comp3521 chapter 13


Questions and Answers

Which of the following best describes the focus of security engineering?

  • Providing a framework for ethical hacking practices.
  • Developing systems that can resist malicious attacks. (correct)
  • Creating systems that are user-friendly and accessible.
  • Ensuring systems operate efficiently under normal conditions.

Which security dimension is primarily concerned with preventing unauthorized access to information?

  • Integrity
  • Accountability
  • Confidentiality (correct)
  • Availability

What is the main goal of infrastructure security?

  • Securing individual application systems.
  • Protecting against physical threats to hardware.
  • Maintaining the security of all systems and networks that provide shared services. (correct)
  • Ensuring the secure operation and use of an organization's systems by users.

In which layer of a system are reusable components and libraries most likely to be compromised?

Application (B)

Which of the following describes application security?

A software engineering problem where the system is designed to resist attacks. (D)

What is the primary focus of operational security?

Ensuring that people do not take actions that compromise system security. (B)

How does security relate to dependability in a networked system?

An insecure, networked system's reliability and safety claims are unreliable. (B)

Which of the following best describes a 'threat' in security terminology?

Circumstances that have the potential to cause loss or harm. (A)

In the context of the Mentcare system, which scenario exemplifies an interruption threat?

A denial-of-service attack on the system's database server. (A)

What is the goal of 'vulnerability avoidance' as a security assurance technique?

To design the system so that vulnerabilities do not occur. (C)

How does security relate to system reliability?

Security breaches can compromise system reliability. (D)

What is the primary aim of most resilience work on networked software systems?

Deterring, detecting, and recovering from cyberattacks. (A)

What is the main purpose of organizational security policies?

To inform everyone in the organization about security. (D)

What is a key consideration when determining the level of protection required for different types of assets?

The sensitivity and potential consequences of loss for those assets. (C)

Which factor primarily drives risk management according to the text?

An organizational security policy. (A)

What is the main goal of performing a preliminary risk assessment?

To identify generic risks and determine if an adequate security level can be achieved at a reasonable cost. (B)

During which phase of the system development life cycle does design risk assessment take place?

Throughout the system development life cycle. (A)

What does operational risk assessment primarily focus on?

The use of the system and the potential risks arising from human behaviour. (D)

How do security specifications differ from safety requirements specifications?

Attackers may conceal the cause of the failure. (C)

Which type of security requirement is concerned with ensuring that users cannot deny performing an action?

Non-repudiation requirements. (B)

What is the main goal of risk avoidance requirements?

To design the system so that certain risks cannot arise. (A)

In the preliminary risk assessment process, what follows 'threat identification'?

Attack assessment (C)

Which step in security risk assessment involves determining the potential damages associated with each asset?

Exposure assessment (B)

In the Mentcare system asset analysis, what is the primary exposure associated with the loss of the patient database?

High financial loss and possible patient harm. (B)

Which control is proposed to mitigate the threat of unauthorized users gaining access as system managers and making the system unavailable?

Only allow system management from physically secure locations. (A)

What security requirement is directly related to protecting patient information at the start of a clinic session?

Download patient information to a secure area on the system client. (B)

Which of the following corresponds to an interruption threat?

Attacker makes part of a system unavailable. (C)

What is the attack in a Mentcare system's 'intercept transfer' misuse case?

A network monitor being added to the system. (B)

Which protocol, providing certificate-based authentication and encryption, must all communications between the client and the server use?

Secure Socket Layer (SSL) (D)

When designing a secure system, what should happen with security?

Security should be designed into a system (C)

How can additional security checks affect a system?

It slows down a system. (C)

Why might a system's design be re-evaluated?

Vulnerabilities that arise from design choices (B)

If a system separates patient and treatment information does this limit the amount of information that needs to be protected?

Yes (B)

In system distribution, what may each platform have?

Separate protection features (D)

Which is considered a security guideline?

Avoid a single point of failure (B)

If a user maintains a log of user actions, what can that do?

Can be analyzed to discover who did what (A)

Which guideline can simplify recoverability after a successful attack?

Design for recoverability (D)

How can program reliability improve system security?

Programs without array bound checking can crash (B)

Which action is specified for dependable programming?

Provide a handler for all exceptions. (A)

What are security requirements?

