Introduction to Computer Security

Questions and Answers

Which of the following would be considered a prevention measure against credit card fraud?

  • Reporting fraudulent transactions to the police.
  • Checking credit card statements regularly to identify fraudulent charges.
  • Using a secure website to make purchases. (correct)
  • Canceling a credit card after a fraudulent transaction has occurred.

Which type of security measure is represented by CCTV cameras used to identify intruders?

  • Deterrence
  • Reaction
  • Prevention
  • Detection (correct)

Which of the following is NOT considered a computer security asset?

  • Operating system software
  • Physical server hardware
  • Stored user data
  • A company's marketing strategy (correct)

Identify an example of a reaction measure when someone tries to access your computer system without authorization.

Changing the network password to prevent further access. (C)

What is the principle of easiest penetration in computer security?

Attackers will always try to exploit the weakest point in a system. (B)

What are examples of human threats in computing that can cause harm?

Accidentally spilling a drink on a laptop (D)

Which of the following describes a random attack in computing security?

Malicious code on a website accessible by any user (C)

Which of the following is NOT classified as a vulnerability in computing systems?

Natural disasters such as floods (C)

What factor does NOT typically contribute to vulnerabilities in computing systems?

Adequate physical protection of hardware (A)

Which statement best reflects malicious harm in the context of computer security?

Malicious code specifically designed to damage computers (B)

Which type of security threat involves an unauthorized party gaining access to an asset without altering it?

Interception (D)

What type of security threat involves the destruction or unavailability of a system's asset?

Interruption (C)

Which scenario best exemplifies a modification attack?

A hacker accesses a database and changes user passwords (C)

What defines the fabrication type of security threat?

Inserting counterfeit objects into the system (A)

Which of the following is NOT an example of interruption as a security threat?

Altering a program's functionality (C)

What is the primary distinction between a vulnerability and a threat in a computing system?

A threat refers to the potential for harm, while a vulnerability is the weakness that can be exploited. (C)

Which of the following represents a common form of harm as outlined in the security threats?

Interception of data (C)

In the context of the content provided, how can the control of a vulnerability directly impact the associated threat?

By blocking the threat through management of the vulnerability. (B)

Which one of the following is NOT one of the four acts that characterize harm caused to assets in the context of security threats?

Creation (B)

What scenario best illustrates the concept of a threat exploiting a vulnerability?

An outdated firewall allowing malware access. (C)

A malicious code posted on a website represents a directed attack, targeting specific individuals or systems.

False (B)

Errors in programs are the only vulnerability that can lead to data modification.

False (B)

Accidental deletion of data falls under the category of involuntary machine-slaughter as a hardware vulnerability.

False (B)

Finite or insufficient resources cannot be considered a vulnerability in computing systems.

False (B)

A human mistakenly sending an email to the wrong person constitutes a malicious human-caused harm.

False (B)

A vulnerability always leads to the exploitation of a threat.

False (B)

Interception, interruption, modification, and fabrication are acts that characterize harm to assets in the context of security threats.

True (A)

A system is considered secure if it has a vulnerability but has implemented strong monitoring procedures.

False (B)

The CIA triad refers to the core principles of confidentiality, integrity, and accessibility.

False (B)

Controlling a vulnerability is essential for blocking a threat from causing harm.

True (A)

Confidentiality in computing security ensures that assets are accessible to all parties regardless of authorization.

False (B)

Integrity in the CIA triad refers to assets being modifiable only by authorized parties in authorized manners.

True (A)

Availability guarantees that assets are accessible to unauthorized parties when needed.

False (B)

An access mode refers to the level of authorization given to a subject for interacting with an object.

True (A)

The CIA triad applies to the user's point of view regarding security characteristics.

False (B)

Encryption is primarily used to provide confidentiality and integrity for data.

True (A)

Logic bombs operate independently and do not require any trigger to execute.

False (B)

Physical controls can include locks and cables to deter theft.

True (A)

Interception and fabrication of messages refers to unauthorized modifications to data without the intent to send altered information.

False (B)

Denial of service attacks are classified under network vulnerabilities.

True (A)

Flashcards

Vulnerability

A weakness in a system's design, implementation, or procedures that could be exploited to cause harm.

Threat

A set of circumstances that could potentially cause harm or loss to a system.

CIA Triad

The potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information.

Interception

Gaining access to data or systems without authorization.

Interruption

Actions that disrupt or prevent access to data or systems.

What is an asset in computer security?

Anything that has value in a computer system, including hardware, software, data, processes, storage media, and people.

Principle of Easiest Penetration

The easiest method an attacker can use to access a computer system is the method they will use.

