131 Cards in this Set

Define information security.

It is about maintaining integrity, confidentiality, and availability.

Describe integrity

Integrity is about ensuring that data is protected from modification by unauthorised users. Only trustworthy data can be considered valuable. An example is a student hacking into a database and changing grades.

Describe confidentiality

Confidentiality is about ensuring that data is only visible to people with the appropriate security access. It is the principle of restricting access to information. An example of a confidentiality breach is the loss of a disk containing sensitive information.

Describe availability

Availability is about ensuring that data is always accessible when required by a stakeholder. It is concerned with keeping the systems containing the data running. An example is a system taken out by a disaster.

What is a threat?

A threat is a potential danger to an asset.

What is an attack?

An attack is an action that exploits a vulnerability.

What is a vulnerability?

A vulnerability is a weakness in a system that enables an attack.

Give an example of threats, vulnerabilities, and attacks.

Consider a database system. A threat is an unauthorised person who could access the database. A vulnerability would be an unremoved test account with a default password. An attack is an actual intrusion trying to download the data from the database.

What are security controls?

Security controls are processes or mechanisms put into place to ensure the integrity, confidentiality, and availability of an asset.

Name three types of security controls.

Administrative (which includes staff training, policies etc.), technological (firewalls, encryption algorithms, and antivirus programs) and physical controls (alarms, security guards etc.).

What is the purpose of the security officer (SO)?

A security officer is a person responsible for handling information security in an organisation. This might be a team in larger companies and just an added responsibility in smaller companies.

What are the responsibilities of a security officer?

Defines the corporate security policies. Defines the specific system security policies. Trains the staff on security matters. Creates and maintains a plan for implementing controls. Appoints auditors.

How does an SO fit into the hierarchy of a company?

An SO should report to the CEO or board of directors of the company and might even be a member of the board. An SO is like an intermediary between management and the users. It is important for an SO to have support from the board, as the board might otherwise question the financial costs of controls and ignore potential risks. Board members might also be afraid of increased responsibility for unknown risks.

What is risk assessment?

It is a tool to help understand what is at risk at a company (identifying assets), how much is at risk (values), where the risks are coming from (threats and vulnerabilities), how the risk can be reduced (identifying countermeasures) and what the cost of such a reduction is.

Describe SLE

Single loss expectancy (SLE) is a way of calculating the impact of a specific threat occurring from a cost perspective.

It is calculated as SLE = AV * EF,
where AV is the asset value and EF is the exposure factor, which is the fraction of the asset that is lost when a threat actually occurs. SLE is usually measured on an annual basis.

What is EF?

EF is the exposure factor, which measures what fraction of an asset is lost when a threat occurs. It is usually in the range 0-1, where 1 means the value is completely lost.

What is AV?

AV is the asset value which is the total value of an asset under threat.

What is ARO?

The annual rate of occurrence. This represents the frequency at which a threat occurs per year.

How is ALE calculated?

ALE = SLE * ARO,
i.e. the annual loss expectancy is the single loss expectancy times the annual rate of occurrence.

How do you calculate the effect of a counter measure on the ALE?

We calculate the reduced risk by taking ALE(before) - ALE(after) and then subtracting the cost of the countermeasure:
ALE(before) - ALE(after) - AC(control), where AC is the accumulated cost.

How does risk assessment apply to information security?

We need to analyse a few aspects: the value of the information system and its assets, the possible threats to the system, the vulnerabilities of the system and the cost of the countermeasures.

How do we measure risk?

Risk is a function of the threat, the vulnerability and the asset value. This risk can be reduced using controls.

Give an example of reducing a threat.

Do a background check on employees.

Give an example of how to reduce a vulnerability.

Keep systems up to date by installing patches, firewalls etc.

Give an example of how to reduce asset value.

Encrypting the data so that it is worthless to an observer.

Detail the stages of the overall assessment process

It starts with asset valuation. From there either a threat assessment, a vulnerability assessment or a risk determination can be applied. From the risk determination, safeguards are assessed, which leads to a decision support analysis that can either lead to a re-evaluation of the assets or the introduction of another safeguard assessment.

Detail two types of assets

Intangible assets (software and information)
Tangible assets (hardware, buildings etc.)

How can we evaluate intangible information assets?

