Cybersecurity Impact Assessment
39 Questions

Questions and Answers

    What is the highest level of impact described in the content?

      • Catastrophic
      • Moderate
      • Limited
      • High (correct)

    Which of these are potential consequences of a "Moderate" impact breach?

      • Serious disruption to organizational operations (correct)
      • Limited disruption to organizational operations
      • Severe disruption to organizational assets
      • Catastrophic effect on organizational individuals

    Which of these options is NOT a potential area of impact described in the content?

      • Organizational assets
      • Individual privacy
      • Organizational operations
      • Financial performance (correct)

    A breach that causes a limited disruption to organizational operations is most likely to be categorized as which level of impact in the content?

    Low (D)

    Which of the following is an example of a potential consequence of a 'High' impact breach?

    Significant financial loss (C), Loss of customer trust (D), All of the above (E)

    What are the four key courses of action involved in security implementation?

    Prevention, detection, response, recovery (B)

    Which of the following is NOT a factor considered when developing a security policy?

    Popularity of the system (D)

    What is the primary goal of security assurance?

    Ensuring security measures function as intended (D)

    Which of the following is a trade-off commonly encountered in security design?

    Cost of security vs. cost of failure and recovery (C)

    Which of the following is NOT a category of active attacks?

    Eavesdropping (C)

    What is the purpose of an attack tree?

    To map out possible attack paths and their complexities (B)

    What is the main goal of a passive attack?

    To gain information from the system (B)

    Which type of active attack involves the retransmission of a captured data unit to produce an unauthorized effect?

    Replay (A)

    Which type of passive attack involves monitoring the traffic patterns to gain information?

    Traffic analysis (C)

    Which type of attack occurs when an entity pretends to be another entity?

    Masquerade (B)

    What type of attack is characterized by altering or delaying messages to produce an unauthorized effect?

    Modification of messages (D)

    Which type of attack aims to prevent the normal use of communication facilities?

    Denial of service (B)

    Which of the following is NOT a characteristic of active attacks?

    Focus on obtaining information from the system (C)

    Which of these is NOT a type of data integrity service, as described in the content?

    Message-level integrity (A)

    What is the primary function of a connectionless integrity service?

    Protecting against message modification (C)

    Which of these is NOT a key aspect of non-repudiation, as defined in the content?

    Ensuring message confidentiality (B)

    Which security service is directly impacted by denial-of-service (DoS) attacks?

    Availability (B)

    What is the key difference between connection-oriented and connectionless integrity services?

    Connection-oriented services handle streams of messages, while connectionless services deal with individual messages (D)

    Which of the following is NOT a security mechanism commonly associated with security services?

    Physical security measures (D)

    Why is it often impossible for a single security mechanism to provide all necessary security services?

    Different security services address different security threats (D)

    What is the primary goal of availability service according to the content?

    Ensuring that systems remain operational (B)

    What does modularity in security design principles emphasize?

    Developing security functions as separate, protected modules (C)

    How does layering enhance security in information systems?

    By utilizing multiple, overlapping protection approaches (A)

    What is meant by the principle of least astonishment in security design?

    The authorization mechanism should operate transparently to the user (C)

    What is a consequence of failing to implement modularity in security systems?

    The failure of one protection approach could compromise the whole system (A)

    Which aspect does layering NOT address in information systems?

    User engagement in security processes (A)

    Which of the following is an example of an "active" attack?

    Launching a denial-of-service attack against a web server (A)

    Which of the following is NOT considered an asset of a computer system?

    Security personnel (C)

    What is the main goal of threat agents when they exploit vulnerabilities?

    To gain unauthorized access to or control over system resources (D)

    Which category of vulnerability is associated with the loss of confidentiality?

    Leaky (A)

    Which of the following best represents a passive attack?

    Monitoring network traffic for sensitive data (B)

    What is the relationship between vulnerabilities and threats?

    Threats are caused by vulnerabilities, enabling attackers to exploit them (A)

    Which of the following is a countermeasure used to reduce risk?

    Vulnerability scanning (A)

    What is the primary goal of imposing countermeasures?

    To prevent threats from exploiting vulnerabilities (A)

    Flashcards

    Modularity

    Development of security functions as separate, protected modules.

    Layering

    Using multiple, overlapping protection approaches in security design.

    Least Astonishment Principle

    User interfaces should behave in predictable ways to avoid surprising users.

    Redundancy in Security

    Failure of one protection means others still secure the system.

    Intuitive Understanding

    Users should grasp how security mechanisms relate to goals easily.

    Low Level of Impact

    Limited adverse effect on organizational operations or assets.

