Introduction to Information security Flashcards
What is a threat
A potential occurence that can have an adverse effect on the assets and resources of a system
What is a vulnerability
A characteristic in a system that allows for a threat to occur. A weakness in the system that makes the threat possible.
What is an attack
An action that involves exploiting a system vulnerability in order to cause an existing threat to occur
What are the 4 types of threats?
Disclosure, deception, disruption and usurpation
What is disclosure?
When information is available or leaked to an attacker
What is deception?
Providing false information or tricking someone to do what you want them to do.
What is disruption?
Preventing communication from happening, for example disrupting information from being shared
What is disruption?
Preventing communication from happening, for example disrupting information from being shared
What is usurpation?
When someone gets unauthorized access to a system or parts of a system.
What is snooping?
And disclosure attack where someone is getting and viewing information they weren’t supposed to have. Usually done with direct access to a machine
What is the CIA triad that is used to uphold computer security?
Upholding the three properties of confidentiality, integrity and availablility
What is confidentiality?
Prevention of disclosure of authorized information
What is integrity?
Prevention of unauthorized modification of information
What is availability?
The ability to withstand unauthorized withholding of information.
The necessary and promised data and system functionality should be available for indiviuals when they need them to be.
What is accountability in respect to of information security?
Who can you blame or account resources to
What is non-repudiation?
Not being able to deny one’s actions or repudiate, because of evidence or records of the action happening
What is computer security?
A system needs to behave in the way the designer intended it to.
Preventing attackers from achieven objectives through unautherized acces or use of systems.
How a system behaves in respect to integrity, confidentiality and availability.
What are security policies?
Policies set by organizations to keep their organization secure.
Tells what you are and aren’t supposed to do (i.e. going to certain websites on a work computer, downloading apps)
What is security mechanisms?
Ways to enforce security policies to make them work in practice.
What is one way that a security policy can be viewed as successful/effective?
When the policy handles multiple states of a system (secure states, insecure state) and there is no way for a system to transition to move from a secure to an insecure state. The system must also begin in a secure state.
What are three concept that can be used in security mechanisms to enforce security policies
Prevention (making sure aspects of the policy can’t be violated)
Detection (detecting policy violation, or determining when the policy was violated).
Recovery (Being able to revert back to a secure state after violation).
What are some types of security mechanisms?
Physical controls: Physical mechanisms that stop things from happening (locks)
Hardware and software controles: Mechanisms that can run checks/test to ensure a policy is held (access control, authorization).
Cryptography: Enforces confidentiality and integrity inside computer systems.
What are some methods to decide what security mechanisms to put into practice?
Evaluate added cost to possible mechanisms when their in use - mitigating (how to make things expensive for an attacker)
Laws and regulations
Risk analysis and assesment (likelyhood, possible consequences, how tolerable is the risk)’
Cost-benefit analysis (calculates the benefits of implementation and the associated cost of doing so)
Human issues (usability): Prioritizing mechanisms that are easy for users to use or realistic that users actually will use properly
What does security mechanisms want to accomplish?
Making the system so difficult to attack or so expensive to penetrate that it is no longer worth it for an attacker to do so
What does security mechanisms want to accomplish?
Making the system so difficult to attack or so expensive to penetrate that it is no longer worth it for an attacker to do so
What is mitigantion in regards to information security?
Reduction of severity or seriousness of an event. Centered around limiting impact of threats
What is hacktivism?
The action of hacking with politically or socially motivated purposes
What is an hobbyist hacker?
A hacker who’s is not employed by the government or an organization
What happens during a security breach
A system has transitioned from a secure state to an insecure state
What is security by designation
A user grants authority, so the user has the necessary context to know why it should be granted.
What is security by admonition?
The program initiates the request for authority. A user might not understand if it should be granted or not. A user may not have the context to decide whether to grant it.
When is security by admonition required?
When a user is likely to grant an actor the ability to do something that the user doesn’t want.
What is the principle of “Path of least resistance”?
The most natural way of executing a task should also be the safest
What is the principle “Appropriate boundaries”?
(TODO)
What is the principle of “Explicit authorization”?
A user’s authority should only be granted to
another actor through an explicit user action understood to imply
granting.
