Cyber Security Flashcards

1
Q

What is Information Security?

A

Information security is the preservation of confidentiality, integrity and availability of information.

  • Confidentiality: the property that information is not disclosed to unauthorised individuals, entities or processes
  • Integrity: the property of safeguarding the accuracy and completeness of assets
  • Availability: the property of being accessible and usable upon demand by an authorised entity
2
Q

Asset

A

Anything that has value to the organisation, its business operations and its continuity

3
Q

Threat

A

A potential cause of an incident that may result in harm to a system or organisation

4
Q

Vulnerability

A

A weakness of an asset or group of assets that can be exploited by one or more threats

5
Q

Impact

A

The result of an information security incident, caused by a threat, which affects assets

6
Q

Risk

A

The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation

7
Q

Information Security definitions and terminology:

A

* Preservation of confidentiality, integrity and availability of information.
* Assets; Threats; Vulnerabilities; Impacts; Risks.

8
Q

Information System assets:

A
  • Primary assets: Business processes & activities; Information.
  • Supporting assets: Hardware; Software; Network; Personnel; Site; Organisation’s structure.
9
Q

Information Security Governance

A

Information Security Governance refers to the framework, policies, procedures, and processes that an organization implements to manage and oversee its information security efforts effectively. It involves establishing structures and mechanisms to ensure that information assets are protected in line with the organization’s goals, objectives, and risk tolerance.

  • How organisations control, direct and communicate their cybersecurity risk management activities
  • Policies, Standards, Guidelines and Procedures
  • Security, Education, Training and Awareness (SETA)
  • Incident Response
10
Q

Assets

A
  • Primary assets:
    * Business processes & activities
    * Information
  • Supporting assets (on which the primary assets rely):
    • Hardware
    • Software
    • Network
    • Personnel
    • Site
    • Organization’s structure

Each component has its own strengths and weaknesses, and each has its own security requirements

11
Q

Information

A
  • Business critical information for the exercise of the organisation’s mission
  • Personal information, as can be defined specifically in the sense of the national laws regarding privacy
  • Strategic information required for achieving objectives determined by the strategic orientations
  • High-cost information whose gathering, storage, processing and transmission require a long time and/or involve a high acquisition cost
12
Q

Business Processes

A
  • Processes that contain secret processes or processes involving proprietary technology
  • Processes that, if modified, can greatly affect the accomplishment of the organisation’s mission
  • Processes that are necessary for the organisation to comply with contractual, legal or regulatory requirements
  • Business processes/procedures (i.e., documented instructions to accomplish a certain task) are often overlooked
  • They are information assets in their own right
13
Q

Hardware

A
  • This is the physical technology that
    * houses and executes the software
    * stores and carries the data
    * provides the interface for data entry/removal from the system
  • Traditional physical security like locks and keys restrict access to and the interaction with the hardware components
  • Securing the physical location of the hardware is important as physical access may mean info can be extracted
14
Q

Software

A
  • The software component of IS comprises
    * applications
    * operating systems
    * assorted command utilities
  • It’s arguably the most difficult IS component to secure
  • Unfortunately, software development is often under-resourced
  • As such, information security is usually only added as an afterthought rather than being embedded as an integral part
  • The exploitation of errors in software programming accounts for a substantial proportion of attacks on information
15
Q

Networks

A

The component that has increased the need for information security; new challenges emerge as information systems become increasingly interconnected

  • Manage the network perimeter
    * Use firewalls
    * Prevent malicious content
  • Protect the internal network
    * Segregate network
    * Secure wireless access
    * Enable secure administration
    * Configure the exception handling processes
    * Monitor the network
    * Assurance processes
16
Q

Personnel

A

Often overlooked in computer security considerations, but people make mistakes, fall victim to social engineering, and may be susceptible to bribery/blackmail

