chap 1 Flashcards

1
Q

Basic components of security

A

CIA

2
Q

what is confidentiality

give an example

A

keep data and resources hidden

ex: ”For example, military and civilian institutions in the government often restrict access to information to those who need that information. ”

3
Q

Which tool/access control mechanism is used for confidentiality?

how does it support confidentiality?

how can it be used by people that have access to the information?

what is important to protect here besides the information that is considered confidential?

A

-cryptography: it transforms data to make it incomprehensible.

-a cryptographic key ”controls access to the untransformed data”

-the crypto key is also important to protect

4
Q

confidentiality can be used to hide information but also…

A

resources, such as network configurations and the systems they use, so that unauthorized users don't know about them

5
Q

what is integrity about?

-Which are the integrity mechanisms? and what do they do?

A

data integrity (integrity) - data is not corrupt
origin integrity (authentic) - that the source of information is authentic

-Prevention and detection

P: block unauthorized users' attempts
D: analyze system events and report integrity failures

6
Q

Give an example of integrity and authentication where authentication is not correct

A

”A newspaper may print information from a leak at the White House but refer it to the wrong source. The information is printed as received (preserving data integrity), but its source is incorrect (corrupting origin integrity)”

7
Q

explain prevention mechanisms (integrity): ”by blocking any unauthorized attempts to change the data or any attempts to change the data in unauthorized ways.”

A

first: unauthorized attempts - ”The former occurs when a user tries to change data that she has no authority to change” ex: ”Someone breaks into the system and tries to modify the accounting data”

latter: ”when a user authorized to make certain changes in the data tries to change the data in other ways” ex: an authorized user tries to change data by entering the money into a Swiss account instead of maintaining their books.

8
Q

Detection mechanisms are what?

A

they report that the data integrity is not trustworthy, and they analyze the system and report integrity failures

9
Q

availability is about?

A

ensure access to data and resources

10
Q

Attempts to block availability are called

-why are they hard to find?

A

DoS (denial of service) attacks

-hard to find because the analyst must decide whether the unusual access is due to manipulation of resources or to the environment (designed that way)

11
Q

what is a threat?

A

a potential violation of security; it does not have to happen in order to be considered a threat.

12
Q

what is an attack? who carries out attacks? how to prevent threats to the system

A

executed threats that happen

-attackers do them

-CIA

13
Q

4 types of threats

A

-disclosure - unauthorized access to information (snooping)

-deception - acceptance of false data (modification, spoofing, repudiation of origin, denial of receipt, fabrication)

-disruption - modification

-usurpation - unauthorized control of some parts of a system

14
Q

snooping, which of the CIA services tries to prevent this

A

unauthorized access to another person's data. ex: passively looking at email that appears or at what happens on another computer screen, or watching while someone else is typing.

confidentiality services

15
Q

modification is what, which CIA service tries to prevent this

A

an unauthorized change of information; it's active and it results from an entity changing information.

16
Q

active wiretapping is what. an example. which CIA service is trying to prevent this

A

when data is moving on the network, new data is injected or other parts of the data are deleted. it's active. ex: man-in-the-middle

-integrity service

17
Q

masquerading/spoofing. give an example. which CIA service tries to prevent this

A

one entity claims to be someone it is not. ex: a user tries to read a web page but an attacker has arranged for the user to be given another page. (can be either passive or active)

integrity tries to solve this

18
Q

which masquerading is allowed?

A

delegation: Susan delegates to Thomas the authority to act on her behalf, by saying ”I'm Thomas, on Susan's behalf.”

19
Q

repudiation of origin is what. give example

A

a false denial that an entity sent something.

ex: a customer sends an iPhone to a vendor and agrees to pay for the product. the vendor sends the iPhone and demands the payment. the customer receives it and according to law can keep it because the vendor should ship when the product is paid for.

integrity service tries to solve this

20
Q

denial of receipt is what. example of it. which mechanism tries to prevent this?

A

a false denial that an entity received information. ex: I order an iPhone and the vendor doesn't ship before payment. I ask when I will get the iPhone even though she has it; only the vendor can prove she got it by receiving it. integrity and availability mechanisms try to prevent this

21
Q

Delay is what. give examples of it. which CIA mechanism tries to solve this?

A

temporarily interrupting a service. ex: an attacker forces a delivery to take more time than usual; the attack has succeeded in delaying delivery. it can be two people sending email

-availability

22
Q

what is policy?

A

it says what is and what is not allowed. can be expressed in text or mathematics

23
Q

what is a mechanism? and what is a mechanism's relation to policies? give an example of a mechanism

A

a mechanism is a tool, method or procedure for controlling a system, e.g. to enforce the policy.

ex: the requirement that a user have a password to authenticate herself before using a computer.

24
Q

what is composition of policies, give example

A

if policies conflict, they might create security vulnerabilities. they need to agree on what to do. ex: if one policy allows students and faculty to access all data and another one allows only faculty access to all the data, then it must be resolved

25
Q

goal of security in security policies

A

prevention - prevent an attacker from violating the security policy, ex: passwords

detection - detect an attacker's violation of the security policy, ex: a warning when someone writes the wrong password 4 times

recovery - stop the attack, assess and repair the damage, ex: a file is deleted, take it back from backup; continue to work correctly even though under attack

26
Q

assurance is about what? give an example of what they consider as assurance in medicine

A

how much to trust a system.

-in medicine if the medicine is delivered in a box that will get destroyed if doctors put other chemical things in it, the box will break. thereby they consider it as safe from other chemicals.

27
Q

cost benefit analysis is measured how

example

A

benefit of computer security against the total cost if the system is attacked

if a company has a database with information about people's salaries, the analyst must decide what it costs if the salary info is revealed, including lawsuits, changes in policy and personnel, and the effect on future business. these need to be taken into account when considering paying for an integrity mechanism for protecting the database

28
Q

risk analysis decides what?

A

if an asset should be protected and to what level, and the potential of a threat happening.

29
Q

laws and customs: do they affect mechanisms and policies?

A

yes, they need to take into account laws and legal considerations. ex: if a hacker downloads my files and it's illegal, and the user observes it, they have read the attacker and that is illegal.

30
Q

implementing computer security controls is complex, why?

A

because they can be hard to understand, or if they are used incorrectly they can be useless and dangerous.

31
Q

organizational problems

A

the responsible people have the power to enforce it, ex: security mechanisms.

problem with the security aspect:
ex: the security admin is responsible for security but the security officer can make the rules.

32
Q

people problems:

A

outsiders and insiders can be seen as threats, authorized or not to use the computer.

a security problem is also that insiders cause 90% of problems

33
Q
A
34
Q

social engineering

A

manipulate other people to break in and get information. ex: phishing, where the email seems serious and you want people to click on a link and enter information

35
Q
A