Introduction Flashcards

1
Q

What is a Security Policy?

A

A document that goes to the CEO.

Shows the assets and the threats to them, to convince the CEO to develop a policy that protects against those threats.

High-level description of principles, assets and properties that must hold in the system.

2
Q

What is CIA?

A

Confidentiality: only authorised individuals/systems can view sensitive or classified information.

Integrity: only authorised individuals/systems are allowed to modify the database.

Availability: able to serve information when it is needed to authorised individuals/systems.

3
Q

What are four types of attacks?

A

Passive: attempt to learn or make use of information without affecting system resources.

Active: attempt to alter system resources/affect their operation.

Insider: initiated by an entity inside the security perimeter.

Outsider: initiated from outside the perimeter.

4
Q

Name nine typical threats

A
Phishing
Trojans
Botnets 
Distributed Denial of Service
Theft of money
Data manipulation 
Data destruction 
Spyware/malware
Man in the Middle
5
Q

What are eight typical countermeasures against threats?

A
Firewalls
Network Intrusion Detection
Access Control
Antivirus software 
Encryption
Vulnerability testing 
Physical security 
Social engineering detection (education)
6
Q

What makes up the economic model of risk, and how do you estimate loss and expected loss with no security?

A
Model
L = loss: value of potential loss. 
T = threat: probability of attack. 
V = vulnerability: probability that attack will succeed if it happens. 
VT = probability of a successful attack.

Risk estimates
Loss = L * T

Expected loss with no security
V * L = VT * L
