
TCSEC (Orange Book) divisions and classes

Division D: Minimal Protection

Division C: Discretionary Protection
  C1 Discretionary Security Protection
    - Identification and authentication
    - Separation of users and data
    - Discretionary protection of resources
  C2 Controlled Access Protection
    - More finely grained DAC
    - Individual accountability through login procedures
    - Object reuse
    - Protected audit trail
    - Resource isolation
    - Required system documentation and user manuals

Division B: Mandatory Protection
  B1 Labeled Protection
    - Labels and Mandatory Access Control (MAC) over selected subjects and objects
    - Data sensitivity labels, device labels, label exportation capabilities
    - Process isolation in the system architecture
    - Informal statement of the security policy model
    - Design specifications and verification
    - All discovered flaws must be removed or otherwise mitigated
  B2 Structured Protection
    - Configuration management*
    - Device labels and subject sensitivity labels
    - Trusted path
    - Separation of operator and administrator functions*
    - Covert channel analysis: covert storage channels analyzed for occurrence and bandwidth
    - Security policy model clearly defined and formally documented
    - DAC and MAC enforcement extended to all subjects and objects
    - TCB carefully structured into protection-critical and non-protection-critical elements
    - Design and implementation enable more comprehensive testing and review
    - Authentication mechanisms strengthened
    - Trusted facility management with administrator and operator segregation
    - Strict configuration management controls imposed
  B3 Security Domains
    - Security administrator role defined*
    - Trusted recovery*; trusted system recovery procedures
    - Monitor events and notify security personnel; audit security-relevant events
    - Automated imminent intrusion detection, notification, and response
    - Satisfies reference monitor requirements
    - Structured to exclude code not essential to security policy enforcement
    - Significant system engineering directed toward minimizing complexity
    - Covert timing channels analyzed for occurrence and bandwidth
    - Example system: XTS-300, a precursor to the XTS-400

Division A: Verified Protection (very few systems)
  A1 Verified Design
    - Functionally identical to B3
    - Formal methods of design and testing
    - Formal design and verification techniques, including a formal top-level specification
    - Formal management and distribution procedures

Bell-LaPadula (confidentiality, MAC)              Biba (integrity)
NO READ UP (simple security property)             NO READ DOWN (simple integrity axiom)
NO WRITE DOWN (*-property)                        NO WRITE UP (*-integrity axiom)
Write allowed when USER <= File                   Write allowed when USER >= File
(subject clearance at or below the file's label)  (subject integrity at or above the file's level)
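The two rule sets above are easy to confuse, so here is an added example (not from the study sheet) of a toy reference monitor that enforces them over a three-level ordering. The label names LOW/MEDIUM/HIGH and the "read"/"write" operations are illustrative assumptions; the same ordering is read as sensitivity by Bell-LaPadula and as integrity by Biba, and the last policy shows what happens when both models are enforced over the same labels.

```python
# Added example (not from the original study sheet): a toy reference monitor
# enforcing Bell-LaPadula and Biba over one totally ordered label set.
from enum import IntEnum


class Level(IntEnum):
    """Illustrative labels. BLP reads them as sensitivity (secrecy),
    Biba reads them as integrity (trustworthiness)."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


def blp_allows(op: str, subject: Level, obj: Level) -> bool:
    """Bell-LaPadula: NO READ UP (simple security), NO WRITE DOWN (*-property)."""
    if op == "read":
        return subject >= obj   # may read objects at or below own clearance
    if op == "write":
        return subject <= obj   # may write objects at or above own clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(op: str, subject: Level, obj: Level) -> bool:
    """Biba: NO READ DOWN (simple integrity), NO WRITE UP (*-integrity)."""
    if op == "read":
        return subject <= obj   # may read only equal or more trustworthy data
    if op == "write":
        return subject >= obj   # may write only equal or less trustworthy data
    raise ValueError(f"unknown operation {op!r}")


def both_allow(op: str, subject: Level, obj: Level) -> bool:
    """BLP and Biba enforced together on the same labels: the write rules
    (subject <= object and subject >= object) only agree when the levels are
    equal, and the read rules collapse the same way."""
    return blp_allows(op, subject, obj) and biba_allows(op, subject, obj)


def access_matrix(policy, subject: Level) -> dict:
    """For one subject, map each object level to the operations `policy` grants."""
    return {
        obj.name: {op for op in ("read", "write") if policy(op, subject, obj)}
        for obj in Level
    }


if __name__ == "__main__":
    for name, policy in (("BLP", blp_allows), ("Biba", biba_allows),
                         ("BLP+Biba", both_allow)):
        print(f"{name:9s} subject=MEDIUM ->", access_matrix(policy, Level.MEDIUM))
```

For a MEDIUM subject, BLP yields read-only access to LOW, read/write at MEDIUM, and write-only (a "blind write") to HIGH; Biba yields the mirror image; enforcing both leaves only same-level access, which is why real systems usually apply the two models to separate label sets.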

Clark-Wilson (integrity model)
  - Integrity maintained through well-formed transactions
  - Separation of duties
  - Application authentication: users modify data only through certified programs (access triples of user, program, data item)

Operational integrity controls
  1. Least privilege
  2. Separation of duty
  3. Rotation of duties

Quantitative risk analysis
  Concept                              Formula
  Exposure Factor (EF)                 % of asset value lost when the threat occurs
  Single Loss Expectancy (SLE)         Asset Value (AV) x Exposure Factor (EF)
  Annualized Rate of Occurrence (ARO)  Frequency of threat occurrence per year
  Annualized Loss Expectancy (ALE)     Single Loss Expectancy (SLE) x ARO

Relational database terms (mnemonic CAD / CRT)
  Column = Attribute; Degree = number of columns
  Row = Tuple; Cardinality = number of rows

CIA / DAD
  Confidentiality  <->  Disclosure
  Integrity        <->  Alteration
  Availability     <->  Destruction

OSI model (layer 7 down to 1): Application, Presentation, Session, Transport, Network, Data Link, Physical
  Top-down mnemonic: A Priest Saw Ten Nuns Doing Pushups
  Bottom-up mnemonic: Please Do Not Take Sausage Pizza Away
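The Clark-Wilson entry above lists integrity, separation of duties and application authentication as its controls. As an added example (not from the study sheet), the following toy monitor shows how those fit together: constrained data items (a Payment) may be changed only by certified transformation procedures, a user may run a procedure on an item only if a matching access triple exists, and a separation-of-duty rule stops the creator of a payment from approving it. The payment workflow, user names and procedure names are illustrative assumptions.

```python
# Added example (not from the original study sheet): a toy Clark-Wilson monitor.
# CDIs are modified only via certified TPs, each execution must match a
# (user, TP, CDI type) access triple, and approve_payment enforces separation
# of duty. The workflow and names are illustrative assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


class PolicyViolation(Exception):
    """Raised by the monitor or a TP when an integrity rule would be broken."""


@dataclass
class Payment:
    """A constrained data item. Valid state: approved_by is set only after
    created_by is set, and by a different user."""
    amount: int
    created_by: Optional[str] = None
    approved_by: Optional[str] = None


TP = Callable[[str, Payment], None]


class ClarkWilsonMonitor:
    def __init__(self) -> None:
        self.tps: Dict[str, TP] = {}                      # certified TPs by name
        self.triples: Set[Tuple[str, str, str]] = set()   # (user, tp, cdi type)
        self.audit: List[Tuple[str, str, str]] = []       # every attempted execution

    def certify_tp(self, name: str, fn: TP) -> None:
        self.tps[name] = fn

    def authorize(self, user: str, tp: str, cdi_type: str) -> None:
        self.triples.add((user, tp, cdi_type))

    def execute(self, user: str, tp: str, cdi: Payment) -> Payment:
        """The only sanctioned way to change a CDI: check the triple, run the TP."""
        cdi_type = type(cdi).__name__
        self.audit.append((user, tp, cdi_type))
        if tp not in self.tps:
            raise PolicyViolation(f"{tp} is not a certified TP")
        if (user, tp, cdi_type) not in self.triples:
            raise PolicyViolation(f"no access triple for ({user}, {tp}, {cdi_type})")
        self.tps[tp](user, cdi)
        return cdi


def create_payment(user: str, p: Payment) -> None:
    if p.created_by is not None:
        raise PolicyViolation("payment already created")
    p.created_by = user


def approve_payment(user: str, p: Payment) -> None:
    if p.created_by is None:
        raise PolicyViolation("cannot approve a payment that was never created")
    if p.created_by == user:   # separation of duty
        raise PolicyViolation("creator may not approve their own payment")
    p.approved_by = user


def build_monitor() -> ClarkWilsonMonitor:
    m = ClarkWilsonMonitor()
    m.certify_tp("create_payment", create_payment)
    m.certify_tp("approve_payment", approve_payment)
    m.authorize("alice", "create_payment", "Payment")
    m.authorize("alice", "approve_payment", "Payment")  # alice may approve others' payments
    m.authorize("bob", "approve_payment", "Payment")
    return m


def run_workflow() -> Tuple[Payment, List[str]]:
    """alice creates, alice and mallory are refused approval, bob approves."""
    m = build_monitor()
    denied: List[str] = []
    p = Payment(amount=5000)
    m.execute("alice", "create_payment", p)
    for user in ("alice", "mallory"):
        try:
            m.execute(user, "approve_payment", p)
        except PolicyViolation as e:
            denied.append(str(e))
    m.execute("bob", "approve_payment", p)
    return p, denied


if __name__ == "__main__":
    payment, denials = run_workflow()
    print(payment)
    for d in denials:
        print("denied:", d)
```

alice holds a triple for approve_payment yet is still refused, because the separation-of-duty check lives inside the certified TP rather than in the triple table; mallory is refused earlier, at the triple check, without the TP ever running.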

Common Criteria Evaluation Assurance Levels
  EAL 1 Functionally tested
  EAL 2 Structurally tested
  EAL 3 Methodically tested and checked
  EAL 4 Methodically designed, tested, and reviewed
  EAL 5 Semiformally designed and tested
  EAL 6 Semiformally verified design and tested
  EAL 7 Formally verified design and tested
The EAL measures how rigorously the product was evaluated against its stated security needs (assurance), not how much security functionality it provides.

Common Criteria terms
  Protection Profile (PP): describes the security objectives and the environmental, functional, and assurance-level expectations for a type of product
  Target of Evaluation (TOE): the product proposed to provide the needed security solution
  Security Target (ST): written by the vendor; explains the mechanisms that meet the security and assurance requirements
  Evaluated Products List (EPL): list of evaluated products

Threat agent / vulnerability / risk
  Threat agent   Can exploit a vulnerability     Resulting in a risk
  Virus          Lack of antivirus software      Virus infection
  Hacker         Services running on a server    Unauthorized access to information
  Fire           Lack of fire extinguishers      System malfunction

(ISC)² Code of Ethics canons
  1. Protect society, the commonwealth, and the infrastructure
  2. Act honorably, honestly, justly, responsibly, and legally
  3. Provide diligent and competent service to principals
  4. Advance and protect the profession

TCP/IP model (top down): Application, Transport, Internet, Network Interface
  (roughly OSI layers 5-7, 4, 3, and 1-2 respectively)
