Basic Computer Security Concepts

Questions and Answers

Which of the following best describes the 'Principle of Easiest Penetration' in computer security?

• Intruders prefer complex methods of penetration to avoid detection.
• Security specialists should only focus on known vulnerabilities.
• Intruders always target the most heavily defended parts of a system.
• Intruders will exploit any available means of entry, often the weakest point. (correct)

Which of the following is an example of 'prevention' as a classification of security protection?

• Installing CCTV cameras to record intruders.
• Using encryption when placing an order online. (correct)
• Calling the police after a burglary.
• Detecting unauthorized transactions on credit card statements.

In the CIA triad, what does 'Integrity' primarily ensure?

• Assets are available only to authorized parties.
• Assets are accessible to authorized parties without delay.
• Assets remain hidden from unauthorized users.
• Assets can only be modified by authorized parties in authorized ways. (correct)

Which of the following best illustrates the concept of 'Availability' in the context of the CIA triad?

Making sure that system resources are accessible to authorized users when needed. (B)

In security terms, if a person attempts to access a data item, which of the following is that person referred to as?

Subject (C)

According to [Welke & Mayfield], which of the following is considered a particular aspect of integrity?

Authorized actions, separation and protection of resources, error detection and correction (D)

A denial-of-service (DoS) attack is most directly an attack on which aspect of the CIA triad?

Availability (C)

Which of the following is the primary focus of the AAA system in computer security?

Managing user access and privileges. (A)

In the context of computer security, what is the difference between a 'threat' and a 'vulnerability'?

A threat is a set of circumstances with potential to cause harm; a vulnerability is a weakness that can be exploited. (B)

Which of the following best describes 'interception' as a security threat?

An unauthorized party gains access to an asset. (A)

Which security threat is exemplified by a 'man-in-the-middle' attack?

Interception (C)

Which of the following is an example of 'fabrication' as a security threat?

Inserting false records into a database. (C)

In security terminology, what is the term for the potential that a threat will exploit a vulnerability?

Risk (C)

Which of the following is an example of a 'nonhuman' threat?

A natural disaster causing a power outage. (C)

Which of the following would be classified as a hardware vulnerability?

Inadequate physical protection of servers. (D)

What is the primary purpose of 'encryption' as a method of defense in computer security?

To guarantee confidentiality. (D)

Which type of attacker is characterized by deep knowledge of operating systems but no intention to intentionally break any system?

Hackers (D)

According to the Method-Opportunity-Motive framework, what three elements must an attacker have to ensure their success?

Method, opportunity, and motive. (D)

Ensuring that unauthorized users cannot access a system relates to which of the following?

System Access Control (B)

Which of the following is NOT a strong characteristic of a good password?

Using actual names or words (D)

Computer security focuses on protecting assets, where an asset only includes hardware components.

False (B)

The principle of easiest penetration suggests that an intruder seeks the most complex and protected entry points.

False (B)

Prevention involves using mechanisms to detect how an asset has been damaged.

False (B)

In the context of credit card fraud, using encryption when placing an order is an example of detection.

False (B)

The CIA triad focuses on assets from the end user's perspective.

False (B)

Confidentiality ensures assets of computing systems are available only to authorized third parties; this is also known as obscurity.

False (B)

In the context of security, 'access' only refers to reading data, and not to viewing or printing it.

False (B)

In the context of computer security, 'object' refers to person, process, or program.

False (B)

Data integrity means ensuring data is stored in such a way that allows modification by any user.

False (B)

Availability refers to preventing legitimate users from accessing particular system resources or data.

False (B)

Denial of service is the condition opposite to availability.

True (A)

The AAA system (Authentication, Authorization, and Accounting) focuses on the system's assets point of view.

False (B)

Authentication verifies what a user can access; authorization confirms the user's identity.

False (B)

A vulnerability in a computing system is a circumstance that has the potential to cause loss or harm.

False (B)

A threat is blocked by exercising control on a vulnerability.

True (A)

In the context of security threats, 'interruption' refers to an unauthorized party gaining access to an asset.

False (B)

In the context of security threats, 'fabrication' refers to an unauthorized party tampering or modifying an asset.

False (B)

A 'threat agent' is the potential for harm in a system, whereas a 'vulnerability' is the individual or group attempting to exploit a weakness.

False (B)

If the attacker intends to target any computer or user, it is a directed attack.

False (B)

Using a mix of upper- and lower-case letters is a good way to defend a password from certain attacks.

True (A)

Flashcards

What is computer Security?

Protecting computer assets (hardware, software, data) that have value.

Types of computer assets

Hardware, software, data, processes, storage media, and people.

Principle of Easiest Penetration

Attackers use the weakest point to breach security.

Prevention

Take measures to stop assets from being damaged in the first place.

Detection

Detect when, how, and by whom an asset has been damaged.

Reaction

Take measures to recover your assets or recover from the damage.

Confidentiality

Assets are available only to authorized parties.

Integrity

Assets can be modified only by authorized parties or ways.

Availability

Assets are accessible to authorized parties when needed without delay.

What does AAA stand for?

Authentication, Authorization, and Accounting

Authentication

Verifying the user's identity.

Authorization

Defining user's permitted actions.

Accounting

Tracking user activities and events.

Vulnerability

A weakness in the system that can be exploited for harm.

Threat

A set of circumstances with the potential to cause loss or harm.

Interruption

Asset of the system is destroyed or unusable.

Interception

Unauthorized access to an asset.

Modification

Unauthorized party tampers with an asset.

Fabrication

Unauthorized party inserts counterfeit items into the system.

Control

Something to counter threats.

Security Penetration

Computer security specialists must consider all possible means of penetration to protect assets.

Confidentiality in security

Assets of computing systems are available only to authorized parties.

CIA Triad Perspective

The CIA triad focuses protection from the asset's point of view, not the user's.

Security Subject

A person, process, or program that accesses data.

Security Object

Data item accessed by a 'subject'.

Access mode

How a subject can access data

Policy in Security

A policy dictates authorization

Data integrity

Assures that assets are precise, accurate and unmodified

Denial of Service (DoS)

Availability can be known as its apposite

Computer Vulnerabilities

Weakness that causes unauthorized access.

Exploitation

Using a vulnerability for harm.

Security Threats

The nature of the harm caused to assets.

Security Risk

The chance of harm occurring.

Amateur Attacker

Someone observes a flaw in security and exploits it.

Denying the Attacker

Deny the attacker of method, opportunity, or motive.

Data Access Control

Monitoring who can access what data.

Password protection

Setting and changing strong passwords.

Study Notes

Security Goals - CIA Triad

• It is important to note that security is achieved through a combination of confidentiality, integrity, and availability.

Other Protection Requirements - AAA

• AAA system is from the user's point of view.

Vulnerabilities and Threats

• Vulnerability is a weakness in a system like procedures, design, or implementation, that can be exploited to cause loss or harm.
• A threat is a set of circumstances for computing systems that has the potential to cause loss or harm.
• A threat is controlled "blocked," by controlling the vulnerability.

Computer Network Vulnerabilities

• Vulnerabilities listed include radiation, taps, crosstalk, files, hardware, operator, systems programmer, maintenance man, software user, and remote consoles.

System Access Control - Continued

• To increase protection of passwords it is better that:
  • Set passwords that are compulsory, and are not the default setting.
• The system can help improve password security by:
  • Password checkers and password generation
  • Password ageing
  • Limit login attempts
  • Inform users

Data Access Control

• Access rights are in the Bell-LaPadula model
• Uses an access control matrix

Effectiveness of Controls

• Continued: Ongoing task in judging the effectiveness of a control.