Basic Computer Security Concepts

Questions and Answers

What is the primary goal of computer security?

  • To install the latest software.
  • To make computers run faster.
  • To make computers more accessible.
  • To protect the assets of a computer or computer system. (correct)

Which of the following is an example of a computer asset?

  • A computer's hardware (correct)
  • A computer's packaging
  • An electrical outlet
  • A computer virus

What does the principle of 'easiest penetration' suggest for computer security?

  • Penetration is impossible if a system is well-defended.
  • Attackers will try to exploit the weakest point of a system. (correct)
  • Attackers will always use the most complex methods.
  • Security specialists should only consider known vulnerabilities.

Which of the following is a classification of security protection?

Prevention (A)

In the context of computer security, what does 'detection' refer to?

Discovering when, how, and by whom an asset has been damaged. (D)

What does 'reaction' in computer security involve?

Recovering assets or recovering from damage. (C)

What does the acronym CIA stand for in the context of security goals?

Confidentiality, Integrity, Availability (A)

In the CIA triad, what does 'Confidentiality' primarily ensure?

Assets are available only to authorized parties. (D)

Which of the following ensures that assets can only be modified by authorized parties?

Integrity (C)

What does 'Availability' mean in the CIA triad?

Assets are accessible to authorized parties when needed. (C)

If a system legitimately allows a user to read a specific file, but an attacker modifies the file's content without authorization, which security goal is primarily violated?

Integrity (B)

Which of the following scenarios best exemplifies the security principle of 'defense in depth'?

Implementing both antivirus software and an intrusion detection system. (D)

In the context of computer security, what is the key difference between a 'threat' and a 'vulnerability'?

A threat is a potential cause of harm, while a vulnerability is a weakness. (A)

An organization implements biometric authentication for building access and requires complex passwords for network access. What security principle does this demonstrate?

Multi-factor Authentication (C)

Which of the following scenarios represents a violation of the 'Availability' principle of the CIA triad?

A server crashes due to a power outage, preventing users from accessing critical applications. (D)

An attacker intercepts network traffic and replays a previous valid authentication sequence to gain unauthorized access. Which security threat is this?

Replay Attack (B)

A disgruntled employee, authorized to access sensitive data, intentionally modifies financial reports to cover up embezzlement activities. Which security principle is directly compromised?

Integrity (D)

What is the primary purpose of data Encryption as a preventative measure in computer security?

To allow only authorized parties to access sensitive information. (D)

An organization implements a policy requiring employees to use strong, unique passwords and change them every 90 days. This policy primarily addresses which type of vulnerability?

Weak Authentication (B)

Which of the following actions would be considered a 'procedural control' in computer security?

Enforcing a mandatory vacation policy for employees with sensitive access. (D)

Computer security involves protecting valuable items, known as assets, of a computer system.

True (A)

Intruders should exclusively be expected to target the most heavily defended aspects of a computer system.

False (B)

The three classifications of protection are prevention, detection and reaction.

True (A)

In the context of credit card fraud, prevention can involve using encryption when placing an order online.

True (A)

Confidentiality ensures that only authorized parties can access computing systems.

True (A)

Integrity means ensuring assets can only be modified by unauthorized parties.

False (B)

Availability ensures assets must be inaccessible to authorized parties when needed.

False (B)

The CIA triad is from the user's point of view.

False (B)

AAA framework stands for assessment, authentication and accounting.

False (B)

A vulnerability is a weakness in a system, while a threat is a potential for harm that could exploit that weakness.

True (A)

Computer security exclusively protects hardware from physical damage, and ignores data or software.

False (B)

The principle of easiest penetration suggests intruders will always target the most secure aspects of a system.

False (B)

Detection measures in computer security involve actions taken to recover assets after damage has occurred.

False (B)

A transaction that appears on your credit card statement that you did not authorize is an example of Detection in the context of Security.

True (A)

In the CIA triad, Integrity ensures that assets are accessible to authorized parties without any delay.

False (B)

In the context of confidentiality, 'access' only refers to the ability to read a data item, not viewing or printing it.

False (B)

In the AAA framework, authentication involves determining what a user is permitted to do with system resources.

False (B)

In computer security, a vulnerability is a potential circumstance that may cause harm or loss to a computer system.

False (B)

In the context of security threats, 'interruption' refers to an unauthorized party gaining access to an asset.

False (B)

A 'directed attack' is when an attacker intends to harm any computer or user at random.

False (B)

Flashcards

What is computer security?

Protecting computer assets and systems; includes hardware, software, data, and people.

Principle of Easiest Penetration

Intruders exploit the weakest access points when attempting unauthorized system access. Security specialists need to consider all potential entry methods.

Three classifications of protection

Prevention stops asset damage. Detection finds when/how damage occurs. Reaction recovers/repairs assets post-damage.

Confidentiality

Ensuring computer-related assets are accessed only by authorized parties. Keeping data secret from unauthorized users.

Integrity

Assets can be modified only by authorized parties in authorized ways. Avoiding improper or unauthorized changes.

