Help
Options
Didn't know it?
click below
click below
Knew it?
click below
click below
Don't Know
Remaining cards (0)
Know
retry
shuffle
restart
0:00
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
G53SEC
Computer science security module
| Question | Answer |
|---|---|
| What are the three protection measures? | Prevention, detection (Logs, find out what happened and who) and reaction (manual or automatic) |
| What is the CIA triad? | Confidentiality, prevention of unauthorised disclosure of information. Integrity, prevention of unauthorised modification of information. Availability, prevention of unauthorised withholding of information. |
| Define accountability: | Being able to trace a users actions to that user and that user alone. Audit trails must be kept. |
| Define non-repudiation: | A user should not be able to deny the authenticity of their signature, for example if they are a party in a communication. |
| Define dependability: | The property of a computer system such that reliance can be justifiably placed on it's service. |
| What is Focus of control? | In a given application, should the focus of protection mechanisms be data, operations of users. Unix specifies what data can exist and what users can do with that data. |
| What is Layered security? | We can visualise our security model in layers. Each layer protects a boundary, and relies on the security of the layers below it. If the security of the lower layers isn't very good, the upper layers are vulnerable. |
| What does "Complexity vs. Assurance" mean? | Feature rich security systems and high assurance do not match easily. e.g. Linux vs. Windows permissions. |
| What are decentralised controls? | A central entity provides a possible bottleneck. A distributed solution is a more efficient but harder to manage solution. It allows delegation of permissions. |
| Define encryption: | We encode a message such that only authorised users can read it. |
| Define cipher: | Takes a string of plain-text and converts it into a string of cipher-text. |
| What is a symmetric key? | A key that is used for both encryption and decryption. Usually extremely fast and used for longer term communication. Based on circuits of permutation and substitution. |
| What is an asymmetric key? | Different keys are used for encryption and decryption. Computationally slower and used for key exchange, verification and authentication only. based on entirely mathematical principles. |
| What is frequency analysis? | The frequency of occurrences of each character is very consistent. The longer the cipher text, the easier this becomes. Shorted text is harder due to the lack of data. |
| Describe public key cryptography: | Two keys, public and private. Hinges on the fact it is computationally infeasible to calculate a private from a public key. Allows us to exchange private symmetric keys "in the open". The sender of the message can be verified. |
| What are some vulnerabilities to Diffie Hellman key exchange (DHKEX)? | A man in the middle attack. The attacker could intercept the initial communication from party A, then create two separate key exchanges with party A and B. Simply re-encrypting each message would allow them to sit in the middle of the conversation. |
| What is perfect forward secrecy? | Generate new keys for each session, rather than using persistent ones. A DHKEX key might be broken. Ephemeral mode in protocols such as TLS enforces this this refresh to happen. |
| What are the benefits of elliptical curve cryptography? | It is much stronger than traditional public key schemes for the same key length. |
| What are the properties of integer factorisation? | Any integer can be expressed as the multiplication of a list of prime numbers. The longer the value, the harder and slower this calculation gets. Semi-primes are the hardest number to factor. |
| What is a semi-prime? | The product of two primes, n = pq |
| What is the Euler Totient function? | Integers a and b are relatively prime if they do not share a divisor except . The Euler totient is the integers from 1 -> n-1 that are relatively prime with n. The totient value of a prime is p - 1. For two primes multiple it's (p-1)(q-1). |
| What is RSA? | Based on integer factorisation. Provides both encryption and authentication. |
| What is a hash function? | Takes a message of any length and returns a pseudo-random hash of fixed length. The output must be indistinguishable from random noise. Bit changes must be diffused through the entire output. |
| A key property of a hash function is that it is one-way, what does this mean? | Given h(m), we cannot calculate m easily. |
| A key property of a hash function is that it has weak collision resistance, what does this mean? | Given M, and h(m), we cannot find some M' such that h(m) = h(m'). |
| A key property of a hash function is that is has strong collision resistance, what does this mean? | We can't find some message pair m != m' such that h(m) = h(m'). |
| What is a birthday attack? | Given a hash function outputs n bit hashes, you will find a collision after about 2^^n/2 random attempts. The output of a hash must be long enough to avoid this. |
| What is a message authentication code? | Provides integrity and authenticity, not confidentiality. This protects system files and ensures messages haven't been altered. A hash of the message is calculated and appended to the end. A shared key could be included to preserve message integrity. |
| What is a digital signature? | Used to verify the sender, which a MAC does not do. We used a trusted third party in order to verify the ownership of a public key. The receiver knows they have the senders genuine key and they are not an impostor, an important part of TLS. |
