Information Security Fundamentals

Questions and Answers

Why is knowledge of IT security crucial for IT experts, according to the information provided?

  • To understand vulnerabilities and contribute to solutions. (correct)
  • To become part of the problem in IT systems.
  • To avoid learning about IT security altogether.
  • To solely focus on developing IT systems.

What is the primary aim of studying information security in the context of dynamic environments regarding security challenges?

  • To ignore the vulnerabilities of the information system.
  • To avoid the use of proactive countermeasures.
  • To understand prominent security challenges. (correct)
  • To disregard response and recovery capabilities.

In which of the following states is information considered vulnerable to threats?

  • During processing (use) only.
  • During storage only.
  • During storage, transmission, and processing (use). (correct)
  • Only during transmission.

Why is it impossible to solve all information security problems once and for all?

  • Due to rapid innovation introducing new vulnerabilities. (A) (correct)

According to the Ponemon Institute's data on cyber attacks, which type of attack was most prevalent among the 254 companies surveyed?

  • Malware (D) (correct)

According to Arbor Networks' analysis of security trends, which type of attack poses a major concern of service providers?

  • DDoS attacks. (A) (correct)

In the context of DDoS attacks, what is the primary goal of volumetric attacks?

  • To exhaust the bandwidth of the target network. (B) (correct)

Which of the following is a common motivation behind DDoS attacks?

  • Nihilism/vandalism (B) (correct)

According to the attack target mix, what is the most common target of cyber attacks?

  • Customers (B) (correct)

What is the main objective of Computer Security as defined?

  • Preserving the integrity, availability, and confidentiality of information system resources (D) (correct)

What are the three properties that define the traditional definition of information security?

  • CIA - Confidentiality, Integrity, Availability (C) (correct)

Which of the following is the MOST accurate definition of 'Confidentiality' in the context of information security?

  • Protecting information from unauthorized disclosure. (B) (correct)

What is the primary goal of 'Data Integrity' in information security?

  • To prevent unauthorized data modification or destruction. (B) (correct)

What is the main threat that 'Availability' aims to address?

  • Denial of Service (DoS) (C) (correct)

What is the primary purpose of Data Privacy concerning personal information?

  • To protect specific aspects of information related to natural persons. (A) (correct)

In the context of security, what is the main goal of authentication?

  • Verifying a claimed identity. (C) (correct)

What type of attack is mitigated by techniques that attempt to consume the connection state tables?

  • TCP State-Exhaustion (C) (correct)

What is the primary goal of non-repudiation in security?

  • Making sending and receiving messages undeniable. (B) (correct)

What is the main goal of accountability in the context of security?

  • Tracing actions to a specific user and holding them responsible. (B) (correct)

What is the primary function of authorization in IT security?

  • Specifying access and usage permissions. (C) (correct)

What is a zero-day vulnerability?

  • A vulnerability that is unknown to the vendor or public. (C) (correct)

Which phase of IAM (Identity and Access Management) includes Registration, Provisioning, and Authorization?

  • Configuration phase. (D) (correct)

In the context of security, what is an 'attack'?

  • An abstract entity of information which may vary according to the situation (C) (correct)

Which element is essential for an attacker or threat to successfully harm a target system?

  • A method, opportunity, and motivation (A) (correct)

Within the realm of threats, which action involves gaining unauthorized access to an asset?

  • Interception (D) (correct)

In cybersecurity, what constitutes a 'vulnerability' in a System?

  • An aspect of a system or network that leaves it open to attack. (C) (correct)

What is an 'intrusion' in the context of cybersecurity?

  • An activity that does not respect the system's security policy (B) (correct)

What does an 'alert' typically describe in the context of cybersecurity?

  • A description of an attack conveyed by monitoring system parameters (A) (correct)

When considering different visions of cyber-attacks, what concept does a 'threat' primarily involve?

  • Outcome and probability. (D) (correct)

What are security services primarily aimed at?

  • Supporting specific controls. (A) (correct)

Which of these is classified as a physical security control?

  • Facility protection (B) (correct)

Which of the following security controls aims to prevent attempts to exploit vulnerabilities?

  • Preventive controls (B) (correct)

In the context of security countermeasures, what is a proactive measure?

  • Security awareness training (B) (correct)

What type of vulnerability is being addressed if a vulnerability mitigation is available?

  • Reactive (A) (correct)

Which of the following statements is true about system authentication?

  • Can be the corroboration (verification) that a peer entity (system) connection is the one claimed (X.800). (D) (correct)

Which of the following attacks attempts to consume the bandwidth?

  • Volumetric Attacks (B) (correct)

What's the goal of sending and receiving messages being undeniable?

  • Non-Repudiation (A) (correct)

Flashcards

Information Security

Protecting information from damage or harm.

Information Security

Protecting information assets from harm or damage.

Assets to protect

Data, software, IT equipment, and infrastructure.

Information States

Storage, transmission, and during processing.