Prevention in Computer Security

Measures taken to prevent an attack or damage to a system.

Detection in Computer Security

Methods used to detect when an attack or damage has occurred.

Reaction in Computer Security

Actions taken to recover from an attack or damage, including restoring compromised systems.

Exploit

An action that takes advantage of a vulnerability to cause harm.

Threat Agent

An entity that can cause harm to an asset.

Risk

The likelihood of a threat occurring and the impact of that threat.

Modification

An unauthorized party tampers with data or programs, changing their contents or functionality.

Fabrication

An unauthorized party inserts fake data or objects into a system, leading to false information.

Integrity Threat

An unauthorized party can access and modify sensitive information, compromising its reliability and integrity.

Confidentiality

Ensuring that only authorized parties can access computer-related assets, including reading, viewing, printing, and even knowing the asset exists.

Integrity

Ensuring that computer-related assets can only be modified by authorized parties in authorized ways.

Availability

Ensuring that authorized parties can access computer-related assets when needed, without significant delays.

Subject in computer security

A person, process, or program that seeks to access a data item.

Object in computer security

A specific data item that can be accessed, such as a file, folder, or database.

Nonhuman Threat

A threat that could be caused by a natural event, like a fire or flood, or by a failure in a computer system, like a power outage or a broken disk drive.

Malicious Attack

Malicious actions aimed at causing harm to a computer system, usually involving human attackers.

Non-Malicious Threat

An unintentional act that leads to harm to a computer system, often caused by human error.

Denial of Service Attack

A type of attack that aims to make a computer system unavailable to legitimate users by overwhelming it with requests.

Data Integrity Threat

The unauthorized modification of data or changes to software programs to alter their functionality or contents.

Data Fabrication Threat

This attack involves a malicious party injecting fake data or objects into a system, potentially causing misleading information.

Data Interception Threat

This attack happens when an unauthorized party intercepts messages or data transmissions.

Data Replay Attack

This attack happens when intercepted messages are copied and retransmitted, possibly with malicious intent.

Data Confidentiality Threat

This refers to the ability of unauthorized individuals to access sensitive data without permission.

Study Notes

Introduction to Computer Security

  • Computer security protects computer assets (items of value).
  • Assets include hardware, software, data, processes, storage media, and people.
  • The principle of easiest penetration means intruders will use readily available means.
  • Computer systems (hardware, software, and data) need security protection.
  • There are 3 classifications of protection: prevention, detection, and reaction.

Prevention

  • Measures in place to avoid damage to assets.
  • Example: Locks on doors and window bars in the physical world.

Detection

  • Measures to identify when and how assets were damaged.
  • Example: Burglar alarms, CCTV cameras.

Reaction

  • Measures to recover assets or to recover from damage to assets.
  • Example: Calling the police or replacing a stolen item.

Example from Cyber Security - Credit Card Fraud

  • Prevention: Use encryption when ordering and rely on merchant checks; do not use credit card numbers online.
  • Detection: Unauthorized transactions on credit card statements.
  • Reaction: Requesting a new card number, recovering cost of fraud from the issuer.

Security Goals - CIA Triad

  • Confidentiality: Assets are available only to authorized users.
  • Integrity: Assets can be only modified by authorized users/parties and in authorized ways.
  • Availability: Assets are accessible only to authorized users when needed.

Confidentiality

  • Ensures computer-related assets are accessed only by authorized parties.
  • Access is limited to those authorized and given access to something.

Integrity

  • Assets can be only modified by authorized users/parties.
  • Integrity means different things in different contexts. Some forms include accurate, unmodified, precise, consistent, and usable.

Availability

  • Assets are accessible to authorized parties at appropriate times.
  • Denial of service (DoS) is the opposite of availability.

Other Protection Requirements

  • AAA system: Authentication, Authorization, and Accounting.

Vulnerabilities and Threats

  • A vulnerability is a weakness in the system (design or implementation) that can cause loss or harm.
  • A threat is a set of circumstances that has the potential to cause loss or harm.

Computer Network Vulnerabilities

  • Different parts of a computer network have vulnerabilities:
    • Radiation
    • Communication lines
    • Tapping
    • Cross talk
    • Unauthorized access of files
    • Hardware and software failures
    • Maintenance
    • Systems programming features
    • Improper connections/cross coupling
    • Attachments of recorders

Security Threats

  • Interruption: An asset is destroyed or becomes unusable impacting availability.
  • Interception: An unauthorized party gains access to an asset impacting confidentiality.
  • Modification: Unauthorized parties access and tamper with an asset impacting integrity.
  • Fabrication: Unauthorized parties insert counterfeit objects/assets into the system impacting integrity.

