100% tevredenheidsgarantie Direct beschikbaar na betaling Zowel online als in PDF Je zit nergens aan vast
logo-home
Information Security | Summary | mid-term exam [UU ] €4,89   In winkelwagen

Samenvatting

Information Security | Summary | mid-term exam [UU ]

 65 keer bekeken  5 keer verkocht

This is a summary of all lectures and literature that you have to know for the UU mid-term exam of Information Security, including the introduction to information security, cyber risk management frameworks, CORAS risk analysis, cryptography, authentication and access control, web security, and unin...

[Meer zien]

Voorbeeld 4 van de 31  pagina's

  • 28 mei 2022
  • 31
  • 2021/2022
  • Samenvatting
Alle documenten voor dit vak (7)
avatar-seller
semstroop
Information security
Introduction to information security
Ransomware: malware (malicious software) that threatens to publish the victim’s personal data or
block access to it, unless a ransom (amount of money) is paid.


Security is about protecting assets (things one values; can be software, hardware, data, people, or
processes). The value of an asset is determined by the owner’s perspective, and by timing (the value
of a company’s plan decreases once it is released).

• A vulnerability is a weakness that could be exploited to cause harm to an asset
• A threat is a set of circumstances that could potentially cause harm to an asset
✓ A control is an action/device/procedure that prevents threats from exercising vulnerabilities


Two perspectives for looking at threats: (1) What bad things can happen to assets? (2) Who or what
can cause or allow those bad things to happen?


CIA triad

Three security properties of computers (a.k.a. C-I-A triad / security triad) and later added properties:
The ability of a system to (ensure that an asset can be…)

1. Availability; …used by any authorized parties
2. Integrity; …modified only by authorized parties
3. Confidentiality; …viewed only by authorized parties
4. Authentication; …confirm the identity of a sender
5. Nonrepudiation/accountability; …confirm that a sender cannot convincingly deny having sent
something
6. Auditability; …trace all actions related to a given asset


The CIA triad can be harmed by four actions:

- Interception (unauthorized party gets access to information), attack on confidentiality
- Interruption (a system is made unavailable for authorized parties), attack on availability
- Modification (changing/adding/deleting existing information), attack on integrity
- Fabrication (creating fake information to fool the system), can affect integrity



Confidentiality

- Difficulties: Who determines which parties are authorized? | To how much of certain data
can an authorized party have access? | Can an authorized party disclose data to others?
- Subject = the party (person/program/process), object = the data item, access mode = the
kind of access (read/write/execute), policy = authorization.

,Integrity

- Integrity has three particular aspects:
o Authorized actions // error detection & correction // separation & protection of
resources


Availability

- Availability entails: timely responses to requests, resources are allocated fairly, services and
systems are fault tolerant, the system/service can be used as intended
- Viewing, modifying, and using are the basic modes of access that computer security seeks to
preserve.
- Access should be small and centralized to preserve confidentiality and integrity, but a single
point of control means that a hacker can destroy availability by focusing on that single point.



Types of threats

Threats can be human or nonhuman. Human threats can be non-malicious/benign (unintentional
harm) or malicious (intentional). Malicious human threats can be random (attacker wants to cause
harm to any computer or user) or directed.

The Common Vulnerabilities & Exposures list (CVE) is a dictionary of publicly known security
vulnerabilities and exposures, and allows for evaluating the coverage of security tools and services.
The Common Vulnerability Scoring System (CVSS) provides a standard measurement system that
allows accurate and consistent scoring of vulnerability impact.

Advanced persistent threats come from organized, well financed, patient attackers. Typically the
attacks are silent, allowing the attackers to exploit the victim’s access rights over a long time.


Types of attackers

Many attackers show symptoms of Asperger syndrome (poor social skills, restlessness, exceptional
memorability, can focus on one task only).

 Originally, attackers were individuals acting with motives of fun, challenge, or revenge
 More recent attacks involve groups of people, often driven by financial gain

The novice attacker can use a crude attack, whereas the professional attacker wants a neat, robust,
and undetectable method that can deliver rewards for a long time.

