Lecture 1

Question 1

What is Information Security?

Answer 1

Ensure data is protected from unauthorised people, preventing them from modifying, deleting, recording etc

Question 2

What and Why is a CIA Triad needed?

Answer 2

A model to guide policies for internet security

Needed to protect data and its services

Question 3

What is Confidentiality?

Answer 3

Maintain sensitive data (such as personal data) from reaching to the wrong the wrong people

• Data Encryption
• Usernames/Password
• Biometric Verification

Question 4

What is Integrity?

Answer 4

Maintaining accurate, consistant, **trusted information. **Data cannot be changed by people who don’t have access

​**Back up copy must be stored **

Question 5

What is Availability?

Answer 5

Ensurre that information is accessible and available at the right time

Maintain hardware and repair quickly

Question 6

What are the few Computer Security Challenges?

Answer 6

1. Not simple for **novice users **
2. Potential attacks on security features
3. Additional algorithm may be needed
4. The designer will need to find > eliminate benefits > single weakness
5. Managers do not see the benefits of security > failure occurs
6. Requires regular and constant monitoring
7. Security incorportated AFTER the design is complete

Question 7

What is Attack?

Answer 7

An attempt of threat to companies to bypass security services and its policies

Question 8

What is countermeasure?

Answer 8

Is an action that reduces the threat by reporting or taking action

Question 9

What is Risk?

Answer 9

Holding a chance that a threat may lead data more vulnerable or further **harmful results **

Question 10

What is Secuity Policy?

Answer 10

Is a set of rules that is applied to organisations to protect sensitive data and resources

Question 11

What is a System Resource?

Answer 11

Data in the system provides further security to control access to resourcess

Question 12

What is a threat?

Answer 12

A potential of violating and exploiting the security which may cause harm

Question 13

What is Vulnerability?

Answer 13

A weakness in a systems design that could be exposed which can easily attack the system’s security policy

Question 14

What are the Vulnerabilities of:

Corrupted, Leaky and Unavailable (CIA)

Answer 14

1. Corrupted – Integrity
2. Leaky – Confidentiality
3. Unavailable or slow – Availability

Question 15

What are the types of threats?

Answer 15

1. Capable of exploiting vulnerabilities
2. Potential harm to an asset

Question 16

Types of Attacks

Answer 16

1. Passive – DOES NOT affect the system resources
2. Active – ATTEMPTS to change/affect the system and operation
3. Insider – Initialises an entity inside the security parameter
4. Outsider – Initialises from outside the **perimeter **

Question 17

What is Unauthorised Disclosure? What are the 4 main points?

Answer 17

Gaining access to data without permission

1. Exposure: Sensitive data can be released
2. Interception: Authorised entity has direct access to sensitive data through authorised sources
3. Inference: Unauthorised person gains access to sensitive data which is considered leaked
4. Intrusion: Gaining access to sensitive data through bypassing a **system’s security **

Question 18

What is Deception? List and define the 3 main classes

Answer 18

An event that results to an authorised entity to receive false data that may believe to be true

1. Masquerade: An attack where a system/user ‘pretends’ to be an identity of another to perform a malicious act
2. Falsification: Receiving false data
3. Repudiation: A system tricks another by denying ‘refusing to admit’ the false** act**

Question 19

What is Disruption? What are the 3 main classes?

Answer 19

prevents the correct operation from processing

1. Incapacitation: Interrupts a system by disabling a system component
2. Corruption: Changes the system operations to modify it data
3. Obstruction: A threat that interrupts the delivery of the **system service **

Question 20

What is Usurpation? List the classes

Answer 20

Controlling a system by using unauthorised entity

1. Misappropriation: Unauthorised logical or physical control of a system resource
2. Misuse: **abusing ** a system to perform a function that can be harmful to a security system

Question 21

What is a Passive threat? Give examples

Answer 21

Attempts to make use of the information but DOES NOT affect the system resources

Example: Eavesdropping/monitoring

1. Release message contents
2. Traffic analysis

Question 22

What is a Active attack? Give examples

Answer 22

• Hard to detect
• **Modifys **data stream – to PREVENT it

Examples:

1. Masquerade
2. Replay
3. Modify messages
4. DOS

Question 23

What is Countermeasures?

Answer 23

Dealing with a security attack

Can be used:

• Detect/Prevent attacks from succeeding
• Recover from attacks

Question 24

What is X.800?

Answer 24

Is a security service provided by a protocol layer of communicating open systems

Question 25

What are the 3 aspects of Computer Security Strategy?

Answer 25

* Specification/Policy * Implementation/Mechanism * Correctness/Assurance

Question 26

What is a Security Policy? What needs to be considered?

Answer 26

A **set of rules** to _regulate_ how an **organisation** provides **security services** to **protect** their **data** Factors that needs to be considered: 1. Protecting assets 2. Vulnerabilities of the system 3. Potential threats and attacks

Question 27

What security implementation should be implemented?

Answer 27

1. Prevention - Secure encryption algorithms - Prevent unauthorised access 2. Detection - Intrusion detection systems - Detect Denial of Service attacks 3. Recovery - Have back-up systems 4. Response - Upon detection, halt attack and prevent further damage