Compromises to intellectual property:
-IP:the creation, ownership, and control of original ideas as well as the representation of those
ideas.
-Software piracy: the unauthorized duplication, installation or distribution of copyrighted
computer software, which is a violation of IP.
-Copyright protection and user registration: Digital watermarks, embedded code,
copyright codes.
Industrial espionage: the collection and analysis of information about an organization´s
business competitors, often through illegal or unethical means, to gain an unfair competitive
advantage.
Escalation of privilege: the unauthorized modification of an authorized or unauthorized
system user account to gain advanced access and control over system resources. Privilege
escalation attacks occur when a threat actor gains access to an employee’s account, bypasses
the proper authorization channel, and successfully grants themselves access to data they are
not supposed to have. When deploying these attacks threat actors are typically attempting to
exfiltrate data, disrupt business functions, or create backdoors.
Vertical privilege escalation: Vertical privilege escalation occurs when an attacker gains
access directly to an account with the intent to perform actions as that person.
Horizontal privilege escalation: Horizontal privilege escalation is a bit tricky to pull off as it
requires the attacker to gain access to the account credentials as well as elevating the
permissions.
Password attacks:
Brute force attack: the application of computing and network resources to try every possible
password combination.
Dictionary attack: is variation of the brute force attack which narrows the field by selecting
specific target accounts and using a list of commonly used passwords (the dictionary) instead
of random combinations.
Social engineering: is a mechanism to gain password information through attackers posing as
an organizations IT professional and attempting to gain access to systems information by
contacting low level employees and offering to help with their computer issues.
Forces of nature: the acts of God, they present dangerous threats that usually occur with little
warning and are beyond the control of people. For example: fire, floods, earthquakes,
landslides etc.
Human error or failure: employee mistakes can easily lead to revelation of classified data,
entry of erroneous data, accidental deletion or modification of data, storage of data in
unprotected areas, and failure protect information.
Social engineering in general: is the process of using social skills to convince people to
reveal access credentials or other valuable information to the attacker.
Phishing: a form of social engineering in which the attacker provides what appears to be a
legitimate communication (usually email), but contains hidden or embedded code that
redirects the reply to a third-party site in an effort to extract personal or confidential
information. Example: in order to ensure your account information is not made vulnerable
please visit: www.blablabla.com.
Spear phishing: any highly targeted phishing attack. DNB har opplevd slik type
svindelforsøk. Klikk på lenken fordi noen har forsøkt å komme seg inn på din konto osv.
Phishing er rett og slett forsøk på å få tak i personlig informasjon som siden kan brukes til å
svindle oss økonomisk, en form for identitetstyveri. Det dukker for eksempel opp et pop-up
på PCen din, og du blir bedt om å skrive inn dine kontoopplysninger. Disse opplysningene
blir så overført til en hacker, og ikke til den tjenermaskinen du trodde. Opplysningene kan
hackeren deretter bruke til svindel på en eller annen måte.
Pretexting: a form of social engineering in which the attacker pretends to be an authority
figure who needs information to confirm the targets identity, but the real objective is to tick
the target into revealing confidential information. Commonly performed by telephone (called
vishing).
Spoofing: a technique for gaining unauthorized access to computers using a forget or
modified identity or internet protocol (IP) address to give perception that message are coming
from a trusted host. Spoofing,: en innkommende samtale eller melding ser ut til å komme fra
et annet nummer enn det den faktisk gjør. Med andre ord: det nummeret som vises på
skjermen din er ikke det nummeret de faktisk ringer fra.
Denial of service (DoS): the attacker sends a large number of connection or information to a
target. So many requests are made that the target system becomes overloaded and cannot
respond to legitimate requests for service. The system may crash or simply become unable to
perform ordinary functions. Dos single attacker, attacking a single target.
Example: While surfing the Web, sending to a web server a malformed URL that causes the
system to consume 100 percent of the CPU.
