Midterm Flashcards
confidentiality
Avoidance of the unauthorized disclosure of information
Confidentiality is crucial for protecting sensitive data.
integrity
Information has not been altered in an unauthorized way
Integrity ensures that data remains accurate and trustworthy.
availability
Information is accessible and modifiable in a timely fashion by those authorized
Availability ensures that users can access information when needed.
assurance
How trust is provided and managed in computer systems
Assurance includes methods to ensure that systems function as intended.
authenticity
Determine that statements, policies, and permissions by persons/systems are genuine
Authenticity is vital for verifying the legitimacy of data and actions.
anonymity
Certain records or transactions not to be attributable to any individual
Anonymity protects individuals’ identities in transactions.
encryption
Transformation of information using a secret called an encryption key
Encryption is a key method for securing data from unauthorized access.
access control
Rules and policies that limit access to confidential info to those who need to know
Access control is essential for maintaining confidentiality.
authentication
Determination of identity or role that someone has
Authentication verifies user identities before granting access.
authorization
Determination if a person/system is allowed access to resources
Authorization follows authentication to control access rights.
physical security
Establishment of physical barriers to limit access to computational resources
Physical security protects hardware and infrastructure from unauthorized access.
backup
Periodic archiving of data
Backups are essential for data recovery in case of loss.
checksum
Computation of a function that maps the contents of a file to a numerical value
Checksums are used to verify data integrity.
data correcting code
Methods for storing data in such a way that small changes can easily be detected and automatically corrected
Data correcting codes enhance data reliability.
digital signature
Cryptographic computations that allow a person/system to commit to the authenticity of their documents in a unique way that achieves nonrepudiation
Digital signatures provide a means of verifying the sender’s identity.
nonrepudiation
Authentic statements issued by some person/system cannot be denied
Nonrepudiation ensures accountability in communications.
eavesdropping
Interception of information intended for someone else during its transmission over a communication channel
Eavesdropping poses a significant risk to data confidentiality.
correlation
Integration of multiple data sources and information flows to analyze relationships between different data sets
Correlation helps in identifying patterns and insights.
traceback
Process of determining the source of a particular data stream or piece of information by analyzing its flow through various data points
Traceback is crucial for understanding data origins and preventing misuse.
social engineering
Manipulation of individuals into divulging confidential information
Social engineering exploits human psychology rather than technical vulnerabilities.
pretexting
Creating a story that convinces an admin or operator into revealing secret info
Pretexting is a common tactic in social engineering attacks.
baiting
Offering a kind of ‘gift’ to get a user or agent to perform an insecure action
Baiting leverages curiosity to compromise security.
quid pro quo
Offering an action or service and then expecting something in return
Quid pro quo is another tactic used in social engineering.
man-in-the-middle (MitM) attack
an active attack where the attacker intercepts and can modify the communication between two parties.
MitM attacks can lead to data theft or manipulation.
denial of service attack
disrupts or degrades a data service or access to information by overwhelming the target system with excessive traffic or exploiting system weaknesses
Economy of mechanism
simplicity in design and implementation of security measures
Fail-safe defaults
default configuration of a system be a conservative protection scheme
Complete mediation
every access to a resource must be checked for compliance with a protection scheme
Open design
security architecture/design of a system should be made publicly available
Separation of privilege
multiple conditions should be required to achieve access to restricted resources or have a program perform some action
Least privilege
each program/user of a computer system should operate with the bare minimum privileges necessary to properly function
Least common mechanism
in systems with multiple users mechanisms allowing resources to be shared by more than one user should be minimized
Psychological acceptability
user interfaces should be well designed and intuitive, and all security-related settings should adhere to what an ordinary user might expect
Work factor
cost of circumventing a security measure should be compared with the resources of an attacker when designing a security scheme
Compromise recording
sometimes more desirable to record the details of an intrusion than to adopt more sophisticated measures to prevent it
Purpose of a BIOS password
prevent unauthorized users from modifying BIOS settings or booting the system. It blocks access to the second-stage boot loader, protecting against unauthorized OS changes, boot device modifications, or bypassing security controls
Describe how hibernation files can create vulnerabilities
when a computer enters hibernation it saves the entire system state (RAM contents) to a hibernation file (hiberfil.sys) on disk, which creates vulnerabilities by allowing possible access to passwords, encryption keys, or session data
setuid
when set on an executable file, it runs with the owner’s privileges, not the user’s
setgid
when set on an executable file, it runs with the group’s privileges. When set on a directory, new files inherit the directory’s group
Describe Linux sticky bit
used on directories to prevent users from deleting or renaming files they don’t own