Computer Security
How can we carry out intrusion detection in terms of physical security
- Electromechanical (broken circuit) - Photoelectric (broken lightbeam) - Passive infrared (increased heat) - Acoustic (increased sound) - Proximity (perturbed magnetic field)
How would you use attack reaction to stop DoS attacks. Why is this normally ineffective
- Eliminate or curtail the effects of the attack after the attack - Blacklist all of thew ips that were involved in the attack - This is unreliable because bot nets always change computers - Also a computer may be removed from a bot net and then the legitimate user of this IP would be unable to access your network
How can media be disposed of. List in order of strength, worst to best
- Erased: media file system deleted - Cleared: media file is overwritten - Purged: media is repeatedly overwritten - Degaussed: media is magnetically scrambled - Destroyed: media is physically wrecked
What is the design principle of complete mediation
- Every access to a resource must be checked by the access control mechanism - Systems should not rely on access decisions retrieved from the cache - This reduces the chance of any back-channels into files being found and abused
What are 3 elements of external security
- Fences - Lighting - Patrols
What is the principle of open design
- The design of security systems should be open rather than secret - So everyone can see and spot vulnerabilities, leading to a more secure system overall
What is the design principle of modularity
- The goal is to provide common security mechanisms for all security services and functions as modules. - This makes security services easy to update and iterate on without requiring a whole systems redesign
What is the difference between low and high interaction honeypots
A low interaction honeypot provides an instrumented simulation of an operating system and applications A high interaction honeypot provides an instrumented fully functional operating system and applications
What should you consider when designing a application
- Practise defence in depth - Fail securely - Principle of least privilege - Compartmentalise - Keep it simple - Promote privacy - Hiding secrets is hard - Be reluctant to trust - Use community resources
What is meant by Confidentiality in the CIA triad
- Preserving authorised restrictions on information access and disclosure, including protecting personal privacy and proprietary information
What parts of the CIA triad does the internet adhere to
Integrity, Availability but not confidentiality
How do we model legitimate behaviour using knowledge-based classification
Introducing a set of rules that model legitimate behaviour. Usually developed during the training phase of the intrustion detection system. These are manually programmed
How does a worm prevent being detected by anti-virus software during reconnaissance
It can scan more slowly at random intervals It can also scan ports in a random order
What is Spyware
It collects and steals data then silently sends it home via the network
How does a metamorphic conceal itself
It compresses and mutates the entire virus whilst changing its functionality
What is discretionary access control (DAC)
It controls access based on the identity of the subject and on rules stating what subjects are allowed to access what objects. One subject can be given permission to control the access of another
What is Role-Based Access Control (RBAC)
It controls access based on the roles that sujects have and rules governing what roles can access what objects
What is access control
It controls the access of subjects to objects
What is the purpose of a fence
It delays the intruder, a well maintained fence indicates the attitude to security
What is virtual memory paging
It divides process memory maps into same-sized pages, and loads some of them into same-sized frames
What is a patent
It gives an inventor exclusive rights to use an invention for a period of 20 years A patent isn't supposed to be obvious to someone skilled in the area
What is a rootkit
It hides a component that performs malicious act. Subverting operating system components that might be used to find it by hiding in the OS or other software
What is the record layer in TLS
It takes blocks from an upper layer protocl such as the handshake or application layer. Then fragments these blocks into records, and then encrypts these according to the current cryptographic parameters
Should a hardened OS by open source do ensure it is well understood
Open source is not favoured over closed source as even if you can see the source code this often doesn't aid in understanding the OS.
How is a computer system normally found out of the box
It will have a default collection of software installed and services running. The system will be designed normally to maximise ease of use and functionality rather than security
What are the downsides of a low interaction honeypot
It will only catch hackers during the early stages of their attacks. As they will soon realise that the system is a decoy. So you won't detain them as long or collect as much information about their full intentions
Give examples of hashing algorithms
Messsage Digest 5 (MD5) (insecure and should no longer be used) Secure Hash Function (SHA) (This has many different versions with greater sized hashes for greater and greater security)
How should an organisation handle back-ups
Programs and data should be backed-up, the integrity of these backups should be regularly checked You should try to restore your system from a back-up to check your backups are being successfully taken
What are the pros and cons of ABAC
Pros - Changing the status of an object or subject immediately changes permissions and can be done quickly and easily - This is the only system that allows environmental conditions to be taken into account Cons - It can be hard to understand and manage. - The system is likely to become very large and cumbersome
What are the pros and cons of MAC
Pros - Easily understood and managed Cons - It is rigid and inflexible
What are the Pros and Cons of DAC
Pros - It can be done very efficiently as many subjects mange the access of their own files Disadvantages - Subjects may not correctly define the access control for their files leading to security breaches
What are the pros and cons of RBAC
Pros - Readily supports the separation of subject duties Cons - Role explosion is needed to capture the changing complexities of an organisation. So if 1 role splits into 2 sub-roles this can be very arduous to manage
How would you use attack prevention and pre-emption to stop a DoS attack
Provide backup resources that are available on demand before the attack so that your network will have more bandwidth than the attacker can take up with their attack
How does the internet design adhere to availability
Provided by routers routing around issues on the network and always making information available
What is a detailed Risk analysis approach
Provides a formal qualitative/quantitative risk assessment carried out by internal experts or external consultants
What is a combined approach, why is this used
Provides a steadily improving risk assessment. Carrying out a baseline approach assessment, an informal approach and finally a detailed risk analysis. This results in a reasonable level of protection being achieved as quickly as possible
What is the Informal approach
Provides an informal and pragmatic risk assessment that doesn't have a structured process and it exploits the knowledge of internal or external testers
What a risk assessment be qualitative or quantitative
Quantitative as this will tell the full story of any issues and can't be spun by the IT department if they are carrying out the assessment
What is the Check stage in risk assessment
The effectiveness of the risk treatment plan is monitored
How could a Circuit-Level gateway be used nefariously
The firewall could not connect you to the IP you requested. It could direct you to an insecure website intended to deal data or infect your computer
What are Circuit-Level Gateways
The gateway sets up two TCP connections. From from the internal network to the firewall, and one from the firewall to the outside. This requires any traffic to connect to the firewall rather than other designs that watch network traffic as it comes through the firewall
Why should logs be audited
To see if users are: - Accessing resources illegally - Behaving unusually - Making mistakes
What is the idea of "Use Community resources" when designing applications What's the opposing view to this
Use pre-built code and libraries were possibke as these have been pre-tested and generally can be trusted more than components that you've invented yourself. However sometimes wide-spread some components can be there can be big security breaches (e.g. heartbleed) that will affect you
Why would you place a honeypot outside of your firewall
Useful for tracking attempts to connect to unused IP addresses within your network. Reducing some of the traffic to your firewall
