Untitled Quiz

Questions and Answers

Study Notes

Security in Computing - Chapter 1

• Objectives: Define computer security and basic security terms, introduce the C-I-A triad, introduce access control terminology, explain basic threats, vulnerabilities, and attacks, show how controls map to threats.
• Information Security: Protects sensitive information from unauthorized activities (inspection, modification, recording, disruption, or destruction). The goal is to ensure the safety and privacy of critical data (customer accounts, financial data, intellectual property).
• Computer Security: Protection of computer system assets: hardware, software, and data.
• Assets:
• Hardware: Computer, devices (disk drives, memory, printer), network gear.
• Software: Operating system, utilities (antivirus), commercial applications (word processing, photo editing), individual applications.
• Data: Documents, photos, music, videos, email, class projects.
• Values of Assets:
• Hardware: Off the shelf, easily replaceable.
• Software: Off the shelf, easily replaceable.
• Data: Unique, irreplaceable.
• Basic Terms: Vulnerability, threat, attack, countermeasure (control).
• Vulnerability: A weakness in a security system (procedures, design, or implementation) that can be exploited.
• Threat: A set of circumstances with the potential to cause loss or harm (violation of security).
• Attack: A human (criminal) exploiting a vulnerability.
• Control (Countermeasure): An action, device, procedure, or technique to remove or reduce a vulnerability.
• Threat and Vulnerability Relationship: A threat is blocked by a control of a vulnerability. Understanding threats is key to creating effective controls.
• C-I-A Triad: Confidentiality, integrity, availability.
• Confidentiality: Ensuring that computer-related assets are accessed only by authorized parties (secrecy, privacy).
• Integrity: Ensuring that assets can be modified only by authorized parties or only in authorized ways (writing, changing, deleting, creating).
• Availability: Ensuring that assets are accessible to authorized parties at appropriate times (often known by its opposite - denial of service).
• Access Control: Policy of who, what, and how. Subject (who) + Mode of access (how) + Object (what) = Yes/No.
• Types of Threats: Natural causes (fire, power failure), human causes (benign intent - human error, malicious intent - random/directed attacks (malicious code, impersonation)).
• Types of Attackers: Hacker, individual, terrorist, organized crime member, criminal-for-hire, loosely connected group.
• Types of Harm: Interception (unauthorized access), interruption (inaccessibility), modification (tampering), fabrication (creating counterfeit objects).
• Method-Opportunity-Motive (MOM): The three things required for a malicious attacker: Method(how), opportunity (when), motive (why).
• Controls/Countermeasures: Physical, procedural, and technical.
• Types of Malware: Virus, worm, Trojan horse, bots, rootkit, remote-access trojan (RAT), spyware.
• Security Goals: Prevention, detection, recovery.

Security in Computing - Additional Chapters (from overview)

• Chapter 2: Toolbox: Authentication, Access Control, and Cryptography
• Chapter Additional Content: Describing identification versus authentication, several means of authentication (something you know, something you are, something you have - and factors related to location and behavior), concepts of cryptography (the study of encryption and decryption).
• Chapter 3: Program Security (various types of attacks), stack overflow, incomplete mediation, and more
• Chapter 4: Access Control Policies & Administration, access matrix, access control directory, privilege lists.
• Chapter 5: Multilevel Databases, sensitive attributes and associated security issues, and proposals to address these situations.
• Additional Topics Covered: Malware activation, virus effects, virus detection, code testing, good and bad design principles, various methods, example of different types of controls.
• Summary: Vulnerabilities, threats, attacks, and security controls for computers and computing systems.