Security Engineering Flashcards

1
Q

What is one of the fundamental concepts of a security model?

A

Focus on defining interactions between subjects and objects at a particular moment in time.

2
Q

In a security model, what is a subject?

A

A subject is an active entity (users).

3
Q

In a security model, what is an object?

A

An object is a passive entity (data).

4
Q

_______ and _______ properties describe what a subject can do to an object.

A

Star and Simple

5
Q

Star [*] and Simple properties imply what?

A

Star implies “write”

Simple implies “read”

6
Q

The goal of the Bell-LaPadula security model is what?

A

Confidentiality

7
Q

The goal of the Biba security model is what?

A

Integrity

8
Q

Name some types of well-known security models?

A
  1. State Machine Model
  2. Multilevel Lattice Models
  3. Noninterference Model
  4. Matrix-based Models
  5. Information Flow Models
9
Q

Provide a simple explanation of a ‘State Machine Model’.

A

Describes a system at a point in time and describes the behaviour of a system as it moves from one state to another and from one moment to another.

10
Q

Provide a simple explanation of a ‘Multilevel Lattice Model’.

A

A multilevel security model that describes strict layers of subjects and objects and defines clear rules that allow or disallow interactions between them based on the layers they are in. For example - Secret, Confidential and Unclassified.

The clearance of the subject is compared with the classification of the data to determine access, and what the subject is trying to do is also considered to determine whether access should be allowed.

11
Q

Provide a simple explanation of ‘Matrix-based Models’.

A

Matrix-based models focus on one-to-one relationships between subjects and objects. An access control matrix is a two-dimensional table that allows for individual subjects and objects to be related to each other - subjects down the left-hand side and all resources and functions across the top.

12
Q

What type of security model are Bell-LaPadula and Biba?

A

Lattice-based Security Model

13
Q

Can you define ‘Integrity’ from the CIA triad in InfoSec?

A

In information security, data integrity means maintaining and assuring the accuracy and completeness of data over its entire life-cycle.

14
Q

Can you define ‘Availability’ from the CIA triad in InfoSec?

A

For any information system to serve its purpose, the information must be available when it is needed.

15
Q

Can you define ‘Confidentiality’ from the CIA triad in InfoSec?

A

In information security, confidentiality “is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes”

16
Q

The CIA triad of confidentiality, integrity, and availability is at the heart of information security. What other principles could be included to extend this classic trio?

A

Accountability and Non-repudiation

In law, non-repudiation implies one’s intention to fulfil their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction.

17
Q

What are the Simple and Star rules for the Bell-LaPadula model?

A
  1. Simple - No read up
    - A subject cannot read data at a higher security level.
  2. Star - No write down
    - A subject cannot write information to a lower security level
18
Q

What are the Simple and Star rules for the Biba model?

A
  1. Simple - No read down
    - A subject cannot read data at a lower security level.
  2. Star - No write up
    - A subject cannot write information to a higher security level
19
Q

What is the ISO 15288 standard?

A

The ISO/IEC 15288 is a Systems Engineering standard covering processes and lifecycle stages.

20
Q

The ISO 15288 standard defines processes divided into four categories. What are they?

A
  1. Agreement
  2. Organisational Project Enabling
  3. Technical Management and Design
  4. Enterprise
21
Q

What is the NIST SP 800-14?

A

Generally Accepted Principles and Practices for Securing Information Technology Systems.

22
Q

What is the ISO 15408?

A

The standard for ‘The Common Criteria’

23
Q

What is ‘The Common Criteria’ certification all about?

A

It is about the verification and validation of the claims that the vendor is making with regards to the security capabilities of their product.

24
Q

What is the NIST SP 800-27?

A

Engineering Principles for IT Security (A Baseline for Achieving Security).

25
Q

What are the five lifecycle planning phases in NIST SP 800-27?

A
  1. Initiation
  2. Development Acquisition
  3. Implementation
  4. Operation and Maintenance
  5. Disposal
26
Q

What is the ISO 2187:2008?

A

System Security Engineering Capability Maturity Model Standard (SSE-CMM).

27
Q

What is the difference between multitasking and multithreading?

A

Multitasking is the ability for a system to engage in more than one activity. Multithreading is a CPU's ability to process more than one request at the same time.

28
Q

Name four things the system kernel is responsible for?

