Fundamentals of Information Security - D430 Chapter Exercises (ALL)
If the web servers in your environment are based on Microsoft's Internet Information Services (IIS) and a new worm is discovered that attacks Apache web servers, what do you not have?
A risk
Explain the difference between a vulnerability and a threat.
A threat has the potential to cause harm but can only cause harm if there is a vulnerability the threat can exploit. Without a vulnerability, the threat cannot cause harm. A vulnerability is a flaw or weakness in an asset's design, implementation, or operation and management that could be exploited by a threat. A threat is a potential for a threat agent to exploit a vulnerability. A risk is the potential for loss when the threat happens.
What is a Threat?
A threat is something that has the potential to cause harm. Threats tend to be specific to certain environments. i.e. a virus may be problematic on a Windows OS but the same virus will be unlikely to have any effect on a Linux OS.
What is a vulnerability?
A vulnerability is a weakness or hole that threats can exploit to cause you harm. Might involve a specific OS or application that you're running, the physical location of your office building, a data center that is overpopulated with servers and producing more heat than its air-conditioning system can handle, a lack of backup generators, or other factors.
What is the difference between vulnerability assessment and penetration testing?
A vulnerability scan looks for known vulnerabilities in your systems and reports potential exposures. A penetration test is designed to exploit weaknesses in the architecture of your systems.
What is the benefit of logging?
Logging enables us to view the record of what happened after it has taken place, so we can quickly take action. Also, it gives us a history of the activities that have taken place in the environment being logged.
Why does access control based on the media access control address of the systems on our network not represent strong security?
Access control based on the MAC address of a system does not represent strong security because it is very simple to locate the MAC address for the system you want. MAC addresses are not hard identifiers and usually a large part of the address can be looked up the Internet.
Why might you want to use RAID?
Advantages of RAID include the following: Improved cost-effectiveness because lower-priced disks are used in large numbers. Using multiple hard drives enables RAID to improve the performance of a single hard drive. Increased computer speed and reliability after a crash, depending on the configuration.
Given an environment containing servers that handle sensitive customer data, some of which are exposed to the internet, would you want to conduct a vulnerability assessment, a penetration test, or both? Why?
Both. It will increase our security posture as well as resisting attacks. We would want to conduct both. First, the vulnerability assessment to get an idea of what type of vulnerabilities the system has, and then penetration testing to test out the assessment's theory in a real world occasion, posing as an attack from a malicious hacker.
Define competitive counterintelligence.
Competitive intelligence is the process of gathering and analyzing information about competitors to gain insights into their strategies, strengths, weaknesses, and market positioning. It involves monitoring competitors' online presence, marketing campaigns, pricing, product offerings, and customer feedback.
How do compliance and security relate to each other?
Compliance provides the framework needed for implementing security measures that protect sensitive data and information. Security practices help organizations comply with various regulations by providing the controls and procedures necessary to protect sensitive data.
Based on the Parkerian hexad, what principles are affected if you lose a shipment of encrypted backup tapes that contain personal and payment information for your customers?
Confidentiality (someone unauthorized has this data)Integrity (your backups)Availability (you no longer have access to safe backups)Possession (obvs you don't have it anymore)Utility (payment info can be very useful to malicious threats)
If you're using an eight-character password that contains only lowercase characters, would increasing the length to ten characters represent any significant increase in strength? Why or why not?
Not really because you're not adding any complexity. Adding numbers, symbols and uppercase/lowercase characters makes the password much stronger and more complex.
If you're using an identity card as the basis for your authentication scheme, what steps might you add to the process to allow you to move to multifactor authentication?
Use two more different factors are something you know (password), something you are (Iris scan), something you have (swipe card), something you do (gait (walking) recognition), and the place you are (at a specific terminal).
Why is it important to use strong passwords?
Using a strong password is essential because it helps protect your personal and sensitive information from unauthorized access. Hackers and cybercriminals use various methods to crack weak passwords, such as dictionary attacks, brute force attacks, and social engineering.
What term might you use to describe the usefulness of data?
Utility refers to how useful the data is to you.
What would you use if you needed to send sensitive data over an untrusted network?
