Exam 2017 Flashcards

1
Q
  1. Write the definition (approximately) of information security according to ISO27000.
A

Information security is the preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.

2
Q
  1. Write the definition (approximately) of availability according to ISO27000.
A

Availability is the property of being accessible and usable upon demand by an authorized entity.

3
Q
  1. Which is the most relevant threat against availability?
    - Cryptanalysis
    - Zero-day exploit
    - SQL injection
    - Phishing email
    - DDoS attack
A

DDoS attack

4
Q
  1. Explain authorization in a way consistent with the definition of confidentiality.
A

Authorization is to specify access and usage permissions for entities, roles or processes.

5
Q
  1. State the meaning of the abbreviation ISMS
A

Information Security Management System.

6
Q
  1. Explain authorization in a way consistent with the definition of confidentiality.
A

Authorization is to specify access and usage permissions for entities, roles or processes.

7
Q
  1. Briefly explain the term security control, and mention the three (3) general categories of security controls. Give one example security control of each category.
A

Security controls are practical mechanisms, actions, tools or procedures that are used to provide security services. The three general categories are:

  • Physical controls, with relevant example
  • Technical controls, with relevant example
  • Administrative controls, with relevant example

8
Q
  1. Mention the three (3) functional types of security controls. Give one example security control of each functional type.
A

  • Preventive controls, with relevant example
  • Detective controls, with relevant example
  • Corrective controls, with relevant example

9
Q
  1. Some well-known hash functions are:
    - MD5 (Message Digest 5)
    - SHA-1 (Secure Hash Algorithm 1)
    - SHA-2
    - SHA-3

Indicate whether attacks exist for each of them.

A

MD5: Attacks exist
SHA-1: Attacks exist
SHA-2: No attacks exist
SHA-3: No attacks exist

10
Q
  1. The SHA-2 hash algorithm can have four (4) different output block sizes. Specify three of the four output block sizes (in bits) of the SHA-2 hash algorithm.
A

224, 256, 384 or 512 bits

11
Q
  1. Alice wants to send a message M together with a message authentication code MAC(M) to Bob. Alice and Bob share a secret key k, and have agreed on using a specific MAC algorithm MACfunc that takes input parameters M and k, i.e. MAC(M) = MACfunc(M, k).

Outline the steps that Alice must follow when creating MAC(M), and the steps that recipient Bob must follow for verifying MAC(M).

A

MAC generation by Alice:
i. Alice prepares message M.
ii. Alice applies the secure MAC algorithm MACfunc with input parameters M and k to produce MAC(M) = MACfunc(M, k).
iii. Alice transmits message M and MAC(M) to Bob, together with her unique name and a specification of the MAC algorithm she used.

MAC validation by Bob:
i. Bob receives message M’ (denoted M’ rather than M, because from Bob’s point of view the message origin is still uncertain), as well as MAC(M).
ii. Bob applies MACfunc on M’ to produce MAC(M’) = MACfunc(M’, k).
iii. Bob checks whether MAC(M) =? MAC(M’). If TRUE, then MAC(M) is valid, meaning that M’ = M. Bob is therefore convinced that Alice sent message M. If FALSE, then MAC(M) is invalid, meaning that M’ ≠ M. Bob therefore does not know who created the received message M’. He might then decide to reject the message, or use it knowing that its

12
Q
  1. What is the purpose of sending a message with a MAC?
    i) Any third party can authenticate the message origin.
    ii) It provides non-repudiation of message origin.
    iii) The recipient can authenticate the message origin.
    iv) It protects the message confidentiality.
A

iii) The recipient can authenticate the message origin

13
Q
  1. “A trusted system or component is one that can break your security policy”.

Briefly explain the meaning of this proposition.

A

If the system is trusted, then it is relied upon to enforce the security policy. So the security policy will be broken when the trusted system does not work as expected. A non-trusted system on the other hand is not relied upon to enforce the security policy, so when it breaks it does not lead to a breach of security policy.

14
Q
  1. TPM (Trusted Platform Module) is a hardware chip which supports three (3) main security services on computing platforms.

