InfoSec Flashcards
What is a security plan?
A plan that identifies and organizes the security activities for a system/organization
What does a security plan do?
Describes the current situation and highlights the improvements
It is an official record of current security practices and a blueprint for orderly change to improve those practices
What three essential questions should a security policy answer?
Who should be allowed access?
To what system and organizational resources should access be allowed?
What types of access should each user be allowed for each resource?
What should a security policy specify?
- The organization’s security goals
- Where the responsibility for security lies
- The organization’s commitment to security
How should a security policy be written?
Not too long, complex or detailed; fast and easy to read
What does “current security status” mean?
- An understanding of the current vulnerabilities
- Defines the limits of responsibility for the security
What is risk analysis?
A systematic investigation of the system, its environment, and what might go wrong
It then forms the basis for describing the current security state
What’s the meaning of security requirements?
Security requirements are functional or performance demands placed on a system to ensure a desired level of security
What are the characteristics of good security requirements?
- Correctness: Are the requirements understandable? Are they stated without error?
- Consistency: Are there any conflicting or ambiguous requirements?
- Completeness: Are all possible situations addressed by the requirements?
- Realism: Is it possible to implement what the requirements mandate?
- Need: Are the requirements unnecessarily restrictive?
- Verifiability: Can tests be written to demonstrate conclusively and objectively that the requirements have been met?
- Traceability: Can each requirement be traced to the functions and data related to it so that changes in a requirement can lead to easy reevaluation?
What’s the meaning behind accountability/responsibility for implementation?
A section of the security plan that will identify which people (roles) are responsible for implementing security requirements
What are the common roles in a security plan?
- Users - Regardless of whether they are responsible for the security of their own machines, they have some responsibility
- Owners - Product/process/system/…
- Managers - May be responsible for seeing that the people they supervise implement security measures, and can also be legally responsible
- Administrators - Network/system/security/database/…
- Information officers - May be responsible for overseeing the creation and use of data; these officers may also be responsible for the retention and proper disposal of data
- Personnel staff members - May be responsible for security involving employees, e.g., screening employees, handling terminations, arranging security training programs
What is a timetable?
A timetable of how and when the elements of the plan will be performed; it must be included in the plan
What is plan maintenance?
A plan that specifies the order in which controls are to be implemented.
What must be included in plan maintenance?
- New equipment will be acquired
- New connectivity requested
- New threats identified…
- The plan must include procedures for change and growth
- The plan must include a schedule for periodic review
Why does security planning need team members and commitment?
Security planning touches every aspect of an organization and therefore requires participation well beyond the security group
What three groups must contribute to making a security plan if you want it to succeed?
- Management
- The planning team
- Those affected by the security
What is a business continuity plan?
A (business) continuity plan documents how a business will continue to function during or after a computer security incident
What does a business continuity plan address?
- Catastrophic situations, in which all or a major part of a computing capability is suddenly unavailable
- Long duration, in which the outage is expected to last for so long that business will suffer
What does a business continuity plan assess?
- What are the essential assets?
- What could disrupt the use of these assets?
What is the goal of an incident response?
Be able to handle the current security incident without direct regard for the business issues
What is a security incident response plan?
It tells the staff how to deal with a security incident
What should an incident response plan include?
- Define what constitutes an incident
- Identify who is responsible for taking charge of the situation
- Describe the plan of action
What is ISO/IEC 27005 about?
Information security risk management (ISRM)
What is ISO 31000 about?
(general) Risk Management (RM) (principles and guidelines)
Which ISO standard defines several of the terms used here?
ISO 27000
What does risk mean?
Effect of uncertainty on objectives
What is risk management?
Coordinated activities to direct and control an organization with regard to risk
What is the risk management process?
Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk
What is risk assessment?
Overall process of risk identification, risk analysis and risk evaluation
What is risk identification?
Process of finding, recognizing and describing risks
What is risk evaluation?
Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
What does “Level of risk” mean?
Magnitude of a risk expressed in terms of the combination of consequences and their likelihood
What does “residual risk” mean?
Risk remaining after risk treatment
What does risk treatment mean?
Process to modify risk
What does vulnerability mean?
Weakness of an asset or control that can be exploited by one or more threats
What does threat mean?
Potential cause of an unwanted incident, which may result in harm to a system or organization
What is risk analysis (ISO 27000 definition)?
The process to comprehend the nature of risk and to determine the level of risk
What are the characteristics of a risk?
- Associated loss (also known as a risk impact)
- Likelihood of occurring
- The degree to which we can change the outcome (risk control)
Strategies for dealing with risk?