A
  1. Loads and runs binary programs.
  2. Schedules task swapping
  3. Allocates memory
  4. Tracks physical location of files on the hard drive
29
Q

Can you list some security frameworks that cover security architecture?

A
  1. Zachman Framework
    - a framework that allows us to understand how to do security architecture and security design. It is an enterprise ontology and is a fundamental structure for Enterprise Architecture which provides a formal and structured way of viewing and defining an enterprise.
  2. SABSA (Sherwood Applied Business Security Architecture)
    - a framework and methodology for enterprise security architecture and service management. It was developed independently from the Zachman Framework, but has a similar structure.
  3. TOGAF (The Open Group Architecture Framework)
    - a framework for enterprise architecture that provides an approach for designing, planning, implementing, and governing an enterprise information technology architecture. TOGAF is a high-level approach to design. It is typically modelled at four levels: Business, Application, Data, and Technology. It relies heavily on modularization, standardization, and already existing, proven technologies and products.
30
Q

What is ITIL?

A

IT Infrastructure Library
- a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business.

31
Q

What are the five volumes of ITIL?

A
  1. Service Strategy: understands organizational objectives and customer needs.
  2. Service Design: turns the service strategy into a plan for delivering the business objectives.
  3. Service Transition: develops and improves capabilities for introducing new services into supported environments.
  4. Service Operation: manages services in supported environments.
  5. Continual Service Improvement: achieves incremental and large-scale improvements to services.
32
Q

Which security model is a combination of the Bell-LaPadula and Biba models but includes the idea of job functions or roles in a novel way to protect both confidentiality and integrity?

A

Lipner Model

33
Q

The Clark-Wilson Integrity Model improves on the Biba security model by addressing the three major goals of integrity. What are they and what does TLC refer to?

A
  1. Preventing unauthorised users from making modifications to data and programs.
  2. Preventing authorised users from making improper or unauthorised modifications.
  3. Maintaining internal and external consistency of data and programs.

TLC stands for…

  • Tampered
  • Logged
  • Consistency
34
Q

What does the acronym TCSEC stand for, and what is it commonly referred to?

A

Trusted Computer System Evaluation Criteria. Also commonly referred to as the “Orange Book”. This sets the basic standards for the implementation of security protections in computing systems.

35
Q

Can you list some security evaluation models?

A
  1. Information Technology Security Evaluation Criteria (ITSEC)
  2. The Common Criteria
  3. ISO/IEC 27001 and 27002 Security Standards.
  4. Control Objectives for Information and Related Technology (COBIT)
  5. Payment Card Industry Data Security Standard (PCI-DSS)
36
Q

PCI-DSS is a law specific to each country. True or False?

A

False. It is an information security standard for organizations that handle branded credit cards from the major card schemes.

37
Q

At a high level, what is the step-by-step process of identity access?

A

Identify –> Authenticate –> Authorise

38
Q

What are the two distinct access control states of the CPU?

A
  1. Supervisory state - often referred to as kernel mode.
  2. Problem state - often referred to as user mode.

39
Q

What is a state attack or race condition?

A

Attacks that take advantage of how a system is able to process or handle multiple requests.

40
Q

What is white space, or slack space, on a hard drive?

A

This is the area of the hard drive where we can store information but that is not available to the file system.

41
Q

What are the 5 essential characteristics of Cloud Computing?

A
  1. On-demand Self-service
  2. Broad Network Access
  3. Resource Pooling
  4. Rapid Elasticity
  5. Measured Service
42
Q

Do you have an understanding of what Kerckhoffs’s principle is?

A

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

43
Q

In cryptography, define what “key clustering” is?

A

Different encryption keys generate the same ciphertext from the same plaintext message.

This is bad! It could allow an attacker to find patterns that could lead to discovering one or more keys.

44
Q

Can you define “Synchronous” encryption?

A

Synchronous encryption is where the encrypt and decrypt functions are being performed immediately.

45
Q

Can you define “Asynchronous” encryption?

A

Asynchronous encryption is where the encrypt and decrypt requests are processed in queues.

46
Q

What is a “hash” function?

A

A hash function is a one-way mathematical operation that reduces a message or data file into a smaller fixed length output, or hash value.

Hashing is about providing data integrity, NOT confidentiality!

47
Q

What are digital signatures?

