Mid-Term Flashcards

1
Q

List 5 Principal Threats to the secrecy of passwords

A
  1. Specific Account Attack
  2. Popular Password Attack
  3. Exploiting User Mistakes
  4. Exploiting Multiple Password Use
  5. Offline Dictionary Attack
  6. Workstation Hijacking
  7. Electronic Monitoring
  8. Password Guessing against a single user
2
Q

Specific Account Attack

A

An attack where the attacker targets a specific account and submits password guesses until the correct password is found.

3
Q

Popular Password Attack

A

An attack that uses common passwords against a wide array of user accounts.

4
Q

Password Guessing Against Single User

A

The attacker attempts to gain knowledge about the account holder and system password policies to guess the password

5
Q

Workstation Hijacking

A

The attacker accesses an active workstation that is unattended

6
Q

Exploiting user mistakes

A

This type of attack depends on the carelessness of the user, for example viewing their credentials over their shoulder or obtaining a password that they have written down.

7
Q

Electronic Monitoring

A

The attacker eavesdrops on network communication and decrypts the data to obtain the password.

8
Q

What is the cloud computing reference architecture?

A

The NIST cloud computing reference architecture is a tool for describing and developing a system-specific architecture using a common reference.

9
Q

Name Two Categories of Passive Attack

A

Release of message contents and traffic analysis

10
Q

Name Three Categories of Active Attack

A

Masquerade, replay, modification of message, denial of service

11
Q

What is an active attack?

A

A network exploit in which a hacker attempts to make changes to data on the target

12
Q

What is a Passive Attack?

A

A passive attack is a network attack where a system is monitored or scanned to gain information.

13
Q

Biometric Enrollment

A

Biometric enrollment is the process of associating the user's identification with his password and biometric data.

14
Q

Biometric Verification

A

The process of the user using his credentials, biometric and otherwise, to access the system.

15
Q

Biometric Authentication

A

The user is authenticated if his user id, password and biometric data all match the stored records on the system.

16
Q

List 4 Cloud Specific Threats

A
  1. Abuse and Nefarious use of cloud computing
  2. Malicious Insider
  3. Insecure Interfaces and APIs
  4. Shared Technology Issues
  5. Data loss or leakage
  6. Account or service hijacking
  7. Unknown risk profile
17
Q

Abuse and Nefarious use of cloud computing

A

This enables the attacker to execute malicious code or perform spamming and denial of service attacks using valid credentials.

18
Q

Insecure Interfaces and APIs

A

Cloud Service Providers (CPs) provide interfaces and APIs to help customers manage their cloud resources. Weaknesses in these interfaces can allow attackers to circumvent policy.

19
Q

Malicious Insider

A

An attacker who has credentials, or who is a valid security administrator of the system, uses his authority to perform a malicious act.

20
Q

Data Loss or Leakage

A

The loss of access to information due to an attack.

21
Q

Account/Service Hijacking

A

Attackers can access critical areas of deployed cloud computing services allowing them to compromise CIA.

22
Q

What is DAC?

A

Discretionary Access Control controls access based on user identity and on access rules that define what access the user is allowed to the system.

23
Q

What is MAC?

A

Mandatory Access Control controls access based on security levels. A user is associated with an access level that determines his privileges on the system.

24
Q

What is RBAC?

A

Role-Based Access Control controls access based on the roles that users have within the system and on the rules that define what accesses are allowed for each role.

25
Q

Name Three Cloud Service Models

A

(SaaS) Software as a Service provides service to customers in the form of software.

(PaaS) Platform as a Service provides a platform for running applications.

(IaaS) Infrastructure as a Service provides hardware resources to users remotely.

26
Q

Account/Service Hijacking

A

The attacker uses stolen credentials to access critical areas and negatively impact CIA.

27
Q

Unknown Risk Profile

A

The client cedes control of resources and systems to the CP. There are a number of issues that the client may not be aware of or may not have the access to mitigate.

28
Q

List and define the four types of entities in a base model RBAC system as mentioned in our text.

A

User: An individual that has access to this computer system. Each individual has an associated user ID.

Role: A named job function within the organization that controls this computer system. Typically, associated with each role is a description of the authority and responsibility conferred on this role, and on any user who assumes this role.

Permission: An approval of a particular mode of access to one or more objects. Equivalent terms are access right, privilege, and authorization.

Session: A mapping between a user and an activated subset of the set of roles to which the user is assigned.

29
Q

List and define the three classes of subject in an access control system as mentioned in our text.

A

Owner: This may be the creator of a resource, such as a file. For system resources, ownership may belong to a system administrator. For project resources, a project administrator or leader may be assigned ownership.

Group: In addition to the privileges assigned to an owner, a named group of users may also be granted access rights, such that membership in the group is sufficient to exercise these access rights. In most schemes, a user may belong to multiple groups.

World: The least amount of access is granted to users who are able to access the system but are not included in the categories owner and group for this resource.

30
Q

List and briefly describe four common techniques for selecting or assigning passwords that are mentioned in our text.

A

User education: Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords.

Computer-generated passwords: the system selects a password for the user.

Reactive password checking: the system periodically runs its own password cracker to find guessable passwords.

Proactive password checking: a user is allowed to select his or her own password. However, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it.

31
Q

What are the essential ingredients, mentioned in our text, of a symmetric cipher?

A

Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.

32
Q

Define the terms database, database management system, and query language as mentioned in our text.

A

A database is a structured collection of data stored for use by one or more applications. In addition to data, a database contains the relationships between data items and groups of data items.

A database management system (DBMS) is a suite of programs for constructing and maintaining the database and for offering ad hoc query facilities to multiple users and applications.

A query language provides a uniform interface to the database for users and applications.

33
Q

List and briefly define four of the fundamental security design principles mentioned in our text.

A

• Economy of mechanism
• Fail-safe defaults
• Complete mediation
• Open design
• Separation of privilege
• Least privilege
• Least common mechanism
• Psychological acceptability
• Isolation
• Encapsulation
• Modularity
• Layering
• Least astonishment

Pages 28 - 31 give details of each.

34
Q

Define computer security and what it includes.

A

Computer security refers to protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

35
Q

List and briefly describe some administrative policies that can be used with a RDBMS as mentioned in our text.

A

Centralized administration: A small number of privileged users may grant and revoke access rights.

Ownership-based administration: The owner (creator) of a table may grant and revoke access rights to the table.

Decentralized administration: In addition to granting and revoking access rights to a table, the owner of the table may grant and revoke authorization to other users, allowing them to grant and revoke access rights to the table.

36
Q

List and briefly define three uses of a public-key cryptosystem.

A

Encryption/decryption: The sender encrypts a message with the recipient's public key.

Digital signature: The sender "signs" a message with its private key.

Key exchange: Two sides cooperate to exchange a session key.