| What are three types of authentication credential? | Something you have (e.g. a key card), something you know (e.g. a password) and something you are (e.g. a fingerprint). |
| What is the difference between identification and authentication? | Identification is displaying who you are and allowing others to recognise you. Authentication is verifying that identity, proving you are who you say you are |
| What is TOCTTOU? | Time of Check to Time of Use. It is repeated authentication most commonly seen in online banking. The user must authenticate at the start and during the session. |
| What are the issues with passwords? | They are digital keys. People can forget them, they can be guessed, they could be stolen via spoofing or phishing or from a compromised and weakly protected password file. |
| What is the difference between offline and online password cracking? | Offline means you have a copy of the hash locally. Online means you are attempting to gain access through an actual login terminal. |
| How is the difficulty of brute force calculated? | {char_count}^^length |
| What is password salting? | A random salt is prepended to a password before hashing. This salt is stored un-encrypted alongside the hash in the database. It protects uses who use the same password, and makes cracking multiple passwords slower. Prevents rainbow table attacks. |
| What is pretexting? | It is there for when password cracking fails. The use of other information to obtain private details such as the users date of birth or mothers maiden name. |
| Why does hashing speed play an important role in password cracking? | Newer algorithms take longer by design, reducing the speed at which an attacker can try different passwords. However, this does have a trade-off as it would be impractical for a large site such as Amazon. |
| What is two factor authentication? | A combination of something you know with something you have. e.g. a one-time code sent to a phone. |
| What is a principle? | An entity that can be granted access to objects or can make statements affecting access control decisions. It is an entity that owns or uses a file. |
| What is a subject? | An active entity within an IT system. Usually tries to access a file on behalf of a principle. e.g. a process running under a user identity. |
| What is an object? | Files or resources. Two options for control: What a subject is allowed to do, what may be done to an object. |
| What is discretionary ownership? | Owner can be define for each resource. The owner controls who gets access. |
| What is mandatory ownership? | There could be a system-wide policy. Similar to the military (e.g. confidential, secret, top-secret) |
| What does the Unix ownership model simplify access control? | It only considers the owner, group and others. The user is the current owner, the group is a named group entity and others are everyone else. |
| What is the Shadow file? | Stores password hashes in an attempt to improve security. It is readable only by the root user. This is an attempt to improve security by not allowing all users to view it. |
| What is an inode? | Stores permission information. Get permission to access this then reference this to get hardware info. |
| A permission is in the format of "754" or "666" in Unix. What do these number mean? | The first bit is the permissions of the user, the second the permissions of the group and the last the permissions for everyone else. These relate to a file object. |
| What is SUID? | Set UID: Sets the effective user to be the file owner when executed. It is necessary to allow non-privileged access to privileged actions. |
| What is an access control matrix? | Access control rights are defined individually for each combination of subject and object. Quite an abstract concept, but would allow for very fine grained control. Not practical as it requires a lot of memory to scale up. |
| What is an access control list? | It is stored with an object itself, corresponding to a column of an access control matrix. |
| What is an object in Windows Security? | Executive objects (processes, threads, etc..) and private objects (files and directories). |
| What is an access token in windows security? | Security credentials for a login session are stored in access tokens. Identifies the user, their groups and privileges. |
| How did user account control tokens work after windows vista? | Users have two tokens, a heavily restricted one and a default one. A prompt allows users to spawn a process with the other token. |
| What is a Domain? | Centralised security administration, providing a single sign-on for network resources. The Domain Controller (DC) handles user accounts and access control, using a trusted 3rd party for authentication. |
| What is Ctrl + Alt + Del known as and what is it used for? | The secure attention sequence. It is used to begin the interactive login sequence for the user. |
| What does the interactive logon process contain? | WinLogon - The process responsible for authenticating users. Graphical Identification and Authentication. The Local Security Authority. An authentication package. |
| What is a credential provider? | WinLogon uses a LogonUI to query credential providers, they don't actual log you in but serialise your credentials and pass them to the LSA. |
| What is Kerberos? | A network authentication protocol, the default for windows. It uses symmetric encryption and requires a trusted third party. |
