General Security Flashcards
What is information security (in general, not by the ISO definition)?
Information Security is the protection of information assets from damage or harm.
What are the assets to be protected?
Data files, software, IT equipment and infrastructure.
Information Security:
- Covers both intentional and accidental events
- Threat agents can be humans or acts of nature
- People can cause harm by accident or by intent
What is the definition of information security according to ISO27000?
Preservation of confidentiality, integrity and availability of information.
What is Information Security Management, and what does it focus on?
IS management consists of activities to control and reduce the risk of damage to information assets.
IS management focuses on:
- Evaluating threats, vulnerabilities and risks
- Controlling security risks by reducing vulnerability to threats
- Detecting and responding to attacks
- Recovering from damage caused by attacks
- Investigating and collecting evidence about incidents (forensics)
What’s the difference between threat actor and threat scenario?
Threat Actor: An active entity which can execute a threat scenario.
Threat Scenario: The set of steps executed in a (potential) cyber attack.
(When simply using the term “threat”, it usually means a threat scenario)
What’s a vulnerability?
Weaknesses or opportunities allowing a threat scenario to be executed
What’s a security risk?
The likelihood (ease of executing a threat scenario), combined with the potential damage in case of an incident (successful attack).
What’s a security control?
A method for removing vulnerabilities and reducing security risk.
Name the three general security control types, and explain them.
Preventive controls:
Prevent attempts to exploit vulnerabilities.
Example: encryption of files
Detective controls:
Warn of attempts to exploit vulnerabilities.
Example: intrusion detection systems (IDS)
Corrective controls:
Correct errors or irregularities that have been detected.
Example: restoring all applications from the last known good image to bring a corrupted system back online
Use a combination of controls to help ensure that the organisational processes, people, and technology operate within prescribed bounds.
Information security involves protecting information assets from harm or damage, whichever state the information is in.
“Information” is considered in one of three possible states:
During storage
- In information storage containers: electronic, physical or human
During transmission
- Physical or electronic
During processing (use)
- Physical or electronic
Security controls are needed for all three information states.
What is the relation between security services and goals?
A security service supports a general security goal. The traditional definition of information security is to ensure the three CIA security services/goals for data and systems: Confidentiality, Integrity and Availability.
CIA are the three main security services and goals.
Data privacy is an additional goal which relies on CIA -> CIAP.
What is the definition of integrity according to ISO27000?
The property of accuracy and completeness.
What are the two types of integrity?
Data integrity:
The property that data has not been altered or destroyed in an unauthorised manner.
System integrity:
The property that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorised manipulation (RFC 4949).
Can include the accountability of actions.
What are the main threats to integrity?
- Data and system corruption
- Loss of accountability
What are the security controls for integrity?
- Hashing, cryptographic integrity check and encryption
- Authentication, access control and logging
- Software digital signing
- Configuration management and change control (system integrity)
General controls also include:
Secure System Development, Incident Response
What is the definition of Confidentiality according to ISO27000?
The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Can be divided into:
Secrecy: Protecting business data
Privacy: Protecting personal data
Anonymity: Hide who is engaging in what actions
What are the main threats to Confidentiality?
Information theft and unintentional disclosure.
What are the security controls for Confidentiality?
Security controls for Confidentiality are:
- Encryption
- Access control
- Perimeter defence
General controls also include secure systems development and incident response.
What is the definition of Availability according to ISO27000?
The property of being accessible and usable upon demand by an authorized entity.
What is the main threat to Availability?
Denial of Service (DoS): the prevention of authorized access to resources or the delaying of time-critical operations.
What are the security controls for Availability?
Security controls for Availability are:
- Redundancy of resources
- Load balancing
- Software and data backups
General controls also include secure system development and incident response.
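Added example (not code from the page or from any course material): a client-side failover over redundant replicas, in Go with only the standard library. It goes slightly beyond the list above by bounding every attempt with a deadline, because a replica that hangs rather than refuses is exactly the availability failure a DoS produces, and redundancy alone does not help if the client waits on the dead node forever. The fleet of three replicas and their “hung”, “down” and “healthy” behaviours are constructed sample data.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Replica answers one request; the ctx lets the caller cut it off.
type Replica func(ctx context.Context) (string, error)

// FetchWithFailover tries the redundant replicas in order, each under its
// own deadline, and returns the first successful answer together with the
// index of the replica that served it. A hung or failed replica costs at
// most perTry; the request fails only when every replica has failed.
func FetchWithFailover(replicas []Replica, perTry time.Duration) (string, int, error) {
	var lastErr error
	for i, r := range replicas {
		ctx, cancel := context.WithTimeout(context.Background(), perTry)
		out, err := callWithDeadline(ctx, r)
		cancel()
		if err == nil {
			return out, i, nil
		}
		lastErr = err
	}
	return "", -1, fmt.Errorf("all %d replicas failed: %w", len(replicas), lastErr)
}

// callWithDeadline runs the replica in its own goroutine, so even a replica
// that ignores ctx cannot block the caller past the deadline.
func callWithDeadline(ctx context.Context, r Replica) (string, error) {
	type result struct {
		out string
		err error
	}
	ch := make(chan result, 1)
	go func() {
		out, err := r(ctx)
		ch <- result{out, err}
	}()
	select {
	case v := <-ch:
		return v.out, v.err
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

// SampleFleet is constructed sample data: replica 0 is hung (the effect of a
// DoS), replica 1 is down, and replica 2 is healthy.
func SampleFleet() []Replica {
	hung := func(ctx context.Context) (string, error) {
		select {
		case <-time.After(5 * time.Second):
			return "late answer", nil
		case <-ctx.Done():
			return "", ctx.Err()
		}
	}
	down := func(ctx context.Context) (string, error) {
		return "", errors.New("connection refused")
	}
	healthy := func(ctx context.Context) (string, error) {
		return "OK from replica 2", nil
	}
	return []Replica{hung, down, healthy}
}

func main() {
	out, idx, err := FetchWithFailover(SampleFleet(), 100*time.Millisecond)
	fmt.Printf("answer=%q served_by=%d err=%v\n", out, idx, err)
}
```

The per-attempt deadline is the piece that turns redundancy into availability: with replica 0 hung, the request still completes in about one timeout plus one refused connection, instead of never. In a real deployment the same loop would sit behind a load balancer with health checks so that the hung replica is skipped rather than retried on every request.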
What type of data is protected by the GDPR regulation?
Personal data, i.e. personally identifying information about natural persons.
How can we protect aspects of Data Privacy? (personal data)
- Protect specific aspects of information that may be related to natural persons (personal information).
- Prevent unauthorized collection and storage of personal information.
- Prevent unauthorized use of collected personal information.
- Make sure personal information is correct.
- Ensure transparency and access for data subjects.
- Adequate information security (CIA) of personal information.
- Define clear responsibilities around personal information.
GDPR (General Data Protection Regulation) became applicable across the EU on 25 May 2018; its Norwegian implementation, the new Personopplysningsloven, entered into force on 20 July 2018.
The CIA services/goals are quite general. Name the four types of Authentication:
- User authentication
- Organisation authentication
- System authentication
- Data origin authentication
User Authentication
The process of verifying a claimed identity of a legitimate user when accessing a system or an application.
- Identification: who do you claim to be?
- Authentication of the identification: can you prove that you are who you claim to be?
- Main threats: spoofed identity and false login
- Security controls: passwords, personal cryptographic tokens, biometrics, cryptographic security/authentication protocols
Organisation authentication
The process of verifying a claimed identity of a legitimate organisation in an online interaction/session.
System Authentication (Peer entity authentication)
The verification that a peer entity (system) in an association (connection, session) is the one claimed.
- Goal: establish the correct identity of organisations/remote hosts.
- Main threats: network intrusion, masquerading attacks, replay attacks, DDoS attacks.
- Security controls: cryptographic authentication protocols based on hashing and encryption algorithms (TLS, VPN, IPsec).
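Added example, not part of the page: a challenge-response login in Go (standard library only) of the kind the “cryptographic authentication protocols” bullets on the user and system authentication cards refer to. It shows the identification step (the client names itself), the authentication step (the client proves it holds the shared secret without sending it) and why a fresh single-use nonce defeats the replay threat listed above. The user name alice, the shared secret and the attacker's guessed key are constructed sample values; the secret is assumed to have been provisioned out of band, and this is not any real product's protocol.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server holds each user's shared secret and the challenge nonce currently
// outstanding for that user. Secrets are assumed provisioned out of band.
type Server struct {
	keys    map[string][]byte // user -> shared secret
	pending map[string][]byte // user -> nonce issued but not yet answered
}

func NewServer() *Server {
	return &Server{keys: map[string][]byte{}, pending: map[string][]byte{}}
}

// Enroll registers a user identity and its shared secret.
func (s *Server) Enroll(user string, key []byte) { s.keys[user] = key }

// Challenge is the identification step: the client claims "user" and the
// server answers with a fresh 16-byte random nonce that is valid exactly once.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Respond is the client side: prove possession of the key by computing
// HMAC-SHA256(key, nonce). The key itself never crosses the wire.
func Respond(key, nonce []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(nonce)
	return m.Sum(nil)
}

// Verify is the authentication step: recompute the expected response over
// the outstanding nonce and compare in constant time. The nonce is consumed
// whether or not the check passes, so a captured response cannot be replayed.
func (s *Server) Verify(user string, response []byte) bool {
	key, known := s.keys[user]
	nonce, outstanding := s.pending[user]
	if !known || !outstanding {
		return false
	}
	delete(s.pending, user)
	return hmac.Equal(Respond(key, nonce), response)
}

// Scenario runs three logins against a constructed sample user and returns
// (legitimate login accepted, replayed response accepted, wrong key accepted).
func Scenario() (bool, bool, bool) {
	srv := NewServer()
	key := []byte("alice-shared-secret-sample") // constructed sample secret
	srv.Enroll("alice", key)

	// 1. Legitimate login: fresh challenge, correct key.
	nonce, _ := srv.Challenge("alice")
	resp := Respond(key, nonce)
	legit := srv.Verify("alice", resp)

	// 2. Replay: an eavesdropper captured resp and submits it against a new challenge.
	srv.Challenge("alice")
	replay := srv.Verify("alice", resp)

	// 3. Spoofed identity: the attacker claims to be alice but guesses the key.
	nonce3, _ := srv.Challenge("alice")
	spoof := srv.Verify("alice", Respond([]byte("guessed-key"), nonce3))

	return legit, replay, spoof
}

func main() {
	legit, replay, spoof := Scenario()
	fmt.Printf("legitimate=%v replay=%v spoof=%v\n", legit, replay, spoof)
}
```

Two details carry the security argument: the nonce comes from crypto/rand and is deleted on first use, so the response an eavesdropper captures is worthless a moment later, and the comparison uses hmac.Equal so that a byte-by-byte early exit does not leak how much of a guessed response was correct.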
Data Origin Authentication (message authentication)
The verification that the source of data received is as claimed.
- Goal: the recipient of a message (data) can verify the correctness of the claimed sender identity. (A third party may not be able to verify it.)
- Main threats: false transactions, false messages and false data.
- Security controls: encryption with a shared secret key (note that encryption alone does not detect modification; in practice it is combined with a MAC or used in an authenticated-encryption mode), MAC (Message Authentication Code), security protocols, digital signature with a private key, electronic signature (digital evidence).
Non-repudiation
This is a strong form of data origin authentication.
Goal: making the sending and receiving of messages undeniable through unforgeable evidence.
Non-repudiation of origin: proof that data was sent.
Non-repudiation of delivery: proof that data was received.
NB: imprecise interpretation: has a message been received and read just because it has been delivered to your mailbox?
Main threats:
- Sender falsely denying having sent a message
- Recipient falsely denying having received a message
Control: digital signature
- Cryptographic evidence that can be confirmed by a third party
- Data origin authentication and non-repudiation are similar
- Data origin authentication only provides proof to the recipient party
- Non-repudiation also provides proof to third parties
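Added example serving both the integrity-controls card (hashing, cryptographic integrity check, digital signing) and the data origin authentication and non-repudiation cards above; it is not code from the page. In Go, standard library only: the same constructed sample message is protected by a plain SHA-256 hash, by HMAC-SHA256 under a key shared by sender and recipient, and by an Ed25519 signature, and each is checked against an attacker tampering with the message and against the recipient trying to manufacture the sender's evidence. Alice, Bob and the message text are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Plain hash: anyone who can alter the message can recompute it, so it only
// catches accidental corruption, not a deliberate attacker.
func hashTag(msg []byte) []byte { h := sha256.Sum256(msg); return h[:] }
func hashOK(msg, tag []byte) bool { return bytes.Equal(hashTag(msg), tag) }

// MAC: HMAC-SHA256 under a key shared by sender and recipient.
func macTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}
func macOK(key, msg, tag []byte) bool { return hmac.Equal(macTag(key, msg), tag) }

// Outcome collects what each party can establish about one message.
type Outcome struct {
	HashPassesAfterTamper bool // attacker rewrites the message and recomputes the hash
	MACAccepted           bool // recipient accepts the genuine MAC
	MACDetectsTamper      bool // modified message with the old tag is rejected
	RecipientCanForgeMAC  bool // recipient holds the key, so it can produce an identical tag
	SigAccepted           bool // recipient accepts the genuine signature
	SigDetectsTamper      bool // modified message with the old signature is rejected
	RecipientCanForgeSig  bool // recipient's own key never verifies under the sender's public key
	ThirdPartyVerifiesSig bool // a judge holding only the public key reaches the same verdict
}

// Demo protects one constructed sample message with each mechanism and runs
// the attacks the flashcards list: tampering, and the recipient producing
// evidence in the sender's name.
func Demo() (Outcome, error) {
	var o Outcome
	msg := []byte("pay 100 to account 42")      // constructed sample message
	tampered := []byte("pay 900 to account 42") // the attacker's modification

	// 1. Unkeyed hash: the attacker simply recomputes it over the new text.
	o.HashPassesAfterTamper = hashOK(tampered, hashTag(tampered))

	// 2. MAC with a key shared by Alice (sender) and Bob (recipient).
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return o, err
	}
	tag := macTag(key, msg)
	o.MACAccepted = macOK(key, msg, tag)
	o.MACDetectsTamper = !macOK(key, tampered, tag)             // attacker has no key; old tag fails
	o.RecipientCanForgeMAC = bytes.Equal(macTag(key, msg), tag) // Bob can make Alice's tag himself

	// 3. Digital signature: Alice signs with her private key.
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	sig := ed25519.Sign(alicePriv, msg)
	o.SigAccepted = ed25519.Verify(alicePub, msg, sig)
	o.SigDetectsTamper = !ed25519.Verify(alicePub, tampered, sig)

	// Bob has only his own key pair; nothing he signs verifies as Alice.
	_, bobPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	o.RecipientCanForgeSig = ed25519.Verify(alicePub, msg, ed25519.Sign(bobPriv, msg))

	// A judge given (alicePub, msg, sig) and nothing secret reaches the same verdict.
	judge := func(pub ed25519.PublicKey, m, s []byte) bool { return ed25519.Verify(pub, m, s) }
	o.ThirdPartyVerifiesSig = judge(alicePub, msg, sig)
	return o, nil
}

func main() {
	o, err := Demo()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

The two flags that separate the cards are RecipientCanForgeMAC and RecipientCanForgeSig: a MAC convinces Bob that the message came from someone holding the shared key, which is data origin authentication, but because Bob holds that key too, a tag is not evidence he could show a judge. The signature is tied to a private key only Alice holds, so the same evidence verifies for any third party with her public key, which is what non-repudiation of origin adds.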
Accountability
Goal: Trace action to a specific user and hold them responsible
Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party (TCSEC/Orange Book)
Main threats:
- Inability to identify source of incident
- Inability to make attacker responsible
Controls:
- Identify and authenticate users
- Log all system events (audit)
- Electronic signature
- Non-repudiation based on digital signature
- Forensics