64 Questions
Which security requirement focuses on ensuring that data is not disclosed to unauthorized parties?
Confidentiality
What is the main purpose of the OSI Security Architecture?
To provide a framework for understanding computer security concepts
Which type of attack involves an unauthorized individual eavesdropping on network communications?
Passive attack
What are attack surfaces and attack trees used for?
To identify and analyze potential security vulnerabilities
Which of the following best describes asymmetric encryption?
Used to conceal small blocks of data
What is the main purpose of data integrity algorithms?
To protect blocks of data from alteration
What do authentication protocols aim to do?
Authenticate the identity of entities
What does computer security aim to achieve?
Preserve the integrity, availability, and confidentiality of information system resources
Which of the following is NOT one of the three security objectives listed in the NIST standard FIPS 199?
Authenticity
What does a loss of availability refer to?
Disruption of access to or use of information or an information system
Which of the following is NOT mentioned as an additional concept that some in the security field feel is needed to present a complete picture of security objectives?
Confidentiality
What is the purpose of accountability in computer security?
To trace actions of an entity to that entity
Which of the following is true about security mechanisms?
They can be quite complex
What should be considered when developing a security mechanism or algorithm?
The potential attacks on security features
Why are security mechanisms often counterintuitive?
Because they are complex and elaborate
What is the advantage that attackers have in computer and network security?
They only need to find a single weakness
Which of the following is an example of a severe or catastrophic adverse effect according to the security policy document?
Loss of mission capability
Which of the following is an example of an asset with a high requirement for integrity?
Hospital patient's allergy information
Which of the following is an example of an asset with a low availability requirement?
Online telephone directory lookup application
Which of the following is an example of an asset with a moderate level of integrity requirement?
Web site that offers a forum
Which form of masquerade attack involves capturing and replaying authentication sequences to obtain unauthorized privileges?
Replay
What is the purpose of the denial of service attack?
To prevent or inhibit the normal use of communications facilities
Which type of attack involves altering legitimate messages or delaying/reordering messages?
Modification of messages
What is the main objective of a masquerade attack?
To impersonate an authorized entity
Which type of attack involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect?
Passive capture
What can an authorized entity with few privileges obtain through a masquerade attack?
Extra privileges
Which of the following best describes a security attack?
An action that compromises the security of information owned by an organization
What is the main objective of a passive attack?
To learn or make use of information from the system
Which of the following is an example of a passive attack?
Traffic analysis
What is the main purpose of encryption in preventing passive attacks?
To prevent an opponent from learning the contents of messages
Which of the following best describes a security attack?
An action that compromises the security of information owned by an organization
What is the difference between a passive attack and an active attack?
A passive attack attempts to learn or make use of information from the system, while an active attack attempts to alter system resources
What is the goal of a passive attack?
To monitor transmissions and obtain information
What is a masquerade attack?
When one entity pretends to be a different entity
True or false: Asymmetric encryption is used to protect blocks of data from alteration.
False
True or false: Data integrity algorithms are used to conceal small blocks of data.
False
True or false: Authentication protocols are schemes based on the use of cryptographic algorithms.
True
True or false: Computer security aims to preserve the confidentiality, availability, and integrity of information system resources.
True
True or false: Cryptographic algorithms and protocols are mainly used for network and internet security.
True
True or false: Symmetric encryption is used to conceal the contents of blocks or streams of data of any size.
True
True or false: The X.800 security architecture is used for OSI.
True
True or false: Attack surfaces and attack trees are used to identify and analyze potential security threats.
True
True or false: A severe or catastrophic adverse effect can result in major financial loss.
True
True or false: Student grade information is an asset with a low confidentiality rating.
False
True or false: Inaccurate information about a patient's allergy can result in serious harm or death.
True
True or false: An online telephone directory lookup application typically has a high availability requirement.
False
Passive attacks involve altering system resources or affecting their operation.
False
Active attacks attempt to learn or make use of information from the system without affecting system resources.
False
Passive attacks include eavesdropping on or monitoring transmissions.
True
Active attacks involve the release of message contents and traffic analysis.
False
True or false: Availability ensures that systems work promptly and service is not denied to authorized users.
True
True or false: Confidentiality refers to preserving authorized restrictions on information access and disclosure.
True
True or false: Integrity involves guarding against improper information modification or destruction.
True
True or false: Authenticity means verifying that users are who they say they are and that each input arrived from a trusted source.
