1. Introduction Flashcards

1
Q

What does the acronym CIA stand for, and what do each of the words mean?

A

Confidentiality → Protection of sensitive information from unauthorized access or disclosure. It ensures that data or resources are accessible only to authorized individuals or entities.

Integrity → Pertains to maintaining the accuracy, consistency, and trustworthiness of data or resources. It involves preventing unauthorized or unintended modification, alteration, or destruction of information.

Availability → Relates to ensuring that data, systems, and resources are accessible and usable when needed. It involves protecting against disruptions, outages, or unauthorized denial of service to maintain continuous access to critical resources.

2
Q

What is the hierarchy of trust?

A

The hierarchy of trust refers to the levels or layers of trust within a system or network, where higher-level entities are considered more trustworthy than lower-level entities.

・Entities trust themselves and all layers of technology below them
・All other trust relations should be imposed by a higher-layer entity: a user, a systems manager or a cryptographic protocol

3
Q

Who is responsible for maintaining the trust relations in the hierarchy of trust?

A

The entities or individuals at the higher levels of the trust hierarchy are primarily responsible for maintaining trust relations.

However, in decentralized systems, trust is distributed among all participants, and they collectively contribute to maintaining trust in the system.

4
Q

How do the responsibilities of the system administrators and users differ from the responsibilities of the developers of hardware and software?

A

・System administrators are responsible for the day-to-day management and security of the system; users are responsible for adhering to security policies and practices.

・Developers are responsible for creating secure hardware and software components and addressing vulnerabilities in their designs.

5
Q

How is protection between processes on the same computer done?

A

Duty of OS, based on settings from admin & user

・File-systems with privileges
・Memory-mapping systems with privileges
・Scheduling of CPU resources
・Virtualization of peripherals

6
Q

How is protection between users on the same computer done?

A

Duty of OS, based on settings from admin & user

・Passwords
・Privileges (root user)
・File system with user privileges
・Separation of processes/apps
・Scheduling of resources (to avoid DoS)

7
Q

How is protection between OSs on the same h/w done?

A

Duty of hypervisor, based on settings from admin

・Privileges in shared file systems
・Virtually separate file systems
・Supported by protection between processes
・Scheduling of resources (to avoid DoS)

8
Q

How is protection in a networked environment done?

A

Duty of sys admin & user

・Firewalls that control what traffic is allowed through
・NATs that hide n/w addresses & n/w structure
・VPNs that logically divide a n/w into several n/ws with different privileges
・Cryptographic protocols (encryption) that help integrity & confidentiality
・Redundancy, scheduling & capacity to support availability

9
Q

Classification of malware based on how it runs/infects

A

・Virus
・Worms
・Trojan

10
Q

Virus

A

・Piece of code that inserts itself into an existing pgm & is executed whenever host pgm is executed
・Spread by inserting themselves into other executables
・Initial infection of the system is done through a pgm that only needs to run once, e.g. one that arrives through a link in an email

11
Q

Worm

A

・A complete pgm on its own & can execute independently of any other pgm
・Doesn’t need a host pgm (unlike virus)
・Strategies for spreading are different
・Can spread through a n/w by exploiting vulns in the OS, or arrive as attachments/links in email. Once clicked, the link may lead to a malicious website or automatically download & run the worm
・More visible

12
Q

What is a virus, and how does it differ from a trojan?

A

Virus:
・Malicious software that replicates itself and spreads from one computer to another.
・Attaches to files or programs and activates when they are executed.
・Can modify, delete files, disrupt system operations, and spread to other devices.
・Requires user action to initiate replication and spread.

Trojan:
・Malicious software that disguises itself as legitimate software or files.
・Does not replicate on its own.
・Relies on social engineering to trick users into executing or installing it.
・Can steal sensitive information, allow unauthorized access, or install additional malware.

Difference:
・Viruses replicate and spread, while Trojans do not.
・Viruses spread in stealth mode, Trojans do not
・Viruses attach to files/programs, Trojans disguise themselves.
・Viruses require user action to spread, Trojans rely on user deception.
・Both can cause significant harm to computer systems and networks.
・Finding a Trojan is easier than finding a virus

13
Q

Classification of malware based on intent

A

・Spyware
・Ransomware
・Bot
・Rootkit

14
Q

Spyware

A

・The task of spyware is to collect sensitive information from the system it resides on and transfer this information to the attacker.
・The information can be gathered by logging keystrokes on a keyboard, analysing the contents of documents on the system, or analysing the system itself in preparation for future attacks.

Malware designed to covertly gather information from a user’s device without their knowledge.
・Monitors and records activities such as keystrokes, browsing habits, and personal data.
・Often used for unauthorized surveillance, stealing sensitive information, or targeted advertising.
・May be installed through deceptive downloads, software vulnerabilities, or bundled with legitimate programs.
・Primarily focuses on unauthorized data collection and invasion of privacy.

15
Q

Ransomware

A

・As the name suggests, this is malware that puts the attacker in a position to require a ransom from the owner of the system.
・The most frequent way to do this is by rendering the system useless through encrypting vital information and requiring compensation for making it available again.

