Computer Security: Concepts and Objectives

Questions and Answers

Before the common use of data processing equipment, how was the security of information primarily maintained by organizations?

  • By physical and administrative controls. (correct)
  • Through advanced encryption algorithms.
  • Using sophisticated software applications.
  • Via complex network protocols.

What led to the need for automated tools to protect files and information stored on computers?

  • The increase in physical theft of computer hardware.
  • The development of advanced hacking techniques.
  • New government regulations mandating data protection.
  • The introduction of the computer. (correct)

Which development significantly influenced security by enabling data exchange between terminal users and computers?

  • The creation of the World Wide Web.
  • The standardization of database management systems.
  • The introduction of distributed systems. (correct)
  • The invention of the microprocessor.

What is the generic term that describes a collection of tools designed to protect data and prevent unauthorized access?

  • Computer security. (correct)

What does Internet security primarily aim to achieve?

  • To deter, prevent, detect, and correct security violations that involve the transmission of information. (correct)

According to the NIST Computer Security Handbook, what are the three main objectives of computer security?

  • Integrity, availability, and confidentiality. (correct)

What is the primary goal of data confidentiality?

  • Preventing unauthorized access to, or disclosure of, information. (correct)

How does privacy, as a computer security objective, relate to personal information?

  • It gives individuals control over what information about them is collected and stored, by whom, and to whom it is disclosed. (correct)

What does data integrity ensure?

  • Data and programs are changed only in a specified and authorized manner. (correct)

Which aspect of computer security ensures that a system performs its intended function free from unauthorized manipulation?

  • System integrity. (correct)

What is the primary goal of availability in computer security?

  • To ensure systems work promptly and service is not denied to authorized users. (correct)

In the context of computer security, what does the term 'authenticity' refer to?

  • Verifying that users are who they claim to be and that each input to the system came from a trusted source. (correct)

What security goal requires that actions performed on a system can be traced uniquely to a specific entity?

  • Accountability. (correct)

Which level of security breach impact could lead to a severe or catastrophic adverse effect on organizational operations, assets, or individuals?

  • High. (correct)

Which of the following assets requires a high level of confidentiality?

  • Student grade information. (correct)

What level of integrity would be assigned to a website that offers a discussion forum for registered users?

  • Moderate. (correct)

What makes computer security challenging?

  • Among other things, the need for constant monitoring. (correct)

What is a security attack?

  • Any action that compromises the security of information owned by an organization. (correct)

What is a security mechanism?

  • A process (or a device incorporating such a process) designed to detect, prevent, or recover from a security attack. (correct)

What is a security service?

  • A processing or communication service that enhances the security of data processing systems and information transfers. (correct)

According to RFC 4949, what is the definition of a threat?

  • A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. (correct)

According to RFC 4949, what is the definition of an attack?

  • An assault on system security that derives from an intelligent threat: a deliberate attempt to evade security services and violate the security policy of a system. (correct)

What is the primary difference between passive and active security attacks?

  • Active attacks attempt to alter system resources or affect their operation, while passive attacks only try to learn or make use of information. (correct)

Which type of passive attack infers information from traffic patterns (who is talking to whom, how often, and with what message lengths) even when the message contents are encrypted?

  • Traffic analysis. (correct)

What does a masquerade attack involve?

  • One entity pretending to be a different entity. (correct)

What activity characterizes a replay attack?

  • Passively capturing a data unit and retransmitting it later to produce an unauthorized effect. (correct)

Which type of active attack involves altering, delaying, or reordering a portion of a legitimate message?

  • Modification of messages. (correct)

What is the goal of a denial-of-service attack?

  • To prevent or inhibit the normal use or management of communication facilities. (correct)

According to X.800, how is a security service defined?

  • A service provided by a protocol layer of communicating open systems that ensures adequate security of the systems or of data transfers. (correct)

Based on the X.800 service categories, which service ensures that a communication is authentic?

  • Authentication. (correct)

Which security service limits and controls access to host systems and applications via communication links?

  • Access control. (correct)

What does the data confidentiality service primarily protect against?

  • Passive attacks. (correct)

What does the security service of nonrepudiation prevent?

  • Either the sender or the receiver denying a transmitted message. (correct)

What does the availability service protect against?

  • Denial-of-service attacks. (correct)

What is the purpose of traffic padding as a security mechanism?

  • To insert bits into gaps in a data stream and so frustrate traffic analysis. (correct)

Flashcards

Computer security

The generic name for the collection of tools designed to protect data and to thwart hackers.

Internet security

Measures to deter, prevent, detect, and correct security violations that involve the transmission of information.

Data confidentiality

Assures that private or confidential information is not made available or disclosed to unauthorized individuals.

Privacy

Assures that individuals control or influence what information about them is collected and stored, by whom, and to whom it is disclosed.

Data integrity

Assures that information and programs are changed only in a specified and authorized manner.

System integrity

Assures that a system performs its intended function in an unimpaired manner, free from unauthorized manipulation.

Availability

Assures that systems work promptly and service is not denied to authorized users.

Authenticity

Verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

Accountability

The security goal that the actions of an entity can be traced uniquely to that entity.

Security attack

Any action that compromises the security of information owned by an organization.

Security mechanism

A process (or a device incorporating such a process) designed to detect, prevent, or recover from a security attack.

Security service

A processing or communication service that enhances the security of data processing systems and information transfers.

Threat

A potential for violation of security, which exists when a circumstance, capability, action, or event could breach security and cause harm.

Attack

An assault on system security that derives from an intelligent threat: a deliberate attempt to evade security services and violate the security policy of a system.

Passive attack

An attempt to learn or make use of information from the system without affecting system resources.

Active attack

An attempt to alter system resources or affect their operation.

Masquerade

One entity pretends to be a different entity.

Replay

The passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Modification of messages

A portion of a legitimate message is altered, delayed, or reordered to produce an unauthorized effect.

Denial of service

Prevents or inhibits the normal use or management of communications facilities.

Security service (X.800)

A service provided by a protocol layer of communicating open systems that ensures adequate security of the systems or of data transfers.

Security service (RFC 4949)

A processing or communication service that provides a specific kind of protection to system resources.

Authentication (X.800 service)

Assures that a communication is authentic: the recipient can be sure of the source of a single message, and in an ongoing interaction both entities are who they claim to be.

Access control (X.800 service)

Limits and controls access to host systems and applications via communication links.

Data confidentiality (X.800 service)

Protects transmitted data from passive attacks.

Data integrity (X.800 service)

Assures that messages are received as sent, with no duplication, insertion, modification, reordering, or replay.

Nonrepudiation (X.800 service)

Prevents either the sender or the receiver from denying a transmitted message.

Availability (X.800 service)

Assures that a system or system resource is accessible and usable upon demand by an authorized entity.

Encipherment

The use of mathematical algorithms to transform data into a form that is not readily intelligible.

Digital signature

Data appended to, or a cryptographic transformation of, a data unit that allows the recipient to prove the source and integrity of the data unit and protects against forgery.

NIST

U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private-sector innovation.

Internet Society

Professional membership society that provides leadership on issues confronting the future of the Internet and is home to the groups responsible for Internet infrastructure standards.

Study Notes

Computer Security Concepts

  • Before the widespread use of data processing equipment, security of information was primarily ensured through physical and administrative methods.
  • With computers, automated tools became necessary to protect files and stored information.
  • The introduction of distributed systems, and of networks and communication facilities for carrying data between terminal user and computer and between computer and computer, created the need for network security measures that protect data in transit.
  • Computer security refers to tools protecting data and thwarting hackers.
  • Internet security includes measures to deter, prevent, detect, and correct security violations involving information transmission.
  • The NIST Computer Security Handbook defines computer security as protecting information systems to maintain integrity, availability, and confidentiality of resources.

Computer Security Objectives

  • Confidentiality ensures that private information is not available or disclosed to unauthorized entities.
  • Privacy allows individuals to control what information is collected, stored, and disclosed about them.
  • Data integrity ensures that information and programs are changed only in a specified and authorized way.
  • System integrity ensures a system performs unimpaired and is free from unauthorized manipulation.
  • Availability ensures systems work promptly and service is not denied to authorized users.

Additional Security Concepts

  • Authenticity confirms users are who they claim to be, and that each system input comes from a trusted source.
  • Accountability ensures actions of an entity can be traced to it.

Breach of Security Levels of Impact

  • High-level breaches have severe or catastrophic adverse effects on organizational operations, assets, or individuals.
  • Moderate-level breaches have a serious adverse effect on organizational operations, assets, or individuals.
  • Low-level breaches have a limited adverse effect on organizational operations, assets, or individuals.

Examples of Security Requirements

  • Confidentiality example: student grade information requires a high level of confidentiality.
  • Integrity example: a hospital patient's allergy information in a database requires high integrity; an anonymous online poll is a low-integrity requirement.
  • Availability example: the more critical a component or service, the higher the level of availability required. A system that provides authentication services is a high-availability requirement, a public university website a moderate one, and an online telephone directory lookup application a low one.

Computer Security Challenges

  • Security is not simple and requires considering potential attacks.
  • Procedures for providing security are often counter-intuitive.
  • Deciding where to use various security mechanisms is necessary.
  • Requires constant monitoring.
  • Often treated as an afterthought.
  • Security mechanisms involve more than algorithms or protocols.
  • Security is a battle of wits between perpetrators and designers.
  • Security investment benefits are not always perceived until failure.
  • Strong security is often seen as hindering efficiency and user-friendliness.

OSI Security Architecture

  • Security attack: Any action compromising an organization’s information security.
  • Security mechanism: Process/device to detect, prevent, or recover from a security attack.
  • Security service: Enhances data processing/information transfer security, counters attacks, and uses security mechanisms.

Threats and Attacks (RFC 4949)

  • Threat: A potential security violation due to circumstances, capability, actions, or events.
  • Attack: An intelligent assault on system security, attempting to evade security services and violate policy.

Security Attacks

  • Security attacks are classified as passive and active.
  • Passive attack: Attempts to learn information from the system without affecting resources.
  • Active attack: Attempts to alter system resources or operations.

Passive Attacks

  • Passive attacks involve eavesdropping or monitoring transmissions.
  • The goal is to obtain transmitted information.
  • Two types: release of message contents and traffic analysis.

Active Attacks and Types

  • Active attacks involve modifying data streams or creating false ones.
  • Active attacks are difficult to prevent absolutely because of the wide variety of potential physical, software, and network vulnerabilities.
  • The goal is therefore to detect active attacks and to recover from any disruption or delay they cause.
  • Masquerade: When an entity pretends to be a different one.
  • Replay: Passively captures and retransmits a data unit to produce an unauthorized effect.
  • Modification of Messages: Alters, delays, or reorders messages to produce unauthorized effects.
  • Denial of Service: Prevents or inhibits normal communications facilities.

Security Services

  • Defined by X.800: a service provided by a protocol layer of communicating open systems that ensures adequate security of the systems or of data transfers.
  • Defined by RFC 4949: A processing/communication service providing specific protection to system resources.

X.800 Security Services

  • Authentication
  • Access control
  • Data confidentiality
  • Data integrity
  • Nonrepudiation

X.800 Service Categories

  • Authentication assures communication authenticity.
    • Single message case: guarantees the message's origin.
    • Ongoing interaction: assures entity authenticity and protects against interference.
  • Access control limits host system/application access via communication links.
  • Data confidentiality protects transmitted data from passive attacks.
    • The broadest form protects all user data on a connection; narrower forms protect a single message or selected fields within it.
    • It also includes protection of traffic flow from analysis, so that an attacker cannot observe the source, destination, frequency, or length of traffic.
  • Data integrity applies to a stream of messages, a single message, or selected fields within a message.
    • The connection-oriented service assures that messages are received as sent, with no duplication, insertion, modification, reordering, or replay; a connectionless service typically protects a single message against modification only.
  • Nonrepudiation prevents either the sender or the receiver from denying a transmitted message.
    • The receiver can prove that the alleged sender in fact sent the message, and the sender can prove that the alleged receiver in fact received it.
  • Availability Service ensures system and resources availability upon request.
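The active attacks listed earlier (masquerade, replay, modification of messages) and the X.800 authentication and data integrity services described in this section can be shown together in working code. The Python below is an added illustration, not material from the lesson or from X.800 itself: the shared key, the frame layout (8-byte sequence number, payload, HMAC-SHA256 tag) and the attack sequence are all constructed for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 digest length in bytes
SEQ_LEN = 8   # big-endian unsigned sequence number


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = seq || payload || HMAC-SHA256(key, seq || payload).
    The tag covers the sequence number, so a captured frame cannot be renumbered."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Connection-oriented integrity check. A frame is delivered only if its tag
    verifies under the shared key (catches modification, and masquerade by a party
    without the key) and its sequence number is strictly greater than the last one
    accepted (catches replay, duplication and reordering)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.delivered = []

    def accept(self, frame: bytes) -> str:
        """Return a verdict string; delivered payloads are appended to self.delivered."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "truncated"
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # compare_digest runs in constant time, so the check does not leak the tag byte by byte
        if not hmac.compare_digest(tag, expected):
            return "modified or forged"
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            return "replay or reordering"
        self.last_seq = seq
        self.delivered.append(payload)
        return "accepted"


def run_scenario():
    """Constructed attack sequence against one receiver; returns (verdicts, delivered payloads)."""
    key = b"constructed-demo-key-not-for-real-use"  # assumption: shared out of band beforehand
    rx = Receiver(key)
    verdicts = []

    # Legitimate traffic.
    f0 = seal(key, 0, b"transfer 10 to alice")
    f1 = seal(key, 1, b"transfer 20 to bob")
    verdicts.append(rx.accept(f0))
    verdicts.append(rx.accept(f1))
    # Replay: the attacker captured f1 passively and resends it unchanged.
    verdicts.append(rx.accept(f1))
    # Modification: the payee of a fresh frame is overwritten in transit (same length).
    f2 = seal(key, 2, b"transfer 20 to bob")
    tampered = f2[:SEQ_LEN] + b"transfer 20 to eve" + f2[-TAG_LEN:]
    verdicts.append(rx.accept(tampered))
    verdicts.append(rx.accept(f2))  # the genuine frame still gets through
    # Masquerade: a frame sealed by someone who does not hold the shared key.
    verdicts.append(rx.accept(seal(b"attacker-key", 3, b"transfer 1000 to eve")))
    # Reordering: frames 3 and 4 are delivered in the wrong order.
    f3, f4 = seal(key, 3, b"ping"), seal(key, 4, b"pong")
    verdicts.append(rx.accept(f4))
    verdicts.append(rx.accept(f3))
    # Truncation: the tag is cut off in transit.
    verdicts.append(rx.accept(f4[:20]))
    return verdicts, rx.delivered


if __name__ == "__main__":
    for verdict in run_scenario()[0]:
        print(verdict)
```

The MAC gives data origin authentication and integrity, which is the connection-oriented integrity service of X.800. It does not give nonrepudiation: the receiver holds the same key and could have produced any tag itself, so a third party cannot tell the two apart, which is why nonrepudiation is a separate service that needs a digital signature. The strictly increasing sequence check also drops frames that were legitimately delivered out of order; protocols that must tolerate reordering, such as IPsec and DTLS, keep a sliding replay window instead.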

Specific Security Mechanisms

  • Implemented in a specific protocol layer, such as TCP or an application-layer protocol, to provide some of the OSI security services.
  • X.800 lists encipherment, digital signature, access control, data integrity, authentication exchange, traffic padding, routing control, and notarization.

Pervasive Security Mechanisms

  • Not specific to any particular OSI security service or protocol layer.
  • X.800 lists trusted functionality, security labels, event detection, security audit trails, and security recovery.
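Traffic padding, the specific mechanism the quiz asks about, counters the traffic-analysis passive attack by taking message length away from the eavesdropper. The Python below is an added illustration, not from the lesson: the three-reply catalogue is constructed, and encryption is modelled as length-preserving (which is what a stream cipher or AES-GCM leaves visible on the wire), so the eavesdropper's only observable is the frame length. It goes one step past the definition by showing that the bucket size decides how much is hidden.

```python
import struct

# Constructed catalogue of the replies a hypothetical service can send.
# An eavesdropper who knows the protocol is assumed to know this catalogue too.
CATALOGUE = {
    "deny": b"ERR access denied",
    "balance": b"OK balance=12345.67 currency=EUR",
    "history": b"OK " + b";".join(b"2024-01-%02d debit 10.00" % d for d in range(1, 8)),
}


def pad(msg: bytes, bucket: int) -> bytes:
    """Prefix a 2-byte length, then zero-fill to the next multiple of `bucket`.
    The length field lets the receiver strip the filler exactly; the filler itself
    is hidden by the length-preserving encryption applied afterwards."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length field")
    body = struct.pack(">H", len(msg)) + msg
    return body + b"\x00" * ((-len(body)) % bucket)


def unpad(frame: bytes) -> bytes:
    """Receiver side: recover the original message from a padded frame."""
    (n,) = struct.unpack(">H", frame[:2])
    return frame[2:2 + n]


def wire_len(msg: bytes, bucket) -> int:
    """Length the eavesdropper sees; bucket=None means no padding at all."""
    return len(msg) if bucket is None else len(pad(msg, bucket))


def candidates(observed_len: int, bucket) -> set:
    """Traffic analysis: the catalogue entries consistent with one observed length."""
    return {name for name, msg in CATALOGUE.items() if wire_len(msg, bucket) == observed_len}


def leak_report(bucket) -> dict:
    """For each reply, how many catalogue entries the eavesdropper cannot tell apart.
    1 means the length identifies the reply exactly; len(CATALOGUE) means it reveals nothing."""
    return {name: len(candidates(wire_len(msg, bucket), bucket)) for name, msg in CATALOGUE.items()}


if __name__ == "__main__":
    for bucket in (None, 64, 256):
        print(f"bucket={bucket}: {leak_report(bucket)}")
```

With no padding every reply is identified by its length alone. Padding to 64-byte buckets merges the two short replies but the long "history" reply still stands out, because a bucket scheme only hides differences within a bucket; padding everything to 256 bytes, the size of the largest reply rounded up, makes all three indistinguishable at the cost of bandwidth. Padding addresses length only: the number and timing of frames still leak, which is why X.800 describes traffic padding as also filling gaps in the stream with dummy traffic.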

NIST Standards

  • NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private-sector innovation.
  • NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact.

ISOC Standards

  • The Internet Society (ISOC) is a professional membership society.
  • Provides leadership on Internet issues.
  • Oversees groups responsible for Internet infrastructure standards.
  • Internet standards published as Requests for Comments (RFCs).
