Define Cybersecurity
Cybersecurity is a multi-faceted field incorporating aspects of digital systems, organisational practices, threats to data and systems, law, ethics and risk management.
Cyber security measures focus on protecting systems and data from a range of threats.
Define Goal
high level aim
Define Objective
specific, measurable way to achieve goal
Define In-house development
In-house development is using an existing team of developers within the organisation to develop software.
List the 3 In-house development Advantages
Better communication between the developers and organisation
Improved understanding of the organisation and its values
Improved security with the development occurring within the existing organisation network
In-house development Disadvantages
Can be difficult to find the right employees with the right skills
Current employees may not have the specialised skill required
Define External development
External development is employing a third party to complete the development of software.
List the External development Advantages
Current employees may not have the specialised skill required
Easier to find the right employees with the right skills
External development Disadvantages
Worse communication between the developers and organisation
Lower understanding of the organisation and its values
Lower security with the development occurring within the existing organisation network
List types of vulnerabilities and risks within insecure development environments
Use of application programming interfaces (APIs)
Malware
Unpatched Software
Poor identity and access management practices
Man-in-the-middle attacks
Insider threats
Cyber security incidents
Risks present from software acquired by third parties
Ineffective code review practices
Combined development, testing and production environments
Define APIs and what threats they can leave the user open to
Application programming interfaces (APIs) are a set of protocols that enable different software components to communicate and transfer data.
Using APIs can leave the user open to threats such as data breach, DDoS, injection and more.
Define Malware and list examples
Malware is malicious software which is designed to cause harm to a system.
Examples
Viruses - cause a negative effect on a device
Worms - self-replicate, frequently causing damage through the self-replication and use of system resources
Trojans - hidden in legitimate software, allows backdoor access to an attacker
Ransomware - files are encrypted and then attacker demands ransom for access again
Spyware - collects data about a user's activity, e.g. keystrokes
Denial of service - attackers prevent legitimate users from accessing a service; distributed DoS (DDoS) is the same, but originates from many sources
Define software patches and their importance
Software patches make changes to software, typically involving security improvements. If software is not up to date, this can leave the software more vulnerable.
Define Poor identity and access management practices
List what good identity and access management practices ensures
individuals cannot access data, modules or systems beyond their needs
staff are not granted administrator or high-level privileges (unless necessary)
there is a decreased exposure to risk and security breaches for the organisation.
Give examples of Poor identity and access management practices
Weak password management, e.g. not considering length, special characters etc.
Not using multi-factor authentication
Define Man-in-the-middle attacks
A man-in-the-middle attack secretly observes and potentially alters communications or information transfer between two parties.
What do man-in-the-middle attacks allow malicious actors to do
Gain access to confidential information such as private data or authentication credentials, as they are pretending to be a trusted person to communicate with
Edit data
List protection strategies against man-in-the-middle attacks
Only transmit private information on a secure network
Usual measures to protect against an attacker gaining a user's authentication details:
social engineering training
two factor authentication.
Define Insider threats
Malicious or accidental actions from authorised users which can cause harm to a system. The impact of these actions can be data loss, stolen data, a small part of a larger attack etc.
Define the insider threat, malicious actions
Think of the guy in Jurassic Park who steals the dinosaur eggs and takes down the whole company as well. This is an individual who is trusted by the company and intends to cause them harm.
Define the insider threat, accidental actions
This can constitute "Social engineering", which was in the previous study design:
Social engineering is the art of manipulating people so they give up confidential information.
Define the social engineering, phishing
This is where an attacker disguises themselves as a credible entity e.g.
A fake website that looks real, so that you submit your username and password on it.
An email or phone call from “IT Support” that gets you to give them information, or perform actions on your computer or network
List strategies to defend against phishing
Warn and train users about the potential for social engineering, in particular not to:
click on suspicious links
enter authorization credentials
plug in unfamiliar hardware into your computer.
Define Cyber security incidents
A cyber security incident is an event which has an impact on a business, e.g. data breach, malware etc.
