Lecture 1 - Introduction

Question 1

What is the Milennium Bug?

Answer 1

An example of a classic cybersecurity issue is the millenium bug. These were coding errors that people assumed would happen at the turn of the millenium. Luckily, this didn’t turn out to be a problem. But did it turn out this way because organisations actually did something about it or was the risk overhyped?

Question 2

What happened at Cambridge Analytica?

Answer 2

Cambridge Analytica is an organization that profiled and characterized individuals in order to show them specific ads.

Question 3

What happened with Strava?

Answer 3

Strava lets you track your running and riding with GPS. To show how much people used their software, the company uploaded a map with all the locations where Strava was used, accidentally exposing a secret US military base.

Question 4

What happened at the OPCW?

Answer 4

The OPCW (Organisation for Prohibition of Chemical Weapons) was victim of a hacking attempt, involving on site infiltration. Russia was accused of this cyberattack on the chemical weapons watchdog.

Question 5

What happened at diginotar?

Answer 5

Diginotar is a company that gives out certificates for confirmed authentic websites, but because of lack of security they were hacked and were consequently not trusted anymore.

Question 6

What happened at Maastricht University

Answer 6

Maastricht University was attacked with ransomware and was eventually forced to pay the ransom money.

Question 7

What is Stuxnet?

Answer 7

Stuxnet is a worm created for the specific purpose of harming the systems of a nuclear power reactor in Iran. It spread to other systems, but as it was designed only to harm the reactor systems, it did no damage to others

Question 8

What happened at Schiphol?

Answer 8

Schiphol airport had a bug in the fuelling system, so workers weren’t able to refuel the planes properly, resulting in extensive delays. (oopsie) Sometimes it is easier to say its a cyberattack instead of a bug, as to avoid admitting incompentency. However, sometimes it is easier to do it the other way around as well. Saying something was a bug instead of a cyberattack could result in less consequences.

Question 9

What happened to Dutch Banks?

Answer 9

Dutch banks were targeted by heavy some time. DDoS attacks and their websites were down for These attacks disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

Question 10

How to do Data-backup properly?

Answer 10

You can back up data according to the 3-2-1 method; 3 copies of your data, 2 are local and 1 is further away like in the form of external harddisks or external harddrives. Using this method will make sure that there is no single point of failure.

Question 11

Why do we care about Cybersecurity?

Answer 11

1. Protection of critical national infrastructure
2. Privacy and sensitive data
3. Financial reasons

Question 12

How is cybersecurity illustrated in the three-layer onion model.

Answer 12

The inner core consists of three-layer model: technical solutions to make cyberspace safe.

The middle layer is socio-technical, as it is where the people come in. Meaning how the people work with the technical systems.

The outer layer is the governance layer, consisting of how society deals with cybersecurity issues on a political, legal and public administration level.

Question 13

What is the CIA-Triad?

Answer 13

Confidentiality The protected information is only available to authorised entities. Confidentiality can not only be breached through hacking, but also through accidental wrong attachments in an email or materials not removed or disposed of correctly.
Integrity It is certain that the data is true with no unauthorised undetected changes made to the data. Integrity is breached through: Deleting data Changing data Adding data
Data is available when needed and people who should have access, do have access.

Question 14

What does CIA-Confidentiality entail?

Answer 14

a. The assignment of a value to a set of information to indicate the level of secrecy and the access restrictions required to prevent unauthorized people from viewing it. A typical example of a confidentiality scale is: (i) Public Use (ii) Internal Use (iii) Confidential (iv) Strictly Confidential and (v) Restricted.

Question 15

What does CIA-Integrity
entail?

