CIS4361 Final Exam

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

An access matrix is implemented by decomposition in 2 ways:

1. Access Control Lists Decomposed by columns For each object, list users and permitted access rights 2. Capability Tickets Decomposed by rows Specify authorized objects and operations for particular user

List several security concerns associated with writing safe program code.

> Correct Algorithm Implementation > Ensuring that machine language corresponds to the algorithm > Correct interpretation of data values > Correct use of memory > Prevent race conditions with shared memory

What are some security concerns with virtualized systems?

> Guest OS isolation

Virtualization

A technology that provides abstraction of the computing resources used by some software, which runs in a simulated environment called a virtual machine (VM)

Injection Attack

A wide variety of program flaws related to invalid handling of input data. Program input data can accidentally influence the flow of execution of a program 3 different types: Command Injection SQL Injection Code Injection

.............................is the granting of a right or permission to a system entity to access a system resource. This function determines who is trusted for a given purpose. A.) Authorization B.) Authentication C.) Audit

A.) Authorization

Additional security controls that may be used to secure the base operating system?

Anti-virus software - Computer software used to avoid, catch, and eliminate malicious software Host-based firewalls - Software bundle used to protect an individual host IDS or IPS software - Intrusion Prevention System(IPS) is capable of detecting or blocking the traffic by discarding the packet. Intrusion Detection System(IDS) uses types of algorithms to block traffic. Application white-listing - Limits programs in an explicit list on the system

Password Guessing Against a Single User

Attacker attempts to gain knowledge about account holder and system password policies and uses knowledge to guess password

Specific Account Attack

Attacker targets specific account and submits password guesses until correct

Software Security

Attacker targets specific bugs that result in failure that can be exploited by attacker

Workstation Hijacking

Attacker waits until logged-in workstation is unattended

Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions. A.) MAC B.) RBAC C.) ABAC D.) DAC

C.) ABAC

Offline Dictionary Attack

Compare password hash against commonly used password hashes

Software Quality and Reliability

Concerned with the accidental failure of a program as a result of some theoretically random or unanticipated input, system interaction, or use of incorrect code

Where is application and service configuration information stored on Unix and Linux systems?

Configuration of applications and services is most generally applied using "separate text files". Applications and services configuration information are generally situated in either of the following: /etc directory Installation tree

Mandatory Access Control (MAC)

Controls access based on comparing security labels (how sensitive system resources are) with security clearances (which system entities are able to access certain resources)

Discretionary Access Control (DAC)

Controls access based on identity of the requestor & based on access rules stating what requestors are/aren't allowed to do

Role-Based Access Control (RBAC)

Controls access based on the roles users have & based on rules stating what accesses are allowed to users in given roles

What is the difference between "dictionary attacks" and "rainbow table attacks"?

Dictionary attacks are attacks in which the attacker tries each word and then tries obvious variants. These come from a large dictionary against hash in password files. Where as, rainbow table attacks are precomputed tables of hash values for the salts.

Exploiting Multiple Password Use

Different network devices share the same or similar password for a given user

List the main components of ICAM model.

Digital Identities Credentials Access Control

What type of access control model do UNIX and Linus systems implement?

Discretionary Access Control (DAC)

List different access control policies.

Discretionary access control (DAC) Mandatory access control (MAC) Role-based access control (RBAC) Attribute-based access control (ABAC)

Why is keeping all software as up to date as possible so important?

Due to the continuing discovery of software and vulnerabilities for commonly used operating system applications.

In the context of biometric user authentication define: Enrollment - Verification - Identification -

Enrollment - Each individual who's to be included in database of authorized users, must first be enrolled in the system Verification - User enters a PIN and also uses a biometric sensor Identification - Individual uses biometric sensor and no additional information

(T or F) In MAC, users can override security policy.

FALSE

Smart Card

Has a microprocessor, different types of memory, I/O ports, etc. May also have a crypto co-processor and an embedded antenna

2 common techniques for selecting or assigning passwords

Hashed Password with a Salt Value - Salt stored in plaintext with hash form (salt + password) Password File Access Control - Hashed passwords are kept in a separate file from user IDs called "shadow password file" (only privileged users have access to this)

Identify several issues associated with the correct creation and use of a lock file.

If a program chooses to ignore the existence of the lock file and access the resource, the system will not prevent this. Implementation must be precise, or a race condition will occur. Correct implementation is to always attempt to create the lock file (atomic operation).

Electronic Monitoring

If password is communicated over a network to log on a remote host, it is vulnerable to eavesdropping

Cross-site Scripting (XSS) Attack

Include a script code in the HTML content of a Web Page. Script code may need to access data associated with other pages currently displayed in browser. Attempt to exploit this feature and try to bypass the browser's security checks to gain elevated access privileges to sensitive data belonging to another site.

