
Showing posts with the label CISSP

CISSP - Fagan Inspection Process

The Fagan Inspection process consists of the following steps:

1. Planning
2. Overview
3. Preparation
4. Meeting
5. Rework
6. Follow-up

CISSP - Bell-LaPadula Model

This was the first formal state machine model developed to protect confidentiality. The Bell-LaPadula model focuses on data confidentiality, unlike the Biba model (which focuses on integrity). It is also called the "read down, write up" model. This implies trusted subjects may read content below their security level and write content above their security level.

The model defines two mandatory access control (MAC) rules:

- The Simple Security Property states that a subject at a given security level may not read an object at a higher security level.
- The * (star) Security Property states that a subject at a given security level may not write to any object at a lower security level.

Limitations:

- Only addresses confidentiality (out of the three: confidentiality, integrity and availability)
- Covert channel communication is not addressed comprehensively

CISSP - Biba Model (Biba Integrity Model)

Origin: Published in 1977 at the Mitre Corporation, one year after the Bell-LaPadula model. While the BLP model addresses confidentiality (and nothing about integrity), Biba proposed this model to address integrity.

The Biba Integrity model describes a set of access control rules that are designed to ensure data integrity. Subjects and objects are grouped into various ordered levels of integrity.

Access modes of the Biba Model:

- Modify: allows a subject to write to an object. In layman's parlance, it is equivalent to write mode in other models.
- Observe: allows a subject to read an object. This command is synonymous with the read command of other models.
- Invoke: allows one subject to communicate with another subject.
- Execute: allows a subject to execute an object. The command essentially allows a subject to execute a program, which is the object.

This model is directed towards data integrity (rather than confidentiality). It is also called the "read up, write down" model. This
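The two posts above state the Bell-LaPadula rules (no read up, no write down) and the Biba rules (read up, write down) in prose. The following is an added example, not code from the blog, that encodes both sets of rules over a constructed three-level lattice so the mirror-image relationship between the confidentiality and integrity models can be checked mechanically. The level names and the request list are assumptions made for the illustration.

```python
"""Added example: access decisions under Bell-LaPadula and Biba.

The lattice (LOW < MEDIUM < HIGH) and the sample requests are constructed
for this illustration; they are not from the original posts.
"""
from enum import IntEnum


class Level(IntEnum):
    """Ordered lattice used for both security (BLP) and integrity (Biba) levels."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def blp_allows(subject_level: Level, object_level: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality).

    read  -> Simple Security Property: no read up   (subject >= object)
    write -> * (star) Security Property: no write down (subject <= object)
    """
    if op == "read":
        return subject_level >= object_level
    if op == "write":
        return subject_level <= object_level
    raise ValueError(f"unknown BLP operation: {op}")


def biba_allows(subject_integrity: Level, object_integrity: Level, mode: str) -> bool:
    """Biba (integrity), using the post's access-mode names.

    observe -> no read down:  a subject may only observe objects at or above its integrity
    modify  -> no write up:   a subject may only modify objects at or below its integrity
    """
    if mode == "observe":
        return subject_integrity <= object_integrity
    if mode == "modify":
        return subject_integrity >= object_integrity
    raise ValueError(f"unknown Biba mode: {mode}")


def evaluate(requests):
    """Run constructed (model, subject, object, op) requests and return the decisions.

    Returns a list of (model, subject, object, op, allowed) tuples so the
    outcome can be inspected or audited rather than only printed.
    """
    decisions = []
    for model, subj, obj, op in requests:
        if model == "blp":
            allowed = blp_allows(subj, obj, op)
        elif model == "biba":
            allowed = biba_allows(subj, obj, op)
        else:
            raise ValueError(f"unknown model: {model}")
        decisions.append((model, subj.name, obj.name, op, allowed))
    return decisions


# Constructed sample requests exercising each rule once in each direction.
SAMPLE_REQUESTS = [
    ("blp", Level.HIGH, Level.LOW, "read"),      # read down: allowed
    ("blp", Level.LOW, Level.HIGH, "read"),      # read up: denied (Simple Security)
    ("blp", Level.LOW, Level.HIGH, "write"),     # write up: allowed
    ("blp", Level.HIGH, Level.LOW, "write"),     # write down: denied (* Property)
    ("biba", Level.LOW, Level.HIGH, "observe"),  # read up: allowed
    ("biba", Level.HIGH, Level.LOW, "observe"),  # read down: denied
    ("biba", Level.HIGH, Level.LOW, "modify"),   # write down: allowed
    ("biba", Level.LOW, Level.HIGH, "modify"),   # write up: denied
]

if __name__ == "__main__":
    for model, subj, obj, op, allowed in evaluate(SAMPLE_REQUESTS):
        print(f"{model:4} {subj:6} -> {obj:6} {op:7} {'ALLOW' if allowed else 'DENY'}")
```

Reading the two functions side by side makes the point of the posts concrete: the comparison operators in `biba_allows` are exactly the reverse of those in `blp_allows`, which is why a system that must enforce both needs separate confidentiality and integrity labels rather than one shared level.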

CISSP - FAR, FRR, CER

What is false acceptance rate?
FAR = the percent of unauthorized users incorrectly matched to a valid user's biometric parameter.

What is false rejection rate?
FRR = the percent of incorrectly rejected valid users.

What is crossover error rate?
The Crossover Error Rate (CER) describes the point where the False Rejection Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.

Moral of the story: As the sensitivity of a biometric system increases, FRRs will rise and FARs will drop. Conversely, as the sensitivity is lowered, FRRs will drop and FARs will rise.
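To make the FAR/FRR trade-off and the crossover point tangible, here is an added example (not from the blog) that computes FAR and FRR at every matching threshold over a small constructed set of genuine and impostor similarity scores and locates the threshold at which the two rates meet. The score values are invented for the illustration; a real evaluation would use thousands of comparisons.

```python
"""Added example: FAR, FRR and the crossover (equal) error rate.

The score lists below are constructed for this illustration. A higher
threshold means a more sensitive (stricter) matcher.
"""

# Constructed similarity scores in [0, 1]: valid users compared with their own
# enrolled template (genuine) and unauthorized users compared with a valid
# user's template (impostor).
GENUINE = [0.92, 0.88, 0.81, 0.76, 0.70, 0.64, 0.55]
IMPOSTOR = [0.15, 0.22, 0.31, 0.40, 0.48, 0.58, 0.66]


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(score >= threshold for score in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: fraction of genuine attempts scoring below the threshold."""
    return sum(score < threshold for score in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Sweep thresholds from 0 to 1 and return (gap, threshold, far, frr) where
    |FAR - FRR| is smallest, i.e. the Crossover Error Rate (CER / EER)."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        f_a, f_r = far(t, impostor), frr(t, genuine)
        gap = abs(f_a - f_r)
        if best is None or gap < best[0]:
            best = (gap, t, f_a, f_r)
    return best


def sensitivity_trend(low_threshold, high_threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (far_dropped, frr_rose) when moving from a lax to a strict threshold,
    which is the 'moral of the story' stated in the post."""
    far_dropped = far(high_threshold, impostor) <= far(low_threshold, impostor)
    frr_rose = frr(high_threshold, genuine) >= frr(low_threshold, genuine)
    return far_dropped, frr_rose


if __name__ == "__main__":
    for t in (0.3, 0.5, 0.59, 0.7, 0.9):
        print(f"threshold={t:.2f}  FAR={far(t):.3f}  FRR={frr(t):.3f}")
    gap, t, f_a, f_r = crossover()
    print(f"CER/EER near threshold {t:.2f}: FAR={f_a:.3f}, FRR={f_r:.3f}")
```

With these constructed scores the two curves meet at a threshold of about 0.59, where one of seven impostors is accepted and one of seven genuine users is rejected. Raising the threshold beyond that point pushes FRR up and FAR down, exactly the behaviour the post describes for increasing sensitivity.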

CISSP - Subjects and Objects

What are subjects?
Subjects are active entities that access passive objects. For example, users can be considered subjects, as they access objects to perform some action or to accomplish a task.

What are objects?
Objects are passive entities, such as files, that are accessed by subjects.

CISSP - Types of Access Controls

- Preventive - to stop unauthorized or unwanted activity from occurring
- Detective - to discover / detect unauthorized or unwanted activity
- Corrective - to restore systems back to normal after unauthorized or unwanted activity has occurred
- Deterrent - to discourage attackers from violating security policies or taking an unwanted action
- Recovery - to repair or restore resources and capabilities after a security policy violation
- Directive - to direct, confine or control the actions of subjects to force or encourage compliance with security policy
- Compensating - to provide alternatives to existing controls to aid enforcement and support of a security policy