Define the principle of “Visibility” in secure interaction design
The interface should let the user easily review any active authority relationships that could affect security decisions.
Define the principle of “Recoverability” in secure interaction design
The interface should let the user easily revoke authority
that the user has granted, whenever revocation is possible.
Define the principle of “Expected ability” in secure interaction design
The interface should not give the user the impression of having authority that the user does not actually have.
Define the principle of “Trusted path” in secure interaction design
The user’s communication channel to any entity that manipulates authority on the user’s behalf must be unspoofable and free of corruption.
Define the principle of “Identifiability” in secure interaction design
The interface should ensure that identical objects or
actions appear identical and that distinct objects or actions appear different
Define the principle of “Expressiveness” in secure interaction design
The interface should provide enough expressive
power to let users easily express security policies that fit their goals.
Define the principle of “Clarity” in secure interaction design
The effect of any authority-manipulating user action should
be clearly apparent to the user before the action takes effect.
What are the 5 steps in the methodology for physical security?
Assessment, assignment, arrangement, approval, action
What is assesment in physical security methodology?
A thorough examination of the facility to be protected
- Scope of the property
- Establish all points of entry and egress
- Potential points of entry and egress
- Existing security measures
- Evaluation of physical property
- Risk assessment (how much risk is there)
What is assignment in physical security methodology?
Establish the required level of security for specific areas and assets within the facility
- High level (data centers, executive offices, finance and acconting)
- Medium (Entry and egress, reception, elevators)
- Low level (Common areas, cubicle farm)
What is approval in physical security methodology?
Submit all plans, costs to get them approved
- Hardware (quotes form vendors)
- Costs (plan A-B-C - have multiple plans, flexibility, options)
- Schedules (time frame from completion, interference with business operations)
What is action in physical security methodology?
Implement the proper security plans
- Construction (construction, inspection, corrections)
- Training (security officers, users, policy)
- Testing (ensure systems works as planned, compliance testing)
What are the four fundamental design principles?
Principle of open design, principle of sweeping simplifications, principle of design iteration and principle of least astonishment
What is the principle of open design in design principles?
Get others to comment and give feedback on you design. “Given enough eyeballs, all bugs are shallow”.
The more people that looks at the system, the bigger a chance that flaws, vulnerabilities and errors are found.
What is the principle of sweeping simplifications in design principles? (KISS - keep it simple stupid)
The less complicated something is, the less likely it is that someone made an error in the design or implementation of the system.
Complexity is the enemy of security.
To achieve this in complex systems, implement layering where each layer implement the principle of sweeping simplifications, and only communicate with the adjacent layers.
What is the principle of design for iteration in design principles?
Design your software in a way that makes it possible to implement changes later on.
Important since priorities and threats change over time.
Being able to adapt and update a system over time
What is the principle of least astonishment in design principles?
As software are written for the user, if any error occurs, these should be presented in a way that makes sense to the user. The system should create an experience that follows what the user thinks should happen.
Connected to the principle of phsycological acceptability. Security mechanisms should be comprehensable and fit efficiantly into user activities.
What is the principle of minimizing secrets in design principles?
Secrets shoul be few and should be easily changable.
These should not be baked into the code, and changing them should not require chenging of the source code.
Should never assume that the attacker can’t see the code - the code itself is not secret.
The security of a mechanism should not depend upon secrecy of it’s design or implementation (obscurity).
Secrets should also maximize entropy, meaning they should increase an attacker’s work factor
What is the principle of complete mediation in design principles?
All access to objects should be checked to ensure allowed access. One of the most vital parts of system security is access control.
This principle is often embedded in the piece of software called reference monitor, which checks the authenticity, authorization and integrity of access requests. Every request should be checked.
Access rights are always completely validated, every time an access occurs.
What is the principle of fail safe defaults in design principles?
The default values in a system should be sane and secure.
The idea is to “fail-closed”, meaning to fail in a way that does not compromise other parts of the system. “Fail-open” would allow an attacker to achieve some objective. Default behaviour of a system should be a safe one. Don’t fail and then let all requests in, rather fail and let no requests in.
No access by default - for example.