Answer 15

a. A value that can be assigned to a set of information to indicate how sensitive it is to degradation of accuracy (such as unauthorized modification) or data loss. Loss in this context is about losing information without the ability for anyone to recover it from the system it was entered into (it is not about theft). Often this value is expressed or translated into a scale of time. For example, data with the highest possible integrity rating could be given a value of ‘no data loss permitted.’ If it were permitted to lose up to 4 hours of data that had been processed, the value would be ‘4 hours.’ Usually, if any data loss is permitted, it means that there will be other processes in place to address the loss of the electronic information. The integrity value assigned to any system or application is used to set the frequency that the information is subject to backup, or in very sensitive systems with no data loss permitted, establishes the need for a permanent secondary failover system.

Question 16

What does CIA-Availability entail?

Answer 16

a. The assignment of a value to a set of information to indicate how much disruption or outage the owner considers to be acceptable. Often this is expressed or translated into a scale of time. Data with the highest possible availability rating would be required to be readily accessible at all times (no downtime permitted), often through the use of a fully redundant failsafe. The value assigned to the information’s availability is used by the owner of an application or service to set the recovery time objective.

Question 17

What is Cybersecurity?

Answer 17

Cybersecurity is the protection of digital devices and their communication channels to keep them stable, dependable and reasonably safe from danger or threat. Usually the required protection level must be sufficient to prevent or address unauthorized access or intervention before it can lead to substantial personal, professional, organizational, financial and/or political harm

Question 18

What is a Digital Device?

Answer 18

A Digital Device is any electronic appliance that can create, modify, archive, retrieve or transmit information in an electronic format. Desktop computers, laptops, tablets, smartphones and Internet-connected home devices are all examples of digital devices

Question 19

What is Defense in Depth?

Answer 19

Defense in depth is the use of multiple layers of security techniques to help reduce the chance of a successful attack. The idea is that if one security technique fails or is bypassed, there are others that should address the attack. The latest (and correct) thinking on defense in depth is that security techniques must also consider people and operations (for example processes) factors and not just technology.

Question 20

What is a Virus

Answer 20

Virus is a form of malicious software that spreads by infecting (attaching itself) to other files and usually seeks opportunities to continue that pattern. Viruses are now less common than other forms of malware. Viruses were the main type of malware in very early computing. For that reason, people often refer to something as a virus when it is technically another form of malware.

Question 21

What is the Darwin Effect in Cyberspace

Answer 21

Darwin effect in cyberspace is that those who adapted to the advantages of connected technologies were (and are) gaining advantages and thriving. Those organizations that were (and are) not evolving to use connected technologies are mostly shrinking or perishing.

Question 22

What is Cryptoanalysis?

Answer 22

Cryptoanalysis is the art of examining ciphered information to determine how to circumvent the technique that was used to encode or hide it. In other words; analyzing ciphers (coded messages).

Question 23

What is the Cloud?

Answer 23

The Cloud = An umbrella term used to identify any technology service that uses software and equipment not physically managed or owned by the person or organization (customer) using it. This usually provides the advantage of on-demand scalability at lower cost. Examples include applications that are hosted online, online file storage areas, and even remote virtual computers. Using a cloud means the equipment managing the service is run by the cloud provider and not by the customer. But although the customer does not own the service, he or she is still accountable for the information that he or she chooses to store and process through it. Usually a cloud service is identified by an ‘aaS’ suffix. For example – SaaS (Software as a Service), IaaS (Infrastructure as a Service) and PaaS (Platform as a Service).

Question 24

What is a Vulnerability?

Answer 24

Vulnerability = a weakness, usually in design, implementation or operation of software (including operating systems), that could be compromised and result in damage or harm.

Question 25

What is an Attack Vector?

Answer 25

In the cybersecurity world, any potential vulnerability that might be leveraged is called an attack vector.

Question 26

What is the bleeding edge?

Answer 26

Bleeding edge is Using inventions so new, they have the likelihood to cause damage to their population before they become stable and safe.

Question 27

What are Cyber Controls?

Answer 27

Controls = A method of regulating something, often a process, technology or behavior, to achieve a desired outcome, usually resulting in the reduction of risk. Depending on how it is designed and used, any single control may be referred to as preventive, detective or corrective.

