Intro Flashcards

1
Q

What can loss mean?

A
  • financial loss both direct and indirect
  • recovery cost
  • productivity loss
  • business disruption
  • reputation damage
2
Q

What can we say about the complexity of the ICT scenario?

A

Complexity is an enemy of obscurity. Related to this there is the first axiom of engineering: “The more complex a system is, the more difficult its correctness verification will be”, meaning the verification of its implementation, management and operation. Based on it there is the KISS concept: Keep It Simple, Stupid.

3
Q

How can we perform a risk estimation and which approaches can we have?

A

We have to take into account:
  • service
  • a service is implemented via an asset = set of goods, data, human resources
  • there are some events related to the asset:
    • vulnerabilities: intrinsic weaknesses of that asset, including natural events
    • threats: possible deliberate actions (attacks) or accidental events that can produce the loss of a security property by exploiting a vulnerability
  • the consequences of these events are measured by their impact and their probability of happening
  • from these measures we estimate the risk by listing all the possible risks and prioritizing them by their impact and by the available time and budget

How to represent the risk estimation:
- risk assessment matrix
- risk heat map

Approaches:
1. address the most important risk
2. maximize the number of risks covered

4
Q

Which are the basic problems in the ICT scenario insecurity?

A
  • humans: they are not aware of the possible risks, they have a natural instinct to trust, they don’t understand complex architectures…
  • attackers use social techniques: they target users via mail, phone, …, they put psychological pressure on people or they study their habits to make them lower their level of defense
  • most networks are insecure: communication in clear, via broadcast, with shared links, using third party routers
  • weak user authentication, often password based + no server authentication
  • software with many bugs
5
Q

What is a Zero Trust Architecture?

A

It is an architecture built on the concept “the enemy is everywhere”.

6
Q

Incident - data breach - data disclosure

A

Incident: a security event that compromises the integrity, confidentiality, availability of an asset (security properties)

Data breach: an incident that results in the disclosure or potential exposure of data

Data disclosure: a breach for which it was confirmed that data was actually disclosed and not just exposed to an unauthorized party

7
Q

What is C.I.A. in the security field?

A

Confidentiality, integrity, availability (pyramid)

8
Q

Which are the components of a cyber threat?

A
  1. Actors + Motivation
    • actors = pyramid: people who do it just for fun -> criminals who do it for profit -> organized crime -> terrorists -> APTs (Advanced Persistent Threats, for example governments)
    • motivation: MICE = Money, Ideology, Compromise, Ego
  2. Vulnerable target
  3. Vectors = Vulnerabilities + context
9
Q

Which are the standardization Bodies for cybersecurity?

A

ISO, ITU… TODO

10
Q

Which are the security principles? Just list them

A
  • security in depth
  • security by default
  • need-to-know
  • least privilege
  • security by design
11
Q

Security in depth

A

It is one of the security principles.

It refers to the practice of using multiple layers of security controls (defensive mechanisms) throughout an information system. The idea is that if one layer fails, another will stop the threat, thereby providing a comprehensive defense strategy against a wide range of threats.

Example: An organization might implement a firewall to prevent unauthorized access from the internet, use encryption to protect data in transit, deploy antivirus software to detect and remove malware, and enforce strong authentication mechanisms. Even if a hacker bypasses the firewall, the encryption and antivirus layers provide additional barriers to protect the data.

12
Q

Security by default

A

It is one of the security principles.

It means that the default configuration settings of software products and systems are set to the most secure settings possible. This principle ensures that without any additional configuration, the system will operate in a secure manner, minimizing the risk of vulnerabilities due to misconfiguration or default weak settings.

Example: when a person gets a Wi-Fi modem from a provider, they are forced to change the password before they can use it.

13
Q

Need-to-Know

A

It is one of the security principles.

The need-to-know principle aims to give access to information only to the parties that require it to carry out their duties. This reduces the risk of unauthorized disclosure or access.

Example: consider a company that has various departments, each handling different types of sensitive data. Under the Need-to-Know principle, employees in the finance department would have access to financial records and reports, but not to the human resources files, unless their job explicitly requires access to both.

14
Q

Least privilege

A

It is one of the security principles.

