Cybersecurity Fundamentals Week 2 Quiz
22 Questions

Questions and Answers

What principle ensures that access levels are minimized to only what is necessary for an application to function?

  • Default Access
  • Least Privilege (correct)
  • Excess Privilege
  • Complete Access

Which of the following describes privilege creep?

  • Immediate revocation of all user access privileges
  • Accumulation of access rights beyond what is necessary (correct)
  • Temporary granting of elevated privileges for tasks
  • Strict reduction of permissions to improve security

What is essential for complete mediation in security?

  • Checks should be burdensome to ensure security
  • Users self-manage their access permissions
  • Access is never denied once granted
  • All access must be verified every time (correct)

Which strategy helps to prevent unnecessary privilege accumulation in an organization?

  Answer: Regularly auditing user access privileges

What is the recommended default practice for application access?

  Answer: No access until explicitly granted

Which component contributes to a layered defense strategy?

  Answer: Firewalls, IDS, encryption, and access control

Which approach involves granting elevated privileges only as needed?

  Answer: Least Privilege Principle

What does the principle of Secure Defaults emphasize in software design?

  Answer: Only essential features should be enabled by default to minimize risk.

How does the Least Privilege Principle enhance software security?

  Answer: It ensures that users have only the minimum privileges required to perform their tasks.

What is the purpose of Separation of Duty in software security?

  Answer: To ensure critical tasks are divided among different individuals to reduce risk.

What is Privilege Creep and why is it a concern in software security?

  Answer: It occurs when users accumulate unnecessary privileges as their roles change, increasing vulnerability.

What is Complete Mediation and how does it affect system security?

  Answer: It requires that all access requests be checked against current permissions every time.

What does the concept of 'Least Privilege' emphasize?

  Answer: Access should be based on the principle of need-to-know.

Which of the following best describes 'Secure Defaults'?

  Answer: Applications are deployed with secure configurations by default.

In coding practices, what measure is advised to maintain security by limiting access?

  Answer: Limiting global variables and using local data.

What does 'Deny by Default' imply in access control?

  Answer: Everything not explicitly allowed is forbidden.

Complete mediation in security contexts refers to what?

  Answer: Not relying on cached (remembered) access decisions, so that every access is checked against current permissions.

What is a potential consequence of privilege creep?

  Answer: Security risks increase due to excessive user privileges.

Which mechanism helps ensure that access to sensitive information requires multiple conditions to be met?

  Answer: Two-person rule

What principle stresses minimizing shared mechanisms among users in a system?

  Answer: Least Common Mechanism

Failure in a system should be designed to do what according to fail-safe principles?

  Answer: Cause no or minimal harm to other systems or users.

Which of the following reflects a proper understanding of 'Separation of Duty'?

  Answer: Dividing responsibilities among multiple individuals to prevent fraud.

    Study Notes

    Course Information

    • Course Name: Cybersecurity Fundamentals
    • Course Code: CSC 1029

    Week 2 Agenda

    • What is Cybersecurity and Types of Attacks
    • Cybersecurity Objectives
    • What are we protecting
    • Cost of Cybersecurity
    • Your Next Move: Software Developer Vulnerabilities
    • Threat Model: STRIDE
    • Types of Attacks
    • Importance of Software Security
    • TODO and Resources for Help

    Objectives

    • Understanding cybersecurity and its importance
    • Knowing what is being protected from attackers
    • Learning from historical and current events, emerging trends

    What is Cybersecurity?

    • Read CompTIA article (link provided).
    • Watch YouTube video (link provided).

    Objectives of Cybersecurity

    • Read CompTIA resource on the State of Cybersecurity for 2024 Market Overview through to Policy (link provided).
    • Students to determine top objectives for Cybersecurity.

    What are we Protecting?

    • Review 16 Critical Infrastructure Sectors (link provided).

    Cost of Cybersecurity

    • Estimated global cost of cybercrime in 2021: $6.1 trillion.
    • Estimated global spending on cybersecurity in 2022: $172.5 billion.
    • U.S. job openings requesting cybersecurity-related skills: 714,548 (Source: CyberSeek).

    Your Next Move: Software Developer

    • Read CompTIA blog on Your Next Move Software Developer (link provided).

    Vulnerabilities

    • Review the National Vulnerability Database (link provided).
    • Explore visualizations of vulnerabilities.

    Threat Model: STRIDE

    • Spoofing
    • Tampering
    • Repudiation
    • Information Disclosure
    • Denial of Service
    • Elevation of Privilege

    Types of Attacks

    • Social engineering (organization penetration, IT infrastructure exploration, phishing, spam, spoofing, man in the middle)
    • Attacks on application's software (Cross-site scripting (XSS), Buffer overflows, SQL code injection, Time/logic bombs, Back door)
    • Attacks on supporting infrastructure (Denial of Service (DoS), Viruses, Worms, Trojans, Spyware, Adware)
    • Physical attacks (external drives, flash sticks, bringing down the system, stealing hardware)

    Importance of Software Security

    • Engineering software to function correctly under malicious attack
    • Addressing security vulnerabilities in the early stages of development
    • Security as a risk management practice (link to article provided)
    • Software security covers many aspects of the software: detecting malicious attacks, continuing to function while under attack, and maintaining confidentiality, integrity, and availability

    Cybersecurity Principles

    • Complete provided interactive lesson

    SDL Secure Design Principles

    • Safer applications start with secure design
    • Assume all applications can be compromised
    • Core SDL secure design principles: Attack Surface Reduction, Basic Privacy, Threat Modeling, Defense in Depth, Least Privilege, Secure Defaults.

    Attack Surface Reduction

    • The attack surface is every part of an application that a human or another program can reach (inputs, interfaces, open ports, files, exposed features)
    • Minimize the exposed attack surface: what is exposed is what malicious users will find and exploit

    Basic Privacy

    • Privacy vs. security: privacy empowers users to control their personal information; security establishes the measures that protect its confidentiality
    • Privacy and security are both key factors in a trusted application

    Threat Modeling

    • A process for understanding the threats to an application
    • Threats and vulnerabilities are different things: a threat is what an attacker may try to do
    • Vulnerabilities are the specific ways a threat becomes exploitable (e.g., coding errors)
    • Steps: identify, define, validate, mitigate, and validate

    Defense in Depth

    • Assumes that software and hardware will fail
    • Trusted applications combine security and privacy features
    • An application protected by a single layer (e.g., only a firewall) is compromised as soon as that one layer is breached
    • Multiple independent layers defend the application, so one failure does not expose everything

    Least Privilege

    • If an application is compromised, the potential damage is contained and minimized
    • Trust with reluctance; grant access on a need-to-know basis
    • Evaluate what the application minimally requires (the default is no access)
    • Give each application function the minimum access level it needs
    • Elevate privileges only when needed, and release them afterward

    Privilege Creep and Complete Mediation

    • Privilege creep: the gradual accumulation of access rights beyond what an individual needs for their job
    • Occurs when a job changes and new privileges are granted without the old ones being revoked
    • Complete mediation: every access to every object must be checked for authority, every time; the check must be efficient enough that nobody is tempted to skip it, and cached ("remembered") access decisions should be treated with suspicion because they can outlive the permission they were based on

    Separation of Privilege or Duty

    • Separation of privilege: access depends on more than one condition being satisfied (e.g., multi-factor authentication)
    • Separation of duties / two-person rule: a sensitive task needs more than one person
    • In code: limit global variables; prefer local data and explicit arguments
    • Permission to access = authorization
    • Define the objects to be accessed and who should be allowed to access them

    Least Common Mechanism

    • Minimize mechanisms that are shared by multiple users, since every user then depends on them
    • Every shared mechanism is a potential information path between users

    Secure Defaults

    • Deploy applications with secure configurations by default
    • Ensures safer user experience from the start.
    • Favor white-listing over black-listing (if some action fails, the default is deny-access)
    • Simplicity is favored
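The "favor white-listing over black-listing" point above is easiest to see with code. The following is an added example, not part of the course material: a black-list filter that strips known-bad fragments from a user-supplied value, beside a white-list check that accepts only the permitted shape. The sample inputs, the `BLOCKLIST` contents and the username rule are constructed for the demonstration.

```python
import re
from typing import Optional

# Constructed sample inputs for a username field that will be echoed into an
# HTML page (assumption for the demo; not the course's data).
SAMPLES = [
    "alice_01",                               # legitimate
    "<SCRIPT>alert(1)</SCRIPT>",              # case variation of a listed token
    "<scr<scriptipt>alert(1)</script>",       # nested token: one pass of stripping re-forms it
    'x" onmouseover="alert(1)',               # attribute breakout using no listed token at all
]

# Black-listing: name what is forbidden; everything else passes by default.
BLOCKLIST = ("<script", "javascript:", "onerror")


def blocklist_filter(value: str) -> str:
    """Strip each forbidden fragment (non-overlapping, left to right, exactly
    as str.replace works). Whatever the list does not name passes through."""
    out = value
    for bad in BLOCKLIST:
        out = out.replace(bad, "")
    return out


# White-listing: name what is allowed; the default outcome is rejection.
USERNAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def allowlist_check(value: str) -> Optional[str]:
    """Return the value only if the whole string matches the permitted shape;
    otherwise None, i.e. deny."""
    return value if USERNAME.fullmatch(value) else None


def looks_dangerous(value: str) -> bool:
    """Crude oracle for the demo: markup, a quote or a script token survived."""
    return "<" in value or '"' in value or "script" in value.lower()


def evaluate(samples=SAMPLES) -> dict:
    """For each sample: what the black-list lets through, whether that output
    is still dangerous, and whether the white-list accepts the input."""
    result = {}
    for s in samples:
        filtered = blocklist_filter(s)
        result[s] = {
            "blocklist_output": filtered,
            "blocklist_passed_attack": looks_dangerous(filtered),
            "allowlist_accepts": allowlist_check(s) is not None,
        }
    return result


if __name__ == "__main__":
    for sample, verdict in evaluate().items():
        print(f"{sample!r}: {verdict}")
```

Every malicious sample gets past the black-list one way or another (different case, a token that re-forms after one stripping pass, or a payload the list never named), while the white-list rejects all of them simply because none has the shape of a username. The white-list also fails closed on inputs nobody thought about, such as the empty string or an over-long value.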

    Deny by Default and Fail-Safe

    • Deny by default: everything not explicitly permitted is forbidden
    • Fail-safe design: when a specific kind of failure occurs, the system responds in a way that avoids harm (for access control, a failed check means access is denied)
    • Design the system so that failures cannot produce unsafe consequences
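The Least Privilege, Privilege Creep and Complete Mediation, Separation of Duty, and Deny by Default notes above all describe behaviour of one component: the code that decides whether an access is allowed. The following added example (not the course's code; every role, user, action and resource name is made up for illustration) is a small reference monitor that shows the four principles working together: absent grants are denied, every check consults the live policy rather than a remembered answer, a role can be elevated only for the duration of a task, and a wire transfer needs a requester and a distinct approver.

```python
from contextlib import contextmanager
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Live authorization state. Roles and grants here are hypothetical."""
    # role -> set of (action, resource) pairs that role may perform
    grants: dict = field(default_factory=dict)
    # user -> set of roles currently held
    roles: dict = field(default_factory=dict)

    def allows(self, user: str, action: str, resource: str) -> bool:
        # Deny by default: anything not explicitly granted is forbidden.
        for role in self.roles.get(user, set()):
            if (action, resource) in self.grants.get(role, set()):
                return True
        return False


class Mediator:
    """Reference monitor: every access goes through check(), which consults the
    current policy on each call (complete mediation) and records the decision."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.audit = []

    def check(self, user: str, action: str, resource: str) -> bool:
        decision = self.policy.allows(user, action, resource)  # never a cached answer
        self.audit.append((user, action, resource, decision))
        return decision


@contextmanager
def elevated(policy: Policy, user: str, role: str):
    """Least privilege: hold an extra role only for the duration of a task and
    release it afterwards, even if the task raises."""
    held = policy.roles.setdefault(user, set())
    already = role in held
    held.add(role)
    try:
        yield
    finally:
        if not already:
            held.discard(role)


class TwoPersonRule:
    """Separation of duty: a transfer needs a requester and a distinct approver,
    each authorized for their own step; nobody can approve their own request."""

    def __init__(self, mediator: Mediator):
        self.m = mediator
        self.requests = {}  # request_id -> {"requester": str, "approver": str or None}

    def request(self, user: str, request_id: str) -> bool:
        if not self.m.check(user, "request", "wire_transfer"):
            return False
        self.requests[request_id] = {"requester": user, "approver": None}
        return True

    def approve(self, user: str, request_id: str) -> bool:
        req = self.requests.get(request_id)
        if req is None or req["requester"] == user:   # no self-approval
            return False
        if not self.m.check(user, "approve", "wire_transfer"):
            return False
        req["approver"] = user
        return True

    def execute(self, request_id: str) -> bool:
        req = self.requests.get(request_id)
        return bool(req and req["approver"] is not None)


def demo() -> dict:
    """Walk through the principles on a constructed policy and return outcomes."""
    policy = Policy(
        grants={
            "clerk": {("request", "wire_transfer"), ("read", "ledger")},
            "manager": {("approve", "wire_transfer")},
        },
        roles={"alice": {"clerk"}, "bob": {"manager"}, "carol": set()},
    )
    m = Mediator(policy)
    out = {}
    out["carol_read"] = m.check("carol", "read", "ledger")            # no grant -> denied
    out["alice_read"] = m.check("alice", "read", "ledger")            # clerk -> allowed
    with elevated(policy, "carol", "clerk"):                          # scoped elevation
        out["carol_read_elevated"] = m.check("carol", "read", "ledger")
    out["carol_read_after"] = m.check("carol", "read", "ledger")      # released again
    policy.roles["alice"].discard("clerk")                            # revoke mid-session
    out["alice_read_after_revoke"] = m.check("alice", "read", "ledger")  # seen immediately
    policy.roles["alice"].add("clerk")
    tp = TwoPersonRule(m)
    out["alice_requests"] = tp.request("alice", "tx1")
    out["alice_self_approve"] = tp.approve("alice", "tx1")            # blocked
    out["carol_approve"] = tp.approve("carol", "tx1")                 # no approve grant
    out["exec_before_approval"] = tp.execute("tx1")
    out["bob_approve"] = tp.approve("bob", "tx1")
    out["exec_after_approval"] = tp.execute("tx1")
    out["audit_entries"] = len(m.audit)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The revoke-mid-session step is the complete mediation point: because `check()` asks the policy every time instead of caching the earlier "allowed", Alice loses access the moment her role is removed. A design that remembered the first decision would keep granting it, which is exactly how privilege creep turns into an exploitable path.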

    MGM Casino Cyberattack (2023)

    • Read article on the attack (link provided)
    • Evaluate if MGM followed secure design principles (Attack Surface Reduction, Basic Privacy, Threat Modeling, Defense in Depth, Least Privilege, Secure Defaults).

    Pre-work Grade/TODO's

    • Post weekly discussion question and research solution to D2L.
    • Complete Week 2 Content Module to 100% in D2L.

    Questions/Help/Clarification

    • Student office hours (appointments and drop-ins).
    • Email address
    • RRCC on-campus tutoring
    • 24/7 online tutoring available in D2L

    Description

    Test your understanding of the key concepts covered in Week 2 of Cybersecurity Fundamentals. This quiz includes questions on types of attacks, cybersecurity objectives, and the importance of software security. Dive deeper into what we are protecting against cyber threats and the associated costs.