A

A message is input into a hash function. Then the hash value is encrypted using the private key of the sender. The result of these two steps yields a digital signature.

Digital signatures provide authentication of a sender and integrity of a sender’s message.

48
Q

What does “Moore’s Law” state?

A

Moore’s Law is the observation that the number of transistors in a dense integrated circuit doubles approximately every two years.

49
Q

What is “Symmetric” encryption?

A

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext (private key).

50
Q

What is “Asymmetric” encryption?

A

Public key cryptography, or asymmetrical cryptography, is any cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. This accomplishes two functions: authentication, which is when the public key is used to verify that a holder of the paired private key sent the message, and encryption, whereby only the holder of the paired private key can decrypt the message encrypted with the public key.

51
Q

What is a digital certificate?

A

A digital certificate is used to identify the certificate holder when conducting electronic transactions.

52
Q

What is a certificate authority (CA)?

A

A CA is an entity trusted by one or more users as an authority in a network that issues, revokes, and manages digital certificates.

53
Q

In the context of hashing, what is a collision and is this a good or bad outcome?

A

Collisions occur when a hash function generates the same output for different inputs.

Not good.

54
Q

In cryptography, what is an “initialisation vector” (IV)?

A

In cryptography, an initialization vector (IV) or starting variable (SV) is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom.

55
Q

What are the two types of encryption solutions typically used?

A
  1. Block based ciphers
  2. Stream based ciphers

56
Q

There are a number of cipher modes, but what is Electronic Code Book (ECB) cipher mode?

A

The simplest of the encryption modes is the Electronic Codebook (ECB) mode (named after conventional physical Codebooks). The message is divided into blocks, and each block is encrypted separately.

57
Q

What is the purpose of cipher modes?

A

The purpose of cipher modes is to mask patterns which exist in encrypted data.

58
Q

What is the disadvantage of the ECB cipher mode?

A

The disadvantage of the ECB cipher mode is that identical plaintext blocks are encrypted into identical ciphertext blocks; thus, it does not hide data patterns well. In some senses, it doesn’t provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.

59
Q

What is Cipher Block Chaining (CBC) mode encryption?

A

In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.

Ehrsam, Meyer, Smith and Tuchman invented the Cipher Block Chaining (CBC) mode of operation in 1976.

N.B. This method can potentially create an avalanche effect because any error in the encryption could potentially propagate all the way through the system.

60
Q

What is Cipher Feedback (CFB) mode encryption?

A

In CFB mode, the cipher is used as a key-stream generator rather than for confidentiality. Each block of keystream comes from encrypting the previous block of ciphertext.

The CFB mode, a close relative of CBC, makes a block cipher into a self-synchronizing stream cipher. Operation is very similar; in particular, CFB decryption is almost identical to CBC encryption performed in reverse.

61
Q

What is Output Feedback (OFB) mode encryption?

A

In OFB mode, the keystream is generated independently of the message.

The Output Feedback (OFB) mode makes a block cipher into a synchronous stream cipher. It generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext.

Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even when applied before encryption.

62
Q

What is Counter (CTR) mode encryption?

A

Like OFB, Counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a “counter”.

CTR uses the formula Encrypt(Base+N) as a keystream generator, where Base is the starting 64-bit number and N is a simple incrementing function.

63
Q

Other than “block” and “stream” based ciphers, what other cipher types are there?

A

Null, Substitution and Transposition ciphers.

64
Q

Is symmetric encryption typically fast or slow?

A

Answer: Fast

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption.

65
Q

Name some symmetric algorithms?

A

DES, 3DES (Triple DES), Blowfish, RC2 (2 to 6), AES (Advanced Encryption Standard)

66
Q

What are popular encryption key lengths?

A

56 (DES), 64, 128, 192, 256 bit keys

67
Q

What is Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) and where is it used?

A

CCMP is an authentication protocol and encryption solution that is used in 802.11i wireless standards.

68
Q

What is “Asymmetric” encryption?

A

Public key cryptography, or asymmetrical cryptography, is any cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. This accomplishes two functions: authentication, which is when the public key is used to verify that a holder of the paired private key sent the message, and encryption, whereby only the holder of the paired private key can decrypt the message encrypted with the public key.

69
Q

What is the major problem with asymmetric encryption?

