General Concepts Flashcards

1
Q

Define “Confidentiality”, main threats and controls

A

The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Main Threats:

  • Theft
  • Unintentional disclosure

Controls:

  • Encryption
  • Perimeter defence
  • Access control
2
Q

Define “Data Integrity” and “System integrity”, main threats and controls

A

Data integrity: The property that data has not been altered or destroyed in an unauthorized manner (X.800: Security Architecture for Open Systems Interconnection (OSI))

System integrity: The property of accuracy and completeness (ISO 27000)

Main Threats:

  • Data corruption
  • System corruption

Controls:

  • Access control
  • Cryptographic integrity check and encryption
  • Perimeter defence
  • Audit and verification of systems and applications
3
Q

Define “Availability”, main threats and controls

A

The property of being accessible and usable upon demand by authorised entity (ISO 27000)

Main Threats:
- DoS attack

Controls:

  • Redundancy of resources
  • Traffic filtering
  • Incident recovery
  • International collaboration and policing
4
Q

Define “Non-repudiation”, main threats and controls

A

Making sending and receiving messages undeniable through unforgeable evidence.

Main Threats:

  • Sender denies having sent message
  • Receiver denies having received message

Controls:
- Digital signature. Cryptographic evidence that can be confirmed by third party.

Non-repudiation refers to a state of affairs where the author of a statement will not be able to successfully challenge the authorship of the statement or validity of an associated contract. The term is often seen in a legal setting wherein the authenticity of a signature is being challenged. In such an instance, the authenticity is being “repudiated”.

5
Q

Define “Accountability”, main threats and controls

A

Trace actions to a specific user and hold them responsible.

Main Threats:

  • Inability to identify source of incident.
  • Inability to make attacker responsible.

Controls:

  • Identify and authenticate users
  • Log all system events
  • Electronic signature
  • Non-repudiation based on digital signature
  • Forensics
6
Q

Security controls categories:
What are physical controls?
What are technical controls?
What are administrative controls?

A
  • Physical controls: Security guards, locks.
  • Technical controls: Firewall, logical access control, intrusion detection.
  • Administrative controls: Policies and standards, Incident response.
7
Q

Functional controls categories:
What are preventive controls?
What are detective controls?
What are corrective controls?

A
  • Preventive controls: Encryption of files
  • Detective controls: Intrusion detection system
  • Corrective controls: Restoring all system to last known good image to bring corrupted system back online.
8
Q

What is Authentication?
What is Access control?
What is Authorization?

A

Authentication (User)
The process where the user gives his/her password to prove his/her identity to the system, which verifies the password.

Access control (System)
The system checks the user and grants the correct access to the system or service.

Authorization (Authority)
Defines and grants permissions to users.

9
Q

What is a cryptoperiod and why is it important?

A

A cryptoperiod is the timespan during which a specific key is authorized for use. It consists of the protecting period (used for encryption and signing) and the processing period (used for reading only).

It is important because it:

  • Limits the amount of information protected by a given key that is available for cryptanalysis.
  • Limits the amount of exposure and damage if a key is compromised.
  • Limits the use of a particular algorithm to its estimated effective lifetime.
10
Q

What is cryptography and cryptanalysis?

A
  • Cryptography is the science of secret writing with the goal of hiding the meaning of a message.
  • Cryptanalysis is the science, and sometimes art, of breaking cryptosystems.
11
Q

What is the definition of “information security” according to ISO27000?

A

Information security is the preservation of

  • Confidentiality,
  • Integrity and
  • Availability of information;

in addition, other properties such as

  • Authenticity,
  • Accountability,
  • Non-repudiation and
  • Reliability can also be involved.
12
Q

Define

“User authentication” , main threats and controls

A

User authentication:
– The process of verifying a claimed identity of a user when accessing a system or an application. Log in!

Main Threats:
Unauthorised access.

Controls:
Passwords, tokens, biometrics, cryptographic protocols

13
Q

Define

“System authentication”, main threats and controls

A

System authentication:
– The process of verifying correct identity of remote hosts/servers.