Question 28

What is a Hacker?

Answer 28

Hacker a person who engages in attempts to gain unauthorized access to one or more digital devices. Can be black hat (unethical) or white hat (ethical) hacker, depending on the person’s intent.

Question 29

What is a Cyber Attack?

Answer 29

Cyber Attack to take aggressive or hostile action by leveraging or targeting digital devices. The intended damage is not limited to the digital (electronic) environment.

Question 30

What is a Threat Actor?

Answer 30

Threat Actors is an umbrella term to describe the collection of people and organizations that work to create cyber attacks. Examples of threat actors can include cyber criminals, hacktivists and nation states.

Question 31

What is an Exploit?

Answer 31

Exploit To take advantage of a security vulnerability. Well-known exploits are often given names. Falling victim to a known exploit with a name can be a sign of low security, such as poor patch management.

Question 32

What is a Patch Management

Answer 32

Patch management a controlled process used to deploy critical, interim updates to software on digital devices. The release of a software ‘patch’ is usually in response to a critical flaw or gap that has been identified. Any failure to apply new interim software updates promptly can leave open security vulnerabilities in place. As a consequence, promptly applying these updates (patch management) is considered a critical component of maintaining effective cybersecurity.

Question 33

What is Malware

Answer 33

Malware shortened version of malicious software. A term used to describe disruptive, subversive or hostile programs that can be inserted onto a digital device. People can intentionally or unintentionally make these types of programs harmful. Intentionally-harmful versions are usually disguised or embedded in a file that looks harmless so the attacker who uses them can intentionally compromise a device. Malware that someone does not intend to be harmful can still disrupt a device or leak information; however, the harmful qualities can result from unintentionally poor construction quality, bad design or insecure configuration. There are many types of malware; adware, botnets, computer viruses, ransomware, scareware, spyware, trojans and worms are all examples of intentional malware. Hackers often use malware to mount cybersecurity attacks.

Question 34

What is a Botnet?

Answer 34

Botnet shortened version of robotic network. A connected set of programs designed to operate together over a network (including the Internet) to achieve specific purposes. The purpose can be good or bad. Some programs of this type are used to help support Internet connections; malicious uses include taking over control of some or all of a computer’s functions to support large-scale service attacks (see denial of service). Botnets are sometimes referred to as a zombie army.

Question 35

What is a Breach Notification Procedure?

Answer 35

Some types of information, when suspected or known to be lost or stolen, must, by law, be reported to one or more authorities within a defined time period. Usually, this type of regulation applies to personal information. The required notification time period varies, but is often within 24 hours after the known or suspected breach takes place. In addition to reporting the known or suspected loss to the authorities, the lead organization responsible for the information (referred to as the data controller) is also required to swiftly notify anyone who is affected, and later on, must submit (to appropriate regulators) a full root cause analysis and information about how the organization responded and fixed any issues that were identified. To meet these legal obligations, larger companies usually have a pre defined breach notification procedure to ensure that the timelines are met.

Question 36

What is Cyber Incident Response

Answer 36

A prepared set of processes that should be triggered when any known or suspected event takes place that could cause material damage to an organization. The typical stages are (i) verify the event is real and identify the af ected areas, (ii) contain the problem (usually by isolating, disabling or disconnecting the af ected pieces), (iii) understand and eradicate the root cause, (iv) restore the affected components to their fixed state and (v) review how the process went to identify improvements that should be made. An incident response may also be required to trigger other response procedures, such as a breach notification procedure, if any information has been lost that is subject to a notification requirement. For example – the loss of any personal information beyond what might be found in a phone book entry is usually considered a notifiable event.

Question 37

What are the cybersecurity tasks?

