
4. Security

All Past Paper Questions: https://docs.google.com/document/d/1oALN6dinPfuOl_jDXBOgfgjI-Nl3Pf8cUTlYl3GjM7g/edit?usp=sharing

Questions left out:

p3-ch3-pg15 p3-ch3-pg88

Encryption

  • how to combat cyber crime
    • protects information by scrambling it (plaintext is converted to ciphertext)
    • data cannot be understood without decrypting (which needs the key)
    • asymmetric encryption
      • has two mathematically linked keys
        • public key: available publicly
          • so, no need to send a secret key to the other party
        • private key: never shared
          • no risk of interception (it never leaves its owner)
      • used for communications + web (eg: HTTPS key exchange)
      • secure emails + text messages
    • symmetric encryption
      • to store data on disks (full-disk encryption)
      • cannot be understood if the data / device is stolen
      • protects cloud storage
      • protects data on USB devices
      • protects stored credentials: a stolen password file is unreadable without the key
        • (passwords themselves should be stored as salted hashes, not reversibly encrypted)
        • to protect personal data
        • eg: data that could otherwise be used for identity theft

Symmetric

  • description
    • same key for encryption + decryption
      • so, the key must be shared with the recipient
    • block ciphers encrypt fixed size blocks (eg: AES works on 128-bit blocks)
      • rather than operating on very large numbers (as asymmetric ciphers do)
    • keys have no special mathematical properties
      • any random bit string of the right length is a valid key (simple to generate)
  • advantages
    • fast
    • simple
    • used to encrypt disks, etc...
    • strong at modest key lengths (eg: 256-bit AES cannot be brute forced)
  • disadvantages
    • key must be shared securely
    • confidentiality of a shared key is not guaranteed (every holder can decrypt)
  • to protect data
    • advantages
      • stolen/intercepted data cannot be understood
        • without the decryption key
      • data can be sent via insecure networks (eg: public wifi)
        • no issue, since the data is scrambled
      • data remains confidential
        • can only be read by a person with the decryption key
        • eg: not by system admins who can see only the ciphertext
      • data security does not depend on the device it is stored on
    • disadvantages
      • if the key is compromised
        • data can be viewed by anyone holding it
      • hard to administer encryption keys (generation, distribution, rotation, revocation)
      • if the key is lost, the data is lost
      • needs more processing power
        • expensive (though modern CPUs have hardware AES instructions)
      • cross application incompatibility
      • IT staff need specialised training
      • a key has to be agreed with every party data is sent to
        • increases preparation time

Asymmetric

  • advantages
    • public keys can be accessed by anyone
      • so, no need to send a secret key to a specific user
    • uses a private key (known only to the user)
    • only the recipient (holder of the private key) can decrypt
    • very secure (at adequate key sizes)
    • data encrypted with one key can be decrypted with the other
      • encrypt with the public key: only the private-key holder can read it (confidentiality)
      • "encrypt" with the private key: anyone can check it with the public key (digital signature)
    • so, can transmit data securely without first sharing a secret
    • possible because the keys are mathematically linked, eg: by the RSA algorithm
    • key is large
      • eg: 1024 bits, 2048 bits
      • (1024-bit RSA is no longer considered adequate; 2048 bits is the usual minimum today)
    • keys are re-usable
    • if one private key is compromised
      • only data encrypted to that key's public key is at risk
      • data sent to others
      • is encrypted with a different public key
  • disadvantages
    • relatively slow
    • not suitable for disk encryption / bulk data
      • in practice the asymmetric key protects a random symmetric session key, which encrypts the data (hybrid encryption)
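
The hybrid arrangement the Symmetric and Asymmetric sections above describe (a fast symmetric cipher for the bulk data, the slow asymmetric key only for the session key, and "encrypt with the private key, check with the public key" as a signature), as an added example that is not part of these notes. Assumptions made for the demo: Python standard library only, so a counter-mode stream built from HMAC-SHA256 stands in for AES, and the RSA primes are two fixed Mersenne primes so the run is reproducible. Both are illustration choices (the primes are trivially recognisable, and the RSA is unpadded "textbook" RSA); real systems use random primes of at least 1024 bits each, OAEP/PSS padding and AES-GCM from a vetted library.

```python
import hashlib
import hmac
import secrets

# Fixed Mersenne primes: reproducible for the demo, NOT a safe key choice.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537  # the usual public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): public key and private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # e*d == 1 (mod phi): this is what links the two keys
    return (n, e), (n, d)


def rsa_apply(key, m):
    """Raise the integer m to the key's exponent mod n (textbook RSA, no padding)."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("integer must be smaller than the modulus")
    return pow(m, exp, n)


def stream_xor(key, nonce, data):
    """Counter-mode stream cipher with HMAC-SHA256 as the PRF; encryption and
    decryption are the same XOR.  Stand-in for AES (illustration only)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        counter = (off // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def hybrid_encrypt(pub, plaintext):
    """RSA protects only the 16-byte session key; the symmetric stream protects
    the bulk data; an HMAC tag detects any modification of the ciphertext."""
    session_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    body = stream_xor(session_key, nonce, plaintext)
    tag = hmac.new(session_key, nonce + body, hashlib.sha256).digest()
    wrapped = rsa_apply(pub, int.from_bytes(session_key, "big"))
    return {"wrapped_key": wrapped, "nonce": nonce, "body": body, "tag": tag}


def hybrid_decrypt(priv, msg):
    k = rsa_apply(priv, msg["wrapped_key"])
    if k >= 2**128:
        raise ValueError("wrong private key")
    session_key = k.to_bytes(16, "big")
    expect = hmac.new(session_key, msg["nonce"] + msg["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, msg["tag"]):  # constant-time comparison
        raise ValueError("ciphertext was modified or wrong key")
    return stream_xor(session_key, msg["nonce"], msg["body"])


def sign(priv, message):
    """Apply the private key to the message hash; anyone with the public key can check it."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(priv, digest)


def verify(pub, message, signature):
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(pub, signature) == digest


if __name__ == "__main__":
    pub, priv = make_keypair()
    packet = hybrid_encrypt(pub, b"constructed sample: pay 100 to account 42")
    print(hybrid_decrypt(priv, packet))
    print(verify(pub, b"hello", sign(priv, b"hello")))
```

The tag check runs before any decryption, so a modified ciphertext is rejected rather than decrypted into garbage, and the comparison is constant-time so the check does not leak how many tag bytes matched.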

Quantum Cryptography

  • quantum cryptography vs quantum computing (the exam answers tend to mix the two)
    • quantum cryptography: uses quantum properties of light for cryptographic tasks
      • detects interception of data
      • uses photons to carry data
        • difficult to control
      • requires pure optical fibres to transmit photons
        • undisturbed over anything but short distances
        • max: 60 km in these notes (practical range is limited to tens of km without trusted relays)
      • mathematical algorithms are still needed: QKD only agrees a key; the data is then encrypted with a conventional cipher (eg: AES or a one-time pad)
    • quantum computing: a new generation of computers
      • extremely fast calculations for certain problems
      • in theory, can break current public-key encryption (RSA, elliptic curve) very quickly (Shor's algorithm)
      • symmetric ciphers are only weakened (Grover's algorithm halves the effective key length), so longer keys (eg: AES-256) remain secure
  • used in data transfers (QKD)
    • use polarised light (photons) to encode data
    • each bit is encoded as the polarisation of one photon, in one of two bases chosen at random by the sender
    • the recipient measures each photon in a basis chosen at random
    • sender and recipient publicly compare the bases (not the bits) and keep only the positions where they matched
    • a sample of the kept bits is compared to measure the error rate
    • used to establish a shared key
    • no third party sees the key
    • key then used to create other keys / encrypt data
    • called QKD (quantum key distribution)
    • a photon's state is changed when someone else measures it (and it cannot be copied)
    • so, eavesdropping raises the error rate and is detected
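
A simulation of the QKD exchange described above (the BB84 protocol), as an added example that is not part of these notes. It models only the bases, bits and the measure-and-resend effect, not real optics: without an eavesdropper the sifted keys agree exactly, and an intercept-resend eavesdropper who must guess a basis introduces about 25% errors. The 11% abort threshold is the commonly cited BB84 limit and is an assumption of this demo.

```python
import random

# Basis 0 = rectilinear, basis 1 = diagonal.  A photon measured in the basis
# it was prepared in yields its bit; measured in the other basis it yields a
# random bit, and it is left in the measuring basis (its state is disturbed).


def measure(photon, basis, rng):
    bit, prepared_basis = photon
    return bit if basis == prepared_basis else rng.randrange(2)


def bb84(n_bits, rng, eavesdrop=False):
    """One exchange; returns (alice_sifted_key, bob_sifted_key, error_rate)."""
    alice_bits = [rng.randrange(2) for _ in range(n_bits)]
    alice_bases = [rng.randrange(2) for _ in range(n_bits)]
    bob_bases = [rng.randrange(2) for _ in range(n_bits)]
    bob_results = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = (bit, a_basis)                 # polarisation Alice sends
        if eavesdrop:
            # Eve must pick a basis; the photon she re-sends carries the
            # state she observed, which half the time is the wrong one.
            e_basis = rng.randrange(2)
            photon = (measure(photon, e_basis, rng), e_basis)
        bob_results.append(measure(photon, b_basis, rng))
    # Sifting: bases (not bits) are compared publicly; keep matching positions.
    keep = [i for i in range(n_bits) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_results[i] for i in keep]
    # Error estimation: in practice a sacrificed subset of the sifted key is
    # compared; here the whole key is compared to report the exact rate.
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    qber = errors / len(keep) if keep else 0.0
    return alice_key, bob_key, qber


def key_is_trustworthy(qber, threshold=0.11):
    """Abort above the threshold: the errors are evidence of interception."""
    return qber <= threshold


def run_demo(seed, eavesdrop=False, n_bits=4000):
    """Seeded run so the numbers are reproducible."""
    return bb84(n_bits, random.Random(seed), eavesdrop)


if __name__ == "__main__":
    for eve in (False, True):
        _, _, qber = run_demo(1, eavesdrop=eve)
        print(f"eavesdropper={eve}: error rate {qber:.3f}, "
              f"trustworthy={key_is_trustworthy(qber)}")
```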

AAA (authentication, authorization, accounting)

Authentication

  • ensure authentication

    • user id with password / PIN
    • request a random selection of characters from the PIN / memorable word
    • send OTP to user
      • enter OTP after password
      • OTP is checked by the server
      • (a one time password, generated by a security token or an authenticator app, or sent by SMS)
    • MFA (multi factor authentication)
      • using tokens
      • or a physical security key (eg: YubiKey)
    • use of security questions (weak: answers are often guessable or public)
    • use of biometric parameters
    • verify from an already logged-in device to log in
  • biometric

    • how it works? (good)
      • biometric parameter scanned into the system
      • image converted into a binary template
      • binary pattern stored in the system
      • pattern compared with existing patterns (in the database)
      • if match, access allowed
      • if not, show error
    • how it works?
      • scanner scans the biometric factor
      • software converts it to a standardised digital format
      • match points of the observed data are compared with the stored data
      • biometric data stored securely (encrypted) for comparison
      • eg: used to protect student account data
      • eg: used to authorise fund transfers
    • paying with a biometric authentication system
      • user registers for the biometric program by presenting valid identity information
      • student scans biometric parameter (finger / face / iris)
      • scanner extracts multiple point-to-point measurements and encrypts them
      • biometric data is stored in a centralised database
      • at the event
      • scans biometric parameter
      • compares data from the new scan to the stored (encrypted) data
      • system finds a match in the database
      • check if the account has access / authorisation
        • check if the account has balance / money
        • if yes, pay and issue a receipt
    • advantages
      • unique to the individual
        • so, extremely hard to forge
      • more than one characteristic can be used
        • increased accuracy
      • no forgetting passwords, etc...
        • can always authenticate easily
      • password reset & administration (service desk) costs reduced
    • disadvantages
      • more time taken to enrol staff
      • false match rate (accepting the wrong person) and false non-match rate (rejecting the right person) have to be balanced
      • can have a high error rate
        • wastes time / inconvenient
      • cannot share access (with others)
      • biometric parameters may change over time
      • a compromised biometric cannot be changed like a password
      • staff may not like having their biometric data stored
      • staff may be identified in places they don't need to be
        • eg: in public crowds
        • violating user privacy
    • choosing biometric parameters
      • requirements
        • must not be intrusive (or embarrassing) to collect
      • biometric parameters
        • Face
          • easy to read quickly
          • collected by a machine
          • difficult to copy
        • Voice
          • easy to read quickly
          • collected by a machine
          • difficult to copy
          • most acceptable, least intrusive, most privacy respecting
          • but not very unique
        • hand geometry
          • easy to read quickly
          • collected by a machine
        • iris
          • easy to read quickly
          • collected by a machine
          • do not change over time
        • Fingerprint
          • unique
          • found in everyone
          • do not change over time
        • facial thermogram
          • unique
          • found in everyone
          • not permanent
        • retina
          • unique
          • found in everyone
          • do not change over time
        • DNA
          • difficult to copy

Authorization

Threats

  • how to detect?
    • use anti-malware to
      • scan incoming data
      • scan existing data
    • examine the file's signature and compare with a database of known malware
      • (signature based detection: only finds what is already known)
    • do behaviour based detection
      • (flag unusual actions, eg: a program mass-encrypting files or contacting unknown servers)
    • use a firewall to filter
      • packets, ports
      • incoming connections
      • outgoing connections
      • detect abnormal (network) activity
        • abnormal patterns, eg: one host contacting many ports
    • proxy servers to hold and analyse packets
    • use honeypots
      • to track intruders
      • and notify admins
    • check network and system logs to discover threats
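
The behaviour-based detection and log checking in the list above, as an added example that is not part of these notes: a small parser for constructed firewall and SSH log lines (the format, addresses and thresholds are assumptions of this example, not real system output) and two sliding-window rules, one for a port scan (many distinct ports from one source) and one for a password brute force (many failed logins from one source).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp program message".  Not from any real system.
SAMPLE_LOG_LINES = [
    # one source touching 12 different ports within 12 seconds: a port scan
    *[f"2024-05-01T10:00:{i:02d} fw DROP src=203.0.113.5 dst=192.0.2.10 dport={20 + i}"
      for i in range(1, 13)],
    # a single dropped packet from another host: background noise
    "2024-05-01T10:00:30 fw DROP src=203.0.113.9 dst=192.0.2.10 dport=443",
    # six failed logins from one host within a minute: brute force
    *[f"2024-05-01T10:05:{10 * i:02d} sshd Failed password for root from 198.51.100.7"
      for i in range(6)],
    # two failures then success from a legitimate user: below threshold
    "2024-05-01T10:07:00 sshd Failed password for alice from 192.0.2.55",
    "2024-05-01T10:07:20 sshd Failed password for alice from 192.0.2.55",
    "2024-05-01T10:07:40 sshd Accepted password for alice from 192.0.2.55",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<prog>\S+) (?P<msg>.*)$")
DROP_RE = re.compile(r"DROP src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")
AUTHFAIL_RE = re.compile(r"Failed password for \S+ from (?P<src>\S+)")


def parse_events(lines):
    """Turn raw lines into typed events; lines matching no rule are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if drop := DROP_RE.search(m["msg"]):
            events.append({"ts": ts, "kind": "drop", "src": drop["src"],
                           "dport": int(drop["dport"])})
        elif fail := AUTHFAIL_RE.search(m["msg"]):
            events.append({"ts": ts, "kind": "authfail", "src": fail["src"]})
    return events


def detect(events, scan_ports=10, scan_window=60, fail_limit=5, fail_window=120):
    """Sliding-window rules per (kind, source).  Returns (rule, source, count)
    once per source so one scan does not produce hundreds of alerts."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["kind"], ev["src"])].append(ev)
    alerts = []
    for (kind, src), evs in by_key.items():
        window = timedelta(seconds=scan_window if kind == "drop" else fail_window)
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                # slide the window's left edge
            span = evs[start:end + 1]
            if kind == "drop" and len({e["dport"] for e in span}) >= scan_ports:
                alerts.append(("port_scan", src, len(span)))
                break
            if kind == "authfail" and len(span) >= fail_limit:
                alerts.append(("brute_force", src, len(span)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG_LINES)):
        print(alert)
```

Thresholds are the tuning knob: too low and the admin's own two typos trigger an alert, too high and a slow scan spread over minutes goes unnoticed, which is exactly why the window length and the count are both parameters.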

Malware

  • botnet
    • describe
      • collection of many devices
      • malware is running on each connected computer
      • control of each device has been taken over by a third party
      • each node (bot) is controlled by a third party (the bot herder)
      • connection uses standard internet protocols
    • how they gain unauthorised access to data
      • setup
        • device has malware installed (without the user's knowledge)
        • can set up peer-to-peer connections with the controller device
        • bots connect together using internet protocols
        • use of IRC (or HTTP) to communicate with the remote command-and-control server
        • bots can automatically scan for other computers to infect
      • uses
        • bot herder directs bots to log keystrokes
        • can run other malware (on behalf of the attacker)
        • can carry out DoS attacks on other services (distributed, so DDoS)
        • can send spam (eg: messages with disguised links or attachments)
        • can distribute spyware to gather data
        • can use the user's computer resources
          • and reduce performance
        • can compromise legitimate data

Spyware

  • how to combat it
    • anti-spyware tools
      • prevent installation of spyware
      • may not detect already installed spyware
      • may not detect disguised spyware
      • keep the list of known spyware updated
    • anti-virus software
      • will detect and remove spyware (but not all)
    • real-time scanning of incoming data
      • block before it enters & infects the system
    • spyware may
      • reinstall itself, under another process name
    • use a hardened web browser
      • browsers are not designed to detect spyware
    • use reputable sources to download software
      • but, reputable sources can be infected
        • (if the reputable source itself is hacked: a supply-chain compromise)
    • use a firewall
      • with outbound rules
      • to prevent spyware from sending data to the attacker

Data Security

Threats

  • data destruction

    • deleting data
    • eg: deleting record from database
  • data modification

    • changing data to a different value
    • overwriting original value
    • eg: changing value in a cell from 100 to 101 (in spreadsheets)

Data Protection

  • advantages (of each measure)

    • use of passwords to restrict access
    • enter OTP when logging in
      • prevents others from logging in
      • even if the password is shared / stolen
    • hardware tokens do not need network connections (the code is computed from a shared secret and the time or a counter)
    • physical barriers
      • eg: locks on doors
    • security cameras recording all the time
    • encrypt data
    • backup & restore data
      • restores data after damage; does not prevent the damage itself
  • disadvantages

    • passwords can be forgotten
    • sharing of passwords -> unwanted access
    • tokens
      • may have a limited number of uses / lifetime
      • limited battery life
    • physical barriers can be broken
      • eg: door locks
    • security cameras must be watched all the time
    • watchers may be distracted
  • precautions

    • off-site backup at regular intervals
    • backup first made on-site
      • later copied to off-site
    • or backup to cloud
    • local RAID mirrors (redundancy against disk failure; not a substitute for backups, since deletions and ransomware are mirrored too)
    • surge protectors to minimise damage from power surges
    • UPS (uninterruptible power supply) or backup generator in case of power outage
    • fire prevention systems + smoke detectors
    • anti-virus software blocks malware that would delete, corrupt or encrypt files (ransomware)
    • firewalls prevent unauthorised access
  • how data is lost

    • accidental deletion
    • malware deleting files
    • mechanical failure of storage systems
    • magnetic interference with hard disk surfaces leading to loss of sectors
    • power failure
      • loss of data in memory buffers (not yet written to disk)
    • theft of storage media, physical loss of files
    • physical damage
      • eg: natural disasters
  • how to protect?

    • prevent unauthorised access
      • use authentication with credentials
      • use firewalls
    • make subnets to restrict which users can reach which systems (network segmentation)
    • use a VPN for secure connections
      • eg: to cloud / remote network
    • do regular checks on data integrity (eg: compare file hashes against a known-good manifest)
    • use encryption (eg: AES-256) so that stolen data cannot be understood
  • software methods

    • keep software up to date
    • keep antivirus up to date
      • provides real-time monitoring
    • use encryption to make data meaningless (unless decrypted)
      • protects confidential information
    • encrypt hard disks
      • safe even if the device is lost
    • use biometric authentication
      • access only to authorised users
    • use of access rights / access control lists
      • which have allow / deny entries
    • use passwords on individual files
      • to control user access
      • encrypt documents (with a key derived from the password)
      • control editing rights
        • to prevent unauthorised users from modifying
    • use steganography to hide data in other files, eg: images (JPEG)
      • others are unaware the data exists (hiding, not encryption: no protection once found)
    • backup
      • use automatic schedules
      • backup elsewhere (another device, and ideally another site)
      • can restore data if damaged
    • regular software updates
      • address security issues
  • access rights / access control

    • (new)
      • user is authenticated first, then permissions are applied
      • ensures users have appropriate access to data
      • provides selective access
      • distribution of data is controlled
      • managers / sysadmins can control permissions for each user
      • can be adapted in response to
        • staff changes
          • so, new employees get access
          • leavers have their access removed
        • data breaches
          • affected users / accounts isolated from data
      • based on attributes of the user (and context)
        • so, access to appropriate data only
        • can depend on time / location
    • (old)
      • different permissions given to different users
      • eg: RBAC (role-based access control: permissions attached to roles, users assigned roles)
      • set up ACLs (access control lists)
      • works on files and directories
      • permissions on a folder may be inherited (cascaded) by its contents
      • files within a folder may have different permissions (than the parent folder)
      • permissions
        • read
          • can view file
        • write
          • can modify files
        • execute
          • allows files to be executed (or a directory to be entered)
      • permissions must be set explicitly (the default should be deny)
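
The ACL and RBAC behaviour described above (allow/deny entries, folder permissions cascading to their contents, a file overriding its parent, roles for groups of users, and revoking access on a breach), as an added example that is not part of these notes. The model is an assumption of this example: the nearest path with a matching entry decides, an explicit deny beats an allow at the same level, and anything not allowed is denied. The users, roles and paths are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class AclEntry:
    principal: str                       # a user name or a role name
    allow: Set[str] = field(default_factory=set)
    deny: Set[str] = field(default_factory=set)


class AccessControl:
    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles = roles               # RBAC: user -> roles held
        self.acls: Dict[str, List[AclEntry]] = {}

    def set_acl(self, path: str, entries: List[AclEntry]) -> None:
        self.acls[path] = entries

    def revoke_role(self, user: str, role: str) -> None:
        """Leaver / breach response: drop the role and its access goes with it."""
        self.roles.get(user, set()).discard(role)

    def _principals(self, user: str) -> Set[str]:
        return {user} | self.roles.get(user, set())

    @staticmethod
    def _chain(path: str):
        """Yield the path, then each ancestor, nearest first, ending at '/'."""
        parts = path.rstrip("/").split("/")
        for i in range(len(parts), 0, -1):
            yield "/".join(parts[:i]) or "/"

    def check(self, user: str, path: str, perm: str) -> bool:
        principals = self._principals(user)
        for node in self._chain(path):
            matched = [e for e in self.acls.get(node, []) if e.principal in principals]
            if any(perm in e.deny for e in matched):
                return False             # explicit deny at the nearest level wins
            if any(perm in e.allow for e in matched):
                return True              # inherited from the nearest allow
        return False                     # default deny: nothing matched


def build_demo() -> AccessControl:
    ac = AccessControl({"alice": {"finance"}, "bob": {"intern"}, "carol": set()})
    ac.set_acl("/data", [AclEntry("finance", allow={"read", "write"}),
                         AclEntry("intern", allow={"read"})])
    # payroll sits inside /data, but interns are explicitly denied there
    ac.set_acl("/data/payroll", [AclEntry("intern", deny={"read"})])
    # archived payroll: even finance may only read, never modify
    ac.set_acl("/data/payroll/archive", [AclEntry("finance", deny={"write"})])
    return ac


if __name__ == "__main__":
    ac = build_demo()
    for user, path, perm in [("alice", "/data/payroll/2024.xlsx", "write"),
                             ("bob", "/data/payroll/2024.xlsx", "read"),
                             ("bob", "/data/reports.csv", "read")]:
        print(user, perm, path, "->", ac.check(user, path, perm))
```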

Backups

  • backup strategy
    • make copies regularly
    • automate it
    • store backups on different media
    • implement incremental backups (copy only what changed since the last backup)
    • keep records of backups
    • test the restore process periodically
    • have off-site backups
      • (eg: in case of fire)
  • advantages
    • protects data against
      • system failures
      • accidental deletion
      • deletion by malware
      • encryption by ransomware (if the backup is offline or otherwise out of the malware's reach)
      • failure of storage
      • failure of operating system
  • disadvantages
    • will store both safe data as well as malware
      • will not remove malware
    • latest data will be lost
      • only data present at the time of the backup is restored
    • doesn't always have up-to-date information
      • data changes soon after the snapshot is taken
    • a full backup can get stolen (entirely)
      • if not encrypted, all of it is accessible
    • system performance reduced while backing up
      • backup when the system is not heavily used
    • data restoration takes time (no quick access to individual files, especially from tape)
    • extra storage costs (to store backups)
  • backup medium
    • tape based
      • huge storage capacity
      • serial access
      • cheap per GByte
      • slow to create backup
      • slow to recover files
      • fragile
      • some tapes may not work in different tape drives
        • eg: proprietary standards or vendor lock-in
    • hard disk based
      • quick to produce backup
      • quick to recover files
      • direct access
      • cost per GByte varies / can be expensive
      • large capacities
      • a hard disk can fail, losing large amounts of data
    • cloud based
      • off-site, so not vulnerable to on-site disasters
      • maintenance costs borne by the supplier
      • security arranged by the supplier
        • but the data is held by a third party: confidentiality depends on them (encrypt before upload)
      • capacity scales on demand
      • needs a reliable internet connection
        • with high bandwidth
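
An incremental backup with a hash manifest, covering both "regular checks on data integrity" from the Data Protection section and "incremental backups, keep records, test the restore" from the Backups section, as an added example that is not part of these notes. The manifest is the record of what was backed up; comparing hashes is what makes the incremental copy and the restore test possible, and it also catches a backup file that was silently modified (the "data modification" threat). The directory layout and file contents are constructed inside a temporary directory.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def incremental_backup(src: Path, dst: Path, previous: dict):
    """Copy only files that are new or changed since `previous` (the manifest
    of the last backup) and write the new manifest next to the copies.
    Returns (manifest, copied_paths)."""
    manifest = build_manifest(src)
    copied = []
    for rel, digest in manifest.items():
        if previous.get(rel) != digest:
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src / rel, target)
            copied.append(rel)
    (dst / "MANIFEST.json").write_text(json.dumps(manifest, indent=1))
    return manifest, copied


def verify_restore(manifest: dict, restored: Path):
    """Integrity check: files missing from, or changed in, the restored copy."""
    problems = []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif file_sha256(p) != digest:
            problems.append((rel, "modified"))
    return problems


def run_demo() -> dict:
    """Constructed scenario: full backup, one change, incremental backup,
    a clean verification, then detection of a silently modified backup file."""
    base = Path(tempfile.mkdtemp())
    try:
        live, backup = base / "live", base / "backup"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "a.txt").write_text("alpha")
        (live / "b.txt").write_text("bravo")
        m1, first = incremental_backup(live, backup, {})
        (live / "b.txt").write_text("bravo v2")             # only this file changes
        m2, second = incremental_backup(live, backup, m1)
        clean = verify_restore(m2, backup)
        (backup / "docs" / "a.txt").write_text("tampered")  # bit rot or an attacker
        corrupted = verify_restore(m2, backup)
        return {"first": first, "second": second, "clean": clean, "corrupted": corrupted}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

A manifest kept only beside the backup is no protection against someone who can alter both; keep a signed or off-line copy of the manifest (or a hash of it) if the threat includes the backup store itself.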

Protect

  • from data breach

    • enforce password policies
      • minimum length and strength restrictions
      • screen against common / breached passwords
      • (older guidance: change every 90 days; current NIST guidance is to rotate only on suspected compromise, since forced rotation leads to weaker, predictable passwords)
    • use access control
    • keep software up to date
    • use standardised software
    • don't install software from untrusted sources
    • use firewalls
      • protect with inbound + outbound rules
    • give training in
      • data security
      • identifying threats
      • how to respond to data breaches
    • use anti-virus software
  • using public wifi

    • log out of accounts after use
    • disable file sharing (eg: to prevent unauthorised copying)
    • turn off wifi/bluetooth when not in use
    • only use HTTPS websites
    • use a VPN (encrypts all traffic, not just HTTPS)
    • don't allow auto-connect to wifi
    • don't log in to accounts
      • (verify the connection is secure before doing it)
    • don't use sensitive sites, eg: banking sites
    • don't connect to open (unencrypted) wifi networks
  • credit card

    • risks when using it online
      • loss of card data
      • a dishonest or compromised merchant site can use the details fraudulently
        • eg: JavaScript injected into the checkout page that logs card details (web skimming)
      • victim unaware of the loss
      • cardholder not present when the transaction is made (so the merchant cannot check the physical card)
      • might be redirected to a fake site (eg: pharming)
      • might get emails/calls asking for OTPs and verification info
        • impersonating a bank
      • BIN attacks (bank identification number)
        • guessed numbers within a real BIN can hit real active accounts
      • using HTTP sites or public wifi exposes the details in transit
      • physical theft of the card
      • card details stored by the merchant are stolen (server breach)
    • may subject account holders to fraud
      • skimming
      • use number generators to guess working cards
        • using a known BIN (first 6 digits)
        • the remaining digits are generated so the number passes the Luhn check digit test
        • (with a guessed expiry date)
      • card details obtained by phishing / vishing
      • attacker does a small transaction to see if the card is valid (card testing)
        • if successful, can do large ones later
        • subscribing to a web service
          • is a quick way to check validity
          • repeated billing charges for the card holder
      • use spyware to capture card details
    • how merchants can combat it
      • demand extra security information (CVV, 3-D Secure / OTP from the bank)
      • check if the billing address given matches the address registered to the card
      • if online transaction
        • look up the IP to get an approximate geolocation
        • and see if it is consistent with the card's address
      • use a trusted 3rd party payment service so card details never reach the merchant
        • eg: Stripe
      • don't display the full card number on the receipt
        • PAN (primary account number): mask all but the last 4 digits
      • don't store card details on servers
      • encrypt any stored card details
      • rate-limit / flag many different cards tried from one source (card testing)
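
Three of the merchant-side checks above in code, as an added example that is not part of these notes: the Luhn check digit test (a sanity check for typos, not a security control, since BIN-attack generators produce numbers that pass it by construction), PAN masking for receipts and logs, and a card-testing detector that flags one source trying many different card numbers in a short window. The card numbers are the well-known Visa/Mastercard/Amex test numbers; the thresholds, addresses and timestamps are constructed for the example.

```python
import hashlib
from collections import defaultdict


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test over a card number (spaces allowed)."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Receipt / log display: keep only the last 4 digits.  PCI DSS permits
    at most the first 6 and last 4 to be shown; less is safer."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def bin_of(pan: str) -> str:
    """Bank identification number: the first 6 digits identify the issuer."""
    return pan.replace(" ", "")[:6]


class CardTestingDetector:
    """Flags a source that tries many *different* card numbers in a short
    period: the footprint of BIN-attack / card-testing fraud.  Only a hash of
    each PAN is kept, so the detector never stores card details itself."""

    def __init__(self, max_distinct: int = 5, window_seconds: int = 600):
        self.max_distinct = max_distinct
        self.window = window_seconds
        self.seen = defaultdict(list)        # source -> [(time, pan_hash)]

    def record(self, source: str, pan: str, at: float) -> bool:
        """Record one attempt; return True if this source should be blocked."""
        pan_hash = hashlib.sha256(pan.replace(" ", "").encode()).hexdigest()
        recent = [(t, h) for t, h in self.seen[source] if at - t <= self.window]
        recent.append((at, pan_hash))
        self.seen[source] = recent
        return len({h for _, h in recent}) >= self.max_distinct


if __name__ == "__main__":
    for pan in ("4111 1111 1111 1111", "4111111111111112"):
        print(mask_pan(pan), "bin", bin_of(pan), "luhn ok:", luhn_valid(pan))
```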

Physical Security

  • use (evaluate)
    • physical barriers
      • eg: doors, bars
    • video surveillance
      • CCTV to monitor and find unauthorised people
      • cost effective as a deterrent
      • watches large areas
    • physical presence of guards
      • can control who comes in
      • can deal with issues quickly
    • lighting
      • sensor controlled lights
      • low cost
      • warn and highlight intruders
        • lets them know that they have been seen
  • weaknesses
    • physical locks require keys
      • they can get lost
      • + hard to keep track of them
    • combinations of locks can be forgotten
    • locked doors can be left unlocked
    • physical keys can be copied
    • security guards may not be alert when required
    • physical combination locks can be seen by others (when in use: shoulder surfing)

AntiVirus / AntiMalware / AntiSpyware

  • AntiMalware

    • advantages
      • removes malicious software
      • protects against spam (where it includes mail filtering)
      • stops unauthorised use of the computer
    • disadvantages
      • must be kept up to date
      • should be running all the time
      • will not detect all malware (eg: new custom written ones, before a signature exists)
      • infected website can carry malicious code
        • not (usually) detected by AntiMalware
  • AntiSpyware

    • advantages
      • protects against spyware
      • prevents theft of confidential files
      • thus protects against unauthorised access to bank accounts
      • protects against identity theft
    • disadvantages
      • (same as AntiMalware)

Disaster Recovery

  • perpetrator analysis

    • perpetrators are attackers, including
      • script kiddies
      • crackers
      • hackers
      • terrorists
      • business competitors
      • foreign government intrusions
    • each perpetrator has different skills
      • the higher the skill, the higher the risk
    • analysis of their actions done by security companies
    • allocation of resources to disaster recovery
      • depends on how likely the attackers are to succeed
    • IDS (intrusion detection systems)
      • can be deployed to combat perpetrators
      • perpetrators identified by analysis of their behaviour
      • so, resources can be targeted at a likely perpetrator
  • risk analysis

    • Qualitative risk analysis to prioritise risks for analysis
    • Quantitative risk analysis
      • of likelihood of occurrence / probabilities
      • of consequences (cost) of occurrence
    • To identify the effect/cost of risks caused by e.g.
      • loss of access to premises
      • loss of data
      • loss of IT function
      • loss of skills
    • Produce a computer simulation of the disaster
    • Produce a report of the risks.

Laws

Acts

  • why data protection laws?

    • personal data stored on computers
    • databases are easily accessed
      • and edited
    • systems can be networked
      • (for easy data sharing)
    • hard to maintain control over data
    • data can be stolen (without a trace)
    • protect user privacy
      • data about individuals can be stored without their knowledge, infringing their privacy
    • records of who accessed what data and when are difficult to maintain unless enforced by law
  • data protection act

    • (these notes describe the UK Data Protection Act 1998, which had eight principles; it has since been replaced by the Data Protection Act 2018 / UK GDPR)
    • principles
      1. Personal data should be collected and processed fairly and lawfully.
        • Data subject should be informed about the data being collected.
        • Data subject should be asked for permission to collect it.
      2. Personal data can be held only for specified and lawful purposes.
        • Data subject should know why data is collected/stored.
        • Law is broken if data is used for other purposes.
      3. Personal data should be adequate, relevant and not excessive for the required purpose.
        • Only data that is needed can be stored.
      4. Personal data should be accurate and kept up-to-date.
        • Wrong/inaccurate data must not be stored.
        • Wrong/inaccurate data should be corrected.
      5. Personal data should not be kept for longer than is necessary.
        • Data must not be kept forever/unreasonable lengths of time/must be destroyed when no longer needed.
      6. Data should be processed in accordance with the rights of the data subject.
        • Data subjects can inspect the data held about them.
        • Data subjects can insist that incorrect data is amended.
    • rights created
      • A right of access to a copy of the information held in their personal data
        • told whether personal data is being processed
        • given a description of the personal data
        • given reason(s) for processing
        • given details of the source of the data
      • A right to object to processing that is causing distress
      • A right to prevent processing for direct marketing
      • A right to object to decisions being taken by automated means
      • A right to have inaccurate personal data rectified, blocked, erased or destroyed
      • A right to claim compensation for damages caused by a breach of the Act.
    • criminal offences (for data controllers who fail to abide)
      • Failure to register when required
        • keeping personal data when not registered
        • failure to provide accurate information when registering
      • Failure to comply with provisions for storing data supplied when registering
      • Processing data if not registered
      • Failure to provide the Data Commissioner with an updated address
      • Failure to comply with an enforcement order
        • prohibition notice e.g. not to supply data to a third party
        • information notice e.g. not supplying all information when requested.

Uncategorized

  • identity theft

    • meaning
      • unauthorised use of personal information
      • attacker pretends to be another person
      • using the information for personal gain (unauthorised)
      • to cause harm to the victim
      • to create a new identity
    • impact
      • stolen identity can be used when committing crime
      • difficult for the victim to prove innocence
      • ID might be rejected by institutions due to earlier fraudulent use of the ID by others
      • difficult to correct false information
      • victims left financially liable for transactions they didn't make
      • innocent individuals caught for no reason
      • mental health issues for victims
      • child's ID stolen at a young age, loans taken out, child is in debt at adulthood
  • networking (more in Chapter 3)

    • security issues
      • data can be lost
      • data can be intercepted
        • if data is unencrypted
          • the data will have meaning to the interceptor
          • eavesdropping on other users' activities
          • captured data can be used fraudulently
          • valid user accounts can be used (credential theft)
      • traffic can be modified in transit
      • risk of worm infection (spreads between networked machines by itself)
      • misuse of resources by unauthorised people
      • failure may expose data to loss
      • other devices in the network can be accessed remotely
  • weak password

    • reject them
    • set up security/password policies for it
    • eg: abc
      • too short (not meeting minimum length)
      • no different types of characters
      • easily guessed
        • it is a simple (sequential) pattern
      • no combination of upper+lower case / number / special characters
    • eg: 1234AAA
      • has a sequence of characters/numbers
        • and a run of repeating characters
      • no combination of upper+lower case / number / special characters
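
A password policy check that rejects the two weak examples above for the reasons listed (length, character classes, sequential runs, repeated characters) and also screens against a common-password list, as an added example that is not part of these notes. The thresholds and the tiny common-password set are constructed for the example; in production screen against a real breached-password corpus, which current NIST guidance (SP 800-63B) values above composition rules.

```python
import re

# Constructed stand-in for a breached / common password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "abc123", "letmein", "welcome1"}

CHARACTER_CLASSES = {
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def has_sequential_run(pw: str, run: int = 3) -> bool:
    """True if `run` consecutive characters ascend by one (abc, 123, XYZ)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if chunk.isalnum() and all(ord(chunk[j + 1]) - ord(chunk[j]) == 1
                                   for j in range(run - 1)):
            return True
    return False


def check_password(pw: str, min_len: int = 12, min_classes: int = 3) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"too short: {len(pw)} < {min_len} characters")
    classes = [name for name, pat in CHARACTER_CLASSES.items() if re.search(pat, pw)]
    if len(classes) < min_classes:
        reasons.append(f"only {len(classes)} character class(es): "
                       f"{', '.join(classes) or 'none'}")
    if has_sequential_run(pw):
        reasons.append("contains a sequential run (eg: abc, 1234)")
    if re.search(r"(.)\1\1", pw):                 # same character 3+ times in a row
        reasons.append("contains the same character 3+ times in a row")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common / breached password list")
    return reasons


if __name__ == "__main__":
    for candidate in ("abc", "1234AAA", "Tr0ub4dor&3-Horse!"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```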