  • Produce a user security policy
  • Establish a staff induction process
  • Maintain user awareness of the security risks faced by the organisation
  • Support the formal assessment of security skills
  • Monitor the effectiveness of security training
  • Promote an incident reporting culture
  • Establish a formal disciplinary process
17
Q

Policies, Standards, Guidelines and Procedures

A
  • Policy: A principle or rule to guide decisions and achieve rational outcomes
  • Standards: Detailed statements, quantifying what must be done to comply with policy
  • Guideline: A set of recommended actions to assist in complying with policy
  • Procedure: A list of steps that constitute instructions for performing some action or accomplishing some task
18
Q

Disseminating Policies:

A
  • Policies should be promoted/supported by a security education, training, and awareness (SETA) programme that helps employees do their jobs securely
  • Education:
    * Not everyone needs a formal degree or certificate in info security
    * But some roles may require certain employees to hold/attain info security academic qualifications or industry certification
  • Training:
    * EVERYONE in an organisation needs to be trained and aware of information security
    * Provides employees with hands-on instruction and detailed info designed to prepare them to perform duties securely
    * Management of info security can develop customised in-house training or outsource training
  • Awareness:
    * keeps info security at the forefront of the user’s mind
    * can be as simple as security posters, newsletters, flyers, etc
    * may include printed mouse-pa
19
Q

What is cryptography?

A

Cryptography is a way of turning plaintext (our secret message) into ciphertext (an unreadable version that can later be turned back into the plaintext).

Encrypting something links four elements together:
* the plaintext m
* the ciphertext c
* the key k (like a password)
* the algorithm E

The encryption algorithm turns the plaintext into the ciphertext by means of the key; so

c = E_k(m)

20
Q

Principles of modern cryptography

A

Modern algorithms (some of which we shall look at) abide by the following principles:
1. Large enough key space to resist exhaustive search
2. Resistant to frequency analysis
3. Small change in plaintext results in large change in ciphertext
4. Security depends only on the secrecy of the key, and not on the secrecy of the algorithm (Kerckhoffs’s principle)

21
Q

Cryptographic Algorithms

A

Come in two broad categories: symmetric and asymmetric:

  • Symmetric encryption uses the same “secret key” to encipher and decipher messages
    * Encryption methods can be extremely efficient, requiring minimal processing
    * Both sender and receiver must possess the encryption key
    * If either copy of the key is compromised, an intermediary can decrypt and read messages
  • Asymmetric encryption (public-key encryption) uses two different but related keys to encrypt/decrypt messages:
    * If Key A encrypts a message, only Key B can decrypt it
    * Highest value when one key serves as the private key and the other serves as the public key
    * Typically used to encrypt a symmetric session key rather than the plaintext message(s)
22
Q

Symmetric cryptography, Asymmetric cryptography

A
  • Symmetric cryptography: the same key (shared by two or more parties) is used to encrypt and decrypt, e.g., AES.
  • Asymmetric cryptography: two different keys; the secret key (known to only one party) is used to decrypt messages that were encrypted using the public key (known to all), e.g., RSA. Enables the creation of digital signatures.
  • A hybrid approach utilises the advantages of both.
23
Q

Caesar Cipher

A
  • Shift the outer wheel on by k letters
  • Encrypt: Find each plaintext letter in the outer wheel and replace it with the letter below.
  • Decrypt: Find each ciphertext letter in the inner wheel and replace it with the letter above.

Alternatively (numerically):
* Label A=0, B=1, C=2, etc
* Choose 0 ≤ k < 25
* Encrypt: Add k to each numeric value of the plaintext (mod 26)
* Decrypt: Subtract k from each numeric value of the ciphertext (mod 26)

24
Q

Substitution and Transposition

A

Substitution: substitute one value for another.

