〇：The security kernel implements and executes the reference monitor

The Trusted Computing Base (TCB) is a complete combination of protection mechanisms for a system. These are in the form of hardware, software, and firmware. These same components also comprise the security kernel. Reference monitors are access control concepts implemented and enforced by the security kernel via hardware, software, and firmware. In doing so, it ensures that the security kernel, the subject, has the proper permissions to access the object it is requesting. The subject, be it a program, user, or process, cannot access the requesting file, program, or resource until it is proven that it has the proper access rights.

×：The reference monitor is the core of the Trusted Computing Base (TCP), which is comprised of the security kernel.

This is incorrect because the reference monitor is not the core of the TCB. The core of the TCB is the security kernel, and the security kernel implements the concepts of the reference monitor. The reference monitor is a concept about access control. It is often referred to as an “abstract machine” because it is not a physical component.

×：The reference monitor implements and executes the security kernel.

The reference monitor does not implement and execute the security kernel, which is incorrect. On the contrary, the security kernel implements and executes the reference monitor. The reference monitor is an abstract concept, while the security kernel is a combination of hardware, software, and firmware in a trusted computing base.

×：The security kernel, i.e., the abstract machine, implements the concept of a reference monitor.

This is incorrect because abstract machine is not another name for security kernel. Abstract machine is another name for the reference monitor. This concept ensures that the abstract machine acts as an intermediary between the subject and the object, ensuring that the subject has the necessary rights to access the object it is requesting and protecting the subject from unauthorized access and modification. The security kernel functions to perform these activities.

〇：A virtual firewall in bridge mode allows the firewall to monitor individual traffic links, while a firewall integrated into the hypervisor can monitor all activity taking place within the host system.

Virtual firewalls can be bridge-mode products that monitor individual communication links between virtual machines. They can also be integrated within a hypervisor in a virtual environment. The hypervisor is the software component that manages the virtual machines and monitors the execution of guest system software. When a firewall is embedded within the hypervisor, it can monitor all activities that occur within the host system.

×：A virtual firewall in bridge mode allows the firewall to monitor individual network links, while a firewall integrated into the hypervisor can monitor all activities taking place within the guest system.

A virtual firewall in bridge mode is incorrect because the firewall can monitor individual traffic links between hosts and not network links. Hypervisor integration allows the firewall to monitor all activities taking place within the guest system rather than the host system.

×：A virtual firewall in bridge mode allows the firewall to monitor individual traffic links, while a firewall integrated into the hypervisor can monitor all activities taking place within the guest system.

A virtual firewall in bridge mode is wrong because the firewall can monitor individual traffic links, and the hypervisor integration allows the firewall to monitor all activity taking place within the host system, but not the guest system. The hypervisor is the software component that manages the virtual machines and monitors the execution of the guest system software. A firewall, when embedded within the hypervisor, can monitor all activities taking place within the system.

×：A virtual firewall in bridge mode allows the firewall to monitor individual guest systems, while a firewall integrated into the hypervisor can monitor all activities taking place within the network system.

A virtual firewall in bridge mode allows the firewall to monitor individual traffic between guest systems, and a hypervisor integrated allows the firewall to monitor all activity taking place within the host system, not the network system, so Wrong.

〇：Keys will need to be distributed via a secure transmission channel.

For two users to exchange messages encrypted with a symmetric algorithm, they need to figure out how to distribute the key first. If the key is compromised, all messages encrypted with that key can be decrypted and read by an intruder. Simply sending the key in an email message is not secure because the key is not protected and can easily be intercepted and used by an attacker.

×：Computation is more intensive than in asymmetric systems.

That is incorrect because it describes the advantages of symmetric algorithms. Symmetric algorithms tend to be very fast because they are less computationally intensive than asymmetric algorithms. They can encrypt and decrypt relatively quickly large amounts of data that take an unacceptable amount of time to encrypt and decrypt with asymmetric algorithms.

×：Much faster operation than asymmetric systems

Symmetric algorithms are faster than asymmetric systems, but this is an advantage. Therefore, it is incorrect.

×：Mathematically intensive tasks must be performed

Asymmetric algorithms are wrong because they perform a mathematically intensive task. Symmetric algorithms, on the other hand, perform relatively simple mathematical functions on bits during the encryption and decryption process.

