CH13 [in final] Flashcards
Security Engineering
The three security levels include _________ security, ______ security, and __________ security.
Infrastructure, Application, Operational.
Name the security level:
which is concerned with maintaining the security of all systems and networks that provide an infrastructure and a set of shared services to the organization.
Infrastructure security
Name the security level:
which is concerned with the security of individual application systems or related groups of systems.
Application security
Name the security level:
which is concerned with the secure operation and use of the organization’s systems.
Operational security
Application security is a software engineering problem where the system is _________ to resist attacks.
designed
Infrastructure security is a systems management problem where the infrastructure is ________ to resist attacks.
configured
___________ is the tools, techniques and methods to support the development and maintenance of systems that can resist malicious attacks that are intended to damage a computer-based system or its data.
Security engineering
Confidentiality, Integrity, Availability are the three Security __________.
dimensions
Name the security dimension:
Access to a system or its data that is normally available may not be possible.
Availability
Name the security dimension:
Information in a system may be disclosed or made accessible to people or programs that are not authorized to have access to that information.
Confidentiality
Name the security dimension:
Information in a system may be damaged or corrupted, making it unusable or unreliable.
Integrity
T/F: Application Security is primarily a human and social issue, concerned with ensuring that people do not take actions that may compromise system security.
F, Operational Security, not Application Security
The ________ of a system is a system property that reflects the system’s ability to protect itself from accidental or deliberate external attack.
security
Security is essential as most systems are networked so that external access to the system through _________ is possible.
the Internet
________ is an essential pre-requisite for availability, reliability and safety.
Security
If a system is a networked system and is insecure then statements about its reliability and its safety are _______.
unreliable
Name the threat type:
________ threats that allow an attacker to gain access to an asset.
ex. A possible threat to the Mentcare system might be a situation where an attacker gains access to the records of an individual patient.
Interception
_________ threats that allow an attacker to make part of the system unavailable.
ex. A possible threat might be a denial of service attack on a system database server so that database connections become impossible.
Interruption
_________ threats that allow an attacker to tamper with a system asset.
ex. In the Mentcare system, a modification threat would be where an attacker alters or destroys a patient record.
Modification
________ threats that allow an attacker to insert false information into a system.
ex. A threat in a banking system, where false transactions might be added to the system that transfer money to the perpetrator’s bank account.
Fabrication
Name the 3 ways in which security can be assured:
- Vulnerability avoidance
- Attack detection and elimination
- Exposure limitation and recovery
_______ is a system characteristic that reflects its ability to resist and recover from damaging events.
Resilience
T/F: It is very difficult to make an insecure system secure after it has been designed or implemented.
T, Security should be designed into a system
Adding security features to a system to enhance its security affects other attributes of the system such as ________ and ________.
Performance;
Additional security checks slow down a system so its response time or throughput may be affected.
Usability;
Security measures may require users to remember information or require additional interactions to complete a transaction. This makes the system less usable and can frustrate system users.
Two fundamental issues that have to be considered when designing an architecture for security are ________ and _________.
Protection and Distribution
T/F: Protection and distribution are potentially conflicting considerations when designing a security architecture.
T, If assets are distributed, then they are more expensive to protect. If assets are protected, then usability and performance requirements may be compromised.
________ protection, ________ protection, and ________ protection lead to a layered protection architecture.
Platform-level, application-level, record-level
__________ protection is the specific protection mechanisms built into the application itself e.g. additional password protection.
Application-level
________ protection is protection that is invoked when access to specific information is requested.
Record-level
__________ protection is the top-level controls on the platform on which a system runs.
Platform-level
Programs without array bounds checking can crash, so actions taken to improve program _______ can also improve system ________.
reliability, security.
T/F: Vulnerabilities are often language-specific.
True
Name 4 dependable programming guidelines:
- Limit the visibility of information in a program
- Check all inputs for validity
- Provide a handler for all exceptions
- Minimize the use of error-prone constructs
- Provide restart capabilities
- Check array bounds
- Include timeouts when calling external components
- Name all constants that represent real-world values
___________ is testing the extent to which the system can protect itself from external attacks.
Security testing
A team is established whose goal is to breach the security of the system by simulating attacks on the system.
This is _________ testing.
Penetration
The system is reviewed and analysed against the types of attack that are known to the validation team.
This is ___________ testing.
Experience-based
Various security tools such as password checkers are used to analyse the system in operation.
This is ____________ analysis.
Tool-based
The system is verified against a formal security specification.
This is ________ verification.
Formal
Name the 4 ways in which security is validated:
- Experience-based testing
- Penetration testing
- Tool-based analysis
- Formal verification