Introduction to Computer Security

Questions and Answers

Which of the following would be considered a prevention measure against credit card fraud?

  • Reporting fraudulent transactions to the police.
  • Checking credit card statements regularly to identify fraudulent charges.
  • Using a secure website to make purchases. (correct)
  • Canceling a credit card after a fraudulent transaction has occurred.

Which type of security measure is represented by CCTV cameras used to identify intruders?

  • Deterrence
  • Reaction
  • Prevention
  • Detection (correct)

Which of the following is NOT considered a computer security asset?

  • Operating system software
  • Physical server hardware
  • Stored user data
  • A company's marketing strategy (correct)

    Identify an example of a reaction measure when someone tries to access your computer system without authorization.

    Changing the network password to prevent further access.

    What is the principle of easiest penetration in computer security?

    Attackers will always try to exploit the weakest point in a system.

    What are examples of human threats in computing that can cause harm?

    Accidentally spilling a drink on a laptop

    Which of the following describes a random attack in computing security?

    Malicious code on a website accessible by any user

    Which of the following is NOT classified as a vulnerability in computing systems?

    Natural disasters such as floods

    What factor does NOT typically contribute to vulnerabilities in computing systems?

    Adequate physical protection of hardware

    Which statement best reflects malicious harm in the context of computer security?

    Malicious code specifically designed to damage computers

    Which type of security threat involves an unauthorized party gaining access to an asset without altering it?

    Interception

    What type of security threat involves the destruction or unavailability of a system's asset?

    Interruption

    Which scenario best exemplifies a modification attack?

    A hacker accesses a database and changes user passwords

    What defines the fabrication type of security threat?

    Inserting counterfeit objects into the system

    Which of the following is NOT an example of interruption as a security threat?

    Altering a program's functionality

    What is the primary distinction between a vulnerability and a threat in a computing system?

    A threat refers to the potential for harm, while a vulnerability is the weakness that can be exploited.

    Which of the following represents a common form of harm as outlined in the security threats?

    Interception of data

    In the context of the content provided, how can the control of a vulnerability directly impact the associated threat?

    By blocking the threat through management of the vulnerability.

    Which one of the following is NOT one of the four acts that characterize harm caused to assets in the context of security threats?

    Creation

    What scenario best illustrates the concept of a threat exploiting a vulnerability?

    An outdated firewall allowing malware access.

    Malicious code posted on a website represents a directed attack, targeting specific individuals or systems.

    False

    Errors in programs are the only vulnerability that can lead to data modification.

    False

    Accidental deletion of data falls under the category of involuntary machine-slaughter as a hardware vulnerability.

    False

    Finite or insufficient resources cannot be considered a vulnerability in computing systems.

    False

    A human mistakenly sending an email to the wrong person constitutes a malicious human-caused harm.

    False

    A vulnerability always leads to the exploitation of a threat.

    False

    Interception, interruption, modification, and fabrication are acts that characterize harm to assets in the context of security threats.

    True

    A system is considered secure if it has a vulnerability but has implemented strong monitoring procedures.

    False

    The CIA triad refers to the core principles of confidentiality, integrity, and accessibility.

    False

    Controlling a vulnerability is essential for blocking a threat from causing harm.

    True

    Confidentiality in computing security ensures that assets are accessible to all parties regardless of authorization.

    False

    Integrity in the CIA triad refers to assets being modifiable only by authorized parties in authorized manners.

    True

    Availability guarantees that assets are accessible to unauthorized parties when needed.

    False

    An access mode refers to the level of authorization given to a subject for interacting with an object.

    True

    The CIA triad applies to the user's point of view regarding security characteristics.

    False

    Encryption is primarily used to provide confidentiality and integrity for data.

    True

    Logical bombs operate independently and do not require any trigger to execute.

    False

    Physical controls can include locks and cables to deter theft.

    True

    Interception and fabrication of messages refers to unauthorized modifications to data without the intent to send altered information.

    False

    Denial of service attacks are classified under network vulnerabilities.

    True

    Study Notes

    Introduction to Computer Security

    • Computer security protects computer assets (items of value).
    • Assets include hardware, software, data, processes, storage media, and people.
    • The principle of easiest penetration means intruders will use readily available means.
    • Computer systems (hardware, software, and data) need security protection.
    • There are 3 classifications of protection: prevention, detection, and reaction.

    Prevention

    • Measures in place to avoid damage to assets.
    • Example: Locks on doors and window bars in the physical world.

    Detection

    • Measures to identify when and how assets were damaged.
    • Example: Burglar alarms, CCTV cameras.

    Reaction

    • Measures to recover assets or to recover from damage to assets.
    • Example: Calling the police or replacing a stolen item.

    Example from Cyber Security - Credit Card Fraud

    • Prevention: Use encryption when ordering and rely on merchant checks; do not use credit card numbers online.
    • Detection: Unauthorized transactions on credit card statements.
    • Reaction: Requesting a new card number, recovering cost of fraud from the issuer.

    Security Goals - CIA Triad

    • Confidentiality: Assets are available only to authorized users.
    • Integrity: Assets can be only modified by authorized users/parties and in authorized ways.
    • Availability: Assets are accessible only to authorized users when needed.

    Confidentiality

    • Ensures computer-related assets are accessed only by authorized parties.
    • Access is limited to those who have been authorized and granted access.

    Integrity

    • Assets can be only modified by authorized users/parties.
    • Integrity means different things in different contexts. Some forms include accurate, unmodified, precise, consistent, and usable.

    Availability

    • Assets are accessible to authorized parties at appropriate times.
    • Denial of service (DoS) is the opposite of availability.

    Other Protection Requirements

    • AAA system: Authentication, Authorization, and Accounting.

