Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
76 Cards in this Set
- Front
- Back
|
Information Assurance
|
Making sure that valid information is only accessible to the right people and it's there when they ask for it.
|
|
|
Information Security
|
Protecting information form unauthorized disclosure or modification but not specifically about assuring all aspects of its accessibility
|
|
|
INFOSEC
|
AKA Information Systems Security - The protection of information systems (Electronic data systems are not the only place that information can be compromised)
|
|
|
Access
|
The ability to do something
|
|
|
Authorization
|
You are supposed to have access
|
|
|
Security Policy
|
Describes who is authorized which types of access to what
|
|
|
Mechanisms
|
Physical, electronic, and procedural means of enforcing a security policy
|
|
|
Security Architecture
|
Includes all mechanisms involved in enforcing a security policy
|
|
|
Attack
|
A deliberate attempt to circumvent some mechanism and violate a security policy
|
|
|
Vulnerability
|
Some aspect of the security architecture that my be subject to attack
|
|
|
Threat
|
A person or persons that might make an attempt to attack a system
|
|
|
Characterization of a threat
|
Knowledge / Skill of INFOSEC attacks in General and/or specific security architecture
Resources |
|
|
Name 3 Components of INFOSEC
|
COMPUSEC, Crypto, COMSEC
|
|
|
Informally define COMPUSEC
|
Security of information in computers
|
|
|
Formally define COMPUSEC
|
Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer.
|
|
|
Name 3 Types of attacks COMPUSEC deals with
|
Theft of Service (TOS)
Breach of Confidentiality (BOC) Denial of Service (DOS) |
|
|
Define TOS
|
Theft of Service - Unautorized use of computational resources; most often CPU time or disk storage space.
|
|
|
Define BOC
|
Breach of Confidentiality - unauthorized disclosure of information
|
|
|
Define DOS
|
Denial of Service - Prevention of valid discloser of valid information to valid users.
|
|
|
Name the two ends of the DOS spectrum
|
Coarse DOS
Subtle DOS |
|
|
Define Coarse DOS
|
Characterized by denying anybody access to anything
|
|
|
Define subtle DOS
|
surreptitiously altering of informatios; thus denying some valid user(s) valid information or expected service - Better catergorized in BOI
|
|
|
Defense against Breach of Integrity requires defense against:
|
Breach of confidentiality
|
|
|
Defense against Breach of Confidentiality requires defense against:
|
Breach of Integrity
|
|
|
Define BOI
|
Breach of Integrity
|
|
|
Define BOC
|
Breach of Confidentiality
|
|
|
Give an example of BOI
|
Unauthorized modification of a program
|
|
|
Give an example of BOC
|
Unauthorized disclosure of a system administrators password
|
|
|
What 2 other types of security does COMPUSEC depend on?
|
Physical Security
Personnel Security |
|
|
Define Objects
|
The data, including programs, on a computer to be protected from unauthorized access
|
|
|
Define Granularity
|
At which level is access going to be controlled
|
|
|
Give the levels of granularity
|
-Entire Computer system
-Entire Disk -A Folder -A File -A Record -A Field |
|
|
Define Subjects
|
Active entities that access objects
|
|
|
What 2 mechanisms are required for subjects?
|
-Identification
-Authentication |
|
|
Define Identification
|
Answers the question who are you?
|
|
|
Define Authentication
|
Answers the question of why should the system trust you saying who you say you are
|
|
|
Define Access Modes
|
A set of one or more operations that a system will grant or deny
|
|
|
Define Access Rights
|
The access modes authorized for a given subject or object
|
|
|
Define TCB
|
Trusted Computing Base - Consists of the software that is involved in enforcing the security policy
|
|
|
The TCB is only as trustworthy as:
|
it's least trustworthy part
|
|
|
What are the two key questions regarding the TCB
|
What does it take to make software trustworthy?
