9 - Security Vulnerabilities, Threats, and Countermeasures Flashcards
What is Computer Architecture?
An engineering discipline concerned with the design and construction of computing systems at a logical level.
What is Hardware?
The physical components of a computer.
What is a processor?
A processor (or microprocessor/central processing unit) is the computer’s nerve center. It governs all major operations and either directly performs or coordinates the calculations that allow a computer to perform its intended tasks.
The CPU is designed to perform a limited set of tasks that the OS and compiler break down for it, which allows it to perform computational and logical tasks at blazing speeds.
What are the different execution types of processing?
- Multitasking: Handling two or more tasks at once.
- Multicore: A chip/CPU containing 2, 4, 8, or potentially dozens of independent execution cores that can operate simultaneously.
- Multiprocessing: A multiprocessor computing system where a complex query is distributed amongst all the processors.
  - Simple Multiprocessing (SMP): Where a single computer contains multiple processors that are treated equally and controlled by a single operating system. Processors share the OS, common data bus, and memory resources. Good for simple operations at high speeds.
  - Massively Parallel Processing (MPP): Systems that house hundreds or thousands of processors, each of which has its own operating system and memory/bus resources. A single processor breaks down a computationally complex task into manageable parts and distributes them to other processors for execution. After the task is completed, results are sent to the coordinating processor for assembly and returned to the requesting application. Good for processing very large, complex, intensive tasks.
- Multiprogramming: Pseudosimultaneous execution of two tasks on a single processor coordinated by the operating system. When one process stops to wait on a peripheral, its state is saved and the next process in line begins. The first process does not resume until all processes in the batch have had a chance to execute and stop for a peripheral. Total time for all processes is reduced in theory. Usually found in legacy systems and generally coordinated by separate software.
- Multithreading: Permits multiple concurrent tasks to be performed within a single process.
  - Thread: A self-contained sequence of instructions that can execute in parallel with other threads that are part of the same parent process.
What are the different security states of a system?
- Single State: A system that only handles one security level at a time. Only users who are approved for that level can use that machine.
- Multistate: Certified to handle multiple levels of security simultaneously by using security mechanisms that prevent information from crossing security levels.
What are the different Protection Mechanisms?
- Protection Rings: Organize the code and components of an OS into concentric rings. The deeper inside you go, the higher the privilege level of the code, which has access to more resources and runs first. Generally used in a four-ring model:
  - Ring 0: OS Kernel/memory
  - Ring 1: Other OS components
  - Ring 2: Drivers/Protocols, etc.
  - Ring 3: User-level Programs and Applications
  - Mediated-Access Model: Where higher-numbered processes must ask a handler (system call) for access to a lower-numbered process.
  - Modern OS’s break memory into 2 segments:
    - Kernel/Privileged Mode
    - User Mode
- Process States (Operating States): Various forms of execution in which a process may run.
  - Where an OS is concerned, processes can be classified as:
    - Supervisor State: Privileged, all-access.
    - Problem State: User state.
  - Ready State: Process is ready to resume or begin processing as soon as it is scheduled for execution.
  - Waiting State: Process is ready for continued execution but is waiting for a device or access request to be serviced before it can continue processing.
  - Running State: Process executes on the CPU and keeps going until it finishes, its time slice expires, or it is blocked for some reason.
  - Supervisory: When the process must perform an action that requires privileges that are greater than the problem state’s set of privileges.
  - Stopped: Process finishes or must be terminated.
- Security Modes: 4 modes designated by the US government for systems that process classified information:
  - Dedicated Mode: Equivalent to single state systems.
    - Each user must have a security clearance that permits access to all information processed by the system.
    - Each user must have access approval for all the information processed by the system.
    - Each user must have a valid need to know for all information processed by the system.
  - System High Mode:
    - Each user must have a security clearance that permits access to all information processed by the system.
    - Each user must have access approval for all the information processed by the system.
    - Each user must have a valid need to know for some information processed by the system but not necessarily all information processed by the system.
  - Compartmented Mode:
    - Each user must have a security clearance that permits access to all information processed by the system.
    - Each user must have access approval for any information they will have access to on the system.
    - Each user must have a valid need to know for all information they will have access to on the system.
    - Compartmented Mode Workstations: Users with necessary clearances can process multiple compartments of data at the same time.
      - Sensitivity Labels: Describe the levels at which objects must be protected.
      - Information Labels: Prevent data overclassification and associate additional information with the objects.
