System Security Overview

Question 1

What is non-repudiation?

Answer 1

Non-repudiation is a security objective aimed at ensuring an individual cannot deny performing a specific action or transaction.

Question 2

What is a system?

Answer 2

A system is a collection of functional components, whether human or digital, that collaborate to accomplish a specific goal.

A system that combines both cyber and human elements is considered to be a ”cyber-physical-social-system”

Question 3

What are the six components of an information system?

Answer 3

The six components of an information system are:

1. Hardware: The physical devices and equipment used in the system.
2. Software: The programs and applications that run on the hardware.
3. Data: The information that the system processes and manages.
4. People: The users and IT professionals who interact with the system.
5. Processes: The procedures and operations performed within the system to achieve its goals.
6. Networks: The communication systems that connect the hardware components and enable data exchange.

Question 4

What is an interface?

Answer 4

An interface is a point of interaction between different components, systems, or devices, allowing them to communicate and work together. In technology, it often refers to the boundary where two different systems or software applications meet, facilitating data exchange or user interaction.

Question 5

What are the different interfaces in an information system?

Answer 5

In an information system, there are several interfaces where different entities interact:

1. User Interface (UI): This is where the user interacts with the system, such as through a web page in a web-based information system.
2. Application Programming Interface (API): This software interface allows different software components, like a database and a web server, to communicate with each other at the application layer.
3. Host Layer: This is where the software components, like the web server and database, interact with the hardware of the computers they run on and the network components that enable their communication.
4. Operating System (OS): The OS acts as the interface that allows software in the application layer to communicate with the system’s hardware.
5. Network Layer: This layer facilitates interaction between different computers running the system’s components, using hardware-based network interfaces to ensure connectivity between devices.

Question 6

What is an information system?

Answer 6

An information system consists of interrelated components working together to collect, process, store and disseminate information to support decision-making, coordination, control, analysis and visualisation in an organisation.
* Laudon and Laudon (2013, p. 143)*

Question 7

How do Assets, Vulnerabilities, Threats, Security Mechanisms and Exploits relate to each other?

Answer 7

• Assets are things of value, either tangible or intangible. Their value can be monetary or based on their importance to system functionality.
  Examples of assets include the system itself, along with the data, software, and hardware that comprise it.
• Assets are targets for threats: Threats may involve theft or actions that hinder, distort, or disrupt a system or its functions. The level of threat varies depending on the context.
  For instance, theft is more likely in urban areas than in rural ones, and computer peripherals are more prone to theft than internal components like a hard drive.
• Assets can be attacked through vulnerabilities: If not properly secured, assets are susceptible to attacks.
  For example, unsecured peripherals can be stolen or misplaced, and poorly designed applications can be manipulated to malfunction. An exploit refers to unauthorised access to a system asset.
• Assets may contain vulnerabilities: Attackers seek to exploit these weaknesses.
  In software and applications, vulnerabilities are often unnoticed programming or logic errors that attackers use to disrupt or halt system functions.
• A security mechanism responds to attacks: Security mechanisms ensure that a system’s security objectives are met by responding to attacks.
  For example, at the application layer, multi-factor authentication helps protect against attacks that attempt to impersonate an authorised user.

Question 8

What Security Mechanisms could be used to satisfy security objectives like CIA and AAA?

Answer 8

Availability: Ensuring the system remains fully operational and accessible to users is achieved by implementing multiple, redundant instances of critical components, such as web and database servers, and maintaining regular backups of data.

Authentication: Multi-factor authentication is used to verify that only legitimate users can access the system.

Authorisation: Access control techniques, like role-based access control, restrict specific operations to designated users. For example, only system administrators would have permission to modify the software on web and database servers.

Confidentiality: Cryptography and access control measures ensure that only authorised users can access the system’s data.

Integrity: By using a combination of cryptography and access control, the system ensures that only authorised users can modify the data it handles.

Accounting and Non-repudiation: Mechanisms that log all actions performed on the system, including the identity of the user and the date and time, provide accountability and non-repudiation capabilities.

Question 9

What is an Attack Vector?

Answer 9

An attack vector is the method or pathway through which an attacker gains unauthorised access to a system or network. It includes the techniques and tools used to exploit vulnerabilities in order to carry out malicious activities, such as phishing, malware, or exploiting software bugs.

Question 10

What are the different categories of Attack Vector?