Security requirements are 'shall not' requirements (A)

How might security engineering be described?

A subfield of computer security, utilizing tools and techniques to develop systems that resist malicious attacks. (D)

How is system 'integrity' defined as a security dimension?

Maintaining the accuracy and reliability of information within a system. (C)

Which security level focuses on the secure operation and use of an organization's systems?

Operational security (D)

Why is application security considered a software engineering problem?

Because applications must be designed to resist attacks. (A)

What is the importance of 'attack monitoring, detection, and recovery' in system security management?

To prevent unauthorized access through proactive system surveillance and strategic response planning. (C)

How can an insecure networked system affect statements about its reliability and safety?

It makes the statements unreliable because intrusion can alter the system's data and/or execution. (A)

In the context of security terminology, what does 'exposure' refer to?

Possible loss or harm to a computing system following a security breach. (A)

What exemplifies a modification threat?

An attacker altering or destroying a patient record. (D)

What does 'exposure limitation and recovery' achieve in security assurance?

It minimizes the adverse consequences of a successful attack through measures like backup policies. (D)

How does a system being attacked and its data corrupted affect its reliability?

It compromises the reliability of the system, potentially leading to system failures. (C)

Why is security considered a business issue rather than just a technical one?

Because security risk analysis is a business process that impacts security decisions and organizational policy. (B)

What is the purpose of organizational security policies?

To set out general information access strategies that apply across the organization and define security goals. (C)

Why might it not be cost-effective to apply stringent security measures to all organizational assets?

Because many assets are not confidential and can be made freely available. (D)

What primarily drives risk management in an organization?

An organizational security policy (C)

What is the aim of a preliminary risk assessment?

To identify generic risks applicable to the system and determine if an adequate security level is achievable at a reasonable cost. (A)

What factor informs design risk assessment during the system development life cycle?

Technical system design and implementation decisions (B)

What is the focus of operational risk assessment?

The use of the system and possible risks arising from human behaviour. (B)

How do security specifications contrast with safety requirements specifications?

Safety specifications focus on accidental problems, while security specifications address threats from intelligent adversaries. (A)

Which type of security requirement ensures that risks are prevented by system design?

Risk avoidance requirements (A)

In the preliminary risk assessment process, what action follows 'asset value assessment'?

Exposure assessment (B)

According to the asset analysis for the Mentcare system, what is the primary exposure of the information system?

High financial loss due to clinic cancellations, costs of system restoration, and possible patient harm if treatment is affected. (C)

What control could mitigate the threat of an unauthorized user gaining access as a system user and accessing confidential information?

Requiring all users to authenticate themselves using biometrics and logging all changes to patient information. (D)

In the Mentcare system, what is a specified security requirement?

Patient information must be downloaded at the start of a clinic session to a secure area on the system client, for use by clinical staff. (B)

What is an 'interception threat'?

A threat that allows an attacker to gain access to an asset. (A)

According to misuse cases, what type of threat is 'impersonate receptionist'?

Interception threat (C)

How should security be considered in relation to system design?

Security should be a primary consideration and designed into a system from the outset. (A)

How might additional security checks affect a system's attributes?

They may enhance security but can slow down the system and reduce usability. (B)

When is design risk assessment performed?

During the system development life cycle and after deployment. (D)

In a system that separates patient and treatment information, what is the benefit?

It limits the amount of information that needs to be protected. (B)

What is typically a characteristic of each platform in a distributed system?

Each platform has separate protection features that may be different from other platforms. (A)

'Base security decisions on an explicit security policy' is an example of what?

A design guideline (B)

What is the benefit of maintaining a log of user actions?

It can be analyzed to discover who did what, potentially deterring irresponsible behaviour. (C)

Which security guideline can simplify recoverability after a successful attack?

Design for recoverability (C)

What is the goal of dependable programming?

To prevent coding errors that affect program reliability and thus system security. (C)

What is the primary focus of security testing?

Assessing the extent to which the system can protect itself from external attacks. (D)

What distinguishes security validation from other forms of testing?

It explicitly checks which security requirements shouldn't happen. (A)

What constitutes Experience-based security testing?

The system being analyzed against known attack methods. (D)

Flashcards

Security engineering

Tools, techniques, and methods to develop and maintain systems that resist malicious attacks.

Confidentiality

Ensuring information isn't disclosed to unauthorized people or programs.

