Term
What does OODA stand for? |
|
Definition
1. Observation 2. Orientation 3. Decision 4. Action |
|
|
Term
What happens during the observation stage? |
|
Definition
Outside information (inputs) comes into the system. |
|
|
Term
What happens during the orientation stage? |
|
Definition
Inputs are correlated with experience, traditions, other inputs, and other embedded information. |
|
|
Term
What happens during the decision stage? |
|
Definition
Observations and information taken from the orientation stage are arranged into if --> then statements in order to make decisions. |
|
|
Term
What happens during the action stage? |
|
Definition
|
|
Term
|
Definition
A concept that considers different and possibly conflicting security requirements of different parties and strives to balance these requirements. |
|
|
Term
What is the main security triad? |
|
Definition
1. Detect 2. Delay 3. Response |
|
|
Term
What is the core principle of defense in depth? |
|
Definition
Provide multiple independent safeguards on every attack path. |
|
|
Term
What does it mean to have balanced protection? |
|
Definition
All attack paths should be covered equally. |
|
|
Term
What does it mean to have graded protection? |
|
Definition
Attack paths are protected in a way commensurate with their importance, or consequence of loss. |
|
|
Term
What are four examples of Security Collaborators and Decision-makers? |
|
Definition
1. Senior managers 2. Designers and developers 3. Administrators 4. Security team members |
|
|
Term
User communities are separated by what? |
|
Definition
Distinct use cases. Note: Trust assumptions should always be questioned. |
|
|
Term
What are the two options for a security response? |
|
Definition
1. Deterrence: rendering the target unattractive. 2. Defeat: resisting and neutralizing the adversary. |
|
|
Term
What are five ways of managing security risk? |
|
Definition
1. Avoidance: remove the target of attack from the physical location. 2. Reduction: reduce the attractiveness of the target. 3. Spreading: employ defer and delay mechanisms to reduce access to the whole target at once. 4. Transfer: insure the target or otherwise share loss liability. 5. Acceptance |
|
|
Term
Intrusion Containment (Principle) |
|
Definition
If the presence of the perpetrator is obvious, then make it difficult to escape. |
|
|
Term
What are the four main considerations of security policy? |
|
Definition
1. Enforcement 2. Ease of communication 3. Available when needed 4. Comprehensiveness |
|
|
Term
Security requirements should have which two main qualities? |
|
Definition
Meaningful and measurable |
|
|
Term
|
Definition
A distinct operating state during which a set of system functions are performed to a given degree. |
|
|
Term
What are three common system modes? |
|
Definition
1. Fully operational. 2. Maintenance 3. Failure |
|
|
Term
|
Definition
A static snapshot of the variables needed to fully describe the system's capability to perform system functions. Note: The variables do not change, just the values of the variables. |
|
|
Term
What are the four main parts of a system function? |
|
Definition
1. Inputs 2. Outputs 3. Activation (triggers) 4. Exit criteria |
|
|
Term
An alternative design solution should be modeled to what level of detail? |
|
Definition
A level of detail that permits comparison against the specifications expressed in the system requirements and the performance, costs, time scales (including time to market/deployment), and risks expressed in the stakeholder requirements. |
|
|
Term
What should a Pugh matrix contain? |
|
Definition
1. System alternative designs. 2. User/customer requirements 3. "-", "S", "+" |
|
|
Term
Is there an ultimately right solution to the problem of system security? |
|
Definition
No. It is a planning problem of wicked proportion, and there is merely a goal of situational improvement for which the planner has solemn accountability. |
|
|