CHAPTER 3: AUDITING OPERATING SYSTEMS AND NETWORKS Flashcards
The _________ is the computer’s control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.
operating system
________ involves policies, procedures, and controls that determine who can access the operating system, which resources (files, programs, printers) they can use, and what actions they can take.
Operating system security
A formal ________ is the operating system’s first line of defense against unauthorized access. When the user initiates the process, he or she is presented with a dialog box requesting the user’s ID and password. The system compares the ID and password to a database of valid users.
Log-on procedure
If the log-on attempt is successful, the operating system creates an _________ that contains key information about the user, including user ID, password, user group, and privileges granted to the user. The information here is used to approve all actions the user attempts during the session.
access token
An ______ is assigned to each IT resource (computer directory, data file, program, or printer), which controls access to the resource. These lists contain information that defines the access privileges for all valid users of the resource. When a user attempts to access a resource, the system compares his or her ID and privileges contained in the access token with those contained in the access control list. If there is a match, the user is granted access.
access control list
Resource owners in this setting may be granted ___________, which allow them to grant access privileges to other users.
discretionary access privileges
________ include hardware failures that cause the operating system to crash.
Accidental threats
__________ may cause whole segments of memory to be dumped to disks and printers, resulting in the unintentional disclosure of confidential information.
Accidental system failures
_________ to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain. However, a growing threat is destructive programs from which there is no apparent gain.
Intentional threats
Systems administrators and systems programmers require unlimited access to the operating system to perform maintenance and to recover from system failures. Such individuals may use this authority to access users’ programs and data files.
Privileged personnel who abuse their authority
Looking through memory for sensitive information (e.g., in printer queue)
Browsing
Pretend to be authorized user by getting ID and passwords
Masquerading
The most common method to get your password is for someone to look over your shoulder! Make sure your password is a combination of upper/lower case letters, numbers, special characters.
Shoulder surfing
Virus must attach to another program, worms are self-contained
Virus & Worms
Management should ensure that individuals are not granted privileges that are incompatible with their assigned duties.
Privileges determine which directories, files, applications, and other resources an individual or group may access. They also determine the types of actions that can be taken.
Controlling Access Privileges
A ________ is a secret code the user enters to gain access to systems, applications, data files, or a network server.
password
The most common forms of contra-security behavior include:
- Forgetting passwords and being locked out of the system.
- Failing to change passwords on a frequent basis.
- The Post-it syndrome, whereby passwords are written down and displayed for others to see.
- Simplistic passwords that a computer criminal easily anticipates.
The most common method of password control is the __________. The user defines the password to the system once and then reuses it to gain future access.
reusable password
An alternative to the standard reusable password is the___________
one-time password
Under this approach, the user’s password changes continuously. This technology employs a credit card–sized smart card that contains a microprocessor programmed with an algorithm that generates, and electronically displays, a new and unique password every 60 seconds. The card works in conjunction with special authentication software located on a mainframe or network server computer.
One-time passwords
_____ are logs that record activity at the system, application, and user level
System audit trails
_______ involves recording both the user’s keystrokes and the system’s responses.
Keystroke monitoring
_________ summarizes key activities related to system resources.
Event monitoring
A ________ can also be used to report changes in system performance that may indicate infestation by a virus or worm.
real-time audit trail
_________ posed by dishonest employees who have the technical knowledge and position to perpetrate frauds.
intranet risks
________ that threaten both consumers and business entities.
Internet risks
______ consist of small LANs and large WANs that may contain thousands of individual nodes.
______ are used to connect employees within a single building, between buildings on the same physical campus, and between geographically dispersed locations.
Typical activities include e-mail routing, transaction processing between business units, and linking to the outside Internet.
Intranets
The unauthorized interception of this information by a node on the network is called _________.
sniffing
_______ is a form of masquerading to gain unauthorized access to a Web server and/or to perpetrate an unlawful act without revealing one’s identity. To accomplish this, a perpetrator modifies the IP address of the originating computer to disguise his or her identity.
IP spoofing
A ________ is an assault on a Web server to prevent it from servicing its legitimate users. Although such attacks can be aimed at any type of Web site, they are particularly devastating to business entities that are prevented from receiving and processing business transactions from their customers.
denial of service attack (DoS)
When a user establishes a connection on the Internet through TCP/IP, a three-way handshake takes place.
A ________ is accomplished by not sending the final acknowledgment to the server’s SYN-ACK response, which causes the server to keep signaling for acknowledgement until the server times out.
