Scenario 1: Email from “IT Support”

● Email Content:
Subject: Urgent: Account Security Notice
From: [email protected]
Dear User,
Due to recent suspicious activity detected on your university account, immediate
password verification is required.
[Click Here to Verify Your Account]
Failure to act within 24 hours will result in account suspension.
Thank you,
IT Security Team
● Comment on tactic and indicators of malicious intent 1
Scenario 2: Phone Call Scenario (Transcript)
● Caller:

"Hi, this is Margaret from Microsoft Technical Support. We’ve noticed your
computer is reporting several critical security errors. I can assist you right
now to fix it. Could you please provide remote access so we can resolve
this before your computer is accessed by a threat actor?"

● Comment on tactic and indicators of malicious intent

2
Scenario 3: USB Stick Found in a Campus Parking Lot
● Situation:

You find a USB labeled "Confidential Staff Salaries 2025.xlsx" lying near
your car in the campus parking lot.

● Comment on tactic and indicators of malicious intent

3
CSE298 Cybersecurity - Lecture 21
Combating Social Engineering and
Building Cybersecurity Culture
Spring 2025
Mark Erle
Questions Based on Last Lecture
● Common tactics covered: phishing, pretexting, baiting, tailgating, quid pro
quo, vishing, smishing
● Why do attackers often find social engineering attacks more effective than
purely technical exploits?
● Consider the Twitter Bitcoin scam from 2020 discussed in the last lecture.
What specific human traits or behaviors were targeted, and how could
employees have responded differently?
● Suppose you find an unlabeled USB stick near a campus computer lab. What
should your response be, and why?

5
Prevention and Mitigation Strategies
● Technical Controls
○ Email filtering and detection tools
○ Multi-factor authentication (MFA)
● Policies & Procedures
○ Verification and authorization requirements
○ Clear reporting mechanisms
● Continuous Monitoring
○ Real-time detection systems (EDR, SIEM integration)
○ Incident response readiness

6
Security Awareness Training
● Goals
○ Reduce human vulnerability through education
○ Foster proactive security behaviors
● Components of Effective Training
○ Interactive content and engagement
○ Simulated campaigns
○ Regular training refreshers
○ Role-based training tailored to job functions
● Evaluating Effectiveness
○ Metrics: reduced incidents, improved reporting rates, participation levels
● What are two key reasons why organizations need both technical and
human-focused strategies to combat social engineering attacks?

7
Building a Culture of Cybersecurity Vigilance
● Importance of Culture
○ Human element as first and last line of defense
○ Long-term behavior change reduces risk
● Leadership’s Role
○ Demonstrating commitment to security
○ Empowering employees to act securely
● Encouraging Reporting
○ Non-punitive reporting culture
○ Recognition for proactive behavior

8
Follow-up on Building a Culture of Cybersecurity Vigilance
● How does a positive cybersecurity culture impact employee behavior in the
context of security?
● Give an example of how security awareness training can be evaluated
effectively.

