CHAPTER 3: AUDITING OPERATING SYSTEMS AND NETWORKS Flashcards
The _________ is the computer’s control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.
operating system
________ involves policies, procedures, and controls that determine who can access the operating system, which resources (files, programs, printers) they can use, and what actions they can take.
Operating system security
A formal ________ is the operating system’s first line of defense against unauthorized access. When the user initiates the process, he or she is presented with a dialog box requesting the user’s ID and password. The system compares the ID and password to a database of valid users.
Log-on procedure
If the log-on attempt is successful, the operating system creates an _________ that contains key information about the user, including user ID, password, user group, and privileges granted to the user. The information here is used to approve all actions the user attempts during the session.
access token
An ______ is assigned to each IT resource (computer directory, data file, program, or printer), which controls access to the resources. These lists contain information that defines the access privileges for all valid users of the resource. When a user attempts to access a resource, the system compares his or her ID and privileges contained in the access token with those contained in the access control list. If there is a match, the user is granted access.
access control list
Resource owners in this setting may be granted ___________, which allow them to grant access privileges to other users.
discretionary access privileges
________ include hardware failures that cause the operating system to crash.
Accidental threats
__________ may cause whole segments of memory to be dumped to disks and printers, resulting in the unintentional disclosure of confidential information.
Accidental system failures
_________ to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain. However, a growing threat is destructive programs from which there is no apparent gain.
Intentional threats
Systems administrators and systems programmers require unlimited access to the operating system to perform maintenance and to recover from system failures. Such individuals may use this authority to access users’ programs and data files.
Privileged personnel who abuse their authority
Looking through memory for sensitive information (e.g., in printer queue)
Browsing
Pretending to be an authorized user by obtaining that user's ID and password
Masquerading
The most common method to get your password is for someone to look over your shoulder! Make sure your password is a combination of upper/lower case letters, numbers, special characters.
Shoulder surfing
A virus must attach itself to another program; worms are self-contained.
Viruses & worms
Management should ensure that individuals are not granted privileges that are incompatible with their assigned duties.
Privileges determine which directories, files, applications, and other resources an individual or group may access. They also determine the types of actions that can be taken.
Controlling Access Privileges
A ________ is a secret code the user enters to gain access to systems, applications, data files, or a network server.
password
The most common forms of contra-security behavior include:
- Forgetting passwords and being locked out of the system.
- Failing to change passwords on a frequent basis.
- The Post-it syndrome, whereby passwords are written down and displayed for others to see.
- Simplistic passwords that a computer criminal easily anticipates.
The most common method of password control is the __________. The user defines the password to the system once and then reuses it to gain future access.
reusable password
An alternative to the standard reusable password is the ___________.
one-time password
Under this approach, the user’s password changes continuously. This technology employs a credit card–sized smart card that contains a microprocessor programmed with an algorithm that generates, and electronically displays, a new and unique password every 60 seconds. The card works in conjunction with special authentication software located on a mainframe or network server computer.
One-time passwords
_____ are logs that record activity at the system, application, and user level.
System audit trails
_______ involves recording both the user’s keystrokes and the system’s responses.
Keystroke monitoring
_________ summarizes key activities related to system resources.
Event monitoring
A ________ can also be used to report changes in system performance that may indicate infestation by a virus or worm.
real-time audit trail
_________ are posed by dishonest employees who have the technical knowledge and position to perpetrate frauds.
intranet risks
________ that threaten both consumers and business entities.
Internet risks
______ consist of small LANs and large WANs that may contain thousands of individual nodes.
They are used to connect employees within a single building, between buildings on the same physical campus, and between geographically dispersed locations.
Typical activities include e-mail routing, transaction processing between business units, and linking to the outside Internet.
Intranets
The unauthorized interception of this information by a node on the network is called _________.
sniffing
_______ is a form of masquerading to gain unauthorized access to a Web server and/or to perpetrate an unlawful act without revealing one’s identity. To accomplish this, a perpetrator modifies the IP address of the originating computer to disguise his or her identity.
IP spoofing
A ________ is an assault on a Web server to prevent it from servicing its legitimate users. Although such attacks can be aimed at any type of Web site, they are particularly devastating to business entities that are prevented from receiving and processing business transactions from their customers.
denial of service attack (DoS)
When a user establishes a connection on the Internet through TCP/IP, a three-way handshake takes place.
A _________ is accomplished by not sending the final acknowledgment to the server’s SYN-ACK response, which causes the server to keep signaling for acknowledgment until the server times out.
SYN Flood Attack
______ is used to test the state of network congestion and determine whether a particular host computer is connected and available on the network.
Ping
A _______ involves three parties: the perpetrator, the intermediary, and the victim.
The perpetrator of this attack uses a program to create a ping message packet that contains the forged IP address of the victim’s computer (IP spoofing) rather than that of the actual source computer.
smurf attack
The perpetrator of a _________ attack may employ a virtual army of so-called zombie or bot (robot) computers to launch the attack.
Distributed Denial of Service
______ is a popular interactive service on the Internet that lets thousands of people from around the world engage in real-time communications via their computers.
Internet Relay Chat (IRC)
The collections of compromised computers are known as ____.
botnets
A _____ is a system that enforces access control between two networks.
firewall
________ provide efficient but low-security access control. This type of firewall consists of a screening router that examines the source and destination addresses that are attached to incoming message packets.
Network-level firewalls
__________ provide a higher level of customizable network security, but they add overhead to connectivity. These systems are configured to run security applications called proxies that permit routine services such as e-mail to pass through the firewall, but can perform sophisticated functions such as user authentication for specific tasks.
Application-level firewalls
_________ uses a variety of analytical and statistical techniques to evaluate the contents of message packets. It searches the individual packets for protocol noncompliance and employs predefined criteria to decide if a packet can proceed to its destination.
Deep Packet Inspection (DPI)
_________ is the conversion of data into a secret code for storage in databases and transmission over networks. The sender uses an encryption algorithm to convert the original message (called cleartext) into a coded equivalent (called ciphertext).
Encryption