Threat Modelling, Secure Design and Threat Detection

Question 1

What is a cyber threat?

Answer 1

“any circumstance or event with the potential to adversely impact an asset through unauthorised access, destruction, disclosure, modification of data, and/or denial of service” (ENISA)

Question 2

What is a short description of a threat?

Answer 2

A set of circumstances that has the potential to cause loss or harm

Question 3

What are 3 non-human threats?

Answer 3

• natural disasters
• loss of electrical power
• failure of a component

Question 4

why use threat models?

Answer 4

to put yourself into the shoes of the attacker so you can better protect your systems

Question 5

What are the 2 types of models?

Answer 5

Attack Models and Adversarial Models

Question 6

what are the 3 goals of computer security?

Answer 6

confidentiality, integrity, availability

Question 7

what 3 things must an attacker have to ensure access?

Answer 7

method, opportunity and motive

Question 8

what are the 7 stages of an attack?

Answer 8

• reconnaissance
• weaponization
• delivery
• exploitation
• installation
• command and control
• act on objectives

Question 9

What does STIX stand for?

Answer 9

Structured Threat Information Expression

Question 10

What is STIX?

Answer 10

a graph based representation of attackers, campaigns and victims.

Question 11

What is STRIDE?

Answer 11

a system developed my Microsoft for thinking about computer security threats.

Question 12

What is spoofing?

Answer 12

an agent pretends to be somebody else

Question 13

What does tampering do?

Answer 13

violates the integrity of an asset

Question 14

What is repudiation?

Answer 14

an agent denies having performed an action to escape responsibility

Question 15

What does information disclosure do?

Answer 15

violates the confidentiality of an asset

Question 16

What does denial of service do?

Answer 16

violates the availability of an asset

Question 17

What is elevation of privileges?

Answer 17

an agent gains more privileges beyond its entitlement

Question 18

what are the components of DREAD?

Answer 18

Damage
Reproducibility
Exploitability
Affected users
Discovery

Question 19

What is the DREAD equation?

Answer 19

Risk_DREAD = (D + R + E + A +D) /5

Question 20

What are the 7 stages of the security development lifecycle?

Answer 20

1. training
2. requirements
3. design
4. implementation
5. verification
6. release
7. response

Question 21

what is a methodology?

Answer 21

a body of practices, procedures, and rules used by those who work in a discipline or engage in an inquiry; a set of working methods.

Question 22

What is coupling?

Answer 22

how independent each module is

Question 23

What is cohesion?

Answer 23

How well do the modules work together

Question 24

What is the ideal coupling/cohesion state?

Answer 24

loosely couples, highly cohesive.

Question 25

What does the model in model-view-controller do?

Answer 25

directly manages data, logic and rules of the application

Question 26

What does the view in model-view-controller do?

Answer 26

outputs representation of information

Question 27

What does the controller in model-view-controller do?

Answer 27

accepts inputs and converts it to commands for the model

Question 28

What is Model-View-Presenter?

Answer 28

a variant of MVC where presentation logic is pushed to a presenter.

Question 29

What does the presentation model do

Answer 29

represents the state and behaviour of the presentation independently of the controls used in the interface

Question 30

What does MVP enable?

Answer 30

Deployment of the program, in the real world faster | Design follows capacity of the development team

Question 31

What are the 4 kinds of testing?

Answer 31

Unit Testing Integration testing System Testing Acceptance Testing

Question 32

What does Virtualization do?

Answer 32

Enables you to run multiple operating systems on the hardware of a single physical machine.

Question 33

What does containerization do?

Answer 33

Enables you to deploy multiple applications using the same operating system on a single virtual machine or server.

Question 34

What's the difference between virtualization and emulation?

Answer 34

virtualization directly accesses the hardware, whereas emulation does not run on the physical hardware.

Question 35

What is the standard risk model?

Answer 35

Risk = likelihood * impact

Question 36

Intrusion Detection System

Answer 36

passive - incident handling for response

Question 37

Intrusion Prevention System

Answer 37

active - Firewall ++

Question 38

What are the components of an IDS/IPS?

Answer 38

audit subsystem analysis component response component

Question 39

What does the audit subsystem do?

Answer 39

captures audit data

Question 40

What does the analysis component do?

Answer 40

performs a statistical analysis of the audit data

Question 41

What does the response component do?

Answer 41

reacts to intrusions

Question 42

What are intrusion detection systems classified by?

Answer 42

location, detection mechanism and response mechanism

Question 43

What are the options for the location of a IDS?

Answer 43

host-based, network-based, or hybrid

Question 44

What are the options for the detection mechanism of an IDS?

Answer 44

signature-based, anomaly detection, or hybrid

Question 45

What are the options for the response mechanism of an IDS?

Answer 45

passive or active (IPS)

Question 46

What are some pros of host based IDS?

Answer 46

any from: - pure software - not affected by network encryption or switched networks - decisions can depend on outcome - most complete view on data - can detect insider attacks

Question 47

What are some cons of host-based IDS?

Answer 47

any from: - takes up host resources - cannot detect attacks on the whole system - may be disabled by the intruder - strong dependency on OS

Question 48

What are some pros of network based IDSs?

Answer 48

any from: - can monitor many hosts, OSs and OSI layers - has a global view of activity, can detect port scans - takes no resources of monitored hosts - invisible to intruder - centralized, so easy to maintain and cheap

Question 49

What are some cons of network based IDSs?

Answer 49

any from: - packet reassembly is time consuming and error-prone - can be affected by encryption and switched networks - limited understanding of semantics - attacks from insiders usually undetected

Question 50

What is misuse detection?

Answer 50

actions that match the pattern of a known attack are considered intrusive

Question 51

What is a misuse signature?

Answer 51

an IDS signature is a pattern possible to identify from traffic data

Question 52

What are the pros of misuse detection?

Answer 52

- good attack identification | - no training required

Question 53

What are the cons of misuse detection?

Answer 53

- detects only know attacks - signatures must be updated in a timely fashion - little robustness against small attack variations - quite easy to evade

Question 54

What are the 3 methods for detecting anomalies?

Answer 54

Statistical based, knowledge based and machine learning based

Question 55

What are the advantages of anomaly detection?

Answer 55

- can often identify not previously know attacks | - can serve as a source for signature-based IDS

Question 56

What are the cons of anomaly detection?

Answer 56

- prone to false alarms - requires extensive training - machine learning techniques are hard to debug

Question 57

What are the 4 types of alerts?

Answer 57

- True Positive - False Positive - True Negative - False Negative

Question 58

Where is a firewall typically placed?

Answer 58

at a perimeter

Question 59

What are the components of real time monitoring and management in a security operation centre.

Answer 59

- aggregate logs and data - proactive efforts - report about new vulnerability - coordinate response - suggest remediation

Question 60

Who are attacks that are spotted by SOCs reported to?

Answer 60

executives, auditors, security staff

Question 61

What are the 2 components of post-incident analysis

Answer 61

forensics and investigation

Question 62

What are some SOC needs?

Answer 62

- internal/external security devices management - proactive vs. reactive incident handling - forensics - vulnerability management - audit/pen test