9
Social Engineering Training Exercise (slide 1 of 2)
1. Planning and Conception
● Define clear objectives (e.g., assess vulnerability to phishing)
● Identify target audience (departments, roles, etc.)
● Select relevant tactics to simulate (phishing, vishing, pretexting)
2. Exercise Design
● Develop realistic scenarios (email campaigns, phone scripts)
● Create believable content reflecting common attacks
● Set technical infrastructure (e.g., simulated phishing platforms)
3. Pre-Exercise Communication
● Notify leadership and IT/security stakeholders
● Decide if employees receive advance notice or remain unaware
● Establish clear guidelines and policies to handle sensitive outcomes 10
Social Engineering Training Exercise (slide 2 of 2)
4. Execution
● Conduct the simulated attack campaign over a defined period
● Monitor employee interactions in real-time
● Record response metrics (click rates, credential submissions, reporting)
5. Data Collection and Analysis
● Compile and analyze collected data against objectives
● Identify patterns, weaknesses, and strengths
● Evaluate overall effectiveness of existing security measures
6. Feedback and Reporting
● Share anonymized findings transparently with staff
● Provide targeted education based on identified weaknesses
● Recommend and implement improvements for future exercises 11
CSE298 Cybersecurity - Lecture 22
Incident Response & Monitoring
Spring 2025
Mark Erle
Security Failings in the UK Government’s One Login
Digital ID System
● Recent investigation revealed serious cybersecurity and data protection shortcomings in UK Government’s flagship digital
identity system, One Login - used to access various government services.
● According to whistleblower reports and subsequent correspondence from the National Cyber Security Centre (NCSC), the
system suffered from:
○ Insufficient security personnel and governance: The digital identity team lacked enough qualified staff to provide
effective cybersecurity oversight.
○ Lack of risk assessment and documentation: No comprehensive risk or threat assessments were conducted, and
there was no evidence that security requirements had been properly identified or managed.
○ Inadequate security monitoring: There were gaps in monitoring for indicators of compromise and privileged access,
increasing the risk of undetected breaches.
○ Non-compliant system administration: Administrators accessed the live production environment using non-compliant
devices, raising the risk of malware or phishing attacks.
○ High volume of unresolved vulnerabilities: Over half a million vulnerabilities were identified in the live system,
including more than 10,000 critical and 7,000 high-severity issues.
○ Concerns over personnel security clearance: Nearly 40% of production administrators lacked the appropriate security
clearance, despite handling sensitive citizen data.
○ Potential conflicts of interest in assurance processes: The same consultancy involved in developing the system was
also responsible for its security assurance, raising questions about the independence of risk assessments.
● The NCSC concluded the system had “severe shortcomings” and “top-level risks,” including the potential for bulk personal
data breaches and mass fraud through impersonation.
13
Accenture and Google Launch AI-Powered Security
Operations for Government
● On April 8, 2025, Accenture Federal Services announced a new partnership with Google
Public Sector to launch a Managed Extended Detection and Response (MxDR) solution
specifically for government agencies
● This new offering integrates Google’s Security Operations (SecOps) platform with
Accenture’s federal cybersecurity expertise and leverages security-specific generative AI
technology to enhance threat detection and response capabilities.
● Key features of the solution include:
○ Real-time, intelligence-based threat detection using advanced AI and machine
learning.
○ Automated response playbooks to streamline and modernize incident response.
○ Customizable dashboards tailored for federal use cases.
○ 24/7 support and compliance with federal cybersecurity controls.
● The collaboration aims to help federal agencies improve their cybersecurity resilience,
streamline security operations, and reduce costs.
14
Introduction to Security Operations
● Functions:
○ Developing operational policies and enforcing them (governance)
○ Preparing for, detecting, responding to, and recovering from
cybersecurity incidents
● Importance:
○ Real-time threat detection
○ Minimizing damage from incidents
○ Ensuring regulatory compliance
● Why is timely incident response critical for organizations?

15
Incident Response Lifecycle
1. Preparation – Building a capable response team and clear policies
2. Identification – Detecting and confirming incidents
3. Containment – Limiting damage and isolating the threat
4. Eradication – Removing threats and restoring affected systems
5. Recovery – Returning to normal operations securely
6. Lessons Learned – Reviewing and improving incident response strategies

Which phase do you think is most challenging for organizations, and why?

16
Incident Response Team
● Roles and Responsibilities:
○ Team Leader
○ Incident Analysts
○ IT Support
○ Public Relations
○ Legal Advisors
● Why is cross-departmental coordination essential in incident response?

17
Security Monitoring and Logging
● Importance of logs:
○ Provide audit trails
○ Enable incident detection
○ Support regulatory compliance
● Types of logs:
○ Event logs
○ Access logs
○ Application logs
● How can logging facilitate incident response?

18
Security Information and Event Management (SIEM)
● Definition: Integrated tool for collecting, analyzing, and managing security data
● Core functionalities:
○ Real-time monitoring
○ Threat detection and correlation
○ Incident response support
○ Reporting and compliance
● What advantages does a SIEM provide compared to manual log analysis?

19
Example SIEM Tools
● Splunk
● QRadar
● LogRhythm
● Wazuh (open source!)
● What factors should an organization consider when selecting a SIEM tool?

20
“The Case of the Stolen Intellectual Property”
● Scenario: A tech startup, InnoSoft, suspects an employee leaked proprietary
AI algorithms to a competitor. The incident was flagged when a rival company
filed a patent suspiciously similar to InnoSoft’s unpublished work.
● Questions
○ What evidence might you be searching for?
○ How open or covert should your investigation be?
○ What tools could you use? What if exfiltrated data were encrypted?
○ What care needs to be taken with regard to evidence?
○ If you identify a suspect, what steps should you take and when?
○ What should you communicate to stakeholders and when?

