Topic 1 - Introduction Flashcards
(33 cards)
What is the formal definition of Security?
Security is the protection of assets.
What are the three main aspects of Security?
Prevention - Preventing access and damage to assets
Detection - Steps to detect the access or damage to assets
Recovery - Measures allowing people to recover from asset damage.
What is a Security Policy, and what does it outline?
It’s a concise document that explains the needs of the system in regards to security.
It outlines what should be protected and how it should be protected.
What does CIA stand for, and what do these areas mean?
Confidentiality, Integrity and Availability
Confidentiality - Prevention of unauthorised disclosure of information
Integrity - Prevention of unauthorised modification of information
Availability - Prevention of unauthorised withholding of information or resources
What are some examples of Confidentiality?
Medical records
Transfer of credit card details
What are some examples of Integrity?
Distributed bank transactions
Database records
What is Authenticity in the context of Computer Security?
Authenticity = Integrity + Freshness
Where Freshness represents the recency of data or messages, ensuring they are up to date and relevant at the time of use.
What are some examples of Availability?
Redundant power supplies
Firewall packet filtering
Backups of relevant data
What is Accountability in regards to Computer Security?
Users being held responsible for their actions
System should identify and authenticate users and ensure compliance
Audit trails must be kept
What is Non-repudiation in Computer Security?
Provides un-forgeable evidence that someone did something
Usually verified by a trusted third-party
What is the trade off between security and ease of use?
The easier the system is to use, the less security there is that’s been put in place - Interferes with working patterns
The more security in place, the harder it is to use - Increased resource demands.
What are some of the principles that good security design focuses on?
Focus of control
Complexity VS Assurance
Centralised or Decentralised Controls
Layered Security
What does ‘Focus of Control’ mean in Computer Security?
In a given application, should the focus of protection mechanisms be: Data, Operations or Users?
What does Complexity VS Assurance mean in Computer Security?
The discussion surrounding whether a company would prefer a simple approach with high assurance, or a feature-rich environment with less assurance?
What does ‘Decentralised Controls’ mean in Computer Security?
The discussion surrounding whether the definition and enforcement of security be performed by a central entity, or be left to individual components in a system?
What are the properties of the two choices made with Decentralised Controls?
Central Entity - Possible bottleneck
Distributed Solution - More efficient, but harder to manage
What are the 5 layers of Security? Specify the order of least secure to most secure
Applications
Services
OS
Kernel
Hardware
What are the two types of Cryptography that are focused on in Computer Security?
Symmetric - Both the encryption and decryption algorithms use the same key
Asymmetric - Uses a pair of keys: One public, one private
What are some of the main properties of Symmetric Cryptography?
Lightweight and Fast
Same key used to encrypt and decrypt data
Key management is difficult
What is an example of Symmetric Cryptography?
General communications
How does Symmetric Cryptography get implemented?
Implemented using block ciphers or stream ciphers
How do Stream Ciphers work?
Stream ciphers use an initial seed key to generate an infinite keystream of random looking bits
Message and keystream are then XOR’ed together to form a single stream of ciphertext.
What are some advantages of Stream Ciphers?
Encrypting long continuous streams, possibly of unknown length
Extremely fast with a low memory footprint, ideal for low-power devices
Can seek to any location in the stream
What are some disadvantages of Stream Ciphers?
Keystream must appear statistically random
Stream ciphers do not protect the ciphertext