What is the principle of least privilege in design principles?
Privileges should only be granted such that an individual can perform their duty, and nothing more. Permissions must also be granular enough to only grant the permission nedded to fulfill the duty. This principle also ensures privacy
What is the principle of economy of mechanism in design principles?
Security mechanisms should be as simple as possible. Complex security mechanisms leads to errors.
What is the principle of least common mechanism in design principles?
Mechanisms used to access resources should not be shared. Shared resources can lead to denial-of-service attacks or other attacks.
An example is when seperate processes execute with shared CPU/RAM resources, the different processes can affect each other (?).
What is security by obscurity?
When a system tries to increase security by hiding parts of the system. For example hide design or implementation. This is not good and will not work, as one should always assume an attacker has access to the source code.
What is the principle of separate privileges in seure design patterns?
A protection mechanism is more flexible if it requires two seperate keys to unlock - allowing for two person control.
An example are dual-keys for safety deposit boxes.
What is the principle of Physological aceptability in secure design principles?
A policy interface should reflect the user’s mental model of protection. This is to avoid users using a mechanism incorrectly if the mechanism does not make sense to them.
Passwords fail this, even though people know they should use strong passwords, not share them, and not re-use them, people will still do that.
What is the physical security principle of “work factor”?
Stronger security will make the attacker work harder, in software security this would translate to trial-and-error attempts. Larger and more complex password and encryptions will lead to more attempts required to guess them. However, as attackers penetrate system by exploiting vulnerabilities that does not rely on trial-and-error this principle does not necessarily relate to all software security situations.
What is the physical security principle of “compromise recording”?
A system should keep attack records even if the attacks aren’t blocked.
In software security the benefit of these records can be questionable. If a system weren’t able to prevent an attack that modified data, the attack records themselves may have been modified - questionable integrity.
What is the security principle of Defence in depth?
A system shouold be built with independant security layers, making it necessary for an attacker to break through multiple security measures.
This echoes the least common mechanism - but targets a separate problem
What is the security principle of Chain of control?
Ensure that trustworthy software is being executed, or that the software’s behaviour is restricted to enforce the intended security policy. Malware should not be able to redirect the CPU to execute its code with enough privileges.
What is the principle of Transitive trust?
If A trust B, and B trust C, then A also trusts C.
What is the principle of duty?
Decompose a critical task into separate elements performed by seperate individuals or entities.
What is threat modelling?
Reflecting on what can happen to a system, where is the vulnerabilities, what is the security issues?
What are you concerned about an attacker doing?
How can we go about addressing these conserns?
Find out what parts of the system are prioritized, what needs protection and what doesn’t.
Which ways would you protect the different parts of a system?
Think about the integrity of the different parts of the system, and the information stored there.
What are the steps in the security life cycle (threat modelling)
- Threats: What threats do we have?
- Policy: What policies is put in place to mitigate those threats
- Specification: Specify how the policies would work in the system
- Design: Design the system
- Implementation: Implement the system
- Operation and maintenance
As new threats or new things comes up in the cycle, the steps needs to be moved through again to adapt to these changes.
What is a threat?
Something that can happen to a system
(data leak, data modification…)
What is a vulnerability?
A weakness in a system that allows for a threat to occur.
What is an attack?
An action that exploits a vulnerability to cause a threat to occur.
How do you use risk to decide which security mechanisms to implement?
As security mechanisms can affect things like performance and costs, complex and unecessary security mechanisms shouldn’t be implemented unless there’s a big enough risk.
What are assets?
Data, personell, devices, facilities and systems that allows the organization to achieve its purpose.
What is done during threat modelling?
First we need to get an understanding of the system we are protecting (study the details, are there any design flaws, how does the system work).
Then the assets and resources we are trying to protect are identified.
Then we try to predict who the adversaries/threats against our assets are, and what they might do to try and gain access to the assets (attack trees, attack graphs). What resources and abilities do they have?
Remember, attackers get better over time. If a system is deployed to last over many years, the mitigations should last as long.
Then we try to determine the risk associated with the asstes.
Finally, necessary security techniques are deployed to mitigate the attacks we have.
You prioritize security analysis and develop mitigations based on the potential severity of things.
