Modules 1 & 2 Flashcards

1
Q

What is the CIA triad?

A

Confidentiality
Integrity
Availability

2
Q

What is the difference between policy and mechanism?

A
  • Policy says what is, and is not, allowed. This defines “security” for the system.
  • Mechanisms enforce policies through technical or procedural means.
3
Q

What characterizes an Advanced Persistent Threat (APT)?

A
Organized
Directed
Well financed
Patient
Silent
4
Q

What are four (4) common types of harm?

A

Interception, Interruption, Modification, Fabrication

5
Q

What are the three classes of controls?

A
  • Physical controls stop or block an attack by using something tangible, such as walls and fences
  • Procedural or administrative controls use a command or agreement that
  • Technical controls counter threats with technology (hardware or software)
6
Q

What are the three classes of authentication strategies?

A
  • something you know
  • something you have
  • something you are
7
Q

What are common attacks on “something you know”?

A
Dictionary attacks
Inferring likely passwords/answers
Guessing
Defeating concealment
Exhaustive or brute-force attack
Rainbow tables
8
Q

What is a rainbow table?

A

Rainbow tables are datasets of chains of pre-generated hash values for almost every popular password variant, which reduces the difficulty of password cracking.

9
Q

What are the goals of an access policy?

A

  • Check every access
  • Enforce least privilege
  • Verify acceptable usage
(Access control ensures the prevention of unauthorized use of a resource, including the use of a resource in an unauthorized way.)

10
Q

What is a potential vulnerability of a static authentication token, and what is an alternative?

A

Skimming attacks. The alternative is a dynamic (time-based) authentication token.

11
Q

What is Federated Identity Manager (FIM)?

A

A system that assists in managing identities and providing access to resources across different security domains and/or companies.

12
Q

What is single sign-on (SSO)?

A

An authentication process that allows a user to access multiple applications with one set of login credentials.

13
Q

What is an Access Control security policy?

A

Defines which users can access resources and with which rights (who, what, how: subject, object, attribute right).

14
Q

For access control, what are “Subjects”?

A
  • An entity trying to access a resource
  • Examples: users, processes

15
Q

For access control, what are “Objects”?

A
  • Things on which an action can be performed
  • Files, tables, programs, memory objects, hardware devices, strings, data fields, network connections, and processors are examples of objects
16
Q

What are Access Rights?

A
  • The permissions an individual user or a computer application holds to read, write, modify, delete or otherwise access a computer file; to change configurations or settings; or to add or remove applications.
  • Write, read, execute, create, transfer (WRECT)
17
Q

What is an Access Control Directory?

A
  • One simple way to protect an object is to use a mechanism that works like a file directory
  • The operating system must maintain all file directories, under commands from the owners of files.
  • Drawback: the list becomes too large if many shared objects, such as libraries of subprograms or a common table of users, are accessible to all users.
  • The directory of each user must have one entry for each such shared object, even if the user has no intention of accessing the object.
  • Deletion must be reflected in all directories.
18
Q

What is an Access Control Matrix?

A
  • A table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object
  • A sparse version of the matrix that omits the empty cells is also useful
19
Q

What is an Access Control List?

A
  • Permissions attached to an object
  • There is one such list for each object, and the list shows all subjects who should have access to the object and what their access is.
  • This approach differs from the directory list because there is one access control list per object, rather than one directory per subject
20
Q

What is a privilege list?

A
  • Sometimes called a directory; it is a row of the access matrix, showing all the privileges or access rights for a given subject
  • One advantage of a privilege list is ease of revocation: if a user is removed from the system, the privilege list shows all objects to which the user has access, so that those rights can be removed from each object.
21
Q

What is a capability?

A
  • An unforgeable token that gives the possessor certain rights to an object.
  • Single- or multi-use ticket to access an object or service
22
Q

What is role-based access control (RBAC)?

A
  • Associates privileges with roles or groups: for example, all administrators can have significant privileges, while regular users or guests have lower privileges.
  • Administering security is easier if we can control access by job demands, not by person.
23
Q

What is symmetric encryption?

A
  • Uses same key for encryption and decryption
  • This is a secret key, which must be distributed out-of-band
  • Common schemes are AES and DES
24
Q

What is asymmetric encryption?

A
  • Each user has two keys, one public and one private
  • The public key can be exposed and used to distribute other keys

25
Q

What is the difference between an Access Control List and a Privilege List?

A

An access control list is based on objects, and a privilege list is based on users/subjects.
26
Q

What is a stream cipher?

A
  • A type of encryption algorithm that processes an individual bit, byte, or character of plaintext at a time.
  • Often faster than block ciphers in hardware and requires circuitry that is less complex.
  • Also useful when transmission errors are likely to occur, because stream ciphers have little or no error propagation.
27
Q

What is a block cipher?

A
  • A symmetric cryptographic algorithm that operates on a fixed-size block of data using a shared, secret key
  • High diffusion (information from one plaintext symbol is spread into several ciphertext symbols)
  • Difficult for an attacker to insert symbols without detection, because they can't easily insert them into the middle of a block
  • Slower than a stream cipher (an entire block needs to be transmitted before encryption/decryption can happen)
  • If an error occurs, it can propagate throughout the block, corrupting the entire section
28
Q

What is DES?

A
  • Data Encryption Standard
  • A symmetric-key block cipher created in the early 1970s by an IBM team and adopted by the National Institute of Standards and Technology (NIST)
  • Takes the plaintext in 64-bit blocks and converts them into ciphertext using 48-bit keys
  • Triple DES is a symmetric-key block cipher which applies the DES cipher in triplicate: it encrypts with the first key (k1), decrypts using the second key (k2), then encrypts with the third key (k3)
  • There is also a two-key variant, where k1 and k3 are the same key
29
Q

What is AES?

A
  • Advanced Encryption Standard
  • A modern symmetric block cipher algorithm
  • Developed by two Belgian cryptographers and based on the Rijndael cipher
  • Adopted by the U.S. National Institute of Standards and Technology (NIST) in 2001
  • Supports three key lengths: 128-, 192-, and 256-bit encryption
30
Q

What is hashing?

A
  • The process of converting a given key into another value
  • A hash function is used to generate the new value
  • The result of a hash function is a hash value or, simply, a hash
  • A one-way hashing algorithm ensures that the hash cannot be converted back into the original key
31
Q

What is the difference between hashing and encryption?

A
  • Hashing ensures integrity; data can't be unhashed, as a hash function is a one-way function
  • Encryption ensures confidentiality, as data can be encrypted and then decrypted using a shared secret
32
Q

What are the two primary conditions of a digital signature?

A
  • It must be unforgeable: if person S signs message M with signature Sig(S,M), no one else can produce the pair [M, Sig(S,M)].
  • It must be authentic: if a person R receives the pair [M, Sig(S,M)] supposedly from S, R can check that the signature is really from S.
33
Q

What additional two conditions do digital signatures ideally satisfy?

A
  • Not alterable (desirable): no signer, receiver, or interceptor can modify the signature without the tampering being evident
  • Not reusable (desirable): any attempt to reuse a previous signature will be detected by the receiver
34
Q

How are digital signatures generally computed?

A
  • With public key encryption:
  • The signer computes a signature value by using a private key
  • The public key can be used to verify that the signature came from the corresponding private key
35
Q

What part of the CIA triad is fulfilled by digital signatures?

A

Authenticity.