Main Threats:

  • Network intrusion
  • Masquerading attacks
  • DDoS attacks
  • Replay attacks

Controls:
- System: cryptographic authentication protocols based on hashing and encryption algorithms.
(TLS, VPN, IPsec)

14
Q

Define

“Organisation authentication”, main threats and controls

A

Organisation authentication:
– The process of verifying correct identity of the organization.

Main Threats:

  • Network intrusion
  • Masquerading attacks
  • DDoS attacks
  • Replay attacks

Controls:
- System: cryptographic authentication protocols based on hashing and encryption algorithms.
(TLS, VPN, IPsec)

15
Q

Define

“Data origin authentication” , main threats and controls

A

Data origin authentication (message authentication):
– The process of verifying the source of data received

Main Threats:
Data:
- False transactions
- False messages and data

Controls:

  • Encryption with shared secret key
  • MAC
  • Security protocols
  • Digital signature with private key
  • Electronic signature.
16
Q

What is symmetric encryption, and where is it used?

A

Symmetric Encryption
The key is the same and is agreed on before the exchange of data, in private. This is great for people, but for two computers it is impossible to meet in private to exchange the secret key. That is why this is not used in everyday computing. For that we have asymmetric encryption.

17
Q

What is asymmetric encryption, and how does it work?

A

Asymmetric Encryption
Divides the key into two, one public and one private.

Bob's “public key” is shared with everybody, so anybody can encrypt a message that they want to send to Bob.

Bob's “private key” is the only key that can be used to decrypt and read the messages, and it is stored on Bob's computer.

Example:
You have a mailbox with two different keys; one for placing mail (Public) and one for opening the mailbox (Private). The postman and the newspaper delivery man have a copy of the key that must be used to place mail (the public one). But you, and only you, have the key to open the mailbox and get out the mail (the private one).

18
Q

Asymmetric keys and cryptography solve security problems in open networks, but what is the main challenge when applying them?

A

Key distribution challenges.

Public key cryptography needs a PKI (Public key infrastructure) in order to be practical.

19
Q

What is the definition of risk according to ISO31000?

A

“Risk is the effect of uncertainty on objectives”

20
Q

What is ISO 27001?

A

ISO 27001:
Specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization. Measure efficiency etc.

The ISMS cycle is the model in focus, which consists of planning, risk assessment, security controls, evaluation and reporting. These tasks are repeated to continually improve an ISMS.

21
Q

What is ISO 27002?

A

ISO 27002:
A checklist for implementing IT security
– Contains 14 categories (control objectives) of security controls
– In total, the standard describes 113 generic security controls

22
Q

What is the ISO 27K-series?

A

The ISO/IEC 27000-series (also known as the ‘ISMS Family of Standards’) comprises information security standards published jointly by ISO and IEC.

The series provides best practice recommendations on information security management - the management of information risks through information security controls - within the context of an overall Information security management system (ISMS).

23
Q

Define these three human factors:

  • Personnel integrity
  • Personnel as defense
  • Security usability

A

Personnel integrity - Making sure personnel do not become attackers
Personnel as defence - Making sure personnel do not fall victim to social engineering attacks
Security usability - Making sure users operate security correctly

24
Q

What is the definition of Information security risk management (ISMS) in the ISO 27005?

A

ISO 27005:
“Information security risk management (ISMS) analyses what can happen and what the possible consequences can be, before deciding what should be done and when, to reduce risk to an acceptable level.”

25
Q

What is a Hash function?

A

A Hash function is a function that is easy to compute but hard to invert.

This can be used to safely store passwords as hash values. The authentication function first computes the hash of the received password, then compares it against the stored hash value. That way the password is not stored in cleartext, but is still comparable when authentication is needed.

26
Q

What is “salt” in cryptography?

A

In cryptography, a salt is random data that is used as an additional input to a one-way function that “hashes” data, a password or passphrase. The primary function of salts is to defend against dictionary attacks or against its hashed equivalent, a pre-computed rainbow table attack.

