Web-based Architecture Risk Flashcards
What do Rich Internet Applications (RIAs) typically provide?
Desktop-like services through a web application.
In RIAs, where does the user interface usually run?
On the client side, often within a web browser sandbox.
Where does data processing and storage typically occur in RIAs?
Back on the server side.
What is a primary benefit of client-side processing/validation?
It can provide immediate feedback and error correction without sending invalid data to the server first.
What is the main security drawback of client-side validation?
Anything done on the client side can be changed or bypassed by the client (e.g., using proxies); client input cannot be trusted.
What is the purpose of a sandbox in web applications?
To provide isolation and separation, controlling what code can do and restricting access outside the designated area.
What technology is often used as the basis for sandboxing?
Virtualization.
What is Remote Code Execution (RCE)?
An attack where hackers gain the ability to run their own (arbitrary) code on a remote machine.
What privilege level does remotely executed code often inherit initially?
The same privilege level as the user running the compromised process on the machine (often admin level).
Why is the “always-on” nature of devices a security concern?
Continuous connectivity makes them a constant target for attacks.
What types of devices often lack built-in security and become botnet targets?
IoT devices and IP cameras.
What is pervasive or ubiquitous computing?
The embedding of computing technologies into everyday objects and environments.
What major risk area is created by pervasive computing?
The Internet of Things (IoT).
Why are many IoT devices considered risky?
They were often built for function without security considerations and are network-connected, providing attack vectors.
What are SCADA and ICS primarily used for?
Managing industrial processes, infrastructure (like traffic), and building management systems.
What are key security risks associated with SCADA/ICS systems?
They are often built without security, are difficult to patch, contain known vulnerabilities, and lack rigorous testing.
What real-world breach originated from a building management (air conditioning) system?
The breach of a very large US retailer.
What risk arises from connecting IoT or ICS devices directly to production networks?
Lack of separation means vulnerabilities in these devices can directly expose critical business networks.
What examples illustrate risks in connected medical devices or vehicles?
A medical device rebooting during surgery due to a patch; a car restarting while driving due to an update.
What are the main security concerns for wireless communications (like 802.11)?
Interception (confidentiality loss), modification (integrity loss), and jamming (availability loss).
What is mobile code in this context?
Code designed to be executed on a remote system, often via a browser or document.
What is “active content”?
Mobile code that can execute automatically on a user’s system, often without direct user interaction.
What common carriers of mobile code are mentioned?
PDFs, Java applets, ActiveX controls, macros in word processor files, Flash/Shockwave files.
What NIST publication addresses mobile code risks?
SP 800-28 Rev 2.
What must software designers be aware of regarding architectural approaches?
Each approach has its own associated vulnerabilities that need to be understood and addressed.