What is the purpose and types of lighting in regard to external security
reduces accidents and crime The two types are continuous (always on) and responsive (triggered)
What is an attack tree
represents a set of potential techniques for exploiting security vulnerabilities
When should an informal approach be adopted
small-medium businesses where IT systems aren't necessary for meeting their business objectives and additional expenditure cannot be justified
What are the 3 approaches for modelling legitimate behaviour
statistical classification knowledge-based classification Machine-learning classification
What is a Trade secret, give an example
Something that a company must keep secret to ensure its survival Such as the source code of a product. Disclosing this would be a trade secret violation
What is a DOS attack
A Denial of Service attack. It prevents legitimate users from accessing a network resource
What is a distributed attack
A flooding attack using a network of bots
What are the 2 isssues with passwords
They are poorly chosen and poorly stored
How does a honeypot detain hackers
By making their attack seem successful, so they want to stay in the system for longer to finish their attack
What are all the design principles of Computer Security
- Economy of Mechanism - Fail-Safe Defaults - Complete Mediation - Open Design - Separation of Privilege - Least Privilege - Least Common Mechanism - Psychological Acceptability - Isolation - Encapsulation - Modularity - Layering - Least Astonishment
What are the internal security issues
- Electricity - Noise - Ventilation - Fire - Water
What is shoulder surfing
the practice of spying on a user of an electronic device (e.g. ATM) to obtain their PIN or password
What does the ClientHello message in the Handshake layer contain
- A 28-bit ClientRandom (a number) - An ordered list of suggested encryption algorithms
What does the ServerHello message in the Handshake layer contain
- A 28-bit ServerRandom (a number) - A chosen encryption algorithm - A certificate
Example the premise of a buffer overflow attack
- A buffer holds a reasonable amount of input data, but cannot hold an unreasonable amount of input data which will cause it to overflow - We use stacks for temporary data as this makes the space easy to reclaim simply by incrementing the stack pointer - If you place too much data in the buffer it will start overwriting other data in the stack that wasn't originally in the buffer
What does the ClientKeyExchange message in the HandShake layer contain
- A shared secret key computed from a made-up secret (think of it as a password), ServerRandom and ClientRandom. - It is transmitted to the server using its verified public key and then decrypted by the servers private key - This message is therefore encrypted and cannot be seen by anyone
What is the design principle of fail-safe defaults
- Access decisions should be based on permission rather than exclusion - this means that if there is an error then the default access is not at all. Minimising the impact of a systems failure
What is the Risk of "Malicious outsiders" in cloud computing and how to we counter it
- An account or service being hijacked using stolen credentials - Counter using 2FA and employ proactive monitoring to detecting any intrusions on unusual behaviour
How should you implement "least privilege" with personnel
- An employee should have just enough privilege to do their job - Seniority shouldn't dictate access permissions. Managers/Directors don't need access to everything
What is the Tunnel Mode of IPSec
- An encapsulating security payload header contains the index of the shared key used to encrypt the old IP header and IP payload - A hashed message authentication code is computed over the shared key, ESP header, old IP header and IP payload - This completely hides the original IP packet so that it no longer appears to any servers or routers as it originally did.
What is "privilege escalation" in terms of intruder behaviour
- An intruder escalates their privileges on the system - Often an application weakness is exploited
What is "system exploit" in terms of intruder behaviour
- An intruder exploits there access - Usually modifying or stealing data
What does GDPR set out
- Applies to all data processors - Applies to all identifying data - Requires positive proof of consent - Requires a Data Protection Officer - Introduces privacy impact assessments - Introduces a breach notification requirement (The government must be notified if you have a data breach) - Introduces the right to be forgotten - Extends liability beyond data controllers (if a controller gives data away he is still responsible for any breaches of this data) - Mandates software privacy by design - Allows complaints about the above to be lodged in any country within the EU
What are the classifications of hackers
- Apprentice hackers - Journeyman hackers - Master Hackers
What are the ways you could stop a DoS attack
- Attack prevention and Pre-emption - Attack detection and filtering - Attack source traceback - Attack reaction
What are the 4 approaches to identifying and mitigating risks
- Baseline approach - Informal approach - Detailed Risk analysis approach - A combined approach
Give some uses of Hashes
- Checking whether files have been tampered with. As you can recalculate the hash after a file has been received to ensure it is identical to before - Hashing passwords, and storing the hashes instead of the passwords
What is meant by Metadata Retention in the Investigatory powers act
- Communication service providers must retain metadata about the communications made through their services (who, what, when and where) for twelve months
What is the design principle of Separation of privilege
- Components of any information system are only given specific privileges that they require to perform a task. - This reduces the damage that would be caused by a computer security attack. As the impact of compromising a single component is now less likely to be able to impact other parts of the system, if it's privileges have been correctly restricted
What is the design principle of Isolation
- Components should be isolated from each other except were necessary. There are 3 key examples of isolation - Public access systems should be isolated from critical resources - The processes and files of individual users should be isolated from one another unless explicity required - Security mechanisms should be isolated in the sense of preventing access to these mechanisms to avoid tampering e.g. key theft from encryption algorithms
What are 3 characteristics of a vulnerable information system
- Corrupt - Leaky - Unavailable
What are 4 ways we can achieve database security
- DAC - RBAC - Views - Encryption
What are the business benefits of storing all data in 1 shared database
- Data might be replicated if it isn't unified into 1 shared repository - Data will often be inconsistent if it is stored in mulitple places, and when 1 is updated the other place may not. Leading to consistency issues
What is a honeypot designed to do
- Divert the attacker away from critical systems - Detain an attacker for some time to allow administrators to respond - Collect information about the hackers activity
What are the 2 ways of dealing with inference attacks
- During database design you alter the database structure to remove the possibility for inference e.g. removing data dependency by splitting a table into multiple tables or using more fine-grained access controls in an RBAC scheme - At Query time. If an inference channel is detected, the query is denied or altered. A simple version of this is to only allow queries to return a limited number of results as this reduces the possibility of an inference being able to be made
What is the Risk of "Unknown Risk Profile" in cloud computing and how to we counter it
- Handing over control of security to the cloud service. This can be risking whether or not the cloud provider is unreliable or has nefarious intentions - Counter this by insisting that the provider discloses their security measures and applicable security logs
Why is database security hard
- Hard to configure as DBMS systems are large and complex. Their complexity also gives them a large attack surface - Database interaction through SQL is hard to control and more complicated that other languages - Database staff are scarce, busy or unskilled and many organisations don't have dedicated staff - Most environments consists of a large range of database, enterprise and OS platforms which adds a big complexity hurdle for security staff
What are the stages of a detailed Risk analysis approach
- Identification of assets - Identification of threats and vulnerabilities to the assets - Determination of the likelihood of the threat occurring - Consequences if the threat occurs - What the overall risk to the organisation is
How would you use attack source traceback to stop DoS attacks. And why is this normally ineffective