A

A large amount of computation, and therefore time, is required to encrypt and decrypt a message compared to symmetric ciphers.

70
Q

What are the two types of secure FTP?

A
  1. SFTP (Secure FTP over SSH)
  2. FTPS (FTP over SSL/TLS)

71
Q

What is Secure Authentication Markup Language (SAML)?

A

SAML is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. Beyond what its name suggests, SAML is each of the following:

  • An XML-based markup language (for assertions etc.)
  • A set of XML-based protocol messages
  • A set of protocol message bindings
  • A set of profiles (utilizing all of the above)
72
Q

What is SAML mainly used for?

A

The single most important use case that SAML addresses is web browser single sign-on (SSO).

73
Q

What are the three primary purposes of the Public Key Infrastructure (PKI)?

A
  1. Publish public keys/certificates
  2. Certify that a key is tied to an individual or entity
  3. Provide verification of the validity of a public key
74
Q

What is the CA hierarchy of PKI?

A

A Root CA at the top and then an intermediate and subordinate CA below allows the Root CA to be isolated from the rest of the network.

75
Q

Can you think of any problems with the Public Key Infrastructure?

A
  • Compromised root CA (hacked)
  • Fraudulently issued certificate
  • Certificate revocation (CRL or OCSP)
  • Key Management, such as key backup and secure storage
76
Q

What are the different stages of the key lifecycle?

A
  1. Creation
  2. Distribution
  3. Installation
  4. Storage
  5. Renewal
  6. Secure
  7. Disposal
77
Q

What does XML stand for and what is it?

A

XML (Extensible Markup Language) is a flexible data framework that allows applications to communicate on the internet. It is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable through use of tags that can be created and defined by users.

The design goals of XML emphasize simplicity, generality, and usability across the Internet.

It is a textual data format with strong support via Unicode for different human languages. Although the design of XML focuses on documents, the language is widely used for the representation of arbitrary data structures such as those used in web services.

78
Q

What is XML Key Management Specification 2.0 (XKMS)?

A

A specification that defines protocols for distributing and registering public keys, suitable for use in conjunction with XML Digital Signatures and XML Encryption.

79
Q

What is a digital signature?

A

A digital signature is a block of data (a pattern of bits, usually a hash) that is based on the contents of the message sent.

A digital signature is a mathematical scheme for demonstrating the authenticity of digital messages or documents. A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity).

80
Q

A digital signature scheme typically consists of 3 algorithms. What are they?

A
  1. A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.
  2. A signing algorithm that, given a message and a private key, produces a signature.
  3. A signature verifying algorithm that, given the message, public key and signature, either accepts or rejects the message’s claim to authenticity.
81
Q

A hash code is the same as a message digest? True/False?

A

True

82
Q

Please list some common hashing algorithms?

A

MD5, SHA1, SHA2, SHA3, HAVAL, Tiger

83
Q

What is the primary purpose of hashing?

A

Hashing provides integrity by being unique, like a fingerprint.

84
Q

What is hashing typically used for?

A

Message Digest, Storing Passwords, Data Integrity Check, Digital Signatures, Message Authentication Code (HMAC and CBC-MAC).

85
Q

What is a Hash-based Message Authentication Code?

A

In cryptography, a keyed-hash message authentication code (HMAC) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic (symmetric) key. It may be used to simultaneously verify both the data integrity and the authentication of a message, as with any MAC.

86
Q

List the three main block ciphers?

A

DES, 3DES and AES (Advanced Encryption Standard)

87
Q

List some other block ciphers?

A

IDEA, Blowfish, RC5, RC6, Skipjack, Twofish, CAST.

88
Q

What is the block size and key size of DES (Data Encryption Standard)?

A

Block size: 64 bits

Key Size: 56 bits

89
Q

What is the block size and key size of 3DES (Data Encryption Standard)?

A

Block size: 64 bits

Key Size: variable key sizes (can use 2/3 keys)

90
Q

How many rounds of substitution and diffusion does 3DES go through?

A

3DES goes through 48 rounds of substitution and diffusion.

91
Q

What is the block size and key size of AES (Advanced Encryption Standard)?

A

Block size: 128 bits

Key size: variable key sizes (128/192/256)

92
Q

How many rounds of substitution and diffusion does AES go through?

