CH13

Question 1

The three security levels include _________ security, ______ security, and __________ security.

Answer 1

Infrastructure, Application, Operational.

Question 2

Name the security level:
which is concerned with maintaining the security of all systems and networks that provide an infrastructure and a set of shared services to the organization.

Answer 2

Infrastructure security

Question 3

Name the security level:
which is concerned with the security of individual application systems or related groups of systems.

Answer 3

Application security

Question 4

Name the security level:
which is concerned with the secure operation and use of the organization’s systems.

Answer 4

Operational security

Question 5

Application security is a software engineering problem where the system is _________ to resist attacks.

Answer 5

designed

Question 6

Infrastructure security is a systems management problem where the infrastructure is ________ to resist attacks.

Answer 6

configured

Question 7

___________ is the tools, techniques and methods to support the development and maintenance of systems that can resist malicious attacks that are intended to damage a computer-based system or its data.

Answer 7

Security engineering

Question 8

What are the 3 security dimensions?

Answer 8

• Confidentiality
• Integrity
• Availability

Question 9

Name the security dimension:
Access to a system or its data that is normally available may not be possible.

Answer 9

Availability

Question 10

Name the security dimension:
Information in a system may be disclosed or made accessible to people or programs that are not authorized to have access to that information.

Answer 10

Confidentiality

Question 11

Name the security dimension:
Information in a system may be damaged or corrupted making it unusual or unreliable.

Answer 11

Integrity

Question 12

T/F: Application Security is primarily a human and social issue, concerned with ensuring the people do not take actions that may compromise system security.

Answer 12

F, Operational Security not application security

Question 13

The ________ of a system is a system property that reflects the system’s ability to protect itself from accidental or deliberate external attack.

Answer 13

security

Question 14

Security is essential as most systems are networked so that external access to the system through _________ is possible.

Answer 14

the Internet

Question 15

________ is an essential pre-requisite for availability, reliability and safety.

Answer 15

Security

Question 16

If a system is a networked system and is insecure then statements about its reliability and its safety are _______.

Answer 16

unreliable

Question 17

Name threat type:
________ threats that allow an attacker to gain access to an asset.
ex. A possible threat to the Mentcare system might be a situation where an attacker gains access to the records of an individual patient.

Answer 17

Interception

Question 18

_________ threats that allow an attacker to make part of the system unavailable.
ex. A possible threat might be a denial of service attack on a system database server so that database connections become impossible.

Answer 18

Interruption

Question 19

_________ threats that allow an attacker to tamper with a system asset.
ex. In the Mentcare system, a modification threat would be where an attacker alters or destroys a patient record.

Answer 19

Modification

Question 20

________ threats that allow an attacker to insert false information into a system.
ex. a threat in a banking system, where false transactions might be added to the system that transfer money to the perpetrator’s bank account.

Answer 20

Fabrication

Question 21

Name the 3 ways in which security can be assured?

Answer 21

• Vulnerability avoidance
• Attack detection and elimination
• Exposure limitation and recovery

Question 22

_______ is a system characteristic that reflects its ability to resist and recover from damaging events.

Answer 22

Resilience

Question 23

T/F: it is very difficult to make an insecure system secure after it has been designed or implemented.

Answer 23

T, Security should be designed into a system

Question 24

Adding security features to a system to enhance its security affects other attributes of the system such as ________ and ________.

Answer 24

Performance;
Additional security checks slow down a system so its response time or throughput may be affected.

Usability;
Security measures may require users to remember information or require additional interactions to complete a transaction. This makes the system less usable and can frustrate system users.

Question 25

Two fundamental issues have to be considered when designing an architecture for security are ________ and _________.

Answer 25

Protection and Distribution

Question 26

T/F: Considering protection and distribution when designing security architecture is potentially conflicting.

Answer 26

T, If assets are distributed, then they are more expensive to protect. If assets are protected, then usability and performance requirements may be compromised.

Question 27

________ protection, ________ protection, and ________ protection lead to a layered protection architecture.

Answer 27

Platform-level, application-level, record-level

Question 28

__________ protection is the specific protection mechanisms built into the application itself e.g. additional password protection.

Answer 28

Application-level

Question 29

________ protection is protection that is invoked when access to specific information is requested.

Answer 29

Record-level

Question 30

__________ protection is the top-level controls on the platform on which a system runs.

Answer 30

Platform-level

Question 31

Programs without array bound checking can crash so actions taken to improve program _______ can also improve system ________.

Answer 31

reliability, security.

Question 32

T/F: Vulnerabilities are often language-specific.

Answer 32

True

Question 33

Name 4 dependable programming guidelines:

Answer 33

1. Limit the visibility of information in a program
2. Check all inputs for validity
3. Provide a handler for all exceptions
4. Minimize the use of error-prone constructs
5. Provide restart capabilities
6. Check array bounds
7. Include timeouts when calling external components
8. Name all constants that represent real-world values

Question 34

___________ is testing the extent to which the system can protect itself from external attacks

Answer 34

Security testing

Question 35

A team is established whose goal is to breach the security of the system by simulating attacks on the system.
This is _________ testing

Answer 35

Penetration

Question 36

The system is reviewed and analysed against the types of attack that are known to the validation team.
This is ___________ testing.

Answer 36

Experience-based

Question 37

Various security tools such as password checkers are used to analyse the system in operation.
This is ____________ analysis.

Answer 37

Tool-based

Question 38

The system is verified against a formal security specification.
This is ________ verification

Answer 38

Formal

Question 39

Name the 4 ways in which security is validated:

Answer 39

• Experience-based testing
• Penetration testing
• Tool-based analysis
• Formal verification