Security

0.0(0)
Studied by 0 people
call kaiCall Kai
learnLearn
examPractice Test
spaced repetitionSpaced Repetition
heart puzzleMatch
flashcardsFlashcards
GameKnowt Play
Card Sorting

1/33

encourage image

There's no tags or description

Looks like no tags are added yet.

Last updated 11:08 PM on 4/28/26
Name
Mastery
Learn
Test
Matching
Spaced
Call with Kai

No analytics yet

Send a link to your students to track their progress

34 Terms

1
New cards

CIA Triad

  • Confidentiality

    • Data Confidentiality

    • Privacy

  • Integrity

    • Data Integrity

    • System Integrity

  • Availability - Timely Services to Authorised Individuals

2
New cards

Extended CIA Triad

  • Confidentiality

  • Integrity

  • Availability

  • Authenticity

  • Accountability

3
New cards

Non-repudiation

Cannot deny a previous commitment (like a contract). Can be considered part of integrity.

4
New cards

Authenticity

Messages are valid and trusted

5
New cards

Accountability

Actions can be traced

6
New cards

Threat

Circumstance that can negatively affect an organisation/user, e.g.:

  • Unauthorised access

  • Unintended data disclosure/manipulation

  • Denial of Service (DoS)

7
New cards

Threat model

Collection of threats deemed important, which dictates a set of security requirements.

8
New cards

Asset

Valued resources in a system.

Can be system resources (hardware, software, data or network infrastructure) or human resources (trust, time, confidence).

9
New cards

Risk

A measure of extent to which an asset is threatened. Typically a function of the impact of the threat and its likelihood.

10
New cards

Adversary

An entity trying to circumvent security infrastructure.

11
New cards

Vulnerability

A system artefact that exposes user, data or system to a threat.

12
New cards

System Outcomes of a Vulnerability

  • Corrupted - Incorrect response or behaviour

  • Leaky - Information disclosed to unauthorised individuals

  • Unavailable - Fails to respond quickly or at all

13
New cards

Sources of vulnerabilities

  • Flaws in software/hardware

  • Flaws in design and requirements

  • Flawed policies or misconfigurations

  • System misuse

14
New cards

Types of vulnerabilities

  • Technological (weaknesses in protocol, OS, network equipment)

  • Configuration (User accounts, misconfigured/default internet or network equipment)

  • Security Policy (lack of a written policy, lack of authentication continuity, unapplied access controls, no recovery plan)

15
New cards

Countermeasure

A security control method used by asset owners to protect resources, reduce the likelihood of a threat, and reduce the consequences of the threat.

16
New cards

Security Policy

Set of criteria to provide to security services. It defines what the services should provide and enforce, and how they are implemented.

17
New cards

Participant

An expected system entity.

Includes hardware, agents (software), people, enterprises.

All parties need to be trusted.

18
New cards

Trust

The degree to which an entity/participant has freedom to behave in the system.

Permissions and obligations, described using a trust model.

19
New cards

Trust Model

Model to describe which participant is trusted for what actions in a certain environment.

20
New cards

Trust Boundary

A point in a system where the level of trust changes

21
New cards

Attack

Process to realise a threat. Can be passive or active, and originate from inside or outside.

22
New cards

Passive Attack

Attempting to learn or use information that doesn’t affect system resources, e.g. eavesdropping

23
New cards

Active Attack

Attempting to alter system resources or affect system operation, e.g. password guessing

24
New cards

Security Perimeter

The domain for which an organisation has administrative control

25
New cards

Attack Surface

Set of reachable and exploitable vulnerabilities of a system, e.g. open ports or employees.

26
New cards

Attack vector

The specific means by which an attack is enacted, e.g. key logger

27
New cards

Threat Consequences

  • Unauthorised Disclosure (vs Confidentiality)

  • Deception (vs Integrity)

  • Disruption (vs Availability)

  • Usurpation (vs system Integrity)

28
New cards

Unauthorised Disclosure (threat consequence)

Exposure, interception, inference or intrusion of sensitive information

29
New cards

Deception (threat consequence)

Masquerading as authorised entity, falsification of data, or repudiation

30
New cards

Disruption (threat consequence)

Incapacitation, corruption, or obstruction of a system or its resources/messages.

31
New cards

Usurpation (threat consequence)

Misappropriation of a service or unauthorised/misuse of a system.

32
New cards

Security Design Principles

Widely-regarded ideas that inform the design of security mechanisms

33
New cards

Saltzer and Schroeder Principles

Access Control:

  • Fail-safe defaults - zero-trust

  • Complete Mediation - every access is checked

  • Separation of Privilege - divide access rights among entities

  • Least Privilege

Other:

  • Economy of Mechanism - least code has least flaws

  • Open Design - allow scrutiny from experts

  • Least Common Mechanism - don’t share functions too much

  • Psychological Acceptance - security measures are transparent and user-friendly

34
New cards

Important Other Security Principles

  • Isolation - restrict critical resources, isolate files and processes

  • Modularity

  • Layering - defence in depth

  • Minimized trust surface - Users and components have zero trust between each other