Final Flashcards

1
Q

Risk

A

likelihood that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesired outcome)

2
Q

Risk Management

A

identification, assessment, and prioritization of risks followed by coordinated use of resources to monitor, control or minimize the impact of risk-related events or to maximize the gains.
• examples: finances, industrial processes, public health and safety, insurance, etc.
• one of the key responsibilities of every manager within an organization

3
Q

Risks in Info. Security

A

risks which arise from an organization’s use of info. technology (IT)
• related concepts: asset, vulnerability, threat

4
Q

Asset

A

anything that needs to be protected because it
has value and/or contributes to the successful
achievement of the organization’s objectives

5
Q

Threat

A

any circumstance or event with the potential
to cause harm to an asset and/or result in harm
to organization

6
Q

Vulnerability

A

a weakness in an asset that can be exploited by a threat and cause harm to the asset and/or the organization

7
Q

Risk

A

probability of a threat acting upon a vulnerability

causing harm to an asset

8
Q

Security Risk Management

A
process of identifying vulnerabilities in an organization’s info. system and taking steps to protect the CIA of all of its components.
• two major sub-processes:
  ∗ Risk Identification & Assessment
  ∗ Risk Control (Mitigation)
9
Q

Risk Identification

A
Identify the Risk Areas
• Identify & Prioritize Assets
• Identify & Prioritize Threats
• Identify Vulnerabilities between Assets and Threats (Vulnerability Analysis)

Assess the Risks (Risk Assessment)
• Calculate Relative Risk ($$$) of Each Vulnerability

10
Q

Risk Control (Mitigation)

A
• Re-evaluate the Risks
• Implement Risk Management Actions
• Develop Risk Management Plan
11
Q

Identifying Hardware, Software (& Networking Assets)

A

Can be done automatically (using specialized software) or manually.
• Needs certain planning – e.g. which attributes of each asset should be tracked, such as:
  ∗ name – tip: naming should not convey critical info to potential attackers
  ∗ asset tag – unique number assigned during acquisition process
  ∗ IP address
  ∗ MAC address
  ∗ software version
  ∗ serial number
  ∗ manufacturer name
  ∗ manufacturer model or part number

12
Q

Identifying People, Procedures and Data Assets

A
Not as readily identifiable as other assets – require that experience and judgment be used.
• Possible attributes:
  • people – avoid personal names, as they may change, use:
    ∗ position name
    ∗ position number/ID
    ∗ computer/network access privileges
  • procedures
    ∗ description
    ∗ intended purpose
    ∗ software/hardware/networking elements to which it is tied
    ∗ location of reference-document, …
  • data
    ∗ owner
    ∗ creator
    ∗ manager
    ∗ location,
13
Q

Asset Ranking

A

Assets should be ranked so that most valuable assets get highest priority when managing risks.
• Questions to consider when determining asset value/rank:
  1) Which info. asset is most critical for the overall operation and success of organization?

Example: Amazon’s ranking assets
Amazon’s network consists of regular desktops and web servers.
Web servers that advertise company’s products and receive orders 24/7 - critical.
Desktops used by customer service department – not so critical.

14
Q

Threat Identification

A
Now that assets are known, we should see if there are any known potential threats/dangers for our company that exist out there …
Once we identify potential threats, next step will be to see whether they really apply to our assets …

Any organization faces a wide variety of threats.
• To keep risk management ‘manageable’ …
  ∗ realistic threats must be identified and further investigated, while unimportant threats should be set aside
Example: government surveys of types of threats/attacks

15
Q

Threat Modeling/Assessment

A

practice of building
an abstract model of how an attack may proceed and
cause damage [attacker-, system-, or asset- centric]

16
Q

Attacker-centric

A

starts from attackers, evaluates their
motivations and goals, and how they might achieve them
through attack tree

17
Q

System-centric

A

starts from model of system, and
attempts to follow model dynamics and logic, looking
for types of attacks against each element of the model.

18
Q

Asset-centric

A

starts from assets entrusted to a system,
such as a collection of sensitive personal information, and
attempts to identify how CIA security breaches can happen.

19
Q

Questions used to prioritize threats:

A

• Which threats present a realistic danger to organization’s assets in its current environment? (‘pre-step’)
  ∗ Goal: reduce the risk management’s scope and cost.
  ∗ Examine each category from CSI/FBI list, or as identified through threat assessment process, and eliminate any that do not apply to your organization.
• Which threats represent the most severe danger … ?
  ∗ Goal: provide a rough assessment of each threat’s potential impact given current level of organization’s preparedness.
  ∗ ‘Danger’ might be a measure of:
    1) probability that the threat attacks organization
    2) severity, i.e. overall damage that the threat could create
Other questions used to assess/prioritize threats:
• How much would it cost to recover from a successful attack?
• Which threats would require greatest expenditure to prevent?
• Once threats are prioritized, each asset should be reviewed against each threat to create a specific list of vulnerabilities.

20
Q

Vulnerability

A
flaw or weakness in an info. asset, its design, implementation or security procedure that can be exploited accidentally or deliberately by a threat
• a known threat is a real ‘threat’ to an organization only if there is an actual vulnerability it can exploit
• sheer existence of a vulnerability does not mean harm WILL be caused – threat agent is required
• vulnerability that is easy to exploit is often a high-danger vulnerability
21
Q

TVA Worksheet

A
at the end of risk identification procedure, organization should derive threats-vulnerabilities-assets (TVA) worksheet
• this worksheet is a starting point for risk assessment phase
• TVA worksheet combines prioritized lists of assets and threats
  ∗ prioritized list of assets is placed on x-axis, with most important assets on the left
  ∗ prioritized list of threats is placed on y-axis, with most dangerous threats at the top
  ∗ resulting grid enables a simplified priority-based vulnerability assessment
22
Q

Watermarking

A

Common Applications
• verify the owner of a digital object - copyright protection
• placing a (unique) watermark = placing a (unique) signature
• identify illegal ‘theatrical release’ copies of a movie: watermark prior to release to prevent movie piracy
• copy control in DVD and Blu-ray player
• forensics and piracy deterrence
• content filtering

23
Q

Digital Fingerprinting

A

process of embedding unique information for each user-copy of a digital object in order to be able to identify entities involved in illegal distribution of the digital object
• if object with Alice’s ID is found on Bob’s computer => copy is illegal AND likely provided by Alice

24
Q

Spheres of Information Use

A
information can be accessed directly (people accessing hard-copies) and/or indirectly by means of computer systems (if data in digital form)
• multiple layers on ‘technology’ side of access sphere imply that one or more access stages may be required
  ∗ example: to access info stored on a system (database), the user must access / log-into the database-server
  ∗ example: to access info via Internet, the user must ‘go through’ local network (e.g., pass a firewall) and then access the system that hosts the info
25
Q

Spheres of Protection

A
between each layer of use there must exist a layer of protection to prevent access to next inner layer
• shaded bands in the figure …
• (Avoidance) controls that can be applied to humans!
• (Avoidance) controls that can be applied to technology!
26
Q

Access Controls

A
selective restriction of access to a physical place, computer system or other resource
• the act of ‘accessing’ may mean entering, using, consuming …
27
Q

Stages of Access Controls = I / A / A

A
• identification – obtain identity of an entity requesting access to a logical or physical area (obtain credentials)
• authentication – confirm identity of the entity seeking access …
  ∗ making sure user’s credentials are not false – the user ‘is’ who they claim to be
• authorization – determine whether the authenticated entity is permitted to access a particular system (e.g., OS, firewall, router, database, …) and its resources (e.g., system’s files)
  ∗ typically implemented by means of access control lists / rules
28
Q

Basic steps in access control

A

‘Authorization profile’ of the user is matched against

‘Access profile’ of a specific/requested object.

29
Q

Just because a user can authenticate to a system

A

it does not mean they are given access to anything and everything.
Authorization ensures that the requested object or activity on an object is possible based on the privileges assigned to the subject.

30
Q

Identification

A
mechanism that provides info about an unverified entity – aka supplicant – that wants to be granted access to a logical or physical area
• must be a unique value that can be mapped to one and only one entity within the administered domain
• in most organizations, identification = name OR (initial + surname)
31
Q

Authentication

A
process of validating a person’s (supplicant’s) purported identity
• types of authentication mechanisms:
  1) something you know
     ∗ password or passphrases
  2) something you have
     ∗ cryptographic tokens or smart cards
  3) something you are - static biometrics
     ∗ fingerprints, palm prints, iris scans, …
  4) something you produce - dynamic biometrics
     ∗ pattern recognition of voice, signature / handwriting, typing rhythm
32
Q

Authentication: Something you know

A
• authentication mechanisms based on use of passwords/pins and passphrases
• password – combination of characters that only the user should know
  ∗ challenge: should be simple enough to remember, and complex enough to resist cracking
  ∗ bad examples: name of spouse, child, pet
• passphrase – plain-language phrase typically longer but stronger than a password, from which a virtual password is derived
  ∗ examples: Linksys, Windows 7 and up
CPIMFF = Cheese Pizza Is My Favorite Food
33
Q

Password cracking speed

A
Password cracking is becoming very trivial with the vast amount of computing power readily available for anyone who desires so. At a current rate of $25 per hour, an AWS p3.16xlarge nets you a cracking power of 632GH/s (assuming we’re cracking NTLM hashes). This means we’re capable of trying a whopping 632.000.000.000 different password combinations per second!
34
Q

Authentication: Something you have

A

objects used for purpose of user authentication are called ‘tokens’
• token + PIN/password provides significantly greater security than password alone
  ∗ an adversary must gain physical possession of the token (or be able to duplicate it) in addition to ‘cracking’ the password
• types of tokens:
  ∗ static tokens
  ∗ dynamic synchronous (one-time password) tokens
  ∗ dynamic asynchronous (challenge-response) tokens

35
Q

Authentication: Something you have

A

e.g.: swipe card, smart card, RFID tags
• swipe cards - ID and ATM cards
  ∗ aka ‘dumb cards’, transmit same credential every time – the credential (base secret) is impractical to memorize
  ∗ PIN/password not on the card – ATM encrypts PIN provided by user and sends it to a database for verification …
• smart card - swipe cards with a chip
  ∗ chip contains a CPU, memory blocks (RAM, ROM, …) and on-chip encryption module
  ∗ stores 100x data stored on magnetic strip: encrypted PIN & other info about card holder
  ∗ card checks user’s PIN & generates a certificate to authorize transaction process …

36
Q

Authentication: Something you have …

A

Synchronous (One-Time Password) Tokens
• small LCD device that generates a unique new password periodically (e.g., every 60 seconds)
  ∗ token combines ‘base secret’ with a clock to generate new password
  ∗ token and authentication server must have their clocks synchronized – which is often a challenge!

37
Q

Asynchronous (Challenge-Response) Tokens

A
instead of time, token uses a challenge/nonce provided by the system to generate the password
• e.g., token can generate the password by
  1) applying a unique hash function to (user’s base secret + nonce)
  2) encrypting nonce using user’s/token’s public key
38
Q

Something you are (Static / Standard Biometrics)

A
authentication mechanisms that take advantage of users’ unique physical characteristics, including
• fingerprints
• facial characteristics
• retina
• iris
• in contrast to password/token authentic., biometric systems do not look for a 100% match – person’s characteristics are inherently ‘noisy’
  ∗ pattern recognition must be involved
• very effective but costly if a large number of biometric readers need to be installed!
39
Q
In password-based authentication,
an exact (100%) match
A

is required

40
Q

enrollment & authentication in biometric syst.

A
A sample of biometric reading is captured.
The sample is processed into feature set.
Feature set is converted into a template.
enrolment stage in biometric systems is much more involved !!!
it is hard if not impossible in some type of biometrics to achieve 100% match
41
Q

In biometric-based authentication,

an approximate match

A

is required

42
Q

Biometric Modality

A

different types of biometric
information / measurements that can be used to
discriminate between different individuals

43
Q

an ideal biometric modality / information should have

the following properties

A

• Universality – all individuals must be characterized by this information
• Uniqueness / Distinctiveness – this information must be as dissimilar as possible for two different individuals
• Permanency / Stability – this information should be present during the whole life of an individual
• Collectability / Measurability – this information should be measured in an easy manner
• Performance – this information can be used to build accurate, fast and robust biometric/authentication systems
• Acceptability – how willing individuals are to have this biometric information captured and assessed

44
Q

an ideal biometric modality / information should have

the following properties:

A

Resistance to Attack – how easy it is for this information

to be forged

45
Q

iris scanner

A
IRIS - colored section of an eye
scan = 2 seconds of near IR imaging 
subject can be at some distance 
alcohol consumption changes iris 
46
Q

Retina scanner

A

RETINA - cannot be seen by naked eye - the
network of blood vessels
most reliable biometrics, aside from DNA 
but can be affected by eye-disease 
scan = 15 seconds of low-energy IR scanning 
subject has to be close to scanner 

47
Q

Extraction of biometrics features

A

many biometric systems are

based on image processing

48
Q

Types of Biometric Systems

A

1) systems for IDENTIFICATION
   • perform 1:n comparison to identify a user from a database of n users
2) systems for AUTHENTICATION
   • perform 1:1 comparison to check whether a user matches his profile
something you know – to identify the user

49
Q

Biometric Accuracy / Performance

A

in all biometrics schemes, some physical characteristic of the individual is mapped into digital representation
• however, physical characteristics may change
  ∗ facial contours and color may be influenced by clothing, hairstyle, facial hair, …
  ∗ the results of fingerprint scan may vary as a function of: finger placement, finger swelling and skin dryness …
• multiple mappings may have to be taken in order to create a (statistically) useful biometric representation / profile
• a biometric sensor must be able to adapt to a broad range of appearances

50
Q

Biometric Accuracy

A
statistical distribution of ‘match score’ between user’s new scan and user’s stored profile/record
• unfortunately, range of scores/features for any particular user is likely to overlap with scores/features of other users
• by moving the ‘decision threshold’, sensitivity of biomet. system changes
• move t to left ⇒ system more tolerant to noise, but also system more likely to accept wrong person
51
Q

False Reject Rate (FRR), aka False Negative

A

% of authorized users who are denied access
• false negatives do not represent a threat to security but an annoyance to legitimate users

52
Q

False Accept Rate (FAR), aka False Positive

A

% of unauthorized / fraudulent users who are allowed access to system
• represent serious security breach

53
Q

convenience

A

1-FR

the higher the FR, the less
convenient an application is
because more subjects are
incorrectly rejected …

54
Q

security

A

1-FA

the lower the FA, the fewer
imposter users (adversaries) are
incorrectly accepted into the
system

55
Q

Crossover Error Rate (CER), aka Equal Error Rate

A

point at which FRR = FAR – Operating Point of choice for most biometric systems – provides balance between sensitivity & performance (i.e., convenience & security)
• techniques with 1% CER superior to 5% CER
• as threshold moves to the left, system becomes ‘less sensitive’ and the value of FRR decreases but the value of FAR increases
• as threshold moves to the right, system becomes ‘more sensitive’ and the value of FRR increases but the value of FAR decreases

56
Q

Example: biometric accuracy

A

Assume a system where each airport passenger is identified with a unique frequent flyer number and then verified with a fingerprint sample.
The system’s false reject (FR) rate for finger is: 0.03 (= 3%).
5000 people / hour are requesting access to the airport during a 14 hour day.
How many people will fail to be verified in a day?
# rejected passengers =
= (5000 * 0.03) [rejects / hour] * 14 [hours] =
= 150 [rejects / hour] * 14 [hours] =
= 2100 [rejects]

57
Q

Something you produce: Dynamic Biometrics

A

authentication mechanisms that make use of something the user performs or produces:
• signature recognition
• voice recognition
• keystroke recognition
• less costly than ‘what you are’ systems, but not as reliable
  ∗ signature, voice, keystroke pattern may change significantly with time and under different circumstances

58
Q

Dynamic / behavioral biometrics

A
Authentication that examines normal actions performed
by the user, e.g. keystroke dynamics.
measure/observe various time-related
parameters during a user’s interaction
with a keyboard
59
Q

keystroke dynamics

A

With keystroke dynamics the biometric template used to identify an individual is based on the typing pattern, the rhythm and the speed of typing on a keyboard. The raw measurements used for keystroke dynamics are dwell time and flight time.