SYN Flood Attack
______is used to test the state of network congestion and determine whether a particular host computer is connected and available on the network.
Ping
A _______ involves three parties: the perpetrator, the intermediary, and the victim.
The perpetrator of this attack uses a program to create a ping message packet that contains the forged IP address of the victim’s computer (IP spoofing) rather than that of the actual source computer.
smurf attack
The perpetrator of a _________ attack may employ a virtual army of so-called zombie or bot (robot) computers to launch the attack.
Distributed Denial of Service
______ is a popular interactive service on the Internet that lets thousands of people from around the world engage in real-time communications via their computers.
Internet Relay Chat (IRC)
The collections of compromised computers are known as ____
botnets
A _____ is a system that enforces access control between two networks.
firewall
________ provide efficient but low-security access control. This type of firewall consists of a screening router that examines the source and destination addresses that are attached to incoming message packets.
Network-level firewalls
__________provide a higher level of customizable network security, but they add overhead to connectivity. These systems are configured to run security applications called proxies that permit routine services such as e-mail to pass through the firewall, but can perform sophisticated functions such as user authentication for specific tasks.
Application-level firewalls
_________ uses a variety of analytical and statistical techniques to evaluate the contents of message packets. It searches the individual packets for protocol noncompliance and employs predefined criteria to decide if a packet can proceed to its destination.
Deep Packet Inspection (DPI)
________ is the conversion of data into a secret code for storage in databases and transmission over networks. The sender uses an encryption algorithm to convert the original message (called cleartext) into a coded equivalent (called ciphertext).
Encryption
The _______ is a mathematical value that the sender selects.
key
The _______ is the procedure of shifting each letter in the cleartext message the number of positions that the key value indicates.
algorithm
What are the two commonly used methods of encryption?
private key
public key
________________ is a 128-bit encryption technique that has become a U.S. government standard for private key encryption.
- Its algorithm uses a single key known to both the sender and the receiver of the message. To encode a message, the sender provides the encryption algorithm with the key, which is used to produce a ciphertext message.
- The message enters the communication channel and is transmitted to the receiver’s location, where it is stored. The receiver decodes the message with a decryption program that uses the same key the sender employs.
Advanced Encryption Standard (AES)
_________ encryption provides considerably improved security over most single encryption techniques.
Triple-DES
This is a form of Triple DES which uses three different keys to encrypt the message three times.
EEE3
This is a form of Triple DES which uses one key to encrypt the message.
EDE3
__________ uses two different keys: one for encoding messages and the other for decoding them.
- Each recipient has a private key that is kept secret and a public key that is published.
- The sender of a message uses the receiver’s public key to encrypt the message.
- The receiver then uses his or her private key to decode the message. Users never need to share their private keys to decrypt messages, thus reducing the likelihood that they fall into the hands of a criminal.
Public key encryption
___________ is a highly secure public key cryptography method. This method is, however, computationally intensive and much slower than standard DES encryption.
RSA (Rivest-Shamir-Adleman)
Sometimes, both DES and RSA are used together in what is called a_______________.
Procedure:
The actual message is encrypted using DES to provide the fastest decoding. The DES private key needed to decrypt the message is encrypted using RSA and transmitted along with the message. The receiver first decodes the DES key, which is then used to decode the message.
digital envelope
A ____________ is electronic authentication that cannot be forged.
digital signature
The _________ is a mathematical value calculated from the text content of the message.
digest
A _________ is used in conjunction with a public key encryption system to authenticate the sender of a message. The process for certification varies depending on the level of certification desired. It involves establishing one’s identity with formal documents, such as a driver’s license, notarization, and fingerprints, and proving one’s ownership of the public key.
digital certificate
________________ is a sequence number used to detect missing messages.
Message sequence numbering
Listing of all incoming and outgoing messages to detect the efforts of hackers.
Message transaction log
- Random control messages are sent from the sender to ensure messages are received
- Using this, a control message from the sender and a response from the receiver are sent at periodic, synchronized intervals. The timing of the messages should follow a random pattern that will be difficult for the intruder to determine and circumvent
request-response technique
- The receiver calls the sender back at a pre-authorized phone number before transmission is completed.
- This restricts access to authorized terminals or telephone numbers and prevents an intruder masquerading as a legitimate user.