- Identify the source of the attack (if possible) and block it during and after the attack - This is unreliable because most routers won't allow you to track back where packet came from because governments won't allow this
What are the disadvantages of placing the honeypot on the internal network
- If compromised it can attack internal systems. - If the honeypot is compromised then it can still receive network traffic through the firewall meaning the attacker can continue to access the network - We have to open up the firewall in order to allow potential attackers to access the honeypot
How does Asymmetric or public key encryption work
- If someone wants to send you data they find your public key (which cannot decrypt the data) and use this to encrypt the data. - The receiver is then able to decrypt the data using their private key which is known only to them
Why might a TLS connection not be established
- If the client and server can't agree on an encryption algorithm - if the certificate is invalid, the communication will be termianted
What is the Risk of "Insecure Interfaces and APIs" in cloud computing and how to we counter it
- If the interfaces and APIs that people use to interact with the services aren't secure then this can make it very easy for hackers to gain access to your data - Counter by employing a string authentication/access control system and using penetration testing
What are the advantages of an informal approach
- Individuals don't require any additional skills so it can be carried out quickly and cheaply - The organisations systems specifically are being examined so the assessment is specific and might spot issues overlooked in a baseline approach
What are the key elements of intruder behaviour
- Information gathering - Initial access - Privilege escalation - System exploit - Maintaining access - Covering tracks
What are the 3 service models for providing cloud computing services
- Infrastructure as a Service - Platform as a Service - Software as a Service
What are the disadvantages to an informal approach
- Issues might be overlooked as there is no formal guideline to mandate that some issues are looked at - Results may be skewed by the views and prejudices of the individuals - There may be insufficient justification for any suggested changes leading to questions over whether they are necessary - As employees change over time the level of expertise in carrying out the assessment may vary, making them inconsistent over time - Often these tests can be overlooked in favour of completing other IT tasks. They are often not carried out regularly enough.
What are the advantages of placing a honeypot on the internal network
- It can catch internal attacks - It can detect a misconfigured firewall that forwards traffic from the internet to the internal network that is shouldn't be.
What is a keylogger
- It collects and steals data - it records and logs specific key presses, most often those pressed after prompts for sensitve information such as log-in details - Then silently sends the information home via the network
What are the pros and cons of a baseline approach
- It does not require a formal risk assessment to be carried out which could be expensive - The same measures can be replicated over many systems - No consideration is given to variations in your system compared to the industry standard - The baseline could be too high leading to expensive and restrictive measures that aren't warranted - The baseline could be too low leaving your organisation vulnerable due to insufficient security
How does an encrypted virus conceal itself. What is the issue with them
- It encrypts the payload with a random key. - The virus decrypts itself before it runs. - Each time the virs propagates a new key is chosen to make it harder to detect
Why do we target high capacity network services with reflection and amplification services
- It makes the attack more effective as more packets can be sent - It makes it easier to hide, because your attack most likely won't register as unusually high traffic if the network is used to massive amounts of traffic
What are the issues with a high interaction honeypot
- It requires a larger amount of resources - It is a fully functioning system which could be compromised and used by an attacker to launch attacks that appear to have come from within your organisation
What does the Investigatory Powers Act allow for
- Legalised Hacking - An Investigatory Powers Commissioner - Metadata retention - Real-time surveillance
What are the two ways we can carry out intrusion detection
- Looking for signatures - Looking for anomalies
What is the state of the art in worm technology
- Multi-platform - Multi-exploit (gains access in many ways) - Ultrafast spreading (seeks targets quickly) - Polymorphic (varies its code) - Metamorphic (varies its behaviours) - Zero-day (gains access in a previously unknown way)
What must be considered when placing a honeypot in the DMZ
- Must ensure that all of the servers in the DMZ are secure from any activity that the honeypot could generate - The DMZ is not fully accessible from external networks. So in order for attackers to access it you need to open up the firewall by adding rules to let traffic into the honeypot
How should any media that is stored by an organisation be labelled
- Name and version - Date created - Classification level - Retention period - Date to be destroyed
What are the main types of password attacks
- Offline dictionary - Specific account - General password - Workstation hijacking - User Mistake - Password Reuse - Electronic Monitoring
What is the Risk of "Malicious Insiders" in cloud computing and how to we counter it
- One of the cloud service staff compromising the confidentiality, integrity or availability of data - Counter by specifying human resource and installation management requirements in contracts to make sure nobody unnecessary has access
What are the characteristics of a strong hash function
- One way: given M, it is easy to find H(M), but given H(M) it is hard to infeasible to find M - Leakage free: It is hard to deduce any information about M from H(M) i.e. being able to discern the file type from the hash value - Collision free: It is computationally infeasible to find a W and M, such that H(W) = H(M).
What are the 4 stages in the risk assessment process
- Plan - Do - Check - Act
What are the benefits of salts
- Prevents duplicate passwords being visible because if 2 users pick the same password they will be giving different salts making their hashes unique - It becomes nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them - It increases the difficulty of offline dictionary attacks. Instead of the user being able to compare a rainbow table to your password file. For each password the user wants to check against your file they need to calculate the hash of this password + every possible salt. This adds a huge performance overhead
What are the advantages of a detailed risk analysis approach
- Provides the most detailed examination of the security risks of an organisations IT system - Produces strong justification for any expenditure on changes - Provides the best information for continuing to manage the security of the systems as they evolve and change
What are the models for cloud deployment
- Public cloud (available to the public) - Private clouds (available to a single organisation) - Community Clouds (available to a closed set of partners) - Hybrid Clouds (any composition of the above)
What are the phases of worm operation
- Reconnaissance - access - execution - propagation
What is the process for carrying out any configuration change in an organisation
- Request - Approve - Document - Test - Implement - Report
What is separation of duties in regards to operations security
- Requires important operations to be divided between different tasks and given to different employees - This is because 1 person is far easier to corrupt than multiple
What is job rotation and why is it practiced
- Requires that over time more than one employee fulfills each role - Prevents someone spending a long time in a role and slowly becoming looser with the rules. Putting a new person into the role will allow this to come to light and will resolve the issues. - Can also bring improvement to roles by bring in a fresh set of eyes and new approach
What is the design principle of psychological acceptability
- Security should not interfere unduly with the work of users, while still meeting the needs of those who authorise access. - Security should blend with the workflow of users - Security measures should reflect the users mental model of protection, making them more likely to understand the measures and use them correctly
What are the disadvantages of a detailed risk analysis approach
- Significant cost - Time taken - During this time an informal approach may have been able to identify and fix some simple threats. Which instead are still present whilst the analysis is ongoing, leaving the organisation vulnerable.
