Introduction to Computer Security

Questions and Answers

Within the CIA triad, what does 'confidentiality' primarily aim to protect?

The accuracy of data modifications by authorized personnel.

The verification of a user's identity and access privileges.

The timely accessibility of assets to authorized parties.

Restricting computer assets access to only authorized parties. (correct)

Which statement best describes the concept of 'integrity' within the CIA triad?

Maintaining a record of all access attempts.

Ensuring assets are accessible when needed without delay.

Guaranteeing that assets can only be modified in authorized ways by authorized parties. (correct)

Making sure all data is encrypted in transit.

In the context of the CIA triad, what qualifies as 'access' to an asset?

Only the ability to modify data.

Only the ability to execute code.

Only the ability to read data.

Viewing, printing, or knowing that the asset exists. (correct)

What does the term 'subject' refer to when discussing access to an asset?

A person, process, or program attempting access.

What are considered modifications, in the context of 'integrity' within the CIA triad?

Writing, changing, changing status, deleting, and creating data.

Which security threat involves making a system resource unusable?

Interruption

What type of security threat is exemplified by illicitly copying a file?

Interception

Which attack directly compromises the integrity of a system by altering transmitted messages?

Modification

Adding false records to a database is an example of which security threat?

Fabrication

Which of the following best describes 'integrity' in the context provided?

Maintaining the precision, accuracy, and unmodified state of an item, or modifying it only in acceptable and authorized ways.

Which threat targets the confidentiality of data?

Interception

According to the provided information, what is a primary concern regarding availability?

Preventing legitimate users from accessing authorized resources or services.

Which aspect is NOT a part of the three particular aspects of integrity as recognized by [Welke & Mayfield]?

Unauthorized Actions.

In the context of the AAA framework, what is the primary purpose of 'Authentication'?

Verifying that a user is who they claim to be.

Which statement best reflects the relationship between 'CIA' and 'AAA' as presented?

AAA is based on the user point of view, while CIA is based on the assets view.

What is a vulnerability in the context of a computer system?

A weakness in the system's procedures, design, or implementation.

Which of the following best describes a 'threat' to a computing system?

A potential situation that could cause harm or loss.

In the analogy of the man, water, and wall, what is the role of the crack in the wall?

It acts as a vulnerability that could be exploited by the water.

According to the 'Security Threats' model, what type of harm is caused by interception?

Obtaining unauthorized access to information.

Which of the following action is described by the term 'fabrication' as a security threat?

Creating fake data in the system.

Computer security focuses exclusively on protecting hardware.

False

The principle of easiest penetration suggests that intruders will use the most difficult means possible to compromise a system.

False

Detection measures are proactive steps to prevent damage to assets.

False

In a cyber security context, using encryption when placing an order is a reactive measure.

False

Replacing a stolen item is considered a 'prevention' method in security.

False

An attack on availability occurs when an asset of the system is enhanced or improved.

False

Wiretapping is an example of a modification attack.

False

Changing values in a data file is an example of fabrication.

False

Cutting a communication line is an example of an interruption threat that targets the confidentiality of messages.

False

In the CIA triad, confidentiality ensures that assets are accessible to anyone who requests them.

False

An unauthorized party inserting counterfeit records into a file is considered a fabrication attack, which is an attack on the system's integrity

True

Modifying an asset includes only writing new information; deleting or changing existing data is not considered modification.

False

A 'threat' is best described as the active exploitation of a vulnerability.

False

Availability ensures that authorized users can access assets without any notable delay.

True

Accidentally deleting a file is categorized as a malicious, human-caused harm.

False

An 'object' in access control is the person or process attempting to access data.

False

Lack of access control is an example of a hardware vulnerability.

False

The security goals of the CIA triad are primarily from the user's point of view.

False

Interruption resulting in a denial of service is associated with the hardware category of vulnerabilities.

True

Creating false data or records falls under the threat category labeled modification.

False

Study Notes

Introduction to Computer Security

• Computer security is the protection of computer system assets.
• Assets include hardware, software, data, processes, storage media, and people.
• The principle of easiest penetration means intruders will use the easiest method available.

Core Concepts

• Computer systems (hardware, software, and data) have value and require protection.
• There are three levels of protection:
  • Prevention: measures to prevent damage.
  • Detection: measures to identify when and how an asset is damaged.
  • Reaction: measures to recover assets or from damage.
• An example from the physical world is using locks, burglar alarms, and CCTV cameras.
• An example from the cyber world is using encryption for online purchases and checking credit card statements for unauthorized transactions.
  • Preventing theft of assets
  • Detecting and recovering from theft

Security Goals - CIA Triad

• Confidentiality: assets of computing systems are only accessible to authorized parties.
• Integrity: assets can only be modified by authorized parties using authorized methods.
• Availability: assets are accessible to authorized parties when needed without delay.
• Security is from the assets' point of view.

Data Access

• At the most basic level, a subject can observe or alter an object.
• Access modes include observe and change.
• Access rights in the Bell-LaPadula model.

Vulnerabilities and Threats

• A vulnerability is a weakness in a system (procedures, design, or implementation) that can be exploited.
• A threat is a set of circumstances that could cause harm.
• A threat, if it successfully leverages a vulnerability is called a realized threat; therefore harm occurs.
• Examples of vulnerabilities include: weak authentication, lack of access control, errors in programs, inadequate resources, insufficient hardware protection, and involuntary/voluntary machine-slaughter.
• Exploits use vulnerabilities.
• Attacks exploit vulnerabilities.

Types of Threats

• Non-human threats: natural disasters, power outages, and hardware/software failures.
• Human threats: benign (accidental) and malicious (intentional).
  • Benign: accidental data deletion, incorrect typing, or other similar errors.
  • Malicious: random and directed attacks.
  • Types of malicious attacks: interception, interruption, modification, and fabrication.
    • Random: general code placed on a public website targeting any users
    • Directed: targeting specific computer systems, or an individual.

Types of Attackers

• Amateurs: generally not career criminals, but are aware of security flaws.
• Crackers: usually students or young adults trying to access unauthorized resources.
• Career criminals: understand targets of computer crimes and often collaborate with other groups.
• Hackers: generally understand computer systems in depth and often explore system limits (can be benign or not).

Method, Opportunity, Motive

Malicious attackers have three things for success: Method, Opportunity, and Motive

System Access Control

• System Access Control: system decides whether a user is legitimate.
• Data Access Control: monitoring who can access data and for what purposes.
  • Authentication: Proving user identities.
  • Identification: Asserting user identity.
• System Administration and Security: enforcing procedures, training users, and maintaining systems.
• System Design: use of basic hardware and software security features.

System Access Controls (passwords)

• A user's role in password protection—authentication can be compromised by giving away the password to others.

• Password guessing: exhaustive search (brute force) and intelligent search.

• Password spoofing.

• Compromise of the password file.

• Choosing Strong Passwords

Effectiveness

• Awareness of security requirements, clear understanding of the importance of security, and use of appropriate controls.
• Overlapping controls and periodic reviews.
• Awareness of security problems is necessary for people to work collaboratively to solve problems
• Procedures and controls must be used correctly, and be easy to use; they may be combined.

System Controls

• Controls can counter threats using physical (locks, walls), procedural (rules, regulations), and technical (firewalls, passwords) methods.
• Access control—identifying and authenticating users.

Description

This quiz covers foundational concepts in computer security, including asset protection, core security principles, and the CIA triad. Test your knowledge on how to safeguard hardware, software, and data, as well as the various levels of protection and their applications. Prepare to explore strategies for prevention, detection, and reaction to security breaches.