Basic Security Terminology Flashcards

1
Q

What does a system contain?

A
  • Assets
2
Q

What is an asset of a system?

A
  • Functionality users depend on
  • Data that is accepted, stored, manipulated or transmitted by the system
3
Q

What is a weakness?

A
  • Underlying defect that modifies behavior or functionality (resulting in incorrect behavior) or allows unverified or incorrect access to data
4
Q

If a weakness is vulnerable to external influence what does this mean?

A
  • The weakness is exploitable
5
Q

If a weakness is exploitable what is it called?

A
  • A vulnerability
6
Q

What is an actor?

A
  • An individual or process external to the system
7
Q

If an actor has malicious intent what are the potential consequences?

A
  • They may try to exploit a vulnerability
8
Q

What causes a threat event?

A
  • An actor with malicious intent tries to exploit a vulnerability by altering conditions to create opportunities to attempt exploitation
9
Q

What is a threat event?

A
  • When an adversary makes an attempt (successful or not) to exploit a vulnerability with an intended objective or outcome
10
Q

What creates value in a system?

A
  • A combination of data and functionality
11
Q

What is meant by exploitability?

A

A measure of how easily an attacker can make use of a weakness to cause harm

12
Q

What is a vulnerability?

A

A means for an adversary with malicious intent to cause some sort of damage to a system by exploiting a weakness in the system

13
Q

What is a zero-day vulnerability?

A

Vulnerabilities that exist in a system but have not previously been discovered

14
Q

How are zero-day vulnerabilities different from other vulnerabilities?

A

They are likely to be unresolved and the potential for exploitation may be elevated.

15
Q

What is the CWE database?

A

The Common Weakness Enumeration database is a taxonomy of security weaknesses

16
Q

What is the CWE database used for?

A

It’s referenced when investigating system design concerns

17
Q

What is meant by severity of a weakness?

A

The amount of damage that can be caused by successful exploitation of a vulnerability

18
Q

What is Impact?

A

If a weakness or vulnerability is exploited there will be some impact to the system

19
Q

How is severity related to impact?

A

When assessing severity the impact is a measure of the potential loss of functionality/data as a result of the successful exploitation of a weakness or vulnerability

20
Q

What is an actor with malicious intent called?

A

An adversary

22
Q

What is a threat?

A

A non-zero probability of an attacker taking advantage of a vulnerability to negatively impact the system in a particular way

23
Q

When does loss occur?

A

Loss occurs when one (or more) impacts affect functionality and/or data as a result of an adversary causing a threat event

24
Q

What is risk?

A

A combination of the potentially exploited target’s value, costs to mitigate, and the likelihood a negative impact may be realized

25
Q

How is risk used?

A

Used to decide on the priority of an issue and to decide whether to fix the issue

26
Q

What does CVSS stand for?

A

Common Vulnerability Scoring System

27
Q

What is the purpose of CVSS scores?

A

It identifies severity and its components

28
Q

What is a CVSS score?

A

It’s a calculation used to determine the severity of an issue.

29
Q

What is a CVSS score based on?

A

It’s based upon the likelihood of a successful exploitation of a vulnerability, and a measurement of potential impact (or damage)

30
Q

What does a CVSS score not tell you?

A

A measure of the risk of an attacker exploiting the vulnerability

31
Q

What is the foundation on which all things security are built?

A
  • confidentiality
  • integrity
  • availability
32
Q

How does a system achieve confidentiality?

A

It has to guarantee access to the data entrusted to it exclusively to those who have the appropriate rights, based on their need to know the protected information

33
Q

When does Integrity exist?

A

When the following conditions are met:

  • When the authenticity of data or operations can be verified.
  • The data or functionality has not been modified or made unauthentic through unauthorized activity
34
Q

What does availability mean in the context of the core security pillars?

A

Authorized actors are able to access system functionality and/or data whenever they have the need or desire to do so

35
Q

When is availability compromised?

A

When the system is unavailable because of a malicious action by an adversary

36
Q

What is privacy?

A

The right of not having information exposed to unauthorized third parties

37
Q

What is a prerequisite for privacy?

A

Confidentiality

38
Q

To support many security objectives what must an actor be granted?

