COMP1806 Information Security

Questions and Answers

What is the primary goal of cyber security?

• To prevent unauthorized access, deletion, or modification of digital data. (correct)
• To ensure all data is stored in a single, easily accessible location.
• To promote open sharing of information regardless of risk.
• To maximize data accessibility for all users.

According to the material, what can be a consequence of cyber crime?

• It can be very expensive and seriously affect the functioning of businesses/economies. (correct)
• It primarily affects the entertainment industry.
• It has no impact on individual users.
• It only affects large corporations and governments.

What does the acronym 'CNSS' refer to in the context of information security?

• Centralized National Security System
• Certified Network Security Specialist
• Cyber Network Security Standards
• Committee on National Security Systems (correct)

What is the main characteristic of 'availability' within the context of information security?

Enabling authorized users to access information without interference. (B)

What event related to computer security occurred in 1993?

The DEF CON conference was held. (B)

What shift occurred as computer networks became more common in the 1990s?

The ability to physically secure the physical computer was lost. (D)

In the context of information security, what does 'access' refer to?

The ability to use, manipulate, modify, or affect another subject or object. (C)

According to the material, what is a 'threat agent'?

The specific instance or component of a threat. (D)

Which of the following is an example of a 'control' or 'safeguard' in information security?

Security policies. (D)

What is a key characteristic of the 'bottom-up' approach to information security implementation?

It emphasizes the technical expertise of individual administrators. (D)

What critical feature is lacking in the 'bottom-up' approach to information security implementation?

Organizational staying power. (C)

In contrast to the 'bottom-up' approach, what is a defining characteristic of the 'top-down' approach to information security implementation?

It is initiated by upper management. (C)

Which of the following is a typical responsibility of a Chief Information Officer (CIO)?

Advising senior executives on strategic planning. (B)

Which of the following is the primary responsibility of a Chief Information Security Officer (CISO)?

Assessment, management, and implementation of Information Security. (C)

What is the implication of 'Security as a Social Science'?

Understanding human behavior is critical to information security. (C)

What is emphasized by 'Security as Art'?

The need for creativity and adaptability in dealing with security threats. (A)

What is the meaning of 'Risk' in Key Information Security Concepts?

Expected impact of an unwanted occurrence. (A)

What does the material suggest about balancing information security and access?

Security should balance protection with reasonable access. (B)

According to the reading, what contributed to software failures?

Hardware failures. (D)

What does the term 'Integrity' describe?

Whole, complete, and uncorrupted. (C)

What does Security mean, according to the module?

Protecting systems and hardware. (D)

Why is Defence a requirement for Cyber Security?

To prevent hacking. (D)

What is a vulnerability in Key Information Security?

Weaknesses or faults that cause damage. (B)

According to the indicative lecture topics, which of these topics are not directly addressed?

Network Infrastructure Design. (B)

Which one of these is described as a "high impact factor scientific journal or magazine"?

IEEE Security & Privacy Magazine. (B)

Consider a scenario where an organization implements stringent data loss prevention (DLP) measures, including tight controls on removable media and network file sharing. While significantly reducing the risk of data exfiltration, these measures result in employees spending substantially more time accessing and sharing necessary files, leading to project delays and reduced productivity. What security concept would an observer most likely cite to describe this situation?

Balancing Information Security and Access. (A)

An organization identifies that its web servers are vulnerable to SQL injection attacks. The CISO proposes the following three options: 1) Implement a Web Application Firewall (WAF) with pre-configured rules to block common SQL injection attempts. 2) Retrain all developers on secure coding practices, emphasizing input validation and parameterized queries. 3) Conduct regular penetration testing to identify and patch SQL injection vulnerabilities. Which of the following options demonstrates a 'top-down' strategic approach?

Options 1,2 and 3 together, representing comprehensive strategy. (B)

Imagine a company that has recently suffered a significant data breach. In response, the newly appointed CISO mandates the implementation of a complex multi-factor authentication system for all internal and external applications. The system utilizes biometric scanning, time-based one-time passwords, and requires users to answer a rotating set of security questions. While the system drastically reduces the risk of unauthorized access, it also introduces significant friction into daily workflows, leading to widespread user frustration, resistance, and a noticeable decline in overall productivity. Many users begin circumventing the system where possible, logging fewer support tickets to resolve any issues. What is the most strategic action the CISO should consider to prevent more negative outcomes?

