Lecture 12 Flashcards

1
Q

Data Breach

A

A confirmed incident in which sensitive, confidential, or otherwise protected data has been accessed or disclosed in an unauthorized fashion.

ex: PHI (personal health information), PII (personally identifiable information), trade secrets, intellectual property

2
Q

Security Concepts (AKA CIA Triad) (SC)

A

From top, right, left:

  • Confidentiality: data is secured to authorized parties only
  • Integrity: data is trusted
  • Availability: data is accessible when and where needed

From left, right, bottom:

  • Authenticity: components can prove their identity
  • Non-repudiation: service provides a trusted audit trail
  • Privacy: service does not automatically see customer data
3
Q

[SC] Authentication vs Authorization

A
  • Authentication (1st): verifies who you are
  • Authorization (2nd): decides if you have permissions to access a resource

4
Q

Top 10 Security Principles

A
  • authenticate requests received on a network port
  • follow principle of least privilege
  • encrypt all credentials
  • test by abusing
  • assume no one else will secure it; validate it
  • hard code no passwords, user ids, etc
  • avoid security by obscurity/keep security simple
  • understand 3rd party components
  • EVERYONE IS RESPONSIBLE FOR SECURITY
5
Q

Security w/in an SDLC (S in SDLC)

A

Software security best practices involve explicitly thinking about the security situations throughout the SDLC.

  • know and understand common risks
  • design for security
  • all software artifacts subject to thorough, objective risk analysis and testing
  • security should be its own set of requirements for the app
6
Q

[Security Terms] Vulnerability

A

A weakness (in an information system, security system procedure, or implementation) that could be exploited/triggered.

7
Q

[Security Terms] Threat

A

A potential violation of security which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.

8
Q

[Security Terms] Threat Agent

A

An individual or group which can manifest a threat.

9
Q

[Security Terms] Asset

A

A major app, general support system, high impact project, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.

10
Q

[Security Terms] Risk

A

(level of threat) * (level of vulnerability). Likelihood of a successful attack.

11
Q

[Security Terms] Countermeasure

A

Reactive methods used to prevent an exploit from successfully occurring once a threat has been detected.

ex: IPS (intrusion prevention systems), patches, access control lists, malware filters

12
Q

[Security Terms] Security Model

A
  • Owners value ASSETS
  • Owners wish to minimize RISK to ASSETS
  • Owners impose COUNTERMEASURES to reduce RISK to ASSETS
  • Owners impose COUNTERMEASURES that may possess VULNERABILITIES leading to RISK to ASSETS
  • Threat agents wish to abuse and/or damage ASSETS
  • Threat agents give rise to THREATS to ASSETS
  • Threat agents give rise to THREATS that exploit VULNERABILITIES leading to RISK to assets
  • Threat agents give rise to THREATS that increase RISK to ASSETS
13
Q

Application Threat Modeling [ATM]

A

A structured approach for analyzing the security of an application that enables you to identify, quantify, and address the security risks of an application.

14
Q

[ATM] Process

A

1) Identify Assets
2) Create an Architecture Overview
3) Decompose the Application
4) Identify the Threats
5) Document the Threats
6) Rate the Threats

15
Q

Security Design Practices

A
  • earn/give, but never assume, trust
  • authentication mechanism that can’t be bypassed/tampered with
  • authorize after you authenticate
  • explicitly validate ALL data (client-side and server-side)
  • external 3rd party components change your attack surface
16
Q

Security Testing [ST]

A

A type of software testing that intends to uncover vulnerabilities of the system and determine that its data and resources are protected from intruders.

17
Q

[ST] of an Application Component (AST)

A
  • Network
  • System Software
  • Client-side
  • Server-side
18
Q

[AST] Static vs Dynamic

A

STATIC

  • White box
  • Analyzes source code or binaries
  • Covers all execution paths
  • Finds vulnerabilities early in SDLC (analysis/design/coding phases)

DYNAMIC

  • Black box
  • Requires running application
  • Testing with pre-defined test data sets
  • Finds vulnerabilities later in SDLC (integration/systems phases)
19
Q

[AST] Coverage

A

STATIC (N.I.C.T)

  • null pointer dereference
  • insecure crypto issues
  • code quality issues
  • threading issues

DYNAMIC (B.A.R.S)

  • business logic vulnerabilities
  • authentication issues
  • runtime privilege issues
  • session management issues

BOTH (S.X.X.L.H.B)

  • SQL Injection
  • XSS Injection
  • XPATH injection
  • LDAP injection
  • HTTP Response Splitting
  • Buffer Overflows
20
Q

[ST] Principles

A
  • think strategically, not tactically (patch and penetrate model w/out proper investigation of the root cause is ineffective)
  • integrate security into each phase of the S.D.L.C.
  • test early and test often
  • think outside the box
21
Q

[ST] Techniques

A
  • manual inspections and reviews
  • threat modeling
    (helps system designers to think about the security threats that their sys/app faces)
    (enables designer to develop mitigation strategies for potential vulnerabilities)
  • code review
  • penetration testing: remotely testing an app to find vulnerabilities without knowing the app's inner workings