Generelle Konsepter

Question 1

Define “Confidentiality”, main threats and controls

Answer 1

The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Main Threats:

• Theft
• Unintentional disclosure

Controls:

• Encryption
• Perimeter defence
• Access control

Question 2

Define “Data Integrity” and “System integrity”, main threats and controls

Answer 2

Data integrity: The property that data has not been altered or destroyed in an unauthorized manner (X.800: Security Architecture for Open Systems Interconnection (OSI))

System integrity: The property of accuracy and completeness (ISO 27000)

Main Threats:

• Data corruption
• System corruption

Controls:

• Access control
• Cryptographic integrity check and encryption
• Perimeter defence
• Audit and verification of systems and applications

Question 3

Define “Availability”, main threats and controls

Answer 3

The property of being accessible and usable upon demand by authorised entity (ISO 27000)

Main Threats:
-DOS-attack

Controls:

• Redundancy of resources
• Traffic filtering
• Incident recovery
• International collaboration and policing

Question 4

Define “Non-repudiation”, main threats and controls

Answer 4

Making sending and receiving messages undeniable through unforgeable evidence.

Main Threats:

• Sender denies having sent message
• Receiver denies having received message

Controls:
- Digital signature. Cryptographic evidence that can be confirmed by third party.

Non-repudiation refers to a state of affairs where the author of a statement will not be able to successfully challenge the authorship of the statement or validity of an associated contract. The term is often seen in a legal setting wherein the authenticity of a signature is being challenged. In such an instance, the authenticity is being “repudiated”.

Question 5

Define “Accountability”, main threats and controls

Answer 5

Trace actions to a spesific user and hold them responsible.

Main Threats:

• Inability to identify source of incident.
• Inability to make attacker responsible.

Controls:

• Identify and and authenticate users
• Log all system events
• Electronic signature
• Non-repudiation based on digital signature
• Forensics

Question 6

Security controls categories:
What is Physical controls?
What is Technical controls?
What is Administrative controls?

Answer 6

• Physical controls: Security guards, locks.
• Technical controls: Firewall, logical access control, intrusion detection.
• Administrative controls: Policies and standards, Incident response.

Question 7

Functional controls categories:
What is Preventive controls?
What is Detective controls?
What is Corrective controls?

Answer 7

• Preventive controls: Encryption of files
• Detective controls: Intrusion detection system
• Corrective controls: Restoring all system to last known good image to bring corrupted system back online.

Question 8

What is Authentication?
What is Access control?
What is Authorization?

Answer 8

Authentication (User)
The process where user gives his/her password to prove his identity to the system that verifies the password.

Access control (System) 
The system checks the user and grants correct access to system or service.

Authorization (Authority)
Defines and grants permissions to users.

Question 9

What is an Cryptoperiod and why is it important?

Answer 9

Cryptoperiod is the timespan during which a specific key is authorized for use. Consists of the protecting period( used for encryption and signing) and the processing period(used for reading only).

It is important because it:

• Limits the amount of information protected by a given key, that is available for cryptoanalysis.
• Limits the amount of exposure and damage if key is compromised
• Limits the use of a particular algorithm to its estimated effective lifetime

Question 10

What is cryptography and cryptoanalysis?

Answer 10

• Cryptography is the science of secret writing with the goal of hiding the meaning of a message.
• Cryptoanalysis is the science and sometimes art of breaking cryptosystems.

Question 11

What is the definition of “information security” according to ISO27000?

Answer 11

Information security is the preservation of

• Confidentiality,
• Integrity and
• Availability of information;

in addition, other properties such as

• Authenticity,
• Accountability,
• Non-repudiation and
• Reliability can also be involved.

Question 12

Define

“User authentication” , main threats and controls

Answer 12

User authentication:
– The process of verifying a claimed identity of a user when accessing a system or an application. Log in!

Main Threats:
Unauthorised access.

Controls:
Passwords, tokens, biometrics, cryptographic protocols

Question 13

Define

“System authentication”, main threats and controls

Answer 13

System authentication:
– The process of verifying correct identity of remote hosts/servers.