Conduct a thorough cost-benefit analysis of the security measures, focusing on usability, and seeking input from end users. (A)

After numerous successful social engineering attacks targeting its employees, a large corporation assembles an 'Information Security Project Team' to address the issue. The team composition includes a project champion, a team leader, systems administrators, and security professionals. Which additional role is most crucial for developing realistic and effective security controls in this specific scenario?

End Users from Various Departments and Levels of Technical Knowledge (A)

In a hypothetical scenario, a nation-state adversary is suspected of launching a sophisticated cyberattack against a critical infrastructure target (e.g., a power grid). The attack exploits a previously unknown vulnerability in a widely used industrial control system (ICS) protocol ($CVE-XXXX-YYYY$). In the aftermath of the attack, incident responders discover evidence of custom-developed malware designed to specifically target the affected ICS protocol and subtly manipulate its behavior. Furthermore, the malware exhibits advanced anti-forensic capabilities, making analysis and attribution extremely challenging. Which strategy would be most strategic in this severe case?

Implement network segmentation and intrusion detection systems to contain the spread of the attack. (A)

A team discovers a brand-new variant of ransomware employing a combination of never-before-seen techniques. Its encryption algorithm has been verified as quantum-resistant, thwarting decryption via any current methods. Further frustrating efforts, command-and-control infrastructure exists on the dark web, obfuscated through multi-layered proxies, and payment requires an untraceable cryptocurrency. Given this, which action would have the highest impact on defending against this new variant?

Offline backups. (D)

An organization mandates end-to-end encryption for all communications, even for mundane internal messages. However, this increases work friction. How would one solve this problem?

Automated, seamless, and user-friendly cryptography. (C)

Why is 'Attack' an important concept in information security?

Because it can compromise info and systems. (B)

Who should an Information Security Project Team consist of?

End users, champion, leader. (D)

Flashcards

Cyber security mission?

Prevent unauthorized access, deletion, or modification of digital data.

Malware

Software designed to infiltrate and damage computer systems.

Denial-of-Service (DoS)

Overloading a service to make it unavailable to legitimate users.

0-day attack

Exploiting a vulnerability before a patch is available.

Confidentiality (C)

An attribute of information ensuring it is shielded from unauthorized disclosure.

Integrity (I)

An attribute of information ensuring it is complete and uncorrupted.

Availability (A)

Ensuring authorized users can access information when needed.

C.I.A. triad

A standard based on confidentiality, integrity, and availability.

Access in security?

The ability to use, manipulate, modify, or affect another object.

Asset in cybersecurity?

A protected resource.

Attack

An intentional or unintentional act that can compromise information.

Control, safeguard, or countermeasure

Security mechanisms, policies, or procedures to counter attacks.

Exploit

A technique used to compromise a system.

Exposure

State of being exposed.

Risk

Impact from an unwanted occurrence.

Threat

Any event or circumstance that can adversely affect operations and assets.

Threat Agent

The specific instance or component of a threat.

Threat event

An event caused by a threat agent.

Vulnerability

Faults in system expose information to attack.

Bottom-Up Approach

Attempt to improve security by individual administrators.

Top-Down Approach

Issuing policies and processes from upper management.

Study Notes

Module Structure

• COMP1806 is the course code for Information Security.
• Lecturers for the course are Sadiq (S) and Manos (M).
• There are 11 lectures and 11 tutorials in 11 weeks.
• Tutorials elaborate on lecture content, solve problems, and encourage discussions.
• Check the timetable for specific class times and locations.

Module Guide

• Slides provide a course outline.
• Prepare questions for lecturers to ask in advance.
• Stay updated on security-related news through online monitoring.
• Reliable sources for security news include threatpost.com, theregister.co.uk/security/, hackmageddon.com, and bbc.co.uk/news/topics/cp3mvpd-p1r2t/cyber-attacks.
• Use internet resources to research subject material.
• Exercise caution with results from Google and Wikipedia and cross-reference with authoritative sites.

