Chapter 1

Question 1

Computer Security:

Answer 1

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Question 2

Data confidentiality:

Answer 2

Assures that private or confidential information is not made available or disclosed to unauthorized individuals.

Question 3

Privacy:

Answer 3

Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.

Question 4

Data integrity:

Answer 4

Assures that information and programs are changed only in a specified and authorized manner.

Question 5

System integrity:

Answer 5

Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system

Question 6

Availability:

Answer 6

Assures that systems work promptly and service is not denied to authorized users.

Question 7

Confidentiality:

Answer 7

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information

Question 8

Integrity:

Answer 8

Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A los

Question 9

Availability:

Answer 9

Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

Question 10

Authenticity:

Answer 10

The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

Question 11

Accountability:

Answer 11

The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Because truly secure systems are not yet an achievable goal, we must be able to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.

Question 12

Low:

Answer 12

The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

Question 13

Moderate:

Answer 13

The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss might (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious, life-threatening injuries.

Question 14

High:

Answer 14

The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss might (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

Question 15

Adversary (threat agent)

Answer 15

An entity that attacks, or is a threat to, a system.

Question 16

Attack

Answer 16

An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system

Question 17

Countermeasure

Answer 17

An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken

Question 18

Risk

Answer 18

An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.

Question 19

Security Policy

Answer 19

A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

Question 20

System Resource (Asset)

Answer 20

Data contained in an information system; or a service provided by a system; or a system capability, such as processing power or communication bandwidth; or an item of system equipment (i.e., a system component— hardware, firmware, software, or documentation); or a facility that houses system operations and equipment.

Question 21

Threat

Answer 21

A potential for violation of security, which exists when there is a circumstance, capability, action, or event, that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability

Question 22

Vulnerability

Answer 22

A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.

Question 23

Hardware:

Answer 23

Including computer systems and other data processing, data storage, and data communications devices

Question 24

Software:

Answer 24

Including the operating system, system utilities, and applications

Question 25

Data:

Answer 25

Including files and databases, as well as security-related data, such as password files.

Question 26

Communication facilities and networks:

Answer 26

Local and wide area network communication links, bridges, routers, and so on.

Question 27

In the context of security, our concern is with the vulnerabilities of system resources. [NRC02] lists the following general categories of vulnerabilities of a computer system or network asset

It can be ________ so that it does the wrong thing or gives wrong answers. For example, stored data values may differ from what they should be because they have been improperly modified.

Answer 27

It can be corrupted, so that it does the wrong thing or gives wrong answers. For example, stored data values may differ from what they should be because they have been improperly modified.

Question 28

In the context of security, our concern is with the vulnerabilities of system resources. [NRC02] lists the following general categories of vulnerabilities of a computer system or network asset

It can become _____. For example, someone who should not have access to some or all of the information available through the network obtains such access.

Answer 28

It can become leaky. For example, someone who should not have access to some or all of the information available through the network obtains such access.

Question 29

In the context of security, our concern is with the vulnerabilities of system resources. [NRC02] lists the following general categories of vulnerabilities of a computer system or network asset

It can become ________ or very slow. That is, using the system or network becomes impossible or impractical.

Answer 29

It can become unavailable or very slow. That is, using the system or network becomes impossible or impractical.

Question 30

Corresponding to the various types of vulnerabilities to a system resource are _______ that are capable of exploiting those vulnerabilities. A ______ represents a potential security harm to an asset. An _____ is a threat that is carried out (_____ ______) and, if successful, leads to an undesirable violation of security, or threat consequence. The agent carrying out the ______ referred to as an ______ or _____ agent. We can distinguish two types of attacks:

Answer 30

Corresponding to the various types of vulnerabilities to a system resource are threats that are capable of exploiting those vulnerabilities. A threat represents a potential security harm to an asset. An attack is a threat that is carried out (threat action) and, if successful, leads to an undesirable violation of security, or threat consequence. The agent carrying out the attack is referred to as an attacker, or threat agent. We can distinguish two types of attacks:

Question 31

Active attack:

Answer 31

An attempt to alter system resources or affect their operation

Question 32

Passive attack:

Answer 32

An attempt to learn or make use of information from the system that does not affect system resources.

