Security

Question 1

What is the primary goal of cybersecurity?

Answer 1

Protecting a computing asset from harm.

Question 2

What are some computer assests?

Answer 2

● Computer hardware
● Software
● Data

Question 3

What are some harms?

Answer 3

● Physical damage
● Unauthorised change, unauthorised use
● Denial of service
● Theft

Question 4

What does “harms” mean in the context of cybersecurity?

Answer 4

Any negative impact on computing assets, such as physical damage, unauthorized change or use, denial of service, or theft.
-> may not be for monetary reasons but usually some benefit to someone in causing it

Question 5

Define computer assets.

Answer 5

● Anything the computer system controls

Question 6

What are risks?

Answer 6

● What could go wrong? – a hazard
● What would be the consequences?
● What are the chances of it happening?

Question 7

How do we naively measure risk?

Answer 7

risk = expected cost x probability

Question 8

Why is the risk calculation naive?

Answer 8

Cannot always estimate cost of an incident nor the probability of it happening.

Question 9

What are the qualitive measures of risk?

Answer 9

1. negligible
2. minor
3. major
4. survivable
5. existential

Question 10

What are threats?

Answer 10

Something that tries to break system security.

Question 11

How are threats studied?

Answer 11

In a threat model.

Question 12

What do threats show?

Answer 12

The attack points of a system.

Question 13

How are threats ranked?

Answer 13

By risk.

Question 14

What is an attack in system security?

Answer 14

An attempt to exploit a threat by technical or non‑technical means.

Question 15

What is an attack vector?

Answer 15

The path or exploit used to carry out an attack.

Question 16

Example of a direct attack?

Answer 16

Stealing a password.

Question 17

Example of an indirect attack?

Answer 17

Sending a virus email that steals the password.

Question 18

What does identity mean in security?

Answer 18

Proving you are who you say you are.

Question 19

What does identity decide about information?

Answer 19

What you are allowed to see (information hiding).

Question 20

What does identity decide about actions?

Answer 20

What you are allowed to do (agency).

Question 21

What is privacy in security?

Answer 21

Only people with permission can see the information.

Question 22

What are the degrees of privacy?

Answer 22

• Not knowing what the information is.
• Not knowing it exists at all.

Question 23

Why is hidden information safer?

Answer 23

It’s hard to attack something you don’t know exists.

Question 24

What is authentication?

Answer 24

Proving a claimed identity.
Showing you are who you say you are.

Question 25

What does “Identify yourself” mean in security?

Answer 25

It is a request for authentication.

Question 26

How do countries differ in real‑life authentication?

Answer 26

Some have mandatory ID cards, others don’t. Having one is a prime target for theft though.

Question 27

What is the challenge moving from real‑world to digital authentication?

Answer 27

Digital tokens can be copied; physical tokens are harder to reproduce.

Question 28

Why is digital authentication harder?

Answer 28

No physical presence, so it’s hard to validate possession.

Question 29

What is anonymity in security?

Answer 29

Preventing identity from being linked to a person, actions, or data.

Question 30

Why might anonymity be important?

Answer 30

To allow criticism of authority, legal but controversial actions, or avoid consequences.

Question 31

How can risks of anonymity change?

Answer 31

Risks for an individual may change over time.

Question 32

What is the problem with digital footprints?

Answer 32

They tend to last forever, making anonymity harder.

Question 33

What is an agent in security?

Answer 33

The actor that does things once authenticated. This can be a person or a piece of software.

Question 34

What is agency in security?

Answer 34

The things an agent can do once authenticated.

Question 35

What is limiting agency called?

Answer 35

Access control.

Question 36

What is non‑repudiation?

Answer 36

The inability to deny that an action happened and that it was performed by some agent.

Question 37

Why is non‑repudiation important?

Answer 37

It is essential for services where actions must be committed and cannot be undone.

Question 38

Example of subtlety in non‑repudiation?

Answer 38

Paying cash (harder to prove) vs paying with a credit card (recorded, harder to deny).

Question 39

What is trust in security?

Answer 39

A combination of identity and agency.

Question 40

What questions does trust answer?

Answer 40

Should this person be allowed to perform this action? Should I believe information from this person?

Question 41

How can trust be decided?

Answer 41

Based on an agent’s prior actions, not just fixed rules.

Question 42

Does trust work in anonymous situations?

Answer 42

Yes as users can be “up‑voted” and allowed to do more.

Question 43

Why must trust be monitored?

Answer 43

To detect abuse and revoke trust before harm happens.

Question 44

What is a vulnerability in security?

Answer 44

An aspect of a system that provides a way for a threat. Example: An unencrypted disc drive, a router with a default password.

Question 45

What are socio‑technical vulnerabilities?

Answer 45

Weaknesses involving people and systems together.

Question 46

Example of socio‑technical vulnerability (networks)?

Answer 46

Open wireless networks for customer access.

Question 47

What are some security goals of secure communications?

Answer 47

- confidentiality - authentication of who we are talking to

Question 48

How do we do authentication in secure communications?

Answer 48

1. Authenticate once, however we want to 2. Retain and re-use the fact we did authenticate

Question 49

How do web APIs ensure authentication?

Answer 49

1. Alice authenticates using whatever mechanism 2. Server returns bearer token to Alice -> says has been authenticated 3. Everytime Alice returns to the server, she now has that token

Question 50

What is a risk associated with bearer tokens?

Answer 50

1. If another user acquires the token, they can now enter the secure server without having to authenticate.

Question 51

How do capabilities increase bearer token security?

Answer 51

1. bearer tokens now encode the exact operations that can be performed with it -> what it is capable of performing 2. Since the server can create them only, only packets with the correct signature can be used

Question 52

What are symmetric keys?

Answer 52

Alice and Bob share the same key which they use to encrypt and decrypt each other's traffic. - Fast - Efficient - Hard to manage

Question 53

How do we deal with the management issues of symmetric keys?

Answer 53

Securing a single exchange and throwing it away when we tear-down the connection. Still get the speed benefits without having to later manage. E.g. interacting with a mail server.

Question 54

What is the Diffie-Hellman key exchange (basic idea)?

Answer 54

Uses public-key ideas to exchange a non-public key. Basic idea: 1. Take a shared basis - can even be public 2. Each side adds some secret element 3. Synthesis a common secret 4. Don't disclose enough information for the common secret to be retrieved