What are attack trees?
Tools used to list the threats and attacks, and reason how different activites can occur and how these can work together to achieve an attack.
Allows to systematically consider potential attacks that may realize a threat.
The parent node is the action/goal (rob a bank)
The child nodes describes what will happen to make this occur (steal a gun AND hold up the teller). When both child nodes need to happen - are dependant on each other (AND) we draw a connector between them. If only one need to happen (OR) there is no connector between the children (climb through the airvent or sneak in through the back door)
The lowest children/leaf nodes is what needs to happen to achieve their parent, and so on until we reach the root node.
What are the steps of threat modeling?
- Understand your system
- Understand what assets/resources need to be protected
- Predict who the potential attackers are against a particular asset, and what are the possible attacks?
- Perform risk assessment. Determine what is the expected risk (quantitive and qualitative) because of an attack.
- Perform risk management. Employ security mechanisms (mitigations), if needed. Determine if these are cost affective.
What is the microsoft STRIDE model?
A model used to decide what threats are possible against our system and likely to happen, and that categorizes threats into:
- Spoofing:
- Tampering
- Repudiation
- Information disclosure
- Denial of servide
- Elevation of Privilege
What is the DREAD model used in threat modeling?
A model used to rank threats in order to know what is most important to take care of immediately. The method ranks threats based on:
- Damage
- Reproducibility
- Exploitation cost
- Affected users
- Discoverability
Rate each of these from 1-5 and add these up to a total rating for the given attack.
What is risk?
Whenever there is an asset, that asset may be at risk. A risk is when there is a chance that a negative event will occur that may cause loss of value.
What is risk analysis/risk assessment/risk management?
The process of identifying assets at risk, putting measurements on potential loss and assigning a probability of a negative event occuring.
Process of planning how to control risk.
How is risk calculated mathematically?
risk = p(attack) * c(attack)
p: probability
c: consequence
What are IT assets?
Subset of assets including information, IT processes and functionality, IT systems.
What are the 4 things often done when doing risk assesment?
Risk reduction, mitigation, transfer and acceptance
What is risk reduction?
Making it less likely that a negative event happens
What is risk mitigation?
Making it so that when something negative happens, it is less impactful
What is risk transfer?
Making it so that when a negative event happens, all the negative impact does not land on you.
What is risk acceptance?
When one is willing to accept the given amount of risk
Describe the quantitive approach to risk assessment
Compute the expected monetary loss of all events that affect and asset.
Then calculate the probability of each event occuring.
Use risk formula to calculate an exact numerical risk value.
Describe the qualitative approach to risk assessment
Use categories such as low, medium and high to label events that threatens an asset and label the consequence of this event occuring.
High impact + low probability = Medium risk
Give an example of how risk is being qualitatively labeled?
The department of defense in the USA is using these labels to label risk:
Confidential: Unautherized disclosure of which reasonably could be expected to cause damage to national security
secret: Unautherized disclosure of which reasonably could be expected to cause serious damage to national security
top secret: Unautherized disclosure of which reasonably could be expected to cause exceptionally grave damage to national security
What is the advantages of using and quantitative approach to risk assesment?
It gives you an exact number that can be presented and compared with other senarios.
Good for reliability questions (disks failing, time to failure)
What is the disadvantages of using a quantitative approach in computer security?
Failures are not random. Attackers and their skill-level and motivation can drastically change a company’s risk profile.
This makes it difficult to calculate probability.
Difficult to be sure the values calculated are correct and presise, will often be inaccurate.
What is Single loss expectancy (SLE)?
The monetary loss of one asset being compromised because of a risk
What is Annual rate of occurence (ARO)
Describes the annual frequency of a threat occuring
What is Annual Loss Expectancy (ALE)
Multiply the SLE with the ARO (SLE x ARO)
What is ACS in risk assessment?
…
What is ANB in risk assessment?
…
What is a Cyber killchain and what is it’s purpose?
The model identifies what adversaries must complete in order to achieve their goal.
Understanding the steps of an attack.
When using attack trees, what are the difference between continuous labels and using boolean labels for the nodes?
