Cybersecurity Threats and Principles
50 Questions

Questions and Answers

Which of the following is an example of a confidentiality threat?

  • Distributed denial of service attack
  • Data theft (correct)
  • Virus
  • Ransomware

Ransomware primarily affects the integrity of data.

    True

What are the two key principles that should be established according to authentication and authorization standards?

    Strong authentication and proper access permissions

An attacker might launch a ______ to make a system unavailable to its users.

    Distributed denial of service attack

Which of the following is NOT a threat to integrity?

    Cyber bullying

Match the security threats with their categories:

    Virus = Software threat
    Ransomware = Availability threat
    Data theft = Confidentiality threat
    Distributed denial of service = Availability threat

Security updates should be applied as soon as they become available.

    True

What does proper system infrastructure management entail?

    Proper configuration and timely security updates

What is the main purpose of operational security?

    To help users maintain security

Multi-factor authentication increases the likelihood of an intruder gaining access to the system with stolen credentials.

    False

What should be implemented to ensure you keep undamaged copies of program and data files?

    Backup policies

SQL poisoning attacks take advantage of situations where user input is used as part of an ______.

    SQL command

Match the following types of attacks with their descriptions:

    Buffer overflow attacks = Involves exceeding memory allocation limits
    SQL poisoning attacks = Uses malicious SQL to gain database access
    User command logging = Tracks user commands for security reviews
    Auto-logout = Automatically logs users out after inactivity

Which of the following is NOT a strategy for minimizing the effects of an attack?

    Ignoring unauthorized access

Injection attacks utilize valid input fields to execute malicious code.

    True

What is one common type of injection attack?

    SQL poisoning

What is the main goal of user lockout attacks?

    Lock users out to deny them access to the service

Brute force attacks typically involve attackers using weak passwords.

    True

What is authentication?

    The process of ensuring that a user is who they claim to be.

Attackers create different passwords and try to login with each of these in a ________ attack.

    brute force

Match the type of attack with its definition:

    User lockout attack = Locks users out after failed authentication attempts
    Brute force attack = Attempts multiple password combinations to gain access
    Authentication = Process of verifying user identity
    Denial of service attack = Prevents legitimate users from accessing services

What outcome may occur if accounts are not locked after failed validation attempts?

    Brute-force attacks on the system

Authentication is only necessary for software that does not contain user information.

    False

What tactic do attackers often use to speed up brute force attacks?

    Using lists of common passwords.

What does allocating users to groups in access control manage?

    Group-based permissions

Encryption transforms readable data into an unreadable format.

    True

What is used by the encryption algorithm to transform data?

    a secret key

Modern encryption techniques can make data practically __________ using current technology.

    uncrackable

Match the following resources with their corresponding permissions:

    Resource A = Read
    Resource B = Execute
    Resource C = Create, Delete
    Resource D = Read, Edit

What potential future technology may necessitate a new approach to encryption on the Internet?

    Quantum computing

All encryption methods used today are guaranteed to remain secure indefinitely.

    False

What is the reverse process of encryption called?

    decryption

What does the public key of the CA include?

    Key size and encryption algorithm

The public key can be used to encrypt the digital signature.

    False

What does TLS stand for?

    Transport Layer Security

The server's public key is included in the digital __________ sent to the client.

    certificate

What is the purpose of the RS and RC numbers generated during the TLS process?

    They help compute the symmetric key for data encryption.

What is a primary function of a Key Management System (KMS)?

    Maintaining encryption keys

To verify the identity of the client, the server encrypts the RS using its public key.

    False

Data protection regulations do not require archival data to be encrypted.

    False

What is the minimum retention period for tax and company data in the UK?

    six years

What needs to be checked regarding the digital certificate sent from the server?

    Issuer and validity

Younger people tend to be less inhibited about sharing personal information on ______.

    social networks

Data is exchanged using a __________ key computed from RS and RC.

    symmetric

Why should encryption keys be changed regularly?

    To reduce the risk of security breaches

Match the following components with their roles in TLS:

    Public key = Used to decrypt the digital signature
    Private key = Encrypts the RS
    Digital certificate = Includes the server's public key
    Symmetric key = Used to encrypt data during the session

Match the following terms with their correct definitions:

    Encryption = The process of converting data into a secure format
    Key Management System = A system for managing encryption keys
    Archival Data = Data retained for compliance and reference
    Privacy = The appropriate use of personal information by third parties

The process ends after the exchange of data using the symmetric key.

    True

Cultural and age differences influence individuals' views on privacy.

    True

What should be maintained by KMS for decrypting backup data and archives?

    multiple, timestamped versions of keys

    Study Notes

    Introduction to System Analysis and Design

    • BIS301 is an introductory course to System Analysis and Design
    • Lecture notes are based, in part, on work by Ian Sommerville

    Software Security

    • Software security is a high priority for developers and users
    • Failure to prioritize security leads to losses from malicious attacks
    • Attacks can put product providers out of business
    • Customer data compromise leads to subscription cancellations
    • Recovery from attacks requires significant time and effort, better spent on software security

    Types of Security Threats

    • Availability Threats: Attempt to deny access to legitimate users. Example: Distributed Denial of Service (DDoS) attack
    • Integrity Threats: Attempt to damage the system or its data. Example: Viruses or Ransomware
    • Confidentiality Threats: Attempt to gain access to private information. Example: Data theft

    System Infrastructure Stack

    • Operational Environment
    • Application
    • Frameworks and application libraries
    • Browsers and messaging
    • System libraries
    • Database
    • Operating system
    • Software infrastructure
    • Network

    Security Management

    • Authentication and Authorization: Establish standards and procedures to ensure strong authentication and proper access permissions
    • System Infrastructure Management: Ensure proper configuration and timely application of security updates to patch vulnerabilities
    • Attack Monitoring: Regularly check for unauthorized access and put in place resistance strategies to minimize the effects of detected attacks
    • Backup: Implement policies to keep undamaged copies of program and data files

    Operational Security

    • Focuses on helping users maintain security
    • User attacks trick users into disclosing credentials or accessing malware-laden websites (e.g., key-logging systems)
    • Security Procedures/Practices:
      • Auto-logout: Addresses the problem of users forgetting to log out of shared computers
      • User command logging: Discovers actions taken by users that damage system resources, either deliberately or accidentally.
      • Multi-factor authentication: Reduces the chance of intruders gaining access with stolen credentials

    Injection Attacks

    • Malicious users supply code or commands through input fields so that they end up inside database or system commands, which the system then executes
    • This may damage the system or leak system data to attackers
    • Examples include buffer overflow attacks and SQL poisoning attacks

    SQL Poisoning Attacks

    • Attacks exploit input to an SQL command
    • Malicious users utilize form input fields to insert SQL fragments that affect data access
    • This allows the attacker to get the desired information
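
The following is an added example, not part of the lecture notes or of Sommerville's material. It shows the defect the notes describe, a form input pasted into the text of an SQL command, next to the parameterized form that treats the input purely as a value. The database, table and names (`users`, `alice`, `bob`) are constructed for the demonstration.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample database for this demonstration (not a real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # The form input is pasted straight into the command text, so any SQL
    # fragment inside it becomes part of the command the database runs.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # The input is bound as a parameter: the command text is fixed and the
    # database treats the input purely as a value to compare against.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def row_counts(name: str) -> Tuple[int, int]:
    # (rows from the vulnerable lookup, rows from the parameterized lookup)
    # for the same input, so the difference in behaviour can be checked directly.
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_parameterized(conn, name))
    finally:
        conn.close()


def vulnerable_breaks_on(name: str) -> bool:
    # True if building the command by string concatenation fails on this input
    # while the parameterized lookup still runs. A legitimate name containing
    # an apostrophe is enough to break the concatenated version.
    conn = make_db()
    try:
        lookup_parameterized(conn, name)  # must not raise
        try:
            lookup_vulnerable(conn, name)
            return False
        except sqlite3.Error:
            return True
    finally:
        conn.close()


if __name__ == "__main__":
    print(row_counts("alice"))              # (1, 1): one row from each lookup
    print(row_counts("nobody' OR '1'='1"))  # (2, 0): the fragment widens the WHERE clause
    print(vulnerable_breaks_on("O'Brien"))  # True
```

The parameterized lookup is the fix the notes point to: input validation still helps, but the decisive change is that user input never becomes part of the command text.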

    Cross-Site Scripting Attacks

    • Another form of injection attack
    • Attacker inserts malicious JavaScript code into web pages
    • Scripts executed when pages are loaded or when pages interact with the server
    • Potential for stealing customer information or directing users to malicious websites
    • Can steal cookies, enabling session hijacking attacks
    • Avoidable with input validation

    Session Hijacking Attacks

    • Attackers get hold of a session cookie to impersonate legitimate users
    • Involves capturing traffic between client and server
    • Session Hijacking can also be done by malicious scripts (like cross-site scripting attacks)
    • The attacker gets access to the session content and can potentially compromise the entire session

    Actions to Reduce the Likelihood of Hacking

    • Traffic Encryption: Encrypt network traffic (e.g., use https, not http) to make it harder to monitor session cookies
    • Multi-factor Authentication: Require multiple forms of authentication before a user accesses a resource or performs an action. (Example: password + one-time passcode)
    • Short Timeouts: Limit session length by requiring re-authentication after a period of inactivity; this reduces the window for exploiting accounts whose legitimate users forgot to log out

    Denial of Service Attacks

    • Attack intends to make a system unavailable
    • Distributed Denial-of-Service (DDoS) attacks are the most common type
    • Involve numerous hijacked computers in a botnet sending flood of requests to a system, overwhelming it and denying legitimate users access
    • Other types target user authentication, for example by triggering account lockouts through failed login attempts, or use email addresses to gain unauthorized access

    Brute-Force Attacks

    • Attackers try multiple combinations of login names and passwords to gain unauthorized access to a system or account
    • Some attackers use a string generator to create all possible combinations of symbols
    • To speed things up, some attackers start by trying common passwords
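
The notes above cover three related points: brute-force login attempts, lockout attacks that abuse failed-login handling to deny service, and short session timeouts. The following added example (not from the lecture notes or Sommerville) puts them together in one login guard: an account is locked temporarily after repeated failures, so guessing is throttled without giving an attacker a way to lock a user out permanently, and a session expires after a period of inactivity. The credential store, user name and timing constants are constructed for the example; the clock is passed in so the behaviour can be checked deterministically.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILURES = 5              # failed attempts before the account is locked
LOCKOUT_SECONDS = 900.0       # lock is temporary, so failed attempts cannot deny service forever
SESSION_IDLE_SECONDS = 600.0  # short timeout: the session expires after this much inactivity


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    last_seen: float


class AuthGuard:
    def __init__(self, credentials: Dict[str, str]) -> None:
        # Constructed credential store for the example; a real system stores
        # password hashes, never the passwords themselves.
        self._credentials = credentials
        self._accounts: Dict[str, AccountState] = {}
        self._sessions: Dict[str, Session] = {}
        self._next_token = 0

    def is_locked(self, user: str, now: float) -> bool:
        state = self._accounts.get(user)
        return state is not None and now < state.locked_until

    def login(self, user: str, password: str, now: float) -> Optional[str]:
        # Returns a session token on success, None on failure or while locked.
        state = self._accounts.setdefault(user, AccountState())
        if now < state.locked_until:
            return None  # locked: the password is not even checked
        expected = self._credentials.get(user, "")
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), password.encode()):
            state.failures += 1
            if state.failures >= MAX_FAILURES:
                state.locked_until = now + LOCKOUT_SECONDS
                state.failures = 0
            return None
        state.failures = 0
        self._next_token += 1
        token = f"sess-{self._next_token}"
        self._sessions[token] = Session(user=user, last_seen=now)
        return token

    def access(self, token: str, now: float) -> Optional[str]:
        # Returns the user owning a live session, or None (and drops the
        # session) once it has been idle longer than SESSION_IDLE_SECONDS.
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session.last_seen > SESSION_IDLE_SECONDS:
            del self._sessions[token]  # auto-logout after inactivity
            return None
        session.last_seen = now
        return session.user


if __name__ == "__main__":
    guard = AuthGuard({"alice": "correct horse"})
    for _ in range(MAX_FAILURES):
        guard.login("alice", "wrong", now=0.0)
    print(guard.is_locked("alice", now=1.0))           # True: locked after repeated failures
    token = guard.login("alice", "correct horse", now=LOCKOUT_SECONDS + 1)
    print(guard.access(token, now=LOCKOUT_SECONDS + 100))   # alice
    print(guard.access(token, now=LOCKOUT_SECONDS + 800))   # None: idle longer than the timeout
```

The lockout expiring on its own is the point that separates a defensive lockout from the lockout attack the notes mention: failed attempts slow an attacker down, but the legitimate user regains access without an administrator's help.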

    Authentication

    • Verifying the identity of a user.
    • Essential for protecting sensitive information
    • Different methods depending on the system
    • Examples: knowledge-based, possession-based and attribute-based methods
    • Usage of authentication to learn about users helps personalize their product experience

    Authentication Approaches

    • Knowledge: Using something the user knows. Example: password
    • Possession: Using something the user has. Example: a mobile device
    • Attribute: Using something inherent to the user. Example: fingerprint

    Authentication Methods

    • Knowledge-based: Using secret/personal information
    • Possession-based: Using a physical device such as mobile phone
    • Attribute-based: Using unique biological attributes such as fingerprint

    Weaknesses of Password-Based Authentication

    • Insecure passwords: Passwords that are easy to guess are vulnerable
    • Phishing attacks: Scams that trick users into giving up passwords or login credentials
    • Password reuse: Using the same password for multiple services
    • Forgotten passwords: Security risks if password recovery mechanisms are not robust or easily exploited

    Federated Identity

    • Authentication approach using external authentication services
    • Examples: "Login with Google" and "Login with Facebook"
    • One set of credentials stored by a trusted service
    • Easier for users and reduces chances of security breaches

    Authorization

    • Determining which resources a user is permitted to access based on their identity and access control policies.
    • Examples:
      • Shared Folder permissions on Dropbox
      • Defining who has access to information and resources and the types of access.

    Access Control Policies

    • Rules defining what information and programs are accessible and how.
    • Important for legal compliance and technical reasons.
    • Data protection rules limit information accessible to users.
    • Security breaches from incomplete or noncompliant policies can have legal implications
    • Can be used as the starting point for setting up a complete access control scheme. Example: access rights for different users or different groups (e.g., students)

    Access Control Lists (ACLs)

    • Tables that link users with resources and specify permissible actions.
    • Can become large; groups and permissions are more efficient
    • Example: reviewers can read and annotate a document without edit or delete access
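
The following added example (not from the lecture notes or Sommerville) implements the group-based scheme the note describes: users are placed in groups, each resource's ACL grants actions to groups rather than to individual users, and anything not granted is refused. The document name, group names and users (`report.docx`, `authors`, `reviewers`, `alice`, `bob`, `carol`) are constructed for the example.

```python
from typing import Dict, FrozenSet, Set


class AccessControl:
    # Group-based access control: users belong to groups, and each resource's
    # ACL lists the actions each group may perform on it. Granting to groups
    # keeps the table small compared with one row per user and resource.

    def __init__(self) -> None:
        self._membership: Dict[str, Set[str]] = {}       # user -> groups
        self._acls: Dict[str, Dict[str, Set[str]]] = {}  # resource -> group -> actions

    def add_to_group(self, user: str, group: str) -> None:
        self._membership.setdefault(user, set()).add(group)

    def grant(self, resource: str, group: str, *actions: str) -> None:
        self._acls.setdefault(resource, {}).setdefault(group, set()).update(actions)

    def permissions_for(self, user: str, resource: str) -> FrozenSet[str]:
        # Union of what every group the user belongs to may do on the resource.
        acl = self._acls.get(resource, {})
        allowed: Set[str] = set()
        for group in self._membership.get(user, set()):
            allowed |= acl.get(group, set())
        return frozenset(allowed)

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        # Default deny: an action not granted to one of the user's groups is refused,
        # which also covers unknown users and unknown resources.
        return action in self.permissions_for(user, resource)


def build_document_acl() -> AccessControl:
    # Constructed example matching the note above: reviewers may read and
    # annotate the document but not edit or delete it; authors may do all four.
    ac = AccessControl()
    ac.grant("report.docx", "authors", "read", "annotate", "edit", "delete")
    ac.grant("report.docx", "reviewers", "read", "annotate")
    ac.add_to_group("alice", "authors")
    ac.add_to_group("bob", "reviewers")
    ac.add_to_group("carol", "reviewers")
    return ac


if __name__ == "__main__":
    ac = build_document_acl()
    for user in ("alice", "bob", "dave"):
        print(user, sorted(ac.permissions_for(user, "report.docx")))
    # alice ['annotate', 'delete', 'edit', 'read']
    # bob ['annotate', 'read']
    # dave []
```

Adding a third reviewer costs one group membership rather than a new ACL row, which is the efficiency the note refers to; the default-deny check is what makes the scheme safe when a user or resource is missing from the tables.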

    Encryption

    • Making a document unreadable by applying transformation rules
    • A secret key is the basis for transformation

    Symmetric Encryption

    • Same key used for encrypting and decrypting
    • Secure message exchange requires secure key exchange
    • Security risk if the key is compromised.

    Asymmetric Encryption

    • Different keys for encryption and decryption
    • Public key for encryption, private key for decryption
    • Public keys are publicly available
    • Private keys are kept secure.
    • Used for authentication and secure communication.

    Encryption and Authentication

    • Asymmetric encryption can verify sender identity
    • Sender uses recipient's public key for encryption
    • Recipient uses their own private key for decryption

    TLS and Digital Certificates

    • https protocol for secure communication over web
    • Includes an encryption layer called TLS (Transport Layer Security)
    • Use of digital certificates for server validation.
    • CA (Certificate Authority) issues and validates certificates.

    Encryption Levels

    • Application, database, files, media.
    • Data will be encrypted and decrypted at different levels.

    Key Management

    • Process of securely generating, storing, and distributing encryption keys.
    • KMS (Key Management System) is a specialized database for key management.
    • Important for protecting data.

    Long-Term Key Storage

    • Need to maintain encryption keys for long periods (e.g., financial records)
    • Archival data should use separate keys to reduce security risk
    • Key management systems need backup and timestamped key versions

    Privacy

    • Social concept, encompassing collection, use, and dissemination of personal information
    • Importance varies across cultures and demographics.
    • Legal and/or ethical considerations

    Business Reasons for Privacy

    • Compliance with privacy laws is critical for sales
    • Protects business products from legal action (e.g., lawsuits)
    • Reputational damage when privacy is violated

    Data Protection Laws

    • Laws protecting individual privacy, limiting data collection and use, etc.
    • GDPR affects all companies collecting user data
    • Companies responsible for securely storing, managing and distributing data.

    Data Protection Principles

    • Key aspects that must be upheld

    Privacy Policy

    • Defines how an organization collects, stores, and uses sensitive data
    • Must be auditable, written in plain language.

    Description

    Test your knowledge on various cybersecurity threats, including confidentiality and integrity concerns. This quiz will also cover key principles related to authentication and authorization standards. Assess your understanding of proper system management practices as well.