Integrity

Ensuring information is not damaged or corrupted in a way that makes it unreliable.

Availability

Ensuring access to a system and its data is possible when needed.

Infrastructure security

Maintaining the security of systems and networks that provide shared services.

Application Security

Concerned with the security of individual application systems or related groups of systems.

Operational Security

The secure operation and use of the organization's systems

User and permission management

Adding, removing users, and setting up appropriate permissions for users.

Software deployment and maintenance

Installing and configuring systems to avoid vulnerabilities

Attack monitoring, detection, and recovery

Monitoring the system, designing resistance, and developing recovery strategies.

System security

The system's ability to protect itself from accidental or deliberate external attacks.

Asset

Something of value which has to be protected

Attack

An exploitation of a system's vulnerability, often external and deliberate.

Control

A protective measure that reduces a system's vulnerability

Exposure

Possible loss or harm to a computing system, like data loss or time wasted.

Threat

Circumstances with the potential to cause loss or harm.

Vulnerability

A weakness in a system that can be exploited to cause loss or harm.

Interception threats

Allow an attacker to gain access to an asset

Interruption threats

Allow an attacker to make part of the system unavailable.

Modification threats

Allow an attacker to tamper with a system asset

Fabrication threats

Allow an attacker to insert false information into a system

Vulnerability avoidance

Designing systems so vulnerabilities do not occur.

Attack detection and elimination

Designing systems to detect and neutralize attacks before they cause exposure.

Exposure limitation and recovery

Designing systems to minimize the adverse consequences of a successful attack.

Security and resilience

A system characteristic reflecting the ability to resist and recover from damaging events.

Security policies

General information access strategies that apply across the organization

Security risk assessment and management

Concerned with assessing possible losses from attacks and balancing with security costs.

Preliminary risk assessment

To identify generic risks applicable to the system for adequate security at reasonable cost.

Design risk assessment

Takes place during development, informed by system design and implementation.

Operational risk assessment

Focuses on how the system is used and risks from human behavior.

Risk avoidance requirements

Set out risks that should be avoided by design.

Risk detection requirements

Define mechanisms that identify and neutralize the risk before losses occur.

Risk mitigation requirements

Set out how the system should recover from and restore system assets after a loss.

Asset identification

Identify system assets that need to be protected.

Asset value assessment

Estimate the value of identified assets.

Exposure assessment

Assess potential losses associated with each asset.

Threat identification

Identify the most probable threats to system assets.

Attack assessment

Decompose threats into possible system attacks.

Control identification

Propose controls to protect assets.

Feasibility assessment

Assess the technical feasibility and cost of controls.

Security requirements definition

Define system security requirements for infrastructure or applications.

Misuse cases

Instances of threats to a system.

Security design

Security must be designed into a system from the beginning, not added afterwards.

Design compromises

Adding features that enhance a system's security may compromise other attributes, such as performance and usability.

Design Risk Assessment

Assess vulnerabilities that arise from design choices

Protection requirements

Protection requirements can be decided once the distribution of the system across platforms is known.

Platform-level protection

Top-level controls on the platform on which a system runs.

Application-level protection

Mechanisms built into the application itself.

Record-level protection

Invoked when access to specific information is requested.

Distribution

Distributing assets and services so that an attack on one system does not cause the entire system to collapse.

Security guidelines

Base security decisions on an explicit security policy

Avoid a single point of failure

Security should not depend on a single mechanism; more than one failure in security procedures should be needed before an attack succeeds.

Fail securely

Ensure sensitive information cannot be accessed when security procedures are unavailable

Balance security and usability

Keep security measures easy to use so that users do not bypass them.

Log user actions

Keep a log that can be analyzed to find out who did what.

Use redundancy and diversity to reduce risk

Multiple copies of data or diverse infrastructure so a vulnerability isn't one point of failure

Specify the format of all system inputs

Check all system inputs are in range and don't cause problems

Compartmentalize your assets

Organize the system so that assets are kept in separate areas and users only have access to the information they need.

Design for deployment

Design the system to avoid deployment problems

Design for recoverability

Design the system to simplify recoverability after a successful attack

Dependable programming guidelines

Coding practices that improve a program's reliability and thereby system security.

Security testing

Testing the extent to which a system can protect itself from external attacks.