A

AES goes through 10/12/14 rounds of substitution and diffusion.

93
Q

What algorithm does AES use?

A

Rijndael Algorithm

94
Q

Define what a cipher is?

A

A cipher is a technique or set of rules that transforms cleartext (plaintext) into an unreadable form (ciphertext or cryptogram) and back to cleartext.

95
Q

A key, or _____________, is a value used with an algorithm.

A

Cryptovariable

96
Q

In cryptography, what is a keyspace?

A

A keyspace is the number of possible key combinations.

97
Q

Can you list four asymmetric algorithms?

A
  1. Diffie-Hellman-Merkle
  2. RSA (Rivest-Shamir-Adleman)
  3. ElGamal
  4. ECC (Elliptic Curve Cryptography)

ECC is the current U.S. Government standard

98
Q

Can you describe what types of encryption are being used when using a hybrid system? Use the scenario where Bob wants to send Alice a secure message, but they are geographically distant from each other.

A

A message is sent from Bob to Alice using a symmetric cipher (which in this case is a “session key”) which encrypts the message. To decrypt, the same session key has to be used.

The challenge is getting the session key to Alice securely.

Bob uses an asymmetric cipher AND Alice’s public key to encrypt the session key. Alice then uses her private key to decrypt the session key, which she then uses to decrypt the original message.

99
Q

For the Secure Hash Algorithm (SHA), what is included in the SHA-2 family?

A

SHA-224, SHA-256, SHA-384 and SHA-512

100
Q

Which hashing algorithms have been shown to be subject to collision attacks?

A

MD5, SHA-1 and HAVAL

101
Q

What is a “salt” in the context of hashing?

A

A “salt” is a process that adds a random string to what is being hashed before the hashing process. It makes the hash value harder to crack.

102
Q

Digital signatures require two algorithms. What are they?

A
  1. Hashing Algorithm (SHA-x)
  2. Digital signature function, such as RSA or DSA (Digital Signature Algorithm)

103
Q

A message can be “hashed”, which provides for __________.

A

integrity

104
Q

A message can be “digitally signed”, which provides for __________ and __________.

A

nonrepudiation and integrity

105
Q

A message can be “encrypted”, which provides for __________.

A

confidentiality

106
Q

A message can be “encrypted” and “digitally signed”, which provides for __________.

A

confidentiality, nonrepudiation and integrity

107
Q

What is a “digital certificate”?

A

A digital certificate is an electronic “passport” that identifies a person, device, organisation, or publisher (code).

108
Q

What is x.509 v3?

A

Digital certificate standard

109
Q

What is the role of the Certificate Authority (CA)?

A

The role of the CA is to issue and revoke certificates.

110
Q

The Registration Authority (RA) is ____________.

A

Administrative

111
Q

Which type of certificate “enforces” both CRL and OCSP?

A

Extended Validation (EV) Certificates

112
Q

Information flow is vulnerable to eavesdropping and packet capture, which is a violation of ___________.

A

Confidentiality

113
Q

Information flow is vulnerable to tampering, which is a violation of ___________.

A

Integrity

114
Q

Information flow is vulnerable to spoofing and misrepresentation, which is a violation of ___________.

A

Authentication, integrity and availability.

115
Q

What is encrypted when deploying link encryption?

A

All control information (headers, trailers and routing information) is encrypted along with the payload.

116
Q

What is encrypted when deploying end-to-end encryption?

A

Only the payload is encrypted as the packets may route over a public network (internet).

117
Q

List some common cryptographic protocols?

A

SSL/TLS, HTTPS, FTPS, SSH, SFTP, S/MIME (Secure email communications)

118
Q

What is IPsec?

A

IPsec is a suite of protocols that use cryptographic security services to protect communications over the Internet Protocol (IP) networks.

119
Q

What are the characteristics of IPsec?

A
  1. Native to IPv6
  2. Supports authentication, message integrity, encryption and nonrepudiation
  3. Operates in transport mode (end-to-end) or tunnel mode (link)
120
Q

What are the different components of IPsec?

A
  1. Authentication Header (AH)
  2. Encapsulating Security Payload (ESP)
  3. Internet Key Exchange (IKE)
  4. Security Association (SA)
  5. Security Parameter Index (SPI)
121
Q

What is the function of the AH component of IPsec?

