Information security, concepts and principles

Question 1

How can software security be defined?

Answer 1

The practice of building software to be secure and to continue to function properly under malicious attack

Question 2

Is data privacy and data security the same?

Answer 2

No

Question 3

What is data privacy?

Answer 3

Compliance with data protection laws and regulations. Focuses on how to collect, process, share, archive and delete the data

Question 4

What is data security?

Answer 4

Measures that an organization is taking in order to prevent any third party from unautherized access

Question 5

What are some causes of insecure code being deployed?

Answer 5

Pressure of meeting deadlines. Instead create plans of dealing with them later.

Developers lack knowledge to mitigate issues identified.

Question 6

How many companies suffered from successful cyberattacks last year?

Answer 6

86%

Question 7

How many organizations are experiencing an IT security skill shortfall?

Answer 7

87%

Question 8

Name 6 examples of threats and attacks

Answer 8

Web defacement

Infiltration, control hijacking

Phishing

Data theft / Data loss

DoS

Ransomware

Question 9

What is web defacement?

Answer 9

Replace legitimate pages with illegitimate ones.

An attack on webpages that change the visual appearance of the page. This can be done by attackers who hack into servers and replaces hosted websites with malware or a website of their own.

Question 10

What is malware?

Answer 10

Malicious software.

Software that is created to cause harm on a computer, server, client or network, such as gain authorized access or steal/leak data.

Question 11

What are Trojan horses?

Answer 11

Malware that disguise itself as a standard program, effectively misleading users of its true intent.

Examples are malicious email attachments or fake advertisements.

Question 12

What is Infiltration

Answer 12

Attacks where an attacker gains unauthorized access to a service.

Infiltration can consist of acts such as secretly entering, observing, or extracting sensitive information from a secure system.

Question 13

What is control hijacking?

Answer 13

An attacker want so gain control of a machine, such as a webserver, by executing arbitrary code on the target. This can be done if the attacker is able to hijack the normal application control flow.

buffer- and integer overflows
format vulnerabilities

Question 14

What is phishing?

Answer 14

The attacker masquerades as a reliable source to lure the victim into giving up information such as usernames, passwords, and other sensitive information.

Attack vectors: Email, sms

Question 15

What is Data theft / Data loss attacks?

Answer 15

Unautherized acquisition. transfer or storage of confidental information belonging to an entity.

Attackers may want to sell the stolen information to other malicious parties.

Question 16

What are DoS attacks?

Answer 16

Attacks that affect the availability of a service. These attacks can be carried out by overflowing a server with packets, causing it to drop legitimate packets and becoming unavailable to legit users.

Question 17

What is ransomware?

Answer 17

Malware designed to block access to a computer system, or data, until a sum of money is payed.

A way of doing this is for an attacker to encrypt all of an entity’s data, and demand a ransom in exchange for the decryption.

Question 18

What is the CIA triad?

Answer 18

Confidentiality

Integrity

Availability

Question 19

What are 3 security goals, additional to the CIA triad?

Answer 19

Privacy

Accountability

Non-repudiation

Question 20

What is confidentiality?

Answer 20

Keeping data or communication secret. Preventing unautherized access to data or services.

Question 21

How can confidentiality be achieved?

Answer 21

Cryptography
Authentication
Authorization
Sealed envelopes

Question 22

What is integrity?

Answer 22

Protection from unautherized modification and deletion of systems.

Question 23

What is data integrity?

Answer 23

No corruption of data

Question 24

What is control integrity?

Answer 24

No control hijacking

Question 25

How can integrity be achieved?

Answer 25

Message/data hashing (MAC)

Question 26

What is availability?

Answer 26

Regards the uptime and response time of a system.

Can also be seen in regards to how much free storage space a system has.

Question 27

What is privacy?

Answer 27

Right to be left alone.

The ability for individuals to control what and how information about them are stored, processed, shared and communicated to others.

