Computer Security Concepts Overview

Questions and Answers

What is an example of high integrity data?

• Public website registration data
• An online poll
• A hospital patient’s allergy information (correct)
• Anonymous feedback forms

Which situation represents a moderate availability requirement?

• A public university website (correct)
• An online gaming platform
• A system requiring login access
• A telephone directory lookup

What integrity level is associated with an anonymous online poll?

• Critical integrity
• Low integrity (correct)
• High integrity
• Moderate integrity

What is a potential challenge of computer security mentioned?

Complexity of security measures (B)

Which type of data requires the highest integrity level?

Patient allergy information (C)

What constitutes a low availability requirement?

An online directory lookup (B)

What should a high integrity system ensure in case of data manipulation?

Recovery to a trusted state (C)

Which scenario would result in critical financial loss due to unavailability?

An authentication system for customers (D)

Which of the following assets is considered to have a very high confidentiality rating?

Student grade information (C)

What does the US FERPA Act primarily protect?

Student grades (B)

Which type of student information is considered to have moderate confidentiality?

Student enrollment information (C)

Which of the following types of information typically has a low confidentiality rating?

Directory information (C)

What is primarily affected if student grade information is improperly disclosed?

Confidentiality of students (C)

What is the significance of service authentication in information security?

It ensures confidentiality by validating user identities. (C)

Which of the following is NOT an example of a security requirement?

Mobility (A)

Which aspect of information security focuses on ensuring that only authorized individuals can access sensitive data?

Confidentiality (D)

What does the term 'confidentiality' primarily refer to in computer security?

Protecting data from unauthorized access (A)

Which objective of the CIA triad assures that systems are operational and service is not denied?

Availability (B)

What is meant by data integrity in computer security?

Information can only be altered in an authorized manner (C)

What does authenticity in computer security ensure?

The originator of a message can be verified (B)

Which of the following is NOT a key security requirement in the CIA triad?

Reputation (A)

What does accountability in computer security require?

Tracking actions uniquely to an individual (C)

Which of the following describes an attack surface?

The total area of software that can be exploited (A)

What is the primary goal of computer security according to the provided information?

To preserve the integrity, availability, and confidentiality of information (C)

What does ensuring system integrity involve?

Maintaining the system's operational functions (C)

Which security principle focuses on protecting against unauthorized disclosure?

Confidentiality (A)

What is the primary focus of computer security mechanisms?

To prevent unauthorized access and data breaches (C)

Which principle suggests that access decisions should default to no access?

Fail-safe defaults (B)

What does the concept of 'attack surface' refer to?

Potential vulnerabilities accessible by an attacker (A)

Which of the following is NOT a category of attack surface?

Database attack surface (D)

What is the purpose of attack trees in computer security?

To map out potential vulnerabilities (A)

Which principle emphasizes minimal shared functions among different users?

Least common mechanism (D)

Which of these actions represents a threat to data integrity?

Altering data without authorization (D)

In the context of computer security, what does the term 'deception' refer to?

Falsification or alteration of data (B)

What does the principle of 'separation of privileges' entail?

Multiple privileges are required to complete a task (D)

What does the principle of 'layering' in security design emphasize?

Using multiple overlapping protection measures (D)

What is a threat to confidentiality in computer security?

Exposure of sensitive data (C)

Which is a common misconception about computer security mechanisms?

They should not require constant monitoring (D)

What does the principle of 'psychological acceptability' refer to?

Users should not find security measures burdensome (B)

Which of the following is a fundamental security design principle?

Open design (C)

Study Notes

Computer Security Concepts

• Computer security aims to protect automated information systems to preserve integrity, availability, and confidentiality of resources.
• Resources include hardware, software, firmware, information/data, and telecommunications.

Threats, Attacks, and Assets

• Confidentiality ensures sensitive information is not disclosed to unauthorized individuals.
• Integrity ensures information and programs are changed only in an authorized way.
• Availability ensures systems work promptly and services are not denied to authorized users.

Security Functional Requirements

• Authenticity verifies the genuineness of a transmission, message, or originator.
• Accountability ensures actions can be traced back to a specific entity for purposes like fault isolation and non-repudiation.