- Avoid the risk by changing requirements for security or other system characteristics
- Transfer the risk by allocating the risk to other systems, people, organizations, or assets or by buying insurance to cover any financial loss should the risk become a reality
- Assume the risk by accepting it, controlling it with available resources, and preparing to deal with the loss if it occurs
What are the steps of a risk analysis?
- Identify assets
- Determine vulnerabilities
- Estimate the likelihood of exploitation
- Compute expected annual loss
- Survey applicable controls and their costs
- Project annual savings of control
What are the pros of risk analysis?
- Improve awareness
- Relate security mission to management objectives
- Identify assets, vulnerabilities, and controls
- Improve basis for decisions
- Justify expenditures for security
What are the cons of risk analysis?
- False sense of precision and confidence
- Hard to perform
- Tends to be filed and promptly forgotten
- Lack of accuracy
What is a management system?
A management system is a “set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives” (ISO/IEC 27000:2014)
What is the PDCA/continual improvement?
Also known as the Deming cycle
- Used when:
  - Starting from scratch
  - Improving
  - Performing a task
- Also applied on different levels:
  - Strategic - Organization as a whole, policy, long-term…
  - Tactical - Implements the decisions…
  - Operational - Day-to-day operations…
What is cyber terrorism?
The use of computers to launch a terrorist attack
What can cyber terrorism cause?
- Significant economic damage
- Disruptions to communications
- Disruptions in supply lines
- Disruptions in national infrastructure
What is an Economic attack?
An attack that causes economic damage.
- Lost files and records
- Destroyed data
- Stolen credit cards
- Money stolen
- Time spent cleaning up
What is cryptanalysis?
The study of methods for breaking ciphertext
What is cryptography?
The use and practice of cryptographic techniques
What is cryptology?
The study of both cryptography and cryptanalysis
What is plaintext/cleartext, P?
The original form of a message
What is ciphertext/cyphertext, C?
Encrypted version of a message
What is a Cipher?
A pair of cryptographic algorithms, e.g., one mathematical function used for encryption and one for decryption
The character for a plaintext message?
P
The character for a ciphertext?
C
What is the cryptosystem in formal notation?
P = D(E(P))
What is an encryption algorithm?
A set of rules of how to encrypt plaintext and how to decrypt the ciphertext
The ciphertext for cipher system with a key?
C = E(K, P)
What is a symmetric cryptosystem?
- Encryption and decryption keys are the same
- Provide a two-way channel to their users
- If the key is kept secret for a pair - the system also provides authentication proof
- If the secret key is compromised, the adversary can decrypt all traffic and produce fake messages
What is an asymmetric cryptosystem?
- One key for encryption and another key for decryption
- Keys come in pairs
- A decryption key, KD, inverts the encryption of key KE so that:
  P = D(KD, E(KE, P))
- Also called public-key cryptography
What is a Stream cipher?
- Each bit/byte of the data stream is encrypted separately (low diffusion)
- Fast and encryption can take place as soon as data is read
- If errors occur, only that bit/byte is affected
- Susceptible to malicious insertions and modifications
What is a block cipher?
- Encrypts a group of plaintext symbols as a single block (typically 64, 128, 256 bits or more) (high diffusion)
- Slower process, the last block needs to be padded, and an error affects more bytes
- Impossible to insert a single symbol into one block
What is The Data Encryption Standard (DES)?
- Symmetric block cipher
- Encryption and decryption algorithms are public but the design principles are classified
- Uses a fixed 56-bit (short) key
- Is considered insecure and was deprecated in 2017
What is The Advanced Encryption Standard (AES)?
- A replacement for DES
- Symmetric block cipher with a 128-bit block size
- Three different key lengths: 128, 192, and 256 bits
What is the de-facto encryption standard today?
AES
- Used in e.g., WPA2, IPsec, WhatsApp, Telegram… and in hardware such as Intel & AMD processors
What is Rivest-Shamir-Adleman (RSA)?
- Asymmetric block cipher
- Public key system (i.e., one private and one public key)
- Long keys (1024-4096 bits)
- Slow algorithm
What is the Diffie-Hellman key exchange protocol?
A way in which a public channel can be used to create a confidential shared key
How does the Diffie-Hellman key exchange work?
- First agree on an arbitrary starting key
- Then pick a private key
- Mix the (public) starting key with the secret key
- Exchange the keys with each other
- Mix the other shared key with their own secret key
What are error detecting codes?
A fast and reliable way of finding out if an error in a transmission has happened
Name some simple error detecting codes.
- Parity checks
- Cyclic redundancy checks