Data and IT Security Concepts

Questions and Answers

In the context of risk analysis, what are the three primary classification methods?

Qualitative, quantitative and risk matrix.

Briefly define 'informationelle Selbstbestimmung' and its relevance to 'Datenschutz'.

It refers to informational self-determination, a core principle that Datenschutz aims to protect, ensuring individuals control their personal data.

Name the three fundamental security goals for data security.

Confidentiality, integrity, and availability.

What is the purpose of a Message Authentication Code (MAC) in a symmetric authentication system?

To verify the authenticity and integrity of a message.

Why is LSB steganography generally considered insecure?

It introduces statistical anomalies that can be detected through analysis.

Describe how 'vertraulichkeit' is maintained in data security?

By ensuring information is accessible only to authorized individuals.

Describe the core function of 'Integrität' as a security goal.

Ensuring that information remains accurate, complete, and unaltered.

Name the three factors authentication relies upon?

Knowledge, possession, biometrics.

In the context of cloud computing, differentiate between Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).

IaaS provides virtualized infrastructure resources, while PaaS offers platforms for developing and running applications.

What are the key advantages and disadvantages of using microservices architecture?

Advantages include improved scalability and independent development; disadvantages include increased complexity and communication overhead.

Explain the concept of horizontal scaling and its benefits.

Adding more servers to the system to distribute the load, offering unlimited scalability and improved fault tolerance.

Contrast Type 1 and Type 2 hypervisors.

Type 1 hypervisors run directly on hardware, while Type 2 hypervisors run on an existing operating system.

Differentiate between packet-based and flow-based load balancing.

Packet-based load balancing distributes each packet separately, while flow-based load balancing maintains a consistent path for each connection.

A company wants to ensure high consistency across all its microservices. Considering the principle of microservices, what architectural challenges might they face and how could they address them?

Challenge: Maintaining data consistency can be complex due to the distributed nature of microservices. Solutions: Employing eventual consistency patterns or distributed transactions, but these can impact performance and complexity.

You are designing a system to store highly sensitive data. You can choose to use either full disk encryption, or implement a complex steganographic system, hiding data in subtle electromagnetic variations of the hard drive itself. Which approach is better? Explain and defend your selection.

Full Disk Encryption is superior. While electromagnetic steganography is theoretically possible, its reliability, practicality, and detection resistance are questionable. Full Disk Encryption provides robust, proven data protection against unauthorized access, and has standardized processes for key management and recovery. Any custom, obscure steganographic approach introduces significant risks of data loss or undetectable compromise.

Flashcards

Was ist Sicherheit?

Sicherheit bedeutet, Gefährdungen und Risiken werden kontrolliert oder ausgeschlossen, um Systeme/Informationen zu schützen.

Was ist ein IT-Sicherheitskonzept?

Ein strukturiertes Dokument, das Maßnahmen und Strategien zur Gewährleistung der Schutzziele der IT-Sicherheit beschreibt.

Was ist eine qualitative Risikoanalyse?

Eine subjektive Bewertung von Risiken.

Was ist eine quantitative Risikoanalyse?

Eine mathematische Bewertung von Risiken (z. B. Schadenshöhe × Eintrittswahrscheinlichkeit).

Was ist Datenschutz?

Umfasst alle Maßnahmen, die verhindern, dass personenbezogene Daten unbefugt verarbeitet werden. Ziel ist der Schutz der informationellen Selbstbestimmung.

Welche drei grundlegenden Schutzziele gibt es?

Vertraulichkeit, Integrität und Verfügbarkeit.

Was ist Authentifizierung?

Der Prozess, bei dem ein Subjekt seine Identität nachweist, basierend auf Wissen, Besitz oder Biometrie.

Wie funktioniert eine digitale Signatur?

Der Sender erzeugt aus der Nachricht mit seinem privaten Schlüssel eine digitale Signatur. Der Empfänger prüft diese mit dem öffentlichen Schlüssel des Senders.

Was unterscheidet Signaturen von Authentifikation?

