Chapter 3 Flashcards

1
Q

Systems engineering activities intended to deter and/or delay exploitation of critical technologies in a system in order to impede countermeasure development, unintended technology transfer, or alteration of a system.

A

Anti-tamper (AT)

2
Q

A chronological record of system activities, which includes records of system accesses and operations performed in a given period.

A

Audit Log

3
Q

An individual entry in an audit log related to an audited event.

A

Audit Record

4
Q

A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to final result.

A

Audit Trail

5
Q

A record showing who has accessed an information technology (IT) system and what operations the user has performed during a given period.

A

Audit Trail

6
Q

To confirm the identity of an entity when that identity is presented.

A

Authenticate

7
Q

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

A

Authentication

8
Q

A security measure designed to protect a communication system against acceptance of fraudulent transmission or simulation by establishing the validity of a transmission, message, originator, or a means of verifying an individual’s eligibility to receive specific categories of information.

A

Authentication

9
Q

A copy of files and programs made to facilitate recovery, if necessary.

A

Backup

10
Q

A software and/or hardware product that is commercially ready-made and available for sale, lease, or license to the general public.

A

Commercial-off-the-shelf (COTS)

11
Q

Establishment of and charter for a group of qualified people with responsibility for the process of controlling and approving changes throughout the development and operational lifecycle of products and systems; may also be referred to as a change control board.

A

Configuration Control Board

12
Q

An aggregation of information system components that is designated for configuration management and treated as a single entity in the configuration management process.

A

Configuration Item

13
Q

Item or aggregation of hardware, software, or both, which is designated for configuration management and treated as a single entity in the configuration management process.

A

Configuration Item

14
Q

A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.

A

Configuration Management

15
Q

The set of parameters that can be changed in hardware, software, or firmware that affect the security posture and/or functionality of the information system.

A

Configuration Settings

16
Q

Management policy and procedures used to guide an enterprise response to a perceived loss of mission capability.

A

Contingency Plan

17
Q

Information security strategy integrating people, technology, and operation capabilities to establish variable barriers across multiple layers and missions of the organization.

A

Defense-in-depth

18
Q

The cryptographic transformation of data to produce ciphertext.

A

Encryption

19
Q

Communications encryption in which data is encrypted when being passed through a network, but routing information remains visible.

A

End-to-end Encryption

20
Q

Safeguarding information in an information system from point of origin to point of destination.

A

End-to-end Security

21
Q

The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.

A

Least Privilege

22
Q

A determination within the executive branch, in accordance with directives issued pursuant to this order, that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function.

A

Need-to-know

23
Q

Protection against an individual falsely denying having performed a particular action.

A

Non-repudiation

24
Q

Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message.

A

Non-repudiation

25
Q

A security-focused description of an information system, its operational policies, classes of users, interactions between the system and its users, and the system's contribution to the operational mission.

A

Security Concept of Operations

26
Q

A suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans.

A

Security Content Automation Protocol (SCAP)

27
Q

An occurrence (e.g., an auditable event or flag) considered to have potential security implications for the system or its environment that may require further action (such as noting, investigating, or reacting).

A

Security-relevant Event

28
Q

Based on Department of Defense policy and security controls, an implementation guide geared to a specific product and version.

A

Security Technical Implementation Guide (STIG)

29
Q

Contains all requirements that have been flagged as applicable for the product which have been selected on a DoD baseline.

A

Security Technical Implementation Guide (STIG)

30
Q

Always keep the problem and solution spaces separate.

A

Security Engineering Principle to Avoid Inefficiency

31
Q

The problem space is defined by the customer's mission or business needs.

A

Security Engineering Principle to Avoid Inefficiency

32
Q

The systems engineer and information systems security engineer define the solution space, driven by the problem space.

A

Security Engineering Principle to Avoid Inefficiency

33
Q

Review web pages, operational procedures and documents, annual reports, and CONOPS and mission needs statement (MNS).

A

ISSE Methods for Analyzing Organizational and Operational Environments

34
Q

Includes: (i) stakeholder perspective, (ii) system perspective, and (iii) trades perspective.

A

Protection Needs Perspectives

35
Q

Focuses on what is of value to the stakeholder.

A

Stakeholder Perspective

36
Q

Based on those assets that are deemed necessary for the system to execute correctly and securely, to manage its execution, and to provide for its own protection.

A

System Perspective

37
Q

Considers protection need aspects associated with all feasible alternatives, as well as those related to a specific decision.

A

Trades Perspective

38
Q

Specify security capability, performance, effectiveness, and the associated verification and validation measures, and also express constraints on system requirements.

A

Security Requirements

39
Q

Describe the stakeholder-oriented view of desired capability; include operational, protection, safety, and other needs and expectations of stakeholders, including legal, policy, regulatory, statutory, certification, and other constraints for solutions that support the mission or business.

A

Stakeholder Requirements

40
Q

Intended to achieve adequate security and help the system meet the security objectives set forth for the system.

