620 Info, Privacy, Security

Front 1

Confidentiality (formal)

Back 1

X = set of entities I = information

I has the property of confidentiality with respect to X if no member of X can obtain information about I.

Front 2

Integrity (formal)

Back 2

X= set of entities I = info or resource

I has integrity property with respect to X if all members of X trust I.

Front 3

Availability (formal)

Back 3

X = set of entities. I = resource

I has availability property with respect to X if all members of X can access I.

Front 4

What is the commonality (relation) between privacy and security?

Back 4

Confidentiality

Front 5

Privacy

Back 5

Connected to user preference, customizable, user defined. What is privacy to one individual may not be to another (FB). Personal issue only.

If your personal privacy preferences are fulfilled than confidentiality is maintained at the level you choose.

Front 6

Integrity

Back 6

-Accuracy of information

-Trust for source

-policy protects data/source from modification

Front 7

What platform is Availability important to?

Back 7

Cloud computing

Front 8

Non-Repudiation

Back 8

Non-denial. Trust. Sender cannot deny that they sent something if it includes their digital signature or private key (identity)

Front 9

Security Policy

Back 9

Defines X and I

States set of rules--what/who is allowed/not allowed in a system

-to create, identify threats and define requirements to ensure a secure system

Front 10

Security Mechanisms

Back 10

Method, tool, or procedure that implement/enforces security policy

Ex. Firewall, blacklist, biometrics, passwords

Front 11

Threat / Threat Vector

Back 11

Probable risk of attack, probable path of attack (system vulnerability)

Front 12

Attack / Attack Vector

Back 12

Active exploitation of system vulnerability or weakness

Front 13

System States-what are they used for in security?

Back 13

Used to formulate security policy

Identify secure/insecure states to design policy

Front 14

3 solutions for Security policy Mechanisms

Back 14

Front 15

Security Mechanism Development

Back 15

Uses software development model:

1 Threat analysis

2 Specifications (security policy)

3 Design (development)

4 Implementation (execute design)

5 Operation (use of mechanism-important part of security-must be used to be effective)

Hint 15

Software development model

Front 16

What is a major security consideration?

Back 16

Human issues-

- customs, cultures, etc (privacy)

- Employee behavior

- Social engineering

- organization

Front 17

Cost-benefit analysis

Back 17

Is it more expensive to:

-prevent an attack

-recover from an attack

Determines how you approach security policy

Front 18

Risk Analysis

Back 18

Risk=chance

-Identify assets

-Determine chance assets could be compromised/attacked

-"should we protect? How strongly?"

Front 19

Chinese Wall Model

Back 19

A model of a security policy that refers equally to confidentiality and integrity.

-Used in situations that involve conflict of interest-- stock exchange, investment houses

-users can only have access to one dataset in a COI (conflict of interest) class

-uses notion of "past access" to reduce coi

Front 20

Confidentiality

Back 20

- the concealment of information or resources from unauthorized entities

- Security provides confidentiality preferences for privacy.

-Information that has had no unauthorized access (secure) is confidential.

-core of privacy

Front 21

PII

Back 21

Personally Identifiable Information

-data that provides identity to an entity.

-must be removed to provide privacy if data is to be shared

Front 22

Attacks on Integrity

Back 22

-IP spoofing (source integrity)

-

Front 23

Access Control Models

Back 23

DAC - discretionary access control

MAC - mandatory access control

RBAC - role-based access control

Front 24

Discretionary Access Control

Back 24

Discretion of user which resources should be accessed and by whom (ex . FB)

Front 25

Mandatory Access Control

Back 25

Not user dictated (even admin has no control)

ex. Operating System Access Control

Front 26

Role-based Access Control

Back 26

Identify all subjects and objects and group by roles to build a control matrix.

Each role has rights, individuals have roles (no individual rights)

Ex. FB "friends", "friends of friends"

Front 27

Multi Level Security Model

Back 27

Uses security levels to enforce access to information.

Top Secret

Secret

Confidential

Unclassified

Ex. Bell-Lapadula

Front 28

Crux of Integrity

Back 28

Trust

Front 29

Crux of confidentiality

Back 29

Access (disclosure)

Front 30

Bell-Lapadula

Back 30

Multi level security mechanism developed by DoD and used by gov't agencies.

Front 31

Security Levels

Back 31

Top Secret

Secret

Confidential

Unclassified

Front 32

Security Clearance

Back 32

Security levels relative to subjects

ex. An employee has secret clearance

Front 33

Security Label

Back 33

Security level relative to objects

ex. The document is top secret

Front 34

Why is Integrity Policy hard to enforce?

Back 34

Deals with trust, trust is not easy to assess or understand.

No way to prove 100% of the time that integrity has been maintained

Front 35

Quasi Identifier

Back 35

Not a direct identifier (PII), but info that can be linked together to identify someone.

Front 36

Authentication

Back 36

The mechanism of binding an identity to an entity/subject

A matching process--your claim to be someone is matched against a saved profile to gain access.

Front 37

Encryption

Back 37

Plaintext + key = ciphertext

-can be an authenticator-ownership of a key can prove identity

Front 38

What are the 3 Authentication Mechanisms?

Back 38

-what an entity knows (pswd-most widely used)

-what an entity has (key/token)

-what an entity is (biometric-fingerprint)

Hint 38

Knows

Front 39

Authorization

Back 39

The process of granting access.

