4. Evidential results

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

11. d. The TOE leads to objective and repeatable results that are defensible and can be cited as evidence.

12. Regarding the Common Criteria (CC), which of the following is not an example of mitigating the effects of a threat?

a. Restricting the ability of a threat agent in accessing IT assets to perform adverse actions

b. Making frequent backup copies of IT assets

c. Obtaining extra copies or spare parts of IT assets

d. Insuring IT assets

12. a. Examples of threats include (i) a hacker remotely copying confidential files from a company network, (ii) a worm seriously degrading the performance of a wide-area network, (iii) a virus sending out stored confidential e-mail to random recipients, (iv) a system administrator violating user privacy, and (v) a malicious TOE developer-employee modifying the source code. Restricting the ability of a threat agent to perform adverse actions is an example of diminishing a threat, not mitigating the effects of a threat with security controls.

The other three choices are incorrect because they are examples of mitigating the effects of a threat with security controls (e.g., backup, spare parts, and insurance). Threat agents are entities that can adversely act on assets. Examples of threat agents are hackers, users, computer processes, TOE development personnel, and accidents.

Sources and References

“Common Criteria for Information Technology Security Evaluation Part 1: Introduction and General Model, Version 3.1 and Revision 1,” Common Criteria Portal, September 2006. (www.commoncriteriaportal.org/files/ccfiles).

“Engineering Principles for Information Technology Security (NIST SP 800-27 Revision A),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, June 2004.

“Guidelines on Active Content and Mobile Code (NIST SP 800-28 Version 2 Draft),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, August 2007.

“Guidelines to Federal Organizations on Security Assurance and Acquisition, Use of Tested, Evaluated Products (NIST SP 800-23),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, August 2000.

“Information Assurance Technical Framework (IATF), Release 3.1,” National Security Agency (NSA), Fort Meade, Maryland, September 2002.

“Information Technology Security Evaluation Criteria (ITSEC), Harmonized Criteria of France – Germany, the Netherlands, the United Kingdom,” Commission of the European Communities Directorate XIII/F SOG-IS, June 1991. (www.iwar.org.uk/comsec/resources/standards/itsec.htm).

“Service Component-Based Architectures, Version 2.0,” CIO Council, June 2004 (www.cio.gov).

“Underlying Technical Models for Information Technology Security (NIST SP 800-33),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, December 2001.

Domain 7

Security Operations

Traditional Questions, Answers, and Explanations

1. Regarding media sanitization, which of the following is the correct order for fully and physically destroying hand-held devices, such as cell phones?

1. Incinerate

2. Disintegrate

3. Pulverize

4. Shred

a. 3, 2, 1, and 4

b. 4, 2, 3, and 1

c. 1, 4, 3, and 2

d. 1, 2, 4, and 3

1. b. The correct order for fully and physically destroying hand-held devices such as cell phones is shred, disintegrate, pulverize, and incinerate. This is the best recommended practice for both public and private sector organizations.

Shredding is a method of sanitizing media and is the act of cutting or tearing into small particles. Here, the shredding step comes first to make the cell phone inoperable quickly. Disintegration is a method of sanitizing media and is the act of separating the equipment into component parts. Disintegration cannot be the first step because a determined attacker could reassemble these parts and make the cell phone work again. Pulverization is a method of sanitizing media and is the act of grinding to a powder or dust. Incineration is a method of sanitizing media and is the act of burning completely to ashes in a licensed incinerator. Note that one does not need to complete all these methods; one can stop after any specific method once the final goal has been reached, based on the sensitivity and criticality of the data on the device.
