L16: Security Engineering Flashcards
What is security engineering?
Security engineering is concerned with how to develop systems that can resist malicious attacks.
The tools, techniques and methods to support the development and maintenance of systems that can resist malicious attacks intended to damage a computer-based system or its data.
What is security?
A system property that reflects the system’s ability to protect itself from accidental or deliberate external attack.
Security is important. Most systems are networked so that external access to the system through the network is possible.
Security is an essential pre-requisite for availability, reliability and safety.
What is an asset?
Something of value which has to be protected. The asset may be the software system itself or data used by that system.
What is an attack?
An exploitation of a system’s vulnerability. Generally, this is from outside the system and is a deliberate attempt to cause some damage.
What is a control?
A protective measure that reduces a system’s vulnerability. Encryption is an example of a control that reduces a vulnerability of a weak access control system.
What is exposure?
Possible loss or harm to a computing system. This can be loss or damage to data, or can be a loss of time and effort if recovery is necessary after a security breach.
What is a threat?
Circumstances that have potential to cause loss or harm. You can think of these as a system vulnerability that is subjected to an attack.
What is vulnerability?
A weakness in a computer-based system that may be exploited to cause loss or harm.
What is confidentiality in security?
Information in a system may be disclosed or made accessible to people or programs that are not authorised to have access to that information.
What is integrity in security?
Information in a system may be damaged or corrupted making it inconsistent or unreliable.
What is availability in security?
Access to a system or its data, which is normally available, may not be possible.
What are the levels of security in an organisation?
- Infrastructure security
- Application security
- Operational security
What is infrastructure security?
Infrastructure security is concerned with maintaining the security of all systems and networks that provide an infrastructure and a set of shared services to the organisation.
Infrastructure security is a systems management problem where the infrastructure is configured to resist attacks.
What is application security?
Application security is concerned with the security of individual application systems or related groups of systems.
Application security is a software engineering problem where the system is designed to resist attacks.
What is operational security?
Operational security is concerned with the secure operation and use of the organisation’s systems.
Operational security is primarily a human and social issue.