Question 33

We can also classify attacks based on the origin of the attack:

Inside attack:

Answer 33

Initiated by an entity inside the security perimeter (an “insider”). The insider is authorized to access system resources but uses them in a way not approved by those who granted the authorization.

Question 34

We can also classify attacks based on the origin of the attack:

Outside attack:

Answer 34

Initiated from outside the perimeter, by an unauthorized or illegitimate user of the system (an “outsider”). On the Internet, potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hostile governments.

Question 35

Exposure:

Answer 35

Exposure: This can be deliberate, as when an insider intentionally releases sensitive information, such as credit card numbers, to an outsider. It can also be the result of a human, hardware, or software error, which results in an entity gaining unauthorized knowledge of sensitive data. There have been numerous instances of this, such as universities accidentally posting student confidential information on the Web.

Question 36

Unauthorized Disclosure

Answer 36

A circumstance or event whereby an entity gains access to data for which the entity is not authorized.

Question 37

Interception:

Answer 37

Interception is a common attack in the context of communications. On a shared local area network (LAN), such as a wireless LAN or a broadcast Ethernet, any device attached to the LAN can receive a copy of packets intended for another device. On the Internet, a determined hacker can gain access to e-mail traffic and other data transfers. All of these situations create the potential for unauthorized access to data.

Question 38

Inference:

Answer 38

An example of inference is known as traffic analysis, in which an adversary is able to gain information from observing the pattern of traffic on a network, such as the amount of traffic between particular pairs of hosts on the network. Another example is the inference of detailed information from a database by a user who has only limited access; this is accomplished by repeated queries whose combined results enable inference.

Question 39

Intrusion:

Answer 39

An example of intrusion is an adversary gaining unauthorized access to sensitive data by overcoming the system’s access control protections.

Question 40

Deception

Answer 40

is a threat to either system integrity or data integrity. The following types of attacks can result in this threat consequence:

Question 41

Masquerade:

Answer 41

One example of masquerade is an attempt by an unauthorized user to gain access to a system by posing as an authorized user; this could happen if the unauthorized user has learned another user’s logon ID and password. Another example is malicious logic, such as a Trojan horse, that appears to perform a useful or desirable function but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic.

Question 42

Falsification:

Answer 42

This refers to the altering or replacing of valid data or the introduction of false data into a file or database. For example, a student may alter his or her grades on a school database.

Question 43

Repudiation:

Answer 43

In this case, a user either denies sending data or a user denies receiving or possessing the data

Question 44

Disruption

Answer 44

Disruption is a threat to availability or system integrity. The following types of attacks can result in this threat consequence:

Question 45

Corruption:

Answer 45

Corruption: This is an attack on system integrity. Malicious software in this context could operate in such a way that system resources or services function in an unintended manner. Or a user could gain unauthorized access to a system and modify some of its functions. An example of the latter is a user placing backdoor logic in the system to provide subsequent access to a system and its resources by other than the usual procedure.

Question 46

Obstruction:

Answer 46

Obstruction: One way to obstruct system operation is to interfere with communications by disabling communication links or altering communication control information. Another way is to overload the system by placing excess burden on communication traffic or processing resources.

Question 47

Incapacitation:

Answer 47

Incapacitation: This is an attack on system availability. This could occur as a result of physical destruction of or damage to system hardware. More typically, malicious software, such as Trojan horses, viruses, or worms, could operate in such a way as to disable a system or some of its services

Question 48

Usurpation

Answer 48

Usurpation is a threat to system integrity. The following types of attacks can result in this threat consequence:

Question 49

Misappropriation:

Answer 49

Misappropriation: This can include theft of service. An example is a distributed denial of service attack, when malicious software is installed on a number of hosts to be used as platforms to launch traffic at a target host. In this case, the malicious software makes unauthorized use of processor and operating system resources.

Question 50

Misuse:

Answer 50

Misuse: Misuse can occur by means of either malicious logic or a hacker that has gained unauthorized access to a system. In either case, security functions can be disabled or thwarted.

Question 51

Access Control:

Answer 51

Access Control: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Question 52

Awareness and Training:

Answer 52

Awareness and Training: (i) Ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, regulation, and policies related to the security of organizational information systems; and (ii) ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Question 53

Audit and Accountability:

Answer 53

Audit and Accountability: (i) Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Question 54

Certification, Accreditation, and Security Assessments:

Answer 54

Certification, Accreditation, and Security Assessments: (i) Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Question 55

Configuration Management:

Answer 55

Configuration Management: (i) Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.