True
True or false: The OSI security architecture provides a systematic approach for defining security requirements and characterizing security approaches.
True
True or false: Successful attacks on security mechanisms often exploit unexpected weaknesses that result from looking at the problem in a different way.
True
True or false: Security mechanisms typically involve only a particular algorithm or protocol and do not require participants to possess any secret information.
False
True or false: In computer and network security, the attacker only needs to find a single weakness, while the designer must find and eliminate all weaknesses to achieve perfect security.
True
True or false: A masquerade attack involves capturing and replaying authentication sequences to obtain unauthorized privileges.
True
True or false: Modification of messages in a masquerade attack means altering a legitimate message to produce an unauthorized effect.
True
True or false: Denial of service attack prevents or inhibits the normal use or management of communications facilities.
True
True or false: A masquerade attack involves delaying or reordering messages to produce an unauthorized effect.
False
True or false: A masquerade attack involves suppressing all messages directed to a particular destination.
True
True or false: A passive attack involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
False
Study Notes
Computer Security Concepts
- Computer security is defined as the protection of automated information systems to attain the objectives of preserving the confidentiality, integrity, and availability of information system resources.
Key Security Objectives
- Confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals, and includes data confidentiality and privacy.
- Integrity: Assures that information and programs are changed only in a specified and authorized manner, and includes data integrity and system integrity.
- Availability: Assures that systems work promptly and service is not denied to authorized users.
The CIA Triad
- The CIA triad is a term used to describe the three key security objectives: confidentiality, integrity, and availability.
- These objectives are fundamental to the security of both data and information and computing services.
Additional Security Concepts
- Authenticity: The property of being genuine and being able to be verified and trusted.
- Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
Security Services
- Authentication: Verifying the identity of entities.
- Access Control: Controlling access to resources based on authorized permissions.
- Data Confidentiality: Protecting data from unauthorized disclosure.
- Data Integrity: Protecting data from unauthorized modification or deletion.
- Nonrepudiation: Ensuring that a sender of a message cannot deny having sent the message.
- Availability: Ensuring that systems and data are available when needed.
The OSI Security Architecture
- The OSI security architecture is a systematic approach to defining security requirements and characterizing approaches to satisfying those requirements.
- It focuses on security attacks, mechanisms, and services.
- Security attacks: Actions that compromise the security of information.
- Security mechanisms: Processes or devices that detect, prevent, or recover from security attacks.
- Security services: Processing or communication services that enhance the security of data processing systems and information transfers.
Challenges of Computer Security
-
Security is not as simple as it might first appear.
-
Developing security mechanisms requires considering potential attacks.
-
Security mechanisms are often complex and counterintuitive.
-
It is necessary to decide where to use security mechanisms.
-
Security mechanisms involve more than just algorithms or protocols.
-
Computer and network security is a battle of wits between perpetrator and designer.
-
Users and system managers often view security as an afterthought.
-
Security requires regular monitoring.
-
Security is often viewed as an impediment to efficient and user-friendly operation.### Internet Security Glossary
-
The International Telecommunication Union (ITU) is a United Nations-sponsored agency that develops standards, called Recommendations, relating to telecommunications and to open systems interconnection (OSI).
Security Threats and Attacks
- A threat is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
- An attack is an assault on system security that derives from an intelligent threat, which is a deliberate attempt to evade security services and violate the security policy of a system.
Types of Security Attacks
- Passive attacks:
- Attempt to learn or make use of information from the system but do not affect system resources.
- Examples: eavesdropping, monitoring of transmissions, release of message contents, and traffic analysis.
- Difficult to detect because they do not involve any alteration of the data.
- Prevention is usually done by means of encryption.
- Active attacks:
- Attempt to alter system resources or affect their operation.
- Examples: masquerade, replay, modification of messages, and denial of service.
- Subcategories:
- Masquerade: one entity pretends to be a different entity.
- Replay: passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
- Modification of messages: altering a portion of a legitimate message to produce an unauthorized effect.
- Denial of service: preventing or inhibiting the normal use or management of communications facilities.
Test your knowledge of cybersecurity with this quiz on security attacks, mechanisms, and services. Learn about the different types of attacks that can compromise information, the processes and devices designed to prevent or recover from attacks, and the communication services that enhance the security of data processing systems. Put your cybersecurity expertise to the test!
Make Your Own Quizzes and Flashcards
Convert your notes into interactive study material.
Get started for free