List these three main TPM-supported services:

A
  • Authenticated/measured boot
  • Sealed Storage / Encryption
  • Remote attestation
15
Q
  1. Specify four elements that are relevant to include in the IR (Incident Response) policy.

    i) List of potential threat agents.
    ii) Chain of escalation.
    iii) Security awareness guidelines.
    iv) List of known security vulnerabilities.
    v) Criteria for calling the police.
    vi) List of ranked security risks.
    vii) Who has the responsibility to make decisions.
    viii) List of systems that can be taken offline.

A

ii - Chain of escalation.
v - Criteria for calling the police.
vii - Who has the responsibility to make decisions.
viii - List of systems that can be taken offline.

16
Q
  1. The type of IR (Incident Response) team depends on how it is manned (i.e. where its members come from). Mention the names and briefly describe the three (3) types of IR teams.
A

IR teams:

  • Permanent IR team, where the IR members’ principal job role is to handle security incidents.
  • Virtual IR team, where the IR team members have other main job roles, and are only called upon to handle security incidents whenever needed.
  • Hybrid IR team, where some are permanent members, and some are virtual members.
17
Q
  1. The activities of IR (Incident Response) can be divided into three (3) main phases. Mention the three phases, as well as one (1) specific procedure of each phase.
A

IR activities:

  • Detection phase, with one of:
    i) weed out false positive
    ii) categorise event
  • Respond phase, with one of:
    i) collect data
    ii) mitigate damage
    iii) isolate systems
    iv) analyse and track adversary
    v) report to police if necessary.
  • Recovery phase, with one of:
    i) fix the problem
    ii) improve the IR policy
    iii) disclosure
18
Q
  1. Mention and briefly describe the two types of synchronised authentication tokens, as well as one type of authentication tokens not based on synchronisation.
A
  • Clock-synchronised tokens, where the token and server generate equal OTPs based on time from synchronised clocks as input, together with other data such as a secret key and user Id.
  • Counter-synchronised tokens, where the token and server generate equal OTPs based on counter values from synchronised counters as input, together with other data such as a secret key and user Id.
  • Challenge-response tokens, where the server sends a challenge (random number) to the token which returns the response computed as a function of the challenge in addition to e.g. a secret key and the user identity.
19
Q
  1. Requirements for different AALs (Authentication Assurance Levels) are e.g. specified by the international standard ISO 29115 ‘Entity authentication assurance framework’ and by the Norwegian Framework for Authentication and Non-Repudiation (Rammeverk for autentisering og uavviselighet).
  • How many AALs do the ISO framework and the Norwegian framework specify?
  • How many authentication factors are at least required for the highest AAL?
  • How many authentication factors are at least required for the lowest AAL?
A
  • 4 AALs specified in the ISO framework and the Norwegian framework
  • The highest (AAL 4) requires at least two (2) authentication factors
  • The lowest (AAL 1) requires at least one (1) authentication factor
20
Q
  1. NGFW (Next Generation Firewalls) are advanced 3rd generation firewalls that support multiple functions. Select the functions that are typically supported by NGFWs.
    - Deep packet inspection
    - Email spam filtering
    - Inspection of TLS/SSL encrypted traffic
    - Intrusion detection and prevention
    - Penetration testing
    - Software fuzzing
    - Vulnerability scanning
    - X.509 certificate generation
A
  • Deep packet inspection
  • Inspection of TLS/SSL encrypted traffic
  • Intrusion detection and prevention
  • X.509 certificate generation
21
Q
  1. Briefly explain how a user can know whether the TLS-encrypted traffic from a workstation in a company to a remote server on the Internet is being inspected in the company gateway firewall.
A

The user must view the certification path of the received server certificate, and know the difference between a Browser PKI root certificate and the internal proxy root certificate used for validation. If the certification path leads to an authentic root certificate of the Browser PKI, then there is no TLS inspection. If the certification path leads to the internal proxy root CA, then there is TLS inspection.

22
Q
  1. Mention the meaning of the acronym OWASP, and describe what ‘OWASP Top 10’ is.
A

OWASP: Open Web Application Security Project.

The OWASP Top 10 describes the most critical and common web application security flaws currently found in online applications.