Mono-alphabetic cipher (uses only one alphabet)
* Each given input letter always substitutes to the same output letter
* E.g., A → K, B → Y, …, Z → S
* Decrypting is done by reversing the substitution/mapping

Polyalphabetic (uses two or more alphabets)
* E.g., Vigenère cipher: a polyalphabetic code made up of different Caesar ciphers

Transposition: rearranges values within a block

25
Q

Primary challenge of symmetric key cryptography

A

The main problem is key distribution. Let n be the number of parties who want to communicate:
* When n = 2 we need one key
* When n = 3 we need three keys
* When n = 4 we need six keys
* When n = 5 we need ten keys
* In general we need n × (n − 1)/2 keys

26
Q

Diffie-Hellman Key Exchange

A

It is currently necessary for the communicating parties to share a key which is known to no one else. This is done by sending the key in advance over some secure channel such as private courier or registered mail. A private conversation between two people with no prior acquaintance is a common occurrence in business, however, and it is unrealistic to expect initial business contacts to be postponed long enough for keys to be transmitted by some physical means. The cost and delay imposed by this key distribution problem is a major barrier to the transfer of business communications to large teleprocessing networks

27
Q

Applications of DH Key Exchange

A

Diffie-Hellman key exchange uses asymmetric encryption to exchange session keys. These are limited-use symmetric keys for temporary communications; they allow two entities to conduct quick, efficient, secure communications based on symmetric encryption, which is more efficient than asymmetric encryption for sending messages

  • DH-based key establishment is incorporated into a number of standard protocols:
    * TLS/SSL (Transport Layer)
    * IPSec (Network Layer)
  • and is used in a variety of applications:
    * GlobalProtect VPN
    * WhatsApp
    * etc
28
Q

Example Asymmetric Cryptosystem

A
  • The most famous one is RSA:
    * developed by Rivest, Shamir and Adleman in 1978
    * based on number-theoretical properties of natural numbers
  • Elliptic curves:
    * proposed independently in 1985 by Koblitz and Miller
    * uses similar ideas to RSA but using elliptic curves instead
    * same complexity as RSA but with smaller keys
29
Q

Risk Management

A

Risk = likelihood × impact

Component-driven approaches require the risk analyst to assess three elements of risk: threat, vulnerability and impact.

Threat is the individual, group or circumstance which causes a given impact to occur, e.g., lone hacker, state-sponsored group, staff member who has made a mistake, or high-impact weather.

The purpose of assessing threat is to improve the assessment of how likely a given risk is to be realised.

30
Q

Information Security Risk Methods and Frameworks

A

There are a number of Risk Assessment Methods/Frameworks:
* NIST 800-30
* ISO/IEC 27005
* ISACA COBIT
* ISF IRAM 2
* HMG Information Assurance Standard 1 & 2
* Octave Allegro
* ISACA COBIT 5

  • Equally, there are a number of Information Security Management Frameworks:
    * NIST CSF
    * ISO/IEC 27000 series
    * etc
31
Q

NIST Cyber Security Framework

A

  • Identify: Understand and prioritize cybersecurity risks, assets, and governance.
    * Asset Management: Track all hardware, software, and data.
    * Business Environment: Align cybersecurity with organizational goals.
    * Governance: Define roles, responsibilities, and policies.
    * Risk Assessment: Regularly evaluate and prioritize risks.
    * Risk Management Strategy: Plan to mitigate identified risks.
  • Protect: Implement safeguards against cyber threats.
    * Access Control: Manage access to systems and data.
    * Awareness and Training: Educate employees on cybersecurity.
    * Data Security: Encrypt and control access to data.
    * Processes and Procedures: Establish cybersecurity guidelines.
    * Maintenance: Update security measures regularly.
    * Protective Technologies: Use tools to defend against threats.
  • Detect: Identify cybersecurity events promptly.
    * Anomalies and Events: Spot unusual activities.
    * Continuous Monitoring: Monitor systems and networks.
    * Detection Processes: Have procedures to quickly identify threats.
  • Respond: Address detected cybersecurity incidents.
    * Response Planning: Plan for incident responses.
    * Communications: Report and manage incidents.
    * Analysis: Investigate incidents to understand impact.
    * Mitigation: Reduce incident impact.
    * Improvements: Enhance response capabilities.
  • Recover: Restore services after a cybersecurity incident.
    * Recovery Planning: Prepare for recovery.
    * Improvements: Learn from incidents to improve recovery.
    * Communications: Inform stakeholders during recovery.

