Data Security Concepts

Questions and Answers

Which of the following scenarios best illustrates a violation of data confidentiality?

• A disgruntled employee shuts down a critical server, disrupting business operations.
• An unauthorized user gains access to a database containing sensitive customer information. (correct)
• A hacker modifies financial records in a company database, causing incorrect balances.
• A network outage prevents employees from accessing important files and applications.

An organization implements redundant servers and frequent data backups. Which security objective are they primarily addressing?

• Integrity
• Confidentiality
• Non-repudiation
• Availability (correct)

Which of the following actions primarily aims to ensure data integrity within a database system?

• Regularly backing up the database to prevent data loss.
• Encrypting the database to prevent unauthorized access.
• Implementing access controls to restrict user permissions.
• Using checksums to detect alterations to data during transmission or storage. (correct)

An organization wants to improve its overall computer security posture. Which strategy would be the MOST comprehensive first step?

Developing and documenting a formal security policy. (A)

Which of the following best describes the purpose of an 'attack tree' in computer security?

To systematically decompose a potential threat into a hierarchy of possible attack vectors. (B)

Flashcards

Computer Security

Protection of automated information systems to ensure integrity, availability, and confidentiality.

CIA Triad

Key objectives of computer security: Confidentiality, Integrity, and Availability.

Confidentiality

Ensures private information is not disclosed to unauthorized individuals.

Integrity

Assures that information is accurate and untampered.

Availability

Ensures authorized users have access to information when needed.

Study Notes

Modern Network Security Threats

• This chapter discusses modern network security threats
• The topics covered include computer security concepts, definitions, models, threats, attacks, assets, security functional requirements, and fundamental security design principles, attack surfaces and attack trees, computer security strategy, security policy, security implementation, and assurance and evaluation.
• Objectives for learning the chapter include defining confidentiality, integrity, and availability; understanding various security threats and attacks; summarizing functional requirements for computer security; understanding fundamental security design principles; understanding attack surfaces and attack trees; and the principle aspects of security strategy.
• Computer security is the protection of an automated information system to maintain integrity, availability, and confidentiality of information resources.

Computer Security Concepts

• Confidentiality aims to protect private or confidential information from unauthorized access or disclosure.
• Privacy assures individuals control or influence what information about them is collected, stored, and disclosed.
• Integrity ensures information and programs are changed only in authorized ways, maintaining their accuracy and consistency.
• Data integrity makes sure information and programs are changed only through authorized methods.
• System integrity ensures that a system functions as expected without unauthorized modifications.
• Availability assures that systems and services are accessible to authorized users when needed.

Additional Concepts

• Authenticity is the assurance that something is genuine and can be verified. It includes confidence in the source of information.
• Accountability means actions can be uniquely traced to an entity. This supports non-repudiation, deterrence, and legal action.

Impact Levels

• Security breaches can have varying impacts on individuals and organizations.
• Low impact: limited effect on operations, assets, or individuals.
• Moderate impact: significant effect on operations, assets, or individuals.
• High impact: severe or catastrophic effect on operations, assets, or individuals.

Model for Computer Security

• An adversary is the entity attacking the system.
• An attack is a deliberate attempt to bypass security measures and violate security policies.
• A countermeasure reduces threats, vulnerabilities, or attacks, minimizes harm, and detects issues.
• Risk is expressed as the likelihood of a threat exploiting a vulnerability.
• Security policies specify security practices and rules.
• System resources (assets) are the data and other components targeted.
• Threats are circumstances that can violate security or cause harm.
• Vulnerabilities are flaws or weaknesses in a system's design, implementation, or operation that can be exploited.

Security Concepts and Relationships

• Owners want to minimize harm to assets.
• Threat agents may abuse or damage assets.
• Countermeasures aim to reduce risk.
• Assets are resources protected, such as hardware, software, and data.

Categories of System Resources (Assets)

• Hardware: computer systems, storage, and communication devices
• Software: operating systems, utilities, applications
• Data: files, databases, and security-related information
• Communication facilities and networks: links, bridges, routers, and LAN/WAN

Categories of Vulnerabilities

• A system can be corrupted (incorrect data)
• A system can be compromised by unauthorized access.
• A system can become slow or unavailable.

Types of Vulnerability Based on CIA

• Corresponds to threats that exploit possible vulnerabilities and potential harm to assets.
• Attacks are threats carried out.
• Active attack: Attempts to change system resources or operation.
• Passive attack: Attempts to gather information without affecting resources.

Classifying Attacks Based on Origin

• Inside attack: authorized users acting improperly.
• Outside attack: unauthorized users targeting the system.

Threats, Attacks, and Assets (Categories 1-4)

• Category 1 - Unauthorized Disclosure: Exposure, interception, inference, intrusion
• Category 2 - Deception: Masquerade, falsification, repudiation
• Category 3 - Disruption: Incapacitation, corruption, obstruction
• Category 4 - Usurpation: Misappropriation, misuse

Security Functional Requirements

• Hardware is vulnerable to attacks, including physical damage and theft.
• Software is vulnerable to attacks, including deletion and corruption.
• Data vulnerability relates to unauthorized access, modification, or destruction.
• Communication lines and networks can experience denial-of-service attacks or interruptions.

Fundamental Security Design Principles

• Economy of mechanism means using simple and efficient security measures.
• Fail-safe defaults means access denied by default unless explicitly allowed.
• Complete mediation implies every access attempt is checked against the access control mechanism.
• Open design means security mechanisms publicly accessible, except for sensitive keys.
• Separation of privilege implies different privileges for individual actions and users.
• Least privilege means using the minimum required privileges.
• Least common mechanism means sharing the fewest possible components among different users.
• Psychological acceptability means security mechanisms should not unduly hinder users' job efficiency.

Attack Surfaces

• List the components of the system that can potentially be exploited.
• Open ports
• Services available inside the firewall
• Data processing code and formats
• Software interfaces
• Social engineering vulnerabilities

Attack Surface Categories

• Network attack surface: vulnerabilities over a network
• Software attack surface: vulnerabilities in applications, utilities, or operating system code
• Human attack surface: vulnerabilities created by personnel

Attack Trees

• A hierarchical structure for analyzing vulnerabilities or threats.
• The root represents the attacker's goal.
• Leaf nodes show specific events to achieve the goal.

Computer Security Strategy

• Specification/policy: Defines the security scheme's goals.
• Implementation/mechanisms: Describes how the security scheme is implemented.
• Correctness/assurance: Evaluates if the security scheme works as intended.

Security Policy

• Need to consider the value of assets, vulnerabilities, potential threats, and likelihood of attacks.
• Tradeoffs between ease of use and security, and cost of security versus failure/recovery.

Security Implementation

• Prevention aims at preventing attacks.
• Detection seeks to identify ongoing attacks.
• Response reacts to and stops ongoing attacks.
• Recovery addresses and repairs damages from attacks.

Assurance and Evaluation

• Assurance: Degree of confidence in the effectiveness of security measures.
• Evaluation: Process of examining a system against specific criteria, potentially using formal analysis.

Description

Test your knowledge of data security principles. Questions cover confidentiality, integrity, and security strategies. Learn about attack trees and security objectives.