final sec Flashcards
learn all content
Know how attacks can be classified as passive or active.
A passive attack attempts to learn or make use of information from the system but does not affect system resources.
An active attack attempts to alter system resources or affect their operation.
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the attacker is to obtain information that is being transmitted. Two types of passive attacks are release of message contents and traffic analysis.
Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: replay, masquerade, modification of messages, and denial of service.
2 Know the role of the trusted platform module (TPM)
The TPM is a hardware module that is at the heart of a hardware/software approach to trusted computing. Indeed, the term trusted computing (TC) is now used in the industry to refer to this type of hardware/software approach
The TC approach employs a TPM chip in personal computer motherboard or a smart card or integrated into the main processor, together with hardware and software that in some sense has been approved or certified to work with the TPM.
The TPM generates keys that it shares with vulnerable components that pass data around the system, such as storage devices, memory components, and audio/visual hardware.
The keys can be used to encrypt the data that flow throughout the machine.
The TPM also works with TC-enabled software, including the OS and applications.
The software can be assured that the data it receives are trustworthy, and the system can be assured that the software itself is trustworthy.
To achieve these features, TC provides three basic services: authenticated boot, certification, and encryption.
Learn the role of message authentication
A message or other collection of data is said to be authentic when it is genuine and came from its alleged source. Message authentication is a procedure that allows communicating parties to verify that received or stored messages are authentic.
The two important aspects are to verify that the contents of the message have not been altered and that the source is authentic.
We may also wish to verify a message’s timeliness and sequence relative to other messages flowing between two parties. All of these concerns come under the category of data integrity.
Authentication can simply be done by the use of symmetric encryption. If we assume that only the sender and receiver share a key (which is as it should be), then only the genuine sender would be able to encrypt a message successfully for the other participant, provided the receiver can recognize a valid message
Learn the properties that a hash function H should have to be useful for message authentication.
Q The purpose of a hash function is to produce a “fingerprint” of a file, message, or other block of data. Describe the properties that a hash function H should have to be used for a message authentication.
- H can be applied to a block of data of any size.
- H produces a fixed-length output.
- H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
- For any given code h, it is computationally infeasible to find x such that H(x) h. A hash function with this property is referred to as one-way or preimage resistant.
- For any given block x, it is computationally infeasible to find y x with H(y) H(x). A hash function with this property is referred to as second preimage resistant. This is sometimes referred to as weak collision resistant.
- It is computationally infeasible to find any pair (x, y) such that H(x) H(y).
Know how to describe public key encryption and the essential steps involved
Public-key cryptography is asymmetric, involving the use of two separate keys, in contrast to symmetric encryption, which uses only one key. The use of two keys has profound consequences in the areas of confidentiality, key distribution, and authentication.
The essential steps are the following:
1. Each user generates a pair of keys to be used for the encryption and decryption of messages.
2. Each user places one of the two keys in a public register. This is the public key. The companion key is kept private. Each user maintains a collection of public keys obtained from others.
3. If Bob wishes to send a private message to Alice, Bob encrypts the message using Alice’s public key.
4. When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice’s private key.
Learn about attacks that can be made on packet filtering firewalls and any measures that can be taken to prevent them.
Some of the attacks that can be made on packet filtering firewalls and the appropriate
countermeasures are the following:
• IP address spoofing:
The intruder transmits packets from the outside with a source IP address field containing an address of an internal host.
• Source routing attacks:
The source station specifies the route that a packet should take as it crosses the Internet, in the hopes that this will bypass security measures that do not analyse the source routing information. A countermeasure is to discard all packets that use this option.
. Tiny fragment attacks:
The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. This attack is designed to circumvent filtering rules that depend on TCP header information.
A tiny fragment attack can be defeated by enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header. If the first fragment is rejected, the filter can remember the packet and discard all subsequent fragments.
Be able to describe the differences in pseudorandom number & true random number generation.
Pseudorandom numbers are:
• sequences produced that satisfy statistical randomness tests
• likely to be predictable
True random number generator (TRNG):
• uses a non-determined source to produce randomness
• most operate by measuring unpredictable natural processes
• e.g. radiation, gas discharge, leaky capacitors
• increasingly provided on modern processors
Learn about SQL Injection Attacks.
SQL Injection attacks are the number one method of attacking web applications 2013.
An SQLi attack is designed to exploit the nature of Web application pages. In contrast to the static Web pages of years gone by, most current Web sites have dynamic components and content.
This dynamic content is usually transferred to and from back-end databases that contain volumes of information.
An SQLi attack is designed to send malicious SQL commands to the database server.
The steps involved are as follows:
1. Hacker finds a vulnerability in a custom Web application and injects an SQL command to a database by sending the command to the Web server. The command is injected into traffic that will be accepted by the firewall.
2. The Web server receives the malicious code and sends it to the Web application
1. server.
2. The Web application server receives the malicious code from the Web server and sends it to the database server.
3. The database server executes the malicious code on the database. The database returns data from credit cards table.
4. The Web application server dynamically generates a page with data including credit card details from the database.
5. The Web server sends the credit card details to the hacker.
Learn the role of file permissions in securing Unix based systems.