Dwell time is the time duration that a key is pressed
Flight time is the time duration in between releasing a key and pressing the next key

When typing a series of characters, the time the subject needs to find the right key (flight time) and the time he holds down a key (dwell time) is specific to that subject, and can be calculated in such a way that it is independent of overall typing speed. The rhythm with which some sequences of characters are typed can be very person dependent. For example, someone used to typing in English will be quicker at typing certain character sequences such as ‘the’ than a person with French roots.

There exists software which combines keystroke dynamics with other interactions the user has with the computer, such as mouse movements (acceleration time, click frequency).

60
Q

Biometrics accuracy vs. acceptance

A

Organizations implementing biometrics must carefully balance
a system’s effectiveness against its perceived intrusiveness and
acceptability to users …

61
Q

Attacks on password-based authenticat. systems

A
• breaking (try to ‘get into’ the system by using a legitimate password)
• disabling (prevent legitimate user from getting into the system)
62
Q

Standard vs. Targeted DoS Attacks

A
Standard DoS Attack
Attacker’s goal is to prevent victim-server from providing access/service to all legitimate users.
Targeted DoS Attack
Attacker’s goal is to prevent one particular victim-user from obtaining access/service from a server.
Most systems ‘lock-out’ a user after multiple login attempts using false password ….
63
Q

Single- and multi- factor authentication

A

Systems that use one authentication credential (e.g. something
you know) are known as one-factor authentication systems.
Most computer systems / applications are one-factor
authentication systems – they rely on passwords only.
Systems that require strong protection typically combine
multiple authentication mechanisms – e.g. something you
have and something you know. They are known as two-factor
authentication systems.
For example, access to a bank’s ATM requires a banking
card + a personal identification number (PIN).

64
Q

Attacks on biometrics-based authenticat. systems

A

• Spoof biometric data as someone else.
• Modify the signal processing unit to (e.g.) cause DoS on legitimate users.
• Spoof the signal between the sensor and signal processing unit. (e.g. replay voice)
• Alter the content of the template database.
• Alter the matching process / software.

65
Q

Password

A

a secret word/string of characters used to authenticate a user into a system
• critical (often only) defense against intruders
• ideal password: easy to remember, hard to ‘crack’
• Google frequently releases lists of common password types which are insecure as they are too easy to guess / get off social media
  ∗ name of a pet, child, family member, spouse
  ∗ names of birthplaces, favorite sports teams
  ∗ birthdays, anniversary dates
• overly complex passwords are as dangerous as very simple ones
  ∗ the user likely to write it down or to reuse it

66
Q

How are passwords stored in a computer/system???

A

storing in plain text is bad idea

67
Q

passwords in a system

A
• in most systems, passwords are stored in a protected (hash) form ⇒ snooper that gains internal access to system cannot easily retrieve/steal passwords
  ∗ every time a user logs in, password handling software runs the hash algorithm
  ∗ if (new hash = stored hash), access is granted
68
Q

account creation stage:

A

storing hash instead

of password

69
Q

logging into an existing account:

A

testing a password against stored hash

70
Q

online cracking

A

try every password at login prompt in real time
• very slow!
  ∗ 8-character password of 76 possible characters (upper & lower case, digits, common symbols) = 1.1x10^15 possibilities
  ∗ 2 to 3 passwords a second ⇒ 5,878,324 years to guess a password
• extremely noisy!
  ∗ most systems block the victim account after several failed login attempts

71
Q

off-line cracking

A

assumes the possession of passwd/hash file

72
Q

Password Management Windows

A
password hashes are stored in Security Account Manager (SAM) file
• stored in C:\Windows\System32\config or HKEY_LOCAL_MACHINE\SAM registry - neither of them can be opened/copied on normal boot-up of the OS (i.e., while computer running) – file used by OS
73
Q

Accessing SAM windows

A

Accessing SAM – requires administrative privileges

File in Windows to be copied / dumped

74
Q

SAM file

A
Copy of SAM file is now stored on C drive as a file named ‘sam’.
However, this file is encrypted using SysKey!!!
So, a dump of SYSTEM hive/file is also needed!
75
Q

SAM and sys key

A

The SAM file is encrypted with the SysKey which is stored in
%SystemRoot%\system32\config\system file.
During the boot-time of Windows the hashes from the SAM file get decrypted using the
SysKey and these hashes are then loaded to the registry and used for authentication
purpose.
Both system and SAM files are unavailable (i.e., locked by kernel) during Windows’
runtime.
Tools like mimikatz (on Windows) and samdump2 (on Linux) can be used
to extract hashes from SAM

76
Q

Accessing Hash file in unix

A

text file: /etc/shadow (/etc/passwd)
• readable by system administrator (root) only
getent shadow admin
When a new user is created in Linux it affects 4 files
/etc/passwd
/etc/group
/etc/shadow
/etc/gshadow
/etc/passwd file is essentially the user account database in which Linux stores valid accounts and related information about these accounts; typically has file system permissions that allow it to be readable by all users of the system
/etc/shadow file contains hashed passwords and bookkeeping information; accessible only by the super user

77
Q

structure of passwd file

A

/etc/passwd Format

Username: It is used when user logs in. It should be between 1 and 32 characters in length.
Password: An x character indicates that encrypted password is stored in /etc/shadow file. Please note that you need to use the passwd command to compute the hash of a password typed at the CLI or to store/update the hash of the password in /etc/shadow file.
User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further, UIDs 100-999 are reserved by system for administrative and system accounts/groups.
Group ID (GID): The primary group ID (stored in /etc/group file)
User ID Info (GECOS): The comment field. It allows you to add extra information about the users such as user’s full name, phone number etc. This field is used by the finger command.
Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exist then the user’s directory becomes /
Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell. For example, sysadmin can use the nologin shell, which acts as a replacement shell for the user accounts. If shell is set to /sbin/nologin and the user tries to log in to the Linux system directly, the /sbin/nologin shell closes the connection.
78
Q

structure of shadow file

A

Username : It is your login name.
Password : It is your encrypted password. The password should be minimum 8-12 characters long including special characters, digits, lower case alphabetic and more. Usually password format is set to $id$salt$hashed. The $id is the algorithm used on GNU/Linux, as follows:
$1$ is MD5
$2a$ is Blowfish
$2y$ is Blowfish
$5$ is SHA-256
$6$ is SHA-512
Last password change (lastchanged) : Days since Jan 1, 1970 that password was last changed
Minimum : The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
Maximum : The maximum number of days the password is valid (after that user is forced to change his/her password)
Warn : The number of days before password is to expire that user is warned that his/her password must be changed
Inactive : The number of days after password expires that account is disabled
Expire : Days since Jan 1, 1970 that account is disabled, i.e. an absolute date specifying when the login may no longer be used.

79
Q

longer allowed size of the password => more combinations have to be tried

A
In the case of brute-force password cracking, there is no particular strategy when generating password guesses. The entire possible space of passwords is explored.
80
Q

Password cracking (guessing)

A
a method of gaining unauthorized access to a computer system by trying different passwords
• cracking difficulty ∼ size of password space & ‘diversity’ of password characters
81
Q

brute force password cracking

A
aka exhaustive password search
• entire password space is ‘tried’
• starts by using simple combinations of characters, and then gradually moves to more complex/longer ones
• (may be) effective for passwords of small size, but too time consuming for long passwords
• examples of brute-force crackers
  • Cryptool
  • Cain and Abel
  • John the Ripper
  • Ophcrack
82
Q

What is Password Search Space in Brute-Force Attacks?

A

a) On 26-letter alphabet, password of length exactly 1/2/n

S1-Letter = 26^1
S2-Letter = 26*26 = 26^2
Sn-Letter = 26*26*…*26 = 26^n

b) On A-character alphabet (lett. + numb.), passw. of length n:

Sn-character= A^n = 36^n

c) On A-character alphabet, passwords up-to n characters

83
Q

Brute-Force Password Search Space

A
Tina has to create a password for the security of a software program file. She wants to use a password with 3 letters.
How many passwords are allowed if no letter is repeated and the password is not case sensitive?
L1 L2 L3 : A (B-Z) (C-Z)
26*25*24 = 15,600
84
Q

Brute-Force Password Search Space (3)

A

A system allows passwords consisting of 4 lower-case letters followed by 3 digits.
How many passwords are possible if there are no restrictions?
L1 L2 L3 L4 D1 D2 D3
26^4 * 10^3 = 456,976,000

85
Q

Biased attack

A
the search space is further reduced by focusing on most likely combinations of words and/or numbers …
Example: Biased Attack on 4-Digit Pins
Assume a system requires that access passwords be comprised of 4 digits.
Total unbiased search space: any number between 0000 – 9999 (10,000)
Many people use some important personal dates to generate 4-digit passwords.
Biased search space: only 366 possible combinations!
86
Q

Dictionary Attack

A

users often create passwords using common dictionary words
• instead of trying every password, dictionary attack probes only common dictionary words
• faster than brute force, as it uses smaller (more likely) search space
• still might take considerable time, and might fail in the end

87
Q

Dictionary Attacks in Real World

A

Many studies on effectiveness of dictionary attack have been
conducted.
Not 100% effective, but enough passwords were cracked to make
the use of this attack worthwhile.

88
Q

Pre-Computed Dictionary Attacks

A
achieves TIME-SPACE tradeoff by pre-computing a list of hashes of dictionary words
• pre-computed hashes are compared against those in a stolen password file
• rainbow tables
  1) pregenerated sets/lists of hashes – n*Gbyte size!!!
  2) allow extremely rapid searching
89
Q

Password Salting

A
adding a unique random value to each password before hashing
• both the hash and salt are stored
• does not fully prevent password cracking, but makes it harder / more time consuming

It is hard, if not impossible, to prevent users from choosing ‘weak’ passwords. So, ideally, the system would additionally ‘strengthen’ user passwords.

hello: Found in most attack dictionaries and rainbow tables!

hello3ab9: Cannot be found in common dictionaries or rainbow tables

90
Q

account creation stage

A

storing hash & salt
instead of password

logging into an existing account:
testing a password against stored hash

91
Q

Attack on salted passwords

A

For every word in a dictionary (or an ‘extended’ dictionary):

1) add the User’s salt
2) hash
3) compare

92
Q

Password Salting Benefits

A

in case of a compromised Password File
• (simple) dictionary and rainbow attacks impossible to perform
• prevents duplicate passwords from being visible in password file
• becomes impossible to find out whether a person has used the same password on multiple systems

93
Q

Password policies – which one is better?!

A

Company A requires that its employees pick 6-character passwords
made up of combinations of lowercase letters, uppercase letters, and
digits (62 possibilities). No other characters are allowed, and a given
user’s password must not use any character twice.
Example: ab98CD
Company B requires that its employees pick 12-character passwords,
where each of the 12 can be any of 100 possible characters. Unlike for
Company A, Company B’s employees can reuse characters in their
passwords. However, Company B finds that users often make mistakes
with these long passwords, so if an authentication attempt fails, the
login server helps the user by telling them how many of the initial letters
were correct. For example, if a password entered was ‘abcdefgij’ and the
server replies “Wrong, but the first 4 letters were correct”, then ‘abcd’
are correct, ‘e’ is wrong, and nothing is revealed about the correctness
of the letters after ‘e’.

Suppose an attacker is trying to guess/crack the password of user
U1 at Company A, and user U2 at Company B. Both usernames are valid
at the respective companies, and the users have chosen passwords that
conform with the policy.
a) Write down an expression for the # of attempts the attacker
needs for guessing the password of user U1 at Company A.
Solution:
Example: ab98CD
Total # of allowed characters = 26 + 26 + 10 = 62
Total # of possible passwords = 62*61*60*59*58*57 = 4.4 * 10^10

b) Write down an expression for the # of attempts the attacker
needs for guessing the password of user U2 at Company B.
Solution:
The key for this part of the problem is that the attacker can use
feedback provided by the login process to speed up the ‘cracking’
process.
To start, the attacker can try 100 passwords that each differ in
their first character. One of these must succeed. In addition, when
it succeeds, in the worst case the attacker is told that the second
character in the attempted password is incorrect. Therefore, once
the attacker learns that the first character is correct, they also can
eliminate 1 of the possibilities for the second character.

