Midterm Prep

Question 1

Weakness in an information system that could be exploited or triggered by a threat source.

Answer 1

Vulnerablility

Question 2

A circumstance or event or event that results in control of system services or functions by an unauthorized entity.

Answer 2

usurpation

Question 3

An event involving the exposure of information to entities not authorized access to the information

Answer 3

Unauthorized disclosure

Question 4

Inference of information from observable characteristics of data flow, even when the data is encrypted or otherwise not directly available.

Answer 4

Traffic analysis

Question 5

Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

Answer 5

system integrity

Question 6

A database that provides data of a statistical nature, such as counts and averages.

Answer 6

statistical database

Question 7

A service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

Answer 7

security service

Question 8

A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

Answer 8

security policy

Question 9

A mechanism that is designed to detect, prevent, or recover from a security attack.

Answer 9

security mechanism

Question 10

Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.

Answer 10

role-based access control

Question 11

An exception of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.

Answer 11

risk

Question 12

Denial by one of the entities involved in a communication of having participated in all or part of the communication.

Answer 12

repudiation

Question 13

An attack in which a service already authorized and completed is forged by another, duplicate request in an attempt to repeat authorized commands.

Answer 13

replay

Question 14

Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.

Answer 14

privacy

Question 15

An attempt to learn or make use of information from the system that does not affect system resources.

Answer 15

passive attack

Question 16

An attack initiated by an entity outside the security perimeter (an “outsider”)

Answer 16

outside attack

Question 17

A management-oriented security standard that focuses on the OSI model and on networking and communications aspects of security.

Answer 17

OSI security architecture

Question 18

Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the senders identity, so neither can later deny having processed the information.

Answer 18

non-repudiation

Question 19

A major application, general support system, high impact program, physical plant, mission critical system, or a logically related group of systems.

Answer 19

asset

Question 20

The degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes.

Answer 20

assurance

Question 21

A threat that is carried out and if successful, leads to an undesirable violation of security

Answer 21

attack

Question 22

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Answer 22

authentication

Question 23

The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.

Answer 23

Authenticity

Question 24

The property of a system or a system or a system resource being accessible and usable upon demand by and authorized system entity.

Answer 24

availability

Question 25

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Answer 25

confidentiality

Question 26

An attack on system on system integrity. Malicious software in this context could operate in such a way that system resources or services function in an unintended manner. Or a user could gain unauthorized access to a system and modify some of its functions

Answer 26

corruption

Question 27

Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of information system.

Answer 27

countermeasure

Question 28

The property that information is not made available or disclosed to unauthorized individuals, entities, or processes

Answer 28

Data confidentiality

Question 29

The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.

Answer 29

data integrity

Question 30

The prevention of authorized access to resources or the delaying of time-critical operations.

Answer 30

denial of service.

Question 31

A threat to availability or system integrity

Answer 31

disruption

Question 32

The conversion of plaintext or data into unintelligible form by means of a reversible translation, based on a translation table or algorithm

Answer 32

encryption

Question 33

The process of examining a computer product or system with respect to certain criteria.

Answer 33

evaluation

Question 34

Can be deliberate, as when an insider intentionally releases sensitive information, such as credit card numbers, to an outsider. It can also be the result of a human, hardware, or software error, which results in an entity gaining unauthorized knowledge of sensitive data.

Answer 34

exposure

Question 35

The altering or replacing of valid data or the introduction of false data into a file or database.

Answer 35

falsification

Question 36

An attack on system availability. This could occur as a result of physical destruction of or damage to system hardware. More typically, malicious software, such as Trojan horses, viruses, or worms, could operate in such a way as to disable a system or some if its services.

Answer 36

incapacitation

Question 37

A threat action whereby an unauthorized entity indirectly accesses sensitive data by reasoning from characteristics or byproducts of data to which the entity does have access.

Answer 37

inference

Question 38

An attack initiated by an entity inside the security perimeter. The insider is authorized to access system resources but uses them in a way not approved by those who granted the authorization.

Answer 38

inside attack

Question 39

A term that covers the related concepts of data integrity and system integrity.

Answer 39

integrity

Question 40

A threat action whereby an unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.

Answer 40

interception

Question 41

A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system without having authorization to do so.

Answer 41

intrusion

Question 42

This is the principle that access control should implemented so that each system entity is granted the minimum system resources and authorizations the the entity needs to do its work. This principle tends to limit damage that can be caused by an accident, error, or fraudulent or unauthorized act.

