Definitions & Tools

Question 1

Asset (System Resource)

Answer 1

• Data in an information system
• Service provided by a system
• System capability (e.g., processing power, bandwidth, ..)
• Component of a system (hardware, software, ..)

Question 2

Vulnerability

Answer 2

Flaw/weakness in a system’s design, implementation, functionality, or management

Question 3

Threat

Answer 3

possible danger that might exploit a vulnerability

Question 4

Risk

Answer 4

An expected loss (usually, in terms of probability) that a threat will exploit a particular vulnerability with a specific harmful result

Question 5

Total Risk =

Answer 5

threat x vulnerabilities x asset

Question 6

Adversary (Threat Agent)

Answer 6

An entity that attacks or is a threat to a system

Question 7

Attack

Answer 7

An assault on security of a system. A deliberate attempt (in terms of method or technique) to evade security or security policy. A threat that has been carried out and causes violation of security when successful

Question 8

Attack Vector

Answer 8

a path or means (method) by which an attacker can launch an attack against the target system

Question 9

Attack Surface

Answer 9

• All (sum/collection) of the public and privately exposed system elements/connection points of the system
• Minimizing attack surface is a basic security measure

Question 10

Attack Categories

Answer 10

Active, Passive, Insider, Outsider

Question 11

Threat Consequence (1)

Answer 11

Unauthorized Disclosure

Question 12

Exposure

Answer 12

Sensitive data directly released to unauthorized entity

Question 13

Interception

Answer 13

Authorized entity directly access sensitive data while that are in transit between authorized end points

Question 14

Inference

Answer 14

authorized entity indirectly access sensitive data through reasoning or, as by-products of communication

Question 15

Intrusion

Answer 15

Authorized entity gains access by circumventing system’s security protections

Question 16

Threat Consequence (2)

Answer 16

Deception & Usurpation which both are threats to data/system integrity

Question 17

Threat Action (attack)

Answer 17

masquerade, falsification, repudiation, misappropriation, misuse

Question 18

Threats & consequences of attacks (3)

Answer 18

disruption (availability issue), attack: incapacitation (destruction/damage of system), obstruction (interference/blocking of system)

Question 19

Security Policy

Answer 19

Set of rules and practices that specifies and regulates the security provisions of a system

Question 20

Countermeasure

Answer 20

• Action, device, process, technique, tool that reduces a vulnerability or a threat by minimizing the risk
• Detect, deter, or recover from an attack

Question 21

Encryption

Answer 21

Tool for Confidentiality. The transformation of information using a secret, called an encryption key, so that the transformed information can only be read using another secret, called the decryption key (which may, in some cases, be the same as the encryption key)

Question 22

Access Control

Answer 22

rules and policies that limit access to confidential information to those people and/or systems with a “need to know.”

Question 23

Authorization

Answer 23

The determination if a person or system is allowed access to resources, based on an access control p

Question 24

Authentication

Answer 24

The determination of the identity or role that someone has. This determination can be done in a number of different ways, but it is usually based on a combination of one or more attributes: Something you know, have, are.

Question 25

Tools for Integrity:

Answer 25

Backup, Checksums, Data correcting codes

Question 26

Backups

Answer 26

periodic archiving of data

Question 27

Checksums

Answer 27

computation of a function that maps the contents of a file to a numerical value. A checksum function depends on the entire contents of a file and is designed in a way that even a small change to the input file (such as flipping a single bit) is highly likely to result in a different output value.

Question 28

Data Correcting Codes

Answer 28

methods for storing data in such a way that small changes can be easily detected and automatically corrected

Question 29

Tools for Availability

Answer 29

Physical Protections, Computational Redundancies, Recovery Mechanism

Question 30

Physical Protections

Answer 30

infrastructure meant to keep information available even in the event of physical challenges.

Question 31

Computational Redundancies

Answer 31

computers and storage devices that serve as fallbacks in the case of failures.

Question 32

Recovery Mechanism

Answer 32

restoring service or information back to its usual state with minimal disruption

Question 33

Digital Signature

Answer 33

Cryptographic computations that allow a person or system to commit to the authenticity of their documents in a unique way that achieves nonrepudiation, which is the property that authentic statements issued by some person or system cannot be denied.

Question 34

Tools for Anonymity:

Answer 34

Aggregation, Mixing, Proxies, Pseudonyms

Question 35

Aggregation

Answer 35

combining of data from many individuals so that disclosed sums or averages cannot be tied to any individual.

Question 36

Mixing

Answer 36

intertwining of transactions, information, or communications in a way that cannot be traced to any individual.

Question 37

Proxies

Answer 37

trusted agents that are willing to engage in actions for an individual in a way that cannot be traced back to that person.

Question 38

Pseudonyms

Answer 38

fictional identities that can fill in for real identities in communications and transactions, but are otherwise known only to a trusted entity.