Distributed denial of service (DDoS): is an attack in which a coordinated stream of requests
is launched against a target from many locations at the same time. In DDoS attacks, many
systems and machines are compromised and directed remotely by the attacker to participate in
the attack. Instead of one computer many connections. Det er et angrep hvor et nett av
datamaskiner brukes til å oversvømme en nettside eller annen ressurs på nett. Effekten av
dette er at man ikke får tilgang til denne siden eller ressursen. https://nettvett.no/ddos-angrep/.
Les mer her for eksempel.
Extortion: the act of an attacker or trusted insider who steals or interrupts access to
information from a computer system and demands compensation for its return or for an
agreement not to disclose the information. Den personen som angriper stjeler eller krypterer
din informasjon og den eneste måten du kan få den på er mot kompensasjon.
Sabotage or vandalism: involves a deliberate sabotage of a computer system or business, or
acts of vandalism to destroy and asset or damage the image of an organization.
Cybetterrorist: a hacker who attacks systems to conduct terrorist activities via networks or
internet pathways.
Cyberwarfare: formally sanctioned offensive operations conducted by government or state
against information or systems of another government or state.
Malware (malicious code of malicious software) : a computer software specifically
designed to perform malicious or unwanted actions.
Malware er en fellesbetegnelse for skadelige programmer som er blitt installert på
datamaskinen din, ofte uten at du har gitt tillatelse til det.
Du kan få malware hvis du har kommet til å klikke på en ukjent lenke i en e-post, har lastet
ned et ukjent program, eller har åpnet en fil fra en infisert minnepinne.
De som står bak malware kan ha forskjellige formål. Noen typer malware utspionerer
adferden din, og kan på den måten snappe opp opplysninger om bankkonto, kredittkort eller
andre opplysninger som kan utnyttes.
Andre overtar deler av datamaskinen din, og bruker den til å sende ut spam. I spesielt stygge
tilfeller bruker malware programmet til å kidnappe filene dine, og krever en løsesum for at du
får tilgang til dem igjen.
Virus,Worm,Trojan horse, Backdoor
E-mail attacks:
Mail bomb: an attack designed to overwhelm the receiver with excessive quantities of e-mail.
Spam: undesired e-mail, typically commercial advertising transmitted in bulk.
Packet sniffer: a software program, for example Wireshark) or hardware appliance that can
intercept, copy and interpret network traffic. Packet sniffers can be used both for legitimate
network management functions and for stealing information. Eksempel: En hacker tar opp
alle dataene som passerer mellom deg og den usikrede Wi-Fi-ruteren
Domain Name System (DNS) poisoning: the intentional hacking and modification of a DNS
database to redirect legitimate traffic to illegitimate internet locations.
Se den videoen her et par ganger så du skjønner:
https://www.youtube.com/watch?v=mpQZVYPuDGU
Pharming: The redirection of legitimate user Web traffic to illegitimate Web sites with the
intent to collect personal information.
Pharming kan pågå på flere måter, men målet er lik. Mens du skriver inn en url til et nettsted
blir du rutet til et helt annet nettsted som er helt likt det du skulle til. Uten å vite det kan alle
handlingene dine og all informasjon du etterlater hentes ut. Dette brukes av kriminelle for å få
profit på din bekostning.
Phishing vs. Pharming?
•Phishing requires the user to actively click a link or button to redirect to the illegitimate Web
site.
•Pharming attacks modify the user’s traffic without the user’s knowledge or active
participation.
Authentication: is the process of recognizing a user's identity. Authentication is the set of
methods we use to establish a claim of identity as being true.There are several methods we
can use, with each category referred to as a factor. Multifactor authentication, mutual
authentication, passwords.
Authorization: Authentication allows us to specify where the party should be allowed or
denied access, and access control enables us to manage this access at a more granular level.
Integrity: Information has integrity when it is whole, complete and uncorrupted. The
integrity of information is threatened when the information is exposed to corruption, damage,
destruction or other disruptions of its authentic state.
Confidentiality: is the keeping of another person or entity’s information private.
Confidentiality ensures that only those with the rights and privileges to access information are
able to do so. When unauthorized individuals or systems can view information, confidentiality
is breached.
