
INFORMATION SECURITY (CS9224) TWO MARKS

UNIT: I

1. Define information security.

It is a well-informed sense of assurance that the information risks and controls are in balance.

2. What is security?
Security is the quality or state of being secure, that is, to be free from danger.

3. What are the basic components of computer security?
a. Confidentiality - keeping data and resources hidden
b. Integrity - data integrity (integrity) and origin integrity (authentication)
c. Availability - enabling access to data and resources

4. What is confidentiality?
Confidentiality is the concealment of information or resources. The need for keeping information secret arises from the use of computers in sensitive fields such as government and industry. For example, military and civilian institutions in the government often restrict access to information to those who need that information.

5. What is integrity?
Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of preventing improper or unauthorized change. It includes data integrity (the content of the information) and origin integrity (the source of the data, often called authentication). For example, a newspaper prints information exactly as received (preserving data integrity) but attributes it to the wrong source (corrupting origin integrity).

6. What is availability?
Availability refers to the ability to use the information or resource desired. Availability is an important aspect of reliability as well as of system design, because an unavailable system is at least as bad as no system at all. For example, a bank's secondary system server.

7. What is a threat?
A threat is a potential violation of security. The violation need not actually occur for there to be a threat.

8. What is an attack?
The fact that the violation might occur means that those actions that could cause it to occur must be guarded against. Those actions are called attacks.

9. What are the different broad classes of threats?
1. Disclosure - snooping
2. Deception - modification, spoofing, repudiation of origin, denial of receipt
3. Disruption - modification
4. Usurpation - modification, spoofing, delay, denial of service

10. What do you mean by snooping?
Snooping, the unauthorized interception of information, is a form of disclosure. It is a technique used to gain unauthorized access to computers. It is passive, suggesting simply that some entity is listening to communications.

11. Distinguish between policy and mechanism.
Policy: a statement of what is, and what is not, allowed.
Mechanism: a method, tool or procedure for enforcing a security policy.

12. What are the goals of security?
1. Prevention: it means that an attack will fail.
2. Detection: it is most useful when an attack cannot be prevented, but it can also indicate the effectiveness of preventative measures.
3. Recovery: to stop an attack and to assess and repair any damage caused by that attack; the system continues to function correctly while an attack is underway.

13. Define assurance.
System specification, design, and implementation can provide a basis for determining how much to trust a system. This aspect of trust is called assurance.

14. What are the operational issues?
1. Cost-benefit analysis
2. Risk analysis
3. Laws and customs

15. What is cost-benefit analysis?
If the data or resources cost less, or are of less value, than their protection, adding security mechanisms and procedures is not cost effective, because the data or resources can be reconstructed more cheaply than the protection itself.

16. What are the human issues?
1. Organizational problems
2. People problems

17. What is protection state?
The state of the system is the collection of the current values of all memory locations, all secondary storage, and all registers and other components of the system. The subset of this collection that deals with protection is the protection state of the system.

18. What is an access control matrix model?
The simplest framework for describing a protection system is the access control matrix model, which describes the rights of users over files in a matrix.

19. What is the copy right, with an example?
The copy right allows the possessor to grant rights to another. This right is often considered a flag attached to other rights; it is known as the copy flag.
Eg: In Windows NT, the copy flag corresponds to the P (change permission) right.

20. What is the own right, with an example?
The own right is a special right that enables possessors to add or delete privileges for themselves. It also allows the possessors to grant rights to others, although to whom they can be granted may be system or implementation dependent.

21. What is a security policy?
A security policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or non-secure, states.

22. What is a secure system?
A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.

23. What are the types of security policies?
1. Military security policy
2. Commercial security policy
3. Transaction-oriented integrity security policy
4. Confidentiality security policy
5. Integrity policy

24. What are the types of access control?
1. Identity-based access control
2. Mandatory access control
3. Originator controlled access control

25. What is identity-based access control?
If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control, also called an identity-based access control.

26. What is mandatory access control?
When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control, occasionally called rule-based access control.

27. What is ORCON or ORGCON?
An originator controlled access control (ORCON or ORGCON) bases access on the creator of an object.

28. What is a policy language? What are the different types of policy languages?
A policy language is a language for representing a security policy.
Types:
1. High-level policy languages
2. Low-level policy languages

29. What is a high-level policy language?
A policy is independent of the mechanisms. It describes constraints placed on entities and actions in a system. A high-level policy language is an unambiguous expression of policy. Such precision requires a mathematical or programmatic formulation of policy.

30. What is a low-level policy language?
A low-level policy language is simply a set of inputs or arguments to commands that set, or check, constraints on a system. For example, the UNIX-based windowing system X11 provides a language for controlling access to the console.

31. What are the examples of academic computer security policies?
1. General university policy
2. Electronic mail policy

32. Explain security and precision.
Security and precision are defined in terms of the states of systems. From these definitions one can devise a generic procedure for developing a mechanism that is both secure and precise.

33. What is a confidentiality policy?
A confidentiality policy, also called an information flow policy, prevents the unauthorized disclosure of information. Unauthorized alteration of information is secondary.
For example:

34. What is the Bell-LaPadula Model?
The Bell-LaPadula Model corresponds to military-style classifications. It has influenced the development of many other models and indeed much of the development of computer security technologies.

35. What is tranquility?
The principle of tranquility states that subjects may not change their security levels once they have been instantiated.

36. What are the types of tranquility?
1. Strong tranquility: the security levels do not change during the lifetime of the system.
2. Weak tranquility: the security levels do not change in a way that violates the rules of a given security policy.

37. What is an integrity policy?
Integrity policies focus on integrity rather than confidentiality, because most commercial and industrial firms are more concerned with accuracy than disclosure.

38. What are the goals of integrity policies?
1. Users will not write their own programs, but will use existing production programs and databases.
2. Programmers will develop and test programs on a non-production system.
3. A special process must be followed to install a program from the development system onto the production system.
4. The special process in requirement 3 must be controlled and audited.
5. The managers and auditors must have access to both the system state and the system logs that are generated.

39. What is the Biba Integrity Model?
Biba studied the nature of the integrity of systems. He proposed three policies, one of which was the mathematical dual of the Bell-LaPadula Model.

40. What is the ring policy?
The ring policy ignores the issue of indirect modification and focuses on direct modification only. This solves the problems described above. The rules are as follows.
1. Any subject may read any object, regardless of integrity levels.
2. If s ∈ S reads o ∈ O, then i'(s) = min(i(s), i(o)), where i'(s) is the subject's integrity level after the read.
3. s1 ∈ S can execute s2 ∈ S if and only if i(s2) ≤ i(s1).

41. What is Biba's Model or the strict integrity policy?
This model is the dual of the Bell-LaPadula model, and is most commonly called Biba's model. Its rules are as follows.
1. s ∈ S can read o ∈ O if and only if i(s) ≤ i(o).
2. s ∈ S can write to o ∈ O if and only if i(o) ≤ i(s).
3. s1 ∈ S can execute s2 ∈ S if and only if i(s2) ≤ i(s1).

42. What is Lipner's Integrity Matrix Model?
Lipner returned to the Bell-LaPadula Model and combined it with the Biba model to create a model that conformed more accurately to the requirements of a commercial policy.

43. What is the Clark-Wilson Integrity Model?
David Clark and David Wilson developed an integrity model radically different from previous models. This model uses transactions as the basic operation, which models many commercial systems more realistically than previous models.

44. What is a patient?
A patient is the subject of medical records, or an agent for that person who can give consent for the person to be treated.

45. What is personal health information?
Personal health information is information about a patient's health or treatment enabling that patient to be identified.

46. What is originator controlled access control? Give an example.
Graubart developed a policy called ORGCON (for ORiginator CONtrolled) in which a subject can give another subject rights to an object only with the approval of the creator of that object.
For example, the Secretary of Defense of the United States drafts a proposed policy document and distributes it to her aides for comment. The aides are not allowed to distribute the document any further without permission from the Secretary. The Secretary controls dissemination; hence, the policy is ORCON. The trust in this policy is that the aides will not release the document illicitly, that is, without the permission of the Secretary.
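The integrity rules of questions 40 and 41 above, worked as an added Python example (not part of the original question bank): the strict integrity read/write/execute checks, and the min-based level downgrade after a read from question 40, rule 2. Subject and object names and their integer levels are constructed for illustration.

```python
from dataclasses import dataclass

# Integrity levels are plain integers: a higher number means more trusted.
# All names and levels below are constructed for this example.

@dataclass
class Subject:
    name: str
    level: int

@dataclass
class Obj:
    name: str
    level: int

def strict_read(s: Subject, o: Obj) -> bool:
    """Strict integrity rule 1: s may read o only if i(s) <= i(o) (no read down)."""
    return s.level <= o.level

def strict_write(s: Subject, o: Obj) -> bool:
    """Strict integrity rule 2: s may write o only if i(o) <= i(s) (no write up)."""
    return o.level <= s.level

def can_execute(s1: Subject, s2: Subject) -> bool:
    """Rule 3 of both policies: s1 may execute s2 only if i(s2) <= i(s1)."""
    return s2.level <= s1.level

def read_with_downgrade(s: Subject, o: Obj) -> int:
    """Question 40, rule 2: the read is always allowed, but afterwards
    i'(s) = min(i(s), i(o)), so a subject that reads low-integrity data
    loses the ability to write high-integrity objects from then on."""
    s.level = min(s.level, o.level)
    return s.level

def check_strict(requests, subjects, objects):
    """Evaluate (subject, op, object) requests under strict integrity and
    return (subject, op, object, allowed) tuples suitable for an audit log."""
    rules = {"read": strict_read, "write": strict_write}
    return [(s, op, o, rules[op](subjects[s], objects[o])) for s, op, o in requests]

if __name__ == "__main__":
    subjects = {"auditor": Subject("auditor", 3), "clerk": Subject("clerk", 1)}
    objects = {"ledger": Obj("ledger", 3), "scratch": Obj("scratch", 1)}
    reqs = [("clerk", "write", "ledger"), ("auditor", "read", "scratch"),
            ("auditor", "write", "scratch"), ("clerk", "read", "ledger")]
    for decision in check_strict(reqs, subjects, objects):
        print(decision)
```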

47. What is role-based access control? Give an example.
The ability, or need, to access information may depend on one's job functions.
For example, Allison is the bookkeeper for the Department of Mathematics. She is responsible for balancing the books and keeping track of all accounting for that department. She has access to all departmental accounts. She moves to the university's Office of Admissions to become the head accountant (with a substantial raise). Because she is no longer the bookkeeper for the Department of Mathematics, she no longer has access to those accounts. When that department hires Sally as its new bookkeeper, she will acquire full access to all those accounts. Access to the accounts is a function of the job of bookkeeper, and is not tied to any particular individual.
