Summarized Exam Flashcards

1
What are the two steps in authentication?
Identification (announcing who you are) and Authentication (proving who you are).
2
What are the four means of user authentication?
1) Something you know (e.g., password), 2) Something you possess (e.g., token), 3) Something you are (e.g., biometric), 4) Something you do (e.g., behavior-based).
3
What is multi-factor authentication (MFA)?
A method that combines two or more authentication factors to verify identity.
4
What role does a username/login ID play in password authentication?
It determines the user’s authorization and privileges in the system.
5
What role does a password play in password authentication?
It confirms the user’s identity and establishes trust for access.
6
What is a hash function?
A one-way function that’s easy to compute but hard to reverse.
7
Why is a salt added to a password before hashing?
To ensure unique hashes even for identical passwords, preventing rainbow table attacks.
8
What is a rainbow table?
A precomputed table for reversing cryptographic hash functions, used in password cracking.
9
What are the three main password cracking strategies?
Exhaustive search (brute force), intelligent search (e.g., dictionary attack), and using dedicated cracking servers.
10
What is a password spoofing attack?
An attack where a fake interface captures user credentials.
11
What is shoulder surfing?
Observing a user enter a password over their shoulder.
12
What is a key logger?
Software or hardware that records keystrokes.
13
What is proactive password checking?
Enforcing rules or using dictionaries to prevent weak passwords.
14
What is a Bloom filter used for in password checking?
To efficiently check if a password exists in a blacklist of weak passwords.
15
What are memory cards used for in authentication?
They store data and are used alone or with a PIN for access.
16
What is a smart card?
A card with an embedded microprocessor used for authentication.
17
What are the three types of memory in smart cards?
ROM, EEPROM, and RAM.
18
What are the smart card authentication protocols?
Static, dynamic password generation, and challenge-response.
19
What is biometric authentication?
Authentication based on unique physical characteristics.
20
What are the two types of biometric matching?
Verification (1:1 comparison) and Identification (1:n comparison).
21
What is the Equal Error Rate (EER)?
The point where False Match Rate (FMR) and False Non-Match Rate (FNMR) are equal.
22
What is FMR in biometric systems?
False Match Rate – the rate at which unauthorized users are incorrectly accepted.
23
What is FNMR in biometric systems?
False Non-Match Rate – the rate at which legitimate users are incorrectly rejected.
24
What is a challenge-response protocol?
A method where the system issues a challenge that the user must respond to correctly.
25
What are major threats in remote user authentication?
DoS, eavesdropping, host attacks, replay, client attacks, and Trojan horses.
26
Why should default passwords be changed?
To prevent easy access by attackers who know factory-set credentials.
27
What is a trusted path?
A secure method of communication ensuring interaction with a legitimate system component.
28
What does a password policy typically enforce?
Rules on password length, complexity, and change frequency.
29
What is the function of password ageing?
To require users to change passwords regularly.
30
What is single sign-on (SSO)?
Authentication once to access multiple services.
31
How can failed logins help identify attacks?
They may indicate unauthorized attempts to access an account.
32
What were some of the top 10 passwords used by Adobe users in 2013?
'123456', '123456789', 'password', 'qwerty', 'picture1'
33
What is NIST SP 800-63-3?
A Digital Authentication Guideline defining confidence in user identities presented electronically.
34
What does Cisco Identity Services Engine (ISE) provide regarding authentication?
An example of an admin password policy.
35
What are some types of CAPTCHA used in challenge-response mechanisms?
Image CAPTCHA, Text CAPTCHA, FunCAPTCHA, Phone Prompt, Authenticator App.
36
What is the purpose of a CAPTCHA in authentication?
To verify the user is human and not a bot.
37
What are the three types of memory in a smart card?
Read-only memory (ROM), EEPROM, and RAM.
38
What is the role of the embedded microprocessor in a smart card?
To process data and support authentication protocols.
39
What are the types of interfaces used by smart tokens?
Manual interface (keypad/display) and electronic interface (contact/contactless).
40
Why are multiple fingers often recorded in biometric systems?
To increase accuracy of fingerprint recognition.
41
What is False Match Rate (FMR)?
The rate at which unauthorized users are incorrectly accepted.
42
What is False Non-Match Rate (FNMR)?
The rate at which legitimate users are incorrectly rejected.
43
What is Equal Error Rate (EER)?
The point where FMR and FNMR are equal; used to evaluate biometric systems.
44
Why might high-security applications use biometrics?
To reduce FMR and enhance difficulty of misuse.
