Mid-Term Flashcards
List 5 principal threats to the secrecy of passwords
- Specific Account Attack
- Popular Password Attack
- Exploiting User Mistakes
- Exploiting Multiple Password Use
- Offline Dictionary Attack
- Workstation Hijacking
- Electronic Monitoring
- Password Guessing against a single user
Specific Account Attack
An attack where the attacker targets a specific account and submits password guesses until the correct password is found.
Popular Password Attack
An attack that uses common passwords against a wide array of user accounts.
Password Guessing Against Single User
The attacker attempts to gain knowledge about the account holder and the system's password policies in order to guess the password.
Workstation Hijacking
The attacker accesses an active workstation that has been left unattended.
Exploiting user mistakes
This type of attack depends on the carelessness of the user, for example viewing their credentials over their shoulder or obtaining a password that they have written down.
Electronic Monitoring
The attacker eavesdrops on network communication and decrypts the data to obtain the password.
What is the cloud computing reference architecture?
The NIST cloud computing reference architecture is a tool for describing and developing a system-specific architecture using a common reference.
Name Two Categories of Passive Attack
Release of message contents and traffic analysis
Name Three Categories of Active Attack
Masquerade, replay, modification of message, denial of service
What is an active attack?
A network exploit in which a hacker attempts to make changes to data on the target.
What is a Passive Attack?
A passive attack is a network attack where a system is monitored or scanned to gain information.
Biometric Enrollment
Biometric enrollment is the process of associating the user's identification with his password and biometric data.
Biometric Verification
The process of the user presenting his credentials, biometric and otherwise, to access the system.
Biometric Authentication
The user is authenticated if his user id, password and biometric data all match the stored records on the system.
List 4 Cloud-Specific Threats
- Abuse and Nefarious use of cloud computing
- Malicious Insider
- Insecure Interfaces and APIs
- Shared Technology Issues
- Data loss or leakage
- Account or service hijacking
- Unknown risk profile
Abuse and Nefarious use of cloud computing
This enables the attacker to execute malicious code or perform spamming and denial of service attacks using valid credentials.
Insecure Interfaces and APIs
Cloud service providers (CPs) provide interfaces and APIs to help customers manage their cloud resources. Weaknesses in these interfaces can allow attackers to circumvent policy.
Malicious Insider
An attacker who has credentials or is a valid administrator of system security uses his authority to perform a malicious act.
Data Loss or Leakage
The loss of access to information due to an attack.
Account/Service Hijacking
Attackers can access critical areas of deployed cloud computing services allowing them to compromise CIA.
What is DAC?
Discretionary Access Control controls access based on user identity and access rules that define his access to the system.
What is MAC?
Mandatory Access Control controls access based on security levels. A user is associated with an access level that determines his privileges on the system.
What is RBAC?
Role-Based Access Control controls access based on the roles that users have within the system and the rules that define what accesses are allowed for each role.
Name Three Cloud Service Models
SaaS (Software as a Service): provides service to customers in the form of software.
PaaS (Platform as a Service): provides a platform for running applications.
IaaS (Infrastructure as a Service): provides hardware resources to users remotely.
Account/Service Hijacking
The attacker uses stolen credentials to access critical areas and negatively impact CIA.
Unknown Risk Profile
The client cedes control of resources and systems to the CP. There are a number of issues that the client may not be aware of or may not have the access to mitigate.
List and define the four types of entities in a base model RBAC system as mentioned in our text.
User: An individual that has access to this computer system. Each individual has an associated user ID.
Role: A named job function within the organization that controls this computer system. Typically, associated with each role is a description of the authority and responsibility conferred on this role, and on any user who assumes this role.
Permission: An approval of a particular mode of access to one or more objects. Equivalent terms are access right, privilege, and authorization.
Session: A mapping between a user and an activated subset of the set of roles to which the user is assigned.
List and define the three classes of subject in an access control system as mentioned in our text.
Owner: This may be the creator of a resource, such as a file. For system resources, ownership may belong to a system administrator. For project resources, a project administrator or leader may be assigned ownership.
Group: In addition to the privileges assigned to an owner, a named group of users may also be granted access rights, such that membership in the group is sufficient to exercise these access rights. In most schemes, a user may belong to multiple groups.
World: The least amount of access is granted to users who are able to access the system but are not included in the categories owner and group for this resource.
List and briefly describe four common techniques for selecting or assigning passwords that are mentioned in our text.
User education: Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords.
Computer-generated passwords: the system selects a password for the user.
Reactive password checking: the system periodically runs its own password cracker to find guessable passwords.
Proactive password checking: a user is allowed to select his or her own password. However, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it.
What are the essential ingredients, mentioned in our text, of a symmetric cipher?
Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.
Define the terms database, database management system, and query language as mentioned in our text.
A database is a structured collection of data stored for use by one or more applications. In addition to data, a database contains the relationships between data items and groups of data items. A database management system (DBMS) is a suite of programs for constructing and maintaining the database and for offering ad hoc query facilities to multiple users and applications. A query language provides a uniform interface to the database for users and applications.
List and briefly define four of the fundamental security design principles mentioned in our text.
- Economy of mechanism
- Fail-safe defaults
- Complete mediation
- Open design
- Separation of privilege
- Least privilege
- Least common mechanism
- Psychological acceptability
- Isolation
- Encapsulation
- Modularity
- Layering
- Least astonishment
Pages 28-31 give details of each.
Define computer security and what it includes.
Computer security refers to the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (including hardware, software, firmware, information/data, and telecommunications).
List and briefly describe some administrative policies that can be used with an RDBMS as mentioned in our text.
Centralized administration: A small number of privileged users may grant and revoke access rights.
Ownership-based administration: The owner (creator) of a table may grant and revoke access rights to the table.
Decentralized administration: In addition to granting and revoking access rights to a table, the owner of the table may grant and revoke authorization to other users, allowing them to grant and revoke access rights to the table.
List and briefly define three uses of a public-key cryptosystem.
Encryption/decryption: The sender encrypts a message with the recipient's public key.
Digital signature: The sender "signs" a message with its private key.
Key exchange: Two sides cooperate to exchange a session key.