Basic Security Concepts

Questions and Answers

Which of the following is NOT a characteristic of an item with preserved integrity?

It is consistent.

It's accurate.

It's always modified. (correct)

It's precise.

What does 'availability', when referring to assets, primarily ensure?

That assets are accessible to authorized parties at appropriate times. (correct)

That assets are only modified by authorized personnel.

That assets are precisely cataloged.

That assets are internally consistent in their records.

According to the provided content, what is the term 'denial of service (DoS)' considered the opposite of?

Integrity.

Authorization.

Availability. (correct)

Authentication.

What aspect of the AAA framework is concerned with verifying the identity of a user?

Authentication.

Which of the following best describes the core focus of the CIA triad?

Asset protection in computing systems

Of the following, which is NOT an area of particular aspects of integrity mentioned?

User authentication and authorization.

In the context of computer security, what does 'confidentiality' primarily aim to protect?

Information from unauthorized access

What does 'integrity' within the CIA triad primarily focus on?

Authorized and appropriate modification of data.

If a computing asset is inaccessible to authorized users, which principle of the CIA triad is affected?

Availability

Which term describes the entity trying to access a computer resource, within a security context?

Subject

Which of the following is considered an example of a non-malicious human threat?

Accidentally deleting a crucial file.

What type of harm is best described by the 'interruption' of data?

Loss of data.

Which term defines a potential cause of harm?

Threat

Which of these options, relates to a hardware vulnerability?

Accidental damage to a machine.

What does a 'random' attack typically target?

Any computer or user accessible.

What is a vulnerability in the context of a computing system?

A weakness in the system that could be exploited.

What is the main difference between a threat and a vulnerability?

A threat is a circumstance with potential to cause harm, while a vulnerability is an exploitable weakness.

Which of the following best describes how a threat is blocked?

By controlling the vulnerability.

What are the four acts characterizing security threats?

Interception, interruption, modification, and fabrication.

In the context of a security threat, what does 'interception' refer to?

Unauthorized access to system or data.

A "wiretap" can be considered a form of "modification" in the security context.

False

In the context of security, adding records to a file without authorization is an example of "fabrication."

True

Disabling the file management system is an example of an attack focused on "confidentiality."

False

Altering a program to make it function differently is an example of "modification."

True

A network is considered a destination in the "interception" attack model.

True

Confidentiality ensures that assets of computing systems are available to anyone.

False

Integrity means assets can be modified only by authorized parties in authorized ways.

True

Availability guarantees that assets are accessible to authorized parties without any delay.

True

In the CIA triad, confidentiality is concerned with the privacy of assets.

True

Assets can be viewed and printed by anyone under the principle of confidentiality.

False

A malicious attack can only be directed.

False

A vulnerability is a potential cause of harm.

False

A threat agent is always malicious.

False

A 'weak authentication' vulnerability is a hardware vulnerability.

False

A threat can occur without an exploit.

True

Computer security is the protection of items that have value.

True

Detection in computer security means only identifying physical intrusions.

False

Locks on doors and burglar alarms are examples of reaction measures.

False

Encryption is a preventive measure in credit card fraud cases.

True

Recovery of assets after a loss falls under the classification of prevention.

False

Study Notes

Basic Security Concepts

• Computer security is the protection of computer system assets (items that have value).
• Assets include hardware, software, data, processes, storage media, and people.
• The Principle of Easiest Penetration: Intruder will use any available means.
• There are three classifications of computer protection:
  • Prevention: measures to stop damage.
  • Detection: measures to identify damage and who caused it.
  • Reaction: measures to recover from damage.

Examples

• Physical world example:
  • Prevention: locks, window bars, walls.
  • Detection: burglar alarm, CCTV cameras.
  • Reaction: calling the police, replacing the stolen item.
• Cyber world example (credit card fraud):
  • Prevention: Encryption, merchant checks, not using credit cards on the internet.
  • Detection: unauthorized transactions appearing on statements.
  • Reaction: getting new card numbers, recovering costs.

Security Goals - CIA Triad

• Confidentiality: Assets of computing systems are available only to authorized parties (secrecy or privacy).
• Integrity: Assets can only be modified by authorized parties or only in authorized ways.
• Availability: Assets are accessible to authorized parties when needed without any delay.
• Security is achieved through a combination of these three principles, from the asset's point of view, not the user.

Confidentiality

• Ensures that computer-related assets are accessed only by authorized parties.
• Access is given only to those who should have access to something.
• "Access" includes viewing, printing, and knowing the asset exists.

Integrity

• Assets can be modified only by authorized parties in authorized ways.
• Modification includes writing, changing, changing status, deleting, and creating.
• Integrity means different things in different contexts.
• Integrity of an item can mean: accurate, precise, unmodified, modified only in acceptable ways, modified only by authorized people, modified only by authorized processes, consistent, internally consistent, meaningful, and usable.

Availability

• Assets are accessible to authorized parties at appropriate times.
• Access to particular sets of objects should not be prevented from persons/systems who have legitimate access.
• Availability is sometimes known by its opposite - denial of service (DoS).
• Availability applies to data (information) and services.
• Definition of availability depends on has enough capacity to meet service needs.

Other Protection Requirements (AAA)

• AAA system is from the user point of view. It's a three-process framework used to manage user access, enforce policies, and measure network resource consumption.
• Authentication: Who the user is? (genuine user)
• Authorization: What can the user do? (permission to access resources)
• Accounting: Tracking user activities and events.

