Computer Security Overview

Question 1

C.I.A. Triad

Answer 1

Confidentiality, Integrity, & Availability

Question 2

preventing unauthorized disclosure of information

Answer 2

Data Confidentiality

Question 3

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Answer 3

Computer Security

Question 4

preventing unauthorized collection of personal information

Answer 4

Privacy

Question 5

preventing unauthorized changes to data and programs

Answer 5

Data integrity

Question 6

Two types of Confidentiality

Answer 6

Data & Privacy

Question 7

Two types of Integrity

Answer 7

Data & System

Question 8

ensuring that the system can perform as intended

Answer 8

System integrity

Question 9

Ensuring that systems work promptly and service is not denied to authorized users

Answer 9

Availability

Question 10

Encryption, Access Control, Authentication, Authorization, and Physical Security are methods for achieving what?

Answer 10

Confidentiality

Question 11

transforming the information so it is useful only to the intended recipient or user

Answer 11

Encryption

Question 12

rules and policies that limit access to private information

Answer 12

Access Control

Question 13

determining who the user is (e.g., password, token, fingerprint)

Answer 13

Authentication

Question 14

determining the level of access (per access control policies)

Answer 14

Authorization

Question 15

for example, placing sensitive data in a closed room with no communication links, so one would need to be in the room to access the data

Answer 15

Physical Security

Question 16

Backups, checksums, and Data correcting codes are methods for achieving what?

Answer 16

Integrity

Question 17

periodic archiving, to support restoration.

Answer 17

Backups

Question 18

computing a numerical value based on the contents of an entire file, to support the detection of alterations

Answer 18

Checksums

Question 19

low-level codes for automatically correcting errors, such as for retransmitting packets when communicating.

Answer 19

Data correcting codes

Question 20

Physical protections and Computational redundancies are methods for achieving what?

Answer 20

Availability

Question 21

Backup power supplies and redundant disk storage help achieve what?

Answer 21

Availability

Question 22

infrastructure meant to keep information available even in the event of physical challenges

Answer 22

Physical protections

Question 23

computers and storage devices that serve as fallbacks in the case of failures

Answer 23

Computational redundancies

Question 24

the property of being genuine and being able to be verified and trusted
i.e., that users are who they say they are, and each input arriving at the
system is from a trusted source

Answer 24

Authenticity

Question 25

The primary tool of ___ is digital signatures, to support nonrepudiation

Answer 25

Authenticity

Question 26

the property that actions of an entity (person, system) be uniquely traced to that entity
i.e., to trace a security breach to a responsible party

Answer 26

Accountability

Question 27

activity logs to support nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action and legal action is an example of…

Answer 27

Accountability

Question 28

security breach loss could be expected to have a limited adverse effect on organization operations, assets, or individuals

Answer 28

Low impact

Question 29

security breach loss could be expected to have a serious adverse effect on organization operations, assets, or individuals

Answer 29

Moderate impact

Question 30

security breach loss could be expected to have a severe or catastrophic adverse effect on organization operations, assets, or individuals

Answer 30

High impact

Question 31

Truly ___systems are not yet achievable

Answer 31

secure

Question 32

___ need to find only a single weakness, but ___ must find all weaknesses

Answer 32

Attackers, developers

Question 33

Users and system managers tend not to see the benefits of ___ until a failure occurs

Answer 33

security

Question 34

___ is often considered as an add-on after the system is fully designed

Answer 34

Security

Question 35

Often considered as an impediment to efficient and user-friendly operation

Answer 35

security

Question 36

An entity that attacks, or is a threat to, a system

Answer 36

Adversary (threat agent)

Question 37

An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

Answer 37

Attack

Question 38

An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken

Answer 38

Countermeasure

Question 39

An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a prticular harmful result.

Answer 39

Risk

Question 40

A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources

Answer 40

Security Policy

Question 41

Data contained in an information system; or a service provided by a system; or a system capability, such as processing power or communication bandwidth; or an item of system equipment (i.e., a system component–hardware, firmware, software, or documentation); or a facility that houses system opertations and equipment.

Answer 41

System Resource (Asset)

Question 42

A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a ___ is a possible danger that might exploit a vulnerability.

Answer 42

Threat

Question 43

A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.