Question 28

How is integrity and confidentiality different?

Answer 28

Integrity: Who can modify data
Confidentiality: Who can read the data

Question 29

How is privacy and confidentiality different?

Answer 29

Confidentiality: The secret of business information
Privacy: The protection of personal information

Question 30

What is accountability?

Answer 30

Being able to track an incident or action down to a single entity.

Question 31

How can accountability be achieved?

Answer 31

Secure timestamping

Data integrity in logs

audit trails

Question 32

What is secure timestamping?

Answer 32

Securely keeping track of creation and modification time of data, or other actions.

Question 33

What are audit trails?

Answer 33

Audit trails stores records of system activity by processes and users.
They keep track of actions that have taken place.

Question 34

What is non-repudiation?

Answer 34

A party cannot deny creation of communication, or deny receipt of communication.

Question 35

How can non-repudiation be achieved?

Answer 35

Using signatures

Question 36

Name the 10 security guiding principles

Answer 36

1. Secure the weakest link
2. Practice defense in depth
3. Fail securely
4. Compartmentalize
5. Be reluctant to trust
6. Follow the principle of least privilege
7. Keep it simple
8. Promote privacy
9. Remember that hiding secrets is hard
10. Use your community resources

Question 37

What does the 1st security principle mean: Secure the weakest link.

Answer 37

Security is as strong as the weakest link.

Attacker only have to find one flaw, the developers need to cover all possible flaws

Question 38

What are some common weak links?

Answer 38

Weak passwords
People (Social engineering attacks, internal attacks)
Poor software

Question 39

What does the 2nd security principle mean: Practice defense in depth

Answer 39

Do not rely on one-shot security, have layers of defense.

Should have layers of protection, detection containment (emergency response plan) and recovery.

Firewall + authorization + authentication + cryptography, etc.

Swiss cheese model

Question 40

What is the swiss cheese model?

Answer 40

A model used in risk analysis and risk management. Is the principle behind layered security.

Question 41

What does the 3rd security principle mean: Fail securely

Answer 41

Expect failure of security features. There are two types of errors.

Exceptions that occur in the processing of a security control itself. These must not enable behaviour that the countermeasure would normally not allow. The failure should allow the same executing path as disallowing the operation. I.e. if firewall break - let no traffic in.

The other excpetions are in code that is not part of a security control. These are security relevant if they affect whether the application properly invokes the control. An exception can for example prevent a security method to be invoked when it should.

Question 42

What does the 4th security principle mean: Compartmentalize

Answer 42

Separate something (e.g. code) into parts.

Don’t mix those parts. For example, separate network into different zones. Run sensitive applications on separate computers.

Question 43

What does the 5th security principle mean: Be reluctant to trust

Answer 43

Skepticism is always good. Don’t trust any code library.
Should not trust or assume the validity of user inputs (sqli, xss)

Question 44

What does the 6th security principle mean: Follow the principle of least privilege

Answer 44

Use minimum access to get a job done.
Let services be active for the minimum amount of time necessary. (inactive user for a while -> log out)

Question 45

What does the 7th security principle mean: Keep it simple

Answer 45

Make systems simple. This will reduce the attack surface. Less functionality gives less security exposure. All unecessary features/functions should be turned off and close unecessary ports.

There is a tradeoff between relative security and slight inconvenience. (e.g. 2FA)

Question 46

What does the 8th security principle mean: Promote privacy

Answer 46

Do not compromise the privacy of the user.

Though some information might be “nice-to-have” if it is not necessary, it should not be stored.

Question 47

What does the 9th security principle mean: Keeping secrets is hard

Answer 47

Should not rely on security by obscurity. Attackers can find ways to probe for information or weaknesses.

Open vs. close source should be a business decision, not a security one.

Question 48

What does the 10th security principle mean: Use your community resources

Answer 48

Actively use websites and sources of information.

Be updated with “known threats” and vulnerabilities.