General Security Flashcards

1
Q

What is information security (in general, not by the ISO definition)?

A

Information Security is the protection of information assets from damage or harm.

What are the assets to be protected?
Data files, software, IT equipment and infrastructure.

Information Security:

  • Covers both intentional and accidental events
  • Threat agents can be humans or acts of nature
  • People can cause harm by accident or by intent
2
Q

What is the definition of information security according to ISO27000?

A

Preservation of confidentiality, integrity and availability of information.

3
Q

What is Information Security Management, and what does it focus on?

A

IS management consists of activities to control and reduce the risk of damage to information assets.

IS management focuses on:

  • Evaluating threats, vulnerabilities and risks
  • Controlling security risks by reducing vulnerability to threats
  • Detecting and responding to attacks
  • Recovering from damage caused by attacks
  • Investigating and collecting evidence about incidents (forensics)
4
Q

What’s the difference between threat actor and threat scenario?

A

Threat Actor: An active entity which can execute a threat scenario.

Threat Scenario: The set of steps executed in a (potential) cyber attack.

(When simply using the term “threat”, it usually means a threat scenario)

5
Q

What’s a vulnerability?

A

Weaknesses or opportunities allowing a threat scenario to be executed.

6
Q

What’s a security risk?

A

The likelihood (ease of executing a threat scenario), combined with the potential damage in case of an incident (successful attack).

7
Q

What’s a security control?

A

A method for removing vulnerabilities and reducing security risk.

8
Q

Name the three general security control types, and explain them.

A

Preventive controls:
Prevent attempts to exploit vulnerabilities.
Example: encryption of files

Detective controls:
Warn of attempts to exploit vulnerabilities.
Example: intrusion detection systems (IDS)

Corrective controls:
Correct errors or irregularities that have been detected.
Example: restoring all applications from the last known good image to bring a corrupted system back online

Use a combination of controls to help ensure that the organisational processes, people, and
technology operate within prescribed bounds.

9
Q

Information security involves protecting information assets from harm or damage.

“Information” is considered in one of three possible states:

A

During storage

  • Information storage containers
  • Electronic, physical, human

During transmission

  • Physical or electronic

During processing (use)

  • Physical or electronic

Security controls for all information states are needed.
10
Q

What is the relation between security services and goals?

A

A security service supports a general security goal. The traditional definition of information security is to ensure the three CIA security services/goals for data and systems: Confidentiality, Integrity and Availability.

CIA are the three main security services and goals.

DATA PRIVACY is an additional goal which relies on CIA, giving CIAP.

11
Q

What is the definition of integrity according to ISO27000?

A

The property of accuracy and completeness.

13
Q

What are the two types of integrity?

A

Data integrity:
The property that data has not been altered or destroyed in an unauthorised manner.

System integrity:
The property of accuracy and completeness.

Can include the accountability of actions.

15
Q

What are the main threats to integrity?

A

  • Data and system corruption
  • Loss of accountability

15
Q

What are the security controls for integrity?

A

  • Hashing, cryptographic integrity check and encryption
  • Authentication, access control and logging
  • Software digital signing
  • Configuration management and change control (system integrity)

General controls also include secure system development and incident response.

15
Q

What is the definition of Confidentiality according to ISO27000?

A

The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Can be divided into:

  • Secrecy: protecting business data
  • Privacy: protecting personal data
  • Anonymity: hiding who is engaging in what actions

15
Q

What is the main threat to Confidentiality?

A

The main threats to confidentiality are information theft and unintentional disclosure.

16
Q

What are the security controls for Confidentiality?

A

Security controls for Confidentiality are:

  • Encryption
  • Access control
  • Perimeter defence

General controls include secure systems development and incident response.

17
Q

What is the definition of Integrity according to ISO27000?

A

The property of accuracy and completeness.

18
Q

What is the main threat to Integrity?

A

Denial of Service (DoS)

Also, the prevention of authorised access to resources or the delaying of time-critical operations.

19
Q

What are the security controls for Integrity?

A

Security controls for availability include:

  • Redundancy of resources
  • Load balancing
  • Software
  • Data backups

General controls also include secure system development and incident response.

21
Q

What type of data is protected by the GDPR regulation?

A

Personally identifying information.

22
Q

How can we protect aspects of Data Privacy (personally identifying information)?

A

  • Protect specific aspects of information that may be related to natural persons (personal information).
  • Prevent unauthorised collection and storage of personal information.
  • Prevent unauthorised use of collected personal information.
  • Make sure your personal information is correct.
  • Ensure transparency and access for data subjects.
  • Adequate information security (CIA) of personal information.
  • Define clear responsibilities around personal information.
  • GDPR (General Data Protection Regulation) became EU law on 25 May 2018; its Norwegian translation became the new Personopplysningsloven on 20 July 2018.
23
Q

The CIA services/goals are quite general. Name the four types of Authentication:

A

  • User authentication
  • Organisation authentication
  • System authentication
  • Data origin authentication
24
Q

User Authentication

A

The process of verifying the claimed identity of a legal user when accessing a system or an application.

- Identification: are you who you claim to be?
- Authentication of identification: can you prove that you are who you claim to be?
- Main threats: spoofed identity and false login
- Security controls: passwords, personal cryptographic tokens, biometrics, cryptographic security/authentication protocols
25
Q

Organisation authentication

A

The process of verifying the claimed identity of a legal organisation in an online interaction/session.

26
Q

System Authentication (Peer entity authentication)

A

The verification that a peer entity (system) in an association (connection, session) is the one claimed.

- The goal is to establish the correct identity of organisations/remote hosts.
- The main threats are network intrusion, masquerading attacks, replay attacks and DDoS attacks.
- Security controls include cryptographic authentication protocols based on hashing and encryption algorithms (TLS, VPN, IPsec).
27
Q

Data Origin Authentication (message authentication)

A

The verification that the source of data received is as claimed.

- The goal is that the recipient of a message (data) can verify the correctness of the claimed sender identity (but a 3rd party may not be able to verify it).
- The main threats to data origin authentication are false transactions, false messages and false data.
- Security controls for data origin authentication are encryption with a shared secret key, MAC (Message Authentication Code), security protocols, digital signature with a private key, and electronic signature (digital evidence).
28
Q

Non-repudiation

A

This is a strong form of data authentication.

Goal: making the sending and receiving of messages undeniable through unforgeable evidence.

Non-repudiation of origin: proof that data was sent.
Non-repudiation of delivery: proof that data was received.
NB: imprecise interpretation: has a message been received and read just because it has been delivered to your mailbox?

Main threats:
Sender falsely denying having sent a message
Recipient falsely denying having received a message

Control: digital signature

  • Cryptographic evidence that can be confirmed by a third party
  • Data origin authentication and non-repudiation are similar
  • Data origin authentication only provides proof to recipient party
  • Non-repudiation also provides proof to third parties
29
Q

Accountability

A

Goal: trace an action to a specific user and hold them responsible.
Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party (TCSEC/Orange Book).

Main threats:

  • Inability to identify source of incident
  • Inability to make attacker responsible

Controls:

  • Identify and authenticate users
  • Log all system events (audit)
  • Electronic signature
  • Non-repudiation based on digital signature
  • Forensics