Answer 43

Vulnerability

Question 44

Hardware, Software, Data, and Communication facilities and networks

Answer 44

Assets of a Computer System

Question 45

computer systems, other data processing, data storage, and data communications devices

Answer 45

Hardware

Question 46

operating system, system utilities, applications

Answer 46

software

Question 47

files, databases, security-related data (e.g. password files)

Answer 47

data

Question 48

LAN and WAN links, bridges, routers, etc.

Answer 48

Communication facilities and networks

Question 49

a weakness that can be exploited by an attack

Answer 49

Vulnerability

Question 50

Corrupted (loss of integrity), Leaky (loss of confidentiality), Unavailable or very slow (loss of availability). These are catagories of…

Answer 50

vulnerabilities

Question 51

something or someone that is capable of exploiting a vulnerability; represents a potential security harm to a system resource

Answer 51

threat

Question 52

a threat that is carried out by some action by a threat agent; if successful, results in a violation of the system’s security policy

Answer 52

attack

Question 53

Active, Passive, inside, and outside are types of…

Answer 53

attacks

Question 54

attempt to alter system resources or affect their operation

Answer 54

active attack

Question 55

attempt to learn or make use of information from the system without affecting system resources

Answer 55

passive attack

Question 56

initiated by an entity (“insider”) inside the security perimeter

Answer 56

inside attack

Question 57

initiated from the outside, by an unauthorized or illegitimate user (“outsider”) of the system.

Answer 57

Outside attack

Question 58

any means to prevent, detect, or recover from a security attack

Answer 58

Countermeasure

Question 59

Despite countermeasures, residual ___ may remain

Answer 59

vulnerabilities

Question 60

Countermeasures can themselves introduce new…

Answer 60

vulnerabilities

Question 61

The goal of ___ is to minimize the residual level of risk to the assets

Answer 61

countermeasures

Question 62

access control, identification and authentication, system and communication protection, and system and information integrity. These are examples of functional security requirements that primarily involve ___ measures.

Answer 62

technical

Question 63

awareness and training; audit and accountability; certification, accreditation, and security assessments; contingency planning; maintenance; physical and environmental protection; planning; personnel security; risk assessment; and systems and services acquisition.
These are examples of functional security requirements that primarily involve ___ controls and procedures .

Answer 63

management

Question 64

Most functional security requirements most are either primarily ___ or have some ___ component (same word)

Answer 64

management

Question 65

i.e., keep it simple

Answer 65

economy of mechanism

Question 66

e.g., default is lack of access

Answer 66

fail-safe defaults

Question 67

i.e., do not rely on cached answers to grant access

Answer 67

complete mediation

Question 68

i.e., publish encryption algorithms, but keep keys secret

Answer 68

open design

Question 69

e.g., multifactor user authentication

Answer 69

separation of privilege

Question 70

every process/user should have least ___ to perform task

Answer 70

privilege

Question 71

i.e., separate user functions as much as possible

Answer 71

least common mechanism

Question 72

i.e., security should intrude minimally with user work

Answer 72

psychological acceptability

Question 73

i.e., separate systems/processes/files as much as possible

Answer 73

isolation

Question 74

i.e., object-oriented concept for protecting data

Answer 74

encapsulation

Question 75

i.e., use a modular architecture, to facilitate upgrades/maintenance

Answer 75

modularity

Question 76

i.e., provide multiple levels of security

Answer 76

layering

Question 77

i.e., programs and UIs should respond in understandable ways

Answer 77

least astonishment

Question 78

___ are the reachable and exploitable vulnerabilities in a system

Answer 78

Attack surfaces

Question 79

a hierarchical data structure; represents iterative refinement of the steps an attacker could take to achieve a particular security breach

Answer 79

attack tree

Question 80

An overall strategy for providing ___ often consists of policy, implementation, assurance, and evaluation.

Answer 80

computer security

Question 81

typically, a formal statement of rules and practices specifying how a system or organization provides security services to protect system assets

Answer 81

Security policy

Question 82

covers the measures for prevention, detection, response, and recovery

Answer 82

Security implementation

Question 83

covers analysis determining the “degree of confidence” that the system’s security measures will work as intended

Answer 83

Assurance

Question 84

examining a computer product or system with respect to formal criteria; can include testing and/or formal mathematical analysis. e.g., analysis and testing of a new encryption algorithm

Answer 84

Evaluation

Question 85

the assurance that someone cannot deny the validity of something.

Answer 85

Non-Repudiation