P1_L1-Chapter1- Security Mindset, P1_L2-Chapter10-Buffer Overflow, P1_L2-Chapter11-Software Security, P1_L3-Chapter12-Operating System Security, P1_L4-Chapter3-Authentication, P1_L7-Chapter5-Database Security, P1_L5-Chapter4_AccessControl, P2_L1-Chap...
TCP uses the _______ to establish a connection.
three-way handshake
The two criteria used to validate that a sequence of numbers is random are independence and _________ .
uniform distribution
If the only form of attack that could be made on an encryption algorithm is brute-force, then the way to counter such attacks would be to __________ .
use longer keys
In the context of biometric user authentication, explain the terms, enrollment, verification, and identification.
*Enrollment: Each individual who is to be included in the database of authorized users must first be enrolled in the system. *Verification: The user enters a PIN and also uses a biometric sensor. *Identification: The individual uses the biometric sensor but presents no additional information.
Define the terms false match rate and false nonmatch rate, and explain the use of a threshold in relationship to these two rates.
*False match rate: It measures the percent of invalid inputs which are incorrectly accepted. *False non-match rate: It measures the percent of valid inputs which are incorrectly rejected. By moving the threshold, the probabilities can be altered but note that a decrease in false match rate necessarily results in an increase in false non-match rate, and vice versa.
List and briefly describe the principal characteristics used for biometric identification.
*Facial characteristics *Fingerprints *Hand geometry *Retinal pattern *Iris *Signature *Voice
Explain the difference between a simple memory card and a smart card.
*Memory Card: Stores but does not process data. *Smart Card: Has a microprocessor, different types of memory, I/O ports, etc. May also have a crypto coprocessor and an embedded antenna.
List and briefly describe four common techniques for selecting or assigning passwords.
*User education *Computer-generated passwords *Reactive password checking: The system periodically runs its own password cracker and notifies the user if it was able to crack his or her password. *Proactive password checking: The user chooses a password based on rules given by the system (e.g., at least eight characters long, etc.)
List and briefly describe some administrative policies that can be used with a RDBMS.
+ Centralized administration: A small number of privileged users may grant and revoke access rights. + Ownership-based administration: The owner of a table may grant or revoke access rights to the table. + Decentralized administration: The owner of a table may grant or revoke authorization rights to other users, allowing them to grant or revoke access rights to the table.
List several software security concerns associated with writing safe program code.
+ Correct Algorithm Implementation + Ensuring that machine language corresponds to the algorithm + Correct interpretation of data values + Correct use of memory + Preventing race conditions with shared memory
List and briefly describe some of the defenses against buffer overflows that can be implemented when running existing, vulnerable programs.
+ Executable Address Space Protection: this is setting a no-execute bit in the Memory Management Unit (MMU) to tag pages of virtual memory as being nonexecutable. + Address Space Randomization: this is changing the address at which the stack or a library is located in a random manner for each process. + Guard Pages: These pages lie between critical regions of memory. Any attempt to access them results in the process being aborted.
What are disadvantages to database encryption?
+ Key management: Authorized users must have access to the decryption key for the data to which they have access. Because the database is typically accessible to a wide range of users, providing secure keys to selected parts of the database to authorized users is a complex task. + Inflexibility: When part or all of the database is encrypted, it becomes more difficult to perform record searching.
What types of resources are targeted by such attacks?
+ Network bandwidth + System resources + Application resources
What are the two main types of statistical databases?
+ Pure statistical databases: This type only stores statistical data. + Ordinary database with statistical access: In addition to the set of normal users, the database supports a set of statistical users, who are only permitted statistical queries. For these users, aggregate statistics based on the underlying raw data are generated in response to a user query.
List and briefly describe two approaches to inference prevention for a statistical database.
+ Query restriction: Rejects a query that can lead to a compromise. The answers provided are accurate. + Perturbation: Provides answers to all queries, but the answers are approximate.
