Fundamental Security Design Principles Quiz

Questions and Answers

Which security principle emphasizes that a system's security should not rely on keeping its design or implementation secret?

• Complete Mediation
• Separation of Privilege
• Open Design (correct)
• Economy of Mechanism

What term describes a security practice where multiple privilege attributes are required to access a restricted resource?

• Economy of Mechanism
• Complete Mediation
• Open Design
• Separation of Privilege (correct)

In the context of security, what does 'Complete Mediation' refer to?

• Dependence on secrecy of system's design
• Only allowing authorized access based on privileges (correct)
• Requiring multiple factors for authentication
• Making encryption algorithms publicly available

Which security principle suggests that the security mechanisms should be simple to understand and operate?

Economy of Mechanism (A)

What is the benefit of implementing 'Fail-safe Defaults' in security systems?

It blocks all traffic by default except allowed (D)

Which practice ensures that encryption algorithms are open for public study while keeping encryption keys secret?

Open Design (A)

'Multiple-factor authentication' aligns with which security principle?

'Separation of Privilege' (C)

'Testing transparency and visibility' is a key aspect of which security principle?

'Open Design' (A)

'Requiring every file access to check permissions' exemplifies which security principle?

'Complete Mediation' (A)

'Identifying and correcting flaws through expert reviews' is facilitated by which security principle?

'Open Design' (B)

Flashcards are hidden until you start studying

Study Notes

Fundamental Security Design Principles

• The principles provide a framework for creating secure systems and help designers and developers think about security throughout the design process.

Economy of Mechanism

• Definition: Systems should be designed to be as simple and small as possible.
• Benefit: Simplicity helps ensure fewer opportunities for security flaws and makes it easier to test and verify security properties.
• Examples: Prefer fewer lines of code or less complex protocols in software, and fewer physical points of entry that need to be secured in hardware.

Fail-Safe Defaults

• Definition: The default state of a system, in the event of failure, should be secure.
• Benefit: In case of a system failure, the system remains secure and does not accidentally expose resources to unauthorized users.

Least Privilege

• Definition: Users and systems should only have the minimum levels of access necessary to perform their tasks.
• Benefit: Minimizes potential damage from accidents or malicious actions by limiting access rights for users.
• Examples: A database user account that can only read data, not write, if its purpose is to generate reports.

Least Common Mechanism

• Definition: Minimize the amount of functions/mechanisms shared by different users, providing mutual security.
• Benefit: Reduces the chance of a breach in one user affecting all users.
• Examples: Individual user sessions in an operating system as opposed to a shared session.

Psychological Acceptability

• Definition: Security mechanisms should not make the resource more difficult to access in the interest of security than if the mechanisms were not present.
• Benefit: If security mechanisms are too restrictive or cumbersome, users may attempt to bypass them, leading to greater risk.
• Examples: Usable security like single sign-on, which reduces the number of times a user must enter their credentials.

Isolation

• Definition: Components of a system are isolated from one another, with interactions only occurring through defined methods.
• Benefit: Isolation contains faults or security breaches within the compromised component, preventing them from spreading.
• Examples: Virtual machines that are isolated from each other, even though they run on the same physical host.