What are the 4 categories of authentication information (give examples)
- Something you know (password, PIN, Security questions) - Something you have (badge or ID card) - Something you are (fingerprint, retinal scan) - Something you do (voice, "gait" walking pattern, hand writing characteristics)
Explain what happens in 1 round of AES encryption
- Subsititue bytes: perform byte-by-byte substitution of the block using a substitution table which maps every possible byte to another byte - Shift rows: Perform row-by-row circular left rotations. Some rows will be rotated once or twice, others not at all - Mix columns: Each byte of a column is mapped to a new one that is a function of all four bytes in the column. Each possible column is mapped to another column by a function - Add round key: Perform an XOR with a portion of the expanded key. this takes 2 inputs (the bit in the block and bit in the key) and gives you 1 set output This occurs 10 times
What is the design principle of Economy of Mechanism
- The design of security mechanisms should be as simple as possible - Smaller systems are easier to design and test thoroughly - More complex designs lead to more opportunities for a hacker to discover weaknesses to exploit that are hard to spot ahead of time - Updating or replacing a simple system is far easier so your security system is less likely to be out of date
What is a TCP SYN flooding attack
- The server responds to a SYN packet with a SYN-ACK packet, tying up the server while it waits for an RST packet from the client to start a TCP connection. However the usually spoofed client won't respond with a RST packet - You start the 3-way handshake process of setting up a TCP connection, then don't respond, tying up the server
How does an ICMP flooding attack work. How would you guard against it. Is there a way hackers could get around this guard?
- The server responds to an echo request made by a usually spoofed client (by using different IP addresses) - Handled by blocking ICMP at the firewall - However hackers can get around this by using other types of ICMP packets that can't be blocked at the firewall. Because these packets have a function within TCP/IP communication so the firewall must allow them through
How would you ensure the frivolous software and services are not installed on your hardened OS
- The system should be setup with only the absolute required services installed - Favour not installing software in the first place rather than uninstalling it later. This is because most uninstallers don't remove 100% of the program files. Also if a service is installed but disabled, a hacker would be able to re-enable it, so it is safer to not have it installed at all
What is the access phase of a worm
- The worm gains access to a system - This is done by sending unexpected inputs to a weak applications so that it falls over and gives the malware access
How should configuration restarts be handled within an organisation
- They should be controlled - Carried out only be authorised individuals when absolutely required - They should be logged with a reason for them given
Why is risk assessment always ongoing
- Threats are always changing and new ones are arising (changing threat landscape) - The business is changing so new threats might affect a business or some might no longer affect them - The business might gain new assets that need protecting
How do you prevent a buffer overflow
- Tight coding - Bounds checking - Stack canaries - Nonexecutable stack
Why should a hardened OS have users/groups configured, and how should they be configured
- To ensure that only necessary users/groups will be able to access certain files - Ensure that users are given the lowest privilege necessary for their role - Ideally even high privilege users should spend most of their time with only low level privileges - They can then access higher privileges only when required
What are the Cloud-specific security risks
- Unknown Risk Profile - Malicious insiders - Malicious outsiderss - Insecure Interfaces and APIs - Shared Infrastructure - Data loss or leakage - Abuse and Nefarious use
What are the different types of surveillance cameras
- Visible/hidden - Fixed/movable - Recording/monitored
What attributes must a security guard have
- Well instructed with clear duties - Well-equipped with a two way radio - Well supported with a central control - Trustworthy with a clean record
What attributes does a hardened OS have
- Well understood - Frivolous services disabled - Monitoring services enabled -Logging services enabled -Development tools removed - Users/groups configured - Regular patches/audits - Regular testing
What questions does a risk assessment answer
- What assets do we need to protect - How are those assets threatened - What can we do to counter those threats
What are the main Entry/Exit security measures that should be implemented
- Zoning - locks - Surveillance Cameras - Intrusion detection
How are passwords poorly chosen
- less than 8 characters long - Does not inlcude an upper-case letter - Does not include a lower-case letter - does not contain a special character
What are ways of increasing internal security outside of handling the main risks
- name badges - Fire drills - Locking anchor chains to prevent theft - Open plan
What might a packet firewall look for
- particular source/destination IP addresses - Particular source of destination TCP ports - Particular payload content containing the signatures of malware - Particular payload content containing specific file types
How should a hardened OS be setup with regard to patches
- patches should be automatic - The OS should have utilities that do the patches automatically to reduce the timeframe for which the OS is vulnerable
What are examples of suspicious behaviour during a DoS attack
- unknown sources - ramp-up sources (meaning 1 IP is suddenly increasing the amount of packets its sending) - bad hop count (if the packet claims to have come from further than is possible in the number of hops its made. e.g. coming from China should take 9 but the packet claims to have done it in 2 hops. Meaning the IP is spoofed)
What is the double bastion inline firewall organisation, what are the benefits
A DMZ is placed between an external and internal firewall The DMZ network can be accessed externally but is still protected by a firewall The internal network can't be accessed externally at all, the firewall blocks all incoming traffic. However computers on the internal network can send traffic out of the internal firewall and access the DMZ and the wider network
What is a network of bots called and who controls them
A botnet is controlled by "shepherds" or "herders"
What is a cold boot attack
A cold boot attack may make it possible to recover encryption keys even if the power is lost. RAM is "frozen" and accessed at a later date
What is a hash function
A hash function takes a string M, and returns a number H(M). Small changes in the string result in large changes in the hash value
What is a non-executable stack and what are the drawbacks
A processor may ensure the stack is nonexecutable so that arbitrary code execution can't occur However this isn't useful for legitimate users for example java uses JIT (just in time) compilation which is where the machine compiles the code just in time to use it. This uses the stack and requires it to be executable
What is pipelining
A processor predicts branches that a program will take based on past history It preloads instructions in a program into a pipeline, and squashes instructions if it guesses incorrectly
What is the Plan stage in Risk Assessment
A security policy is established, processes and procedures and put in place, and a risk treatment plan is established
What is the Single Bastion inline firewall organisation, what is the issue with it
A single firewall is placed between and external and internal router. The issue is that if someone gains access to the network through the firewall they now have access to the entire local network
How does Anti-virus software function
A virus can be identified by a short signature in its binary code. The software looks for these signatures in files and quarantines those files (it does not delete them) for the user to check
What is the execution phase of a virus
A virus does something malicious. For example deleting files on the computer or more commonly stealing information and sending it to the virus creator
What is a macro virus
A virus infects files with macro or scripting code that is interpreted by an application
What is the triggering phase of a virus
A virus is activated by some event e.g. opening the infected word document
What is the execution phase of a worm
A work does something malicious. Most commonly stealing data from the machine
What is the propagation phase of a worm
A worm seeks access to further systems Often done by searching through log files to find other systems that the infected system has recently communicated. This is successful because these systems will trust communication coming from the infected system making it easy to send the worm into the systems
What are the advantages and disadvantages of statistical classification
Advantages - Relative simplicity - efficiency - lack of assumptions required Disadvantages - the difficulty in selecting suitable metrics, to find a good balance between false negatives and false positives
What are the advantages and disadvantages of knowledge-based classification
Advantages: robust and flexible Disadvantages: difficult and time consuming to develop a good set of rules. It will require experts in the field
What is the purpose of patrols
All physical and environment protection measures ultimately require human intervention
What is an SQL injection attack
An SQL injection attack involves passing SQL code from a Web client to a Web server, and onto a database with malicious intent
How can an RBAC be represented
An access matrix which shows the roles on 1 access and permissions on the other