List and briefly describe some of the defenses against buffer overflows that can be used when compiling new programs.
+ Using a modern high-level programming language + Safe Coding Techniques, such as range checks and using safe functions + Use of safe libraries + Stack Protection Mechanisms, e.g., checking the stack frame for corruption using a canary value
Define the terms database, database management system, and query language.
+ database: a structured collection of data stored for use by one or more applications. + database management system: suite of programs for constructing and maintaining the database and for offering ad hoc query facilities to multiple users and applications. + query language: provides a uniform interface to the database for users and applications.
List and briefly define categories of security services.
+Authentication +Access Control +Data Confidentiality +Data Integrity +Non-repudiation (Prevents either sender or receiver from denying a transmitted message) +Availability
What is the difference between passive and active security threats?
+Passive attacks have to do with eavesdropping on, or monitoring transmissions. Email, file transfers, and client/server exchanges are examples of transmissions that can be monitored. +Active attacks include the modification of transmitted data and attempts to gain unauthorized access to computer systems.
List and briefly define categories of passive and active network security attacks.
+Passive: Unauthorized Disclosure +Active: ---> Deception ---> Disruption ---> Usurpation (An event that results in control of system services or functions by an unauthorized entity)
Computer Security
___________________ is the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources.
List some possible sources of program input.
User keyboard entries, mouse entries, files, network connections, data supplied in the execution environment, configuration values, and values supplied by the operating system.
List and briefly describe the principal threats to the secrecy of passwords.
1) Offline dictionary attack: The attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords. If a match is found, the attacker can gain access by that ID/password combination. 2) Specific account attack: The attacker targets a specific account and submits password guesses until the correct password is discovered. 3) Popular password attack: A variation of the preceding attack is to use a popular password and try it against a wide range of user IDs. 4) Password guessing against single user: The attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. 5) Workstation hijacking: The attacker waits until a logged-in workstation is unattended. 6) Exploiting user mistakes: Strict policies force more complicated passwords, and the user is more likely to write one down because it is difficult to remember. An attacker may trick the user or an account manager into revealing a password (also: pre-configured passwords for system administrators are a threat). 7) Exploiting multiple password use: Attacks can also become much more effective or damaging if different network devices share the same or a similar password for a given user. 8) Electronic monitoring: If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping.
In general terms, what are four means of authenticating a user's identity?
1) Something the individual knows 2) Something the individual possesses 3) Something the individual is (static biometrics) 4) Something the individual does (dynamic biometrics)
Application security
1. Application configuration 2. Encryption technology
Restrictions on shell code
1. It must be position independent 2. It cannot contain any null values
Security maintenance
1. Monitor and analyze the log information 2. Perform regular backups 3. Recover from security compromises 4. Regularly test system security 5. Patch and update all critical software
The top 4 strategies of hardening measures
1. Whitelist approved applications 2. Patch third-party applications and OS vulnerabilities 3. Restrict administrative privileges 4. Create a defense-in-depth system
B. role
A ____ is a named job function within the organization that controls this computer system. A. user B. role C. permission D. session
High
A ________ level breach of security could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
subject
A __________ is an entity capable of accessing objects.
discretionary
A ___________ access control scheme is one in which an entity may be granted access rights that permit the entity, by its own volition, to enable another entity to access some resource.
Environment variables
A collection of string values inherited by each process from its parent that can affect the way a running process behaves
Trojan horse
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program
Worm
A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network, usually by exploiting software vulnerabilities in the target system
mandatory access control (MAC)
A concept that evolved out of requirements for military information security is ______ .
Define buffer overflow.
A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.
Define a denial-of-service attack.
A denial of service is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as CPU, memory, bandwidth and disk space.
vulnerability
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy is a(n) ____
Confidentiality
A loss of ___ is the unauthorized disclosure of information.
availability
A loss of _________ is the disruption of access to or use of information or an information system.
