Information Security Flashcards

1
Q

In the context of information security, what do you need to assess before you can determine the risk you are facing?

A

Asset values, threats, and vulnerabilities.

2
Q

Briefly explain the difference between Constrained Data Items (CDIs) and Un-constrained Data Items (UDIs).

A

CDIs are data items for which the integrity has to be upheld. Data items for which this is not the case are called UDIs.

3
Q

Is a person who certifies Transformation Procedures allowed to execute them?

A

No, this would violate the concept of separation of duty: different subparts of a task should be executed by different persons to make fraud more difficult.

4
Q

Briefly describe the basic tendency of human nature that is exploited during a social engineering attack and give a brief example of an attack using this approach.

A

Authority, liking, reciprocation, consistency, social validation, scarcity.

5
Q

Briefly explain the difference between an arbitrated and an adjudicated protocol.

A

An arbitrated protocol always requires a trusted third party in order to work. In an adjudicated protocol the trusted third party only gets involved if there is a dispute.

6
Q

Briefly describe the three most common ways of authenticating users.

A
  • “Something you have”: a physical device, e.g., a key
  • “Something you know”: present secret knowledge, e.g., a password
  • “Something you are”: physical appearance, e.g., an iris scan
7
Q

Briefly explain the main difference between a restricted cryptographic algorithm and a key-based one.

A

i. The security of a restricted algorithm relies on being kept secret.
ii. In a key-based algorithm the algorithm itself can be published, all the security lies in the key.

8
Q

Which is the better choice: a restricted cryptographic algorithm or a key-based one?

A

The security of a key-based algorithm can be scrutinised by experts in the field, uncovering potential weaknesses (making the algorithm more secure). If a participant using the algorithm loses the trust of the group, they only need to switch to another secret key (and not replace the whole algorithm).

9
Q

Give a brief definition of the term demilitarized zone (DMZ) in the context of firewalls.

A

The part of the network that is visible to the outside world, including services such as a web server, mail proxy, and other proxies. It may be connected to the outside via a simple packet filter. The connection of the DMZ to the internal network is protected by further filters.

10
Q

List four warning signs that indicate that a social engineering attack may be taking place.

A
  • Unusual request
  • Refusal to give callback number
  • Claim of authority
  • Stresses urgency
  • Threatens negative consequences in case of non-compliance
  • Shows discomfort when questioned or challenged
  • Name dropping
  • Compliments or flattery
  • Flirting
11
Q

In an extension of Role-Based Access Control (RBAC), roles are allowed to be members of other roles, creating a hierarchy of roles. What is the main advantage of this extension?

A

There is often an overlap between different roles in terms of permitted transactions, i.e., roles higher up in the hierarchy may execute a superset of the transactions of roles lower in the hierarchy. A hierarchical approach makes this more manageable.

12
Q

How could you map the following roles of a development team and the transactions they are allowed to execute to this RBAC extension?

A

The role project member may execute runCode and runTest. A test engineer is a member of the role project member and has one additional transaction: modifyTest. A programmer is also a member of the role project member and has one additional transaction: modifyCode. A project supervisor is a member of both test engineer and programmer, with the additional transaction releaseCode.

13
Q

In risk assessment, what is the difference between an attack and a vulnerability? Provide one example for each of these terms.

A

An attack is an action that actually leads to a violation of security.
An example of an attack is an employee illegitimately reading confidential material.
A vulnerability is a weakness that makes an attack possible.
An example of a vulnerability is an office computer that does not have up-to-date virus detection software.

14
Q

Describe the 5 steps in the Flaw Hypothesis Methodology framework.

A

1 Information gathering: testers try to become as familiar with the system as possible (in their role as external or internal attackers)
2 Flaw hypothesis: drawing on the knowledge from step 1 and on known vulnerabilities, testers hypothesize flaws
3 Flaw testing: testers try to exploit the possible flaws identified in step 2. If a flaw does not exist, go back to step 2. If the flaw exists, go to the next step
4 Flaw generalization: testers try to find other similar flaws and iterate the test again (starting with step 2)
5 Flaw elimination: testers suggest ways of eliminating the flaw

15
Q

In cryptography, what is the difference between a symmetric algorithm and an asymmetric algorithm?

A

These algorithms relate to two different approaches to encryption/decryption. In a symmetric algorithm, the same key is used for both encryption and decryption, whereas in an asymmetric algorithm the key used for encryption is different from the key used for decryption.

16
Q

How might the hacker determine whether the passwords have been salted?

A

Salting passwords is designed to prevent the same password mapping to the same hash value for storage in the password file. Hence a hacker can determine that a salt has been used if the password hashes are all unique.

17
Q

Assuming the password file has not been salted, how might the hacker use this information to greatly increase the chance of cracking a password?

A

If a salt has not been used, then a hash value might appear multiple times in the password file. The hacker should extract all the unique hashes and sort them by greatest frequency. A high-frequency hash value is likely to have been generated by a very commonly used password. Hence the hacker can then try a brute force attack on these high-frequency hashes using a set of the most commonly used passwords.

18
Q

In order to gain access to your bank account at an ATM you only need a 4-digit password. Why is such a weak password acceptable in this case?

A

This is primarily due to the fact that the ATM limits the number of guesses: after 3 wrong guesses the account is blocked.

19
Q

Briefly describe the role of a Commercial Licensed Evaluation Facility.