What is the idea of "Promote Privacy" when designing applications Give examples
An application should be diligent in processing and storing personal information. Increasingly important because of GDPR E.g. ensuring data is deleted when a user stops doing business with the company/application. Making sure that databases are secure and up to date
What is the idea of "Be reluctant to trust" when designing applications
An application should be reluctant to trust other applications and processes it should also be reluctant to trust any inputs it receives e.g. SQL injection
What are Application-Level Gateways
An application-level gateway operates at the application level, working on application headers and content This allows you to ban specific applications, websites and application commands from your network
What is the idea of "secure the weakest link" when designing applications
An applications weakest link should be strengthened until an acceptable level or risk is achieved. For example storing keys for encryption
What is a general password attack and how do we counter it
An attacker tries common passwords against a range of system identifiers Counter by preventing common password use. Scan IP addresses of authentication request and check for submission patterns
What is an asset, give examples
An element within an organisation that must be protected and ideally can be valued e.g. Computers, Software, Databases, People, Reputation
What is the Transport mode of IPSec
An encapsulating security payload contains the index of the shared key used to encrypt the TCP payload A hashed message authentication code (HMAC) is computed over the shared key plus ESP header plus IP payload
What was the heartbleed exploit
An error in the OpenSSL implementation meant that an attacker could send a 16 byte message claiming it was 65536 bytes, and receive a response from the server containing 65536 bytes of the server uninitialised memory. Eventually this memory was likely to include names, passwords and private keys
What is the current issue with completely protecting against inference attacks
An inference detection algorithm is required to effectively state whether an inference is possible. However a good algorithm hasn't yet been developed
What is "covering tracks" in terms of intruder behaviour
An intruder removes any sign of their presence For example editing logs, fixing timestamps
What is "maintaining access" in terms of intruder behaviour
An intruder works to maintain access to a system, often by creating dummy accounts
How might a buffer overflow lead to arbitrary code execution
An overflow may fill the buffer with shell code and make the function return link point to it. This code when executed may give you control of the system. This is very dangerous as it means the hacker can run their own code on their system.
How might a buffer overflow lead to a denial of service
An overflow might make the function return link point to a random address, leading to a crash and a denial of service as the functions no longer return to the correct points making the code no longer function as intended
What do we assume about any communication into a honeypot. And why?
Any incoming communication is assumed to be a probe, scan or attack This is because the honeypot has no production value, so there is no reason for a legitimate user to communicate with it
If there is communication coming out of a honeypot, would would this mean?
Any outgoing communication indicates that the honeypot has been compromised
What is the idea of "security as an afterthought"
Applications should be designed with security in mind, it shouldn't be an afterthought It is very hard to make an application secure after it has already been designed as core design decisions are likely to have to be reversed/changed
Why is content not retained in the Investigatory powers act
As this is seen as too much of an invasion of privacy Also the amount of data that would have to be retained is far too large making this infeasible
What are stack canaries
At the head of the return address you insert a number. Then you check this umber regularly to ensure the a buffer overflow hasn't overwritten the address
What should you do to every employee before they take a position
Background checks
Why are logging systems necessary
Because humans cannot effectively monitor logs due to the quantity of information they contain
Why can it be hard to know if your violating a patent?
Because searching for patents is very hard to you often don't know you were infringing one till your accused of it by the patent holder
Why are polymorphic viruses often still detected
Because the signature can still be detected regardless of its location within the virus
Why should a hardened OS have development tools removed
Because tools such as compilers and scripting languages are easily abused by hackers
What does availability mean in the CIA triad
Ensuring timely and reliable access to the information as well as the use of information
What is piggybacking
Entering a door by following something through a door that would otherwise be locked
How are passwords poorly stored
If the password file is stored in plain text and can easily be found by a hacker if the system is infiltrated
What is a baseline approach
Carried out with reference to baseline documents, codes of practice and industry best practice
What is bound checking and what are the drawbacks
Checking is done by the compiler rather than the programmer. The compiler will check the array access and prevent overflows The issue with this is that it can be inefficient as implementing the checks yourself can be far faster
What is a Spectre attack
Commands that should only be executed if a specific check is met will be speculatively executed but then discarded if the check isn't met. This means that variables exist that aren't supposed to for the period of time before they are either confirmed or rolled back by the pipeline. These variables will be stored in the cache. What you can do is time access variables to reveal which are stored in the cache (they will be accessed far faster) and therefore which have been speculatively accessed. These variables were stored in a private section of the main memory and are meant to be invisible to both the user and even the process itself until required. From the knowledge of where the data is stored and it's address we can often deduce what the data is
What is meant by Real-Time surveillance in the Investigatory powers act
Communication data will have to be provided by communication service providers to the government "in near real time", removing encryption were possible
What is the design principle of encapsulation
Component functionality should be isolated into separate modules where necessary and only externally visible where required. (Think OOP)
What is a stealth virus
Compressing or mutating the entire virus and maintaining its functionality
What is the CIA triad
Confidentiality, Integrity, Availability
What is Attribute-Based Access Control (ABAC)
Controls access based on the attributes of the subject, object and environmental conditions environmental conditions may include location, time/date etc. This is the most general system that has the most flexibility
How do current processors deal with meltdown and spectre attacks
Current processors all use speculative execution and will continue to for many years. Therefore they are all vulnerable to these styles of attacks
What is the design principle of least privilege
Every component of an information system should have the least level of privilege necessary to perform the task
What is a DMZ
Demilitarised Zone It is a network for systems that must be externally accessible, but still need to be protected e.g. email servers
How do we model legitimate behaviour using machine-learning classification. Why are the draw backs
Developing a model using labelled training data given to a machine learning algorithm This can build models for all your users and notify any deviations from their standard behaviour Not used due to the high resource cost and high false positive rate
How do we model legitimate behaviour using statistical classification
Developing a statistical profile of observed metrics that we can use to classify behaviour as legitimate or nefarious
How should you implement zoning
Divide your facility into zones and give the relevant zones appropriate access rights
What would a corrupt information system do
Does the wrong things, or gives the wrong answers
Give an example of information gathering
Doing a port scan on a network
Explain how the UNIX operating system implements discretionary access control
Each file associates permission bits for the user, group and others. Some UNIX operating systems store a list of permission bits for different users as part of the file
How should companies carry out regular testing on an OS
Employ "pen" testers who will try to infiltrate the system to ensure it is secure These testers are employed on short contracts and then new testers are hired to ensure that systems are exposed to many different infiltration attempts by different testers
What is tight coding and what are the drawbacks
Employ programmers who will properly design code to make it impossible to give inputs that will exceed the size of the buffer. However this is unreliable as whoever good your programmers mistakes can still happen
What are the 4 classifications of virus (by ways in which they conceal themselves)
Encrypted Stealth Polymorphic Metamorphic
How do counter the risk of shared infrastructure in cloud computing
Enforce the SLA (service level agreement) that states what you expect from the provider in terms of downtime and speed However this rarely works because the cost of changing cloud provider is often far too large to make it worthwhile switching. Providers are aware of this so even if you accuse them of not meeting the SLA they are unlikely to care given the chance of you leaving is so slim.
