Introduction

Question 1

Define security

Answer 1

Minimizing the vulnerabilities of assets and resources

Question 2

What are assets?

Answer 2

Anything of value, in information security these are information systems.

Question 3

What is a vulnerability?

Answer 3

Any weakness that could be exploited to violate a system or the information is contains.

Question 4

What is a threat?

Answer 4

A potential violation of security

Question 5

What is the CIA triad?

Answer 5

Confidentiality
Integrity
Availability

Question 6

What is confidentiality?

Answer 6

Preventing unauthorised disclosure of information

Question 7

What is integrity?

Answer 7

Preventing unautherised (accidental or deliberate) modification or destruction of information

Question 8

What is availability?

Answer 8

Ensuring resources are accessible when required by an authorised user

Question 9

What is the OSI Security Architecture?

Answer 9

Systematic approach of providing security at each layer.

Defines security services and mechanisms that provide security for data transmitted over a network.

Defines threats (or attacks), services, mechanisms and how they are related

Question 10

What are passive threats?

Answer 10

Threats that do not alter information in a system.

Eavesdropping, traffic analysis

hard to detect, focus on preventing their success

Question 11

What is eavesdropping?

Answer 11

Attacker monitors communication.

E.g.: sniffing packets, tapping telephone

Question 12

What is traffic analysis?

Answer 12

Attacker monitor the amount, source and destination of communication.

Question 13

What are active threats?

Answer 13

Threats that alter information in the system.

These may be hard to prevent, focus on detection

Question 14

What are some examples of active threats?

Answer 14

Masquerade

replay

modification of messages

Denial of service

Question 15

What is the masquerade attack?

Answer 15

The attacker claims to be a different entity

Question 16

What is the replay attack?

Answer 16

The attacker sends a message that has already been sent.

Retransmission of a passive capture of a data unit

Question 17

What is the modification of messages attack?

Answer 17

Attacker changes messages during transmission

Question 18

What is denial of service attack?

Answer 18

The attacker prevents legitimate users from accessing resources

Question 19

What is a security service?

Answer 19

A processing or communication service to give a specific kind of protection to system resources (supports one or more of the security requirements: CIA, authenticity, accountability).

Implemented by security mechanisms.

Question 20

What is a security mechanism?

Answer 20

Method of implementing one or more security services.

A process/device that is designed to detect, prevent or recover from attacks.

Question 21

Name some security services (8)

Answer 21

Peer entity authentication

Data origin authentication

Access control

Data confidentiality

Traffic flow confidentiality

Data integrity

Non-repudiation

Availability services

Question 22

What is Peer entity authentication?

Answer 22

Provides confirmation of the claimed identity of an entity.

Protects against masquerade or replay

Question 23

What is Data origin authentication?

Answer 23

Provides confirmation of the claimed source (origin) of a data unit (message)

Question 24

What is Access control?

Answer 24

Protection against unauthorized use of resources.
Usually provided in combination with authentication and authorisation services.

Question 25

What is data confidentiality?

Answer 25

Protects data against unautherized disclosure. Protection of transmitted data prom passive attacks.

Question 26

What is traffic flow confidentiality?

Answer 26

Protects disclosure of data which can be derived from knowledge of traffic flows.

Question 27

What is data interity?

Answer 27

Detects modification, insertion, deletion or replay of data in a message or a stream of messages

Question 28

What is non-repudiation?

Answer 28

Protects against any attempt by the creator of a message to falsely deny creating the data or its content. Protects against denial by the sender, or denial by the recipient

Question 29

What is availability service?

Answer 29

Protects a system against denial of service

Question 30

What are some mechanisms? (6)

Answer 30

Encipherment Digital signature Traffic padding Authentication Routing control Notarization access control mechanisms (passwords, tokens) Integrity mechanisms (corruption detection)

Question 31

What is encipherment?

Answer 31

Transformation of data in order to hide its information content.

Question 32

What is digital signature?

Answer 32

Mechanism, cryptographic algorithms which transform data using a signing key. Signed data can only be created with the signing key.

Question 33

What are authentication exchange?

Answer 33

Protocols which exchange information to ensure identity of protocol participants. E.g. TLS

Question 34

What is traffic padding?

Answer 34

Spurious traffic generated to protect against traffic analysis. Typically used in combination with encipherment

Question 35

What are routing control mechanisms?

Answer 35

Use of specific secure routes

Question 36

What is the notarization mechanism?

Answer 36

Uses a trusted third party to assure the source or receipt of data. This third party is sometimes called a notary.

Question 37

What are the 6 categories of security services?

Answer 37

Authentication Access control Data confidentiality Data integrity Nonrepudiation Availability

Question 38

What are the 8 categories of security mechanisms?

Answer 38

Crypto algorithms Traffic padding Data integrity Routing control Digital signature Notarization Authentication exchange Access control

Question 39

What is risk management?

Answer 39

Tool in information security management: 1. identifies threats 2. Classifies threats according to likelihood and severity 3. Apply security controls based on cost-benefit analysis

Question 40

Define information security

Answer 40

Information security: Preservation of CIA, in addition to authenticity, accountability, non-repudiation, reliability

Question 41

Define network security

Answer 41

Protection of networks and their services from unautherized modification, destruction or disclosure. Assurance that the network performs its critical functions correctly.

Question 42

What is privacy?

Answer 42

Assures that individuals control or influences what information related to them may be collected and stored, and by/to whom it may be disclosed.

Question 43

What is data authenticity?

Answer 43

That the digital object is indeed what it claims to be.

Question 44

What is system integrity?

Answer 44

That a system performs its functions correctly, free from unautherized manipulation.

Question 45

What is accountability?

Answer 45

The security goal that relates to the requirement for actions of an entity to be traced uniquely to that entity.

Question 46

What type of attack is a man-in-the-middle attack?

Answer 46

Masquerade Masquerades as both client and server