The Kerckhoffs’s principle is the idea that cryptography should be secure even if everything but the private key is known. When encrypting data, one decides on a private key and how to encrypt it using that private key. Kerckhoffs says that even if it is known how it is encrypted, it should not be deciphered as long as the secret key is not discovered. Encryption has been with the history of human warfare. The main purpose is to communicate a strategy to one’s allies without being discovered by the enemy. In battle, its designs and encryption devices may be stolen by spies. Therefore, the encryption must be such that it cannot be solved without the key, no matter how much is known about how it works.

〇：Statistically predictable

The two main types of symmetric algorithms are block ciphers and stream ciphers. Block ciphers perform a mathematical function on a block of bits at a time. Stream ciphers do not divide the message into blocks. Instead, a stream cipher treats the message as a stream of bits and performs the mathematical function on each bit individually. If it were statistically predictable, it would not be a practical encryption technique in the first place.

×：Statistically Fair Keystreams

Statistically fair keystreams are an element of good stream ciphers. Therefore, it is incorrect. Another way to say a statistically unbiased keystream is that it is a highly random keystream that is difficult to predict.

×：The repetitive pattern of bit strings treated in a keystream is long.

Another way to say the randomness of a keystream is that it is highly random, with long repetitions = rarely repeated = highly random.

×：The keystream is irrelevant to the key.

A keystream that is not related to a key is an element of a good stream cipher. Therefore, it is incorrect. This is important because the key provides the randomness of the encryption process.

〇：Known Plaintext Attacks

A known-plaintext attack is a situation in which a decryptor can obtain plaintext indiscriminately. A ciphertext-alone attack is a situation where a decryptor can acquire ciphertext indiscriminately. A known-plaintext attack acquires the plaintext but does not know what ciphertext it is paired with, meaning that decryption is attempted with only two random ciphertexts. In this situation, it is difficult to decrypt. Therefore, the correct answer is “known-plaintext attack.

×：Selective Plaintext Attack

A choice-plaintext attack is a situation in which the decryptor can freely choose the plaintext to acquire and obtain the ciphertext.

×：Adaptive Choice Plaintext Attack

An adaptive choice-plaintext attack is a situation in which the decryptor can freely choose which plaintext to acquire and acquire the ciphertext, and can repeat the acquisition again after seeing the result.

×：None of the above

It is rare for the answer to be “none of the above” when the choice is “most of the above.

〇：Digital Signature

A digital signature is a hash value encrypted with the sender’s private key. The act of signing means encrypting a hash value of a message with a private key. A message can be digitally signed, providing authentication, non-repudiation, and integrity. The hash function guarantees the integrity of the message, and the signature of the hash value provides authentication and non-repudiation.

×：Encryption Algorithms

Encryption algorithms are wrong because they provide confidentiality. Encryption is most commonly performed using symmetric algorithms. Symmetric algorithms can provide authentication, non-repudiation, and integrity as well as confidentiality.

×：Hash Algorithms

Hash algorithms are wrong because they provide data integrity. Hash algorithms generate a message digest, which detects whether modifications have been made (also called a hash value). The sender and receiver individually generate their own digests, and the receiver compares these values. If they differ, the receiver can know the message has been modified. Hash algorithms cannot provide authentication or non-repudiation.

×：Encryption paired with digital signatures

This is incorrect because encryption and digital signatures provide confidentiality, authentication, non-repudiation, and integrity. Encryption alone provides confidentiality. And digital signatures provide authentication, non-repudiation, and integrity. The question requires that it can provide authentication, non-repudiation, and integrity. It is a nasty question.

〇：Well-Formed Transaction

In the Clark-Wilson model, subjects cannot access objects without going through some type of application or program that controls how this access is done. The subject (usually the user) can access the required object based on access rules within the application software, defined as “Well-Formed Transaction,” in conjunction with the application.

×：Childwall model

This is incorrect because it is another name for the Brewer Nash model created to provide access control that can be dynamically modified according to the user’s previous behavior. It is shaped by access attempts and conflicts of interest and does not allow information to flow between subjects and objects. In this model, a subject can only write to an object if the subject cannot read another object in a different data set.

×：Access tuples

The Clark-Wilson model is incorrect because it uses access triples instead of access tuples. The access triple is the subject program object. This ensures that the subject can only access the object through the authorized program.