The Delphi method can be applied. It starts with experts being questioned on the value of an asset and the reasoning for their valuation. After a round of questioning has been completed, a facilitator summarises the answers from the experts. The summary is then given back to the experts anonymously and a new round of questioning is started, in which the experts review their answers.

What is Zareer Pavri's method for measuring the value of information assets?

To use either a cost-based and/or an income-generating approach to arrive at concrete numbers.

The cost approach tries to put a fair market value on the assets.

The income approach tries to measure the income stream generated by the products/services associated with the information asset.

It cannot be considered an exact science.

Detail two types of threats

Accidental - threats caused by weather or accidents.

Intentional - caused by entities with an intention of exploiting a threat.

Why can it be difficult to perform a threat analysis?

Because it can be very easy to overlook some of the threats.

What is a vulnerability analysis?

It is an attempt at identifying the vulnerabilities of a system or organisation. Some people argue that vulnerability analysis should be done before threat analysis, since if there are no vulnerabilities then there are no threats, but this is often impractical as many vulnerabilities might not be identified during an analysis.

How can one start a vulnerability analysis?

It can be very tedious and time-consuming to perform such a process; however, there are databases that provide examples of documented vulnerabilities.

How do we perform risk assessment?

We need to find vulnerabilities and map these to threats and to the assets affected by these threats.

What is risk modelling?

Risk modelling aims to answer a few questions: what could happen (threat/vulnerability), how bad could it be (impact), how often might it occur (frequency and probability), how certain can these answers be (uncertainty).

The first question is answered through threat and vulnerability analysis.

The second through asset valuation.

Uncertainty can be modelled as a bounded distribution.


What kind of data is often relied upon when performing risk modelling?

Statistical data from internal sources, employees, customers and risk assessment tools etc.

What is quantitative risk assessment?

It is when one tries to put a number on everything in the assessment process. ALE is an example of a quantitative risk assessment. It relies on reliable data and the application of appropriate tools to produce usable results.

If care is not taken, quantitative assessment can lead to a false sense of security.

What is a qualitative assessment?

It is when rankings of the risks are used instead of numbers. Threats may have various levels and assets can be valued based on importance.

It is easier for most people to understand, but it can easily be subjective and the results of cost/benefit analysis can be harder to determine.

What is important when looking for accreditation?

A concrete methodology is important, i.e. performed by a knowledgeable person and in a systematic way.

What are hybrid approaches?

Hybrid approaches are when a mix of quantitative and qualitative processes is used to perform the risk assessment.

What is CRAMM?

CRAMM is a tool for performing risk assessment. It uses a risk matrix and is a qualitative approach to risk assessment, whose levels are mapped to different levels of ALE. It allows you to apply controls from a database.

What is a penetration study?

It is when an organisation brings in experts who try to exploit vulnerabilities.

What is the flaw hypothesis methodology?

It is a framework for conducting penetration studies and has the following steps:

vulnerabilities are identified through information gathering,

flaws are hypothesised,

flaws are tested,

flaws are generalised,

and finally flaws are eliminated.

What are common criticisms of penetration studies?

They are used by security companies to improve their reputation.

What is an important and commonly overlooked part of implementing information security?

Putting sensible procedures and practices in place.

What is a security policy?

It is a set of documents stating an organisation's philosophy, strategy and practices with regard to the confidentiality, integrity and availability of information.

Why is it important to apply policies as well as technology to ensure security?

They help tie in upper management, and they provide a paper trail detailing how a company complies with its obligations. They also help define a strategy with regard to what to protect and at what cost. They also serve as a guide for employees.

How does one create a security policy?

First find out about the risk. The policy should then cover control mechanisms that address the risks found in the risk assessment, in order to get the risk down to an acceptable level.

Detail important aspects of security policies.

Classification and access control models.

What is Discretionary Access Control (DAC)?

It is where each data object is owned by a user, and the user decides which other users will have access to the data object.

This is commonly used in operating systems.

What is Mandatory Access Control (MAC)?

It is when access control is mandated using an entire system (system-wide) policy with no user control. It is often used by the military.

What is an access control matrix?

An access control matrix is used to describe the protection state of information or a system.

It has objects (o) which need protection.

There are subjects (s) which want access to the objects.

And there are rights (r(o,s)) which define which type of rights a subject has to access an object.

This can be organised in a matrix.

It specifies permissions at an abstract level and limits the damage certain subjects can cause.

What are problems with access control matrices?