How much software must be Trusted? |
|
|
What are the 3 things make software trustworthy?
|
-Implementation is correct with respect to it's requirements
-Requirements are correct with respect to specified security properties -The executing software has not been modified since being proven that it is correct |
|
|
What proves software is correct with respect to its requirements?
|
- The software actually does what it is required to do
- The software must not do anything its not supposed to do |
|
|
Define Levels of Assurance
|
The degree to which one is confident that the requirements and code are correct with respect to desired properties
|
|
|
What is the Common Criteria?
|
US government developed international standard which spells out several discrete levels of assurance and what is necessary to achieve them.
|
|
|
What must the TCB contain?
|
All code that is involved in protecting objects from unauthorized modification or the TCB cannont rely on any code outside the TCB
|
|
|
Give the technical definition for a TCB
|
A closed or complete set of code that makes no references to any code outside the TCB
|
|
|
Name and describe the 2 components that allow for a high confirmation of assurance of a TCB.
|
Small - In size so that easily be verified for a reasonable amount of money.
Complete or closed - no other software is referenced in enforcing the security policy outside the TCB |
|
|
Why are consumer OS's low assurance?
|
- Their TCBs contain a large part if not all of the OS and what is is include isnt known with high assurance
-There is not a sufficient economic payoff for the extra work required to make it higher assurance. |
|
|
Security must be designed when?
|
From the beginning. Security can't be added in after the fact
|
|
|
What is the informal definition of COMSEC
|
Protection of information as it is being electronically transmitted from one place to another
|
|
|
What is the formal definition of COMSEC
|
Measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COmmunications security includes cryptosecuirty, transmission security, emissions security, and physical security of COMSEC material
|
|
|
Name the 4 components of COMSEC
|
- Cryptosecurity
- Emission Secuirty - Physical security - Transmission security |
|
|
Define cryptosecurity
|
Security that results from the provision of technically sound cryptosystems and their proper use
|
|
|
Define Emission secuirty
|
Protection resulting from all measures taken to deny unauthorized persons information of value which might be derived from intercept and analysis of compromising emanations from crypto-equipment, automated information systems, and telecommunications systems
|
|
|
Define physical security
|
The component of communications security that results from all physical measures necessary to safeguard classified equipment, material, and documents from access thereto or observation thereof by unauthorized persons
|
|
|
Define transmission security
|
Security that results from the applications of measures designed to protect transmissions from interception and exploitation by means other than cryptanalysis
|
|
|
Define cryptography
|
The art or science concerning the principles, means, and methods for rendering plain information unintelligible, and for restoring encrypted information to intelligible form
|
|
|
Define Plain Text
|
Original Information
|
|
|
Define Cipher Text
|
The unintelligible translation of plain text
|
|
|
Define Key
|
A secret tool; in digital systems, much like a password
|
|
|
Define cryptographic engine
|
a machine or program for combining the key and the plain text to produce cipher text or vice versa
|
|
|
Informally Define Emissions Security
|
Protection against electronic eavesdropping
|
|
|
Formally Define Emissions Security
|
Protection resulting from all measures taken to deny unauthorized persons information of value which might be derived from intercept and analysis of compromising emanations from crypto-equipment, automated information systems, and telecommunications systems
|
|
|
Name the two reasons EMSEC is important
|
Sometimes even the fact that a transmission is taking place is important info
No data is ALWAYS encrypted |
|
|
What is EMSEC heavily dependent upon?
|
Physical Secuirty
|
|
|
Informally Define Transmission Security
|
Pass a folded note by hand directly to its intended recipeint and it wont matter that it is encrypted
|
|
|
Formally define transmission security
|
A component of COMSEC resulting from the application of measures designed to protect transmissions from interception and exploitation by means other than cryptanalysis
|
|
|
Informally define network security
|
Security of information on networks
|
|
|
Formally define network security
|
Protection of networks and their services from unauthorized modifications, destruction or disclosure. It provides assurance the network performs its critical functions correctly and there are no harmful side-effects
|
|
|
Informally Define OPSEC
|
We can tell something is up at the white house by keeping track of the number of pizzas delivered after midnight
|
|
|
Formally define OPSEC
|
The process denying to potential adversaries information about capabilities and or intentions by indentifying, controlling and protecting generally unclassified evidence of the planning and execution of sensitive activities
|
|
|
Informally Define physical security
|
Keeping the bad guys out of places they are not supposed to be
|
|
|
Formally define physical security
|
The physical measures necessary to safeguard equipment, material, and documents from access thereto or observation thereof by unauthorized persons
|
|
|
Informaly define personnel security
|
not hiring bad guys and keeping good guys from becoming bad guys
|
|
|
Formally define personnel security
|
The ongoing screening, selection, management and evaluation of people with security clearances, sensitive positions and or special access
|