| What are some important features of kerberos? | Including nonces / timestamps to prevent replay attacks. It buries domain group IDs inside tickets for access checks. The ticket granting ticket usually exists until log off or rotates daily - a problem if your user rights have changed. |
| What is a reference monitor? | An access control concept that refers to an abstract machine which mediates al access to objects by subjects. |
| What is the security kernel? | The hardware, firmware and software elements of a Trusted Computing Base that implement the reference monitor. |
| What is a Trust Computing Base (TCB)? | The totality of protection mechanisms within a computer system responsible for enforcing a security policy. |
| Why is the placement of a reference monitor better the lower it is? | We can assure a higher degree of security. They are usually simple structures to implement. Reduced performance overheads. Fewer layer below attack opportunities. However, access control decisions are far removed from applications. |
| What does the operating system do towards OS integrity? | Arbitrates access requests. It itself is a resource that must be accessed. However, users must not be able to modify the OS but must be able to use it. |
| How are modes of operation used to ensure OS integrity? | Defines which actions are permitted in which mode e.g. system calls, machine instructions and Input/Output. It distinguishes between commands done on behalf of the OS and the user. A status flag within the CPU allows the OS to operate in different modes. |
| What does controlled invocation do to ensure OS integrity? | Allows us to execute privileged instructions safely, before returning to user code. Many functions are held at kernel level such as networking and file IO. These are quite reasonably called from user code. Interrupts allow us to transfer from ring 0->3. |
| How is an interrupt processed? | The CPU switches execution to the location given in an interrupt descriptor table. The handler then services the request and returns to the user code. |
| What is an interrupt descriptor and selector? | Holds information on crucial system objects like kernel structure locations. Descriptors are held in descriptor tables, and contain a descriptor privilege level (DPL). They are indexed by selectors and loaded when required. |
| What does the CPU do to protect the kernel when a selector is loaded? | It checks the Current Privilege Level (CPL) when the selector is loaded. |
| What is an interrupt gate? | A descriptor that has a higher privilege level than where they point. Since these are created by the kernel they offer a secure means of entry into ring 0. |
| What is a process and a thread? | A process is a program being executed, existing in it's own address space and communicating with other processes via the OS. A thread is a strand of execution within a process that shares a common address space. |
| What is segmentation and why is it useful in memory protection? | Dividing data into logical units, good for security but causes challenging memory management. Not used much in modern OSs. |
| What is paging and why is it useful in memory protection? | Paging is the division of memory into pages of equal size, providing efficient memory management. However, it is not as good for access control but is extremely common in modern OSs. |
| What is Memory Address Translation? | All programs see the system memory as a virtual, continuous blocks of memory. These must be translated from the physical address space which obviously does not exist in this way. A page table maps from a linear address space to a physical address space. |
| What are the valid / invalid bits used for in page tables? | The valid pages have page numbers allocated to the currently executing process. Invalid pages are either non-existent (not mapped for this process) or are in the page table but belong to other processes. |
| What is a shared page? | Pages that are valid but read only can be shared by multiple processes. For example browser program code shared between multiple browser processes. |
| What is the NX Bit? | Newer intel processors add NX/XD bits into the page table to allow execute permissions. This prevents the execution of non-program data. |
| What is malware? | Malicious software. Usually categories on how it proliferates and what it does. |
| What is a vector? | The mechanism through which malware infects a machine. Sometimes a software vulnerability or someone clicking something they shouldn't. |
| What is a payload? | The actual malware deposit on the machine or the harmful results. Ranging in severity from essentially nothing to completely destroying the system. |
| What is a virus? | A piece of self-replicating code that propagates by burying itself in some other code. It installs itself without the users knowledge or consent. |
| What is a worm? | A self-replicating and stand alone program that spreads without human intervention. It exploits known software vulnerabilities to spread. |
| What was MS Blaster? | A worm that spread between machines on an internal network easily that have no port filtering. It used a buffer overflow in a Remote Procedure Call (RPC) service, then DDOSing windowsupdate.com (the wrong website ironically). |
| What is Sasser? | A work that used a buffer overflow in the Local Security and Authority Subsystem service (LSASS). It scans IP addresses and infects via port 445. |
| What is an exploit? | A vulnerability that allows access to a system. Many of them are reverse engineered from patches or developed simultaneously. A zero-day exploit is one that has not been previously seen. |
| What is a trojan? | A malicious program pretending to be a legitimate application. They do not replicate themselves. |
