Modules 1 & 2 Flashcards

1
Q

What is the CIA triad?

A

Confidentiality
Integrity
Availability

2
Q

What is the difference between policy and mechanism?

A
  • Policy says what is, and is not, allowed. This defines “security” for the system.
  • Mechanisms enforce policies through technical or procedural means.
3
Q

What characterizes an Advanced Persistent Threat (APT)?

A
Organized
Directed
Well financed
Patient
Silent
4
Q

What are four (4) common types of harm?

A

Interception, Interruption, Modification, Fabrication

5
Q

What are the three classes of controls?

A
  • Physical controls stop or block an attack by using something tangible, such as walls and fences
  • Procedural or administrative controls use a command or agreement that
  • Technical controls counter threats with technology (hardware or software)
6
Q

What are the three classes of authentication strategies?

A
  • something you know
  • something you have
  • something you are
7
Q

What are common attacks on “something you know”?

A
Dictionary attacks
Inferring likely passwords/answers
Guessing
Defeating concealment
Exhaustive or brute-force attack
Rainbow tables
8
Q

What is a rainbow table?

A

Rainbow Tables are datasets of chains of pre-generated “hash-values” for almost every popular password variant, thus reducing the difficulty of password cracking.

9
Q

What are the goals of an access policy?

A

  • Check every access
  • Enforce least privilege
  • Verify acceptable usage
(Access control ensures the prevention of unauthorized use of a resource, including the use of a resource in an unauthorized way.)

10
Q

What is a potential vulnerability of a static authentication token, and what is an alternative?

A

Skimming attacks. An alternative is a dynamic (time-based) authentication token.

11
Q

What is Federated Identity Manager (FIM)?

A

A system that assists in managing identities and providing access to resources across different security domains and/or companies.

12
Q

What is single sign-on (SSO)?

A

An authentication process that allows a user to access multiple applications with one set of login credentials.

13
Q

What is an Access Control security policy?

A

Defines which users can access resources and with which rights (who, what, how: subject, object, attribute right).

14
Q

For access control, what are “Subjects”?

A
  • An entity trying to access a resource
  • Examples: users, processes

15
Q

For access control, what are “Objects”?

A
  • Things on which an action can be performed
  • Files, tables, programs, memory objects, hardware devices, strings, data fields, network connections, and processors are examples of objects
16
Q

What are Access Rights?

A
  • the permissions an individual user or a computer application holds to read, write, modify, delete or otherwise access a computer file; change configurations or settings, or add or remove applications.
  • write, read, execute, create, transfer (WRECT)
17
Q

What is an Access Control Directory?

A
  • One simple way to protect an object is to use a mechanism that works like a file directory
  • Therefore, the operating system must maintain all file directories, under commands from the owners of files.
  • The list becomes too large if many shared objects, such as libraries of subprograms or a common table of users, are accessible to all users, because the directory of each user must have one entry for each such shared object, even if the user has no intention of accessing the object.
  • Deletion of an object must be reflected in all directories.
18
Q

What is an Access Control Matrix?

A
  • A table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object
  • There is also a version of the matrix that omits the empty cells, which is useful because most entries are empty
19
Q

What is an Access Control List?

A
  • permissions attached to an object
  • There is one such list for each object, and the list shows all subjects who should have access to the object and what their access is.
  • This approach differs from the directory list because there is one access control list per object
20
Q

What is a privilege list?

A
  • Sometimes called a directory, is a row of the access matrix, showing all those privileges or access rights for a given subject
  • One advantage of a privilege list is ease of revocation: If a user is removed from the system, the privilege list shows all objects to which the user has access so that those rights can be removed from the object.
21
Q

What is a capability?

A
  • An unforgeable token that gives the possessor certain rights to an object.
  • Single- or multi-use ticket to access an object or service
22
Q

What is role-based access control (RBAC)?

A
  • Associates privileges with groups (roles): for example, all administrators can have significant privileges, while regular users or guests have lower privileges.
  • Administering security is easier if we can control access by job demands, not by person.
23
Q

What is symmetric encryption?

A
  • Uses same key for encryption and decryption
  • This is a secret key, which must be distributed out-of-band
  • Common schemes are AES and DES
24
Q

What is asymmetric encryption?

A
  • Each user has two keys, one public and one private
  • The public key can be exposed and used to distribute other keys

25
Q

What is the difference between an Access Control List and Privilege List?

A

An access control list is based on objects and a privilege list is based on users/subjects.

26
Q

What is a stream cipher?

A
  • A type of encryption algorithm that processes an individual bit, byte, or character of plaintext at a time
  • Often faster than block ciphers in hardware and requires less complex circuitry
  • Also useful when transmission errors are likely to occur, because stream ciphers have little or no error propagation
27
Q

What is a block cipher?

A
  • a symmetric cryptographic algorithm that operates on a fixed-size block of data using a shared, secret key
  • high diffusion (information from one plaintext symbol is spread into several cipher-text symbols).
  • difficult for an attacker to insert symbols without detection, because they can’t easily insert them into the middle of a block.
  • slower than a stream cipher (an entire block needs to be transmitted before encryption/decryption can happen)
  • if an error occurs, it can propagate throughout the block, corrupting the entire section.
28
Q

What is DES?

A
  • Data Encryption Standard
  • a symmetric-key block cipher created in the early 1970s by an IBM team and adopted by the National Institute of Standards and Technology (NIST)
  • takes the plain text in 64-bit blocks and converts them into ciphertext using 48-bit keys
  • Triple DES is a symmetric key-block cipher which applies the DES cipher in triplicate. It encrypts with the first key (k1), decrypts using the second key (k2), then encrypts with the third key (k3).
  • There is also a two-key variant, where k1 and k3 are the same keys.
29
Q

What is AES?

A
  • Advanced Encryption Standard
  • a modern symmetric block cipher algorithm
  • developed by two Belgian cryptographers and based on the Rijndael cipher
  • adopted by the U.S. National Institute of Standards and Technology (NIST) in 2001
  • supports three key lengths of 128, 192, and 256-bit encryption
30
Q

What is hashing?

A
  • the process of converting a given key into another value.
  • a Hash Function is used to generate the new value
  • the result of a Hash Function is a Hash Value or simply, a Hash
  • a one-way hashing algorithm ensures that the hash cannot be converted back into the original key
31
Q

What is the difference between hashing and encryption?

A
  • hashing ensures Integrity: data can’t be unhashed, as a hash function is a one-way function
  • encryption ensures Confidentiality, as data can be encrypted and then decrypted using a shared secret
32
Q

What are the two primary conditions of a digital signature?

A
  • It must be unforgeable: If person S signs message M with signature Sig(S,M), no one else can produce the pair [M,Sig(S,M)].
  • It must be authentic: If a person R receives the pair [M, Sig(S,M)] supposedly from S, R can check that the signature is really from S.
33
Q

What additional two conditions do digital signatures ideally satisfy?

A
  • Not alterable (desirable): No signer, receiver, or any interceptor can modify the signature without the tampering being evident
  • Not reusable (desirable): Any attempt to reuse a previous signature will be detected by receiver
34
Q

How are digital signatures generally computed?

A
  • with public key encryption:
  • the signer computes a signature value by using a private key
  • the public key can be used to verify that the signature came from the corresponding private key
35
Q

What part of the CIA triad is fulfilled by digital signatures?

A

Authenticity.