Regular expression
A pattern composed of a sequence of characters that describe allowable input variants
Define race condition. State how it can occur when multiple processes access shared memory.
A race condition occurs when multiple processes and threads compete to gain uncontrolled access to some resource. Without suitable synchronization of accesses, it is possible that values may be corrupted or changes lost.
Describe how a return-to-system-call attack is implemented and why it is used.
A return-to-system-call attack usually starts with a buffer overflow in which the return address on the stack is replaced by the address of another instruction, and an additional portion of the stack is overwritten to provide arguments to this function. This allows attackers to call preexisting functions without the need to inject malicious code into a program. It was developed to circumvent the nonexecutable stack limitation.
Input fuzzing
A software testing technique that uses randomly generated data as inputs to a program
Describe how a stack buffer overflow is implemented.
A stack buffer overflow occurs when the targeted buffer is located on the stack, usually as a local variable in a function's stack frame. The exploits include an unchecked buffer overflow resulting from the use of the C gets() function. The program tries to put more data into a byte array than it is allowed to hold, thus overwriting parts of the adjacent memory.
Virtualization
A technology that provides an abstraction of the computing resources used by some software, which thus runs in a simulated environment called the virtual machine
Macro virus
A type of virus that uses macro or scripting code, typically embedded in a document, and triggered when the document is viewed or edited, to run and replicate itself into other such documents
True
A user may belong to multiple groups
countermeasure
A(n) ________ is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that correct action can be taken.
inside attack
A(n) _________ is an attempt to learn or make use of information from the system that does not affect system resources.
The most important symmetric algorithms, all of which are block ciphers, are the DES, triple DES, and the __________.
AES
Adware
Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.
Application virtualization
Allows applications written for one environment to execute on some other operating system
______ attacks are a variant of reflector attacks and also involve sending a packet with a spoofed source address for the target system to intermediaries.
Amplification
True
An access right describes the way in which a subject may access an object.
attack
An assault on system security that derives from an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system is a(n)____
Code injection
An attack where the input includes code that is then executed by the system. Many of the buffer overflow examples discussed include a code injection component.
masquerade
An example of __________ is an attempt by an unauthorized user to gain access to a system by posing as an authorized user.
audit
An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy and procedures is a(n) ________________________ .
Audit
An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy and procedures.
Cross-site scripting attacks (XSS)
Another broad class of vulnerabilities, this concerns input provided to the program by one user that is subsequently output to another user
True
Any program that is owned by, and SetUID to, the "superuser" potentially grants unrestricted access to the system to any user executing that program.
What types of packets are commonly used for flooding attacks?
Any type of packet can be used in a flooding attack. Commonly used: ICMP, UDP or TCP SYN.
_______ bandwidth attacks attempt to take advantage of the disproportionally large resource consumption at a server.
Application-based
What types of programming languages are vulnerable to buffer overflows?
Assembly languages and C and its derivatives.
group
Basic access control systems typically define three classes of subject: owner, ___________ and world.
Keyloggers
Captures keystrokes on a compromised system
__________ is the scrambled message produced as output.
Ciphertext
Exploits
Code specific to a single vulnerability or set of vulnerabilities.
Logic bomb
Code inserted into malware by an intruder. A logic bomb lies dormant until a predefined condition is met; the code then triggers an unauthorized act
Downloaders
Code that installs other items on a machine that is under attack. It is normally included in the malware code first inserted on to a compromised system to then import a larger malware package
What are the two broad categories of defenses against buffer overflows?
Compile-time defenses, which aim to harden programs to resist attacks in new programs; run-time defenses, which aim to detect and abort attacks in existing programs
CIA triad
Confidentiality, Integrity, and Availability form what is often referred to as the _____.
DAC (Discretionary access control)
Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do.
MAC (Mandatory access control)
Controls access based on comparing security labels with security clearances. This policy is termed mandatory because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource.
RBAC (Role-based access control)
Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.