A

Design Constraints

41
Q

Allows the team to move forward in the systems engineering process and continue with requirements; must be validated before the design is finalized.

A

Design Assumption

42
Q

Develop an understanding of the customer's mission or business.

A

Determine System Protection Needs Task

43
Q

Help the customer determine what information management is needed to support the mission or business.

A

Determine System Protection Needs Task

44
Q

Create a model of that information management, with customer concurrence.

A

Determine System Protection Needs Task

45
Q

Document the results as the basis for defining information systems that will satisfy the customer's needs.

A

Determine System Protection Needs Task

46
Q

Contains information types, often aggregated together into information domains; these domains contain the following elements: (i) users or members of the information domain; (ii) rules, privileges, roles, and responsibilities that apply to the users in managing all the information; and (iii) information objects being managed, including processes.

A

Information Management Model (IMM)

47
Q

Formal documents that cover the official plan for testing a system, subsystem, or component.

A

Security Test Plan (STP)

48
Q

References the "objective" or "requirement" to be met, the assessment method, and the "object" to be tested.

A

Security Test Plan (STP)

49
Q

Executed by a security control assessor (SCA), who should be an independent third party.

A

Security Test Plan (STP)

50
Q

Includes: (i) security architecture and design, (ii) security capability and intrinsic behaviors, and (iii) life cycle security.

A

Security Design Principles

51
Q

Application of these principles is intended to permit a demonstration of system trustworthiness through assurance based on reasoning about relevant and credible evidence.

A

Security Design Principles

52
Q

Describes the layers of security mechanisms and security architectures that delay, prevent, or deter attacks against the system.

A

Defense in Depth

53
Q

Involves policies and procedures, training and awareness, physical security, personnel security, system security administration, and facilities countermeasures.

A

People

54
Q

Involves information assurance, architecture framework areas, IA criteria such as security, PKI, acquisition integration of evaluated products, and system risk assessments.

A

Technology

55
Q

Principles are centered around people, technology, and operations.

A

Defense in Depth Principles

56
Q

Involves security policy, assessment and authorization, readiness assessments, security management, key management, attack sensing and warning response, and recovery and reconstitution.

A

Operations

57
Q

Includes: (i) passive, (ii) active, (iii) close-in, (iv) insider, and (v) distribution.

A

Classes of Attacks

58
Q

Include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capture of authentication information.

A

Passive Attack

59
Q

Can give adversaries indications and warnings of impending actions.

A

Passive Attack

60
Q

Can result in disclosure of information or data files to an attacker without the consent or knowledge of the user.

A

Passive Attack

61
Q

Consists of a regular type of individual attaining close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information.

A

Close-in Attack

62
Q

Can be malicious or non-malicious; malicious ones result from intentional acts, and non-malicious ones result from carelessness, lack of knowledge, or intentional circumvention.

A

Insider Attack

63
Q

Focus on the malicious modification of hardware or software at the factory or during distribution.

A

Distribution Attack

64
Q

Include attempts to circumvent or break protection features, introduce malicious code, or steal or modify information.

A

Active Attack

65
Q

The concept that should a system fail, it fails in a safe state (e.g., anti-tamper encryption measures).

A

Fail-safe Default

66
Q

Occurs when a network converges to a single point.

A

Single Point of Failure (SPoF)

67
Q

Tasks include: (i) define the system boundaries and interfaces, (ii) document security allocations to the target system and external systems, and (iii) identify data flows between the target system and external systems and the protection needs associated with those data flows.

A

Define System Security Requirements

68
Q

A high-level diagram in which the boundary of the entire system and the composite protection needs for the target system are reflected.

A

Initial System Security Context Diagram

69
Q

Describes how the system will work, including connectivity and information flows through the systems and remote sites.

A

Security CONOPS

70
Q

Covers all of the functionality, missions, or business needs and addresses the inherent risk in operating the system.

A

Security CONOPS

71
Q

Should be clear, concise, and verifiable.

A

System Security Requirements

72
Q

Allows a better understanding of what the system has to do, the ways in which it can do it, and, to some extent, the priorities and conflicts associated with lower-level functions. It provides information essential to optimizing physical solutions.

A

Functional Analysis and Allocation

73
Q

Includes: (i) functional flow block diagram, (ii) timeline analysis, and (iii) requirements allocation sheet.

A

Functional Analysis Key Tools

74
Q

A systems engineering document that shows the flow of data between functions and the decisions made by the system.

A

Functional Flow Block Diagram

75
Q

Informs the team of the duration of various functions over time.

A

Timeline Analysis Sheet (TLS)

76
Q

Traces functions to the associated detailed specifications; includes: (i) function name, (ii) functional performance and design requirements, and (iii) configuration items.

A

Requirements Allocation Sheet (RAS) / Requirements Matrix

77
Q

Ensure compliance with the security architecture and design constraints, perform trade-off studies, and define system security design elements.

A

Develop System Security Design Components Tasks