Eksamen 2016

Question 1

1. Write the definition (approximately) of confidentiality according to ISO27001.

Answer 1

Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Question 2

2. Security controls can be grouped into three main categories.
   Padlocks and security guards represent which category of security controls?

User authentication and data encryption represent which category of security controls?

Security policies and awareness training represent which category of security controls?

Answer 2

1. Physical security controls (padlocks and security guards).
2. Technical security controls (user authentication and data encryption).
3. Administrative controls (security policies and awareness training)

Question 3

3. Give one example of a preventive security control.
   Give one example of a detective security control.
   Give one example of a corrective security control.

Answer 3

1. Valid preventive control: encryption, authentication, awareness, padlock.
2. Valid detective control: IDS (intrusion detect.sys.) surveillance cameras.
3. Valid corrective control: backup of data & software, removal of malware.

Question 4

4. In which aspect is non-repudiation of data origin stronger than data authentication ?
   Which control/mechanism is typically used to implement non-repudiation?

Answer 4

Non-repudiation can provide proof of data authenticity to third parties. Data authentication can only prove authenticity to intended recipient of data.

Non-repudiation is implemented with digital signatures.

Question 5

5. Give the name of ISO27001.

Briefly describe what ISO27001 is about (1 sentence is enough).

Answer 5

ISO27001 = Information Security Management System.

It describes a framework setting up and managing an ISMS, i.e. establishing and operating a security program within an organisation

Question 6

6. Give the name of ISO27002.

Briefly describe what ISO27002 is about (1 sentence is enough).

Answer 6

ISO27002 = Code of practice for information security management.

It provides a checklist of security controls that organisations can consider using and implementing.

Question 7

7. 20 CSC (Critical Security Controls) is a framework which describes a set of elements for each of the 20 essential security controls.

Select two correct elements

Answer 7

Why the control is critical (specified by 20 CSC).

Effectiveness metrics (specified by 20 CSC).

Question 8

8. Which is the highest level in COBIT’s PCL (Process Capability Level) model ?

Which aspect of security governance in PCL is the most fundamental/important?

What is the basis for knowing the effectiveness of a security control?

Which PCL level requires: ”Security culture permeates the organization” ?

Answer 8

Level 5 (Optimizing) is the highest in the COBIT Process Capability Levels.

Risk assessment is the most important aspect of security governance.

Effectiveness metrics are used to determine the effectiveness of controls.

Level 5 (Optimizing) requires: ”Security culture permeates the organization”.

Question 9

10. Mention 2 typical approaches to identify relevant threat scenarios.

Answer 9

Attacker-Centric threat identification

System-Centric (aka. SW, design or architecture centric) threat identification

Asset-Centric threat identification.

Question 10

11. Briefly explain the principle for determining risk levels with a qualitative method.

Answer 10

A matrix is used to determine a qualitative level of risk as a function of qualitative levels of likelihood and impact of incident.

Question 11

12. Assume a quantitative risk model, where for a particular risk the following values are set:
    AV (Asset Value) = EUR 1,000,000

EF (Exposure Factor) = 0.2,
ARO (Annualised Rate of

Occurrence) = 0.1.

Give the SLE (Single Loss Expectancy) and the ALE (Annualised Loss Expectancy).

Answer 11

SLE = EUR 200,000

ALE = EUR 20,000

Question 12

13. Mention two (of the four) strategies for managing risk.

Answer 12

Reduce/mitigate risk (security and mitigation controls)

Share/transfer risk (outsource activity that causes risk, or insure)

Retain risk (understand tolerate potential consequences)

Avoid risk (stop activity that causes risk)

Question 13

14. What are the block size and possible key sizes in AES ?

Answer 13

Block size 128 bits.

Key sizes i) 128, ii) 192, iii) 256 bits.

Question 14

15. Select two important factors for the cryptographic strength of a cipher.

– The design randomness
– The cipher’s key size
– The cipher’s ability to hide statistical patterns in data
– The computation speed

Answer 14

The cipher’s key size

The cipher’s ability to hide statistical patterns in data

Question 15

17. The cryptoperiod (which my consist of separate protection and processing periods) limits the time a cryptographic key can be used, and mandates the key to be changed. Select the correct statement regarding cryptoperiods.

