Chapter 1 Introduction Flashcards
blackout
A long term interruption (outage) in electrical power availability.
McCumber cube CNSS
policy-education-technology
confidentiality-integrity-availability
storage-processing-transmission
host intrusion detection and prevention system (HIDPS)
alerts security administrators when a critical file is modified or deleted
weakness of CNSS
- omits discussion of the guidelines and policies that direct the implementation of controls.
- in the HIDPS example it concerns only the infosec community, not the other communities
CNSS main purpose is to identify infosec gaps.
CIA plus
privacy, identification, authentication, authorisation, accountability
measures for confidentiality
information classification, secure storage, application of security policies, education of info custodians and end users, cryptography (encryption)
measures for integrity
- checking the size, hash value or checksum of a file can help to see whether a virus or worm changed its integrity
- a low-voltage signal carrying a digital bit can cause data to be recorded incorrectly.
- during transmission, algorithms, hash values, and error-correcting codes ensure integrity.
Measures for availability
- availability when needed by authorised users, not for everyone.
- for a library, presenting identification can help the user see the collection in the appropriate language and formats.
measures for privacy
- information will be used only in ways approved by the provider.
- collecting and combining information from several different sources -> information aggregation
- Identification: user ID
- Authentication: secure ID, password
- Authorisation: access to creating, reading, writing, deleting
- Accountability: activity can be attributed to a person or automated process; audit logs
attack: an act
exploit: a technique
loss: a single instance
threat: has the potential
threat agent: the specific instance or a component of a threat
vulnerability: a potential weakness
threat vs attack
threat: always present; attack: exists only when a specific act may cause a loss.
example: the threat of a thunderstorm during summer is always present in some areas, but the attack and its potential risk of loss exist only for the duration of an actual thunderstorm.
prioritisation of threat
- based on the particular security situation
- organisational strategy regarding risk
- exposure level of asset
most common intellectual property breach
unlawful use or duplication of software
availability disruption
- internet service issues
- communication and other
- power irregularities:
1. blackout
2. brownout
3. fault
4. sag
5. spike
6. Surge
- internet service issues: an SLA can be used
- communication and other: water, trash pickup, gas, telephone…
- power irregularities: a UPS can be used (LT = long-term, ST = short-term)
- blackout: LT cut
- brownout: LT reduction
- fault: ST error
- sag: ST decrease, e.g. when turning on air conditioning
- spike: ST increase, e.g. when turning off air conditioning
- surge: LT increase, e.g. lightning
Espionage and Trespass
Advanced persistent threat (APT), competitive intelligence, industrial espionage, brute force password attack, dictionary password attack, rainbow table
penetration tester, expert hacker, professional hacker, novice hacker, packet monkey, script kiddie
rooting
jail breaking
shoulder surfing, trespass, privilege escalation, pretexting, phreaker
Espionage and Trespass: unauthorised access; affects confidentiality
Advanced persistent threat (APT)
competitive intelligence - legal information collection
industrial espionage: above the legal and ethical threshold
Brute force password attack: trying every possible combination of characters and numbers…
- always change the default password.
- controls limiting the number of unsuccessful attempts
Dictionary password attack: a variation of the brute force attack, based on the target's personal info
- controls: require special characters
rainbow table: if an encrypted password file is stolen, hash values and plaintext can be looked up to identify matches
penetration tester
expert hacker
professional hacker
novice hacker: inexperienced
packet monkey: a script kiddie doing DoS attacks
script kiddie: inexperienced, uses expertly written scripts
rooting… usually for Android or Linux
jail breaking… usually for iOS
shoulder surfing
trespass : unauthorised entry into real or virtual property
privilege escalation
pretexting : usually by phone and pretending to be an authority
phreaker: makes free calls from public phones
Force of Nature
Fire, Flood, Electrostatic discharge (ESD), Dust contamination, Solar, Landslide, Tornado, hurricane, tsunami
Fire: indirect damage from water sprinklers
Flood: indirect damage from high humidity and moisture; good to keep the data center on higher floors
Electrostatic discharge (ESD): an employee walking on a cool, dry carpet can produce static electricity that can damage electronics
Dust contamination, Solar, Landslide, Tornado..
Human Error
Social engineering:
advanced fee fraud (AFF)
phishing
spear phishing
Human error or failure can often be prevented by training, ongoing awareness activities and controls
Social engineering:
advanced fee fraud (AFF): 4-1-9 fraud, Nigerian National Petroleum Company
phishing: usually by email, embedded code, targeting as many people as possible
spear phishing: targeted message pretending to be from a colleague etc.
Information extortion
Demanding compensation for the return of information or for an agreement not to disclose it
Ransomware: payment for the key needed to unlock the encryption
- No guarantee of the return of the info or key
- Frequent backups and testing of the backups are good controls
Sabotage or Vandalism
cyberwarfare: government or state against another government or state
hacktivist: a hacker who is against the policies or operations of an organization or government agency. Also called a cyberactivist.
* controls against website defacement: web site backups, close monitoring of the web site, minimizing the use of software such as scripts, plug-ins and APIs.
Software Attack
Back door, trap door, maintenance hook; Boot virus; Bot, zombie; DNS poisoning; DoS and DDoS; mail bomb; man in the middle; packet sniffer (network sniffer); pharming; polymorphic threat; spoofing; virus, worm, trojan horses
Back door, trap door, maintenance hook: hard to detect.
Boot virus
Bot, zombie
DoS and DDoS: hard to defend against. Any system connected to the internet and providing TCP-based network services is vulnerable
mail bomb
man in the middle: monitors (sniffs) packets, modifies them and puts them back on the network
packet sniffer (network sniffer): can monitor data traffic on a network. Hard to detect; high risk, as within an organization data is sent as plain text
pharming: modifying the URL or network traffic without the user's knowledge or active participation.
DNS poisoning: a type of pharming
polymorphic threat
spoofing
worm: can replicate itself until it fills memory, disk space or network bandwidth.
trojan horse: e.g. a readme file
viruses and worms can create back doors.
Technical Hardware Failure or Errors
Mean time between failures (MTBF)
Mean time to diagnose (MTTD)
Mean time to failure (MTTF)
Mean time to repair (MTTR)
Murphy's Law: If something can possibly go wrong, it will.
MTBF = MTTF + MTTD + MTTR
Mean time between failures (MTBF): presumes item can be repaired
Mean time to diagnose (MTTD)
Mean time to failure (MTTF): presumes item must be replaced
Mean time to repair (MTTR)
Technical Software Failures or Errors
OWASP is dedicated to helping organizations to create and operate software applications they can trust.
SQL injection; Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF); Magic URL; buffer overflow; Format string problems; Integer overflow; Catching exceptions; failure to handle errors; poor usability; not updating easily; too much privilege; Sins of mobile code; weak, home-made cryptographic algorithms; trusting network name
SQL injection: can lead to improper access
(XSS) and (CSRF): malicious content appears to be coming from a trusted source
Magic URL: if an ID is passed as a parameter in the URL, it can be modified and used for spoofing.
buffer overflow; Format string problems; Integer overflow; Catching exceptions; failure to handle errors; poor usability; not updating easily; too much privilege; Sins of mobile code; weak, home-made cryptographic algorithms; trusting network name
Management :
informational role
interpersonal role
decisional role
Leader:
Autocratic: "do as I say". Can be effective, but not good when the leader lacks knowledge
Democratic: too much discussion, but may be better for complex issues where consultation is needed
laissez-faire: laid back, makes minimal decision. Can work fine when things are going well.
a combination is best.