Main Threats:

• Network intrusion
• Masceurading attacks
• DDos attacks
• Replay attacks

Controls:
- System: cryptographic authentication protocols based on hashing and encryption algorithms.
(TSL, VPN, IPSEC)

Question 14

Define

“Organisation authentication”, main threats and controls

Answer 14

Organisation authentication:
– The process of verifying correct identity of the organization.

Main Threats:

• Network intrusion
• Masceurading attacks
• DDos attacks
• Replay attacks

Controls:
- System: cryptographic authentication protocols based on hashing and encryption algorithms.
(TSL, VPN, IPSEC)

Question 15

Define

“Data origin authentication” , main threats and controls

Answer 15

Data origin authentication (message authentication):
– The process of verifying the source of data received

Main Threats:
Data:
-false transactions
-false messages and data

Controls:

• Encryption with shared secret key
• MAC
• Security protocols
• Digital signature with private key
• Electronic signature.

Question 16

What is symmetric encryption, and where is it used?

Answer 16

Symmetric Encryption
The key is the same and is agreed on before the exchange of data, in private. This is great for people, but for two computers it is impossible to meet in private to exchange the secret key. That is why this is not used on everyday computing. For that we have asymmetric encryption.

Question 17

What is asymmetric encryption, and how does it work?

Answer 17

Asymmetric Encryption 
Divides the key into two, one public and one private.

Bobs “public key” is shared with everybody so anybody kan encrypt a message that they want to send to Bob. 

Bobs “private key” is the only one who can be used to decrypt and read the messages, and is stored on bobs computer.



Example: 
You have a mail box with two different keys; one for placing mail (Public) and one for opening the mailbox (Private). The postman and the newspaper delivery man has a copy of the key that must be used to place mail (The public). But you, and only you have the key to open the mailbox and get out the mail (The private).

Question 18

Arymetric keys and cryptography solves security problems in open networks, but what is the main challenge when applying it?

Answer 18

Key distribution challenges.

Public key cryptography needs a PKI (Public key infrastructure) in order to be practical.

Question 19

What is the definition of risk according to ISO31000?

Answer 19

“Risk is the effect of uncertainty on objectives”

Question 20

What is ISO 27001?

Answer 20

ISO 27001:
Specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization. Mesure efficency etc.

The ISMS-Cycle is the model in focus, which consist of planning, risk assessment, security controls, evaluation and reporting. Tasks that are repeated to continually improve an ISMS.

Question 21

What is ISO 27002?

Answer 21

ISO 27002:
Is a checklist to implement IT security
– Contains 14 categories (control objectives) of security controls
– In total, the standard describes 113 generic security controls

Question 22

What is the ISO 27K-series?

Answer 22

The ISO/IEC 27000-series (also known as the ‘ISMS Family of Standards) comprises information security standards published jointly by ISO and IEC.

The series provides best practice recommendations on information security management - the management of information risks through information security controls - within the context of an overall Information security management system (ISMS).

Question 23

Define these three human factors:

• Personnel integrity
• Personnel as defense
• Security usability

Answer 23

Personnel integrity - Making sure personnel do not become attackers
Personnel as defence - Making sure personnel do not fall victim to social engineering attacks
Security usability - Making sure users operate security correctly

Question 24

What is the definition of Information security risk management (ISMS) in the ISO 27005?

Answer 24

ISO 27005:
“Information security risk management (ISMS) analyses what can happen and what the possible consequences can be, before deciding what should be done and when, to reduce risk to an acceptable level.”

Question 25

What is a Hash function?

Answer 25

A Hash function is a function that is easy to compute but hard to invert. This can be used to safely stor passwords as hash values. Authentication function first computes hash of received password, then compares against the stored hash value. That way the password is not stored in cleartext, but is still comparable when authentication is needed.

Question 26

What is "salt" in cryptography?

Answer 26

In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" data, a password or passphrase. The primary function of salts is to defend against dictionary attacks or against its hashed equivalent, a pre-computed rainbow table attack.

