[CCCure CISSP] Q14April-13 Some cccure Quiz question doubts


Amlan Deb
Hello everyone,
I have some doubts regarding some cccure Quiz questions and concepts mentioned below. Would really appreciate it if you
could take out some time and help me with them. Request you to please provide a quick reply as I need to appear for the
exam in the month of July.




1.     Question: 5 | Difficulty: 5/5 | Relevancy: 3/3

Labels are required for storage devices in which of the following Orange Book ratings?

o C2.
o B1.
o B2.
o D6.


The correct answer is: B2.

Level B2 would incorporate B1 labels, but B2 also includes system design. System design covers not only the data but also the storage devices on which the data would be stored; this is to protect against covert channels.

The TCSEC rating description clearly mentions Device Labels at paragraph

The TCB shall support the assignment of minimum and maximum security levels to all attached physical devices. These security levels shall be used by the TCB to enforce constraints imposed by the physical environments in which the devices are located.

The following answers are incorrect:

C2. Level C2 does not require the protection of labels. That is not introduced until Level B.

B1. Level B1 is the first to require labels but it pertains to data labeling and the subjects and objects that need access to it.

D6. Level D6 is a distractor as there are no classes assigned to D.

One of the first accepted evaluation standards was the Trusted Computer Security Evaluation Criteria or TCSEC.

The Orange Book was part of this standard that defines four security divisions consisting of seven different classes for security ratings. The lowest class offering the least protection is D - Minimal protection. The highest classification would be A1 offering the most secure environment. As you go to the next division and class you inherit the requirements of the lower levels. So, for example C2 would also incorporate the requirements for C1 and D.

The divisions and classes are:

D – Minimal protection
C – Discretionary protection
      C1 – Discretionary Security Protection
      C2 – Controlled Access Protection
B – Mandatory Protection
      B1 – Labeled Security
      B2 – Structured Protection
      B3 –  Security Domains
A – Verified Protection
      A1 – Verified Design


OIG CBK, Security Architecture and Design (pages 329 - 330)

AIO, 3rd edition, Security Models and Architecture (pages 302 - 306)

AIO, 4th Edition, Security Architecture and Design, pp 357-362.

Wikipedia - http://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria

TCSEC Orange book,  http://www.boran.com/security/tcsec.html


Modified 6/06/2007- J. Hajec; 4/14/2008 - S. Stone.
QA checked by M. Zagorski

Contributors: don murdoch, Scot Hartman, Richard Stephens, Jonathan Guymon



My doubt: System Design is included in B1 and not B2 (as shown in the attached matrix taken from Quiz Engine Qs. 802). The answer should be B2 not because of System Design but because Device Labels are defined under B2 (as shown in the attached matrix taken from Quiz Engine Qs. 802). Please let me know if my understanding is correct.

Note: I had to include the attachment since I was unable to paste the TCSEC matrix in the body of the mail





TCSEC.jpg (174K) Download Attachment
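
The device-label requirement quoted in the post (minimum and maximum security levels assigned to each attached physical device) can be sketched as a range check. This is an added example, not part of the original post, the quiz, or the TCSEC text; the level ordering, category names, device names and the `may_transfer` function are hypothetical, and treating the range as "maximum dominates data, data dominates minimum" is an assumption about how a TCB might enforce it.

```python
from dataclasses import dataclass

# Hierarchical classifications, lowest to highest (constructed sample ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    """Sensitivity label: a hierarchical level plus non-hierarchical categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self >= other: level at least as high AND a superset of the categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

@dataclass(frozen=True)
class Device:
    """A physical device carrying the minimum/maximum levels the TCB assigned."""
    name: str
    minimum: Label
    maximum: Label

    def __post_init__(self):
        # Reject an inverted or incomparable range at assignment time.
        if not self.maximum.dominates(self.minimum):
            raise ValueError(f"{self.name}: maximum must dominate minimum")

def may_transfer(device: Device, data: Label) -> bool:
    """Permit I/O only when the data label lies inside the device's range."""
    return device.maximum.dominates(data) and data.dominates(device.minimum)

# Constructed sample devices: a printer in an open area, a tape drive in a vault.
LOBBY_PRINTER = Device("lobby-printer", Label("UNCLASSIFIED"), Label("CONFIDENTIAL"))
VAULT_TAPE = Device("vault-tape", Label("SECRET"),
                    Label("TOP SECRET", frozenset({"CRYPTO"})))

if __name__ == "__main__":
    samples = [Label("SECRET"), Label("SECRET", frozenset({"CRYPTO"})),
               Label("SECRET", frozenset({"NUCLEAR"})), Label("CONFIDENTIAL")]
    for dev in (LOBBY_PRINTER, VAULT_TAPE):
        for lab in samples:
            verdict = "allow" if may_transfer(dev, lab) else "deny"
            print(f"{dev.name:14} {lab.level:13} {sorted(lab.categories)} -> {verdict}")
```

Data whose categories the device maximum does not hold is refused even when its hierarchical level is within range, which is why the check uses dominance rather than a plain numeric comparison.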