Cybersecurity Fundamentals Week 2 Quiz
22 Questions

Questions and Answers

What principle ensures that access levels are minimized to only what is necessary for an application to function?

  • Default Access
  • Least Privilege (correct)
  • Excess Privilege
  • Complete Access

Which of the following describes privilege creep?

  • Immediate revocation of all user access privileges
  • Accumulation of access rights beyond what is necessary (correct)
  • Temporary granting of elevated privileges for tasks
  • Strict reduction of permissions to improve security

What is essential for complete mediation in security?

  • Checks should be burdensome to ensure security
  • Users self-manage their access permissions
  • Access is never denied once granted
  • All access must be verified every time (correct)

Which strategy helps to prevent unnecessary privilege accumulation in an organization?

  • Regularly auditing user access privileges (correct)

What is the recommended default practice for application access?

  • No access until explicitly granted (correct)

Which component contributes to a layered defense strategy?

  • Firewalls, IDS, encryption, and access control (correct)

Which approach involves granting elevated privileges only as needed?

  • Least Privilege Principle (correct)

What does the principle of Secure Defaults emphasize in software design?

  • Only essential features should be enabled by default to minimize risk. (correct)

How does the Least Privilege Principle enhance software security?

  • It ensures that users have only the minimum privileges required to perform their tasks. (correct)

What is the purpose of Separation of Duty in software security?

  • To ensure critical tasks are divided among different individuals to reduce risk. (correct)

What is Privilege Creep and why is it a concern in software security?

  • It occurs when users accumulate unnecessary privileges as their roles change, increasing vulnerability. (correct)

What is Complete Mediation and how does it affect system security?

  • It requires that all access requests be checked against current permissions every time. (correct)

What does the concept of 'Least Privilege' emphasize?

  • Access should be based on the principle of need-to-know. (correct)

Which of the following best describes 'Secure Defaults'?

  • Applications are deployed with secure configurations by default. (correct)

In coding practices, what measure is advised to maintain security by limiting access?

  • Limiting global variables and using local data. (correct)

What does 'Deny by Default' imply in access control?

  • Everything not explicitly allowed is forbidden. (correct)

Complete mediation in security contexts refers to what?

  • Not relying on cached authorization results, so that every access is checked against current permissions. (correct)

What is a potential consequence of privilege creep?

  • Security risks increase due to excessive user privileges. (correct)

Which mechanism helps ensure that access to sensitive information requires multiple conditions to be met?

  • Two-person rule (correct)

What principle stresses minimizing shared mechanisms among users in a system?

  • Least Common Mechanism (correct)

Failure in a system should be designed to do what according to fail-safe principles?

  • Cause no or minimal harm to other systems or users. (correct)

Which of the following reflects a proper understanding of 'Separation of Duty'?

  • Dividing responsibilities among multiple individuals to prevent fraud. (correct)

Flashcards

Coding Error

A mistake in the code of a software application, leading to unexpected or undesired behavior.

Defense in Depth

A security strategy that uses multiple layers of defense to protect a system. If one layer fails, other layers can still protect the system.

Least Privilege

A security principle that limits a user's access to only the resources they need to perform their tasks, and nothing more.

Privilege Creep

The gradual accumulation of excessive access rights by a user beyond what is required for their job, potentially creating security risks.

Tampering

An attack that involves unauthorized modification of data or software.

Denial of Service (DoS)

An attack that prevents legitimate users from accessing a service or resource, usually by overwhelming it with requests.

Complete Mediation

Every access attempt to a protected resource must be checked and verified before use.

Software Security

The practice of designing and developing software that resists malicious attacks, ensuring it continues to function correctly even under attack.

Attack Surface Reduction

Minimizing the number of ways attackers can access and exploit a system, focusing on making your software harder to attack.

Basic Privacy

Protecting sensitive user information by giving users control over how their data is collected, used, and shared.

Threat Modeling

Analyzing potential threats to a software system and identifying vulnerabilities that could be exploited.

Separation of Privilege/Duty

Ensuring access to resources depends on multiple conditions.

Multi-factor Authentication

An authentication method that requires more than one independent verification factor (for example, a password plus a one-time code).

Least Common Mechanism

Minimizing the mechanisms shared between users reduces the number of potential attack points and information paths.

Secure Defaults

Deploy applications with strong security settings pre-configured.

Fail-safe Defaults

Security system responds to failure in a safe manner.

Deny by Default

Access is restricted unless explicitly granted.

Study Notes

Course Information

  • Course Name: Cybersecurity Fundamentals
  • Course Code: CSC 1029

Week 2 Agenda

  • What is Cybersecurity and Types of Attacks
  • Cybersecurity Objectives
  • What are we protecting
  • Cost of Cybersecurity
  • Your Next Move: Software Developer Vulnerabilities
  • Threat Model: STRIDE
  • Types of Attacks
  • Importance of Software Security
  • TODO and Resources for Help

Objectives

  • Understanding cybersecurity and its importance
  • Knowing what is being protected from attackers
  • Learning from historical and current events, emerging trends

What is Cybersecurity?

  • Read CompTIA article (link provided).
  • Watch YouTube video (link provided).

Objectives of Cybersecurity

  • Read CompTIA resource on the State of Cybersecurity for 2024 Market Overview through to Policy (link provided).
  • Students to determine top objectives for Cybersecurity.

What are we Protecting?

  • Review 16 Critical Infrastructure Sectors (link provided).

Cost of Cybersecurity

  • Estimated global cost of cybercrime in 2021: $6.1 trillion.
  • Estimated global spending on cybersecurity in 2022: $172.5 billion.
  • U.S. job openings requesting cybersecurity-related skills: 714,548 (Source: CyberSeek).

Your Next Move: Software Developer

  • Read CompTIA blog on Your Next Move Software Developer (link provided).

Vulnerabilities

  • Review the National Vulnerability Database (link provided).
  • Explore visualizations of vulnerabilities.

Threat Model: STRIDE

  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege

Types of Attacks

  • Social engineering (organization penetration, IT infrastructure exploration, phishing, spam, spoofing, man in the middle)
  • Attacks on application's software (Cross-site scripting (XSS), Buffer overflows, SQL code injection, Time/logic bombs, Back door)
  • Attacks on supporting infrastructure (Denial of Service (DoS), Viruses, Worms, Trojans, Spyware, Adware)
  • Physical attacks (external drives, flash sticks, bringing down the system, stealing hardware)

Importance of Software Security

  • Engineering software to function correctly under malicious attacks
  • Addressing security vulnerabilities in early stages of development.
  • Security as a risk management practice (link to article provided)
  • Software security covers several aspects: detecting malicious attacks, continuing to function under attack, and maintaining confidentiality, integrity, and availability.

Cybersecurity Principles

  • Complete provided interactive lesson

SDL Secure Design Principles

  • Safer applications start with secure design
  • Assume all applications can be compromised
  • Core SDL secure design principles: Attack Surface Reduction, Basic Privacy, Threat Modeling, Defense in Depth, Least Privilege, Secure Defaults.

Attack Surface Reduction

  • The attack surface is every part of an application that a human or another program can reach (inputs, interfaces, exposed services).
  • Minimize the exposed attack surface: every exposed entry point is something a malicious user can find and exploit.

Basic Privacy

  • Privacy vs. security: privacy empowers users to control their personal information; security establishes the measures that protect its confidentiality.
  • Privacy and security are both key factors in a trusted application.

Threat Modeling

  • A process for understanding the threats to an application
  • Threats and vulnerabilities are different things
  • A vulnerability is a specific way a threat can be exploited (e.g., a coding error)
  • Steps: identify threats, define them, validate them, mitigate them, and validate the mitigations.

Defense in Depth

  • Assumes that software and hardware will fail
  • Trusted applications combine security and privacy features
  • If there is only one layer (e.g., a firewall), a single breach compromises the application
  • Multiple layers defend the application: if one layer fails, the others still hold

Least Privilege

  • If an application is compromised, the potential damage is contained and minimized
  • Trust with reluctance; need-to-know
  • Evaluate what the application minimally needs (the default is no access)
  • Grant the minimum access level each application function requires
  • Elevate privileges only when needed and release them afterward

Privilege Creep and Complete Mediation

  • Privilege creep: the gradual accumulation of access rights beyond what an individual needs for their job
  • It typically occurs when a job changes and new privileges are granted without the old ones being removed
  • Complete mediation: every access to an object must be checked against current permissions each time; cached authorization results must be restricted because they go stale when permissions change, so the check has to be efficient enough to run on every access
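
The following is an added example, not code from the course: a small authorization layer in Python that ties together deny by default, temporary elevation under least privilege, complete mediation (every call re-checks the live permission store rather than a cached decision), and a privilege-creep audit that compares a user's actual grants with their current role's baseline. The roles, permission names and users are constructed for illustration.

```python
"""Added example (not course code): deny by default, least privilege with
temporary elevation, complete mediation and a privilege-creep audit.
Roles, permissions and users below are constructed for illustration."""
from dataclasses import dataclass, field

# Minimum permissions each job function needs (constructed baseline).
ROLE_BASELINE = {
    "developer": {"repo:read", "repo:write", "ci:trigger"},
    "support": {"tickets:read", "tickets:write"},
}


@dataclass
class User:
    name: str
    role: str
    grants: set = field(default_factory=set)  # permissions actually assigned


class PermissionStore:
    """Single source of truth for current grants."""

    def __init__(self):
        self._users = {}

    def add(self, user):
        self._users[user.name] = user

    def grant(self, name, perm):
        self._users[name].grants.add(perm)

    def revoke(self, name, perm):
        self._users[name].grants.discard(perm)

    def change_role(self, name, role):
        # Deliberately leaves old grants in place, the way real role changes
        # often do; the audit below is what catches the leftovers.
        self._users[name].role = role

    def is_allowed(self, name, perm):
        # Deny by default: an unknown user or a missing grant is False.
        user = self._users.get(name)
        return user is not None and perm in user.grants

    def excess_privileges(self, name):
        """Privilege-creep audit: grants beyond the user's current role baseline."""
        user = self._users[name]
        return user.grants - ROLE_BASELINE.get(user.role, set())


def guarded_deploy(store, actor):
    """Complete mediation: the decision is made fresh on every call and never
    cached, so a revocation takes effect on the very next request."""
    if not store.is_allowed(actor, "prod:deploy"):
        raise PermissionError(f"{actor} may not deploy")
    return f"deployed by {actor}"


def demo():
    store = PermissionStore()
    store.add(User("alice", "developer", set(ROLE_BASELINE["developer"])))
    store.grant("alice", "prod:deploy")  # elevate only for this release
    first = guarded_deploy(store, "alice")
    store.revoke("alice", "prod:deploy")  # release the privilege afterward
    try:
        guarded_deploy(store, "alice")
        after_revoke = "allowed"
    except PermissionError:
        after_revoke = "denied"
    # Alice later moves to support; nobody removes her developer grants.
    store.change_role("alice", "support")
    store.grant("alice", "tickets:read")
    creep = store.excess_privileges("alice")
    return {"first": first, "after_revoke": after_revoke, "creep": creep}


if __name__ == "__main__":
    print(demo())
```

The audit in `excess_privileges` is the "regularly audit user access privileges" control from the quiz expressed as code: run it on a schedule and every grant outside the role baseline becomes a ticket to remove or justify.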

Separation of Privilege or Duty

  • Separation of privilege: access depends on multiple conditions (e.g., multi-factor authentication)
  • Separation of duties / two-person rule: no single person can complete a critical task alone
  • In code: limit global variables; prefer local data and explicit arguments
  • Permission to access = authorization
  • Define the objects being protected and who should be able to access them
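
The two-person rule as code, added here as an example and not taken from the course: a sensitive action (a wire transfer, constructed for illustration) can only execute once two distinct people other than the requester have approved it. The requester cannot approve their own request, and repeated approvals by the same person do not count twice.

```python
"""Added example (not course code): separation of duty via a two-person rule.
The transfer and the names are constructed for illustration."""
from dataclasses import dataclass, field

APPROVALS_REQUIRED = 2


@dataclass
class TransferRequest:
    requester: str
    amount: int
    approvers: set = field(default_factory=set)
    executed: bool = False

    def approve(self, approver: str) -> None:
        # Separation of duty: the person who asks can never be one who approves.
        if approver == self.requester:
            raise PermissionError("requester cannot approve own transfer")
        # A set, so the same approver cannot be counted twice.
        self.approvers.add(approver)

    def is_authorized(self) -> bool:
        return len(self.approvers) >= APPROVALS_REQUIRED

    def execute(self) -> str:
        if not self.is_authorized():
            raise PermissionError("two-person rule not satisfied")
        self.executed = True
        return f"transfer of {self.amount} by {self.requester} executed"


def demo():
    req = TransferRequest("alice", 50_000)
    outcomes = {}
    try:
        req.approve("alice")
        outcomes["self_approval"] = "accepted"
    except PermissionError:
        outcomes["self_approval"] = "rejected"
    req.approve("bob")
    req.approve("bob")  # a repeat by the same person is not a second approval
    outcomes["after_one"] = req.is_authorized()
    req.approve("carol")
    outcomes["after_two"] = req.is_authorized()
    outcomes["result"] = req.execute()
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The same shape applies to code review (the author cannot approve their own merge) and to key ceremonies (two custodians, each holding part of the secret).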

Least Common Mechanism

  • Minimize mechanisms shared by multiple users; a shared mechanism makes every user depend on it
  • Every shared mechanism is a potential information path between users
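
An added example (not from the course) of why a shared mechanism is an information path, and of the "limit global variables" advice from the section above: a request handler that keeps the current user's profile in module-level state leaks the previous user's data when a lookup fails, while a handler that keeps everything in local variables has nothing to leak. The profile store and users are constructed for illustration.

```python
"""Added example (not course code): a shared (global) mechanism leaking data
between users, next to a version that uses only per-request local state.
The profile store and user ids are constructed for illustration."""

# Shared mechanism: one module-level profile reused by every request the
# process handles. Nothing ties it to the request that is currently running.
_current_profile = {}


def handle_shared(user_id, store):
    """Loads the profile into shared state, then renders from that state.
    If the lookup fails (unknown user), whatever the previous request left
    behind is rendered instead: an information path between users."""
    global _current_profile
    if user_id in store:
        _current_profile = store[user_id]
    return f"Hello {_current_profile.get('name')} ({_current_profile.get('email')})"


def handle_local(user_id, store):
    """Per-request data only: the profile lives in a local variable, so no
    state outlives the call and an unknown user sees nothing but a default."""
    profile = store.get(user_id)
    if profile is None:
        return "Hello, unknown user"
    return f"Hello {profile['name']} ({profile['email']})"


# Constructed sample data: only u1 exists.
STORE = {"u1": {"name": "Alice", "email": "alice@example.com"}}


def demo():
    first = handle_shared("u1", STORE)
    leaked = handle_shared("u2", STORE)  # u2 unknown; Alice's data is shown
    safe = handle_local("u2", STORE)
    return {"first": first, "leaked": leaked, "safe": safe}


if __name__ == "__main__":
    print(demo())
```

The same pattern shows up with shared caches, connection pools and singletons in multi-tenant services: any state that is not scoped to one request or one user is a candidate for cross-user disclosure.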

Secure Defaults

  • Deploy applications with secure configurations by default
  • Ensures a safer user experience from the start
  • Favor allow-listing (white-listing) over block-listing (black-listing); if an action fails, the default is deny access
  • Simplicity is favored: simple mechanisms are easier to get right and to verify

Deny by Default and Fail-Safe

  • Deny by default: everything not explicitly permitted is forbidden
  • Fail-safe: an engineering design responds to a specific failure type without causing harm (for access control, fail closed)
  • Design the system so that failures cannot produce unsafe consequences
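
To make the allow-list, deny-by-default and fail-safe points concrete, here is an added example (not from the course) validating a post-login redirect target two ways. The block-list version permits anything not explicitly forbidden, so look-alike hosts, suffix tricks and a downgrade to plain HTTP all pass, and a malformed URL raises an exception instead of a decision. The allow-list version permits only known hosts over HTTPS and treats a parse failure as "deny". The hostnames are constructed for illustration; `urlsplit` is the standard-library parser.

```python
"""Added example (not course code): block-list vs allow-list validation of a
redirect target, with fail-safe handling of malformed input.
Hostnames in the lists and samples are constructed for illustration."""
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"app.example.com", "www.example.com"}  # constructed allow-list
BLOCKED_HOSTS = {"evil.example.net"}                    # constructed block-list


def redirect_allowed_blocklist(url: str) -> bool:
    """Block-list: everything not explicitly forbidden is permitted. A new
    host or a look-alike spelling slips through, and a parse error propagates
    to the caller instead of producing a safe answer."""
    host = urlsplit(url).hostname or ""
    return host not in BLOCKED_HOSTS


def redirect_allowed_allowlist(url: str) -> bool:
    """Allow-list with fail-safe: everything not explicitly permitted is
    forbidden, and any failure while parsing is treated as 'deny'."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    return (parts.hostname or "").lower() in TRUSTED_HOSTS


# Constructed sample targets covering the cases a block-list gets wrong.
SAMPLE_TARGETS = [
    "https://app.example.com/dashboard",        # legitimate
    "https://evil.example.net/phish",           # on the block-list
    "https://evi1.example.net/phish",           # look-alike, not on the block-list
    "https://app.example.com.attacker.test/",   # trusted name as a prefix only
    "http://app.example.com/",                  # downgrade to plaintext
    "https://[::1",                             # malformed IPv6 literal
]


def demo():
    """Returns {url: (block-list verdict, allow-list verdict)}; a block-list
    crash on malformed input is recorded as 'error'."""
    results = {}
    for url in SAMPLE_TARGETS:
        try:
            by_blocklist = redirect_allowed_blocklist(url)
        except ValueError:
            by_blocklist = "error"
        results[url] = (by_blocklist, redirect_allowed_allowlist(url))
    return results


if __name__ == "__main__":
    for url, verdicts in demo().items():
        print(f"{url:45} block-list={verdicts[0]!s:6} allow-list={verdicts[1]}")
```

Only the legitimate target is accepted by the allow-list; every other sample is denied, including the malformed one, which is the fail-safe behaviour the section describes. The block-list accepts four of the six and crashes on the sixth.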

MGM Casino Cyberattack (2023)

  • Read article on the attack (link provided)
  • Evaluate if MGM followed secure design principles (Attack Surface Reduction, Basic Privacy, Threat Modeling, Defense in Depth, Least Privilege, Secure Defaults).

Pre-work Grade/TODO's

  • Post weekly discussion question and research solution to D2L.
  • Complete Week 2 Content Module to 100% in D2L.

Questions/Help/Clarification

  • Student office hours (appointments and drop-ins).
  • Email address
  • RRCC on-campus tutoring
  • 24/7 online tutoring available in D2L

Description

Test your understanding of the key concepts covered in Week 2 of Cybersecurity Fundamentals. This quiz includes questions on types of attacks, cybersecurity objectives, and the importance of software security. Dive deeper into what we are protecting against cyber threats and the associated costs.