    Vulnerabilities and Threats

    • A vulnerability is a weakness in the system (design or implementation) that can cause loss or harm.
    • A threat is a set of circumstances that has the potential to cause loss or harm.

    Computer Network Vulnerabilities

    • Different parts of a computer network have vulnerabilities:
      • Radiation
      • Communication lines
      • Tapping
      • Cross talk
      • Unauthorized access of files
      • Hardware and software failures
      • Maintenance
      • Systems programming features
      • Improper connections/cross coupling
      • Attachments of recorders

    Security Threats

    • Interruption: An asset is destroyed or becomes unusable impacting availability.
    • Interception: An unauthorized party gains access to an asset impacting confidentiality.
    • Modification: Unauthorized parties access and tamper with an asset impacting integrity.
    • Fabrication: Unauthorized parties insert counterfeit objects/assets into the system impacting integrity.

    Examples of Security Techniques

    • Interruption: Destruction of hardware (e.g., hard disk), cutting communication lines, and disabling systems.
    • Interception: Wiretapping or illicit copying of files.
    • Modification: Data alterations or program changes.
    • Fabrication: Addition of records or inserting spurious messages.

    Security Terminology

    • Asset: Value/resource to be protected.
    • Threat: Potential cause of loss/harm.
    • Threat Agent: Individual/entity carrying out the threat.
    • Vulnerability: Weakness/flaw/fault that allows exploitation of an asset by a threat agent/entity.
    • Exploit: An action that takes advantage of a vulnerability causing loss or harm.
    • Risk: Probability of a threat (being realized against a vulnerability).

    Kinds of Threats

    • Non-human threats: Natural disasters (e.g., fires, floods), electrical power problems, failure of components (communication cables, processor chips, disk drives), and radiation issues.
    • Human threats: Benign (e.g., accidental data deletion, mistyping, sending an incorrect email) and malicious (e.g., malicious code, impersonations, random attacks, and directed attacks).

    Computer Vulnerabilities

    • Weak authentication
    • Lack of access controls
    • Program errors
    • Insufficient resources
    • Inadequate physical protection

    Data Vulnerabilities

    • Data confidentiality
    • Data integrity
    • Interception and modification of messages.

    Other Exposed Assets

    • Storage media require backups.
    • Networks easily multiply security problems (exposed medium).
    • Access to systems, data, or software can be compromised.
    • Key personnel leaving or illness.

    Methods of Defense

    • Encryption: Confidentiality, Integrity, and a basis of protocols.
    • Policies: frequent password changes, training, legal/ethical codes.
    • Physical Controls: locks on doors, backups, physical site planning.
    • Software/Hardware Controls: internal program controls, operating systems, development controls, hardware/smartcard implementations, encryption.

    Types of Attackers

    • Amateurs: normal people who exploit flaws, valuable access
    • Crackers: typically students or young adults, unauthorized access to computer facilities.
    • Career Criminals: understand computer crime targets (groups), spies, and brokers.
    • Hackers: knowledgeable about operating systems.

    Method-Opportunity-Motive

    • Malicious attackers require these 3 factors to ensure success:

      • Method: "how" of the attack
      • Opportunity: "when" of the attack
      • Motive: "why" of the attack
    • Denial of these factors can lead to unsuccessful attacks.

    • Harm minimization through risk assessments for identifying likelihood and severity of events.

    • Residual risk is the uncovered risk that remains after controls have been implemented.

    How to Make the System Secure

    • System access control: unauthorized user access prevention.
    • Data access control: Monitoring who can access which data.
    • System and security administration: Implementing procedures/training to administrators.
    • System design: Utilizing basic hardware and software security practices.

    Controls

    • Controls/countermeasures are methods of countering threats.
    • Harm occurs if a risk is realized.
    • Protection involves neutralizing threats, closing vulnerabilities, or both.
    • Several ways to deal with harm include prevention, deterrence, deflection, mitigation, detection, and recovery.

    Types of Controls

    • Physical controls: Tangible objects (locks, walls, fences, guards).
    • Procedural/Administrative controls: Rules, policies, procedures, laws, regulations, agreements.
    • Technical controls: Technology-based (passwords, access controls, firewalls, encryption, and network traffic flow regulators).

    System Access Control: Username and Password

    • First line of security defense.
    • User name (Login ID): Identification
    • Password: Authentication
    • Successful login requires valid username and password.

    System Access Control: Common Threats/Solutions

    • Password guessing (brute force, intelligent search)
    • Password spoofing
    • Compromise of password file

    Choosing Strong Passwords

    • Use diverse characters (beyond a-z).
    • Choose longer passwords.
    • Avoid common words/names.
    • Use various passwords for different accounts.
    • Regularly change passwords.
    • Do not write down passwords.
    • Do not share passwords.

    System Access Control - Defending Password Security

    • Making it compulsory to set a password.
    • Changing default passwords.
    • Establishing password length requirements.
    • Defining password formats (e.g., mix of numbers and letters).
    • Avoiding obvious passwords.
    • Implementation of password checkers.
    • Adopting password generation tools.
    • Employing password aging (expiration dates).
    • Limiting login attempts.
    • Informing users about best practices.

    Data Access Control

    • Subjects may observe/alter objects.
    • Access modes are observe and change.
    • Access rights can be determined in models like the Bell-LaPadula Model.

    Effectiveness Considerations

    • Awareness: people must understand the value of security in order to cooperate with security requirements.
    • Use of necessary controls that are easy to use and appropriate, and use combinations of overlapping controls.
    • Periodic reviews for effectiveness.


    Description

    This quiz covers the fundamentals of computer security, including the protection of computer assets such as hardware, software, and data. It delves into the three main classifications of protection: prevention, detection, and reaction, providing examples relevant to both physical and cyber security. Test your knowledge on how to secure valuable information and identify potential threats.
