Mandatory Access Control (MAC) and Discretionary Access Control (DAC) are well-known authorization mechanisms introduced in the Trusted Computer System Evaluation Criteria (TCSEC). Which of the following statements about the authorization mechanisms is not true?
A. MAC can exist alone without DAC
B. Privileges granted by the data owner can be reauthorized to others in DAC.
C. A subject with mere security clearance gets no access to objects.
D. MAC mediates the data flow between classification levels.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. MAC can exist alone without DAC.
The TCSEC defines criteria for evaluating trusted computer systems. It has four divisions (D, C, B, and A), and each division may be divided into classes. The requirements are cumulative: every class must also meet the requirements of the classes below it, so the Division B classes (B1, B2, and B3) must satisfy the Division C requirements. DAC is required from class C1 onward, while MAC is first required at B1. Every class that mandates MAC (Division B and A1) therefore also mandates DAC. In TCSEC's framework, MAC cannot exist alone without DAC.
- It is a common problem in DAC that privileges granted by the data owner can be re-authorized to others. Take NTFS, for example: a user who holds "Full Control" on a file (which includes the Change Permissions right) can grant access to that file to anyone else.
- A subject needs both an appropriate security clearance and need-to-know to access an object; clearance alone grants nothing. (Compartmented information additionally requires formal approval for the compartment.)
- MAC mediates the data flow between classification levels to enforce security. For example, the Bell–LaPadula model prevents data at a higher level from flowing to a lower level through read or write operations: the simple security property forbids reading up, and the *-property forbids writing down.
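The three points above can be seen together in a small reference monitor. The block below is an added illustration written for this post, not code from TCSEC or from any real operating system: it layers a Bell–LaPadula MAC check (levels plus compartments standing in for need-to-know) on top of an owner-administered ACL, so an access succeeds only when both the discretionary and the mandatory check pass. The subjects, objects, labels and the "control" right are all constructed for the example; "control" plays the role that "Change Permissions" plays in NTFS.

```python
"""Toy reference monitor that layers MAC on top of DAC, in the spirit of
TCSEC Division B (MAC added to the DAC already required from Division C).

Added illustration for this post, not from TCSEC or any real operating
system. Every subject, object, label and right below is constructed."""
from dataclasses import dataclass, field

# Hierarchical sensitivity levels; compartments model need-to-know.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Obj:
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)  # principal -> set of rights


def dac_allows(subject: str, obj: Obj, right: str) -> bool:
    """DAC: consult the object's ACL, which its owner administers."""
    return right in obj.acl.get(subject, set())


def mac_allows(clearance: Label, obj_label: Label, right: str) -> bool:
    """MAC, Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    if right == "read":
        return clearance.dominates(obj_label)
    if right == "write":
        return obj_label.dominates(clearance)
    raise ValueError(f"unknown right {right!r}")


def can_grant(grantor: str, obj: Obj) -> bool:
    """The owner, or anyone already holding the constructed 'control' right
    (cf. NTFS 'Change Permissions'), may hand out rights: DAC delegation."""
    return grantor == obj.owner or dac_allows(grantor, obj, "control")


def grant(grantor: str, obj: Obj, grantee: str, rights: set) -> None:
    if not can_grant(grantor, obj):
        raise PermissionError(f"{grantor} may not change permissions on this object")
    obj.acl.setdefault(grantee, set()).update(rights)


def access(subject: str, clearance: Label, obj: Obj, right: str) -> bool:
    """Reference monitor: BOTH the discretionary and the mandatory check must pass."""
    return dac_allows(subject, obj, right) and mac_allows(clearance, obj.label, right)


def demo() -> dict:
    """Constructed scenario; returns each decision so it can be inspected."""
    memo = Obj(owner="alice", label=Label("SECRET", frozenset({"CRYPTO"})))
    bulletin = Obj(owner="alice", label=Label("UNCLASSIFIED"))

    grant("alice", memo, "bob", {"read", "control"})  # owner grants, including the delegation right
    grant("bob", memo, "dave", {"read", "write"})     # bob re-authorizes dave: the DAC weakness
    grant("alice", bulletin, "dave", {"write"})

    clearances = {
        "bob": Label("SECRET"),                               # cleared, but no CRYPTO need-to-know
        "carol": Label("TOP SECRET", frozenset({"CRYPTO"})),  # MAC would allow, but no DAC grant
        "dave": Label("SECRET", frozenset({"CRYPTO"})),
    }
    return {
        "bob_read_memo": access("bob", clearances["bob"], memo, "read"),                # False
        "carol_read_memo": access("carol", clearances["carol"], memo, "read"),          # False
        "dave_read_memo": access("dave", clearances["dave"], memo, "read"),             # True
        "dave_write_memo": access("dave", clearances["dave"], memo, "write"),           # True
        "dave_write_bulletin": access("dave", clearances["dave"], bulletin, "write"),   # False
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'ALLOW' if allowed else 'DENY'}")
```

Bob is denied although he is cleared to SECRET, because he lacks the CRYPTO compartment (clearance alone gets no access). Carol is denied although her label dominates the memo's, because the owner never granted her anything (MAC here is enforced in addition to DAC, not instead of it). Dave, who obtained his rights from Bob rather than from the owner, can read and write the memo, but his attempt to write into the UNCLASSIFIED bulletin is stopped by the *-property even though the ACL permits it.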
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author's web site.