Boolean labels: If a node is expensive/non-expensive, possible/impossible, easy to estimate/measure/label
Continuous label: exact cost of node (75K), difficult to measure presisely - potential large error
What does system security engineering concern?
Identifying security risk, requirements and recovering strategies.
Involves defined processes through which designers develop security mechanisms.
What does system security engineering concern?
Identifying security risk, requirements and recovering strategies.
Involves defined processes through which designers develop security mechanisms.
Give example of the 3 steps of threat modelling when dealing with a complex software system
Characterizing the system: Understanding system componentsand their interconnections, understanding assumptions, dependencies. Creating a system model emphasizing its main characteristics
Identifying assets and access points
Identifying threats: Creates the threat profile of the system. Describes which attacks needs to be mitigated and which are accepted as low risk
What is done when characterizing a system during threat modelling
Understanding system componentsand their interconnections, understanding assumptions, dependencies.
Using different modeling techniques (Network modelling, Data Flow Diagrams, to dissect a system into its functional components)
Why are Data Flow Diagrams usefull during threat modelling
Allows for easier identifying threats by following adversary’s data and command as they are processed by the system. See how they are parsed and acted on, and seeing which assets they interract with
What is done when assets and access points are identified during threat modelling
Who are the potential adversariies?
What is their motivation and goals?
How much inside information do they have?
What are access points in a system?
What attackers use to gain access to the assets (sockets, config files, read/write filesystem access)
What is a trust boundary?
Is a boundary across which there is a varied level of trust
What is a trust level?
The level of trust needed to access certain parts of a system
What is done when threats are identified during threat modelling
Stepping through each system asset and connect a list of attack goals to that asset.
Correlating threats to assets by creating adversary hypotheses
What is spoofing?
Using someone else’s credentials to gain access to an asset
What is tampering?
Changing data to mount an attack
What is repudiation?
When a user denies performing an action, but the target of the action has no way of prooving othervise
What is information disclosure?
Disclosure of information to a user who does not have permissions to see it
What is denial of service?
Reducing the ability of valid users to access resources
What is elevation og privileges?
Occurs when an unprivileged user gain privileged status
What is mitigating a risk?
Reduce the risk or the consequences with countermeasures
What is an example of transfering risk
Having insurance, giving warnings
How is attack trees built
Root node: Goal
Leaf nodes: Different ways of achieving the goal
AND nodes: Represent steps to achieving the same goals. Nodes with the same parent, that all needs to be fulfilled
OR nodes: Alternative ways to achieve the same goal
Node values: Bool (Impossible I, Possible P, legal/illegal, expensive/non-expensive), continuous (exact cost, probability…). Can combine continuous values - node have both cost and probability. Or cost and f it needs special equipment to execute. Countermeasures can affect node values: bribing would originaly be 10K, but if you pay them 80K, the new cost would be 70K.
Bool Value of OR node: Possible if any child is possible
Bool Value of AND node: Only possible if all children arepossible
Continuous value of OR node: Value of cheapest child
Continuous value of AND node: Sum of all children
How do you create attack trees?
Identify goals- these will be the root nodes of individual trees.
Think of all attacks against each goal and add them as child-nodes down the tree.
Repeat down the tree until done.
Research node values
Which three statements holds true when considering a computer system that is a finite stat automation with state transitions?
- A security policy is a statement that partitions a system into a set of secure and authorized states, and a set of non-secure or unautherized states.
- A secure system will start in an authorized state and cannot enter an unauterized state
- A breach of security occurs when a system enters an unautherized state.
What are two forms that security policies come in?
A security policy that lists a sries of rules that must be followed in order to ensure safety of the organization. Tells you what you are and aren’t supposed to do.
The second is a more technical and complete way to model a security policy. A security policy will ensure that one can only reach/transitiobn to a secure state of a system when one starts off at a secure state of the system.
Security policies for a system should take care of and ensure different security properties are being achieved. For example properties such as integrity, availability and confidentiality.
When does information have the property of confidentiality?
X are some entities, and Y are some information. Y has the property of confidentiality with respect to X if no member of X can obtain information of Y. A confidentiality policy is effective if the policy ensures Y its property of confidentiality.
When does information have the property of integrity?
