Threat Modelling, Secure Design and Threat Detection Flashcards

1
Q

What is a cyber threat?

A

“any circumstance or event with the potential to adversely impact an asset through unauthorised access, destruction, disclosure, modification of data, and/or denial of service” (ENISA)

2
Q

What is a short description of a threat?

A

A set of circumstances that has the potential to cause loss or harm

3
Q

What are 3 non-human threats?

A
  • natural disasters
  • loss of electrical power
  • failure of a component
4
Q

Why use threat models?

A

to put yourself into the shoes of the attacker so you can better protect your systems

5
Q

What are the 2 types of models?

A

Attack Models and Adversarial Models

6
Q

What are the 3 goals of computer security?

A

confidentiality, integrity, availability

7
Q

What 3 things must an attacker have to ensure access?

A

method, opportunity and motive

8
Q

What are the 7 stages of an attack?

A
  • reconnaissance
  • weaponization
  • delivery
  • exploitation
  • installation
  • command and control
  • act on objectives
9
Q

What does STIX stand for?

A

Structured Threat Information Expression

10
Q

What is STIX?

A

a graph based representation of attackers, campaigns and victims.

11
Q

What is STRIDE?

A

a system developed by Microsoft for thinking about computer security threats.

12
Q

What is spoofing?

A

an agent pretends to be somebody else

13
Q

What does tampering do?

A

violates the integrity of an asset

14
Q

What is repudiation?

A

an agent denies having performed an action to escape responsibility

15
Q

What does information disclosure do?

A

violates the confidentiality of an asset

16
Q

What does denial of service do?

A

violates the availability of an asset

17
Q

What is elevation of privileges?

A

an agent gains more privileges beyond its entitlement

18
Q

What are the components of DREAD?

A
Damage
Reproducibility
Exploitability
Affected users
Discovery
19
Q

What is the DREAD equation?

A

Risk_DREAD = (D + R + E + A + D) / 5

20
Q

What are the 7 stages of the security development lifecycle?

A
  1. training
  2. requirements
  3. design
  4. implementation
  5. verification
  6. release
  7. response
21
Q

What is a methodology?

A

a body of practices, procedures, and rules used by those who work in a discipline or engage in an inquiry; a set of working methods.

22
Q

What is coupling?

A

how independent each module is

23
Q

What is cohesion?

A

How well do the modules work together

24
Q

What is the ideal coupling/cohesion state?

A

loosely coupled, highly cohesive.

25
Q

What does the model in model-view-controller do?

A

directly manages data, logic and rules of the application

26
Q

What does the view in model-view-controller do?

A

outputs representation of information

27
Q

What does the controller in model-view-controller do?

A

accepts input and converts it to commands for the model

28
Q

What is Model-View-Presenter?

A

a variant of MVC where presentation logic is pushed to a presenter.

29
Q

What does the presentation model do?

A

represents the state and behaviour of the presentation independently of the controls used in the interface

30
Q

What does MVP enable?

A

Deployment of the program in the real world faster

Design follows capacity of the development team

31
Q

What are the 4 kinds of testing?

A

Unit Testing
Integration testing
System Testing
Acceptance Testing

32
Q

What does Virtualization do?

A

Enables you to run multiple operating systems on the hardware of a single physical machine.

33
Q

What does containerization do?

A

Enables you to deploy multiple applications using the same operating system on a single virtual machine or server.

34
Q

What’s the difference between virtualization and emulation?

A

virtualization directly accesses the hardware, whereas emulation does not run on the physical hardware.

35
Q

What is the standard risk model?

A

Risk = likelihood * impact

36
Q

Intrusion Detection System

A

passive - incident handling for response

37
Q

Intrusion Prevention System

A

active - Firewall ++

38
Q

What are the components of an IDS/IPS?

A

audit subsystem
analysis component
response component

39
Q

What does the audit subsystem do?

A

captures audit data

40
Q

What does the analysis component do?

A

performs a statistical analysis of the audit data

41
Q

What does the response component do?

A

reacts to intrusions

42
Q

What are intrusion detection systems classified by?

A

location, detection mechanism and response mechanism

43
Q

What are the options for the location of an IDS?

A

host-based, network-based, or hybrid

44
Q

What are the options for the detection mechanism of an IDS?

A

signature-based, anomaly detection, or hybrid

45
Q

What are the options for the response mechanism of an IDS?

A

passive or active (IPS)

46
Q

What are some pros of host based IDS?

A

any from:

  • pure software
  • not affected by network encryption or switched networks
  • decisions can depend on outcome
  • most complete view on data
  • can detect insider attacks
47
Q

What are some cons of host-based IDS?

A

any from:

  • takes up host resources
  • cannot detect attacks on the whole system
  • may be disabled by the intruder
  • strong dependency on OS
48
Q

What are some pros of network based IDSs?

A

any from:

  • can monitor many hosts, OSs and OSI layers
  • has a global view of activity, can detect port scans
  • takes no resources of monitored hosts
  • invisible to intruder
  • centralized, so easy to maintain and cheap
49
Q

What are some cons of network based IDSs?

A

any from:

  • packet reassembly is time consuming and error-prone
  • can be affected by encryption and switched networks
  • limited understanding of semantics
  • attacks from insiders usually undetected
50
Q

What is misuse detection?

A

actions that match the pattern of a known attack are considered intrusive

51
Q

What is a misuse signature?

A

an IDS signature is a pattern that can be identified from traffic data

52
Q

What are the pros of misuse detection?

A
  • good attack identification
  • no training required

53
Q

What are the cons of misuse detection?

A
  • detects only known attacks
  • signatures must be updated in a timely fashion
  • little robustness against small attack variations
  • quite easy to evade
54
Q

What are the 3 methods for detecting anomalies?

A

Statistical based, knowledge based and machine learning based

55
Q

What are the advantages of anomaly detection?

A
  • can often identify not previously known attacks
  • can serve as a source for signature-based IDS

56
Q

What are the cons of anomaly detection?

A
  • prone to false alarms
  • requires extensive training
  • machine learning techniques are hard to debug
57
Q

What are the 4 types of alerts?

A
  • True Positive
  • False Positive
  • True Negative
  • False Negative
58
Q

Where is a firewall typically placed?

A

at a perimeter

59
Q

What are the components of real time monitoring and management in a security operation centre?

A
  • aggregate logs and data
  • proactive efforts
  • report about new vulnerability
  • coordinate response
  • suggest remediation
60
Q

Who are attacks that are spotted by SOCs reported to?

A

executives, auditors, security staff

61
Q

What are the 2 components of post-incident analysis?

A

forensics and investigation

62
Q

What are some SOC needs?

A
  • internal/external security devices management
  • proactive vs. reactive incident handling
  • forensics
  • vulnerability management
  • audit/pen test