Availability: Availability is also an attribute of information that is trying to protect data and
let the authorized users access to the information without interference. For example,
when the BankID users have entered their account, they expect to find the information they
need in a usable format and familiar language.
Identification: is the claim of what someone or something is. Authentication establishes
whether this claim is true.
Accountability: the fact or condition of being accountable; responsibility.
Nonrepudiation: Nonrepudiation means to ensure that a transferred message has been sent
and received by the parties claiming to have sent and received the message. Nonrepudiation is
a way to guarantee that the sender of a message cannot later deny having sent the message
and that the recipient cannot deny having received the message.
Nonrepudiation can be obtained through the use of:
digital signatures-- function as a unique identifier for an individual, much like a written
signature.
confirmation services -- the message transfer agent can create digital receipts to indicated that
messages were sent and/or received.
timestamps -- timestamps contain the date and time a document was composed and proves
that a document existed at a certain time.
Passive attack: someone casually reading sensitive information not intended for his or her
use. For example: det er en samtale mellom Bob og Thomas og en attacker is listening to the
communication between Thomas and Bob and only reading the exchanged messages.
Active attack: Someone attempts to make changes/unauthorized effect to data on the targets
computer. Med andre ord direkte angrep på filene til Bob for eksempel. Endrer for eksempel
på data.
Indirect attack:a hacker compromising a system using it to attack other systems, for
example, as part of a robot network. Sjekk lecture 1.
Access control models:
Discretionary access control (DAC): The owner of the resource can decide who does and
does not have access, and exactly what they are allowed to have access to, and what they can
do. (read,write,execute).
Mandatory access control (MAC): is a type of access control in which only the
administrator manages the access controls. The administrator defines the usage and access
policy, which cannot be modified or changed by users, and the policy will indicate who has
access to which programs and files. MAC is most often used in systems where priority is
placed on confidentiality.
Role-based access control (RBAC): restricts network access based on a person's role within
an organization and has become one of the main methods for advanced access control.
Employees are only allowed to access the information necessary to effectively perform their
job duties.
Attribute based access control (ABAC): is logically, based on attributes of a particular
person, of a resource or of an environment. A very common example can be seen in the use of
a Captcha that is used to control access, based on whether the party on the other end can pass
a test that is, in theory, too difficult for a machine to complete , thus proving the party to be
human. Sånn der skriv disse ordene for å bevies at du ikke er robot opplegg.
Bell LaPadula Confidentiality model: Ensures the confidentiality of the modeled system by
using MACs, data classification and security clearances. It is a model of computer security
that focuses on mandatory and discretionary access control. The first goal of the Bell-La
Padula security model is to prevent users from gaining access to information above their
security clearance. Clearance: how trusted are you to have access to sensitive
information.
No read up! Altså er du unclassified så kan du ikke lese top secret data eller secret data. Du
kan lese confidential og unclassified.
No write down! Er du en top secret eller secret user så kan du ikke endre på eller skrive på
dataen som er i de to nederste levelene. Bare dine to, top secret og secret.
Biba Integrity Model: is primarily concerned with protecting the integrity of data, even at
the expense of confidentiality. Biba has two security rules that are the exact reverse of those
that are discussed in the BellLaPadula model. The Biba Integrity Model is a hierarchical
security model designed to protect system assets (or objects) from unauthorized modification;
which is to say it is designed to protect system integrity.
De på høyre level burde ikke LESE lav intergrity data. No read down.
De på lav level kan ikke SKRIVE på høy integrity data. No write up.
The McCumber Cube:
Desired Goals:
Confidentiality
Integrity
Availability
States of information:
Transmission
Storage
Processing
Counter measures:
Technology
Policy and practices
Awareness, training, education/people
Network security:
TCP (Transmission Control Protocol) is a standard that defines how to establish and
maintain a network conversation through which application programs can exchange data. TCP
works with the Internet Protocol (IP), which defines how computers send packets of data to
each other. Together, TCP and IP are the basic rules defining the Internet.
