Study your flashcards anywhere!

Download the official Cram app for free >

  • Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key


Play button


Play button




Click to flip

45 Cards in this Set

  • Front
  • Back
  • 3rd side (hint)
No Read Up, No Write Down describes what Security Model
Bell LaPadula
Concerns Confidentiality only
Biba, Clark Wilson, and Non-Interference models cover what aspect of security
Which among the CIA triad?
Execution and memory space assigned to each process is called a _______ _______
Protection Domain
The Boundary that separates the TCB from the rest of the system.
Security Perimeter
Programming technique used to encapsulate methods and data in an object
Information Hiding
System component that manages and enforces access controls on objects
Reference Monitor
Security Kernel
Operates at the highest level of information classification where all users must have clearances for the highest level
System High mode
Lack of parameter checking leaves a system vulnerable to this type of attack
Buffer overflow
Also called a maintenance hook
Trap door
Attack that exploits difference in time when a security control is applied and a service is used
TOC/TOU attack
This recovery mode permits access by only privileged users from privileged terminals
Maintenance mode
Design where a component failure allows the system to continue to function
Design where a failure causes termination of processes to protect the system from compromise
Design where a failure causes non-critical processes to terminate, and system runs in a degraded state
Fail-soft or Resilient
Design where a failure causes the system to use backup spare components to compensate for failed ones
This standard includes levels of assurance, from D (Least secure) to A (Most secure)
TCSEC (Trusted Computer Security Evaluation Criteria)
TCSEC Minimal Protection (one class)
D (Minimal Protection)
TCSEC Discretionary Protection (two classes)
C1 (User logon, Groups allowed)
C2 (Individual Logon, password, auditing)
TCSEC Mandatory Protection (three classes)
B1 (MAC)
B2 (MAC with Trusted path and assurance)
B3 (MAC with proven mathematical model)
TCSEC Verified Protection (one class)
A1 (Mathematical model must be proven)
European counterpart to TCSEC
ITSEC (Information Technology Security Evaluation Criteria)
ITSEC separately evaluates ____ and _____
Functionality and Assurance
The ITSEC subject of an evaluation is called the ___ __ _____
Target of Evaluation (TOE)
Combination of ITSEC, TCSEC, and Canada's CTCPEC
Common Criteria
Unit of evaluations levels in the Common Criteria
Evaluation Assurance Level
4 Phases of DITSCAP and NIACAP accreditation
1. Definition
2. Verification
3. Validation
4. Post Accreditation
This Access Control model specifies the rights that a subject can transfer to an object, or that a subject can take from another subject.
Take-Grant model
TCSEC Level that addresses covert storage channels
TCSEC level that addresses both covert storage and timing channels
B3, A1
Consolidation of power should not be allowed in a secure system, this is called
Separation (or segregation) of duties
Two operators are needed to perform a function. This is called
Dual Control
Two operators review and approve each other's work. This is called
Two-man control
Operators are given varying assignments for a time period, then their assignment changes. This is called
Rotation of duties
This type of recovery is required for only B3 and A1 TCSEC levels
Trusted Recovery
Operating system loaded without the front-end security enabled, is only done in this mode
Single-user mode
Required tracking of changes to a system under B2, B3, and A1 is called
Configuation Management
This refers to the data left on media after erasure
Data Remanence
Separation of duties, least privilege, personnel security, configuration control, Record retention, are examples of what type of controls?
Administrative Controls
Software controls, media controls, hardware controls, physical access controls are examples of what type of controls?
Operations Controls
A weakness in a system which might be exploited
An event that can cause harm to a system and create a loss of C, I , A
Exposure Factor
(Percentage of Asset Loss caused by threat)
Single Loss Expectancy
(Asset Value x Exposure Factor)
Annualized Rate of Occurence
Frequency of threat occurence per year
Annualized Loss Expectancy