Password: bszi1289AMLK
1st round of 100 guesses: aa, ba, ca, da, …
(b is correct, a is not. In the next round, do not check a)
2nd round of 99 guesses: bba, bca, bda, bea, …, bsa, bta, …

At this point, they make another 100 − 1 = 99 guesses, each of which uses the first character learned in the previous step, and tries a different second character (excluding the character that the attacker has already learned is not correct for the second position).
This process continues until they try candidates for all 12 positions, requiring at worst a total of:
# of possible passwords = 100 + 99 + 99 + … + 99 = 100 + 99 · 11 = 1189

94
Q

Summary of Vulnerability Analysis

A

Damage must be quantifiable!

Threat has to be real (probable)!

[Diagram: Threat – Vulnerability – Asset]
Asset: People, Procedure, Data, Software, Hardware, Networking
Threat: Act of human error or failure; Deliberate act of trespass; Deliberate act of extortion; Deliberate act of sabotage; Deliberate software attacks; Technical software failures; Technical hardware failures; Forces of nature; Etc

sheer existence of a vulnerability does NOT mean there is an actual RISK (i.e., harm will be caused

95
Q

Risk Assessment

A
provides relative numerical risk ratings/scores for each vulnerability
• in risk management, it is not the presence of a vulnerability that really matters, but the associated risk!
96
Q

(Security) Risk – quantifies:

A

1) possibility that a threat acts upon a vulnerability
AND is successful
2) how severe the consequences would be

R = P * V

P = probability of risk-event occurrence
V = value lost / cost to organization
97
Q

Extended Risk Formula v.1.

A

R = Pa ⋅ Ps ⋅ V
• Pa = probability that an attack/threat (against a vulnerability) takes place
• Ps = probability that the attack successfully exploits the vulnerability
• V = value lost / cost to organization

98
Q

Extended Risk Formula v.2.

A
R = Pa ⋅ (1-Pe) ⋅ V, where (1-Pe) = Ps
Pe = probability that the system’s security measures effectively protect against the attack (reflection of system’s security effectiveness)
Ps = probability that the attack is successfully executed (i.e., system defences are NOT effective)
Pe = probability that the attack is NOT successfully executed (i.e., system defences are effective)
99
Q

Extended Whitman’s Risk Formula *

A

R = P ⋅ V – CC ⋅ (P ⋅ V) + UK ⋅ (P ⋅ V) = P ⋅ V ⋅ [ 1 – CC + UK ]
P ⋅ V = LE = Loss Expectancy (i.e. Potential Loss / Risk before Control is Applied)

• P = probability that certain vulnerability (affecting a particular asset) gets exploited – equivalent to Pa
• V = value of information asset ∈ [1, 100]
• CC = current control = percentage/fraction of risk already mitigated by current control
• UK = uncertainty of knowledge = fraction of risk that is not fully known

100
Q

Risk determination

A

Asset A
Has a value of 50.
Has one vulnerability, with a likelihood of 1.0.
No current control for this vulnerability.
Your assumptions and data are 90% accurate.
Asset B
Has a value of 100.
Has two vulnerabilities:
* vulnerability #2 with a likelihood of 0.5, and
a current control that addresses 50% of its risk;
* vulnerability #3 with a likelihood of 0.1 and
no current controls.
Your assumptions and data are 80% accurate.
Which asset/vulnerability should be dealt with first ?!

101
Q

Example: Risk determination

A

The resulting ranked list of risk ratings for the three
vulnerabilities is as follows:
Asset A:
Vulnerability 1 rated as 55 = 50 * 1 * (1.0 - 0 + 0.1)
Asset B:
Vulnerability 2 rated as 35 = 100 * 0.5 * (1 - 0.5 + 0.2)
Asset B:
Vulnerability 3 rated as 12 = 100 * 0.1 * (1 – 0 + 0.2)

102
Q

• Documenting Results – 5 types of documents of risk assessment ideally created

A

1) Information asset inventory worksheet
2) Weighted asset worksheet
3) Weighted threat worksheet
4) TVA worksheet
5) Ranked vulnerability risk worksheet
  • extension of TVA worksheet, showing only the assets and relevant vulnerabilities
  • assigns a risk-rating ranked value for each uncontrolled asset-vulnerability pair

103
Q

Risk Control Strategies

A

Once all vulnerabilities/risks are evaluated, the company has to decide
on the ‘course of action’ – often influenced by
1) risk level ($$$)
2) cost of treatment ($$$) …

104
Q

Basic Strategies to Control Risks

A

• Avoidance
  • do not proceed with the activity or system that creates this risk
• Reduced Likelihood (Control) - implement
  • by implementing suitable controls, lower the chances of the vulnerability being exploited
• Transference
  • share responsibility for the risk with a third party
• Mitigation
  • reduce impact should an attack still exploit the vulnerability
• Acceptance - do not implement
  • understand consequences and acknowledge risks without any attempt to control or mitigate

105
Q

Avoidance

A
strategy that results in complete abandonment of activities or systems due to overly excessive risk
• usually results in loss of convenience or ability to perform some function that is useful to the organization
• the loss of this capacity is traded off against the reduced risk profile
Recommended for vulnerabilities with very high risk factor that are very costly to fix.

106
Q

Reduced Likelihood (Control)

A
Risk control strategy that attempts to prevent exploitation of vulnerability by means of following techniques:
• application of technology
  • implementation of security controls & safeguards, such as: anti-virus software, firewall, secure HTTP and FTP servers, etc.
• policy
  • e.g. insisting on safe procedures
• training and education
  • change in technology and policy must be coupled with employee’s training and education
Recommended for vulnerabilities with high risk factor that are moderately- to low- costly to fix.
107
Q

Transference

A

risk control strategy that attempts to shift risk to other assets, other processes or other organizations
• if organization does not have adequate security experience, hire individuals or firms that provide expertise
  • ‘stick to your knitting’!
  • e.g., by hiring a Web consulting firm, risk associated with domain name registration, Web presence, Web service, … are passed onto organization with more experience
Recommended for vulnerabilities with high risk factor that are moderately costly to fix if employing outside expertise.

108
Q

Mitigation

A

Risk control strategy that attempts to reduce the significance of impact caused by a vulnerability – includes 3 plans:
Recommended for vulnerabilities that are low (but not zero) risk and moderately to high costly to fix

109
Q

Acceptance

A

assumes NO action towards protecting an information asset – accept outcome …
• should be used only after doing all of the following (steps to be discussed):
  • assess the probability of attack and likelihood of successful exploitation of a vulnerability
  • approximate annual occurrence of such an attack
  • estimate potential loss that could result from attacks
  • perform a thorough cost-benefit analysis assuming various protection techniques
  • determine that particular asset did not justify the cost of protection!
Recommended when vulnerability risk << cost of any control.

110
Q

Risk Tolerance

A

Risk that organization is willing to accept after implementing risk-mitigation controls

111
Q

Residual Risk

A
Risk that has not been completely removed, reduced or planned for, after (initial) risk-mitigation controls have been employed
• goal of information security is not to bring residual risk to 0, but to bring it in line with company’s risk tolerance
• risk-mitigation controls may (have to) be reinforced until residual risk falls within tolerance
112
Q

Risk Assessment

A

‘Spotting’ the most significant vulnerabilities in the sea of potential vulnerabilities.

113
Q

Quantitative Risk Analysis

A
predicts level of monetary loss for each threat, and monetary benefit of controlling the threat
• each element is quantified and entered into equations, e.g.:
  • asset value
  • threat likelihood/frequency/probability
  • severity of vulnerability
  • damage impact
  • safeguard cost
114
Q

Challenges of Quantitative Analysis – define likelihood & impact values

A
in a manner that would allow the same scale to be used across multiple risk assessments
115
Q

Quantitative risk analysis

A

is the standard way of measuring risk in
many fields, such as finance and insurance, but it is not commonly used
to measure risk in information systems.
Two of the reasons claimed for this are:
1) the difficulties in identifying and assigning a value to assets, and
2) the lack of statistical information that would make it possible to
determine frequency.
Thus, many of the risk assessment tools that are used today for
information systems are measurements of qualitative risk.”

116
Q

Qualitative Risk Analysis

A

scenario based approach - uses
labels & relative values (high/low)
rather than numbers; blends in
experience & personal judgment

Example: threat likelihood/frequency (i.e., vulnerability
exploitation) categories

117
Q

Qualitative Analysis

A
• Requires simple (if any)
calculations.
• Considers hands-on opinions
of individuals who know the
process best
118
Q

Quantitative Analysis

A
• Easier to automate and evaluate.
• Very useful in performance tracking - enables credible cost/benefit analysis.
119
Q

Cost-Benefit Analysis

A
aka economic feasibility study - quantitative decision-making process in which for each high-risk vulnerability:
• determine the loss in value if the asset (with this vulnerability) remained unprotected
• determine the cost(s) of protecting the asset using various approaches
• compare available alternatives and arrive at a decision with best financial outcome …

Company should not spend more to protect an asset than the asset is worth!

120
Q

Asset Value (AV)

A
combination of the following:
• cost of buying/developing hardware, software, service
• cost of installing, maintaining, upgrading hardware, software, service
• cost to train and re-train personnel
• as well as the direct profit gained from the utilization of the asset !
121
Q

Exposure Factor (EF)

A

Exposure Factor (EF) – percentage loss that would occur from a given vulnerability being exploited by a given threat

122
Q

Single Loss Expectancy (SLE)

A

most likely loss (in value) from an attack
SLE = AV * EF
Example: A Web-site’s SLE due to a DDoS Attack
Estimated value of a Web-site: AV = $ 1,000,000.
A DDoS on the site would result in 10% losses of the site
value (EF=0.1).
SLE for the site: AV * EF = $ 100,000.
Would it be worth investing in anti-DDoS system that costs
$150,000 a year?

123
Q

Annualized Rate of Occurrence (ARO)

A
indicates how often an attack is expected to successfully occur in a year (e.g., 2x a year => ARO=2)
• if an attack occurs once every 2 years ⇒ ARO = 0.5
124
Q

Annualized Loss Expectancy (ALE)

A
Annualized Loss Expectancy (ALE) – overall loss incurred by an attack (i.e. by exploiting a vulnerability) in each year
125
Q

Example: Determining ALE to Occur from Risks

A

A widget manufacturer has installed new network servers,
changing its network from P2P, to client/server-based network.
The network consists of 200 users who make an average of
$20 an hour, working on 200 workstations.
Previously, none of the workstations involved in the network
had an anti-virus software installed on the machines. This was
because there was no connection to the Internet and the
workstations did not have USB/disk drives or Internet
connectivity, so the risk of viruses was deemed minimal.
One of the new servers provides a broadband connection to
the Internet, which employees can now use to send and receive
email, and surf the Internet.

126
Q

Example: Determining ALE to Occur from Risks (cont.)

A
  • 200 employees
  • 200 workstations
  • $20 hour
One of the managers read in a
trade magazine that other widget
companies have reported an
annual 75% chance of virus
infection after installing T1 lines,
and it may take up to 3 hours to
restore the system.
A vendor will sell licensed copies
of antivirus for all servers and
the 200 workstations at a cost
of $4,700 per year.
The company has asked you to determine the annual loss that
can be expected from viruses, and whether it is cost effective
to purchase licensed copies of anti-virus software.
127
Q

Based on the provided data:

A

Very simplistic scenario. Other losses
could be: erased (IP) documents, lost
emails, impact on reputation, etc.

ARO = 0.75
SLE = 200 user * ($ 20 / user-hour)
* 3 hours = $ 12,000
ALE = ARO * SLE = $ 9,000
ACS = $ 4,700
Because the ALE is $9,000, and the cost of the software that
will minimize this risk is $4,700 per year, this means the
company would save $4,300 per year by purchasing the
software ($9,000 - $4,700 = $4,300).

128
Q

Cost-Benefit Analysis Formula

A

– expresses cost benefit of a safeguard – i.e., determines whether a particular control is worth its cost

NRRB = [ALE(prior) - ALE(post)] – ACS

NRRB = NET Risk Reduction Benefit (money saved)
[ALE(prior) - ALE(post)] = GROSS risk reduction benefit
safeguard is justified if it results in NRRB>0

• ALE(prior) – ALE before implementing control
• ALE(post) – ALE after implementing control
• ACS – annual cost of safeguard

129
Q

Example: Determining NRRB

A

Your organization has decided to centralize anti-virus support on a server which automatically updates virus signatures on users’ PCs.
When calculating risk due to viruses, the annualized loss expectancy (ALEprior) is $145,000. The cost of this anti-virus countermeasure is estimated at $24,000/year, and it will lower the ALEpost to $65,000.
Is this a cost-effective countermeasure? Why or why not?
ALE (prior) = $145 k
ALE (post) = $65 k
ACS = $24 k
NRRB = ALE (prior) – ALE (post) – ACS = $145 k - $65 k - $24 k = $56 k, so there are + cost benefits of this solution

130
Q

Example: Cert. Info. Sys. Sec. Prof. (CISSP) Exam

A

ALE (prior) = AV * EF * ARO = $10^6 * 0.1 * 0.2 = $20,000
ALE (post) = $0 (best case scenario - safeguard 100% eff.)
ACS = ?
For NRRB ≥ 0, safeguard of up to $20,000 acceptable.

