U402 SAC Notes Flashcards
Q8) Propose a set of evaluation criteria to measure the effectiveness of the organisation’s security practices
1) How well does the organisation implement software security controls to protect the data?
2) Are the physical security controls in place functioning correctly?
3) Are policies revisited on a regular basis?
4) Is there a backup strategy in place to recover from any data loss?
5) Is the DRP (Disaster Recovery Plan) comprehensive?
6) How capable are staff, through their training and awareness, of recognising potential risks?
Examples of Accidental Threats
- Physical loss of hardware
- Deletion of files without having a backup
- Saving files in the wrong format, causing them to be corrupt
How to protect against accidental threats
Always having a backup is KEY.
Employee training also helps: staff can be informed of the importance of data security, raising awareness of the potential risks and dangers of data loss and ensuring the correct handling of sensitive information.
Examples of Event-based threats
- Hardware failure
- Power failure
- Software freezing
- Natural disasters
How to protect against Event-based threats
- Having a backup OFFSITE
- 3-2-1 Backup (3 backups, 2 media types -> cloud storage and tape backup, for instance, as they are manageable and data is easy to store)
- Regular software updates, so that the computers/networks have the latest security patches
- Disaster Recovery Plan
- Plan ahead of time, being prepared early for any incident
- Anticipating any potential risk, being able to take action ASAP
How to protect against Deliberate Threats
- Encrypting the data, so that the data is unreadable for any unauthorised party
- Honeypot intrusion detection → using active logs and tracing, traffic to the honeypot can alert the network admins to any intrusion
- Validation of user input against SQL injection and cross-site scripting, which protects users from these attacks
- Firewalls → only allowing traffic that meets certain criteria
- User authentication, enhancing security
- Ensure that all users are trained to recognise attacks, including social engineering attacks
Q10) Summarise how the relevant legislation must be adhered to
Privacy Act:
1) Open and transparent policy
2) Notification of the collection of personal information
3) Security of personal information
4) Collection of solicited and unsolicited information, with the individual’s consent
5) Use & Disclosure of Personal Information: organisations must only use or disclose information for the purpose that it was originally collected for
6) Quality of personal information
7) Access to personal information
8) Individuals will know why their personal information is being collected, how it will be used and who it will be disclosed to
9) Individuals have the option of not being identified.
Copyright Act:
- copyright owners must grant a licence for certain uses of their work
- Copyrighted work can enter the public domain after 70 years of the owner’s death
- individuals can copy 10% of a reference book WITHOUT permission
Health Records Act:
- Organisations can share personal information with other organisations for the SOLE PURPOSE OF RESEARCH, as long as the information is DE-IDENTIFIED.
Q11) Discuss any legal or ethical considerations and consequences to the ORGANISATION for ineffective security practices
1) If private personal information is lost, damaged or exposed, organisations may be prosecuted under the Privacy Act
2) If tax records are lost, they may be penalised by the Australian Taxation Office
3) If customer health data is lost or exposed, they may be penalised under the Health Records Act
4) Recreating lost or damaged data, and repairing or replacing damaged/stolen equipment, costs a lot of money
5) After a breach, the organisation may also damage its reputation, reducing customer loyalty
6) Loss of income, as the business may not be able to carry on if it is unable to pay wages -> decline in stock market value
7) Loss of productivity
Q7) Discuss the impact of ineffective security practices on data integrity
1) Data loss (big one), as ineffective backup and disaster recovery procedures can result in data loss
2) Data corruption
Malware, including viruses, can corrupt the data, making it inaccurate
3) Unauthorised tampering of data
- Unauthorised individuals can tamper with the data, altering critical information
4) Data Theft
- The data can be stolen, especially sensitive information
5) Ineffective security practices can result in data breaches and non-compliance with data protection regulations, leading to prosecution, fines, and damage to the organisation’s reputation.
6) Data trustworthiness (CORRECTNESS OF DATA)
- After the data is compromised, the data’s reliability weakens, and the data may be untrustworthy
7) The authenticity of data is affected, as the data is no longer from a trusted source
8) Data can be distributed to other people
Q5) Identify any Software security and data security vulnerabilities
1) Data breaches
- Customer personal information can be stolen or lost, e.g. through malware
2) MITM attacks
- An attacker gains access to a user’s data by inserting themselves into the middle of the communication between the user and the information system, e.g. by packet sniffing (eavesdropping and intercepting)
3) DDOS attacks
- Flooding of targeted web servers, overloading them with traffic (IP Requests)
4) Social Engineering
The manipulation of human nature to persuade the victim to provide personal information
For instance, phishing and tailgating people into unauthorised places
5) Cross-site scripting
Allows a malicious script to be inserted through a web page form, with the injected instructions then being issued to the server and giving access to personal data
6) SQL Injection
- Where the user injects their own code into the query; adding a statement that is always true can give them access to the entire database, compromising sensitive data
7) Cross-Site Request Forgery
- Unauthorized actions are performed on behalf of a user who is tricked into executing malicious requests.
8) Weak authentication
- Weak passwords are easy to crack -> a huge vulnerability for sensitive data
Q4) Software auditing strategies
1) Penetration testing
Challenging every page and line of code in the application to check for any vulnerabilities and weaknesses in the solution
2) Access Logs
Records that identify any suspicious behaviour: a detailed report of who did what, when and where within the system, through user identification, captured timestamps, and more.
3) Static Application Security Testing (SAST)
- Testing that analyses the source code to identify security vulnerabilities
- Helps identify security vulnerabilities in the initial stages of development, providing real-time feedback to the developers, to quickly resolve issues early on
- Does not require code to be executed or the application to be running (static)
4) Dynamic Application Security Testing (DAST)
Helps identify security vulnerabilities in your application in runtime after it is deployed
- Does not need the source code
- Tests the running application
User authentication advantages
Prevents unauthorised users from gaining access to sensitive data and the information system; with the use of complex passwords and MFA, this becomes even harder
Levels of access advantages
1) Limits the risk of unauthorised access to sensitive data, protecting its confidentiality.
2) Data integrity is preserved, as access control levels reduce the chances of data modification by unauthorised people
Encryption advantages
1) Data being sent is unreadable, ensuring that any unauthorised parties cannot read the data, even if intercepted
Version control definition and advantages
What is it?
Software that keeps track of and manages the modifications made to the source code
1) The integrity of software code is maintained by tracking changes made to the codebase, detecting any malicious modifications
2) There is a record of any changes to the code, which can help trace the origin of any security vulnerabilities and identify WHEN they were implemented