  - Multilevel Mode (Controlled Security Mode):
    - Some users do not have a valid security clearance and do not have access to all information processed by the system, so access is controlled.
    - Each user must have access approval for all information they will have access to on the system.
    - Each user must have a valid need to know for all information they will have access to on the system.
What are the different privilege-based Operating Modes the processor supports?
- User Mode: The basic mode used by the CPU when executing user applications. Protects the system from running code that could accidentally (or intentionally) damage it. Processes are often executed in a controlled environment called a virtual machine (VM), which is isolated from other VMs and processes.
- Privileged Mode: Designed to give the OS access to the CPU’s full instruction set. Only OS components are generally allowed to run in this mode. Different names for this mode include:
  - Privileged Mode
  - Supervisory Mode
  - System Mode
  - Kernel Mode
What is memory and what are the different kinds?
- Memory: The storage bank of information that the computer needs to keep readily available.
  - Read-Only Memory (ROM): Memory the PC can read but cannot change. The contents are burned in at the factory. Generally important information the computer needs to boot up.
    - Programmable Read-Only Memory (PROM): Similar to ROM but the burning of data can be done by the end user, only once!
    - Erasable Programmable Read-Only Memory (EPROM): Similar to PROM but data can be erased:
      - Ultraviolet EPROM: Data can be erased with a light.
      - Electronically EPROM: Deletes by delivering electronic voltages to the pins of the chip to force erasure.
    - Flash Memory: A form of EEPROM but data can be erased and written in blocks/pages versus needing everything deleted.
  - Random Access Memory (RAM): Useful for temporary storage, RAM only retains its information while power is supplied to it. RAM is readable and writable memory.
    - Real Memory: (Main/Primary Memory) Dynamic RAM chips.
    - Cache RAM: Cache is used to speed up access to reusable data from fast memory. There are different levels of cache memory: L1-L4. The closer the data (on-chip, on the motherboard, near core), the faster the memory access.
    - Dynamic: Uses capacitors to store data, which have to be continually refreshed.
    - Static: Uses a flip-flop that does not need refreshing, only power. Faster than dynamic RAM but more expensive.
    - Registers: Onboard CPU memory that is directly accessible to the ALU (Arithmetic Logical Unit) when processing instructions or performing calculations. Data must be in the registers for the ALU to access.
  - Secondary Memory: Refers to magnetic, optical, or flash-based media that contain data not immediately available to the CPU. Must be read in by the OS and stored in real memory. Secondary memory can be used to store massive amounts of information.
    - Virtual Memory: Memory that acts as real memory but usually is read from storage on the fly (known as paging).
What is Memory Addressing? And what are the different schemes of addressing?
Memory addressing is how the processor refers to locations in memory so it knows where to access data. The different addressing schemes are:
- Register Addressing: Each register has a location name for easy tracking.
- Immediate Addressing: Referring to data in the instruction set given.
- Direct Addressing: Where the CPU is provided with an actual address of the memory location to access.
- Indirect Addressing: The actual location of the data isn’t given but the address of another is used to find the data.
- Base+Offset Addressing: Uses a value stored in one of the registers as the base location from which to begin counting. CPU adds the offset to the base address and finds needed data.
What is storage and what are the different types?
Storage: Devices used to store information that can be retrieved any time after it was written (long-term). This can also be called Secondary memory! This kind of storage is known as non-volatile.
- Types: CD, DVDs, flash memory cards
What is the difference between Random v. Sequential storage/access?
- Random: OS can read (and sometimes write) from any point within the device by using an addressing scheme.
- Sequential: Requires that you read (or speed past) any data residing before the data you are accessing. Much cheaper solution.
What are some security concerns for storage?
- Data may remain on storage devices even after it has been erased (data remanence).
  - Sanitizing can destroy all traces of data on a device by using software or destroying the unit.
  - SSDs often store backups of data at lower levels, which do not get deleted upon wiping the unit.
- Physical theft.
  - Use full disk encryption for this purpose.
What are some Input and Output Devices that can present a security risk?
- Monitors: There are programs that can read monitors using the radiation they emit (TEMPEST). Also, shoulder surfing.
- Printers: Sensitive printouts can be taken; also, encrypted traffic may not be implemented.
- Keyboards/Mice: Bugging of these devices can happen (keylogging) and Bluetooth signals can be hijacked.
- Modems: Can allow outsiders to access the network and put unauthorized access points on the networks, among other things. Modems should not be used.
What is Firmware?
