A&B Chapter 1 - Security Fundamentals


Covered Topics

Chapter Overview

Exercises

  1. Bob sets the Wi-Fi setting on his pacemaker to not broadcast the name of his Wi-Fi. What is this defensive strategy called?
    1. Security through obscurity
  2. Name an example of a value that could be hard coded and why.
    1. An engineer could hardcode an API key that is needed to authenticate with a service. This would hopefully be done without realizing it, or because the engineer forgot the key was left in the code.
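As an added illustration of the answer above (not part of the original page), the following scanner flags assignments of string literals to credential-looking variable names in a constructed snippet of source code. The sample source, the variable names and the key value are all made up for this example; a real pre-commit hook would scan files from the repository instead.

```python
import re

# Constructed sample source that a reviewer or pre-commit hook might scan.
# The API key value below is a made-up placeholder, not a real credential.
SAMPLE_SOURCE = """\
import os
API_KEY = "EXAMPLE-KEY-0123456789abcdef0123456789abcdef"
db_password = 'hunter2'
api_key = os.environ["API_KEY"]
TIMEOUT = "30"
token = get_token()
"""

# Variable names that suggest a credential (case-insensitive substring match).
SECRET_NAME = re.compile(r"(?i)(api[_-]?key|secret|password|passwd|token)")

# `name = "literal"` or `name = 'literal'` on a single line.
STRING_LITERAL_ASSIGN = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<quote>['"])(?P<value>.*?)(?P=quote)"""
)


def find_hardcoded_secrets(source, min_len=6):
    """Return (line_number, variable_name) for every string literal assigned
    to a credential-looking name. Values read from the environment or
    returned by a function call are not literals and are therefore not flagged."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        match = STRING_LITERAL_ASSIGN.match(line)
        if not match:
            continue
        name, value = match.group("name"), match.group("value")
        # Short literals such as "" or "30" are almost never secrets; skip them.
        if SECRET_NAME.search(name) and len(value) >= min_len:
            findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: possible hardcoded secret in `{name}`")
```

Running it on the constructed sample reports the `API_KEY` and `db_password` lines and stays quiet about the line that reads the key from `os.environ`, which is the fix the answer points towards.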
  3. Is a captcha usable security? Why or why not?
    1. I believe that they are a usable form of security when done right. However, some captchas are difficult for users to complete and will cause them to want to get around them whenever possible. They are a valid way to determine if a user is a human or not; however, when done poorly they cannot be considered usable security.
  4. Give one example of a good implementation of usable security?
    1. A good implementation of usable security, in my opinion, is facial recognition on iOS devices. It is seamlessly integrated into the login system, along with being more secure than a bad PIN that would be chosen by someone who just wants to get into their phone.
  5. When using information from the URL parameters do you need to validate that data? Why or why not?
    1. You always need to validate data that is taken from outside of your immediate system. Even if you trust the service that is sending the data in the URL parameters, you can never know if that service/user has been compromised.
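As an added example of the validation the answer above calls for (not code from the original page), the function below takes a URL for a hypothetical `/search` endpoint and returns only parameters that match what the endpoint expects: `id` must be a single integer in range, `sort` must come from a fixed allowlist, and `q` is bounded in length and character set. The endpoint, the parameter names and the limits are assumptions for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed rules for a hypothetical /search endpoint (constructed for this example).
ALLOWED_SORT = {"price", "name", "date"}
MAX_QUERY_LEN = 64
MAX_ID = 10_000_000


def validate_search_params(url):
    """Parse the query string of `url` and return a dict of validated values.

    Raises ValueError for anything that does not match the expected shape, so
    the caller never sees raw, unvalidated input from the URL. Repeated
    parameters (e.g. id=1&id=2) are rejected rather than silently picking one.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    clean = {}

    # id: required, exactly one value, decimal digits only, within range.
    ids = params.get("id", [])
    if len(ids) != 1 or not ids[0].isdigit():
        raise ValueError("id must be a single decimal integer")
    item_id = int(ids[0])
    if not 1 <= item_id <= MAX_ID:
        raise ValueError("id out of range")
    clean["id"] = item_id

    # sort: optional, defaults to "name", must be on the allowlist.
    sort = params.get("sort", ["name"])
    if len(sort) != 1 or sort[0] not in ALLOWED_SORT:
        raise ValueError("sort not in allowlist")
    clean["sort"] = sort[0]

    # q: optional free text; bound the length and reject markup/quote/NUL
    # characters and anything non-printable. parse_qs has already percent-decoded
    # the value, so encoded characters are checked in their decoded form.
    q = params.get("q", [""])
    if len(q) != 1 or len(q[0]) > MAX_QUERY_LEN:
        raise ValueError("q too long or repeated")
    if not q[0].isprintable() or any(ch in "<>\"'\\\x00" for ch in q[0]):
        raise ValueError("q contains disallowed characters")
    clean["q"] = q[0]

    return clean


def is_valid_search_url(url):
    """Convenience wrapper: True if the URL's parameters pass validation."""
    try:
        validate_search_params(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(validate_search_params("https://shop.example/search?id=42&sort=price&q=milk"))
```

The point of the allowlist approach is that the code decides what is acceptable and rejects everything else; it does not try to enumerate bad inputs, which is what makes it hold up when the sender is not the service you expected.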
  6. If an employee learns a trade secret at work and then sells it to a competitor, this breaks which part(s) of CIA?
    1. The employee would be breaking Confidentiality (the C in CIA). The data (trade secrets) was accessed by individuals who were not authorized to view it.
  7. If you buy a "smart" fridge and connect it to your home network, then have a malicious actor connect to it and change the settings so that it's slightly warmer and your milk goes bad, which part(s) of CIA did they break?
    1. The malicious actor is breaking the Integrity of your smart fridge, since they are tampering with the data passed between the temperature controller and the actual fridge.
  8. If someone hacks your smart thermostat and turns off your heat, which part(s) of CIA did they break?
    1. Since this malicious actor is removing your ability to access heat, they are messing with Accessibility (the A in CIA).
  9. If a programmer adds an Easter egg, does this qualify as an insider threat? If so, why? If not, why not?
    1. As long as the programmer isn't adding an Easter egg that will cause any damage to the data, systems, or services provided by your company, it cannot qualify as an insider threat. However, if this feature was not approved and no one knows about it, it can be considered an insider threat.
  10. When connecting to a public Wi-Fi, what are some of the precautions that you could take to ensure you are doing "defense in depth"?
    1. Make sure that you are only connecting to sites through HTTPS. HTTP traffic can be hijacked and spoofed sites can be returned to you.
  11. If you live in an apartment with several roommates and you all have a key to the door, is one of the keys considered to be a "factor of authentication"?
    1. Having a key to the door is considered a factor of authentication (Factors of Authentication: something you have). This means that only those who have the key can gain access to the apartment.