Experience-based testing

The system is reviewed and analyzed against known types of attack.

Penetration testing

A team tries to breach the system's security.

Tool-based analysis

Tools such as a password checker can be used to analyze the system.

Formal verification

The system is verified against a formal security specification.

Study Notes

Security Engineering

  • Security engineering involves using tools, techniques, and methods to develop and maintain systems resilient to malicious attacks aiming to damage computer-based systems or their data.
  • Security engineering is a subfield of computer security.

Security Dimensions

  • Confidentiality ensures that information in a system is not disclosed or made accessible to unauthorized people or programs.
  • Integrity ensures that information in a system is not damaged or corrupted, maintaining its accuracy and reliability.
  • Availability ensures authorized users can access a system or its data when needed.

Security Levels

  • Infrastructure security maintains the security of all systems/networks providing shared services to an organization.
  • Application security focuses on securing individual application systems or related groups of systems.
  • Operational security ensures the secure operation and use of organizational systems.

System Layers

  • Security can be compromised in various system layers, including:
    • Application
    • Reusable components and libraries
    • Middleware
    • Database management
    • Generic, shared applications (browsers, emails)
    • Operating System
    • Network
    • Computer hardware

Application Security vs. Infrastructure Security

  • Application security is a software engineering challenge where the system is designed with security in mind.
  • Infrastructure security is a systems management challenge where the infrastructure is configured for security.

System Security Management

  • User and permission management involves adding/removing users and setting appropriate permissions.
  • Software deployment and maintenance involves installing/configuring software and middleware to avoid vulnerabilities.
  • Attack monitoring, detection, and recovery involves monitoring for unauthorized access, designing resistance strategies, and developing backup/recovery plans.

Operational Security

  • Operational security is a human and social issue focused on preventing actions that compromise system security.
  • Users might take insecure actions for convenience, thus system security must be balanced against system effectiveness and usability.

Security and Dependability

  • Security is a system property reflecting its ability to protect itself from accidental or deliberate external attacks.
  • Security is essential for networked systems due to the possibility of external access via the internet.
  • Security is a prerequisite for availability, reliability, and safety.
  • Insecure networked systems lead to unreliable statements about system safety and reliability.
  • Intrusion can alter the executing system and/or its data, thus invalidating reliability and safety assurances.

Security Terminology

  • Asset: Something of value, such as software or data, that must be protected.
  • Attack: Exploitation of a system’s vulnerability, often from outside the system, intending to cause harm.
  • Control: A protective measure, like encryption, that reduces a system's vulnerability.
  • Exposure: Possible loss or harm to a computing system, such as data loss or the time and effort for recovery.
  • Threat: Circumstances with potential to cause loss or harm, like a system vulnerability being targeted by an attack.
  • Vulnerability: A weakness in a computer-based system that can be exploited to cause harm.

Security Terminology (Mentcare example)

  • Asset: Patient records.
  • Exposure: Potential financial loss, legal action, or reputation damage due to data breaches.
  • Vulnerability: Weak password systems.
  • Attack: Impersonation of an authorized user.
  • Threat: Unauthorized access via password guessing.
  • Control: Password checking systems banning dictionary words.

Threat Types

  • Interception threats allow attackers to gain access to an asset, exemplified by unauthorized access to patient records.
  • Interruption threats make part of the system unavailable, potentially through a denial of service attack.
  • Modification threats allow attackers to tamper with a system asset, like altering or destroying patient records.
  • Fabrication threats enable attackers to insert false information into a system, such as adding false transactions.

Security Assurance

  • Vulnerability avoidance designs the system to avoid vulnerabilities, for instance, by eliminating external connections.
  • Attack detection and elimination detects and neutralizes attacks on vulnerabilities before they cause exposure.
  • Exposure limitation and recovery minimizes the consequences of successful attacks; for example, a backup policy allows for compromised information to be restored.

Security and Reliability

  • Attacks that corrupt a system or its data can induce system failures, compromising reliability.

Security and Availability

  • A common web-based system attack to affect availability is a denial of service, which floods the web server with a high volume of service requests.

Security and Safety

  • An attack that corrupts the system or its data means that assumptions about safety may no longer hold.
  • Altered safety assumptions may induce safety-related failures and invalidate the safety case made for the software.

