INFO3005.1 - Intro and Security Models Flashcards

General security terms & definitions. Learn about theoretical and practical security models. Purpose: high level, to understand what is going on; theoretical, to evaluate.

1
Q

Computer Security Model (wikipedia)

A

scheme for specifying and enforcing security policies.
A security model may be founded upon
a formal model of access rights,
a model of computation,
a model of distributed computing,
or no particular theoretical grounding at all.

2
Q

Security is there to ensure

A
  • Confidentiality
  • Integrity
  • Availability, also;
  • Authenticity - is it from who it says it's from, is it genuine; uses digital signatures
  • Non-repudiation - law focused, obligation of the contract. You cannot say you did not send/receive. Tech helps, but it is law based.
3
Q

We protect hardware, software, data from

A
Vulnerabilities
Threats
Attacks
through 
Control as a protective measure
4
Q

Vulnerability

A

Weakness in the security system,
in procedures,
design, or
implementation,
might be exploited to cause loss or harm.
(e.g. unauthorized data manipulation because the system does not verify a user’s identity before allowing data access)

5
Q

Threat

A

(to a computing system) is a set of circumstances that has the potential to cause loss or harm.

6
Q

Attack

A

A human who exploits a vulnerability perpetrates an attack on the system. An attack can also be launched by another system, as when one system sends an overwhelming set of messages to another, virtually shutting down the second system’s ability to function.

7
Q

Control

A

Protective measure
a control is an action, device, procedure, or technique that removes or reduces a vulnerability
A threat is blocked by control of a vulnerability

8
Q

devising controls

A

means knowing as much about threats as possible

9
Q

Four kinds of threat

A

Interception
Interruption
Modification
Fabrication

10
Q

Interception

A

Unauthorized party has gained access to an asset. Can be:
person,
program,
computing system.
e.g. illicit copying of program or data files,
wiretapping to obtain data in a network.
Although a loss may be discovered fairly quickly, a silent interceptor may leave no traces by which the interception can be readily detected.

11
Q

Interruption

A

Asset of the system becomes lost, unavailable, or unusable.
e.g. malicious destruction of a hardware device,
erasure of a program or data file,
malfunction of an operating system file manager so that it cannot find a particular disk file.

12
Q

Modification

A

Unauthorized party not only accesses but tampers with an asset
e.g. someone might change the values in a database,
alter a program so that it performs an additional computation,
modify data being transmitted electronically.
It is even possible to modify hardware.
Some cases of modification can be detected with simple measures, but other, more subtle, changes may be almost impossible to detect.

13
Q

Fabrication

A

Unauthorised party might create a fabrication of counterfeit objects on a computing system.
The intruder may insert spurious transactions to a network communication system or add records to an existing database.
Sometimes these additions can be detected as forgeries, but if skillfully done, they are virtually indistinguishable from the real thing.

14
Q

Malicious attacker must have 3 things - MOM

A

Method
Opportunity
Motive

15
Q

Method

A

the skills, knowledge, tools, and other things with which to be able to pull off the attack

16
Q

Opportunity

A

the time and access to accomplish the attack

17
Q

Security goals

A
  • Confidentiality
  • Integrity
  • Availability, also;
  • Authenticity - is it from who it says it's from, is it genuine; uses digital signatures
  • Non-repudiation - law focused, obligation of the contract. You cannot say you did not send/receive. Tech helps, but it is law based.
18
Q

Confidentiality

A

Confidentiality ensures that computer-related assets are accessed only by authorized parties.
Only those who should have access to something will actually get that access.
By “access,” we mean not only reading but also viewing, printing, or simply knowing that a particular asset exists.
Confidentiality is sometimes called secrecy or privacy.

19
Q

Integrity

A

Integrity means that assets can be modified only by authorized parties or only in authorized ways. In this context, modification includes writing, changing, changing status, deleting, and creating.

20
Q

Availability

A

Availability means that assets are accessible to authorized parties at appropriate times. In other words, if some person or system has legitimate access to a particular set of objects, that access should not be prevented. For this reason, availability is sometimes known by its opposite, denial of service.

21
Q

More on Integrity

A
When we say that we have preserved the integrity of an item, we may mean that the item is
- precise
- accurate
- unmodified
- modified only in acceptable ways
- modified only by authorized people
- modified only by authorized processes
- consistent
- internally consistent
- meaningful and usable
or two or more of these combined
22
Q

Three aspects of integrity

A

authorised actions
separation and protection of resources
error detection and correction

23
Q

More on availability

A

applies to both data and services
(information and information processing)

an object or service is thought to be available if

  • It is present in a usable form.
  • It has capacity enough to meet the service’s needs.
  • It is making clear progress, and, if in wait mode, it has a bounded waiting time.
  • The service is completed in an acceptable period of time.
24
Q

more more on availability

A

We say a data item, service, or system is available if

  • There is a timely response to our request.
  • Resources are allocated fairly so that some requesters are not favored over others.
  • The service or system involved follows a philosophy of fault tolerance, whereby hardware or software faults lead to graceful cessation of service or to work-arounds rather than to crashes and abrupt loss of information.
  • The service or system can be used easily and in the way it was intended to be used.
  • Concurrency is controlled; that is, simultaneous access, deadlock management, and exclusive access are supported as required.
25
Q

Principle of Easiest Penetration:

A

An intruder must be expected to use any available means of penetration. The penetration may not necessarily be by the most obvious means, nor is it necessarily the one against which the most solid defense has been installed. And it certainly does not have to be the way we want the attacker to behave.
This principle implies that computer security specialists must consider all possible means of penetration. Moreover, the penetration analysis must be done repeatedly, and especially whenever the system and its security change. People sometimes underestimate the determination or creativity of attackers. Remember that computer security is a game with rules only for the defending team: The attackers can (and will) use any means they can.

26
Q

Security models are used to

A
  • test a particular policy for completeness and consistency
  • document a policy
  • help conceptualize and design an implementation
  • check whether an implementation meets its requirements
27
Q

Policies on user permissions - checking them against models

A

a policy decision determines whether a specific user should have access to a specific object; the model is only a mechanism that enforces that policy. Thus, we begin studying models by considering simple ways to control access by one user.

28
Q

Static Security Model

A
T - some treasure
O - owner
F - a foe
D - a defence
We also need
A - access
G - a guard following 
P - a procedure
The foe may try to
B - Break the defence
There might be a
E - Code of Ethics
The Treasure could be
C - Converted into a 
T - Transformed  state (encrypt)
There also might be 
A layered defence
A guard dog
A watchdog
29
Q

An Information passing security model

A
I - Information
C - Communicated
P - Processed
A - Leading to a resultant Action
Attack may come in these ways:
- corruption of original info
- disruption of communication
- corruption of information in transit
- interference with processing of information
- nullification of action
30
Q

Motive

A

a reason to want to perform this attack against this system

31
Q

Security is there to ensure

A
  • Confidentiality
  • Integrity
  • Availability, also;
  • Authenticity - is it from who it says it's from, is it genuine; uses digital signatures
  • Non-repudiation - law focused, obligation of the contract. You cannot say you did not send/receive. Tech helps, but it is law based.