32
Q

Risk Assessment and Risk Management

A

Risk Assessment and Risk Management are essential to effectively implementing an Information Security Framework.

Risk Assessment
* Risk = likelihood × impact
* Qualitative vs Quantitative
* Outputs a prioritised list of relative risks

Risk Control and Management
* Control Strategies: Avoid; Accept; Reduce; Transfer
* Risk Management is a continual process: Identify, Analyse, Treat, Monitor
* Limitations of Risk Methods and Frameworks

33
Q

Risk Assessment Steps (BS ISO/IEC 27005:2011)

A

Identify (risk identification)
* Identification of Assets
* Identification of Threats
* Identification of Existing Controls
* Identification of Vulnerabilities
* Identification of Consequences

Analyse (risk assessment)
* Assessment of consequences
* Assessment of incident likelihood
* Level of risk determination

Treat (risk treatment)
* Risk modification
* Risk retention
* Risk avoidance
* Risk sharing

Monitor (monitoring and review)

34
Q

Qualitative Risk Analysis

A

Uses a scale of qualifying attributes to describe the magnitude of consequences/likelihood (VL, L, M, H, VH)

  • Advantage - ease of understanding by all relevant personnel
  • Disadvantage - dependence on subjective choice of the scale

May be used:
* As initial screening, to identify risks requiring detailed analysis
* Where this analysis is sufficient for decisions
* Where numerical data/resources are inadequate for quantitative analysis

35
Q

Quantitative Risk Analysis

A

Uses a scale of objective numerical values for consequences/likelihood

  • Uses data from a variety of sources
  • Quality of analysis depends on accuracy/completeness of numerical data
  • Typically uses historical incident data:
    * Advantage - related directly to the info security objectives/concerns of the organization
    * Disadvantage - lack of data on new risks
    * Disadvantage - inaccurate/missing data in general could create an illusion of worth/accuracy of the risk assessment
  • Uncertainty and variability of consequences/likelihood are to be considered and communicated
36
Q

Risk Treatment Options

A

  • Retain/Accept (risk retention): the organisation may tolerate (but not ignore) the risk
  • Avoid/Terminate (risk avoidance): the organisation may decide not to do the thing that incurs the risk
  • Share/Transfer (risk sharing): transfer the risk via an insurance policy or a third party
  • Modify/Reduce (risk modification): adopt controls to lower the current level of risk
    * by reducing likelihood
    * by reducing impact
37
Q

Risk Management Life Cycle

A

Identify: Recognize potential risks.
Analyse: Assess impact and likelihood of risks.
Treat: Develop strategies to mitigate, transfer, avoid, or accept risks.
Monitor: Continuously review and adjust risk management efforts.

38
Q

Critical Appraisal of Risk Methods and Frameworks

A
  • Limits of a ‘reductionist’ approach
  • Lack of variety
  • Limits of a ’fixed state’ approach
  • Lack of feedback and control
  • Losing risk signals in the ’security noise’
  • System operation
  • Information opacity
  • Noise from misguided analysis
  • Noise from bias
  • Assumed determinability
  • Abstraction through labelling
  • The limits of using matrices
  • Limits in the way uncertainty is presented
  • The effect risk relationships have on impact
  • The adverse effect of intervention
  • Impacts are not limited to the scope of assessment
  • The effect of time on risk
39
Q

Common Software Errors

A

The Common Weakness Enumeration (CWE) is a list of software security vulnerabilities maintained by MITRE, a non-profit R&D group. It provides descriptions and mitigation for each vulnerability. MITRE and the SANS Institute developed the CWE/25, listing the 25 most critical software vulnerabilities. A similar list is the OWASP Top 10 Project, which shares many vulnerabilities with the CWE/25.

