Infosec Flashcards
What are the three foundations of security?
Confidentiality, integrity and availability
What is Kerckhoff’s principle?
- Assume that your adversary knows which
algorithm you have used. - The security of the message should
only rely on the security of the key
a cryptosystem should be secure even if everything
about the system, except the key, is public knowledge.
What is Schneier’s law?
Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.
Should you try to make your own crypto?
No. Never, ever try to make your own crypto.
What are four network security threats?
- Communication
interruption (Attack on availability) - Eavesdropping (Attack on confidentiality)
- Modification of information (Attack on integrity)
- Fabrication
What are 3 security services?
- Authentication
- Access control
- Non-repudiation
What is PII and SPI?
PII = Personal Identifiable Information
SPI = Sensitive Personal Information
What are Isaac Asimov’s 3 laws of robotics?
- A robot may not injure a human being or, through inaction, allow a human being to come to harm.
- A robot must obey the orders given it by human beings except where such orders would conflict with the First Law.
- A robot must protect its own existence as long as such
protection does not conflict with the First or Second Laws.
What is the Heartbleed bug?
The Heartbleed bug is a vulnerability in open source software that was first discovered in 2014. Anyone with an internet connection can exploit this bug to read the memory of vulnerable systems, leaving no evidence of a compromised system. The Heartbleed attack works by tricking servers into leaking information stored in their memory. So any information handled by web servers is potentially vulnerable. That includes passwords, credit card numbers, medical records, and the contents of private email or social media messages.
What is the definition of software security according to Gary McGraw?
Software security is the practice of building software to be secure and to continue to function properly under malicious attack
The three pillars of software security:
Risk management, touchpoints and knowledge.
What are 3 types of assets?
- Information assets (ex: customer data, employe data, CRM data)
- Software assets (ex: e-mail system, online ordering system, common authentication (SSO) system)
- Physical assets (ex: Buildings, Servers, Network equipment)
What is Security Engineering?
Security engineering is about building systems to remain dependable in the face of malice, error and mischance.
As a discipline, it focuses on the tools, processes, and methods needed to design, implement and test complete systems,
and to adapt existing systems as their environment evolves.
What is the design hierarchy (3 levels)?
- Policy (what are we trying to do?)
- Protocols.. (how?)
- Hardware, crypto.. (With what?)
What does dependability mean?
Dependability is reliability AND security!
Trinity of trouble:
Connectivity, Complexity and Extensibility
What can a system be?
- a product or component (PC, smartcard,…)
- some products plus O/S, comms and infrastructure
- the above plus applications
- the above plus internal staff
- the above plus customers / external users
What is a subject, a person and a principal?
A subject is a person
A person can also be a legal person
A principal can be a person, equipment (PC, smartcard), a role (the officer of the watch), a complex role (Alice or Bob, Bob deputising for Alice)
What is secrecy, privacy and confidentiality?
Secrecy is a technical term – mechanisms
limiting the number of principals who can access information.
Privacy means control of your own secrets.
Confidentiality is an obligation to protect
someone else’s secrets.
What is anonymity, integrity and authenticity?
Anonymity is about restricting access to
metadata. It has various flavours, from not
being able to identify subjects to not being able
to link their actions.
An object’s integrity lies in its not having been
altered since the last authorised modification.
Authenticity has two common meanings:
* an object has integrity plus freshness
* you’re speaking to the right principal
What does trust imply?
A trusted system or component is one that can break my security policy
What is security policy, protection policy and security target?
Security policy = a succinct (short and clear) statement of protection goals.
Proctection policy = a detailed statement of protection goals.
Security target = a detailed statement of protection goals applied to a particular system.
What are the four levels of information?
- Top secret
- Secret
- Confidential
- Restricted
Information only flows upwards
Who said “If we had our hands tied behind
our backs … and could do only one
thing to improve software security
… we would do threat modeling”
Michael Howard and Steve Lipner
What is threat modeling?
And what does Gary McGraw call it?
A process that reviews the security of any connected system, identifies problem areas, and determines the risk associated with each area.
Gary McGraw refers to it as Architectural Risk Analysis.
What is a trust boundary?
Any place in your system that the level of the trust in the data changes (ex: behind a firewall)
What is a attack surface?
All the places an attacker can enter the system
What is a threat model?
A visual representation of four main elements:
* The assets within a system;
* The system’s attack surface;
* A description of how the components and assets interact;
* Threat actors who could attack the system and how the attack could occur
Who said “there is no single best or correct way of performing threat modeling, it is a question of trade-offs and what we want to achieve by doing it”
Adam Shostack
What does STRIDE stand for?
