final sec Flashcards
learn all content
Know how attacks can be classified as passive or active.
A passive attack attempts to learn or make use of information from the system but does not affect system resources.
An active attack attempts to alter system resources or affect their operation.
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the attacker is to obtain information that is being transmitted. Two types of passive attacks are release of message contents and traffic analysis.
Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: replay, masquerade, modification of messages, and denial of service.
Know the role of the trusted platform module (TPM)
The TPM is a hardware module that is at the heart of a hardware/software approach to trusted computing. Indeed, the term trusted computing (TC) is now used in the industry to refer to this type of hardware/software approach.
The TC approach employs a TPM chip on a personal computer motherboard, in a smart card, or integrated into the main processor, together with hardware and software that in some sense has been approved or certified to work with the TPM.
The TPM generates keys that it shares with vulnerable components that pass data around the system, such as storage devices, memory components, and audio/visual hardware.
The keys can be used to encrypt the data that flow throughout the machine.
The TPM also works with TC-enabled software, including the OS and applications.
The software can be assured that the data it receives are trustworthy, and the system can be assured that the software itself is trustworthy.
To achieve these features, TC provides three basic services: authenticated boot, certification, and encryption.
Learn the role of message authentication
A message or other collection of data is said to be authentic when it is genuine and came from its alleged source. Message authentication is a procedure that allows communicating parties to verify that received or stored messages are authentic.
The two important aspects are to verify that the contents of the message have not been altered and that the source is authentic.
We may also wish to verify a message’s timeliness and sequence relative to other messages flowing between two parties. All of these concerns come under the category of data integrity.
Authentication can be done simply by using symmetric encryption. If we assume that only the sender and receiver share a key (which is as it should be), then only the genuine sender would be able to encrypt a message successfully for the other participant, provided the receiver can recognize a valid message.
Learn the properties that a hash function H should have to be useful for message authentication.
Q The purpose of a hash function is to produce a “fingerprint” of a file, message, or other block of data. Describe the properties that a hash function H should have to be used for message authentication.
- H can be applied to a block of data of any size.
- H produces a fixed-length output.
- H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
- For any given code h, it is computationally infeasible to find x such that H(x) = h. A hash function with this property is referred to as one-way or preimage resistant.
- For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x). A hash function with this property is referred to as second preimage resistant. This is sometimes referred to as weak collision resistant.
- It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
Know how to describe public key encryption and the essential steps involved
Public-key cryptography is asymmetric, involving the use of two separate keys, in contrast to symmetric encryption, which uses only one key. The use of two keys has profound consequences in the areas of confidentiality, key distribution, and authentication.
The essential steps are the following:
1. Each user generates a pair of keys to be used for the encryption and decryption of messages.
2. Each user places one of the two keys in a public register. This is the public key. The companion key is kept private. Each user maintains a collection of public keys obtained from others.
3. If Bob wishes to send a private message to Alice, Bob encrypts the message using Alice’s public key.
4. When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice’s private key.
Learn about attacks that can be made on packet filtering firewalls and any measures that can be taken to prevent them.
Some of the attacks that can be made on packet filtering firewalls and the appropriate countermeasures are the following:
• IP address spoofing:
The intruder transmits packets from the outside with a source IP address field containing an address of an internal host.
• Source routing attacks:
The source station specifies the route that a packet should take as it crosses the Internet, in the hopes that this will bypass security measures that do not analyse the source routing information. A countermeasure is to discard all packets that use this option.
• Tiny fragment attacks:
The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. This attack is designed to circumvent filtering rules that depend on TCP header information.
A tiny fragment attack can be defeated by enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header. If the first fragment is rejected, the filter can remember the packet and discard all subsequent fragments.
Be able to describe the differences in pseudorandom number & true random number generation.
Pseudorandom numbers are:
• sequences produced that satisfy statistical randomness tests
• likely to be predictable
True random number generator (TRNG):
• uses a nondeterministic source to produce randomness
• most operate by measuring unpredictable natural processes
• e.g. radiation, gas discharge, leaky capacitors
• increasingly provided on modern processors
Learn about SQL Injection Attacks.
SQL injection attacks were the number one method of attacking web applications in 2013.
An SQLi attack is designed to exploit the nature of Web application pages. In contrast to the static Web pages of years gone by, most current Web sites have dynamic components and content.
This dynamic content is usually transferred to and from back-end databases that contain volumes of information.
An SQLi attack is designed to send malicious SQL commands to the database server.
The steps involved are as follows:
1. Hacker finds a vulnerability in a custom Web application and injects an SQL command to a database by sending the command to the Web server. The command is injected into traffic that will be accepted by the firewall.
