Threat Modelling, Secure Design and Threat Detection Flashcards
What is a cyber threat?
“any circumstance or event with the potential to adversely impact an asset through unauthorised access, destruction, disclosure, modification of data, and/or denial of service” (ENISA)
What is a short description of a threat?
A set of circumstances that has the potential to cause loss or harm
What are 3 non-human threats?
- natural disasters
- loss of electrical power
- failure of a component
Why use threat models?
to put yourself into the shoes of the attacker so you can better protect your systems
What are the 2 types of models?
Attack Models and Adversarial Models
What are the 3 goals of computer security?
confidentiality, integrity, availability
What 3 things must an attacker have to ensure access?
method, opportunity and motive
What are the 7 stages of an attack?
- reconnaissance
- weaponization
- delivery
- exploitation
- installation
- command and control
- act on objectives
What does STIX stand for?
Structured Threat Information Expression
What is STIX?
a graph-based representation of attackers, campaigns and victims.
What is STRIDE?
a system developed by Microsoft for thinking about computer security threats.
What is spoofing?
an agent pretends to be somebody else
What does tampering do?
violates the integrity of an asset
What is repudiation?
an agent denies having performed an action to escape responsibility
What does information disclosure do?
violates the confidentiality of an asset
What does denial of service do?
violates the availability of an asset
What is elevation of privileges?
an agent gains more privileges beyond its entitlement
What are the components of DREAD?
Damage, Reproducibility, Exploitability, Affected users, Discovery
What is the DREAD equation?
Risk_DREAD = (D + R + E + A + D) / 5
What are the 7 stages of the security development lifecycle?
- training
- requirements
- design
- implementation
- verification
- release
- response
What is a methodology?
a body of practices, procedures, and rules used by those who work in a discipline or engage in an inquiry; a set of working methods.
What is coupling?
how independent each module is
What is cohesion?
How well do the modules work together
What is the ideal coupling/cohesion state?
loosely coupled, highly cohesive.
What does the model in model-view-controller do?
directly manages data, logic and rules of the application
What does the view in model-view-controller do?
outputs representation of information
What does the controller in model-view-controller do?
accepts inputs and converts it to commands for the model
What is Model-View-Presenter?
a variant of MVC where presentation logic is pushed to a presenter.
What does the presentation model do?
represents the state and behaviour of the presentation independently of the controls used in the interface
What does MVP enable?
Faster deployment of the program in the real world
Design follows capacity of the development team
What are the 4 kinds of testing?
Unit Testing
Integration testing
System Testing
Acceptance Testing
What does Virtualization do?
Enables you to run multiple operating systems on the hardware of a single physical machine.
What does containerization do?
Enables you to deploy multiple applications using the same operating system on a single virtual machine or server.
What’s the difference between virtualization and emulation?
virtualization directly accesses the hardware, whereas emulation does not run on the physical hardware.
What is the standard risk model?
Risk = likelihood * impact
Intrusion Detection System
passive - incident handling for response
Intrusion Prevention System
active - Firewall ++
What are the components of an IDS/IPS?
audit subsystem
analysis component
response component
What does the audit subsystem do?
captures audit data
What does the analysis component do?
performs a statistical analysis of the audit data
What does the response component do?
reacts to intrusions
What are intrusion detection systems classified by?
location, detection mechanism and response mechanism
What are the options for the location of an IDS?
host-based, network-based, or hybrid
What are the options for the detection mechanism of an IDS?
signature-based, anomaly detection, or hybrid
What are the options for the response mechanism of an IDS?
passive or active (IPS)
What are some pros of host based IDS?
any from:
- pure software
- not affected by network encryption or switched networks
- decisions can depend on outcome
- most complete view on data
- can detect insider attacks
What are some cons of host-based IDS?
any from:
- takes up host resources
- cannot detect attacks on the whole system
- may be disabled by the intruder
- strong dependency on OS
What are some pros of network based IDSs?
any from:
- can monitor many hosts, OSs and OSI layers
- has a global view of activity, can detect port scans
- takes no resources of monitored hosts
- invisible to intruder
- centralized, so easy to maintain and cheap
What are some cons of network based IDSs?
any from:
- packet reassembly is time consuming and error-prone
- can be affected by encryption and switched networks
- limited understanding of semantics
- attacks from insiders usually undetected
What is misuse detection?
actions that match the pattern of a known attack are considered intrusive
What is a misuse signature?
an IDS signature is a pattern possible to identify from traffic data
What are the pros of misuse detection?
- good attack identification
- no training required
What are the cons of misuse detection?
- detects only known attacks
- signatures must be updated in a timely fashion
- little robustness against small attack variations
- quite easy to evade
What are the 3 methods for detecting anomalies?
Statistical based, knowledge based and machine learning based
What are the advantages of anomaly detection?
- can often identify previously unknown attacks
- can serve as a source for signature-based IDS
What are the cons of anomaly detection?
- prone to false alarms
- requires extensive training
- machine learning techniques are hard to debug
What are the 4 types of alerts?
- True Positive
- False Positive
- True Negative
- False Negative
Where is a firewall typically placed?
at a perimeter
What are the components of real-time monitoring and management in a security operation centre?
- aggregate logs and data
- proactive efforts
- report about new vulnerability
- coordinate response
- suggest remediation
Who are attacks that are spotted by SOCs reported to?
executives, auditors, security staff
What are the 2 components of post-incident analysis?
forensics and investigation
What are some SOC needs?
- internal/external security devices management
- proactive vs. reactive incident handling
- forensics
- vulnerability management
- audit/pen test