Define how software acquired by third parties can present risks
counterparty risk (what if the third party does something nefarious or negligent)
unknown or uncontrollable security practices of the third party,
lack of transparency,
potential for security vulnerabilities in the third-party software, and
risk of data breaches
List the mitigation strategies for risks presented by software acquired from third parties
Working with a third party with a track record, reputation and history with other clients
Detailing security requirements and transparency upfront in the contract
Assigning liability to the third party in the event of a security incident in the contract
Conducting regular security audits
Encrypting data when transmitted
Define code review
Code review is when code is checked by a developer to check the quality or make any improvements before it is added into the codebase.
List Ineffective code review practices
Not having appropriate feedback to action
Not including appropriate follow-up
Focusing on less meaningful parts of the code
Lacking context in terms of the code as a whole
Define environments (development, testing and production)
Environments are a dedicated workspace for a specific area of the process, such as development, testing or production.
What are the practices for development, testing and production environments
Environments need to be kept separate to ensure they are stable and secure
If they are combined, developers are working over the top of each other in the same environment, and this can cause issues like downtime or missed bugs.
List the security controls used to protect software development practices and data stored within applications
Version control and code repositories
Robust identity and access management
Encryption
Code review
Regular updates and patches to software
Separated development, testing and production environments
Define version control
Version control is a system that records changes to a file or set of files over time so that you can recall specific versions later.
List Benefits of version control
If you make a change to a project that breaks something or if files are lost, it is easy to recover (and recover back to a specific point in time).
It is easier to keep track of changes and updates made to the code.
It provides a controlled and stable way to merge together different developers’ work.
You can identify who might have introduced an issue and where. In a team of developers this lets you find out who to ask about a change that might have caused a problem.
List Dangers of not using version control
Assuming you have another form of backup, it may take longer to recover work, or not all up-to-date work may be recovered if it was not caught in the last back up.
It is harder to track what code was changed, when and by whom, which may slow down bug fixes.
It also makes later evaluation harder as there is no record of the progress of the development, as well as a record of what worked and what didn’t.
When to use version control:
When you are developing a project that would have multiple developers working on
When significant changes are made consistently to the project
Define identity and access management
A system using user authentication restricts what users are able to see or do until their identity is confirmed.
Give examples of identity and access management
Something you know: username, password, pin
Something you have: RFID chip, key fob, smart phone, USB stick, authentication app on a phone
Something you are: biometrics e.g. fingerprint, face, retinal scan
Define Two-factor authentication
Two-factor authentication is where there are multiple points that have to authenticate a user e.g. login plus a code messaged to your phone.
Define Multi-factor authentication
Multi-factor authentication is the general term for when two or more points of authentication are used.
What is the importance of Robust identity and access management
If the user’s identity is not verified, anyone could claim to be this user and execute actions on their behalf, such as transferring money out of their account, or firing nukes if the user was the US President.
When to use identity and access management
Any time there are actions that depend on the identity of the user to determine their outcome, it is important to use User Identification.
Define Encryption
Encryption is the process of transforming information into a coded form, so that it is unreadable without deciphering.
Ideally this ability to decipher the coded information is only available to authorised users.
Why is encryption important?
If data is encrypted, even if an attacker gains access to the data they will not be able to read it (at least not easily).
If information is not encrypted, intercepted or leaked data can easily be interpreted by unauthorised parties.
When do you use encryption?
When sensitive data is stored on a computer system or is being transferred over an unsecured network, or to otherwise protect data which should not be readable without authorisation.
Define Code review
A code review is when a developer/s checks through the code to maintain quality.
List the capabilities of code reviews
Improve quality of the code
Use multiple reviewers to more thoroughly check code
Ensure code uses current security practices
Can catch errors before deploying
What is the purpose of software updates
Software updates are changes to a software product, usually to:
change the program’s features,
fix bugs or
fix security vulnerabilities.
Why are regular updates and patches to software important?