21
CSE298 Cybersecurity - Lecture 23
Forensics, Investigation, and
Continuous Monitoring
Spring 2025
Mark Erle
CyberSentinel: AI-Driven Threat Detection

● The emergence of AI in cybersecurity has led to the development of systems

23
UK's Cyber Security and Resilience Bill

● The UK government has proposed the Cyber Security and Resilience Bill to
strengthen national cyber defenses.
● The legislation aims to enhance incident reporting requirements, enforce
stringent cybersecurity measures across various sectors, and improve
oversight of critical infrastructure.
● This move reflects the global trend towards regulatory frameworks that
prioritize continuous monitoring and rapid incident response.

24
Digital Forensics Overview
● What is Digital Forensics?
○ Process of collecting, analyzing, preserving, and presenting digital
evidence
○ Critical in understanding incidents, prosecuting cybercrimes, and
informing security improvements
● Importance in Security Operations
○ Incident validation and reconstruction
○ Support legal and compliance requirements
○ Provide insights for future threat prevention
● Why is maintaining the integrity of digital evidence crucial?

25
Forensic Investigation Process
● Steps of Digital Forensics
○ Identification: Determining potential evidence sources
○ Preservation: Ensuring evidence integrity
○ Collection: Systematic extraction of evidence
○ Examination: Inspecting collected data
○ Analysis: Deriving insights and conclusions
○ Reporting: Documenting and presenting findings
● Which forensic step might introduce the most significant risks if mishandled,
and why?

26
Chain of Custody
● Definition and Purpose
○ Documentation trail that records handling of evidence
○ Ensures authenticity, credibility, and admissibility in court
● Chain of Custody Essentials
○ Who handled the evidence
○ Date and time of handling
○ Actions performed on evidence
○ Secure storage conditions
● What consequences could result from a compromised chain of custody?

27
Common Forensic Tools
● Disk Imaging & Analysis: EnCase, FTK Imager, Autopsy
● Network Analysis: Wireshark, tcpdump, Zeek
● Memory Forensics: Volatility Framework
● Log Analysis: Splunk, ELK stack
● How do forensic analysts decide which tool to use?

28
Continuous Monitoring
● Definition and Purpose
○ Real-time tracking of security posture
○ Identifies threats promptly, reducing response time and impact
● Components of Effective Monitoring
○ Endpoint detection and response (EDR)
○ Network intrusion detection systems (IDS)
○ Log aggregation and SIEM integration
● How does continuous monitoring enhance the effectiveness of incident
response teams?

29
Patch Management: Overview
● Definition and purpose
○ Systematic approach to managing software updates and vulnerability
remediation
○ Critical for reducing exposure to known threats
● Patch Management Goals
○ Minimize vulnerability exposure
○ Maintain system and data integrity
○ Ensure compliance and operational continuity
● Why is proactive patch management crucial for cybersecurity?

30
Sources of Patch Information
● Common Sources:
○ Vendor advisories and security bulletins (e.g., Microsoft Security Bulletins,
Adobe Security Updates)
○ Vulnerability databases (e.g., National Vulnerability Database - NVD, CVE
databases)
○ CERT Coordination Center (US-CERT), industry-specific threat intelligence
feeds
● Where should organizations primarily obtain timely and credible patch
information?

31
Patch Testing and Validation
● Testing Considerations
○ Compatibility with existing software and infrastructure
○ Functionality impact and regression issues
○ Stability under production-like conditions
● Validation Steps
○ Create a controlled testing environment
○ Deploy patches to representative systems first
○ Monitor closely for unexpected behavior or conflicts
● Why is thorough patch testing critical before enterprise-wide deployment?

32
Communication and Coordination
● Requirements for Success
○ Clearly defined roles and responsibilities for patch management team
○ Effective notification channels (emails, intranet updates, meetings)
○ Coordination with departments to minimize disruptions during deployment
● Best Practices
○ Schedule patches during maintenance windows
○ Communicate clearly about timing, expected downtime, and potential
impacts
● How does clear communication improve the effectiveness of patch
management?

33
Tracking and Reporting Patch Status
● Tracking Techniques
○ Automated patch management solutions (e.g., SCCM, WSUS, Ivanti,
ManageEngine)
○ Dashboards and centralized reporting tools
● Reporting Essentials
○ Compliance rates
○ Systems pending patch application
○ Documenting exceptions or failures
● What benefits does centralized patch tracking provide to security management?