What is deep packet inspection
Examing the packet headers and payload
What is shallow packet inspection
Examining only packet headers
What are the 3 categories of roles that exist within an RBAC for a database
Fixed server roles - Operate on the entire database server, roles within this have different permissions within the server (admin accounts) Fixed database roles - Roles that operate on an individual database and have different permissions within the database (owner of an application that uses a database on the server) User defined roles - Roles that are created y users and normally have access to just a collection of tables necessary for their jobs (end-users)
How does a stateful packet inspection firewall work
For every outgoing TCP connection the firewall adds the source IP and port as well as the destination IP and port to a table. When the firewall receives an incoming packet it checks whether it is part of a connection that has been added to the table. If so then it allows the packet through. If not the packet is discarded unless another firewall rule specifies otherwise.
What is meant by Integrity in the CIA triad
Guarding against imporper modification or destruction of information, and ensuring authenticity and non-repudiation (the fact that the validity of something cannot be denied)
What is a journeyman hacker
Has sufficient skills to modify an attach toolkit, or to construct something smaller Responsible for a smaller volume of attacks, but harder to defend against
What is the idea of "defense in depth" when designing applications
Have overlapping security mechanisms. Doing multiple virus scans (at both a server level and at a host level)
What are the 3 types of flooding attack
ICMP, UDP, TCP SYN
What 2 stages make up authentication
Identification step: - Presenting a unique identifier to the security system Verification step: - Presenting/generating authentication information that the security system can use to corroborate and validate the binding between the user and the claimed identifier
What is the benefit of auditing logs to see if people are making mistakes
If possible you can re-engineer your system to stop people from making these mistakes
How can cloud computing compare to the start of mainstream computing back in the 1960s
In 1960 it was common for a computer bureaux to divide up and sell the services of a single mainframe computer running a time-share operation Today cloud computing providers divide up and sell the services of large computer clusters, essentially running a time-sharing operation
What are the 3 parts of a virus
Infection mechanism: The means by which a virus spreads and propagates, enabling it to replicate Trigger: The event or condition that determines when the payload is activated Payload: What the virus does, besides spreading
What would a loss of integrity mean
Information has been modified or destroyed without authorisation
How does a good password system store passwords
It stores the hash of the salted password It stores the salt for each user in plain text
What is a packet-filtering firewall
It is a firewall that filters individual packets on the basis of packet headers and packet payloads
What is a salt
It is a fixed length value that is random (at least pseudo random). It is added onto a password and then the given as input to the hashing function
What is a man-trap. What is their purpose
It is a physical security access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set of doors. Only 1 person is allowed inside the mantrap. It seeks to eliminate piggybacking
What is a virus
It is a piece of malware that is attached to some host software, and when it is run it performs some malicious act before propagating by attaching itself to other host software
What is a database view and how does it help with database security
It is a virtual table that provides restricted access to only certain rows or columns Meaning that users are only given access to the required information
What is a public-key certificate
It is an association of a user and a public key vouched for by a certifying authority such as the government The purpose of this is to verify that this public key does belong to the user, and it isn't someone posing as the user in an attempt to get you to send them your data
What is a threat
It is an exploit for a vulnerability
What is Mandatory Access Control (MAC)
It is based on subject security clearances and object security labels One subject cannot control the access of another A central authorities allocates the clearances and labels
What is caching
It is when a processor fetches instructions and data from a faster cache memory if possible. Cache memory is very fast and expensive
How might a herder send an encrypted message to the botnet control machines
It might hide a message on a public webpage
What is backdoor
It offers a secret entry to a system without going through the usual security procedures This could be as simply as creating an account on the system to log-in to in the future
What is a worm and how is it unlike a virus
It probes network ports, exploits flawed applications and performs some malicious act before propagating and seeking out other host machines Unlike viruses worms are autonomous so don't require the user or host machine to open a file or make a mistake in order to function. They have no "idle phase"
What is Copyright
It protects an author from unauthorised duplication of their work.
