Security

Question 1

What are some methods of authentication

Answer 1

-Something you know(Password)
-Something you are(Biometrics)
-Something you have(keycard)
-Context location(e.g current location)

Question 2

Passwords are widely used but hard to remember - good passwords should be long and random. What should good systems do in regards to passwords?

Answer 2

They should:
-Allow passwords to be an arbitrary length
-Store passwords hashed and salted

Question 3

What should good two factor authentication do?

Answer 3

Should combine the known and the unknown
E.g password and generated key sent via email

Question 4

Why is Biometric security not that useful upon further inspection

Answer 4

• Once data is leaked Biometrics are useless
• No longer all that hard to replicate Biometrics

Question 5

Access control models are created to ensure only certain users have access to certain features, what is an example of a simple request.

Answer 5

AC = subject x object x request
E.g (Will, Ecm_2426_Exam, set)
where Subject is the set of users of a system, Object is the set of resources (to which access should be controlled), and Request is the set of possible actions
(e.g., read, write) a user might want to apply to a resource

Question 6

How can roles be applied to an access control module to help reduce the stress of large systems

Answer 6

Roles can be created, each having different permissions that allows them to do different tasks. Roles can then be applied to users who inherit their permissions, this means each user no longer needs a long list of their allowed permissions

Question 7

What are the fundamental goals of information security

Answer 7

Confidentiality: Protecting information from disclosure to unauthorized parties.
Integrity: Protecting information from being modified by unauthorized parties.
Availability: Ensuring that information is available (accessible) to authorized parties.
(CIA triad)

Question 8

Why is the CIA triad hard to implement in actuality?

Answer 8

A system that is very secure, preventing all access to stored information, might not have a good availability.

Question 9

Define identification

Answer 9

Associating an identity with a subject

Question 10

Define Authentication

Answer 10

Verifying the validity of something (usually the identity claimed by a system entity).

Question 11

Define Authorization

Answer 11

Granting (or denying) the right or permission of a system entity
to access an object

Question 12

Define Access control

Answer 12

Controlling access of system entities (on behalf of subjects) Access to objects based on an access control policy (“security policy”)

Question 13

Name some potential issues with using passwords

Answer 13

-It can be hard to keep them secret when attackers are using social engineering attacks
-Users may choose passwords that are weak and easy to remember over secure passwords

Question 14

Define a policy enforcement point(PEP)

Answer 14

The enforcement of access control happens in each layer in a component called policy enforcement point policy enforcement (PEP). For deciding if a specific request should be granted or not, the PEP contacts a (central) policy decision point (PDP) that manages and evaluates the access control policy of the system.

Question 15

What is a Policy decision point (PDP)

Answer 15

manages and evaluates the access policy decision point (PDP) control policy of the system

Question 16

What does an access control policy define?

Answer 16

An Access control policy defines access control policy
what is allowed (or forbidden) in a system, it is similar to a set of rules or laws

Question 17

How does the Access control matrix work

Answer 17

The access control matrix is based on the idea of privileges of subjects on objects.
Examples for subjects, objects, and privileges are:
Subjects: users, processes, agents, groups, …
Objects: data, memory banks, other processes, files, …
Privileges: right to read, write, modify, …

Question 18

How can a security policy that uses an access control matrix be described

Answer 18

As a table, there is a column for each file and a row for each user. The table describes the permissions that the user has and the operations they can perform on this file. However this isn’t feasible for large systems as it will grow quadratically

Question 19

In Role Based Access Control(RBAC) we have this equation, what does it mean.
AC := PA ◦ UA

Answer 19

ROLES is the set of roles,
USERS is the set of users (subjects),
UA ⊂ USER × ROLES is a relation mapping users to their roles, and
PA ⊂ ROLES × PERMSSON is a relation mapping roles to their permissions.

Question 20

How can i add hierarchies to RBAC?

