- Write the definition (approximately) of information security according to ISO27000.
Information security is the preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
- Write the definition (approximately) of availability according to ISO27000.
Availability is the property of being accessible and usable upon demand by an authorized entity.
- Which is the most relevant threat against availability?
- Cryptanalysis
- Zero-day exploit
- SQL injection
- Phishing email
- DDoS attack
DDoS attack
- Explain authorization in a way consistent with the definition of confidentiality.
Authorization is to specify access and usage permissions for entities, roles or processes.
- State the meaning of the abbreviation ISMS
Information Security Management System.
- Explain authorization in a way consistent with the definition of confidentiality.
Authorization is to specify access and usage permissions for entities, roles or processes
- Briefly explain the term security control, and mention the three (3) general categories of security controls. Give one example security control of each category.
1 - Security controls are practical mechanisms, actions, tools or procedures that are used to provide security services.
2 - Physical controls, with relevant example
3 - Technical controls, with relevant example
4 - Administrative controls, with relevant example
- Mention the three (3) functional types of security controls. Give one example security control of each functional type.
1 - Preventive controls, with relevant example
2 - Detective controls, with relevant example
3 - Corrective controls, with relevant example
- Some well-known hash functions are:
- MD5 (Message Digest 5)
- SHA-1 (Secure Hash Algorithm 1)
- SHA-2
- SHA-3
Indicate if their exists attacks for each one of them.
MD5: Attacks exist
SHA-1: Attacks exist
SHA-2: No attacks exist
SHA-3: No attacks exist
- The SHA-2 hash algorithm can have four (4) different output block sizes. Specify three of the four output block sizes (in bits) of the SHA-2 hash algorithm.
224, 256, 384 or 512 bits
- Alice wants to send a message M together with a message authentication code MAC(M) to Bob. Alice and Bob share a secret key k, and have agreed on using a specific MAC algorithm MACfunc that takes input parameters M and k, i.e. MAC(M) = MACfunc(M, k).
Outline the steps that Alice must follow when creating MAC(M), and the steps that recipient Bob must follow for verifying MAC(M).
MAC generation by Alice:
i. Alice prepares message M.
ii. Alice applies the secure MAC algorithm MACfunc with input parameters M and k to produce MAC(M) = MACfunc(M,k).
iii. Alice transmits message M and MAC(M) to Bob, together with her unique name and specification of the MAC algorithm she used.
MAC validation by Bob:
i. Bob receives message M’ (denoted as M’, not M, because from Bob’s point of view the message origin is still uncertain), as well as MAC(M).
ii. Bob applies MACfunc on M’ to produce MAC(M’ ) = MACfunc(M’,k).
iii. Bob checks whether MAC(M) =? MAC(M’). If TRUE, then MAC(M) is valid, meaning that M’ = M. Bob therefore is convinced that Alice sent message M. If FALSE, then the signature MAC(M) is invalid, meaning that M’ ≠ M. Bob therefore does not know who created the received message M’. He might then decide to reject the message, or use it knowing that its
- What is the purpose of sending a message with a MAC ?
i) Any third party can authenticate the message origin.
ii) It provides non-repudiation of message origin.
iii) The recipient can authenticate the message origin.
iv) It protects the message confidentiality.
iii) The recipient can authenticate the message origin
- “A trusted system or component is one that can break your security policy”.
Briefly explain the meaning of this proposition ?
If the system is trusted, then it is relied upon to enforce the security policy. So the security policy will be broken when the trusted system does not work as expected. A non-trusted system on the other hand is not relied upon to enforce the security policy, so when it breaks it does not lead to a breach of security policy.
- TPM (Trusted Platform Module) is a hardware chip which supports three (3) main security services on computing platforms.
List these three main TPM-supported services:
- Authenticated/measured boot
- Sealed Storage / Encryption
- Remote attestation
- Specify four elements that are relevant to include in the IR (Incident Response) policy.
i) List of potential threat agents. ii) Chain of escalation
iii) Security awareness guidelines.
iv) List of known security vulnerabilities
v) Criteria for calling the police.
vi) List of ranked security risks.
vii) Who has the responsibility to make decisions.
viii) List of systems that can be taken offline.
ii - Chain of escalation.
v - Criteria for calling the police.
vii - Who has the responsibility to make decisions.
viii - List of systems that can be taken offline.
- The type of IR (Incident Response) team depends on how it is manned (i.e. where its members come from). Mention the names and briefly describe the three (3) types of IR teams.
IR teams
- Permanent IR team, where the IR members’ principal job role is to handle security incidents
- Virtual IR team, where the IR team members have other main job roles, and are only called upon to handle security incidents whenever needed.
- Hybrid IR team, where some are permanent members, and some are virtual members.
- The activities of IR (Incident Response) can be divided into three (3) main phases. Mention the three phases, as well as one (1) specific procedure of each phase.
IR activities:
- Detection phase, with one of:
i) weed out false positive
ii) categorise event - Respond phase, with one of:
i) collect data
ii) mitigate damage
iii) isolate systems
iv) analyse and track adversary
v) report to police if necessary. - Recovery phase, with one of:
i) fix the problem
ii) improve the IR policy
iii) disclosure
- Mention and briefly describe the two types of synchronised authentication tokens, as well as one type of authentication tokens not based on synchronisation.
- Clock-synchronised tokens, where the token and server generate equal OTPs based on time from synchronised clocks as input, together with other data such as a secret key and user Id.
- Counter-synchronised tokens, where the token and server generate equal OTPs based on counter values from synchronised counters as input, together with other data such as a secret key and user Id.
- Challenge-response tokens, where the server sends a challenge (random number) to the token which returns the response computed as a function of the challenge in addition to e.g. a secret key and the user identity.
- Requirements for different AALs (Authentication Assurance Levels) are e.g. specified by the internationl standard ISO 29115 ‘Entity authentication assurance framework’ and by the Norwegian Framework for Authentication and Non-Repudiation (Rammeverk for autentisering og uavviselighet).
- How many AALs do the ISO framework and the Norwegian framework specify ?
- How many authentication factors are at least required for the highest AAL ?
- How many authentication factors are at least required for the lowest AAL ?
- 4 AALs specified in the ISO framework and the Norwegian framework
- The highest (AAL 4) requires at least two (2) authentication factors
- The lowest (AAL 1) requires at least one (1) authentication factor
- NGFW (Next Generation Firewalls) are advanced 3rd generation firewalls that support multiple functions. Select the functions that are typically supported by NGFWs.
- Deep packet inspection
- Email spam filtering
- Inspection of TLS/SSL encrypted traffic
- Intrusion detection and prevention
- Penetration testing
- Software fuzzing
- Vulnerability scanning
- X.509 certificate generation
- Deep packet inspection
- Inspection of TLS/SSL encrypted traffic
- Intrusion detection and prevention
- X.509 certificate generation
- Briefly explain how a user can know whether the TLS-encrypted traffic from a workstation in a company to a remote server on the Internet is being inspected in the company gateway firewall.
The user must view the certification path of the received server certificate, and know the difference between a Browser PKI root certificate and the internal proxy root certificate used for validation. If the certification path leads to an authentic root certificate of the Browser PKI, then there is no TLS inspection. If the certification path leads to the internal proxy root CA, then there is TLS inspection.
- Mention the meaning of the acronym OWASP, and describe what ‘OWASP Top 10’ is.
OWASP: Open Web Application Security Project 1p for: The OWASP Top 10 describes the most critical and common web application security flaws currently found in online applications.