A

A commercial licensed evaluation facility (CLEF) performs security evaluations based on the international standards known as the Common Criteria. These evaluations are (usually) recognized in all countries that have officially adopted these standards.

20
Q

Alice and Bob wish to communicate using a hybrid cryptosystem, which combines a symmetric algorithm with a public-key algorithm. They have already agreed on the choice of cryptosystems to use and Alice has Bob’s public key. What are the steps Alice and Bob must perform in order to begin a session of communication?

A

1 Alice generates a random session key for the symmetric algorithm
2 She encrypts the session key using Bob's public key
3 Alice sends the ciphertext to Bob
4 Bob decrypts the ciphertext using his private key to recover the session key
Alice and Bob can now continue to communicate using the symmetric algorithm.

21
Q

What is the advantage of using a hybrid cryptosystem over using an asymmetric cryptosystem?

A

The session key is only used for a limited time and then destroyed. The longer a key is used, the higher the chance that it is compromised. The public-key cryptosystem is only used very sporadically, generating a very small number of ciphertexts. The less data, the harder it is to break a code.

22
Q

What is the primary purpose of a Firewall?

A

The primary purpose of a firewall is to stand between a local network and the Internet in order to filter out traffic that might be harmful.

23
Q

Describe what a Circuit-Level Gateway firewall is designed to do. Also, where might you find one?

A

A Circuit-Level Gateway firewall is designed to automatically discard any data that has not been requested by a machine from within the firewall. (It does this by examining only packet address and port information.) It also acts as an intermediary between the internal network and the Internet. No machine from within the firewall can directly access the Internet. Home DSL routers are typically of this type, since it is easy to combine it with Internet sharing capabilities.

24
Q

Where are you likely to find a logic bomb?

A

Embedded in a legitimate program.

25
Q

Who, or what, is best placed to defend against logic bombs? Explain your answer.

A

It is difficult to implement operating system controls to guard against logic bombs. So it is the creators or maintainers of software who are best placed to defend against logic bombs. Security measures need to focus on the development and update of the code.

26
Q

When does the Base Rate Fallacy occur and when does it become a problem?

A

The Base Rate Fallacy occurs when the size difference in classes is not taken into account. It only becomes a problem when there is a large difference in class size.

27
Q

Why is the Base Rate Fallacy a problem in Intrusion detection?

A

The problem of the uneven class size makes practical intrusion detection very difficult.

28
Q

What is a threat?

A

A threat is a potential danger to an information asset.

29
Q

What are Info Sec's three key objectives?

A

1 - Confidentiality: Refers to restricting access to information.
2 - Integrity: Refers to preventing improper or unauthorised changes to data.
3 - Availability: To ensure the data is accessible when needed by authorised users.

30
Q

What is Single Loss Expectancy and its formula?

A

Measures the expected monetary impact of a certain threat.

SLE = Asset Value * Exposure Factor

31
Q

Annualised Loss Expectancy Formula?

A

ALE = SLE * ARO

32
Q

Formula to calculate the ALE benefit of a control?

A

(ALEbefore - ALEafter) - Annual cost of control

33
Q

What is Discretionary Access Control (DAC)?

A

Each data object is owned by a user, and the owner can decide freely which other users are allowed to access the data object (e.g., an OS).

34
Q

What is Mandatory Access Control (MAC)?

A

Access is centrally controlled by a system-wide policy with no say by users (e.g., the military).

35
Q

What is the Access Control Matrix Model?

A

Specifies permissions on an abstract level to limit the damage a user can cause.

36
Q

What is the Bell-LaPadula Model?

A

Every object has a security level and category. Every user has a security level and category clearance. A certified entity, not the users, decides on clearance.

37
Q

What is the Role-Based Access Control Model?

A

A certified entity grants and revokes privileges via roles. It can implement mandatory access control (MAC) or discretionary access control (DAC).

38
Q

What is the Clark-Wilson Integrity Model?

A

Enforces integrity via 2 integrity levels: CDIs and UDIs. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules (system) and certification rules (human). An Integrity Verification Procedure (IVP) checks that all CDIs conform to the integrity constraints, while a Transformation Procedure (TP) changes an object's state; these are done by different people to make fraud more difficult.

39
Q

Modern cryptography uses confusion and diffusion. Define them.

A

Confusion adds an unknown key to confuse the attacker about the plaintext. Diffusion spreads the plaintext through the cipher text.

40
Q

How does an SP Network work?

A

Plaintext -> key -> S-box (lookup table) -> permutation -> key (using XOR) and so on.
Round == S-box (lookup table) -> permutation -> key

41
Q

RSA Formulas:

A

p, q: randomly selected prime numbers
f = (p-1)(q-1)
Public Keys
n = p * q
e = a randomly chosen number such that e and f are coprime
d = chosen such that e*d mod f = 1 (i.e., ed divided by f leaves a remainder of 1)

42
Q

RSA decryption formula?

A

M = c^d mod n

43
Q

RSA encryption formula?

A

C = m^e mod n

44
Q

What is a True Positive?

A

Intrusion & alarm raised (good)

45
Q

What is a False Positive?

A

no intrusion & alarm raised (bad)

46
Q

What is a False Negative?

A

Intrusion & alarm not raised (bad)

47
Q

What is a True Negative?

A

no intrusion & alarm not raised (good)