×：Write Up and Write Down

The Clark-Wilson model is incorrect because there is no Write Up and Write Down. These rules relate to the Bell-LaPadula and Biba models. The Bell-LaPadula model contains a simple security rule that has not been read and a star property rule that has not been written down. The Biba model contains an unread simple completeness axiom and an unwritten star completeness axiom.

〇：Public key infrastructure is a mechanism configuration for public key cryptographic distribution, and public key cryptography is another name for asymmetric encryption.

Public key cryptography is asymmetric cryptography. The terms are used interchangeably. Public key cryptography is a concept within the Public Key Infrastructure (PKI), which consists of various parts such as Certificate Authorities, Registration Authorities, certificates, keys, programs, and users. Public Key Infrastructure is used to identify and create users, distribute and maintain certificates, revoke and distribute certificates, maintain encryption keys, and for the purpose of encrypted communication and authentication.

×：Public key infrastructure uses symmetric algorithms and public key cryptography uses asymmetric algorithms.

This is incorrect because the public key infrastructure uses a hybrid system of symmetric and asymmetric key algorithms and methods. Public key cryptography is to use asymmetric algorithms. Therefore, asymmetric and public key cryptography are interchangeable, meaning they are the same. Examples of asymmetric algorithms are RSA, elliptic curve cryptography (ECC), Diffie-Hellman, and El Gamal.

×：Public key infrastructure is used to perform key exchange, while public key cryptography is used to create public/private key pairs.

This is incorrect because public key cryptography is the use of asymmetric algorithms used to create public/private key pairs, perform key exchange, and generate and verify digital signatures.

×：Public key infrastructure provides confidentiality and integrity, while public key cryptography provides authentication and non-repudiation.

Incorrect because the public key infrastructure itself does not provide authentication, non-repudiation, confidentiality, or integrity.

〇：Crime Prevention by Environmental Design (CPTED)

Crime Prevention by Environmental Design (CPTED) is a method by which crime can be reduced through proper design of the physical environment. It provides guidance on appropriate facility construction and environmental elements and crime prevention. It is used to guide the physical environment to behavioral effects that reduce crime.

×：Multi-layered defense model  

The multi-layered defense model is incorrect because it is a hierarchical architecture of physical, logical, and administrative security controls. The concept is that if one layer fails, the asset is protected by other layers. Layers should be moved from the perimeter toward the asset and implemented.

×：Hiding by Ambiguity

Concealment by ambiguity is a technique of concealment secured by concealment of information and is incorrect. Basically, it is better not to consider something to be a true secret if it is logically reachable, even if it is not public.

×：Access Control

Access control is incorrect because it is guidance by the placement of doors, fences, lighting, and landscaping as people enter. It is an abstract concept and would not fit into a concrete definition that combines sociology.

〇：TOGAF

The Open Group Architecture Framework (TOGAF) is a vendor-independent platform for the development and implementation of enterprise architecture. It focuses on the effective management of enterprise data using metamodels and service-oriented architectures (SOA). Proficient implementations of TOGAF aim to reduce fragmentation caused by inconsistencies between traditional IT systems and actual business processes. It also coordinates new changes and functionality so that new changes can be easily integrated into the enterprise platform.

×：Department of Defense Architecture Framework (DoDAF)

In accordance with the guidelines for the organization of the enterprise architecture of the U.S. Department of Defense systems, this is incorrect. It is also suitable for large, complex integrated systems in the military, civilian, and public sectors.

×：Capability Maturity Model Integration (CMMI) during software development.

It is inappropriate because it is a framework for the purpose of designing and further improving software. CMMI provides a standard for software development processes that can measure the maturity of the development process.

×：ISO/IEC 42010

Incorrect because it consists of recommended practices to simplify the design and conception of software-intensive system architectures. This standard provides a kind of language (terminology) to describe the different components of software architecture and how to integrate it into the development life cycle.

A key escrow system is one in which a third-party organization holds a copy of the public/private key pair. If the private key is stolen, all ciphers can be decrypted. Conversely, if it is lost, all ciphers cannot be decrypted. Therefore, you want to have a copy. However, if you have it yourself, it may be stolen if a break-in occurs, so you leave it with a third-party organization.

〇：The sender encrypts the message digest with his/her private key.