Question 56

Contingency Planning:

Answer 56

Contingency Planning: Establish, maintain, and implement plans for emergency response, backup operations, and postdisaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Question 57

Identification and Authentication:

Answer 57

Identification and Authentication: Identify information system users, processes acting on behalf of users, or devices, and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Question 58

Incident Response: (

Answer 58

Incident Response: (i) Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user-response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.

Question 59

Maintenance:

Answer 59

Maintenance: (i) Perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Question 60

Media Protection:

Answer 60

Media Protection: (i) Protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.

Question 61

Physical and Environmental Protection:

Answer 61

Physical and Environmental Protection: (i) Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems

Question 62

Planning:

Answer 62

Develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Question 63

Personnel Security:

Answer 63

Personnel Security: (i) Ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

Question 64

Risk Assessment:

Answer 64

Risk Assessment: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

Question 65

Systems and Services Acquisition:

Answer 65

Systems and Services Acquisition: (i) Allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that thirdparty providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

Question 66

System and Communications Protection:

Answer 66

System and Communications Protection: (i) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

Question 67

System and Information Integrity:

Answer 67

System and Information Integrity: (i) Identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.

Question 68

Economy of mechanism

Answer 68

Economy of mechanism means that the design of security measures embodied in both hardware and software should be as simple and small as possible. The motivation for this principle is that relatively simple, small design is easier to test and verify thoroughly. With a complex design, there are many more opportunities for an adversary to discover subtle weaknesses to exploit that may be difficult to spot ahead of time. The more complex the mechanism, the more likely it is to possess exploitable flaws. Simple mechanisms tend to have fewer exploitable flaws and require less maintenance. Furthermore, because configuration management issues are simplified, updating or replacing a simple mechanism becomes a less intensive process. In practice, this is perhaps the most difficult principle to honor. There is a constant demand for new features in both hardware and software, complicating the security design task. The best that can be done is to keep this principle in mind during system design to try to eliminate unnecessary complexity.

Question 69

Fail-safe default

Answer 69

Fail-safe default means that access decisions should be based on permission rather than exclusion. That is, the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. This approach exhibits a better failure mode than the alternative approach, where the default is to permit access. A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, a safe situation that can be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, a failure that may long go unnoticed in normal use. For example, most file access systems work on this principle and virtually all protected services on client/server systems work this way.

Question 70

Complete mediation

Answer 70

Complete mediation means that every access must be checked against the access control mechanism. Systems should not rely on access decisions retrieved from a cache. In a system designed to operate continuously, this principle requires that, if access decisions are remembered for future use, careful consideration be given to how changes in authority are propagated into such local memories. File access systems appear to provide an example of a system that complies with this principle. However, typically, once a user has opened a file, no check is made to see of permissions change. To fully implement complete mediation, every time a user reads a field or record in a file, or a data item in a database, the system must exercise access control. This resource-intensive approach is rarely used.

Question 71

Open design

Answer 71

Open design means that the design of a security mechanism should be open rather than secret. For example, although encryption keys must be secret, encryption algorithms should be open to public scrutiny. The algorithms can then be reviewed by many experts, and users can therefore have high confidence in them. This is the philosophy behind the National Institute of Standards and Technology (NIST) program of standardizing encryption and hash algorithms, and has led to the widespread adoption of NIST-approved algorithms

Question 72

Separation of privilege

Answer 72

Separation of privilege is defined in [SALT75] as a practice in which multiple privilege attributes are required to achieve access to a restricted resource. A good example of this is multifactor user authentication, which requires the use of multiple techniques, such as a password and a smart card, to authorize a user. The term is also now applied to any technique in which a program is divided into parts that are limited to the specific privileges they require in order to perform a specific task. This is used to mitigate the potential damage of a computer security attack. One example of this latter interpretation of the principle is removing high privilege operations to another process and running that process with the higher privileges required to perform its tasks. Day-to-day interfaces are executed in a lower privileged process.