131
Q

Example

A
Cost-benefit analysis in case of 100% effective safeguard
[Figure: ALE plotted over Time, showing ALE(prior) before safeguards, ALE(post) after safeguards, GRRB (gross risk reduction benefit), ACS (annual. cost of safeguards) and NRRB (net risk reduction benefit)]
132
Q

Other Feasibility Measures

A

• Quantitative cost-benefit analysis determines whether
a security control measure is feasible economically.
• Other factors and ‘measures of feasibility’, when
evaluating a security control, should be considered:
NRRB = [ALE(prior) - ALE(post)] – ACS
ALE(post) = AROpost * AVpost * EFpost

133
Q

Organizational Feasibility

A
– examines how well a proposed security control will contribute to organization’s strategic objectives
• e.g. a firewall might be a good security safeguard, but may prevent effective flow of multimedia data
134
Q

Behavioral Feasibility

A
– examines user’s and management’s acceptance and support of a proposed security control
• e.g. if users do not accept a new policy/technology/program, it will inevitably fail
• most common methods for obtaining user acceptance are:
  • communication – affected parties must know the purpose and benefits of the proposed change
  • education – affected parties must be educated on how to work under the new constraints
  • involvement – affected parties must be given a chance to express what they want and what they will tolerate from the system
135
Q

Technical Feasibility

A
– determine whether organization has or can acquire technology and/or necessary technical expertise to implement and support a control
• e.g. use of VPN may require special software/hardware support / installation on all computers
136
Q

Political Feasibility

A
– determines what can and cannot be done based on consensus and relationship between different departments …
• IT and Info. Sec. department might have to compete for same resources
137
Q

Relative Risk Analysis

A

Rather than using quantitative or qualitative risk analysis, an organization may resort to relative risk analysis of a control, including:
• Benchmarking – study practices used in other organizations that obtain results you would like to duplicate
• Due Care or Due Diligence – implement a minimum level of security
  • failure to maintain a standard of due care can open an organization to legal liability – especially important if dealing with customer data

138
Q

Benchmarking

A

study practices used in other
organizations that obtain results
you would like to duplicate

139
Q

Due Care or Due Diligence

A
implement a minimum level of security
• failure to maintain a standard of due care can open an organization to legal liability – especially important if dealing with customer data
140
Q

• Best Practices – implement entire set of security
controls as recommended for your
industry / general public

A
‘best practices’ according to Microsoft:
• use antivirus software
• use strong passwords
• verify your software security setting
• update product security
• build personal firewalls
• back up early and often
• protect against power surges and losses
141
Q

Gold Standard

A

implement controls beyond best
practices – for those that strive to
be ‘the best of the best’

142
Q

Cryptography

A

process/technique(s) of converting data into unintelligible form in order to ensure: confidentiality, data integrity, and authentication
• requirement 1: no data should be lost during encryption
• requirement 2: decryption should ensure perfect data recovery

143
Q

plaintext

A

original message that should be ‘protected’

144
Q

encryption algorithm

A

performs various substitutions, permutations and transformations on plaintext

145
Q

key

A

variable data that is input into encryption algorithm together with plaintext
• determines exact substitutions, permutations and transformations performed on plaintext

146
Q

ciphertext

A

scrambled message produced as output

147
Q

decryption algorithm

A

encryption algorithm run in reverse

148
Q

Process of Breaking a Cipher

A

in modern cryptography encryption/decryption algorithm
is not a secret

encryption goal: make the entire decryption process very difficult/long for attacker

149
Q

Assume a hacker does not know the key.

Can he still ‘decrypt’ a ciphertext?

A

If the key-size is N [bits], how big is the key ‘space’? nkeys = 2^N

150
Q

crypto-attack speed =

A

nkeys × t_one-decryption

BEST case for hacker:
nkeys = 1

WORST case for hacker:
nkeys = 2^N

151
Q

Factors that Influence Success of Crypto-Attack

A

brute force attack on ciphertext – all possible keys are tried until an intelligible translation into plaintext is obtained
• with current processing capabilities, 56 bit keys are not considered safe

152
Q

Is the best encryption always necessary

A

Encryption that keeps the intruder ‘busy’ for > ∆t seconds may be good enough!

153
Q

Cryptanalysis Attack Models

A

describe different possible attack scenarios – i.e., type
of access a cryptanalyst (hacker) has to a system under
attack when attempting to ‘break’ ciphertext

154
Q

passive attacks

A

hacker does NOT have access to crypto-system

155
Q

active attacks

A

hacker has access to crypto-system

156
Q

Ciphertext Only Attacks

A

goal is to find the plaintext

157
Q

Known Plaintext Attacks

A

goal is to find the key and then apply it to the entire ciphertext

158
Q

Chosen Plaintext Attacks

A

goal is to find the key

159
Q

Chosen Ciphertext Attacks

A
goal is to find the key
Any plaintext of hacker’s choice!
Any ciphertext of hacker’s choice!
Eve gets access to the system once, manages to ‘crack’ the key and then (re)uses this key to decrypt any subsequent messages ...
160
Q

History of Cryptography

A

humans have been using cryptographic techniques for
1000s of years – what have changed are the complexity
and creativity of cryptographic techniques

161
Q

Classical cryptography

A

more of an art than science
• schemes were designed in an ad-hoc manner and then evaluated based on their perceived complexity/cleverness
• true ‘strength’ of these schemes was in ‘secrecy’ of their respective protocols

162
Q

Modern cryptography

A

based on scientific foundations
• the strength is NOT in secrecy of protocols but in sound mathematical and computational principles
• it is now possible to formally argue about the security protocols
• used for more than just data confidentiality - can protect data integrity, enable user authentication, etc.

163
Q

Substitution Cipher

A

the units of plaintext (letters) are kept in the same original sequence, but the units themselves are altered

164
Q

Caesar Cipher

A

monoalphabetic substitution cipher in
which each letter in the plaintext is replaced by a letter
some fixed number of positions down the alphabet
Example: Caesar Cipher with k=3

165
Q

Caesar cipher encryption with k=3

A

Ciphertext: WKH TXLFN EURZQ IRA MXPSV RYHU WKH ODCB GRJ
Plaintext: THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG

166
Q

Caesar Cipher as an Algorithm

A
$T_i$ - i-th character of the plain text
$C_i$ - i-th character of the cipher text
i = 0, 1, 2, ..., m-1 in English
m - length of the alphabet
k - shift
Encryption: $C_i = (T_i + k) \bmod m$
Decryption: $T_i = (C_i - k) \bmod m$
NOTE:
$-b \bmod m = (-b + m) \bmod m$
167
Q

Pigpen Cipher

A

simple substitution cipher in which each
letter is replaced with a graphical symbol
 alphabet is written in 4 grids shown below
 each letter is replaced with a symbol that corresponds to
the portion of the pigpen grid that contains the letter
 used by Freemasons in the 18th Century to keep their
records private

168
Q

Polyalphabetic / Vigenere Cipher

A
complex substitution
cipher - instead of shifting each character by the same
number, characters located at different positions are
shifted by different numbers – key keeps changing!
 key (word) must be provided
 key is aligned with plaintext – key-letter determines
the value of cipher-letter
169
Q

Vigenere Cipher as an Algorithm

A
$T_i$ - i-th character of the plain text
$C_i$ - i-th character of the cipher text
$K_i$ - i-th character of the key phrase
i = 0, 1, 2, ..., m-1
m - length of the alphabet
Encryption: $C_i = (T_i + K_i) \bmod m$
Decryption: $T_i = (C_i - K_i) \bmod m$
170
Q

Vigenere Cipher - how to decipher ???

A
Key is not known, but the keyword size is n.
Plaintext: HOW ARE YOU TODAY ...
Key: MUSICMUSICMUSICMUSIC
Ciphertext: TIO ITQ SGC VAXSG
Total number of keys = $26^n$.
171
Q

Transposition Cipher

A

order of letters in the ciphertext

is rearranged according to some predetermined method

172
Q

Rail Fence Cipher

A

transposition cipher in which the
plaintext is written downwards and upwards on successive
‘rails’ of an imaginary fence
 the message is then read off in rows

173
Q

How to break a 2-rail cipher?

A

HLOWRDEL OL
Decrypting algorithm:
1) Count the letters in the cipher.
2) Divide the letters into 2 equal parts.
3) Draw/write the letters in a 2-rail zigzag pattern with
½ of the letters on the top and ½ on the bottom rail.
If number of letters is odd, add extra letter to the top rail.
H L O W R D
E L _ O L
=> HELLO WORLD

174
Q

How to break a 3-rail cipher?

A

Decrypting algorithm:
1) Count the number of letters.
2) Make an outline of the zigzag pattern with the
given number of rails and given number of letters.
3) Arrange the letters at the allocated spaces …

175
Q

Rotor Machines

A

mechanical devices for implementing
complex substitution cipher
 in widespread use 1920 – 1970 – most famous example
is German Enigma machine from World War II
 consists of keyboard (input letter), set of rotors, lights
(output letter)
 every time a key is pressed, some of the rotors change
position, producing different output letter

176
Q

Symmetric

Encryption

A

Same key!

177
Q

Public

Encryption

A

Different but

related keys!

178
Q

Symmetric Encryption –

A

private-key encryption - uses the
same secret/private key to encrypt & decrypt information
 symmetric key = shared secret – must only be known
to the communicating parties – challenge # 1
 to ensure full confidentiality in a group of N users, each
pair of users must share a unique key – challenge # 2

total number of keys required =
(N-1)+(N-2)+(N-3)+…+1 =
((N-1)*N)/2

179
Q

Symmetric Key Distribution

A

In systems deploying symmetric encryption both the number and
distribution of keys are a problem.
Solution: Key Distribution Center (KDC) - trusted 3rd party/server.
Each entity shares a secret key with KDC - N keys in total.
KDC hands out keys to each pair of communicating entities (M) on
demand, to enable confidential communication between them.
After use, keys are ‘recycled’.
total number of keys in use in the system = N + M

180
Q

Confusion vs. Diffusion

A

desired crypto properties …
 confusion = making the plaintext-ciphertext substitution
(i.e., relationship between the key and the ciphertext)
as complex and involved as possible

diffusion (permutation) = ensuring that the statistics of
the plaintext are dissipated in the statistics of the ciphertext

One block of ciphertext should not depend only on one particular
block of plaintext
181
Q

Stream Cipher

A

Symmetric Encryption
Encrypt digits (bytes) of a message one
at a time
 advantage: speed of transformation – each symbol is
encrypted as soon as it is read
 disadvantage: low diffusion – all information of a plaintext
symbol is contained in a single ciphertext symbol
 disadvantage: sensitivity to tampering – an interceptor
can splice together pieces of previous messages and
transmit a new message that looks authentic
 examples: RC4, ChaCha, FISH, SEAL, …

Improvement: pseudo-randomized key
key changes in pseudo-random manner – hard for attacker to predict,
yet fully known to communicating parties

182
Q

Block Cipher

A

data is divided into fixed length blocks
– all block bits are then acted upon to produce an output
 advantage: high diffusion – information from one
plaintext symbol is diffused into several ciphertext
symbols
 disadvantage: slowness of encryption – an entire
block must be accumulated before encryption /
decryption can begin => slows down real-time app.
 examples: DES, 3DES, AES

183
Q

DES

A
Data Encryption Standard
 one of the first widely used
symmetric-key block ciphers
 initially proposed by IBM (1974), later
modified & adopted by US National Bureau
of Standards (1977) as an official Federal
Information Processing Standard (FIPS)
 takes a 64-bit block of plaintext
and a 56-bit key to produce
a ciphertext block of 64 bits
 in 1999, Electronic Frontier Foundation
managed to break DES in 22 h, 15 min
 officially retired in 2005
 3DES attempted to solve the problem
With today’s computing power, DES can be broken within seconds!!!
184
Q

DES – Data Encryption Standard

 algorithm:

A
1) plaintext is fractioned into
64-bit blocks
2) each block is broken into two
parts – left (L) and right (R)
3) permutation and substitution
are repeated 16 times/rounds
4) each round also uses a 48-bit
subkey from the original 56-bit
key
5) in the end, two parts are rejoined
and undergo inverse initial permutation
In 3DES, there are 3 x 16 rounds of these
permutations & substitutions
185
Q

Triple DES = TDES = 3DES

A

 symmetric-key block cipher
which applies DES 3 times
to each data block =
Encrypt + Decrypt + Encrypt
Ciphertext = $E_{K3}(D_{K2}(E_{K1}(\text{Plaintext})))$
 proposed in 1978,
accepted as FIPS in 1999
 a simple method of strengthening (increasing key size of)
DES, without the need to design a completely new algorithm
 current use – electronic payment industry (until 2023!)

186
Q

Triple DES Keying Options

A
Option 1: all three keys are
independent
* total key size = 168 bits
* effective security = 112 bits
* strongest
 Option 2: K1 and K2 are
independent, K3=K1
* total key size = 112 bits
* effective security = 80 bits
* retired in 2015
 Option 3: all three keys the same K1=K2=K3
* total key size = 56 bits
* weak – just a ‘very slow’ version of regular DES
* not approved
187
Q

Meet-in-the-Middle Attack on 2DES

A

 theoretical brute-force complexity: 2x56=112-bit key space
 applies to any block-cipher that is sequentially processed (i.e.,
attempts to increase ‘strength’ by adding multiple components/stages)
* instead of focusing only on input/plaintext & output/ciphertext of entire
chain/system, transitional value(s) between components are utilized
 attack works only if a known plaintext-ciphertext is given !!
[Figure: 2DES (112-bit key) with transitional values X1 and X2 – But which key was used ?? E.g., store in a hash table that allows quick search.]

188
Q

Triple DES – Pros and Cons

A

3DES, key option 1, still in use, but will be deprecated in 2023
* many devices in the financial industry (e.g., POS terminals)
as well as networking equipment (e.g., firewalls) use 3DES
and are challenging to upgrade
 DES was designed for efficient hardware implementation -
software implementation is very slow, 3DES even slower
 DES and 3DES use 64-bit block size – to improve efficiency
and security larger block sizes would be preferable

189
Q

AES

A

Advanced Encryption Standard
 NIST issued call for a 3DES replacement in 1997 with
requirements:
* symmetric block cipher
* block size 128
* key lengths 128, 192 or 256
 initially 15, then 5 competing standards were evaluated
 Rijndael cipher was selected as the most suitable for AES
 AES became a US FIPS in November 2001
 AES is intended to replace 3DES, but this process is taking
longer than expected …

190
Q

AES Facts

A

Like DES, AES is an iterated block cipher in which a block
of plaintext is subject to multiple rounds of processing, with
each round applying the same overall function.
 Unlike DES, AES applies transformation operation to the entire
incoming block in each iteration, while in DES one-half of incoming
block passes unchanged.
 Unlike DES which is bit-oriented, AES is byte-oriented ⇒ allows
convenient and fast software implementation.
 Unlike DES, where 1/64 bits of a plaintext affected roughly 31/64
bits of the ciphertext, in AES (due to shift-row and mix-column
steps) each bit of the plaintext affects every bit of the ciphertext.

191
Q

How to protect passwords on/in a system …

A

Is use of symmetric encryption
with a single master encryption key
a good way to
protect passwords in a system ??

192
Q

Target and 3DES

A

On Dec. 23, 2013, Target confirmed malware was to blame for
an infection of its point-of-sale system that likely exposed
details associated with 40 million debit and credit cards (50GB
of encrypted data) between Nov. 27 and Dec. 15.
In its statement, Target notes that:
“The most important thing for our guests to know is that their
debit card accounts have not been compromised due to the
encrypted PIN numbers being taken.”
“… PINs are encrypted at the keypad with what is known as
Triple DES” - a standard the retailer refers to as being highly
secure and used broadly throughout the U.S.
“Most people object to 3DES because it’s an ancient algorithm that was
designed as a patch for (now broken) DES until AES was finalized,” …
“Now we’ve had AES for more than a decade, it’s questionable why we’d
be using 3DES.”

