Concepts Pt.2 Flashcards
A security design principle that states that every time a subject requests access to an object, the request needs to be checked to ensure that the subject has the authority to access the object.
- Least privilege
- Separation of duties
- Complete mediation
- Defense-in-Depth
Complete mediation
A security design principle that ensures that no single point of complete compromise exists by implementing multiple layers of risk mitigation controls. Also known as layered defense.
- Least privilege
- Separation of duties
- Complete mediation
- Defense-in-Depth
Defense-in-Depth
A security design principle that states that when the software is architected, the mechanisms that are common (shared) between two different users or processes must be minimized.
- Least common mechanism
- Economy of mechanism
- Least privilege
- Separation of duties
Least common mechanism
A security design principle that ensures that no one person or process can complete an operation in its entirety. It is also referred to as the compartmentalization principle.
- Separation of duties
- Defense-in-Depth
- Leveraging existing components
- Complete mediation
Separation of duties
The willingness of users to accept a particular control.
- Accountability
- Psychological acceptability
- Separation of duties
- Leveraging existing components
Psychological acceptability
A security design principle that states that the likelihood of vulnerabilities increases with the complexity of the software design.
- Least common mechanism
- Separation of duties
- Complete mediation
- Economy of mechanism
Economy of mechanism
A security design principle that ensures that the attack surface is not increased and no new vulnerabilities are introduced, because existing, already vetted components of code/functionality are reused (leveraged) when architecting software.
- Defense-in-Depth
- Leveraging existing components
- Separation of duties
- Least privilege
Leveraging existing components
A security design principle that ensures that when the software fails, the confidentiality, integrity, and availability of the software are still maintained, along with rapid recovery. Also known as Fail Secure.
- Open design
- Auditing
- Least privilege
- Fail safe
Fail safe
A security design principle that states that the security of the software/system should not be a secret, but be open for review.
- Authentication
- Complete mediation
- Open design
- Confidentiality
Open design
A security design principle in which a user or process is explicitly given only the necessary and minimum level of access rights (privileges) for a specified amount of time, in order to complete an operation.
- Least privilege
- Defense-in-Depth
- Complete mediation
- Non-repudiation
Least privilege
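The three cards above on complete mediation, fail safe and least privilege describe behaviour that is easiest to see in code. The following is an added example written for this deck, not code from any source the cards are based on: a toy reference monitor in Python. All names (PolicyStore, ReferenceMonitor, MediatedFile, CachedHandle) and the sample grants are invented for illustration. It shows (1) complete mediation: a file object that re-asks the monitor on every read, beside a handle that checks only once at open time so a later revocation never takes effect; (2) fail safe: a policy backend that throws yields a deny, never an implicit allow; (3) least privilege: grants name only the permitted actions and lapse after a fixed time.

```python
"""Added example (not part of the flashcard deck): a toy reference monitor
showing complete mediation, fail-safe defaults and time-boxed least privilege.
All class names and sample subjects/objects here are invented."""


class PolicyStore:
    """Grants keyed by (subject, object): permitted actions plus an expiry time."""

    def __init__(self):
        self._grants = {}

    def grant(self, subject, obj, actions, granted_at, ttl):
        # Least privilege: only the listed actions, only until granted_at + ttl.
        self._grants[(subject, obj)] = (frozenset(actions), granted_at + ttl)

    def revoke(self, subject, obj):
        self._grants.pop((subject, obj), None)

    def lookup(self, subject, obj):
        return self._grants.get((subject, obj))


class BrokenPolicyStore(PolicyStore):
    """Models a policy backend that is unreachable or corrupt."""

    def lookup(self, subject, obj):
        raise RuntimeError("policy backend unavailable")


class ReferenceMonitor:
    def __init__(self, store):
        self.store = store

    def check(self, subject, obj, action, now):
        """Decide one request. Fail safe: any error during evaluation is a deny."""
        try:
            entry = self.store.lookup(subject, obj)
            if entry is None:
                return False
            actions, expires_at = entry
            if now >= expires_at:  # the time-boxed grant has lapsed
                return False
            return action in actions
        except Exception:
            return False


class MediatedFile:
    """Complete mediation: every read goes back to the monitor."""

    def __init__(self, monitor, name, content):
        self.monitor, self.name, self.content = monitor, name, content

    def read(self, subject, now):
        if not self.monitor.check(subject, self.name, "read", now):
            raise PermissionError(f"{subject} may not read {self.name}")
        return self.content


class CachedHandle:
    """Counter-example: checks once at open(), then trusts the handle forever."""

    def __init__(self, monitor, name, content):
        self.monitor, self.name, self.content = monitor, name, content
        self._opened_by = None

    def open(self, subject, now):
        if not self.monitor.check(subject, self.name, "read", now):
            raise PermissionError(f"{subject} may not open {self.name}")
        self._opened_by = subject

    def read(self, subject, now):
        if subject != self._opened_by:
            raise PermissionError("handle not opened by this subject")
        return self.content  # no re-check: revocation after open() is ignored


def scenario():
    """Run the situations above and report what each access path decided."""
    store = PolicyStore()
    monitor = ReferenceMonitor(store)
    secret = "payroll.csv"  # constructed object name
    store.grant("alice", secret, {"read"}, granted_at=100, ttl=60)

    mediated = MediatedFile(monitor, secret, "salaries...")
    cached = CachedHandle(monitor, secret, "salaries...")
    cached.open("alice", now=110)

    results = {"before_revoke": mediated.read("alice", now=110)}
    store.revoke("alice", secret)
    results["cached_after_revoke"] = cached.read("alice", now=120)
    try:
        mediated.read("alice", now=120)
        results["mediated_after_revoke"] = "allowed"
    except PermissionError:
        results["mediated_after_revoke"] = "denied"

    # Least privilege: a grant lapses on its own, and an action outside the
    # granted set is refused even while the grant is live.
    store.grant("alice", secret, {"read"}, granted_at=200, ttl=60)
    results["expired_grant"] = monitor.check("alice", secret, "read", now=261)
    results["action_not_granted"] = monitor.check("alice", secret, "write", now=210)

    # Fail safe: a broken backend denies rather than allows.
    broken = ReferenceMonitor(BrokenPolicyStore())
    results["broken_backend"] = broken.check("alice", secret, "read", now=210)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The interesting line is `cached_after_revoke`: the cached handle still returns the contents after the grant was revoked, which is exactly the gap complete mediation closes. In a real system the equivalent of `CachedHandle` is any long-lived session, token or file descriptor whose authorization is not re-evaluated against current policy.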
Which of the following is an acceptable approach to risk treatment or response?
- Accept risk
- Report on risk
- Measure risk
- Ignore risk
Accept risk
What is an advantage of economy of mechanism?
- To demonstrate an active security program
- To save money on IT investment
- To avoid complexity in a system’s design
- To ensure layers of defense and protection
To avoid complexity in a system’s design
What does psychological acceptability refer to?
- Management’s reluctance to enforce security policy
- The lack of privacy associated with biometrics
- The inability of IT to measure security effectiveness
- The problem that users will resist security they feel is unnecessary
The problem that users will resist security they feel is unnecessary
What technique is used to restrict the amount of data in a customer record that is visible to a user of an application that accesses a database?
- Single sign-on
- View-based controls
- Input validation
- Strong passwords
View-based controls
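The view-based control from the card above, as an added example that is not part of the original deck, using Python's standard sqlite3 module. It assumes a customer table with sensitive columns (ssn, full card number, balance) and a support role that should see only name, e-mail and a masked card number. The table, the rows and the view name `customer_support_view` are constructed for this example. In a production RDBMS the role would simply be granted SELECT on the view and nothing on the base table; SQLite has no GRANT, so that restriction is modelled here with a connection authorizer that refuses direct reads of the base table while still allowing the view to read it on the role's behalf.

```python
"""Added example (not part of the flashcard deck): view-based control over a
customer record with sqlite3. Table, rows and view name are constructed."""
import sqlite3

VIEW = "customer_support_view"  # assumed view name

# Constructed sample rows, not real people or card numbers.
CUSTOMERS = [
    (1, "Ada Byron", "ada@example.com", "078-05-1120", "4111111111111111", 1250.00),
    (2, "Grace Hopper", "grace@example.com", "219-09-9999", "5500000000000004", 90.10),
]


def build_database():
    """Create the full table (the data owner's view) and the restricted view."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE customers (
        id INTEGER PRIMARY KEY, name TEXT, email TEXT,
        ssn TEXT, card_number TEXT, balance REAL)""")
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?)", CUSTOMERS)
    # The view is the control: it exposes only the columns a support agent
    # needs and masks the card number instead of exposing it.
    conn.execute(f"""CREATE VIEW {VIEW} AS
        SELECT id, name, email,
               '**** **** **** ' || substr(card_number, -4) AS card_masked
        FROM customers""")
    conn.commit()
    return conn


def _support_role_authorizer(action, table, column, db_name, source):
    """Stand-in for GRANT/REVOKE: deny any read of the base table that is not
    issued by the view itself. `source` is the innermost view or trigger
    responsible for the read, or None for top-level SQL."""
    if action == sqlite3.SQLITE_READ and table == "customers" and source != VIEW:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def as_support_role(conn):
    """Attach the support role's restrictions to this connection."""
    conn.set_authorizer(_support_role_authorizer)
    conn.row_factory = sqlite3.Row
    return conn


def support_lookup(conn, customer_id):
    """What the application exposes to a support agent."""
    row = conn.execute(f"SELECT * FROM {VIEW} WHERE id = ?", (customer_id,)).fetchone()
    return dict(row) if row else None


def try_direct_read(conn, customer_id):
    """What happens if the support role bypasses the view."""
    try:
        conn.execute("SELECT ssn FROM customers WHERE id = ?", (customer_id,)).fetchone()
        return "allowed"
    except sqlite3.DatabaseError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    db = as_support_role(build_database())
    print(support_lookup(db, 1))
    print(try_direct_read(db, 1))
```

The point of the view is that the restriction lives in the database, not in application code that remembers to leave out a column: every query the support role can run goes through the view, and the `ssn` and `balance` columns are not reachable from it at all. Adding a `WHERE` clause to the view (for example, only customers assigned to the agent's region) turns the same mechanism into a row-level control.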
What is the primary purpose of Information System’s controls?
- To demonstrate due care and due diligence
- To support and protect the business mission
- To avoid unnecessary expense or liability
- To ensure that attacks will not be successful
To support and protect the business mission