SB 3: Security Basics

Question 1

Briefly explain confidentiality in security and give examples of mechanisms that support it

Answer 1

The concealment of information or resources. Indicates that data exists. It is possible to conceal the existence of data as well albeit more expensive and difficult.
Mechanisms: access control mechanisms, i.e. cryptography.

Question 2

Briefly explain integrity in security and give examples of mechanisms that support it

Answer 2

The trustworthiness of data or resources. Ensuring that data is accurate and has not been tampered with. Preventing unauthorized or improper change of data.
Data integrity: the content of the information
Origin integrity: the source of the data (aka authentication)
Mechanisms:
1. prevention - blocking unauthorized change
2. detection - reports integrity violations by analyzing events or data
Evaluation can be difficult as you have to rely on assumptions about trustworthiness.

Question 3

Briefly explain availability in security

Answer 3

The ability to use information or resources.

Question 4

What are four broad classes of threats?

Answer 4

Disclosure: unauthorized access to information
Usurpation: unauthorized control of (some parts) of a system
Deception: acceptance of false data
Disruption: interruption or prevention of correct operation

Question 5

Give examples of common attacks and “CIA” services that can help counter them

Answer 5

Snooping/eavesdropping: unauthorized interception. A passive attack. Passive wiretapping. Counter: Confidentiality services
Modification/alteration: unauthorized change. Active attack. Active wiretapping. Man-in-the-Middle attack. Counter: integrity services
Masquerading/spoofing: impersonation of an entity. Passive or active. Counter: integrity services.
Repudiation of origin: a false denial that an entity sent (or created) something. Counter: integrity services.
Denial of receipt: a false denial that an entity received something. Counter: integrity and availability services.
Delay: a temporary inhibition of a service. Counter: availability services.
Denial of Service: long-term inhibition of a service. Can be due to an attack or disruptions unrelated to security. Counter: availability services.

Question 6

What is the difference between a security policy and a security mechanism?

Answer 6

A policy is a (set) of statements about what is or is not allowed. It also describes secure and non-secure states.
A mechanism is used to enforce a policy, like preventing disallowed actions to be performed

Question 7

What is a measure for trust and ways of measuring it?

Answer 7

Called assurance, consists of a number of steps that can give some proof of the systems trustworthiness.
- Specification: statement of the desired functioning of the system
- Design: translates the specification into components that will implement them. Satisfies the specification if the design is not allowed to violate them.
- Implementation: proving a system satisfies the design. Proof of correctness.
If done properly –> minimizes problems and difficulties

Question 8

What are the two assumptions policies always make?

Answer 8

1. It correctly and unambiguously partitions system states into secure and non-secure states.
2. Security mechanisms prevent the system from entering a non-secure state.

Question 9

What assumptions are required to trust that mechanisms work?

Answer 9

1. each implement part of the policy
2. the union implements all aspects of the policy
3. tamper-proof
4. implemented, installed and administered correctly.