OSI (Open systems Interconnection): is a conceptual framework for how applications
communicate over network. There are 7 layers, help user to identify what is happening within
a networking system.
Se video: https://www.youtube.com/watch?v=Ilk7UXzV_Qc
Network security threats:
Cross-site Scripting or (XSS):occurs when an application running on a Web server gathers
data from a user in order to steal from it.
•
Allows an attacker inject a malicious script into a page URL (non-persistent) or into a
website (persistent).
•
Non-persistent XSS involves social engineering to trick the victim to click on the
URL.
•
Allows the attacker to acquire valuable information, such as account credentials,
account numbers, or other critical data.
Non persistent XSS:
Improper File Access: If an attacker changes the expected location of a file by intercepting
and modifying a program code call, the attacker can force a program to use files other that the
ones the program is supposed to use.
Example: A hacker did manipulate *.ACE archives “An old WinRAR-supported archiving
format” so that when a user does extract it to a certain path, it automatically extracts malware
files to a special system folder where they are automatically executed causing computer to
misbehave and user data privacy exposure.
SQL injection: occurs when developers fail to properly validate user input using it to query a
relational database. Syntax 1=1.
A developer’s best-practice towards preventing such attack is to use proper validation
methods for the application input fields, where he can eliminate the probability of passing
special characters that enables an attacker to inject evil commands into those input fields.
For example, allowing employees to use their personal USB flash drives without restriction
on a company’s PCs could be a huge security threat due to so many reasons like unintentional
virus infection or intentional attack via a compromised employee that helps an attacker inject
malware.
Packet sniffing: is done by using programs or hardware called packet sniffers to gather all
the network traffic. Packet sniffers can thus be views as devices that plug into the network via
a compters interface card. They capture the binary data on the network and translate it into
human readable form.
IP address spoofing: is used by hackers to hide their identity and to gain access by exploiting
trust between host systems.
•
The attacker forges the source IP address information in every IP packet with a
different address to make it appear that the packet was sent by a different computer.
•
It is mainly used to defeat network security and firewall rules that rely on IP-addressbased authentication and access control.
•
By changing the source IP address information in the packets, the hacker remains
anonymous and the target machine is incapable of correctly determining the identity of
the attacker.
•
To protect our networks and network resources against the array of threats we might
face, we can add security in the form of:
– Network design to make our networks more secure and resistant to attacks.
– Implementing devices at the borders of, and within, our networks to increase
the security level, such as firewalls and intrusion detection systems (IDSes).
•
Firewalls:
– A firewall is a mechanism for maintaining control over the traffic that flows
into and out of our network(s) - blocking or allowing traffic based on IP
address or used protocol.
– A firewall is placed in a network where we see the level of trust change.
– We might see a firewall on the border between our internal network and the
Internet
– We may also see a firewall put in place on our internal network to prevent
network traffic of a sensitive nature from being accessed by those that have no
reason to do so.
•
Packet filtering firewalls: look at the contents of each packet in the traffic
individually and make a gross determination, based on the source and destination IP
addresses, the port number, and the protocol being used, of whether the traffic will be
allowed to pass.
– Prone to attacks due to analyzing packets individually
•
Stateful packet inspection firewalls: a stateful firewall is able to watch the traffic
over a given connection, generally defined by the source and destination IP addresses,
the ports being used, and the already existing network traffic.
– This type of firewall can identify and track the traffic related to a particular
user-initiated connection to a Website, and knows when the connection has
been closed and further traffic should not legitimately be present.
•
Deep packet inspection firewalls: are capable of analyzing the actual content of the
traffic that is flowing through them.
– They reassemble the contents of the traffic to look at what will be delivered to
the application for which it is ultimately destined.
DMZs: demilitarized zone is a combination of a network design feature and a protective
device such as a firewall.
Benchmarking: Benchmarking is the process of seeking out and studying the practices used
in other organizations that produce results you would like to duplicate in your organization.
An organization typically benchmarks itself against other institutions by selecting a measure
upon which to base the comparison. The organization then measures the difference between
the way it conducts business and the way the other organizations conduct business.
