Chapter 1 - Introduction

Question 1

assets

Answer 1

items you value

Question 2

vulnerability

Answer 2

a weakness in the system that might be exploited to cause loss or harm.

Question 3

threat

Answer 3

a set of circumstances that has the potential to cause loss or harm

Question 4

attack

Answer 4

A human who exploits a vulnerability

Question 5

availability:

Answer 5

the ability of a system to ensure that an asset can be used by any authorized parties

Question 6

integrity:

Answer 6

the ability of a system to ensure that an asset is modified only by authorized parties

Question 7

confidentiality:

Answer 7

the ability of a system to ensure that an asset is viewed only by authorized parties

Question 8

authentication:

Answer 8

the ability of a system to confirm the identity of a sender

Question 9

nonrepudiation or accountability

Answer 9

the ability of a system to confirm that a sender cannot convincingly deny having sent something

Question 10

Auditability

Answer 10

ability of a system to trace all actions related to a given asset.

Question 11

subject

Answer 11

the person, process, or program

Question 12

object

Answer 12

the data item

Question 13

access mode

Answer 13

the kind of access (such as read, write,

or execute)

Question 14

the authorization

Answer 14

policy

Question 15

Nonmalicious

Answer 15

someone’s accidentally spilling a soft drink on a laptop, unintentionally deleting text, inadvertently sending an email message to the wrong person, and carelessly typing “12” instead of “21” when entering a phone number or clicking “yes” instead of “no” to overwrite a file.

Question 16

malicious, human-caused harm

Answer 16

person actually wants to cause harm, and so we often use the term attack

Question 17

random attack

Answer 17

the attacker wants to harm any computer or user;

Question 18

directed attack

Answer 18

the attacker intends harm to specific computers, perhaps at one organization or belonging to a specific
individual

Question 19

advanced persistent threat

Answer 19

attacks come from organized, well financed, patient
assailants. Often affiliated with governments or quasi-governmental groups, these attackers engage in long term campaigns. They carefully select their targets, crafting attacks that appeal to specifically those targets; email messages called spear phishing are intended to seduce their recipients.

Question 20

harm

Answer 20

The negative consequence of an actualized threat

Question 21

risk management

Answer 21

Involves choosing which threats to control and what

resources to devote to protection.

Question 22

residual risk.

Answer 22

The risk that remains uncovered by controls

Question 23

impact

Answer 23

the amount of damage it can cause

Question 24

likelihood

Answer 24

threat is not just one that someone might want to pull off but rather one that could actually occur.

Question 25

feasibility

Answer 25

Is it even possible to accomplish the attack?

Question 26

method

Answer 26

the skills, knowledge, tools, and other things with which to perpetrate the attack.

Question 27

script kiddie

Answer 27

describes someone who downloads a complete attack code package and needs only to enter a few details to identify the target and let the script perform the attack.

Question 28

Opportunity

Answer 28

the time and access to execute an attack

Question 29

motive

Answer 29

reason to want to attack.

Question 30

“attractive targets,”

Answer 30

very appealing to attackers

Question 31

attack surface

Answer 31

the system’s full set of vulnerabilities—actual and

potential.

Question 32

control or countermeasure

Answer 32

a means to counter threats

Question 33

Physical controls

Answer 33

stop or block an attack by using something tangible

Question 34

Procedural or administrative controls

Answer 34

use a command or agreement that requires or advises people how to act

Question 35

Technical controls

Answer 35

counter threats with technology (hardware or software),

Question 36

overlapping controls or defense in depth:

Answer 36

more than one control or more than one class of control to achieve protection.