Summary

This document provides a summary of key concepts related to information security. It details topics such as confidentiality, integrity, and availability, along with access control mechanisms, including DAC, MAC, RBAC, and ABAC. The document also discusses subjects, objects, and access rights, emphasizing the balance between security and usability.

Full Transcript


Confidentiality (description from the book, p. 39/40)
"Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information."
Confidentiality covers two related concepts:
- Data confidentiality: assures that private or confidential information is not made available or disclosed to unauthorized individuals.
- Privacy: assures that individuals control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed.
Explanation (ChatGPT): "Is the principle of keeping sensitive or private information secure and ensuring it is only accessible to authorized individuals."

Integrity (description from the book, p. 39/40)
Integrity covers two related concepts:
- Data integrity: assures that information and programs are changed only in a specified and authorized manner.
- System integrity: assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
"Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information."

Availability (description from the book, p. 39/40)
"Assures that systems work promptly and service is not denied to authorized users. Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system."

Access control (description from the book, from p. 192)
Access control involves the following functions:
- Authentication: verification that the credentials of a user or system are valid.
- Authorization: granting a user or system permission to access system resources. Determines who is trusted.
- Audit: a review of system records and activities to check whether controls are adequate, ensure rules are followed, identify security issues, and suggest improvements to controls, policies, and procedures.

An access control system manages who can use system resources like apps, files, and databases. First, it checks whether the user or process is allowed to access the system (authentication). Then, it decides whether the user has permission for the specific action they are trying to take (authorization). A security administrator sets up rules in a database that define what each user is allowed to do. The system uses this database to approve or deny access and keeps records of all user activity (audit). Access control is often handled by multiple components, including the operating system, security tools, and specific applications like databases. Firewalls and other external devices can also help control access.

Access control policies:
- Discretionary access control (DAC): access is managed based on who is making the request and rules about what they are allowed to do. It is called discretionary because someone with access can choose to allow others to use the resource.
- Mandatory access control (MAC): access is controlled by matching security labels (showing resource sensitivity) with security clearances (showing who is allowed access). It is called mandatory because users cannot decide on their own to give access to others.
- Role-based access control (RBAC): controls access based on the roles that users have within the system.
- Attribute-based access control (ABAC): access is controlled based on the user's attributes, the resource, and the current environment.

The basic parts of access control are:
1. Subject: the user or process trying to access a resource. A subject acts on behalf of a user or application and inherits their permissions. Actions by subjects are recorded in logs to track security-related activities.
   There are three types of subjects:
   ○ Owner: the creator or designated administrator of a resource.
   ○ Group: a set of users with shared access rights.
   ○ World: all other users, with the least access permissions.
2. Object: the resource being accessed, such as files, directories, or programs. Objects can also include smaller elements like records, messages, or even hardware like processors or ports. The type and number of objects depend on the system's security needs and its complexity.
3. Access rights: define what actions a subject can perform on an object, such as:
   ○ Read: view or copy information.
   ○ Write: add, change, or delete data.
   ○ Execute: run a program.
   ○ Delete: remove files or records.
   ○ Create: make new resources.
   ○ Search: look through directories.
The balance between security and usability determines how these elements are applied.

Authentication & authorization
- Authentication: verifying a user's identity (e.g., password, biometrics).
- Authorization: granting permissions to access specific resources based on a user's identity and role.

DoS (Denial of Service)
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- DoS:
  ○ Overloads a network or server with traffic, making it unavailable to legitimate users.
  ○ Example: sending large volumes of requests to exhaust server resources.
- DDoS:
  ○ A distributed attack using multiple devices (often part of a botnet) to amplify the impact of a DoS attack.
  ○ Targets include websites, online services, or network infrastructure.

Intrusion with or without data breaches
- Intrusion: unauthorized access to a system or network.
- Data breach: a specific intrusion where sensitive data is accessed or stolen.

Intrusion with data breach:
- Definition: an unauthorized entry into a system where sensitive data is accessed, stolen, or exposed. This can include personal information, financial records, or intellectual property.
- Implications: data breaches are severe because they compromise sensitive information (e.g. patient records), leading to potential consequences for the affected organization, e.g. legal ones.
- Detection and response: involves identifying unauthorized data access, stopping data exfiltration, and assessing the full extent of data exposure. Response often includes notifying affected individuals and implementing further data protection measures.

Intrusion without data breach:
- Definition: an unauthorized entry where no sensitive data is accessed or stolen. The attacker may explore the network, probe for weaknesses, or install malware without exfiltrating any data. However, remember that an intrusion without a data breach is much less common than one with a data breach: once an intrusion has happened, the data breach happens almost immediately after. The question then is what kind of data breach it is, i.e. what kind of data it has been possible to access.
- Implications: although less immediately damaging, this type of intrusion still indicates a vulnerability. Attackers may return later with the intent to escalate their access or cause other harm, such as a denial-of-service attack or installing ransomware.
- Detection and response: focuses on identifying and closing vulnerabilities, tracking the attacker's movements, and removing any backdoors or malware planted. Preventative actions are taken to secure the system against future breaches.

Introduction to buffer overflow (p. 542 in the book)
A buffer overflow is also known as a buffer overrun or buffer overwrite.
Definition: "Buffer overrun: a condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Adversaries exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system."
A buffer overflow occurs when a program writes more data into a buffer (a fixed-size block of memory) than it can hold. This excess data spills into adjacent memory locations, potentially overwriting critical data such as control variables or function pointers. The consequences of this error:
- corruption of data used by the program
- unexpected transfer of control in the program
- possible memory access violations, and very likely eventual program termination.
Buffer overflow attacks exploit software vulnerabilities to manipulate system behavior.

IT security management and risk assessment (p. 786 in the book)
IT security management answers questions like:
- What assets do we need to protect?
- How are those assets threatened?
- What can we do to counter those threats?
More specifically, IT security management consists of first determining a clear view of an organization's IT security objectives and general risk profile.
Definition: the formal process used to develop and maintain appropriate levels of computer security for an organization's assets, by preserving their confidentiality, integrity, availability, accountability, authenticity, and reliability.
Next, an IT security risk assessment is needed for each asset in the organization that requires protection; this assessment must answer the three key questions listed above.

ChatGPT: security risk analysis is the process of identifying, assessing, and mitigating risks to an organization's assets, information, and operations. The terms listed below represent different approaches and methods used in risk analysis. Security risk analysis approaches:
- Baseline
  ○ Definition: compares the current state of security measures to a predefined standard or best practice.
  ○ Purpose: it helps identify gaps in compliance with established security frameworks, such as ISO 27001 or NIST guidelines.
- Informal
  ○ Definition: a less structured approach that relies on general observations, expert judgment, and brainstorming to identify and evaluate risks.
  ○ Purpose: it is often used when time or resources are limited or when a rapid assessment is needed.
- Formal
  ○ Definition: uses structured, methodical approaches and quantitative or qualitative techniques to assess risks in detail.
  ○ Purpose: it aims to provide a comprehensive, repeatable, and evidence-based evaluation of security risks.
- Combined
  ○ Definition: integrates elements of the baseline, informal, and formal methods to balance thoroughness with practicality.
  ○ Purpose: it allows organizations to leverage the strengths of multiple approaches to achieve a well-rounded risk analysis.

Physical security control types
Physical security refers to the security of physical assets, such as data centers with servers. Three physical security control types, i.e. measures to protect physical assets like buildings and hardware:
1. Deterrent controls: fences, warning signs.
2. Preventive controls: locks, security guards.
3. Detective controls: alarms, surveillance cameras.

Security policy in an organization (p. 72)
A document outlining the principles, guidelines, and requirements for maintaining security within an organization. At the least, a security policy is an informal description of desired system behavior. Such informal policies may reference requirements for security, integrity, and availability. More usefully, a security policy is a formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.
In developing a security policy, a security manager needs to consider the following factors:
- The value of the assets being protected
- The vulnerabilities of the system
- Potential threats and the likelihood of attacks

Understand types of network attacks: passive or active
Passive attack: attempts to learn or make use of information from the system, but does not affect system resources. Passive attacks are in the nature of eavesdropping on, or monitoring, transmissions. The goal of the attacker is to obtain information that is being transmitted. Two types of passive attacks:
- Release of message contents: an attacker intercepts and reads sensitive data being transmitted between authorized parties, compromising data confidentiality.
- Traffic analysis: the attacker observes network traffic patterns, such as the amount of data exchanged between specific hosts, to infer sensitive information without directly accessing the data itself. This can reveal communication relationships and potential targets for further attacks.
- Eavesdropping: intercepting network traffic to steal data. (Wikipedia: eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information.)

Active attack: attempts to alter system resources or affect their operation. Active attacks aim to disrupt, alter, or destroy system resources or the information they hold. Four types:
- Replay: the attacker intercepts and captures a data unit and subsequently retransmits it to produce an unauthorized effect. This can disrupt service or gain unauthorized access if replayed at a later time.
- Masquerade: an entity pretends to be a different, authorized entity to gain unauthorized access or perform actions beyond its permissions. This can involve stealing credentials or exploiting vulnerabilities in authentication mechanisms.
  ○ Spoofing and phishing?
- Modification of messages: the attacker alters the content of transmitted data to deceive the recipient or disrupt communication. This can compromise data integrity or manipulate transactions.
  ○ Man-in-the-middle (MitM)
- Denial of service (DoS): DoS attacks aim to prevent legitimate users from accessing a system or service. They can target various resources, including network bandwidth, system resources, and application resources.
  ○ DDoS: distributed denial of service, using multiple devices to attack a target.

Other types of network attacks (may be included in one of the above):
- Phishing and social engineering: trick users into revealing sensitive information. (Phishing is the practice of sending fraudulent communications that appear to come from a legitimate and reputable source, usually through email and text messaging.)
- Spoofing attacks: spoofing involves impersonating a legitimate user or device (fraudsters pretend to be someone or something else to win a person's trust).
- Malware-based attacks: malicious software is used to compromise networks or devices.
- SQL injection: attackers inject malicious SQL queries into web forms to access, manipulate, or delete database data. This is a common attack on poorly secured web applications.

Attacking wireless protocols (from Erik's)
- Wi-Fi: eavesdropping, denial of service, WPA cracking, malicious access point
- RFID (radio-frequency identification) / NFC (near field communication): cloning, emulating, spoofing
- Bluetooth: bluejacking (mousejacking), sniffing, denial of service (Apple AirPods spam)

Function of a firewall (p. 411 in the book)
Firewalls are also known as gateways. The firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter. More generally, a firewall is a boundary system that separates different security domains within and between organizations.
The aim of this system is to protect the internal network from attacks and to provide a single choke point where security and auditing can be imposed. The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.
Firewall characteristics:
- All traffic from inside to outside, and vice versa, must pass through the firewall. It is placed at a central point to block unauthorized access while allowing legitimate traffic.
- Authorization rules: only traffic that complies with an organization's security policy is allowed.
- Resistance to penetration: the firewall system itself must be secure and protected against attacks.
Why firewalls are needed:
- Internet connectivity is essential for most organizations, but it also exposes their internal networks to external threats.
- While each individual device in a network can be equipped with its own security features, this is often difficult and costly to manage, especially in large networks with many systems.
- A firewall provides an additional layer of defense, complementing host-based security measures.
"Defense in depth": firewalls contribute to a layered security approach, where multiple defenses work together to protect the network.
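Returning to the access control notes earlier on this page (subjects of type owner/group/world, the six access rights, DAC versus MAC, and audit logging), here is an added worked example in C; it is not code from the page or the textbook. The clinic database, the users and their clearance levels are constructed sample data, and the MAC rule is simplified to a single clearance-versus-sensitivity comparison.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Access rights as bit flags: the six rights listed in the notes. */
enum { R_READ = 1, R_WRITE = 2, R_EXEC = 4, R_DELETE = 8, R_CREATE = 16, R_SEARCH = 32 };

/* Subject: acts on behalf of a user, belongs to a group, holds a clearance level. */
struct subject { const char *user; const char *group; int clearance; };

/* Object: owned by a user and a group, carries a sensitivity label, and has
 * three DAC rights sets, one each for owner, group and world. */
struct object {
    const char *name, *owner, *group;
    int sensitivity;
    unsigned owner_rights, group_rights, world_rights;
};

/* DAC: the applicable rights set depends on who asks (owner, then group,
 * then world). The owner chooses these bits, which is what makes it "discretionary". */
bool dac_allowed(const struct subject *s, const struct object *o, unsigned right) {
    unsigned rights;
    if (strcmp(s->user, o->owner) == 0)       rights = o->owner_rights;
    else if (strcmp(s->group, o->group) == 0) rights = o->group_rights;
    else                                      rights = o->world_rights;
    return (rights & right) == right;
}

/* MAC (simplified): the subject's clearance must be at least the object's
 * sensitivity label. Neither the owner nor the subject can relax this rule. */
bool mac_allowed(const struct subject *s, const struct object *o) {
    return s->clearance >= o->sensitivity;
}

/* Reference monitor: both policies must allow, and every decision is logged
 * so the audit function has a record of what each subject attempted. */
bool access_allowed(const struct subject *s, const struct object *o, unsigned right) {
    bool ok = dac_allowed(s, o, right) && mac_allowed(s, o);
    printf("audit: user=%s object=%s rights=0x%02x decision=%s\n",
           s->user, o->name, right, ok ? "ALLOW" : "DENY");
    return ok;
}

/* Constructed sample data (not from the notes): a patient database at
 * sensitivity 2; owner alice may read/write/delete, group clinic may read,
 * world has no rights at all. */
const struct object patient_db = {"patient_db", "alice", "clinic", 2,
                                  R_READ | R_WRITE | R_DELETE, R_READ, 0};
const struct subject alice = {"alice", "clinic", 2}; /* owner, sufficiently cleared */
const struct subject bob   = {"bob",   "clinic", 1}; /* group member, clearance too low */
const struct subject eve   = {"eve",   "guests", 3}; /* high clearance, but no DAC rights */

int main(void) {
    access_allowed(&alice, &patient_db, R_READ | R_WRITE); /* ALLOW */
    access_allowed(&bob,   &patient_db, R_READ);           /* DENY: MAC, clearance 1 < 2 */
    access_allowed(&eve,   &patient_db, R_READ);           /* DENY: DAC, world has no rights */
    return 0;
}
```

Note that bob is denied even though the DAC bits would let him read, and eve is denied even though her clearance is high enough: both policies must agree before access is granted.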
Malicious software / malware (p. 299-300)
The two terms mean the same thing: a program that is inserted into a system with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system, or otherwise annoying or disrupting the victim.
Different types:
- Trojan horse: a computer program that appears to have a useful function but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes it. When invoked, the hidden code performs an unwanted or harmful function.
- Worm: a computer program that can run independently and can propagate a complete working version of itself onto other hosts. Actively seeks out more machines to infect. Can use network connections to spread from system to system. Can spread through shared media such as USB drives or emails.
- Virus: a piece of software that can "infect" other programs or any type of executable content, by modifying them. Makes copies of itself to keep spreading and "infecting". A virus that attaches to an executable program can do anything that the program is permitted to do:
  ○ Executed secretly when the host program is run.
  ○ Can for example erase files, if that is allowed by the privileges of the current user.
- Rootkit: a set of hacker tools used after an attacker has broken into a computer system and gained root-level access. Usually gives the hacker access to all the functions and services. Can make changes to a system to hide its existence, making it difficult for the user to determine that the rootkit is present and identify the changes.
- Advanced persistent threats (APTs): have increased in recent years. A well-resourced, advanced, persistent application of a wide variety of intrusion technologies and malware to selected targets, usually business or political. Cybercrime directed at business and political targets, using a wide variety of intrusion technologies and malware, applied persistently and effectively to specific targets over an extended period, often attributed to state-sponsored organizations.
- Ransomware: a type of malicious software that encrypts a victim's files or locks them out of their system. Attackers demand a ransom payment, often in cryptocurrency, in exchange for restoring access. It disrupts operations and can lead to significant financial losses if backups or recovery options are unavailable.

Public key in cryptography (description from the book, from p. 102)
Public-key cryptography uses two mathematically related keys: a public key (shared openly) and a private key (kept secret). It is also called asymmetric encryption, as it requires two keys, unlike symmetric encryption, which uses one.
1. Encryption & decryption:
   ○ A message encrypted with the recipient's public key can only be decrypted by their private key, ensuring confidentiality.
   ○ Alternatively, encrypting with a private key allows anyone with the public key to verify authenticity (digital signatures).
2. Key components:
   ○ Plaintext: original message.
   ○ Encryption algorithm: scrambles the plaintext.
   ○ Keys: public and private keys for encryption and decryption.
   ○ Ciphertext: scrambled output.
   ○ Decryption algorithm: restores plaintext using the private key.
3. Steps for confidential communication:
   ○ Users generate a key pair (public and private keys).
   ○ Public keys are shared openly; private keys are kept secure.
   ○ Sender encrypts the message with the recipient's public key.
   ○ Recipient decrypts it with their private key.
While public-key cryptography ensures strong security, it requires more computational resources than symmetric encryption. It is often combined with symmetric methods for efficiency.

Encryption
Encryption is the process of converting plain text or readable data (plaintext) into an unreadable format (ciphertext) using a cryptographic algorithm and a key.
The purpose is to ensure confidentiality, protect data from unauthorized access, and secure communication between parties. There are two different types of encryption: symmetric and asymmetric. The three encryption algorithms are symmetric, asymmetric and hashing.

Example exam questions:
- Which software is most commonly used by organizations to manage users, groups, and privileges in internal networks? Active Directory.
- What is not a common web application vulnerability? (multiple-choice question) These are common web application vulnerabilities:
  – They are ubiquitous, meaning they are everywhere
  – They contain lots of interesting data ($)
  – They can be an entry point into an organization's internal network ($$$)
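The public-key steps listed above (generate a key pair, encrypt with the recipient's public key, decrypt with the private key, and sign with the private key so anyone with the public key can verify) are carried through below with textbook RSA, as an added example in C that is not code from the page or the book. The primes 61 and 53 and the message 65 are constructed demo values chosen to be checkable by hand; the modular arithmetic assumes n fits in 32 bits, and real keys are thousands of bits with padding, which this sketch omits.

```c
#include <stdint.h>
#include <stdio.h>

/* Modular exponentiation base^exp mod m by square-and-multiply.
 * Assumes m < 2^32 so the product of two residues fits in 64 bits. */
static uint64_t mod_pow(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1;
    base %= m;
    while (exp > 0) {
        if (exp & 1) result = result * base % m;
        base = base * base % m;
        exp >>= 1;
    }
    return result;
}

/* Modular inverse of a mod m via the extended Euclidean algorithm.
 * Requires gcd(a, m) == 1, which is what makes e a valid public exponent. */
static uint64_t mod_inverse(uint64_t a, uint64_t m) {
    int64_t t = 0, new_t = 1, r = (int64_t)m, new_r = (int64_t)(a % m);
    while (new_r != 0) {
        int64_t q = r / new_r, tmp;
        tmp = t - q * new_t; t = new_t; new_t = tmp;
        tmp = r - q * new_r; r = new_r; new_r = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* A key pair: (n, e) is the public key, shared openly; d is the private key. */
struct rsa_key { uint64_t n, e, d; };

/* Step 1: generate the key pair from two primes p, q and public exponent e.
 * The private exponent d is the inverse of e modulo (p-1)(q-1). */
struct rsa_key rsa_keygen(uint64_t p, uint64_t q, uint64_t e) {
    struct rsa_key k = { p * q, e, mod_inverse(e, (p - 1) * (q - 1)) };
    return k;
}

/* Confidentiality: the sender encrypts with the recipient's PUBLIC key ... */
uint64_t rsa_encrypt(struct rsa_key k, uint64_t plaintext) { return mod_pow(plaintext, k.e, k.n); }
/* ... and only the holder of the PRIVATE key can decrypt. */
uint64_t rsa_decrypt(struct rsa_key k, uint64_t ciphertext) { return mod_pow(ciphertext, k.d, k.n); }
/* Authenticity: signing uses the PRIVATE key ... */
uint64_t rsa_sign(struct rsa_key k, uint64_t message) { return mod_pow(message, k.d, k.n); }
/* ... and anyone holding the PUBLIC key can verify the signature. */
int rsa_verify(struct rsa_key k, uint64_t message, uint64_t signature) {
    return mod_pow(signature, k.e, k.n) == message;
}

/* Constructed demo key from the primes 61 and 53 (n = 3233, e = 17, d = 2753):
 * far too small for real use, chosen so every number can be checked by hand. */
struct rsa_key demo_key(void) { return rsa_keygen(61, 53, 17); }

int main(void) {
    struct rsa_key k = demo_key();
    uint64_t c = rsa_encrypt(k, 65);   /* sender uses public (n, e) */
    uint64_t s = rsa_sign(k, 65);      /* signer uses private d */
    printf("n=%llu e=%llu d=%llu\n", (unsigned long long)k.n,
           (unsigned long long)k.e, (unsigned long long)k.d);
    printf("ciphertext=%llu decrypted=%llu\n", (unsigned long long)c,
           (unsigned long long)rsa_decrypt(k, c));
    printf("signature valid=%d tampered valid=%d\n", rsa_verify(k, 65, s), rsa_verify(k, 66, s));
    return 0;
}
```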
