Basic Security Concepts

Questions and Answers

Which of the following is NOT a characteristic of an item with preserved integrity?

• It is consistent.
• It's accurate.
• It's always modified. (correct)
• It's precise.

What does 'availability', when referring to assets, primarily ensure?

• That assets are accessible to authorized parties at appropriate times. (correct)
• That assets are only modified by authorized personnel.
• That assets are precisely cataloged.
• That assets are internally consistent in their records.

According to the provided content, what is the term 'denial of service (DoS)' considered the opposite of?

• Integrity.
• Authorization.
• Availability. (correct)
• Authentication.

What aspect of the AAA framework is concerned with verifying the identity of a user?

Authentication. (C)

Which of the following best describes the core focus of the CIA triad?

Asset protection in computing systems (D)

Of the following, which is NOT an area of particular aspects of integrity mentioned?

User authentication and authorization. (D)

In the context of computer security, what does 'confidentiality' primarily aim to protect?

Information from unauthorized access (D)

What does 'integrity' within the CIA triad primarily focus on?

Authorized and appropriate modification of data. (D)

If a computing asset is inaccessible to authorized users, which principle of the CIA triad is affected?

Availability (A)

Which term describes the entity trying to access a computer resource, within a security context?

Subject (A)

Which of the following is considered an example of a non-malicious human threat?

Accidentally deleting a crucial file. (C)

What type of harm is best described by the 'interruption' of data?

Loss of data. (B)

Which term defines a potential cause of harm?

Threat (D)

Which of these options, relates to a hardware vulnerability?

Accidental damage to a machine. (C)

What does a 'random' attack typically target?

Any computer or user accessible. (D)

What is a vulnerability in the context of a computing system?

A weakness in the system that could be exploited. (D)

What is the main difference between a threat and a vulnerability?

A threat is a circumstance with potential to cause harm, while a vulnerability is an exploitable weakness. (A)

Which of the following best describes how a threat is blocked?

By controlling the vulnerability. (B)

What are the four acts characterizing security threats?

Interception, interruption, modification, and fabrication. (D)

In the context of a security threat, what does 'interception' refer to?

Unauthorized access to system or data. (D)

A "wiretap" can be considered a form of "modification" in the security context.

False (B)

In the context of security, adding records to a file without authorization is an example of "fabrication."

True (A)

Disabling the file management system is an example of an attack focused on "confidentiality."

False (B)

Altering a program to make it function differently is an example of "modification."

True (A)

A network is considered a destination in the "interception" attack model.

True (A)

Confidentiality ensures that assets of computing systems are available to anyone.

False (B)

Integrity means assets can be modified only by authorized parties in authorized ways.

True (A)

Availability guarantees that assets are accessible to authorized parties without any delay.

True (A)

In the CIA triad, confidentiality is concerned with the privacy of assets.

True (A)

Assets can be viewed and printed by anyone under the principle of confidentiality.

False (B)

A malicious attack can only be directed.

False (B)

A vulnerability is a potential cause of harm.

False (B)

A threat agent is always malicious.

False (B)

A 'weak authentication' vulnerability is a hardware vulnerability.

False (B)

A threat can occur without an exploit.

True (A)

Computer security is the protection of items that have value.

True (A)

Detection in computer security means only identifying physical intrusions.

False (B)

Locks on doors and burglar alarms are examples of reaction measures.

False (B)

Encryption is a preventive measure in credit card fraud cases.

True (A)

Recovery of assets after a loss falls under the classification of prevention.

False (B)

Flashcards

Data Integrity

Ensuring data is accurate, consistent, and unmodified, except for authorized changes.

Availability

Guaranteeing authorized users can access data and services when needed.

Authentication

Verifying a user's identity before granting access.

Authorization

Defining what actions a user is permitted to perform.

CIA Triad

A security model protecting information through three pillars: Confidentiality, Integrity, and Availability.

Vulnerability

A weakness in a computer system that can be exploited by an attacker.

Threat

A potential cause of harm to a computer system or its data.

Exploit

The act of taking advantage of a vulnerability to gain unauthorized access or cause harm.

Threat Agent

A person or entity that carries out a threat against a computer system.

Asset

A valuable asset in a computer system, such as data, software, or hardware.

Confidentiality

Information is only accessible to authorized individuals. Think of it as keeping secrets safe!

Integrity

Information can only be changed by authorized individuals in authorized ways. This ensures accuracy and trustworthiness.

Subject

A person, process, or program that tries to access information.

Object

Information or data that is being accessed.

Access Mode

The type of access permitted, like reading, writing, or executing.