45
What is a Replay Attack in authentication?
An adversary reuses a previously captured user response.
46
What is a Trojan Horse attack in authentication?
A malicious program or device mimicking a legitimate one to steal credentials.
47
What is a Client Attack?
An adversary attempts to authenticate without access to host or communication path, e.g., by guessing passwords.
48
What is a Host Attack?
Targeting the user file where credentials or biometric templates are stored.
49
What is Eavesdropping in authentication?
Observing the authentication process to steal credentials.
50
What is Denial of Service (DoS) in authentication?
Flooding the system with requests to disable the service.
51
What is a trusted path?
A secure mechanism ensuring communication with the operating system, not spoofed software.
52
Why are characters often hidden during password entry?
To prevent shoulder surfing.
53
Why might showing characters during password entry be useful?
Improves usability, especially for long or complex passwords.
54
What is a threat in the context of information security?
A potential security harm to an asset.
55
Who or what is a threat agent?
The entity carrying out an attack, such as an attacker.
56
What is the primary goal of thieves as threat agents?
Monetary gain.
57
What are nation state attackers often motivated by?
Cyberwarfare, counter-intelligence, strategic goals.
58
Give an example of a tool used by organized crime groups.
Botnets, ransomware, inside information.
59
What are examples of tangible assets?
Servers, networking equipment, storage devices, workstations.
60
What are examples of intangible assets?
Brand reputation, data, software, encryption keys.
61
Why is identifying intangible assets challenging?
They are not readily discovered or documented like hardware or software.
62
Define a vulnerability in a system.
A weakness that could be exploited to damage assets.
63
Give an example of a leaky vulnerability.
Insecure data transfer and storage.
64
What are the three steps in threat modeling?
1) Decompose the application, 2) Determine and rank threats, 3) Determine countermeasures.
65
What is the purpose of decomposing an application in threat modeling?
To understand how the application functions and identify vulnerabilities.
66
What are entry points in threat modeling?
Places where data enters the system.
67
What is an exit point in an application?
Places where data exits, such as output or session termination.
68
What is a trust level in threat modeling?
A defined access right assigned to entities interacting with the system.
69
What do data flow diagrams (DFDs) represent?
Visual representations of how data moves and is processed in the application.
70
What is the role of a data store in DFD?
To represent where data is stored without modifying it.
71
Give an example of Tampering.
Changing data in the backend to grant unauthorized privileges.
72
What is Repudiation in STRIDE?
Denial of an action to avoid responsibility.
73
Give an example of a DoS attack.
Flooding the network with requests.
74
What is a limitation of the DREAD model?
Subjective scoring and lack of widespread adoption.
75
What is an alternative to DREAD for threat ranking?
Qualitative risk model (Low, Medium, High).
76
What is an attack surface?
Reachable and exploitable vulnerabilities in a system.
77
Name a category of attack surface.
Software, Network, Human.
78
What is attack surface analysis useful for?
Assessing the scale and severity of threats.
79
What is the root node in an attack tree?
The ultimate goal of the attacker.
80
What do leaf nodes in an attack tree represent?
Specific methods to initiate an attack.
81
What should passwords be stored with?
Salted hashes.
82
What is an effective authorization method?
Role-based access control.
83
What principle restricts access to only necessary resources?
Principle of least privilege.
84
What protocols are recommended for data protection in transit?
SSL/TLS.
85
What technique protects data integrity?
Hashed message authentication codes (HMACs).
86
How to reduce Denial of Service risk?
Throttling, filtering, quality of service.
87
Name a threat modeling tool from Microsoft.
Microsoft Threat Modeling Tool.
88
What is OWASP Threat Dragon?
An open-source tool for threat modeling.
89
What is malware?
A program covertly inserted into a system to compromise confidentiality, integrity, or availability.
90
What are the two main malware classification methods?
By propagation and by payload.
91
Name types of malware based on propagation.
Virus, worm, Trojan horse.
92
Name types of malware based on payload.
Ransomware, logic bomb, botnet, spyware, keylogger, phishing, backdoor, rootkit.
93
What is Stuxnet known for?
Infected USB drives; targeted Iranian nuclear facilities.
94
What is Mirai?
A botnet of IoT devices used in DDoS attacks.
95
What is a stealth virus?
A virus that hides its presence from antivirus programs.
96
What is a multipartite virus?
A virus that infects multiple file types, which makes eradication more complex.
97
What is a zero-day exploit in worms?
An attack that uses previously unknown vulnerabilities.
98
What is a Trojan horse?