Answer 20

To define hierarchic RBAC, we introduce a relation RH ⊂ ROLES × ROLES that defines the role hierarchy
For example RH {(lecturer, student), (demonstrator, student)}
-Demonstrator and lecturer will assume all the permissions of students

Question 21

Define data classification in access control

Answer 21

Instead of grouping objects we group subjects with permissions

Question 22

What does Break-Glass access control mean

Answer 22

That access control can be overridden if needed

Question 23

What is Discretionary access control

Answer 23

Discretionary access control (DAC): owners can chance permissions
- for example Unix/Linux file system

Question 24

What is usage control

Answer 24

Usage control is controlling how documents are used, not who can use them. E.g you can read a book but not forward it or you are allowed to watch a movie only three times a week

Question 25

How can access/usage control be overridden

Answer 25

Denied access can be overridden by a user, accepting liability that their actions can be logged. Often referred to as break glass access control

Question 26

Refined vs course break-glass access Control

Answer 26

Refined has a greater integration of break-glass into
various access control models by using pre-defined emergency levels that can be activated or de-activated

Question 27

Define Cryptography, Steganography and Cryptanalysis

Answer 27

Cryptography: the science of secret writing,i.e., cryptographers design messages that can only be read by certain people knowing a secret. The encrypted message does not need to be kept secret.

Steganography: the science of hiding messages in other messages or images, e.g., one can hide a message by encoding its content in the least significant bits of an image. Steganography is different from cryptography.

Cryptanalysis: the science of analyzing a cryptographic system to break/circumvent its protection

Question 28

What does Cryptography allow us to establish communication channels with?

Answer 28

Confidentiality, integrity, and authenticity even in the presence of an attacker

Question 29

Define Asymmetric encryption and why it works

Answer 29

Key1 != Key2
(cannot be easily derived from each other)
The public key (Key1) can be published without compromising the private key (Key2)
Without the knowledge of the necessary key, the (decryption)
operation should be computationally (very) hard

Question 30

Define a Ceaser cipher

Answer 30

Each plaintext character is replaced by the character
three to the right modulo 26

Question 31

Why are substitution cipers easily cracked?

Answer 31

Due to frequency analysis of letters

Question 32

How can subsitiution cipers be improved?

Answer 32

By adding multiple symbols/ letters for each letter in the plaintext, this is called a homophonic Substitution Cipher

Question 33

What is a polyalphabetic Substitution Ciper?

Answer 33

Another idea to make frequency analysis harder, is to conceal distribution using a family of mappings

Question 34

What is a one-time-pad and one advantage of using one

Answer 34

Where a plaintext is converted to binary and then encrypted with a binary string via XOR.
If the one time pad key is only used once it is unconditionally unbreakable

Question 35

Why are one-time-pads(Vernam Cipher) unreusable?

Answer 35

They can be attacked using a frequency analysis

Question 36

Can frequency analysis be used on a transposition ciper?

Answer 36

Yes as transpositions r do not change plaintext alphabet and, hence, the frequencies of the elements of the plaintext alphabet

Question 37

Can we create a better cipher by using two substitution and transpositon ciphers?

Answer 37

combining two substitution ciphers does not result in a better cipher. Similarly, combining two transposition are really only one transposition. However combining substitution and transposition ciphers does create a better ciper

Question 38

Why are ciphers often developed in the public

Answer 38

So cryptoanalysts can attempt to break them and provide feedback, additionally to ensure that there are no secret backdoors involved

Question 39

What are the steps required to encrypt something in RSA

Answer 39

Generate a public/private key pair:
1. Generate two large distinct primes p and q.
2. Compute n = pq and φ = (p − 1)(q − 1).
3. Select an e, 1 < e < φ, relatively prime to φ.
4. Compute the unique integer d, 1 < d < φ where ed mod φ = 1.
5. Return public key (n, e) and private key d.

Encryption with key (n, e).
1. Represent the message as an integer m ∈ {0, . . . , n − 1}.
2. Compute c = me mod n.

Decryption with key d: compute m = c
d mod n

Question 40

Define modification detection code

Answer 40

Allows to check if a message has been altered during sending, the receiver can compute the hash of the message and compare it with the code given by the sender. This only works assuming the hash is hard to forge

Question 41

A hash function is a cryptographic hash function if it is:

Answer 41

-One-way(pre image resistant) Given y, it is hard to compute an x where h(x) = y.

And usually either
2nd-preimage resistance It is computationally infeasible to find a second input that has the same output as any specified input, i.e., given x to find an x^1 != x such that h(x) = h(x^1).
Collision resistance (implies 2nd-preimage resistance) It is difficult to find two distinct inputs x, x^1 where h(x) = h(x^1).

Question 42

What is a Ciphertext only attack and what are some techniques used?

Answer 42

An attack in which the attacker has only access to the
ciphertext and tries to gain access to the plaintext. Techniques for mounting a ciphertext only attack include brute force attacks (i.e., testing of all possible combinations) or frequency analysis (e.g., used on character or word frequencies).

Question 43

What is a known plaintext attack and what are some methods used??

