BOOK: Ch 1, 3, 4 & 5

Question 1

Takes place when one entity pretends to be a different entity

Answer 1

A Masquerade

Question 2

Limit information system access to authorized users, processes acting on behalf of authorizedusers, or devices (including other information systems) and to the types of transactions and functions thatauthorized users are permitted to exercise.

Answer 2

Access Control

Question 3

Means that every access must be checked against theaccess control mechanism.

Answer 3

Complete mediation

Question 4

Means that the design of a security mechanism should be openrather than secret. For example, although encryption keys must be secret, encryptionalgorithms should be open to public scrutiny.

Answer 4

Open Design

Question 5

Can be viewed as a specific form of isolation based on object-oriented functionality.

Answer 5

Encapsulation

Question 6

In the context of security refers both to the development of securityfunctions as separate, protected modules and to the use of a modular architecturefor mechanism design and implementation.

Answer 6

Modularity

Question 7

Is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities

Answer 7

Attack Tree

Question 8

In this type of attack, the attacker is able to interceptcommunication between the UT and the IBS.

Answer 8

Injection of Commands

Question 9

Deals with computer-related assets that are subject to a variety of threats and for whichvarious measures are taken to protect those assets.

Answer 9

Computer Security

Question 10

In the nature of eavesdropping on, or monitoring of, transmissions.The goal of the attacker is to obtain information that is being transmitted.

Answer 10

Passive Attacks

Question 11

Involve some modification of the data stream or the creationof a false stream and can be subdivided into four categories: replay, masquerade,modification of messages, and denial of service.

Answer 11

Active Attacks

Question 12

Four means of authenticating a user’s identity.

Answer 12

1. Something the individual knows.2. Something the individual possesses.3. Something the individual is (static biometrics). [Retina, fingerprint]4. Something the individual does (dynamic biometrics). [voice pattern, typing rhythm]

Question 13

How are hashed passwords are implemented?

Answer 13

The password and salt serve as inputs to ahashing algorithm to produce a fixed-length hash code. The hash algorithm isdesigned to be slow to execute in order to thwart attacks. The hashed passwordis then stored, together with a plaintext copy of the salt, in the password file forthe corresponding user ID.

Question 14

Biometric Enrollment, Verification and Identification

Answer 14

1. Each individual who is tobe included in the database of authorized users must first be enrolled in the system. This is analogous to assigning a password to a user.2. Verification is analogous to a user logging onto a system by using a memory card or smart card coupled with a password or PIN.3. The individual uses the biometric sensor butpresents no additional information. The system then compares the presented templatewith the set of stored templates.

Question 15

Challenge-Response Protocol

Answer 15

In this case, the computer system generates a challenge, such as a random string of numbers. The smart token generates aresponse based on the challenge.

Question 16

Controls access based on the identityof the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do.

Answer 16

Discretionary access control (DAC)

Question 17

Controls access based on comparingsecurity labels (which indicate how sensitive or critical system resources are) with security clearances (which indicate system entities are eligible to accesscertain resources).

Answer 17

Mandatory access control (MAC)

Question 18

Controls access based on the roles thatusers have within the system and on rules stating what accesses are allowed tousers in given roles.

Answer 18

Role-based access control (RBAC)

Question 19

In the context of access control, this is an entity capable of accessing objects. Generally, the concept of_____equates with that of process.

Answer 19

Subject

Question 20

In the context of access control, is a resource to which access is controlled. In general, an _____is an entity used to contain and/or receive information.

Answer 20

Object

Question 21

Are roles such that a user can be assigned to onlyone role in the set.

Answer 21

Mutually exclusive roles

Question 22

Refers to setting a maximum number with respect to roles. Onesuch constraint is to set a maximum number of users that can be assigned to a givenrole.

Answer 22

Cardinality

Question 23

Which dictates that a user can only be assigned to a particular role if it is already assigned to some otherspecified role.

Answer 23

Prerequisite Role

Question 24

Which is a suite of programs for constructing and maintaining the database and foroffering ad hoc query facilities to multiple users and applications.

Answer 24

Define a database management system (DBMS)

Question 25

Provides a uniform interface to the database for users and applications.

Answer 25

Query Language

Question 26

In a ____________, the basic building block is a relation, which is a flat table. Rows are referred to as tuples, and columns are referred to as attributes.

Answer 26

Relational DB

Question 27

Focuses on the requirements of “what” cloud services provide, not a “how to” design solution and implementation.

Answer 27

Cloud Computing Reference Architecture