A digital signature is a hash value encrypted with the sender’s private key. The act of digitally signing means encrypting the hash value of the message with his/her private key. The sender would encrypt that hash value using her private key. When the recipient receives the message, she performs a hash function on the message and generates the hash value herself. She then decrypts the hash value (digital signature) sent with the sender’s public key. The receiver compares the two values and, if they are the same, can verify that the message was not altered during transmission.

×：The sender encrypts the message digest with his/her public key.

The sender is wrong because if the message encrypts the digest with his/her public key, the recipient cannot decrypt it. The recipient needs access to the sender’s private key, which must not occur. The private key must always be kept secret.

×：The receiver encrypts the message digest with his/her private key.

The receiver is wrong because the message must decrypt the digest with the sender’s public key. The message digest is encrypted with the sender’s private key, which can only be decrypted with the sender’s public key.

×：The receiver encrypts the message digest with his/her public key.

The receiver is wrong because the message must decrypt the digest with the sender’s public key. The message digest is encrypted with the sender’s private key, which can only be decrypted with the sender’s public key.

〇：Data Encryption

The Advanced Encryption Standard (AES) is a data encryption standard developed to improve upon the previous de facto standard, Data Encryption Standard (DES). As a symmetric algorithm, AES is used to encrypt data. Therefore, the correct answer is “data encryption.

There are other situations where AES is used in the other choices, but encrypting data is the most focused or better answer. Thus, there are cases where all of the choices are correct.

×：Data integrity

This is a characteristic of digital signatures.

×：Key recovery

It is a property of decryption and key escrow.

×：Symmetric key distribution

Using symmetric keys for AES distribution lowers the key delivery problem.

〇：Execution Domain Switching

Execution domain switching occurs when the CPU needs to move between executing instructions for a more trusted process versus a less trusted process. Trusted Computing Base (TCB) allows processes to switch domains in a secure manner to access different levels of information based on sensitivity. Execution domain switching occurs when a process needs to invoke a process in a higher protection ring. The CPU executes the user-mode instruction back into privileged mode.

At first glance, this is a geeky problem that does not make sense. But don’t give up. Since there is no such thing as skipping, you can only get a right or wrong answer when the question is posed, so it is preferable to answer the question with some degree of prediction.

From this point on, let’s consider how to answer the questions. If you look at the question text and read it to the point where it reads, “You moved from one area to the other, and that was a security breach?” If you can read to that point, then you have two choices: deny or “stop the process,” or change or “switch the domain of execution. Next, the question text reads “if you need to access it,” which is asking how to accomplish this objective, not whether or not you should.

×：Execution of I/O operations

This is incorrect because input/output (I/O) operations are not initiated to ensure security when a process in one domain needs to access another domain in order to retrieve sensitive information. I/O operations are performed when input devices (such as a mouse or keyboard) and output devices (such as a monitor or printer, etc.) interact with an application or applications.

×：Stopping a Process

A process deactivation is one that occurs when a process instruction is fully executed by the CPU or when another process with a higher priority calls the CPU, which is incorrect. When a process is deactivated, new information about the new requesting process must be written to a register in the CPU. The TCB component must ensure that this is done, since the data replaced in the registers may be confidential.

×：Mapping from virtual memory to real memory

Incorrect because memory mapping occurs when a process needs its instructions and data processed by the CPU. The memory manager maps logical addresses to physical addresses so that the CPU knows where to place the data. This is the responsibility of the operating system’s memory manager.

〇：Graham-Denning Model

The Graham-Denning model addresses how access rights between subjects and objects are defined, developed, and integrated. It defines a basic set of rights in terms of the commands that a particular subject can execute on an object. The model has eight basic protective rights or rules on how to safely perform these types of functions

×：Brewer-Nash Model

It is incorrect because its purpose is to provide access control that can be changed dynamically according to the user’s previous actions. The main purpose is to protect against conflicts of interest due to user access attempts. For example, if a large marketing firm provides marketing promotions and materials for two banks, the employee responsible for the Bank A project should not be able to see information about Bank B, the marketing firm’s other bank customer. A conflict of interest could arise because the banks are competitors. If the project manager of the marketing firm’s Project A can see information about Bank B’s new marketing campaign, he may attempt to execute it rather than promote it to please more direct customers. Marketing firms have a bad reputation when internal employees can act irresponsibly.