Question 27

Define Entity, Identity, identifier and digital identity

Answer 27

Entity: - A person, organisation or system. Identity: - A set of name/attributes of entity in a specific domain. - An entity may have multiple identities in multiple domains. - An entity may have multiple identities in a single domain. Identifier: - A unique identifier assigned to each entity. Digital identity: - Digital representation of name and attributes in a way that is suitable to be processed by computers

Question 28

Identity management model, what is SILO and Federate models? Mention pros and cons.

Answer 28

SILO: Service provider (SP) controls the name space, provides the identity and the access credentials to the user. Pros and cons: + Low cost + easy to implement + easy to deploy - Low usability - identity overload - lost business Federate: A set of agreements, standards and technologies that enable a group of service providers to recognise and trust user identities and credentials from different IDPs, CrPs and SPs. Pros and cons: + Bundled services + Collect user data + Strengthen privacy by psydonym - low privacy for user - more dependencies - high technical complexity - high trust requirements - limited scalability - new form of silo

Question 29

Name the four types of Federate Identity management models and give examples .

Answer 29

Four main types: 1.CF - Centralized Federation (Google): Centralised name space and management of credentials by single IdP/CrP. 2.DICA - Distributed Identity with Centralised Authentication (Facebook): Distributed name spaces managed by multiple IdPs. Centralised credentials authentication by single CrP. 3.CIDA - Centralized Identity with Distributed Authentication (Altinn): Centralised name space managed by single IdP. Distributed management of credentials and authentication by multiple CrPs. 4. DF - Distributed Federation (Feide): Distributed name spaces and management of credentials by multiple IdPs and CrPs.

Question 30

Identity management, define MAC, DAC, RBAC and ABAC.

Answer 30

MAC: Mandatory access control, access based on labels. Example: "Confidential", "Secret", "Sales-dep". DAC: Discretionary access control, access specified and enforced based on the identity of the user. RBAC: Role based access control, user has access based on role ABAC: Attribute based access control, access rights are granted to users through the use of policies which combine attributes together. For example: IF the requestor is a manager, THEN allow read/write access to sensitive data.

Question 31

What is SSL/TSL handshake? Why is it used? And what is the difference between the two?

Answer 31

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) are cryptographic protocols that provide communications security over a computer network. It is used in applications such as web browsing, mail, instant messaging, and voice over IP (VoIP). It is used to establish trust between two services online. Websites use TLS to secure all communications between their servers and web browsers. SSL V.3 - The most used protocol used online today, it is an old version and not the safest. TSL V.1.1 & V.1.2 - The newest protocol but not the most used, ist safer to use than SSL and should be used in new applications.

Question 32

Explain the Diffie Hellman key exchange

Answer 32

1) Both Alice and Bob agrees on a one way function and share it. (This will be available for Eve.) 2) Then Alice and Bob raises this one way function to their personal private key, to complete the function. 3) They send this function to each other. (This will also be available for Eve.) 4) Then both raises the function they receive from the other person to there own private key again. Result: Now Alice and Bob end up with a shared private key that Eve can't compute, because she needs one of there private key to find the new shared private key. Explanation: https://youtu.be/YEBfamv-_do?t=2m18s

Question 33

It is important to protect information assets in all states, name the three states and how to protect them.

Answer 33

During storage: - Information storage containers. - Electronic, physical, human. During transmission: - Physical or electronic. During processing: -Physical or electronic.

Question 34

Mention the four types of Firewall Technology.

Answer 34

- Router Packet Filters: Inspects IP-header of traffic - Stateful Packet Filters: Inspects IP- header and keeps track of traffic so that for the length of the session the return communication is let through. - Application Layer Proxy: Splits connection, inspects payload and analyses traffic. The proxy can inspect data at any level and even modify data. - Next Generation Firewall; End-to-end connection inspect payload, and analyses traffic.

Question 35

What is a honeypot?

