Computer Security Ch 1

The flashcards below were created by user mjweston on FreezingBlue Flashcards.

  1. Computer Security
    the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources
  2. data confidentiality
    assures that private or confidential information is not made available or disclosed to unauthorized individuals
  3. privacy
    assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed
  4. data integrity
    assures that information and programs are changed only in a specified and authorized manner
  5. system integrity
    assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
  6. data confidentiality
    two concepts of confidentiality
  7. data integrity
    system integrity
    two concepts of integrity
  8. Confidentiality
    three key objectives that are at the heart of computer security
  9. availability
    assures that systems work promptly and service is not denied to authorized users
  10. confidentiality
    preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of this is the unauthorized disclosure of information.
  11. integrity
    guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of this is the unauthorized modification or destruction of information.
  12. availability
    ensuring timely and reliable access to and use of information. A loss of this is the disruption of access to or use of information or an information system.
  13. authenticity
    the property of being genuine and being able to be verified and trusted
  14. accountability
    the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity
  15. can be corrupted - does the wrong thing or gives wrong answers
    can become leaky - ex: someone who shouldn't have access gains access
    can become unavailable - using the system becomes impossible or impractical
    Three types of vulnerability
  16. threat
    a potential security harm to an asset
  17. attack
    a threat that is carried out, and if successful, leads to an undesirable violation of security or threat consequence
  18. threat agent or attacker
    agent carrying out the attack
  19. active attack
    an attempt to alter system resources or affect their operation
  20. passive attack
    an attempt to learn or make use of information from the system that does not affect system resources
  21. inside attack
    an attack initiated by an entity inside the security perimeter
  22. outside attack
    an attack initiated from outside the perimeter, by an unauthorized or illegitimate user of the system
  23. vulnerability
    a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy
  24. adversary (threat agent)
    an entity that attacks, or is a threat to, a system
  25. countermeasure
    an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, etc.
  26. risk
    an expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result
  27. security policy
    a set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources
  28. system resource (asset)
    data contained in an information system; or a service provided by a system; or a system capability, such as processing power or communication bandwidth; or an item of system equipment; or a facility that houses system operations and equipment
  29. unauthorized disclosure
    a circumstance or event whereby an entity gains access to data for which the entity is not authorized
  30. deception
    a circumstance or event that may result in an authorized entity receiving false data and believing it to be true
  31. disruption
    a circumstance or event that interrupts or prevents the correct operation of system services and functions
  32. usurpation
    a circumstance or event that results in control of system services or functions by an unauthorized entity
  33. exposure
    types of attacks that can result in unauthorized disclosure
  34. masquerade
    types of attacks that can result in deception
  35. incapacitation
    types of attacks that can result in disruption
  36. misappropriation
    types of attacks that can result in usurpation
  37. exposure
    sensitive data are directly released to an unauthorized entity
  38. interception
    an unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations
  39. inference
    a threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or by-products of communications
  40. intrusion
    an unauthorized entity gains access to sensitive data by circumventing a system's security protections
  41. masquerade
    an unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity
  42. falsification
    false data deceive an authorized entity
  43. repudiation
    an entity deceives another by falsely denying responsibility for an act - or a user either denies sending, receiving, or possessing the data
  44. incapacitation
    prevents or interrupts system operation by disabling a system component. ex: Trojan horses, viruses, or worms
  45. corruption
    undesirably alters system operation by adversely modifying system functions or data. an attack on system integrity
  46. obstruction
    a threat action that interrupts delivery of system services by hindering system operation. ex: interfere with communications or overload the system
  47. misappropriation
    an entity assumes unauthorized logical or physical control of a system resource. ex: theft of service, distributed denial of service attack
  48. misuse
    causes a system component to perform a function or service that is detrimental to system security. ex: a hacker gains access to a system and disables security functions
  49. release of message contents
    traffic analysis
    what are two types of passive attacks
  50. replay - capture of data and its retransmission to produce an unauthorized effect
    masquerade - one entity pretends to be another entity
    modification of messages - portion of a legitimate message is altered
    denial of service - prevents or inhibits the normal use or management of communications facilities
    four categories of active attacks
  51. access control
    limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise
  52. awareness and training
    ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and are trained to carry out their assigned information security-related duties and responsibilities
  53. contingency planning
    establish, maintain, and implement plans for emergency response, backup operations, and postdisaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations
  54. security attack
    any action that compromises the security of information owned by an organization
  55. security mechanism
    a mechanism that is designed to detect, prevent, or recover from a security attack
  56. security service
    a service that enhances the security of the data processing systems and the information transfers of an organization - intended to counter security attacks
  57. nonrepudiation
    provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication - ie: prevents either sender or receiver from denying a transmitted message
  58. peer entity authentication
    data origin authentication
    two types of authentication services
  59. peer entity authentication
    provides for the corroboration of the identity of a peer entity in an association - two entities are considered peer if they implement the same protocol in different systems
  60. data origin authentication
    provides for the corroboration of the source of a data unit
  61. access control
    the ability to limit and control the access to host systems and applications via communications links
  62. encipherment
    the use of mathematical algorithms to transform data into a form that is not readily intelligible (ex: encryption)
  63. digital signature
    data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery
  64. authentication exchange
    a mechanism intended to ensure the identity of an entity by means of information exchange
  65. traffic padding
    the insertion of bits into gaps in a data stream to frustrate traffic analysis attempts
  66. routing control
    enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected
  67. notarization
    the use of a trusted third party to assure certain properties of a data exchange
  68. specific security mechanisms
    may be incorporated into the appropriate protocol layer in order to provide some of the OSI security services
  69. pervasive security mechanisms
    mechanisms that are not specific to any particular OSI security service or protocol layer
  70. trusted functionality
    that which is perceived to be correct with respect to some criteria (ex: as established by a security policy)
  71. security label
    the marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource
  72. event detection
    detection of security-relevant events
  73. security audit trail
    data collected and potentially used to facilitate a security audit, which is an independent review and examination of system records and activities
  74. security recovery
    deals with requests from mechanisms, such as event handling and management functions, and takes recovery actions
  75. specification/policy - what is the security scheme supposed to do?
    implementation/mechanisms - how does it do it?
    correctness/assurance - does it really work?
    three aspects that a comprehensive security strategy involves
  76. prevention
    four security implementation courses of action
  77. assurance
    degree of confidence one has that the security measures work as intended to protect the system and the information it processes
  78. denial of service
    prevents or inhibits the normal use or management of communications facilities
Card Set:
Computer Security Ch 1
2013-09-17 18:06:17