Answer 43

A known plaintext attack (PKA) is an attack in which the attacker has access to attack (PKA) a plain text (could be a part of a message) and
the cipher text of the plain text (or a message containing the plain text and tries to get access to the encryption key. Modern ciphers are not susceptible to KPA

Question 44

What is a random number generator attack?

Answer 44

Works on the premise that numbers that are randomly generated are not totally random and instead based on physical sources of entropy. Meaning it’s possible to reduce the level of computation needed to derive the key

Question 45

What are some reasons not to invent own cryptographic algorithms

Answer 45

-complicated maths
-must be fast and efficient
-depends on subtle assumptions

Question 46

What is cipher block chaining?

Answer 46

Making the encryption of each block dependent on the value of the previously encrypted block

Question 47

What does the phrase it’s hard to make collisions mean in cryptographic hashing?

Answer 47

It’s difficult to find two inputs that create the same has value, the security of the hash function is measured by how hard it is to create collisions

Question 48

What does a digital signature schema need to provide?

Answer 48

Signing procedure:: A creates a signature for m ∈ M by: Compute s = SA(m) and transmit pair (m, s).
Verification procedure: B verifies A’s signature of (m, s) by: Compute u = VA(m, s). Accept signature only if u = true.

Question 49

A Public Key Infrastructure (PKI) is an infrastructure that allows principals to recoginize which public key belongs to whom, what does a user need to join the PKI

Answer 49

The user needs to:
-have their own public/private key pair
-Take their public key to a certification authority and bind the public key to themselves
-The CA verifies the user is who they say and signs a certificate that says that their public key is valid
then:
any other user can check the certificate to obtain the original users public key

Question 50

Describe how the homomorphic property can be used to exploit RSA

Answer 50

The product of two cipertexts is equivalent to the encryption of the product of the corresponding plaintexts

Question 51

What is a simple case where an SQL injection can be used?

Answer 51

The addition of ‘ OR 1 = 1 - in the username field with a blank password to bypass the password check
If the site would constructs a query like “SELECT token FROM users WHERE user = ‘“+user+”’ AND password = ‘“+pass””’”
The resulting string would be
SELECT token FROM users WHERE user = ‘bob’ AND password = “ OR 1=1 -‘

Question 52

What are the stages in the Secure Software development lifecycle

Answer 52

Preparation
Development
Security testing
Transition
Ulitization

Question 53

In the SSDL what is the preparation phase?

Answer 53

Trainings for developers and managers need to raise
awareness for the security implications of using third party software during product development. Scurity implications of using third party software during product development. During Risk Identification, the development teams, together with the local security experts, organize, e. g., threat modeling workshops. During the risk and threat identification, the application specific risks of the third party components and their attack surface needs to be identified.

Question 54

In the SSDL what is the Development phase?

Answer 54

Includes a security testing strategy that ensures security measures are implemented correctly.
This stage is the actual development of software components that should take security into consideration right from the beginning. This includes defensive programming techniques as well as measures for secure consumption of 3rd part libraries

Question 55

In the SSDL what is the Security testing phase?

Answer 55

Executes the security testing plan and the results are documented in a security testing report. Will cover the whole product incuding 3rd party components.

Question 56

In the SSDL what is the Transition phase?

Answer 56

Security validation team acts like the first customer and executes a security analysis and test of the final product. This could include an architectural security analysis, code reviews or penetration tests. All security issues must be fixed

Question 57

In the SSDL what is the Utilisation phase?

Answer 57

The Security response team handles communication with customers and external security and ensures the dev and maintenance team fix all reported issues

Question 58

What does a CVE(common Vulnerabilities and Exposures) entry contain?

Answer 58

textual description of the vulnerability
description of the affected software and version
type of vulnerability (CWE)
patch/fix instructions (if available)
availability of an exploit (a proof of concept that shows how to make use of a vulnerability)
standardized risk assessment: CommonVulnerability Scoring System (CVSS)

Question 59

What is the Common Vulnerability Scoring System?