Question 73

Least privilege

Answer 73

Least privilege means that every process and every user of the system should operate using the least set of privileges necessary to perform the task. A good example of the use of this principle is role-based access control, described in Chapter 4. The system security policy can identify and define the various roles of users or processes. Each role is assigned only those permissions needed to perform its functions. Each permission specifies a permitted access to a particular resource (such as read and write access to a specified file or directory, and connect access to a given host and port). Unless permission is granted explicitly, the user or process should not be able to access the protected resource. More generally, any access control system should allow each user only the privileges that are authorized for that user. There is also a temporal aspect to the least privilege principle. For example, system programs or administrators who have special privileges should have those privileges only when necessary; when they are doing ordinary activities the privileges should be withdrawn. Leaving them in place just opens the door to accidents.

Question 74

Least common

Answer 74

Least common mechanism means that the design should minimize the functions shared by different users, providing mutual security. This principle helps reduce the number of unintended communication paths and reduces the amount of hardware and software on which all users depend, thus making it easier to verify if there are any undesirable security implications.

Question 75

Psychological acceptability

Answer 75

Psychological acceptability implies that the security mechanisms should not interfere unduly with the work of users, while at the same time meeting the needs of those who authorize access. If security mechanisms hinder the usability or accessibility of resources, users may opt to turn off those mechanisms. Where possible, security mechanisms should be transparent to the users of the system or at most introduce minimal obstruction. In addition to not being intrusive or burdensome, security procedures must reflect the user’s mental model of protection. If the protection procedures do not make sense to the user or if the user must translate his image of protection into a substantially different protocol, the user is likely to make errors.

Question 76

Isolation

Answer 76

Isolation is a principle that applies in three contexts. First, public access systems should be isolated from critical resources (data, processes, etc.) to prevent disclosure or tampering. In cases where the sensitivity or criticality of the information is high, organizations may want to limit the number of systems on which that data are stored and isolate them, either physically or logically. Physical isolation may include ensuring that no physical connection exists between an organization’s public access information resources and an organization’s critical information. When implementing logical isolation solutions, layers of security services and mechanisms should be established between public systems and secure systems responsible for protecting critical resources. Second, the processes and files of individual users should be isolated from one another except where it is explicitly desired. All modern operating systems provide facilities for such isolation, so that individual users have separate, isolated process space, memory space, and file space, with protections for preventing unauthorized access. And finally, security mechanisms should be isolated in the sense of preventing access to those mechanisms. For example, logical access control may provide a means of isolating cryptographic software from other parts of the host system and for protecting cryptographic software from tampering and the keys from replacement or disclosure

Question 77

Encapsulation

Answer 77

can be viewed as a specific form of isolation based on objectoriented functionality. Protection is provided by encapsulating a collection of procedures and data objects in a domain of its own so that the internal structure of a data object is accessible only to the procedures of the protected subsystem and the procedures may be called only at designated domain entry points.

Question 78

Modularity

Answer 78

Modularity in the context of security refers both to the development of security functions as separate, protected modules and to the use of a modular architecture for mechanism design and implementation. With respect to the use of separate security modules, the design goal here is to provide common security functions and services, such as cryptographic functions, as common modules. For example, numerous protocols and applications make use of cryptographic functions. Rather than implementing such functions in each protocol or application, a more secure design is provided by developing a common cryptographic module that can be invoked by numerous protocols and applications. The design and implementation effort can then focus on the secure design and implementation of a single cryptographic module, including mechanisms to protect the module from tampering. With respect to the use of a modular architecture, each security mechanism should be able to support migration to new technology or upgrade of new features without requiring an entire system redesign. The security design should be modular so that individual parts of the security design can be upgraded without the requirement to modify the entire system

Question 79

Layering

Answer 79

Layering refers to the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems. By using multiple, overlapping protection approaches, the failure or circumvention of any individual protection approach will not leave the system unprotected. We will see throughout this book that a layering approach is often used to provide multiple barriers between an adversary and protected information or services. This technique is often referred to as defense in depth.

Question 80

Least astonishment

Answer 80

Least astonishment means that a program or user interface should always respond in the way that is least likely to astonish the user. For example, the mechanism for authorization should be transparent enough to a user that the user has a good intuitive understanding of how the security goals map to the provided security mechanism.

Question 81

Network attack surface:

Answer 81

Network attack surface: This category refers to vulnerabilities over an enterprise network, wide-area network, or the Internet. Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks.