Software that appears harmless but hides malicious functionality.
99
Give an example of ransomware.
Gpcode, WannaCry.
100
What is a logic bomb?
Malicious code triggered by specific events or conditions.
101
What is a botnet?
A network of infected machines used for malicious tasks.
102
What is spyware?
Malware that monitors user activity and redirects web traffic.
103
What is phishing?
Tricking users into revealing personal data through fake websites or emails.
104
What is a keylogger?
Malware that records keystrokes to steal sensitive info.
105
What is a backdoor?
A hidden way to access a system, often installed by developers.
106
What is a rootkit?
Software that hides the presence of malicious processes or programs.
107
What is stack smashing?
A buffer overflow on the stack, used to alter control flow.
108
Name a function vulnerable to buffer overflow.
gets(), strcpy(), strcat(), vsprintf().
109
What is SQL injection (SQLi)?
A vulnerability that allows attackers to interfere with database queries.
110
What is union-based SQLi?
Using UNION SELECT to extract additional data from a query.
111
What is Boolean-based SQLi?
Injecting conditions like 'OR 1=1' to bypass authentication.
112
What is command injection?
Injecting system commands via unvalidated input.
113
What is a cross-site scripting (XSS) attack?
Injecting script code into HTML output sent to other users.
114
What is Server-Side Request Forgery (SSRF)?
Tricking a server into making internal network requests.
115
What is XML External Entity (XXE) attack?
An attack exploiting XML parsers to access sensitive files or internal services.
116
What is Metasploit?
A framework for exploiting vulnerabilities and injecting payloads.
117
What is Burp Suite used for?
Web vulnerability scanning and proxying.
118
What is the role of Wireshark?
Network traffic analysis.
119
What is OWASP ZAP?
Tool for fuzzing, spidering and proxying web apps.
120
What is Maltego used for?
Information gathering and analysis.
121
What is cryptography?
The art and science of keeping messages secure using mathematical techniques.
122
What are the five key goals of cryptography?
Confidentiality, privacy preservation, authentication, data integrity, non-repudiation.
123
What is plaintext?
The original, unencrypted message or data.
124
What is ciphertext?
The scrambled message produced by encryption.
125
What is an encryption algorithm?
An algorithm that performs substitutions and transformations on plaintext.
126
What is a secret key?
Used in symmetric encryption for both encrypting and decrypting.
127
What is a public key?
Used in asymmetric encryption for encrypting data.
128
What is a private key?
Used in asymmetric encryption for decrypting data.
129
What is cryptanalysis?
The process of attempting to discover the plaintext or key.
130
What is a ciphertext-only attack?
The attacker only knows the ciphertext and attempts to decrypt it.
131
What is a known plaintext attack?
The attacker knows plaintext-ciphertext pairs encrypted with the same key.
132
What is a chosen plaintext attack?
The attacker chooses plaintexts and obtains their ciphertexts.
133
What is a chosen ciphertext attack?
The attacker chooses ciphertexts and gets corresponding plaintexts.
134
What is a chosen text attack?
Combination of chosen plaintext and chosen ciphertext attacks.
135
What is the difference between symmetric and asymmetric encryption?
Symmetric uses one key; asymmetric uses two keys (public/private).
136
What is a block cipher?
Processes input in fixed-size blocks, e.g., 128-bit blocks in AES.
137
What is a stream cipher?
Encrypts data one bit or byte at a time.
138
What is the Caesar cipher?
A substitution cipher that shifts each letter a fixed number of positions down the alphabet.
139
What is symmetric encryption?
Both sender and receiver use the same secret key.
140
What is asymmetric encryption?
Sender and receiver use different keys (public/private).
141
What problem does a digital certificate solve?
It helps verify public key authenticity.
142
What is a certificate authority (CA)?
A trusted third party that issues digital certificates.
143
What is in an X.509 certificate?
Subject's name, public key, and digital signature from CA.
144
What is a Feistel Cipher Structure?
A block cipher design dividing data into left/right halves with multiple rounds.
145
What is a Substitution-Permutation Network (SPN)?
A cipher structure used in AES combining S-boxes and P-boxes.
146
What is AES?
A symmetric block cipher standard replacing DES.
147
What is ECB mode?
Encrypts each block independently with the same key.
148
What is CBC mode?
Each block is XORed with the previous ciphertext block before encryption.
149
What is a hash function?
A function that maps variable-length input to a fixed-length output.
150
What is preimage resistance?
It’s hard to find any input that hashes to a specific output.
151
What is second preimage resistance?