They don't scale well, i.e. they require a large number of entries for representation.

Many entries may also be empty, taking up unused memory space.

What are capability lists and what are their drawbacks?

It is when access control is stored as a list for each user. This uses less memory than the access control matrix; however, they are costly to look up, as each list needs to be traversed to find several users' access rights.

What are access control lists?

This is when the access control matrix is stored column-wise, where each asset is a row and all users' access rights are stored in that row. It is easier to look up multiple users' rights compared to capability lists, but it still doesn't scale well.

How can access control lists be improved?

One can utilise groups and track which members are part of a group. This is often used by operating systems.

Ownership of a file is still controlled by a user, who can delegate rights.

This might not be scalable for larger organisations.

What is the Bell-LaPadula model (BLP)?

In BLP, every document has a security classification.

More sensitive information has a higher security level.

Every user has a clearance (level).

The classification and clearance are not done by users but by some authoritative entity.

It had a military origin.

Detail the Bell-LaPadula model.

Assume objects (o) and subjects (s).

Let c(o) be the classification of the object and c(s) be the clearance of the subject.

s may have access to o only if c(o) <= c(s).

s only has write access if c(o) <= c(p), which seems counter-intuitive but is designed to avoid sensitive information becoming accessible to users with lower clearance.

How can the Bell-LaPadula model be extended through categories?

Each data object can be assigned different categories, which provide an additional filter level that allows subjects to only view the information that they really need.

How can categories be visualized?

As a lattice with all categories, and 0 representing data objects with no category.

Describe the Clark-Wilson integrity model.

The CW model is concerned with protecting the integrity of data as well as user access.

It uses two important mechanisms:

well-formed transactions, which constrain users in how they can manipulate the data,

and separation of duty, which separates the processes of an action over multiple entities.

What are constrained and unconstrained data in the Clark-Wilson model?

These are data objects that either can be modified or cannot, which upholds the integrity of the data.

How is the integrity policy defined in the CW model?

Using integrity verification procedures (IVP) and transformation procedures.

IVPs check that all the constrained data items (CDI) in a system conform to integrity and confirm upon completion that the integrity was maintained. An example of this might be that an auditor confirms that a change to a book is reconciled and accurate.

Transformation procedures (TP) correspond to a well-formed transaction that does not violate the format of the CDI.

How does CW work?

First we start in a valid state, and we only manipulate CDIs with TPs. Thus we will always be in a valid state.

Why do IVPs and TPs in the CW model need certification?

Because we need to ensure that CDIs are only manipulated by TPs and that IVPs and TPs are well behaved.

How are IVPs and TPs certified in the CW model?

Through the security officer or a similar agent. This process is rarely automated.

How is integrity assured in the CW model?

Through enforcement (by a system)
and through certification, which is done by a human.

The rules used for such certification are E rules and C rules.

What are the basic framework rules of the CW model?

C1: IVP verification, successful execution confirms that all CDIs are in a valid state.
C2: TP verification, an agent specifies which TPs apply to which CDIs.

E1: TP enforcement, the system maintains a list of CDIs that only allows manipulation of CDIs through the validated TPs.

What is role-based access control?

It is a mandatory access control model that does not have secrecy levels like Bell-LaPadula.
It is a slightly stricter version of the ACL model, where a certified entity grants and revokes access rather than users.

Users are put in different groups referred to as roles.

Users can access data objects based on their roles.

An example is a hospital where doctors have different rights compared to nurses.

Detail the formal definition of the RBAC

subject s
role r
transition t
object o
mode x

AR(s) active role of the subject
RA(s) roles that s is allowed to perform
TA(r) transactions that a role is allowed to do

A subject s may execute a transaction t if exec(t,s) is true.

exec(t,s) is defined as true
if t is in TA(AR(s))

List the rules of RBAC

1. Role assignment: all subjects must have a role to be allowed to perform an action
2. Role authorisation: for all s: AR(s) is in RA(s)
3. Transaction authorisation: for all s, t: exec(t,s) is true only if t is in TA(RA(s))
4. Options on access

How can role relationships be visualised?

user1 -> role1 -> object1
user2 -> role1 -> object2

Think of the doctor example where two doctors can prescribe and diagnose two different objects through their role.

Summarize RBAC

MAC is usually for military applications
DAC is not as strict
RBAC finds a middle ground

List ideal characteristics of a policy for an organisation.