– The usage frequency of a key does not influence its cryptoperiod.
– Frequent use of a key requires longer cryptoperiod.
– Frequent use of a key requires shorter cryptoperiod.

Answer 15

Frequent use of a key requires longer cryptoperiod.

Question 16

18. Select the correct statement regarding cryptoperiods.

– High overhead for changing a key does not influence the cryptoperiod.
– High overhead for changing a key requires longer cryptoperiod.
– High overhead for changing a key requires shorter cryptoperiod.

Answer 16

High overhead for changing a key requires longer cryptoperiod.

Question 17

19. Select the correct statement regarding cryptoperiods.

– High criticality and sensitivity does not influence the key’s cryptoperiod.
– High criticality and sensitivity requires longer cryptoperiod of the key.
– High criticality and sensitivity requires shorter cryptoperiod of the key.

Answer 17

High criticality and sensitivity of the encrypted messages requires shorter cryptoperiod of the key.

Question 18

20. Select the correct statement regarding cryptoperiods.

– Fast computation of the encryption algorithm does not influence the key’s cryoptoperiod.
– Fast computation of the encryption algorithm requires longer cryoptoperiod of the key.
– Fast computation of the encryption algorithm requires shorter cryoptoperiod of the key

Answer 18

Fast computation of the encryption algorithm does not influence the key’s
cryoptoperiod.

Question 19

21. NIST SP800-57, Part 1, “Recommendation for Key Management” gives recommendations about
    cryptoperiods.

What is the latest recommended protection period time for a 1024 bit RSA key?

Answer 19

1024 bit RSA key for protection: Not allowed now.

Question 20

22. NIST SP800-57, Part 1, “Recommendation for Key Management” gives recommendations about
    cryptoperiods.

What is the latest recommended processing period time for a 1024 bit RSA key?

Answer 20

1024 bit RSA key for processing: Not allowed now (but legacy use OK).

Question 21

23. NIST SP800-57, Part 1, “Recommendation for Key Management” gives recommendations about
    cryptoperiods.

What is the latest recommended protection period time for a 2048 bit RSA key?

Answer 21

2048 bit RSA key for protection: Until 2030

Question 22

24. NIST SP800-57, Part 1, “Recommendation for Key Management” gives recommendations about
    cryptoperiods.

What is the latest recommended processing period time for a 2048 bit RSA key?

Answer 22

2048 bit RSA key for processing: Until 2030 (only legacy use after that)

Question 23

25. NIST SP800-57, Part 1, “Recommendation for Key Management” gives recommendations about
    cryptoperiods.

What is the latest recommended protection period time for a 3072 bit RSA key?

Answer 23

3072 bit RSA key for protection: After 2030

Question 24

26. NIST SP800-57, Part 1, “Recommendation for Key Management” gives recommendations about
    cryptoperiods.

What is the latest recommended processing period time for a 3072 bit RSA key? (

Answer 24

3072 bit RSA key for processing: After 2030

Question 25

29. Virtual machine architectures have implications for security. Select the correct statements about VMs and security. – Virtual machines prevent social engineering attacks. – Virtual machines are immune against computer viruses. – The OS or hypervisor can not interfere with VMs. – Malware can be executed in a VM without posing a risk for the rest of the computer. – Hackers can not hide their malware in a VM. – Malware can easily be detected in a VM. – A VM crash caused by malware can easily be analysed. – VMs running on the same physical machine are isolated/protected from each other.

Answer 25

Malware can be executed in a VM without posing a risk for the rest of thecomputer A VM crash caused by malware can easily be analysed. VMs running on the same physical machine are isolated/protected from each other.

Question 26

30. Mention two types of synchronized authentication tokens. Mention the authentication principle used by tokens not based on synchronization, and which is typically used by physical access cards.

