Basic Computer Security Concepts

Questions and Answers

Which of the following is the primary goal of computer security?

  • To provide user-friendly interfaces.
  • To ensure constant system uptime
  • To maximize processing speed
  • To protect assets of a computer system. (correct)

What principle suggests intruders will exploit the 'weakest point' of a system?

  • Principle of Defense in Depth
  • Principle of Minimum Privilege
  • Principle of Easiest Penetration (correct)
  • Principle of Least Effort

Which of the following is NOT one of the three classifications of security protection?

  • Prevention
  • Invention (correct)
  • Detection
  • Reaction

In the context of the CIA triad, what does 'C' stand for?

Confidentiality (C)

Ensuring that assets are accessible to authorized parties when needed refers to which aspect of the CIA triad?

Availability (D)

In security terms, an unauthorized act that could cause harm is known as a:

Threat (A)

What is a weakness in a system that can be exploited by a threat called?

Vulnerability (D)

Which of the following is NOT a type of security threat?

Compilation (D)

What is the term for measures used to counter security threats?

Controls (A)

Requiring a password containing a mix of upper and lowercase letters and numbers is an example of applying a:

Technical control (C)

Flashcards

What is computer security?

Protecting assets of a computer or computer system, where an asset is anything with value.

What are types of assets?

Hardware, software, data, processes, storage media, and people.

What is the principle of easiest penetration?

An intruder will use any available method of penetration, especially the 'weakest point'.

What is the CIA Triad?

CIA is a security model focusing on maintaining Confidentiality, Integrity, and Availability of data.

What is confidentiality?

Ensuring that computer-related assets are accessed only by authorized parties.

What is integrity?

Assets can be modified only by authorized parties in authorized methods.

What is Availability?

Assets are accessible to authorized parties at appropriate times.

What is a vulnerability?

A weakness in a system that might be exploited to cause loss or harm.

What is a threat?

A set of circumstances that has the potential to cause loss or harm.

What is a control or countermeasure?

A means to counter threats, which can neutralize a threat or close a vulnerability.

Study Notes

Basic Security Concepts

  • Computer security focuses on protecting an asset of a computer or computer system.
  • Types of assets that need protecting include hardware, software, data, processes, storage media, and people.
  • Potential intruders will seek the weakest point in a system to penetrate it, so security specialists must consider all possible means of entry.

Classifications of Protection

  • Prevention involves measures to stop assets from being harmed.
  • Detection involves measures to help recognize when, how, and by whom damage has occurred.
  • Reaction involves measures for recovering assets or recovering from damage.

The CIA Triad

  • Security goals in computing revolve around Confidentiality, Integrity, and Availability (CIA).
  • Confidentiality ensures computing system assets are available only to authorized parties; also known as secrecy or privacy.
  • Integrity means assets can be modified only by authorized parties or in authorized ways.
  • Availability means assets are accessible to authorized parties when needed without unnecessary delay.
  • A combination of the three characteristics achieves security, from the asset point of view, not necessarily the user’s.

Confidentiality in Detail

  • Guarantees computer-related assets are only accessed by authorized parties.
  • Defines "access" as not only reading, but also viewing, printing, and knowing that the asset exists.
  • Confidentiality involves a general statement: "A person, process, or program is (or is not) authorized to access a data item in a particular way."
  • The pieces of the statement break down as: subject (who), object (what), access mode (how), and authorization policy.

Integrity in Detail

  • Ensures assets can be modified only by authorized parties.
  • Modification includes writing, changing status, deleting, and creating.
  • Integrity can mean precision, correctness, being unmodified, acceptable modifications, authorized users, consistency.
  • Welke & Mayfield identify three aspects: authorized actions, resource separation/protection, and error detection/correction.

Availability in Detail

  • Ensures assets are accessible to authorized parties at appropriate times, meaning authorized users should not be prevented from accessing objects.
  • Lack of availability can result in a denial of service (DoS).
  • Availability depends on the form, capacity, progress status and completion time of services.

Other Protection Requirements

  • AAA (Authentication, Authorization, Accounting) focuses on user access and accountability.
  • Authentication: Verifying the user is genuine.
  • Authorization: Defining what the user is allowed to do.
  • Accounting: Tracking user activities and events.

Vulnerabilities and Threats

  • A vulnerability is a weakness in a system that can be exploited to cause harm.
  • A threat is a set of circumstances with the potential to cause loss or harm.
  • Controlling a vulnerability blocks a threat.

Security Threats and Acts

  • The CIA triad focuses on the nature of potential harm that assets can suffer.
  • Security threats encompass interception, interruption, modification, and fabrication.
  • Interception: An unauthorized party gains access to an asset.
  • Interruption: An asset becomes unusable.
  • Modification: Unauthorized tampering with an asset.
  • Fabrication: Insertion of counterfeit objects into the system.
  • Security threats include unauthorized access, damage or loss, and disruption.

