Exam

Cybersecurity Assessment Questions & Answers.

Pages
16
Grade
A+
Uploaded on
21-01-2026
Written in
2025/2026

What is Cyber Security?
A necessary science for protecting people and their values from security threats over the internet

Threat
Possible danger

Possible Dangers for Computer systems
Viruses, Worms, Trojan Horses, Spyware, Adware, Backdoors, Logic bombs, others

Possible dangers for organizations (Companies, banks, etc)
Cyber Piracy, Denial of Service, Intrusion, Unauthorized access, Disclosure of information, Modification of data

Possible dangers for countries
Cyber Warfare, Cyber Vandalism, Cyber Espionage, Cyber Terrorism

Possible monetary dangers
Computer Fraud, Phishing, Vishing, Identity theft, Theft of information, Theft of assets

Possible dangers for people
Cyber trolling, Cyber stalking, Cyber harassment, Cyber bullying, Cyber extortion

First electronic computers (year)
1940s

Start of computer industry (year)
1950s

Software comes into its own. Multi-user systems emerged, needing mechanisms to protect systems from users (year)
1960s

Age of the mainframe. Needing sensitive data protection, access control, encryption (year)
1970s

Age of the PC. Multi Level Security (MLS), information flow, security research, viruses and worms (year)
1980s

Age of the internet. Increased exposure to Hostile environments (year)
1990s

Age of the web. The paradise of hackers. Communication security, network security, web security. (year)
2000's

Starting point of computer security in 1972 dealing with the Air Force.
Anderson report.

Insider Fraud Case Study (1966)
Programmer for bank wrote code to ignore overdrafts in his bank account. Discovered when computer went down and account balances were processed manually.

Identity Fraud Case Study (1971)
Two competing companies with mutual customer. One company's employee obtains customer's number that he uses to call companies. Calls competitor using that number pretending to be customer and requests codes and punch cards to be sent. Discovered when company asks customer about these things and customer has no idea about it.

Denial of Service Case Study (2004)
A worm spread through email and Kazaa P2P File Sharing platform. Looked like a genuine error message. When opened created a denial-of-service attack on

Password Sniffing Case Study (1978)
Student wrote program for "time sharing" and left on flash drive sitting out for curious students to pick up. Upon execution, program would "crash" and then ask for username and password, obtaining users' login information.

Telecommunication Fraud
First gen cell phones' user identifiers transmitted unprotected and were easy to intercept, used by hackers to make long distance calls, charged to the user

SMS Fraud
Text sent to number asking them to call back a number and they were then redirected to a long distance number and charged for it.

Attacks may exploit weak points of _____ beyond just technical weak points.
"Business model"

Security problems can rarely be ______ but they can be ______.
Eliminated, managed.

Reliability
Deals with accidental failures

Usability
Addresses problems arising from operating mistakes made by users.

Security
Security deals with intentional failures: there is at some stage a decision by a person to do something he is not supposed to do.

Protection of the assets of an organisation is the responsibility of management.

To be effective, security policies must be supported by ________. They should issue a ________.
top management, security charter

Security Charter
A crisp document explaining general rules

______________________ should be part of the general security strategy.
Security awareness programs

Not every member in an organisation has to become a security expert, but all members should know
- Why security is important for themselves and for the organisation.
- What is expected of each member.
- Which good practices they should follow.

Price paid for security should not exceed the value of the assets you want to protect.

To decide what to protect you should perform some kind of risk analysis

Assets can include
Hardware, software, Data & Information, Services & revenue, Reputation of enterprise, trust, brand name, Employees' time

Hardware (as an asset) includes:
laptops, servers, routers, PDAs, mobile phones, smart cards

Software (as an asset) includes:
applications, operating systems, database systems, source code, object code

Data & Information (as an asset) includes:
essential data for running and planning your business, design plans, digital content, data about customers, ...

Damages can include:
Disclosure of information, Modification of data, Being unable to do your job because required resources are not available, Identity spoofing (identity "theft"), Unauthorised access to services, Lost revenue, Damaged reputation, Theft of equipment, ...

Is this system secure?
Asking the wrong question. Need to be more specific about protection requirements, i.e.:
- Protect PC from virus and worm attacks?
- No unauthorized access to corporate LAN?
- Keep sensitive documents secret?
- Verify identity of partners in a business transaction?

Security policies formulate security objectives

The NIST Computer Security handbook defines computer security as
"The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources" (includes hardware, software, firmware, information/data, and telecommunications).

The CIA triad
Confidentiality, Integrity, Availability

Confidentiality (as key security concept)
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information

Integrity (as key security concept)
Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity

Availability (as key security concept)
Ensuring timely and reliable access to and use of information

Levels of Impact - Low
The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals

Levels of Impact - Moderate
The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals

Levels of Impact - High
The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals

Attacker only needs to find ________ while developers must find __________
one single weakness / all possible weaknesses

Users and system managers tend to not see the benefits of security until a failure occurs

Security requires ______________ monitoring
regular and constant

An entity that attacks, or is a threat to, a system.
Adversary (Threat Agent)

An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.
Attack

An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
Countermeasure

An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result
Risk

A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources
Security Policy

Data contained in an information system; or a service provided by a system; or a system capability;
System Resource (Asset)

A potential violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
Threat

A flaw or weakness in a system's design
vulnerability

Assets of a computer system
Hardware, Software, Data, Communication facilities and networks

Something is Corrupted (Category of vulnerability)
loss of integrity

Something is Leaky (Category of vulnerability)
loss of confidentiality

Something is Unavailable or very slow (Category of vulnerability)
loss of availability

Attack = a threat carried out

attempt to learn or make use of information from the system that does not affect system resources
Passive Attack

attempt to alter system resources or affect their operation
Active attack

initiated by an entity inside the security perimeter
Insider attack

initiated from outside the perimeter
Outsider attack

Means used to deal with security attacks
Prevent, Detect, Respond, Recover

Exposure (intentional releases of sensitive information), interception (a determined hacker can gain access to communication traffic and other data transfers between two persons or entities), interference (adversary gains information from analyzing the network traffic), intrusion (adversary gaining unauthorized access to sensitive data information)
cause unauthorized disclosure

Masquerade (an attempt by an unauthorized user to gain access to a system by posing as an authorized user), falsification (a student may alter his or her grades on a school database), and repudiation (a user denies sending or receiving data) are threat actions that cause __________ threat consequences.
Deception

Incapacitation (physical destruction of a system hardware), corruption (malicious software operates in such a way that system resources or services function in an unintended manner), obstruction (disabling communication links or altering communication control information) are threat actions that cause _____ threat consequences
Obstruction

Misappropriation (a distributed denial of service attack) and misuse (disabling or thwarting security functions of a service) are threat actions that cause ______ threat consequences
usurpation

a threat to confidentiality
Unauthorized disclosure

a threat to system integrity
Deception

a threat to availability to system integrity
disruption

a threat to system integrity
usurpation

Network Attack Surface
Vulnerabilities over an enterprise network, wide-area network, or the Internet

Software Attack Surface
Vulnerabilities in application, utility, or operating system code

Human Attack Surface
Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders

Used to analyse how an attack is executed in detail. To get a clear picture of potential threats, attack trees can be constructed.
Attack trees

Computer security strategy consists of
Security policy, Security implementation, Assurance, Evaluation

Institution
Cybersecurity
Course
Cybersecurity










Seller
richardrichy