Virtual Private Network (VPN)
What is a substitution cipher?
A Substitution Cipher substitutes each letter in the alphabet with a different one. A substitution cipher replaces bits, characters, or blocks of information with other bits, characters, or blocks.
What part did George Washington play in the creation of operations security?
"Even minutiae should have a place in our collection, for things of a seemingly trifling nature, when enjoined with others of a more serious cast, may lead to a valuable conclusion." Which means that even small items of information, which are worthless individually, can be of great value in combination. Washington was also quoted for saying "For upon secrecy, Success depends in most Enterprizes of the kind, and for want of it, they are generally defeated." He was referring to an intelligence gathering program and the need to keep its activities secret.
What is the first law of OPSEC?
"If you don't know the threat, how do you know what to protect?" You need to know both the actual and potential threats that your critical data may face. Thus, matches with the 2ndstep of OPSEC process.
Try to decrypt this message using the information in this chapter: V qb abg srne pbzchgref. V srne gur ynpx bs gurz. --- Vfnnp Nfvzbi.
(hint: it's a caesar cipher with a 13-character shift, i.e., ROT-13; if stumped, try http://www.xarg.org/tools/caesar-cipher/). I DO NOT FEAR COMPUTERS I FEAR THE LACK OF THEM ---ISAAC ASIMOV
Name three reasons why an identity card alone might not make an ideal method of authentication.
1.) an identity card can be stolen. 2.) an identity card can be faked. 3.) an identity card information can change.
Explain how 3DES differs from DES.
3DES is simply DES used to encrypt each block three times, with three different keys.
What are some of the differences between access control lists and capabilities?
ACLs define the permissions based on a given resource, an identity, and a set of permissions, while capabilities are oriented around the use of a token that controls access.
What is the difference between a block and a stream cipher?
Block ciphers operate on a predetermined number of bits at a time. Stream ciphers operate on a single bit at a time. A block cipher takes a predetermined number of bits (or binary digits, which are either a 1 or a 0), known as a block, and encrypts that block. Blocks typically have 64bits, but they can be larger or smaller depending on the algorithm used and the various modes the algorithm can operate in. A stream cipher encrypts each bit in the plaintext message one bit at a time. You can make a block cipher act as a stream cipher by setting the block size to one bit.
How does public key cryptography work?
Asymmetric Key Cryptography (AKA Public Key Cryptography), used two keys: a public key and a private key. You use the public key to encrypt data, and anyone can access the key. You can see them included in email signatures or posted on servers that exist specifically to host public keys. Private keys, used to decrypt messages, are carefully guarded by the receiver.
ECC is classified as which type of cryptographic algorithm?
Asymmetric. Elliptic curve cryptography (ECC) is a class of cryptographic algorithms, although people sometimes refer to is as though it were a simple algorithm. Named for the type of mathematical problem on which its cryptographic functions are based, elliptic curve cryptography has several advantages over other types of algorithms.
What is the difference between verification and authentication of an identity?
Authentication is the establishment that a claim to one's identity is true, while verification is just more support for who they are claiming to be.
Which should take place first, authorization or authentication?
Authentication should take place first, because you need to confirm that who the person or system claims they are is really who they are. Until you know this information you should not be authorizing the person/system to be doing anything.
Discuss the difference between authorization and accountability.
Authorization is the process of determining exactly what an authenticated party can do. You typically implement authorization using access controls, which are the tools and systems you use to deny or allow access. To hold people accountable for their actions, you have to trace all activities in your environment back to their sources. That means you have to use identification, authentication, and authorization processes so you can know who a given event is associated with and what permissions allowed them to carry it out. Authorization is what an individual or party can do or access. Accountability is holding an individual or party accountable for an event which occurred using their access or "what they can do."
Discuss the difference between authorization and access control.
Authorization specifies what a user can do, and access control enforces what a user can do
Why might using the wireless network in a hotel with a corporate laptop be dangerous?
Avoid logging into sensitive accounts while on hotel WiFiThis is because anyone on the hotel's WiFi network could access your accounts and view sensitive information, steal your identity or gain access to other information.
