40 Cards in this Set

  • Front
  • Back
Name some perimeter defenses.
Firewalls,
Demilitarized zones (DMZ),
Bastion hosts
Why are perimeter defenses absolutely necessary and critical?
With globalization and the changing landscape in the way we do business today, there is a need to allow access to our internal systems and applications; the boundaries that demarcated our internal systems and applications from the external ones are slowly thinning and vanishing.
Name some primary reasons as to why there is a prevalence of insecure SW.
Iron Triangle Constraints,
Security as an Afterthought,
Security vs. Usability
What are the three components of the Iron Triangle?
Scope (resources),
Budget (cost),
Schedule (time)
What do the Iron Triangle constraints tell us in the context of SW security?
SW development in and of itself is a resource, schedule (time) and budget intensive process. Adding the need to incorporate security into the software is seen as having the need to do ‘more’ with what is already deemed ‘less’ or insufficient.

Constraints in scope, schedule and budget, the components of the Iron Triangle, are often the reasons why security requirements are left out of the sw.

If the sw development project’s scope, schedule (time), and budget are very rigidly defined, it gives little to no room to incorporate even the basics of sw security.
Why do developers and management tend to think that security does not add any business value?
It is hard to show a one to one return of security investment.
What do the Iron Triangle constraints often lead to?
They lead to add-on security, wherein security is bolted on and not bolted in the sw.
Why is it important to build security into the software and not onto it?
It has been proven that the cost to fix insecure sw earlier in the sw development life cycle (SDLC) is insignificant when compared to having the same issue addressed at a later stage of the SDLC.
What is meant by Security vs. Usability?
The incorporation of secure features is viewed as rendering the software very complex, restrictive and unusable.

This is true if the sw design does not factor in the concept known as psychological acceptability. SW security must be balanced with usability and performance.
True or False. Quality means Security?
No. Quality assurance checks are indicative of the fact that the sw is reliable (functioning as designed) and that it is functional (meets the requirements as specified by the business owner).

A software product that is secure will add to the quality of that software but the inverse is not always necessarily true.
What are the Core Security Concepts?
Confidentiality,
Integrity,
Availability,
Authentication,
Authorization,
Accountability (Logging/Auditing)
What are the Design Security Concepts?
Least Privilege,
Separation of Duties,
Defense in Depth,
Fail Secure,
Economy of Mechanism,
Complete Mediation,
Open Design,
Least Common Mechanism,
Psychological Acceptability,
Weakest Link,
Leveraging Existing Components
Explain Confidentiality.
Confidentiality is the security concept that has to do with protection against unauthorized information disclosure.
Explain Integrity.
Integrity is the measure of software resiliency and it has to do with the alteration or modification of data and the reliable functioning of software.
Explain Availability.
Availability is the security concept that is related to the access of the software or the data or information it handles.
Why is the concept of Availability not only a business concept?
The overall purpose of a business continuity program (BCP) may be to ensure that downtime is minimized and that the impact upon business disruption is minimal.

But it is a software security concept as well. Access must take into account the “who” and “when” aspects of availability.
What question does the security concept Authentication answer?
Are you whom you claim to be?
With which factors can authentication be achieved?
Knowledge,
Ownership,
Characteristic
What is knowledge based authentication?
The identifying information provided in this mechanism for validation is something that one knows like username/password.
What is ownership based authentication?
The identifying information provided in this mechanism for validation is something that you own or have like a nonce (one time token) or a smartcard.
What is characteristic based authentication?
The identifying information provided in this mechanism for validation is something you are. Fingerprints, iris patterns or your signature are examples.
What does multifactor authentication mean?
It is the use of more than one factor to authenticate.
What is Authorization?
Authorization is the security concept in which access to objects is controlled based on the rights and privileges that are granted to the requestor by the owner of the data or system or according to a policy.
True or False. Authorization decisions are layered on top of authentication and must never precede authentication.
True. You do not authorize before you authenticate, unless your business requirements require you to give access to anonymous users.
What is Auditing?
Auditing is the security concept in which privileged and critical business transactions are logged and tracked. It is a passive detective control mechanism.
What audit fields must be included at a bare minimum for all administrative (privilege) or critical transactions as defined by the business?
Who (the subject which may be a user or process) did
what (operations such as create, read, update, delete etc.),
where (the object on which the operation is performed such as a file or table) and
when (timestamp of the operation) along
with a before and after snapshot of the information that was changed must be logged for all administrative (privilege) or critical transactions as defined by the business.
How can accountability to ensure non-repudiation be accomplished?
Accountability to ensure non-repudiation can be accomplished by auditing when used in conjunction with identification.
Why can Auditing be a deterrent control?
The foreknowledge of being audited could potentially deter a user from taking unauthorized actions.
True or False. Auditing is a passive detective control?
True
Which challenges does auditing pose?
Performance impact,
Information overload,
Capacity limitation,
Configuration interfaces protection,
Audit log protection
What does Least Privilege mean?
It is a security principle in which a person or process is given only the minimum level of access rights (privileges) that is necessary for that person or process to complete an assigned operation. This right must be given only for a minimum amount of time that is necessary to complete the operation.
What does the Separation of Duties (or) Compartmentalization Principle mean?
It is a security principle which states that the successful completion of a single task is dependent upon two or more conditions that need to be met and just one of the conditions will be insufficient in completing the task by itself.
What does Defense in Depth (or) Layered Defense mean?
It is a security principle where single points of complete compromise are eliminated or mitigated by the incorporation of a series or multiple layers of security safeguards and risk-mitigation countermeasures.
What does Fail Secure mean?
It is a security principle that aims at maintaining confidentiality, integrity and availability by defaulting to a secure state and rapid recovery of software resiliency upon design or implementation failure. In the context of software security, fail secure is commonly used interchangeably with fail safe, which comes from physical security terminology.
What does Complete Mediation mean?
It is a security principle that ensures that authority is not circumvented in subsequent requests of an object by a subject, by checking for authorization (rights and privileges) upon every request for the object. In other words, the access requests by a subject for an object are completely mediated each time, every time.
What does Open Design mean?
The open design security principle states that the implementation details of the design should be independent of the design itself, which can remain open, unlike in the case of security by obscurity. The review of the design itself will not result in the compromise of the safeguards in the software.
What does Least Common Mechanisms mean?
It disallows the sharing of mechanisms that are common to more than one user or process if the users and processes are at different levels of privilege.
What does Psychological Acceptability mean?
It is a security principle that aims at maximizing the usage and adoption of the security functionality in the software by ensuring that the security functionality is easy to use and at the same time transparent to the user.
What does Weakest Link mean?
The Weakest Link security principle states that the resiliency of your software against hacker attempts will depend heavily on the protection of its weakest components.
What does Leveraging Existing Components mean?
The Leveraging Existing Components security principle focuses on ensuring that the attack surface is not increased and no new vulnerabilities are introduced by promoting the reuse of existing software components, code and functionality.