Fundamental Security Design Principles

• Security requirements are categorized into confidentiality, integrity, and availability.
• Each requirement has different levels, including high, moderate, and low.
• The level of security required depends on the importance of the data or system.
• Examples of high confidentiality data include student grades or patient allergy information.
• Examples of high availability systems include authentication systems or hospital patient records.

Security Procedures

• Security procedures can be counterintuitive and are often an afterthought
• Security mechanisms are often regarded as an impediment to using the system, rather than an integrated part
• Many security procedures are not perceived as beneficial until a system fails
• They require constant monitoring because they are often targeted by attackers

Battle of Wits

• Security is often perceived as a battle of wits between attackers and administrators
• The goal for attackers is to find vulnerabilities and exploit them
• The goal for administrators is to defend against attacks using algorithms and secret information, such as encryption keys

Threat Consequences

• Unauthorized disclosure can lead to data exposure like interception, inference, or intrusion
• Deception can be used to masquerade as a legitimate user, falsify data, or claim that an action did not take place
• Disruption can incapacitate a system by destroying data, corrupting system logic, or obstructing communication
• Disruption can also overload a system to make it unavailable
• Usurpation, or the misuse of a system can involve misappropriation, or theft of services, as well as gaining unauthorized access

Scope of Computer Security

• Computer security encompasses protecting hardware, software, data, communications, and networks
• Security can be implemented using technical measures such as access control and identification/authentication
• Management controls and procedures are also crucial and include awareness/training, audit/accountability, and contingency planning

Fundamental Security Design Principles

• Security principles are similar to software engineering principles
• Economy of Mechanism: security measures should be simple to implement, verify, and minimize vulnerabilities
• Fail-safe default: access decisions should be based on permission and the default should be lack of access
• Complete mediation: every access should be checked against an access control system
• Open design: security algorithms and designs should be open to the public and not kept secret
• Separation of Privilege: multiple privileges should be required to access resources or complete a task
• Least Privilege: every user and process should have the least privilege necessary to complete a task
• Least Common Mechanism: designs should minimize functionality shared by different users to reduce the risk of security breaches
• Psychological Acceptability: security measures should not interfere with the work of users
• Isolation: public access should be isolated from critical resources and user files should be isolated from one another
• Encapsulation: security mechanisms should be isolated and hidden from users
• Modularity: system components and modules should be designed to be independent of each other
• Layering: multiple overlapping protection approaches should be used in a defense-in-depth strategy
• Least Astonishment: a program's behavior should not be overly surprising or confusing to users
• Transparency: security mechanisms and their limitations should be communicated to users

Attack Surfaces

• An attack surface is an exploitable vulnerability in a system
• Attack surfaces include open ports, services outside a firewall, and employees with access to sensitive information
• The three categories of attack surfaces: network, software, and human
• Network attacks target vulnerabilities in networks
• Software attacks target vulnerabilities in software
• Human attacks target user vulnerabilities, such as social engineering
• Attack analysis is used to assess the scale and severity of potential threats

Attack Trees

• A branching, hierarchical data structure that represents potential vulnerabilities
• Attack trees help to identify and exploit vulnerabilities by analyzing attack patterns
• Security analysts use attack trees to guide design and strengthen countermeasures
• Attack trees capture information from publicly available sources such as CERT, which is an organization dedicated to computer security

Security Strategy

• A security strategy defines the overall approach to providing security
• It is comprised of:
  • Policy: defines what security mechanisms should do and includes information about assets, potential threats, cost of security versus cost of failure, and ease of use versus security
  • Implementation: defines how to enforce policies and includes prevention, detection, response, and recovery measures
  • Correctness/Assurance: validates and reviews whether security measures are working as intended

Summary of Key Concepts

• Security concepts, such as threat consequences, attacker motivations, and attack surfaces
• Terminology, such as attack trees and attack analysis
• Security design principles, such as economy of mechanism, fail-safe defaults, and least astonishment
• Security strategy, including policies, implementation, and assurance

Description

This quiz covers the fundamental concepts of computer security, including the definitions and importance of confidentiality, integrity, and availability. Additionally, it explores essential security requirements such as authenticity and accountability, along with key security design principles. Test your understanding of these critical concepts in protecting information systems.