The principle of least privilege involves giving individuals or systems the minimum level of access (permissions) needed to perform their duties. This reduces the risk of accidental or deliberate misuse of permissions and limits the potential damage from incidents: the more permissions are granted, the more attacks become possible.

Example: A system administrator may have access to all systems for maintenance purposes, but a regular employee is only given access to the network resources necessary for their job, such as email, specific databases, or certain applications, and nothing beyond that.

15
Q

Security by Design

A

It is one of the security principles.

Security by Design means that security is integrated into IT systems from the earliest stages of development, rather than being added as an afterthought. This approach entails considering security in all aspects of system design and architecture, thereby ensuring that the system is fundamentally secure from the ground up.

Example: When developing a new software application, the development team incorporates input validation checks, secure authentication mechanisms, and encryption of sensitive data right from the planning and design phases, rather than retrofitting these security measures into an existing product.

16
Q

When can we say that something is secure?

A

To say that something is secure means nothing; to say that it satisfies some specific security properties means a lot.

17
Q

Which cases of data protection we have to consider in applying a security property?

A
  • data in transit
  • data at rest: in the device storage
  • data at work: in RAM to be used
18
Q

List all the security properties

A
  • authentication: simple or mutual, peer or data
  • authorization
  • non-repudiation: formal proof, acceptable by a court of justice, that gives undeniable evidence of the data creator. It is not present when something is automatic
  • privacy: of a communication, of data/action/position…
  • integrity: this property leads to the detection of data modification, cancellation or filtering
  • confidentiality: unlike integrity, this property does not make it possible to detect changes to the data
  • availability
  • traceability, accountability
  • serialization
19
Q

Which types of enemy actions we have?

A
  • MITM: Man In The Middle
  • MATE: Man At The End, inside one peer
  • MITB: Man In The Browser, inside one specific component of a peer

These actions can be active or passive:
- active: read, modify, delete, create
- passive: read only

20
Q

Which are the security pillars?

A
  1. planning
  2. avoidance using FW, VPN, etc.
  3. detection using IDS, monitoring, etc.
  4. investigation with forensic analysis, internal audit, … -> back to 1 (planning)
21
Q

What is a Trojan?

A

It is a program containing a dangerous payload. It is a malware vector.
The problem is that while network channels have become better protected, user terminals are less protected: users have devices such as smartphones and smart TVs, they use IoT (Internet of Things) devices, and they are often “ignorant” users.

A trojan can be implemented with classic attack tools (e.g. a keylogger as part of a game) or with modern ones (e.g. a browser extension).

It is often used to create a
- MATE = Man-At-The-End
- MITB = Man-In-The-Browser

22
Q

What is a Zeus?

A

Zeus, also known as Zbot, is currently a major malware + botnet. It is the father of all bots.
It was discovered (born?) in 2007 and sold (?) in 2010.

It can be used:
- directly: e.g. MITB for keylogging or form grabbing
- indirectly, to load other malware (e.g. the CryptoLocker ransomware)

It is very difficult to discover and remove, because it hides itself with stealth techniques.
For example it presents itself as a keyboard driver.

There are about 3.6 M active copies just in the USA

TODO: slide 62

23
Q

Which malware categories do we have? List them

A
  • Trojan
  • virus
  • worm
  • rootkit
  • backdoor
  • Potentially Unwanted Application - PUA: it’s a sort of grayware, not directly dangerous
  • Ransomware
24
Q

Virus and worm

A

They are malware.

A virus damages the target and replicates itself. It is propagated by humans (involuntarily).

A worm damages the target by replicating itself (resource saturation) through automatic propagation.

The problem with viruses and worms is their replicas, not the process they start in itself. For example, if a virus/worm enters the network it can crash the whole system because every device connected to that network will be infected.

They require complicity (possibly involuntary) from: the user (gratis, free, urgent, important, …), the sys manager (wrong configuration), the producer (automatic execution, trusted, …)

Countermeasures:
- user awareness
- correct configuration / secure sw
- install antivirus (and keep updated!)

25
Q

Backdoor

A

It is a malware category and it is an unauthorized access point. Programmers often hide one in their code in case they do not get paid for their work.

