Threat Modelling, Secure Design and Threat Detection Flashcards

1
Q

What is a cyber threat?

A

“any circumstance or event with the potential to adversely impact an asset through unauthorised access, destruction, disclosure, modification of data, and/or denial of service” (ENISA)

2
Q

What is a short description of a threat?

A

A set of circumstances that has the potential to cause loss or harm

3
Q

What are 3 non-human threats?

A
  • natural disasters
  • loss of electrical power
  • failure of a component
4
Q

Why use threat models?

A

to put yourself into the shoes of the attacker so you can better protect your systems

5
Q

What are the 2 types of models?

A

Attack Models and Adversarial Models

6
Q

What are the 3 goals of computer security?

A

confidentiality, integrity, availability

7
Q

What 3 things must an attacker have to ensure access?

A

method, opportunity and motive

8
Q

What are the 7 stages of an attack?

A
  • reconnaissance
  • weaponization
  • delivery
  • exploitation
  • installation
  • command and control
  • act on objectives
9
Q

What does STIX stand for?

A

Structured Threat Information Expression

10
Q

What is STIX?

A

a graph based representation of attackers, campaigns and victims.

11
Q

What is STRIDE?

A

a system developed by Microsoft for thinking about computer security threats.

12
Q

What is spoofing?

A

an agent pretends to be somebody else

13
Q

What does tampering do?

A

violates the integrity of an asset

14
Q

What is repudiation?

A

an agent denies having performed an action to escape responsibility

15
Q

What does information disclosure do?

A

violates the confidentiality of an asset

16
Q

What does denial of service do?

A

violates the availability of an asset

17
Q

What is elevation of privileges?

A

an agent gains more privileges beyond its entitlement

18
Q

What are the components of DREAD?

A
  • Damage
  • Reproducibility
  • Exploitability
  • Affected users
  • Discovery
19
Q

What is the DREAD equation?

A

Risk_DREAD = (D + R + E + A + D) / 5

20
Q

What are the 7 stages of the security development lifecycle?

A
  1. training
  2. requirements
  3. design
  4. implementation
  5. verification
  6. release
  7. response
21
Q

What is a methodology?

A

a body of practices, procedures, and rules used by those who work in a discipline or engage in an inquiry; a set of working methods.

22
Q

What is coupling?

A

how independent each module is

23
Q

What is cohesion?

A

How well do the modules work together

24
Q

What is the ideal coupling/cohesion state?

A

loosely coupled, highly cohesive.

25
What does the model in model-view-controller do?
directly manages data, logic and rules of the application
26
What does the view in model-view-controller do?
outputs representation of information
27
What does the controller in model-view-controller do?
accepts input and converts it to commands for the model
28
What is Model-View-Presenter?
a variant of MVC where presentation logic is pushed to a presenter.
29
What does the presentation model do?
represents the state and behaviour of the presentation independently of the controls used in the interface
30
What does MVP enable?
  • Deployment of the program in the real world faster
  • Design follows capacity of the development team
31
What are the 4 kinds of testing?
  • Unit Testing
  • Integration Testing
  • System Testing
  • Acceptance Testing
32
What does Virtualization do?
Enables you to run multiple operating systems on the hardware of a single physical machine.
33
What does containerization do?
Enables you to deploy multiple applications using the same operating system on a single virtual machine or server.
34
What's the difference between virtualization and emulation?
virtualization directly accesses the hardware, whereas emulation does not run on the physical hardware.
35
What is the standard risk model?
Risk = likelihood * impact
36
Intrusion Detection System
passive - incident handling for response
37
Intrusion Prevention System
active - Firewall ++
38
What are the components of an IDS/IPS?
  • audit subsystem
  • analysis component
  • response component
39
What does the audit subsystem do?
captures audit data
40
What does the analysis component do?
performs a statistical analysis of the audit data
41
What does the response component do?
reacts to intrusions
42
What are intrusion detection systems classified by?
location, detection mechanism and response mechanism
43
What are the options for the location of an IDS?
host-based, network-based, or hybrid
44
What are the options for the detection mechanism of an IDS?
signature-based, anomaly detection, or hybrid
45
What are the options for the response mechanism of an IDS?
passive or active (IPS)
46
What are some pros of host based IDS?
any from:
  • pure software
  • not affected by network encryption or switched networks
  • decisions can depend on outcome
  • most complete view on data
  • can detect insider attacks
47
What are some cons of host-based IDS?
any from:
  • takes up host resources
  • cannot detect attacks on the whole system
  • may be disabled by the intruder
  • strong dependency on OS
48
What are some pros of network based IDSs?
any from:
  • can monitor many hosts, OSs and OSI layers
  • has a global view of activity, can detect port scans
  • takes no resources of monitored hosts
  • invisible to intruder
  • centralized, so easy to maintain and cheap
49
What are some cons of network based IDSs?
any from:
  • packet reassembly is time consuming and error-prone
  • can be affected by encryption and switched networks
  • limited understanding of semantics
  • attacks from insiders usually undetected
50
What is misuse detection?
actions that match the pattern of a known attack are considered intrusive
51
What is a misuse signature?
an IDS signature is a pattern that can be identified from traffic data
52
What are the pros of misuse detection?
  • good attack identification
  • no training required
53
What are the cons of misuse detection?
  • detects only known attacks
  • signatures must be updated in a timely fashion
  • little robustness against small attack variations
  • quite easy to evade
54
What are the 3 methods for detecting anomalies?
Statistical based, knowledge based and machine learning based
55
What are the advantages of anomaly detection?
  • can often identify previously unknown attacks
  • can serve as a source for signature-based IDS
56
What are the cons of anomaly detection?
  • prone to false alarms
  • requires extensive training
  • machine learning techniques are hard to debug
57
What are the 4 types of alerts?
  • True Positive
  • False Positive
  • True Negative
  • False Negative
58
Where is a firewall typically placed?
at a perimeter
59
What are the components of real-time monitoring and management in a security operations centre?
  • aggregate logs and data
  • proactive efforts
  • report about new vulnerabilities
  • coordinate response
  • suggest remediation
60
Who are attacks that are spotted by SOCs reported to?
executives, auditors, security staff
61
What are the 2 components of post-incident analysis?
forensics and investigation
62
What are some SOC needs?
  • internal/external security devices management
  • proactive vs. reactive incident handling
  • forensics
  • vulnerability management
  • audit/pen test