Basic Computer Security Concepts

Questions and Answers

What is the primary goal of computer security?

  • To replace easily replaceable hardware
  • To ensure the protection of assets in the computer or computer system (correct)
  • To protect the 'weakest point' of a system
  • To control all possible entry points

Which of the following is an example of a computer asset?

  • The 'Principle of Easiest Penetration'
  • Network gear (correct)
  • A computer environment
  • An intruder discovering the weakest point

An intruder is most likely to use which method of penetration?

  • The 'strongest link'
  • The 'weakest point' (correct)
  • All possible points
  • The most secure point

Which action is associated with the 'Prevention' classification of protection?

  • Measures to stop assets from being damaged (B)

What is the computer security goal of Confidentiality about?

  • Ensuring assets are available only to authorized parties (A)

What is the computer security goal of Integrity about?

  • Assets can be modified only by authorized parties (D)

What is the computer security goal of Availability about?

  • Assets are accessible to authorized parties when needed without any delay (B)

Which of the following is not part of the CIA triad?

  • Accounting (B)

What does the AAA framework primarily focus on?

  • User management (C)

What does 'Authentication' mean in the AAA framework?

  • Who the user is? (D)

What is a computer 'vulnerability'?

  • A weakness in the system that can be exploited (D)

What is a 'threat' to a computing system?

  • A set of circumstances that has the potential to cause loss or harm (D)

Which of the following is a 'Security Threat'?

  • Interruption (C)

Which term refers to unauthorized access to an asset?

  • Interception (C)

Which of the following describes a 'random attack'?

  • The attacker wants to harm any computer or user (C)

Which factor is NOT required for a successful attack?

  • Harm (C)

Which method helps to make a system secure, focusing on user access?

  • System Access Control (D)

Which aspect is associated with 'identification' in system access control?

  • Valid username (C)

What can be used as technical controls to defend against threats?

  • Firewalls and encryptions (B)

Computer security aims to protect assets of a computer system.

  • True (A)

The principle of easiest penetration suggests intruders will use any available means, including the "strongest point".

  • False (B)

Prevention involves measures that allow you to recover assets from damage.

  • False (B)

A burglar alarm is an example of prevention in physical-world security.

  • False (B)

Encryption can be used as a preventative measure against credit card fraud.

  • True (A)

The CIA triad includes confidentiality, integrity, and accessibility.

  • False (B)

Confidentiality ensures assets are available only to authorized parties.

  • True (A)

Integrity means assets can be modified by anyone.

  • False (B)

Denial of service (DoS) is the opposite of availability.

  • True (A)

AAA refers to the assets' point of view.

  • False (B)

Authentication verifies what a user can access.

  • False (B)

A vulnerability is a weakness in the system.

  • True (A)

A threat is a potential cause of harm.

  • True (A)

Interception involves destroying an asset of the system.

  • False (B)

Modification means an unauthorized party tampers with an asset.

  • True (A)

A 'threat agent' always refers to a software program.

  • False (B)

Loss of electrical power is an example of a nonhuman threat.

  • True (A)

A 'directed attack' always targets every computer in a network.

  • False (B)

Lack of access control is a computer vulnerability.

  • True (A)

Hardware vulnerabilities only include unintentional machine-slaughter.

  • False (B)

Flashcards

What is computer security?

Protecting computer system assets, which are items of value.

Types of computer assets

Hardware, software, data, processes, storage media, and people

Principle of Easiest Penetration

An intruder will use the easiest method of unauthorized entry.

Prevention (in security)

Taking action to prevent asset damage.

Detection (in security)

Taking action to notice damage when and how it occurs.

Reaction (in security)

Taking action to recover assets or to recover from damage to assets.

Confidentiality

Assets are available only to authorized parties

Integrity

Assets can be modified only in authorized ways by authorized people

Availability

Assets are accessible when needed without delay by authorized parties.

AAA in security

Authentication, authorization, and accounting

What is a vulnerability?

A weakness that can be exploited.

What is a threat?

Set of circumstances that can cause loss or harm.

Interruption threat

Asset is disrupted or unavailable.

Interception threat

Unauthorized access to an asset's info.

Modification threat

Unauthorized alteration of an asset.

Fabrication threat

Inserting fake objects into the system.

What is a control?

One way to counter threats

System Access Control

Authentication, authorization, and accounting functions for system access.

