Feature-based Risk Flashcards
How can adding features to software introduce risk?
It can open up a new attack surface, potentially leading to compromise or breach.
What is a primary risk associated with location-based services?
Collection of data on user location and habits, raising privacy concerns.
What are some uses for location-based services?
Finding local stores/attractions, tracking fleets/employees/deliveries, targeted promotions.
What does RFID stand for?
Radio Frequency Identifier.
What are RFID tags often used for?
Tracking assets (laptops, phones), inventory, physical access (who was where).
What is a potential fraud risk with RFID in retail?
Swapping tags between items to pay a lower price.
What does NFC stand for?
Near Field Communications.
List common applications of NFC.
Contactless payments (tap-to-pay), door entry systems, exchanging files between nearby devices.
What security risks are associated with NFC?
Potential for stealing personal data or creating fraudulent transactions.
What are embedded systems?
Computing processes built into other products (like cars, thermostats), usually performing a specific function.
What makes patching embedded systems often difficult?
They may not be easily accessible physically or technologically.
Why is the long lifespan of embedded systems a security concern?
They may remain in use long after vulnerabilities are discovered, potentially without security designed in initially.
What challenge exists in isolating functions within embedded systems like cars?
It can be difficult to securely separate critical systems (driving controls) from non-critical ones (radio, Bluetooth) connected via network.
What environmental conditions must some embedded systems tolerate?
Humidity, high/low temperatures, and other difficult environmental factors.
What is firmware?
Low-level software embedded onto read-only memory (ROM) or flash memory on hardware chips.
What is a supply chain risk related to firmware?
Chips could be infected with malicious code or backdoors during the manufacturing process.
What technology allows the logic on some chips to be altered after manufacturing?
Field-Programmable Gate Arrays (FPGAs).
What are PLDs or PLCs?
Programmable Logic Devices / Programmable Logic Controllers.
What is a concern for programmable logic devices regarding power loss?
Ensuring they don’t lose their configuration if power fails.
What is a TPM?
Trusted Platform Module; a chip often added to a motherboard for security functions.
What is a primary function of a TPM?
Secure storage of cryptographic keys.
What process can utilize a TPM to enhance security during startup?
A secure boot process, requiring authentication before the main operating system loads.
What fundamental problem led to vulnerabilities like Spectre and Meltdown?
Lack of proper isolation between different processes running on the same processor chip.
How can vulnerabilities like Spectre/Meltdown bypass software controls?
They operate at the hardware level, potentially allowing access to memory regions or permissions intended for other processes.
What is required to mitigate hardware vulnerabilities like Spectre?
Firmware and software updates to re-establish or improve process isolation and fix configuration issues.
What is the purpose of the Common Criteria?
To provide internationally recognized standards (ISO 15408) for evaluating and testing the security of IT products.
In Common Criteria terms, what is the “Target of Evaluation” (TOE)?
The specific product or system that is being tested.
What does a “Protection Profile” (PP) define in Common Criteria?
A description of the type of security or protection a category of product provides.
What does the “Security Target” (ST) specify?
The specific security goals or aims of the particular product being evaluated.
What does “Evaluation Assurance Level” (EAL) represent?
The level of rigor and depth of the testing performed, indicating the level of trust in the evaluation results.
What components beyond application software need vulnerability assessment and mitigation?
Operating systems, firmware, database management systems, embedded systems, and other supporting infrastructure.
