Lecture 12, April 26

Discussion Problem. What do you think of the following homework assignment?

The Task

Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.

What the student must submit

In conducting this work, you should imagine yourself to be a security contracted by the owner of the computer system(s) to perform a security evaluation.

The student must provide a written report which has the following sections: Executive summary, description of tools and techniques used, dates and times of investigations, examples of data collected, evaluation data, overall evaluation of the system(s) including vulnerabilities.

Important note: This is not an assignment for this class. I am only asking what you think of it. The assignment is reported on the web at http://isc.sans.org/diary.php?storyid=1155.

Lecture outline.

1. Greetings and felicitations!
   1. Midterm will be on Wednesday, May 1, in class; it is open book but you may not use your computer (so if your notes are electronic, print them out!)
   2. There is a study guide, a sample midterm, and answers to it on SmartSite.
2. Goals of confidentiality policies
3. Bell-LaPadula Model with levels only
   1. Security levels
   2. Simple security property
   3. *-property
   4. Discretionary security property
4. Full Bell-LaPadula Model
   1. Add in compartments
   2. dom relation
   3. BLP as lattice structure
   4. Simple security property
   5. *-Property
   6. Discretionary security property
5. Range of levels
6. Basic Security Theorem
7. Example: DG/UX B2 System
8. Tranquility
   1. Declassification problem
   2. Strong tranquility
   3. Weak tranquility