What is IPSec and what are the benefits of it
It provides a secure, best-effort delivery Because it is built into the internet layer all servers have to use it so this is unskippable unlike TLS
What is the TLS protocol and what is it made up of
It provides a secure, reliable end-to-end secure server. It is made up of the Handshake and Record Layer
How should a hash algorithm be designed for use in a password
It should be slow to execute. In order to thwart attacks and make it unfeasible to do a brute-force attack on a password file
How should an organisation store physical media
It should be stored in a safe and secure environment e.g. a fire and waterproof safe Media should be geographically isolated from the computer systems so both aren't lost. As often this media is backups or old customer records
What characteristics should an identifier have
It should be unique and never re-used even if a certain identifier is no longer in use
What are the issues with encryption when applied to a database
Key management - With many users needing access to specific parts of the database. Creating and keys that only give the desired access and then distributing them securely is a complex task Querying - it becomes more difficult to search records if they are all encrypted
When is detailed risk analysis used
Large organisations whose IT systems are critical to their business objectives, and the additional expenditure can be justified Government or critical service providers who are mandated to carry out this analysis
How should you setup your hardened OS to have a logging system enabled
Log files should be automatically inspected to find security breaches quickly and effectively
How should you implement logging with regard to operations security of a company
Logs should associate events with users
How would you use attack detection and filtering to stop a DoS attack
Look for suspicious patterns of behaviour during the attack and filter out the offending hosts
How would we carry out intrusion detection by looking for signatures
Looking for network content that is typical of malware, characteristic byte sequences This only works for attacks that the system is aware of so has the patterns and rules for
How would we carry out intrusion detection by looking for anomalies
Looking for patterns of behaviour typical of malware - modification of system resources, privilege escalation We achieve this by monitoring the behaviour of legitimate users to get an idea of what this looks like and checking that the currently observed behaviour matches our model of legitimate behaviour
What would a loss of availability mean
Means that the access to or use of information has been disrupted
What is the design principle of least common mechanism
Mechanisms used to access a resource should not be shared between users e.g. Giving everyone the same link on a website to access some sensitive information increases the change of a DDOS attack or a data breach
What is ransomware
Modifies data and demands a ransom to undo the modifications
What is a meltdown attack
Much like a spectre attack but we use virtual memory. We time access pages and reveal which locations have been accessed speculatively. From the knowledge of where the data is stored and it's address we can often deduce what the data is
What is the design principle of layering
Multiple, overlapping protection approaches should be used so that failure of one does not mean total failure
Give an example were logging user activity was useful
NHS staff selling medical records to newspapers. You can see who accessed said records to find out who sold them
Give examples of trademark violation and how it can be relevant to computer security
Passing off a fake product or service as a genuine one. These fake products may install malware
What is an inference attack
Performing authorised queries and deducing unauthorised information from legitimate response received
What are the characteristics of a macro virus
Platform independent: The virus can spread to many different platforms and still function Easily Spread: Making them found in data that can be sent easily such as through email attachments
What is the Act stage in risk assessment
Policy, process and procedures are modified in the response to security incidents or compromises
What is catfishing
Pretending to be someone you are not online, in order to lure someone you haven't met into a relationship A catfish may steal someone else's photos, videos or personal information to create a fake profile or website when they are forming their bogus identity
How can DAC be applied to databases
Privileges can be granted and revoked through SQl much like file permissions in Linux
What is the problem and solution for fire issues
Problem: - Fire can destroy computer systems Solution: - Prevention by construction and usage (storing flammable materials away from computers) - Detection using smoke/heat detectors - Supression using automatic/portable fire extinguishers
What is the problem and solution for Ventilation issues
Problem: - Most computer equipment needs a controlled atmosphere Solution: A closed loop air-conditioning system avoids: - high/low temperatures - high/low humidity - particle contamination - static electricity
What is the problem and solution for electricity issues
Problems: - Electrical excess (spike -> surge) - Electrical loss (fault -> blackout) - Electrical degradation (sage -> brownout) Solution: - Surge protection - UPS (Uninterruptible Power Supply)
What is the problem and solution for Noise issues
Problems: - Electromagnetic interference (EMI) when cables are side by side - Radio frequency interference (RFI) often from fluorescent lighting Solution - Plan cable routs - Use shielded cables - Avoid microwave ovens
What is the problem and solution for water issues
Problems: - Water can destroy computer systems Solutions: - Prevention by construction/usage - Detection using water detectors
What would a leaky information system do
Reveals information that it should not. For example someone who shouldn't have access to some or all of the information via the network access
Give an example of a monitoring service that might be run on a hardened OS
SNORT for intrusion detection
How do you prevent an SQL injection attack
Sanctify any user input
What happens during the reconnaissance phase of a worm
Scans the system to find weak applications that are listening at certain ports that a worm can gain access to
What is the idea of "Hiding Secrets is Hard" when designing applications
Secrets such as passwords, encryption keys and results are often hard to hide. Therefore we try to store as few of these as possible and destroy them as quickly as possible
What is meant by legalised hacking in the Investigatory powers act
Security services will be legally allowed to hack computers, networks, mobile devices and services by exploiting vulnerabilities to gain control of them
Why can encryption most likely not be removed during Real-Time surveillance by the government (as mandated by the Investigatory Powers Act)
Strong end-to-end encryption makes this nearly impossible if encryption is to be removed it would have to be weakened to the point where it can be easily cracked and removed. Which is obviously something most companies would be unwilling to do.
What is a master hacker
Sufficient skills to create entirely new attack toolkits Responsible for a small volume of attacks which are very difficult to defend against (so-called "zero day" vulnerabilities)
What are the 2 ways in which security can be implemented into the network stack
TLS (Transport layer security) IPsec (Internet Layer Security)
What does a firewall program consist of
Tables, which are arrays of chains Chains, which are lists of rules Rules, which are lists of patterns, with actions depending on whether the packet meets those patterns
What is spear phising
Targetted phishing attacks. They often exploits the credibility of a victim by getting them to respond to a cry for help from friends e.g. impersonating the victims friend by researching them and crafting a believable story to get money or personal information
What is the overarching issue in database security
That the database is the single shared repository of data
How does the internet design adhere to Integrity
The CRC (cyclic redundancy check). This is a number calculated for each packet, much like a hash. This ensures the packet arrives int he same state as it was sent in
What is AES
The advanced encryption standard. The current standard for symettric encryption It works on 128-bit blocks. It splits up the file into these blocks and encrypts them one at a time. It does 10 rounds of encryption
What is social engineering
The art of manipulating people to give/hand over things of value, or the means to access such things
What is pretexting. Give an example
The attacker exploits the credibility of the victim to get them to perform an action e.g. impersonating an external IT contractor to get the security staff to let them into the building
What is phishing
The attacker exploits the fear or helpfulness of the victim to get them to follow a link to a landing site where they enter their username and password e.g. an email claiming to be from a bank, asking for customers to update their security information
What is baiting Give an example
The attacker exploits the greed, kindness or curiosity of a victim to get them to install software e.g. leaving a USB drive in a carpark in the hope that the victim will be curious and plug it into a company PC. e.g. a free film download with some imbedded malware
What is tailgating. Give an example
The attacker exploits the politeness of the victim to assist them through a security check. e.g. claiming to have forgotten your ID card to get through a door, or relying on someone to hold the door open by walking just behind them
What is an electronic monitoring attack
The attacker observes password hashes on the network
What is an offline dictionary attack and how do you counter it
The attacker obtains a copy of the password file and compare its password hashes with those of common passwords Counter by: - Preventing unauthorised access to the password file using intrusion prevention - Ensure passwords and hashed and salted - Use intrusion detection to detect if the password file is compromised. If so re-issue passwords to all users immediately
What is a Workstation Hijacking attack and how do we counter it
The attacker seizes an unattended workstation Counter by automatically logging the workstation out after a period of inactivity. Or use intrusion detection to detect a change in user activity
What is an amplification attack
The attacker sends packets with a spoofed source address of the target to the broadcast address of high capacity network services. So it goes to all machines on the network, making all machines send a response to the "victim" machine
What is a reflection attack
The attacker sends packets with the spoofed source address of the target to high capacity network services. So that the response from the server actually goes to the desired target
What is a User Mistake Attack and how do we counter it
The attacker takes advantage of lazy password disclosure such as writing the password on a post-it note, passwords being shared with colleagues or using social engineering tactics to trick a user into disclosing their password Counter by training users, using simpler passwords in addition to another authentication method. Intrusion detection can also be applied to
What is a password reuse attack and how do we counter it
The attacker takes advantage of password reuuse Counter by forbidding the same or similar passwords on devices within your network
What is a specific account attack and how do we counter it
The attacker tries likely passwords against specific system identifiers Counter by adding a lockout counter to lock access to an account after a certain number of attempts
How do polymorphic viruses conceal themselves
The code is rearranged whilst maintaining functionality.