(aka Microcode) Software that is stored in a ROM chip that drives the basic operation of a computing device. There are 2 types of firmware:
- BIOS (Basic Input/Output System): Comprised of OS-independent primitive instructions that a computer needs to start up and load the operating system from disk. Usually stored on an EEPROM chip to allow for software updates (“flashing the BIOS”).
  - UEFI (Unified Extensible Firmware Interface): A more advanced interface between OS and hardware which maintains support for legacy BIOS.
- Device Firmware: Many devices need some limited processing power to complete their tasks without taking away from the main OS. So they have these “mini-OS’s” which are entirely contained in firmware chips onboard the devices they serve. Generally, on EEPROM so they can be updated.
What are Client-side Attacks?
Client-side Attacks are any attacks that can harm the user, their data, and/or their system.
What are Applets?
Applets are code objects that are sent from a server to a client to perform some action. They are self-contained miniature programs that execute independently of the server that sent them.
Benefits:
- The Processing burden is shifted to the client.
- The Client is not waiting on a response from the server, and their local response is most of the time faster.
- More secure for the server as it is not receiving any input from the client.
Downsides:
- A remote system is sending code to a user’s system in order to execute.
What are the different types of Applets?
- Java Applets: Java is a platform-independent programming language developed by Sun Microsystems (now owned by Oracle). Most browsers do not support Java anymore. The main benefit of Java is it doesn’t need a specific compiler for each system. It uses the Java Virtual Machine (JVM) which takes the Java code and translates it into a format executable by that specific system. The code can be shared between OS’s without modification.
  - Java applets are simply short Java programs transmitted over the internet to perform operations on a remote system.
  - The Java platform uses a sandbox that executes code in a restricted environment, away from other system resources and with limited privileges.
- ActiveX Controls: Developed by Microsoft and similar to Java applets but use a variety of languages including Visual Basic, C, C++, and Java.
  - Can only execute on systems running MS browsers.
  - Not restricted to a sandbox environment, these controls have full access to the environment and can perform a number of privileged actions.
What are local caches?
Anything that is temporarily stored on the client for future reuse.
What type of attacks happen on local caches?
- ARP poisoning:
  - Dynamic Cache: ARP cache is updated via a falsified ARP reply. This mapping will stay in place until a timeout occurs (usually within 10 mins).
  - Static Cache: Cache is updated locally with some type of malware.
- DNS cache poisoning: Client receives a falsified DNS response and updates its DNS cache.
  - Host File poisoning: HOSTS file is updated with malicious mappings. HOSTS files are generally permanent updates.
  - Authorized DNS server attack: An attack on a local trusted DNS server.
  - Caching DNS server attacks: Modifying the IP address of the DNS server on a local machine. Can be done by script or by compromising a DHCP server.
  - DNS query spoofing: Sending a malicious reply when a client sends a DNS query out.
- Internet Files cache: Internet files that are cached for later use are modified maliciously.
What is a Split DNS system?
Where an organization has 2 DNS servers, one public and one private.
The public server is available for the public to use and query.
The private is only available to internal, authorized users.
What is Data Flow Control?
Data flow is the movement of data between processes, devices, across a network, or over communication channels.
Data Flow Control ensures that receiving systems are not overloaded with traffic, especially to the point of dropping connections or being subject to DoS.
Data Flow Control may be provided by network devices.
What is a Load Balancer?
Used to spread or distribute network traffic load across several network links or network devices.
Generally used to spread a load across multiple members of a server farm or cluster.
Techniques:
- Round Robin
- Random Choice
- Load Monitoring
- Preferencing
What is Database Security?
The protection of the database an organization uses; without it, business tasks can be interrupted and confidential information can be disclosed.
- Aggregation: The functions that combine records from one or more tables to produce potentially useful information. These functions need to have restricted access.
- Inference: Combining several pieces of nonsensitive information to gain access to information that should be classified at a higher level.
- Data Warehousing: Large databases that store large amounts of information from a variety of databases for use with specialized analysis techniques. These warehouses often contain detailed historical information.
  - Data Dictionary: Commonly used for storing critical information about data, including usage, type, sources, relationships, and formats.
  - Data Mining: Techniques that allow analysts to comb through data warehouses and look for potential correlated information.
What is Metadata?
Metadata is data about data or information about data.
Generally stored in a Data Mart, which is a more secure container than a normal data warehouse.
What is Data Analytics?
The science of raw data examination with the focus of extracting useful information out of the bulk information set such as outliers, summary sets, or important information. Also known as “Big Data”.