Secure Programming Overview
30 Questions

Questions and Answers

What is the main purpose of understanding how a system is likely to fail?

  • To improve the overall security of a system
  • To build a strong system (correct)
  • To prevent cyber-attacks
  • To understand the needs for Secure Programming

What is the main goal of Secure Programming?

  • To prevent many cyber-attacks from happening (correct)
  • To assess the needs for Secure Programming
  • To understand the Information Security Objectives
  • To define the Key important security functions

What is cyberwarfare?

  • The use of technology to improve a nation
  • The use of technology to attack a nation (correct)
  • The use of technology to defend a nation
  • The use of technology to monitor a nation

Why are hacking tools easily accessible?

  • Because they are free or available as shareware (D) (correct)

What is the main advantage of Open Source software?

  • The freedom to study how the program works and adapt it to your needs (A) (correct)

Why do financial institutions market their secure network to potential customers?

  • To attract more customers (D) (correct)

What is a major challenge in securing networks today?

  • The complexity of networks (A) (correct)

Which industry has strict regulations for data protection?

  • Healthcare (D) (correct)

What is the primary reason why managers downplay vulnerabilities in their organization?

  • Lack of knowledge about the network (B) (correct)

What is the main goal of penetration testing?

  • To reduce risk to acceptable levels (A) (correct)

What is Physical Security concerned with?

  • Protecting personnel, critical assets, and systems (B) (correct)

What does the CIA Triad represent?

  • Confidentiality, Integrity, and Availability (D) (correct)

What is the purpose of a cost-risk analysis?

  • To compare the cost of protecting data to the risk of losing or compromising it (B) (correct)

What is the term for attacks against confidentiality, integrity, or availability?

  • D.A.D. attacks (C) (correct)

What is the purpose of a password policy?

  • To implement complex passwords (B) (correct)

What is the term for the acceptable level of risk determined by management?

  • Residual risk (C) (correct)

What is the primary concern of confidentiality in terms of data?

  • Ensuring data is accessible only to authorized personnel (C) (correct)

What is the purpose of a hash function in message integrity?

  • To detect unauthorized data modification (D) (correct)

What is the primary goal of authentication?

  • To verify the identity of a user or system (D) (correct)

What is the term for preventing unauthorized access to data during transmission?

  • Confidentiality (B) (correct)

What is the primary concern of non-repudiation?

  • Ensuring sender authenticity (D) (correct)

What is the term for holding individuals accountable for their actions on a system?

  • Accountability (A) (correct)

What is the primary goal of authentication mechanisms?

  • To confirm a user's identity (A) (correct)

What is the term for an attack that prevents or impairs the authorized use of networks, systems, or applications?

  • Denial of Service (DoS) (C) (correct)

What is the primary goal of accountability?

  • To determine who the attacker or principal is (D) (correct)

What is the term for ensuring that a transaction cannot be denied by any of the parties involved?

  • Non-repudiation (A) (correct)

What is the primary goal of authorization?

  • To check whether a user has permission to conduct an action (A) (correct)

What is an example of 'something you are' in authentication?

  • Fingerprint (C) (correct)

What is the primary goal of data/message integrity?

  • To ensure that data is not modified during transmission (A) (correct)

What is the term for an attack that involves modifying data during transmission?

  • Man-in-the-middle attack (D) (correct)

Study Notes

Assessing the Need for Secure Programming

  • Cyber-attacks can be prevented by using secure programming
  • Examples of cyber-attacks include data breaches, hacks, and cyber warfare
  • Cyber warfare is the use of technology to attack a nation, causing comparable harm to actual warfare

Open Source and Reliance on the Internet

  • Open source software provides freedom to:
    • Run the program for any purpose
    • Study how the program works and adapt it to your needs
    • Redistribute copies to help others
    • Improve the program and release improvements to the public
  • Access to the source code is a precondition for these freedoms
  • Reliance on the internet increases the need for secure programming

Industry Regulations and Complexity of Networks

  • Industry regulations include:
    • Healthcare
    • Department of Defense
    • Data Protection
    • Financial institutions
  • Complexity of networks today includes:
    • Diverse network technologies
    • Misconfigurations
    • Lack of knowledge about the network makes managers downplay vulnerabilities

Security

  • Security is holistic and consists of:
    • Physical security
    • Technological security
    • Operational security

Physical Security

  • Physical security measures protect personnel, critical assets, and systems against deliberate and accidental threats
  • Physical assets include:
    • Information assets

Technological Security

  • Application security includes:
    • Web browser
    • Web server
    • Database
  • OS security (host)
  • Network security

Operational Security

  • Policies include:
    • Password policy – complexity
    • Social engineering awareness
  • Standards include:
    • How policies should be implemented and enforced
  • Procedures include:
    • Step-by-step instructions on how to implement policies
  • Guidelines include:
    • Recommendations relating to a policy

Security Objectives - CIA Triad

  • Security is concerned with the protection of assets against threats
  • Threats relate to confidentiality, integrity, or availability (CIA)
  • Attacks against CIA are called Disclosure, Alteration, and Destruction (DAD) attacks
  • A target is said to be secure when the possibility of undetected theft or tampering is kept to an acceptable level

Security Goals

  • Authentication
  • Authorization
  • Confidentiality
  • Data/message integrity
  • Accountability
  • Availability
  • Non-repudiation

Authentication

  • Authentication mechanisms use any of four qualities to confirm a user's identity:
    • Something the user knows
    • Something the user has
    • Something the user is
    • Something the user can do
  • Multifactor authentication

Authorization

  • Authorization is the act of checking whether a user has permission to conduct some action
  • Access control list (ACL) is used by many operating systems to determine whether users are authorized to conduct different actions

Confidentiality

  • Confidentiality is the protection of assets from unauthorized access

Data/Message Integrity

  • Data/message integrity is the protection of assets from unauthorized modification or alteration

Availability

  • Availability is the protection of assets from unauthorized denial or destruction
  • A denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources

Accountability

  • Accountability is the ability to determine who the attacker or principal is when something goes wrong or an erroneous transaction is identified
  • Accountability records help to find vulnerabilities, fix bugs, improve the application, and support digital forensics

Non-Repudiation

  • Non-repudiation is the ability to ensure undeniability of a transaction by any of the parties involved

Description

Learn about the importance of secure programming in preventing cyber-attacks. Understand the key security functions and objectives of information security.