Spoofing - an attacker poses as another user, component or system
Tampering – an attacker modifies data
Repudiation – attackers can to deny performing some malicious activity because the system does not have sufficient evidence to prove otherwise
Information disclosure – an attacker can get read access to protected data
Denial of Service (DoS) – an attacker can prevent legitimate users from using the normal functionality of the system
Elevation of privilege – an attacker uses illegitimate means to assume a trust level with different privileges than he currently has
What was OWASP’s top 10 in 2021
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure design
- Security Misconfiguration
- Vulnerable and outdated components
- Identification and authentication failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
What is a typical threat modeling process (6 steps)?
- Identify critical assets
- Decompose the system to be
assessed - Identify possible points of attack
- Identify threats
- Categorise and prioritize the threats
- Mitigate
What is the meaning with “penetrate and patch”?
For a long time it was normal to release new functionality, then try to find sikkerhetshull and then try to patch them.
What is a misuse case diagram?
It is used to identify security requirements. Can be used early on.
A misuse case diagram is created together with a corresponding use case diagram. The model introduces 2 new important entities (in addition to those from the traditional use case model, use case and actor: Misuse case : A sequence of actions that can be performed by any person or entity in order to harm the system.
What is attack trees?
It illustrates how an attacker can acheive an attack goal. It is a tree structure with AND/OR nodes. More techincal than misuse cases. Good basis for planning security tests.
What is a data flow diagrams?
It is used to understand the system’s attack surface. To get an overview, find trust boundaries and to understand how data flows in the system.
What is GDPR?
The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, provides a legal framework for keeping everyone’s personal data safe by requiring companies to have robust processes in place for handling and storing personal information.
What is personal data?
All informasjon relatert til en identifisert eller identifiserbar naturlig person. Dette kan omfatte oppførselsmønster: Hvor du befinner deg, hva du handler inn, hva du leser, hvem dine venner er, hva du kommuniserer.
What is sensitive personal data?
Sensitive personopplysninger omfatter rase eller etnisitet, politiske meninger, religiøse eller filosofiske trosforhold, fagforeningsmedlemskap, genetiske data, biometriske data for unik identifisering av en naturlig person, helseopplysninger, seksualliv eller seksuell orientering.
What is a data subject?
Data subject refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity.
What are your 7 rights as a data subject?
- Right to be informed
- RIght to object
- Erasure: right to be forgotten
- Data portability (allows individuals to obtain and reuse their personal data for their own purposes across different services)
- Automated individual decision-making (The data subject shall have the right not to be subject to a decision based solely on automated processing)
- Restriction of processing (an individual can limit the way that an organisation uses their data)
- Transparency (The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.)
- Right to rectification (rette opp feil data)
What are the responsibilites of the controller (Behandlingsansvarlig for personvern)?
- Data protection officer (DPO)
- Data protection impact assessment
- Privacy by design and by default
- Records of processing
- Data processing agreement
- Notification of breach
Behandlingsansvarlig er nødt til å utnevne et personvernombud, og må utføre en vurdering av personvernskonsekvenser (DPIA) før innsamling begynner. Alle systemer som behandler personopplysninger skal utvikles etter prinsippene for innebygd personvern, og personvern skal være standardvalg i alle tilfeller. Databehandleren er nødt til å føre regnskap med behandlingen av personopplysninger, og dersom en ekstern databehandler benyttes, må det foreligge en databehandleravtale. Dersom det skulle skje et brudd på personvernet, er behandlingsansvarlig pliktig til å underrette den opplysningene angår uten unødig opphold, og senest 72 timer etter bruddet er oppdaget
What are the 7 foundational principles of privacy by design?
- Proactive not Reactive; Preventative not Remedial
- Privacy as the Default setting
- Privacy embedded into design
- Full functionality - positive-sum, not zero-sum
- End-to-end security - full lifecycle protection
- Visibility and transparency - keep it open
- Respect for User privacy - keep it user centric
What are the 7 points(?) in the Guide for software development with data protection by design and by default?
- Training
- Requirements
- Design
- Coding
- Testing
- Release
- Maintenance
Hva innebærer opplæring iht guiden fra datatilsynet for å utvikle programvare med innebygget personvern?
A understanding of data protection and information security is a prerequisite for developing software. Software developers should have an established development methodology, approved by management. When developing software that processes personal data, the methodology should include data protection by design and by default, and security by design.
Developers, architects, testers, project leaders, management, all employees and suppliers should undergo training. The training should happen at the start of a development project, with updates at regular intervals and at the start of deployment.
Hva innebærer krav iht guiden fra datatilsynet for å utvikle programvare med innebygget personvern?