A buffer can be located _____ A. In the heap B. On the stack C. In the data section of the process D. All of the above
D. All of the above
A consequence of a buffer overflow error is _____ A. corruption of data used by the program B. unexpected transfer of control in the program C. possible memory access violation D. all of the above
D. All of the above
Security concerns that result from the use of virtualized systems include___ A. guest OS isolation B. guest OS monitoring by the hypervisor C. virtualized environment security D. all of the above
D. All of the above
The following steps should be used to secure an operating system: _____ A. test the security of the basic operating system B. remove unnecessary services C. install and patch the operating system D. all of the above
D. All of the above
The most important changes needed to improve system security are to __ A. disable remotely accessible services that are not required B. ensure that applications and services that are needed are appropriately configured C. disable services and applications that are not required D. all of the above
D. All of the above
Which of the following need to be taken into consideration during the system security planning process? A. how users are authenticated B. the categories of users of the system C. what access the system has to information stored on other hosts D. all of the above
D. All of the above
__ is a form of buffer overflow attack. A. Heap overflows B. Return to System call C. Replacement stack frame D. All of the above
D. All of the above
To defend against database inference attacks, we can apply ____ A. Perturbation B. Deidentification C. Anonymization D. All of the above
D. All of the above
Define defensive programming.
Defensive programming is a form of defensive design intended to ensure the continuing function of a piece of software in spite of unforeseeable usage of said software. A difference between defensive programming and normal practices is that nothing is assumed. All error states are accounted for and handled.
Public-key encryption was first publicly proposed by _________________ in 1976.
Diffie and Hellman
List and briefly define categories of security mechanisms.
+Encipherment +Digital Signature +Access Control +Data Integrity +Authentication Exchange +Trusted Functionality +Event Detection +Security Audit Trail
A DoS attack targeting application resources typically aims to overload or crash its network handling software. (True Or False)
F
Cryptanalytic attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. True or False
F
DoS attacks cause damage or destruction of IT infrastructures. (True Or False)
F
External devices such as firewalls cannot provide access control services. (True Or False)
F
Given sufficiently privileged access to the network handling code on a computer system, it is difficult to create packets with a forged source address. (True Or False)
F
Security labels indicate which system entities are eligible to access certain resources. (True Or False)
F
The advantage of a stream cipher is that you can reuse keys. True or False
F
The authentication function determines who is trusted for a given purpose. (True Or False)
F
Triple DES takes a plaintext block of 64 bits and a key of 56 bits to produce a ciphertext block of 64 bits. True or False
F
A view cannot provide restricted access to a relational database so it cannot be used for security purposes.
False
An attacker can generally determine in advance exactly where the targeted buffer will be located in the stack frame of the function in which it is defined.
False
External attacks are the only threats to database security
False
It is possible to write a compiler tool to check any C program and identify all possible buffer overflow bugs.
False
Security mechanisms typically do not involve more than one particular algorithm or protocol.
False
Shellcode is not specific to a particular processor architecture
False
The default configuration for many operating systems usually maximizes security.
False
Threats are attacks carried out. True or False
False
The "A" in the CIA triad stands for "authenticity". True or False
False. C-Confidentiality, I-Integrity, A-Availability
_____ attacks flood the network link to the server with a torrent of malicious packets competing with valid traffic flowing to the server.
Flooding
A runtime defense that can be used by placing these between critical regions of memory in the process address space
Guard pages
A _______ flood refers to an attack that bombards Web servers with HTTP requests.
HTTP
Exploiting overflows in buffers located elsewhere in the process address space. One possible target is a buffer located in memory dynamically allocated from the heap.
Heap overflows
What are the two key elements that must be identified in order to implement a buffer overflow?
Identification of a buffer overflow vulnerability that can be triggered using externally sourced data under the attacker's control; understanding of how that buffer will be stored in the process memory, and hence the potential for corrupting adjacent memory locations and potentially altering the flow of execution of the program.
What steps should be taken when a DoS attack is detected?