34
CSE298 Cybersecurity - Lecture 24
Security Assessment and Testing
Penetration Testing & Discovery

Spring 2025
Alex Clevenger
Security assessment as a principle
● What is security assessment?
● Why does it matter?
● Is there a difference between the following terms:
○ Assessment, Testing, and Continuous verification
● Assessment: evaluate the overall posture of a system, process, or
organization.
● Testing: To validate specific behaviors or outputs against expected results
● Cont. Verification: To automatically and repeatedly confirm that systems
behave securely and correctly over time.
36
How security professionals assess
● Credentialed vs. non-credentialed scans
● Common tools used:
○ Nessus
○ OpenVas
○ Tool + tuning for false positives

Question: Are these tools knowledge-based or behavior-based?

● CVSS scoring basics

37
CVSS ext.

38
Phases
● Recon → Exploit → Post‑exploit → Cleanup
● Two types of reconnaissance:
○ Passive reconnaissance: Collect information without directly targeting
the endpoint
○ Active reconnaissance: Collect information by directly targeting the
endpoint
● Exploit
○ Establish C2C channel (resource considerations)
○ Data infiltration
○ In-memory execution

39
Phases cont.
● Post-exploit
○ Credential dumping or corruption
■ Depending on the goal
○ Data exfiltration
○ Lateral movement
○ Persistence
● Cleanup
○ Log clearing
○ Remove any writes to disk in general
○ Remove persistence
○ Terminate and close C2C channel

40
PTES/OWASP Testing Guide
● Penetration Testing Execution Standard (PTES):
○ A structured, methodology-driven framework
○ Well defined phases for pentesting professionals to follow
● Open Worldwide Application Security Project (OWASP) testing guide:
○ Web application-specific framework for pen-testing
● Why do pentesters use guides like PTES and OWASP?

41
Ethics, scoping & rules of engagement
● Critically important to define scope ahead of time
○ Legal protection
● Informed consent is non-negotiable
● Company does not wanting 3rd party snooping where they shouldn’t be
● Possible to break mission critical systems
○ Hospital
● Report responsibly

42
Mitre Att&ck
● Mitre is non-profit organization that provides sophisticated frameworks for
security assessment
● Categories list of common tactics, techniques, and procedures
● Uses historical data to define attack vectors and nefarious behavior
● Not just a list of CVEs
○ A curated list of HOW previous hackers have exploited systems
● Mitre Defense is the blue-team counterpart

Where does this fit into the context of security assessment?

43
SAST, DAST, and IAST
● SAST (static): Static Application Security Testing
○ Analyze source code or bytecode without executing
● DAST (dynamic): Dynamic Application Security Testing
○ Running the application as a black-box
● IAST: Interactive Application Security Testing
○ Combines elements of both

What are some of the tradeoffs between these different approaches?

44
OWASP Top 10 overview
● A standard awareness document for developers and security professionals
● Sets standard for top 10 most critical security risks for web-apps specifically
● Updated periodically by the OWASP Foundation
● Not simply a list of bugs
○ Architectural flaws and common insecure practices
● Vast majority of CVE’s fall into these categories
○ Discovery mechanisms use this to identify patterns

45
Dependency scanning
● Looking at the dependencies in your application
○ ‘-H’ compiler flag
● Scanning specifically for known CVE’s in your third party code
● Open source tools
○ Npm, maven, pip
● System libraries
○ OpenSSL, Glib, libc

Common tools: Snyk, Dependabot

46
CSE298 Cybersecurity - Lecture 25
Security Assessment and Testing
Analyzing, Reporting, Automating

Spring 2025
Alex Clevenger
Network mapping (Nmap, masscan)
● Goal: discover and interpret the layout of a given system
● Use the right tool: breadth vs depth
● Know how to interpret the output meaningfully
● Use built-in output formats (-oX, -oG, -oN) to save and document scan results
● Automate scanning and analysis workflow
○ Cron
○ Pipelines
● Address the drawbacks of your workflow

48
Firewall rule testing & bypass techniques
● Firewall overview
○ Stateful vs. Stateless
○ Rule-based “gatekeepers”
○ Top-down evaluation and chaining
○ Default-deny and default-allow strategies
● Testing
○ Simulate various traffic types
○ hping3, nmap, curl, telnet, netcat
○ Look for holes

49
Firewall Bypass Techniques
● Tunneling: wrap the traffic inside protocols that the firewall allows
● Port knocking: Use a specific sequence of connections to try to trigger rule
changes in the firewall
● Source spoofing: test how the firewall responds to spoofed traffic
● Payload obfuscation: determine whether the firewall is inspecting the packet
payloads or just the headers
● Document findings
○ E.g. “Firewall allows telnet from X.X.X.X/y”
● Automate bypassing strategies

