Final Exam Flashcards
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources
Computer Security
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Confidentiality
Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity
Integrity
Ensuring timely and reliable access to and use of information
Availability
A potential security harm to an asset
Threat
A system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network
Exposure
A weakness in the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that, when exploited, results in a negative impact to confidentiality, integrity, OR availability
Vulnerability
A flaw in the specification, design, implementation, or operation of information system / asset
Bug
A threat that uses a vulnerability or exposure to violate the security of system
Exploit
Address a vulnerability typically through code changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety)
Mitigation
Attempt to learn or make use of information from the system that does not affect system resources
Passive Attack
Attempt to alter system resources or affect their operation
Active Attack
A subject should be given only those privileges that it needs in order to complete its task.
Least Privilege
Unless a subject is given explicit access to an object, it should be denied access to that object. (Whitelisting)
Fail-Safe Default
Security mechanisms should be as simple as possible. (KISS principle)
Economy of Mechanism
Requires that all accesses to objects be checked to ensure that they are allowed.
Complete Mediation
Security of a mechanism should not depend on the secrecy of its design or implementation
Open Design
A system should not grant permission based on a single condition.
Separation of Privilege
Security mechanisms should be designed so that users understand
Principle of Least Astonishment
Security Implementation
Identify, Prevent, Detect, Respond, Recover
The act of taking the low level technical artifact and abstracting logic to understand what the program does
Reverse Engineering
Looking at source code for vulnerability or algorithm details
White Box Analysis
Looking at low level implementation with inferred abstractions
Grey-Box Analysis
Using only input and output relations, make conclusions about how the system behaves
Black-Box Analysis
Inputting large amounts of random data in hopes that some data will encounter an edge case and change the execution path
Fuzzing
Marking input data and marking each intermediate state of data all the way to output
Taint Analysis
Running unknown files and collecting statistics on usage
Sandbox Analysis
Inspecting control flow and type information
Manual Static Analysis
Stepping through execution to follow important code
Manual Dynamic Analysis
Matching strings for algorithms, magic numbers, and common code structures
String Pattern Matching Analysis
Selective restrictions for access to a place, to data, or to other resources
Access Control
Decentralized
Access based on the identity of the requestor and on access rules established by the owner or administrator
(Typically) Owner is the “Rights Controller”
Individual users can set an access control mechanism to allow/deny access to an object
Relies on the object owner to control access.
Discretionary access control (DAC)
Centralized
Access based on comparing security labels with security clearances
(Typically) Administrator is the “Rights Controller”
A system-wide policy decrees who is allowed to have access
Individual user cannot alter access
Relies on the system to control access
Mandatory access control (MAC)
Controls access based on:
Roles that users have within the system
Rules stating the accesses allowed to users in given roles
Role-based access control (RBAC)
Controls access based on attributes of:
The User
The Object
Current environmental conditions
Attribute-based access control (ABAC)
A computational system where code execution, outside of the specifications of a given program, may occur
Weird Machine
Exploits that allow an attacker to alter the command flow of a program to execute arbitrary code through specially crafted input
Memory Corruption Exploits
A program that is inserted into a system, usually covertly, with the intent of: Compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system, or otherwise annoying or disrupting the victim.
Malware
Software that infects existing programs
Viruses
Program that actively seeks out more machines to infect
Exploits software vulnerabilities in client or server programs
Worms
Set of hidden programs installed on a system to maintain covert access to that system
Rootkits
“Tricking” users to assist in the compromise of their own systems
Social Engineering
Involves the collection of data relating to the behavior of legitimate users over a period of time
Anomaly Detection
Uses a set of known malicious data patterns or attack rules that are compared with current behavior
Signature-based (Heuristic/Misuse) Detection
Four Means for Authenticating a user
Knows, Is, Has, Does
A precomputed list of hashes and associated plaintext passwords used to crack/recover plaintext passwords
Rainbow Table
A malicious (or hacked) web site sends innocent victim a script that steals information from an honest web site
XSS – Cross-site scripting
Bad web site sends request to good web site, using credentials stolen from an innocent victim who “visits” the site
CSRF – Cross-site request forgery
XSS VULNERABILITY. Data provided by the browser (in the URL) is used by server-side scripts to dynamically generate a page that “echoes” the malicious script back to the user’s browser
Non-persistent / Reflected
XSS VULNERABILITY. Data (malicious script) is provided to a web application and stored on the server to be used, later, to “render” pages for a user
Persistent / Stored
XSS VULNERABILITY. The malicious script is generated through the (local) client-side DOM processing
DOM-Based / Local
A TOCTOU Race Condition exists when an attacker can influence the state of a resource between check and use
TOCTOU Race Condition
The attacker initiates a large number of TCP SYN packets (typically with spoofed source addresses) but does not respond to SYN-ACK replies
SYN flood: A (D)DoS attack