Answer 37

1. Management
   a. Chief Information Security Officer / Chief Cybersecurity Officer
   b. Cyber Risk Manager
   c. Cybersecurity Architect
2. Cyber Audit & Assessment
   a. Audit Manager, Auditor, Assessment Specialist, …
3. Event Monitoring and Alerts
   a. Security Incident & Events Manager
   b. Security Incident Responder
   c. Cybersecurity and Network Intrusion Analysts
4. Proactive Operations
   a. Access Administrators
   b. Security Device Administrators (firewalls and more)
   c. Encryption / Cryptography Consultant
   d. Security Risk Consultants
   e. Cybersecurity Analysts
5. Environment Testing
   a. Attack & Penetration Testers (Ethical Hackers)
   b. Vulnerability Assessors
6. Specialists
   a. Security Controls Designer
   b. External Security Specialist
   c. Digital Forensics Specialist
   d. Cryptologist
   e. Cryptanalyst
   f. Anti-Malware / Anti-Virus Specialist
   g. Software Security Specialist

Question 38

What is Policy in cyberspace?

Answer 38

A high-level statement of intent, often a short document, that provides guidance on the principles an organization follows. For example, a basic security policy document could describe the intention for an enterprise to ensure that all locations (physical and electronic) where information for which they are accountable must remain secure from any unauthorized access. A policy does not usually describe the explicit mechanisms or specific instructions that would be used to achieve or enforce the intentions it expresses; this would be described in a procedure. (ii) Alternatively, it can also be used to mean the settings (including security settings) inside a software program or operating system

Question 39

What is a procedure in cyberspace?

Answer 39

Provides guidance or specific instruction on the process (method) that should be used to achieve an objective. Traditionally provided as a document available to appropriate personnel, but increasingly replaced by instructions that are built into computer systems to enforce the required steps. In a traditional quality model, procedures may reside under a policy as an explicit instruction for meeting a particular policy objective

Question 40

Where is a Cyber Risk Manager responsible for?

Answer 40

Responsible for collecting and monitoring the cumulative set of open security risks across the digital landscape for the CISO.

Question 41

What is Risk in cyberspace?

Answer 41

A situation involving exposure to significant impact or loss. In formal frameworks, risk can be quantified using probability (often expressed as a percentage) and impact (often expressed as a financial amount). Other parameters for risk can include proximity (how soon a potential risk may be encountered, and information about which assets, services, products and processes could be affected).

Question 42

What does a cybersecurity architect do?

Answer 42

Cybersecurity Architect is A cybersecurity architect’s role is to ensure that there is a clear understanding of the permitted methods for securely integrating and extending an organization’s digital ecosystems to interact with others. Essentially they are responsible for designing a strong overall cybersecurity plan.

Question 43

What is Cyber Audit & Assessment?

Answer 43

The cyber audit and assurance function exists to check samples of operations to verify whether or not they are being performed securely and correctly – and to identify any significant gaps and any corrective actions that need to be taken. Any immediate critical risk items must be escalated up to the cyber risk register (the master list of active risks) or directly to the CISO as appropriate

Question 44

What are the Cyber Defense Points?

Answer 44

Digital locations where we could add cybersecurity controls
1. Data – any information in electronic or digital format.
2. Devices – any hardware used to create, modify, process, store or transmit data. Computers, smartphones and USB drives are all examples of devices.
3. Applications – any programs (software) that reside on any device. Usually, programs exist to create, modify, process, store, inspect or transmit specific types of data.
4. Systems – groups of applications that operate together to serve a more complex purpose.
5. Networks – the group name for a collection of devices, wiring and applications used to connect, carry, broadcast, monitor or safeguard data. Networks can be physical (use material assets such as wiring) or virtual (use applications to create associations and connections between devices or applications.)
6. Other communication channels – any other routes used to transmit or transfer any electronic data of value between devices.

Question 45

What are the cybersecurity control types?

Answer 45

1. Physical
2. Technical
3. Procedural
4. Legal (also referred to as regulatory or compliance controls)

Question 46

What are the control modes?

Answer 46

Control Modes
To protect a digital device I can use:
1. Preventive controls To protect the device before an event happens.
2. Detective controls To monitor and alert me in the event something happens.
3. Corrective controls To rectify any gaps after the problem has been identified.