Why are industry regulations, such as PCI DSS, important?
Being PCI compliant reduces data breaches, protects the data of cardholders, avoids fines, and improves brand reputation. PCI compliance is not required by law but is considered mandatory through court precedent. Noncompliance can trigger a variety of consequences, depending on the set of regulations in question. In the case of industry compliance, you may lose the privileges associated with being compliant. For instance, if you fail to comply with the PCI DSS regulations that govern processing credit card transactions and protecting associated data, you may face hefty fines or lose your merchant status and be unable to process further transactions. For a business that depends heavily on credit card transactions, such as a retail store, losing the ability to process credit cards could put them out of business. In the case of regulatory compliance, you may face even stiffer penalties, including incarceration for violating the laws in question.
How might you train users to recognize phishing email attacks?
Broadly, you should teach your users to be suspicious of anything that seems unusual, including atypical requests or emails in their inboxes and strangers in their working environments, even when these occurrences seem wrapped in a layer of normalcy. Ask people to trust but verify when faced with even the slightest doubt.
What two items are an indicator of which sets of compliance standards your company might fall under?
Industry compliance, Regulatory compliance
Why might you want to use information classification?
Information classifications help prioritize data protection efforts to increase data security and regulatory compliance. Among its benefits are improved user productivity and decision making and reduced costs by eliminating data that's not needed.
Considering the CIA triad and the Parkerian hexad, what are the advantages and disadvantages of each model?
CIA considers unauthorized access to the data. Parkerian Hexad allows more depth with the addition of possession/control, utility and authenticity.
What type of data is COPPA concerned with?
COPPA only applies to personal information collected online from children, including personal information about themselves, their parents, friends, or other persons.
Can you give three examples of physical controls that work as deterrents?
Cable Locks. Hardware Locks. Video surveillance & guards.
Can you give an example of how a living organism might constitute a threat to your equipment?
Insects and small animals that have gained access to our equipments may cause electrical shorts, interfere with cooling fans, chew on wiring, and generally wreak havoc.
Using the concept of defense in depth, what layers might you use to secure yourself against someone removing confidential data from your environment on a USB flash drive?
Data- encryptionApplication- not allowing copying of dataHost- multi-factor authenticationAll layers can use Logging and auditing as well as Pen testing and vulnerability analyses
What issues might make conducting an international information security program difficult?
Differences in laws Difference in available technology One major challenge is that certain countries do not place a high priority on protection of personal information or intellectual property Matters such as attributing attacks to a particular party or assessing the damage resulting from an attack.
Which NIST Special Publication forms the basis for FISMA and FedRAMP?
FISMA and FedRAMP have the same high-level goals of protecting government data and reducing information security risk within federal information systems. Both are also built on the foundation of NIST Special Publication 800-53A controls. Two of the most common government compliance standards are the Federal Information Security Management Act (FISMA) and the Federal Risk and Authorization Management Program (FedRAMP), which are both based on NIST SP 800-53, "Security and Privacy Controls for Information Systems and Organizations."
From where did the first formal OPSEC methodology arise?
Government/Military OPSEC was developed as a methodology during the Vietnam War when U.S. Navy Admiral Ulysses S. Grant Sharp, commander in chief of the U.S. Pacific Command, established the Purple Dragon team to find out how the enemy obtained information on military operations before those operations took place.
What set of ISO standards might be useful for an information security program?
ISO/IEC 27001, "Information technology - Security Techniques - Information security management systems - Requirements It sets out the specification for an effective ISMS (information security management system). ISO 27001's best-practice approach helps organizations manage their information security by addressing people, processes and technology.
Why is accountability important when dealing with sensitive data?
If you don't have sufficient controls in place to deter or prevent people from breaking your rules and abusing your resources, you'll end up with security disasters. i.e. The "Equifax Breach." If you have a breach, you must disclose it to those effected which could lead to loss in business and revenue. If you do not disclose it to those effected, you will face legal consequences. If you don't comply with legal requirements, however, you'll likely be discovered eventually. When that happens, you'll face greater personal, business, and legal repercussions than if you had handled the situation properly in the first place.
