Outcome 4

Question 1

Reasons for Implementing Physical Controls

Answer 1

Minimizes or removes the risk of:
- harm to people
- information being accessed inappropriately

Question 2

Ways to Physically Secure the Building

Answer 2

• CCTV
• Motion Sensors
• Physical Barriers to stop entry
• Security passes to authorize access to secure areas
• Biometric Authentication
• Alarm systems
• Security Guards

Question 3

Ways of Protecting Development

Answer 3

• Version Control
• User Authentication
• Encryption
• Software Updates

Question 4

Version Control

Answer 4

The practice of tracking and managing changes to source control.

Protects the integrity of the source code. Can also be used as a logging system - allows developers to check who added code to a solution

Question 5

Single Factor Authentication

Answer 5

simplest method of authentication, just something you know
e.g. password

Question 6

Two Factor Authentication

Answer 6

involves something you know, and something you have

e.g. a password AND an access token

Question 7

Multi Factor Authentication

Answer 7

most complex form,
involves something you know, something you have, and something you are

e.g. a password, an access token and a biometric scan

Question 8

Software Auditing

Answer 8

Designed to reduce the risks to software.

Not testing - instead looks at the quality of the software, not if it works etc

Question 9

Software Auditing Examples

Answer 9

• Testing the software for security compliance (pen testing)
• Considering levels of user training required to operate the solution
• seeing if internal documentation is adequate
• identifying assets required to operate the solution

Question 10

Data Breaches

Answer 10

Happens when personal information is accessed or disclosed without authorization

Question 11

Man in the Middle Attacks

Answer 11

Eavesdropping attack that could occur when a transmission takes place, that causes communications and data to be exposed to unauthorized third-parties.

Causes a communication to be transmitted through a third computer system (which an attacker controls), which then forwards the data to both sides of the conversation.

Often sensitive data is harvested, such as login information, or bank details

Question 12

Man in the Middle Attacks - Ways to Protect

Answer 12

• Reset all users passwords periodically
• Use encryption (HTTPS/VPN’s)
• Use 2FA
• Look out for unusual activity
  
  • Such as a login from Russia

Question 13

Social Engineering

Answer 13

Relies on the manipulation of human nature to persuade the victim to provide personal information or to initiate a transaction.

Uses basic tricks of con artists, such as flattery and friendliness to gain trust.

Question 14

Social Engineering

Answer 14

• train users
• keep anti-virus software up to date
• Use spyware detection software
• Do not open email or SMS attachments
• refuse to give information over phone or by email
• use 2FA

Question 15

XSS

Answer 15

Cross Site Scripting

Occurs when an web application includes user-supplied data in a page sent to the browser without properly validating or escaping the content prior to acceptance from the server.

Allows malicious scripts to be interested into other peoples web browsers

Question 16

SQL Injection

Answer 16

When user input causes the resulting SQL query to change from its intended action

Question 17

SQL Injection - can result in

Answer 17

• data being maliciously modified, leaked, deleted or edited

Question 18

SQL Injection - to avoid

Answer 18

• Don’t use dynamic SQL Queries
• Prevent user supplied inputs from affecting the logic of the query

Question 19

Ways to Manage Risks Posed by Third Parties

Answer 19

• Limit third parties access to data
• Use a confidentiality agreement to reduce the risk of the third party sharing data
• Only use third parties that are covered by Australian law - international third parties are not subject to aussie law

Question 20

Accidental Threats

Answer 20

Threats that are made as the result of poor training or poor design of UI

e.g. deleting important data because the solution didn’t show a warning box

Question 21

Event Based Threats

Answer 21

threats external to the organization and beyond the immediate control or influence of security planning to prevent

Question 22

Deliberate Threats

Answer 22

Threats that are made as the result of deliberate, malicious acts

Question 23

Main Characteristics of data Integrity

Answer 23

Correctness
Accuracy
Authenticity
Reasonableness
Relevance
Timeliness

acronym: CARART

Question 24

Characteristics of Data Integrity - Accuracy

Answer 24

• Completeness - data is complete
• Clarity - data that isn’t ambiguous
• Consistency - data that is completely consistent

Question 25

Characteristics of Data Integrity - Authenticiity

Answer 25

Data can be confirmed to come from a verified origin

Question 26

Characteristics of Data Integrity - Reasonableness

Answer 26

checks if the data is plausible, makes logical sense, and satisfies common sense

Question 27

Characteristics of Data Integrity - Relevance

Answer 27

measures how closely a resource - such as a document, database or webpage corresponds to that persons desire for information

Question 28

Characteristics of Data Integrity - Timeliness

Answer 28

refers to the speed it takes for the data to be retrieved

Question 29

Examples of Ethical Issues in Software Development

Answer 29

• Relationship between software developers and end users -> consider those who are put at risk as a result of the solution being built
• Acknowledging work - especially open source code