Unit 1 Flashcards
A distributed Denial-of-Service (DDoS) attack hit Cloudflare, a major global CDN service provider, from June 18, 2020 to June 21, 2020. The attackers responsible sent over 754 million packets per second during the peak. If service providers do not properly protect against DDoS attacks, many websites that use CDN services will stop serving ordinary users because of exhaustion of network resources (such as bandwidth, CPU power, and so on). Which security principle does a successful DDoS attack violate?
Accountability
Availability
Integrity
Confidentiality
Availability - A successful DDoS attack will degrade the service level of victim services, making victim services unable to serve their intended users. This will lead to degraded availability of the services.
In cybersecurity, defenses can be harder than attacks. There are many possible explanations for this phenomenon. Which explanation is the most plausible?
Defenses are always more expensive than attacks.
Defenders must know more than attackers do.
Defense must protect “all links on the chain” while attackers only need to successfully attack the “weakest link.”
Defenders must first be experienced attackers themselves so that they understand attacks better.
Defense must protect “all links on the chain” while attackers only need to successfully attack the “weakest link.”
Defenses must protect all aspects where things can potentially be broken. If security is a chain, the chain will be broken if one of the links, oftentimes the weakest link, breaks. Attackers usually focus on attacking the weakest link. This is why defenses can be more difficult than attacks.
Risks are everywhere. Identifying risks, assessing their impact, and finding measures to control and maintain a level of tolerable risks are important for a company or an organization. What process best describes this procedure?
Life-cycle management
Risk management
Cost effectiveness
Access control
Risk management - Risk management is the process of identifying and analyzing risks to assess their impact, as well as proposing measures to maintain a certain level of tolerable risks.
Given a piece of software that uses an encryption algorithm with an encryption key, which scenario is an application of the security by obscurity strategy?
Keeping the encryption key secret, but releasing the encryption algorithm.
Keeping the encryption algorithm secret.
Making both the encryption algorithm and the encryption key public.
Making the encryption algorithm, the encryption key, and all clear data public.
Keeping the encryption algorithm secret.
Correct! The security by obscurity strategy secures an information system by hiding the details of security mechanisms from attackers. In this example, the encryption algorithm is a detail of the security mechanism of the software. Hiding it applies the security by obscurity strategy.
Perimeter defense refers to defense mechanisms that focus on controlling information flow between an organization’s internal trusted network and untrusted external network, such as the Internet. What is Perimeter Defense vulnerable to?
Internet threats
Insider threats
Malware threats
Outsider threats
Insider threats
Correct! Perimeter defense usually involves the use of firewalls and security access keys to defend against threats coming from the outside. In traditional perimeter defense, little or no effort is spent on protecting against attacks initiated by insiders.
What is a threat and what is a vulnerability?
A threat is a potential negative event that may affect the successful operation of a system; a vulnerability is a weakness that enables a threat.
A threat is a potential occurrence that can have an undesirable effect on a system; a vulnerability is a weakness that enables a threat.
A threat is a potential occurrence that can have an undesirable effect on a system; a vulnerability is a threat.
A threat is a potential occurrence that can have an undesirable effect on a system; a vulnerability is a potential negative event that may affect the successful operation of a system.
A threat is a potential occurrence that can have an undesirable effect on a system; a vulnerability is a weakness that enables a threat.
Correct! A threat is a potential occurrence that can have an undesirable effect on the system assets or resources. A vulnerability is a weakness that makes it possible for a threat to occur.
In information assurance, what are the categories that we use to classify common vulnerabilities?
Design, implementation, and testing
Implementation, deployment, and human
Design, testing, and deployment
Design, implementation, and deployment
Design, implementation, and deployment
Correct! In information systems, vulnerabilities can be categorized into design vulnerabilities, implementation vulnerabilities, and deployment vulnerabilities.
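    #include <stdio.h>
    #include <stdlib.h>

    int read_element(void) {
        int var = 0, buffer[50];
        scanf("%d", &var);
        int index = abs(var);  /* abs(INT_MIN) is not representable as an int and can come back negative */
        if (index < 50) {      /* upper bound only: a negative index still passes this check */
            return buffer[index];
        }
        return -1;
    }

This piece of code is vulnerable because abs() may return a negative number. What type of vulnerability is it?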
Deployment vulnerability
Design vulnerability
Implementation vulnerability
Human vulnerability
Implementation vulnerability
Correct! abs() will return a negative number in certain cases, and using the return value without checking if it is greater than zero will lead to the use of an incorrect index inside the buffer variable. This is an implementation error.
Deployment vulnerabilities may significantly reduce the level of security of a service. Which vulnerability is a deployment vulnerability?
Not filtering user input
Using weak passwords to protect the server on which the service is deployed
Lack of authentication checks in an administration web service
Incorrectly handling unexpected input values in a program
Using weak passwords to protect the server on which the service is deployed
Correct! Setting passwords with proper strength is part of the deployment process of software or a service. Using weak passwords is generally considered a deployment vulnerability.
Which vulnerability is a design vulnerability?
A public web service trusts any users whose original IP addresses are within the 192.168.0.0/16 subnet
Incorrectly handling unexpected input values in a program
Giving a calculator app on Bob’s Android phone all permissions, including the permission to access the contact book and take photos
Not filtering user input
A public web service trusts any users whose original IP addresses are within the 192.168.0.0/16 subnet
Correct! Trusting internal network users through an IP-based trust mechanism is a design vulnerability. In certain cases, the original IP addresses can be forged by providing fake HTTP header fields (such as X-Forwarded-For), which will allow an attacker to bypass IP-based trust mechanisms.
Security applies not only to information systems but also to services in real life. Hijacking and reading other people’s mail without altering its content clearly violates security principles. Which security principle does this action violate?
Accountability
Availability
Confidentiality
Integrity
Confidentiality
Some people argue that the jobs of attackers are usually easier than the jobs of defenders. Which reason can support this argument?
Defenders must defend all aspects that can potentially be attacked while attackers only need to successfully break the “weakest link.”
Defenders must first be experienced attackers themselves so that they understand attacks better.
Defenses are always more expensive than attacks.
Defenders must spend more time at work than attackers do.
Defenders must defend all aspects that can potentially be attacked while attackers only need to successfully break the “weakest link.”
Which scenario is an application of the security by obscurity strategy?
Keeping the blueprint of a prison secret
Open-sourcing the blueprint of a prison, but not allowing visitors to access the prison
Open-sourcing some portion of a blueprint of a prison
Open-sourcing the blueprint of a prison
Keeping the blueprint of a prison secret
Perimeter defense refers to defense mechanisms that focus on controlling information flow between an organization’s internal trusted network and untrusted external network, such as the Internet. Which weakness does Perimeter Defense have?
Vulnerable to outsider threats
Vulnerable to Internet threats
Vulnerable to potential failures of defense mechanisms
Vulnerable to computer viruses
Vulnerable to potential failures of defense mechanisms
In information assurance, what is a vulnerability?
A vulnerability is a potential occurrence that can have an undesirable effect on a system.
A vulnerability is a potential negative event that may affect the successful operation of a system.
A vulnerability is a weakness that enables a threat.
A vulnerability is a threat.
A vulnerability is a weakness that enables a threat.
In information assurance, what categories are common vulnerabilities organized into?
Software, hardware, and network
Design, human, and deployment
Concrete, symbolic, and mixed
Design, implementation, and deployment
Design, implementation, and deployment
Deployment vulnerabilities may significantly reduce the level of security of a service. Which vulnerability is a deployment vulnerability?
Incorrectly handling unexpected input values in a program
Lack of authentication checks in an administration web service
Making a file with users’ unencrypted passwords publicly accessible
A program uses a user’s input directly as a shell command without filtering the input
Making a file with users’ unencrypted passwords publicly accessible
Which vulnerability is a design vulnerability?
A web application allows attackers to read arbitrary data out of its database due to lack of input sanitization.
An SMB server trusts any users whose original IP addresses are within the 172.16.0.0/16 subnet.
Assigning an alarm clock app on Alice’s Android phone all permissions, including the permission to read from the contact book and take photos.
A program crashes when the user uses non-English characters as their username.
An SMB server trusts any users whose original IP addresses are within the 172.16.0.0/16 subnet.