193
Q

Encrypting PIN Pad

A

An Encrypting PIN Pad is an apparatus for encrypting an identifier such as
a PIN as soon as it is entered on a keypad. These are used in ATM and POS
terminals to ensure that the unencrypted PIN is not stored or transmitted
anywhere in the rest of the system and thus cannot be revealed accidentally
or through manipulations of the system.

194
Q

Should passwords be encrypted?

A

3DES decryption is time consuming as it
requires the search through 168-bit key space!
Plus, passwords are hard to validate (likely not plain English words).

But, what if ‘chosen plaintext’
attack is conducted ??

If hacker knows one pin (e.g., his own) and its respective ciphertext,
he can conduct (faster) Meet-in-the-Middle attack, and once he finds
the key, he can crack all other pins from the same POS device!

195
Q

Asymmetric Encryption

A
aka Public-Key Encryption –
involves the use of two separate but related keys:
public key and private key
 public key is made public
for others to use, private key
is known only to its owner
 either key can encrypt a
message – the other key
must be used for decryption
 first truly revolutionary advance in encryption, with
profound consequences in the areas of
* confidentiality
* authentication
* key distribution
196
Q

Keys in asymmetric cipher system …

A

Public key is sent only to other people/entities with whom
Alice wants to confidentially communicate !!!

The overall number of different keys generated (in the ‘existence’):
$O(2 \cdot N) = O(N) \ll O(N^2)$

197
Q

Asymmetric Encryption: Mode 1.a)

Protection of Confidentiality: Alice receives message from Bob

A

(1) Each user generates a pair of keys.
(2) Each user places one of the keys in a public register -
this becomes the public key; the other is private key.
(3) If Bob wishes to send a
private message to Alice,
he uses Alice’s public key.
(4) To decrypt Bob’s message,
Alice uses her private key.
No other recipient can
decrypt Bob’s message
as only Alice knows her key.

198
Q

Symmetric vs. Asymmetric Encryption

A

common
misconceptions
(1) public-key encryption is a general-purpose technique
that has made symmetric encryption obsolete
* public-key encryption is versatile but very slow –
symmetric encryption is still needed for encryption
of large messages!
* public-key encryption is used for authentication,
digital signatures, and exchanges of secret keys!
(2) exchange of asymmetric/public keys is much simpler
than exchange of symmetric/secret keys
* both schemes require a well established system and
protocols

199
Q

Diffie-Hellman

A

first published public-key encryption
algorithm (1976)
 currently used in TLS (Transport Layer Security), SSH,
IPSec protocols
 purpose: enable two users to securely reach agreement on
(i.e., generate) a secret key for subsequent symmetric
encryption without the involvement of a Key Dist. Cent. (KDC)
 property: private key A and public key B generate the
same result as private key B and public key A

200
Q

Diffie-Hellman

A

(1) Before establishing a symmetric key, two parties choose/obtain
two integer numbers:
p – large prime number with 1024 bits (300 decimal digits)
g – base or generator (primitive root of mod p) – often 2, 3, 7
(2) Alice chooses a large random number x (1 ≤ x ≤ p-1)
and calculates $R_x = g^x \bmod p$.
(3) Bob chooses another large random number y (1 ≤ y ≤ p-1)
and calculates $R_y = g^y \bmod p$.
(4) Alice sends Bob $R_x$, Bob sends Alice $R_y$.
(5) Alice calculates $K = (R_y)^x \bmod p$.
(6) Bob calculates $K = (R_x)^y \bmod p$.
$K = (g^y \bmod p)^x \bmod p = (g^x \bmod p)^y \bmod p = g^{xy} \bmod p$

201
Q

Diffie-Hellman key calculation

A

Assume that p = 23 and g = 7.
1. Alice picks x = 3 and calculates $R_1 = 7^3 \bmod 23 = 21$.
2. Bob picks y = 6 and calculates $R_2 = 7^6 \bmod 23 = 4$.
3. Alice sends the number 21 to Bob.
4. Bob sends the number 4 to Alice.
5. Alice calculates $K = 4^3 \bmod 23 = 64 \bmod 23 = 18$.
6. Bob calculates $K = 21^6 \bmod 23 = 85766121 \bmod 23 = 18$.
7. The value of K is the same for both Alice and Bob.
$g^{xy} \bmod p = 7^{18} \bmod 23 = 18$.

202
Q

With DH algorithm
if n people were to securely communicate
$O(n^2)$ messages would still
have to be exchanged.

A

No built-in mechanism to

authenticate other users!!!

203
Q

RSA

A

Rivest, Shamir, Adleman (1978, MIT)
 first practically deployable public-key algorithm for
secure data transmission and other applications
 was patented, but patent expired in 2000
 RSA Security LLC – manufactures security solutions
deploying RSA, was later sold to Dell …
 spin-off company: VeriSign (1995), bought by Symantec and now
DigiCert
 based on practical difficulty of factoring the product
of two large prime numbers
 like DH uses modulus arithmetic, but in a different way
DH is used to generate a secret key [key agreement] …
RSA is used to exchange a secret key [key transport] …
for subsequent symmetric encryption.

204
Q

Internet protocols that use RSA

A

TLS, SSH, IPsec

205
Q

RSA

A

basics of the math behind key establishment
(1) Choose two random large prime numbers p and q.
The larger the numbers, the more difficult it is to break RSA,
but the longer it also takes to perform encoding and decoding!!!
RSA Laboratories recommends that the product of p and q
be 1024 bits long.
(2) Compute n = p⋅q and z = (p-1)⋅(q-1).
(3) Choose a number e < n with no common factors with z
other than 1. (e,n) – used in encryption, public key.
(4) Find a number d such that ed-1 is exactly divisible by z.
That is, choose d such that ed mod z = 1.
(d,n) – used in decryption, private key.
(5) $K_{public}$ = (n, e), $K_{private}$ = (n, d)

206
Q

prove rsa

A
RSA – the basics of the math ...
 how can we prove:
1) modulo rules allow:
2) theory of large prime numbers allows:
$P = (P^e \bmod n)^d \bmod n = (P^{ed} \bmod n) \bmod n = P^{ed} \bmod n = P^{ed} \bmod n = P$ - when P
207
Q

RSA – important properties

A

1) Given (e, n) = $K_{public}$ it is/should be impossible to
compute (d, n) = $K_{private}$.
2) The public and private keys are ‘commutative’.
$K_{public}(K_{private}(P)) = K_{private}(K_{public}(P)) = P$
$K^+(K^-(P)) = K^-(K^+(P)) = P$
provided p and q are properly randomized !!!

208
Q

RSA used to encrypt 8-bit messages

A
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).
Encrypt (e,n): m = 12, $m^e$ = 24832, $c = m^e \bmod n$ = 17
Decrypt (d,n): c = 17, $c^d$ = 481968572106750915091411825223071697, $m = c^d \bmod n$ = 12
Encrypting 8-bit message: $0000\ 1100_2 = 12_{10}$.
Plaintext must be converted to a decimal number!!!
209
Q

RSA used to encrypt letters

A
Jennifer creates a pair of keys for herself:
p=397 and q= 401 => n=159197 and z= 158400.
She then chooses e=343 and d=12007.
Show how Ted can send a 2-letter text message to
Jennifer if he knows e and n.
Each letter encoded as a 2-digit
number between 0 and 25,
instead of using ASCII values (65 – 90).
Not necessary to encrypt each letter/number separately
210
Q

Application of RSA Cryptography

A

 protect. of data confidentiality & user/message authenticity
 other possible more common uses:
a) digital envelopes = fast exchange of confidential
messages (secret message & secret key sent at once)
b) digital signature =
message integrity + message authentication, where
message integrity – guarantees that the message
has not been changed
message authentication – authenticates the sender
of the message

211
Q

Digital Envelope

A

use of asymmetric encryption
for fast exchange of confidential messages
1) generate random symmetric key $K_{symmetric}$
2) encrypt message using $K_{symmetric}$ – digital letter
3) encrypt $K_{symmetric}$ using receiver’s public key $K^+$ - protective
digital envelope
4) send the two together !!!

212
Q

Digital Signature

A
use of asymmetric encryption to
protect message integrity + sender authenticity
[Figure: Public Key; A+, A-]
In some cases the confidentiality is not required (data sent in
plaintext) but we want to be able to ensure .
213
Q

RSA Application (cont.)

A

Example: Public encryption for all three – message
integrity, authentication and confidentiality
(digital signatures + confidentiality)

214
Q

Reliable Public-Key Distribution

A

must involve a trusted
third party
 Certificate Authority – a trusted government agency or a
for-profit institution that issues Digital Certificates
 IdenTrust, DigiCert, GlobalSign, …
 Digital Certificate – digital document that binds a public
key to an identity (person or organization) and contains

215
Q

Message Encoding vs. Encryption vs. Crypto. Hashing

A

all three transform message into another ‘format’
 encoding and encryption are reversible, hashing is not!
1) message encoding – transforms data to another format
so that it can be properly/safely consumed by a different
type of system
 does not aim to keep information secret
 does not require a key
 encoding scheme is publicly available and relatively simple/fast
to perform

2) message encryption – transforms data to another
format that cannot be easily consumed by anybody
but the intended recipient(s)
 aims to keep information secret
 requires a key
 encryption scheme is publicly available but quite complex
to perform/break
3) message hashing – used to validate the integrity of
a given content by producing a fixed-length string with
following attributes:
 does not require a key
 hashing algorithms are publicly available
 the same input will always produce the same output
 any modification to the input should result in a drastic
change to the output
216
Q

Message Integrity

A

accomplished through the use
of cryptographic hash functions
 hash function creates a small fixed-size digital
‘summary’ of the message that can be used as a
message fingerprint, aka hash or message digest
 typical hash size: 128, 160, 256, 512 bits
 popular standards:
(a) Message Digest 5 (MD5) – no longer secure
(b) Secure Hash Algorithm (SHA-2: SHA 256 & SHA 512)

217
Q

Hashing (cont.)

 Hash Function Criteria

A

to be eligible for a hash
a function needs to meet 6 important criteria:
 Hash function h can be applied to block of data of
any size.
 Hash function h produces a fixed-length output.
 h(M) is relatively easy to compute for any given M,
making both hardware and software implementation
practical.
 Collision Resistance.
 Preimage Resistance.
 Second Preimage Resistance.

218
Q

collision

A

two messages create the same digest

219
Q

Collision Resistance or Strong Collision Resistance:

A

must be extremely difficult to find any two M and M’
such that h(M) = h(M’)
 if strong collision is possible => digital signatures
become meaningless
 also relevant to online password cracking

220
Q

Preimage Resistance or One Wayness

A

given a
hash function h and y=h(M), it must be extremely
difficult for Eve to find any message M’ such that
y=h(M’)
 we should not be able to work ‘backwards’ and
(re)create the original message from a given hash
 relevant for off-line password cracking

221
Q

Second Preimage Resistance or Weak Collision

Resistance

A

given M and its hash h(M) it should be
extremely difficult for Eve to find a second/another
message M’ such that h(M)=h(M’)
 property intended to prevent an adversary from
appending a falsified message to a given hash

222
Q

WHO Protects Information in Digital Age & WHY?

A

companies: trade secrets, intel. prop., customer records, …
 governments: classified information, citizen records, …
 individuals: personal & sensitive information (protect
from hackers and/or authorities)

223
Q

Information Protection in Digital Age

A

Techniques
of digital information protection can be grouped in two
major categories:
 Information Encryption
 the content is ‘scrambled’ using a crypto-key, so it becomes
meaningless
 however, the presence of information is ‘obvious’
 no matter how ‘unbreakable’, encrypted message will arouse
suspicion
 Information Hiding
 the goal is not just to prevent others from accessing hidden
information, but to make others unaware of the very existence
of the hidden information

224
Q

Encryption vs. Information Hiding

A

unauthorized users will be aware
of the existence of confidential data
but will not be able to ‘read’ it

the actual existence of
the confidential data
is entirely obscured
from unauthorized users

Can be used when protecting both –
data ‘at rest’ and data ‘in transit’ !

225
Q

Mimikatz is a

A

leading post-
exploitation tool that dumps
passwords from memory, as well as
hashes, PINs and Kerberos tickets

226
Q

Warhead

A

small hard-
to-detect
piece of code

227
Q

Steganography

A

steganography - Greek word for “concealed writing”
 art and science of hiding information in some cover media
for the purpose of protecting information confidentiality
 digital steganography – cover media: image, text, audio, video

unauthorized users cannot find/read confidential info
228
Q

Watermarking

A

also aims to make information invisible, but for the purpose
of protection of intellectual property

unauthorized users
cannot use or
appropriate
somebody’s IP

229
Q

Fingerprinting

A

embedding user-unique marking to different copies of content
for the purpose of tracking of intellectual property

users can be
tracked/identified

230
Q

Watermarking vs. Digital Fingerprinting

A

The main difference between watermarking and fingerprinting is that the WM
remains the same for all copies of the IP while the FP is unique for each copy.
As such, FPs … enable tracking of IP misuse conducted by a specific user.

231
Q

History of Steganography

A

the need to protect
information from unsolicited access, by making it
obscure, precedes our digital age
 in ancient Greece, a message would be tattooed on the
shaved head of a messenger; the hair would be grown over
 in era of printed press, different typefaces were used to
‘encode’ a message
 in WW2, the French resistance used invisible ink (e.g., wax)
to write messages on the back of regular courier

232
Q

Digital Steganography

A

process of hiding information in digital multimedia files
and in network packets
 elements of digital steganography system include
 cover media (C) that will hold the hidden data
 secret message (M) - may be plain text or any other type of data
 stego function ($F_e$) and its inverse ($F_e^{-1}$)
 an optional stego-key (K) or password to hide and unhide the
message
 stego object (S) = cover media + secret message

233
Q

What Makes Steganography Work?