Question 82

Software attack surface:

Answer 82

Software attack surface: This refers to vulnerabilities in application, utility, or operating system code. A particular focus in this category is Web server software.

Question 83

Human attack surface:

Answer 83

Human attack surface: This category refers to vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders.

Question 84

Attack Trees

Answer 84

An attack tree is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities

Question 85

User terminal and user (UT/U):

Answer 85

User terminal and user (UT/U): These attacks target the user equipment, including the tokens that may be involved, such as smartcards or other password generators, as well as the actions of the user.

Question 86

Communications channel (CC):

Answer 86

Communications channel (CC): This type of attack focuses on communication links.

Question 87

Internet banking server (IBS):

Answer 87

Internet banking server (IBS): These types of attacks are offline attack against the servers that host the Internet banking application

Question 88

User credential compromise:

Answer 88

User credential compromise: This strategy can be used against many elements of the attack surface. There are procedural attacks, such as monitoring a user’s action to observe a PIN or other credential, or theft of the user’s token or handwritten notes. An adversary may also compromise token information using a variety of token attack tools, such as hacking the smartcard or using a brute force approach to guess the PIN. Another possible strategy is to embed malicious software to compromise the user’s login and password. An adversary may also attempt to obtain credential information via the communication channel (sniffing). Finally, an adversary may use various means to engage in communication with the target user,

Question 89

Injection of commands:

Answer 89

Injection of commands: In this type of attack, the attacker is able to intercept communication between the UT and the IBS. Various schemes can be used to be able to impersonate the valid user and so gain access to the banking system.

Question 90

User credential guessing:

Answer 90

User credential guessing: It is reported in [HILT06] that brute force attacks against some banking authentication schemes are feasible by sending random usernames and passwords. The attack mechanism is based on distributed zombie personal computers, hosting automated programs for username- or password-based calculation.

Question 91

Security policy violation:

Answer 91

Security policy violation: For example, violating the bank’s security policy in combination with weak access control and logging mechanisms, an employee may cause an internal security incident and expose a customer’s account.

Question 92

Use of known authenticated session:

Answer 92

Use of known authenticated session: This type of attack persuades or forces the user to connect to the IBS with a preset session ID. Once the user authenticates to the server, the attacker may utilize the known session ID to send packets to the IBS, spoofing the user’s identity

Question 93

Specification/policy:

Answer 93

What is the security scheme supposed to do?

Question 94

Implementation/mechanisms:

Answer 94

Implementation/mechanisms: How does it do it?

Question 95

Correctness/assurance:

Answer 95

Correctness/assurance: Does it really work?

Question 96

Ease of use versus security:

Answer 96

Ease of use versus security: Virtually all security measures involve some penalty in the area of ease of use. The following are some examples. Access control mechanisms require users to remember passwords and perhaps perform other access control actions. Firewalls and other network security measures may reduce available transmission capacity or slow response time. Virus-checking software reduces available processing power and introduces the possibility of system crashes or malfunctions due to improper interaction between the security software and the operating system.

Question 97

Cost of security versus cost of failure and recovery:

Answer 97

Cost of security versus cost of failure and recovery: In addition to ease of use and performance costs, there are direct monetary costs in implementing and maintaining security measures. All of these costs must be balanced against the cost of security failure and recovery if certain security measures are lacking. The cost of security failure and recovery must take into account not only the value of the assets being protected and the damages resulting from a security violation, but also the risk, which is the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. Security policy is thus a business decision, possibly influenced by legal requirements.

Question 98

Security implementation involves four complementary courses of action:

Prevention:

Answer 98

Prevention: An ideal security scheme is one in which no attack is successful. Although this is not practical in all cases, there is a wide range of threats in which prevention is a reasonable goal. For example, consider the transmission of encrypted data. If a secure encryption algorithm is used, and if measures are in place to prevent unauthorized access to encryption keys, then attacks on confidentiality of the transmitted data will be prevented.

Question 99

ecurity implementation involves four complementary courses of action:

Detection:

Answer 99

Detection: In a number of cases, absolute protection is not feasible, but it is practical to detect security attacks. For example, there are intrusion detection systems designed to detect the presence of unauthorized individuals logged onto a system. Another example is detection of a denial of service attack, in which communications or processing resources are consumed so that they are unavailable to legitimate users.