Answer 42

least privilege

Question 43

A type of attack in which one system entity illegitimately poses as another entity.

Answer 43

masquerade

Question 44

A threat action whereby an entity assumes unauthorized logical or physical control of a system resource.

Answer 44

misappropriation

Question 45

A threat action that causes a system component to perform a function or service that is detrimental to system security

Answer 45

misuse.

Question 46

The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities.

Answer 46

Access control

Question 47

An attempt to alter system resources or affect their operation.

Answer 47

Active attack

Question 48

An entity that attacks, or is a threat to, a system

Answer 48

adversary

Question 49

What is computer security

Answer 49

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/ data, and telecommunications)

Question 50

What are the four categories of Active Attack?

Answer 50

Replay
masquerade
Modification of messages
Denial of service

Question 51

What are the two types of Passive Attack?

Answer 51

Release of message contents

Traffic analysis

Question 52

What is the difference between passive and active security threat?

Answer 52

Passive attack is to learn or make use of information from the system that does not affect system resources, and Active attack is to alter system resources or affect their operation.

Question 53

Passive Attack Category:

Release of message contents

Answer 53

An advesary is trying to read but not alter messages contents sent from a sender and rcvr.

Question 54

Passive Attack Category:

Traffic analysis

Answer 54

The opponent monitors the traffic from a system without altering any information.

Question 55

Active Attack Category:

Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Answer 55

Replay

Question 56

Active Attack Category:

Takes place when one entity pretends to be a different entity.

Answer 56

Masquerade

Question 57

Active Attack Category:
Simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.

Answer 57

Modification of messages

Question 58

Active Attack Category:

Prevents or inhibits the normal use or management of communication facilities.

Answer 58

Denial of service

Question 59

What are the security design principles?

Answer 59

Economy of mechanism
Fail-safe defaults 
Complete mediation 
Open design 
Separation of privilege
Least privilege 
Least common mechanism
Psychological acceptability 
Isolation 
Encapsulation 
Modularity 
Layering
Least astonishment

Question 60

______ __ _____ means that the design of security measures embodied in both hardware and software should be as simple and small as possible.

Answer 60

Economy of mechanism

Question 61

____-____ _____ means that access decisions should be based on permission rather than exclusion.

Answer 61

Fail-safe default

Question 62

______ _____ means that every access must be checked against the access control mechanism.

Answer 62

Complete mediation

Question 63

_____ _____ means that the design of a security mechanism should be open rather that secret.

Answer 63

Open design

Question 64

______ __ _____ is defined as a practice in which multiple privilege attributes are required to achieve access to a restricted resource

Answer 64

Separation of privilege

Question 65

____ _____ means that every process and every user of the system should operate using the lease set of privileges necessary to perform the task.

Answer 65

Least privilege

Question 66

____ _____ _____ means that the design should minimize the functions shared by different users, providing mutual security.

Answer 66

Least common mechanism

Question 67

________ _______ implies that the security mechanisms should not interfere unduly with the work of users, while at the same time meeting the needs of those who authorize access.

Answer 67

Psychological acceptability

Question 68

______ is a principle that applies in three contexts. Public access systems, files of individual users, and finally security mechanisms.

Answer 68

Isolation

Question 69

_______ can be viewed as a specific from of isolation based on object-oriented functionality.

Answer 69

Encapsulation

Question 70

_______ refers both to the development of security functions as separate, protected modules and to the use of a _____ architecture for mechanisms design and implementations.

Answer 70

Modularity, modular

Question 71

_____ refers to the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems.

Answer 71

Layering

Question 72

_____ ______ means that a program or user interface should always respond in the way that is least likely to astonish the user.

Answer 72

Least astonishment

Question 73

An ____ ____ consists of the reachable and exploitable vulnerabilities in a system.

Answer 73

attack surface

Question 74

What are attack surfaces three categories?

Answer 74

network attack surface
software attack surface
human attack surface

Question 75

This category refers to vulnerabilities over an enterprise network, WAN, or the internet

Answer 75

network attack surface

Question 76

This refers to vulnerabilities in application, utility, or operating system code.

Answer 76

Software attack surface

Question 77

This category refers to vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders

Answer 77

Human attack surface

Question 78

An _____ ____ is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities.

Answer 78

attack tree

Question 79

Explain the difference between an attack surface and an attack tree.

Answer 79

an attack surface is actual reachable vulnerabilities in a system, and an attack tree is a list of potential techniques of exploiting vulnerabilities.