Ch. 1 - Vocab

Question 1

attack surface

Answer 1

reachable and exploitable vulnerabilities in a system

Question 2

active attack

Answer 2

an attempt to alter system resources or affect their operation

Question 3

disruption

Answer 3

interrupts or prevents correct operation of system services, consists of incapacitation, corruption, and obstruction

Question 4

exposure

Answer 4

direct release of sensitive information

Question 5

falsification

Answer 5

altering valid data or introducing false data

Question 6

attack

Answer 6

threat that is carried out

Question 7

interception

Answer 7

receiving communications intended for another device

Question 8

intrusion

Answer 8

adversary gaining unauthorized access to sensitive data by overcoming system’s access control protections

Question 9

authentication

Answer 9

verifying that users are who they say they are

Question 10

misappropriation

Answer 10

a theft of service

Question 11

availability

Answer 11

assure systems work promptly and service is not denied to authorized users

Question 12

complete mediation

Answer 12

every access must be checked against the access control mechanism

Question 13

confidentiality

Answer 13

preserving restrictions on information access and disclosure

Question 14

unauthorized disclosure

Answer 14

event where entity gains unauthorized access to data

Question 15

countermeasure

Answer 15

any means taken to deal with a security attack

Question 16

data confidentiality

Answer 16

sensitive data is not disclosed to unauthorized individuals

Question 17

data integrity

Answer 17

data is changed only in an authorized manner

Question 18

economy of mechanism

Answer 18

hardware and software should be as simple and small as possible

Question 19

encapsulation

Answer 19

internal structure of an object is accessible only to the procedures of a protected subsystem

Question 20

fail-safe defaults

Answer 20

default situation is lack of access

Question 21

falsification

Answer 21

altering valid data or introducing false data

Question 22

inside attack

Answer 22

initialized by an entity inside the security perimeter, authorized to access system resources, but using them in a way not approved

Question 23

isolation

Answer 23

• public access systems should be isolated from critical resources
• processes should be isolated from one another
• security mechanism should be isolated

Question 24

layering

Answer 24

use of multiple, overlapping protection approaches, to prevent breaches from failures of individual approaches

Question 25

least astonishment

Answer 25

user interface should always respond in a way that is least likely to astonish the user

Question 26

least common mechanism

Answer 26

minimize the functions shared by different users

Question 27

least privilege

Answer 27

every process/user of the system should operate using the minimum amount of privileges necessary to perform the task

Question 28

modularity

Answer 28

development of security functions as separate protected modules, and use of modular architecture for mechanism design

Question 29

open design

Answer 29

design of a security mechanism should be open rather than secret

Question 30

integrity

Answer 30

guarding against improper information modification or destruction

Question 31

passive attack

Answer 31

an attempt to learn from the system that does not affect system resources

Question 32

prevent

Answer 32

create a situation where an attack does not happen in the first place

Question 33

psychological acceptability

Answer 33

security mechanisms should not interfere with the work of users

Question 34

replay

Answer 34

passive capture of a data unit and its subsequent retransmission to produce unauthorized effect

Question 35

separation of privilege

Answer 35

multiple privilege attributes are required to achieve access to a restricted resource

Question 36

system integrity

Answer 36

system performs its intended function in an unimpaired manner

Question 37

traffic analysis

Answer 37

observing the pattern of messages, taking note of the location and identity of the communicating hosts and observing the frequency and length of messages

Question 38

privacy

Answer 38

individuals control what information related to them may be collected

Question 39

deception

Answer 39

where an authorized entity receives false data and believes it to be true, consists of masquerades, falsification, and repudiation

Question 40

access control

Answer 40

limit information system access to authorized users, and the types of transactions that authorized users are permitted to exercise

Question 41

adversary (threat agent)

Answer 41

entity that conducts detrimental activities

Question 42

asset

Answer 42

system resource which users/owners wish to protect

Question 43

assurance

Answer 43

having the confidence that the system operates such that the system’s security policy is enforced

Question 44

attack tree

Answer 44

branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities

Question 45

corruption

Answer 45

system resources are made to operate in an unintended manner

Question 46

denial of service

Answer 46

inhibits the normal use of communication facilities

Question 47

evaluation

Answer 47

process of examining a computer product or system with respect to certain criteria

Question 48

incapacitation

Answer 48

a means of disabling a system or its services

Question 49

inference

Answer 49

entity indirectly accesses sensitive data by reasoning from characteristics

Question 50

masquerade

Answer 50

attempt by unauthorized user to gain access to a system by posing as an authorized user

Question 51

misuse

Answer 51

cause system component to perform a service that is detrimental to system security

Question 52

obstruction

Answer 52

interrupts delivery of system services

Question 53

repudiation

Answer 53

user denies sending/receiving data

Question 54

outside attack

Answer 54

initiated from outside the perimeter, by an unauthorized user of the system

Question 55

risk

Answer 55

extent to which an entity is threatened by potential circumstance, a function of impact and likelihood

Question 56

usurpation

Answer 56

event that results in unauthorized control of system services

Question 57

vulnerabilities

Answer 57

weakness that can be exploited by a threat source