Security and Resilience

  • Resilience is a system characteristic that reflects its ability to resist and recover from damaging events.
  • Resilience work is aimed at deterring, detecting and recovering from cyberattacks.

Security as a Business Issue

  • Security is expensive, so security decisions are to be made in a cost-effective manner.
  • A security risk analysis is a business process, not a technical process.
  • There is no point in spending more than the value of an asset to keep that asset secure.
  • Organizations use a risk-based approach to support security decision making with a defined security policy.

Organizational Security Policies

  • Security policies offer strategies for information access across the organization.
  • The security policy should be concise and informative, not a detailed technical document.
  • The security policy defines the security goals of the organization; security engineering implements these.

Security Policies Topics

  • Assets that must be protected, focusing on cost-effectiveness.
  • The level of protection required for assets, based on sensitivity.
  • Responsibilities of individual users, managers, and the organization, such as defining password practices.
  • Existing security procedures and technologies that should be maintained even with known limitations, based on practicality and cost.

Security Risk Assessment and Management

  • Risk assessment and management weighs the possible losses from system attacks against the cost of risk-reducing security procedures.
  • Risk management should adhere to an organizational security policy.
  • Risk management involves:
    • Preliminary risk assessment
    • Life cycle risk assessment
    • Operational risk assessment

Preliminary Risk Assessment

  • The aim of initial risk assessment is to identify generic risks applicable to the system to achieve an adequate security level at a reasonable cost.
  • The risk assessment focuses on identification and analysis of high-level risks.
  • Risk assessment outcomes identify security requirements.

Design Risk Assessment

  • This includes risk assessment during the system development life cycle that informs technical design and implementation decisions.
  • Assessment results may change security requirements.
  • Known vulnerabilities determine how functionalities are implemented, tested, and deployed.

Operational Risk Assessment

  • This focuses on how the system is used and the possible risks arising from human behaviour.
  • This should continue after system installation.
  • Organizational changes lead to new security requirements.

Security Specification Similarities

  • Security specification aligns with safety requirements specification by focusing on preventing adverse incidents.

Security Specification Differences

  • Safety issues arise from accidents or errors, whereas security addresses hostile attacks that exploit system weaknesses.
  • The causes of safety failures can usually be identified, while attackers may conceal the cause of security failures.
  • Shutting down a system can prevent safety failures, but causing a shutdown is sometimes the aim of an attack.
  • Attacks are deliberate: attackers actively seek to discover weaknesses over time.

Types of Security Requirements

  • Identification, Authentication, Authorization, Immunity, Integrity, Intrusion detection, Non-repudiation, Privacy, Security auditing, System maintenance safety

Security Requirement Classification

  • Risk avoidance requirements set out the risks that should be avoided by designing the system so that they cannot arise.
  • Risk detection defines mechanisms to identify and neutralize the risk.
  • Risk mitigation sets out how the system should recover and restore system assets after a loss occurs.

Security Risk Assessment Process

  • The process includes:
    • Asset Identification
    • Asset Value Assessment
    • Exposure Assessment
    • Threat Identification
    • Attack Assessment
    • Control Identification
    • Feasibility Assessment
    • Security Requirement Definition.

Preliminary Risk Assessment Report - Assets (Mentcare)

  • The information system
    • Value: supports all clinical operations and is potentially safety-critical.
    • Exposure: potentially high financial loss if clinics have to be cancelled, plus the high cost of restoring the system.
  • The patient database
    • Value: supports all clinical operations and is potentially safety-critical.
    • Exposure: high financial loss if clinics have to be cancelled, plus the high cost of restoring the system.
  • An individual patient record
    • Value: normally low, but may become highly valuable for high-profile patients.
    • Exposure: low direct losses, but possible loss of reputation.

Preliminary Risk Assessment Report - Threats (Mentcare)

  • Threat: an unauthorised user gains access as a system manager and makes the system unavailable.
    • Control: only allow system management from specific locations that are physically secure.
      • Feasibility: low cost, but keys must be available in the event of an emergency.
  • Threat: an unauthorised user gains access to highly confidential information.
    • Controls: require a biometric authentication mechanism; log all usage of patient information.
      • Feasibility: technically feasible but high cost; low user resistance to using the software.

