Chapter 1 Flashcards

(94 cards)

1
Q

Malware that constantly scans the Internet, searching for vulnerable computers.

A

Worm

2
Q

Another word for a cybercrime network

A

botnet

3
Q

Security decision-making falls into three categories:

A
  1. Rule-based decisions
  2. Relativistic decisions
  3. Requirements-based decisions
4
Q

These are made for us by external circumstances or established, widely accepted guidelines (example: car ignition locks).

A

Rule-based decisions

5
Q

These try to outdo others who are faced with similar security problems (example: the hunter’s dilemma).

A

Relativistic decisions

6
Q

These are based on a systematic analysis of the security situation (example: the risk management framework).

A

Requirements-based decisions

7
Q

Both rule-based and relativistic decisions often arise from _______, which identify various security controls one might use

A

security checklists

8
Q

A way to assess cybersecurity risks when developing large-scale computer systems

A

Risk Management Framework

9
Q

Six steps in the Risk Management Framework:

A
  1. Establish system and security goals
  2. Select security controls
  3. Implement security controls
  4. Assess security controls
  5. Authorize the information system
  6. Monitor security controls
10
Q

Proprietor’s Risk Management Framework (PRMF) steps:

A
  1. Establish system and security goals
  2. Select security controls
  3. Validate the information system
  4. Monitor security controls
11
Q

System engineering process:

A
  1. Planning - early phases lay out the project’s expectations and requirements
  2. Trade-off analysis - early phases compare alternative solutions against the project’s requirements to ensure the best outcome
  3. Verification - later phases verify that the implemented system meets requirements established in earlier phases
  4. Iteration - if a later phase detects a problem with the results of earlier phases, then revisit the earlier phases to correct the problem
12
Q

A process based on the Continuous Improvement principle never ends at the final step. Instead, any step in the process may suggest a change that will improve the result. To implement the change, we return to earlier steps in the cycle. Once we make the change, we continue the process.

A

Continuous Improvement

13
Q

The RMF begins with a high-level estimate of the impact caused by cybersecurity failures. This is called the ___________.

A

security category

14
Q

Three general security properties:

A
  1. Confidentiality - The organization is obliged to keep some information confidential
  2. Integrity - Computer systems misbehave or fail entirely if programs or data suffer undesired or unintended modifications
  3. Availability - Computer systems support the enterprise’s ongoing operations
15
Q

Four-point scale that indicates the potential impact for each property:

A
  1. Not applicable
  2. Low impact
  3. Moderate impact
  4. High impact
16
Q

We express the SC in terms of a particular type of information or system, indicated below by name:

A

SC name = {(confidentiality, impact), (integrity, impact), (availability, impact)}

17
Q

Amawig’s website provides publicity for company products and describes the company in general. Everything it provides is public information. The website is not the only way to get access to Amawig products; in fact, a potential customer needs to go to a distributor or retailer to buy products in any case. Assess the three security properties:

A
  1. Confidentiality: Not applicable, since all information is public.
  2. Integrity: Low, since a site outage will not prevent customer sales.
  3. Availability: Also low, since a site outage doesn’t prevent customer sales
18
Q

Not all websites pose such a small risk. Let us reconsider the risks after Amawig expands its business. As part of a new product introduction, Amawig has decided to offer the product directly to customers via a new website and not sell it through distributors. The new sales site represents the only way to purchase that product. After six months, the new product represents a small, but significant, source of revenue. We need to reassess the three security properties:

A
  1. Confidentiality: Moderate, since the website handles some electronic payment information from customers.
  2. Integrity: Moderate, since the website handles some electronic payment information from customers, it specifies product prices, and it directs product shipments.
  3. Availability: Moderate, since an interruption would visibly affect sales, but would not cause long-term damage to the company
19
Q

A list of security requirements is called a

A

security policy

20
Q

Risk assessment detailed steps:

A
  1. Identifying risks
  2. Prioritizing risks
  3. Establish requirements
21
Q

someone who is motivated to attack our assets

A

threat agent

22
Q

an attempt by a threat agent to exploit the assets without permission

A

attack

23
Q

We call a threat agent an ____ when action replaces inclination and the attack actually takes place.