What is meant by An Investigatory Powers Commissioner in the Investigatory powers act
The commissioner and judicial commissioners approve warrants for legalised hacking and handle and issues that arise from implementation of the act
What is the structure of the linux firewall
The hocks (blue dots) represent places that we can apply rules
What is most often the weakest link in a security system
The human element
Why does the internet not provide confidentiality
The internet provides no encryption. Communications can be intercepted and observed
What is the key distribution problem
The issue with encryption algorithms is how do we distribute the shared key securely. This is the weakness as most algorithms have been proven to be impossible to break
What is the benefit of longer salts
The longer the salt the more possible combinations so the hacker will have to calculate even more possible hashes for each password they want to check against your file.
What is the idea behind the cloud computing wheel of reincarnation
The potential idea that cloud computing could come out of fashion if a big provider has an issue and there is a rush to remove data from the cloud and bring it back on-prem
What is the design principle of least astonishment
The program should always respond in away that is least likely to astonish the user Security mechanisms should intuitively map to security goals in a way that is obvious to the user
Define Computer Secuirty
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity of availability and confidentiality of information system resources
What is an attack surface
The reachable and exploitable vulnerabilities in a system
What is a return link
The return address for a function will be stored in a register. Then a return instruction will jump to the location pointed to by that register
What is the Risk of "Data loss or leakage" in cloud computing and how to we counter it
The risk that data could be lost or leaked from the cloud Counter this by using access control for data in your storingand encryption for any data in transit
What is the Risk of "Abuse and nefarious" in cloud computing and how to we counter it
The risk that the cloud service could be used for spamming, DoS, password cracking etc. Counter by having more checks on registation and monitoring the usage of your services
What is the Do stage in risk assessment
The risk treatment plan is implemented
What is a UDP flooding attack
The server responds to a UDP packet from a usually spoofed client
What would an unavailable information system do
The system is essentially unusable. Either by being impossible to use or impractically slow
What is the Risk of "Shared Infrastructure" in cloud computing
The threat of every virtual machine not being fully isolated on multi-tenanted hardware. So if 1 virtual machine crashes this will have an effect on the physical machine that is running many tenants virtual machines. Either slowing down or crashing these machines
What is the propagation phase of a virus
The virus copies itself elsewhere e.g. searching a computer for all word documents and attaching itself to all of them
What is the purpose of a lock and what are the different types
Their purpose is to delay in intruder. The types are: - Mechanical (key) - Combination (code) - Cipher locks (code/card) - Biometric locks
How are botnets controlled
There is a botnet hierarchy which allows herders to control their botnet by sending or hiding encrypted messages to give commands to botnet control machines that then pass on the commands to the botnet
What is a Rainbow table
This is where you calculate the hashes of a large dictionary of passwords. Then compare the hashes of the dictionary to those found in a password file
What are heartbeats
They are a way for a client and server to make sure that the other is still alive The client sends a message out and the server should echo back the same message
Why are external consults preferred over internal consultants for risk assessments
They have no conflict of interest
What are trademarks
They protect the words, logos and slogans used to identify a company and its products or services
How should audits be done on an OS
They should be taken against a baseline
What is the ChangeCiperSpec message in the handshake protcol
This causes a switch to the chosen symmetric encryption algorithm using the shared secret key as the symmetric key. This is secure because the key was transmmitted via public key encryption so nobody other than the client or server has access to the key.
What is platform as a service
This is when your purchasing time on a PC with specific software installed such as web servers or database
What is software is a service. What is the advantage of this for the company providing the software
This provides entire applications. You rent access to specific applications that are held and run on computers in the cloud. The advantage of this is that the company can update the software and everyone will have the update. It also removes the possibility for piracy as the produce is online only
What is Infrastructure as a Service
This provides virtual computing infrastructure. Known as "bare" systems so nothing is installed on them You will most likely even have to install an operating system
How can we improve on the design of polymorphic viruses
We encrypt the virus and use a "mutation engine" to do the encryption which alters itself after every propagation
Why is spear phishing so uncommon
it has a high time investment, uncertain results and stakes that often aren't very high generally only a small amount of money
Why should you implement Mandatory vacations for staff
When someone takes a holiday somebody else has to fill in for them. This will expose any illicit activity that the employee might be engaging in
What is the dormant phase of a virus
When the virus is attached to the host software but it is idle, waiting for some event to occur
How are modern networks designs
With a single point of entry/exit. Where both inbound and outbound traffic is monitored by a firewall
What is the fine for breaching GDPR
a fine of 4% of annual turnover
What is an apprentice hacker
a hacker with minimal technical skills that relies on attack toolkits a "script kiddie" These hackers are responsible for the highest volume of attacks, but their attacks are easiest to defend against
What is an attack kit
aka crimeware, these allow for construction of sophisticated worms right out of the box and come with full support
Give examples of copyright voilations
bypassing license restrictions or Digital Rights Management Systems (DRM)
What is Symmetric encryption
encryption and decryption are done with the same shared key
What is an attack
it is a threat carried out
What would a loss of confidentiality mean
that information has been disclosed without authorisation
Why are encrypted viruses often detected
the encryption key has to be visible (unencrypted) to decrypt the virus making it easily detectable by anti-virus software
What is "initial access" in terms of intruder behaviour
the intruder probes for vulnerabilities For example an open port were a weak server is listening
How do honeypots collect information
they have sensitive monitors and event loggers that detect accesses and collect information
Give examples of patent violations.
unauthorised or unlicensed use of algorithms or procedures