Answer 59

Industry standard for rating the severity of software vulnerabilities. Focuses on three areas of concern:
-Base Score Metrics: assessing exploitability and impact
-Temporal Score Metric: assessing current status (may change over time)
-Environmental Score Metrics: assesses the environment of the vulnerable system

Question 60

What is a case where an XML injection can be used

Answer 60

I’m not sure when tho icl

alert(document.cookie)

in the title of the message box

Question 61

What are the scores in the Common Vulnerability Scoring system?(scored from 0 -10 )

Answer 61

Access Vector - shows how vulnerability may be exploited
Attack Complexity - how easy it is to exploit a vulnerability
Privileges required - how many layers of authentication an attacker must pass
User interaction - : Is an action by a user different than the attacker required
Scope (S): Can the vulnerability impact other components or systems
Confidentiality (C): impact on the confidentiality of the processed data
Integrity (I): impact on the integrity of the system
Availability (A): impact on the availability of the system

Question 62

What is the difference between static and dynamic security testing?

Answer 62

Static security testing testing is done automatically via a program while dynamic is done manually using tools.
static is typically conducted during early stages of development while dynamic is later
Static can cover the entire codebase as it analyses the source ode while dynamic only covers behaviour during runtime

Question 63

Define the halting problem

Answer 63

states that we cannot build
a computer program that takes an arbitrary computer program as input and decides, if that program terminates for a given input or not.

Question 64

What is an issue with too many false positives in security testing tools?

Answer 64

“The boy who cried wolf problem”
-Developers can be overwhelmed with too many false positives, making it challenging to prioritize issues
-Loss of trust in tool accuracy
-Failure to prioritise real threats
Increased costs

Question 65

What is an issue with not enough false positives in security testing tools?

Answer 65

-Actual vulnerabilities can go undetected
-Incomplete security coverage
-There is a potential that vulnerabilities could be exploited

Question 66

What is mutation based fuzzing and what’s some advantages

Answer 66

Mutate existing data samples to create test data
Advantages:
easy to setup and automate
requires little to no knowledge of the input format/protocol
Disadvantages:
effectiveness limited by selection of initial data set
has problems with file formats/protocols that require valid checksums

Question 67

What are some problems with dynamic security testing tools?

Answer 67

Dynamic test require a (dedicated) test system (it can take weeks or even month to get one …)
Dynamic test need to parse the output of the system under test (again, a parsing problem)
Dynamic tests need to generate input for various frameworks, which are often less standardised as programming languages (e.g., XML, REST, ODATA,
generating good test cases is hard

Question 68

What is stride modelling

Answer 68

STRIDE:
Spoofing Identity
Tampering with Data
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

Question 69

What is the definition of the things in stride modelling
STRIDE:
Spoofing Identity
Tampering with Data
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

Answer 69

Definition 13.2.1 (Spoofing Identity). An example of identity spoofing is illegally accessing and then using another user’s authentication information, such as username and password. „
Definition 13.2.2 (Tampering with Data). Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data,
such as that held in a database. „
Definition 13.2.3 (Repudiation). Repudiation threats are associated with users who
deny performing an action without other parties having anyway to prove otherwise.
„
Definition 13.2.4 (Information Disclosure). Information disclosure threats involve
the exposure of information to individuals who are not supposed to have access to
it. „
Definition 13.2.5 (Denial of Service). Denial of service (DoS) attacks deny service
to valid users—for example, by making a Web server temporarily unavailable or
unusable. „
Definition 13.2.6 (Elevation of Privilege). In this type of threat, an unprivileged user
gains privileged access and thereby has sufficient access to compromise or destroy the entire system.

Question 70

What does DREAD stand for?

Answer 70

Damage: How big would the damage be if the attack succeeded?
Reproducibility: How easy is it to reproduce an attack?
Exploitability: How much time, effort, and expertise is needed to exploit the threat?
Affected Users: If a threat were exploited, what percentage of users would be affected?
Discoverability: How easy is it for an attacker to discover this threat?

Question 71

What are some things we need for threat modelling?

Answer 71

-Knowledge of how data flows
-attackers goals
-how to defeat an attack, e.g. planned security techniques
- team of experts
-a structured process so no aspects get forgotten

The result of threat modelling should be a list of identified threats with the severity, description, catagory, likelihood and a mitigation strategy

Question 72

Define full disclosure

Answer 72

Publish vulnerabilities to the public immediately
-creates pressures on vendors to fix the vulnerabilities immediately

Question 73

Define Responsible Disclosure

Answer 73

Publishing vulnerabilities after a mitigation period to the public.
Creates pressures on vendors to react within mitigation period typical mitigation period: 90 days (might be negotiated, case by case, with vendor)
Allows vendors to distribute patches to their customers “in private”
If they fail to react, vulnerability is published without restrictions

Question 74

Advantages of bug bounties

Answer 74

Guides researchers to look for vulnerabilites and rewards them