Question 100

Response:

Answer 100

Response: If security mechanisms detect an ongoing attack, such as a denial of service attack, the system may be able to respond in such a way as to halt the attack and prevent further damage.

Question 101

Recovery:

Answer 101

Recovery: An example of recovery is the use of backup systems, so that if dat

Question 102

The NIST Computer Security Handbook [NIST95] defines _________ as the degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes. This encompasses both system design and system implementation. Thus, assurance deals with the questions, “Does the security system design meet its requirements?” and “Does the security system implementation meet its specifications?”

Answer 102

The NIST Computer Security Handbook [NIST95] defines assurance as the degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes. This encompasses both system design and system implementation. Thus, assurance deals with the questions, “Does the security system design meet its requirements?” and “Does the security system implementation meet its specifications?”

Question 103

__________ is the process of examining a computer product or system with respect to certain criteria. Evaluation involves testing and may also involve formal analytic or mathematical techniques. The central thrust of work in this area is the development of evaluation criteria that can be applied to any security system (encompassing security services and mechanisms) and that are broadly supported for making product comparisons.

Answer 103

Evaluation is the process of examining a computer product or system with respect to certain criteria. Evaluation involves testing and may also involve formal analytic or mathematical techniques. The central thrust of work in this area is the development of evaluation criteria that can be applied to any security system (encompassing security services and mechanisms) and that are broadly supported for making product comparisons.

Question 104

Define computer security

Question 105

What is the difference between passive and active security threats?

Question 106

List and briefly define categories of passive and active network security attacks.

Question 107

List and briefly define the fundamental security design principles

Question 108

Explain the difference between an attack surface and an attack tree.

Question 109

Consider an automated teller machine (ATM) in which users provide a personal identification number (PIN) and a card for account access. Give examples of confidentiality, integrity, and availability requirements associated with the system and, in each case, indicate the degree of importance of the requirement.

Question 110

Consider a desktop publishing system used to produce documents for various organizations.

a. Give an example of a type of publication for which confidentiality of the stored data is the most important requirement.
b. Give an example of a type of publication in which data integrity is the most important requirement.
c. Give an example in which system availability is the most important requirement.

Answer 110

Consider a desktop publishing system used to produce documents for various organizations.

a. Give an example of a type of publication for which confidentiality of the stored data is the most important requirement.
b. Give an example of a type of publication in which data integrity is the most important requirement.
c. Give an example in which system availability is the most important requirement.

Question 111

For each of the following assets, assign a low, moderate, or high impact level for the loss of confidentiality, availability, and integrity, respectively. Justify your answers.

a. An organization managing public information on its Web server.
b. A law enforcement organization managing extremely sensitive investigative information.
c. A financial organization managing routine administrative information (not privacyrelated information).
d. An information system used for large acquisitions in a contracting organization contains both sensitive, pre-solicitation phase contract information and routine administrative information. Assess the impact for the two data sets separately and the information system as a whole.
e. A power plant contains a SCADA (supervisory control and data acquisition) system controlling the distribution of electric power for a large military installation. The SCADA system contains both real-time sensor data and routine administrative information. Assess the impact for the two data sets separately and the information system as a whole

Question 112

Develop an attack tree for gaining access to the contents of a physical safe

Question 113

Consider a company whose operations are housed in two buildings on the same property, one building is headquarters, the other building contains network and computer services. The property is physically protected by a fence around the perimeter. The only entrance to the property is through the fenced perimeter. In addition to the perimeter fence, physical security consists of a guarded front gate. The local networks are split between the Headquarters’ LAN and the Network Services’ LAN. Internet users connect to the Web server through a firewall. Dial-up users get access to a particular server on the Network Services’ LAN. Develop an attack tree in which the root node represents disclosure of proprietary secrets. Include physical, social engineering, and technical attacks. The tree may contain both AND and OR nodes. Develop a tree that has at least 15 leaf nodes.

Question 114

Read all of the classic papers cited in Section 1.7. Compose a 500-1000 word paper (or 8 to 12 slide PowerPoint presentation) that summarizes the key concepts that emerge from these papers, emphasizing concepts that are common to most or all of the papers.