Each file on a Unix system has two owners: a user and a group, each with its own set of permissions that specify what the user or group may do with the file.
A third set of permissions pertains to other, that is, user-accounts that don’t own the file or belong to the group that owns it.
There’s a third permission besides “read” and “write”: “execute,” denoted by “x”.
If maestro writes a shell script named “punish_bassoonists.sh”, and if he sets its permissions to “-rwxrw-r–”, then maestro will be able to execute his script by entering the name of the script at the command-line. If, however, he forgets to do so, he won’t be able to run the script, even though he owns it.
Permissions are usually set via the “chmod” command (short for “change mode”).
Learn the common lines of defence against DDoS attacks.
• Attack prevention and pre-emption (before the attack):
These mechanisms enable the victim to endure attack attempts without denying service to legitimate clients
• Attack detection and filtering (during the attack):
These mechanisms attempt to detect the attack as it begins and respond immediately. This minimizes the impact of the attack on the target.
Detection involves looking for suspicious patterns of behaviour.
Response involves filtering out packets likely to be part of the attack.
• Attack source traceback and identification (during and after the attack):
This is an attempt to identify the source of the attack as a first step in preventing future attacks
• Attack reaction (after the attack): This is an attempt to eliminate or curtail the effects of an attack.
Be able to describe how attack types can be grouped into three main categories: inband, inferential and out-of-band.
An inband attack uses the same communication channel for injecting SQL code and retrieving results. The retrieved data are presented directly in the application Web page.
Inband attack types include the following:
• Tautology: This form of attack injects code in one or more conditional statements so that they always evaluate to true.
• End-of-line comment: After injecting code into a particular field, legitimate code that follows are nullified through usage of end of line comments.
• Piggybacked queries: The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request
Inferential
There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests & observing the resulting behaviour of the Website/ database server
• llegal/logically incorrect queries - lets an attacker gather information about the type and structure of the backend database of a Web app.
• Blind SQL injection - Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker
out of Band
• Data are retrieved using a different channel (e.g., an email with the results of the query is generated and sent to the tester).
• This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax
Learn the common approaches to authentication.
There are four general means of authenticating a user’s identity, which can be used alone or in combination:
• Something the individual knows: Examples includes a password, a personal identification number (PIN), or answers to a prearranged set of questions.
- Something the individual possesses: Examples include electronic key cards, smart cards, and physical keys. This type of authenticator is referred to as a token.
- Something the individual is (static biometrics): Examples include recognition by fingerprint, retina, and face.
• Something the individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.
All of these methods, properly implemented and used, can provide secure user authentication. However, each method has problems. Ie lost, stolen, forget password, biometric authenticators, ie false positives and false negatives, user acceptance, cost, and convenience.
Learn the phases that a typical virus goes through.
During its lifetime, a typical virus goes through the following four phases:
• Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file.
- Propagation phase: The virus places a copy of itself into other programs or into certain system areas on the disk. The copy may not be identical to the propagating version; viruses often morph to evade detection.
- Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
- Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
Know how SYN spoofing attacks work.
A type of Distributed Denial of Service (DDoS) attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.
A SYN spoofing (Flood) attack exploits this behaviour on the targeted server system. The attacker generates a number of SYN (synchronised) connection request packets with forged source addresses.
For each of these, the server records the details of the TCP connection request and sends the SYN-ACK (acknowledgement)packet to the claimed source address.
in a SYN spoofing attack, the attacker directs a very large number of forged connection requests at the targeted server. These rapidly fill the table of known TCP connections on the server. Once this table is full, any future requests, including legitimate requests from other users, are rejected.
Read up on the benefits of IPsec.
The benefits of IPsec include the following:
• When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing.
• IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization.
• IPsec is below the transport layer (TCP, UDP) and so is transparent to applications. There is no need to change software on a user or server system when IPsec is implemented in the firewall or router.
• IPsec can be transparent to end users. There is no need to train users on security mechanisms.
• IPsec can provide security for individual users if needed. This is useful for off-site workers and for setting up a secure virtual subnetwork within an organization for sensitive applications.
IPsec can assure that
. A router advertisement (a new router advertises its presence) comes from an authorized router.
• A redirect message comes from the router to which the initial packet was sent.
Learn the common physical characteristics used in biometric applications
- Facial characteristics: The most common approach is to define characteristics based on relative location and shape of key facial features, such as eyes, eyebrows, nose, lips, and chin shape. An alternative approach is to use an infrared camera to produce a face thermogram that correlates with the underlying vascular system in the human face.
- Fingerprints: A fingerprint is the pattern of ridges and furrows on the surface of the fingertip. In practice, automated fingerprint recognition and matching system extract a number of features from the fingerprint for storage as a numerical surrogate for the full fingerprint pattern.
- Hand geometry: Hand geometry systems identify features of the hand, including shape, and lengths and widths of fingers.
- Retinal pattern: A retinal biometric system obtains a digital image of the retinal pattern by projecting a low-intensity beam of visual or infrared light into the eye.
- Iris: Another unique physical characteristic is the detailed structure of the iris.