Security Requirements For Mentcare

  • Patient information must be downloaded to a secure area on the clinical staff system client.
  • All patient information held on the system client must be encrypted.
  • Patient information must be uploaded to the database at the end of a clinic session and then deleted from the client.
  • A log of activity on the system database must be maintained on a computer separate from the database server.

Types of Misuse Cases

  • Misuse cases are instances of threats to a system.
  • The four types are Interception, Interruption, Modification and Fabrication.

Mentcare system: Transfer data (actors, description, data, stimulus, response and comments)

  • Actors: medical receptionist, patient records system (PRS).
  • Description: a receptionist can transfer data to the patient records system to update patient diagnosis, treatment and personal information.
  • Data: patient's personal information, treatment summary.
  • Stimulus: user command issued by the medical receptionist.
  • Response: confirmation from the PRS.
  • Comments: the medical receptionist must have the appropriate permissions to access the PRS.

Mentcare system: Intercept transfer (Misuse case)

  • Actors: medical receptionist, patient records system, attacker.
  • Description: a receptionist transfers data from their system to the Mentcare system; an attacker intercepts the data transfer and stores the data.
  • Data: patient's personal information and treatment summary.
  • Attack: a network interceptor is added to capture the transfer, and a fake server is set up to pose as the database so that the data is sent to it instead.

Mentcare system: Intercept transfer (Misuse case) - Mitigation

  • Networking equipment must be kept in a locked room, and engineers accessing the equipment must be accredited.
  • All data transferred between client and server must be encrypted.
  • Client-server communication must be authenticated using certificates.
  • All communication must use a secure socket layer, for example the HTTPS protocol, and meet the required encryption standards.

Secure Systems Design

  • Security must be designed into the system from the start; it is very difficult to make an insecure system secure after it has been built.

Design Compromises

  • Adding security to a system affects its other attributes, in particular performance and usability for the people who use it.

Design Risk Assessment

  • Risk can be assessed while the system is being developed or after it has been deployed.
  • At design time more information is available: the system platform, middleware and data organisation are known.
  • Vulnerabilities that arise from development choices can therefore be identified.

Protection Requirements

  • Protection requirements derive from how information is represented and presented in the system.
  • Separating patients' personal information from treatment information limits the amount of personal patient data that needs to be protected.

Protected copies of records

  • Keeping local copies of patient records protects against denial-of-service attacks on the central system.

Design decisions from COTS use

  • Authenticate users with a name/password combination.
  • The system architecture is client-server, with the client accessed through a web browser.
    • Information is then presented to the user in a web form.

Security Requirements

  • Password checking shall be available, and its results shall be reported to the system administrator.
  • Access shall only be allowed from approved client systems.
    • All clients must use a single approved web browser.

Architecture Design

  • Protection: how the system should be organised so that its critical assets can be protected.
  • Distribution: how assets should be distributed across the system.
    • Distributing assets makes them more expensive to protect, and the chosen distribution also involves performance compromises.

Aspects of Secure Systems programming

  • Vulnerabilities are often language-specific.
  • Array bound checking is automatic in Java, so out-of-bounds array access is not a vulnerability that can be exploited in Java code running on the server.
  • Programs written in languages without bound checking can crash on out-of-bounds access, so improving program reliability also improves the security of the system.

Design guidelines for security programming

    1. Limit the visibility of information in a program.
    2. Check all inputs for validity.
    3. Provide a handler for all exceptions.
    4. Minimise the use of error-prone constructs.
    5. Provide restart capabilities.
    6. Check array bounds.
    7. Include timeouts when calling external components.
    8. Name all constants that represent real-world values.

Security testing and assurance

  • Security testing assesses the extent to which a system can protect itself from external attacks.
  • Security requirements are 'shall not' requirements: they specify what the system must not do, but they can be restated as constraints that can be checked in the system.
  • Attackers are intelligent and actively search for vulnerabilities and loopholes in the system.

Security Validation

  • Experience-based validation: the system is reviewed and analysed against the types of attack that the validation team knows of.

  • Penetration testing: a team is established with the goal of breaching the system, simulating the kinds of attack that might be mounted against it.

Secure Systems Programming Attributes

  • Vulnerabilities are often language-specific, and security vulnerabilities are closely related to program reliability.
  • Different programming languages and coding structures are exposed to different vulnerabilities.