Identification of the type of attack, application of suitable filters to block the attack packets. In addition, an ISP may trace the flow of packets back in an attempt to identify the source.
List some problems that may result from a program sending unvalidated input from one user to another user.
If the input of a program includes unexpected content, and the content is not adequately sanitized by the program, then an attack from one user to another is possible (like XSS). Textual terminals used special character sequences to send messages or edit the text style, which made classic command injection attacks possible. Another issue here is that different character sets allow different encodings of meta characters, which may change the interpretation of what is valid output. If the display program is unaware of the specific encoding, unexpected problems will occur.
Why do many DoS attacks use packets with spoofed source addresses?
If there is a valid system at the spoofed source address, it will respond with a RST packet. However, if there is no system then no reply will return. In these cases the server will resend the packet a number of times before finally assuming the connection request has failed. In this period, the server is using an entry in its memory. If many connection requests with forged addresses are incoming, the memory fills up, making the server incapable of handling any more requests (not even legitimate ones).
State a problem that can occur with input validation when the Unicode character set is used.
In Unicode some characters have multiple encodings, for example '/' (the forward slash). The common check to prevent an absolute pathname is to ensure that the supplied filename does not start with /. If the check only assumes the shortest UTF-8 encoding of slash, then an attacker using one of the longer encodings could avoid this check.
FERPA (Family Educational Rights and Privacy Act)
In the United States, student grade information is an asset whose confidentiality is regulated by the __________.
SQL injection
In this attack, user-supplied input is used to construct a SQL request to retrieve information from a database
____ is the process of performing authorized queries and deducing unauthorized information from the legitimate responses received.
Inference
Explain the nature of the inference threat to a RDBMS.
Inference is the process of performing authorized queries and deducing unauthorized information from the legitimate responses received.
___ is a defense against SQL Injection attacks
Input validation
Software quality and reliability
Is concerned with the accidental failure of a program as a result of some theoretically random, unanticipated input, system interaction, or use of incorrect code
What is the OSI security architecture?
It defines a systematic approach for managers, describing a way of organizing the task of providing security.
What is a relational database and what are its principal ingredients?
It is a table of data, consisting of rows and columns, similar to a spreadsheet. The basic building block is a relation. Rows are referred to as tuples, and columns are referred to as attributes. A primary key is used to uniquely identify a row in a table.
Identify several issues associated with the correct creation and use of a lockfile.
It is purely advisory. If a program chooses to ignore the existence of the lockfile and access the resource, then the system will not prevent this. Implementation must be precise, otherwise race conditions will occur. The correct implementation is not to test separately for the presence of the lockfile, but always also to attempt to create it (atomic operation).
What is the primary defense against many DoS attacks, and where is it implemented?
Limiting the ability of systems to send packets with spoofed source addresses. An ISP knows which addresses are allocated to all its customers and hence can ensure that valid source addresses are used in all packets from its customers.
Auto-rooter
Malicious hacker tools used to
Virus
Malware that, when executed, tries to replicate itself into other executable machine or script code; when it succeeds, the code is said to be infected. When the infected code is executed, the virus also executes
Describe how a heap buffer overflow attack is implemented.
Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers.
__________ is a procedure that allows communicating parties to verify that received or stored messages are authentic.
Message authentication
usurpation
Misappropriation and misuse are attacks that result in ____________ threat consequences.
Hosted virtualization
More common in clients, they run alongside other applications on the host OS, and are used to support applications for alternate operating system versions or types
Full virtualization
Multiple full operating system instances execute in parallel. Each of these guest operating systems executes in its own VM on virtual hardware
A run of NOP instructions with the return address pointing somewhere in the middle, to deal with the inability to precisely determine the starting address of the attacker's code
NOP sled
______ relates to the capacity of the network links connecting a server to the wider Internet.
Network bandwidth
Can the openSSL heartbleed vulnerability be avoided with non-executable stack?