- Signature: Each individual has a unique style of handwriting and this is reflected especially in the signature, which is typically a frequently written sequence. However, multiple signature samples from a single individual will not be identical. This complicates the task of developing a computer representation of the signature that can be matched to future samples.
- Voice: Whereas the signature style of an individual reflects not only the unique physical attributes of the writer but also the writing habit that has developed, voice patterns are more closely tied to the physical and anatomical characteristics of the speaker. Nevertheless, there is still a variation from sample to sample over time from the same speaker, complicating the biometric recognition task.
Know the role of a heartbeat in the SSL
A heartbeat is a periodic signal generated by hardware or software to indicate normal operation or to synchronise other parts of a system.
A heartbeat protocol is typically used to monitor the availability of a protocol or entity
SSL/TLS heartbeat protocol was defined in the 2012 in RFC (TLS) and datagram Transport layer security (DTLS) heartbeat extension
The heartbeat protocol runs on top of the TLS recorded protocol and consists of 2 message types: Heartbeat_request and heartbeat_response
The use of the heartbeat protocol is established during Phase 1 of the HANDSHAKE protocol
Each peer indicates whether it supports heartbeats, if heartbeats are supported peer indicates whether it is willing to receive a heartbeat request messages respond with a heartbeat_response messages or only willing to send a heartbeat_request message.
The heartbeat requestmessage includeds payload length, payload and padding fileds
The payload is random content between 16bytes and 64kb in length
The corresponding heartbeat response message must include an exact copy of the received payload
The heartbeat servers 2 purposes
First it assures the sender that the recipient is still alive, even though there may have not been any activity on the connection for a while
Second, the heartbeat generates activity across the connection during these periods, which avoids closure by firewall that does not tolerate idle connections
Know the importance of using a salt value when storing password
A widely used password security technique is the use of hashed passwords and a salt value. This scheme is found on virtually all UNIX variants as well as on a number of other operating systems.
To load a new password into the system, the user selects or is assigned a password. This password is combined with a fixed-length salt value.
In older implementations, this value is related to the time at which the password is assigned to the user. Newer implementations use a pseudorandom or random number. The password and salt serve as inputs to a hashing algorithm to produce a fixed-length hash code. The hash algorithm is designed to be slow to execute in order to thwart attacks. The hashed password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID. The hashed password method has been shown to be secure against a variety of cryptanalytic attacks.
When a user attempts to log on to a UNIX system, the user provides an ID and a password. The operating system uses the ID to index into the password file and retrieve the plaintext salt and the encrypted password. The salt and user-supplied password are used as input to the encryption routine. If the result matches the stored value, the password is accepted.
The salt serves three purposes:
- It prevents duplicate passwords from being visible in the password file. Even if two users choose the same password; those passwords will be assigned different salt values. Hence, the hashed passwords of the two users will differ.
- It greatly increases the difficulty of offline dictionary attacks. For a salt of length b bits, the number of possible passwords is increased by a factor of 2b, increasing the difficulty of guessing a password in a dictionary attack.
- It becomes nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them.
There are two requirements for secure use of symmetric encryption:
- We need a strong encryption algorithm. At a minimum, we would like the algorithm to be such that an opponent who knows the algorithm and has access to one or more ciphertexts would be unable to decipher the ciphertext or figure out the key. This requirement is usually stated in a stronger form:
The opponent should be unable to decrypt ciphertext or discover the key even if he or she is in possession of a number of ciphertexts together with the plaintext that produced each ciphertext. - Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure. If someone can discover the key and knows the algorithm, all communication using this key is readable.
Know How to describe Symmetrical Encryption and the two requirements for secure use of symmetric encryption.
Symmetric-key encryption are algorithms for cryptography that use the same cryptographic keys for both encryptions of plaintext and decryption of ciphertext.
The keys may be identified or there may be a simple transformation to go between the 2 keys.
The keys represent a shared secret between the parties that can be used to maintain a private information link
This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption, in comparison to public key encryption (AKA asymmetric key encryption)
Symmetric-key encryption can use either stream ciphers or block ciphers
Stream Ciphers encrypt the digits or letters of a message one at a time. An example is the Vigenere cipher
Block Ciphers take a number of bits and encrypt them as a single unit, padding the plaintext so that it is a multiple of the block size.
Blocks of 64 bits were commonly used. The advanced encryption standard (AES) algorithm used 128 bits’ blocks.
MIME defines a number of content formats, which standardize representations for the support of multimedia e-mail. Examples include text, image, audio, and video.
Know the functions that the content types supports
- Enveloped data: This function consists of encrypted content of any type and encrypted-content encryption keys for one or more recipients.
- Signed data: A digital signature is formed by taking the message digest of the content to be signed and then encrypting that with the private key of the signer. The content plus signature are then encoded using base64 encoding. A signed data message can only be viewed by a recipient with S/MIME capability.
- Clear-signed data: As with signed data, a digital signature of the content is formed. However, in this case, only the digital signature is encoded usingbase64. As a result, recipients without S/MIME capability can view the message content, although they cannot verify the signature.
- Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed and signed data or clear-signed data may be encrypted.