Computer Security

The protection afforded to an automatic information system to attain applicable objectives of preserving integrity, availability, and confidentiality of information system resources.

Security Services

The protection to an automatic information system to attain applicable objectives of preserving integrity, availability, and confidentiality of information system resources.

Confidentiality

The property that information is not available or disclosed to unauthorized individuals, entities, or processes.

Integrity

The property that data has not been altered or destroyed in an unauthorized manner.

Availability

The property of being accessible and usable upon demand by an authorized entity.

User Authentication

Verifying a claimed identity of a (legal) user when accessing a system or an application.

Organization authentication

Verifying a claimed identity of a (legal) organization in an online interaction/session.

System Authentication

The corroboration (verification) that a peer entity (system) in an association (connection, session) is the one claimed.

Non-Repudiation

Goal of making sending and receiving messages undeniable through unforgeable evidence.

Accountability

Trace action to a specific user and hold responsible.

Authorization

Specify access and usage permissions for entities, roles or processes.

Attack

An abstract concept represented by pieces of information.

Threat

Any circumstance or event with the potential to cause harm to a target system

Interception

Gaining unauthorized access to an asset.

Interruption

Making an Asset unavailable or unusable.

Modification

Changing the content or value of an asset.

Fabrication

Creation of counterfeit assets.

Vulnerability

A feature or combination that allows an adversary to place the system in a state that is contrary to its behavior.

Intrusion

An activity that does not respect the system’s security policy.

Alert

A description of an attack conveyed by monitoring system parameters.

Security Services

An attack or threat.

Physical Controls

Facility protection, Security guards, Locks, Monitoring.

Technical Controls

Logical access control, Cryptographic controls, Security devices.

Administrative Controls

Policies & standards, Procedures & practice, Personnel screening.

Preventive Controls

Prevent attempts to exploit vulnerabilities.

Detective Controls

Warn of attempts to exploit vulnerabilities.

Corrective Controls

Correct errors or irregularities that have been detected.

Study Notes

Why Study Information Security

  • IT experts need IT security knowledge, similar to how building architects need to know about fire safety
  • Developing IT systems without considering security leads to vulnerable systems
  • IT experts without security skills can inadvertently contribute to security problems
  • Learning about IT security is essential to being part of the solution

Course Objectives

  • Comprehend security challenges in dynamic environments
  • Recognize a range of vulnerabilities and threats
  • Learn proactive security measures for security
  • Improve security incident response and recovery skills

Course Outline

  • Security Fundamentals
  • Security and Risk Management
  • Cryptography
  • Key Management and PKI
  • Authentication and identity management
  • Access control

Assessment Mode

  • Quizzes account for 15% of the grade
  • Labs account for 15% of the grade
  • The midterm exam accounts for 30% of the grade
  • The final exam accounts for 40% of the grade
  • More than 3 absences result in not being allowed to enter the exam
  • Absence in a quiz means that the quiz cannot be retaken

Security Fundamentals Objectives

  • Understanding Information Security
  • Identifying Security Properties
  • Recognizing Threats, Attacks, and Assets
  • Implementing Security Mechanisms

What is Information Security

  • Focuses on protecting from damage or harm
  • Assets needing protection include data files, software, IT equipment, and infrastructure
  • Covers both intentional and accidental events
  • Threat agents include people or acts of nature

Information States

  • Information Security protects information assets from harm
  • Information at rest: stored in information containers that may be electronic, physical, or human
  • Information in transit: in physical or electronic form
  • Information in processing: in physical or electronic form

The Need for Information Security

  • Security problems can't be solved once and for all
  • Rapid innovation introduces new technology and vulnerabilities
  • More activities are moving online
  • Crime follows financial opportunities online
  • Information security is often an afterthought
  • The conclusion is that information security is a continuing process

Types of Cyber Attacks

  • According to a Ponemon Institute study of 254 companies:
    • Malware is the most prevalent, affecting 98% of companies
    • Phishing and social engineering affected 70%
    • Web-based attacks affected 63%
    • Ransomware affected 13%
  • According to Arbor Networks:
    • DDoS attacks are a major concern for service providers
    • Infrastructure outages are also a major concern for service providers, with a 14% jump
    • Bandwidth saturation is also prominent

DDoS Attacks

  • Volumetric Attacks:
    • Account for 75.7% of attacks
    • Aim to consume bandwidth, leading to congestion
  • TCP State-Exhaustion Attacks:
    • Account for 11.8% of attacks
    • Aim to consume the connection state tables of infrastructure components
  • Application-Layer Attacks:
    • Account for 12.4% of attacks
    • Typically target Layer 7
    • Are very effective at low rates

Motivations Behind DDoS Attacks

  • The most common motivations:
    • Online gaming-related (50.5%)
    • Demonstrating DDoS attack abilities to potential customers (49.1%)
    • Criminal extortion attempts (44.4%)

Attack Target Mix

  • The primary target is:
    • Customers at 75%
    • Service infrastructure at 15%
    • Network infrastructure 10%