Policy

A set of rules or policies defining who can access what information and how.

Difference between Vulnerability and Threat

A vulnerability is a weakness that can be exploited to cause harm. A threat is a potential danger that could exploit that vulnerability.

Security Threats

Actions that can harm a system or data: Interception (eavesdropping), Interruption (disrupting service), Modification (altering data), Fabrication (creating fake data).

What is computer security?

Computer security involves protecting the assets of a computer or computer system, including hardware, software, data, processes, storage media, and people.

Principle of Easiest Penetration

The principle of easiest penetration suggests that intruders will exploit the easiest available method to gain access to a system. This emphasizes the importance of identifying and addressing potential weaknesses.

Security Protection Classifications

Prevention aims to stop attacks before they occur, Detection identifies attacks after they happen, and Reaction involves responding to and recovering from attacks.

Credit Card Fraud Prevention

Encryption protects credit card details during online transactions, and merchants may implement security checks to deter fraudulent purchases.

Credit Card Fraud Detection

Unauthorized transactions appearing on your credit card statement indicate a potential fraud. Reporting these transactions helps in recovering the lost funds.

Interception

An unauthorized party gains access to sensitive information. This violates confidentiality, meaning the information is no longer kept secret.

Modification

An unauthorized party alters data or a system, compromising its accuracy and trustworthiness. This affects data integrity.

Fabrication

An unauthorized party introduces false information or objects into the system, creating a false reality. This also affects data integrity.

Interruption

An attack that makes a resource inaccessible or unavailable. This impacts availability, meaning users cannot access needed information or services.

Security threats / attacks

A combination of methods that compromise the security of a system. They can be used to either steal information, disrupt service, or alter data.

Study Notes

Basic Security Concepts

• Computer security is the protection of computer system assets (items that have value).
• Assets include hardware, software, data, processes, storage media, and people.
• The Principle of Easiest Penetration: Intruder will use any available means.
• There are three classifications of computer protection:
  • Prevention: measures to stop damage.
  • Detection: measures to identify damage and who caused it.
  • Reaction: measures to recover from damage.

Examples

• Physical world example:
  • Prevention: locks, window bars, walls.
  • Detection: burglar alarm, CCTV cameras.
  • Reaction: calling the police, replacing the stolen item.
• Cyber world example (credit card fraud):
  • Prevention: Encryption, merchant checks, not using credit cards on the internet.
  • Detection: unauthorized transactions appearing on statements.
  • Reaction: getting new card numbers, recovering costs.

Security Goals - CIA Triad

• Confidentiality: Assets of computing systems are available only to authorized parties (secrecy or privacy).
• Integrity: Assets can only be modified by authorized parties or only in authorized ways.
• Availability: Assets are accessible to authorized parties when needed without any delay.
• Security is achieved through a combination of these three principles, from the asset's point of view, not the user.

Confidentiality

• Ensures that computer-related assets are accessed only by authorized parties.
• Access is given only to those who should have access to something.
• "Access" includes viewing, printing, and knowing the asset exists.

Integrity

• Assets can be modified only by authorized parties in authorized ways.
• Modification includes writing, changing, changing status, deleting, and creating.
• Integrity means different things in different contexts.
• Integrity of an item can mean: accurate, precise, unmodified, modified only in acceptable ways, modified only by authorized people, modified only by authorized processes, consistent, internally consistent, meaningful, and usable.

Availability

• Assets are accessible to authorized parties at appropriate times.
• Access to particular sets of objects should not be prevented from persons/systems who have legitimate access.
• Availability is sometimes known by its opposite - denial of service (DoS).
• Availability applies to data (information) and services.
• Definition of availability depends on has enough capacity to meet service needs.

Other Protection Requirements (AAA)

• AAA system is from the user point of view. It's a three-process framework used to manage user access, enforce policies, and measure network resource consumption.
• Authentication: Who the user is? (genuine user)
• Authorization: What can the user do? (permission to access resources)
• Accounting: Tracking user activities and events.

Vulnerabilities and Threats

• A vulnerability is a weakness (in procedures, design, or implementation) that can be exploited to cause harm.
• A threat to a computer system is a set of circumstances that has the potential to cause loss or harm.

Security Terminology

• Asset: The item being protected (car stereo).
• Threat: The potential harm (loss of stereo).
• Threat Agent: The entity causing the threat (thief).
• Vulnerability: The weakness that allows the threat to occur (fence hole).
• Exploit: Taking advantage of the vulnerability (thief going through fence hole).
• Risk: The likelihood of a threat occurring (likelihood of theft).