X are some entities, and Y are some information. Y has the property of integrity with respect to X if Y is unmodifiable by X. A integrity policy is effective if the policy ensures Y its property of integrity.
When does information have the property of availability?
X are some entities, and Y are some information. Y has the property of availability with respect to X if all members of X can access Y. A availability policy is effective if the policy ensures Y its property of availability.
What is a security mechanism?
The thing that actually enforces a policy. The things that do the actions that prevent you from bypassing a policy.
What are the difference between security policies and security mechanisms?
policies set rules, mechanisms enforces them
What are military based security policies?
Policies design to protect information and prevent it from getting in the wrong hands.
What are commercial based security policies?
Integrity based security policies that tries to prevent people from tampering with and modify information.
What is a security model?
A model that represent a bunch of security policies to make us understand if the set of policies do infact provide the necessary protection for the system we want to protect.
Put the policies and all its actors into context.
What is a security model?
A model that represent a bunch of security policies to make us understand if the set of policies do infact provide the necessary protection for the system we want to protect.
Put the policies and all its actors into context.
What is the Bell-La Padula model (BLP)?
A model used to provide confidentiality to a system.
Have a set of subjects and objects where each subject and object has their own clearance and/or classification to them.
There is different rules of who are able to read and write to these subjects of different classification.
Classification examples: Top Secret, secret, confidential, unclassified
Who can read files in a system?
- Every person who has reason to read the given files, and whos classification is the level above the files level. Meaning people can read all files with lower (or the same) classification as themselves, that they have reason to read.
What are the two rules of the BLP model?
Simple security property:
You can only read information with the same clearance as yourself, or clearance below, that you have a reason for needing to read. Security clearance of object has to be at least as high as that of the object. L(o) <= L(s), s: subject, o: object
Start property (*-property):
People can only write to things at their level of clearance, or higher. A subject s who have read access to an object p, may have write access to an object o, as long as o has higher clearance than p, and s has discretionary write access to o. L(o) >= L(p).
What does the two rules of the BLP model want to prevent?
The two rules want to prevent classified information to leak to subjects with lower classification that the information it self. This is prevented by not allowing write-down, meaning a person who can read top level cleared information, cannot write to files below this top clearance level.
Describe the “Basic security theorem”
If you have a system with a secure initial state, and you define all the transformations according to the two rules/properties of the BLP model, a system will be secure.
Name a way in which the BLP model is impractical
People of high clearance often need to communicate with people below their clearance. However, to allow this, the *-Property of the BLP model is ignored, meaning the models theoretical guarantee of the security of a system is broken.
What is the Need to Know Principle?
If a person need to know certain information, they should be able to obtain and read it. However, if a person not necessarily needs to know a piece of information, even if the information is of the same clearance level, they should not be able to obtain it.
How is compartmentalization used in the BLP model?
Information should be appointed a compartment in addition to a clearance level. If a person want to read the information in a compartment, they would then need both the required clearance level, in addition to access to the given compartment.
What is the tranquility principle?
An assumption maked in the BLP model is that security levels of information and subjects are constant. This is however often not the case in practise.
With tranquility you want to think about how security levels within a system can change. Strong tranquility would mean that security properties will not change during the lifetime of the system, where as weak tranquility would mean that security properties will change over time, but not in a way that violates the security assumptions.
Describe the Biba Integrity model
Model focusing on integrity and has a hierarchical construction.
Each object and subject in a system is labeled with an integrity label.
If someone wishes to write to some piece of data, the data should benefit from the integrity of the individual, or at least remain neutral.
This means that a subject can only write to data equal to its level, or below.
Subject should only read data that would increase their integrity, meaning they can only read data with greater or equal integrity to their own.
Compare the BLP model and the Biba model
BLP is for confidentiality and Biba is for integrity.
The hierarchicals structure of the models are reversed:
- BLP allows read-down, but not write-down (read equal or below, write equal or above.)
- Biba allows read-up, but not write-up (read equal or above, write equal or below.)
Describe the Lipner’s model
More practical model compared to the Biba model and the BLP model.
Contains three principles that ensure an organization remains safe.
- Separation of duty: If two or more steps are required to perform a critical function, at least two different people should perform the steps.