Call-back devices
____________ are data errors from communications noise.
–> The most common problem in data communication
Line errors
__________ is made up of random signals that can interfere with the message signal when they reach a certain level.
Noise
The ____________ involves the receiver of the message returning the message to the sender. The sender compares the returned message with a stored copy of the original. If there is a discrepancy between the returned message and the original, suggesting a transmission error, the message is retransmitted.
echo check
___________uses computer-to-computer communications, standard format for messaging between two dissimilar systems. Exchange of computer-processible business info in standard format.
Electronic data interchange (EDI)
_______________ is used to restrict employees who are sharing the same computers to specific directories, programs, and data files. Under this approach, different passwords are used to access different functions.
Multilevel password control
include hardware failures and errors in user applications
Accidental threats
consists of destructive programs with no apparent gain, which come from three sources:
o Privileged personnel who abuse their authority.
o Individuals who browse the operating system to identify and exploit security flaws.
o Individuals who insert viruses or other destructive programs into the operating system, either intentionally or unintentionally.
Growing threat
involves recording the user’s keystrokes and the system’s responses
Keystroke monitoring
summarizes key activities related to system resources
Event monitoring
can be used to:
o detect unauthorized access,
o reconstruct events and
o promote personal accountability
Audit trails
are subject to risks from equipment failure which can cause corruption or loss.
Network topologies
may be to punish an organization for a grievance or may be done for financial gain.
Motivation
examines source and destination addresses attached to incoming message packets but does not explicitly authenticate outside users.
Screening router
An extra bit is added to each byte of data, similar to check digits.
Parity check
Messages are divided into small packets, where each packet of the message may take a different route.
Packet switching
is a private network within a public network
Virtual private network (VPN)
is a password-controlled network for private users
Extranet
is an Internet facility that links users locally and globally
World Wide Web (WWW)
Format for E-mail addresses:
USERNAME@DOMAIN NAME
Defines the path to a facility or file on the Web.
Subdirectories can be several levels deep.
URL address
Every computer node and host attached to the Internet must have a unique ___________.
Internet Protocol (IP) address
Rules and standards governing design of hardware and software that permit network users to communicate and share data.
Protocols
permits communication between Internet sites.
Transfer Control Protocol/Internet Protocol (TCP/IP)
used to transfer files across the Internet.
File Transfer Protocol (FTP)
transmits e-mail messages
Simple Network Mail Protocol (SNMP)
are encryption schemes.
Secure Sockets Layer (SSL) and Secure Electronic Transmission (SET)
used to connect to Usenet groups on the Internet
Network News Transfer Protocol
is the document format used to produce Web pages.
HTML
is the physical arrangement of network components
A network topology
can cover several miles and connect hundreds of users
Local area networks (LANs)
Networks that exceed geographic limitations of LANs are
wide area networks (WANs)
- A network of IPUs with a large central computer (the host). The host computer has direct connections to smaller computers, typically desktop or laptop PCs.
- Popular for mainframe computing.
- All communications must go through the host computer, except for local computing.
Star Topology
A host computer is connected to several levels of subordinate smaller computers in a master-slave relationship.
Hierarchical Topology
- All nodes in this configuration are of equal status (peers).
- Responsibility for managing communications is distributed among the nodes.
- Common resources that are shared by all nodes can be centralized and managed by a file server that is also a node.
Ring Topology
- Configuration distributes the processing between the user’s (client’s) computer and the central file server.
- Both types of computers are part of the network, but each is assigned functions that it best performs.
- This approach reduces data communications traffic, thus reducing queues and increasing response time.
Client-Server Topology
Purpose is to:
Establish communications sessions.
Manage the flow of data across the network.
Detect and resolve data collisions between nodes.
Detect line failure or signal degeneration errors.
Network Control
most popular technique for establishing a communication session in WANs
Polling
involves transmitting a special signal around the network. Only the node possessing the token is allowed to transmit data.
Token passing
A random access technique that detects collisions when they occur
Carrier Sensing
is a program that attaches itself to a legitimate program to penetrate the operating system and destroy programs, files, and the operating system itself.
Virus
is used interchangeably with virus.
Worm
is a destructive program triggered by some predetermined event or date
Logic bomb
is a software program that allows unauthorized access to a system
Back Door (trap door)
program purpose is to capture IDs and passwords.
Trojan horse
the most popular LAN topology. One or more servers centrally control communications and file transfers between workstations.
Bus Topology
passwords are written down and displayed for others to see
Post-it syndrome