    Security Policy

    A formal set of rules regulating how an organization ensures security for sensitive resources.

    Moderate Level of Impact

    Serious adverse effect on organizational operations or assets.

    Security Implementation

    The process of applying various actions like prevention, detection, response, and recovery to achieve security.

    Assurance

    The confidence level that security measures effectively protect a system and its data.

    High Level of Impact

    Catastrophic adverse effect on organizational operations or assets.

    Security Breaches

    Incidents that compromise the confidentiality, integrity, or availability of information.

    Evaluation

    The process of assessing a system against specified criteria for security effectiveness.

    Adverse Effects

    Negative outcomes resulting from security breaches at multiple levels.

    Trade-offs in Security

    Balancing ease of use with security, and the cost of security versus potential recovery costs.

    Passive Attack

    Attempts to learn from a system without altering its resources.

    Active Attack

    Attempts to alter system resources or affect their operation.

    Eavesdropping

    Listening to or monitoring transmissions without consent.

    Traffic Analysis

    Examining the traffic patterns of data transmissions.

    Replay Attack

    Capturing and retransmitting data to create unauthorized effects.

    Masquerade Attack

    When one entity pretends to be another to gain access.

    Modification of Messages

    Altering part of a legitimate message to change its meaning.

    Denial of Service

    Inhibits normal use of communication facilities.

    Data Integrity

    Ensures that messages are received as sent without alteration.

    Connection-Oriented Integrity Service

    Assures messages are received without duplication, alteration, or reordering.

    Connectionless Integrity Service

    Protects individual messages primarily against modification only.

    Nonrepudiation

    Prevents sender or receiver from denying a transmitted message.

    Availability

    Ensures system remains accessible, protecting against denial-of-service attacks.

    Security Mechanism

    A method for preventing, detecting, or recovering from an attack.

    Cryptographic Techniques

    Common methods used in security mechanisms to protect data.

    Denial-of-Service Attack

    An attempt to make a service unavailable to its users.

    Assets of a Computer System

    Components such as hardware, software, and data that need protection.

    Vulnerabilities

    Weaknesses in a system that can be exploited by threats.

    Threats

    Potential causes of asset harm, capable of exploiting vulnerabilities.

    Attacks

    Actual instances where threats exploit vulnerabilities, harming assets.

    Insider Threats

    Security breaches initiated by someone within the organization.

    Outsider Threats

    Security breaches initiated by entities outside the organization.

    Study Notes

    Chapter 1 Overview

    • Chapter 1 provides an overview of computer security concepts.

    NIST Computer Security Handbook Definition

    • The NIST Computer Security Handbook defines computer security as the protection afforded to an automated information system.
    • The goal is to achieve the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources.
    • These resources include hardware, software, firmware, information/data, and telecommunications.

    CIA Triad

    • The CIA triad comprises three key aspects of computer security.
    • Confidentiality protects data from unauthorized access.
    • Integrity assures that data is accurate and trustworthy.
    • Availability ensures that authorized users can access data and resources when needed.
    • Accountability refers to the ability to track actions of users or entities.

    Computer Security Objectives

    • Confidentiality: Assures private or confidential information isn't disclosed to unauthorized individuals. Privacy is a key aspect: users control information about themselves.
    • Integrity: Ensures information and programs are changed only in authorized ways. This includes system integrity—the system performs intended functions without unauthorized manipulation.
    • Availability: Guarantees systems work promptly and service isn't denied to authorized users.

    Other Security Objectives

    • Authenticity: Verifies system inputs are genuine and trustworthy. Data and source authentication are key aspects.
    • Accountability: Actions of an entity are uniquely traced to that entity. This includes non-repudiation, fault isolation, intrusion detection/prevention, after-action recovery, and legal action.

    Breaches of Security Levels of Impact

    • Breaches of security can have varying impacts, ranging from limited to severe or catastrophic adverse effects on organizational operations, assets, or individuals.

    Computer Security Challenges

    • Computer security isn't always as simple as it may seem to beginners.
    • An attacker needs to find only a single weakness, whereas developers must find and close every possible weakness.
    • Users/managers may not recognize the importance of security until a failure occurs. That is why security requires regular and constant monitoring.

    Adversary (Threat Agent), Attack, Countermeasure, Risk

    • An adversary is an entity that attacks a system.
    • An attack is an assault on system security, an intelligent act to breach security policies.
    • A countermeasure reduces a threat, vulnerability, or attack.
    • Risk is the probability that a particular threat exploits a specific vulnerability with a harmful outcome.
    • Security policies regulate system security.

    System Resources (Assets)

    • System assets include data, services, communications bandwidth, equipment, documentation, and supporting facilities.

