Repeat this 10 times:
TCSEC is the Orange Book, and contains a security assurance classification system from D to A.
Did you repeat it 10 times? Don’t think of it as me telling you what to do, because I promise once you repeat it ten times, you’ll have a better technique to answer any exam questions pertaining to TCSEC, Trusted Computer Security Evaluation Criteria.
Some points about TCSEC:
- Created by the NSA in the 1980s
- The first attempt to implement access control on systems with different security levels
- It is no longer used today, but will be on the exam
- Enforces confidentiality NOT integrity
- Security clearance and classification labels (Mandatory Access Control) do not apply until Division B
- Division A is the most secure system
- Division D is the least secure system
Let’s break down each of the classes within each division for further analysis, and also because it is on the exam.
Division D: Minimal Protection
A “D” rating fails to meet any of the below classification assurance levels.
Division C: Discretionary Protection
Deals with subjects and objects using Discretionary Access Control (DAC).
A “C” rating has two different classes of individual assurance.
Class 1 (C1 Rating): Discretionary Security Protection
- Users have the same security levels (there is no secret, top secret…)
- Subjects and objects are separated requiring identification and authentication for access
- Lower-level executions should not affect higher-level executions
- Provides low security, but still trusted
- Required documentation:
  - System Design
  - Protection Mechanisms
  - Test documents
  - Facility manual (a description of the proper environment in which to configure the system)
Class 2 (C2 Rating): Controlled Access Protection
- Provides an audit feature
- Does not allow data remnants to persist after use (No Object Reuse!)
- Temporary files and objects in use must be erased after use to prevent compromise
- Assurance is suitable enough for commercial applications and programs
- Provides more strict access control between subjects and objects
- Most reasonable for commercial products
- For systems that require accountability
Division B: Mandatory Protection
Deals with security labels. Remember the Bell-LaPadula model? How it deals only with confidentiality through the use of security labels?
Think of Mandatory Access Control (MAC) when thinking of the Division B assurance level.
Class 1 (B1): Labeled Security
- Subjects must have clearance, objects must have classification label
- A subject’s access to an object is decided by comparing the subject’s clearance with the object’s label
- Based on informal security policy
- For systems that handle classified data
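The clearance-versus-label comparison that B1 requires, written out as an added example (not code from the original post). It implements the Bell-LaPadula check the section refers to over labels made of a hierarchical level plus a set of compartments; the level names, compartment names and sample subjects are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed ordering of hierarchical sensitivity levels (low to high).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of compartments.

    The same type serves as a subject's clearance and as an object's
    classification label, since MAC compares the two directly."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True when this label sits at or above `other` in the lattice:
        a level that is at least as high AND a superset of the compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_decision(clearance: Label, classification: Label, mode: str) -> bool:
    """Bell-LaPadula style mandatory access decision.

    read  -> simple security property: the clearance must dominate the label
             (no read-up)
    write -> *-property: the label must dominate the clearance (no write-down)
    """
    if mode == "read":
        return clearance.dominates(classification)
    if mode == "write":
        return classification.dominates(clearance)
    raise ValueError(f"unknown access mode: {mode}")


if __name__ == "__main__":
    # Constructed sample: an analyst cleared SECRET with the NATO compartment.
    analyst = Label("SECRET", frozenset({"NATO"}))
    objects = {
        "briefing.txt": Label("CONFIDENTIAL"),
        "plan.doc": Label("TOP SECRET"),
        "nato_report.pdf": Label("SECRET", frozenset({"NATO"})),
        "crypto_memo.pdf": Label("SECRET", frozenset({"CRYPTO"})),
    }
    for name, label in objects.items():
        for mode in ("read", "write"):
            allowed = mac_decision(analyst, label, mode)
            print(f"{mode:5} {name:16} -> {'ALLOW' if allowed else 'DENY'}")
```

A subject cleared SECRET is denied a read of the TOP SECRET object and of a SECRET object in a compartment it does not hold, but may write upward to TOP SECRET.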
Class 2 (B2): Structured Protection
- Trusted communication between subject and object; cannot be bypassed
- NO COVERT CHANNELS
- More granular review and testing process than B1
- Based on formal security policy that is CLEARLY DEFINED and DOCUMENTED
- For systems that contain sensitive data
- Operators and administrators must have separate environments and roles (user level vs kernel level)
- Must be reasonably resistant to penetration and compromise
- Requires a higher level of security because it contains sensitive data
Class 3 (B3): Security Domains
- Design must not be too complex, as that increases vulnerabilities
- Unnecessary programming code is taken out of protection mechanisms
- System must recover from failures and reboot securely
- Must be highly resistant to penetration and compromise
- For highly secure environments with sensitive information
Division A: Verified Protection
The difference between B and A is not so much in its requirements, but in HOW it is evaluated. Division A is evaluated very strictly with formal methods.
Class 1 (A1): Verified Design
- Similar to the B3 rating
- Highly detailed and granular evaluation of this system
- Even the transportation of the system is subject to evaluation
- System CANNOT be compromised as it contains top-secret data
Not really as exciting as many of the other domains, but it is important to learn. Building a system securely provides an exceptional level of protection mechanisms to reduce risk (risk = threat × vulnerability).