It’s hard to find a different input with the same hash.
152
What is collision resistance?
It’s hard to find two inputs with the same hash.
153
Name common hashing algorithms.
MD5, RIPEMD128, SHA-1, SHA-256.
154
What are hash functions used for?
Password verification, digital signatures, integrity checking, etc.
155
What is a MAC?
A short piece of information to authenticate a message using a shared key.
156
What is HMAC?
A keyed-hash message authentication code standard documented in RFC 2104.
157
What are HMAC's design goals?
Usability, replaceability of hash functions, and strong authentication.
158
What is AEAD?
Authenticated Encryption with Associated Data; it ensures both confidentiality and integrity.
159
What is the role of 'Associated Data' in AEAD?
It is not encrypted but is authenticated for integrity protection.
160
Why is IoT security important?
Because IoT devices handle sensitive data and are increasingly integrated into critical infrastructure.
161
Give examples of smart environments in IoT.
Smart lighting, connected cars, smart homes.
162
What is the 'headless' nature of IoT devices?
They often lack user interfaces, making them harder to monitor and secure.
163
Why are resource constraints an IoT security issue?
IoT devices often have limited processing power, memory, and energy, making strong security hard to implement.
164
What is the challenge posed by heterogeneous protocols?
Different IoT devices use various communication protocols, making standardization and security more complex.
165
Why is dynamic communication a risk in IoT?
IoT devices often connect and disconnect dynamically, which complicates monitoring and control.
166
What is tamper resistance in IoT devices?
The ability of a device to resist physical access or modification.
167
What are the three core information security goals?
Confidentiality, Integrity, and Availability.
168
What threats correspond to each security goal?
Disclosure (Confidentiality), Alteration (Integrity), Destruction (Availability).
169
What is the impact of nation state threats?
High-level attacks for espionage, sabotage, and influence.
170
Name network-level IoT security measures.
VPNs, firewalls, intrusion prevention and detection systems (IPS/IDS).
171
What are examples of service-level security strategies?
Security-by-design, privacy-by-design, and compliance with standards.
172
What is the main concept of the Zero-Trust Model?
Never trust, always verify.
173
What does the Zero-Trust Model assume about users and devices?
They should not be trusted by default, even inside secure networks.
174
What is AI?
Artificial Intelligence – the ability of machines to mimic human intelligence.
175
How did Prof. Max Tegmark define intelligence?
The ability to accomplish complex goals.
176
What is the theoretical processing power difference between machines and biological tissue?
A factor of 10^33.
177
What is a requirement for intelligent behavior?
Not just computation, but the right computations (software).
178
What is machine learning (ML)?
A subfield of AI where computers learn from past data.
179
What does the model produce from new data?
Predictions or decisions.
180
What is classification in ML?
Mapping observations into predefined categories using labeled data.
181
Give an example of classification.
Classifying emails as spam or not spam.
182
What is regression in ML?
Predicting a numerical value based on input features.
183
Give an example of regression.
Estimating a car’s price based on model, year, mileage, etc.
184
What is clustering in ML?
Grouping observations based on similarities without labeled data.
185
What is required for supervised learning?
Labeled data.
186
What is reinforcement learning?
Learning actions through rewards to maximize outcomes.
187
What is deep learning?
An ML technique using neural networks to learn multiple abstraction levels.
188
Give two application examples of deep learning.
Speech recognition and image recognition.
189
List four current AI system examples.
Robotics, text-to-image generation, self-driving cars, conversation systems like ChatGPT.
190
What is AI ethics?
A field concerned with moral principles guiding AI behavior and impact.
191
Give an example of an ethical dilemma in AI.
Self-driving cars deciding between protecting passengers or pedestrians.
192
Why is training data in AI an ethical concern?
It may affect user privacy and introduce bias.
193
What are the two main categories of attacks on ML models?
Adversarial input attacks and data poisoning attacks.
194
What is an adversarial input attack?
Slightly modifying input features to trick ML models into incorrect classification.
195
What is a real-world example of adversarial input?
A stop sign misclassified as a speed limit sign due to added stickers.
196
What is a data poisoning attack?
Injecting malicious data into the training set to mislead the model.
197
What are the two goals of poisoning attacks?
Affect availability (useless model) or integrity (add backdoor).
198
What is the black-box problem in AI?
AI models are often too complex to understand.
199
What is the purpose of LIME?
To interpret and explain decisions made by AI models.
200
What is an Internet Security Protocol?
A framework of standards that ensures private and secure communications over IP networks using cryptographic services.