1. Light, should not cover many pages.

2. Simple and practical.

3. Easy to manage and maintain.

4. Accessible, easy to find for members of the organisation.

How should a policy be organised?

In a hierarchical fashion:
the security framework paper, which details things such as the organisation's commitment to information security and its classification system, makes clear that administrators are held accountable, and states the clear responsibilities of individuals.

Below it in the hierarchy are the position papers, which address specific aspects of the security policy. These should be kept focused and short.

List common categories of a position paper:

Scope, ownership, validity over time, responsibilities, compliance, supporting documentation, position statements and review.

What is social engineering and what is it about?

Social engineers bypass technical defences by targeting people. It is about manipulating people to acquire confidential information or perform fraudulent actions.

Give some examples of social engineering

Posing as an employee, vendor, partner company or somebody with authority; using internal lingo to gain trust; offering help if problems occur and then causing them; sending trojans and viruses; asking a receptionist to forward faxes and emails.

Describe the social engineering lifecycle

1. Research, where the attackers try to find as much information as possible from online sources, seminars, dumpster diving etc.

2. Developing trust, using insider information, identity misrepresentation, need, or help from authority.

3. Exploiting trust, asking or manipulating the victim, in the form of help, to get access to information.

4. Utilise the information and recycle through the previous stages if necessary.

List a set of reasons why social engineering works

It exploits tendencies of human nature such as:
Authority: people tend to comply with other people with authority.
Liking: people generally comply with a person when they like them.
Reciprocation: people feel obliged if they have received favours.
Consistency: people feel they need to honour any pledges or commitments made in public.
Social validation: people tend to perform actions similar to what other people around them are doing.
Scarcity: people behave differently when a set of resources they depend on is limited.

List some common warning signs of social engineering

Unusual requests, refusal to give a callback number, claims of authority, stressing urgency, showing discomfort when questioned or challenged, compliments or flattery and flirting.

How can social engineering be prevented?

By having procedures in place for handling unusual requests, training staff, and explaining the need for certain procedures.

Name a few items that are important to teach when training staff

Make sure that employees verify the identity of visitors and callers, for instance by asking for ID or the supervisor's contact details, and by having trusted employees vouch for the person.

Staff also need to ask "need-to-know" questions to understand why the person needs the information.

Ensure that the staff holding sensitive information are aware of the consequences of sharing the information.

Staff should be trained to challenge authority when dealing with sensitive situations.

Ensure that everyone is part of the training.

The items should not be taught in long, time-consuming seminars; instead, they should be done through hands-on exercises that simulate the real situation, such as staging fake attacks
and then debriefing the trainees on how to improve their behaviour without using punitive actions.

What is cryptography?

It is the art and science of keeping information secure.

What is cryptanalysis?

The art and science of breaking a code.

What is cryptology?

It is the branch of mathematics needed for cryptography and cryptanalysis.

How can cryptography help information security?

It can help with confidentiality by only allowing authorised personnel to decrypt information.

Authentication: a receiver of a message should be able to ascertain the origin of the message.

Integrity: the receiver should be able to validate that the information was not modified before being received.

Non-repudiation: a sender should not be able to deny that they sent a message.

What is plain text or clear text?

It is the original message.

What is encryption?

The process of disguising the contents of a message.

What is a ciphertext?

It is an encrypted message.

What is decryption?

It is the process of turning ciphertext back into plaintext.

List the basic definitions of cryptography

Plaintext P or M
Ciphertext C (usually binary data)
Encryption function E

E(M) = C

Decryption function D

D(C) = M

What is a cryptographic algorithm? (sometimes referred to as a cipher)

It is a mathematical function used for encryption or decryption.

Often two functions, one for encryption and one for decryption.

What is a restricted algorithm?

It is an algorithm whose security is based on the algorithm being secret. This is usually not a useful approach, as the algorithm would have to change every time someone leaves the group.

A group might not have the knowledge to create a new cipher all the time.

What is a key?

A key is a value taken from a large set of possible values (the key space) which is used as input to either the encrypt or the decrypt function.

i.e. Eke(M) = C, Dkd(C) = M, Dkd(Eke(M)) = M

What is a symmetric algorithm?

A symmetric algorithm, sometimes called a conventional algorithm, is when the key is identical for both decryption and encryption. Anyone who has the key can encrypt the message; however, two people need to agree on the key for it to work.

