Cybersecurity

Question 1

Confidentiality

Answer 1

data confidentiality + privacy
Data confidentiality: private or confidential information is not made available or
disclosed to unauthorized individuals.
o Privacy : individuals control or influence what information related to them may be
collected and stored and by whom and to whom that information may be
disclosed.

Question 2

Integrity

Answer 2

Data integrity: information and programs are changed only in a specified and
authorized manner.
o System integrity: system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system.

Question 3

Availability

Answer 3

assures that systems work promptly and

service is not denied to authorized users.

Question 4

Levels of Impact

Answer 4

Low, Moderate and HIgh

Question 5

Ccryptography

Answer 5

which leverages hard mathematical problems with “trap door” information

Question 6

Assets of computer

Answer 6

Hardware, software, Data, communication.

Question 7

Adversary (threat)agent

Answer 7

Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.

Question 8

Security Policy

Answer 8

A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to
maintain a condition of security for systems and data.

Question 9

Threat

Answer 9

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or
reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access,
destruction, disclosure, modification of information, and/or denial of service.

Question 10

Vulnerability

Answer 10

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or
triggered by a threat source.

Question 11

Categories of vulnerabilities

Answer 11

• Corrupted (loss of integrity)
• Leaky (loss of confidentiality)
• Unavailable or very slow (loss of availability

Question 12

Types of Attacks

Answer 12

Passive Attack – attempt to learn or make use of information from the
system that does not affect system resources
• Active Attack – attempt to alter system resources or affect their
operation
• Insider Attack – initiated by an entity inside the security parameter
• Outsider Attack – initiated from outside the perimeter

Question 13

Counter measure

Answer 13

• prevent (best option)
o Cryptography, air gap
• detect / respond
o intrusion detection
o turn off services, trace intruder
• recover
o you do make backups, right? Right!?
• residual vulnerabilities
o countermeasures can introduce new vulnerability
o goal is to minimize residuals

Question 14

implications of IT-configured society

Answer 14

o Global many-to-many scope
o Special identity conditions
o Reproducibility

Question 15

Look at 41 slide for chapter 1

Question 16

Risk
management
techniques:

Answer 16

Accept
o Mitigate
o Avoid
o Deflect

Question 17

Fundamental security design principles

Answer 17

page 48

Question 18

Psychological Acceptability

Fail Example

Answer 18

o Hard for humans to remember, easy for computer to brute force
o Password strength requirements (length, complexity, and regular password
changes) perpetuated the problem

Would be better to:
o Passphrases: easier for human to remember, harder for computers to guess

Question 19

Attack Surface

Answer 19

Consist of the reachable and exploitable vulnerabilities in

a system

Question 20

Attack surface categories

Answer 20

Network
Software
Human

Question 21

Attack Tree Idea

Answer 21

branching hierarchical data structure that
represents a set of potential techniques for exploiting
security vulnerabilities.

Question 22

Attack tree whole process

Answer 22

Root node = attacker objective
Intermediate nodes = Subgoals
Leaf node = different ways to initiate attack
Branches = can be labeled with difficult, cost, or other attack attributes

Note = risk = probability * impact

Question 23

Computer security strategy

Answer 23

Security Policy
Security implementation
Assurance
Evaluation