A

digital steganography takes advantage of
1) space redundancy in cover media
2) data redundancy in cover media in combination with
inherent weaknesses of human perception
 e.g., in computer/text file steganography, information can
be hidden in unused areas of the file/text
 e.g., in image steganography, information can be embedded
in the Least Significant Bits (LSBs) of an image (introduced
change is insignificant for human eye)
 e.g., in audio steganography, information can be embedded
in high frequencies of audio spectrum (human ear is insensitive
to slight variations in high audio frequencies)

234
Q

Plaintext Steganography:

Use of Selected Characters in Cover Media

A

sender sends
1) text message / text file = stego object
2) a series of integer numbers = key
 secret message is hidden within the respective
positions of subsequent words in cover media
The weather is sunny and wonderful.
They have gone running at the beach.
2 2 1 1 2 2 1 1 4 1 0 0 2
He is not here.

235
Q

Plaintext Steganography:

Line Shifting or Word Shifting in Cover Media

A

e.g., lines are shifted down by a small fraction
 shift present = 1, shift not present = 0
 e.g., words are shifted right by a small fraction
 shift present = 1, shift not present = 0
 encoded bits are extracted and compared against
a predefined Codebook

236
Q

Digitized Image

A
Image is broken into a finite
number of areas that contain
the same color/shade.
There is a finite number of
colors/shades available.

any image can be digitized – i.e., represented by a discrete
(finite) set of display elements holding same-color content

237
Q

Digital Image

A
a 2D (NxM) array/grid
of m-bit pixels
238
Q

Pixel

A
fundamental same-color display element
in a digital image
 each pixel is made up of one or more bits
 monochrome image: pixel = 1 bit =>
(black/white)
 grayscale image: pixel = 8 bits =>
256 shades of gray
 RGB image: pixel = 24 bits =>
8 bits for each – red, green, blue =>
16777216 different color shades
239
Q

What is the size (in kbytes and KBytes) of a grayscale image

comprising 200x300 pixels?

A

200 x 300 x 8 = 480,000 bits
= 60,000 bytes
= 60 kbytes
= 58.59 KBytes

kbyte = $10^3$ bytes = 1000 bytes
KByte = $2^{10}$ bytes = 1024 bytes
240
Q

Bits in a Pixel

A

relative importance
of different pixels is different
 LSB – least significant bit – last bit
 MSB – most significant bit – 1st bit

LSB carries the least
information – it changes
most rapidly
 MSB carries the most
information – it changes
least rapidly
241
Q

Image Steganography:

Use of LSB to hide ‘image in image’

A

easiest and surprisingly effective way of hiding
information in an image
 LSB(s) of each pixel in cover object/image are used to
hide the most significant bits of another image
 algorithm:
(1) load up host image and image to hide
(2) choose the number of LSBs you wish to hide
the secret image in
more bits used
=> better quality of hidden image
=> more distortion in cover image
(3) to get original image back, pick out the LSBs
according to the number used in (2)

242
Q

fewer LSB bits used

A

‘hiding’ capacity low –
better stego-image
worse recovered image

243
Q

The entropy of
local attributes
measures

A
the (un)predictability of a region with respect to
an assumed model of simplicity.
244
Q

Pattern of LSB Embedding

A

secret bits can be
embedded in LSBs of cover image in two ways:
 sequentially
 simple embedding & extraction of secret bits
 statistics of cover image abruptly changed - easy to detect
 randomly
 the key to generate pseudorandom numbers must be sent
 secret bits scattered throughout cover image - hard to detect

245
Q

is ‘random’ choice of pixels an ideal approach to

information hiding in an image ???

A
Should not ‘mess up’ pixel values in
areas of ‘low entropy’.
What is a better place to hide secret bits:
- same-color background
- part of image with lots of detail ???
246
Q

Image Steganography:

Use of Discrete Cosine Transform (DCT)

A

DCT is one of key components of JPEG compression
 JPEG algorithm:
(1) image is split into 8x8 pixel squares
(2) each square is transformed via DCT to
64 frequency components
(3) each DCT coefficient is quantized against
a reference table – many bits get removed
 more bits are used for low-freq. and fewer
for high-freq. components
(human eye is more sensitive to low-freq. info)
(4) many coefficients are (now) close in value =>
run/variable length coding can be used

247
Q

Image Steganography:

Use of Discrete Cosine Transform (DCT) - cont.

A

Possible Approaches to Hiding Data in DCT
(A) hide secret data in LSBs of selected or non-
significant DCT coefficients (high frequencies)
(B) hide secret data in LSBs of DCT coefficients
(C) hide one bit of data in each 8x8 block of DCT:
0 => all coefficients even
1 => all coefficients odd

248
Q

Audio Steganography:

Least Significant Bit (LSB) Coding

A

LSB of each audio sample is replaced with a secret bit

249
Q

Audio Steganography:

Spread Spectrum

A

secret bit is spread across cover audio in form of

high-frequency noise

250
Q

IP Datagram Steganography:

Using Identification Field in IP Packet

A

IP Identification Field = 16 bits long - used to uniquely

identify an IP packet - useful in case of fragmentation

251
Q

Datagram Steganography:

Using Sequence Number in TCP Packets

A

TCP Sequence Number = 32 bits - keeps track of

byte order in payload - useful in payload reassembly

252
Q

Magic Triangle of Data Hiding Techniques

A

outlines
different goals / trade-off of digital steganography
 capacity: how many bits can be hidden in a cover image
 imperceptibility: how easy it is to spot hidden data
 robustness: hidden message in stego-object unaffected by
 rotation
 compression
 cropping
 additive noise
[Figure: tradeoff triangle of ‘data hiding’ features – CAPACITY, ROBUSTNESS, IMPERCEPTIBILITY (invisibility / secrecy)]

253
Q

Data Hiding Tech.: Evaluation

A

Example: tradeoff triangle –

steganography vs. watermarking

254
Q

Additional Requirements on Data Hiding Techniq.

A

security: embedded info. cannot be removed unless attacker
has the full knowledge of algorithm and/or secret key
 extraction complexity: computational effort/time to extract
hidden information
 embedding complexity: computational effort/time to embed
hidden information

255
Q

Watermarking

A

Process Components / Terminology
 Watermark (W)
 each owner has a unique watermark (e.g., ‘layer’ of 1 bit/pixel)
 Marking Algorithm
 incorporates the watermark into the image
 Verification Algorithm
 determines the integrity/ownership of the image

256
Q

Watermarking - Categories

 Private vs. Public

A

Private – a secret key was used in watermarking process
=> only authorized users can recover it
(can be used by owner to demonstrate ownership
once he discovers illicit use)
 Public – anyone can read watermark – key is not a ‘secret’
(can be used to actually discover all illicit uses –
e.g., by providing the watermark key to search
crawlers)

257
Q

BluStealer

A

is a new information-stealing malware that contains the functionality to
steal login credentials, credit card data, cryptocurrency and more. This harvested
data is returned to the attacker via SMTP and the Telegram Bot API.
ChromeRecovery begins by scanning the infected machines for any potential login
credentials for web browsers, FTP clients and email clients. In the screenshot below,
the malware can be seen searching through the directories of various well known
web browsers, including Chrome™ and Opera

258
Q

Software Keylogger –

A

captures keystrokes

in a compromised system

259
Q

Hardware Keylogger

A

Not ‘classical’ malware – does not require any software or drivers to be
installed on the victim machine.
Logger is plugged in between USB keyboard (connector) and USB port.
All keyboard activity is logged to its internal memory.
Effective against antivirus protection; no ‘physical trace’ stays on the
victim machine => challenge for forensics analysis!

260
Q

Memory (RAM) Scraper –

A

Steals data when processed in memory
• best place to steal data - everything is decrypted

261
Q

Desktop Recorder –

A

takes screenshots of the desktop (e.g.) when mouse clicked or keyboard pressed
• disadvantage: amount of data that needs to be stored / transmitted

262
Q

RANSOMWARE

A

RANSOMWARE – holds data or access to systems containing data until the victim pays a ransom
• subcategories of ransomware based on implementation
Threat Events: Software Attacks (cont.)
1) CryptoLockers – victim’s data or entire hard drive gets encrypted
2) ScreenLockers – user is locked out and denied login to the system

263
Q

SCAREWARE

A

malicious programs that aim to scare users into installing a program and sometimes even paying for it
• program is ‘supposed’ to solve a problem that does not exist!

264
Q

SPYWARE

A

Software that spies on users by gathering information without their consent, thus violating their privacy
• example: Zango – transmits detailed information to advertisers about Web sites you visit
• legal spyware – parental monitoring of Internet usage by children

265
Q

ADWARE

A

software that
delivers advertising content
in a manner that is unexpected
and unwanted by the user

266
Q

Password Cracking

A

can be ‘on-line’ and ‘off-line’
• off-line crackers attempt to reverse-calculate a password
• requires that a copy of Security Account Manager (SAM) - a registry data file - be obtained
• SAM file (c:\windows\system32\config\SAM) contains the hashed representation of the user’s password – LM or NTLM hash algorithms are used
• cracking procedure: hash any random password using the same algorithm, and then compare to the SAM file’s entries
• SAM file is locked when Windows is running: cannot be opened, copied or removed (unless pwdump is run by the administrator)
• off-line copy of SAM’s content can be obtained (e.g.) by booting the machine on an alternate OS such as NTFSDOS or Linux

267
Q

types of password cracking attacks

A

• brute force – every possible combination/password is tried
• dictionary – a list of commonly used passwords (the dictionary) is used
• guessing – the attacker uses his/her knowledge of the user’s personal information and tries to guess the password

268
Q

Denial of Service (DoS)

A

attacker sends a large number of requests to a target
• target gets overloaded and cannot respond to legitimate requests
• distributed DoS = DDoS - a coordinated stream of requests is launched from many locations (zombies) simultaneously
• zombie/bot – a compromised machine that can be commanded remotely by the master machine
• botnet – network of bots + master machine

269
Q

Mafiaboy story - DDoS

A

In 2000, a number of major firms were subjected to a devastatingly effective distributed denial-of-service (DDoS) attack that blocked each of their e-commerce systems for hours at a time. Victims of this series of attacks included: CNN.com, eBay, Yahoo.com, Amazon.com, Dell.com, ZDNet, and other firms.
The Yankee Group estimated that these attacks cost $1.2 billion in 48 hours:
$100 million from lost revenue
$100 million from the need to create tighter security
$1 billion in combined market capitalization loss.
At first, the attack was thought to be the work of an elite hacker, but it turned out to be orchestrated by a 15-year-old hacker in Canada.
He was sentenced to eight months detention plus one year probation and a $250 fine.

270
Q

Spoofing

A

insertion of forged Internet identification data in order to gain an illegitimate advantage (in packets, web-requests, emails)
• types of spoofing
  - IP Spoofing – creation of IP packets with a forged source IP address, e.g. for the purpose of ‘passing through’ a firewall

271
Q

Email Address Spoofing

A

creation of email messages with
a forged sender address, e.g. for the purposes of social
engineering and data phishing

272
Q

types of spoofing (cont.)

A

Referrer or User Agent Spoofing – creation of HTTP requests
with forged fields in order to gain access to a protected web-site
* some sites allow access to their material only from certain
approved (login) pages and/or only to humans

273
Q

Sniffing

A
use of a program or device that can monitor data traveling over a network
• unauthorized sniffers can be very dangerous – they cannot be detected, yet they can sniff/extract critical information from the packets traveling over the network
• wireless sniffing is particularly simple, due to the ‘open’ nature of the wireless medium
• popular sniffers:
  - Wireshark – wired medium
  - Cain & Abel – wireless medium
  - Kismet – wireless medium
274
Q

Man-in-the-Middle Attacks

A

gives an illusion that two computers are communicating with each other, when actually they are sending and receiving data with a computer between them
• spoofing and/or sniffing can be involved
• examples:
  - passive – attacker records & resends data at a later time (acts as a signal/packet repeater)
  - active – attacker intercepts, alters and sends data before or after the original arrives to the recipient

275
Q

DNS Poisoning (active Man-in-the-Middle attack)

A

Domain Name System (DNS) poisoning and spoofing are types of cyberattack that exploit DNS server vulnerabilities to divert traffic away from legitimate servers towards fake ones. Once you’ve traveled to a fraudulent page, you may be puzzled on how to resolve it — despite being the only one who can. You’ll need to know exactly how it works to protect yourself.

DNS spoofing and by extension, DNS cache poisoning are among the more deceptive cyberthreats. Without understanding how the internet connects you to websites, you may be deceived into thinking a website itself is hacked. In some cases, it may just be your device. Even worse, cybersecurity suites can only stop some of the DNS spoof-related threats.

276
Q

Social Engineering

A

process of using social skills to manipulate people into revealing vulnerable information
• either by believing that an email came from a legitimate person or believing that a web-site is the real web-site, or both!
g) Phishing – involves fake/spoofed emails + …
• attempt to gain sensitive personal information by posing as a legitimate entity
• SIMPLE PHISHING: an email is sent to the victim informing them of a problem (e.g. with their email or banking account) and asking them to provide their username, password, etc.;
  ‘From’ email address is spoofed to look legitimate, ‘Reply To’ email address is an account controlled by the attacker

277
Q

SOPHISTICATED PHISHING

A

An email is sent to the victim containing a link to a bogus website that looks legitimate
Example: Phishing using URL Links Embedded in HTML-based Emails

278
Q

Pharming

A

involves a fake Web-site (remember Lab 1)
• phishing is accomplished by getting users to type in or click on a bogus URL
• pharming redirects users to false website without them even knowing it – typed in or clicked on URL looks OK
• performed through DNS poisoning – user’s local DNS Cache or DNS server are ‘poisoned’ by a virus

279
Q

Biggest Challenge of – How much security?!

Information Security

A

Information security should balance protection & access
- a completely secure information system would not allow
anyone access!

