SB 3: Security Basics Flashcards
Briefly explain confidentiality in security and give examples of mechanisms that support it
The concealment of information or resources. Indicates that data exists. It is possible to conceal the existence of data as well albeit more expensive and difficult.
Mechanisms: access control mechanisms, i.e. cryptography.
Briefly explain integrity in security and give examples of mechanisms that support it
The trustworthiness of data or resources. Ensuring that data is accurate and has not been tampered with. Preventing unauthorized or improper change of data.
Data integrity: the content of the information
Origin integrity: the source of the data (aka authentication)
Mechanisms:
1. prevention - blocking unauthorized change
2. detection - reports integrity violations by analyzing events or data
Evaluation can be difficult as you have to rely on assumptions about trustworthiness.
Briefly explain availability in security
The ability to use information or resources.
What are four broad classes of threats?
Disclosure: unauthorized access to information
Usurpation: unauthorized control of (some parts) of a system
Deception: acceptance of false data
Disruption: interruption or prevention of correct operation
Give examples of common attacks and “CIA” services that can help counter them
Snooping/eavesdropping: unauthorized interception. A passive attack. Passive wiretapping. Counter: Confidentiality services
Modification/alteration: unauthorized change. Active attack. Active wiretapping. Man-in-the-Middle attack. Counter: integrity services
Masquerading/spoofing: impersonation of an entity. Passive or active. Counter: integrity services.
Repudiation of origin: a false denial that an entity sent (or created) something. Counter: integrity services.
Denial of receipt: a false denial that an entity received something. Counter: integrity and availability services.
Delay: a temporary inhibition of a service. Counter: availability services.
Denial of Service: long-term inhibition of a service. Can be due to an attack or disruptions unrelated to security. Counter: availability services.
What is the difference between a security policy and a security mechanism?
A policy is a (set) of statements about what is or is not allowed. It also describes secure and non-secure states.
A mechanism is used to enforce a policy, like preventing disallowed actions to be performed
What is a measure for trust and ways of measuring it?
Called assurance, consists of a number of steps that can give some proof of the systems trustworthiness.
- Specification: statement of the desired functioning of the system
- Design: translates the specification into components that will implement them. Satisfies the specification if the design is not allowed to violate them.
- Implementation: proving a system satisfies the design. Proof of correctness.
If done properly –> minimizes problems and difficulties
What are the two assumptions policies always make?
- It correctly and unambiguously partitions system states into secure and non-secure states.
- Security mechanisms prevent the system from entering a non-secure state.
What assumptions are required to trust that mechanisms work?
- each implement part of the policy
- the union implements all aspects of the policy
- tamper-proof
- implemented, installed and administered correctly.