Question 47

What is APT?

Answer 47

Advanced Persistent Threats (APTs) = A term used to describe the tenacious and highly evolved set of tactics used by hackers to infiltrate networks through digital devices and to then leave malicious software in place for as long as possible. The cyber attack lifecycle usually involves the attacker performing research & reconnaissance, preparing the most effective attack tools, getting an initial foothold into the network or the target digital landscape, spreading the infection and adjusting the range of attack tools in place to then exploit the position to maximum advantage. The purpose can be to steal or corrupt an organization’s digital data or to extort money from the organization and/or disrupt its operations, for financial gain, brand damage or other political purposes. This form of sophisticated attack becomes harder and more costly to resolve the further into the lifecycle the attackers are and the longer they have managed to already leave the malicious software in place. A goal with this threat type is for the intruder to remain (persist) undetected for as long as possible in order to maximize the opportunities presented by the intrusion – for example, to steal data over a long period of time

Question 48

What is DLP?

Answer 48

Data Loss Prevention (DLP) = This term can describe both (i) the technologies and (ii) the strategies used to help stop information from being taken out of an organization without the appropriate authorization. Software technologies can use heuristics (patterns that fit within certain rules) to recognize, alert and/or block data extraction activities on digital devices. For example, a DLP technology may prohibit specific types of file attachments from being sent out via Internet mail services. These technologies can also prevent or monitor many other attempts at removing or copying data. There are workarounds that can be used by skilled hackers to evade detection by these solutions, including encryption and fragmentation. Although these solutions are becoming an essential line of defense, the most secure environments aim to prevent any significant set of data from being available for export in the first place. For this reason, Data Loss Prevention is often thought of as the last line of defense (a final safety net if all other security controls have not been successful).

Question 49

Why are human the weakest links?

Answer 49

1. Inadequate cybersecurity knowledge
2. Poor capture and communication of risks
3. Culture and relationship issues
4. Under-investment in security training
5. Using trust instead of procedures
6. Absence of a single point of accountability (Gedeelde verantwoordelijkheid = geen verantwoordelijkheid)
7. Social Engineering

Question 50

What is the Attack Surface?

Answer 50

Attack Surface is The sum of the potential exposure area where an unauthorized user (the attacker) can try to enter data into or extract data from a digital landscape. This area usually includes perimeter network hardware such as firewalls and web servers hardware that hosts Internet-enabled applications. It can also include extended areas of the landscape such as external applications, supplier services and mobile devices that have permission to access information or services of value.

Question 51

What is Network Segmentation?

Answer 51

Splitting a single collection of devices, wiring and applications that connect, carry, broadcast, monitor or safeguard data into smaller sections. This allows for more discrete management of each section, allowing greater security to be applied in sections with the highest value, and also permitting smaller sections to be impacted in the event of a malware infection or other disruptive event.

Question 52

What are the steps in the killchain?

Answer 52

1. Reconnaissance
2. Tooling / preparation
3. Infection
4. Persistence
5. Communication
6. Control
7. Realizing the value

Question 53

What is IDS, IDPS and IPS?

Answer 53

Intrusion Detection System (IDS) = Computer programs that monitor and inspect electronic communications that pass through them, with the purpose to detect, log (record) and raise alerts on any suspected malicious or otherwise unwanted streams of information. IDS are a variation of Intrusion Detection and Prevention Systems, as they have no ability to block the activity; they only monitor, inspect and alert.
Intrusion Detection and Prevention Systems (IDPS) = Computer programs that monitor and inspect electronic communications that pass through them, with the purpose and ability (i) to block and log (record) key information about any known malicious or otherwise unwanted streams of information and (ii) to log and raise alerts about any other traffic that is suspected (but not confirmed) to be of a similar nature. These are usually placed in the communication path to allow the IDPS to prevent unwanted information from entering or leaving a network by dropping or blocking packets. IDPS can also clean some electronic data to remove any unwanted or undesirable packet components
Intrusion Prevention Systems (IPS) = A slight variation in IPS, compared to IDPS, is that they may not collect any detection information and may only serve to block (prevent) unwanted traffic based on direct rules or instructions they receive

Question 54

What are the main challanges of IDPS?