Examples of Security Techniques

  • Interruption: Destruction of hardware (e.g., hard disk), cutting communication lines, and disabling systems.
  • Interception: Wiretapping or illicit copying of files.
  • Modification: Data alterations or program changes.
  • Fabrication: Addition of records or inserting spurious messages.

Security Terminology

  • Asset: Value/resource to be protected.
  • Threat: Potential cause of loss/harm.
  • Threat Agent: Individual/entity carrying out the threat.
  • Vulnerability: Weakness/flaw/fault that allows exploitation of an asset by a threat agent/entity.
  • Exploit: An action that takes advantage of a vulnerability causing loss or harm.
  • Risk: Probability of a threat (being realized against a vulnerability).

Kinds of Threats

  • Non-human threats: Natural disasters (e.g., fires, floods), electrical power problems, failure of components (communication cables, processor chips, disk drives), and radiation issues.
  • Human threats: Benign (e.g., accidental data deletion, mistyping, sending an incorrect email) and malicious (e.g., malicious code, impersonations, random attacks, and directed attacks).

Computer Vulnerabilities

  • Weak authentication
  • Lack of access controls
  • Program errors
  • Insufficient resources
  • Inadequate physical protection

Data Vulnerabilities

  • Data confidentiality
  • Data integrity
  • Interception and modification of messages.

Other Exposed Assets

  • Storage media require backups.
  • Networks easily multiply security problems (exposed medium).
  • Access to systems, data, or software can be compromised.
  • Key personnel leaving or illness.

Methods of Defense

  • Encryption: Confidentiality, Integrity, and a basis of protocols.
  • Policies: frequent password changes, training, legal/ethical codes.
  • Physical Controls: locks on doors, backups, physical site planning.
  • Software/Hardware Controls: internal program controls, operating systems, development controls, hardware/smartcard implementations, encryption.

Types of Attackers

  • Amateurs: normal people who exploit flaws, valuable access
  • Crackers: typically students or young adults, unauthorized access to computer facilities.
  • Career Criminals: understand computer crime targets (groups), spies, and brokers.
  • Hackers: knowledgeable about operating systems.

Method-Opportunity-Motive

  • Malicious attackers require these 3 factors to ensure success:

    • Method: "how" of the attack
    • Opportunity: "when" of the attack
    • Motive: "why" of the attack
  • Denial of these factors can lead to unsuccessful attacks.

  • Harm minimization through risk assessments for identifying likelihood and severity of events.

  • Residual risk is the uncovered risk that remains after controls have been implemented.

How to Make the System Secure

  • System access control: Preventing unauthorized user access.
  • Data access control: Monitoring who can access which data.
  • System and security administration: Implementing procedures and training for administrators.
  • System design: Utilizing basic hardware and software security practices.

Controls

  • Controls/countermeasures are methods of countering threats.
  • Harm occurs if a risk is realized.
  • Protection involves neutralizing threats, closing vulnerabilities, or both.
  • Several ways to deal with harm include prevention, deterrence, deflection, mitigation, detection, and recovery.

Types of Controls

  • Physical controls: Tangible objects (locks, walls, fences, guards).
  • Procedural/Administrative controls: Rules, policies, procedures, laws, regulations, agreements.
  • Technical controls: Technology-based (passwords, access controls, firewalls, encryption, and network traffic flow regulators).

System Access Control: Username and Password

  • First line of security defense.
  • User name (Login ID): Identification
  • Password: Authentication
  • Successful login requires valid username and password.

System Access Control: Common Threats/Solutions

  • Password guessing (brute force, intelligent search)
  • Password spoofing
  • Compromise of password file

Choosing Strong Passwords

  • Use diverse characters (beyond a-z).
  • Choose longer passwords.
  • Avoid common words/names.
  • Use various passwords for different accounts.
  • Regularly change passwords.
  • Do not write down passwords.
  • Do not share passwords.

System Access Control - Defending Password Security

  • Compulsion to generate a password.
  • Changing default passwords.
  • Establishing password length requirements.
  • Defining password formats (e.g., mix of numbers and letters).
  • Avoiding obvious passwords.
  • Implementation of password checkers.
  • Adopting password generation tools.
  • Employing password aging (expiration dates).
  • Limiting login attempts.
  • Informing users about best practices.

Data Access Control

  • Subjects may observe/alter objects.
  • Access modes are observe and change.
  • Access rights can be determined in models like the Bell-LaPadula Model.

Effectiveness Considerations

  • Awareness of security: users cooperate with security requirements when they understand their value.
  • Use of necessary controls that are easy to use and appropriate, and use combinations of overlapping controls.
  • Periodic reviews for effectiveness.
