Definitions & Tools Flashcards
Asset (System Resource)
- Data in an information system
- Service provided by a system
- System capability (e.g., processing power, bandwidth, ..)
- Component of a system (hardware, software, ..)
Vulnerability
Flaw/weakness in a system’s design, implementation, functionality, or management
Threat
possible danger that might exploit a vulnerability
Risk
An expected loss (usually, in terms of probability) that a threat will exploit a particular vulnerability with a specific harmful result
Total Risk =
threat x vulnerabilities x asset
Adversary (Threat Agent)
An entity that attacks or is a threat to a system
Attack
An assault on security of a system. A deliberate attempt (in terms of method or technique) to evade security or security policy. A threat that has been carried out and causes violation of security when successful
Attack Vector
a path or means (method) by which an attacker can launch an attack against the target system
Attack Surface
- All (sum/collection) of the public and privately exposed system elements/connection points of the system
- Minimizing attack surface is a basic security measure
Attack Categories
Active, Passive, Insider, Outsider
Threat Consequence (1)
Unauthorized Disclosure
Exposure
Sensitive data directly released to unauthorized entity
Interception
Authorized entity directly access sensitive data while that are in transit between authorized end points
Inference
authorized entity indirectly access sensitive data through reasoning or, as by-products of communication
Intrusion
Authorized entity gains access by circumventing system’s security protections
Threat Consequence (2)
Deception & Usurpation which both are threats to data/system integrity
Threat Action (attack)
masquerade, falsification, repudiation, misappropriation, misuse
Threats & consequences of attacks (3)
disruption (availability issue), attack: incapacitation (destruction/damage of system), obstruction (interference/blocking of system)
Security Policy
Set of rules and practices that specifies and regulates the security provisions of a system
Countermeasure
- Action, device, process, technique, tool that reduces a vulnerability or a threat by minimizing the risk
- Detect, deter, or recover from an attack
Encryption
Tool for Confidentiality. The transformation of information using a secret, called an encryption key, so that the transformed information can only be read using another secret, called the decryption key (which may, in some cases, be the same as the encryption key)
Access Control
rules and policies that limit access to confidential information to those people and/or systems with a “need to know.”
Authorization
The determination if a person or system is allowed access to resources, based on an access control p
Authentication
The determination of the identity or role that someone has. This determination can be done in a number of different ways, but it is usually based on a combination of one or more attributes: Something you know, have, are.
Tools for Integrity:
Backup, Checksums, Data correcting codes
Backups
periodic archiving of data
Checksums
computation of a function that maps the contents of a file to a numerical value. A checksum function depends on the entire contents of a file and is designed in a way that even a small change to the input file (such as flipping a single bit) is highly likely to result in a different output value.
Data Correcting Codes
methods for storing data in such a way that small changes can be easily detected and automatically corrected
Tools for Availability
Physical Protections, Computational Redundancies, Recovery Mechanism
Physical Protections
infrastructure meant to keep information available even in the event of physical challenges.
Computational Redundancies
computers and storage devices that serve as fallbacks in the case of failures.
Recovery Mechanism
restoring service or information back to its usual state with minimal disruption
Digital Signature
Cryptographic computations that allow a person or system to commit to the authenticity of their documents in a unique way that achieves nonrepudiation, which is the property that authentic statements issued by some person or system cannot be denied.
Tools for Anonymity:
Aggregation, Mixing, Proxies, Pseudonyms
Aggregation
combining of data from many individuals so that disclosed sums or averages cannot be tied to any individual.
Mixing
intertwining of transactions, information, or communications in a way that cannot be traced to any individual.
Proxies
trusted agents that are willing to engage in actions for an individual in a way that cannot be traced back to that person.
Pseudonyms
fictional identities that can fill in for real identities in communications and transactions, but are otherwise known only to a trusted entity.