Answer 35

A honeypot is a computer configured to detect network attacks or malicious behavior. It appears to be part of a network, and seems to contain information or a resource of value to attacks. Honeypots are isolated, are never advertised and are continuously monitored. All connections to honeypots are per definition malicious. Honeypots can be used to extract attack signatures.

Question 36

What is OWASP and the top ten vulnerability risk?

Answer 36

OWASP (Open web application security program) is an non-profit organisation that promotes security awareness and solutions for Web application development. They provide and maintains free tools for scanning and fixing such as: Application Security Verification Standard (ASVS) requirements for application level security. The top ten security list provides the most critical security risks of providing online services.

Question 37

What is SQL-Injection?

Answer 37

SQL-Injection is when the attacker disguises SQL commands as data- input. If the application that uses the SQL command is not programmed to sanitize the input, the attacker will get control of the database. He/She can then delete data, steal data from the database. Solution: Sanitize user input.

Question 38

What is Cross site scripting? XSS

Answer 38

Attacker disguises malicious code as user input. It is stored on the site, and when the victim uses the page, the code will run and attack the victim. Solution: - CHECK datatypes and length - DISALLOW unwanted data (HTML tags, Javascript) - ESCAPE questionable characters. (semicolon, brackets.) - Hide information about error handling. (Because information could be used by hacker or maybe reveal sensitive information.)

Question 39

What is "Broken authentication and session management"?

Answer 39

Developers must implement Session ID to provide continuous authentication assurance, since user auth is only at one point in time. Or else there is no guarantee that the “user is the user.” Recommendations such as those from OWASPs should be followed.

Question 40

What is security by design?

Answer 40

Security by Design is a legal requirement under GDPR. Secure by design, in software engineering, means that the software has been designed from the ground up to be secure. Malicious practices are taken for granted and care is taken to minimize impact when a security vulnerability is discovered or on invalid user input.

Question 41

What is Agile Software Development?

Answer 41

it´s a process to build systems. The process is iterative and contains the following steps. 1) Requirements are specified as stories. 2) Each story implemented as sprint 3) Repeated sprint cycles until all stories are implemented Repeat the whole process

Question 42

Define SP, idP and CrP and what they do.

Answer 42

``` Service Provider (SP) – Needs to know identity of users, and needs assurance of user authenticity. ``` IdentityProvider(IdP) – Controls name space of identities. Issues/registers identities for users. ``` Credentials Provider (CrP) – Issues/registers credentials for users. Performs authentication of users. ```

Question 43

What is IDS and what is de difference between host based- and network based IDS?

Answer 43

Intrusion Detection Systems: - Automated systems that detect suspicious activity, DS can be either host-based or network-based. - A host based IDS is designed to detect intrusions only on the host it is installed on – monitor changes to host’s OS files and traffic sent to the host. - Network based IDS (NIDS) detect intrusions on one or more network segments, to protect multiple hosts – monitor network/s looking for suspicious traffic. What can be detected: - Attempted and successful misuse, both external and internal agents - Malware: Trojan programs, viruses and worms - DOS (Denial Of Service) attacks

Question 44

What is MAC(Message authentication code)?

Answer 44

In cryptography, a message authentication code (MAC), sometimes known as a tag, is a short piece of information used to authenticate a message—in other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed. The MAC value protects both a message's data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.

Question 45

What is SHA-3? What is de difference between it and SHA-1, 2 & 3?

Answer 45

SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, by NIST. Although part of the same series of standards, SHA-3 is internally quite different from the MD5-like structure of SHA-1 and SHA-2. SHA-1 160 bits. SHA-2 og 3 224, 256, 384 or 512 bits.

Question 46

The activities of IR (Incident Response) can be divided into three (3) main phases. Mention the three phases, as well as one (1) specific procedure of each phase.

Answer 46

IR activities: - Detection phase, with one of: i) weed out false positive ii) categorise event - Respond phase, with one of: i) collect data ii) mitigate damage iii) isolate systems iv) analyse and track adversary v) report to police if necessary. - Recovery phase, with one of: i) fix the problem ii) improve the IR policy iii) disclosure