Setting requirements for data protection and information security for the final product. Must reflect the need for data protection and information security. To set the correct requirements, it is important to know what categories of personal data will be processed in the software. Requirements for software, products, applications, systems, solutions, or services must:
- fulfil the data-protection principle
- protect the data protection rights of the data subject
- fulfil the company’s obligations
- ensure that the settings are by default set to the most privacy-friendly option
- ensure that the end product is robust, secure, and provides enforceability of the data subject’s rights
Hva innebærer design iht guiden fra datatilsynet for å utvikle programvare med innebygget personvern?
Ensure that requirements for data protection and information security are reflected in the design. It is important to take into account the existence of threat actors that may attempt to obtain and gain access to personal data. To reduce the attack surface, it must be analysed, and the software modelled and designed to ensure a robust end product.
Data-oriented design requirements: minimmise and limit, hide and protect, separate, aggregate, data protection by default.
Process-oriented design requirements: inform, control, enforce, demonstrate
Hva innebærer coding iht guiden fra datatilsynet for å utvikle programvare med innebygget personvern?
Enable developers to write secure code by implementing the requirements for data protection and security. It is important to choose a secure and common methodology, both for coding and for enabling the developers to detect and remove vulnerabilities from the code. Automated code analysis tools should be introduced, and the company must have established procedures for static code analysis and code review. Possible measures for secure coding: create a list of approved tools and libararies, scanning of dependencies for known vulnerabilities or outdated versions, manual code review, static code analysis with security rules.
Hva innebærer testing iht guiden fra datatilsynet for å utvikle programvare med innebygget personvern?
Testers check that the requirements for data protection and information security have been implemented as planned. How to test that requirements for data protection and security have been implemented: fuzz testing, vulnerability analysis, penetration testing, threat model and attack surface review.
Hva innebærer release iht guiden fra datatilsynet for å utvikle programvare med innebygget personvern?
Planning for how the organisation effecttively can handle incidents. Incident response plan: detect, analyse and verify, report, handle, recover. Procedures for updating software. Final security review and approval.
Hva innebærer maintenance iht guiden fra datatilsynet for å utvikle programvare med innebygget personvern?
The most important element of this activity is that the organisation has implemented a plan for incident response handling and follows it. Maintenance, service and operation:
- define roles and responsibilities and authority
- handle the data subjects’ rights and request related to this, such as data access, modification, deletion, data portability, consent, information, transparency, etc.
- Continuously assess the effectiveness of technical and organisational security measures for uncovering vulnerabilities.
- Data, platform, network, and software maintenance – including suppliers
Why software security according to Gary McGraw?
“Software Security is the practice of building software to be secure and to continue to function properly under malicious attack. “
What are the 7 touchpoints (in order of effectiveness)?
- Code review
- Architectural risk analysis
- Penetration testing
- Risk-based security tests
- Abuse cases
- Security requirements
- Security operations
What is Microsoft’s history?
After multiple attacks like iloveyou, CodeRed and Nimda, Bill Gates decided to stop all development and implement the Trustworthy Computing initiative in 2002. In 2004 the Security Development Lifecycle (SDL) was introduced.
What are the top 10 software security design flaws?
- Trust (earn or give, but never assume, trust)
- Authentication (use an authentication mechanism that cannot be bypassed or tampered with)
- Authorization (authorize after you authenticate)
- Separate data from control (strictly separate data and control instructions, and never process control intructions received from untrusted sources)
- Explicit validation (define an approach that ensures all data are explicitly validated)
- Crypto (use cryptography correctly)
- Sensitive data (identify sensitive data and how they should be handled)
- Users (always consider the users)
- External components (understand how integrating external components changes your attack surface)
- The times they are a-changing (be flexible when considering future changes to objects and actors)
What are the 10 guiding principles for software security?
- Secure the weakest link
- Practice defense in depth
- Fail securely
- Follow the principle of least privilege
- Compartmentalize
- Keep it simple
- Promote privacy
- Remember that hiding secrets is hard
- Be reluctant to trust
- Use your community resources
What is OWASP?
Open Web Application Security Project. It is a nonprofit organization that works to improve the security. The project is divided into four main areas: methodologies, tools, techniques and resources.
What is an attack surface?
Everything that could potentially be exploited by an attacker. Totality of the different points. An attacker can try to enter data into or extract data from a system that could potentially be exploited.
What is an attack vector?
A specific path or means an attacker can gain access.
What are HTTP and HTTPS?
Web serves use them to allow web-based clients to connect to them and view and download files.
What is ethical hacking?