What is the origin of operations security?
In 1988, President Ronald Reagan signed National Security Decision Directive (NSDD) 298. This document established the National Operations Security Program and named the Director of the National Security Agency as the executive agent for inter-agency OPSEC support.
What is pretexting?
In pretexting, attackers use information they've gathered to assume the guise of a manager, customer, reporter, co-worker's family member, or other trusted person. Using a fake identity, they create believable scenarios that convince their targets to give up sensitive information or perform actions they wouldn't normally do for strangers. A form of social engineering in which one individual lies to obtain confidential data about another individual.
Which category of attack is an attack against confidentiality?
Interception attacks allow unauthorized users to access your data, applications, or environments, and they are primarily attacks against confidentiality.
Why might a compliance audit be a positive occurrence?
It can help the participating company to educate its employee, find and fix compliance issues, revisit the compliance policy to be consistent with standards
What are the differences between the MAC and DAC models of access control?
MAC (Mandatory Access Control) is a model of access control in which the owner of the resource does not get to decide who gets access to it, but instead access is decided by a group or individual who has the authority to set access on resources. DAC (Discretionary Access Control) is a model of access control based on access being determined by the owner of the resource in question.
Why shouldn't you allow employees to attach personal equipment to your organization's network?
Malware and Intellectual Property Issues. While using personal devices for remote work can be beneficial in terms of convenience and cost, it comes with inherent security risks. Some companies choose not to allow personal devices due to the risks they create, incompatibility concerns, and possible legal consequences.
Which access control model could you use to prevent users from logging into their accounts after business hours?
Mandatory access control
If you're developing a multifactor authentication system for an environment where you might find larger-than-average numbers of disabled or injured users, such as a hospital, which authentication factors might you want to use or avoid? Why?
May want to avoid fingerprints and do retina scans. It might be inconvenient if they are wearing gloves and cannot reach the authentication device.
What do you call the process in which the client authenticates to the server and the server authenticates to the client?
Mutual authentication
What are the potential impacts of being out of compliance?
Non-compliance leaves you at risk for financial losses, security breaches, license revocations, business disruptions, poor patient care, erosion of trust, and a damaged reputation.
Why might auditing your installed software be a good idea?
Organizations often audit software licenses as well. The software you use should have a license that proves you obtained it legally. If an outside agency were to audit you and found that you were running large quantities of unlicensed software, the financial penalties could be severe. It is often best if you can find and correct such matters yourself before receiving a notification from an external company.
Which tools can you use to sniff traffic on a wireless network?
Packet Sniffers
Name five items you might want to audit.
Passwords -How often they are being changed -Strength or Complexity of the password Software Licenses -License which proves software was obtained legally Internet Usage -Websites Employees are visiting -Instant Messaging -Email -File Transfers
What are six items that might be considered logical controls?
Passwords, encryption, logical access controls, firewalls, intrusion detection systems, access control lists.
What are the three major concerns for physical security, in order of importance?
People Data Equipment
What biometric factor describes how well a characteristic resists change over time?
Permanence
How is physical security important when discussing the cryptographic security of data?
Physical security keeps your employees, facilities, and assets safe from real-world threats. These threats can arise from internal or external intruders that question data security. Physical attacks can cause a safe area to break into or the invasion of a restricted area part. Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. This includes protection from fire, flood, natural disasters, burglary, theft, vandalism and terrorism.
Define tailgating. Why is it a problem?
Physical tailgating, or piggybacking, is the act of following someone through an access control point, such as secure door, instead of using the credentials, badge, or key normally needed to enter. The authorized person may let you in intentionally or accidentally.
How can you more effectively reach users in your security awareness and training efforts?
Posters Gamification Offer repeated and varied avenues for communication Make the training more interesting and produce positive results
What type of physical access control might you put in place to block access to a vehicle?
Preventative
Which category of physical control might include a lock?
Preventative
What is your primary tool for protecting people?
Preventative Controls
What is physical security's most important concern?
Protecting People
What is residual data, and why is it a concern when protecting the security of your data?
Residual data is data that remains after it has been used; not erasing or destroying it may be exposing data that we would not normally want made public.