50
Wireless basics
● Wifi security protocols
○ WPA2 or WPA3 (Both enterprise & personal)
● WPA2
○ 4-way handshake, AES-CCMP encryption
● WPA3
○ SAE (Dragonfly), AES-CCMP encryption
● Wireless enumeration (airmon-ng, airodump-ng, kismet, or Wireshark)
○ Discover nearby SSIDs
○ Capture handshakes for WPA cracking
○ Monitor channel usage
● Rogue APs and Evil Twin
51
Wifi sniffing
● Switched vs. Non-switched traffic
○ Non-switched (e.g Hub)
■ All frames are sent to every port
○ Switched (e.g. Switch)
■ Learns MAC address per port and only forwards frames to that dest
● Promiscuous mode
○ NIC processes ALL ethernet frames it sees, not just those addressed to
its MAC address
○ Newer encryption standards enforce client isolation
● Monitor mode
○ NIC captures all raw 802.11 frames on a given channel
■ Beacons, probe requests, handshakes, etc

52
Wireless Segmentation
● VLAN: Virtual Local Area Network
○ VLAN tagging with VLAN ID
○ Switches use this tag to determine where the packet belongs
● Each VLAN is treated like its own network
○ Broadcasts, multicasts, unicast traffic stay isolated
● VLAN and RBAC
● Test and automate segmentation effectiveness

Question: Why does segmentation matter? Why go to the effort?

53
Frameworks
● MITRE ATT&CK for technique mapping
● NIST CSF: broad risk management lifecycle
○ Identify, Protext, Detect, Respond, Recover
● Kill chain (Lockheed Martin)
○ Sequence of attacker actions from recon to exfiltration
● Interpret and use threat intelligence
○ Key indicators: IPs, hashes, domains, file names, behavioral patterns
○ Learn how to correlate intel with observed behavior

54
Threat Intelligence
● Strategic Intel: high-level trends
● Tactical Intel: IOCs, attacker tools
● Operational Intel: active campaigns
● Technical Intel: raw data like exploit code

● Structured threat reporting

55
Structuring executive vs. technical reports
● Executive reporting
○ High-level
○ Non-technical crowd
○ Risk-focused summaries and business impact
● Technical reporting
○ Precise language
■ Tools versions, commands
○ Steps to reproduce
■ Logs, payloads, screenshots
○ Severity (CVSS)
○ Remediation instructions

56
Ticketing systems (Jira/ServiceNow)
● What is the purpose of ticketing systems?
○ Centralize issue tracking: incidents, bugs, vulnerabilities
● Basic fields
○ Summary, Description, Severity/Priority, Labels, Status, Assignee, Due
Date
● Lifecycle
○ Open → In Progress → Resolved → Closed
● Automation
○ Tickets can be auto-generated from scans

57
Retest planning
● Once a ticket has been “resolved” → Verify, Validate, Document
● Not simply a “re-running a scan”
○ Verifying the effectiveness of the fix
● Ensures vulnerabilities are not reintroduced or misconfigured after patching
● Prepare a clear-cut retest strategy
○ Who executes it? What will it affect? How will it happen?
● Document the outcome
● Automate where appropriate
○ CI/CD pipeline

58
DevSecOps
● What is it?
○ Embedding security into EVERY phase of SDLC
● Philosophy
○ Security is everyone’s responsibility
○ Security flaws should be addressed earlier rather than later in the
SDLC
○ Combine different roles for collaborative risk management
● Tools and testing types
○ SAST, DAST, IAST

59
Continuous Testing
● Fundamentally integrate security into CI/CD pipelines
○ Github Actions, Gitlab CI, CircleCI, etc
● Set clear thresholds for failure
○ Under what conditions should the build or push fail?
● Security testing should be automated at:
○ Code commit
○ Build
○ Pre-deployment
○ Post-deployment

60
Continuous Testing cont.
● Automated findings should be pushed to appropriate location
○ Dashboards, ticketing systems
● Measure and improve
○ Track security metrics over time w.r.t. the CI/CD pipeline
● Automate remediation when appropriate
○ Under certain circumstances, tools can be used to “auto-patch”
○ Pre-configure secure templates

Question: Are there dangers with automating remediation?