State of the Art Resources

• "Principles of information security" 6th edition from Whitman, M. E., & Mattord, H. J. (2017) is a useful resource.
• Cengage Learning publishes "Principles of information security" with ISBN-13: 978-1337102063.
• "Security engineering" from Anderson, R. (2018) is a background textbook.
• John Wiley & Sons publishes "Security engineering" with ISBN-13: 978-0470068526.
• Key scientific journals and magazines: IEEE Security & Privacy Magazine, Computers & Security Journal (Elsevier), IEEE Transactions on Dependable and Secure Computing, IEEE Transactions on Information Forensics and Security, and ACM Transactions on Privacy and Security.
• Relevant industry white papers, reports, and products.

Module Assessment

• Coursework accounts for 60% of the final grade, with specifications listed in the handbook.
• Up to 6 pages including references
• The final exam accounts for 40%, consisting of 40 multiple-choice questions answered in 1 hour.
• Refer to Handbook for details

Indicative Lectures

• L1: Introduction to Information Security (S)
• L2: Cyber attacks (M)
• L3: Cyber Security Planning (M)
• L4: Cyber Risk Assessment (M)
• L5: Cyber Defenses and Risk Management (M)
• L6: Designing Secure Systems (S)
• L7: AI-powered Cyber Security Strategies (M)
• L8: Introduction to Cryptography (S)
• L9: Applications of Cryptography (S)
• L10: Legal, ethical, and privacy issues (S)
• L11: Summary of all weeks and research topics (S)

Rationale for Cyber Security

The mission is to prevent unauthorized parties from accessing, deleting, or modifying digital data.

• Cyber security is needed because everyone is concerned.
• Cybercrime is expensive which can seriously affect businesses/economies, and can have life-threatening safety implications.
• Common dangers include malware, hacking, password theft, identity theft, and Denial-of-Service (DoS) attacks.

Goals for cyber security

• Cyber security is more of an art than a science, combining multiple disciplines and requiring experience.
• Cyber security is not a job for perfectionists, as complete success is impossible and new vulnerabilities will continue to be discovered.
• One vulnerability is sufficient to compromise a system.

Cyber Security Overview

• Billions of interconnected devices can lead to a cyber attack from anywhere due to a large attack surface.
• Examples include IoT, interconnected cars, 5G, healthcare, and smart grids.
• Attacks exploit vulnerabilities in systems, networks, and software.
• Artificial Intelligence (AI) introduces new vulnerabilities.
• Defenders use countermeasures to prevent being hacked.
• Cost is an obstacle and not just a consideration for countermeasures relating to legacy systems.
• Data breaches are frequent and costly, with over 99.2 million records breached in July 2022.
• Russian hackers are suspected of intellectual property theft related to Covid-19 vaccines.
• 2022 Data Breach Investigations Report: https://enterprise.verizon.com/en-gb/resources/reports/dbir/

History of Information Security

• It began with computer security for protection of physical locations and defending against physical theft, espionage, and sabotage.
• Development of computer security began immediately after the first mainframes.
• During World War II, Groups developed code-breaking computations.
• The German cryptographic device Enigma was broken.
• During the Cold War, Larry Roberts, the founder of the Internet, created the ARPANET project.

The 1990s

• Computer networks became more common and required connection.
• The Internet became the first global network, leading to a loss of physical control.
• Stored information was more exposed to threats.
• In early Internet deployments, security was a low priority.
• In the late 1990s and 2000s, security was integrated into large corporations.
• 1993 was the start of the Defcon conference.

2000 to present

• Antivirus products became popular.
• Information security emerged as a discipline.
• Today, the Internet has brought millions of unsecured networks into communication.
• The ability to secure data is influenced by security of every connected computer.
• The growing threat of cyber attacks has increased the emphasis on improved security.

What is Security

• Security means protection from adversaries aiming to cause intentional or unintentional harm.
• Being secure means freedom from danger and harm.
• Security involves actions to make something or someone secure.
• Security = the protection of information and its critical elements.
• Critical elements include systems and hardware that use, store, and transmit information like CNSS.

Core aspects

• Core aspects include information security management, data security, and network security.