Authentifikation überprüft Identität; Signaturen binden Inhalte an eine Identität.

Was ist Steganographie?

Steganographie verbirgt Nachrichten in unauffälligen Medien wie Bildern oder Audiodateien.

Wie funktioniert steganographische Ersetzung im Detail?

Die niederwertigsten Bits eines Pixels werden durch Bits der Nachricht ersetzt.

Was ist Cloud Computing?

Die Nutzung von virtualisierten IT-Diensten über das Internet.

Was ist Software-as-a-Service (SaaS)?

Bereitstellung von Software-Anwendungen über die Cloud.

Was ist Virtualisierung?

Abstraktion physischer Ressourcen in virtuelle Ressourcen.

Was ist Load Balancing?

Verteilt eingehenden Netzwerkverkehr gleichmäßig auf mehrere Server.

Study Notes

Data Security

• Security is defined as a state where threats and risks are controlled or eliminated, safeguarding a system or information.
• Absolute security is unattainable; security measures only reduce but cannot completely eliminate risks.
• Security is a continuous and dynamic process.

IT Security Concepts

• An IT security concept is a structured document detailing measures and strategies to ensure IT security goals like confidentiality, integrity, and availability.

Requirement and Risk Analysis

• Requirement analysis defines the security needs of a system.
• Risk analysis assesses threats and vulnerabilities.
• Measures are implemented based on the results of risk analysis.

Risk Analysis Classification

• Qualitative risk analysis involves subjective risk assessment.
• Quantitative risk analysis mathematically evaluates risks, using metrics like damage amount × probability of occurrence.
• A risk matrix combines the extent of damage and probability of occurrence.

Data Protection

• Data protection encompasses all measures to prevent the unauthorized processing of personal data, aiming to ensure informational self-determination.
• Individuals have the right to informational self-determination, access, rectification, erasure, restriction of processing, data portability, and to object.

Data Security Goals

• The three fundamental protection goals are confidentiality, integrity, and availability.
• In cryptography, an additional goal is accountability.

Detailed Protection Goals

• Confidentiality means that information is accessible only to authorized individuals.
• Integrity means that information is accurate, complete, and unaltered, or clearly marked if it is not.
• Availability means that information is accessible when needed.

Authentication

• Authentication is the process of verifying a subject’s identity, based on knowledge (e.g., password), possession (e.g., chip card), or biometric data (e.g., fingerprint).
• The typical authentication process involves identifying a user, providing authentication evidence (password, token, or biometric), system verification, and granting access upon successful verification.

Digital Signatures

• The sender creates a digital signature from the message using their private key.
• The recipient verifies the signature using the sender’s public key.
• The digital signature ensures integrity and accountability.

Differences Between Signatures

• Conzelation (Encryption): Encryption protects confidentiality, whereas signatures ensure integrity and accountability.
• Authentifikation (Authentication): Authentication verifies identity whereas signatures bind content to an identity.

Symmetric Authentication

• Symmetric authentication uses a secret key known to both communication partners.
• A Message Authentication Code (MAC) is calculated for authentication.
• The sender computes a MAC using the message and secret key and sends it with the message.
• The receiver computes a MAC from the received data and compares it with the received MAC and authenticity is verified if they match.

Verifying a MAC

• The receiver independently computes the MAC from the received data and compares it to the received MAC.

Steganography

• Steganography hides secret messages within inconspicuous media like images or audio files.
• Steganography is used in secret communication, to circumvent censorship, or to protect sensitive data.

Steganography Methods

• Methods include LSB replacement, masking, filter techniques, and frequency domain modifications.
• Substitution techniques insert message bits into the least significant bits of image pixels.
• Additive steganography adds a random noise signal to cover data.
• Selective steganography embeds data in specific data areas to avoid attention.
• Synthetic steganography creates new data without modifying existing cover data.

Steganographic Replacement

• The least significant bits of pixels or samples are replaced with the message bits.

