Basic Security Terminology Flashcards
What does a system contain?
- Assets
What is an asset of a system?
- Functionality users depend on
- Data that is accepted, stored, manipulated or transmitted by the system
What is a weakness?
- Underlying defect that modifies behavior or functionality (resulting in incorrect behavior) or allows unverified or incorrect access to data
If a weakness is vulnerable to external influence what does this mean?
- The weakness is exploitable
If a weakness is exploitable what is it called?
- A vulnerability
What is an actor?
- An individual or process external to the system
If an actor has malicious intent what are the potential consequences?
- They may try to exploit a vulnerability
What causes a threat event?
- An actor with malicious intent tries to exploit a vulnerability by altering conditions to create opportunities to attempt exploitation
What is a threat event?
- When an adversary makes an attempt (successful or not) to exploit a vulnerability with an intended objective or outcome
What creates value in a system?
- A combination of data and functionality
What is meant by exploitability?
A measure of how easily an attacker can make use of a weakness to cause harm
What is a vulnerability?
A means for an adversary with malicious intent to cause some sort of damage to a system by exploiting a weakness in the system
What is a zero-day vulnerability?
Vulnerabilities that exist in a system that are previously undiscovered
How are zero-day vulnerabilities different from other vulnerabilities?
They are likely to be unresolved and the potential for exploitation may be elevated.
What is the CWE database?
The Common Weakness Enumeration database is a taxonomy of security weaknesses
What is the CWE database used for?
It’s referenced when investigating system design concerns
What is meant by severity of a weakness?
The amount of damage that can be caused by successful exploitation of a vulnerability
What is Impact?
If a weakness or vulnerability is exploited there will be some impact to the system
How is severity related to impact?
When assessing severity the impact is a measure of the potential loss of functionality/data as a result of the successful exploitation of a weakness or vulnerability
What is an actor with malicious intent called?
An adversary
What is a threat?
A non-zero probability of an attacker taking advantage of a vulnerability to negatively impact the system in a particular way
When does loss occur?
Loss occurs when one (or more) impacts affect functionality and/or data as a result of an adversary causing a threat event
What is risk?
A combination of the potentially exploited target’s value, costs to mitigate, and the likelihood a negative impact may be realized
How is risk used?
Used to decide on the priority of an issue and to decide whether to fix the issue
What does CVSS stand for?
Common Vulnerability Scoring System
What is the purpose of CVSS scores?
It identifies severity and its components
What is a CVSS score?
It’s a calculation used to determine the severity of an issue.
What is a CVSS score based on?
It’s based upon the likelihood of a successful exploitation of a vulnerability, and a measurement of potential impact (or damage)
What does a CVSS score not tell you?
A measure of the risk of an attacker exploiting the vulnerability
What is the foundation on which all things security are built?
- confidentiality
- integrity
- availability
How does a system achieve confidentiality?
It has to guarantee access to the data entrusted to it exclusively to those who have the appropriate rights, based on their need to know the protected information
When does Integrity exist?
When the following conditions are met:
- When the authenticity of data or operations can be verified.
- The data or functionality has not been modified or made unauthentic through unauthorized activity
What does availability mean in the context of the core security pillars?
Authorized actors are able to access system functionality and/or data whenever they have the need or desire to do so
When is availability compromised?
When the system is unavailable because of a malicious action by an adversary
What is privacy?
The right of not having information exposed to unauthorized third parties
What is a prerequisite for privacy?
Confidentiality
To support many security objectives what must an actor be granted?
- A unique identifier meaningful to the system
What must-have information is associated with an identity?
- Information that allows a system to positively identify the actor
How is identity proven to a system?
- using credentials such as passwords or security tokens
What is authentication?
- Actors using a system provide satisfactory proof of their identity so the system can verify it’s communicating with the right actor
What is a prerequisite to authorization in a system?
- A user must be authenticated with the system
What is authorization in a system?
- A user is granted privileges within the system, based on an authorization scheme, to perform operations or access functionality or data
When an actor is authenticated with a system what is the system able to do?
- The system can assign rights to the actor
What does MAC stand for in the context of an access control scheme?
- Mandatory Access Control scheme
What is the MAC control scheme?
- System constrains the authorization of actors
What does DAC stand for in the context of an access control scheme?
- Discretionary Access Control
What is the discretionary access control scheme?
- Actors can define privileges for operations
What does RBAC stand for in the context of access control schemes?
- Role Based Access Control
What is role based access control?
- Actors are grouped by meaningful ‘roles’ and these roles define privilege assignments
What is capability based access control?
- Authorization subsystem assigns rights through tokens that actors must request (and be granted) in order to perform operations
What is zero trust?
- A common approach to system design and security compliance
What is assumed with zero-trust?
- The best outcome is assumed for an operation and any prior trust relationship is ignored. Verification takes place before establishing a trust relationship for each operation
What is Designed by Contract?
- Assumes whenever a client calls a server the input coming from the client will be of a certain fixed format and will not deviate from it.
What does Designed by Contract address?
- zero trust by ensuring every interaction follows a fixed protocol
What is the principle of least privilege?
- an operation should run with only the most restrictive privilege level that still enables the operation to succeed
What is an authorization context?
- an operating system, an application, databases
When does the principle of least privilege apply?
- for every system that has an authorization context
What is defense in depth?
- a multifaceted and layered approach to defend a system and its assets
What is considered an effective ‘layer’ in defense in depth?
- any factor that acts as a ‘bump in the road’ and makes an attack costlier in terms of time, money, complexity
What is meant by ‘no secret sauce’?
- Don’t rely on obscurity as a means of security. System design should be resilient to attack even if every detail is known and published.
What is meant by ‘separation of privilege’?
- Segregating access to functionality or data within the system so one actor doesn’t hold all the rights
What is an example of ‘separation of privilege’?
- A person (or process) makes a request for an operation to occur and sets the parameters but another user or process is required to authorize the transaction to proceed.
What is the goal of ‘separation of privilege’?
- Prevents a single entity from performing malicious activities unimpeded or without oversight
What does it mean to ‘consider the human factor’?
- Decide on how much security will be acceptable to users
What are the implications of not ‘considering the human factor’?
- Users stop using the system
- Users find workarounds to bypass security measures
- Management stops supporting security because it impairs productivity
What does a security analysis need to answer from looking at logs?
- Who performed an action that caused an event to be recorded?
- When was the action performed or the event recorded?
- What data or functionality was accessed by the process or user?
What is nonrepudiation?
- have a set of transactions indicating who did what.
- each transaction has integrity maintained as a property
What is meant by ‘fail secure’?
- when the system encounters an error condition it doesn’t reveal too much information to a potential adversary
What is meant by ‘fail secure’ in the context of a component or logic?
- if failure occurs the result is a secure one
What is meant by ‘built in, not bolt on’?
- Security, privacy, safety should be fundamental properties of the system and any security features of the system should be built in from the beginning