| What is ransomware? | Encrypts or blocks access to file sand demands a ransom. These are usually distributed on malicious websites or to already infected machines. |
| What is a backdoor? | Provides easy access to a system once you have already gained access. |
| What is a rootkit? | Hides malicious code from the OSs process table. It is often activated before / during boot, and used to hide other malware from standard countermeasures. Often installs on the kernel itself, hooking into system call tables or the master boot record. |
| What is signature based anti-virus? | Store a small code signature (e.g. a hash) for each virus. The files are then scanned in bulk or at run-time, comparing their signatures with those in the database. |
| What is heuristic based anti-virus? | Executes programs in a specialised virtual machine, determining if it exhibits actions or characteristics a malicious program typically has. |
| What is a buffer overflow? | When a program is executed, contiguous blocks of memory can be allocated to store arrays. If data is written into a buffer that exceeds its size an overflow occurs. This can be used to overwrite the return address, replacing it with malicious code. |
| What is a canary and what does it protect? | Modifies the prologue & epilogue of all functions to check a value in front of the return address has not changed. If you can work out the canary value however there is no issue, you could also corrupt the standard exception handler. |
| What is data execution protection (NX) and what does it protect? | Modern OSs will mark the stack as non-executable. Adding in our exploit code won't work. This could be circumvented with a return-to-libc attack. |
| What is return oriented programming? | Finding short sections "gadgets: of an exploitable program that do what we want, and linking them together. |
| What is a passive network attack? | Eavesdropping / wiretapping / sniffing / traffic analysis. The attacker does not modify the communication in any way, purely gathering intel. |
| What is an active network attack? | Phishing / squatting attacks. The attacker manipulates the messages in some way, be that modifying the content, replaying or stopping entirely. |
| What is the Security Parameter Index (SPI)? | Stores security parameters such as the crypto protocols and keys . Established by Internet Security associated and key management protocol (ISAKMP) during the Internet key exchange (IKE) handshake. This uses DEX. The SPI references the entry in a table. |
| What are the two major security mechanisms of IP? | The IP Authentication Header (AH) The IP Encapsulating Security Payload (ESP) |
| What does Transport mode do? | Simply encrypts packets, providing host to host encryption but using the original header. This prevents the contents being read but doesn't stop manipulation of the header or traffic analysis. |
| What does Tunnel mode do? | Usually gateway-to-gateway, protects some segment of a channel with encryption. This provides some resistance to traffic analysis and completely protects against manipulation of the header. |
| What is ARP? | A protocol used in IPv4 to obtain physical MAC addresses for given IPs. This is used prior to constructing IP and TCP packets for communication. |
| What is ARP cache poisoning? | Send an un-requested ARP reply and overwrite the MAC address in a hosts ARP cache with our own. This means all traffic between the router and other machine will travel via our Ethernet adapter. A man in the middle attack. |
| What is a Denial of Service (DOS)? | An attempt to make a machine or network resource unavailable to authorised / intended users. Usually involves flooding a machine with enough requests that it can't serve it's legitimate purpose. A distributed version of this involves more than one machine |
| What is a smurf amplification attack? | Broadcast an ICMP ping request to a router with a spoofed origin address (the victims). All machines that receive the broadcast will respond to this request, sending their data to the victims IP. |
| What is a firewall? | A hardware or software system that prevents unauthorised access of packets from one network to another. All data leaving or entering a subnet must pass through it. |
| What is a network firewall? | Placed between a subnet and the internet. An example of this is a standard home router. They cannot protect against the transfer of virus infected programs or files. |
| What is a host firewall? | A firewall placed on an individual machine. Can only monitor the one machine. |
| What is a demilitarised zone (DMZ)? | A small subnet that separates externally facing services from the internal network. Used to protect a local area network from the internet. |
| What is a black list firewall policy? | Allow everything except dangerous services. This ins't necessarily food as it is very easy to make a mistake or forget something. |
| What is a white list firewall policy? | Block everything except designated useful services. This is more secure by default but it is possible to accidentally DOS yourself. |
| What are the issues with packet filtering? | They cannot prevent attacks that employ application specific vulnerabilities. They do not support higher level authentication schemes. It is easy to accidentally allow or deny packets incorrectly. |
| What is a stateful packet filter? | Understands requests and replies, allowing it to dynamically generate rules. |
| What is a cookie and what different types are available? | A cookie is a small text file used to provide persistence. Servers can provide cookies during HTTP responses and a browser will return any cookies for a given domain in GET/POST requests. Types: Session, Persistent, Secure, HTTPOnly. |
