notes

Question 1

CIA Triad stands for

Answer 1

Confidentiality, Integrity, Availability

Question 2

Confidentiality:

Answer 2

People can’t see things they shouldn’t

Question 3

Integrity:

Answer 3

Information cannot be modified or corrupted by unauthorised parties or system limitations

Question 4

Availability:

Answer 4

Information is available when needed - The secure information needs to be available to the right people and when those people need to access it

Question 5

High and low confidentiality:

Answer 5

High: Encrypted
Low: Open on the web

Question 6

High and low integrity:

Answer 6

High: carved in stone
Low: it’s on a wiki that anyone can edit

Question 7

Authentication:

Answer 7

Techniques for deciding that someone is who they say they are: passwords, biometrics etc

Question 8

Acess controls and permissions:

Answer 8

Techniques for deciding that given someone has a particular identity, that identity can only see what they need to see

Question 9

Access control elements:

Answer 9

Identification - claimed identity
Authentication - verifies identity
Authorization - granted access based on proven identity
Accountability - held accountable for actions

Question 10

Administrative access controls

Answer 10

Refers to institutional policies and procedures
Things like hiring, supervision, personnel controls and testing

Question 11

Physical controls

Answer 11

Methods to prevent, monitor or detect direct contact with systems or areas in a facility
Such as guards, fences, motion detection, locked doors, sealed windows etc.

Question 12

Logical/Technical controls

Answer 12

Refers to hardware/software mechanisms used
Such as authentication systems, encryption, protocols, firewalls etc

Question 13

Security protocols: need to know

Answer 13

Only allowed access to what is needed

Question 14

Security protocols: Least privilege

Answer 14

Ensure only granted privileges needed to operate as intended

Question 15

Security protocols: separation of duties

Answer 15

Sensitive functions split between individuals, preventing fraud and errors

Question 16

Discretionary access control

Answer 16

Access based on identity membership

Question 17

Non-discretionary access control

Answer 17

Controls for whole systems controlled by an administrator

Question 18

Rule based access control

Answer 18

Set of rules, filters or restrictions controlling access

Question 19

Lattice based access control

Answer 19

Objects are given security labels and users are assigned a clearance level

Question 20

Centralised access control

Answer 20

All access controlled by a single entity:
- Lower admin overheads
- Easier for a small team
- Easier to maintain consistency

Question 21

Decentralised access control

Answer 21

Various entities within the system perform access control:
- Requires more work to maintain integrity
- Sustainable for large systems
- Joins can be hidden from user with security bridges and single sign on

Question 22

Signatures:

Answer 22

Means of recording who has created or modified a file or piece of data

Question 23

Checksums

Answer 23

Determine whether a file has been modified
Hash functions allow for verification of a file

Question 24

Auditability

Answer 24

Logging by OS, router or firewall, intrusion detection system or packet capture

Question 25

Non-repudiation

Answer 25

Ensure party cannot deny they initiation a transaction

Question 26

Attack avoidance includes

Answer 26

Physical security, distribution of load, defensive code, SQL injection avoidance code, treating user input as potentially hostile

Question 27

First thing to be sure of with regard to availability is

Answer 27

The ability to recover data if things go wrong

Question 28

How is Identification and Authentication proven

Answer 28

Identification usually by entering usernames. Authentication usually by password.

Question 29

Authentication:

Answer 29

Is the process of determining that someone is who they say they are

Question 30

Risks of password reuse:

Answer 30

Hackers breaking into secure systems Systems having insecure, readable password stores. Systems allowing the password store to be linked to your personal data This data being leaked These passwords being leaked with the data

Question 31

Additional authentication methods:

Answer 31

2FA: Knowledge, Possession, Biometrics, Mobile, Combination

Question 32

What do authenticator apps use

Answer 32

Time based one time pad algorithm (TOTP) - every 30 seconds a new code is generated

Question 33

Alternatives for passwords:

Answer 33

Smart cards, token devices, biometrics

Question 34

Password management for individuals involves managing various risks:

Answer 34

Risk of account being hacked Risk of password loss due to personal error Risk of password loss due to hacking of a third party

Question 35

Rainbow tables

Answer 35

Rainbow tables are pre-computed hashes of known passwords.

Question 36

Password crackers and rippers

Answer 36

Try a lot of educated guesses, they look at dictionary words and previously cracked passwords

Question 37

Brute force

Answer 37

Try all combinations of letters, numbers and characters

Question 37

What is password entropy

Answer 37

How long it will take to crack a password Entropy = log^2(R^L) R is the size of the pool and L is the number of characters in your password

Question 37

Salting passwords:

Answer 37

Makes every password look different Adds entropy to the storage functions Include a work factor to slow down brute force

Question 38

Peppering passwords:

Answer 38

A pepper is a secret value—a random string of characters—added to a password before hashing Same for every password Are not stored in the database

Question 39

Herckhoff’s principle

Answer 39

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

Question 40

Security by obscurity

Answer 40

If people don’t know a message is there, then they’re not going to find it.

Question 41

A code

Answer 41

Is a mapping from one semantic concept to another. This usually makes transmission easier, it doesn’t necessarily imply that the meaning is hidden. Codes are stored in codebooks or look up tables.

Question 42

A cipher

Answer 42

A cipher is a mechanical or algorithmic means of manipulating symbols. Ciphers are stored in algorithms.

Question 43

Cryptography:

Answer 43

Process of using encryption

Question 44

Cryptanalysis

Answer 44

Process of studying encryption with the goal of reading messages

Question 45

An encryption algorithm is breakable if:

Answer 45

it is possible to decipher messages without the key in a reasonable amount of time.

Question 46

Caesar cipher

Answer 46

A substitution cipher where each letter in the plaintext is shifted by a fixed number of positions in the alphabet.

Question 47

Keyed Caesar Cipher?

Answer 47

A Caesar Cipher with a keyword used to generate a shifted alphabet, followed by the rest of the unused letters.

Question 48

Polyalphabetic Cipher

Answer 48

A cipher that uses multiple Caesar ciphers based on a repeating keyword, such as the Vigenère Cipher.

Question 49

What is the One-Time Pad Cipher

Answer 49

A cipher that uses a random key as long as the plaintext, used only once, to encrypt data.

Question 50

Steganography

Answer 50

Steganography is the practice of hiding messages within other files Digitally this can be done through methods such as making the text the same colour as the background

Question 51

Information assurance:

Answer 51

Measures to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.

Question 52

Security Controls:

Answer 52

Preventive: stop incidents Detective: identify incidents Corrective: limit damage

Question 53

Physical controls

Answer 53

fences, doors, locks

Question 54

Procedural controls

Answer 54

incident response

Question 55

Technical controls

Answer 55

firewalls

Question 56

Legal compliance

Answer 56

privacy laws

Question 57

Risk analysis

Answer 57

Identify risks, prioritize based on likelihood and impact, treat through cost effective controls

Question 58

Risk treatment options

Answer 58

Apply controls Transfer risk Avoid risk Accept risk

Question 59

Assets in risk analysis

Answer 59

Hardware, software, information, infrastructure, people, outsourced services Risks assessed using Asset-Threat-Vulnerability model

Question 60

Component driven risk assessment

Answer 60

Focuses on individual technical elements, threats and vulnerabilities Uses tools like vulnerability scanning

Question 61

System driven risk assessment

Answer 61

Looks at the system as a whole: its functions and how it serves its purpose Identifies emergent risks from component interactions