- Separation of function: Resources such as servers, repositories, etc. should be isolated from each other based on function.
- Auditing
Describe the Lipner’s model
More practical model compared to the Biba model and the BLP model.
Contains three principles that ensure an organization remains safe.
- Separation of duty: If two or more steps are required to perform a critical function, at least two different people should be needed to perform the steps.
- Separation of function: Resources such as servers, repositories, etc. should be isolated from each other based on function. Example, don’t run testing and production code on the same systems.
- Auditing: An organization should analyze system to determine what actions took place, and who performed them. (Focus on non-repudiation)
Can use Biba and BLP to prove the system holds the necessary security properties
Describe the Clark-Wilson Integrity Model
Tackles how an entity is allowed to change data. The model formalizes the notion of information integrity. Uses transactions, which are way of doing modification of data in a database.
The model defines enforcement rules and certification rules that define data items and processes that provide the basis for an integrity policy.
One party goes and does a transaction, and another arty certifies that the transaction are accurate and follows a set of rules. As long as both parties does not collude, the system is secure.
When using the Clark-Wilson model, when transactions are done, information of the transaction is appended to a log. Why is it necessary that it is only possible to append information to this log, and not modify it in the log?
Describe the chinese wall model
The model builds on the principle of avoiding conflict of interests between different businesses, by allowing for a company to only provide services for companies that do not directly compete with each other.
Describe the chinese wall model
The model builds on the principle of avoiding conflict of interests between different businesses, by allowing for a company to only provide services for companies that do not directly compete with each other.
How would you define trust in a cyber security context?
The expectation that arises within a community of regular, honest, cooperative behaviour based on commonly shared norms.
For example, when we say we trust security mechanisms, we don’t trust the mechanisms themselves, but rather the organisation that implemented them. The reason we trust the organisation is because of our common set of norms, which include the concept that a security mechanism should protect data, and not put it at any risk.
What is a security policy with relation to trust?
Security policies are related to trust, because they are related to mechanisms, which are inherently trust decisions.
Security policies communicate to trustworthy and cooperative people that norms are expected of them. As these parties as cooperative, they will comply to these expectations.
When defining trust reliant on the concept of shared norms, a security policy is an explicit definition of the norms on which we base our trust desicions.
(Policies define what we expect of parties in regards to their behaviour and intent).
When implementing a security mechanism, what happens in regards to tryst?
A trust boundary is creating. This essentially mean that the system is divided into parts we expect untrusted-subject to have access to, and parts only trysted parties an access.
Why is trust important to consider?
If system would be designed to create trust bounderies for every possible subject, at some point the costs of implementation would exceed the cost of potential negative outcome. Therefore it is important to realise that some parties, actually most parties, are trustworthy and comply with social norms.
What three questions should we have in mind when forming security policies?
- What behaviour do we want to see upheld?
- Is our policies clear? (violation of policies are more likely to be caused my misunderstanding than of malicious intent)
- Who do we trust and distrust?
What are three things that help keeping people trustworthy and stay away from malicious actions?
- Moral pressure (we are taught from a young age toact according to social norms)
- Reputational pressure (Companies would not want to be caught doing something that could destroy their reputation)
- Institutional pressure (if penalty exceed the potential gain, most people would stay away from the action)
What three things should we think about when deciding which mechanisms to use?
- Do I trust the mechanism?
- Does the asset sit between the asset i wish to protect and the untrusted party? Does it create the proper trust boundary?
- Does the mechanism enforce the norm or desired policy?
What are the general principles of security policies?
The management of the organisation should actively take action to comply with the policies. If not, it will be difficult to get the rest of the organisation to comply.
In an organisation, who is it important that is concerned about the security aspect?
Managers, system designers, end users in some degree, company lawyers
Name the two types of security policies
Inclusive- and exclusive policies
What are inclusive policies?
Policies that specifically defines which behaviour is allowed. Behaviour that is not mentioned, is automatically not allowed.
(White list)
What are exclusive policies?
Policies that specifically defines which behaviour is not allowed. Behaviour that is not mentioned, is automatically allowed.
(Black list)
What are exclusive policies?