Software that is not updated will still contain known vulnerabilities which attackers can exploit.
It may contain bugs which could affect data integrity by (depending on what the bug is): not retrieving or updating data correctly, not displaying data correctly.
From a non-security perspective, users will also miss out on additional feature improvements and bug fixes which may affect their user experience.
When do you update your software?
Update your software:
Regularly
Reasonably close to when updates are released, keeping in mind that updates themselves may introduce bugs and security issues.
What are the steps taken in an organisational plan for software updates?
Designating someone to be responsible for them
Doing them at regular intervals, e.g. every 2 weeks or every quarter.
A testing process in a non-production environment (i.e. not shown to users) to test updates before implementing them.
Name the 3 threat modelling principles
Defining security requirements
Identifying and mitigating threats
Confirming threats have been mitigated
Define threat modelling
Threat modelling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value (OWASP).
There are a few different types of models used, e.g. STRIDE.
List what we need to consider in terms of security for the system
What needs to be protected/What are we working on?
What can go wrong? (what threats exist to the system)
What are we going to do about it? (what mitigations are we going to use?)
Did we do a good job? (continuous checking to the plans)
Define security threats
Security threats are the actions, devices and events that threaten the integrity and security of data and information stored within, and communicated between, digital systems.
List the 3 types of security threats
Accidental: deletion or overwriting of data, misdelivery of information and unintended equipment damage
Deliberate: insider threats, unauthorised access, theft of data or physical devices, malware, denial of service attacks and social engineering
Events-based: natural disasters and environmental factors, power or network outages, hardware failures and data corruption.
Mitigations are required for each of these threats.
List the 3 ways to Confirm threats have been mitigated
Security audits - assess security as a whole for the organisation and determine any areas which need to be improved
Security assessments - identify new issues in the system to be addressed
Monitoring and logging - system logs help determine if there have been any threats to the system
What is the importance of continued checking of your system for threats?
To ensure the threats identified have been mitigated appropriately.
Give 3 examples of Criteria for evaluating the security of software development practices within an organisation
Examples of criteria include:
Software is updated to the latest version each month.
Users have to log in to gain access to non-public information.
Passwords have a minimum character length.
List the 5 pieces of Key legislation and industry frameworks for cybersecurity
Copyright Act 1968 (Cwlth)
Essential Eight
Information Security Manual (ISM) Guidelines for Software Development
Privacy Act 1988 (Cwlth) (APP 1, 6, 8, 9, 11)
Privacy and Data Protection Act 2014 (IPP 1, 2, 4, 5, 9)
List these facets of the Copyright Act 1968:
Federal or State?
main focus?
who does it apply to?
federal
copyright
Everyone (government, companies and individuals) with some minor technical exceptions which we can ignore
What is copyright?
“Copyright is a form of intellectual property that protects the original expression of ideas.”
How to copyright something?
Copyright protection is free and is automatically granted to the creator when material is created.
There is no registration system for copyright in Australia
What does copyright cover?
Artistic, dramatic and musical works
Text
Software programs
What can not be copyrighted?
Ideas (only their “expression”)
Inventions (covered by patents)
Names, titles or slogans (this is covered by trademarks)
What is the purpose of copyright?
Incentivise creators to make new works and give them control of their creations.
What can you use copyrighted material without permission for?
research or study
criticism or review
parody or satire
reporting the news
provision of legal advice.
Define the term “essential eight” (don’t list them)
Developed by the Australian Signals Directorate (ASD).
The most effective of these mitigation strategies to help organisations protect themselves against various cyber threats.
List The mitigation strategies that constitute the Essential eight
patch applications
patch operating systems
multi-factor authentication
restrict administrative privileges
application control
restrict Microsoft Office macros
user application hardening
regular backups.
The essential eight are implemented in maturity models. What are maturity models?
Maturity models are designed to assist organisations to implement the Essential Eight in a graduated manner based upon different levels of malicious actors' tradecraft (i.e. tools, tactics, techniques and procedures) and targeting.