Metrics based measures: are comparisons based on numerical standards. An organization
uses numerical standards like these to rank itself against competing organizations with a
similar size or market to its own and then determines how it measures up to the competitors.
Process based measures: Have less focus on numbers and are more strategic than metricsbased measures. Organizations must make sure they have met a reasonable level of security
across the board, protecting all information, before beginning to improve individual areas to
reach a higher standard, such as best practices or recommended practices.
The GDPR apples to anyone processing the personal data of individuals located within the
EU.
To process personal data the gdpr requires organizations to embitter propriate technical and
organizational measures, which include data protection safeguards such as anonymization and
pseudominyazation.
When the likelihood of reidentification is small, the anonymization is successful and gdpr
does not apply.
Pseudonymization is a method to substitute identifiable data with a reversible, consistent
value. Pseudonymisation’ means the processing of personal data in such a manner that the
personal data can no longer be attributed to a specific data subject without the use of
additional information, provided that such additional information is kept separately and is
subject to technical and organisational measures to ensure that the personal data are not
attributed to an identified or identifiable natural person
Anonymization is the destruction of the identifiable data.
Data protection standards are becoming increasingly high, and companies face a more
complex task to evaluate whether their data processing activities are legally compliant,
especially in an international context.
In this context, the European Union (EU) adopted the General Data Protection Regulation
(GDPR) to further harmonize the rules for data protection within the EU Member States and
to raise the level of privacy for the affected individuals.
1. Confidentiality, Integrity, and Availability are the main security requirements
that must be ensured to secure the operations of organizations and the services
they provide to their users. Each of these three are exposed to difference types of
threats and there are different types of controls to secure them.
A.
Describe each of these three requirements.
Confidentiality: is the protection of personal and private information. Confidentiality ensures
that only those with the rights and privileges to access information are able to do so. When
unauthorized individuals or systems can view information, confidentiality is breached.
Integrity: refers to the accuracy and trustworthiness of information. Information has integrity
when it is whole, complete and uncorrupted. The integrity of information is threatened when
the information is exposed to corruption, damage, destruction or other disruptions of its
authentic state.
Availability: ensures that the information is available and accessible by authorized individuals
when needed.
B.
Provide an example of each requirement from any domain area, for example
(healthcare, e-commerce, etc.)
Example of confidentiality: Patient confidentiality is one of the most important pillars in the
healthcare system. Personal and medical information should only be available for authorized
personnel and not disclosed to anyone unless they have the permission. If a hacker breaches
the system of for example Rikshospitalet, it might not have an impact on the patient safety but
since an unauthorized person have the access to their personal information the confidentiality
is breached.
Example of integrity: Banks have integrity as their highest priority. They are mainly
concerned about the integrity of financial information. If an unauthorized individual makes
any change in financial records, it leads to issues in the accuracy, consistency and value of the
information. Some bank account holders or depositors leave ATM receipts unchecked and
hanging around after withdrawing cash.
Example of availability: Internet and e-commerce businesses rely on having their websites
available at all times. If their site is down, then the availability has been affected.
C.
Give an example threat to each of the three and at least one control mechanism
or security model that can prevent threats from happening.
Attackers can use many methods to compromise confidentiality:
– Packet sniffing
– Password attack
– Phishing and pharming
– Social engineering
– Bell LaPadula Confidentiality model can prevent threaths from happening.
Data integrity may be compromised through:
– Human error, whether malicious or unintentional.
– Transfer errors, including unintended alterations or data compromise during
transfer from one device to another.
– Bugs, viruses/malware, hacking, and other cyber threats.
– Biba Integrity Model
Attackers can use these methods to compromise availability:
– Denial of Service
– Distributed Denial of Service attacks
2. McCumber cube is one good way to provide a graphical representation of the
architectural approach used in computer and information security. Describe its
structure and provide three examples of three different elements of the cube.
The McCumber Cube is a framework, which is a tool for guiding the process of setting up
and assessing information security programs. The McCumber Cube brings together
desired goals (confidentiality, integrity, and availability), information states (storage,
transmission, and processing), and safeguards (policies, education and technology).