Answer 26

Synchronised clock-based authentication tokens. Synchronised counter-based authentication tokens. Challenge-response authentication.

Question 27

31. Briefly explain the two main effects/purposes of password salting.

Answer 27

Password salting ensures that equal passwords have different hashes. Makes cracking difficult by preventing the use of pre-computed hash tables.

Question 28

33. User authentication frameworks for eGovernment typically specify 3 different classes of requirements per authentication assurance level. Mention these 3 requirement classes.

Answer 28

Authentication Method Strength requirements. Credential Management Assurance requirements. Identity Registration Assurance requirements.

Question 29

35. Briefly describe the concept of Identity Federation.

Answer 29

A set of agreements, standards and technologies that enable a group of SPs to recognise and trust user identities and credentials from different IdPs (Identity Providers), CrPs (Credential Providers) and SPs (Service Providers).

Question 30

38. DROWN is the name of an attack against TLS server software. i) What does the acronym DROWN stand for? ii) Briefly describe the nature of the DROWN vulnerability in TLS software. iii) Briefly describe the standard way of removing the DROWN vulnerability.

Answer 30

DROWN: Decrypting RSA with Obsolete and Weakened eNcryption DROWN is a cross-protocol attack that abuses weaknesses in SSLv2 combined with the secure TLS protocol. Servers that run TLS but allow SSLv2 for backwards compatibility are vulnerable to DROWN attacks. To remove DROWN vulnerabilities, update TLS server software, and disable SSLv2 (and SSLv3).

Question 31

39. TLS/SSL stripping is an attack against TLS/SSL. HSTS is a technology to protect against the TLS/SSL stripping attack. i) Briefly describe the nature of the TLS/SSL stripping attack. ii) What does the acronym HSTS stand for? iii) Briefly explain how HSTS works.

Answer 31

TLS/SSL stripping is a MitM (Man-in-the-Middle) attack, whereby a rogue (WIFI) router acts as a hidden proxy between a client and server, via a https connection to the server and a http connection to the client. The rogue router can then read, and inject data into the communication between the client and server. HSTS: HTTP Strict Transport Security. HSTS forces the browsers to only use https to servers that support HSTS. Users are not able to override the HSTS policy.

Question 32

40. How can a user know when TLS-encrypted traffic is being inspected in a firewall ?

Answer 32

The user must view the certification path of the received server certificate, and know the difference between a Browser PKIX root certificate and the internal proxy root certificate used for validation. If the certification path leads to an authentic root certificate of the Browser PKI, then there is no TLS inspection. If the certification path leads to the internal proxy root CA, the there is TLS inspection.

Question 33

41. What is OWASP Top 10 ?

Answer 33

The OWASP Top 10 is a document describing the 10 most prevalent security risks/vulnerabilities in current web application, as well as how they can be avoided.

Question 34

42. Name the nr.1 in OWASP Top 10, and explain why it is so prevalent.

Answer 34

(SQL) Injection vulnerabilities/attacks SQL injection is still nr.1 because software developers ignore how to prevent it, or because they are lazy

Question 35

43. What is specified as the first phase in Microsoft SDL (Secure Development Lifecycle)?

Answer 35

Security training is the first phase on Microsoft SDL.

Question 36

44. What do the abbreviations OpenSAMM and BSIMM stand for ?

Answer 36

OpenSAMM: Open Software Assurance Maturity Mode. BSIMM Build Security In Maturity Mode.

Question 37

45. What is the purpose of using a framework like OpenSAMM and BSIMM ?

Answer 37

They offer a framework for helping software development organisations to become better at making secure software, and a method for an organisation to assess how good (how mature) they are at doing secure software development.

Question 38

46. Mention 1 difference between OpenSAMM and BSIMM.

Answer 38

OpenSAMM - Based on experience and principles of secure software development - Enables you to evaluate yourself against best practice - Prescriptive - Sponsored by OWASP - Not commercially oriented BSIMM - Based on study of software security practices - Enables you to compare yourself against others - Descriptive - Sponsored by Cigital and FortifySoftware - Commercially oriented