Midterm Prep Flashcards
Weakness in an information system that could be exploited or triggered by a threat source.
Vulnerability
A circumstance or event that results in control of system services or functions by an unauthorized entity.
usurpation
An event involving the exposure of information to entities not authorized access to the information
Unauthorized disclosure
Inference of information from observable characteristics of data flow, even when the data is encrypted or otherwise not directly available.
Traffic analysis
Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
system integrity
A database that provides data of a statistical nature, such as counts and averages.
statistical database
A service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.
security service
A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.
security policy
A mechanism that is designed to detect, prevent, or recover from a security attack.
security mechanism
Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.
role-based access control
An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.
risk
Denial by one of the entities involved in a communication of having participated in all or part of the communication.
repudiation
An attack in which a service already authorized and completed is forged by another, duplicate request in an attempt to repeat authorized commands.
replay
Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
privacy
An attempt to learn or make use of information from the system that does not affect system resources.
passive attack
An attack initiated by an entity outside the security perimeter (an “outsider”)
outside attack
A management-oriented security standard that focuses on the OSI model and on networking and communications aspects of security.
OSI security architecture
Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.
non-repudiation
A major application, general support system, high impact program, physical plant, mission critical system, or a logically related group of systems.
asset
The degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes.
assurance
A threat that is carried out and, if successful, leads to an undesirable violation of security.
attack
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
authentication
The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.
Authenticity
The property of a system or a system resource being accessible and usable upon demand by an authorized system entity.
availability
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
confidentiality
An attack on system integrity. Malicious software in this context could operate in such a way that system resources or services function in an unintended manner. Or a user could gain unauthorized access to a system and modify some of its functions.
corruption
Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system.
countermeasure
The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Data confidentiality
The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.
data integrity
The prevention of authorized access to resources or the delaying of time-critical operations.
denial of service.
A threat to availability or system integrity
disruption
The conversion of plaintext or data into unintelligible form by means of a reversible translation, based on a translation table or algorithm
encryption
The process of examining a computer product or system with respect to certain criteria.
evaluation
Can be deliberate, as when an insider intentionally releases sensitive information, such as credit card numbers, to an outsider. It can also be the result of a human, hardware, or software error, which results in an entity gaining unauthorized knowledge of sensitive data.
exposure
The altering or replacing of valid data or the introduction of false data into a file or database.
falsification
An attack on system availability. This could occur as a result of physical destruction of or damage to system hardware. More typically, malicious software, such as Trojan horses, viruses, or worms, could operate in such a way as to disable a system or some of its services.
incapacitation
A threat action whereby an unauthorized entity indirectly accesses sensitive data by reasoning from characteristics or byproducts of data to which the entity does have access.
inference
An attack initiated by an entity inside the security perimeter. The insider is authorized to access system resources but uses them in a way not approved by those who granted the authorization.
inside attack
A term that covers the related concepts of data integrity and system integrity.
integrity
A threat action whereby an unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.
interception
A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system without having authorization to do so.
intrusion
This is the principle that access control should be implemented so that each system entity is granted the minimum system resources and authorizations that the entity needs to do its work. This principle tends to limit damage that can be caused by an accident, error, or fraudulent or unauthorized act.
least privilege
A type of attack in which one system entity illegitimately poses as another entity.
masquerade
A threat action whereby an entity assumes unauthorized logical or physical control of a system resource.
misappropriation
A threat action that causes a system component to perform a function or service that is detrimental to system security
misuse.
The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities.
Access control
An attempt to alter system resources or affect their operation.
Active attack
An entity that attacks, or is a threat to, a system
adversary
What is computer security?
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
What are the four categories of Active Attack?
Replay
masquerade
Modification of messages
Denial of service
What are the two types of Passive Attack?
Release of message contents
Traffic analysis
What is the difference between passive and active security threat?
Passive attack is to learn or make use of information from the system that does not affect system resources, and Active attack is to alter system resources or affect their operation.
Passive Attack Category:
Release of message contents
An adversary is trying to read but not alter message contents sent from a sender to a receiver.
Passive Attack Category:
Traffic analysis
The opponent monitors the traffic from a system without altering any information.
Active Attack Category:
Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
Replay
Active Attack Category:
Takes place when one entity pretends to be a different entity.
Masquerade
Active Attack Category:
Simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.
Modification of messages
Active Attack Category:
Prevents or inhibits the normal use or management of communication facilities.
Denial of service
What are the security design principles?
Economy of mechanism
Fail-safe defaults
Complete mediation
Open design
Separation of privilege
Least privilege
Least common mechanism
Psychological acceptability
Isolation
Encapsulation
Modularity
Layering
Least astonishment
______ __ _____ means that the design of security measures embodied in both hardware and software should be as simple and small as possible.
Economy of mechanism
____-____ _____ means that access decisions should be based on permission rather than exclusion.
Fail-safe default
______ _____ means that every access must be checked against the access control mechanism.
Complete mediation
_____ _____ means that the design of a security mechanism should be open rather than secret.
Open design
______ __ _____ is defined as a practice in which multiple privilege attributes are required to achieve access to a restricted resource.
Separation of privilege
____ _____ means that every process and every user of the system should operate using the least set of privileges necessary to perform the task.
Least privilege
____ _____ _____ means that the design should minimize the functions shared by different users, providing mutual security.
Least common mechanism
________ _______ implies that the security mechanisms should not interfere unduly with the work of users, while at the same time meeting the needs of those who authorize access.
Psychological acceptability
______ is a principle that applies in three contexts: public access systems, files of individual users, and finally security mechanisms.
Isolation
_______ can be viewed as a specific form of isolation based on object-oriented functionality.
Encapsulation
_______ refers both to the development of security functions as separate, protected modules and to the use of a _____ architecture for mechanism design and implementation.
Modularity, modular
_____ refers to the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems.
Layering
_____ ______ means that a program or user interface should always respond in the way that is least likely to astonish the user.
Least astonishment
An ____ ____ consists of the reachable and exploitable vulnerabilities in a system.
attack surface
What are the three categories of attack surfaces?
network attack surface
software attack surface
human attack surface
This category refers to vulnerabilities over an enterprise network, WAN, or the internet
network attack surface
This refers to vulnerabilities in application, utility, or operating system code.
Software attack surface
This category refers to vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders
Human attack surface
An _____ ____ is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities.
attack tree
Explain the difference between an attack surface and an attack tree.
An attack surface is the actual reachable vulnerabilities in a system, and an attack tree is a list of potential techniques for exploiting vulnerabilities.