Protection

• Information security management requires controls to protect confidentiality (C), integrity (I), and availability (A).
  • Confidentiality: Protecting information from unauthorized disclosure or exposure to unauthorized individuals or systems.
  • Integrity: Ensuring information is whole, complete, and uncorrupted.
  • Availability: Enables authorized users or computer systems to access information without interference or obstruction, and receive it in the required format. Protect digital data through data security.
• Network security involves preventing and monitoring for malicious intrusions.
  • Includes unauthorized access, misuse, modification, and Denial of resources.

CIA Triad

• Successful organizations use multiple layers of security for physical infrastructure, people, operations, communications, network, and information.
• CIA triad involves maintaining Confidentiality, Integrity, and Availability.
• Focus on critical characteristics of information extends to more than CIA.

Beyond CIA

• Expanded model beyond CIA incorporates Accountability and Authenticity.

Computer Security Challenges

• Computer security is more complex than it appears.
• Security mechanisms and algorithms must consider potential attacks.
• Procedures used to provide particular services can be counterintuitive.
• Requires defining a good physical and logical placement.
• Involves secret information access control and rights management.
• Attackers only need a single weakness, whereas designers must eliminate many.
• Too often is an afterthought and not an integral part of the design process.
• Requires regular and constant monitoring.
• Users and system managers may not see benefit until failure.
• Strong security can be seen as an impediment to efficient and user-friendly operation.

Key Information Security Concepts

• Access: The ability to use, manipulate, modify, or affect another subject or object.
• Asset: A protected resource.
• Attack: An intentional or unintentional act that can damage or compromise information and systems.
• Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can counter attacks.
• Exploit: A technique used to compromise a system.
• Exposure: a condition or state of being exposed.
• Loss: A single instance of an information asset suffering some damage or destruction (impact).
• Protection profile or security posture: entire set of controls and safeguards that protect the asset.
• Risk: Expected impact of an unwanted occurrence.
• Threat: Any circumstance that has the potential to adversely affect operations and assets.
• Threat Event: an occurrence of an event caused by a threat agent
• Vulnerability: weaknesses or faults in a system or protection mechanism.
  • Allows an attack or damage to expose sensitive data.
• Threat Agent: The specific instance or a component of a threat.
• Subject / Attacker: A computer can be the active tool to conduct a cyber attack.
• Object / Target: An entity that is being targeted by a cyber attack.

Balancing Information Security and Access

• Achieving perfect information security is impossible.
• Security is a continual process, not an absolute goal.
• Security should balance protection and availability.
• Achieve balance by providing reasonable access while safely protecting against threats.

Approaches to Information Security Implementation

• Bottom-Up Approach: Systems administrators try to improve security of their systems.
• Key advantage: technical expertise of individual administrators.
• Lacks critical features: participant support and organizational resources.
• Top-Down Approach: Management initiates security measures,.
• Issue policy, procedures, and processes.
• Dictate goals and expected outcomes.
• Determine who is countable for each of the required actions.
• Involves strong upper-management support, dedicated champion, dedicated finding , clear planning, and organizational factors.
• Involves a systems development life cycle (SDLC) strategy.

Security Professionals and Organization

A diverse information security program requires a wide range of professionals.

• Chief Information Officer (CIO): A senior technology officer advising executives.
• Chief Information Security Officer (CISO): Responsible for assessment, management, and implementation.
• CISO usually reports directly to the CIO.

Security Project Team

To develop and execute security policies and procedures, technical and administrative expertise is required.

• Champion: Promotes the project and ensures administrative and financial support.
• Team leader: Project and personnel management, and information security technical requirements.
• Security policy developers: Understand organizational culture, policies, and requirements.
• Risk assessment specialists: Financial risk assessment techniques and also the value of organizational assets.
• Security professionals: Specialists in the technical and nontechnical aspects of information security.
• Systems administrators: Responsible for administering systems that house information.
• End users: Application of realistic controls and input from diverse departments.

Security as Art or Science

• Implementation of information security = combination of art and science
• Technology is developed by computer scientists and engineers.
• specific conditions cause every action in computer systems.
• Almsot every fault is a result of the interaction of specifc hardware and software.
• With time, developers can resolve and eliminate faults.

Security as a Social Science

• Security begins and ends with the people that interact with the system, intentionally or otherwise
• Social Science is relevant to the behavior of individuals using systems.
• End users that need the information are the security's personnel's weakest security link.
• Security administrators greatly reduce the levels of risk by user compliance.