Interchangeable with access control

ex. Guard at door is doing access control, person cleared by guard is authorized.

Front 40

Availability

Back 40

The ability to use the info or resource desired.

Front 41

Attacks on Availability

Back 41

Denial of service

Front 42

4 classes of threats

Back 42

Disclosure--passive threat (ex. snooping)

Deception--active (data modification/alteration, masquerading)

Disruption--

Usurpation--unauthorized control of part of a system

Front 43

Bell-Lapadula rule

Back 43

No read up, No write down

Formally:

Front 44

BIBA Integrity Model

Back 44

Consists of a set of subjects, set of objects and set of integrity levels.

Data at a higher level is more accurate/reliable than data at lower levels. Determines "trustworthiness".

Front 45

Subject (access control)

Back 45

Representation of an entity within a system

Active entity. Can do stuff with/to objects

Processes (admin, user,etc people are processes)

Front 46

Object (access control)

Back 46

Passive entity

Receives instructions

Files, docs, DBs

Front 47

What implements access control?

Back 47

Operating system

Front 48

Rights (access control)

Back 48

Allows you to perform certain actions

Read, write, execute, own, append

Subject has rights on objects

Object has NO rights on subject

Front 49

Access control matrix

Back 49

S = {s1, s2, s3,....sn} set of subjects

O = {o1,o2, o3,....on} set of objects

R={r1,r2,r3,....rn} set of rights

Set up in a matrix (grid)

Front 50

Protection State

Back 50

Index of an access control matrix. If state changes, this is a state transition.

Front 51

An example of the Confidentiality Property

Back 51

Class cheating policy

Front 52

How is an Authentication System Defined?

Back 52

Using the ACFLS quintuple

Front 53

Elements of Authentication system (ACFLS quintuple)

Back 53

A- type password at interface

C- pswd hash or clear text

F- function decides how to save info in system (hash, salt, clear text)

L- set of functions that establish or prove identity

S- registration, change/ del pswd, create new subject

Front 54

Password Verification (L and C from ACFLS)

Back 54

L (functions) checks for match against C (password hash or clear text)

L: if A == C (clear)

If F(A) == C (hash)

Verifies identity

Front 55

3 goals of Security

Back 55

1 prevention

2 detection

3 recovery

Front 56

Operational issues of security

Back 56

Cost-benefit analysis

Risk analysis

Front 57

Assurance

Back 57

Measure of how well the system meets security requirements

Done by following software development model

Front 58

States: 2 things to determine when formulating policy?

Back 58

What states are secure in the system?

What states are reachable in the system?

If Reachable > secure = insecure system

Front 59

Vulnerability

Back 59

A weakness in: software, system, whatever you are protecting.

Front 60

2 types of Password Attacks

Back 60

Online- entering guesses in real time

Offline- brute force using hash tables

Front 61

K- anonymity

Back 61

K anonymity will make one person indistinguishable from k-1 other people.

Hides the individual within a collection

Remove any info that makes an individual uniquely identifiable.

Front 62

Digital certificate

Back 62

used for machine authentication. (Since they don't have passwords!)

Used by browser to verify identity claim of a server.

Front 63

Certificate Authority

Back 63

Issues digital certificates.

Verisign

Front 64

What does a digital certificate include?

Back 64

Certificate authority signature

Expiration date

Public key

Front 65

How do we authenticate identity of a system?

Back 65

With digital certificates, authenticated by the client-agent (browser)

Front 66

What is Identity?

Back 66

A collection of claims (different attributes of you)

Strongly connected to representation

Front 67

What is Anonymity?

Back 67

Hiding claims to ensure privacy. Hiding identity.

Front 68

What is a Capabilities list?

Back 68

Conceptually like a row of an access control matrix. Each subject has set of pairs, each pair contains object and a set of rights for that object.

Front 69

Access control list (acl)

Back 69

Each column is stored with the object it represents. Each object has a set of pairs, each pair contains a suject and a set of rights.

Front 70

Pillars of Security

Back 70

Confidentiality

Integrity

Availability

Non-repudiation

Front 71

What Is the distinction between a military (govt) security policy and a commercial security policy?

Back 71

Military policy designed primarily to provide confidentiality

Commercial policy designed primarily to provide integrity.

Front 72

What are some rights?

Back 72

Read, write, execute, Append, own

Front 73

What are cookies?

Back 73

Key value pairs saved on your machine to make communication over the internet faster. Ex. Amazon shopping cart

Security hole

Front 74

Describe the crypto system as a quintuple

Back 74

M = set of plain text

C = set of cipher text

K = set of keys

E = set of encryption functions

E = M + K -> C

D = set of decryption functions

D = C + K -> M

Front 75

Name security components that can be achieved using asymmetric cryptography

Back 75

*Confidentiality--private key decryption means only authorized subject can access info

*Integrity--key encrypted data cannot be modified even if intercepted

*Non Repudiation--Private key can be used for identity. Owner of key used for encryption cannot deny message.

Front 76

What is security?

Back 76

The guarding of information; access control. Has many factors, requires fine balance

Front 77

Difference between privacy and security

Back 77

Preference. Privacy is based on preference of the user and what privacy means to them. Security has no focus on preference but only on guarding information based in requirements.