Lecture 19: 22nd November 2019 Flashcards

Risk and assurance

1
Q

What is a risk?

A

Risk = the probability of a threat and the resulting impact should it occur

2
Q

What is a threat?

A

Threat = An attack vector: a means by which an attacker may exploit system vulnerabilities.

3
Q

What is risk management?

A

The investigation, identification, analysis, evaluation, and mitigation or addressing of cybersecurity risks facing an entity.

4
Q

What are the 3 main steps of risk assessment according to NIST?

A
  1. Risk Assessment
  2. Risk Mitigation
  3. Evaluation and Assessment
5
Q

What are the levels of threat impact under NIST800-30?

A

high: high cost; high harm to reputation or mission; human death or serious injury possible.
medium: some cost; some harm to reputation or mission; may result in injury.
low: little cost; little harm to reputation or mission

6
Q

When are risks acceptable under NIST800-30?

A

If the cost to the attacker of carrying out the attack that realises the risk is greater than or equal to the attacker's gain, or the impact of the risk is below some predefined threshold.

7
Q

What is Failure on Demand?

A

Different classifications of the frequency of a system failure.

8
Q

What is a Risk Matrix?

A

A table showing how risks are composed, allowing users to read off the risk level directly from the probability and impact of a risk.

9
Q

How does a Risk Matrix work?

A

Columns of impact levels (low, medium, high) and rows of probability (low, medium, high). Resultant risks in cells from multiplying column by row: impact by probability.

10
Q

What is a Threat Tree?

A

A model used to relate threats in testing and auditing that aims to find the weak points in a system and identify root causes of different threats.

11
Q

How does a Threat Tree work?

A

Risks are joined by dependencies that build the graph out from a root action. If you can remove the root node (if there is one) you remove all risks. If you remove the root of a subtree you remove all risks in that subtree. So removing a parent node (root cause) removes all of its child node risks.

12
Q

What is SWOT analysis?

A

An analysis method that aims to find the weakest and strongest points in a system by listing its strengths, weaknesses, opportunities, and threats.

13
Q

What is a failure?

A

An issue with a system that prevents it from functioning as required.

14
Q

What is failure frequency?

A

The rate at which a given failure is estimated to occur, i.e. the number of times it will happen in a given time.

15
Q

What is a system boundary?

A

An artificially defined edge of a set of information resources allocated to a computer system, including but not limited to security services, virtualization components, servers (web, application, database, DNS, etc.), and network components. Complex computer systems may have several sub-systems that are separated, with their own boundaries.

16
Q

What is an internal boundary?

A

Boundaries between component sub-systems within a larger single computer system

17
Q

What is an external boundary?

A

The boundary at the outer edge of a computer system, i.e. not any of the internal boundaries that define its subsystems

18
Q

Where are system boundaries commonly used?

A

Critical systems such as cockpit systems vs movies and lights in a plane, ATC vs A/C in a tower, life support vs coffee machine in a hospital

19
Q

What is the advantage of using system boundaries? Why can this, however, be a bad thing?

A

Allows modularity between systems that makes them more manageable and can prevent the transmission of failures between them.

System boundaries can compartmentalise information and analysts within different boundaries, which can make it more likely that failures that act across multiple boundaries may not be fully identified or understood before they have a damaging effect. It also means minor systems may be prioritised to such a low extent and independent of more important ones that they are not protected.

20
Q

What is OCTAVE?

A

Operationally Critical Threat, Asset and Vulnerability Evaluation = a set of tools for building a security plan.

21
Q

What steps does OCTAVE use to build security plans?

A
  • Identify enterprise knowledge
  • Identify operational area knowledge
  • Identify staff knowledge
  • Establish security requirements
  • Map high priority information assets to the information infrastructure
  • Perform an infrastructure vulnerability evaluation
  • Conduct a multidimensional risk analysis
  • Develop a protection strategy
22
Q

What are some risk assessment methodologies?

A
  • CRAMM
  • COBRA
  • FBI’s adversarial matrix
  • FARES
  • SPRINT
  • SARA
23
Q

What is DREAD? What does it stand for?

