
Question 1: The Trusted Computer System Evaluation Criteria (TCSEC) had several drawbacks. They include:

(1) It addressed only confidentiality, not the integrity and availability aspects of security;
(2) It focused on operating system products;
(3) Its evaluation process was too slow; and
(4) It suffered from criteria creep.

Recall that criteria creep is the process of refining evaluation requirements as the industry gains experience with them, making the evaluation criteria something of a moving target. (See Section 21.2.4.2 of Bishop.)

How well did the Common Criteria (CC) address these four problems of TCSEC? 

Question 2: This question is on vulnerability analysis, as discussed in INFA670 Session 4. In practical terms, vulnerability analysis means finding out what software and services are running in your enterprise, whether the various systems and applications are properly patched and correctly configured and, as the name indicates, what vulnerabilities exist in the various infrastructure components and applications and how significant the discovered vulnerabilities are.

For this exercise, assume that you are a security officer for a large networked enterprise consisting of thousands of IP addresses (hosts, servers and devices) running thousands of services and applications on those machines. 

Discuss in detail one vulnerability analysis tool that is suitable for this (deployment) environment. Justify to your CTO or CIO why the tool you have selected is appropriate for this environment from the perspectives of: 

  • Mapping: Determining what is running where
  • Ability to identify versions and patches (or lack of them) of software
  • Vulnerability Analysis (both false positive and false negative aspects should be considered)
  • Usability
  • Performance (Is it taking a whole day to run? Or is it bringing down a system?)
  • Cost

You may consider one of the tools discussed in the Section 4 Discussion Forum, such as SAINT (Security Administrator's Integrated Network Tool), the BeyondTrust Retina suite of products, and Tenable Network Security Nessus (and their derivatives). You are free to consider open source or free products such as OpenVAS. You may also consider products not discussed in the class. (You may decide you need a suite of tools. That is fine too.)

State your assumptions/restrictions about the tool clearly. For example, the tool could not be employed beyond the firewall. Another example is the type of privilege the tool needs to have in order to be successful. 

Question 3: The CMMI® Model for Development has several process areas (PAs), 22 in Version 1.3 to be exact. For this exercise, we will consider the following 4 PAs: (1) Configuration Management, (2) Organizational Training, (3) Requirement Management, and (4) Risk Management. These 4 PAs are also applicable to CMMI for Services and CMMI for Acquisition. Let us suppose you are interested in achieving a higher "Capability Level" in these process areas in one project or several projects in your enterprise. (If your enterprise does not develop any software, consider improving the services you offer or acquisitions you make.) For each of these four PAs:

1. Briefly describe what the process area is and why it is needed. Enumerate improvements you expect to see for these process areas in your enterprise.
2. Describe specific goals for the process area.
3. List resources/tools you may use to assist or automate the process area.

Provide all three answers above in a separate document, along with references. Write your response in 2000 words total, including all three answers.

Computer Network & Security, Computer Science

  • Category:- Computer Network & Security
  • Reference No.:- M91425404