Ethics and Security Flashcards
4 High Level Security Properties
**Confidentiality: **Preventing unauthorized parties from accessing (or even knowing about) secured data.
Integrity: Ensuring that only authorized parties can manipulate data, and only in an approved manner.
Availability: Resources should always be accessible by authorized users on appropriate occasions.
Accountability: It should be possible to know how subjects interact with sensitive systems and data.
4 key security terms
- assets
- subjects (anyone trying to access info)
- policies (govern access)
- threats
understanding (4 dimensions)
understand the system to understand impact of types of attacks:
- physical (ex: access to a workstation)
- system (ex: how react to an attack)
- network (ex: man in the middle attack)
- human (ex: befriend an employee)
Analysis (3 attacker types)
understand how and why a subject would want to violate security policies, types of attackers:
- disgruntled employee
- curious attacker (see if they can)
- state actors (political/monitary gain)
DREAD Threat Modeling
For a Risk Score, score these on a 10 point scale, add and divide them:
- Damage: how bad could attack be?
- Reproducibility: how easy to reproduce attack?
- Exploitability: how hard is it to perform attack?
- Affected Users: how many users impacted?
- Discoverability: how hard it is to find vulnerability?
Mitigation: STRIDE Threat Model
Spoofing: pretend to be another subject.
**Tampering: **modifying data.
Repudiation: denying performing a task.
**Information disclosure: **access private data.
**Denial of service: **halt service.
**Elevation of privilege: **gaining unauthorized rights.
cannot rely on only:
- passwords
- firewalls
- pen testing
- update policies
4 validation approaches
- code review
- static analysis
- dynamic analysis
- pen testing
what testing technique is complimentary to validation? and why?
fuzz testing
- generates a lot of stuff to try to trick the system
What is the principle of defence in depth in security?
A small breach shouldn’t cause a major failure.
Security is layered—not only at the perimeter but also internally.
Helps prevent failure propagation, though it can increase complexity and reduce usability.
What does the least privilege principle mean?
Users should have only the access they need, nothing more.
Prevents accidental or malicious misuse of data.
Commonly implemented using roles and access control lists.
What is separation of duties, and why is it important?
No single user should perform a critical or sensitive action alone.
Protects against both accidents and abuse.
Often used in accounting and compliance systems via multi-party approvals.
What is strong authentication?
Makes it harder for unauthorized access.
Uses strong passwords and multi-factor authentication.
Requires both something you know (password) and have (phone, fob, etc.).
What does non-repudiation mean in system security?
Ensures users can be held accountable for actions.
Involves auditing system usage.
Helps trace breaches and deter misuse, but audit logs must be secured.
What is the goal of hardware infrastructure security at Google?
Uses in-house designs for servers and networking gear
Reduces risk of unknown hardware operating in secure environments
How is service deployment secured (google)?
All communication is encrypted
Services can only interact with authorized peers
Data access is restricted
Services run in separate hypervisors or independent machines
How is user identity managed for Google employees?
Uses multi-factor authentication internally
Grants fine-grained, restricted access to services and data
How does Google ensure secure data storage?
All data is encrypted with rotating keys
Manages data deletion carefully (addresses data remanence)
Distributed nature of data presents unique challenges
What role does the Google Front End (GFE) play in internet communication?
Ensures perfect forward security and correct certificate configuration
Can mitigate DoS attacks via throttling and load balancing
What are key aspects of Google’s operational security?
Uses secure coding practices (code reviews, static/dynamic analysis)
Leverages security-aware frameworks and libraries
Collaborates with open-source projects to fix vulnerabilities
What is the purpose of the ACM Code of Ethics?
To guide software engineers in understanding their professional and ethical responsibilities, raise awareness of potential ethical issues, and reduce “unknown unknowns” in decision-making.
What are the key ideas in the General Principles section of the ACM Code?
Avoid harm (including unintended harm)
Act with honesty and fairness
Respect privacy and confidentiality
Recognize their societal impact
What does the Professional Responsibilities section of the ACM Code emphasize?
How software engineers should work ethically and responsibly in team settings to implement the general principles.
What is covered in the Professional Leadership Responsibilities section of the ACM Code?
Engineers in leadership or influential roles must model ethical behavior and ensure ethical technical decision-making across teams.
Why has explainable AI become more important?
ML models are less transparent than traditional code, making it harder to detect bias. Explainable AI helps engineers understand and correct unfair outcomes.
What is k-anonymity in data privacy?
k-anonymity ensures that each individual’s data cannot be distinguished from at least k−1 others in the dataset. This helps protect identities by making it hard to link specific records to individuals.
GPLv3 licence
A strong copyleft license:
- code can be used, shared, and modified, - must remain under GPL if redistributed or changed
- Projects using GPLv3 code cannot be relicensed under less restrictive terms.
How does LGPLv3 differ from GPLv3?
Still a copyleft license, but more flexible.
If used as a library, the product does not need to adopt LGPL.
Only modifications to the LGPL library itself must be shared.
MPLv2
A file-based copyleft license:
- only modified files licensed under MPL need to be released, making it more flexible than GPL or LGPL.
What are CC-by licenses used for?
Created by Creative Commons for licensing creative works.
**CC-by: **Free to use, modify, and share with attribution.
**CC-by-SA: ** Same as CC-by, but modified versions must be shared under the same license.