Availability

Assets are accessible to authorized parties at appropriate times. Focuses on preventing denial of service.

AAA in security

Authentication (who), Authorization (permissions), and Accounting (tracking activity).

Vulnerability

A weakness in the system (procedures, design, or implementation) that might be exploited to cause loss or harm.

Threat

A set of circumstances that has the potential to cause loss or harm.

Control

A means to counter threats; blocking attacks or reducing their impact.

Prevention (cyber fraud)

Use encryption, checks, and validate call info to avoid fraudulent transactions.

Detection (cyber fraud)

Notification of unauthorized transactions on credit card statements.

Reaction (cyber fraud)

Steps for getting a new card number or recovering fraudulent costs.

Confidentiality Defined

Assets available only to authorized people, ensuring secrecy/privacy.

AAA System

A three-process framework used to manage user access and consumption of network resources (manage, enforce, and measure).

Interruption

Asset is destroyed, unavailable, or unusable. An attack on AVAILABILITY.

Interception

An unauthorized party gains access to an asset. An attack on CONFIDENTIALITY.

Modification

An unauthorized party tampers with an asset. An attack on INTEGRITY.

Fabrication

An unauthorized party inserts fake objects into the system. An attack on INTEGRITY.

Random Attack

Malicious code aimed to harm any computer or user.

Identification

Used to uniquely identify a user.

Authentication

Proving an identity is correct.

Physical Controls

Locks, walls, and guards to hinder physical access.

Procedural Controls

Commands and agreements that guide behavior.

Technical Controls

Tech-based methods of countering threats, like encryption.

Awareness of Problems

Understanding how security affects you.

Opportunity

Malicious requirement for a successful attack.

Motive

Malicious requirement for a successful attack.

Method

Malicious requirement for a successful attack.

Directed Attack

An attack that targets specific computers or users.

Amateur Attacker

Someone who is not a career criminal, but observes a flaw in a system and has access to something valuable.

Cracker

University or high school students who attempt to access computing facilities for which they have not been authorized.

Hacker

Someone with deep knowledge and interest in operating systems who does not attempt to intentionally break any system (non-malicious).

Career Criminal

Understands the targets of computer crime.

Assets

A value or item belonging to the computer, which needs protection (hardware, software, data, processes, media, and people).

Security Threats

An action that invalidates or threatens the integrity, confidentiality, or availability of an information system.

Risk

The possibility of suffering harm or loss.

Computer Vulnerabilities

Weaknesses that can be found in authentication; lack of access control; errors in programs; finite or insufficient resources; inadequate physical protection.

Study Notes

Basic Security Concepts

  • Computer security protects computer system assets, including hardware, software, data, processes, storage media, and people.
  • Intruders will try to use any available means of penetration, likely choosing the 'weakest point.'
  • Computer security specialists should seek out and consider all possible means of penetration.

Protecting Systems

  • There are 3 classifications of protection: prevention, detection, and reaction
  • Prevention involves measures that stop assets from being damaged.
  • Detection means to notice when, how, and by whom assets were damaged.
  • Reaction refers to measures that recover your assets or recover from damage.
  • Locks, window bars, and walls are physical methods of prevention
  • Burglary alarms and security cameras are physical methods of detection
  • The police and item replacements are examples of physical reaction
  • Encryption when ordering is a protection precaution
  • Transaction reports are a cyber world example of detection
  • New credit card numbers are a cyber world example of reaction

CIA Triad

  • Security is achieved through a combination of Confidentiality, Integrity, and Availability.
  • These are from the view of the assets, not the user

Confidentiality

  • Computer-related assets are accessed only by authorized parties
  • Access includes reading, viewing, printing, and simply knowing that the asset exists
  • Consider the statement: "A person, process, or program is (or is not) authorized to access a data item in a particular way."
  • The person, process, or program is known as a 'subject'
  • The data item is known as the 'object'
  • The way the data is accessed is known as the 'access mode'
  • The authorization itself is known as the 'policy'

Integrity

  • Assets can be modified only by authorized parties, only in authorized ways
  • Modification includes writing, changing status, deleting, and creating
  • Integrity refers to an item being precise, accurate, and unmodified
  • It means the item is consistent, modified only in acceptable ways, and meaningful and usable
  • Welke & Mayfield recognize three particular aspects of integrity: authorized actions, separation and protection of resources, and error detection and correction.

Availability

  • Assets are accessible to authorized parties at appropriate times
  • Availability is sometimes known by its opposite – denial of service (DoS).
  • Whether an asset counts as available depends on whether it is present in a usable form, has enough capacity to meet service needs, is making clear progress (with bounded waiting time), and completes service in an acceptable period of time.

AAA System

  • The AAA system is from the user's point of view
  • It manages user access and measures consumption of network resources
  • Authentication is verifying 'Who the user is? (genuine user)'
  • Authorization is checking 'What can the user do (permission to access resources)?'
  • Accounting is 'Tracking user activities and events'

Vulnerabilities and Threats

  • Vulnerability is a weakness in the system that might be exploited to cause loss or harm
  • A threat is a set of circumstances that has the potential to cause loss or harm
  • Consider a wall holding back water as an illustration: a small crack in the wall is a vulnerability, and the water is the threat.