A

attacker

24
Q

a weakness in the boundary that protects the assets from the threat agents

A

vulnerability

25
a security measure intended to protect the asset
defense
26
one that is no longer safe to use following an attack
compromised system
27
a collection of compromised systems controlled remotely by the attacker
botnet
28
a person who uses an attack developed by another party to attack computers. The attack may be implemented using a "scripting language," so the attacker literally executes the script to attack the computer
script kiddy
29
a person who has learned specific attacks on computer systems and can use those specific attacks. They don't necessarily have the technical knowledge to modify the attacks and apply them to different types of targets
cracker
30
a person who attacks telephone systems, usually to make long distance and international calls for free
phone phreak
31
nicknamed "Captain Crunch"; a notorious phone phreak in the early 1970s
John Draper
32
a person with a high degree of knowledge and skill with computing systems, including the ability to attack them if so motivated.
hacker
33
the term hacker arose at _______
Massachusetts Institute of Technology (MIT) in the 1950s
34
a person skilled in attacking computer systems, who uses those skills to attack a system.
black-hat hacker
35
became notorious for both phone phreaking and computer break-ins
Kevin Mitnick
36
a person skilled in attacking computer systems, who uses those skills as a security expert to help protect systems
white-hat hacker
37
a security architecture study that focuses on security requirements and implementation
security plan
38
when we establish boundaries and doorways to address an information security problem, we produce an:
information security architecture
39
Such an architecture often relies on boundaries inside the computer to protect important information and programs from error-prone or malicious programs
information security architecture
40
features of a human threat agent:
  1. driven by a specific mission and/or specific goals
  2. interested in your assets and/or activities
  3. has a distinct level of motivation
  4. has an established modus operandi (MO) at some level
  5. makes strategic decisions based on costs and benefits
41
these threat agents are usually a loosely organized source of widespread attacks. Selected targets often reflect outrage at a political, social, or cultural phenomenon.
hacktivists
42
these threat agents serve to forward the interests of particular nations
nation-level competitors
43
these are the traditional spies, people who collect information on behalf of competing countries
intelligence agents
44
people and organizations who use remote sensing, surveillance, and intercepted communications to spy on other countries
technical collectors
45
groups who use military force on behalf of a nation
military actors
46
people often interact with a broad range of others through their normal activities, and some of these people may be threat agents
business and personal associates
47
people who are competing against us for some limited resource: a job, sales prospects, or other things
competitors
48
people we know who would be willing to do us harm for their own benefit
malicious acquaintances
49
people who have physical access to our private living or working space
maintenance crew
50
actions of the natural environment may cause damage or loss, like severe weather or earthquakes
natural threats
51
people who have administrative access to our computing resources.
administrators
52
five-level scale based on the risk levels in NIST's RMF
  1. Unmotivated
  2. Scant motivation
  3. Stealth motivation
  4. Low motivation
  5. Moderate motivation
  6. High motivation
53
Four major elements of the threat agent:
  1. goals
  2. typical MO
  3. level of motivation
  4. capabilities and logical constraints
54
two integrity attacks
forgery and masquerade
55
difference between forgery and masquerade
In forgery, the attacker constructs or modifies a message that directs the computer’s behavior. In a masquerade, the attacker takes on the identity of a legitimate computer user, and the computer treats the attacker’s behavior as if performed by the user
56
difference between a passive and an active attack
A passive attack simply collects information without modifying the cyber system under attack. Disclosure is the classic passive attack. An active attack either injects new information into the system or modifies information already there
57
the computing resource itself is physically removed
physical theft
58
the use of computing data or services is lost temporarily or permanently, without damage to the physical hardware
denial of service
59
a program is modified to operate on behalf of a threat agent
subversion
60
a person takes on the identity of another when using a computer
masquerade
61
data that should be kept confidential is disclosed. This is the classic passive attack
disclosure
62
someone composes a bogus message and sends it to a computer
forgery
63
types of attacks
  1. physical theft
  2. denial of service
  3. subversion
  4. masquerade
  5. disclosure
  6. forgery
64
  - keeping information secret
  - avoiding disclosure vulnerabilities
confidentiality
65
  - protecting information from improper changes
  - avoiding forgery, subversion, and masquerade attacks
integrity
66
  - keeping systems available and in operation
  - avoiding denial of service
availability
67
Types of Decision-Making Strategies
  1. Relativistic decisions
  2. Requirements-based decisions
  3. Rule-based decisions
68
Describe the three strategies people often use to make security decisions.
  1. Rule-based decisions - Decisions made by external circumstances or established guidelines
  2. Relativistic decisions - Decisions made to try and outdo others with similar security problems
  3. Requirements-based decisions - Decisions based on a systematic analysis of the security situation
69
What's the hunter's dilemma?
A decision made in an attempt to one-up another "hunter," to try and be "harder to catch than your neighbor."
70