Security of LSB Replacement

• LSB replacement is considered insecure because it introduces statistical anomalies detectable through analysis.
• LSB replacement doesn't offer high protection against targeted steganography analysis.

Attacks on LSB Replacement

• Visual attacks reveal structures or patterns by visualizing the least significant bits.
• Histogram attacks reveal hidden information through changes in the image histogram.
• Statistical analyses detect hidden information by exploiting statistical properties.

Practical Application in Grayscale

• Message bits are hidden in the grayscale bits of an image, requiring algorithms to minimize conspicuous changes.
• The secret message is embedded in the least significant bit of each pixel.
• Pixel values change minimally, so visual changes are barely noticeable.

Cloud Computing Basics

• Cloud computing uses virtualized IT services delivered over the Internet, based on pay-as-you-go, on-demand, and user-configurable services.
• Essential characteristics include on-demand usage, broadband Internet access, resource pooling, and scalability.

Cloud Computing Pros

• Reduced costs through consumption-based billing.
• Reduced maintenance effort.
• Increased availability and performance.
• Location and device-independent access.
• Efficiency through resource optimization.
• Scalability.

Cloud Computing Cons

• Lack of guaranteed 100% availability.
• Loss of data sovereignty.
• Vendor lock-in.
• Need to adapt existing IT infrastructure.
• Data security concerns.

Cloud Computing Types

• Infrastructure as a Service (IaaS) provides virtual machines, storage, and networks.
  • Pros: High control, flexibility, scalability.
  • Cons: High administrative effort.
• Platform as a Service (PaaS) offers development platforms.
  • Pros: Reduced admin effort, auto-scaling, multi-tenant support.
  • Cons: Vendor dependency.
• Software as a Service (SaaS) provides ready-made software products.
  • Pros: No maintenance effort.
  • Cons: Little control over infrastructure and data.

Scalability

• Scalability describes a system's ability to adapt to growing demands, requiring resource virtualization, horizontal or vertical infrastructure scaling, load balancing, and automation.

Virtualization

• Virtualization abstracts physical resources into virtual resources.
• Vertical virtualization adds resources to existing nodes, limited by hardware.
• Horizontal virtualization adds more nodes.

Hypervisor Types

• Type 1 ("bare-metal") hypervisors run directly on hardware.
• Type 2 ("hosted") hypervisors run on an existing operating system.

Load Balancing Types

• Packet-based: Distributes each packet separately.
• Flow-based: Chooses a target host per connection.

Load Balancing Algorithms

• Algorithms include round robin, weighted round robin, random, least connections, and least traffic.

DNS Balance

• DNS load balancing distributes loads across multiple IPs via DNS entries.
• It doesn't account for current server load, and DNS caching can bypass it.

Container Pros

• Lower overhead than virtual machines.
• Faster startup times.
• Easy portability through standardized images.

Container Placement

• Containers bridge classic apps and VMs, sharing OS resources and encapsulating apps.

Container Composition

• Single-container applications.
• Multi-container applications using orchestration tools (Docker Swarm, Kubernetes).

Microservices Architecture

• Microservices consist of small, independent services, adhering to a "shared-nothing" principle and communicating via REST interfaces.

Microservices v Container Pros and Cons

• Individual team development.
• Better component scalability.
• Complex architecture and increased overhead for monitoring and logging.

REST Basics

• REST (Representational State Transfer) employs resources identified by URIs and HTTP verbs (GET, POST, PUT, DELETE), using formats like JSON or XML.
• REST services use hypermedia to modify a client's state (HATEOAS).
• REST security:
• Authentication
• Authorization
• Encryption
• Input validation

REST Structure

• REST is resource-oriented, simple interfaces with OpenAPI/Swagger.
• SOAP employs XML-based messaging with WSDL interface descriptions, including optional headers and a message body.

Continuous Deployment and Integration

• Continuous deployment uses pipelines that automatically tests code, builds and deploys builds via GitLab CI/CD reduces errors and increase feedback.
• Continuous deployment tools include Gitlab CI/CD and Docker Composition.