Security

Question 1

Why is it important?

Answer 1

Clients expect it

Service providers require risks to be handled with care

Question 2

Confidentiality attacks

Answer 2

Interception of data
Make sure info transmitted is only visible to authorised parties
Encrypt

Question 3

Integrity attacks

Answer 3

Data is changed
Digital signatures
Encryption

Question 4

Authenticity attacks

Answer 4

Can't replay old messages
Impersonation
Unsecured URLs
Counterfeit objects put into system
Web spoofing - webpage that looks exactly the same as another webpage (two factor authentication as solution) 
Encryption

Question 5

What is web spoofing?

Answer 5

webpage that looks exactly the same as another webpage

Type of authenticity attack

Question 6

Availability attacks

Answer 6

Cutting communication lines
Destroying servers
Interrupting data
Disable file management system
Denial of service attacks
Governments block
(eg. DOS attacks)

Question 7

What is a solution to web spoofing?

Answer 7

Two factor authentication

Question 8

Explain TFA

Answer 8

Two factor authentication. Uses username and password

Question 9

Top 10 Security Threats according to OWASP

Answer 9

1) SQL injection: instead of typing in name of user, user types in SQL command
2) Broken Authentication and Session Management: if using public computer and you close tab, you should not remain logged in
3) XSS: Cross Site Scripting is when malicious scripts are injected into sites
4) Insecure Direct Object References:
5) Security Misconfiguration
6) Sensitive Data Exposure
7) Missing Function Level Access Control
8) Cross Site Request Forgery (CSRF)
9) Using Components with Known Vulnerabilities
10) Unvalidated Redirects and Forwards

Question 10

What types of XSS exist?

Answer 10

Persistent and Non Persistent

Question 11

What is the idea of risk management?

Answer 11

Identifying things that can go wrong with projects. These must be documented, identified and reviewed.

Question 12

What types of risks exist?

Answer 12

Client
Schedule
Technology
Operational

Question 13

What is the risk management approach?

Answer 13

Identify
Assess
Document
Monitor and review
Repeat

Question 14

What is a client risk?

Answer 14

Client does something silly.

Question 15

What is a schedule risk?

Answer 15

This is related to project management - running out of time or poor planing

Question 16

What is a technology risk?

Answer 16

Relying on unproven or new technologies

Question 17

What is an operational risk?

Answer 17

Communicational or team cooperation risks

Question 18

Explain the risk matrix

Answer 18

This is a 2d matrix combining likelihood with level of impact.

Question 19

What columns exist within the risk analysis form?

Answer 19

1) Risk
2) Trigger (event that provides signs risk is happening, measurable trigger but only measures this one risk)
3) Likelihood: likely, possible, unlikely
4) Impact: extent to which we will suffer
5) Contingency plans: what we will do

Question 20

What does it mean if a risk has been ‘realised’?

Answer 20

It is happening

Question 21

What is a rubber hose attack?

Answer 21

Beat someone with rubber hose until they tell you password or shit you want to know

Question 22

What is social engineering?

Answer 22

Exploit vulnerabilities of people

Question 23

What types of attacks are there (tech)?

Answer 23

Confidentiality
Integrity
Authenticity
Availability