Examples of security threats and attacks

  • Interruption example: Destruction of a piece of hardware or disabling the file management system.
  • Interception example: Wiretapping or illicit copying of files or programs.
  • Modification example: Changing values in a data file or modifying the content of messages being transmitted in a network.
  • Fabrication example: Adding records to a file or inserting spurious messages in a network.

Security Terminology

  • Asset: something important that needs to be protected
  • Threat: someone's or something's desire to cause loss or harm
  • Threat Actor/Agent: someone or something that carries out the attack
  • Vulnerability: a weakness that allows harm to occur
  • Exploit: a way of taking advantage of a system weakness
  • Risk: potential loss or harm

Kinds of Threats

  • Threats can be nonhuman or human
  • Nonhuman threats include fires, floods, or loss of power
  • Human threats can be benign or malicious
  • Random attacks seek to harm any computer or user
  • Directed attacks aim at specific targets

Vulnerabilities

  • Weaknesses can be found within computers, hardware, software, and data
  • Computer vulnerabilities include weak authentication, access control issues, program errors, limited resources, and inadequate protection
  • Hardware vulnerabilities can come from involuntary or voluntary causes
  • Software vulnerabilities include deletion, modification, and theft
  • Data vulnerabilities can include confidentiality and data integrity concerns

Other Exposed Assets

  • Storage media are vulnerable and should be backed up
  • Networks can escalate security problems due to accessibility
  • Authorized access can lead to stealing computer time or destroying data.
  • Trouble can arise around key people, specifically if only one person understands how to maintain or use software.

Methods of Defense

  • Encryption preserves confidentiality and integrity
  • Software and hardware controls such as firewalls or internal program controls
  • Physical controls such as locks
  • Policies and Procedures that create ethics and legal standards.

Different types of attackers

  • Amateurs who observe a flaw in a security system
  • Crackers who attempt to bypass secure facilities
  • Career criminals who understand the targets of computer crime
  • Hackers who have deep knowledge but are NOT trying to intentionally break the system

Factors of success

  • An attacker must have the method, opportunity, and motive
  • Negatively affect harm which can minimize risk
  • Residual risk is the part that remains uncovered by controls

System Security Actions

  • System Access Control: Preventing unauthorized users from getting into the system
  • Data Access Control: Monitoring who can access what type of data
  • System and Security Administration
  • System Design

Controls

  • A control or countermeasure is a means to counter threats. Harm occurs when a threat is realized against a vulnerability.
  • To protect against harm, neutralize either the threat or the vulnerability, or both.
  • Prevent it, by blocking the attack or closing the vulnerability.
  • Deter it, by making the attack harder but not impossible.
  • Deflect it, by making another target more attractive (or this one less so).
  • Mitigate it, by making its impact less severe.
  • Detect it, either as it happens or some time after the fact.
  • Recover from its effects.
  • Physical, procedural and technical controls

Types of controls

  • Physical controls stop or block an attack by using something tangible, such as locks, walls and fences, (human) guards, sprinklers, and fire extinguishers
  • Procedural or administrative controls use a command or agreement that requires or advises people how to act, such as laws, regulations, policies, procedures, guidelines, copyrights, patents, contracts, and agreements
  • Technical controls counter threats with technology (hardware or software), including passwords, program or operating system access controls, network protocols, firewalls, intrusion detection systems, encryption, and network traffic flow regulators

System Access Control

  • One way a system provides computer security is by controlling access to that system:
  • Who's allowed to log in?
  • How does the system decide whether a user is legitimate?
  • Identification and authentication answer these questions.
  • Identification is the act of asserting who a person is.
  • Authentication is the act of proving that the asserted identity is correct: that the subject (person) is who they say they are.
  • Identities are public or well known. Authentication should be private.
  • There are three ways to prove a user's identity:
  • Something the user knows (passwords, PINs, passphrases, mother's maiden name)
  • Something the user is (biometrics, such as face, fingerprints, voice pattern, retina pattern, handprint, etc.)
  • Something the user has (tokens, keys, smart cards, etc.)
  • Two or more forms can be combined; e.g., a bank card and a PIN.

Username and Password for System Access Control

  • Typical first line of defense
  • User name (Login ID) – identification
  • Password - authentication
  • Login succeeds if you enter a valid username and the corresponding password.

Password Threats and Best Practice

  • The user plays an important role in password protection: authentication is compromised when you give away your own password by telling others.
  • The best practice is to have strong passwords and strong system protocols.
  • Do not tell anyone the password.
  • Best-choice passwords use other characters and are long. Change the password regularly, avoid actual names or words, and DO NOT write it down.

System Help

  • Defend password security
  • Make it compulsory to set a password and change the default password
  • Set password length and format
  • Avoid obvious passwords
  • Use password checkers and password generation
  • Limit login attempts and inform users