40
Q

Cross-Site Scripting (XSS )

A

XSS is improper neutralization of input during web page generation.

Vulnerabilities occur when:
* Untrusted data enters a web app.
* The app dynamically generates a web page with this data.
* The app fails to prevent executable data entry (e.g., JavaScript, HTML tags).
* A victim visits the generated page containing the script.
* The browser executes the script in the context of the web server’s domain.
* This violates the same-origin policy, allowing scripts to access resources across domains.

41
Q

Types of Cross-site scripting (XSS):

A
  • Type 1: Reflected XSS (or Non-Persistent)
    Server reflects data in HTTP request back in HTTP response. Attacker makes victim supply bad content to vulnerable web app, which is reflected back and executed by victim’s browser.
  • Type 2: Stored XSS (or Persistent)
    App stores bad data in a database, message forum, visitor log, or other trusted data store. The dangerous data is later read back into the application and included in dynamic content.
42
Q

XSS Prevention

A
  • RULE 0: Never insert untrusted data except in allowed locations
  • RULE 1: HTML escape before inserting untrusted data into HTML element content
  • RULE 2: Attribute escape before inserting untrusted data into HTML common attributes
  • RULE 3: JavaScript escape before inserting untrusted data into JavaScript data values
  • RULE 3.1: HTML escape JSON values in an HTML context and read the data with JSON.parse
  • RULE 4: CSS escape and strictly validate before inserting untrusted data into HTML style property values
  • RULE 5: URL escape before inserting untrusted data into HTML URL parameter values
  • RULE 6: Sanitize HTML markup with a library designed for the job
  • RULE 7: Avoid JavaScript URLs
  • RULE 8: Prevent DOM-based XSS
  • Bonus 1: Use the HttpOnly cookie flag
  • Bonus 2: Implement a Content Security Policy
  • Bonus 3: Use an auto-escaping template system
  • Bonus 4: Use the X-XSS-Protection response header
  • Bonus 5: Properly use modern JS frameworks
43
Q

Principles of Secure Development and Deployment

A
  • Secure development is everyone’s concern
  • Keep your security knowledge sharp
  • Produce clean maintainable code
  • Protect your code repository
  • Secure the build and deployment pipeline
  • Continually test your security
  • Plan for security flaws
  • Secure your development environment
44
Q

Acceptance processes

A

Security testing needs to consider:
* effectiveness of defensive coding
* protection against malware and code injection through interfaces
* backup and recovery of data
* access control
* auditing and behavioural analysis
* communications security
* resilience

45
Q

Change Control and Escrow

A
  • Any change to software risks introducing new bugs/vulnerabilities
  • Formal change control processes manage these risks
  • Separation of duties ensures the person responsible for testing the code isn’t also responsible for its implementation (non-technical)
  • Two-person control requires that an additional person signs off on the code changes, to reduce accidental or malicious flaws (non-technical)
  • Version Control Systems (e.g., git and svn)
46
Q

Patching

A

Every software application and operating system contains bugs
* Code complexity and size make it impossible to test 100% of execution paths
* Bugs have varied impacts on confidentiality, integrity and availability
* Once found and fixed, suppliers issue a patch that can be installed in order to remove the vulnerability
* Patches should be rolled out at the earliest opportunity
* The vulnerability may already be known to and exploited by attackers
* Attackers may also try to reverse engineer patches to create new exploits
* But patches should be tested before roll out, in a non-live environment

47
Q

Accreditation and Certification

A
  • Certification – provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.
  • Accreditation – formal recognition by an independent body, generally known as an accreditation body, that a certification body operates according to international standards.
  • Accredited certification is typically mandated for safety/security critical systems
  • Formal review process to approve information security architecture, policy and procedures before the new/updated product/service/system is deployed/used
  • Will typically require periodic review and re-accreditation