Week 10 - Systems Security

Question 1

Achieving the security of CIA and non-repudiation depends on?

Answer 1

Authentication - identity to entity

Question 2

Malware is?

Answer 2

intrusive software designed to damage or take control of a system

Question 3

NCSC - reduce reliance on passwords

Answer 3

use single sign on (SSO) - ues MFA to check identity then grants a token that can be used instead of password.

Question 4

NCSC -implement technical solutions

Answer 4

use controls such as max number of authentication attempts

Question 5

NCSC - protect all password

Answer 5

encryption

Question 6

NCSC - password overload

Answer 6

human factor, password management systems, good practices and against password expiry

Question 7

NCSC - help generate better passwords

Answer 7

use machine generated passwords, or “three random words”

Question 8

NCSC - training

Answer 8

provide guidance and advice

Question 9

DoS is?

Answer 9

Denial of service, high level of requests over a network which floods the machine/network, responses fail

Question 10

combination of authentication and authorisation is?

Answer 10

access control

Question 11

Access control list (ACL)

Answer 11

a list of who has authorisation to communicate with whom

Question 12

Specifying authorisation rules, terms used?

Answer 12

subject entity

object the asset on which the operation is being performed

action the operation being attempted

permission allowed or denied

Question 13

two key security properties that authorisation enables in a system:

Answer 13

least privilege
authorisation to perform minimal set of operations to complete function

separation of privileges
separation of duties so that no 1 employee is given enough privilege to misuse the system

Question 14

Mandatory access control (MAC)?

Answer 14

Access to resources is strictly controlled by the operating system (OS) as specified by the system administrator

Question 15

Advantages of MAC?

Answer 15

high level security, every subject and object has sensitivity label with NWU and NRD

Question 16

Disadvantages of MAC?

Answer 16

large surface area, human error with assigning labels, wrong input gives access to unauthorised personnel or denies access to correct entity

high admin and maintenance costs

Question 17

Discretionary Access Control (DAS)?

Answer 17

widely used, subjects set access control on objects they own. based on trust

Question 18

DAC -permissions?

Answer 18

grants entities the right to read, write or execute object

Question 19

DAC - read?

Answer 19

abrv - (r) open make no changes

Question 20

DAC - write

Answer 20

abrv - (w) make changes

Question 21

DAC - execute

Answer 21

abrv - (x) run a program

Question 22

Advantages of DAC?

Answer 22

easy to implement, users gives permissions and security

Question 23

Disadvantages of DAC?

Answer 23

lack of accountability, difficult to execute in larger settings, not good for limited access permissions

Question 24

Role based access controls (RBAC)

Answer 24

users assigned roles, object accessing by user with appropriate roles

Question 25

advantages of RBAC?

Answer 25

sets roles across and organisation, users automatically assigned the correct transactions once in a roles, users cannot receive permissions outside of role.

Question 26

disadvantages of RBAC?

Answer 26

creating roles more difficult than DAC, role explosion (creating more roles if not checked).

Question 27

Reference monitor?

Answer 27

enforces access control rules, if not rules - default is applied.

Question 28

three main types of accountability?

Answer 28

**non-repudiation** cannot deny **digital forensics** traces in the log, logs of interacting entities **compliance** erating in accordance with the relevant standards, regulations, or internal policies.

Question 29

GDPR?

Answer 29

general data protection regulation privacy and security law, what personal information can be collected, regulates how data is processed or stored

Question 30

Accountability challenges ?

Answer 30

volume of logs,