61
 CSE298 Cybersecurity - Lecture 26
Security Architecture and Engineering
- Design Principles and Models
Spring 2025
Mark Erle
Security Architecture and Engineering
● What is it?
○ Designing, building, and maintaining secure systems by applying structured
principles, models, and technologies to minimize risk and resist attacks
● Key Components
○ Architecture - High-level system design that defines trust boundaries, data
flows, access controls, and component interactions
○ Engineering - Implementation and integration of technologies (hardware,
software, cryptography) that enforce security requirements at every level
● Focus areas include:
○ Secure design principles
○ Security models
○ Integration of cryptographic mechanisms
○ Hardware and software protections
63
Importance of Security Architecture and Engineering
● Why it matters
○ Security architecture connects principles, models, and technologies into
cohesive system designs
○ Poor architecture decisions can undermine even the strongest
cryptography or policies
○ This domain addresses how we engineer secure systems that resist
real-world threats
○ It represents the capstone of what we've studied: applying layered
security thinking to complete system design
● Think about a system you trust/use (e.g., phone, cloud storage, banking app).
○ What architectural decisions might make you trust—or distrust—it?

64
Secure System Design Principles - 1 of 2
● Defense in Depth
○ Layered security mechanisms: physical, technical, administrative
○ Redundancy across security controls to reduce single points of failure
○ Examples: firewall + endpoint security + user training
● Least Privilege
○ Each process/user should operate using the minimal level of access
○ Reduces impact of exploitation or error
○ Supports containment and forensic traceability
● How do these principles relate to software you've used or built?

65
Secure System Design Principles - 2 of 2
● Separation of Duties
○ Avoids concentration of power or control in a single entity
○ Enforces accountability through task distribution
● Fail-Safe Defaults
○ Deny access by default; require explicit permission
○ Ensures predictable behavior under failure
● Economy of Mechanism
○ Simpler systems are easier to verify and secure
○ Minimal complexity reduces attack surface
● How do these principles relate to software you've used or built?

66
Bell-LaPadula (BLP) Model – Confidentiality-Focused
● Goal: To prevent unauthorized disclosure of information in systems that manage data at
different sensitivity levels (e.g., Top Secret, Secret, Confidential, Unclassified).
● Rules:
1. Simple Security Property ("No Read Up")
A subject (e.g., a user or process) cannot read data at a higher classification than their
own.
→ Prevents access to more sensitive information.
2. Star Property ("No Write Down")
A subject cannot write data to a lower classification level.
→ Prevents leaking sensitive data to less secure areas.
● Example Use: A military document system
○ A user cleared for Secret can:
■ Read Secret and Confidential files
■ Cannot read Top Secret files (No Read Up)
■ Cannot write to Confidential or Unclassified (No Write Down)
● Use in Architecture:
○ Implemented in access control policies for classified systems
○ Applies to file permissions, databases, and cloud tiering 67
Biba Model – Integrity-Focused
● Goal: To prevent unauthorized modification of data. Used when data accuracy and
trustworthiness are paramount (e.g., medical records, financial systems).
● Rules:
1. Simple Integrity Property ("No Read Down")
A subject cannot read data at a lower integrity level.
→ Avoids contamination by untrusted sources.
2. Star Property ("No Write Up")
A subject cannot write to a higher integrity level.
→ Prevents less trusted entities from corrupting more trusted data.
● Example Use: A financial system
○ A junior employee (low integrity level) can:
■ Read their own input data
■ Can read audited, high-integrity data (Reading Up allowed)
■ Cannot overwrite trusted financial reports (No Write Up)
● Use in Architecture:
○ Controls what apps or users can modify sensitive databases or logs
○ Often combined with audit trails and trusted paths 68
Clark-Wilson Model – Transaction Integrity
● Goal: To prevent unauthorized modification of data; used when data accuracy and
trustworthiness are paramount (e.g., medical records, financial systems).
● Key Concepts
○ Well-formed transactions: All data changes must occur through controlled, logged
processes
○ Separation of duties: Different roles are required to initiate, approve, and verify actions
● Example Use: In accounting
○ One user inputs an expense (can’t approve it)
○ Another user reviews and approves (can’t alter it)
○ System logs every action through controlled interfaces
● Use in Architecture:
○ Role-based access controls
○ Enforced workflows (e.g., ERP or banking systems)

69
How Are These Models Used in Practice?
● You don't directly code "Bell-LaPadula rules", but you apply the logic through:
○ Access control mechanisms (ACLs, RBAC)
○ Labeling systems (e.g., SELinux, MAC policies)
○ Security policy engines (like AppArmor or security middleware)
● In secure system architecture:
○ BLP protects secrecy
○ Biba protects data integrity
○ Clark-Wilson ensures business logic and oversight
● They inform policy decisions… Who should be allowed to access what and
under what conditions?

70