2. The Web server receives the malicious code and sends it to the Web application server.
3. The Web application server receives the malicious code from the Web server and sends it to the database server.
4. The database server executes the malicious code on the database. The database returns data from the credit cards table.
5. The Web application server dynamically generates a page with data including credit card details from the database.
6. The Web server sends the credit card details to the hacker.
Learn the role of file permissions in securing Unix based systems.
Each file on a Unix system has two owners: a user and a group, each with its own set of permissions that specify what the user or group may do with the file.
A third set of permissions pertains to other, that is, user-accounts that don’t own the file or belong to the group that owns it.
There’s a third permission besides “read” and “write”: “execute,” denoted by “x”.
If maestro writes a shell script named “punish_bassoonists.sh”, and if he sets its permissions to “-rwxrw-r--”, then maestro will be able to execute his script by entering the name of the script at the command line. If, however, he forgets to set the execute bit, he won’t be able to run the script, even though he owns it.
Permissions are usually set via the “chmod” command (short for “change mode”).
Learn the common lines of defence against DDoS attacks.
• Attack prevention and pre-emption (before the attack):
These mechanisms enable the victim to endure attack attempts without denying service to legitimate clients.
• Attack detection and filtering (during the attack):
These mechanisms attempt to detect the attack as it begins and respond immediately. This minimizes the impact of the attack on the target.
Detection involves looking for suspicious patterns of behaviour.
Response involves filtering out packets likely to be part of the attack.
• Attack source traceback and identification (during and after the attack):
This is an attempt to identify the source of the attack as a first step in preventing future attacks.
• Attack reaction (after the attack): This is an attempt to eliminate or curtail the effects of an attack.
Be able to describe how attack types can be grouped into three main categories: inband, inferential and out-of-band.
An inband attack uses the same communication channel for injecting SQL code and retrieving results. The retrieved data are presented directly in the application Web page.
Inband attack types include the following:
• Tautology: This form of attack injects code in one or more conditional statements so that they always evaluate to true.
• End-of-line comment: After injecting code into a particular field, legitimate code that follows is nullified through the use of end-of-line comments.
• Piggybacked queries: The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request.
Inferential
There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behaviour of the Web site/database server.
• Illegal/logically incorrect queries: lets an attacker gather information about the type and structure of the back-end database of a Web application.
• Blind SQL injection: allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker.
Out-of-band
• Data are retrieved using a different channel (e.g., an email with the results of the query is generated and sent to the tester).
• This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax.
Learn the common approaches to authentication.
There are four general means of authenticating a user’s identity, which can be used alone or in combination:
• Something the individual knows: Examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions.
• Something the individual possesses: Examples include electronic key cards, smart cards, and physical keys. This type of authenticator is referred to as a token.
• Something the individual is (static biometrics): Examples include recognition by fingerprint, retina, and face.
• Something the individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.
All of these methods, properly implemented and used, can provide secure user authentication. However, each method has problems: tokens can be lost or stolen, passwords can be forgotten, and biometric authenticators suffer from false positives and false negatives as well as issues of user acceptance, cost, and convenience.
Learn the phases that a typical virus goes through.
During its lifetime, a typical virus goes through the following four phases:
• Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date or the presence of another program or file.
• Propagation phase: The virus places a copy of itself into other programs or into certain system areas on the disk. The copy may not be identical to the propagating version; viruses often morph to evade detection.
• Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
• Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
Know how SYN spoofing attacks work.
A type of Distributed Denial of Service (DDoS) attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.
A SYN spoofing (flood) attack exploits this handshake behaviour on the targeted server system. The attacker generates a number of SYN (synchronize) connection request packets with forged source addresses.
For each of these, the server records the details of the TCP connection request and sends the SYN-ACK (acknowledgement) packet to the claimed source address.
In a SYN spoofing attack, the attacker directs a very large number of forged connection requests at the targeted server. These rapidly fill the table of known TCP connections on the server. Once this table is full, any future requests, including legitimate requests from other users, are rejected.
Read up on the benefits of IPsec.
The benefits of IPsec include the following:
• When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing.
• IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization.
• IPsec is below the transport layer (TCP, UDP) and so is transparent to applications. There is no need to change software on a user or server system when IPsec is implemented in the firewall or router.
• IPsec can be transparent to end users. There is no need to train users on security mechanisms.
• IPsec can provide security for individual users if needed. This is useful for off-site workers and for setting up a secure virtual subnetwork within an organization for sensitive applications.
IPsec can assure that:
• A router advertisement (a new router advertises its presence) comes from an authorized router.
• A redirect message comes from the router to which the initial packet was sent.