Own Questions Flashcards
What are ways of handling risks?
- Ignore
- Avoid
- Mitigate
- Accept
- Transfer
What is risk appetite?
Risk appetite is the level of risk that an organization is willing to accept in pursuit of its objectives, before it is determined that action must be taken to reduce the risk.
Name a few best practices
OWASP
ITIL
Name the 2 approaches
Reactive approach: how to crash a computer (the hacker's perspective)
Proactive approach: create secure systems, mitigate threats upfront, secure design
SQL Injection
A SQL injection is a type of cyberattack in which a hacker uses a fragment of SQL (Structured Query Language) code to manipulate a database and gain access to potentially valuable information.
XXE
- An XML External Entity attack is a type of attack against an application that parses XML input.
- This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
- Mitigation: the XML processor should be configured to use a local static DTD and disallow any declared DTD included in the XML document.
CSRF
In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user’s account.
What is non-repudiation?
Non-repudiation. Something has happened and this cannot be denied. You sign your digital signature with your private key; it is decrypted with your public key to make sure that the message has not been changed.
Name the random modules
os.urandom
/dev/urandom
XOR relies on randomness
Properties of symmetric cryptography
- Same key to encode / decode.
- Key exchange problem: when these keys are shared over an unsecured connection, they are vulnerable to being intercepted by malicious third parties.
- Block-based or stream-based
- Relatively fast (disk encryption)
- Modes: to encrypt large plaintext
Properties of asymmetric cryptography
- Different keys to encode / decode.
- Public key can be published
- Limited code space
- Relatively slow
Name the guidelines
How to program
How to review
How to test
How to deploy
Reasons for weaknesses in code
- Using shortcuts
- Lack of knowledge
- Focus on results instead of quality
What is test as specification?
- Tests define behavior
- Create tests together with the specification
What is a regression test?
Regression testing is a type of software testing that confirms that a recent program or code change has not adversely affected existing features: new features must not break the current software.
Name examples of hardening
Removal of maintenance hooks
Removal of debugging code and flags in code.
Removal of dead code / unused code
Removal of comments
Name examples of defence in depth (DiD)
Access rights
Elevated accounts
Account per application (or sub-application)
Separate read-only for modifiable data (static / dynamic)
Restrict use of resources
Be aware of command-escapes in the program.
Restrict sudo
How can you monitor a program?
- Check program against signature (read-only)
- Check running processes: unexpected processes / missing processes
- Check network ports and connections: unexpected listens, unexpected src/dst IPs, unexpected ports
- Check filesystem: unexpected files in directories
- Check logfiles: unexpected errors, exceptional cases
Name the controls (Lesson 4)
- Detective controls
- Preventive controls
- Deterrent controls
- Corrective controls
- Compensating controls