Computer Security Principles

Questions and Answers

What type of threat violates the availability security concept?

• Malicious destruction of a hardware device (correct)
• Tampering with an asset
• Creating a fabrication of counterfeit objects
• Unauthorized access to an asset

What is an example of a modification threat?

• Erasure of a program
• Unauthorized access to an asset
• Changing values in a database (correct)
• Malfunction of an operating system file manager

What security concept is violated when an unauthorized party creates a fabrication of counterfeit objects?

• Integrity
• Authenticity (correct)
• Confidentiality
• Availability

What is an example of an unauthorized party violating the integrity security concept?

Changing values in a database (B)

What type of threat involves tampering with an asset?

Modification (A)

What is the result of an unauthorized party not only accessing but tampering with an asset?

Modification (A)

What is the primary concern of hardware security?

Physical safety of computing hardware (B)

What is 'Machinicide'?

Intentional harm to computer hardware (C)

How can hardware security be enhanced?

By using physical measures such as locks and guards (C)

Who is typically responsible for hardware security?

A relatively small staff of computing center professionals (C)

What is an example of a physical attack on hardware?

Drenching a computer with water (A)

Why is hardware security important?

To protect against physical harm to devices (D)

What type of attack involves adding devices to a system?

Visible attack (D)

What is the primary focus of Section 1.3.4.1?

Hardware vulnerabilities (B)

What is the primary goal of confidentiality in computer-related assets?

To ensure only authorized persons have access (A)

What type of security measure is confidentiality?

Access control (B)

What is the primary focus of confidentiality in computer-related assets?

Data secrecy (C)

What is the opposite of confidentiality?

Transparency (B)

What is the primary benefit of confidentiality in computer-related assets?

Increased data security (C)

What is a potential consequence of a breach of confidentiality?

Un authorized access (B)

What is the relationship between confidentiality and access control?

Confidentiality is a type of access control (B)

What is the primary aim of confidentiality in computer-related assets?

To protect data from unauthorized access (A)

What is the primary function of independent control programs?

To protect against specific types of vulnerabilities (B)

What is an example of a hardware control that can assist in providing computer security?

Firewalls (A)

What is the primary purpose of user policies and procedures?

To enforce procedures or policies among users (D)

What type of control is used to prevent software faults from becoming exploitable vulnerabilities?

Development controls (B)

What is an example of a simple control that can be achieved at essentially no cost but with tremendous effect?

Frequent changes of passwords (C)

What type of control is used to protect each user from all other users?

Operating system and network system controls (C)

What is the purpose of devices that verify users' identities?

To verify users' identities (A)

What is the primary limitation of saving all old versions of a program as a control against accidental software deletion?

It is prohibitively expensive in terms of cost of storage (D)

What is a potential harm that a company could experience from electronic espionage?

Financial loss due to unauthorized access to confidential information (A)

What control could be instituted to limit the vulnerability of a program that leaks a list of employee names earning more than a certain amount?

Implementing access controls to restrict who can view the list (D)

Which of the following is NOT a restatement of the concern over interruption, interception, modification, and fabrication?

Preserving authenticity (A)

Is an application that is insecure but still functions correctly considered 'good'?

No, because security is a critical component of quality (D)

Who might want to attack a program that displays a city's current time and temperature?

All of the above (D)

What type of harm might an attacker want to cause to a program that allows consumers to order products from the web?

All of the above (D)

What kind of vulnerability might an attacker exploit to cause harm to a program that accepts and tabulates votes in an election?

All of the above (D)

What type of harm might an attacker want to cause to a program that allows a surgeon to assist in an operation remotely?

All of the above (D)

Study Notes

Security Concepts

• Confidentiality ensures that computer-related assets are accessed only by authorized parties.
• Integrity ensures that assets are not modified without authorization.
• Availability ensures that assets are accessible and usable when needed.

Threats

• Unauthorized access, tampering, modification, or destruction of assets can compromise security.
• Examples of threats include:
  • Malicious destruction of hardware devices
  • Erasure of programs or data files
  • Malfunction of operating system file managers
  • Modification of data being transmitted electronically
  • Creation of counterfeit objects on a computing system

Vulnerabilities

• Hardware vulnerabilities:
  • Visible attacks (e.g., adding devices, changing them, removing them, intercepting traffic)
  • Physical attacks (e.g., drenching with water, burning, freezing, gassing, electrocution)
  • Machinicide (e.g., shooting with guns, stabbing with knives, smashing)
• Software vulnerabilities:
  • Operating system and network system controls
  • Independent control programs (e.g., password checkers, intrusion detection utilities, virus scanners)
  • Development controls (e.g., quality standards for design, coding, testing, and maintenance)

Controls

• Hardware controls:
  • Encryption implementations
  • Locks or cables limiting access or deterring theft
  • Devices to verify users' identities
  • Firewalls
  • Intrusion detection systems
  • Circuit boards controlling access to storage media
• Software controls:
  • Operating system and network system controls
  • Independent control programs
  • Development controls
• User policies and procedures:
  • Enforcing procedures or policies among users
  • Frequent changes of passwords
  • Other controls to prevent accidental software deletion or unauthorized access

Description

Learn about the fundamental principles of computer security, including confidentiality and access control.