Security Threats

  • The CIA triad can be viewed from the nature of the harm caused to assets.
  • Harm is characterized by four acts called Security Threats: interception, interruption, modification, and fabrication.
  • Interruption is when an asset is destroyed or becomes unavailable/unusable
  • Interception is when an unauthorized party gains access to an asset
  • Modification is when assets are tampered with
  • Fabrication is when unauthorized parties insert counterfeit objects

Examples of security threats/attacks

  • Interruption can include the destruction of hardware and loss of communication
  • Interception examples include wiretapping
  • Modification examples include data alteration
  • Fabrication includes adding or inserting

Security Terminology

  • Key terms include asset, threat, threat agent, vulnerability, exploit, and risk

Kinds of Threats

  • Sources of threats include nonhuman events and humans.
  • Nonhuman threats include natural disasters, electrical power loss, and component failure.
  • Human threats include benign (non-malicious) and malicious actions.
  • Malicious harm (an attack) can be random or directed
  • Examples include malicious code on a general website, impersonation, etc.

Vulnerabilities

  • Computer vulnerabilities include weak authentication, lack of access control, errors in programs, finite/insufficient resources, and inadequate physical protection
  • Hardware vulnerabilities include involuntary (accidental) and voluntary (intentional) machine-slaughter.
  • Software vulnerabilities include deletion, modification (trojan horse, virus, trapdoor, logic bomb), and piracy

Data Vulnerabilities

  • Networks can easily multiply the problems of computer security by being very exposed
  • Storage media requires safe backups
  • Access issues can lead to stolen computer time or loss of service
  • Key People leaving the system can cause issues

Methods of Defense

  • Methods of defense can include encryption, software and hardware controls
  • Physical controls can include locks
  • Policies help ensure everything is being used correctly

Types of Attackers

  • Amateurs are not usually career criminals, although they have access to valuable systems
  • Crackers frequently attempt to access unauthorized facilities
  • Career criminals seek to profit from computer crime
  • Hackers usually have deep knowledge about operating systems, although they may be non-malicious

Method-Opportunity-Motive

  • A successful malicious attacker requires method, opportunity, and motive.
  • The negative consequence of an actualized threat is harm.
  • Risk management is performed to minimize potential harm
  • The remaining risk is called residual risk

How to Make Systems Secure

  • Four methods to enhance computer security: System Access Control, Data Access Control, System and Security Administration, and System Design.

Controls

  • Controls, or countermeasures, help counter threats
  • The possibility for harm to occur is risk.
  • Harm can be avoided by blocking the attack or closing the vulnerability
  • Physical, procedural, and technical are the three categories of controls

Control Types

  • Physical controls use tangible things to stop or block attacks
  • Procedural controls use commands or agreements to guide actions
  • Technical controls use technology to counter threats
  • Technical controls include using passwords, firewalls, and encryption

System Access Control

  • Provides computer security by controlling access to the system through identification and authentication
  • There are 3 ways to prove the user (i.e., to confirm the user's identity):
  • Something the user knows (passwords, PINs, passphrases, mother's maiden name)
  • Something the user is (biometrics, such as face, fingerprints, voice pattern, retina pattern, handprint etc.)
  • Something the user has. (tokens, keys, smart cards, etc.)
  • Two or more forms can be combined; e.g., a bank card and a PIN.

Username and Password

  • Typical first line of defense for a system
  • User names provide identification
  • Passwords provide authentication
  • Logging in will succeed if a valid username and corresponding password have been successfully input

System Access Control

  • Users play an important role in password protection – authentication is compromised when you give away your own password by telling others.
  • Common threats to passwords:
  • Password guessing: exhaustive search (brute force) and intelligent search
  • Password spoofing
  • Compromise of the password file

Choosing Strong Passwords

  • Strong password equals strong authentication
  • Use characters other than just a-z
  • Choose long passwords
  • Avoid actual names or words
  • Use a string you can remember
  • Use variants for multiple passwords
  • Change the password regularly
  • Don't write it down
  • Don't share it with others

System Access Control

  • Compulsory to set a password
  • Change default password
  • Password length
  • Password format
  • Avoid obvious passwords
  • Password checkers
  • Password generation
  • Password ageing
  • Limit login attempts
  • Inform users

Data Access Control

  • Subjects may observe or alter an object at its most elementary level
  • Common access models are defined as follows: Observe is to look, change is to modify or alter
  • See the Bell-LaPadula model for further implementation
  • Access rights are given through an access control matrix

Effectiveness of Controls

  • Security requirements are only accepted when people understand their presence
  • Controls must be used to be effective, and they must be easy to use
  • Overlapping controls occur when a combination of controls is applied to a single exposure
  • Conduct periodic reviews to judge the effectiveness of all controls