26
Q

Rootkit

A

It is a malware category.
A rootkit is a collection of software, typically malicious, designed to enable access to a computer or to an area of its software that is not otherwise allowed (for example, to an unauthorized user), and it often masks its own existence or the existence of other software.
Rootkit installation can be automated, or an attacker can install it after having obtained root or administrator access.

27
Q

What is a Malware Food Chain?

A

TODO
slide 61

“Food Chain malware”, like a food chain in nature, is composed of a number of people each of whom takes advantage of someone else; in the case of malware, for their own economic benefit.
This process starts with the discovery of a vulnerability in a system; then a programmer creates a malware and sells it (on a vulnerability marketplace) to a number of people. Afterwards, one of the buyers modifies the code into an exploit and sells it on the toolkit market to a bigger number of people. Finally, one of the second-time buyers decides to conduct an attack.

28
Q

Ransomware

A

It is a malware oriented to get a ransom. The target can be:
- a desktop or a laptop (disk content made unreadable)
- also a tablet and a smartphone (made unusable)

These are unblocked (not always) after paying a certain amount of money.

Countermeasures (and problems):
- encrypted data
- backup:
  - do it and test it on another computer to check that you can actually read it -> this helps against silent ransomware, which stays silent and watches every time you do a backup
  - it has to be done offline
  - it has to be stored at least 30 km away and not near magnetic fields that could ruin it
  - it is good to have a system that can compute the difference between the new backup and the last one

29
Q

RaaS, example

A

Ransomware-as-a-service
It is a business model adopted by cybercriminals, made up of:
- developers of ransomware who lease it out to the attackers
- attackers who actually launch the ransomware
- often a payment system

example: TOX malware (server in the TOR anonymous network):
- asks for the ransom and handles the payment (with a 20% service fee)
- the “customer” only has the task of distributing it to the victims
- fast growth

30
Q

What is Stuxnet?

A

It is the prototype of a new kind of attack made of worm + virus for Windows. It is a malware for cyberphysical systems.

Goals:
- attempt to propagate to other systems
- attempt to damage the SCADA systems (of a specific manufacturer) attached to the infected nodes

Attack and propagation vectors:
- 1 known vulnerability with available patch
- 1 known vulnerability with no patch
- 2 “zero-day” vulnerabilities

Timing:
- 17/6/10 first detection
- 24/6/10 detected the use of a first signing certificate to appear as valid MS software (!)
- revoked on 17/7/10
- … but the malware starts using a second signing certificate!
- 14-15-16/7/10 security bulletins by CERT and MS
- patches gradually released through October ’10
- self-stopped its propagation on 24/6/2012

Geographic distribution:
- 52% Iran
- 17% Indonesia, 11% India, …

Distribution and propagation:
- USB key as initial attack vector: likely first infection via the USB key of a maintenance technician
- shared disks (network shares)
- disguised as a driver: with a digital signature validated by Microsoft (!!!) + uses two different certificates
- access from the infected node to the back-end DB thanks to a shared default password (!!!) on every node

Lessons learnt:
- systems protected with physical separation (air gap) but without other standard protections such as anti-virus, patches and firewalls are not good
- unnecessary active services are not good: MS-RPC, shared network print queues, shared network disks
- a validation list for software to be installed

31
Q

Mirai

A

todo pag 88-89

32
Q

Source address spoofing attack

A

Someone uses the address of another host to take its place as a client or as a server.
Typically the IP address is forged, but it is equally easy to forge the layer 2 address ➜ it is better to call this attack “source address spoofing”

By changing just the IP, the attacker is detectable

Attacks:
- data forging
- unauthorized access to a system

Countermeasures: never use address-based authentication

33
Q

Shadow/fake server attack: definition, attacks, countermeasures

A

A host that presents itself to victims as a service provider without having the right to do so

Techniques:
- request sniffing and response spoofing. This is difficult because the shadow server must be faster than the real one, or the real one must be unable to respond, for example due to a DDoS
- wrong mapping, for example via routing or DNS manipulation

Attacks:
- issue wrong answers by providing thus a “wrong” service to victims instead of the real one
- capture victim’s data provided to the wrong service

Countermeasures: server authentication

34
Q

Packet sniffing attack

A

It is the interception of packets in transit in a network and their analysis to steal sensitive information.
It is easy to do in broadcast networks (LANs, …) or at the switching nodes

Attack:
- intercept anything

Countermeasures:
- non-broadcast networks (though it is impossible to avoid broadcast networks entirely)
- encryption of PAYLOAD data
- protection from statistical analysis of the traffic by sending a continuous stream of data
- protect the ports of routers and switches
- take care of the printers, which receive the information in clear.