Example 1: Integrity-technology-storage. the intersection between the technology,
integrity and storage areas requires a control or safeguard that addresses the need to use
technology to protect integrity of information while in storage.
Example 2: Confidentiality-policy-processing. To issue the rules for keeping access
restricted to authorized viewers while information is been processed.
Example 3: Availability-education-transmission. An example of protecting the availability
of class information that is being transmitted by means of education could be
accomplished by teaching the students to remain quiet in the classroom so that all can hear
the information
3. What methods does a social engineering hacker use to gain information about a
user's login ID and password? how would this method differ if it targeted an
administrator's assistant versus a data-entry clerk?
Social engineering in general: is the process of using social skills to convince people to
reveal access credentials or other valuable information to the attacker.
Phishing: a form of social engineering in which the attacker provides what appears to be a
legitimate communication (usually email), but contains hidden or embedded code that
redirects the reply to a third-party site in an effort to extract personal or confidential
information. Example: in order to ensure your account information is not made vulnerable
please visit: www.blablabla.com.
Spear phishing: any highly targeted phishing attack. DNB har opplevd slik type
svindelforsøk. Klikk på lenken fordi noen har forsøkt å komme seg inn på din konto osv.
A social engineering hacker uses many different methods to gain information. Sometimes the
attacker calls the targeted organization to get small bits of information that add up to a large
amount of useful data, like leading officers names, how they look there schedules. This all
helps the attacker because he knows when to infiltrate and what to say to get information.
The attacker chooses his targets well when using social engineering. You don’t want to pick a
target like the assistant to an administrator one who might know all the higher up figures and
the new employees. They usually target lower clerks that have some clearance and that
wouldn’t think otherwise of giving out the information
4. Why are employees one of the greatest threats to information security? Provide
examples for your justifications.
Employees constitute one of the greatest threats to information
security because employee mistakes can lead to the revelation of classified data, entry of
erroneous data, accidental deletion or modification of data, the storage of data in unprotected
areas, or they could fail to follow procedures to protect data
Human error or failure: employee mistakes can easily lead to revelation of classified data,
entry of erroneous data, accidental deletion or modification of data, storage of data in
unprotected areas, and failure protect information.
5. Describe the various types of firewalls and discuss with examples when each type
can be used.
A firewall is a network security system for maintaing control over the traffic that flows into
and out of our network(s). Blocking or allowing traffic based on IP address or used protocol.
A firewall establishes a barrier between an internal network that is trusted and an untrusted
external network.
There are various types of firewalls:
A Packet filtering firewalls
A Packet filtering firewalls examines each packet in the traffic individually and makes
processing decision on whether the traffic will be allowed to pass or not, based on the source
and destination Internet Protocol (IP) addresses, protocols and port number. Packet-filtering
firewalls operate at the network layer (Layer 3) of the OSI model. One of the biggest
weaknesses of packet filtering is that it pretty much trusts that the packets themselves are
telling the truth when they say who they’re from and who they’re going to. Hackers exploit
this weakness by using a hacking technique called IP spoofing, in which they insert fake IP
addresses in packets that they send to your network.
A Stateful packet inspection firewalls:
Stateful packet inspection firewalls (generally referred to as stateful firewalls) function on the
same general principle as packet filtering firewalls, but they are able to watch the traffic over
a given connection, generally defined by the source and destination IP addresses, the ports
being used, and the already existing network traffic. The stateful packet filter still operates at
the network layer of the OSI model, although some may extend into the transport layer (layer
4) to collect state information.
Deep packet inspection firewalls: are capable of analyzing the actual content of the traffic
that is flowing through them. Deep packet inspection is able to check the contents of these
packets and then figure out where it came from, such as the service or application that sent it.
Deep packet inspection evaluates the contents of a packet that is going through a checkpoint.
DPI-enabled devices have the ability to look at Layer 2 and beyond Layer 3 of the OSI model.