A

The Authentication Header (AH) provides integrity, origin authentication, and protects from replay attacks using HMAC.

122
Q

What is the function of the IKE component of IPsec?

A

Device Authentication and establishing Security Association.

123
Q

What is the function of the SA component of IPsec?

A

A negotiation that includes the algorithms that will be used (hashing and encryption), key length and key information.

124
Q

In Cryptanalysis, how is “workfactor” calculated?

A

time + effort = workfactor

125
Q

List some common cryptanalytic attacks?

A
  1. Ciphertext-only
  2. Known Plaintext
  3. Chosen Plaintext
  4. Chosen Ciphertext
126
Q

What are the two primary ways to attack hash functions?

A
  1. Collision (Brute force)
  2. Rainbow (Cryptanalysis - comparing hashes with precomputed hashes)

127
Q

What are the common key attacks?

A
  1. Brute Force
  2. Dictionary
  3. Frequency
  4. Differential
128
Q

What is a “frequency” key attack?

A

In a frequency key attack, an attacker is looking for patterns to reveal the key.

129
Q

What is a “differential” key attack?

A

In a differential key attack, an attacker measures execution time and processing power. The work factor for this type of attack is significant.

130
Q

With database integrity, when do concurrency issues arise?

A

When a database is simultaneously accessed by subjects and other objects.

131
Q

What are the ACID characteristics for online transaction processing (OLTP)?

OLTP is generally used when databases are clustered to provide fault tolerance and real-time performance.

A
  1. Atomicity
  2. Consistency
  3. Isolation
  4. Durability
132
Q

What does “atomicity” mean in relation to the ACID characteristics?

A

Transactions must be implemented in their entirety, or they must be completely rolled back.

133
Q

What does “isolation” mean in relation to the ACID characteristics?

A

Transactions must not interact with other transactions until completed.

134
Q

List the three transaction recovery characteristics for database availability?

A
  1. Rollback
    - operation that ends a corrupt or invalid transaction, cancels the changes to the database, and logs the error
  2. Checkpoint
    - known good point from which the database can recover using the transaction log
  3. Savepoints
    - temporary backup files
135
Q

There are confidentiality concerns with database access controls. Some are quite generic to file system access controls, such as:

  • Need-to-know
  • Least Privilege
  • Content Access Control
  • Context Access Control

But what are the two characteristics that are specific to databases?

A
  1. Cell Suppression
    - technique used to hide specific cells
  2. Database Views
    - technique used to control viewing of specific fields or records
136
Q

What are the four privacy concerns of databases?

A
  1. Data Warehousing
  2. Data Mining
  3. Aggregation
  4. Inference
137
Q

Can you define a database injection attack?

A

Injection is the failure to properly validate input from the client or environment.

138
Q

What is the origin of the “no read down, no write up” model?

a. This is the Bell-LaPadula model used to maintain integrity
b. This is the Biba model used to maintain integrity
c. This is the Biba model used to maintain confidentiality
d. This is the Bell-LaPadula model used to maintain confidentiality

A

Answer: b

This is the Biba model used to maintain integrity

139
Q

* and Simple properties describe what a subject can do to an object:

a. * = modify, simple = write
b. * = delete, simple = write
c. * = write, simple = read
d. * = read, simple = write

A

Answer: c

* = write, simple = read

140
Q

Which of the following statements is incorrect?

a. The objective of Brewer Nash is to reduce conflict of interest
b. The objective of Bell-LaPadula is confidentiality
c. The objective of Biba is confidentiality
d. The objective of Clark Wilson is availability

A

Answer: d

The objective of Clark Wilson is availability

141
Q

Which of the following is not a true statement?

a. The strength of a cryptosystem is a combination of the algorithm, the length of the key, and the public knowledge of the key.
b. Work factor is the time and effort it takes to break a cryptosystem.
c. Longer keys are harder to break.
d. Keyspace is the number of possible crypto-variable combinations.

A

Answer: a

The strength of a cryptosystem is a combination of the algorithm, the length of the key, and the public knowledge of the key.

The key should always be kept secret!!

142
Q

Which statement best describes the cryptographic objectives of substitution and transposition?

a. Secrecy and block chaining
b. Confusion and diffusion
c. Initialisation and workfactor
d. Padding and randomisation

A

Answer: b

Confusion and diffusion