Secure Programming Overview and Characteristics

Questions and Answers

What is the main reason for the increase in security vulnerabilities in ICT systems?

  • Enhanced security protocols by companies
  • The rapid growth of the Internet (correct)
  • Improved training for system administrators
  • The complexity of software being developed (correct)

Which of the following best describes ICT security?

  • Only the hardware components that ensure digital safety
  • A specific set of software applications designed for security
  • Only organizational rules implemented by a company
  • A mix of products, services, and individual behaviors that protect ICT systems (correct)

What factor has contributed to the decrease in the average level of system administrators in recent years?

  • Strain from the growing number of Internet-connected systems (correct)
  • The oversaturation of the job market
  • Increased complexity of tasks due to advanced technology
  • A significant rise in hacker attacks

Which components are considered the main parts of any ICT system?

  • Hardware, OS and applications, and communication (B)

What is a common mistake made by inexperienced programmers in relation to security?

  • Failing to test code for security vulnerabilities (D)

What is one of the primary goals of information security?

  • To protect information and its critical elements (C)

Which characteristic of information security ensures that unauthorized individuals cannot access data?

  • Confidentiality (B)

Why are people often considered the weakest link in information security?

  • They can fall victim to social engineering attacks. (B)

Which type of attack involves a hacker directly using their computer to break into a system?

  • Direct attack (B)

What does the C.I.A. triangle stand for in the context of information security?

  • Confidentiality, Integrity, Availability (B)

What is a common characteristic of software that makes it difficult to secure?

  • It often contains complex code that can hide vulnerabilities. (A)

What role does a threat-agent play in information security?

  • They exploit vulnerabilities to damage or steal assets. (D)

How is an exploit defined in the context of cybersecurity?

  • The method used to take advantage of a vulnerability (D)

Which of these is not considered a layer of security in a well-secured organization?

  • Asset management (C)

What is the purpose of examining various threat categories in an organization?

  • To effectively protect information through policies (B)

Flashcards

System Security Attacks

Attacks target systems with weak security through methods like changing attachments or URLs in emails.

Defensive Strategies

Methods for protecting systems are often reactive responses to threats.

ICT Security

Protecting information systems using tools, rules, and behaviors.

System Components

Systems contain hardware, OS/applications, communication, and cloud (optional).

Skills Gap in Security

Lack of trained system administrators and secure-code programmers strains internet security.

Information Security

Protecting information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Confidentiality

Preventing unauthorized disclosure or exposure of information.

Integrity

Ensuring the accuracy and completeness of information.

Availability

Ensuring information and systems are accessible when needed.

Threat

Anything that can potentially harm an asset.

Vulnerability

A weakness in a system that can be exploited.

Exploit

A technique used to take advantage of a vulnerability.

Attack

The deliberate act of exploiting a vulnerability.

Direct Attack

An attack where the attacker directly uses their own system to infiltrate a target system.

Indirect Attack

An attack where a compromised system is used to attack another system.

Study Notes

Secure Programming Overview

  • Secure programming aims to create software free from vulnerabilities.
  • A secure organization has layered security, including physical, personal, operational, communication, and network security.
  • Information security protects information and its systems and hardware.
    • Essential resources include policy, awareness, training, and technology.
    • The CIA triangle (Confidentiality, Integrity, Availability) is a key standard.

Critical Characteristics

  • Confidentiality: Prevents unauthorized disclosure or exposure of information.
  • Integrity: Ensures the data's completeness and accuracy (whole, uncorrupted).
    • Uses methods like checksums, error correction, and retransmission.
  • Availability: Guarantees timely access to information and services when needed.

Components of an Information System

  • Software: Often the most complex and vulnerable component.
    • Software is a significant target for exploitation.
  • Hardware: Physical security is paramount.
    • Laptop and flash memory security is crucial.
  • Data: Highly valuable asset, frequently targeted for attacks.
  • People: The weakest link, requiring thorough training to prevent social engineering attacks.
  • Procedures: Inadequate procedures lead to data integrity threats.
  • Networks: Traditional security measures (locks and keys) are insufficient in modern network environments.

Securing Components

  • A computer can be either the subject of an attack (the system used to carry it out) or the object of an attack (the target).
    • Attacks can use compromised systems to target other systems (indirect).
  • Types of attacks:
    • Direct: Hacker directly accesses a system.
    • Indirect: Compromised system exploited to launch an attack.

Threats

  • A threat is anything that poses danger to organization assets.
  • Management must be aware of various potential threats and address them through policy, education, training, and technological controls.

Attacks

  • An attack is a deliberate action exploiting vulnerabilities.
    • It can damage or steal information and physical assets.
    • An exploit is a technique for exploiting a vulnerability.
  • A vulnerability is an identified weakness in the system that prevents controls from functioning properly.

Basic Problems

  • User awareness and understanding of risks are often inadequate.
  • Human errors, especially under stress or overload, create security vulnerabilities.
  • Complex systems can mislead users, leading to incorrect actions.
  • Performance degradation as a side effect of security measures should be considered.
  • Users can be tricked into engaging in attacks and compromised systems.
  • Experienced users are also vulnerable, for example when copying authentication links or attachments.

Roots of Insecurity

  • Current defensive strategies are often reactive.
  • The internet's rapid growth has strained security talent.
  • The availability of complex software without secure coding practices contributes to the problem.

ICT Security

  • ICT (Information and Communication Technologies) are crucial for access to information via telecommunications.
  • ICT security protects an organization's ICT system through product, service, and behavior controls.
  • Hardware, OS and applications, and communications (including cloud – optional) are primary components of any ICT system.