A

A threat assessment model used while building systems.

  • Damage potential – how bad and costly would an attack be?
  • Reproducibility – how easy is it to reproduce the attack?
  • Exploitability – how much work is it to launch the attack?
  • Affected users – how many people will be impacted?
  • Discoverability – how easy is it to discover the threat?
24
Q

What is STRIDE? What does it stand for?

A

A threat modeling and analysis framework.

  • Spoofing - can an attacker gain access by the use of a false identity?
  • Tampering - is data integrity in the system hard to compromise - hard to change in-flight data?
  • Repudiation - can you prove who did, or did not do, an attack after it finishes?
  • Information disclosure - can information that should stay confidential, e.g. PII, be exposed?
  • Denial of Service - can DoS attacks easily be carried out or is the system strongly available?
  • Elevation of Privilege - Can an attacker raise their access level?
25
Q

Who uses DREAD?

A

Microsoft

26
Q

Who uses STRIDE?

A

Symantec

27
Q

How can Unix logging be used for access control and audit?

A

Built-in logs exist:
/usr/adm/lastlog = last user login
/usr/adm/wtmp = user logins and logouts
/var/adm/acct = records all executed commands

28
Q

What is TCSEC?

A

Trusted Computer System Evaluation Criteria = processes to assess the effectiveness of cybersecurity measures.

29
Q

How does TCSEC work?

A

Classifies cybersecurity measures into several categories based on how strong or advanced an attack would have to be to surpass them:

  • D: Minimal Protection
  • C1: Discretionary Protection (DAC, ID and authentication)
  • C2: Controlled Access Protection (track individuals)
  • B1: Labelled Security Protection (MAC, security models)
  • B2: Structured Protection (MAC, trusted paths, covert channel analysis)
  • B3: Security Domains (tamperproofing, admin guide)
  • A1: Verified Protection (assurance, formal methods)
30
Q

What are the ISO 2700-series standards?

A

A body of standards relating to the management of information risks through information security controls.

31
Q

What does ISO27002 pertain to?

A
  • Risk assessment and treatment
  • Information security policy
  • Organization of information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance
32
Q

What is the Common Criteria Methodology?

A

Methods and frameworks for analysing cybersecurity risks that have international agreement and participation.

33
Q

What is a SOA?

A

Service-oriented architecture = a style of software design where services are provided to the other components by application components, through a communication protocol over a network. The basic principles of service-oriented architecture are independent of vendors, products, and technologies.

A service is a discrete unit of functionality that can be accessed remotely and acted upon and updated independently, such as retrieving a credit card statement online.

34
Q

What is the CSA Cloud Control Matrix?

A

A cybersecurity control framework for cloud computing, composed of 133 control objectives that are structured in 16 domains covering all key aspects of the cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation and provides guidance on which security controls should be implemented by which actors within the cloud supply chain.

A meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail, and clarity relating to information security tailored to cloud computing. CCM is currently considered a de-facto standard for cloud security assurance and compliance.

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.

35
Q

How does the CSA Cloud Control Matrix work?

A

Given a control domain (something that needs securing, e.g. how encryption keys are managed), it lists the atomic actions you should take (e.g. have identifiable owners), similar to tasks derived from user stories; where in the system they will need to be done (e.g. end-user devices, apps, and network infrastructure); which cloud services they relate to; and the relevant recommendations of other standards, such as ISO.

36
Q

How does the Common Criteria Methodology work?

A

The CC Security Assurance Requirements document outlines a process that includes analysis and checking of processes and procedures, verification, functional testing, analysis of vulnerabilities and penetration testing of the TOE (Target of Evaluation).

A TOE is divided into components for assurance, each with objectives and dependencies. An Evaluation Assurance Level is given for each component:

  • EAL1: functionally tested
  • EAL2: structurally tested
  • EAL3: methodologically tested and checked (config man., vulnerability testing)
  • EAL4: methodologically designed, tested and reviewed
  • EAL5: semiformally designed and tested
  • EAL6: semiformally verified design and tested
  • EAL7: formally verified design and tested