What tool might you use to scan for devices on a network?
Scanners such as Nmap
If you have a file containing sensitive data on a Linux operating system, would setting the permissions to rw-rw-rw- cause a potential security issue? If so, which portions of the CIA triad might be affected?
Setting the permissions to rw-rw-rw- would cause a security issue. The portions of the CIA triad that would be affected would be Confidentiality, Integrity and Availability.
Why might clicking a shortened URL from a service such as bit.ly be dangerous?
Shortened URLs, such as those from bit.ly and goo.gl make it easy to type in a web address quickly, but difficult to determine where the web browser will actually take you. Criminals will use shortened URLs to direct victims to phishing sites or initiate a download of malicious software on to your device.
Explain the difference between signature and anomaly detection in IDS.
Signature-based and anomaly-based detections are the two main methods of identifying and alerting on threats. While signature-based detection is used for threats we know, anomaly-based detection is used for changes in behavior.
Why is it important not to use the same password for all your accounts?
Simply put, if a hacker were to gain access to one of your accounts, they'd be able to gain access to all of them if you were using the same password.
A key would be described as which type of authentication factor?
Something you have
What factors might you use when implementing a multifactor authentication scheme for users who are logging onto workstations that are in a secure environment and are used by more than one person?
Something you know: Password & Badge ID# or Password & Badge Scanner.
What type of cipher is a Caesar cipher?
Substitution Cipher because it substitutes each letter in the alphabet with a different one.
The Bell-LaPadula and Biba multilevel access control models both have a primary security focus. Can these two models be used together?
The Bell-LaPadula and Biba multilevel access control models can be used in conjunction because the Biba model protects integrity by ensuring that the resource can only be written by those with a high level of access and that those with a high level of access don't access a resource with a lower classification, while the Bell-LaPadula model ensures that while you're handling classified information, that you cannot read any higher that your clearance level, and can't write any classified data down to a lower level.
What does the Brewer and Nash model protect against?
The Brewer and Nash model protects against conflicts of interests, which means it protects against users from modifying data in a data set they were not authorized to use. For further explanation, a user can be authorized to view a certain amount of things, but once they try to access something that is not within their authorization, they will not be able to access it based on the Brewer and Nash model
Select one of the US laws applicable to computing covered in this chapter and summarize its main stipulations.
The Children's Internet Protection Act (CIPA) of 2000 requires schools and libraries to prevent children from accessing obscene or harmful content over the Internet. CIPA requires policies and technical protection measures to be in place to block or filter such content. -Institutions must monitor the activities of minors. -Provide education regarding appropriate online behavior. -CIPA provides cheap internet access for eligible institutions that choose to comply with these standards rather than impose penalties for noncompliance.
What is the function of the IOSS?
The Interagency OPSEC Support Staff [IOSS] carries out national-level interagency Operational Security [OPSEC] training for executives, program and project managers, and OPSEC specialists; acts as consultant to Executive departments and agencies in connection with the establishment of OPSEC programs and OPSEC surveys and analyses; and provides an OPSEC technical staff, as required, for the National Security Council [NSC].
Explain the concept of segmentation.
The concept of segmentation is taking a network and dividing it into multiple smaller networks, these networks acts as their own small network and are called subnets. It might be done to control the flow of traffic between subnets and being able to allow and disallow traffic based on variety of factors. It can also help isolate threats from spreading to the whole network. Lastly it makes monitoring network traffic easier.
Explain how the confused deputy problem could allow users to carry out activities for which they are not authorized.
The confused deputy problem allows privilege escalation to take place because when there is software with access to a resource that has a greater level of permission to access the resource than the user who is controlling the software, the user can trick the software into misusing its greater level of authority, which means the user could carry out an attack.
What is the key point of Kerckhoffs's second principle?
The enemy knows the system Kerckhoffs' surviving principle nr. 2 (of initially six design principles for military ciphers) says nothing else than that you have to look at the security of your crypto under the aspects of "the enemy knows the algorithm" and maybe even "the enemy carries the message". The system should be indecipherable in practice, if not theoretically. The system's design should not require secrecy and its compromise should not be a hassle for a correspondent. The encryption key should be memorized and recalled without notes and should be convenient to modify
What are the main differences between symmetric and asymmetric key cryptography?