    Threats, Vulnerabilities, and Attacks

    • Vulnerabilities are weaknesses in systems or assets, which attackers can exploit.
    • Threats are potential dangers exploiting vulnerabilities to cause harm.
    • Attacks are threats that have actually been carried out.
      • Passive attacks learn from or make use of information from a system without affecting it (e.g., eavesdropping).
      • Active attacks try to alter system resources or affect their operation (e.g., denial-of-service attacks).
      • Insider attacks originate from within the authorized security perimeter.
      • Outsider attacks originate from outside the organization.

    Passive and Active Attacks

    • Passive attacks: the attacker learns or makes use of system information without harming the system (e.g., eavesdropping).
    • Active attacks: the attacker alters the system, its resources, or its operation (e.g., denial-of-service attacks).

    Countermeasures

    • Countermeasures prevent, detect, and recover from security attacks.
    • Residual vulnerabilities may still exist despite countermeasures.

    Threat Consequences and Actions

    • Threat consequences involve unauthorized disclosure, deception, disruption, and usurpation.
    • Threat actions include exposure, interception, inference, intrusion, masquerade, falsification, repudiation, incapacitation, corruption, and obstruction. The Table below provides threat consequences and their causes as well as the different types of threat actions:

    Computer System Security and Data

    • Data security must be considered at multiple levels, including data within files, data in transit, and data at rest.

    Computer and Network Assets

    • Hardware, software, data, communication lines, and networks are examples of computer and network assets.
    • Security considerations for each asset type are crucial; examples of security breaches for each asset type are included.

    Security Requirements

    • Awareness and training concerning security risks.
    • Audit and accountability mechanisms to track actions.
    • Certification and accreditation to secure systems.
    • Configuration management to maintain security settings across all components.
    • Contingency planning to ensure system availability.
    • Identification and authentication to properly authorize user access.
    • Incident response capabilities to deal with security breaches.
    • Maintenance routines for ongoing system security.

    Security Services

    • Security services protect information systems using different methods.
    • Security services can be defined in various ways, with different protocols and terminology.

    Authentication

    • Authentication verifies the identity of a communicating entity.
    • Two types of authentication are peer entity authentication (for logical connections) and data origin authentication (for one-time messages).

    Access Control

    • Access control limits and controls access to host systems and applications via communication links.
    • Authentication is a core aspect of access control.

    Data Confidentiality

    • Data confidentiality protects transmitted data from passive attacks, including eavesdropping. The service can cover all user data exchanged over time, or be narrower in scope, protecting a single message or specific fields within a message.

    Data Integrity

    • Data integrity assures that received data is exactly as sent (without modification).
    • Integrity services deal with streams of messages (connection-oriented), or individual messages (connectionless).

    Nonrepudiation

    • Nonrepudiation prevents a sender or receiver from denying a transmitted message by providing verification of the transaction.

    Availability

    • Availability ensures that systems function properly and that service is not denied to authorized users. This service is primarily concerned with countering denial-of-service attacks.

    Security Mechanisms

    • Security mechanisms refer to methods for preventing, detecting, or recovering from security attacks.
    • Cryptographic techniques are often used in security mechanisms.

    Fundamental Security Design Principles

    • Economy of mechanism, fail-safe defaults, complete mediation, open design, separation of privilege, least privilege, isolation, encapsulation, modularity, layering, and least astonishment are fundamental design principles for computer security.

    Attack Surfaces

    • An attack surface consists of the reachable and exploitable vulnerabilities in a system.
    • Attack surfaces include physical access, outward-facing ports, services available inside a firewall, code that processes incoming data, and more.
    • Attack surface categories include network, software, and human.

    Defense in Depth

    • Defense in depth involves layering multiple overlapping security approaches for comprehensive protection.

    Attack Trees

    • Attack trees outline potential attack paths for a computer system.

    Security Strategy

    • A security strategy outlines the security scheme and policies required for organizational information systems.
    • It considers assets and their value, vulnerabilities, and potential threats, weighing the cost of security against the cost of failure and the resulting trade-offs.
    • The strategy also covers security implementation (prevention, detection, response, and recovery), assurance (confidence that the security controls work as intended), and evaluation (assessment against specified criteria).

    Summary

    • The chapter summary restates the key security concepts, design principles, attack surfaces, and strategies, and places them in context.

    Description

    This quiz explores various levels of impact related to cybersecurity breaches and the consequences of different types of attacks. Test your knowledge on security policies, design trade-offs, and the goals of security assurance. Perfect for students and professionals interested in enhancing their understanding of cybersecurity.
