Security FA1
Familiarity/Liking
Some people have the sort of natural charisma that allows them to persuade
others to do as they request. One of the basic tools of a social engineer is
simply to be affable and likable and to present the requests they make as
completely reasonable and unobjectionable. This approach is relatively
low-risk as even if the request is refused, it is less likely to cause suspicion and
the social engineer may be able to move on to a different target without being
detected.
Consensus/social proof
The principle of consensus or social proof refers to the fact that without an
explicit instruction to behave in a certain way, many people will act just as they
think others would act. A social engineering attack can use this instinct either
to persuade the target that to refuse a request would be odd (“That’s not
something anyone else has ever said no to”) or to exploit polite behaviour. In
another example, an attacker may fool a user into believing that a malicious
website is legitimate by posting numerous fake reviews and testimonials praising
the site. The victim, believing that many different people have judged the site
acceptable, takes this as evidence of the site’s legitimacy and places their
trust in it.
Tailgating
Tailgating refers to entering a secure area without authorization by following
close behind a person who has been allowed to open a door or pass a checkpoint,
typically without that person noticing. Piggybacking is similar, but the
attacker enters the secure area with an employee’s permission. For instance, an
attacker might impersonate a member of the cleaning crew and ask an employee to
hold the door open while they bring in a cleaning cart. Alternatively,
piggybacking may be the means by which an insider threat actor lets someone in
without the entry being recorded in the building’s access log. Another
technique is to persuade someone to hold a door open using an excuse such as
“I’ve forgotten my key.”
Lunchtime attack
Most authentication methods depend on the physical security of the
workstation. If a user leaves a workstation unattended while logged on, an
attacker with physical access can simply use the already-authenticated session.
Most operating systems can be configured to activate a password-protected
screen saver (screen lock) after a defined period of no keyboard or mouse
activity, but the timeout still leaves a window of opportunity, so users should
also be trained to lock or log off the workstation whenever they leave it
unattended.
Question two
2.1) I would achieve this by dividing the controls into types according to the
goal or function of each control. Those types are:
Preventive - the control physically or logically restricts unauthorized
access. A directive can be thought of as an administrative version of a
preventive control.
Deterrent - the control may not physically or logically prevent access, but
psychologically discourages an attacker from attempting an intrusion.
Detective - the control may not prevent or deter access, but it will identify
and record any attempted or successful intrusion.
Corrective - the control responds to and fixes an incident and may also
prevent its recurrence.
Compensating - the control does not prevent the attack but restores the
function of the system through some other means, such as using a data
backup or an alternative site.
2.2)
User training (administrative control) could ensure that the media is not left
unattended on a desk and is not inserted into a computer system without
being scanned first.
Endpoint security (technical control) on the laptop could scan the media for
malware or block access to removable media automatically.
Security locks inserted into the laptop’s USB ports (physical control) could
prevent media from being attached without a key, so that an authorization
check can be performed first.
Permissions restricting Alan’s user account (technical control) could
prevent the malware from executing successfully or limit what it can do.
The use of encrypted and digitally signed media (technical control) could
prevent, or at least identify, an attempt to tamper with it.
If the laptop were compromised, intrusion detection and logging/alerting
systems (technical control) could detect the malware spreading on the
network, and an intrusion prevention system could block it.
Question three
3.1) The netstat command allows you to check the state of ports on the local
machine. Netstat can be used to check for service misconfigurations (perhaps
a host is running a web or FTP server that a user installed without
authorization). You may also be able to identify suspect remote connections to
services on the local host or from the host to remote IP addresses.
If an attempt is made to identify malware, the most useful netstat output shows
which process is listening on which port (for example, netstat -ano on Windows
or netstat -tulpn on Linux, both run with administrative privileges). An
Advanced Persistent Threat (APT) might have been able to compromise the netstat
command or the underlying OS (for example, with a rootkit) to conceal the ports
it is using, so a local scan may not be completely reliable and should be
cross-checked against a port scan from another host.
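As an added example (not part of the original answer), the following Python script parses netstat-style output and compares it against a baseline of expected listeners and internal address ranges. The sample output, the baseline dictionary EXPECTED_LISTENERS and the list INTERNAL_NETWORKS are all constructed assumptions for this illustration; on a real host the text would come from netstat (or ss, or /proc/net/tcp as a cross-check against a tampered netstat) and the baseline from the host’s build standard.

```python
import ipaddress

# Constructed sample in the layout of `netstat -tunap` on Linux; it was not
# captured from a real host. The 203.0.113.7:4444 peer and the unapproved FTP
# listener are the planted findings.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1432/vsftpd
tcp        0      0 10.0.0.5:51234          203.0.113.7:4444        ESTABLISHED 2210/python3
tcp        0      0 10.0.0.5:22             10.0.0.20:55010         ESTABLISHED 612/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      901/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           540/dhclient
"""

# Hypothetical baseline for this host: which program is expected on each
# listening port, and which address ranges count as internal.
EXPECTED_LISTENERS = {22: "sshd", 68: "dhclient", 80: "nginx", 443: "nginx"}
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); rpartition keeps IPv6 forms such as ':::80' intact."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (None if port == "*" else int(port))


def parse_netstat(text):
    """Yield one dict per socket row; UDP rows have no State column, so field counts differ."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Proto":
            continue
        proto = fields[0]
        if proto.startswith("tcp"):
            state = fields[5] if len(fields) > 5 else ""
            pid_prog = fields[6] if len(fields) > 6 else "-"
        else:
            state = ""
            pid_prog = fields[5] if len(fields) > 5 else "-"
        local_addr, local_port = split_endpoint(fields[3])
        foreign_addr, foreign_port = split_endpoint(fields[4])
        yield {
            "proto": proto,
            "local_port": local_port,
            "foreign_addr": foreign_addr,
            "foreign_port": foreign_port,
            "state": state,
            "program": pid_prog.partition("/")[2],  # '' when netstat shows '-' (no privileges)
        }


def is_internal(addr):
    """True for wildcard, loopback and baseline-internal addresses; False for a remote peer."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    if ip.is_unspecified or ip.is_loopback:
        return True
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_suspicious(text):
    """Return findings as tuples; each is a lead to confirm via the process list or a remote scan."""
    findings = []
    for sock in parse_netstat(text):
        listening = sock["state"] == "LISTEN" or (
            sock["proto"].startswith("udp") and sock["foreign_port"] is None)
        if listening:
            expected = EXPECTED_LISTENERS.get(sock["local_port"])
            if expected is None:
                findings.append(("unexpected_listener", sock["proto"],
                                 sock["local_port"], sock["program"]))
            elif expected != sock["program"]:
                findings.append(("listener_program_mismatch", sock["proto"],
                                 sock["local_port"], sock["program"]))
        elif sock["state"] == "ESTABLISHED" and not is_internal(sock["foreign_addr"]):
            peer = f'{sock["foreign_addr"]}:{sock["foreign_port"]}'
            findings.append(("external_connection", sock["proto"], peer, sock["program"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_NETSTAT):
        print(*finding)
```

Run against the sample, the script reports the unauthorized FTP listener on port 21 and the python3 process holding an established connection to an address outside the internal ranges. Both are only leads: the next step is to confirm with the process list, and, because a rootkit can hide rows from netstat, with a port scan from a second host.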
3.2) One of the most important tools when it comes to network security (both
from the perspective of an adversary and for security posture assessment)
is the protocol analyzer. This tool facilitates eavesdropping. Eavesdropping is
a valuable counterintelligence technique because it can be used to detect
hostile or malicious traffic passing over unauthorized ports or IP ranges. For
the attacker, the difficulty in performing eavesdropping lies in attaching a
sniffer to the network medium at a suitable point to obtain traffic from hosts of
interest. For the security analyst, all the contents of the network are fully
available (if enough sensors are positioned appropriately); the problem lies in
identifying suspicious traffic.
Question four
Encryption is the process of encoding information so that plaintext is
converted into ciphertext that can only be read by someone holding the right key.
Symmetric encryption is a two-way encryption algorithm in which encryption
and decryption are both performed with a single secret key.
The secret key is ultimately a sequence of bits; it may be represented as a
number, a word or a string of random characters. Alternatively, there may be two
keys or multiple subkeys, but these are easy to derive from possession of the
master key. There are two types of symmetric cipher: stream ciphers and block
ciphers.
Advantages
>With a modern algorithm (such as AES) and a properly generated key of
sufficient length, symmetric encryption is extremely secure.
>Symmetric encryption is far faster than asymmetric encryption.
>Ease of use. It only requires you to maintain and remember a single key and
only requires a single decryption step to return the data to a readable format.
>Uses fewer computer resources: single-key encryption does not require a lot of
computer resources when compared to public key encryption.
>Limits the damage of a single compromise. A different secret key is used for
communication with every different party. If a key is compromised, only the
messages between that particular pair of sender and receiver are affected.
Communications with other people are still secure.
>Provides for message authentication when the key is used to compute a message
authentication code (MAC) over the data. Note that this does not give
non-repudiation, because either holder of the shared key could have produced
the MAC.
Disadvantages
> Secure distribution and storage of the key becomes harder the more widespread
the key’s distribution needs to be.
>Need for a secure channel for secret key exchange. Sharing the secret key at
the beginning is a problem in symmetric key encryption. It has to be
exchanged in a way that ensures it remains secret.
>Too many keys. A new shared key has to be generated for communication
with every different party (a full mesh of n parties needs n(n-1)/2 keys).
This creates a problem with managing and ensuring the security of all these
keys.
>Origin and authenticity of a message cannot be proven to a third party. Since
both sender and receiver use the same key, messages cannot be verified to have
come from one particular user rather than the other. This may be a problem if
there is a dispute.
>There is more damage if the key is compromised. Should the key fall into the
hands of the wrong person, they have the power to decrypt everything protected
by it.
Asymmetric (public key) encryption uses a pair of mathematically related keys:
a public key that can be freely distributed and a private key that is kept secret.
Advantages
>Identification and verification - If you encode a known string of data with your
private key and attach it to a message, anyone who receives that message can
decode it with your public key. The encryption therefore serves as a fingerprint,
since only your private key could have encrypted the data. The standard
technique is to run the document through a hash function, a one-way
cryptographic function that produces a message digest, and then encode the
digest with your private key. This not only proves your identity to the
recipient but also shows that no one tampered with the message, since the digest
would change.
>Convenience, it solves the problem of distributing the key for encryption.
Everyone publishes their public keys and private keys are kept secret.
>Provides for message authentication: public key encryption allows the
receiver to detect if the message was altered in transit. A digitally signed
message cannot be modified without invalidating the signature.
>Provides for non-repudiation: digitally signing a message is akin to physically
signing a document. It is an acknowledgement of the message and thus the
sender cannot deny having sent it.
Disadvantages
>It involves quite a lot of computing overhead. With RSA, a single message
cannot be larger than the key modulus, so in practice the public key is used to
protect a symmetric session key rather than the bulk data.
> It is slower than other methods, such as secret-key encryption. In
secret-key encryption, a single key provides the only way to encrypt and
decrypt, simplifying and speeding up the process. In public-key encryption, the
encryption and decryption processes have to work with two different keys,
each related to each other by a complex mathematical process involving prime
>Public-key encryption has no built-in way to authenticate the key itself: no
one can be absolutely sure that a public key belongs to the person it names, so
public keys must be verified out of band or through a trusted third party such
as a certificate authority.
>Widespread security compromise is possible: if an attacker obtains a
person’s private key, every message encrypted to that person can be read and
their signature can be forged.
>Loss of a private key may be irreparable: if the private key is lost, all
messages encrypted with the matching public key can no longer be decrypted.
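The non-repudiation point made in both the symmetric and the asymmetric lists above can be shown directly. The following Python script is an added example, not part of the original answer: it authenticates the same message once with a shared-key HMAC and once with a hash-then-sign RSA signature, then checks what each scheme can and cannot prove. The shared key, the message and the RSA parameters are constructed for the illustration; the RSA part is textbook RSA with a deliberately tiny modulus and no padding, so it demonstrates the mechanism only and must not be copied into real code.

```python
import hashlib
import hmac

# ---- Symmetric message authentication: HMAC over the data with one shared key ----
# Constructed shared key; a real deployment would generate a random 32-byte secret.
SHARED_KEY = b"constructed-shared-secret-alice-bob"


def mac_tag(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key, message, tag):
    return hmac.compare_digest(mac_tag(key, message), tag)


# ---- Asymmetric signature: textbook RSA over a SHA-256 digest ----
# Toy parameters for illustration only: two Mersenne primes give a ~92-bit modulus
# and no padding is used, so this is NOT a secure signature scheme. Production code
# uses a vetted library and a standard scheme (RSA-PSS with a 2048-bit key, Ed25519).
P = 2 ** 31 - 1
Q = 2 ** 61 - 1
N = P * Q                                 # public modulus
E = 65537                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent, derived from the primes


def digest_int(message):
    """Hash the message (one-way) and reduce it into the RSA group; this is how a
    message of any length gets signed even though a raw RSA input must be < N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def rsa_sign(private_d, message):
    return pow(digest_int(message), private_d, N)


def rsa_verify(public_e, message, signature):
    return pow(signature, public_e, N) == digest_int(message)


def demo():
    msg = b"Transfer 100 credits to account 42"
    tampered = b"Transfer 900 credits to account 42"

    # Symmetric: Bob can verify Alice's tag, but Bob computes the identical tag with
    # the same key, so a third party cannot tell which of them wrote the message.
    tag_from_alice = mac_tag(SHARED_KEY, msg)
    tag_from_bob = mac_tag(SHARED_KEY, msg)

    # Asymmetric: only the holder of D can make a signature that E verifies. Someone
    # who knows only the public exponent E cannot produce a valid one.
    sig = rsa_sign(D, msg)
    forged = pow(digest_int(msg), E, N)   # Bob's attempt using the public key only

    return {
        "mac_valid": mac_verify(SHARED_KEY, msg, tag_from_alice),
        "mac_identical_from_peer": tag_from_alice == tag_from_bob,
        "mac_rejects_tamper": not mac_verify(SHARED_KEY, tampered, tag_from_alice),
        "sig_valid": rsa_verify(E, msg, sig),
        "sig_rejects_tamper": not rsa_verify(E, tampered, sig),
        "sig_rejects_forgery": not rsa_verify(E, msg, forged),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Both schemes detect tampering, but only the signature ties the message to a single party: Bob can produce Alice's HMAC tag byte for byte, whereas his best effort with the public exponent fails verification. The digest step also answers the size limitation listed under the disadvantages: the signature is computed over the fixed-size hash, not over the message itself.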
Question five
If a certificate’s private key is stolen (or lost), any data encrypted to it
cannot be recovered by the owner unless a backup of the key has been made.
Whether the key is lost or stolen, the certificate authority must be
deliberately told to revoke the certificate; it has no automatic way to know of
the compromise. To revoke a certificate, the CA (certificate authority) marks it
as revoked in its own database. It can then issue or update a Certificate
Revocation List (CRL). A CRL has the following attributes:
Publish period - the date and time on which the CRL is published. Most
CAs are set up to publish the CRL automatically.
Distribution point(s) - the location(s) to which the CRL is published.
Validity period - the period during which the CRL is considered
authoritative. This is usually a bit longer than the publish period (for
example, if the publish period was every 24 hours, the validity period might
be 25 hours).
Signature - the CRL is signed by the CA to verify its authenticity.
The publish period introduces the problem that a certificate might be revoked
but still accepted by clients because an up-to-date CRL has not been
published, or because the client is still using a cached CRL that is within its
validity period. Another problem is that the CRL Distribution Point (CDP) may not
be included as a field in the certificate. A further problem is that the browser
(or other application) may not be configured to perform CRL checking, though
this now tends to be the case only with legacy browser software.
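The timing problem described above can be made concrete with a small simulation. The following Python script is an added example (not part of the original answer) with a constructed CA that publishes every 24 hours with a 25-hour validity period, exactly the figures used above, and a client that only refetches the CRL from the distribution point once its cached copy has expired. All serial numbers and times are made up; CRL signature verification is left out so the timeline stays readable.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed timeline: times are integer hours since the CA first published.
PUBLISH_PERIOD = 24    # the CA publishes a new CRL every 24 h
VALIDITY_PERIOD = 25   # each CRL is authoritative for 25 h, slightly longer than the publish period


@dataclass(frozen=True)
class CRL:
    this_update: int            # publish time
    next_update: int            # end of the validity period
    revoked_serials: frozenset  # serial numbers the CA has marked as revoked


class CertificateAuthority:
    def __init__(self):
        self.revoked = set()
        self.published = []

    def revoke(self, serial):
        # Revocation happens only because the owner reported the compromise;
        # nothing in the system detects a stolen key by itself.
        self.revoked.add(serial)

    def publish_crl(self, now):
        crl = CRL(now, now + VALIDITY_PERIOD, frozenset(self.revoked))
        self.published.append(crl)
        return crl

    def latest_crl(self):
        return self.published[-1] if self.published else None


class RelyingParty:
    """A client that fetches from the CDP only when its cached CRL has expired."""

    def __init__(self, ca, fail_closed=True):
        self.ca = ca
        self.fail_closed = fail_closed
        self.cached: Optional[CRL] = None

    def _current_crl(self, now):
        if self.cached is None or now >= self.cached.next_update:
            latest = self.ca.latest_crl()
            if latest is not None and now < latest.next_update:
                self.cached = latest
        if self.cached is None or now >= self.cached.next_update:
            return None  # nothing authoritative is available
        return self.cached

    def accepts(self, serial, now):
        crl = self._current_crl(now)
        if crl is None:
            # No valid CRL: fail closed (reject) or fail open (accept) is a policy choice.
            return not self.fail_closed
        return serial not in crl.revoked_serials


def revocation_latency_scenario():
    """The owner reports the key stolen at t=5; see how long the cert stays accepted."""
    ca = CertificateAuthority()
    client = RelyingParty(ca)
    ca.publish_crl(0)
    results = {"t1_before_revocation": client.accepts(1001, 1)}
    ca.revoke(1001)                       # reported at t=5, CA database updated
    results["t10_revoked_but_cached_crl"] = client.accepts(1001, 10)
    ca.publish_crl(PUBLISH_PERIOD)        # t=24: the new CRL now lists 1001
    results["t24_new_crl_but_cache_valid"] = client.accepts(1001, 24)
    results["t25_cache_expired_refetch"] = client.accepts(1001, 25)
    return results


def stale_crl_scenario(fail_closed):
    """The CA misses its publish window; the only CRL expired at t=25."""
    ca = CertificateAuthority()
    ca.publish_crl(0)
    client = RelyingParty(ca, fail_closed=fail_closed)
    return client.accepts(1001, 30)


if __name__ == "__main__":
    for step, accepted in revocation_latency_scenario().items():
        print(f"{step}: accepted={accepted}")
    print("stale CRL, fail closed:", stale_crl_scenario(True))
    print("stale CRL, fail open:", stale_crl_scenario(False))
```

The certificate is still accepted at t=10 (revoked, but no new CRL yet) and even at t=24 (a new CRL exists, but the cached one is still valid), and is rejected only at t=25 once the cache expires and the client refetches. The stale-CRL scenario shows the second choice a practitioner has to make: when no valid CRL can be obtained, a fail-open client silently accepts every certificate, which is why an expired or unreachable CRL should be treated as an error rather than ignored.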
Question six
6.1) There are different ways to identify people. Those ways can be
categorized as physical (fingerprints, eye and facial recognition) or behavioural
(voice, signature and typing pattern matching). Key metrics and considerations
used to evaluate different technologies include the following:
6.2)
An authentication product is considered strong if it combines more than one
type of factor (something you know, something you have, something you are);
such a system is multifactor. A single-factor authentication system can quite
easily be compromised: a password could be written down or shared, a smart card
could be lost or stolen, and a biometric system could be subject to high error
rates or spoofing.