27
Q

Define Entity, Identity, identifier and digital identity

A

Entity:
- A person, organisation or system.

Identity:

  • A set of names/attributes of an entity in a specific domain.
  • An entity may have multiple identities in multiple domains.
  • An entity may have multiple identities in a single domain.

Identifier:
- A unique identifier assigned to each entity.

Digital identity:
- Digital representation of name and attributes in a way that is suitable to be processed by computers

28
Q

Identity management model, what is SILO and Federate models? Mention pros and cons.

A

SILO: Service provider (SP) controls the name space, provides the identity and the access credentials to the user.

Pros and cons:
+ Low cost
+ Easy to implement
+ Easy to deploy
- Low usability
- Identity overload
- Lost business

Federate: A set of agreements, standards and technologies that enable a group of service providers to recognise and trust user identities and credentials from different IDPs, CrPs and SPs.

Pros and cons:
+ Bundled services
+ Collect user data
+ Strengthen privacy by pseudonym
- Low privacy for user
- More dependencies
- High technical complexity
- High trust requirements
- Limited scalability
- New form of silo
29
Q

Name the four types of Federate Identity management models and give examples .

A

Four main types:

1. CF - Centralized Federation (Google):
Centralised name space and management of credentials by a single IdP/CrP.

2. DICA - Distributed Identity with Centralised Authentication (Facebook):
Distributed name spaces managed by multiple IdPs. Centralised credentials authentication by a single CrP.

3. CIDA - Centralized Identity with Distributed Authentication (Altinn):
Centralised name space managed by a single IdP. Distributed management of credentials and authentication by multiple CrPs.

4. DF - Distributed Federation (Feide):
Distributed name spaces and management of credentials by multiple IdPs and CrPs.
30
Q

Identity management, define MAC, DAC, RBAC and ABAC.

A

MAC: Mandatory access control, access based on labels. Example: “Confidential”, “Secret”, “Sales-dep”.

DAC: Discretionary access control, access specified and enforced based on the identity of the user.

RBAC: Role based access control, user has access based on role

ABAC: Attribute based access control, access rights are granted to users through the use of policies which combine attributes together. For example: IF the requestor is a manager, THEN allow read/write access to sensitive data.

31
Q

What is the SSL/TLS handshake? Why is it used? And what is the difference between the two?

A

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) are cryptographic protocols that provide communications security over a computer network. It is used in applications such as web browsing, mail, instant messaging, and voice over IP (VoIP).

It is used to establish trust between two services online. Websites use TLS to secure all communications between their servers and web browsers.

SSL v3: the most used protocol online today; it is an old version and not the safest.

TLS v1.1 & v1.2: the newest protocol but not the most used; it is safer to use than SSL and should be used in new applications.

32
Q

Explain the Diffie Hellman key exchange

A

1) Both Alice and Bob agree on a one-way function and share it. (This will be available to Eve.)
2) Then Alice and Bob each raise this one-way function to their personal private key, to complete the function.
3) They send this function to each other. (This will also be available to Eve.)
4) Then both raise the function they receive from the other person to their own private key again.

Result: Now Alice and Bob end up with a shared private key that Eve can't compute, because she needs one of their private keys to find the new shared private key.

Explanation: https://youtu.be/YEBfamv-_do?t=2m18s

33
Q

It is important to protect information assets in all states, name the three states and how to protect them.

A

During storage:

  • Information storage containers.
  • Electronic, physical, human.

During transmission:
- Physical or electronic.

During processing:
- Physical or electronic.

34
Q

Mention the four types of Firewall Technology.

A
  • Router Packet Filters: Inspects the IP header of traffic.
  • Stateful Packet Filters: Inspects the IP header and keeps track of traffic so that for the length of the session the return communication is let through.
  • Application Layer Proxy: Splits the connection, inspects the payload and analyses traffic. The proxy can inspect data at any level and even modify data.
  • Next Generation Firewall: End-to-end connection, inspects the payload and analyses traffic.
35
Q

What is a honeypot?

A

A honeypot is a computer configured to detect network attacks or malicious behavior. It appears to be part of a network, and seems to contain information or a resource of value to attackers.