×：Clark-Wilson Model

The Clark-Wilson model is incorrect because it is implemented to protect data integrity and ensure that transactions are properly formatted within the application. Subjects can only access objects through authorized programs. Segregation of duties is enforced. Auditing is required. The Clark-Wilson model addresses three integrity goals: preventing changes by unauthorized users, preventing inappropriate changes by unauthorized users, and maintaining internal and external consistency.

×：Bell-LaPadula Model

This model was developed to address concerns about the security of U.S. military systems and the leakage of classified information, and is incorrect. The primary goal of the model is to prevent unauthorized access to classified information. It is a state machine model that enforces the confidentiality aspect of access control. Matrices and security levels are used to determine if a subject has access to different objects. Specific rules are applied to control how objects interact with each other compared to the subject’s object classification.

Compromise is when what used to be secure encryption becomes insecure due to the evolution of computers. Cryptography is based on the sharing of a single answer, a key, among those communicating. The key is generated by computer calculations, and a third party must solve a difficult problem that would take several years to derive. However, as the computational power of computers has evolved, it is now possible to solve difficult problems that could not be solved before. In this case, encryption is meaningless. This is the compromise caused by evolution. Therefore, the correct answer is “Compromise.

〇：The expiration date should be set short.

Key management is critical for proper protection. Part of key management is to determine the key’s period of validity, which would be determined by the sensitivity of the data being protected. For sensitive data, periodic key changes are required and the key’s expiration date will be shortened. On the other hand, for less secure data, a key with a longer expiration date is not a problem.

×：Keys should be deposited in case of backup or emergency.

This is incorrect because it is true that keys must be deposited in the event of a backup or emergency situation. Keys are at risk of being lost, destroyed or damaged. Backup copies must be available and readily accessible when needed.

×：Keys must not be made public.

Of course. It is a key.

×：Keys should be stored and transmitted by secure means.

Wrong, since it is true that keys should be stored and transmitted by secure means. Keys are stored before and after distribution. If keys are distributed to users, they must be stored in a secure location in the file system and used in a controlled manner.

〇：Multiple processes are using the same resources.

The system uses hard drive space (called swap space) that is reserved to expand RAM memory space. When the system fills up volatile memory space, data is written from memory to the hard drive. When a program requests access to this data, it is returned from the hard drive to memory in specific units called page frames. Accessing data stored on hard drive pages takes longer than accessing data stored in memory because it requires read/write access to the physical disk. A security issue with using virtual swap space is that two or more processes can use the same resources and corrupt or damage data.

×：Allowing cookies to remain persistent in memory

This is incorrect because virtual storage is not associated with cookies. Virtual storage uses hard drive space to extend RAM memory space. Cookies are small text files used primarily by web browsers. Cookies can contain credentials for web sites, site preferences, and shopping history. Cookies are also commonly used to maintain web server-based sessions.

×：Side-channel attacks are possible.

Side-channel attacks are incorrect because they are physical attacks. This type of attack gathers information about how a mechanism (e.g., smart card or encryption processor) works from abandoned radiation, time spent processing, power consumed to perform a task, etc. Using the information, reverse engineer the mechanism to reveal how it performs its security task. This is not related to virtual storage.

×：Two processes can perform a denial of service attack.

The biggest threat within a system where resources are shared between processes is that one process can adversely affect the resources of another process, since the operating system requires memory to be shared among all resources. This is especially true in the case of memory. It is possible for two processes to work together to perform a denial of service attack, but this is only one of the attacks that can be performed with or without the use of virtual storage.

〇：Conflict condition

A race condition is present when a process performs a task on a shared resource and the sequence could be in the wrong order. 2 or more processes can have a race condition if they use a shared resource, like data in a variable. It is important that processes perform their functions in the correct sequence.

×：Backdoors

Backdoors are incorrect because they are “listening” services on certain ports. Backdoors are implemented by attackers to allow easy access to the system without authenticating as a normal system user.

×：Maintenance Hooks

Maintenance hooks are specific software codes that allow easy and unauthorized access to sensitive parts of a software product. Software programmers use maintenance hooks to allow them to get quick access to the code so that they can make fixes in immediate, but this is dangerous.

×：Data validation errors

Data validation errors are wrong because an attacker cannot operate on the process execution sequence.