Chapters 1, 3, 4, 5

Question 1

Takes place when one entity pretends to be a different entity

Answer 1

A Masquerade

Question 2

Limit information system access to authorized users, processes acting on behalf of authorized
users, or devices (including other information systems) and to the types of transactions and functions that
authorized users are permitted to exercise.

Answer 2

Access Control

Question 3

Means that every access must be checked against the

access control mechanism.

Answer 3

Complete mediation

Question 4

Means that the design of a security mechanism should be open
rather than secret. For example, although encryption keys must be secret, encryption
algorithms should be open to public scrutiny.

Answer 4

Open Design

Question 5

Can be viewed as a specific form of isolation based on object-oriented functionality.

Answer 5

Encapsulation

Question 6

In the context of security refers both to the development of security
functions as separate, protected modules and to the use of a modular architecture
for mechanism design and implementation.

Answer 6

Modularity

Question 7

Is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities

Answer 7

Attack Tree

Question 8

In this type of attack, the attacker is able to intercept

communication between the UT and the IBS.

Answer 8

Injection of Commands

Question 9

Deals with computer-related assets that are subject to a variety of threats and for which
various measures are taken to protect those assets.

Answer 9

Computer Security

Question 10

In the nature of eavesdropping on, or monitoring of, transmissions.
The goal of the attacker is to obtain information that is being transmitted.

Answer 10

Passive Attacks

Question 11

Involve some modification of the data stream or the creation
of a false stream and can be subdivided into four categories: replay, masquerade,
modification of messages, and denial of service.

Answer 11

Active Attacks

Question 12

Four means of authenticating a user’s identity.

Answer 12

1. Something the individual knows.
2. Something the individual possesses.
3. Something the individual is (static biometrics). [Retina, fingerprint]
4. Something the individual does (dynamic biometrics). [voice pattern, typing rhythm]

Question 13

How are hashed passwords are implemented?

Answer 13

The password and salt serve as inputs to a
hashing algorithm to produce a fixed-length hash code. The hash algorithm is
designed to be slow to execute in order to thwart attacks. The hashed password
is then stored, together with a plaintext copy of the salt, in the password file for
the corresponding user ID.

Question 14

Biometric Enrollment, Verification and Identification

Answer 14

1. Each individual who is to
   be included in the database of authorized users must first be enrolled in the system. This is analogous to assigning a password to a user.
2. Verification is analogous to a user logging on
   to a system by using a memory card or smart card coupled with a password or PIN.
3. The individual uses the biometric sensor but
   presents no additional information. The system then compares the presented template
   with the set of stored templates.

Question 15

Challenge-Response Protocol

Answer 15

In this case, the computer system generates a challenge, such as a random string of numbers. The smart token generates a
response based on the challenge.

Question 16

Controls access based on the identity

of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do.

Answer 16

Discretionary access control (DAC)

Question 17

Controls access based on comparing
security labels (which indicate how sensitive or critical system resources are) with security clearances (which indicate system entities are eligible to access
certain resources).

Answer 17

Mandatory access control (MAC)

Question 18

Controls access based on the roles that
users have within the system and on rules stating what accesses are allowed to
users in given roles.

Answer 18

Role-based access control (RBAC)

Question 19

In the context of access control, this is an entity capable of accessing objects. Generally, the concept of
_____equates with that of process.

Answer 19

Subject

Question 20

In the context of access control, is a resource to which access is controlled. In general, an _____
is an entity used to contain and/or receive information.

Answer 20

Object

Question 21

Are roles such that a user can be assigned to only

one role in the set.

Answer 21

Mutually exclusive roles

Question 22

Refers to setting a maximum number with respect to roles. One
such constraint is to set a maximum number of users that can be assigned to a given
role.

Answer 22

Cardinality

Question 23

Which dictates that a user can only be assigned to a particular role if it is already assigned to some other
specified role.

Answer 23

Prerequisite Role

Question 24

Which is a suite of programs for constructing and maintaining the database and for
offering ad hoc query facilities to multiple users and applications.

Answer 24

Define a database management system (DBMS)

Question 25

Provides a uniform interface to the database for users and applications.

Answer 25

Query Language

Question 26

In a ____________, the basic building block is a relation, which is a flat table. Rows are referred to as tuples, and columns are referred to as attributes.

Answer 26

Relational DB

Question 27

Focuses on the requirements of “what” cloud services provide, not a “how to” design solution and implementation.

Answer 27

Cloud Computing Reference Architecture