Strong passwords

Using characters other than just a-z, and long passwords.

Effective controls

People must cooperate, and overlapping controls must be used.

Easiest Penetration Point

The “weakest point” attackers target for unauthorized access.

Confidentiality Access

Assets are available for reading, viewing, or printing by authorized parties.

Subject (in access control)

The person, process, or program that is attempting to access data.

Object (in access control)

The data item being accessed.

Access Mode

The type of interaction someone has with data (read, write, execute)

Access Control Policy

The authorization rules specifying who can access what data and how.

Integrity (precise)

Assets modified only by authorized parties in acceptable ways.

Integrity (authorized)

Assets modified by authorized people in acceptable ways.

Denial of Service (DoS)

Availability is hindered; authorized users cannot access critical resources.

Authentication

Verifying a user's identity to grant access

Authorization

The permission that allows the user to access resources.

Accounting

Tracking user activities and events on the system.

Exploit

Using a weakness to cause damage or loss.

Random Attack

An attack that targets any computer or user.

Directed Attack

An attack that targets specific computers or groups.

Physical Controls

Locking doors or physical barriers to block access.

Procedural Controls

Policies, procedures, or agreements to enforce security standards.

Technical Controls

Software, hardware, or protocols like encryption to manage system access.

Amateurs (as attackers)

People who observe a flaw in a security system and want to access something valuable.

Data Access Control

Monitoring who can access what data and for what purposes.

Study Notes

### Basic Security Concepts
- Computer security protects assets of a computer or system, including hardware, software, data, processes, storage media, and people.
- Intruders use any available means of penetration, including the 'weakest point', so computer security specialists must consider all possible means of penetration.
- Computer systems that include hardware, software and data have value and deserve security protection.
- The three classifications of computer security are: prevention, detection, and reaction.
- Prevention involves taking measures to prevent assets from being damaged.
- Detection involves taking measures to detect when, how, and by whom an asset has been damaged.
- Reaction involves taking measures to recover assets or to recover from damage to assets.
- In terms of physical security, prevention is locks on doors or window bars, as well as walls around the property.
- In terms of physical security, detection is a burglar alarm going off after a break-in, in addition to CCTV cameras identifying intruders.
- In terms of physical security, reaction is calling police or replacing a stolen item.
- In the cyber world, prevention is using encryption or merchants performing checks before accepting credit card orders.
- In the cyber world, detection is unauthorized transactions appearing on credit card statements.
- In the cyber world, reaction is asking for a new credit card number, or possibly recovering fraudulent costs.

### CIA Triad
- Security goals are achieved through Confidentiality, Integrity, Availability (CIA).
- Confidentiality means assets of computing systems are available only to authorized parties; it is sometimes known as secrecy or privacy.
- Integrity means assets can be modified only by authorized parties or in authorized ways.
- Availability means assets are accessible to authorized parties when needed without any delay.
- CIA is from the assets' point of view, not the user's.
- Confidentiality also means giving access only to those who should have it.
- Access includes reading, viewing, printing, and knowing that the asset exists.
- Subject, object, access mode, and policy all help grant confidentiality.
- Integrity is about having assets be modified in authorized ways by authorized parties.
- Ensuring integrity includes precise information, accurate information, unmodified information, information modified only in acceptable ways or by acceptable people or processes, and consistent information.
- Welke & Mayfield state that integrity includes: authorized actions, separation and protection of resources, and error detection and correction.
- Availability applies to both data and services, also called info and info processing.
- Definition of availability depends on whether the asset is in usable form, has the capacity to meet needs, has bounded waiting time if in wait mode, and is completed in an acceptable time period.
- Denial Of Service (DoS) can cause a lack of Availability.

### AAA
- AAA refers to Authentication, Authorization, and Accounting
- Authentication: Identifying who the user is.
- Authorization: Determining what the user can do with the system.
- Accounting: Tracking user activity.
- AAA is from the user's point of view.

### Vulnerabilities and Threats
- Vulnerability is a weakness in the system that might be exploited to cause harm. For instance, a system that does not verify user identities can be vulnerable to data manipulation.
- A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.
- A threat is blocked by control of a vulnerability.

### CIA from Different Perspective
- Interception harms confidentiality.
- Interruption harms availability.
- Modification harms integrity.
- Fabrication harms integrity.