No
Does ASLR protect against read-only buffer overflow attacks?
No
Support from the processor's memory management unit to tag pages of virtual memory as being non-executable
No-execute bit
A generic restriction on the content of shellcode: it cannot contain any absolute address referring to itself, because the attacker generally cannot determine in advance exactly where the target buffer will be located in the stack frame of the function in which it is defined.
Position independent
Zombie, bot
Program activated on an infected machine that is activated to launch attacks on other machines
Define the principle of least privilege.
Programs should execute with the least amount of privileges needed to complete their function.
Hardening
Providing system security through planning, installation, configuration, update, and maintenance of the operating system and the key applications in use
Define a distributed denial-of-service attack.
Recognizing the limitations of flooding attacks generated by a single system, hackers invented tools for the use of multiple systems to generate attacks. This is called a distributed denial-of-service attack.
Injection attack
Refers to a wide variety of programming flaws related to invalid handling of input data. This problem occurs when program input data can accidentally or deliberately influence the flow of execution of the program
A variant of stack overflow, this attack overwrites the buffer and saved frame pointer address. The saved frame pointer value is changed to refer to a location near the top of the overwritten buffer, where a dummy stack frame has been created with a return address pointing to the shellcode lower in the buffer
Replacement stack frame
Canonicalization
Replacing alternate, equivalent encodings by one common value
A variant attack in which the return address is changed to jump to existing code on the system
Return to system call
_______ is a text-based protocol with a syntax similar to that of HTTP.
SIP
The ______ attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections.
SYN spoofing attack
False
Security labels indicate which system entities are eligible to access certain resources.
The standard protocol used for call setup in VoIP is the ________ Protocol.
Session Initiation
Rootkit
Set of hacker tools used after attacker has broken into a computer system and gained root-level access
Attack kit
Set of tools for generating new malware automatically using a variety of supplied propagation and payload mechanisms
List some of the different operations an attacker may design shellcode to perform.
Set up a listening service to launch a remote shell when connected to, create a reverse shell that connects back to the hacker, use local exploits that establish a shell, flush firewall rules that currently prevent other attacks.
Code supplied by an attacker and often saved in the buffer being overflowed, so the attacker can transfer execution of the program to the shellcode
Shell code
The function of _______ was to transfer control to a user command-line interpreter, which gave access to any program available on the system with the privileges of the attacked program
Shellcode
What restrictions are often found in a shellcode, and how can they be avoided?
Shellcode has to be position independent, cannot contain any NULL values. The first can be avoided using a tricky combination of CALL instructions to obtain the actual position. The second is avoided by using the XOR function of a register value with itself to generate zero values as the code runs.
Mobile code
Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics
Define the difference between software quality and reliability and software security.
Software quality and reliability is concerned with the accidental failure of a program as a result of some theoretically random, unanticipated input, system interaction, or use of incorrect code. Software security differs in that the attacker targets specific bugs that result in a failure that can be exploited by the attacker.
Spyware
Software that collects information from a computer and transmits it to another system by monitoring keystrokes, screen data, and/or network traffic; or by scanning files on the system for sensitive information.
Occurs when the targeted buffer is located on the stack, usually as a local variable in a function's stack frame
Stack buffer overflow/Stack smashing
A structure on the stack that stores the return address during a function call. It also stores local variables and the parameters passed to the function, and possibly saved register values too.
Stack frame
A cyberslam is an application attack that consumes significant resources, limiting the server's ability to respond to valid requests from other users. (True Or False)
T
A denial-of-service attack is an attempt to compromise availability by hindering or blocking completely the provision of some service. (True Or False)
T
A message authentication code is a small block of data generated by a secret key and appended to a message. True or False
T
An auditing function monitors and keeps a record of user accesses to system resources. (True Or False)
T
Modes of operation are the alternative techniques that have been developed to increase the security of symmetric block encryption for large sequences of data. True or False
T
Reliable input is an access control requirement. (True Or False)
T
SYN-ACK and ACK packets are transported using IP, which is an unreliable network protocol. (True Or False)
T
The SYN spoofing attack targets the table of TCP connections on the server. (True Or False)
T
The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner. (True Or False)
T
The secret key is input to the encryption algorithm. True or False
T
The source of the attack is explicitly identified in the classic ping flood attack. (True Or False)
T
Two of the most important applications of public-key encryption are digital signatures and key management. True or False
T
Define shellcode.
