SB 3: Security Basics Flashcards

1
Q

Briefly explain confidentiality in security and give examples of mechanisms that support it

A

The concealment of information or resources. Usually only the content is hidden and the existence of the data is known; concealing the existence itself is also possible, but more expensive and difficult.
Mechanisms: access control mechanisms, e.g. cryptography (encryption makes data unreadable to anyone without the key) and the system access controls that protect the keys and the data.

2
Q

Briefly explain integrity in security and give examples of mechanisms that support it

A

The trustworthiness of data or resources: the data is accurate and has not been changed in an unauthorized or improper way.
Data integrity: the content of the information.
Origin integrity: the source of the data (often called authentication).
Mechanisms:
1. prevention - blocking unauthorized changes (or authorized users changing data in unauthorized ways)
2. detection - reporting that integrity has been violated, by analyzing system events or the data itself
Evaluating integrity is harder than evaluating confidentiality because it relies on assumptions about the trustworthiness of the source and about how well the data was protected before it arrived.

3
Q

Briefly explain availability in security

A

The ability to use information or resources when they are needed. Attempts to block availability are called denial of service.

4
Q

What are four broad classes of threats?

A

Disclosure: unauthorized access to information
Usurpation: unauthorized control of some part of a system
Deception: acceptance of false data
Disruption: interruption or prevention of correct operation

5
Q

Give examples of common attacks and “CIA” services that can help counter them

A

Snooping/eavesdropping: unauthorized interception of information. A passive attack, e.g. passive wiretapping. Counter: confidentiality services.
Modification/alteration: unauthorized change of information. An active attack, e.g. active wiretapping or a man-in-the-middle attack. Counter: integrity services.
Masquerading/spoofing: impersonation of an entity by another. Can be passive or active. Counter: integrity services (authentication).
Repudiation of origin: a false denial that an entity sent (or created) something. Counter: integrity services.
Denial of receipt: a false denial that an entity received something. Counter: integrity and availability services.
Delay: a temporary inhibition of a service. Counter: availability services.
Denial of service: long-term inhibition of a service. Can be caused by an attack or by disruptions unrelated to security. Counter: availability services.
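As an added example (not part of the original flashcards), the following Python shows the detection-style integrity mechanism from card 2 countering two of the attacks listed in card 5. It uses only the standard library's HMAC-SHA256; the shared key and the message contents are constructed for the example, and the key is assumed to have been exchanged securely out of band.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a key shared between sender and receiver
# (assumption: exchanged securely out of band). Never hard-code a real key.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def tag_message(key: bytes, message: bytes) -> bytes:
    """Integrity tag: HMAC-SHA256 over the message, keyed with the shared secret.
    Binds both the content (data integrity) and the key holder (origin integrity)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Detection mechanism: recompute the tag and compare in constant time.
    This does not prevent tampering; it reports it so the receiver can reject."""
    return hmac.compare_digest(tag_message(key, message), tag)


def run_scenarios() -> dict:
    """Attacks from card 5 against one tagged message; True means 'verified'."""
    message = b"transfer 100 to account 42"
    tag = tag_message(SHARED_KEY, message)
    results = {}

    # No attack: the tag verifies.
    results["untouched"] = verify(SHARED_KEY, message, tag)

    # Modification (active wiretapping / man-in-the-middle): the payload is
    # altered in transit and the original tag is left as is, so the receiver's
    # recomputed tag no longer matches.
    results["modified"] = verify(SHARED_KEY, b"transfer 900 to account 42", tag)

    # Masquerading/spoofing: an attacker without the shared key forges a message
    # and tags it with a key of their own choosing (constructed here at random).
    forged = b"transfer 900 to account 99"
    attacker_key = secrets.token_bytes(32)
    results["spoofed"] = verify(SHARED_KEY, forged, tag_message(attacker_key, forged))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:10s} verified={outcome}")
```

Two caveats the cards imply but do not spell out: the MAC gives no confidentiality, so snooping still succeeds on the plaintext and needs encryption separately; and because both parties hold the same key, an HMAC cannot counter repudiation of origin (either side could have produced the tag), which is why that row of card 5 needs an integrity service such as a digital signature instead.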

6
Q

What is the difference between a security policy and a security mechanism?

A

A policy is a statement (or set of statements) of what is and is not allowed; it thereby partitions the system's states into secure and non-secure ones.
A mechanism is a method, tool or procedure for enforcing a policy, e.g. preventing a disallowed action from being performed, or detecting that it was performed.

7
Q

What is a measure for trust and ways of measuring it?

A

Assurance: the degree of confidence that a system meets its security requirements, built up through steps that provide evidence of the system's trustworthiness:
- Specification: a statement of the desired functioning of the system (what it should and should not do)
- Design: translates the specification into components that will implement it. A design satisfies the specification if, under all relevant circumstances, it never lets the system violate the specification.
- Implementation: the program or system built from the design. It satisfies the design if it behaves as the design says; a proof of correctness shows this formally.
Done properly, these steps minimize problems and difficulties later.

8
Q

What are the two assumptions policies always make?

A

1. It correctly and unambiguously partitions system states into secure and non-secure states.
2. Security mechanisms prevent the system from entering a non-secure state.

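As an added example (not part of the original flashcards), the following Python makes the policy/mechanism distinction of card 6 and the two assumptions of card 8 concrete on a constructed toy system. The policy is a predicate that partitions states into secure and non-secure; the mechanism refuses transitions into non-secure states. It also shows why a mechanism must cover every transition that can change the relevant state: a mechanism that guards only `grant_read` and not `relabel` lets the system reach a non-secure state, which is the "union implements all aspects of the policy" assumption from card 9 failing. File names, user names and the "public"/"secret" labels are illustrative only.

```python
from dataclasses import dataclass, field


# Constructed toy system for this example. A state is: each file's label, the set
# of privileged users, and the set of (user, file) read grants currently held.
@dataclass
class State:
    labels: dict                                # file -> "public" or "secret"
    privileged: set                             # users cleared to read secret files
    grants: set = field(default_factory=set)    # (user, file) pairs


def is_secure(state: State) -> bool:
    """The policy, written as a predicate that partitions states (card 8, point 1):
    a state is secure iff no unprivileged user holds a read grant on a secret file."""
    return all(
        user in state.privileged
        for user, f in state.grants
        if state.labels[f] == "secret"
    )


# Two transitions the system offers. Each returns the would-be next state
# without touching the current one, so the mechanism can inspect it first.
def grant_read(state: State, user: str, f: str) -> State:
    return State(dict(state.labels), set(state.privileged), state.grants | {(user, f)})


def relabel(state: State, f: str, label: str) -> State:
    labels = dict(state.labels)
    labels[f] = label
    return State(labels, set(state.privileged), set(state.grants))


TRANSITIONS = {"grant_read": grant_read, "relabel": relabel}


class Mechanism:
    """Enforces the policy by refusing any guarded transition whose result is a
    non-secure state (card 8, point 2). `guarded` names the transitions it checks;
    an unguarded transition is applied blindly."""

    def __init__(self, state: State, guarded: set):
        self.state = state
        self.guarded = guarded

    def apply(self, name: str, *args) -> bool:
        candidate = TRANSITIONS[name](self.state, *args)
        if name in self.guarded and not is_secure(candidate):
            return False            # blocked: prevention
        self.state = candidate
        return True


def run(guarded: set) -> bool:
    """Grant an unprivileged user a public file, then try to make that file secret.
    Returns whether the system is still in a secure state afterwards."""
    m = Mechanism(State({"report.txt": "public"}, {"root"}), guarded)
    m.apply("grant_read", "mallory", "report.txt")   # public file: allowed either way
    m.apply("relabel", "report.txt", "secret")       # would leave mallory reading a secret
    return is_secure(m.state)


if __name__ == "__main__":
    print("guard grant_read only  ->", "secure" if run({"grant_read"}) else "NON-SECURE")
    print("guard both transitions ->", "secure" if run({"grant_read", "relabel"}) else "NON-SECURE")
```

The partial mechanism ends in a non-secure state even though every transition it checked was allowed correctly; the gap is the unchecked transition, not a bug in the check. That is the practical content of the card 9 assumptions: each mechanism may be right on its own and the system still insecure if their union does not cover the policy.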
9
Q

What assumptions are required to trust that mechanisms work?

A

1. each mechanism implements part of the policy
2. the union of the mechanisms implements all aspects of the policy
3. the mechanisms are tamper-proof
4. the mechanisms are implemented, installed and administered correctly