100% satisfaction guarantee Immediately available after payment Both online and in PDF No strings attached
logo-home
Previously searched by you
Previously searched by you
logo
Information Security | Summary | mid-term exam [UU ] $5.44
Add to cart
Quickly navigate to
Preview
  2.  
  3. Universiteit Utrecht (UU)
  4.  
  5. Information Security (INFOSEC)

Summary

Information Security | Summary | mid-term exam [UU ]
 5 purchases
  • Course
  • Information Security (INFOSEC)
  • Institution
  • Universiteit Utrecht (UU)

This is a summary of all lectures and literature that you have to know for the UU mid-term exam of Information Security, including the introduction to information security, cyber risk management frameworks, CORAS risk analysis, cryptography, authentication and access control, web security, and unin...

[Show more]

Preview 4 out of 31  pages

Document information

  • May 28, 2022
  • 31
  • 2021/2022
  • Summary

Subjects

  • information security
  • infosec
  • informatiekunde
  • cryptography
  • coras
  • unintended harms
  • cybersecurity
  • cyber security

Written for

  • Universiteit Utrecht (UU)
  • Informatiekunde
  • Information Security (INFOSEC)
All documents for this subject (7)

Seller

avatar-seller
semstroop

Reviews received

Content preview

Information security
Introduction to information security
Ransomware: malware (malicious software) that threatens to publish the victim’s personal data or
block access to it, unless a ransom (amount of money) is paid.


Security is about protecting assets (things one values; can be software, hardware, data, people, or
processes). The value of an asset is determined by the owner’s perspective, and by timing (the value
of a company’s plan decreases once it is released).

• A vulnerability is a weakness that could be exploited to cause harm to an asset
• A threat is a set of circumstances that could potentially cause harm to an asset
✓ A control is an action/device/procedure that prevents threats from exercising vulnerabilities


Two perspectives for looking at threats: (1) What bad things can happen to assets? (2) Who or what
can cause or allow those bad things to happen?


CIA triad

Three security properties of computers (a.k.a. C-I-A triad / security triad) and later added properties:
The ability of a system to (ensure that an asset can be…)

1. Availability; …used by any authorized parties
2. Integrity; …modified only by authorized parties
3. Confidentiality; …viewed only by authorized parties
4. Authentication; …confirm the identity of a sender
5. Nonrepudiation/accountability; …confirm that a sender cannot convincingly deny having sent
something
6. Auditability; …trace all actions related to a given asset


The CIA triad can be harmed by four actions:

- Interception (unauthorized party gets access to information), attack on confidentiality
- Interruption (a system is made unavailable for authorized parties), attack on availability
- Modification (changing/adding/deleting existing information), attack on integrity
- Fabrication (creating fake information to fool the system), can affect integrity



Confidentiality

- Difficulties: Who determines which parties are authorized? | To how much of certain data
can an authorized party have access? | Can an authorized party disclose data to others?
- Subject = the party (person/program/process), object = the data item, access mode = the
kind of access (read/write/execute), policy = authorization.

,Integrity

- Integrity has three particular aspects:
o Authorized actions // error detection & correction // separation & protection of
resources


Availability

- Availability entails: timely responses to requests, resources are allocated fairly, services and
systems are fault tolerant, the system/service can be used as intended
- Viewing, modifying, and using are the basic modes of access that computer security seeks to
preserve.
- Access should be small and centralized to preserve confidentiality and integrity, but a single
point of control means that a hacker can destroy availability by focusing on that single point.



Types of threats

Threats can be human or nonhuman. Human threats can be non-malicious/benign (unintentional
harm) or malicious (intentional). Malicious human threats can be random (attacker wants to cause
harm to any computer or user) or directed.

The Common Vulnerabilities & Exposures list (CVE) is a dictionary of publicly known security
vulnerabilities and exposures, and allows for evaluating the coverage of security tools and services.
The Common Vulnerability Scoring System (CVSS) provides a standard measurement system that
allows accurate and consistent scoring of vulnerability impact.

