Security Essentials: Certificates, Identity, and Access Control
Classified in Computers
Written at on English with a size of 3.09 KB.
1. Cookies: Temporary data stored on the client-side, encrypted if SSL is used.
2. Types of Certificates:
- Site
- Personal
- Software Vendor
- Anonymous
3. Identity: Used for:
- Authentication
- Accountability
- Identifying principle
4. Principal: A unique identity. Identity is used to identify the principal, which is a computer representation of an entity.
5. Goals of a Certificate Regarding Identity: To bind the correct identity to a distinguished name.
6. Malicious Logic: A set of instructions that cause a site's security policy to be violated.
7. Predictable Computer Usage Patterns: Yes, my usage is statistically predictable. I often work from home, so the patterns between work and home are similar. I check email, run the browser, run Visual Studio, NetBeans, a text editor, and SQL Server. Frequent use of Microsoft Word or PowerPoint would be an anomaly. At home, I also occasionally use iTunes and Windows Media Player. I rarely install new programs in either location.
8. Preventing Drib's Employees from Accessing the Internet (Bell-LaPadula Model): No writes down. The internet is unclassified, while the internal network is classified (or higher). Drib's employees cannot write to the internet, which is disallowed by Bell-LaPadula. Reading from the internet is permitted. If an employee were to write something to the internet, it would be a write-down, violating Bell-LaPadula.
9. Preventing Developers from Writing to the Web Server in the DMZ (Biba Integrity Model): No writes up. Only a trusted administrator can write to the DMZ web server. Developers are not trusted to do so. This is a case of no write-up. The integrity of the developer is less than the integrity of the DMZ website.
10. Confidentiality Concerns: Customer Service Group Access to web-cl1 (Bell-LaPadula):
The web-cl1 machine will be ported to the DMZ web server; hence, information on it should be unclassified. However, the Customer Service Group (CSG) has access to credit card information, which is classified. Bell-LaPadula prohibits write-down.
11. Integrity Concerns: Customer Service Group Access to web-cl1 (Biba):
The web-cl1 machine must have high integrity because it will be copied to the DMZ web server and be accessible to the public. Members of the Customer Service Group (CSG) probably have no web programming skills, i.e., their integrity is low, and they might inadvertently make modifications to the web-cl1 machine that will break the web application. Biba does not allow write-up from a lower integrity level to a higher one.
12. Preventing Malicious Logic in the Drib System: A mail server proxy in the DMZ.
13. Relevant Principles for Failing to Securely Store and Protect Data: Least privilege, open design, and separation of privilege.