Definitions & Tools Flashcards
Asset (System Resource)
- Data in an information system
- Service provided by a system
- System capability (e.g., processing power, bandwidth, etc.)
- Component of a system (hardware, software, etc.)
Vulnerability
Flaw/weakness in a system’s design, implementation, functionality, or management
Threat
Possible danger that might exploit a vulnerability
Risk
An expected loss (usually, in terms of probability) that a threat will exploit a particular vulnerability with a specific harmful result
Total Risk = threat × vulnerabilities × asset
Adversary (Threat Agent)
An entity that attacks or is a threat to a system
Attack
An assault on the security of a system. A deliberate attempt (in terms of method or technique) to evade security or a security policy. A threat that has been carried out and that causes a violation of security when successful
Attack Vector
A path or means (method) by which an attacker can launch an attack against the target system
Attack Surface
- The sum (collection) of all publicly and privately exposed system elements/connection points of the system
- Minimizing attack surface is a basic security measure
Attack Categories
Active, Passive, Insider, Outsider
Threat Consequence (1)
Unauthorized Disclosure
Exposure
Sensitive data directly released to unauthorized entity
Interception
Unauthorized entity directly accesses sensitive data while it is in transit between authorized end points
Inference
Unauthorized entity indirectly accesses sensitive data through reasoning or from by-products of communication
Intrusion
Unauthorized entity gains access by circumventing the system’s security protections
Threat Consequence (2)
Deception and usurpation, both of which are threats to data/system integrity
Threat Action (attack)
Masquerade, falsification, repudiation, misappropriation, misuse
Threats & consequences of attacks (3)
Disruption (an availability issue); attacks: incapacitation (destruction/damage of the system), obstruction (interference with/blocking of the system)
Security Policy
Set of rules and practices that specifies and regulates the security provisions of a system
Countermeasure
- Action, device, process, technique, tool that reduces a vulnerability or a threat by minimizing the risk
- Detect, deter, or recover from an attack
Encryption
Tool for Confidentiality. The transformation of information using a secret, called an encryption key, so that the transformed information can only be read using another secret, called the decryption key (which may, in some cases, be the same as the encryption key)
Access Control
Rules and policies that limit access to confidential information to those people and/or systems with a “need to know”
Authorization
The determination of whether a person or system is allowed access to resources, based on an access control p
Authentication
The determination of the identity or role that someone has. This determination can be done in a number of different ways, but it is usually based on a combination of one or more attributes: something you know, something you have, something you are.