Answer 54

Two key challenges for these systems are:
1. Determining what a malicious or unwanted communication looks like, achieved by:
a. Storing known attack communication patterns, which are known as signatures.
b. Statistical anomaly-based detection; the programs review statistics and look for any behavior that is unusual or anomalous.
c. Stateful protocol analysis detection; detecting significant variations in protocol format.
2. People want their communications to be transmitted and received quickly and without interruption.
a. If too many rules and restrictions are in place, electronic traffic (communications) can be lost or delayed

Question 55

What is DLP?

Answer 55

Data Loss Prevention DLP
Is a term that describes blocking specific types of information from leaving an electronic device if taken out of an organization without the appropriate authorization. There are dedicated types of hardware and software that can be used to facilitate this objective.

Question 56

What are the Categories of cyber attackers (Threat actors)

Answer 56

1. Nation States
2. Terrorist groups
3. Organized criminal groups
4. Hacktivists
5. Skilled professional hackers
6. Disaffected or opportunistic insiders
7. Amateur hackers and journalists
8. Anyone

Question 57

What is Stacked Risks?

Answer 57

Stacked Risk is the phenomenon of allowing seemingly separate potential issues with potential impact (risks) affecting the same digital landscape to accumulate. Without adequate identification and resolution, individual risks can form a toxic accumulation of issues that can be leveraged together to create a risk substantially greater than the individual components suggest. Megabreaches are usually the result of stacked risk in combination with a motivated attacker.

Question 58

What is a Secure Configuration?

Answer 58

Secure configuration are ensuring that when settings are applied to any item (device or software), appropriate steps are always taken to ensure (i) default accounts are removed or disabled, (ii) shared accounts are not used and (iii) all protective and defensive controls in the item use the strongest appropriate setting(s).

Question 59

What is SIEM?

Answer 59

Security Incident & Event Management (SIEM)

Question 60

What is a Security Event?

Answer 60

Security event = A term used to describe a minor disruption to the digital landscape that is thought to be unintentional. Examples include a single failed device or a single user forgetting his or her password. Unusual patterns of security events can be an indicator of a security incident.

Question 61

What is a Security Incident?

Answer 61

The intentional damage, theft and/or unauthorized access that has direct or indirect impact to any substantial part of an organization’s information, systems, devices, services or products.

Question 62

What is the Lifecycle of a security incident?

Answer 62

1. Detection & reporting.
2. Verification.
3. Isolation (also known as quarantining).
4. Cleaning (mitigation and restoration).
5. Review (Analysis of patterns and process deficiencies).

Question 63

What is Individual Risk?

Answer 63

Managing individual risks effectively requires a consistent approach to the way in which each risk is captured and managed

Question 64

What are the key ingredients in all risk frameworks?

Answer 64

1. Ownership: Ensure that each active risk has a clearly accountable owner.
2. Lifecycle: Define and use consistent risk lifecycle to ascertain what state the risk is in.
3. Risk information: Ensure that adequate information about the risk is captured, including its probability and impact.

Question 65

What is MDM?

Answer 65

Mobile Device Management (MDM) = A technology used to securely control the operation and use of mobile devices such as tablets and smartphones. Able (for example) to remotely wipe information from a mobile device and control which applications and functions are permitted to be installed or run

Question 66

What is a Honeypot?

Answer 66

Honeypot = An electronic device or collection of data that is designed to trap would-be attackers by detecting, deflecting or otherwise counteracting their efforts. Designed to look like a real part of an enterprise’s attack surface, the honeypot will contain nothing of real value to the attacker, but will contain tools to identify, isolate and trace any intrusion.