Command Injection

Input used in construction of a command that is then executed by the system with the privileges of the program

False Match Rate

Measures the percent of invalid inputs that are incorrectly accepted *Note that a decrease in false match rate necessarily results in increase in false non-match rate, vice versa

False Non-Match Rate

Measures the percent of valid inputs that are incorrectly rejected *Note that a decrease in false match rate necessarily results in increase in false non-match rate, vice versa

3 types of role hierarchy constraints

Mutually Exclusive Roles - A user can only be assigned to 1 role in set Cardinality - Max number with respect to roles. Set max number of users that can be assigned to a role Prerequisite Roles - A user can only be assigned to a particular role if it is already assigned to some other specified role

Race condition

Occurs when multiple processes and threads compete to gain uncontrolled access to some resource. Without suitable synchronization of accesses, it is possible that values may be corrupted or changes lost.

Principle Threats to the Secrecy of Passwords

Offline Dictionary Attack Specific Account Attack Popular Password Attack Password Guessing Against a Single User Workstation Hijacking Exploiting User Mistakes Exploiting Multiple Password Use Electronic Monitoring

Advantage of Challenge-Response Authentication over Password-Based Authentication

Only the hashes of the password are stored Do not have to be transmitted directly, so it cannot be captured during transmission

3 classes in an Access Control System

Owner - Creator of a resource (file) Group - In addition to owner privileges, a group of users may also have granted access rights World - Least amount of access rights. Users that are able to access the system but NOT included in owner/group classes

Principle of Least Privilege

Programs should execute with the least amount of privileges needed to complete their function.

Pros and Cons of automates patching

Pros Minimize the time any system is vulnerable to weaknesses Cons On rare but significant occasion, introduce instability

What effect do set user and set group permissions have when executing files on UNIX and Linux systems?

Provide more flexibility by specifying permissions

Protection Domain

Sets of objects with access rights to those objects In access matrix, this is a row

State the problem that can occur with input validation when the Unicode character set is used.

Some characters have multiple encoding. For example '/'. To prevent an absolute path name, ensure that the supplied filename does not start with /. If the check only assumes the shortest UTF-8 encoding of /, the attacker using one of the longer encoding can avoid the check.

Memory Card

Stores but does not process data

In the context of Access Control define: Subject - Object -

Subject - Entity capable of accessing objects Objects - Resource used to contain information

Reactive Password Checking

System periodically runs its own password cracker and cancels any passwords that were guessed and notifies user

(T or F) ACLs are not convenient for determining the access rights available to a specific user.

TRUE

(T or F) In ABAC, the root of trust is derived from many sources of which the object owner has no control.

TRUE

Identify several issues associated with the correct creation and use of a temporary file in a shared directory.

The temporary file must not be accessed by another process. An attacker could guess he name of the file and create it in between that time and the time the program checks if it already exists. The program can be redirected and would then overwrite the existing file. The use of secure system calls to avoid race conditions.

Access Right

The way in which a subject may access an object (read, write, execute, delete, create, search)

What is the point of removing unnecessary services, applications, and protocols?

This is security hardening, and security is improved. If fewer software packages are available to run, then the risk is reduced.

Main technique used by a defensive programmer to validate assumptions about program input.

Use of regular expressions to describe allowable input variables. Input that does not match, is rejected.

Popular Password Attack

Use popular password and try against a wide variety of user IDs

4 types of entities in a base model RBAC system

User - An individual that has access to system --> user ID Role - A named job function Permission - An approval of a mode of access to one or more objects Session - A mapping between user and an activated subset of the set of rules to which the user is assigned

4 common techniques for selecting or assigning passwords

User Education Computer-Generated Passwords Reactive Password Checking Proactive Password Checking

Proactive Password Checking

User chooses his password based on rules given by system. Balance between acceptability and strength

Exploiting User Mistakes

User is likely to write password down, attacker can exploit this mistake and steal the password

Challenge-Response Protocol

User sends identity Host responds with random number (R) User computes F(R, h(P)) and sends back Host compares value from user with own computed value If they match, the user is authenticated

SQL Injection

User-supplied input is used to construct a SQL request to retrieve information from a database

What is the difference between verification and identification?

Verification is establishing how valid the claim is. Where as, identification is when the user provides an existing identity to the system.

What is the main host firewall program used on Linux systems?

iptables

Sort the biometric authentication methods with respect to accuracy. (low accuracy to high accuracy) ☐ Voice, Retina, Iris ☐ Face, Iris, Finger ☐ Retina, Iris, Finger ☐ Hand, Fingerprint, Iris

☑ Voice, Retina, Iris ☐ Face, Iris, Finger ☐ Retina, Iris, Finger ☑ Hand, Fingerprint, Iris


Kaugnay na mga set ng pag-aaral

Lesson 2 - The Rights and Obligations of Citizenship

View Set

12 - Security Solutions for Cloud and Automation

View Set

Financial Management Exam 2 Whitledge

View Set

Unit 7 - Atmospheric Pollution Test

View Set

Back + Spinal Cord - MCQ Questions

View Set

Biomatek összes tesztkérdés 2022 - válaszlehetőségekkel

View Set

gov CH 6: Interest Groups and Lobbying

View Set