Ethical hacking is testing the resources for a good cause and for the betterment of technology. It is used for penetration testing. It is focused on securing and protecting IT systems.
Why use a web proxy?
To capture and examine requests. To manipulate requests (can be used to learn about the application). Can be used for attacks.
Why Domain Model for Security?
If we know exactly what the system should do we also know what it should not do.
What are the requirements for a domain model?
It must:
- be simple (focus on the essentials)
- be strict (so it can be a foundation for writing code)
- capture deep understanding (to make the system truly useful and helpful)
- be the best choice (from a pragmatic viewpoint)
- provide us with language we can use whenever we talk about the system
What is a domain model?
A distilled version of the domain where each concept has a specific meaning.
(Domain is a part of the real world where stuff happens).
What is bounded context?
A term or concept may have the same name in various parts of the business, but each usage may have different meaning. F.ex. package. As long as the meanings of terms, operations and concepts remain the same, the model holds. As soon as the semantics change, the mode breaks, and the boundary of the context is found. The semantic boundary of a context is interesting from a security perspective.
What is Protection Poker?
It is risk estimation in agile development teams based on Planning Poker by Laurie Williams. It is performed in the beginning of every iteration, by the full team. The goal is to rank the security risk of the features to be implemented in the iteration. Ensure common understanding in the team on the need for security in this iteration, and in general.
What is risk?
Risk = (the total value of all assets that could be exploited with a successful attack) x (the exposure), or value x exposure
How to play Protection Poker?
You assess the risk of different features etc. by looking at the value and the exposure. Then you choose one of the cards <10,20,30,40,50,60,70,80, or 100 based on your assessment, and then everyone shows their card and you discuss why you chose your card.
What are some benefits of using Protection Poker?
Deltakerne opplevde at de fikk økt kompetanse og bevissthet om sikkerhet, og kunnskap om sikkerhet ble spredt blant alle i teamet.
De viktigste risikoene ble diskutert, og diskusjonene av risiko innebar at ulike måter å minske risikoen ble identifisert og lagt til som krav.
Det tok en del tid å spille Protection Poker i starten, men etterhvert gikk det raskt å gjennomføre en spill-runde
What is Static Analysis?
Passive scanning of application code without executing it. A white box testing approach. Analyzing software “at rest”; source code, bytecode and binary.
What does weaknesses, vulnerabilities and exploits mean?
Weaknesses = errors in software implementation, code, design or architecture that if left unaddressed could result in systems and networks being vulnerable to attack. Ex. buffer overflows, format strings, structure and vailidaty problems, etc.
Vulnerability = common vulnerabilities and exposures (CVE) list. Mistake/weakness in software that could be directly used by a hacker to gain access to a system or network.
Exploit = is a piece of software containing attack vectors that can be directly used to take advantage of a vulnerability in a system.
Static analysis focuses on weaknesses.
A vulnerability is a weakness that can be exploited by an attacker. Thus, a weakness is an error, typically in the software code, that might lead to a vulnerability.
Why use Static Code Analysis for security audits?
Can catch security defects early in the SDLC. Significant aid for code review. Code review is a PCI-DSS requirement.
What are some techniques employed in SAST Tools?
It is line focused and scan line for line with f.ex. “grep” to find potential dangerous function calls. It is useful for quick code review, but very basic with lots of noise.
What is taint analysis for security audit?
Used to determine where vulnerability occurs by using the concepts of data source and data sink in Data Flow Graph. If the source of the input data is untrustworthy, then data is said to be tainted. If tainted data reaches a sensitive sink, a security issue may exist.
What are some common mistakes with SAST Tools?
- If no vulnerabilities were found it might be tempting to declare it safe, and think there is no need for assurance in other development phases.
- Fixed all the issues and therefore think that you don’t need assurance in other development phases.
- Thinking that since you have made a huge investment in SAST tool, you dont need to further invest in security.
What are some challenges and limitations of SAST Tools?
False positives and negatives.
Can be challenging to construct a model if you f.ex. have dynamic strings build at runtime.
It may fail to even detect implemented filter/control/validator.
May not test whether your filter is strong enough.
Cannot find issues in the operational environment.
Only cover half of security defects. Can not check many design issues.
Provides little insight into the exploitability of the weakness/vulnerability itself.
May not present an accurate risk picture.
What is Authentication?
The process of verifying that a user is who they claim to be.
What are some different authentication types?
Http Authentication, Certificate-based authentication, token-based authentication, biometric authentication
What are some problems with HTTP authentication basic?
It is simple and vulernable. Eavesdroping on the communication can capture everything over this channel, including passwords. Dont use it in your apps.