280
Q

Worm propagation

A

Consider a network consisting of N machines and a worm that uses the ‘local network’ propagation model. In particular, at time t=0, the worm has infected only 1 machine. In each subsequent minute, every infected machine contacts and successfully infects k=2 other machines on the same network. (You can also assume:
1) All the machines in this network are ‘vulnerable’ to the given worm.
2) The worm is ‘smart’ so that an infected machine never tries to infect another infected machine.)
If N = 200, how many minutes does it take to infect all the machines in the system?
Solution
1st minute: 1 old + 2 new infected = 3 infected machines
2nd minute: 3 old + 3×2 new infected = 9 infected machines
3rd minute: 9 old + 9×2 new infected = 27 infected machines
4th minute: 27 old + 27×2 new infected = 81 infected machines
5th minute: 81 old + 81×2 new infected = 243 infected machines

281
Q

WORM

A

state of worm technology
i) multi-platform / cross-platform - target a variety of
platforms / OSs
ii) multi-exploit - penetrate systems in a variety of
ways (through email, browsers, file sharing, …)
iii) ultrafast spreading - use various techniques to identify as many vulnerable machines as possible in a short period of time
iv) polymorphic
v) metamorphic
vi) multi ‘transport vehicle’ - can carry a variety of
payloads (rootkits, spam generators, bots, etc.)
vii) zero-day exploit - try to exploit new/unknown
vulnerabilities

282
Q

Nimda (2001)

A

first multi-exploit worm – used 5 different infection paths:
* via email
* via browsing of compromised web
sites – an injected java-script would
allow the downloading of Nimda
* via open network shares on LANs
* via exploiting of vulnerabilities in
Microsoft’s IIS server
* via back doors left behind by the Code Red
Nimda cost an estimated $635 million in damages.
https://www.techrepublic.com/article/learn-what-nimda-worm-does-and-how-to-combat-it/
https://www.eweek.com/security/nimda-takes-over-the-net/
Nimda itself does not contain a destructive payload beyond modification of
Web content to continue to propagate itself.
DoS may occur because of the volume of e-mail traffic triggered by this
worm, but it doesn’t appear to be targeting specific systems with a DoS attack.

283
Q

Stuxnet (2010)

A

a highly sophisticated worm that used a variety
of advanced techniques to spread, including:
- by the use of shared infected USB drives (spreads even
between computers that are not connected to the Internet);
- by connecting to systems using a default SQL database password;
- by searching for unprotected administrative shares of systems
on the LAN; …
While it was programmed to spread from system to system, it
was actually searching for a very specific type of system to
execute – programmable logic controller (PLC) system made by
Siemens and run on devices that control and monitor industrial
processes. When it found such a system, it executed a series
of actions designed to destroy centrifuges attached to the
Siemens controller.

284
Q

Zero-Day Vulnerability

A

a computer-software vulnerability
NOT known to or addressed by the vendor and users of the
vulnerable software

285
Q

Common Vulnerability Exposure (CVE) –

A

program launched in 1999 by MITRE to identify and catalog vulnerabilities in software and firmware
• MITRE – US non-profit funded by Cybersecurity and Infrastructure Security Agency, part of the US Department of Homeland Security
• CVE database – list of publicly disclosed computer security flaws
• CVE entry/report – brief description of a reported vulnerability – does not include technical data or information about risk and fixes
• CVE reports can come from anywhere: a vendor, a researcher, a clever user …
• CVSS = CV Scoring System - set of open standards for assigning a number/score to a vulnerability to assess its severity [ scores range from 0 to 10 ]

286
Q

TROJAN HORSE

A
malware that looks legitimate and is advertised as performing one activity but actually does something else; it does NOT self-replicate
• example: AOL4Free - advertised free access to AOL Internet Service; would delete hard drive
• common types of Trojans:
  - destructive – designed to destroy data or kill the system – not common today
  - remote access – designed to give an attacker control over the victim’s system (client-server model)
  - data sending – designed to capture and redirect data (keystrokes, passwords, ...) to an attacker
  - Denial of Service – designed to conduct a DoS attack on a predefined IP address
  - FTP – designed to set up the infected system to serve as an FTP server for illegal software, pirated movies and music, etc.

287
Q

Most Trojans do not ‘damage’

A

the host computer,
but instead use its resources
for illegal purposes
through a client-server connection.

288
Q

How can we detect a Trojan?!

A

most Trojans ‘exfiltrate’ or ‘infiltrate’ data to/from remote machines (over the Internet)

common techniques of Trojan detection:
• on the infected computer – run netstat and look for unusual ports and connections
• from the infected network – scan the network with nmap and look for systems with unusual open ports
289
Q

LOGIC BOMB

A

malware typically installed by an authorized
user; lies dormant until triggered by a
specific logical event; once triggered, it can
perform any number of malicious activities
• trigger events:
1) a certain date reached on the calendar –
check for organization payroll data;
2) a person was fired – files deleted once his
account got disabled

290
Q

Roger Duronio story – logic bomb

A

In 2002, a disgruntled system administrator for UBS Investment Bank
was accused of planting a logic bomb shortly before quitting his job.
The bomb had been designed to wipe out 2,000 files on the main
servers for UBS, and cripple the company.
His plan was to drive down the company’s stock, and eventually profit
from that (put option contract).
During the downtime caused by the logic bomb, brokers could not
access the UBS network or make trades. According to one employer:
“Every branch was having problem. Every single broker was
complaining. They couldn’t log onto their desktops and [get to] their
applications because the servers were down. …”
In 2006, Duronio was convicted and sentenced to 8 years and 1 month
in prison as well as $3.1 million restitution to UBS.

291
Q

ROOTKIT

A

stealthy software with root/administrator privileges – aims to modify the operation of the OS in order to facilitate nonstandard or unauthorized functions
• unlike a virus, a rootkit’s goal is not to damage the computer directly or to spread, but to hide the presence and/or control the function of other (malicious) software
• since rootkits change the OS, the only safe and foolproof way to handle a rootkit infection is to reformat the hard drive and reinstall the OS

292
Q

Sony story – rootkit

A

In 2005, Sony included a rootkit program, Extended Copy Protection (XCP), on many of its music CDs in an attempt to limit the user’s ability to access the CD and prevent illegal copying.
The software was automatically installed on Windows desktop computers (in a hidden directory + modified the OS) when customers tried to play the CD.
https://www.eff.org/cases/sony-bmg-litigation-info
XCP (Extended Copy Protection) and MediaMax - software for copy protection and digital rights management used by Sony
293
Q

Blacklisting vs. Whitelisting

A

Whitelisting and blacklisting prevent malware but they do this
in opposite ways.
blacklisting vs. whitelisting – which is faster, which is stricter ?!?

294
Q

Blacklisting:

A
allow everything
block some
good for detecting
yesterday’s (known)
threats
295
Q

Whitelisting:

A
block everything
allow some -
aka “zero trust”
good for detecting
zero-day threats
296
Q

Blacklisting / Whitelisting

A
The concept also applies to:
• Web Domains (in a browser)
• IP addresses (in a firewall)
• email addresses (in email client)
• Intrusion Detection System (IDS) signatures ...
297
Q

Dynamic Malware Analysis

A
A sandbox typically provides a
tightly controlled set of resources
for guest programs to run in.
Network access, the ability to
inspect the host system or read
from input devices are usually
disallowed or heavily restricted.
298
Q

VIRUS

A

classification of viruses by concealment strategy
i) polymorphic virus – mutates (changes its
appearance) with every infection to avoid
‘signature’ (bit pattern) detection
iv) metamorphic virus - mutates (changes its behavior
dynamic binary/opcode/) with every infection while
remaining ‘functionally equivalent’
ii) encrypted virus - a portion of the virus creates
a random key and encrypts the remainder -
special case of polymorphic virus
iii) stealth virus - uses special techniques to conceal its presence on the OS
  - makes sure that ‘last modified’ date of host file remains unchanged
  - makes sure that the size of host file appears/stays the same - aka cavity viruses

299
Q

Different generations of anti-malware / malware weapons

A

Look for some variations in
the sequence of 0s and 1s.

Look for an identical
sequence of 0s and 1s.

A malware packer is a
tool used to mask
a malicious file. Packers can
encrypt, compress or simply
change the format of
a malware file to make it
look like something else
entirely. (Sequence of
instructions in the malicious
code unchanged.)
300
Q

WORM

A

malware that actively seeks out more machines to infect and then each infected machine serves as an automated launching pad for attacks on other machines
• worms exploit software vulnerabilities in client or server programs to gain access to a new system (worm = power of virus + convenience of Internet)
• IMPORTANT: viruses vs. worms
  - viruses need a carrier medium (document or program to ‘attach’ itself to) and then require user action to propagate
  - worms do not always need a carrier or human action to move (can sometimes ‘move’ on their own), are typically spread through the Internet, do not always rely on user to replicate/infect

301
Q

WORM

A

classification of worms by replication strategy
1) electronic mail or instant messaging - worm emails
a copy of itself to other systems, or sends itself as
an attachment via an instant message service
2) file sharing - worm copies itself on removable
media such as USB drives; it, then, executes
when the drive is connected to another system
3) remote login capability - worm logs onto a remote
system as a user and then uses commands to
copy itself from one system to another
4) remote file access or transfer capability - worm
uses a remote file access or transfer service to
another system to copy itself
etc. ….

302
Q

USB Virus vs. USB Worm

A
VIRUS: Malware ‘sits’ inside a
‘carrier’ (program/document) and
requires the user to manually move
the carrier ‘onto’ a USB (on one
computer) and ‘from’ a USB (to
another computer) and to click on it

WORM: Malware on its own infects the
USB (copies itself as autorun.inf); when
plugged into a new host, it is automatically
executed & infects the new machine.

303
Q

Worm Components

A
Methods worms use to first gain access to the victim machine:
- drive-by-download
- email
- file sharing
etc.

Methods worms use to transfer the rest of its body to the target:
- file transfer
- HTTP
etc.

Once the worm is running on the victim machine it starts looking for new victims to attack
- email address
- host lists
- different IPs targets
etc.

Using addresses generated by the target engine, the worm actively scans across the network to determine suitable victims

Chunk of code designed to implement some specific action on behalf of the attacker on a target system. It is what the worm does when it gets to a target ...
- opening a backdoor
- planting a DDoS bot
- performing a complex math operation (e.g., cryptominer)
304
Q

Emotet

A

Propagation
Engine

Warhead -
small hard-
to-detect
piece of code

Target Selection
Algorithm
+
Scanning Engine

Payload

305
Q

WORM

 classification of worms by target discovery

A

a) random - each compromised host probes random
addresses in IP addr. space - fast development, but
1) unknown results (many machines may not be
vulnerable), 2) some machines may already be infected
b) hit list - the attacker pre-compiles a long list of
potentially vulnerable machines, each infected
machine uses a part of this list - time consum. devel.
c) topological - worm uses information contained on
the infected machine to find more hosts to scan
- e.g., worms infecting/exploiting P2P applications
d) local subnet - worm uses the subnet address
to find other vulnerable machine on the same
network (works well against firewall-protection)

306
Q

Deliberate Software Attacks

A

a deliberate action aimed to violate / compromise a system’s security through the use of specialized software
• types of attacks based on the type of malicious software:
a) Use of Malware
b) Password Cracking
c) DoS and DDoS
d) Spoofing
e) Sniffing
f) Man-in-the-Middle
g) Phishing
h) Pharming

307
Q

Hacker

A
person that conducts a deliberate software attack
Script Kiddies: Individuals with
(only) enough understanding of
computer systems to be able to
download and run scripts that others
have developed. Vast majority of
attack activity on the Internet is
carried out by these individuals.
Script Writers: Individuals capable
of writing scripts to exploit known
vulnerabilities.
Elite Hackers: Individuals capable of
discovering new vulnerabilities
and writing programs (scripts) that
exploit those vulnerabilities.
(can be distinguished based on their ‘skill level’ & their ‘mission’)
308
Q

Use of Malware

A

MALWARE – a program that is inserted into the victim
system, usually covertly, with the intention to:
1) compromise the CIA of the victim’s data, application(s)
or the OS
2) misuse the resources of the victim computer, or
3) otherwise annoy or disrupt the victim
(malware examples: virus, worm, trojan, key-logger, …)
• Common Malware Targets/Objectives
  - steal credit card data, passwords, ….
  - destroy files, boot records, …
  - store illegal music, movies, pirated software, ..

309
Q

Malware Based on What it Does

A

  - corruption of system or data files - virus & worms
  - turning the victim into a zombie - bot/botnets for DDoS
  - theft of information (logins, passwords, …) - keyloggers & spyware
  - hiding of its presence - backdoors & rootkits
• Malware Based on How It Spreads/Propagates
  - carried/spread by ‘carriers’ + replicate = virus
  - spread over a network on their own + replicate = worms
  - use ‘social engineering’ to ‘sneak in’ = trojans
[Figure labels: local machine harm; remote machine harm; produce copies of themselves; no machine harm]

310
Q

Malware Types

A
• Virus
• Worm
• Trojan horse
• Logic Bomb
• Rootkit
• Information Stealer
• Ransomware
• Scareware
• Spyware
• Adware
311
Q

VIRUS

A

piece of software that ‘infects’ other host programs (executable) by modifying them
• once a virus attaches to an executable, it can do anything that the executable is permitted to do (e.g., erase files & programs, change settings, etc.)

When viruses attach
themselves to the
executable files, they
alter the instruction
pointer of the executable
programs in such a way
that the virus code gets
executed first before the
actual executable code.
312
Q

VIRUS  phases of virus lifetime

A

1) dormant phase - the virus is idle and eventually
gets activated by some event (date, presence of
another program or file, …) - not always present
2) propagation/infection phase - the virus places a
copy of itself into other programs - each infected
program will contain a clone of the virus which
itself will enter a propagation/replication phase
3) triggering phase - the virus is activated to perform
the function for which it was intended - again, it
can be caused by a variety of system events (e.g.,
number of times that the virus has replicated)
4) execution phase - the malicious function is performed and can be
  - harmless, (e.g.) a message on the screen
  - harmful, (e.g.) destruction of programs or files

313
Q

IMPORTANT

A

viruses need ‘2 factors’ to replicate -
carrier = document or host program, and
user = to initiate the propagation/triggering phase

314
Q

VIRUS To infect the victim machine, virus must be executed!

Different viruses rely on different tech. to be executed.

A

classification of viruses by target / means of execution
a) boot sector infector - infects a master boot record
and spreads when a system is booted from the
disk containing the virus - nowadays rare
b) file infector - infects executable files (.exe, .com)
c) macro virus - infects files with macro or scripting code that are interpreted by an application
  - easily spread, as ‘documents’, not applications, are commonly exchanged among users today
d) multipartite virus - uses multiple ‘attack vectors’,
e.g., both boot sector and executable files on
hard drive - most difficult to eradicate

315
Q

Boot Sector Virus

A
The Master Boot
Record (MBR) is the
information in the
first sector of any
hard disk or
diskette that
identifies how and
where an operating
system is located so
that it can be booted
(loaded) into the
computer's main
storage or random
access memory.
316
Q

File Infector Virus

A

[found in .exe, .com programs]

317
Q

Macro Virus

A

[found in .doc, .pdf files that get interpreted
by MSWord and Acrobat]
macro - list of ‘shortcut instructions’ in a document (e.g., in Visual Basic)
https://www.slideshare.net/lastlinesecurity/introduction-to-malware-part-1
Infect data files
rather than
programs !!!