Kinds of Threats

• Natural threats: disasters like fire, floods, power failure.
• Human threats: benign (accidental acts) or malicious (intentional acts).
• Types of malicious threats: Random attacks, directed attacks (e.g., impersonation).

Computer Network Vulnerabilities

• Radiation: Interference or data breaches.
• Tapping: Unauthorized access to communications lines and data.
• Cross-talk: Interference between lines.
• Improper Connections/Cross-Coupling: Physical connection issues that can compromise data integrity or access.
• Systems programmer: Issues with disabling or revealing protective features or revealing hidden measures.
• Hardware: Failure of protection circuits, contributing to software failures, failure of protection features, access control bounds control.
• Software: Improper connections, systems programmer issues, bugs

Security Threats

• Interception: Unauthorized party gains access.
• Interruption: System is destroyed or unusable.
• Modification: Unauthorized party tampers with an asset.
• Fabrication: Unauthorized party inserts fake objects into the system.

Computer Vulnerabilities (List)

• Weak authentication
• Lack of access control
• Errors in programs
• Finite or insufficient resources
• Inadequate physical protection
• Hardware vulnerabilities
• Involuntary machine-slaughter: accidental acts.
• Voluntary machine-slaughter: intended to do harm.
• Software vulnerabilities (deletion, modification, logic bomb, theft)
• Data vulnerabilities (data confidentiality, data integrity).
• Storage media/networks/access

Methods of Defense

• Encryption: Provides confidentiality, integrity, basis for protocols.
• Policies: Frequent password changes, security policy training, legal and ethical controls, codes of ethical controls.
• Physical Controls: Locks, backup copies, physical site planning, reduce natural disasters.
• Software/Hardware Controls: Internal program controls, operating system controls, development controls, hardware controls, implement encryption, locks/cables, devices to verify user identity.

Types of Attackers

• Amateurs: Individuals who exploit security flaws without malicious intent.
• Crackers: Individuals, often students, seeking unauthorized access to computing facilities.
• Career criminals: Individuals with organized criminal activity, including electronic espionage.
• Hackers: Individuals knowledgeable about operating systems, but typically non-malicious.

Method-Opportunity-Motive

• Malicious attackers succeed by having method, opportunity, and motive.
• To prevent attacks, prevent any of these factors from existing.
• Risk, remaining uncovered by controls after these steps are called residual risk.
• Minimize risk by performing risk management, assessing likelihood of occurrence, and magnitude of impact.

How to Make the System Secure

• System Access Control: Restrict unauthorized access.
• Data Access Control: Monitor data access and purposes.
• System and Security Administration: Perform procedures (system administrator's responsibilities/training).
• System Design: Take advantage of basic hardware and software security.

Controls

• A control or countermeasure is a means to counter threats.
• Harm occurs when a threat is realized against a vulnerability.
• To protect against harm, neutralize the threat, close the vulnerability, or both.
• The possibility of harm to occur is called risk and can be managed by several methods.
  • Prevent, Deter, Deflect, Mitigate, Detect, Recover.

Types of Controls

• Physical Controls: Tangible measures (locks, walls, fences).
• Procedural/Administrative Controls: Rules, regulations, policies, procedures.
• Technical Controls: Technology-based protection (passwords, firewalls, encryption).

System Access Control

• Identification and authentication.
• How the system authenticates a user.
• (3) ways to prove user identity.
  • Something the user knows (passwords, PINs, passphrases).
  • Something the user is (biometrics).
  • Something the user has (tokens, keys, smart cards).

System Access- Username/Password

• Typical first line of defense.
• Username—Login ID – Identification.
• Password—Authentication.
• Successful login requires correct username and password.

System Access- Password Control

• User plays an important role in password protection (compromised if shared).
• Common password threats: Password guessing, password spoofing, compromised password file.

Choosing Strong Passwords

• Use characters, choose long passwords.
• Avoid actual names or words.
• Use variants and change regularly; do not write down or share passwords.

System Access - Password Security

• Compulsory to set a password.
• Changing default passwords, password length, format, and avoidance of obvious passwords.
• Password checkers, password generation, password ageing, login attempts limit, and informing users.

Data Access

• Subject may observe or alter an object.
• Common access modes: observe and change.
• Access rights in the Bell-LaPadula model.
• Access rights are defined for subjects and objects (actions).

Effectiveness of Controls

• Awareness of security requirements is needed for effective cooperation.
• Controls should be easy to use for effective implementation.
• Overlapping controls are beneficial and combined use is preferable.
• Effective controls need periodic review to evaluate effectiveness.