Proxy servers: are a specialized variant of a firewall that provide security and performance
features, generally for a particular application, such as mail or web browsing. A proxy server
is a piece of software that works at the Application layer of the OSI model to increase the
security of a network.
6. In October 2016, an attack targeted the Dyn (an Internet performance
management company); the attack is considered to be the largest of its kind in
the history. The source of the attack is said to be Mirai botnet, which is made up
of Internet of things and involved 100,000 devices flooded the Dyn’s DNS and
caused the several sites to be down (for example: Twitter, the Guardian, Netflix,
Reddit, CNN and many others) in Europe and the US.
A. What is the type of attack that is most relevant to the case, DoS, DDoS, or
DNS poisoning? And why?
DDoS is an attack in which a coordinated stream of requests is launched against a target from
many locations at the same time. In DDoS attacks, many systems and machines are
compromised and directed remotely by the attacker to participate in the attack. Instead of one
computer many connections. Det er et angrep hvor et nett av datamaskiner brukes til å
oversvømme en nettside eller annen ressurs på nett. Effekten av dette er at man ikke får
tilgang til denne siden eller ressursen. https://nettvett.no/ddos-angrep/. Les mer her for
eksempel.
In a DDos attack the hacker overloads the system by flooding it with multiple requests- with
the aim of exceeding the websites capacity. The attack prevents users from accessing the
website.
B. What technical controls should the Dyn apply to avoid similar attacks?
Install protection tools. Make sure you have appropriate protection tools installed for both
your networks and your applications. This includes such key tools as firewalls, network
monitoring software, anti-virus and anti-malware programs, as well as threat monitoring
systems. With these, you can monitor your network baseline traffic and set up alerts for
behavior that is out of the ordinary.
Whitman, Michael E., and Herbert J. Mattord. Principles of information security. Cengage
Learning, 2017 (6th Edition).
7. In January 2018, advanced hackers had breached the systems of Norway’s
Health South East RHF, with nearly three million patients’ data potentially
compromised as a result. It was said that the breach has not had any impact on
patient safety, and the compromised data could be used for cyberespionage
(source: the inquirer). What security requirement has been affected by this
incident?
A. Which element(s) of the CIA triad may have been broken in the RHF case? And
why?
Mainly confidentiality
Can also affect the integrity, men ikke i like stor grad som confidentiality.
B. What would be the potential risks resulting from the incident happened to RHF?
Stor risiko for at informasjon som ikke skulle være tilgjengelig for offentligheten kommer i
hender av en person som ikke skal ha tilgang til slik informasjon.
8. Classify each of the following occurrences as an incident or disaster and which
elements of the CIA triad apply is broken in each occurrence.
A hacker gets into the network and deletes files from a server.
Intentional threat. Incident. Confidentiality is breached because unauthorized individuals or
systems can view information.
A tornado hits a local power company, and the company will be without power for three
to five days.
Disaster. Forces of nature: the acts of God, they present dangerous threats that usually occur
with little warning and are beyond the control of people. For example: fire, floods,
earthquakes, landslides etc. A disaster may be brief or long lasting, anticipated or unexpected,
man-made or the result of natural forces.
Availability means that network, system and applications are up and running. It means that
authorized users have access to resources when they are needed. In this case, the company
won’t have the access that is need for over three days.
9. If we are using an identity card as the basis for our authentication scheme.
A.What steps might we add to the process in order to allow us to move to multifactor
authentication?
Multi-factor authentication (sometimes referred to as two-factor authentication) combines two
or more independent credentials: what the user knows the password, what the user has
security token, and what the user is biometric verification. The goal of multi-factor
authentication is to create a layered defense and make it more difficult for an unauthorized
person to access a target such as a physical location, computing device, network, or database.
If one factor is compromised or broken, the attacker still has at least one more barrier to
breach before successfully breaking into the target.
Can add:
Password as a step
Further, kan de evt benytte seg av for eksempel hardware token or a card. Et nytt passord eller
kode på en separat device. Dette er en metode bankene benytter.
I andre tilfeller kan man også benytte seg av biometric verification, atlså what the user is.
