[CCCure CISSP] Security model question


cissp_student_01
The Newark police maintain a database of addresses of convicted sex offenders
supplied by the country courthouse. They also maintain two other databases of the
resident addresses supplied by the country voter registration department and those collected at the local hospital, but computer controls are in place that override the updating of the sex offender addresses based on these records.
What security model is being used?

1) bell-lapadula
2) biba
3) clark-wilson
4) non-interference

Can anyone explain the question? I find difficulty in answering this question.

regards
sameer

_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
Re: [CCCure CISSP] Security model question

Nandj
Ans: Clark-Wilson Model.

It uses the following elements:

• Users - Active agents
• Transformation procedures (TPs) - Programmed abstract operations, such as read, write, and modify
• Constrained data items (CDIs) - Can be manipulated only by TPs
• Unconstrained data items (UDIs) - Can be manipulated by users via primitive read and write operations
• Integrity verification procedures (IVPs) - Check the consistency of CDIs with external reality

When an application uses the Clark-Wilson model, it separates data into one subset that needs to be highly protected, which is referred to as a constrained data item (CDI), and another subset that does not require a high level of protection, which is called an unconstrained data item (UDI). Users cannot modify critical data (CDI) directly. Instead, the subject (user) must be authenticated to a piece of software, and the software procedures (TPs) will carry out the operations on behalf of the user. For example, when Kathy needs to update information held within her company’s database, she will not be allowed to do so without a piece of software controlling these activities. First, Kathy must authenticate to a program, which is acting as a front end for the database, and then the program will control what Kathy can and cannot do to the information in the database. This is referred to as access triple: subject (user), program (TP), and object (CDI). A user cannot modify CDI without using a TP. So, Kathy is going to input data, which is supposed to overwrite some original data in the database. The software (TP) has to make sure this type of activity is secure and will carry out the write procedures for Kathy. Kathy (and any type of subject) is not trusted enough to manipulate objects directly. (SH-AIO-6thEd.)

Eliminating options:

1] BLP - confidentiality model, as the scenario in the question is related to updating of records.

2] Biba and the Bell-LaPadula model use a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data were only available to authorized individuals.

4] Non-Interference: The non-interference model is all about preventing covert channels through shared resources or inference attacks.

 

Regds,

Nandj

 

On Mon, Dec 16, 2013 at 11:48 PM, abid James <[hidden email]> wrote:

The Newark police maintain a database of addresses of convicted sex offenders
supplied by the country courthouse. They also maintain two other databases of the
resident addresses supplied by the country voter registration department and those collected at the local hospital, but computer controls are in place that override the updating of the sex offender addresses based on these records.
What security model is being used?

1) bell-lapadula
2) biba
3) clark-wilson
4) non-interference

Can anyone explain the question? I find difficulty in answering this question.

regards
sameer
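
The Clark-Wilson elements listed in the reply, mapped onto the question's scenario as an added example that is not part of the original thread. The subject names, the TP name and the sample addresses are constructed assumptions, and treating the voter-registration and hospital addresses as UDIs is one interpretation of the scenario.

```python
# Added illustration of Clark-Wilson enforcement for the question's scenario.
# All names (subjects, TP name, sample addresses) are constructed assumptions.

class IntegrityError(Exception):
    """Raised when an update would violate the Clark-Wilson rules."""

# Permitted access triples: (subject, transformation procedure, CDI).
ACCESS_TRIPLES = {("court_clerk", "tp_update_address", "offender_registry")}

class OffenderRegistry:
    """CDI: offender addresses. Only tp_update_address may change them."""
    def __init__(self):
        self.addresses = {}   # offender id -> address (the CDI itself)
        self.audit_log = []   # every attempt is recorded, allowed or denied

def tp_update_address(registry, subject, source, offender_id, address):
    """TP: checks the access triple and the data source before writing."""
    triple = (subject, "tp_update_address", "offender_registry")
    if triple not in ACCESS_TRIPLES:
        registry.audit_log.append(("DENY", subject, source, offender_id))
        raise IntegrityError(f"{subject} has no access triple for this CDI")
    if source != "courthouse":
        # Voter-registration and hospital addresses are UDIs: never written to the CDI.
        registry.audit_log.append(("DENY", subject, source, offender_id))
        raise IntegrityError(f"{source} records may not update the registry")
    registry.addresses[offender_id] = address
    registry.audit_log.append(("ALLOW", subject, source, offender_id))

def ivp_check(registry, courthouse_feed):
    """IVP: return ids whose CDI value disagrees with the courthouse feed."""
    return sorted(oid for oid, addr in registry.addresses.items()
                  if courthouse_feed.get(oid) != addr)

def demo():
    reg = OffenderRegistry()
    feed = {"A-100": "12 Elm St"}                      # constructed courthouse data
    tp_update_address(reg, "court_clerk", "courthouse", "A-100", "12 Elm St")
    for subject, source in [("court_clerk", "hospital"),
                            ("voter_clerk", "voter_registration")]:
        try:
            tp_update_address(reg, subject, source, "A-100", "99 Oak Ave")
        except IntegrityError:
            pass                                       # denied; address unchanged
    clean = ivp_check(reg, feed)
    reg.addresses["A-100"] = "99 Oak Ave"              # write that bypassed the TP
    return reg.addresses, [e[0] for e in reg.audit_log], clean, ivp_check(reg, feed)

if __name__ == "__main__":
    print(demo())
```

Python cannot stop the direct write at the end of `demo()`; the point is that the IVP detects a CDI that no longer matches the courthouse records.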