### Examples of Security Threats & Attacks
- Interruption: destruction of a piece of hardware, cutting of a communication line, or disabling of the file management system.
- Interception: wiretapping or illicit copying of files.
- Modification: changing values in a data file, or altering a program so it performs differently.
- Fabrication: addition of records to a file or the insertion of spurious messages in a network

### Security Terminology
- Asset: A car stereo
- Threat Agent: A thief
- Vulnerability: A hole in a fence
- Threat: Loss of the stereo
- Exploit: Going through the fence hole
- Risk: A stolen car radio

### Kinds of Threats
- Could be from nonhuman events, like natural disasters, loss of power, failure of hardware components
- Could be from humans, benign or malicious, such as unintentionally deleting text or maliciously trying to harm people.
- Malicious harm can be either random or directed attacks.
- In a random attack, the attacker wants to harm any computer or user, for example through malicious code posted on a website.
- In a directed attack, the attacker intends to harm specific computers, for example by attacking specific organizations.

### Computer, Hardware & Software Vulnerabilities
- Computer: Includes weak authentication, lack of access control, errors in programs, finite or insufficient resources, and inadequate physical protection
- Hardware: Includes involuntary acts not intended to do damage, and voluntary machine-slaughter, which is intended to do harm
- Software: Includes deletion, modification via trojan horses, viruses, or logic bombs as well as theft and piracy

### Methods of Defense
- This includes encryption, hardware and software controls, policies, and physical controls.
- Encryption provides confidentiality and integrity via secure protocols.
- Software controls include internal program controls, operating system controls, independent control programs, and development controls.
- Hardware controls include smart cards, locks, user verification and firewalls.
- Physical controls include locks, S/W backups, and measures to reduce the effect of natural disasters.

### Types of Attackers
- Amateurs: Not career criminals but observe flaws in a security system.
- Crackers: Students that attempt to access computing facilities for which they have not been authorized.
- Career criminals: Understand the targets of computer crime; include international groups, electronic spies, and information brokers.
- Hackers: Have deep knowledge but unlike the others, they don't attempt to intentionally break any system.

### Method, Opportunity, Motive
- For an attack to be successful, there must be a method, opportunity, and motive.
- Method: How the attack happens.
- Opportunity: When the attack happens.
- Motive: Why the attack happens.
- To minimize and avoid real harm, perform risk management to assess the likelihood of an event occurring and the magnitude of its impact.
- Some risk always remains uncovered by controls; this is called residual risk.

### How to Make the System Secure
- With System Access Control, which prevents unauthorized people from gaining access to a system.
- Data Access Control monitors who can access what data and for what purposes.
- Enact System and Security Administration via regular procedures and training.
- Incorporate System Design by taking advantage of basic hardware and software security characteristics.

### Effective Controls
- Should consist of physical controls, procedural or admin controls, and technical controls.
- There should always be awareness of problems.
- Controls must always be easy to use and appropriate to the likelihood of use.
- Overlapping controls should be used in combination.
- These controls and procedures can be maintained via periodic review.

### System Access Control
- A system must provide computer security by controlling access.
- Must dictate who is allowed to log in and ensure the user is legitimate.
- The two parts of providing the above are identification and authentication.
- Identities are public and well known, or easily found; authentication, though, should be private.
- User identity can be confirmed by having the user show something they know, something that belongs to them, or something that they literally are.

### Username and Password
- A system typically has a first line of defense
- This includes username and then a password.
- In addition, it must require a valid username and corresponding password.
- A user can easily compromise authentication by sharing their own password.
- Common password threats include: password guessing, brute forcing, password spoofing, and compromising the password file.

### Choosing Strong Passwords
- For strong authentication, use strong passwords:
- Use a character set of a-z plus punctuation, etc.
- Use long passwords
- Avoid proper nouns or real words
- Create a string of characters that is easy to remember
- Use variants of known passwords
- Change passwords regularly
- Keep them secret and don't write them down.

### System Help To Password Security
- Setting a password must be compulsory
- Must use a password different from the default
- Can specify different lengths and the types of characters
- Can also have automatic password checkers, and password generation

### Data Access Control
- On an elementary level, a subject may observe or alter the object.
- Common access modes include executing, appending, writing and reading.
- Model examples include the Bell-LaPadula model.

### Effectiveness of Controls
- Awareness of problems, likelihood of use, overlapping controls, and periodic review contribute to effective controls.