The main difference is that symmetric encryption uses the same key to encrypt and decrypt data. In contrast, asymmetric encryption uses a pair of keys - a public key to encrypt data and a private key to decrypt information. Both symmetric and asymmetric algorithms provide authentication capability.
What are the three main kinds of physical security measures?
The physical security framework is made up of three main components: access control, surveillance and testing. The success of an organization's physical security program can often be attributed to how well each of these components is implemented, improved and maintained.
Why are people the weak link in a security program?
The reason for this is that humans are fallible and make mistakes. Mistakes in cyber security can have disastrous consequences, as we have seen with high-profile data breaches in recent years. Humans are also the easiest target for cybercriminals.
Describe nonrepudiation.
The term nonrepudiation refers to a situation in which an individual is unable to successfully deny that they have made a statement or taken an action, generally because we have sufficient evidence that they did it. You may be able to produce proof of the activity directly from system or network logs or recover such proof through the use of digital forensic examination of the system or devices involved. Another example is when a system digitally signs every email that is sent from it, making it impossible for someone to deny the fact that the email came from that system.
When you have cycled through the entire operations security process, are you finished?
This is an iterative process, and you'll likely need to repeat the cycle more than once to fully mitigate any issues. Each time you go through the cycle, you take into account the knowledge and experience you gained from your previous mitigation efforts, allowing you to adjust your solution for an even greater level of security.
How do you measure the rate at which you fail to authenticate legitimate users in a biometric system?
This is measured through two metrics the False Rejection Rate (FRR) and False Acceptance Rate (FAR). Ideally, we want the two to equal each other.
In the operations security process, what is the difference between assessing threats and assessing vulnerabilities?
Threat assessment that includes the identification and analysis of potential threats against your organization. Events are typically categorized as terrorism, criminal, natural or accidental. Vulnerability analysis is where we correlate assets and threats and define the method or methods for compromise.
When dealing with legal or regulatory issues, why do you need accountability?
To ensure compliance. If you keep employees accountable and inform them that you are tracking and watching what they do or access, this leads to decreased risk in breaches and legal issues.
Why is it important to identify your critical information?
Understanding how a threat could potentially exploit vulnerabilities to compromise your personal information and learning different countermeasures to prevent it are key to ensuring critical information doesn't land in the adversary's hands.
For what might you use the tool Kismet?
We might use the tool Kismet to detect wireless devices. More specifically it is commonly used to detect wireless access points.
What impact can accountability have on the admissibility of evidence in court cases?
When you seek to introduce records into legal settings, you're more likely to have them accepted when they're produced by a regulated and consistent tracking system. For instance, if you plan to submit digital forensic evidence for use in a court case, you'll likely have to provide a solid and documented chain of custody for the evidence in order for the court to accept it. That means you need to be able to track information such as the location of the evidence over time, how exactly it passed from one person to another, and how it was protected while it was stored. Your accountability methods for evidence collection should create an unbroken chain of custody. If it doesn't, your evidence will likely only be taken as hearsay, at best, considerably weakening your case.
What are the three main types of wireless encryption?
Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access version 2 (WPA2).
Why would you use a honeypot?
You might set up a honeypot to provide an early warning system for a corporation, to discover an attacker's methods, or as an intentional target to monitor the activities of malware in the wild.
How do you know at what point you can consider your environment to be secure?
You never really can be fully sure. You conduct regular Pen tests and vulnerability assessments while encrypting your data. No single activity or action will make you sure in every situation. Defining when you're not secure is easier to explain: -Not applying security patches or application updates to your systems. -Using weak passwords such as "password" or "1234". -Downloading programs from the internet. -Opening email attachments from unknown senders. -Using wireless networks without encryption.
If you develop a new policy for your environment that requires you to use complex and automatically generated passwords that are unique to each system and are a minimum of 30 characters in length, such as "Qa4(j0nO$&xnl%2AL34ca#!Ps321$," what will be adversely impacted?
unauthorized activities