What is an asymmetric key?

Asymmetric algorithms are often called public key algorithms. They use a public key for encrypting and a private key for decrypting. Public keys can be published so that anybody can encrypt messages. The private key is only used by the receiver. This only works if the private key cannot be calculated from the public key in reasonable time. A good analogy is a padlock.

What is the benefit of using a key?

The security is stored in the key rather than in the algorithm.

The advantages of this are that the software for the algorithm can be mass-produced, eavesdroppers won't be able to read the information even if they know the algorithm, and the algorithm can be analysed by experts for flaws.

What is a cryptosystem?

A cryptosystem consists of the algorithm, the keys and all possible plaintexts and ciphertexts.

List the 4 most important encryption techniques.

Substitution ciphers
Transposition ciphers
Stream ciphers
Block ciphers

What is a substitution cipher?

It is when each character in the plaintext is substituted or mapped to another character.

What is the Caesar cipher?

It is when all characters in the text are shifted three characters in the original cipher.

What are the natural numbers

They are the positive integers.

What is factorisation?

It is the process of breaking up a number into smaller factors.

What is a prime number?

It is a number that is only divisible by itself and 1.

What is prime factorisation?

It is when a number is expressed as a product of prime numbers.

Define modulus

In computing, mod returns the remainder.

In number theory, a = b mod n,
or a is congruent to b modulo n,

i.e. n is a divisor of a - b.

What are the three types of modular arithmetic?

Modular addition, modular multiplication and modular exponentiation.

What is a multiplicative inverse?

It is the number which, multiplied by x mod n, yields 1.

Describe XOR encryption.

C = M xor K
M = C xor K

(A symmetric algorithm)

What is another name for a simple substitution cipher?

Monoalphabetic substitution cipher; it is when the alphabet is mapped to a random permutation of the alphabet.

Why are monoalphabetic substitution ciphers not very secure?

Because they are easily solved statistically using the distribution of characters in an alphabet.

What is a homophonic substitution cipher?

It is an encoding that tries to obscure the mappings by applying multiple values to the same character. It is still not very secure and can also be solved statistically.

What is a polygram substitution cipher?

It is an encoding that encrypts groups of letters rather than single ones. It is not very secure either.

What is a polyalphabetic substitution cipher?

It is an encryption that uses multiple simple substitution ciphers.

An example of such a cipher is the Vigenère substitution, which adds the keys of multiple letters and performs a modulo to map it: C = M + K. This can easily be solved periodically over longer sentences.

What is a rotor machine?

A mechanical encryption device developed in the 1920s. It implemented a complex polyalphabetic substitution cipher. Enigma is an example of a rotor machine.

What is a transposition cipher?

It is an encoding where the characters stay the same but the order is changed.

What is a simple columnar transposition cipher?

It is a cipher where all the characters are written as a matrix and the ciphertext is read vertically from the columns.

What is double columnar transposition?

A slightly more difficult encryption than the simple columnar transposition cipher, in which a second transposition is applied.

What is a stream cipher?

A type of symmetric algorithm that operates on a single bit or character at a time.

What is a block cipher?

It is a symmetric algorithm that operates on multiple characters at a time. An example is Playfair.

What is confusion and diffusion?

Confusion adds a value to the plaintext symbol to confuse the attacker.

Diffusion spreads the plaintext information through the ciphertext.

What is an SP network?

It is a block cipher that uses a simple combination of substitution and permutation circuits to encode the data.

What is an S-box?

An S-box is a substitution box, which is a look-up table of permutations of input data. S-boxes depend on 1-1 mappings to enable decryption. The output of an S-box is shuffled before being fed to the next stage of permutations. Each stage is referred to as a round.

How can a key be added to an SP network?

A key is applied after each round using XOR encryption.

What is the main reason for using an SP network?

It saves memory space when encrypting.

What is required to ensure security of an SP network?

The block size needs to be large enough, there need to be enough rounds, and the S-boxes need to be chosen carefully.

How can a small block size be decrypted?

Using a dictionary. The smaller the block size, the easier it is to build such a dictionary.

What is the avalanche effect?

It is when a slight change to the input generates a large change in the output.

How can the avalanche effect be achieved in SP networks?

By having a large number of rounds.

What is important to consider when choosing s-boxes?

To ensure that there is as much randomness as possible.