Answer 10

• Interception: An interception attack vector refers to methods used by an attacker to secretly capture or eavesdrop on communications or data transfers between systems or users. Interception involves preventing someone or something from reaching its intended destination without being compromised. This can include techniques such as network sniffing, wiretapping, or man-in-the-middle (MitM) attacks, where the attacker intercepts and potentially alters the data being transmitted without the knowledge of the sender or receiver.
  BREACHES: Confidentiality (and subsequently integrity)
• Modification: A modification attack vector involves an attacker intercepting data, altering it, and then sending it on to its intended recipient. Often, interception serves as a precursor to modification, allowing the attacker to tamper with the original data. As a result, the recipient may receive altered information, leading to an integrity breach where the data no longer reflects its original state, potentially causing confusion or harm.
  BREACHES: Integrity (preceded by breach of confidentiality and Subsequently breach of authentication)
• Interruption: An interruption attack vector involves an attacker deliberately halting the continuous flow of communication or the operation of a system. In information security, this occurs when an attacker disrupts the communication between a sender and a receiver, preventing them from interacting. Interruptions typically arise from attacks on the communications infrastructure, such as the network, or on specific system components like servers or the applications running on them, leading to a breakdown in the system’s functionality or availability.
  BREACHES: Integrity, availability (preceded by confidentiality breach and Subsequently breach of authentication and non-repudiation)
• Replay: A replay attack vector is somewhat akin to both interception and modification, but falls in between the two. In a replay attack, an attacker first intercepts data and then retransmits an exact copy of that data, unaltered, to either the sender or receiver after a delay. The purpose of this tactic is often to elicit a response from the recipient that could reveal valuable information to the attacker, such as an encryption key or authentication credentials.
  BREACHES: Confidentiality (Subsequently, a breach of integrity, availability, authentication and non-repudiation)
• Fabrication: A fabrication attack vector involves creating or inventing false data or messages. In information security, this means an attacker generates a fraudulent message or data and sends it to the recipient, making it appear as though it came from a legitimate source. This type of attack is an extension of the replay attack vector but goes further by fabricating entirely new content rather than retransmitting intercepted data. The attacker typically bases the fabricated message on observations of previous exchanges, effectively mimicking the behaviour of a legitimate sender.
  BREACHES: Confidentiality, integrity, authentication and non-repudiation.

Question 11

What are the ISO 27000 series of standards used for?

Answer 11

The ISO 27000 series is a collection of international standards developed by the International Organisation for Standardisation (ISO) that provides comprehensive guidelines for establishing, implementing, maintaining, and continually improving Information Security Management Systems (ISMSs). These standards are designed to help organisations systematically manage sensitive information, ensuring its confidentiality, integrity, and availability while addressing various security risks.

Adhering to these standards indicates that an organisation has achieved a certain level of information security maturity. Accreditation can be obtained following an audit by qualified auditors, and a conformance certificate can be issued if desired.

The standards provide recommendations to establish, implement, operate, monitor, maintain, review and improve an ISMS implementation by addressing the following functions:

• Risk assessment
• Security policy
• Asset management
• Security of human resources
• Physical and environmental security
• Access control
• Information system acquisition, development and maintenance (i.e., securing applications when they are designed or purchased)
• Information security incident management and response management
• Business continuity management
• Compliance.

Question 12

What 8 types of standards are encapsulated within the ISO 27000 standards series?

Answer 12

• ISO/EC 27001: Requirements of ISMS
• ISO/IEC 27002: Code of controls for information security
  controls
• ISO/EC 27003: ISMS implementation guidelines
• ISO/EC 27004: Monitoring, measurement, analysis and
  evaluation of information security management
• ISO/EC 27005: Information security risk management
• ISO/EC 27006: Guidelines for audit and certification of
  ISMS (accreditation agencies)
• ISO/IEC 27007: Guidelines for ISMS audits
• ISO/EC 27008: Guidelines for auditors on information security controls

Question 13

What are the benefits of an ISO 27001 certification?

Answer 13

ISO 27001 is widely recognised as the leading international standard for information security management. It ensures that business security risks are managed in a cost-effective manner. Implementing ISO 27001 helps organisations meet data and privacy protection requirements set by regulations like the General Data Protection Regulation (GDPR) and provides an effective response to potential security threats.

Adopting ISO 27001 enables businesses to:

• Enhance risk management.
• Standardise interoperability between different organisations or within groups of an organisation.
• Demonstrate robust security practices, offering a competitive edge.
• Secure business opportunities with companies in regulated industries.
• Achieve regulatory compliance (such as GDPR) and meet the prerequisites for major contracts.
• Build a strong market reputation for secure practices.
• Avoid financial losses and regulatory penalties due to security breaches.