Chapter 1 Flashcards

1
Q

Data Confidentiality (Confidentiality)

A

Assures that private or confidential information is not made available or disclosed to unauthorized individuals

2
Q

Privacy (Confidentiality)

A

Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed

3
Q

Data integrity (Integrity)

A

Assures that information and programs are changed only in a specified and authorized manner

4
Q

System integrity (Integrity)

A

Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system

5
Q

Availability

A

Assures that systems work promptly and service is not denied to authorized users

6
Q

Authenticity

A

The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

7
Q

Accountability

A

The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Because truly secure systems are not yet an achievable goal, we must be able to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes

8
Q

Adversary (threat agent)

A

An entity that attacks, or is a threat to, a system.

9
Q

Attack

A

An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system

10
Q

Countermeasure

A

An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken

11
Q

Risk

A

An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.

12
Q

Security Policy

A

A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources

13
Q

System Resource (Asset)

A

Data contained in an information system; or a service provided by a system; or a system capability, such as processing power or communication bandwidth; or an item of system equipment (i.e., a system component - hardware, firmware, software, or documentation); or a facility that houses system operations and equipment.

14
Q

Threat

A

A potential for violation of security, which exists when there is a circumstance, capability, action, or event, that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.

15
Q

Vulnerability

A

A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy

16
Q

Unauthorized Disclosure

A

A circumstance or event whereby an entity gains access to data for which the entity is not authorized

17
Q

Exposure (Unauthorized Disclosure)

A

Sensitive data are directly released to an unauthorized entity

18
Q

Interception (Unauthorized Disclosure)

A

An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations

19
Q

Inference (Unauthorized Disclosure)

A

A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or by-products of communications

20
Q

Intrusion (Unauthorized Disclosure)

A

An unauthorized entity gains access to sensitive data by circumventing a system’s security protections.

21
Q

Deception

A

A circumstance or event that may result in an authorized entity receiving false data and believing it to be true

22
Q

Masquerade (Deception)

A

An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.

23
Q

Falsification (Deception)

A

False data deceive an authorized entity.

24
Q

Repudiation (Deception)

A

An entity deceives another by falsely denying responsibility for an act.

25
Q

Disruption

A

A circumstance or event that interrupts or prevents the correct operation of system services and functions

26
Q

Incapacitation (Disruption)

A

Prevents or interrupts system operation by disabling a system component

27
Q

Corruption (Disruption)

A

Undesirably alters system operation by adversely modifying system functions or data

28
Q

Obstruction (Disruption)

A

A threat action that interrupts delivery of system services by hindering system operation.

29
Q

Usurpation

A

A circumstance or event that results in control of system services or functions by an unauthorized entity

30
Q

Misappropriation (Usurpation)

A

An entity assumes unauthorized logical or physical control of a system resource

31
Q

Misuse (Usurpation)

A

Causes a system component to perform a function or service that is detrimental to system security.

32
Q

Major threat to computer system hardware

A

threat to availability

33
Q

Key threat to software

A

attack on availability

34
Q

Passive attacks

A

attempts to learn or make use of information from the system but does not affect system resources

35
Q

2 types of passive attacks

A

release of message contents and traffic analysis

36
Q

Active attacks

A

involve some modification of the data stream or the creation of a false stream and can be subdivided into 4 categories:
replay, masquerade, modification of messages, and denial of service

37
Q

replay

A

involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect

38
Q

Economy of mechanism (fundamental security design principle)

A

the design of security measures embodied in both hardware and software should be as simple and small as possible.

39
Q

Fail-safe default (fundamental security design principle)

A

access decisions should be based on permission rather than exclusion

40
Q

Complete mediation (fundamental security design principle)

A

every access must be checked against the access control mechanism

41
Q

Open design (fundamental security design principle)

A

The design of a security mechanism should be open rather than secret

42
Q

Separation of privilege (fundamental security design principle)

A

a practice in which multiple privilege attributes are required to achieve access to a restricted resource

43
Q

Least privilege (fundamental security design principle)

A

Every process and every user of the system should operate using the least set of privileges necessary to perform the task

44
Q

Least common mechanism (fundamental security design principle)

A

the design should minimize the functions shared by different users, providing mutual security

45
Q

Psychological acceptability (fundamental security design principle)

A

the security mechanisms should not interfere unduly with the work of users, while at the same time meeting the needs of those who authorize access

46
Q

Isolation (fundamental security design principle)

A

a principle that applies in three contexts.

  1. Public access systems should be isolated from critical resources (data, processes, etc.) to prevent disclosure or tampering
  2. The processes and files of individual users should be isolated from one another except where it is explicitly desired
  3. Security mechanisms should be isolated in the sense of preventing access to those mechanisms

47
Q

Encapsulation (fundamental security design principle)

A

a specific form of isolation based on object oriented functionality

48
Q

Modularity (fundamental security design principle)

A

refers both to the development of security functions as separate, protected modules and to the use of a modular architecture for mechanism design and implementation

49
Q

Layering (fundamental security design principle)

A

refers to the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems.

50
Q

Least astonishment (fundamental security design principle)

A

a program or user interface should always respond in the way that is least likely to astonish the user

51
Q

Attack Surface

A

Consists of the reachable and exploitable vulnerabilities in a system

52
Q

Network attack surface

A

Refers to vulnerabilities over an enterprise network, wide-area network, or the Internet. Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks.

53
Q

Software attack surface

A

Refers to vulnerabilities in application, utility, or operating system code. A particular focus in this category is Web server software

54
Q

Human attack surface

A

Refers to vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders.

55
Q

Attack Tree

A

a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities

56
Q

Comprehensive security strategy

A

3 aspects:
Specification/policy: What is the security scheme supposed to do?

Implementation/mechanisms: How does it do it?

Correctness/assurance: Does it really work?

57
Q

Security implementation involves 4 complementary courses of action:

A

Prevention, detection, response, recovery