Security Principles

Question 1

What are the terms for the security triad?

Answer 1

CIA:

Confidentiality
Integrity
Avaliability

Question 2

What does C in CIA stand for, and what does it mean?

Answer 2

Confidentiality

It ensures that only the intended persons or recipients can access the data

Question 3

What does I in CIA stand for, and what does it mean?

Answer 3

Integrity

It aims to ensure that the data cannot be altered; moreover, we can detect any alteration if it occurs

Question 4

What does A in CIA stand for, and what does it mean?

Answer 4

Avaliability

It aims to ensure that the system or service is available when needed

Question 5

What are two other terms that can be used beyond CIA?

Answer 5

Authenticity

Nonrepudiation

Question 6

What does Authenticity mean?

Answer 6

Authentic means not fraudulent or counterfeit. Authenticity is about ensuring that the document/file/data is from the claimed source

Question 7

What does Nonrepudiation mean?

Answer 7

Repudiate means refusing to recognize the validity of something. Nonrepudiation ensures that the original source cannot deny that they are the source of a particular document/file/data. This characteristic is indispensable for various domains, such as shopping, patient diagnosis, and banking

Question 8

What are the terms of the triad for attacking a system?

Answer 8

DAD

Disclosure
Alteration
Destruction/Denial

Question 9

What does the first D in DAD stand for, and mean?

Answer 9

Disclosure

It is the opposite of confidentiality. In other words, disclosure of confidential data would be an attack on confidentiality

Question 10

What does the A in DAD stand for, and mean?

Answer 10

Alteration

It is the opposite of Integrity. For example, the integrity of a cheque is indispensable

Question 11

What does the second D in DAD stand for, and mean?

Answer 11

Destruction/Denial

It is the opposite of Availability

Question 12

What does the Bell-LaPadula Model aim to achieve, and what are its three rules?

Answer 12

Confidentiality

Simple Security Property
Star Security Property
Discretionary-Security Property

Question 13

What is the Simple Security Property of the Bell-LaPadula Model?

Answer 13

This property is referred to as “no read up”; it states that a subject at a lower security level cannot read an object at a higher security level. This rule prevents access to sensitive information above the authorized level

Question 14

What is the Star Security Property of the Bell-LaPadula Model?

Answer 14

This property is referred to as “no write down”; it states that a subject at a higher security level cannot write to an object at a lower security level. This rule prevents the disclosure of sensitive information to a subject of lower security level

Question 15

What is the Discretionary-Security Property of the Bell-LaPadula Model?

Answer 15

This property uses an access matrix to allow read and write operations. An example access matrix is shown in the table below and used in conjunction with the first two properties

Question 16

What does the Biba Model aim to achieve, and what are the two rules?

Answer 16

Integrity

Simple Integrity Property
Star Integrity Property

Question 17

What is the Simple Security Property of the Biba Model?

Answer 17

This property is referred to as “no read down”; a higher integrity subject should not read from a lower integrity object

Question 18

What is the Star Security Property of the Biba Model?

Answer 18

This property is referred to as “no write up”; a lower integrity subject should not write to a higher integrity object

Question 19

What does the Clark-Wilson Model aim to achieve and what are the following concepts?

Answer 19

Integrity

Constrained Data Item (CDI)
Unconstrained Data Item (UDI)
Transformation Procedures (TPs)
Integrity Verification Procedures (IVPs)

Question 20

What is the Constrained Data Item (CDI) of the Clark-Wilson Model?

Answer 20

This refers to the data type whose integrity we want to preserve

Question 21

What is the Unconstrained Data Item (UDI) of the Clark-Wilson Model?

Answer 21

This refers to all data types beyond CDI, such as user and system input

Question 22

What is the Transformation Procedures (TPs) of the Clark-Wilson Model?

Answer 22

These procedures are programmed operations, such as read and write, and should maintain the integrity of CDIs

Question 23

What is the Integrity Verification Procedures (IVPs) of the Clark-Wilson Model?

Answer 23

These procedures check and ensure the validity of CDIs

Question 24

What does Defence-in-Depth refer to?

Answer 24

It refers to creating a security system of multiple levels

It is also called Multi-Level Security

Question 25

What are the five Architectural principles of ISO/IEC 19249?

Answer 25

Domain Separation Layering Encapsulation Redundancy Virtulization

Question 26

What are the five Design principles of ISO/IEC 19249?

Answer 26

Least Privilege Attack Surface Minimisation Centralized Parameter Validation Centralized General Security Services Preparing for Error and Exception Handling

Question 27

What is Trust But Verify?

Answer 27

This principle teaches us that we should always verify even if we trust an entity and it's behavior, an entity being a user or system.

Question 28

What is Zero Trust?

Answer 28

This principle treats trust as a vulnerability, and after considering it as such, zero trust tries to eliminate it. It indirectly teaches, "never trust, always verfy". In other words, every entity is considered adversarial until proven otherwise.

Question 29

What is a Vulnerability?

Answer 29

Vulnerable means susceptible to attack or damage. In information security, a vulnerability is a weakness

Question 30

What is Risk?

Answer 30

The risk is concerned with the likelihood of a threat actor exploiting a vulnerability and the consequent impact on the business

Question 31

What is Threat?

Answer 31

A threat is a potential danger associated with this weakness or vulnerability