Cyber Security Flashcards

Question

Primary challenge of symmetric key cryptography

Answer 1

The main problem is key distribution. Let n be the number of parties who want to communicate: * When n = 2 we need one key * When n = 3 we need three keys * When n = 4 we need six keys * When n = 5 we need ten keys * In general we need n × (n − 1)/2 keys

Answer 2

It is currently necessary for the communicating parties to share a key which is known to no one else. This is done by sending the key in advance over some secure channel such as private courier or registered mail. A private conversation between two people with no prior acquaintance is a common occurrence in business, however, and it is unrealistic to expect initial business contacts to be postponed long enough for keys to be transmitted by some physical means. The cost and delay imposed by this key distribution problem is a major barrier to the transfer of business communications to large teleprocessing networks

Answer 3

Diffie-Hellman key exchange uses asymmetric encryption to exchange session keys. These are limited-use symmetric keys for temporary communications; they allow two entities to conduct quick, efficient, secure communications based on symmetric encryption, which is more efficient than asymmetric encryption for sending messages * DH based key establishment incorporated into in a number of standard protocols: * TLS/SSL (Transport Layer) * IPSec (Network Layer) * and is used in a variety of applications: * GlobalProtect VPN * Whatsapp * etc

Answer 4

* The most famous one is RSA: * developed by Rivest, Shamir and Adleman in 1978 * based on number-theoretical properties of natural numbers * Elliptic curves: * proposed independently in 1985 by Koblitz and Miller * uses similar ideas to RSA but using elliptic curves instead * same complexity as RSA but with smaller keys

Answer 5

Risk = likelihood x impact Component-driven approaches require the risk analyst to assess three elements of risk: threat, vulnerability and impact. Threat is the individual, group or circumstance which causes a given impact to occur, e.g., lone hacker, state-sponsored group, staff member who has made a mistake, or high-impact weather. The purpose of assessing threat is to improve the assessment of how likely a given risk is to be realised.

Answer 6

There are a number of Risk Assessment Methods/Frameworks * NIST 800-30 * ISO/IEC 27005 * ISACA COBIT * ISF IRAM 2 * HMG Information Assurance Standard 1 2 * Octave Allegro * ISACA COBIT 5 * Equally, there are a number of Information Security Management Frameworks: * NIST CSF * ISO/IEC 27000 series * etc

Answer 7

*Identify: Understand and prioritize cybersecurity risks, assets, and governance. Asset Management: Track all hardware, software, and data. Business Environment: Align cybersecurity with organizational goals. Governance: Define roles, responsibilities, and policies. Risk Assessment: Regularly evaluate and prioritize risks. Risk Management Strategy: Plan to mitigate identified risks. *Protect: Implement safeguards against cyber threats. Access Control: Manage access to systems and data. Awareness and Training: Educate employees on cybersecurity. Data Security: Encrypt and control access to data. Processes and Procedures: Establish cybersecurity guidelines. Maintenance: Update security measures regularly. Protective Technologies: Use tools to defend against threats. *Detect: Identify cybersecurity events promptly. Anomalies and Events: Spot unusual activities. Continuous Monitoring: Monitor systems and networks. Detection Processes: Have procedures to quickly identify threats. *Respond: Address detected cybersecurity incidents. Response Planning: Plan for incident responses. Communications: Report and manage incidents. Analysis: Investigate incidents to understand impact. Mitigation: Reduce incident impact. Improvements: Enhance response capabilities. *Recover: Restore services after a cybersecurity incident. Recovery Planning: Prepare for recovery. Improvements: Learn from incidents to improve recovery. Communications: Inform stakeholders during recovery.

Answer 8

Risk Assessment and Risk Management are essential to effectively implementing an Information Security Framework Risk Assessment * Risk = likelihood × impact * Qualitative vs Quantitative * Outputs prioritised list of relative risks Risk Control and Management * Control Strategies: * Avoid; Accept; Reduce; Transfer * Risk Management is a continual process * Identify, Analyse, Treat, Monitor * Limitations of Risk Methods and Frameworks

Answer 9

Identify risk identification * Identification of Assets * Identification of Threats * Identification of Existing Controls * Identification of Vulnerabilities * Identification of Consequences Analyse risk assessment * Assessment of consequences * Assessment of incident likelihood * Level of risk determination Treat risk treatment * Risk modification * Risk retention * Risk avoidance * Risk sharing Monitor monitoring and review

Answer 10

Uses scale of qualifying attributes to describe magnitude of consequences/likelihood (VL,L,M,H,VH) * Advantage - ease of understanding by all relevant personnel * Disadvantage - Dependence on subjective choice of the scale May be used: * As initial screening, to identify risks requiring detailed analysis * Where this analysis is sufficient for decisions * Where numerical data/resources inadequate for quotative analysis

