
  • Reconnaissance Methods

    • FIN Scan: Sends bare FIN packets and uses a TCP/IP server’s error-handling mechanism against it (per RFC 793 a closed port answers with RST while an open port stays silent).
    • Operating System (OS) Identification: Uses an operating system’s characteristic responses and weaknesses to obtain valuable information (fingerprinting).
    • Port sweep: Bombards a server’s IP address with packets to identify active services (listening ports).
    • Evasive sweep: Identifies a server’s systems and services without ever completing a connection to it (for example, a half-open SYN scan that never sends the final ACK).
  • Components of a basic information system architecture

    • Network architecture
    • Protection mechanisms
    • Platform architecture
    • Security Models
    • Enterprise architecture
  • Security Models

    Models that address confidentiality, integrity and information flow

    • Graham-Denning: Defines eight primitive protection rights (commands) that a subject can execute: create/delete subject, create/delete object, and read/grant/delete/transfer an access right.
    • Noninterference: Ensures that the actions of subjects at a higher security level do not affect what subjects at a lower level can observe, which prevents covert channels and interference attacks.
    • Brewer & Nash (Chinese Wall): Prevents conflicts of interest by dynamically denying a subject access to a dataset once it has accessed a competing dataset in the same conflict-of-interest class.

    Models that address security and integrity

    • Lipner: Was the first security model to separate objects into data and programs; it combines Bell-LaPadula confidentiality with Biba integrity.
    • Harrison-Ruzzo-Ullman: Comprised of generic rights and a small set of commands (primitive operations) over an access matrix; it extends Graham-Denning.
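Brewer & Nash is the one model in the list whose decisions depend on history rather than on a static label or matrix, so it is worth seeing as code. The following is an added example, not from the original page: a small reference monitor for the Chinese Wall model. The company datasets, the conflict-of-interest classes (`banks`, `oil`) and the sanitized `market_report` dataset are constructed for illustration. The simple security rule denies a read once the subject holds a competitor’s data; the *-property denies a write whenever the subject has read any other unsanitized dataset, which closes the leak where one consultant reads bank_a and writes what they learned into oil_x.

```python
from collections import defaultdict

# Hypothetical company datasets grouped into conflict-of-interest (COI) classes,
# plus sanitized (public) datasets that belong to no class.
COI_CLASSES = {
    "banks": {"bank_a", "bank_b"},
    "oil": {"oil_x", "oil_y"},
}
SANITIZED = {"market_report"}


class ChineseWall:
    """Brewer & Nash reference monitor: access decisions depend on what the
    subject has already read, not on a fixed label."""

    def __init__(self, coi_classes, sanitized=frozenset()):
        self.coi_of = {ds: c for c, dss in coi_classes.items() for ds in dss}
        self.sanitized = set(sanitized)
        self.reads = defaultdict(set)  # subject -> unsanitized datasets read so far

    def can_read(self, subject, dataset):
        """Simple security rule: allowed unless the subject has already read a
        competing dataset (same COI class, different company)."""
        if dataset in self.sanitized:
            return True
        coi = self.coi_of[dataset]  # KeyError for an unknown dataset is deliberate
        return all(
            self.coi_of[seen] != coi or seen == dataset
            for seen in self.reads[subject]
        )

    def read(self, subject, dataset):
        """Mediate a read and record it, because it constrains future decisions."""
        if not self.can_read(subject, dataset):
            raise PermissionError(f"{subject} may not read {dataset}: conflict of interest")
        if dataset not in self.sanitized:
            self.reads[subject].add(dataset)
        return True

    def can_write(self, subject, dataset):
        """*-property: the subject may write only if it can read the target and
        every unsanitized dataset it has read is the target itself. Writing to a
        sanitized (public) dataset therefore requires no confidential reads at all."""
        allowed_reads = set() if dataset in self.sanitized else {dataset}
        return self.can_read(subject, dataset) and self.reads[subject] <= allowed_reads


if __name__ == "__main__":
    wall = ChineseWall(COI_CLASSES, SANITIZED)
    wall.read("alice", "bank_a")
    print("alice -> bank_b:", wall.can_read("alice", "bank_b"))   # False: competitor
    print("alice -> oil_x: ", wall.can_read("alice", "oil_x"))    # True: other class
    wall.read("alice", "oil_x")
    print("alice writes bank_a:", wall.can_write("alice", "bank_a"))  # False: holds oil_x
```

Note that a subject who has read datasets from two different classes can no longer write anywhere except a dataset it has read exclusively; in real deployments that is why the model is paired with per-engagement subjects (or a fresh account per client) rather than one long-lived identity.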
  • Operating System States

    • Supervisory (supervisor or kernel) state: A system routine, or other highly privileged routine, is being executed by the system.
    • Problem (user) state: An application program is being executed with limited privileges.
    • Ready: A process is able to run and is waiting to be scheduled on the CPU.
    • Wait: A process is blocked until a specific event (for example, I/O completion) occurs before it can resume.
  • Control Objectives for Information and Related Technology (COBIT)

    • Can be used as the basis for internal and external security audits.
    • Defines control objectives that determine which security mechanisms should be implemented for a system.
  • ISO / IEC 27001:2005

    • Can be used for certifying a company’s ISMS and making comparisons to other companies’ ISMSs.
    • Specifies the requirements for a company’s ISMS: how it is structured, controlled, run, and maintained. (The 2005 edition has since been superseded by ISO/IEC 27001:2013 and 27001:2022.)
  • ISO / IEC 27002

    • A code of practice that describes how security controls should be implemented and operated.
    • Provides guidelines for ensuring that security controls are consistent with industry best practices.
  • Information Technology Security Evaluation Criteria (ITSEC)

    Information Technology Security Evaluation Criteria (ITSEC) assesses assurance by reviewing the development practices, documentation, configuration management and testing mechanisms of a system. Unlike TCSEC, it provides separate ratings for functionality (F classes) and assurance (E0 through E6).

  • Trusted Computer System Evaluation Criteria

    Trusted Computer System Evaluation Criteria (TCSEC, the “Orange Book”) isn’t a good evaluation tool for commercial systems, because it addresses confidentiality only and does not address data integrity. It evaluates the security policy and assurance level of a system, rating it in divisions from D (minimal protection) through A1 (verified design).


  • Active and passive protection types

    Active

    • Prevents unauthorized access to objects by mediating each access attempt
    • Includes mechanisms for memory protection (for example, isolating one process’s address space from another)

    Passive

    • Prevents the unauthorized disclosure of information even if an attacker obtains a copy of the data
    • Includes the use of cryptographic techniques such as encryption