Untitled Quiz

Questions and Answers

What is the main focus of white-box testing?

User acceptance

External user feedback

Final version testing

Internal perspective of the system (correct)

What is the primary purpose of pilot testing?

To test the final version

To evaluate the entire system

To provide a limited evaluation of the system (correct)

To replace other testing methods

Which type of testing involves real-world exposure and is the last stage of testing?

Pilot testing

Alpha testing

Beta testing (correct)

White-box testing

What is an alpha version of a software application?

An early version of the application

What is the limitation of white-box testing?

It can miss unimplemented parts of the specification

What is the main difference between alpha and beta testing?

Alpha testing is for internal users, beta testing is for external users

What is the purpose of proof of concept?

To test early pilot tests with basic functionalities

What level of software testing process can white-box testing be applied to?

Unit, integration, and system levels

What is the primary concern when implementing biometric identification systems?

Part of body to be used for identification

What is the first step in protecting data's confidentiality?

Identify sensitive information

What type of access control is based on an individual's identity?

Identity-based access control

What is a primary goal of biometric identification systems?

To identify a person's unique physical attributes

Why is identifying sensitive information crucial in protecting data confidentiality?

To determine the sensitivity level of the data

What is not a primary step in protecting data confidentiality?

Installing a firewall

What type of access control is based on a set of rules?

Rule-based access control

Why is it important to identify sensitive information in protecting data confidentiality?

To determine the sensitivity level of the data

What would be the consequence if process 2 carried out its task on the data before process 1?

The result would be much different than if process 1 carried out its tasks on the data before process 2

What type of flaw can occur when the authentication and authorization steps are split into two functions?

Race condition

What happens when two or more processes use the same resource and the sequences of steps within the software can be carried out in an improper order?

A race condition occurs

What would an attacker gain by forcing the authorization step to take place before the authentication step?

Unauthorized access to a resource

What is eavesdropping, as defined by Black's Law Dictionary?

The act of secretly listening to the private conversation of others without their consent

What is the primary goal of traffic analysis?

To deduce information from patterns in communication

In what contexts can traffic analysis be performed?

In military intelligence, counter-intelligence, or pattern-of-life analysis

What can be inferred from analyzing traffic patterns?

Information about the communication patterns

What is the main purpose of the 'no read down' integrity in the Biba model?

To prevent a subject from reading an object at a lower integrity level

According to the lattice model, what is the condition for a subject to access an object?

The security level of the subject is equal to that of the object

What is the purpose of the * (star) Integrity Axiom in the Biba model?

To prevent a subject from writing to an object at a higher integrity level

What is the result of combining two objects X and Y in the lattice model?

An object with a security level formed by the join of the levels of X and Y

What is the purpose of the lattice model in computer security?

To implement mandatory access control

What is the 'meet' of the levels of two subjects A and B in the lattice model?

The lowest common security level of A and B

What is the main difference between the Biba model and the Bell-LaPadula model?

The Biba model is used for integrity, while the Bell-LaPadula model is used for confidentiality

What is the 'no write up' integrity in the military analogy?

A Private can never issue orders to a Sergeant

What is the primary function of a security model?

To specify the data structures and techniques necessary to enforce the security policy

What is the primary purpose of a multilevel security system?

To process data at different classification levels

What is the Bell-LaPadula model primarily used for?

To enforce the confidentiality aspects of access control

How does the Bell-LaPadula model determine access control?

By using all of the above methods

What is the primary factor that determines the handling procedures for classified information?

The level of classification of the information

What is the primary goal of a security policy?

To accomplish security goals such as authentication and authorization

How is a security model typically represented?

In mathematics and analytical ideas

What is the primary function of a security model in relation to a security policy?

To map the abstract goals of the security policy to system specifications

Study Notes

White-Box Testing

• Uses internal perspective of the system and programming skills to design test cases
• Tester chooses inputs to exercise paths through the code and determine appropriate outputs
• Can be applied at unit, integration, and system levels of software testing process
• Can test paths within a unit, between units during integration, and between subsystems during system-level test
• Has potential to miss unimplemented parts of specification or missing requirements

Alpha and Beta Testing

• Alpha testing: early version of application system submitted to internal users for testing
• Alpha version may not contain all features planned for final version
• Beta testing: form of user acceptance testing, involves limited number of external users
• Beta testing is last stage of testing, involves real-world exposure

Pilot Testing

• Preliminary test that focuses on specific and predefined aspects of a system
• Not meant to replace other testing methods, but rather provide limited evaluation of system
• Proof of concept are early pilot tests – usually over interim platform and with only basic functionalities

Biometric Identification

• Unique physical attributes or behavior of a person are used for identification
• Examples: fingerprints, facial recognition, voice recognition, etc.

Protecting Data's Confidentiality

• First step: identify which information is sensitive
• Installing a firewall, implementing encryption, and reviewing user access rights are subsequent steps

Discretionary Access Control (DAC)

• Identity-based access control: based on individual's identity
• Rule-based access control: based on set of rules defined by organization
• Lattice-based access control: complex access control model based on interaction between subjects and objects

Integrity Axiom

• States that a subject at a given level of integrity must not read an object at a lower integrity level (no read down)
• States that a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up)

Lattice Model

• Complex access control model based on interaction between subjects and objects
• Uses a lattice to define levels of security that an object may have and that a subject may have access to
• Subject is only allowed to access an object if security level of subject is greater than or equal to that of object

Security Models

• Map abstract goals of policy to information system terms by specifying explicit data structures and techniques
• Represented in mathematics and analytical ideas, mapped to system specifications and developed by programmers through programming code
• Examples: Bell-LaPadula model, Biba model, Lattice model

Kerberos

• Does not address availability
• Addresses confidentiality and integrity of information