Types of Security Requirements Flashcards

1
Q

Core Security Requirements

A

Confidentiality, Integrity, Availability, Authentication, Authorization, Accountability

2
Q

General Security Requirements

A

Session Management, Error/Exceptions Management, Configuration Parameters Management

3
Q

Operational Security Requirements

A

Deployment environment, Archiving, Anti-piracy

4
Q

Other Security Requirements

A

Sequencing & Timing, International, Procurement

5
Q

Confidentiality Requirements

A

address protection against the unauthorized disclosure of data or information that is private or sensitive.

6
Q

Data classification

A

public (e.g. directory information that may be freely disclosed) and non-public (requires confidentiality protection).

7
Q

Confidentiality controls

A

secret writing (overt or covert), and masking.

8
Q

Secret writing goal

A

to prevent the disclosure of information deemed secret; it uses either overt cryptographic mechanisms (encryption and hashing) or covert ones (steganography, digital watermarking, i.e. hiding the very existence of the information).

9
Q

Describe covert

A

Steganography is invisible writing (camouflaging the existence of a message, historically used in military espionage); digital watermarking embeds information in audio, video or images and is used for copyright protection and for deterring or preventing unauthorized copying of media.

10
Q

Masking

A

Masking is primarily used to protect against shoulder surfing attacks, in which someone looks over another person's shoulder and observes sensitive information (e.g. hiding a password as it is typed, or displaying only the last 4 digits of a credit card number).

11
Q

non-public data state

A

In transit (being transmitted), in processing (held in computer memory or on media while being processed), in storage (at rest).

12
Q

time bound confidentiality

A

some information may require protection only for a certain period of time (e.g. during a merger or acquisition, until the deal is public).

13
Q

Integrity requirements

A

address two primary areas of software security: reliability (the software behaves as designed) and protection/prevention against unauthorized modification of data or of system behaviour.

14
Q

Integrity refers to

A

system integrity and data integrity

15
Q

data integrity

A

information and programs can be changed only in a specified and authorized manner by authorized personnel.

16
Q

Example system integrity violation

A

SQL Injection that makes the software act or respond in a manner not originally designed.

17
Q

Integrity security controls

A

input validation, CRC and hashing. (A plain CRC or unkeyed hash only detects accidental change; against a deliberate attacker who can also replace the checksum, the hash itself must be protected, e.g. with an HMAC or a digital signature.)

18
Q

Input validation check

A

provides a high degree of protection against injection flaws and provides both system and data integrity.
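The SQL injection card above and this input validation card describe the same failure and its fix. The following Python program, added here as an example and not taken from the original deck, shows the vulnerable string-concatenated login query beside a hardened version that uses bound parameters plus allow-list validation. The in-memory SQLite table, the user records and the payload string are constructed for the demonstration; plaintext passwords are kept only so the injection stays visible.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table (not from the page). Real systems store a
    salted password hash, never the password itself."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # String concatenation: user input becomes part of the SQL grammar, so a
    # quote in the input terminates the literal and the rest is parsed as SQL.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


# Allow-list: lowercase alphanumerics/underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def login_hardened(conn, username: str, password: str) -> bool:
    # Defense in depth: reject anything that is not a plausible username.
    if not USERNAME_RE.fullmatch(username):
        return False
    # Primary control: bound parameters travel to the engine separately from
    # the statement text, so input can never change the query structure.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


# Classic payload: closes the string, adds an always-true OR, comments out the rest.
PAYLOAD = "x' OR '1'='1' --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, payload   :", login_vulnerable(db, PAYLOAD, "anything"))  # True
    print("hardened,   payload   :", login_hardened(db, PAYLOAD, "anything"))    # False
    print("hardened,   real creds:", login_hardened(db, "alice", "s3cret"))       # True
```

With the payload the concatenated query becomes `... WHERE username = 'x' OR '1'='1' --' AND password = 'anything'`, which SQLite happily evaluates as "every row", so the vulnerable login succeeds without a valid password; the parameterised query searches for a user literally named `x' OR '1'='1' --` and finds none.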

19
Q

CRC

A

useful for detecting accidental errors or changes made to data while it is transmitted; it is not a cryptographic control, because anyone who modifies the data can simply recompute the CRC.

20
Q

Hashing

A

mainly used for integrity assurance; it can also support confidentiality, e.g. storing a one-way hash of a password instead of the password itself.
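The three integrity-control cards (input validation, CRC, hashing) leave open the practical question of when a checksum actually stops an attacker. The program below is an added example, not part of the original deck: it runs a CRC-32, an unkeyed SHA-256 and an HMAC-SHA256 over a constructed transfer record and shows that the first two catch an accidental bit flip but are trivially forged by an attacker who can recompute them, while only the keyed HMAC rejects the tampered record. The record bytes and the server key are assumptions made for the demonstration.

```python
import hashlib
import hmac
import zlib

# Constructed sample record (not from the original page): a transfer an
# attacker would like to redirect to their own account.
ORIGINAL = b"transfer:from=acct-1001;to=acct-2002;amount=100.00"
TAMPERED = b"transfer:from=acct-1001;to=acct-6666;amount=100.00"

# Assumed server-side key; it never travels with the message.
SERVER_KEY = b"example-server-side-secret-key"


def crc32_ok(data: bytes, expected_crc: int) -> bool:
    """CRC-32 detects accidental corruption (bit flips, truncation) only."""
    return zlib.crc32(data) == expected_crc


def sha256_ok(data: bytes, expected_digest: bytes) -> bool:
    """An unkeyed hash is no better than a CRC when the attacker can also
    replace the digest that travels with the data."""
    return hashlib.sha256(data).digest() == expected_digest


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed hash: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_ok(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time so the comparison does not leak
    # the position of the first mismatching byte.
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> dict:
    results = {}

    # 1. A random single-bit error in transit: the CRC catches it.
    corrupted = bytearray(ORIGINAL)
    corrupted[10] ^= 0x01
    results["crc_detects_bit_flip"] = not crc32_ok(bytes(corrupted), zlib.crc32(ORIGINAL))

    # 2. A deliberate change where the attacker recomputes the CRC / hash and
    #    ships the new value alongside the modified record: both checks pass.
    results["crc_forged"] = crc32_ok(TAMPERED, zlib.crc32(TAMPERED))
    results["sha256_forged"] = sha256_ok(TAMPERED, hashlib.sha256(TAMPERED).digest())

    # 3. HMAC: the attacker has the record and the original tag but not the key.
    tag = hmac_tag(SERVER_KEY, ORIGINAL)
    results["hmac_accepts_original"] = hmac_ok(SERVER_KEY, ORIGINAL, tag)
    results["hmac_rejects_tampered_with_old_tag"] = not hmac_ok(SERVER_KEY, TAMPERED, tag)
    guessed_tag = hmac_tag(b"attacker-guess", TAMPERED)
    results["hmac_rejects_tampered_with_guessed_tag"] = not hmac_ok(SERVER_KEY, TAMPERED, guessed_tag)
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'OK' if passed else 'FAIL'}")
```

Every entry in the returned dictionary is True. The lesson for a requirement: "data is protected by a CRC" or "by a SHA-256 hash" is an integrity requirement against transmission errors; an integrity requirement against an adversary needs a key (HMAC) or a signature, and the key must not be reachable by whoever can modify the data.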

21
Q

Availability requirements

A

ensure protection against destruction of the software system and/or its data, thereby helping to prevent denial of service (DoS) to authorized users.

22
Q

MTD

A

Maximum Tolerable Downtime - the maximum amount of time that the software can be in a state of not providing its expected service before the business suffers unacceptable harm.

23
Q

RTO

A

Recovery Time Objective - the amount of time within which the system or software must be restored to the expected state of business operations for authorized business users (it must be shorter than the MTD).

24
Q

RPO

A

Recovery Point Objective - the maximum tolerable data or productivity loss when the system is disrupted or down, i.e. how far back in time the last recoverable state may be.

25
Q

BIA

A

Business Impact Analysis - determines the adverse impact that the unavailability of the software will have on business operations.

26
Q

Authentication requirements

A

verify and assure the legitimacy and validity of the identity (a person, a process, a hardware device) presenting its claims for verification.

27
Q

authentication credentials

A

different factors, or a combination of factors: knowledge (something you know), ownership (something you have) or characteristics (something you are).

28
Q

authentication forms

A

anonymous, basic, digest, integrated, client certificates, forms, token, smart cards, biometrics

29
Q

basic authentication

A

HTTP Basic - the client browser prompts the user for credentials and then sends username:password Base64-encoded (encoded, not encrypted) in the Authorization header with every request, so it is only acceptable over TLS.

30
Q

digest authentication

A

challenge/response mechanism - the server sends a nonce, the client replies with a message digest (hash value) computed over its credentials, the nonce and the request, and the server compares it with the digest it computes from what was previously established (the stored credentials); the password itself is never transmitted.
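To make the Basic and Digest cards concrete, the following Python program is an added example (not from the original deck) that builds and parses a Basic Authorization header, then implements both sides of an RFC 2617 Digest exchange without the `qop` extension: the client computes response = MD5(HA1:nonce:HA2), and the server, which stores only HA1 per user, issues a single-use nonce and recomputes the expected response. The realm, usernames and passwords are constructed for the demonstration. MD5 here is the algorithm the protocol specifies, not a recommendation; Digest protects the password on the wire but gives no confidentiality or integrity to the rest of the request, so TLS is still required.

```python
import base64
import hashlib
import secrets


# --- HTTP Basic ------------------------------------------------------------

def make_basic_header(username: str, password: str) -> str:
    """What the browser sends: 'Basic ' + base64('user:pass'). Encoding only,
    no encryption; anyone on the path can decode it, hence TLS is mandatory."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_header(header: str) -> tuple:
    """Server side: split on the first ':' only (RFC 7617 allows ':' in the password)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    username, _, password = base64.b64decode(token).decode().partition(":")
    return username, password


# --- HTTP Digest (RFC 2617, no 'qop', MD5) ---------------------------------

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """Client side: HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2). The password never leaves the client."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Server side: stores HA1 per user (established at enrollment), issues a
    fresh nonce per challenge and recomputes the expected response."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.live_nonces = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)      # unpredictable, single use
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response) -> bool:
        if nonce not in self.live_nonces:
            return False                   # unknown or already used: replay
        self.live_nonces.discard(nonce)
        ha1 = self.ha1.get(username)
        if ha1 is None:
            return False
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{ha2}")
        return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    print(parse_basic_header(make_basic_header("alice", "s3cret")))
    server = DigestServer("api", {"alice": "s3cret"})
    nonce = server.challenge()
    resp = digest_response("alice", "api", "s3cret", "GET", "/data", nonce)
    print("first use :", server.verify("alice", "GET", "/data", nonce, resp))   # True
    print("replayed  :", server.verify("alice", "GET", "/data", nonce, resp))   # False
```

Because HA2 binds the method and URI, a captured response cannot be reused for a different resource even before the nonce expires; because the server keeps HA1 rather than the password, a database leak exposes a realm-bound MD5 that is still cheap to brute-force, which is one reason Digest is rarely chosen for new systems.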

31
Q

integrated authentication

A

NT challenge/response (NTLM) authentication, implemented either as a standalone authentication mechanism or in conjunction with Kerberos authentication (Windows Integrated Authentication).

32
Q

client certificate-based authentication

A

validates the identity of the certificate holder (the client proves possession of the private key matching the certificate). The current standard for digital certificates is ITU-T X.509.

33
Q

forms authentication

A

users supply a username and password (typically in an HTML form) for authentication; because the credentials travel in the request, it is advisable to cryptographically protect the data being transmitted, in addition to using transport layer security (TLS, formerly SSL) or network layer security such as IPsec.

34
Q

OTP

A

One-time (dynamic) passwords (OTP) provide very strong authentication; OTP tokens (also known as key fobs) combine two factors, knowledge (something you know, e.g. a PIN) and ownership (something you have, the token).

35
Q

FIPS 201

A

The Personal Identity Verification (PIV) standard; it provides guidance that the enrollment data in systems implementing biometric-based authentication needs to be changed (re-enrolled) periodically.

36
Q

Biometric - Type I error

A

False Rejection error (measured as the False Rejection Rate, FRR): a valid, legitimate enrollee is denied (rejected) access.

37
Q

Biometric - Type II error

A

False Acceptance error (measured as the False Acceptance Rate, FAR): an impostor is granted (accepted) access. This is the security-relevant error.

38
Q

CER

A

Crossover Error Rate - the rate at the threshold where the false acceptance rate equals the false rejection rate; used for comparing different biometric devices and technologies (a lower CER means a more accurate device).
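The three biometric cards are easier to remember once you have computed the rates yourself. The Python program below is an added example, not from the original deck: it takes constructed matcher scores for genuine users and for impostors on two hypothetical devices, sweeps the acceptance threshold, computes FAR (Type II) and FRR (Type I) at each threshold, and reports the crossover. All score values are made up for the demonstration.

```python
# Constructed matcher scores on a 0..100 scale (higher = more similar to the
# enrolled template). Not real device data.
GENUINE = [82, 88, 91, 75, 95, 68, 84, 90, 79, 87]
IMPOSTOR_A = [40, 55, 62, 48, 71, 35, 58, 66, 52, 44]   # device A: good separation
IMPOSTOR_B = [50, 60, 70, 78, 85, 45, 65, 80, 55, 72]   # device B: impostors score higher


def far(threshold: int, impostor=IMPOSTOR_A) -> float:
    """Type II error rate: fraction of impostor attempts accepted (score >= threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: int, genuine=GENUINE) -> float:
    """Type I error rate: fraction of genuine attempts rejected (score < threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR_A) -> tuple:
    """Sweep integer thresholds and return (threshold, CER) at the point where
    |FAR - FRR| is smallest; CER is reported as the mean of the two rates."""
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


def tradeoff_table(impostor=IMPOSTOR_A, thresholds=(50, 60, 70, 80, 90)) -> list:
    """Show the security/usability trade-off: raising the threshold lowers FAR
    and raises FRR. Returns (threshold, FAR, FRR) rows."""
    return [(t, far(t, impostor), frr(t)) for t in thresholds]


if __name__ == "__main__":
    for t, a, r in tradeoff_table():
        print(f"threshold {t:3d}: FAR={a:.1f} FRR={r:.1f}")
    print("device A crossover:", crossover(GENUINE, IMPOSTOR_A))   # (69, 0.1)
    print("device B crossover:", crossover(GENUINE, IMPOSTOR_B))   # (79, 0.2)
```

Device A has the lower CER, so it is the more accurate of the two; but note that an operator deploying either device in a high-security setting would set the threshold above the crossover point, accepting more false rejections (Type I) to drive false acceptances (Type II) toward zero.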

39
Q

Authorization requirements

A

confirm that an authenticated entity (human, process, hardware) has the rights and privileges needed to access and perform actions on a requested resource.

40
Q

Subjects

A

entities (human user, system process) that are requesting access

41
Q

Objects

A

the items (files, records, services) that a subject acts upon.

42
Q

Actions

A

CRUD - Create, Read, Update or Delete data

43
Q

DAC

A

Discretionary Access Control - access to objects is restricted based on the identity of subjects and/or the groups they belong to; the owner of an object decides, at their discretion, who may access it.

44
Q

NDAC

A

Non-Discretionary Access Control - access rules are set centrally by policy rather than by the object owner, and are unavoidably imposed on all subjects.

45
Q

MAC

A

Mandatory Access Control - access to objects is restricted based on the sensitivity (represented by a label) of the information contained in the objects, compared against the clearance of the subject. Every object must have a sensitivity label. It is based on multilevel security requirements.

46
Q

RBAC

A

Role-Based Access Control - roles are defined by job function and used for authorization decisions. Roles define the trust level of entities to perform desired operations. Subjects are assigned roles, and permissions on resources are mapped to roles rather than to individual subjects.

47
Q

Resource-BAC

A

Resource-Based Access Control - useful in distributed, multi-tiered architectures, including service-oriented architectures, where the end users are not known to the downstream resource.

48
Q

RBAC Separation of duties

A

no individual may be assigned two roles that are mutually exclusive in the operations they permit (e.g. the role that creates a payment and the role that approves it).
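The RBAC and separation-of-duties cards describe a data model that is short enough to implement. The following Python class is an added example, not from the original deck or any particular product: permissions are attached to roles, subjects are assigned roles, and assigning a role that conflicts with one the subject already holds is refused. The roles, users and the payment workflow are constructed for the demonstration.

```python
class RoleBasedAccessControl:
    """Minimal RBAC with static separation of duties (constructed example)."""

    def __init__(self):
        self.role_permissions = {}    # role -> {(action, object)}
        self.user_roles = {}          # user -> {role}
        self.exclusive_pairs = set()  # {frozenset({role_a, role_b})}

    def grant(self, role: str, action: str, obj: str) -> None:
        """Permissions attach to roles, never directly to users."""
        self.role_permissions.setdefault(role, set()).add((action, obj))

    def declare_mutually_exclusive(self, role_a: str, role_b: str) -> None:
        self.exclusive_pairs.add(frozenset({role_a, role_b}))

    def can_assign(self, user: str, role: str) -> bool:
        """Static SoD check: the new role must not conflict with any held role."""
        return all(frozenset({held, role}) not in self.exclusive_pairs
                   for held in self.user_roles.get(user, set()))

    def assign(self, user: str, role: str) -> None:
        if not self.can_assign(user, role):
            raise ValueError(f"{user} cannot hold {role}: separation of duties")
        self.user_roles.setdefault(user, set()).add(role)

    def authorize(self, user: str, action: str, obj: str) -> bool:
        """Decision: allowed if any role the user holds carries the permission."""
        return any((action, obj) in self.role_permissions.get(role, set())
                   for role in self.user_roles.get(user, set()))


def build_demo() -> RoleBasedAccessControl:
    """Constructed payment workflow: clerks create, approvers approve, auditors read."""
    ac = RoleBasedAccessControl()
    ac.grant("clerk", "create", "payment")
    ac.grant("approver", "update", "payment")   # approval is an update of the status
    ac.grant("auditor", "read", "payment")
    ac.declare_mutually_exclusive("clerk", "approver")
    ac.assign("alice", "clerk")
    ac.assign("bob", "approver")
    ac.assign("carol", "auditor")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print("alice create payment:", ac.authorize("alice", "create", "payment"))  # True
    print("alice update payment:", ac.authorize("alice", "update", "payment"))  # False
    print("alice may become approver:", ac.can_assign("alice", "approver"))      # False
```

Note that the check in `assign` is static separation of duties (a user can never hold both roles). Dynamic separation of duties, where a user may hold both roles but not exercise them on the same payment, needs per-object state and is not shown here.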

49
Q

RBAC benefit

A

Simplified administration of subject and object access rights; the ability to represent the organizational structure; enforcing enterprise compliance with control policies more easily and effectively.

50
Q

Impersonation and Delegation Model

A

Resource-BAC: allowing a secondary entity to act on one's behalf is the principle of delegation. Kerberos uses the delegation and impersonation model: upon successful authentication the user is granted a Kerberos ticket, and that ticket carries the delegated privileges and rights (sets of permissions) used to invoke services downstream.

51
Q

Trusted Subsystem Model

A

Resource-BAC: access decisions are made based on the identity of a trusted resource (e.g. the middle-tier service account) instead of the identities of individual users.

52
Q

Accountability Requirements

A

assist in building a historical record of user actions. Auditing requirements not only support forensic investigations as a detective control, but are also useful for troubleshooting errors and exceptions.

53
Q

General Requirements, Session Management Requirements

A

ensure that once a session is established, it remains in a state that will not compromise the security of the software.

54
Q

Session management requirements

A

assure that sessions are not vulnerable to brute-force guessing, predictability of the session identifier, or hijacking through man-in-the-middle attempts.

55
Q

General Requirements, Errors & Exception Management Requirements

A

ensure that errors and exceptions are explicitly addressed.

56
Q

Errors & exceptions

A

potential sources of information disclosure: verbose error messages and unhandled exception reports can divulge internal application architecture, design and configuration information.

57
Q

Controls against improper error or exception management

A

Laconic error messages (a fixed, generic message to the user, with the details logged server-side) and structured exception handling are examples of good security design features that thwart the threats posed by error and exception leakage.
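As an added example of the two error-management cards (not from the original deck), the Python program below contrasts a handler that returns the raw traceback to the client with one that logs the full exception server-side under a reference id and returns only a generic message. The failing `lookup_order` handler and its connection string are constructed to mimic the kind of driver error that carries internal hostnames and credentials.

```python
import logging
import traceback
import uuid

logger = logging.getLogger("app")


def lookup_order(order_id: str) -> dict:
    """Constructed failing handler (not from the page): a driver error whose
    message embeds the connection string, as real ones frequently do."""
    raise ConnectionError(
        "could not connect to postgres://svc_orders:Pa55w0rd@db-internal:5432/orders")


def respond_verbose(handler, *args) -> tuple:
    """Anti-pattern: the stack trace, file paths and exception text go to the client."""
    try:
        return 200, handler(*args)
    except Exception:
        return 500, traceback.format_exc()


def respond_laconic(handler, *args) -> tuple:
    """Structured handling: full detail to the server log under a reference id;
    a fixed generic message (plus the id for support) to the client."""
    try:
        return 200, handler(*args)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        logger.exception("request failed, ref=%s", ref)   # traceback goes here
        return 500, f"An internal error occurred. Reference: {ref}"


def leaks_internals(body: str) -> bool:
    """Crude check used by a test or a WAF rule: does the response body carry
    traces of the internals?"""
    markers = ("Traceback", "postgres://", "Pa55w0rd", "db-internal", ".py")
    return any(m in body for m in markers)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    status, body = respond_verbose(lookup_order, "42")
    print(status, "leaks:", leaks_internals(body))    # 500 leaks: True
    status, body = respond_laconic(lookup_order, "42")
    print(status, "leaks:", leaks_internals(body))    # 500 leaks: False
    print(body)
```

The reference id is what makes the laconic message usable: support staff can find the full record in the log, while the client learns nothing about the database host, the driver or the code layout.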

58
Q

General Requirements, Configuration Parameters Management Requirements

A

the configuration parameters that make up the software (e.g. connection strings, credentials, keys, file paths) need protection against attackers; these parameters and the code usually need to be initialized before the software can run, so how they are stored, loaded and who may change them must be specified.

59
Q

Operational Requirements

A

requirements that affect the efficient operation of the software itself, such as deployment environment, archiving and anti-piracy.

60
Q

Other requirements

A

Sequencing & Timing, International, Procurement

61
Q

Operational Requirements identify

A

the capabilities and dependencies the software needs in order to serve the business with its intended functionality (a Concept of Operations, CONOPS, is a good starting point).

62
Q

Deployment Environment Requirements

A

identify and capture pertinent requirements about the environment: which ports and protocols are available, whether the software is deployed in an Internet, extranet or intranet environment, whether it needs to support single sign-on (SSO) authentication, …

63
Q

Deployment Environment Requirements Importance

A

Identifying and capturing the constraints, restrictions and requirements of the environment in which the software is expected to operate alleviates deployment challenges later.

64
Q

Archiving Requirements

A

data is maintained either as a means of business continuity or to comply with a regulatory requirement or organizational policy.

65
Q

Archiving information

A

determine location, duration and format. Questions to ask: where will the data be stored, how much space is needed, how to ensure the media is not re-writable, how fast must it be retrievable, …

66
Q

Anti-Piracy Requirements

A

Code obfuscation, code signing, anti-tampering, licensing and IP protection mechanisms should be included as part of the requirements documentation especially

67
Q

Sequencing and Timing Requirements

A

concern design flaws in software that can lead to what are commonly known as race conditions or time-of-check/time-of-use (TOC/TOU, TOCTOU) attacks, e.g. an undesirable sequence of events, infinite loops, and multiple unsynchronized threads executing simultaneously within a process.
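The TOC/TOU flaw is easiest to see with a file. The Python program below is an added example, not from the original deck: the vulnerable function checks a path name and then opens the same name again, and a hook stands in for the attacker's window between the two steps; the safe function opens once, then checks the object it actually opened with `fstat` on the descriptor, and uses `O_NOFOLLOW` so a symlink swap fails at open time. The temporary files, the "secret" content and the swap are constructed for the demonstration, and the example assumes a POSIX system where symlinks and `O_NOFOLLOW` are available.

```python
import os
import stat
import tempfile


def read_checked_racy(path: str, attacker_window=lambda: None) -> bytes:
    """Vulnerable pattern: check a *name*, then open the same *name* again.
    `attacker_window` stands in for the interval between check and use."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError("refusing non-regular file")
    attacker_window()                    # the name may now point elsewhere
    with open(path, "rb") as f:          # second lookup of the name
        return f.read()


def read_checked_safe(path: str) -> bytes:
    """Open once, then check the object you actually opened (fstat on the fd).
    O_NOFOLLOW makes the open itself fail with ELOOP on a symlink (POSIX)."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("refusing non-regular file")
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a harmless upload is replaced by a symlink to a
    secret file between the check and the use."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        upload = os.path.join(d, "upload.txt")
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        with open(upload, "wb") as f:
            f.write(b"harmless")

        def swap():
            os.remove(upload)
            os.symlink(secret, upload)

        leaked = read_checked_racy(upload, attacker_window=swap)
        try:
            read_checked_safe(upload)    # upload is now the symlink
            blocked = False
        except OSError:                  # ELOOP from O_NOFOLLOW, or PermissionError
            blocked = True
        return {"racy_leaked_secret": leaked == b"SECRET", "safe_blocked": blocked}


if __name__ == "__main__":
    print(demo())   # {'racy_leaked_secret': True, 'safe_blocked': True}
```

In real code the attacker's window is a scheduler gap rather than a callback, which is why the fix is not "check faster" but removing the second name lookup entirely: every decision is made on the descriptor that will be used.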

68
Q

International Requirements

A

(i) Legal requirements: those that must be observed so that the software is not in violation of any regulations in the countries where it is used;
(ii) Technological requirements: character encoding and display direction are two important international software requirements that need to be determined (e.g. Unicode encodings such as UTF-32).

69
Q

Procurement Requirements

A

when procuring software instead of building it in-house, it is important to include software security requirements in legal protection mechanisms such as contracts and SLAs.