Attack Frequency Per Month

  • 33% of respondents experience 1-10 attacks per month
  • 14% experience 11-20 attacks per month
  • 13% experience 21-50 attacks per month
  • Only 8% experience less than 1 attack per month

Attack Duration

  • 23% of attacks last less than 1 hour
  • 38% of attacks last 1-6 hours
  • 13% of attacks last 1-3 days
  • Only 4% of attacks last longer than 1 month

Application Layer Attack Vectors

  • DNS (82%) and HTTP (80%) are the most common
  • HTTPS accounts for 61%
  • SMTP accounts for 21%

Security Services

  • Computer security definition from NIST 1995: the protection afforded to an automated information system to preserve the integrity, availability, and confidentiality of information system resources

The CIA Triad

  • Confidentiality:
    • Is concerned with secrecy, privacy, and anonymity
    • Main threat is information theft and unintentional disclosure
  • Integrity:
    • Concerns data and system accuracy and completeness
    • Includes authentication and accountability
    • Main threat is data and system corruption, and loss of accountability
  • Availability:
    • Is being accessible and usable upon demand by authorized entities
    • Main threat is Denial of Service (DoS)

Data Privacy

  • Addresses the personal information of natural persons
  • Involves preventing unauthorized collection and use of personal info
  • Ensuring data accuracy and transparency
  • GDPR becomes EU law on May 25, 2018

Authenticity (Security Service)

  • User Authentication:
    • Verifying the claimed identity of a legitimate user accessing a system application
  • Organization Authentication:
    • Verifying the claimed identity of a legal organization in an online interaction
  • System Authentication:
    • Corroborating that a peer entity (system) is the claimed identity
  • Data Origin Authentication:
    • Corroborating that the source of received data is as claimed

Non-Repudiation

  • The goal is to make sending/receiving messages undeniable through unforgeable evidence
    • Origin non-repudiation: prevents the sender from denying that data was sent
    • Delivery non-repudiation: prevents the recipient from denying that data was received
  • Digital signatures provide cryptographic evidence
  • Data origin authentication and non-repudiation both supply proof to the recipient and to third parties

Accountability

  • Goal is to trace actions to a specific user and hold them accountable
    • Audit information must be kept and protected to trace actions
  • Common threats:
    • The inability to identify the source of an incident
    • The inability to identify the attacker responsible
  • Useful controls:
    • Identifying and authenticating users
    • Logging all system events
    • Electronic/digital signatures

Authorization

  • Specifies access and usage permissions for entities, roles, or processes
  • Policies are normally defined by humans, and issued by authority within the domain
  • Management translates to Sys.Admin in IT systems

Identity and Access Management (IAM)

  • IAM phases:
    • Configuration (Registration, Provisioning, Authorization)
    • Operation (Identification, Authentication, Access Control)
    • Termination (Revoke authorization, Deactivate credentials, De-registration)

Security Definitions

  • Attack:
    • An abstract concept represented by varying pieces of information
    • Security attacks result from someone exploiting a vulnerability
  • Threat:
    • Any circumstance or event with the potential to cause harm
    • Requires the necessary skills, an opportunity, and a motivation
  • Vulnerability:
    • A feature or combination of features that allows an adversary to compromise security
    • A feature or bug that enables an attacker to bypass security measures
  • Intrusion:
    • An activity that violates the system's security policy
  • Alert:
    • A description of an attack conveyed through monitoring

Classifying Vulnerabilities

  • Application-level:
    • Operating systems
    • Web applications
    • Database applications
  • Protocol
  • Human-related:
    • Equipment misconfiguration
    • Weak password protection

Security Services and Controls

  • Security Services (Goals/Properties): implementation-independent, supported by specific controls. Examples: Confidentiality, Integrity, Availability
  • Security Controls (Mechanisms): practical mechanisms and actions used to provide security services. Examples: Encryption, Firewalls, Awareness

Security Control Categories

  • Physical Controls:
    • Facility Protection
    • Security Guards, Locks, Monitoring, etc.
  • Technical Controls:
    • Logical Access Control, Cryptographic Controls, Security Devices
    • User Authentication, Intrusion Detection, Forensics, etc.
  • Administrative Controls:
    • Policies, Standards, Procedures, Practices
    • Personnel Screening, Dev/Incident

Security Controls Functional Type

  • Preventive: prevent exploitation of vulnerabilities, e.g. through encryption
  • Detective: warn of attempts to exploit vulnerabilities, e.g. through intrusion detection systems
  • Corrective: correct errors and irregularities, e.g. restoring corrupted systems
  • A combination of controls ensures people and technology operate

Security Countermeasures

  • Proactive: Security Awareness, Training, Firewall, Anti-Virus Guard, etc.
  • Detective: System Monitoring, Anti-Virus, IPS, etc.
  • Reactive: Data Restoral, Upgrades, Vulnerability Mitigation
  • Compensatory: Backup Generator and Server Isolation
