigate this
risk. Drivers are not add-ons to the operating system and usually require human
interaction for installation. Page 722.

Th ese devices share common security concerns with other
resource-constrained devices. In many cases, security services have been sacrifi ced
to provide richer user interaction when processing power is very limited. Also, their
mobility has made them a prime vector for data loss since they can be used to transmit
and store information in ways that may be diffi cult to control. Page 713.

In the initial stage, the processes are unpredictable, poorly
controlled, and reactive. During the managed stage, the processes are characterized
for projects (not the entire organization) and it is often reactive. In the defi ned
stage, the processes are characterized for the entire organization and are proactive.
In the optimizing stage the organization focuses on continuous process improvement.
Page 701.