Introduction Flashcards
What are the 4 components involved in building dependable systems?
Policy (what you are supposed to achieve)
Mechanisms (measures and controls used to implement the policy)
Assurance (amount of reliance you can place on each mechanism and how well the mechanisms work together)
Incentive (motive of the people guarding and maintaining the system to do their job properly, and motive of attackers to jeopardise the policy)
Define asset
Something that has value to the organisation (tangible or intangible)
Define threat
Potential cause of an incident that may harm the assets of an organisation
Define threat agent
Party that is responsible for posing a threat to a system.
Could be human (intentional vs unintentional) or natural (e.g. disaster)
Define vulnerability
A weakness in a system that can be exploited by a threat agent
Define risk
The potential that a threat agent would exploit the vulnerability and adversely impact the system.
risk = impact * likelihood
Define attack
Action of exploiting a vulnerability to compromise a system
Define security policy
Set of rules that define the assets to protect, the security objectives to achieve, the standards to follow and the constraints of a security program
Define security controls
Measures to protect a system according to a security policy
Define confidentiality
Protecting information and assets from unauthorised access
Define integrity
Ensuring accuracy and completeness of data and processes and protecting them from unauthorised modification
Define availability
Ensuring that data and services are available to the system users and preventing unauthorised impairment of functionality
Define accountability
Actions can be traced to responsible users/entities
Define non-repudiation
Committed actions cannot be denied by responsible actors
Define authentication
Verifying the identity of the user or process to grant access to resources