| What is a third party cookie? | Some websites include requests to other domains such as third party advertisers. These serve a lot of cookies, which are returned to the advertiser any time a website includes on of their ads. Allows detailed info to be constructed over time. |
| What vulnerabilities do cookies provide? | Many websites create an SID to authenticate users and "keep them logged on". If you can obtain this cookie you can hijack a users session. HTTP cookies can be stolen simply by monitoring, HTTPS cookies would require XSS or DNS poisoning. |
| What is the record layer of TLS? | Using established symmetric keys and other session info we will encrypt application packets very like IPSec. |
| What is the handshake layer of TLS? | Used to establish session keys as well as authenticate either party - usually the server using a public-key certificate. |
| What does the TLS handshake consist of? | Establish the master secret, resume sessions, authenticate the identity of the server or client. |
| What does a Cross Site Scripting (XSS) attack involve? | Injecting HTML structures into the content of a website that the browser executes. e.g. a <script> tag. |
| What is reflected XSS? | A malicious URL that inserts an exploit directly into the page returned by a server. |
| What is persistent XSS? | Any website that doesn't properly sanitise website user input fields (removing HTML tags). |
| What is Cross-Site request forgery (XSRF)? | When a user sends a HTTP request, any relevant session cookies are automatically included, If the user has already authenticated, a malicious URL could then perform some action on their account. |
| How do you prevent XSRF? | XSS vulnerabilities make it a lot easier so these need to be solved first. Synchronisation tokens need to be used, a one-time token that the server validates when the form is submitted. |
| How do you prevent XSS? | Aggressively escape all HTML tags and their various obfuscated versions. |
| What are the three entities of an SQL system and how do they interact? | Users, actions and objects. Users invoke actions on objects. Newly created objects are owned by the creator. |
| What is view-based SQL security? | A flexible way of creating policies closer to application requirements. Views can implement controlled invocation and data can be easily reclassified. |
| What are the downsides the view-based SQL security? | INSERT/UPDATE depend on the CHECK options, otherwise they might be blind inserts. Completeness and consistency are not achieved automatically. Can quickly become very inefficient. |
| What is inference? | Access is not permitted to individual items. Statistical queries are useful and allowed, but using the correct ones can provide a lot more information about the actual data than one would like. |
| What is tracking? | Direct attack, aggregate is computer to capture information of individual data elements. Indirect attacks, combines information from several aggregates. Tracker attacks are a generalised indirect attack. |
| What are some defences of statistical databases? | Data swapping, swap records but keep the stats the same. Noise addition, alter aggregate output (only a little). Table splitting, separate data completely. User tracking. |
| What is blind SQL injection? | Most servers don't directly output SQL errors, so the database analysis is performed without any actual output. |
| What is second order SQL injection? | Entry points may be checked for special characters, but internal functions generally aren't. The malicious function is stored on one pass and executed on another. |
| What is an Intrusion Detection System (IDS)? | Detects possible intrusion attempts whilst generating alerts and logs for administrators. |
| What is an Intrusion Prevention System (IPS) ? | Identical to an IDS but also tries to stop the attack. |
| What is a host based IDS? | Monitor a single host to find suspicious activity including resource/app usage. Runs on a host within a protected LAN / VPN. Creates a profile of usage for specific users. |
| What is a network based IDS? | Placed at a viewpoint on a network to examine and analyse traffic. Installed on a firewall or in a DMZ. Installed behind a screen subnet. May perform deeper analysis than many firewalls. |
| What are the components of an IDS? | Sensors / agents collection and collate data from multiple viewpoints on a network. Analysers ascertain if an intrusion has taken place. Reporting notifies the administrators via alerts on a console or GUI. |
| What is stateful packet analysis detection mode? | More complex version of a stateful packet filter. Hold detailed session information on protocols being used, examine for attacks. Computationally costly and requires the IDS to have all possible versions of these protocols describe in the DB. |
| What is a signature based IDS? | Similar to anti-virus, signatures are create and stored in a database. Includes operations as well as binaries. If an operation matches an alarm is triggered. |
| What are the signs of a host port scanning? | Large amounts of ICMP traffic, many TCP packets (SYN) and connections going to a variety of other hosts. NMAP detection can be reduced by decreasing the speed of the scan, meaning the packets get lost amongst the others on the network. |
| What is anomaly detection? | Uses machine learning. A profile of "normal usage" is built up and alarms are triggered when usage moves beyond this. Can create false negatives and positives. |
Created by:
Sparksy
Popular Computers sets