Explain reasoned paranoia.
Plays a role in the security process by making reasonable assumptions of possible security risks, and acting on these assumptions
71
Describe the six steps in NIST's risk management framework. (es-sel-iym-ass-au-mon)
  1. Establish system and security goals
  2. Select security controls
  3. Implement security controls
  4. Assess security controls — verify if working
  5. Authorize the information system — approve and deploy
  6. Monitor security controls, and address issues
72
Describe the four steps in the proprietor's risk management framework.
  1. Establish system and security goals — find the system's goals, security risks, and requirements.
  2. Select security controls — find existing controls and add new ones as needed, then construct the system containing the controls
  3. Validate the information system — verify that it works as needed, then deploy it
  4. Monitor security controls — watch for issues and address them
73
How do the risk management frameworks compare to continuous quality improvement?
They are similar in the sense that the risk management frameworks will always find ways to improve themselves, since it is a constant cycle of deploying the security control and addressing issues identified over time.
74
What is the difference between requirements and controls in the security process?
Requirements reveal the risks, controls counter the risks.
75
Describe the relationship between assets, boundaries, threat agents, vulnerabilities, attacks and defenses.
These concepts make up the elements of identifying risks. Assets are items owned by an establishment, the boundaries are what protect these assets. Threat agents carry out attacks, and are ideally countered by defenses.
76
Explain "least privilege."
A restriction on what each person may do to the asset.
77
What four things do we assess when looking at boundaries?
  1. How a threat may breach the boundary
  2. How to control the doorways to exclude threat agents
  3. How a threat agent can pass through the doorway
  4. Trustworthiness of those allowed inside the boundary
78
Describe the three security properties of information. (CIA)
  - Confidentiality — Some information must be kept secret
  - Integrity — Should a computer fail, how much information is still retained?
  - Availability — How bad is the impact while the system is not available?
79
Explain the significant features we see in threat agents. (5)
  - Driven by a mission
  - Wants the assets
  - Is highly motivated
  - Has an established MO, or modus operandi
  - Makes cost- and benefit-based decisions
80
Summarize the levels of motivation with which we assess threat agents. (6)
  - Unmotivated — no harm intended
  - Scant motivation — limited skills and mild motivation
  - Stealth motivation — skilled and exploits the system
  - Low motivation — will do harm that does limited damage to assets
  - Moderate motivation — will do harm and will do significant damage to assets
  - High motivation — will cause critical harm to achieve goals
81
Describe the six general types of attacks on information. Which are passive attacks and which are active?
  - Physical theft — is active and involves the asset being physically taken
  - Denial of service — is active and temporarily or permanently cuts computing services
  - Subversion — is active and involves a program that gives the threat agent control of the system
  - Masquerade — is passive and involves the threat agent pretending to be a user of the system
  - Disclosure — is passive and involves disclosure of secret information
  - Forgery — is passive and involves a false message being sent to a computer
82
Explain the purpose and use of an attack matrix.
An attack matrix is a table that lists a specific set of possible attacks, and helps you identify who could be motivated to do those attacks. The list of attacks must be realistic and relevant. A risk matrix helps one focus on relevant attacks, and disregards attacks that don't apply to the type of assets one has.
83
Explain the process for comparing the relative significance of different risks.
Relative significance is calculated with this formula: Impact * Likelihood = RS, where impact = cost of the asset and likelihood = how often an attack is done
84
List the five properties of a good security policy statement.
  - Each statement is numbered
  - Each statement begins with "shall"
  - Implementation has to be tested for relevance
  - Each statement identifies which risk it prioritizes
  - Statements are positive and specific
85
Briefly describe the process for constructing a list of requirements from a list of assets, threat agents, and risks.
To construct a list of requirements, one has to start with a prioritized list of risks, which will involve its own set of threat agents and types of attacks on assets.
86
Summarize the recommended ethical steps a security analyst takes when performing a security assessment. (3)
  - Analyst needs written authorization from the organization
  - Analyst needs correct tools to do the assessment
  - Analyst must collect results and report them to the right people
87
Summarize the recommended process for disclosing a security vulnerability. (4)
  - Legal restrictions
  - National security information
  - Nondisclosure agreements
  - Codes of conduct
88
Vulnerability that has not been disclosed to the public.
Zero-day Vulnerability
89
Goals of a threat agent
  - News coverage
  - Financial gain
  - Ideological victory
  - Regime change?
90
Categories of threat agents
  - Individuals and petty criminals
  - Criminal organizations
91
Defense in depth
Improving security by providing layers of defense
92
Basic principles of information security
  1. Continuous improvement
  2. Least privilege
  3. Defense in depth
93
Examples of threat agents
  - shoplifters
  - malicious employees
  - thieves
  - identity thieves
  - botnet operators
94
Writing a requirement
  1. Number each requirement
  2. Use the word "shall"
  3. Each requirement should be testable
  4. Each statement identifies the risks it addresses
  5. Phrase the requirement in a positive and specific form