B. Why an identity card alone might not make an ideal method of authentication?
Falsified identity card can be used by criminals and terrorists for a variety illegal tasks.
Can also be stolen.
10. If we are developing a multifactor authentication system for an environment,
where we might find larger-than-average numbers of disabled or injured users,
such as a hospital.
a.Which authentication factors might we want to use? And why?
Finger print everyone on this universe has unique finger print that no one else have. Also it
doesn't require for disabled or injured users carry identification card.
C. Which authentication factors might we want to avoid? And why?
11. Organizations differ from each other in their security requirements, assuming
there are three organization (a banks, Coca Cola, and stock market (or Borsa)):
a. Discuss the most important security requirements for each organization.
b. Do you think there is a security requirement that is common across the three
organizations? And why?
12. There are two approaches for an organization to evaluate its security, either
internal evaluation of risks or comparing its security with peer organizations
operating in the same industry. Discuss the advantages and disadvantages of each
approach, and which is better?
13. For its upcoming 20th anniversary, a private tuition service provider wants to
find out how many of its former students attended a university and, if so, what
they studied. For this purpose, the service provider collects the data of its
students from the past 20 graduation years and contacts them via email to
participate in an online survey. The survey does not contain questions on the
name, email address, graduation year or date of birth. The IP addresses of the
participants are not being recorded. Furthermore, in order to avoid the
identification of former students who graduated in more unusual study subjects,
the latter are being regrouped into study areas, such as ‘natural sciences’, ‘legal
and business studies’, ‘social and educational studies’ and ‘language and cultural
studies’.
a.Which one is used here? Anonymization or pseudonymization?
Anonymization
b.Does the GDPR apply here? And why?
No does not apply here. When the likelihood of reidentification is small, the
anonymization is successful and gdpr does not apply.
14. With the GDPR came into action, discuss how it has affected the practices of
software development lifecycle.
15. Your company is service provider based outside the EU. It provides services to
customers outside the EU. Its clients can use its services when they travel to
other countries, including countries within the EU.
The GDPR applies to:
-a company or entity which processes personal data as part of the activities of one of its
branches established in the EU, regardless of where the data is processed; or
-a company established outside the EU and is offering goods/services (paid or for free) or is
monitoring the behaviour of individuals in the EU.
a.Determine whether GDPR applies to this scenario or not.
No.
b. If GDPR applies, then justify why. If GDPR does not apply, then justify why and
explain what would make GDPR apply to the scenario.
Provided your company doesn't specifically target its services at individuals in the EU, it is
not subject to the rules of the GDPR.
16. What are the differences between a policy, a standard, and a practice?
Policies make the basis for all information security planning, design and deployment.
Policies direct how issues should be addressed and technologies should be used.
Practices: effectively explain how to comply with policy.
Standard: are more detailed then policies and describe steps to be taken for an
organization to conform the policies.
What are the three types of security policies?
Enterprise information security policy
Issue specific security policy
Systems specific security policy
Where would each be used?
What type of policy would be needed to guide use of the Web? E-mail? Office
equipment for personal use?
ISSP policy would be needed to guide the use of the web, email and use of personal use of
office equipment.
17. A medical practice stores its patient data in paper records. The paper records are
structured alphabetically based on the patients’ surnames within several filing
cabinets. There is a drawer for surnames starting with ‘A’, one for surnames
starting with ‘B’ and so forth.
Considering the above scenario, do you think GDPR applies here? if no, then justify and
if yes, then explain why GDPR applies and which articles and recitals apply to the
scenario?
Yes the GDPR applies here.
18. how do you determine when to use the IR, DR, and BC plans. Provide examples
to convey your answer.
Powerpoint 9
19. discuss the pros and cons of both top-down and bottom-up approaches to
information security. Support your answer with examples. If there is one
approach is better than the other, what would it be and why?
20. Why organizations need risk management practices? Who is responsible for risk
management in an organization? Which community of interest usually takes the
lead in information security risk management?
Powerpoint 9
http://cs3.uwsuper.edu/kwittroc/Site/ITS370CH4.html