They can also be used to provide a high-level indication of an organisation's cybersecurity maturity.
Define features of a level 0 of a maturity model
Organisation has weaknesses in its overall cybersecurity posture.
Define features of a level 1 of a maturity model
Threat: actors using widely available, commodity tradecraft.
Opportunistic attacks (e.g., exploiting unpatched vulnerabilities).
Use of stolen, reused, brute-forced, or guessed credentials.
Define features of a level 2 of a maturity model
Threat: actors with more capability and persistence than Level One.
Invest more time in targets and tool effectiveness.
Use well-known tradecraft to bypass controls and evade detection.
Actively target credentials via phishing.
Employ technical + social engineering to circumvent weak MFA.
Define features of a level 3 of a maturity model
Threat: adaptive actors with less reliance on public tools.
Exploit weaknesses like outdated software or poor logging/monitoring.
Extend access, evade detection, and strengthen foothold.
Rapidly weaponise new exploits when they become available.
Use diverse tradecraft to increase chance of success.
What are the Privacy Act 1988 APPs relating to cybersecurity?
APP | Principle | Description
---|---|---
APP 1 | Open and transparent management of personal information | Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up-to-date APP privacy policy.
APP 6 | Use or disclosure of personal information | Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
APP 8 | Cross-border disclosure of personal information | Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
APP 9 | Adoption, use or disclosure of government related identifiers | Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
APP 11 | Security of personal information | An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
(basically just not APP 3)
List the features of Privacy Act 1988:
Federal or State?
main focus?
How many APPs?
federal
Personal information handled by some private organisations and by Australian Government agencies
13 Australian Privacy Principles (APPs)
Who does the Privacy Act 1988 apply to and who does it not apply to?
Applies to:
Australian Government agencies
organisations with an annual turnover more than $3 million
an organisation that provides a “health service” e.g.
Doctors, hospitals, allied health
Gyms or weight loss clinics
Childcare and private schools
a business that sells or purchases personal information
Does not apply to:
state or territory government agencies
universities, government schools
individuals
some other exceptions exist.
List the features of Privacy and Data Protection Act 2014:
Federal or state?
main focus?
amount of IPPs?
federal
Personal information (except health) handled by Victorian public sector organisations
10 Information Privacy Principles (IPPs)
Who does the Privacy and Data Protection Act 2014 apply to?
Victorian public sector organisations
local councils
government schools, universities and TAFEs
What are the Privacy and Data Protection Act 2014 IPPs relating to cybersecurity?
IPP | Principle | Description
---|---|---
IPP 1 | Collection | An organisation can only collect personal information if it is necessary to fulfil one or more of its functions. It must collect information only by lawful and fair means, and not in an unreasonably intrusive way. It must provide notice of the collection, outlining matters such as the purpose of collection and how individuals can access the information. This is usually done by providing a Collection Notice, which should be consistent with an organisation's Privacy Policy.
IPP 2 | Use and disclosure | Personal information can only be used and disclosed for the primary purpose for which it was collected, or for a secondary purpose that would be reasonably expected. It can also be used and disclosed in other limited circumstances, such as with the individual's consent, for a law enforcement purpose, or to protect the safety of an individual or the public.
IPP 4 | Data security | Organisations need to protect the personal information they hold from misuse, loss, unauthorised access, modification or disclosure. An organisation must take reasonable steps to destroy or permanently de-identify personal information when it is no longer needed.
IPP 5 | Openness | Organisations must have clearly expressed policies on the way they manage personal information. Individuals can ask to view an organisation's Privacy Policy.
IPP 9 | Transborder data flows | If an individual's personal information travels outside Victoria, the privacy protection should travel with it. Organisations can only transfer personal information outside Victoria in certain circumstances, for example, if the individual consents, or if the recipient of the personal information is subject to a law or binding scheme that is substantially similar to the Victorian IPPs.
(Basically not IPP 7 and 10)