CISSP: 11 Answers to Domain 3 Questions

Updated: Sep 15, 2020

Preliminary Notes

Understanding the philosophy behind security solutions helps to limit your search for the best controls for specific security needs. In this domain we

  1. Discuss security models, including state machine, Bell-LaPadula, Biba, Clark-Wilson, Take-Grant, and Brewer and Nash;

  2. Describe Common Criteria and other methods governments and corporations use to evaluate information systems from a security perspective; and

  3. Discuss commonly encountered design flaws and other issues that can make information systems susceptible to attack.

Objects and Subjects

Controlling access to any resource in a secure system involves two entities:

  • Subject

  • The subject is the user or process that makes a request to access a resource. Access can mean reading from or writing to a resource.

  • Object

  • The object is the resource a user or process wants to access.

For example, process A may ask for data from process B. To satisfy process A's request, process B must ask for data from process C. In this example

  • First request

  • subject = process A

  • object = process B

  • Second request

  • subject = process B

  • object = process C

Transitive Trust

  • Transitive trust is the concept that if A trusts B and B trusts C, then A inherits trust of C through the transitive property.

  • Transitive trust is a serious security concern because it may enable bypassing restrictions or limitations between A and C, especially if A and C both support interaction with B.


  • To ensure the security of a system, you need to allow subjects to access only authorised objects. A control uses access rules to limit the access of a subject to an object.

  • Access rules state which objects are valid for each subject. Further, an object might be valid for one type of access and be invalid for another type of access. For example, a file can be protected from modification by making it read-only for most users but read-write for a small set of users who have the authority to modify it.

There are both

  • Mandatory access controls (MAC) and

  • Discretionary access controls (DAC)

With MACs

  • Static attributes of the subject and object are considered to determine the permissibility of an access.

  • Each subject possesses attributes that define its clearance, or authority, to access resources.

  • Each object possesses attributes that define its classification.


  • DACs differ from MACs in that the subject has some ability to define the objects to access. This access control list serves as a dynamic access rule set that the subject can modify.

Both MAC and DAC controls limit the access to objects by subjects. The primary goal of controls is to ensure the confidentiality and integrity of data by disallowing unauthorised access by authorised or unauthorised subjects.

Security Models

In information security, models provide a way to formalise security policies. They provide a way for designers to map abstract statements into a security policy that prescribes the algorithms and data structures necessary to build hardware and software. Thus, a security model gives software designers something against which to measure their design and implementation.

Trusted Computing Base (TCB)

  • A TCB is a combination of hardware, software, and controls that work together to form a trusted base to enforce your security policy.

  • It is the only portion of that system that can be trusted to adhere to and enforce the security policy.

  • TCB components in a system are responsible for controlling access to the system. It is the responsibility of TCB components to ensure that a system behaves properly in all cases and that it adheres to the security policy under all circumstances.

State Machine Model

  • The state machine model describes a system that is always secure no matter what state it is in. It is based on the computer science definition of a finite state machine (FSM).

  • An FSM combines an external input with an internal machine state to model all kinds of complex systems. Given an input and a state, an FSM transitions to another state and may create an output.

  • According to the state machine model, a state is a snapshot of a system at a specific moment in time. If all aspects of the state meet the requirements of the security policy, that state is considered secure.

  • A transition (also called a state transition) always results in a new state. If each possible state transition results in another secure state, the system can be called a secure state machine.

  • A secure state machine model system always

  • boots into a secure state

  • maintains a secure state across all transitions; and

  • allows subjects to access resources only in a secure manner compliant with the security policy.

Information Flow Model

  • The information flow model focuses on the flow of information. It is based on a state machine model. The Bell-LaPadula and Biba models are both information flow models, but

  • Bell-LaPadula is concerned with preventing information flow from a high security level to a low security level

  • Biba is concerned with preventing information flow from a low security level to a high security level

  • Information flow models

  • Do not necessarily deal with only the direction of information flow; they can also address the type of flow.

  • Are designed to prevent unauthorised, insecure, or restricted information flow, often between different levels of security.

  • Information flow can be between subjects and objects at the same classification level as well as between subjects and objects at different classification levels.

  • Are used to establish a relationship between two versions or states of the same object when those two versions or states exist at different points in time.

Noninterference Model

  • The noninterference model is loosely based on the information flow model. However, instead of being concerned about the flow of information, the noninterference model is concerned with how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level.

  • The actions of Subject A (high) should not affect the actions of Subject B (low), or even be noticed by Subject B. If this occurs, Subject B may be placed in an insecure state or be able to deduce or infer information from a higher level of classification. This is a type of information leakage and implicitly creates a covert channel.

  • The noninterference model can be imposed to provide a form of protection against damage caused by malicious programs such as Trojan horses.

** In computer security, a covert channel is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.

Composite Theories

  • Some other models that fall into the information flow category build on the notion of how inputs and outputs between multiple systems relate to one another - which follows how information flows between systems rather than within an individual system. These are called composite theories because they explain how outputs from one system relate to inputs to another system:

  • Cascading

  • Input for one system comes from the output of another system.

  • Feedback

  • One system provides input to another system, which reciprocates by reversing those roles.

  • Hookup

  • One system sends input to another system but also sends input to external entities.

Take-Grant Model

  • The Take-Grant model employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object. There are two primary rules:

  • A subject with the grant right can grant another subject or object any other right they possess.

  • A subject with the take right can take a right from another subject.

  • In addition to these two primary rules, the Take-Grant model may adopt a create rule and a remove rule to generate or delete rights.

  • The create rule allows a subject to create new rights.

  • The remove rule allows a subject to remove rights it has.

Access Control Matrix

  • An access control matrix is a table of subjects and objects that indicates the actions or functions that each subject can perform on an object.

  • Each column of the matrix is an access control list (ACL).

  • Each row is a capabilities list.

  • An ACL is tied to the object: it lists valid actions each subject can perform.

  • A capability list is tied to the subject; it lists valid actions that can be taken on each object.

  • Access control matrixes are used by systems to quickly determine whether the requested action by a subject for an object is authorised.

Bell-LaPadula Model

  • The Bell-LaPadula model is focused on maintaining the confidentiality of objects. It does not address the aspects of integrity or availability for objects.

  • This model is built on a state machine concept and the information flow model.

  • There are three basic properties of this state machine:

  • The Simple Security Property states that a subject may not read information at a higher sensitivity level (no read up).

  • The *(star) Security Property states that a subject may not write information to an object at a lower sensitivity level (no write down). This is known as the Confinement Property.

  • The Discretionary Security Property states that the system uses an access matrix to enforce discretionary access control.

  • In summary

  • A subject cannot read an object that is classified at a higher level than it is cleared for.

  • Because objects at one level have data that is more sensitive or secret than data in objects at a lower level, a subject (who is not a trusted subject) cannot write data from one level to an object at a lower level. That action would be similar to pasting a top-secret document into an unclassified document file.

  • An exception states that a "trusted subject" is not constrained or restricted by the *(star) Security Property. The trusted subject is allowed to perform a write-down.

  • The third property (Discretionary Security Property) enforces a subject's need-to-know in order to access an object.

Biba Model

  • The Biba model addresses integrity. It is also

  • built on a state machine concept

  • based on information flow; and is

  • a multilevel model.

  • Biba appears to be pretty similar to the Bell-LaPadula model, except inverted.

  • The Simple Integrity Property states that a subject cannot read an object at a lower integrity level (no read-down).

  • The *(star) Integrity Property states that a subject cannot modify an object at a higher integrity level (no write-up).

** Simple is always about reading, and star is always about writing.

In summary, Biba was designed to address three integrity issues:

  • Prevent modification of objects by unauthorised subjects.

  • Prevent unauthorised modification of objects by authorised subjects.

  • Protect internal and external object consistency.
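The Bell-LaPadula and Biba rules above can be checked side by side. The following is an added example, not part of the original notes: a minimal reference monitor in which the three-level ordering, the function names and the sample access matrix are all assumptions made for illustration.

```python
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """Constructed three-level ordering; stands in for either lattice."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def blp_allows(subject, obj, op, trusted=False):
    """Bell-LaPadula: protects confidentiality."""
    if op == "read":
        return subject >= obj              # Simple Security Property: no read up
    if op == "write":
        return trusted or subject <= obj   # *-Property: no write down (trusted subjects exempt)
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject, obj, op):
    """Biba: protects integrity; same shape, comparisons inverted."""
    if op == "read":
        return subject <= obj              # Simple Integrity Property: no read down
    if op == "write":
        return subject >= obj              # *-Integrity Property: no write up
    raise ValueError(f"unknown operation: {op}")


def blp_monitor(matrix, subject, clearance, obj, classification, op):
    """All three BLP properties: the mandatory check and the Discretionary
    Security Property (access matrix entry) must both pass."""
    mandatory = blp_allows(clearance, classification, op)
    discretionary = op in matrix.get((subject, obj), set())
    return mandatory and discretionary


def denied(model):
    """Every (subject level, object level, op) combination the model refuses."""
    return [(s.name, o.name, op)
            for s, o, op in product(Level, Level, ("read", "write"))
            if not model(s, o, op)]


def read_write_under_both():
    """Level pairs where a subject may both read and write under both models."""
    return [(s.name, o.name) for s, o in product(Level, Level)
            if all(model(s, o, op)
                   for model in (blp_allows, biba_allows)
                   for op in ("read", "write"))]


if __name__ == "__main__":
    print("BLP denies: ", denied(blp_allows))
    print("Biba denies:", denied(biba_allows))
    print("Read+write under both models only at:", read_write_under_both())
    # Constructed matrix: alice holds read on the report, but no write right.
    matrix = {("alice", "report"): {"read"}}
    print(blp_monitor(matrix, "alice", Level.HIGH, "report", Level.MEDIUM, "read"))
    print(blp_monitor(matrix, "alice", Level.MEDIUM, "report", Level.HIGH, "write"))
```

The two deny lists never overlap, and a subject gets full read and write access under both models only to objects at its own level.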

Clark-Wilson Model

  • The Clark-Wilson model uses a three-part relationship of subject/program/object (or subject/transaction/object) known as a triple or an access control triple.

  • Subjects do not have direct access to objects.

  • Objects can be accessed only through programs. Each program has specific limitations on what it can and cannot do to an object (such as a database or other resource). This effectively limits the subject's capabilities. This is known as a constrained interface.

  • Through the use of two principles - well-formed transactions and separation of duties - the Clark-Wilson model provides an effective means to protect integrity.

Clark-Wilson defines the following items and procedures:

  • A constrained data item (CDI) is any data whose integrity is protected by the security model.

  • An unconstrained data item (UDI) is any data item that is not controlled by the security model. Any data that is to be input and hasn't been validated, or any output, would be considered an unconstrained data item.

  • An integrity verification procedure (IVP) is a procedure that scans data items and confirms their integrity.

  • Transformation procedures (TPs) are the only procedures that are allowed to modify a CDI. The limited access to CDIs through TPs forms the backbone of the Clark-Wilson integrity model.

The Clark-Wilson model uses security labels to grant access to objects, but only through transformation procedures and a restricted interface model.

  • The restricted interface model uses classification-based restrictions to offer only subject-specific authorised information and functions. This ensures that data is protected from unauthorised changes from any user, enforcing separation of duties.
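The Clark-Wilson pieces described above (access triples, CDIs, UDIs, TPs, an IVP and separation of duties) fit together as in the following added example, which is not part of the original notes. The ledger, its two transformation procedures, the invariant and all subject and account names are assumptions made for illustration.

```python
import itertools


class ClarkWilsonLedger:
    """Account balances are the CDIs; only the two TPs below may change them."""

    def __init__(self, balances, triples):
        self._cdi = dict(balances)              # constrained data items
        self._triples = set(triples)            # (subject, TP name, CDI name)
        self._total = sum(self._cdi.values())   # invariant checked by the IVP
        self._pending = {}                      # id -> (requester, src, dst, amount)
        self._ids = itertools.count(1)
        self.audit = []                         # every authorisation decision

    def balance(self, cdi):
        return self._cdi[cdi]

    def ivp(self):
        """Integrity verification procedure: no negative balance, total conserved."""
        values = list(self._cdi.values())
        return all(v >= 0 for v in values) and sum(values) == self._total

    def _authorise(self, subject, tp, *cdis):
        allowed = all((subject, tp, c) in self._triples for c in cdis)
        self.audit.append((subject, tp, cdis, allowed))
        if not allowed:
            raise PermissionError(f"no access triple: {subject}/{tp}/{cdis}")

    def tp_request(self, subject, src, dst, raw_amount):
        """TP 1: turn untrusted input (a UDI) into a validated pending transfer."""
        self._authorise(subject, "request", src, dst)
        if not (isinstance(raw_amount, str) and raw_amount.isascii()
                and raw_amount.isdigit()):
            raise ValueError("amount must be a whole number in ASCII digits")
        amount = int(raw_amount)
        if not 0 < amount <= self._cdi[src]:
            raise ValueError("amount must be positive and covered by the source")
        req_id = next(self._ids)
        self._pending[req_id] = (subject, src, dst, amount)
        return req_id

    def tp_approve(self, subject, req_id):
        """TP 2: a different subject applies the pending transfer to the CDIs."""
        requester, src, dst, amount = self._pending[req_id]
        self._authorise(subject, "approve", src, dst)
        if subject == requester:
            raise PermissionError("separation of duties: requester cannot approve")
        if amount > self._cdi[src]:
            raise ValueError("source balance no longer covers the transfer")
        del self._pending[req_id]
        self._cdi[src] -= amount
        self._cdi[dst] += amount
        if not self.ivp():
            raise RuntimeError("IVP failed after transformation procedure")
        return self.balance(src), self.balance(dst)


def build_demo_ledger():
    # Constructed sample data: alice may request, bob may approve, carol holds both.
    accounts = ("operations", "payroll")
    triples = {(s, tp, a)
               for s, tps in (("alice", ["request"]), ("bob", ["approve"]),
                              ("carol", ["request", "approve"]))
               for tp in tps for a in accounts}
    return ClarkWilsonLedger({"operations": 100, "payroll": 0}, triples)


if __name__ == "__main__":
    ledger = build_demo_ledger()
    rid = ledger.tp_request("alice", "operations", "payroll", "40")
    print(ledger.tp_approve("bob", rid), ledger.ivp())
```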

Brewer and Nash Model (aka Chinese Wall)

  • The Brewer and Nash model was created to permit access controls to change dynamically based on a user's previous activity - making it a kind of state machine model as well.

  • It seeks to create security domains that are sensitive to the notion of conflict of interest.

  • This model is known as the Chinese wall because it creates a class of data that defines which security domains are potentially in conflict and prevents any subject with access to one domain that belongs to a specific conflict class from accessing any other domain that belongs to the same conflict class.

  • Thus, this model uses the principle of data isolation within each conflict class to keep users out of potential conflict-of-interest situations.

  • Because company relationships change all the time, dynamic updates to members of and definitions for conflict classes are important.
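The history-dependent decisions and dynamic conflict-class updates described above, as an added example that is not part of the original notes. It covers read access only; CloudTAC is the client named on this page, while the other client names, the conflict classes and the method names are constructed for illustration.

```python
from collections import defaultdict


class ChineseWall:
    """Read-access decisions that depend on each subject's access history."""

    def __init__(self, conflict_classes):
        # conflict_classes: {class name: set of client datasets in conflict}
        self.class_of = {dataset: name
                         for name, datasets in conflict_classes.items()
                         for dataset in datasets}
        self.history = defaultdict(set)      # subject -> datasets already accessed

    def blocked_by(self, subject, dataset):
        """Earlier access that walls `dataset` off from `subject`, or None."""
        cls = self.class_of.get(dataset)
        if cls is None:
            return None                      # dataset is in no conflict class
        for prior in sorted(self.history[subject]):
            if prior != dataset and self.class_of.get(prior) == cls:
                return prior
        return None

    def request(self, subject, dataset):
        """Grant and record the access unless history puts it behind the wall."""
        if self.blocked_by(subject, dataset) is not None:
            return False
        self.history[subject].add(dataset)
        return True

    def assign_class(self, dataset, cls):
        """Dynamic update: a client joins (or moves to) a conflict class."""
        self.class_of[dataset] = cls

    def existing_conflicts(self, subject):
        """Pairs in the subject's history that now share a conflict class.
        Non-empty only after a class update; such subjects need review."""
        seen = sorted(self.history[subject])
        return [(a, b) for i, a in enumerate(seen) for b in seen[i + 1:]
                if self.class_of.get(a) is not None
                and self.class_of.get(a) == self.class_of.get(b)]


def demo():
    wall = ChineseWall({
        "cloud consulting": {"CloudTAC", "NimbusWorks", "StratusCo"},
        "retail banking": {"BankA", "BankB"},
    })
    results = [
        wall.request("alice", "CloudTAC"),     # first access in the class
        wall.request("alice", "NimbusWorks"),  # competitor of CloudTAC
        wall.request("alice", "BankA"),        # different conflict class
        wall.request("alice", "CloudTAC"),     # same client again
        wall.request("bob", "NimbusWorks"),    # bob has his own history
        wall.request("alice", "PayFirm"),      # not yet in any class
    ]
    # Relationships change: PayFirm is now treated as a banking competitor.
    wall.assign_class("PayFirm", "retail banking")
    return (results,
            wall.existing_conflicts("alice"),
            wall.blocked_by("alice", "BankB"))


if __name__ == "__main__":
    print(demo())
```

A class update cannot undo access that has already happened, which is why the example reports pre-existing conflicts instead of silently accepting them.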

Goguen-Meseguer Model

  • This is an integrity model and is said to be the foundation of noninterference conceptual theories.

  • It is based on predetermining the set or domain - a list of objects that a subject can access. This means

  • Subjects are allowed only to perform predetermined actions against predetermined objects.

  • When similar users are grouped into their own domain, the members of one subject domain cannot interfere with the members of another subject domain.

Sutherland Model

  • It is an integrity model. It focuses on preventing interference in support of integrity.

  • It is formally based on the state machine model and the information flow model.

  • It is based on the idea of defining a set of system states, initial states, and state transitions. Through the use of these predetermined secure states, integrity is maintained and interference is prohibited.

  • A common example is its use to prevent a covert channel from being used to influence the outcome of a process or activity.

Graham-Denning Model

  • This model is focused on the secure creation and deletion of both subjects and objects. It is a collection of eight primary rules or actions that define the boundaries of certain secure actions:

  • Securely create an object

  • Securely create a subject

  • Securely delete an object

  • Securely delete a subject

  • Securely provide the read access right

  • Securely provide the grant access right

  • Securely provide the delete access right

  • Securely provide the transfer access right

Question #1 Matthew is the security administrator for a consulting firm and must enforce access controls that restrict users’ access based upon their previous activity. For example, once a consultant accesses data belonging to CloudTAC, a consulting client, they may no longer access data belonging to any of CloudTAC's competitors. What security model best fits Matthew’s needs?

  • Clark-Wilson

  • Biba

  • Bell-LaPadula

  • Brewer-Nash



The Brewer-Nash model allows access controls to change dynamically based upon a user’s actions. It is often used in environments like Matthew’s to implement a “Chinese wall” between data belonging to different clients.

Referring to the figure shown here, what is the earliest stage of a fire where it is possible to use detection technology to identify it?

  • Incipient

  • Smoke

  • Flame

  • Heat

The topic of physical and environmental security is referenced in several domains but the two primary occurrences are in

  • Domain 3: Security Architecture and Engineering; and

  • Domain 7: Security Operations

The purpose of physical security is to protect against physical threats. The most common physical threats are

  • fire and smoke

  • water

  • earth movement (earthquakes, landslides, volcanoes)

  • storms (wind, lightning, rain, snow, sleet, ice)

  • sabotage/vandalism

  • explosion/destruction

  • building collapse

  • toxic materials

  • utility loss (power, heating, cooling, air, water)

  • equipment failure

  • theft

  • personnel loss (strikes, illness, access, transport)

Fire Prevention, Detection, and Suppression

Protecting personnel from harm should always be the most important goal of any security or protection system. In addition to protecting people, fire detection and suppression is designed to keep damage caused by fire, smoke, heat, and suppression materials to a minimum.

  • The three corners of the triangle represent fuel, heat, and oxygen. The center of the triangle represents the chemical reaction among these three elements. The point of the fire triangle is to illustrate that if you remove any of these elements from the fire triangle, the fire can be extinguished:

  • Water suppresses the temperature (heat).

  • Soda acid and other dry powders suppress the fuel supply.

  • CO2 suppresses the oxygen supply.

  • Halon substitutes and other nonflammable gases interfere with the chemistry of combustion and/or suppress the oxygen supply.

In addition to understanding the fire triangle, you should understand the four most vital stages of fire:

  • Stage 1: The Incipient Stage

  • At this stage, there is only air ionisation but no smoke. Ionisation of the air atoms occurs because the temperature is high enough to cause the atoms to knock into each other and rip off electrons. Therefore, in a flame, the amount of ionisation depends on the temperature.

  • Stage 2: The Smoke Stage

  • Smoke is visible from the point of ignition.

  • Stage 3: The Flame Stage

  • This is when a flame can be seen with the naked eye.

  • Stage 4: The Heat Stage

  • There is an intense heat buildup and everything in the area burns.

The earlier a fire is detected, the easier it is to extinguish and the less damage it and its suppression mediums can cause.

To properly protect a facility from fire requires installing an automated detection and suppression system. There are many types of fire detection systems:

  • Fixed-temperature detection systems

  • Trigger suppression when a specific temperature is reached.

  • Rate-of-rise detection systems

  • Trigger suppression when the speed at which the temperature changes reaches a specific level.

  • Flame-actuated systems

  • Trigger suppression based on the infrared energy of flames.

  • Smoke-actuated systems

  • Use photoelectric or radioactive ionisation sensors as triggers.

  • Incipient smoke detection systems (aspirating sensors)

  • Detect the chemicals typically associated with the very early stages of combustion before a fire is otherwise detectible via other means.



Fires may be detected as early as the incipient stage. During this stage, air ionisation takes place, and specialised incipient fire detection systems can identify these changes to provide early warning of a fire.

Question #2 Ralph is designing a physical security infrastructure for a new computing facility that will remain largely unstaffed. He plans to implement motion detectors in the facility but would also like to include a secondary verification control for physical presence. Which one of the following would best meet his needs?

  • CCTV

  • IPS

  • Turnstiles

  • Faraday cages

The use of physical access controls, the monitoring of personnel and equipment entering and leaving, and the auditing/logging of all physical events are key elements in maintaining overall organisational security.

Perimeter Security Controls

  • Fences, gates, turnstiles, and mantraps

  • Fences are used to clearly differentiate between areas that are under a specific level of security protection and those that aren't.

  • A gate is a controlled exit and entry point in a fence. When a gate is closed, it should not offer any additional access vulnerabilities. When gates are not protected by guards, the use of dogs or CCTV is recommended.

  • A turnstile is a form of gate that prevents more than one person at a time from gaining entry and often restricts movement in one direction.

  • A mantrap is a double set of doors that is often protected by a guard. Its purpose is to immobilise a subject until their identity and authentication are verified.

  • Lighting

  • Security guards and dogs

Internal Security Controls

  • Keys and combination locks

  • Badges, identification cards, and security IDs

  • Motion detectors

  • Infrared motion detector - monitors for significant or meaningful changes in the infrared lighting pattern of a monitored area

  • Heat-based motion detector - monitors for significant or meaningful changes in the heat levels and patterns in a monitored area

  • Wave pattern motion detector - transmits a consistent low ultrasonic or high microwave frequency signal into a monitored area and monitors for significant changes or disturbances in the reflected pattern

  • Capacitance motion detector - senses changes in the electrical or magnetic field surrounding a monitored object.

  • Intrusion alarms

  • Deterrent alarms may engage additional locks, shut doors, and so on, making further intrusion or attack more difficult

  • Repellant alarms usually sound an audio siren or bell and turn on lights

  • Notification alarms are often silent but record data about the incident and notify administrators, security guards, and law enforcement.

  • Local alarm systems must broadcast an audible alarm that can be heard up to 400 feet away and must be protected from tampering and disablement.

  • Central station system - this alarm is usually silent locally, but offsite monitoring agents are notified so they can respond to the security breach.

  • Auxiliary alarm systems can be added to either local or centralised alarm systems. When the security is breached, emergency services are notified to respond to the incident and arrive at the location.

Secondary verification mechanisms

  • When motion detectors, sensors, and alarms are used, secondary verification mechanisms should be in place.

  • CCTV is a security mechanism related to motion detectors, sensors, and alarms. It requires personnel to watch the captured video to detect suspicious and malicious activities and to trigger alarms. It is a preventive measure, whereas reviewing recorded events is a detective measure.



Question #3 Harry would like to retrieve a lost encryption key from a database that uses m of n control, with m = 4 and n = 8. What is the minimum number of escrow agents required to retrieve the key?

  • 2

  • 4

  • 8

  • 12

Cryptographic Basics

The following sections review the goals of cryptography, give an overview of the basic concepts of cryptographic technology, and look at the major mathematical principles used by cryptographic systems.

Goals of Cryptography

  • Security practitioners use cryptographic systems to meet four fundamental goals:

  • confidentiality

  • integrity

  • authentication

  • nonrepudiation

Cryptographic Concepts

  • Plaintext message

  • Before a message is put into a coded form, it is known as a plaintext message and is represented by the letter P when encryption functions are described.

  • Encrypt

  • The sender of a message uses a cryptographic algorithm to encrypt the plaintext message.

  • Ciphertext

  • The encryption of the plaintext message by the algorithm produces a ciphertext message, represented by the letter C.

  • The ciphertext message is transmitted by some physical or electronic means to the recipient.

  • Decrypt

  • The recipient then uses a predetermined algorithm to decrypt the ciphertext message and retrieve the plaintext version.

  • Keys

  • All cryptographic algorithms rely on keys to maintain their security. Every algorithm has a specific key space which is defined by its bit size.

  • It is absolutely critical to protect the security of secret keys.

  • Cryptography

  • The art of creating and implementing secret codes and ciphers.

  • Cryptanalysis

  • The study of methods to defeat codes and ciphers.

  • Cryptology

  • Refers to cryptography and cryptanalysis.

  • Cryptosystems

  • Specific implementations of a code or cipher in hardware and software.

Cryptographic Mathematics

Boolean Mathematics

  • Boolean mathematics defines the rules used for the bits and bytes that form the nervous system of any computer. The Boolean mathematics of cryptography uses a variety of logical functions to manipulate data

  • AND

  • The AND operation checks to see whether two values are true.

  • OR

  • The OR operation checks to see whether at least one of the input values is true.

  • NOT

  • The NOT operation reverses the value of an input variable.

  • Exclusive OR

  • It returns a true value when only one of the input values is true. It is perhaps the most important and most commonly used in cryptographic applications.

Modulo Function

  • It is the remainder value left over after a division operation is performed. Used by algorithms such as the RSA public key encryption algorithm.

One-Way Functions

  • It is a mathematical operation that easily produces output values for each possible combination of inputs but makes it impossible to retrieve the input values.


  • A nonce is a random number that acts as a placeholder variable in a mathematical function. When the function is executed, the nonce is replaced with a random number generated at the moment of processing for one-time use.

  • The nonce must be a unique number each time it is used.

  • One of the more recognisable examples of a nonce is an initialisation vector (IV), a random bit string that is the same length as the block size and is XORed with the message, creating a unique ciphertext every time the same message is encrypted using the same key.

Split Knowledge

  • When the information or privilege required to perform an operation is divided among multiple users, no single person has sufficient privileges to compromise the security of an environment.

  • This separation of duties and two-person control contained in a single solution is called split knowledge.

Key Escrow

  • The concept of key escrow is an example of split knowledge:

  • Using key escrow, cryptographic keys, digital signatures, and even digital certificates can be stored or backed up in a special database called the key escrow database.

  • In the event a user loses or damages their key, that key can be extracted from the backup in the key escrow database. However, if only a single key escrow agent exists, there is an opportunity for fraud and abuse of this privilege.

M of N Control

  • M of N Control requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks.

  • Implementing three of eight controls would require three people out of the eight with the assigned work task of key escrow recovery agent, to work together to pull a single key out of the key escrow database.
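The notes do not name a mechanism for M of N control. One common way to realise it is a threshold secret-sharing scheme, and the added example below (not part of the original notes) uses Shamir's secret sharing for the three-of-eight case above; the field prime, the function names and the sample key are assumptions made for illustration.

```python
import secrets

PRIME = 2**521 - 1   # Mersenne prime; the field must be larger than any escrowed key


def split(secret, m, n):
    """Create n shares of `secret`, one per escrow agent; any m recover it."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of range for the field")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):            # x = 0 would hand out the secret itself
        y = 0
        for c in reversed(coeffs):       # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def interpolate_at_zero(shares):
    """Lagrange interpolation of f(0) from the given (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover(shares, m):
    """Recover the key, refusing to run without m distinct agents' shares.
    The count check matters: with fewer shares the interpolation does not
    fail, it quietly returns a wrong value."""
    distinct = dict(shares)              # one entry per agent (x value)
    if len(distinct) < m:
        raise PermissionError(f"{len(distinct)} agent(s) present, {m} required")
    return interpolate_at_zero(sorted(distinct.items())[:m])


if __name__ == "__main__":
    key = int.from_bytes(secrets.token_bytes(32), "big")   # constructed 256-bit key
    shares = split(key, m=3, n=8)
    print(recover([shares[6], shares[1], shares[4]], 3) == key)   # any three agents
    print(interpolate_at_zero(shares[:2]) == key)                 # two agents learn nothing
```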



Question #4 Bob is a security administrator with the federal government and wishes to choose a digital signature approach that is an approved part of the federal Digital Signature Standard under FIPS 186-4. Which one of the following encryption algorithms is not an acceptable choice for use in digital signatures?

  • DSA


  • RSA


Symmetric Key Algorithms

  • Symmetric key algorithms rely on a "shared secret" encryption key that is distributed to all members who participate in the communications.

  • This key is used by all parties to both encrypt and decrypt messages, so the sender and the receiver both possess a copy of the shared key.

  • It is primarily employed to perform bulk encryption and provides only for the security service of confidentiality.

  • Symmetric key cryptography can also be called secret key cryptography and private key cryptography (with symmetric key cryptography, the word private refers to two people sharing a secret that they keep confidential. This is different from the word private used with asymmetric key algorithms).

Asymmetric Key Algorithms

  • In these systems, each user has two keys:

  • A public key which is shared with all users; and

  • A private key which is kept secret and known only to the user.

  • Opposite keys must be used in tandem to encrypt and decrypt.

Hashing Algorithms/Functions

Hash functions take a potentially long message and generate a unique output value derived from the content of the message. This value is commonly referred to as the message digest. Message digests can be generated by the sender of a message and transmitted to the recipient along with the full message for two reasons:

  1. The recipient can use the same hash function to recompute the message digest from the full message. They can then compare the computed message digest to the transmitted one to ensure that the message sent by the originator is the same one received by the recipient. If the message digests do not match, that means the message was somehow modified while in transit.

  2. The message digest can be used to implement a digital signature algorithm.

Digital Signatures

Once you have chosen a cryptographically-sound hashing algorithm, you can use it to implement a digital signature system. Digital signature infrastructures have two distinct goals:

  • Digitally-signed messages assure the recipient that the message truly came from the claimed sender. They enforce nonrepudiation.

  • Digitally signed messages assure the recipient that the message was not altered while in transit between the sender and recipient. This protects against both malicious modification and unintentional modification.

Digital signatures rely on public key cryptography and hashing functions.

If the sender wants to digitally sign a message to send to the receiver, he performs the following actions:

  1. He generates a message digest of the original plaintext message using one of the cryptographically-sound hashing algorithms, such as SHA3-512.

  2. He then encrypts only the message digest using his private key. This encrypted message digest is the digital signature.

  3. He then appends the signed message digest to the plaintext message; and

  4. Transmits the appended message to the receiver.

When the receiver receives the digitally signed message, he reverses the procedure, as follows:

  1. He decrypts the digital signature using the sender's public key.

  2. He uses the same hashing function to create a message digest of the full plaintext message received from the sender.

  3. He then compares the decrypted message digest he received from the sender with the message digest he computed himself. If the two digests match, he can be assured that the message he received was sent by the sender. If they do not match, either the message was not sent by the sender or the message was modified while in transit.
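The sender and receiver steps above, traced in code as an added example that is not part of the original notes. It uses unpadded textbook RSA with a toy key built from two publicly known Mersenne primes, so it is insecure by construction and only shows the flow; production systems use a vetted library with a padded scheme. All names and sample messages are assumptions.

```python
import hashlib

# Toy key, constructed for this example from two publicly known primes.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                                   # public modulus
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent
SIG_LEN = (N.bit_length() + 7) // 8         # fixed signature length in bytes


def digest(message: bytes) -> int:
    """Message digest as an integer (SHA3-512, as in sender step 1)."""
    return int.from_bytes(hashlib.sha3_512(message).digest(), "big")


def sign(message: bytes) -> bytes:
    """Sender steps 1-3: hash, transform the digest with the private key,
    append the result to the plaintext message."""
    signature = pow(digest(message), D, N)
    return message + signature.to_bytes(SIG_LEN, "big")


def verify(signed: bytes):
    """Receiver steps 1-3: return the message if the digests match, else None."""
    if len(signed) < SIG_LEN:
        return None
    message, sig_bytes = signed[:-SIG_LEN], signed[-SIG_LEN:]
    signature = int.from_bytes(sig_bytes, "big")
    if signature >= N:
        return None                         # not a valid value for this key
    recovered = pow(signature, E, N)        # undo the private-key step with the public key
    return message if recovered == digest(message) else None


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate modification in transit by flipping one bit at `index`."""
    changed = bytearray(data)
    changed[index] ^= 0x01
    return bytes(changed)


if __name__ == "__main__":
    signed = sign(b"Transfer 100 to account 42")        # constructed message
    print(verify(signed))                               # original message
    print(verify(flip_bit(signed, 9)))                  # message altered: None
    print(verify(flip_bit(signed, len(signed) - 1)))    # signature altered: None
```

The message itself travels in the clear; the signature gives integrity and origin assurance, not confidentiality.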

The National Institute of Standards and Technology (NIST) specifies the digital signature algorithms acceptable for federal government use in Federal Information Processing Standard (FIPS) 186-4, also known as the Digital Signature Standard (DSS). This document specifies that all federally approved digital signature algorithms must use the SHA-3 hashing functions.

  • DSS also specifies three encryption algorithms that can be used to support a digital signature infrastructure:

  • The Digital Signature Algorithm (DSA)

  • The Rivest-Shamir-Adleman (RSA) algorithm

  • The Elliptic Curve DSA (ECDSA)


  • DSA


  • RSA


Question #5 Harry would like to access a document owned by Sally and stored on a file server. Applying the subject/object model to this scenario, who or what is the subject of the resource request?

  • Harry

  • Sally

  • Server

  • Document

Controlling access to any resource in a secure system involves two entities:

  • Subject

  • The subject is the user or process that makes a request to access a resource. Access can mean reading from or writing to a resource.

  • Object

  • The object is the resource a user or process wants to access.

For example, process A may ask for data from process B. To satisfy process A's request, process B must ask for data from process C. In this example

  • First request

  • subject = process A

  • object = process B

  • Second request

  • subject = process B

  • object = process C


  • Harry

  • Sally

  • Server

  • Document

Question #6 Michael is responsible for forensic investigations and is investigating a medium severity security incident that involved the defacement of a corporate website. The web server in question ran on a virtualisation platform, and the marketing team would like to get the website up and running as quickly as possible. What would be the most reasonable next step for Michael to take?

  • Keep the website offline until the investigation is complete.

  • Take the virtualisation platform offline as evidence.

  • Take a snapshot of the compromised system and use that for the investigation.

  • Ignore the incident and focus on quickly restoring the website.

As a security professional, you must be familiar with the various types of investigations. These include

  • administrative

  • criminal

  • civil

  • regulatory investigations; and

  • investigations involving industry standards.

You must be familiar with the standards of evidence used in each investigation type and the forensic procedures used to gather evidence in support of investigations.

Investigation Types

Administrative investigations

  • These are internal investigations that examine either operational issues or a violation of the organisation's policies.

Criminal investigations

  • These are typically conducted by law enforcement personnel.

  • They may result in charging suspects with a crime and the prosecution of those charges in criminal court.

Civil investigations

  • They do not involve law enforcement but rather involve internal employees and outside consultants working on behalf of a legal team.

  • They prepare the evidence necessary to present a case in civil court resolving a dispute between two parties.

Regulatory investigations

  • Government agencies may conduct regulatory investigations when they believe that an individual or corporation has violated administrative law.

  • Some regulatory investigations may not involve government agencies. These are based upon industry standards such as the PCI DSS.

Electronic Discovery

  • In legal proceedings, each side has a duty to preserve evidence related to the case and, through the discovery process, share information with their adversary in the proceedings.

  • This discovery process applies to both paper records and electronic records. The electronic discovery (or eDiscovery) process facilitates the processing of electronic information for disclosure.

The Electronic Discovery Reference Model

The Electronic Discovery Reference Model describes a standard process for conducting eDiscovery with nine steps:

  1. Information Governance ensures that information is well organised for future eDiscovery efforts.

  2. Identification locates the information that may be responsive to a discovery request when the organisation believes that litigation is likely.

  3. Preservation ensures that potentially discoverable information is protected against alteration or deletion.

  4. Collection gathers the responsive information centrally for use in the eDiscovery process.

  5. Processing screens the collected information to perform a "rough cut" of irrelevant information, reducing the amount of information requiring detailed screening.

  6. Review examines the remaining information to determine what information is responsive to the request and removes any information protected by attorney-client privilege.

  7. Analysis performs deeper inspection of the content and context of remaining information.

  8. Production places the information into a format that may be shared with others.

  9. Presentation displays the information to witnesses, the court, and other parties.

Admissible Evidence

There are three basic requirements for evidence to be introduced into a court of law:

  • The evidence must be relevant to determining a fact.

  • The fact that the evidence seeks to determine must be material (related) to the case.

  • The evidence must be competent, meaning it must have been obtained legally.

Types of Evidence

Three types of evidence can be used in a court of law:

  • Real or Object Evidence

  • Consists of things that may actually be brought into a court of law, such as a murder weapon. In a computer crime case, real evidence might include seized computer equipment, such as a keyboard with fingerprints on it.

  • Depending on the circumstances, real evidence may also be conclusive evidence, such as DNA.

  • Documentary Evidence

  • Includes any written items brought into court to prove a fact at hand.

  • It must be authenticated - for example, if an attorney wants to introduce a computer log as evidence, they must bring a witness - for example, a system administrator - into court to testify that the log was collected as a routine business practice and is indeed the actual log that the system collected.

  • Two additional evidence rules apply specifically to documentary evidence:

  • The best evidence rule states that when a document is used as evidence in a court proceeding, the original document must be introduced.

  • The parol evidence rule states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement.

  • If documentary evidence meets the materiality, competency, and relevancy requirements, and also complies with the best evidence and parol evidence rules, it can be admitted into court.

  • Testimonial Evidence

  • Evidence consisting of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition.

  • Witnesses may offer direct evidence: oral testimony that proves or disproves a claim based on their own direct observation.

  • A witness may offer an expert opinion based on the facts presented and their personal knowledge of the field.

  • Testimonial evidence must not be hearsay evidence - the witness cannot testify as to what someone else told them outside court. Computer log files that are not authenticated by a system administrator can also be considered hearsay evidence.

Chain of Evidence

Real evidence, like any type of evidence, must meet the relevancy, materiality, and competency requirements before being admitted into court.

Real evidence must be authenticated - this can be done by a witness who can actually identify an object as unique.

  • In many cases, it is not possible for a witness to uniquely identify an object in court. In those cases, a chain of evidence, also known as chain of custody, must be established.

  • This documents everyone who handles evidence - including

  • the police who originally collect it,

  • the evidence technicians who process it, and

  • the lawyers who use it in court.

  • The location of the evidence must be fully documented from the moment it was collected to the moment it appears in court to ensure that it is indeed the same item.

  • This requires thorough labelling of evidence and comprehensive logs noting who had access to the evidence at specific times and the reasons they required such access.

When evidence is labeled to preserve the chain of custody, the label should include:

  • General description of the evidence

  • Time and date the evidence was collected

  • Exact location the evidence was collected from

  • Name of the person collecting the evidence

  • Relevant circumstances surrounding the collection.

Evidence Collection and Forensic Procedures

The International Organisation on Computer Evidence (IOCE) outlines six principles to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in the pursuit of recovered evidence:

  • When dealing with digital evidence, all of the general forensic and procedural principles must be applied.

  • Upon seizing the digital evidence, actions taken should not change that evidence.

  • When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.

  • All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.

  • An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.

  • Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.

It is important to preserve the original evidence. When analysing digital evidence, it is best to work with a copy of the actual evidence whenever possible.

  • For example, when conducting an investigation into the contents of a hard drive,

  1. make an image of that drive

  2. seal the original drive in an evidence bag; and then

  3. use the disk image for your investigation.


  • Keep the website offline until the investigation is complete.

  • Take the virtualisation platform offline as evidence.

  • Take a snapshot of the compromised system and use that for the investigation.

  • Ignore the incident and focus on quickly restoring the website.

Michael should conduct his investigation, but there is a pressing business need to bring the website back online. The most reasonable course of action would be to take a snapshot of the compromised system and use the snapshot for the investigation, restoring the website to operation as quickly as possible while using the results of the investigation to improve the security of the site.

Question #7 Helen is a software engineer and is developing code that she would like to restrict to running within an isolated sandbox for security purposes. What software development technique is Helen using?

  • Bounds

  • Input validation

  • Confinement

  • TCB

Understand and Apply Concepts of Confidentiality, Integrity, and Availability

Confidentiality, integrity, and availability (CIA) are typically viewed as the primary goals and objectives of a security infrastructure.

Security controls are typically evaluated on how well they address these three core information security tenets.

  • Confidentiality

  • Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. Its goal is to prevent or minimise unauthorised access to data.

  • If a security mechanism offers confidentiality, it offers a high level of assurance that data, objects, or resources are restricted from unauthorised subjects.

  • Integrity

  • Integrity is the concept of protecting the reliability and correctness of data.

  • Integrity protection prevents unauthorised alteration of data.

  • It ensures that data remains correct, unaltered, and preserved.

  • If a security mechanism offers integrity,

  • It offers a high level of assurance that the data, objects, and resources are unaltered from their original protected state.

  • Alterations should not occur while the object is in storage, in transit, or in process.

  • Maintaining integrity means the object itself is not altered and the operating system and programming entities that manage and manipulate the object are not compromised.

  • Availability

  • Availability means authorised subjects are granted timely and uninterrupted access to objects.

  • It includes efficient uninterrupted access to objects and prevention of denial-of-service (DoS) attacks.

  • It also implies that the supporting infrastructure is functional and allows authorised users to gain authorised access.

Techniques for Ensuring Confidentiality, Integrity, and Availability

To guarantee the confidentiality, integrity, and availability of data, you must ensure that all components that have access to data are secure and well-behaved. Software designers use different techniques to ensure that programs do only what is required and nothing more. Although these concepts all relate to software programs, they are also commonly used in all areas of security:

  • Confinement

  • Software designers use process confinement to restrict the actions of a program. It allows a process to read from and write to only certain memory locations and resources. This is also known as sandboxing.

  • Bounds

  • Each process that runs on a system is assigned an authority level. The authority level tells the operating system what the process can do. The bounds of a process consist of limits set on the memory addresses and resources it can access.

  • More secure systems may require physically-bounded processes.

  • Isolation

  • When a process is confined through enforcing access bounds, that process runs in isolation.

  • Process isolation ensures that any behaviour will affect only the memory and resources associated with the isolated process.

  • It is used to protect the operating environment, the kernel of the operating system (OS), and other independent applications.


  • Bounds

  • Input validation

  • Confinement

  • TCB

The use of a sandbox is an example of confinement, where the system restricts the access of a particular process to limit its ability to affect other processes running on the same system.

Question #8 What concept describes the degree of confidence that an organization has that its controls satisfy security requirements?

  • Trust

  • Credentialing

  • Verification

  • Assurance


To ensure the security of a system, you need to allow subjects to access only authorised objects.

  • A control uses access rules to limit the access of a subject to an object.

  • Access rules state which objects are valid for each subject. Further, an object might be valid for one type of access and be invalid for another type of access.

There are two categories of access controls

  • Mandatory access controls (MAC) - static attributes of the subject are considered to determine the permissibility of an access.

  • Each subject possesses attributes that define its clearance, or authority to access resources.

  • Each object possesses attributes that define its classification

  • Example: Subject A is granted access to object B if the security system can find a rule that allows a subject with subject A's clearance to access an object with object B's classification.

  • Discretionary access controls (DAC) - the subject has some ability to define the objects to access.

  • Within limits, DACs allow the subject to define a list of objects as needed. This ACL serves as a dynamic access rule set that the subject can modify.

The primary goal of controls is to ensure the confidentiality and integrity of data by disallowing unauthorised access by authorised or unauthorised subjects.

Trust and Assurance

Proper security concepts, controls, and mechanisms must be integrated before and during the design and architectural period in order to produce a reliably secure product. Security issues should not be added on as an afterthought. This causes

  • oversights

  • increased costs, and

  • less reliability

Once security is integrated into the design, it must be

  1. engineered

  2. implemented

  3. tested

  4. audited

  5. evaluated

  6. certified; and

  7. accredited.

A trusted system is one in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment.

  • Trust can be built into a system by implementing specific security features.

Assurance is the degree of confidence in satisfaction of security needs.

  • Assurance must be continually maintained, updated, and verified. This is true if the trusted system experiences a known change or if a significant amount of time has passed.

  • Assurance is an assessment of the reliability and usability of those security features in a real-world situation.


  • Trust

  • Credentialing

  • Verification

  • Assurance

Question #9 What type of security vulnerability are developers most likely to introduce into code when they seek to facilitate their own access, for testing purposes, to software they developed?

  • Maintenance hook

  • Cross-site scripting

  • SQL injection

  • Buffer overflow

Common Architecture Flaws and Security Issues

The goal of security models and architectures is to address as many weaknesses as possible. Some of the more common issues that affect computer systems in relation to vulnerabilities of security architectures include:

  • Covert channels

  • It is a method used to pass information over a path that is not normally used for communication. Because the path is not normally used for communication, it may not be protected by the system's normal security controls.

  • Buffer overflow

  • This violation occurs when programmers fail to validate input data sufficiently, particularly, when they do not impose a limit on the amount of data their software will accept as input.

  • Because data is usually stored in an input buffer, when the normal maximum size of the buffer is exceeded, the extra data is called overflow.

  • Such overflow data is often executed directly by the system under attack at a high level of privilege or at whatever level of privilege attaches to the process accepting such input.

  • Due diligence from programmers can eradicate buffer overflows completely, but only if programmers check all input and parameters before storing them in any data structure.

  • Maintenance Hooks

  • Maintenance hooks are entry points into a system that are known only by the developer of the system. Such entry points are called backdoors.

  • The original purpose of backdoors was to provide guaranteed access to the system for maintenance reasons or if regular access was inadvertently disabled.

  • The problem is that this type of access bypasses all security controls and provides free access to anyone who knows that the backdoor exists.

  • You should explicitly prohibit such entry points and monitor your audit logs to uncover any activity that may indicate unauthorised administrator access.

  • Cross-site scripting (XSS)

  • It is a form of malicious code-injection attack in which an attacker is able to compromise a web server and inject their own malicious code into the content sent to other visitors.

  • A successful XSS attack can result in identity theft, credential theft, data theft, financial losses, or the planting of remote-control software on visiting clients.

  • Defences against XSS include

  • maintaining a patched server

  • using web application firewalls

  • operating a host-based intrusion detection system (HIDS)

  • auditing for suspicious activity

  • performing server-side input validation for length, malicious content, and meta-character filtering.

  • SQL injection

  • Structured Query Language (SQL) injection attacks use unexpected input to a web application. However, instead of using this input to attempt to fool a user, SQL injection attacks use it to gain unauthorised access to an underlying database.

  • It allows a malicious individual to directly perform SQL transactions against the underlying database.


  • Maintenance hook

  • Cross-site scripting

  • SQL injection

  • Buffer overflow
