Unit 1: Cybersecurity Principles Flashcards
“RAM”?
Random Access Memory
“ROM”?
Read Only Memory
Difference between RAM and storage (as human equivalent)
RAM=short-term memory
Storage=long-term memory
Purpose of IEEE
Creating standards for electronics manufacturing
Complexity principle (re: compromise)
More complicated = less likely
Principle of ‘security’
Security exists only so far as the ability to prevent threats.
Outline Log4j attacks.
Hackers exploiting vulnerability in Java in the back end to access a user’s command line.
What is Catfishing?
- Attacker poses as attractive person online
- Defrauds victim who is now in love with them
Define ‘Advanced Persistent Threat’ (3)
1. Sophisticated, sustained cyber attack; 2. Intruder establishes undetected presence; 3. To steal data over a long time.
Difference between LAN and WAN.
LAN = Router looks inside to groups of devices;
WAN = LANs connected by Internet Service Providers.
Define ‘Source Code’.
A text listing of commands to be compiled or assembled into an executable program.
Language used to write (most) operating systems.
C
Outline ‘Supply Chain Attack’ (3)
1. Attacker infects software upstream in the supply chain; 2. Malware spreads to other areas in the network; 3. Allows access to sensitive data in downstream organisations.
What is a Boolean Operator? (2)
1. A word or phrase connecting search terms; 2. To create a logical phrase understandable to a database.
Examples of Boolean Operators (3) and their functions (3).
- AND: requires both search terms to be present.
- OR: one or the other term must be present in result.
- NOT: excludes search results that contain the search term.
Search for scissors on Italian websites using Google Dorking.
“scissors” site:.it
Search for A-Level Mathematics Results on the UCAS website only.
“A-level mathematics results” site:ucas.com
Search for cybersecurity, but only for results related to hacking.
“cybersecurity” AND “hacking”
What is a Hazard?
Potential issue that may lead to vulnerability.
What is a Vulnerability?
Actual weaknesses open to exploit.
What is a Risk?
Potential exposure to breach and the impacts of breach.
Give examples of Cybersecurity hazards (3)
- Using an online database.
- Located in a particular country.
- Dealing with certain types of clients/industries.
Give examples of Cybersecurity (3)
- Physical/Social: real-world, people.
- Logical: software, network.
- External: 3rd-party dependence.
Give examples of things breaches can impact (5)
- Uptime.
- Operations.
- Damaged services.
- Costs to Reputation.
- Penalty costs.
The three protection goals in information security.
Confidentiality, integrity, availability.
Define “confidentiality”
Preventing unauthorised gain of information.
Define “integrity”
Prevention or detection of unauthorised data modification
Define “availability”
Prevention of unauthorised deletion or disruption
The two types of data that protection goals apply to
- Data at rest
- Data in transit.
Define “data at rest”
Data stored on a computer or on paper
Define “data in transit”
Data being sent over a network
Define “authorised actor”
Person authorised to access a store of data
Give an example of accessibility in relation to data stored on a smart phone
Backups to the cloud in case of machine failure
Define “authenticity” as a protection goal
Preventing actors from impersonating someone else
Define “non-repudiation” as a protection goal
Preventing actors from denying that they carried out a particular act
Why are non-repudiation and authenticity necessary protection goals?
In order to hold actors accountable
What is the goal of computer security?
To protect valuable assets
What are assets in relation to computer security? (3)
Hardware, software and data
Define “threat”
Any occurrence that may result in asset loss or damage
Define “information security”
Protection of data and any information derived from its interpretation
Define “system security” (2)
1. Ensuring computer systems work as intended; 2. by protecting them from attack.
What is authentication?
Requiring users to enter a password
What are access controls?
Rules that govern the information a user can access
Examples of how to achieve confidentiality in system security (2)
- Data encryption.
- Combination of authentication and access controls.
What are “cyber-physical systems”?
Systems affecting the real world
List five examples of cyber-physical systems (5)
- Traffic lights.
- Hospital respirators.
- Power plant control systems.
- Autopilot.
- Industrial robots.
What is critical infrastructure?
Systems which have a significant impact on society if they fail
Difference between safety and security
Safety: protects against non-malicious threats
Security: protects against malicious threats
What are benign threats?
Threats due to human errors
What are malicious threats?
Threats due to bad intentions
What are random attacks?
Attacks where victim is not important so long as there is gain
What is a targeted attack?
Strategic attack directed at a particular victim
Define “vulnerability” (2)
1. A flaw or weakness in the system's design, implementation, or operation and management; 2. that could be exploited to violate the system's security policy.
How to decide the severity of a risk
- Impact of possible attack.
- Likelihood of attack taking place.
What are the four ways of handling risks? (4)
- Avoidance.
- Mitigation.
- Transfer.
- Acceptance.
How to avoid risk
Refrain from implementing a feature
How to mitigate risks
Implement countermeasures to decrease impact and/or likelihood
How to transfer risks
Buy insurance or levy impact onto another party
What is risk acceptance?
Deciding to cover the cost of an attack
What is a “negative externality” in relation to risk?
System designers transfer risk to the users of system
What is “negative externality” in relation to risk?
Designers of system transfer threat impact to the users
Problem created by negative externality
Lower incentive for designers to create highly secure systems
Define “sensitive data” (6)
Data revealing: ethnic origin, political opinions, beliefs, trade union membership or concerning health or sex life
Define “personally identifiable information” (3)
Information that (1) identifies, (2) describes or (3) is unique to an individual.