35
Q

Connection hijacking / data spoofing

A

Hijacking (or Man In The Middle) is the takeover of a connection by an individual who manipulates packets: data are inserted/modified/deleted during their transmission.

It can be a logical or a physical MITM:
- physical level: the attacker is placed in the communication channel between two nodes and, for example, can cut the cable
- logical level: the attacker receives packets on one side, handles them, and redirects them to the other side

Attacks:
- reading, insertion of false data and modification of data exchanged between two parties
- Phishing
- DoS
- Replay
- Eavesdropping
- Chosen-ciphertext
- Substitution

Countermeasures:
- confidentiality, authentication, integrity and serialization of each individual packet, to guarantee that all the packets arrived and none is missing
- the authentication must be performed not just when the connection is created, because a MITM can arrive afterwards

36
Q

DoS

A

The functionality of a service is limited or disrupted. This is done by keeping a host busy so that it cannot provide its services.

➜ used when other attacks are impossible to carry out

Discovering this type of attack is difficult because it is often not easy to identify whether it is actually an attack or a simple malfunction (not to mention the fact that the inaccessibility of the service makes it difficult to diagnose it).

Attack:
- block the use of a system/service

Examples:
- mail/log saturation
- ping flooding (bombing): empty ICMP packets sent without waiting for the response
- SYN attack

Countermeasures: being predominantly a brute force attack, there is no simple method to protect against it other than increasing the agility and flexibility of the system in question, for example by increasing the number of servers and connections or by improving the efficiency of the security software

37
Q

DDoS

A

DoS software is installed on many nodes, called daemons/zombies/malbots, to create a botnet. These daemons are remotely controlled by a master that makes them work in sync.

effect = DoS * #daemons

A DDoS attack can be improved by:
* using a reflector: to hide the attacker’s tracks and to multiply the attackers
* using an amplification factor N:1: look for a reflector server with |response| >> |request|; it depends on the attack protocol used (easy with UDP and ICMP)

Examples:
- command & control infrastructures
- C/S or P2P communications
- encrypted or “covert” channels: e.g. UDP packet over ICMP (= the UDP packet is set as the payload of an ICMP packet so that it looks like a ping when it is not)
- auto-update capability

38
Q

Defacement attack

A

Website defacement is an attack on a website that changes the visual appearance of a website or a web page

39
Q

Replay attack

A

A replay attack is a type of network attack where a valid data transmission is maliciously or fraudulently repeated or delayed. This attack is often executed by an attacker who intercepts data and retransmits it to deceive the receiver into believing they are receiving a legitimate message, thereby potentially gaining unauthorized access to a system or service.

example: intercepting the data in a bank system that enable a payment and sending them repeatedly.

Countermeasures:
* authentication
* nonce
* timestamp

40
Q

Phishing attack

A

Phishing is an attack that uses social engineering and can be carried out using Connection Hijacking (MITM). It aims to lure the victim via email or instant messaging, convincing them to provide sensitive personal information (password to access the bank account, credit card number, etc.).

There are two variants:
- Spear phishing: increases the credibility of the message by including some personal information about the victim or very accurate data that give the message an apparent authenticity.
- Whaling: aims to “bite” important people (e.g. CEOs); in fact the higher the hierarchical level, the lower the level of expertise, especially on technology.

Countermeasures:
- Be careful when visiting non-secure sites. In case of a request for personal information, account numbers, passwords or credit card data, never send this kind of information
- It is good practice to forward a copy to the competent authorities and notify the bank or other interested parties, so that they can take further measures against the fake site and inform their users.
- Check the lock icon, present in all browsers, indicating that a secure connection (e.g. SSL/TLS) has been established.