 Terrorists use computers as:
o Target of attack (e.g. for attention) | method of attack | enabler of an attack (e.g. get
locations of people) | enhancer of attack (e.g. spread propaganda to trigger radicals)

,Harm

Risk management means choosing which threats to control and what resources to devote to
protection. The risk that remains uncovered by controls = residual risk.

Spending for security is based on the impact and likelihood of potential harm, both of which are
nearly impossible to measure precisely.

A malicious attacker must have each of these 3 things to ensure success: method (how → skills,
knowledge), opportunity (when → time and access), and motive (why).

Script kiddie describes someone who downloads a complete attack code package and only needs to
enter a few details to identify the target and let the script perform the attack.

Attack surface = a system’s full set of vulnerabilities, actual and potential.


Controls

Controls/countermeasures can deal with harm in several ways:

• Prevent it, by blocking the attack or closing the vulnerability – deter it, by making the attack
harder to do – deflect it, by making the target less attractive or making another target more
attractive – mitigate it, by making its impact less severe – detect it – recover

There are 3 types of controls:

1- Physical controls (locks, guards, fire extinguishers)
2- Procedural/administrative controls (laws, regulations, policies, guidelines, copyrights,
patents, contracts, agreements)
3- Technical controls (passwords, encryption, network protocols, program controls)




Vulnerability-threat control paradigm:

, Cyber-risk management frameworks

Lecture
By using CS frameworks, you go from ‘reactive measures to security incidents’ to ‘comprehensive and
proactive cyber risk management’ and ‘intercorporate cyber security at the early stages of SDLC’.
The framework below is the ISO 31000 Risk Management Process.

• Establish the context: what/who/how/where/why
• Risk assessment: risk analysis can be qualitative as
well as quantitative
• Risk treatment: select cost-effective countermeasures
• Risk monitoring and review:
→ Security Operations Centre / SOC: monitoring
users and applications, threat intelligence,
continuous vulnerability scanning, security reporting
→ Network Operations Centre / NOC: firewalls and
antivirus, Intrusion Detection System (IDS), server
monitoring
→ Computer Security Incident Response Team /
CSIRT: incidents handling and response, analysis of
security incidents

*Regularly update the risk assessment*


Risk communication:

Communicate risks to:

• Security analysis team (during risk assessment) | management CEO stuff and investors |
auditors (accountants) | regulators | people who implement the selected security controls
(software developers, system administrators, security management)



Templates for risk communications:




NIST 800-30 (table row entry) SREP

Voordelen van het kopen van samenvattingen bij Stuvia op een rij:

Verzekerd van kwaliteit door reviews

Verzekerd van kwaliteit door reviews

Stuvia-klanten hebben meer dan 700.000 samenvattingen beoordeeld. Zo weet je zeker dat je de beste documenten koopt!

Snel en makkelijk kopen

Snel en makkelijk kopen

Je betaalt supersnel en eenmalig met iDeal, creditcard of Stuvia-tegoed voor de samenvatting. Zonder lidmaatschap.

Focus op de essentie

Focus op de essentie

Samenvattingen worden geschreven voor en door anderen. Daarom zijn de samenvattingen altijd betrouwbaar en actueel. Zo kom je snel tot de kern!

Veelgestelde vragen

Wat krijg ik als ik dit document koop?

Je krijgt een PDF, die direct beschikbaar is na je aankoop. Het gekochte document is altijd, overal en oneindig toegankelijk via je profiel.

Tevredenheidsgarantie: hoe werkt dat?

Onze tevredenheidsgarantie zorgt ervoor dat je altijd een studiedocument vindt dat goed bij je past. Je vult een formulier in en onze klantenservice regelt de rest.

Van wie koop ik deze samenvatting?

Stuvia is een marktplaats, je koop dit document dus niet van ons, maar van verkoper semstroop. Stuvia faciliteert de betaling aan de verkoper.

Zit ik meteen vast aan een abonnement?

Nee, je koopt alleen deze samenvatting voor €4,89. Je zit daarna nergens aan vast.

Is Stuvia te vertrouwen?

4,6 sterren op Google & Trustpilot (+1000 reviews)

Afgelopen 30 dagen zijn er 60904 samenvattingen verkocht

Opgericht in 2010, al 14 jaar dé plek om samenvattingen te kopen

Start met verkopen
€4,89  5x  verkocht
  • (0)
  Kopen