Final Exam

Question 1

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources

Answer 1

Computer Security

Question 2

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information

Answer 2

Confidentiality

Question 3

Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity

Answer 3

Integrity

Question 4

Ensuring timely and reliable access to and use of information

Answer 4

Availability

Question 5

A potential security harm to an asset

Answer 5

Threat

Question 6

A system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network

Answer 6

Exposure

Question 7

A weakness in the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that, when exploited, results in a negative impact to confidentiality, integrity, OR availability

Answer 7

Vulnerability

Question 8

A flaw in the specification, design, implementation, or operation of information system / asset

Answer 8

Bug

Question 9

A threat that uses a vulnerability or exposure to violate the security of system

Answer 9

Exploit

Question 10

Address a vulnerability typically though code changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety)

Answer 10

Mitigation

Question 11

Attempt to learn or make use of information from the system that does not affect system resources

Answer 11

Passive Attack

Question 12

Attempt to alter system resources or affect their operation

Answer 12

Active Attack

Question 13

A subject should be given only those privileges that it needs in order to complete its task.”

Answer 13

Least Privilege

Question 14

Unless a subject is given explicit access to an object, it should be denied access to that object. (Whitelisting)

Answer 14

Fails-Safe Default

Question 15

Security mechanisms should be as simple as possible. (KISS principle)

Answer 15

Economy of Mechanism

Question 16

Requires that all accesses to objects be checked to ensure that they are allowed.

Answer 16

Complete Mediation

Question 17

Security of a mechanism should not depend on the secrecy of its design or implementation

Answer 17

Open Design

Question 18

A system should not grant permission based on a single condition.

Answer 18

Separation of Privilege

Question 19

Security mechanisms should be designed so that users understand

Answer 19

Principle of Least Astonishment

Question 20

Security Implementation

Answer 20

Identify, Prevent, Detect, Respond, Recover

Question 21

the act of taking the low level technical artifact and abstracting logic to understand what the program does

Answer 21

Reverse Engineering

Question 22

looking at source code for vulnerability or algorithm details

Answer 22

White Box Analysis

Question 23

looking at low level implementation with inferred abstractions

Answer 23

Grey-Box Analysis

Question 24

Using only input and output relations, make conclusions about how the system behaves

Answer 24

Black-Box Analysis

Question 25

Inputting large amounts of random data in hopes that some data will encounter edge case and change execution path

Answer 25

Fuzzing

Question 26

Marking input data and marking each intermediate state of data all the way to output

Answer 26

Taint Analysis

Question 27

Running unknown files and collecting statistics on usage

Answer 27

Sandbox Analysis

Question 28

Inspecting control flow and type information

Answer 28

Manual Static Analysis

Question 29

Stepping through execution to follow important code

Answer 29

Manual Dynamic Analysis

Question 30

Matching strings for algorithms, magic numbers, and common code structures

Answer 30

String Pattern Matching Analysis

Question 31

Selective restrictions for access to a place, to data, or to otherresources

Answer 31

Access Control

Question 32

Decentralized
Access based on the identity of the requestor and on access rules established by the owner or administrator
(Typically) Owner is the “Rights Controller”
Individual users can set an access control mechanism to allow/deny access to an object
Relies on the object owner to control access.

Answer 32

Discretionary access control (DAC)

Question 33

Centralized
Access based on comparing security labels with security clearances
(Typically) Administrator is the “Rights Controller”
A system-wide policy decrees who is allowed to have access
Individual user cannot alter access
Relies on the system to control access

Answer 33

Mandatory access control (MAC)

Question 34

Controls access based on:
Roles that users have within the system
Rules stating the accesses allowed to users in given roles

Answer 34

Role-based access control (RBAC)

Question 35

Controls access based on attributes of:
The User
The Object
Current environmental conditions

Answer 35

Attribute-based access control (ABAC)

Question 36

a computational system where code execution, outside of the specifications of a given program, may occur

Answer 36

Weird Machine

Question 37

Exploits that allow an attacker to alter the command flow of a program to execute arbitrary code through specially crafted input

Answer 37

Memory Corruption Exploits

Question 38

A program that is inserted into a system, usually covertly, with the intent of: Compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system, or otherwise annoying or disrupting the victim.

Answer 38

Malware

Question 39

Software that infects existing programs

Answer 39

Viruses

Question 40

Program that actively seeks out more machines to infect

Exploits software vulnerabilities in client or server programs

Answer 40

Worms

Question 41

Set of hidden programs installed on a system to maintain covert access to that system

Answer 41

Rootkits

Question 42

“Tricking” users to assist in the compromise of their own systems

Answer 42

Social Engineering

Question 43

Involves the collection of data relating to the behavior of legitimate users over a period of time

Answer 43

Anomaly Detection

Question 44

Uses a set of known malicious data patterns or attack rules that are compared with current behavior

Answer 44

Signature-based (Heuristic/Misuse) Detection

Question 45

Four Means for Authenticathing an user

Answer 45

Knows, Is, Has, Does

Question 46

A precomputedlist of hashesand associated plaintext passwords used to crack/recover plaintext passwords

Answer 46

Rainbow Table

Question 47

A malicious (or hacked) web site sends innocent victim a script that steals information from an honest web site

Answer 47

XSS – Cross-site scripting

Question 48

Bad web site sends request to good web site, using credentials stolen form an innocent victim who “visits” the site

Answer 48

CSRF – Cross-site request forgery

Question 49

XSS VULNERABILITY. Data provided by the browser (in the URL) is used by server-side scripts to dynamically generate a page that “echoes” the malicious script back to the user’s browser

Answer 49

Non-persistent / Reflected

Question 50

XSS VULNERABILITY.Data (malicious script) is provided to a web application and stored on the server to be used, later, to “render” pages for a user

Answer 50

Persistent / Stored

Question 51

XSS VULNERABILITY.The malicious script is generated through the (local) client-side DOM processing

Answer 51

DOM-Based / Local

Question 52

A TOCTOU Race Condition exists when an attackercan influence the state of aresourcebetweencheckand use

Answer 52

TOCTOU Race Condition

Question 53

The attacker initiates large number of TCP SYN packets (typically with spoofed source addresses) but does not respond to SYN-ACK requests

Answer 53

SYN flood: A (D)DOS attack