Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Integrity metrics ?

from [Nicolas Stampf] Network Security [Permanent Link]
Subject: Integrity metrics ?
Date: Thu, 28 Oct 2004 11:07:28 +0200 
Hello,

Considering the current thread about security classifications, I
wanted to raise an issue regarding metrics for integrity.

I've seen on the list, and elsewhere, metrics with 4 or 5 levels
regarding Integrity.

Considering that security requirements (C, I and A), need, in the end,
to turn into security functionalities like access control,
authentication, signatures, etc.; there needs to be some sort of
relation between the initial requirements metrics and the technologies
for ensuring the requirements are fulfilled.

Given this, if we consider, say, confidentiality, we can map levels
with technologies, such as, for instance:
C=0 => nothing (no requirement)
C=1 => access control lists (DAC)
C=2 => ACL (MAC)
C=3 => ACL + crypto 128 bits
C=4 => ACL + crypto 256 bits

How would you do the same thing for integrity?

I came up with something such as:
I=0 => nothing
I=1 => checksum or hash (protection against errors)
I=2 => signature (protection against deliberate attacks)
and that's all. No other levels.

I can't see how other levels than these 3 (counting 0) could exist and
to what kind of technologies/practices or processes they could map.

Any thoughts, someone ?

Regards,

--
Nicolas STAMPF
http://www.ActuSecu.info
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Integrity metrics ?, Nicolas Stampf <=
Previous by Date:  Re: Policy-Procedure connection, John Blackley
Next by Date:  Security policy exceptions template?, Non Proprio
Previous by Thread:  Standards Compliance Software or Guidlines?, Andre Derek Protas
Next by Thread:  RE: Security policy exceptions template?, Non Proprio
Indexes:  [Date] [Thread] [Top] [All Lists]