Vulnerabilities and Threats

• A vulnerability is a weakness (in procedures, design, or implementation) that can be exploited to cause harm.
• A threat to a computer system is a set of circumstances that has the potential to cause loss or harm.

Security Terminology

• Asset: The item being protected (car stereo).
• Threat: The potential harm (loss of stereo).
• Threat Agent: The entity causing the threat (thief).
• Vulnerability: The weakness that allows the threat to occur (fence hole).
• Exploit: Taking advantage of the vulnerability (thief going through fence hole).
• Risk: The likelihood of a threat occurring (likelihood of theft).

Kinds of Threats

• Natural threats: disasters like fire, floods, power failure.
• Human threats: benign (accidental acts) or malicious (intentional acts).
• Types of malicious threats: Random attacks, directed attacks (e.g., impersonation).

Computer Network Vulnerabilities

• Radiation: Interference or data breaches.
• Tapping: Unauthorized access to communications lines and data.
• Cross-talk: Interference between lines.
• Improper Connections/Cross-Coupling: Physical connection issues that can compromise data integrity or access.
• Systems programmer: Issues with disabling or revealing protective features or revealing hidden measures.
• Hardware: Failure of protection circuits, contributing to software failures, failure of protection features, access control bounds control.
• Software: Improper connections, systems programmer issues, bugs

Security Threats

• Interception: Unauthorized party gains access.
• Interruption: System is destroyed or unusable.
• Modification: Unauthorized party tampers with an asset.
• Fabrication: Unauthorized party inserts fake objects into the system.

Computer Vulnerabilities (List)

• Weak authentication
• Lack of access control
• Errors in programs
• Finite or insufficient resources
• Inadequate physical protection
• Hardware vulnerabilities
• Involuntary machine-slaughter: accidental acts.
• Voluntary machine-slaughter: intended to do harm.
• Software vulnerabilities (deletion, modification, logic bomb, theft)
• Data vulnerabilities (data confidentiality, data integrity).
• Storage media/networks/access

Methods of Defense

• Encryption: Provides confidentiality, integrity, basis for protocols.
• Policies: Frequent password changes, security policy training, legal and ethical controls, codes of ethical controls.
• Physical Controls: Locks, backup copies, physical site planning, reduce natural disasters.
• Software/Hardware Controls: Internal program controls, operating system controls, development controls, hardware controls, implement encryption, locks/cables, devices to verify user identity.

Types of Attackers

• Amateurs: Individuals who exploit security flaws without malicious intent.
• Crackers: Individuals, often students, seeking unauthorized access to computing facilities.
• Career criminals: Individuals with organized criminal activity, including electronic espionage.
• Hackers: Individuals knowledgeable about operating systems, but typically non-malicious.

Method-Opportunity-Motive

• Malicious attackers succeed by having method, opportunity, and motive.
• To prevent attacks, prevent any of these factors from existing.
• Risk, remaining uncovered by controls after these steps are called residual risk.
• Minimize risk by performing risk management, assessing likelihood of occurrence, and magnitude of impact.

How to Make the System Secure

• System Access Control: Restrict unauthorized access.
• Data Access Control: Monitor data access and purposes.
• System and Security Administration: Perform procedures (system administrator's responsibilities/training).
• System Design: Take advantage of basic hardware and software security.

Controls

• A control or countermeasure is a means to counter threats.
• Harm occurs when a threat is realized against a vulnerability.
• To protect against harm, neutralize the threat, close the vulnerability, or both.
• The possibility of harm to occur is called risk and can be managed by several methods.
  • Prevent, Deter, Deflect, Mitigate, Detect, Recover.

Types of Controls

• Physical Controls: Tangible measures (locks, walls, fences).
• Procedural/Administrative Controls: Rules, regulations, policies, procedures.
• Technical Controls: Technology-based protection (passwords, firewalls, encryption).

System Access Control

• Identification and authentication.
• How the system authenticates a user.
• (3) ways to prove user identity.
  • Something the user knows (passwords, PINs, passphrases).
  • Something the user is (biometrics).
  • Something the user has (tokens, keys, smart cards).

System Access- Username/Password

• Typical first line of defense.
• Username—Login ID – Identification.
• Password—Authentication.
• Successful login requires correct username and password.

System Access- Password Control

• User plays an important role in password protection (compromised if shared).
• Common password threats: Password guessing, password spoofing, compromised password file.

Choosing Strong Passwords

• Use characters, choose long passwords.
• Avoid actual names or words.
• Use variants and change regularly; do not write down or share passwords.

System Access - Password Security

• Compulsory to set a password.
• Changing default passwords, password length, format, and avoidance of obvious passwords.
• Password checkers, password generation, password ageing, login attempts limit, and informing users.

Data Access

• Subject may observe or alter an object.
• Common access modes: observe and change.
• Access rights in the Bell-LaPadula model.
• Access rights are defined for subjects and objects (actions).

Effectiveness of Controls

• Awareness of security requirements is needed for effective cooperation.
• Controls should be easy to use for effective implementation.
• Overlapping controls are beneficial and combined use is preferable.
• Effective controls need periodic review to evaluate effectiveness.

Description

This quiz explores the foundational principles of computer security, including asset protection and the three classifications of computer protection: prevention, detection, and reaction. It also delves into real-world examples to illustrate these concepts and introduces the CIA triad of security goals. Test your knowledge on how to secure valuable computing resources effectively.