A
  • A unique identifier meaningful to the system
39
Q

What must-have information is associated with an identity?

A
  • Information that allows a system to positively identify the actor
40
Q

How is identity proven to a system?

A
  • Using credentials such as passwords or security tokens
41
Q

What is authentication?

A
  • Actors using a system provide satisfactory proof of their identity so the system can verify it’s communicating with the right actor
43
Q

What is a prerequisite to authorization in a system?

A
  • A user must be authenticated with the system
44
Q

What is authorization in a system?

A
  • A user is granted privileges within the system, based on an authorization scheme, to perform operations or access functionality or data
45
Q

When an actor is authenticated with a system, what is the system able to do?

A
  • The system can assign rights to the actor
46
Q

What does MAC stand for in the context of an access control scheme?

A
  • Mandatory Access Control scheme
47
Q

What is the MAC control scheme?

A
  • System constrains the authorization of actors
48
Q

What does DAC stand for in the context of an access control scheme?

A
  • Discretionary Access Control
49
Q

What is the discretionary access control scheme?

A
  • Actors can define privileges for operations
50
Q

What does RBAC stand for in the context of access control schemes?

A
  • Role Based Access Control
51
Q

What is role based access control?

A
  • Actors are grouped by meaningful ‘roles’ and these roles define privilege assignments
52
Q

What is capability based access control?

A
  • Authorization subsystem assigns rights through tokens that actors must request (and be granted) in order to perform operations
53
Q

What is zero trust?

A
  • A common approach to system design and security compliance
54
Q

What is assumed with zero-trust?

A
  • The best outcome is assumed for an operation and any prior trust relationship is ignored. Verification takes place before establishing a trust relationship for each operation
55
Q

What is Design by Contract?

A
  • Assumes whenever a client calls a server the input coming from the client will be of a certain fixed format and will not deviate from it.
56
Q

What does Design by Contract address?

A
  • zero trust by ensuring every interaction follows a fixed protocol
57
Q

What is the principle of least privilege?

A
  • an operation should run with only the most restrictive privilege level that still enables the operation to succeed
58
Q

What is an authorization context?

A
  • An operating system, an application, or a database
59
Q

When does the principle of least privilege apply?

A
  • for every system that has an authorization context
60
Q

What is defense in depth?

A
  • A multifaceted and layered approach to defend a system and its assets
61
Q

What is considered an effective ‘layer’ in defense in depth?

A
  • Any factor that acts as a ‘bump in the road’ and makes an attack costlier in terms of time, money, or complexity
62
Q

What is meant by ‘no secret sauce’?

A
  • Don’t rely on obscurity as a means of security. System design should be resilient to attack even if every detail is known and published.
63
Q

What is meant by ‘separation of privilege’?

A
  • Segregating access to functionality or data within the system so one actor doesn’t hold all the rights
64
Q

What is an example of ‘separation of privilege’?

A
  • A person (or process) makes a request for an operation to occur and sets the parameters, but another user or process is required to authorize the transaction before it proceeds.
65
Q

What is the goal of ‘separation of privilege’?

A
  • Prevents a single entity from performing malicious activities unimpeded or without oversight
66
Q

What does it mean to ‘consider the human factor’?

A
  • Decide on how much security will be acceptable to users
67
Q

What are the implications of not ‘considering the human factor’?

A
  • Users stop using the system
  • Users find workarounds to bypass security measures
  • Management stops supporting security because it impairs productivity
68
Q

What does a security analysis need to answer from looking at logs?

A
  • Who performed an action that caused an event to be recorded?
  • When was the action performed or the event recorded?
  • What data or functionality was accessed by the process or user?
69
Q

What is nonrepudiation?

A
  • Having a set of transactions indicating who did what
  • Each transaction has integrity maintained as a property
70
Q

What is meant by ‘fail secure’?

A
  • when the system encounters an error condition it doesn’t reveal too much information to a potential adversary
71
Q

What is meant by ‘fail secure’ in the context of a component or logic?

A
  • if failure occurs the result is a secure one
72
Q

What is meant by ‘built in, not bolted on’?

A
  • Security, privacy, safety should be fundamental properties of the system and any security features of the system should be built in from the beginning