318
Q

Forces of Nature

A

fire, flood, earthquake, hurricane, tsunami, dust contamination, …
• cannot be fully predicted/prevented
• organization must implement controls to limit damage as well as develop incident response plans and business continuity plans

319
Q

Hardware and Software Failures and Errors

A

cannot be fully predicted/prevented by the organization
• causes of hardware failures: wear, tear, age, operating environment (e.g., high temperature, moisture, dust), …
• best defences against hardware failures:
  - redundancy (e.g., backup servers)
  - continuously monitor hardware devices (where & how deployed)
• causes of software failures: difficulty of testing software for all possible inputs & all possible operating conditions; OS evolutions and software incompatibilities …
• best defences against software failures:
  - keep up-to-date with software updates and vulnerabilities
  - continuously monitor and maintain software system

320
Q

Act of Human Error or Failure

A

organization’s own employees are one of its greatest threats
• examples:
  - revelation of classified data (e.g., phishing)
  - accidental deletion or modification of data
  - failure to protect data
  - storing data in unprotected areas
  - entry of erroneous data
• preventative measures:
  - training and ongoing awareness activities
  - enhanced control techniques:
    - require users to type a critical command twice
    - ask for verification of commands by a second party
Much of human error or failure can be prevented!

321
Q

Deviations in Quality of Service

A
in organizations that rely on the Internet and Web, irregularities in available bandwidth can dramatically affect their operation
• e.g., employees or customers cannot contact the system
• possible ‘defence’: backup ISP or backup power generator
322
Q

Passive Attack

A
attempts to learn or make use of info. from the system but does not affect system resources
• compromises Confidentiality
• generally hard to detect !!!
• examples: traffic sniffing
323
Q

Active Attack

A
attempts to alter system resources or affect their operation
• compromises Integrity or Availability
• examples: man-in-the-middle, data/packet injection and DoS
324
Q

Compromise to Intellectual Property (IP)

A

IP = any intangible asset that consists of human knowledge & ideas – creations of the mind (copyright, patent, trade secret)
• any unauthorized use of IP constitutes a security threat (MS Office, Adobe Acrobat)
• defense measures:
  - use of digital watermarks and embedded code

325
Q

Peter Morch story – compromise to IP by insider

A

In 2000, while still employed at Cisco Systems, Morch logged into a computer
belonging to another Cisco software engineer, and obtained (burned onto a CD)
proprietary information about an ongoing project.
Shortly after, Morch started working for Calix Networks – a potential competitor
with Cisco. He offered them Cisco’s information.
Morch was sentenced to 3 years’ probation.

326
Q

Deliberate Act of Info. Extortion / Blackmail

A
hacker or malicious insider steals information & demands compensation for its return or non-disclosure
• example:
  - theft of data files containing customer credit card information
327
Q

Deliberate Act of Sabotage or Vandalism

A

hacker or malicious insider destroys an asset in order to cause financial loss or damage the organization’s reputation
• example:
  - hackers accessing a system and damaging or destroying critical data

328
Q

Deliberate Act of Trespass

A
unauthorized access to info. that an organization is trying to protect (e.g., through stolen passwords)
• low-tech e.g.: shoulder surfing
• high-tech e.g.: hacking
329
Q

Security Threat -

A

any event (action/inaction) that may /
may not happen, but has the potential to cause disclosure,
alteration, loss, damage or unavailability of a company’s
(or an individual’s) assets

330
Q

Three main components of a security threat:

A

• Target [asset/resource with vulnerability]: organization’s system resource that might be attacked
  - information/data (its confidentiality, integrity, availability), software, hardware, communication facilities and networks, etc.
• Agent [may or may not be present]: people/organizations originating the threat – intentional or non-intentional
  - employees, ex-employees, hackers, commercial rivals, terrorists, …
• Event: possible action that exploits target’s vulnerability
  - malicious / accidental destruction or alteration of information, misuse of authorized information, etc.

331
Q

Threat in WiFi network

A

Asset with v.
WiFi-signal carrying
important data
within outsider’s reach

Agent
competitor or
hacker actually
interested in
seizing data
event
it is possible for
someone, by investing
time & effort,
to capture/sniff
wireless data

NO EVENT ⇒ NO THREAT !!!

332
Q

outsider vs. insider, deliberate vs. accidental

A

Example of insider causing accidental threat: SysAdmin has added a new
software to the system and has forgotten to change the password

[Figure labels: Asset with vulnerability; Agent; Event; Threat; deliberate or accidental; outsider or insider]
333
Q

attack definition

A

THREAT EVENT DELIBERATELY EXECUTED BY AGENT = ATTACK

334
Q

Criteria for threat identification/prioritization :

A

• asset identification
  - e.g. what are the company’s main assets: (a) web servers (e-commerce company), or (b) workstations (software develop. company)?
• threat identification [ asset-vulnerability, agent, event ]
  - some assets have multiple vulnerabilities (e.g., web-server) but they are not all equally likely to be exploited …
• organizational strategy regarding risk
  - different threats pose different risks
335
Q

Extended C.I.A. Triangle

A

some security experts feel that additional concepts need to be added to (i.e., reinforced in) the traditional CIA triad:
• authenticity - being able to verify that users are who they claim to be, and that each data input has come from a trusted source
• accountability - being able to trace actions of an entity uniquely to that entity

336
Q

Where & how do we start
evaluating and building/protecting
a security system?

A

We know that we want to protect the CIA of data. But,
1) Data can reside in several different states.
2) Data can be attacked/protected in several different
ways – e.g., through technology or through people.

337
Q

CNSS = Committee on National Security Systems

A

McCumber Cube – Rubik’s cube-like detailed model for establishment & evaluation of info. security
• to develop a secure system, one must consider not only key security goals (CIA) but also how these goals relate to various states in which information resides and full range of available security measures
[Figure labels: data states; objectives when protecting data; means of protecting data]

338
Q

CNSS Category 2: Information States

A

• Storage - aka ‘data at rest’, is data stored in permanent (secondary) memory, such as hard disk, USB, removable drive
• Transmission - aka ‘data in transit’ - data being transferred between systems, in electronic form OR physical form
• Processing - aka ‘data in use’ - data being actively examined or modified

339
Q

CNSS Category 3: Countermeasures/Safeguards

A

• Technology - software and hardware solutions (e.g., antivirus, firewall, IDS system, cryptography, backups, etc.)
• Policy and practices - administrative controls, such as management directives (e.g., acceptable use policies)
• People - aka awareness, training, education - ensure that users are aware of their roles & responsibilities

340
Q

cube

A

Each of 27 cells in the cube represents an area that must be addressed to secure an information system
• e.g., intersection between data integrity, storage and technology implies the need to use technology to protect data integrity of information while in storage
• solution: new ‘file check sum’ (cryptographic hash) is calculated every time a critical file is modified …

341
Q

Example: How to protect

  • confidentiality of data
  • while in transit (e.g., moved to/by USB)
  • through education/awareness?
A

Scenario: An employee stores company information on a personal USB drive, in order to transfer it to another computer (e.g., work from home)
Safeguard: Educate employees about the importance of carefully handling data and encrypting data before transferring it to insecure ‘movable’ media – in case the USB is infected or lost, encryption ensures that data cannot be read

342
Q

Protecting Confidentiality of Data

‘In Transit’ Over Wireless Medium

A
Busy downtown office:
WiFi used in an area that is
within outside reach.
Remote nuclear plant:
WiFi used in an area that is
NOT within outside reach.
343
Q

Who is responsible for ‘security of information’?

A

“In the last 20 years, technology has permeated every facet
of the business environment. The business place is no longer
static – it moves whenever employees travel from office to
office, from office to home, from city to city. Since businesses
have become more fluid, …, information security is no longer
the sole responsibility of a small dedicated group of
professionals, …, it is now the responsibility of EVERY employee ….”

344
Q

Role of ‘Supply Chain’ / 3rd Party Businesses …

A

in addition to their own
security team & employees,
3rd party employees are also
important …

345
Q

C.I.A. Triangle

A

key characteristics of information that must be protected by information security:
• confidentiality - only authorized parties can view private information
• integrity - information is changed only in a specified and authorized manner (by authorized users)
• availability - information is accessible to authorized users whenever needed
C.I.A. of Information Security
Different organizations may view one of the CIA components as being more important than others!!!

346
Q

DATA CONFIDENTIALITY

A

Student grade – an information asset of high importance for the student.
• In the US, release of such information is regulated by the Family Educational Rights and Privacy Act (FERPA). Grade information should only be available to students, their parents and employees that require this information to do their job.
• In Canada, the same issue is regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA).

347
Q

How to ensure data confidentiality?

A
• cryptography
• strong access control
• limiting number of places where data can appear (e.g., cannot be stored on a USB)
What is a potential drawback of protecting confidentiality through encryption?!
348
Q

DATA INTEGRITY

A

Patient information in a hospital – the doctor should be able to trust that the information is correct and current.
Inaccurate info could result in serious harm to the patient and expose the hospital to massive liability.
• In the US, the Health Insurance Portability and Accountability Act (HIPAA) regulates the collection, storage, and transmission of sensitive personal health care information. Hospital is responsible for safeguarding patient information against error, loss, defacing, tampering and unauthorized use.
(Ontario’s Personal Health Information Protection Act - PHIPA)

349
Q

How to ensure data integrity?

A

• strong access control - good at preventing attacks on data integrity
• cryptography (hashing) - detects attacks on data integrity
• documenting system activity (logging) - who did what and when - detects attacks on data integrity

350
Q

DATA AVAILABILITY

A

Accessible and properly functioning web site – a key asset for an e-commerce company.
E.g., a DDoS attack could make the site unavailable and cause significant loss in revenue and reputation.
• In the US, the Computer Fraud and Abuse Act (CFAA) applies to DoS-related attacks.
• In Canada, DoS activities are regulated under the Criminal Code of Canada, Section 342: Unauthorized Use of Computer
Do you know any other types of attack on data availability??

351
Q

How to ensure data availability?

A

• anti-DDoS system (in case of attacks that attempt to prevent access by blocking the bandwidth/server): e.g., content distribution networks, scrubbing centers
• well established backup procedure (in case of attacks that prevent access by encrypting or destroying data)

352
Q

Computer

A
general purpose device that can be programmed to carry out a set of arithmetic or logical operations automatically
• examples:
  • desktops
  • laptops, tablets
  • mobile phones
  • printers, servers
  • routers, firewalls
  • IoT devices
  • industrial controllers ...
• alternative definition: electronic device for storing and processing of data/information
353
Q

Information Technology

A

technology involving development OR use of computer systems & networks for the purpose of processing & distribution of data/information
• categories of IT jobs:
  • IT engineer - develops new or upgrades existing IT equipment (software or hardware)
  • IT architect - draws up plans for IT systems and how they will be implemented
  • IT administrator - installs, maintains, repairs IT equip./system
  • IT manager - oversees other IT employees, has authority to buy technology and plan budgets
  • IT security specialist - creates and executes security applications to maintain system security and safety

354
Q

Information System

A

entire set of data as well as software, hardware, networks, people, procedures & policies that deal with processing & distribution of information (data) in an organization
• each component has its own strengths, weaknesses, and its own security requirements

355
Q

Information/data is

A
Information/data is
- stored on computer hardware,
- manipulated by software,
- transmitted by networks,
- used by people,
- controlled by procedures &
policies
356
Q

Computer Security vs. Information Security

A

terms are often used interchangeably, but …
• computer security (aka IT security) is mostly concerned with information in ‘digital form’
• information security is concerned with information in any form it may take: electronic, print, etc.

357
Q
Should you (as an individual) worry
about data breaches?
A

a) your university suffers a data breach
your PII compromised, your grades leaked
can lead to identity theft or blackmail …
b) your bank suffers a data breach
your online banking credentials stolen (user login, password)
your money gone …
c) your hospital suffers a data breach
your health information stolen
your chances of getting employed reduced …

358
Q

common costs / damages:

A

* direct, shorter term
  1. operational disruption
  2. cyber-security investigations
  3. attorney fees
  4. government fines
  5. drop in stock price, …
* indirect, longer term
  6. damage to brand and reputation
  7. loss of intellectual property
  8. increased insurance premium,
359
Q

hack

A

identification & exploitation of
weaknesses in a computer system or
a network in order to achieve a
nefarious objective
* an intentional attack typically conducted
by a malicious outsider
* could, but does not have to, result in a
data breach / leak (e.g., DDoS, logic bomb)

360
Q

weaknesses commonly exploited in a hack

A
  1. weak or compromised credentials
  2. careless / untrained employees (social engineering)
  3. missing or poor encryption
  4. misconfiguration (e.g., in a firewall)
  5. vulnerabilities (e.g., in servers or workstations)
  6. third- or fourth- party vendors,
361
Q

Main goals of Cyber Security ?

what is this course about

A
Learn why it is important to protect
the CIA of data, and how to do it.
$$$ is at the bottom line !!!
(prevent financial losses)
• Steganography
• Cryptography
• Access Control / Passwords
• Policy ...
• IT Security Risk Management
362
Q

data breach (data leak)

A

exposing of
sensitive, confidential and/or protected
data to someone who should not have
access to that data
* could be deliberate or unintentional !
* common type of leaked information:
1. financial data (e.g., credit card numbers)
2. medical or personal health information
3. personally identifiable information (PII)
4. intellectual property

363
Q

most common causes / actors of a data breach

A
  • an accidental insider
    - e.g., an employee using a co-worker’s computer
    & accessing files without having proper authorization,
    NO information is leaked outside the company
    - e.g., an employee fooled into disclosing data to a
    malicious actor – information leaked outside …
  • a malicious insider
    - e.g., an employee purposely accesses and/or shares
    data with the intent of causing harm to an individual
    or company – may have legitimate authorization
  • a malicious outsider
    - e.g., a hacker uses various attack vectors to gather
    information from a network or an individual (e.g.,
    finds vulnerability in a server, gains access to net., …)