41
Q

Spoofing attack

A

It can be data spoofing or source address spoofing

42
Q

Explain what social engineering is, give an example of this attack, indicate the countermeasures that a company can take to defend itself.

A

By social engineering we mean a type of attack that does not hit the “IT” side of a company / organization, but the human side, exploiting the psychological and social weaknesses of people in prominent positions.

A very relevant and widespread example is the phishing mail, which consists in sending fake emails that push the user to click on malicious links. The best countermeasure a company can employ in this regard is to educate its employees about these risks.

Countermeasures:
- Organizations must, at the employee / personnel level, establish a trust infrastructure (when / where / why / how sensitive data should be treated)
- Organizations need to identify what information is sensitive and discuss its integrity in all forms (i.e. social engineering, computer security, etc.)
- Organizations must establish security protocols for people who manage sensitive information (e.g. legal documentation for the dissemination of information)
- Employees must be trained in the security protocols relevant to their position in the institution. For example, employees must identify people who head towards sensitive information, as in tailgating, where an unauthorized person sneaks into restricted areas by following those authorized; if a person’s identity cannot be verified, the employees must be trained to politely refuse access
- The organization’s trust infrastructure must be periodically checked by performing tests without notice.

43
Q

What do the following words mean? Vulnerability, threat, security control, assets and attack? How are they related?

A
  • Vulnerability: intrinsic weakness of an IT asset
  • Threat: An intentional or accidental event that can cause the loss of a security property by exploiting a vulnerability
  • Attack: occurrence of an “intentional event” threat
  • Security control: used to limit / prevent any type of threat to assets
  • Asset: the set of assets, data and people necessary for the provision of an IT service
44
Q

Say what the window of exposure is and where you can act to reduce it

A

The exposure window is the length of time the system is exposed to a security threat:
  1. Discovery phase: an attacker exploits an unknown vulnerability:
    (a) an attacker discovers a new vulnerability;
    (b) the attacker develops an attack program, called an exploit, which exploits this vulnerability;
    (c) the attacker begins to carry out attacks, causing the vulnerability to become public;
  2. Publishing stage: people try to limit the damage:
    (a) the victim of the attack informs the producer of the vulnerability;
    (b) the manufacturer informs all its customers of the existence of this problem;
    (c) customers update defense tools (e.g. IDS signatures), pending a patch;
    (d) the manufacturer releases a patch;
  3. Protection phase: customers apply the countermeasure:
    (a) the patch is made available to all customers;
    (b) only when everyone installs the patch can the problem be considered solved.

To reduce it, periodic security checks can be carried out to detect vulnerabilities in advance, and the public should be notified as soon as possible in the event of an attack so as to minimize the damage.

45
Q

Bruce Schneier wrote “security is a process, not a product”. Explain the meaning of this statement and provide a practical example of its implementation with technical elements.

A

Buying a single product to provide security is not enough to make a system protected, as the single product is not free from bugs; it is necessary to design your own security system using multiple systems in parallel, possibly from different manufacturers, in order to guarantee a stronger defense.

The most practical example is to use a firewall from one manufacturer and an intrusion detection system (IDS) from a second manufacturer, so that in the event of a bug in the first product, the second takes over to stem the damage.

46
Q

Briefly explain the security property called integrity by saying which attacks it protects against both when the data it refers to is stored and when it is transmitted.

A

Integrity is a security property that ensures data is accurate, consistent, and unaltered during storage and transmission. This means that any unauthorized changes to the data can be detected.

Stored data: integrity protects against
* Malware: Integrity checks can help detect malware that tries to modify files or databases
* Insider Threats: Even authorized users may attempt to alter data maliciously

Transmitted data: integrity protects against
* MITM
* replay attacks
* eavesdropping (if the eavesdropped data are modified too)
* data forging

47
Q

Explain at least two ways to perform a sniffing attack

A

● Using a hub between the firewall and the switch. A hub is a device whose input is reproduced on all of the other ports; with the help of this instrument a sniffer PC can be placed on one of the ports and obtains all of the information going through the network, because all the Ethernet frames are sent to all the other ports

● Directly on the switching nodes (router/switch), by the administrator or by someone who has access to them. At this point, mail for instance can be read easily.