Answer 11

Uses scale of objective numerical values for consequences/likelihood * Uses data from variety of sources * Quality of analysis depends on accuracy/completeness of numerical data * Typically uses historical incident data: * Advantage - related directly to info security objectives/concerns of organization * Disadvantage - Lack of data on new risks * Disadvantage - Accurate/missing data in general could create illusion of worth/accuracy of risk assessment * Uncertainty and variability of consequences/likelihood are to be considered and communicated

Answer 12

Retain/Accept risk retention - organisation may tolerate (but not ignore) risk * Avoid/Terminate risk avoidance - organisation may decide not to do the thing that incurs risk * Share/Transfer risk sharing - transfer risk via an insurance policy or a third party * Modify/Reduce risk modification - adopt controls to lower the current level of risk * by reducing likelihood . by reducing impact

Answer 13

Identify: Recognize potential risks. Analyse: Assess impact and likelihood of risks. Treat: Develop strategies to mitigate, transfer, avoid, or accept risks. Monitor: Continuously review and adjust risk management efforts.

Answer 14

* Limits of a ‘reductionist’ approach * Lack of variety * Limits of a ’fixed state’ approach * Lack of feedback and control * Losing risk signals in the ’security noise’ * System operation * Information opacity * Noise from misguided analysis * Noise from bias * Assumed determinability * Abstraction through labelling * The limits of using matrices * Limits in the way uncertainty is presented * The effect risk relationships have on impact * The adverse effect of intervention * Impacts are not limited to the scope of assessment * The effect of time on risk

Answer 15

The Common Weakness Enumeration (CWE) is a list of software security vulnerabilities maintained by MITRE, a non-profit R&D group. It provides descriptions and mitigation for each vulnerability. MITRE and the SANS Institute developed the CWE/25, listing the 25 most critical software vulnerabilities. A similar list is the OWASP Top 10 Project, which shares many vulnerabilities with the CWE/25.

Answer 16

XSS is improper neutralization of input during web page generation. Vulnerabilities occur when: .Untrusted data enters a web app. .The app dynamically generates a web page with this data. .The app fails to prevent executable data entry (e.g., JavaScript, HTML tags). .A victim visits the generated page containing the script. .The browser executes the script in the context of the web server's domain. .This violates the same-origin policy, allowing scripts to access resources across domains.

Answer 17

* Type 1: Reflected XSS (or Non-Persistent) Server reflects data in HTTP request back in HTTP response. Attacker makes victim supply bad content to vulnerable web app, which is reflected back and executed by victim’s browser. * Type 2: Stored XSS (or Persistent) App stores bad data in a database, message forum, visitor log, or other trusted data store. The dangerous data is later read back into the application and included in dynamic content.

Answer 18

* RULE 0 Never insert untrusted data except in allowed locations * RULE 1 HTML escape before inserting untrusted data into HTML element content * RULE 2 Attribute escape before inserting untrusted data into HTML common attributes * RULE 3 JavaScript escape before inserting untrusted data into JavaScript data values * RULE 3.1 HTML escape JSON values in an HTML context and read the data with JSON.parse * RULE 4 CSS escape And strictly validate before inserting untrusted data into HTML style property values * RULE 5 URL escape before inserting untrusted data into HTML URL parameter values * RULE 6 Sanitize HTML markup with a library designed for the job * RULE 7 Avoid JavaScript URL’s * RULE 8 Prevent DOM-based XSS * Bonus 1 Use HTTPOnly cookie flag * Bonus 2 Implement content security policy * Bonus 3 Use an auto-escaping template system * Bonus 4 Use the X-XSS-Protection response header * Bonus 5 Properly use modern JS frameworks

Answer 19

* Secure development is everyone’s concern * Keep your security knowledge sharp * Produce clean maintainable code * Protect your code repository * Secure the build and deployment pipeline * Continually test your security * Plan for security flaws * Secure your development environment

Answer 20

Security testing needs to consider: * effectiveness of defensive coding * protection against malware and code injection through interfaces * backup and recovery of data * access control * auditing and behavioural analysis * communications security * resilience

Answer 21

* Any change to software risks introducing new bugs/vulns * Formal change control processes manage these risks * Separation of duties ensures the person responsible for testing the code isn’t also responsible for its implementation non-technical * Two person control requires that an additional person signs off on the code changes, to reduce accidental or malicious flaws non-technical * Version Control Systems (e.g., git and svn)

Answer 22

Every software application and operating system contains bugs * Code complexity and size makes it impossible to test 100% of execution paths * Bugs have varied impacts on confidentiality, integrity and availability * Once found and fixed suppliers issue a patch that can be installed in order to remove the vulnerability * Patches should be rolled out at the earliest opportunity * Vulnerability may already be known to and exploited by attackers * Attackers may also try to reverse engineer patches to create new exploits * But, patches should be tested before roll out * patches should be tested in a non-live environment

Answer 23

* Certification – provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements. * Accreditation – formal recognition by an independent body, generally known as an accreditation body, that a certification body operates according to international standards. * Accredited certification typically mandated for safety/security critical systems * Formal review process to approve information security architecture, policy and procedures before the new/updated product/service/system is deployed/used * Will typically require periodic review and re-accreditation