Honeypots are isolated, are never advertised and are continuously monitored. All connections to honeypots are by definition malicious.

Honeypots can be used to extract attack signatures.

36
Q

What is OWASP and the top ten vulnerability risk?

A

OWASP (Open web application security program) is a non-profit organisation that promotes security awareness and solutions for Web application development. They provide and maintain free tools for scanning and fixing, such as the Application Security Verification Standard (ASVS) requirements for application level security.

The top ten security list provides the most critical security risks of providing online services.

37
Q

What is SQL-Injection?

A

SQL-Injection is when the attacker disguises SQL commands as data input. If the application that uses the SQL command is not programmed to sanitize the input, the attacker will get control of the database. He/she can then delete or steal data from the database.

Solution: Sanitize user input.

38
Q

What is Cross site scripting? XSS

A

Attacker disguises malicious code as user input. It is stored on the site, and when the victim uses the page, the code will run and attack the victim.

Solution:

  • CHECK datatypes and length
  • DISALLOW unwanted data (HTML tags, Javascript)
  • ESCAPE questionable characters. (semicolon, brackets.)
  • Hide information about error handling. (Because information could be used by hacker or maybe reveal sensitive information.)
39
Q

What is “Broken authentication and session management”?

A

Developers must implement a Session ID to provide continuous authentication assurance, since user authentication happens only at one point in time. Otherwise there is no guarantee that the “user is the user.” Recommendations such as those from OWASP should be followed.

40
Q

What is security by design?

A

Security by Design is a legal requirement under GDPR.

Secure by design, in software engineering, means that the software has been designed from the ground up to be secure. Malicious practices are taken for granted and care is taken to minimize impact when a security vulnerability is discovered or on invalid user input.

41
Q

What is Agile Software Development?

A

It is a process for building systems. The process is iterative and contains the following steps.

1) Requirements are specified as stories.
2) Each story implemented as sprint
3) Repeated sprint cycles until all stories are implemented

Repeat the whole process

42
Q

Define SP, idP and CrP and what they do.

A
Service Provider (SP)
– Needs to know identity of users, and needs assurance of user authenticity.

Identity Provider (IdP)
– Controls name space of identities. Issues/registers identities for users.

Credentials Provider (CrP)
– Issues/registers credentials for users. Performs authentication of users.
43
Q

What is an IDS and what is the difference between host-based and network-based IDS?

A

Intrusion Detection Systems:
- Automated systems that detect suspicious activity. An IDS can be either host-based or network-based.

  • A host based IDS is designed to detect intrusions only on the host it is installed on – monitor changes to host’s OS files and traffic sent to the host.
  • Network based IDS (NIDS) detect intrusions on one or more network segments, to protect multiple hosts – monitor network/s looking for suspicious traffic.

What can be detected:

  • Attempted and successful misuse, both external and internal agents
  • Malware: Trojan programs, viruses and worms
  • DOS (Denial Of Service) attacks
44
Q

What is MAC(Message authentication code)?

A

In cryptography, a message authentication code (MAC), sometimes known as a tag, is a short piece of information used to authenticate a message—in other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed. The MAC value protects both a message’s data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.

45
Q

What is SHA-3? What is the difference between it and SHA-1, 2 & 3?

A

SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, by NIST. Although part of the same series of standards, SHA-3 is internally quite different from the MD5-like structure of SHA-1 and SHA-2.

SHA-1: 160 bits.
SHA-2 and 3: 224, 256, 384 or 512 bits.

46
Q

The activities of IR (Incident Response) can be divided into three (3) main phases. Mention the three phases, as well as one (1) specific procedure of each phase.

A

IR activities:

  • Detection phase, with one of:
    i) weed out false positive
    ii) categorise event
  • Respond phase, with one of:
    i) collect data
    ii) mitigate damage
    iii) isolate systems
    iv) analyse and track adversary
    v) report to police if necessary.
  • Recovery phase, with one of:
    i) fix the problem
    ii) improve the IR policy
    iii) disclosure