Advanced persistent threats come from organized, well financed, patient attackers. Typically the
attacks are silent, allowing the attackers to exploit the victim’s access rights over a long time.


Types of attackers

Many attackers show symptoms of Asperger syndrome (poor social skills, restlessness, exceptional
memorability, can focus on one task only).

 Originally, attackers were individuals acting with motives of fun, challenge, or revenge
 More recent attacks involve groups of people, often driven by financial gain

The novice attacker can use a crude attack, whereas the professional attacker wants a neat, robust,
and undetectable method that can deliver rewards for a long time.

 Terrorists use computers as:
o Target of attack (e.g. for attention) | method of attack | enabler of an attack (e.g. get
locations of people) | enhancer of attack (e.g. spread propaganda to trigger radicals)

,Harm

Risk management means choosing which threats to control and what resources to devote to
protection. The risk that remains uncovered by controls = residual risk.

Spending for security is based on the impact and likelihood of potential harm, both of which are
nearly impossible to measure precisely.

A malicious attacker must have each of these 3 things to ensure success: method (how → skills,
knowledge), opportunity (when → time and access), and motive (why).

Script kiddie describes someone who downloads a complete attack code package and only needs to
enter a few details to identify the target and let the script perform the attack.

Attack surface = a system’s full set of vulnerabilities, actual and potential.


Controls

Controls/countermeasures can deal with harm in several ways:

• Prevent it, by blocking the attack or closing the vulnerability – deter it, by making the attack
harder to do – deflect it, by making the target less attractive or making another target more
attractive – mitigate it, by making its impact less severe – detect it – recover

There are 3 types of controls:

1- Physical controls (locks, guards, fire extinguishers)
2- Procedural/administrative controls (laws, regulations, policies, guidelines, copyrights,
patents, contracts, agreements)
3- Technical controls (passwords, encryption, network protocols, program controls)




Vulnerability-threat control paradigm:

, Cyber-risk management frameworks

Lecture
By using CS frameworks, you go from ‘reactive measures to security incidents’ to ‘comprehensive and
proactive cyber risk management’ and ‘intercorporate cyber security at the early stages of SDLC’.
The framework below is the ISO 31000 Risk Management Process.

• Establish the context: what/who/how/where/why
• Risk assessment: risk analysis can be qualitative as
well as quantitative
• Risk treatment: select cost-effective countermeasures
• Risk monitoring and review:
→ Security Operations Centre / SOC: monitoring
users and applications, threat intelligence,
continuous vulnerability scanning, security reporting
→ Network Operations Centre / NOC: firewalls and
antivirus, Intrusion Detection System (IDS), server
monitoring
→ Computer Security Incident Response Team /
CSIRT: incidents handling and response, analysis of
security incidents

*Regularly update the risk assessment*


Risk communication:

Communicate risks to:

• Security analysis team (during risk assessment) | management CEO stuff and investors |
auditors (accountants) | regulators | people who implement the selected security controls
(software developers, system administrators, security management)



Templates for risk communications:




NIST 800-30 (table row entry) SREP

The benefits of buying summaries with Stuvia:

Guaranteed quality through customer reviews

Guaranteed quality through customer reviews

Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.

Quick and easy check-out

Quick and easy check-out

You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.

Focus on what matters

Focus on what matters

Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!

Frequently asked questions

What do I get when I buy this document?

You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.

Satisfaction guarantee: how does it work?

Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.

Who am I buying these notes from?

Stuvia is a marketplace, so you are not buying this document from us, but from seller semstroop. Stuvia facilitates payment to the seller.

Will I be stuck with a subscription?

No, you only buy these notes for $5.44. You're not tied to anything after your purchase.

Can Stuvia be trusted?

4.6 stars on Google & Trustpilot (+1000 reviews)

66184 documents were sold in the last 30 days

Founded in 2010, the go-to place to buy study notes for 15 years now

Start selling
$5.44  5x  sold
  • (0)
Add to cart
Added