・Malware that encrypts files on a victim’s computer or network, rendering them inaccessible.
・Typically demands a ransom payment in exchange for the decryption key.
・Spreads through various methods like email attachments, infected websites, or malicious downloads.
・Focuses on financial gain by extorting victims for money.
・Can cause significant data loss and disruption to individuals and organizations.

16
Q

What is the difference between Ransomware and Spyware?

A

・Ransomware encrypts files and demands a ransom, while spyware covertly collects information.
・Ransomware aims for financial gain through extortion, while spyware focuses on unauthorized surveillance or data theft.
・Ransomware disrupts access to files, whereas spyware operates in the background without obvious signs.
・Ransomware spreads to encrypt files, while spyware often infiltrates systems through deceptive downloads or software vulnerabilities.
・Both can pose significant risks to individuals and organizations in terms of privacy, security, and financial loss.

17
Q

What is a Rootkit?

A

A set of techniques used to mask the presence of malware on a computer, usually through root or admin access to the system. Not malicious in itself, but usually used in malicious actions. Can be hard to detect since it can hide from anti-malware software.

18
Q

What is a DoS attack?

A

A DoS (Denial-of-Service) attack is a malicious attempt to disrupt or disable the functioning of a computer network, service, or website by overwhelming it with a flood of illegitimate requests or excessive traffic. This flood makes it difficult or impossible for legitimate users to access the targeted resource, effectively denying them the service.

19
Q

List the five functions of the Cybersecurity Framework of NIST, and explain each one of them.

A

Cyber Security seen from the point of the defender

Identify → Identify assets, valuables, risks, policies and strategies. Creates an understanding of what we have.
Protect → Educating the staff and putting protective technologies and safeguards in place, like firewalls, two-factor authentication, spam-filters etc.
Detect → Malware detection through specific processes and monitoring
Respond → Perform previously planned action to minimize the damage
Recover → Restore and recover the system to a previously secure and functioning state.

20
Q

Cyber Kill Chain

A

・The Cyber Kill Chain is a concept developed by Lockheed Martin that describes the stages of a typical cyber attack.
・Consists of seven stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objective.
・Reconnaissance: Gathering information about the target.
・Weaponization: Crafting and incorporating the attack into a deliverable form.
・Delivery: Transmitting the weaponized attack to the target.
・Exploitation: Exploiting vulnerabilities to gain unauthorized access.
・Installation: Establishing a persistent presence within the target’s system.
・Command and Control: Maintaining communication channels for remote control.
・Actions on Objective: Achieving the attacker’s goals, such as data exfiltration or system disruption.

21
Q

What is the difference between the Five Functions of the NIST framework and the Cyber Kill Chain?

A

・NIST for defenders, Cyber Kill Chain for attackers

・NIST Framework focuses on proactive risk management and improvement, whereas the Cyber Kill Chain emphasizes understanding the attacker’s methodology.
・NIST Framework’s five functions cover the full spectrum of cybersecurity practices, while the Cyber Kill Chain focuses on the stages of an attack from the attacker’s perspective.
・NIST Framework is a broader framework for cybersecurity governance, whereas the Cyber Kill Chain is more specific to understanding attack methodologies.
・Both are valuable in developing a comprehensive understanding of cybersecurity, with NIST Framework providing guidelines for proactive risk management, and the Cyber Kill Chain offering insights into the attacker’s tactics and techniques.

22
Q

7 elements of Cyber Kill Chain

A

・Reconnaissance
・Weaponization
・Delivery
・Exploitation
・Installation
・Command & control (C2)
・Action on objective

23
Q

List and describe the seven lectured elements of the Cyber Kill Chain.

A
24
Q

Information Security

A

・Physical & logical access controls
・Unauthorized or accidental modification, destruction, disclosure, loss or access (to automated or manual records and files)
・Loss, damage or misuse of information assets (h/w)

25
Q

NIST Framework

A

IP-DRR
・Identify
・Protect
・Detect
・Respond
・Recover

For defenders

26
Q

NIST Identify

A

・Identifying physical and software assets to establish an Asset Management program
・Identifying cybersecurity policies to define a Governance program
・Identifying a Risk Management Strategy for the organization

27
Q

NIST - Protect

A

Key point - Awareness

・Establishing Data Security protection to protect the confidentiality, integrity, and availability
・Managing Protective Technology to ensure the security and resilience of systems and assets
・Empowering staff within the organization through Awareness and Training

28
Q

NIST Detect

A

・Implementing Security Continuous Monitoring capabilities to monitor cybersecurity events
・Ensuring Anomalies and Events are detected, and their potential impact is understood
・Verifying the effectiveness of protective measures

29
Q

NIST Respond

A

・Ensuring Response Planning processes are executed during and after an incident
・Managing Communications during and after an event
・Analyzing effectiveness of response activities

30
Q

NIST Recover

A

・Ensuring the organization implements Recovery Planning processes and procedures
・Implementing improvements based on lessons learned
・Coordinating communications during recovery activities

31
Q

NIST

A

National Institute of Standards & Technology

(US Dept. of Commerce)