Information Systems and Cyber Security


Questions and Answers

Which of the following is the BEST example of an intangible asset for an organization?

  • Services availability
  • Customer Data (correct)
  • IT and Network Infrastructure
  • Office buildings

In the context of information security, what does 'availability' primarily ensure?

  • Data is protected from unauthorized disclosure.
  • Data cannot be altered by unauthorized individuals.
  • Data is accessible to authorized users when needed. (correct)
  • The system's integrity is maintained at all times.

Which of the following examples represents a scenario requiring a 'high level of integrity'?

  • Inaccurate patient information that could result in serious harm or death. (correct)
  • An anonymous online poll.
  • A web site that offers a forum to registered users to discuss some specific topic.
  • A publicly available restaurant menu.

Which of the following scenarios exemplifies a situation that demands a 'high level of authenticity'?

Answer: A banking application that holds sensitive financial information, where users must prove their identity using multiple authentication factors. (D)

What is the PRIMARY goal of 'accountability' in the context of information security?

Answer: Tracing actions of an entity uniquely to that entity. (C)

Which of the following BEST describes a 'vulnerability' in the context of cybersecurity?

Answer: A weakness in a system that can be exploited. (A)

Which of the following scenarios BEST describes the threat of 'masquerading'?

Answer: Fabrication of information purported to be from someone who is not actually the author. (A)

An employee who has all the rights and access associated with being an employee represents which source of security threats?

Answer: Pure Insider (D)

Which of the following attacks is considered a passive attack?

Answer: Eavesdropping on network transmissions to capture sensitive data. (A)

A vulnerability in a web application's code that allows an attacker to execute arbitrary commands on the server is an example of which type of attack surface?

Answer: Software attack surface (A)

Which of the following BEST describes the primary goal of social engineering?

Answer: Tricking individuals into revealing sensitive information or violating security practices. (C)

In the context of social engineering, what does 'pretexting' involve?

Answer: Creating a false story or scenario to deceive a target. (C)

Which of the following is an example of a technical security control?

Answer: Intrusion detection system (B)

Which security control directly mitigates the threat of weak passwords?

Answer: Multi-Factor Authentication (MFA) (B)

In the context of maintaining data integrity, what is the PRIMARY purpose of cryptographic hashing?

Answer: To verify that data has not been altered or corrupted. (D)

Which of the following controls BEST addresses the threat of Denial-of-Service (DoS) attacks targeting availability?

Answer: DDoS mitigation. (B)

What motivates 'hacktivists'?

Answer: Political or ideological goals. (C)

What is the primary objective of the 'reconnaissance' stage in hacking?

Answer: Gathering information about the target. (C)

During which stage of hacking does the attacker attempt to exploit identified vulnerabilities to gain unauthorized access to a system?

Answer: Gaining access (C)

In which phase of a cyber attack does data exfiltration typically occur?

Answer: Maintaining Access (B)

What is the purpose of the 'covering tracks' stage in a cyber attack?

Answer: Hiding or deleting evidence of unauthorized access. (A)

What is the initial step in the Cyber Kill Chain methodology?

Answer: Reconnaissance (A)

An ethical hacker is contracted to perform a penetration test but is given no information about the target system's infrastructure or security measures. Which type of testing is this?

Answer: Black Box Testing (D)

In the context of ethical hacking, what is the primary purpose of the 'attack phase'?

Answer: Attempts to penetrate the network and execute attacks. (D)

An ethical hacker exceeds the defined scope of a penetration test, causing damage to a critical system. Which legal implication is MOST likely to arise?

Answer: The client may be compelled to take legal action. (A)

Which principle of security design suggests that user interfaces should be intuitive, and security-related settings should align with user expectations?

Answer: Psychological Acceptability (D)

Which security design principle involves ensuring that the cost of circumventing a security mechanism is compared with the resources of an attacker when designing a security scheme?

Answer: Work Factor (B)

What are the five categories in a DREAD threat model?

Answer: Damage, Reproducibility, Exploitability, Affected Users, and Discoverability (B)

In threat modeling, what do the final nodes (leaf nodes) in an attack tree represent?

Answer: Different ways to initiate an attack. (D)

Which of the following activities is associated with security management rather than incident response?

Answer: Conducting regular vulnerability assessments (D)

Which of the following refers to the concept of ensuring that data is accurate and complete?

Answer: Integrity (D)

What type of hacker is MOST likely to use readily available tools and scripts without a deep understanding of how they work?

Answer: Script kiddie (B)

Which activity is MOST representative of the 'weaponization' phase in the cyber kill chain?

Answer: Packaging malware with an exploit for delivery (A)

Which of the following BEST illustrates the concept of 'least privilege'?

Answer: Granting users only the minimum access rights needed to perform their job functions (A)

Your organization's security policy states that all employees must attend security awareness training annually. What type of control is this?

Answer: Administrative control (D)

In a penetration test, a security tester tries to discover vulnerabilities and gain access to a company's network. Which of the following activities is MOST important for the tester to perform?

Answer: Plan the scope of the test and get approval before starting. (C)

Which of the following statements describes an implication of the Computer Misuse Act (UK 1990)?

Answer: Covers unauthorised access to computer systems, damaging or altering data, and distributing hacking tools, with provisions to address cyberattacks that threaten security or critical infrastructure. (D)

An insider poses as a system administrator to gain unauthorized access to sensitive financial records. Which security principle is being violated?

Answer: Least privilege (A)

What is the definition of the Exploitation stage in the cyber kill chain?

Answer: Once delivered, the weapon's code is triggered, exploiting vulnerable applications or systems. (C)

Flashcards

  • Cyber Security Definition: The protection afforded to an automated information system in order to attain the applicable objectives of preserving integrity, availability, and confidentiality.
  • Confidentiality Objective: Ensuring only authorized subjects can access protected data.
  • Integrity Objective: Ensuring only authorized subjects can modify protected data.
  • Availability Objective: Ensuring information and resources are available on demand to authorized subjects.
  • Authenticity Objective: Verifying that users are who they say they are and that input comes from a trusted source.
  • Accountability Objective: The security goal that generates traceability requirements for entity actions.
  • Exploit: A piece of software that performs unauthorized actions by exploiting a vulnerability.
  • Breach: A violation of the CIA tenets.
  • Attack Vector: Method used by a threat actor to gain unauthorized system access.
  • Vulnerability: A weakness in a system that can be exploited by a threat actor.
  • Risk: Possibility of loss, injury, or other adverse circumstances.
  • Threat Actor: Individuals who conduct malicious activities on a system.
  • Threats: Vulnerabilities, events, or individuals causing potential harm.
  • Security Controls: Measures to mitigate or counter identified threats.

  • Network Vulnerabilities: Open ports, weak encryption protocols and improper firewall rules.
  • Physical Vulnerabilities: Unlocked server rooms and lack of surveillance/hardware protection.
  • Human Vulnerabilities: Lack of training and weak passwords.
  • Software Vulnerabilities: Software flaws like buffer overflows, SQL injection and cross-site scripting (XSS).
  • Supply Chain Vulnerabilities: Compromised third-party software, tampered hardware, dependency on unverified vendors.
  • Eavesdropping: When unauthorized individuals overhear private communication.
  • Alteration: When information is modified by unauthorized individuals.
  • Interruption: Interruption or degradation of a data service or information access.
  • Masquerading: Fabrication of information as if it's from someone who is not actually the author.
  • Repudiation: The denial of a commitment or data receipt.
  • Insider Threat: Threats from entities inside the security perimeter.
  • Outsider Threat: Threats initiated from outside the security perimeter.
  • Social Engineering: An attempt to deceive people into revealing sensitive information.

  • Passive Attack: When attackers try to learn about or make use of information from the system.
  • Active Attack: When attackers try to alter system resources or affect their operation.
  • Attack Surface: Reachable and exploitable system vulnerabilities.
  • State-sponsored Hackers: Hackers sponsored by governments and states to conduct advanced cyberattacks.
  • Reconnaissance: Collecting information using passive attacks and open sources.
  • Scanning: Scanning and enumeration to find entry points.
  • Gaining Access: Breaking into the network with targeted malware.
  • Maintaining Access: Maintaining a foothold, access extension and assault.
  • Covering Tracks: Hiding or deleting any evidence of access.
  • Black box testing: Testing without system knowledge.
  • White box testing: Testing with full system knowledge.
  • Gray box testing: Testing with partial information.
  • Technical attack: Designed to simulate technology-based attacks from inside or outside.

Study Notes

Information Systems

  • Assets of an organisation can be tangible (IT infrastructure, service availability) or intangible (customer data, intellectual property, financial data, reputation, productivity).
  • Tangible assets of information systems are the user domain, workstation domain, LAN domain, remote access domain, LAN-to-WAN domain, system/application domain, and WAN domain.
  • Key components of information systems are hardware, software, people and data, which interact via different processes.

Cyber Security Fundamentals

  • According to the NIST Computer Security Handbook, cyber security is the protection of automated systems in order to preserve the integrity, availability, and confidentiality of information system resources, including hardware, software, firmware, data, and telecommunications.
  • The CIA triad objectives:
    • Confidentiality: Ensuring only authorized subjects can access protected data
    • Integrity: Ensuring only authorized subjects can modify protected data
    • Availability: Ensuring information and resources are available on demand to authorized subjects
  • Some security experts argue that Authenticity and Accountability should also be included in the CIA security triad.
  • Confidentiality means ensuring private information is not available or disclosed to unauthorised individuals.
    • Privacy ensures individuals control what information is collected and stored about them.
    • Student grades have high confidentiality, internal company documents have moderate confidentiality, and restaurant menus have low confidentiality.
  • Data Integrity means information and programs are changed only in an authorised manner.
    • System Integrity makes sure a system performs its functions without any manipulation.
    • Patient information needs a high level of integrity, websites require a moderate level, and an online poll requires a low level.
  • System Availability makes sure that the system works and the service is not denied to authorised users.
    • Data Availability ensures data is available for authorized users to access.
    • Critical components require high availability, public university websites require moderate availability, and a telephone directory requires low availability.
  • Authenticity verifies that users are who they say they are and the input comes from a trusted source
    • Banking applications need high authenticity, online gaming platforms need a moderate level, and public guestbooks need low authenticity.
  • Accountability is a security goal where actions of an entity are traced uniquely to that entity.
    • Electronic health records need a high level of accountability, corporate email systems need moderate accountability, and public library computers require a low level.

NCSC Definitions

  • Breach is a violation of any CIA security tenets.
  • Security Controls are measures that are put in place to mitigate or counter identified threats.
  • Exploit is a piece of software or commands that takes advantage of a vulnerability to perform unauthorised actions.
  • Attack Vector is the method or pathway used by a threat actor to gain unauthorized access or exploit a vulnerability.
  • Vulnerability is a weakness in a system that can be exploited by a threat actor, or affected by a hazard.
  • Threat Actors are individuals, groups, or organisations that conduct malicious activities on a system.
  • Risk is the possibility of a loss, injury, or other adverse circumstance.
  • Threats are vulnerabilities, events, individuals or organisations that could cause something bad to happen if exploited.

Vulnerabilities and Attacks

  • Vulnerabilities are weaknesses in the system that can lead to the violation of one or more security objectives.
    • Corrupted data can lead to integrity violations, data leaks to confidentiality violations, and a loss of service to availability violations.
  • CVSS (Common Vulnerability Scoring System) scores and prioritizes threats using a numerical severity rating scale:
    • None: 0, Low: 0.1-3.9, Medium: 4.0-6.9, High: 7.0-8.9, Critical: 9.0-10.0
  • CVE (Common Vulnerabilities and Exposures) identifies and tracks vulnerabilities via a list maintained by MITRE, with a unique reference number for each entry.
  • Categories of vulnerabilities include software, network, physical, human, configuration, and supply chain.
  • Breaches can occur due to eavesdropping, alteration, interruption, masquerading, or repudiation.
  • Sources of security threats can be insiders or outsiders.
    • Insiders can be pure, elevated pure, associate, or affiliate.
    • Outsiders can be affiliates.

Categories of Threats and Examples

  • Malware Threats include viruses, ransomware, worms, trojans, and spyware
  • Social Engineering involves phishing emails, pretexting, baiting, and tailgating
  • Physical Threats involve theft of devices, fire, floods, or natural disasters
  • Insider Threats involve disgruntled employees, accidental data leaks, or privileged access misuse
  • Network Threats include denial-of-service, man-in-the-middle, or eavesdropping
  • Advanced Persistent Threats (APTs) involve state-sponsored attacks or long-term espionage
  • Supply Chain Threats involve tampered software updates, backdoors, or dependency on compromised vendors.
  • Zero-Day Threats involve exploits targeting unknown software vulnerabilities.
  • Attacks are either passive or active.
    • Passive attacks learn or use information from the system but do not affect resources and involve eavesdropping.
    • Active attacks alter the system resources or affect their operation and involve modifying the data stream.
  • The Attack Surface consists of the reachable and exploitable vulnerabilities in a system and can be categorised as the network, software or human attack surface.
  • Social engineering tricks people into revealing information or violating security practices; it relies on ignorance and can be both dangerous and effective.
  • Social engineering attacks can be physical, based on physical objects, or psychological.
  • Psychological attacks use elements such as elicitation, pretexting and influence.

Security Controls

  • Security controls are measures that are put in place to mitigate or counter identified threats; they can be technical, administrative or physical.
  • Examples of security controls:
    • Technical controls:
      • Network protocols: IPSec, TLS, SSH, SSL, HTTPS, S/MIME, PGP, and others
      • Device/network security: passwords, proxy servers, intrusion detection/prevention, honeypots, antivirus
      • Web/software security: defensive programming, code auditing
      • Cryptography: encryption, digital signatures, hashing and checksums
    • Administrative controls: policies, guidelines and manuals.
    • Physical controls: locks, CCTV/cameras, security guards, security dogs, fences
  • Examples of how threats can be countered with controls for each aspect:
    • Confidentiality
      • Insider threats, phishing/social engineering, data breaches and weak passwords can be countered with authentication, network security, education and encryption.
    • Integrity
      • Ransomware, data tampering and unauthorised modification can be countered with cryptographic hashing and version control.
    • Availability
      • DDoS attacks, DoS attacks, hardware failures and similar can be countered with load balancing, backups, redundancy and DDoS mitigation.

Hackers and Pen testers

  • Hackers' motivations include the view that hacking is a victimless crime, a Robin Hood ideal, patriotism, educational value or curiosity.
  • Hackers act on a motive, using the means available to them, when they find an opportunity.
  • Types of hacker include script kiddies, amateurs, hacktivists, hackers and state-sponsored hackers.

Modern hacking

  • The hacking methodology contains five distinct stages:
    • Reconnaissance
    • Scanning and enumeration
    • Gaining Access
    • Maintaining Access
    • Covering Tracks

Malicious Hacking Steps

  • Reconnaissance: passively acquires information about the victim's system.
  • Scanning: uses the collected information to actively acquire in-depth information about the victim's system.
  • Infiltration & Escalation: exploits identified vulnerabilities to attempt
  • Exfiltration: gains elevated access to a point where the attacker can access resources and information.
  • Access Extension: installs more tools to continue to access the system in future.
  • Assault: a destructive phase where attackers cause damage.
  • Obfuscation: covering tracks and removing evidence of their presence.

Cyber Kill Chain

  • Reconnaissance: Research, identification, and selection of targets.
  • Weaponisation: Pairing remote access malware with an exploit into a deliverable payload.
  • Delivery: Transmission of the weapon to the target through email attachments, websites, or USB drives.
  • Exploitation: Once delivered, the weapon's code is triggered, exploiting vulnerable applications or systems.
  • Installation: Installs a backdoor allowing persistent access and control.
  • Command & Control: An outside command centre communicates with the weapon.
  • Actions on Objective: Reaches objectives such as exfiltration.

Phases

  • Initial Recon: a vulnerability is identified.
  • Initial Compromise: a vulnerability is exploited.
  • Establish Foothold: sustained access is obtained.
  • Maintain Presence: more targets are found.
  • Internal Recon: moving through the system.
  • Escalate Privileges: gaining higher privileges and moving through the system.
  • Complete Mission: system takeover.

Ethical Hacking

  • Ethical hackers require the same skill set as a malicious hacker, which includes:
    • Using their knowledge and skills and understanding the hacker mindset
    • Using the same rules of engagement
    • Simulating attacks
  • They take the same care, gain permission before running exploits, and provide reports that include test results and recommendations.

Assessment types

  • In a Security Assessment, a test is performed in order to assess the level of security of a network or system.
  • A Security Audit provides compliance checks, with insights, by testing whether an organisation is following standards and policies.
  • A Vulnerability Assessment scans and tests for vulnerabilities but does not intentionally exploit them.
  • A Penetration Test involves finding vulnerabilities and seeks to exploit them.
  • A Red Team performs penetration testing while acting as a true outside threat would, to gain unauthorised access to the client's system(s).
  • A Blue Team implements security policy and technical controls while detecting and defending against the Red Team.
  • A Purple Team acts as a bridge between the Blue and Red Teams by facilitating collaboration and knowledge sharing to improve defences and security strategies.

Ethical Hacking and Penetration Testing

  • Ethical hacking is a structured and methodical means of investigating, uncovering, attacking and reporting on a target system's strengths and vulnerabilities; penetration tests are part of IT audits.
  • Types of testing include:
    • Black Box Testing: simulates how an attacker views the system, without any knowledge of it.
    • White Box Testing: simulates an attack with full system knowledge.
    • Gray Box Testing: simulates an attack with partial system knowledge.

Categories of attacks

  • Technical attack: simulates an attack against equipment.
  • Administrative attack: designed to find loopholes or shortcomings in how tasks and operational processes are performed.
  • Physical attack: designed to break equipment or facilities.
  • Planning: the goal of a penetration test is to audit an information system to identify any existing vulnerabilities.
  • Discovery: vulnerabilities are discovered in order to report them rather than to exploit them.
  • Attacks: vulnerabilities are exploited in a controlled manner, if permitted.
  • The testing cycle ends with a report that recommends security controls to mitigate the discovered vulnerabilities.

Pen Test Stages

  • A pen test contains three phases:
    • Pre-Attack Phase: reconnaissance and data-gathering.
    • Attack Phase: attempts to penetrate the network and execute attacks.
    • Post-Attack Phase: cleanup to return the system to its pre-attack condition.
  • Pen test deliverables usually consist of a report that summarizes the test, names the participants and lists all findings with recommendations.

Rules for Ethical Hackers

  • Trust: the client trusts the ethical hacker to perform the work with discretion; an ethical hacker who breaks that trust causes problems and degrades trust.
  • Legal implications: violating the limits defined by the permitted scope of testing may lead the client to take legal action, and the client is compelled to take legal action if there are damages.
  • Laws include:
    • Computer Fraud and Abuse Act (US 1986)
    • Computer Misuse Act (UK 1990)
    • Data Protection Act (UK 2018)

Security Design Principles

  • The National Centres of Academic Excellence in Information Assurance/Cyber Defence adopted a modified set of the Saltzer and Schroeder principles (1975):
  • Psychological Acceptability: user interfaces should be well designed and intuitive, and all security-related settings should adhere to what an ordinary user might expect.
  • Least Common Mechanism: mechanisms allowing resources to be shared by more than one user should be minimised.
  • Least Privilege: every process and every user of the system should operate using the least set of privileges necessary to perform the task.
  • Separation of Privilege: multiple conditions should be required to achieve access to restricted resources or to have a program perform some action.
  • Open Design: the design of a security mechanism should be open rather than secret.
  • Work Factor: in designing a security scheme, the cost of circumventing a security mechanism should be compared with the resources of an attacker.
  • Recording Compromises: recording compromises is as important as preventing data loss.
  • Economy of Mechanism: the design of security measures should be as simple as possible.
  • Fail Safe Defaults: access decisions are based on permissions rather than exclusion; default access is denied.
  • Complete Mediation: every access is checked against the access control mechanism.
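As an added illustration (not part of the original notes), the following minimal reference monitor shows how Fail Safe Defaults, Complete Mediation, Least Privilege, Separation of Privilege and Recording Compromises translate into code; the principals, resources and "dual control" policy it uses are constructed for this example.

```python
# Added example (not part of the original notes or any cited source): a tiny
# reference monitor showing how the design principles above translate into code.
# Principals, resources and permissions below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)


@dataclass
class ReferenceMonitor:
    # Least Privilege: each principal holds only the permissions explicitly granted.
    grants: Dict[str, Set[Permission]] = field(default_factory=dict)
    # Separation of Privilege: permissions that also need an independent approver.
    dual_control: Set[Permission] = field(default_factory=set)
    # Recording Compromises: every decision, above all every denial, is logged.
    audit_log: List[str] = field(default_factory=list)

    def grant(self, principal: str, resource: str, action: str) -> None:
        self.grants.setdefault(principal, set()).add((resource, action))

    def require_dual_control(self, resource: str, action: str) -> None:
        self.dual_control.add((resource, action))

    def check_access(self, principal: str, resource: str, action: str,
                     approver: Optional[str] = None) -> bool:
        # Fail Safe Defaults: start from "deny" and only switch to "allow" when
        # every required condition holds (permission-based, not exclusion-based).
        perm = (resource, action)
        allowed, reason = False, "no matching grant"
        if perm in self.grants.get(principal, set()):
            if perm not in self.dual_control:
                allowed, reason = True, "grant matched"
            elif approver is None or approver == principal:
                reason = "second, independent approver required"
            elif perm not in self.grants.get(approver, set()):
                reason = f"approver {approver} lacks the permission"
            else:
                allowed, reason = True, f"grant matched, approved by {approver}"
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{verdict} {principal} {action} {resource}: {reason}")
        return allowed

    def perform(self, principal: str, resource: str, action: str,
                approver: Optional[str] = None) -> str:
        # Complete Mediation: the only path to the resource runs through check_access().
        if not self.check_access(principal, resource, action, approver):
            raise PermissionError(f"{principal} may not {action} {resource}")
        return f"{action} on {resource} performed for {principal}"

    def denials(self) -> List[str]:
        # The denied attempts are what an analyst reviews for signs of compromise.
        return [entry for entry in self.audit_log if entry.startswith("DENY")]


def build_demo_monitor() -> ReferenceMonitor:
    # Constructed policy: alice reads and writes payroll, bob only writes it,
    # and every write to payroll needs a second, independent approver.
    rm = ReferenceMonitor()
    rm.grant("alice", "payroll.db", "read")
    rm.grant("alice", "payroll.db", "write")
    rm.grant("bob", "payroll.db", "write")
    rm.require_dual_control("payroll.db", "write")
    return rm


if __name__ == "__main__":
    rm = build_demo_monitor()
    print(rm.perform("alice", "payroll.db", "read"))
    print(rm.perform("alice", "payroll.db", "write", approver="bob"))
    for attempt in [("mallory", "payroll.db", "read", None),
                    ("alice", "payroll.db", "write", None)]:
        try:
            rm.perform(*attempt)
        except PermissionError as exc:
            print("blocked:", exc)
    print("\n".join(rm.audit_log))
```

Economy of Mechanism is why the whole monitor fits in one small class: a policy that is easy to read is a policy that is easy to audit.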

Threat modelling

  • DREAD focuses on the severity and impact of an attack.
  • It consists of the categories Damage, Reproducibility, Exploitability, Affected Users, and Discoverability.
  • DREAD ratings are subjective, so it should not be relied on for critical security decisions.
  • Threat modelling provides an understanding of existing threats that allows businesses to make decisions:
    • Damage: the impact if the threat were exploited.
    • Reproducibility: how easy the attack is to replicate.
    • Exploitability: how easily the vulnerability can be exploited.
    • Affected Users: which users are affected when the threat is exploited.
    • Discoverability: how easy it is for an attacker to discover that the threat exists.

Attack Tree

  • An attack tree is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities (for example via personnel, outsiders or social engineering).
  • The security incident that is the goal of the attack is represented as the root node of the tree.
  • The ways an attacker might reach the goal are added iteratively as child nodes.
  • Branches are labelled with attributes.
  • The final nodes, reached by following paths outward from the root (the leaf nodes), represent different ways to initiate an attack.