The act of transferring the execution to code supplied by the attacker that is often saved in the buffer being overflowed is known as shellcode. (Traditionally its function was to transfer the control to a command-line interpreter.)
Data
The assets of a computer system can be categorized as hardware, software, communication lines and networks, and _______________.
Data integrity
The assurance that data received are exactly as sent by an authorized entity is __________.
Define a reflection attack.
The attacker sends a network packet with a spoofed source address to a service running on some network server. The server (=reflector) responds to this packet, sending it to the spoofed source address that belongs to the actual attack target. This is then called a reflection attack.
object
The basic elements of access control are: subject, __________, and access right.
Operating systems hardening
The first critical step in securing systems: securing the base operating system upon which all other applications and services rely. 1. Initial setup and patching 2. Remove unnecessary services, applications, and protocols 3. Configure users, groups, and authentication 4. Configure resource controls using permissions 5. Install additional security controls 6. Test the system security
System security planning
The first step in deploying new systems
Authorization
The granting of a right or permission to a system entity to access a system resource. This function determines who is trusted for a given purpose
Describe the general concept of a challenge-response protocol.
The host generates a random number r and returns it to the user (=challenge). In addition, the host specifies two functions, a hash function h() and another function f(), to be used in the response. The user calculates f(r', h(P')), where r' = r and P' is the user's password. When the response arrives, the host compares the incoming result to the calculated f(r, h(P)) and if it matches the user is authenticated. Advantages: Only the hashes of the passwords have to be stored and they do not have to be transmitted directly, so they cannot be captured during transmission.
What is the goal of a flooding attack?
The intent is to overload the network capacity on some link to a server, and may aim to overload the server's ability to handle and respond to traffic.
XSS reflection
The most common variant, here the attacker includes malicious script content in data supplied to a site. If this content is subsequently displayed to other users without sufficient checking, they will execute the script, assuming it is trusted to access any data associated with that site. An example would be a guestbook program.
True
The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner.
Defensive or secure programming
The process of designing and implementing software so that it continues to function even when under attack
Define computer security.
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, information, data...).
Return-to-libs
The return address is overwritten to point to a standard library function
Identify several concerns associated with the use of environment variables by shell scripts.
The security concern for a program is that these provide another path for untrusted data to enter a program and hence need to be validated. An attacker could alter the PATH variable and prepend his own directory where he puts a program called grep. Whenever a shell script calls 'grep', the attacker's program is executed rather than the program installed on the system. Dynamic linking in combination with environment variables also introduces another target for an attack. The attacker constructs a custom version of a common library, placing the desired attack code in a function known to be used by some target, dynamically linked program. Then, by setting the LD_LIBRARY_PATH variable to reference the attacker's copy first, it is executed as soon as the program is run, with the privileges of the program.
Identify several issues associated with the correct creation and use of a temporary file in a shared memory
The temporary file must not be accessed by another process. An attacker could guess the name of the temporary file and create it between the time the program checks whether it exists and the time it subsequently creates it. The program could be redirected and would then overwrite an existing file. Thus the use of secure system calls is advised to avoid race conditions.
Define an injection attack. What are the general circumstances in which injection attacks are found?
The term injection attack refers to a wide variety of program flaws related to invalid handling of input data. Specifically, this problem occurs when program input data can accidentally or deliberately influence the flow of execution of the program. This most often occurs when using scripting languages such as perl, PHP, python and many others. Three different types: command injection, SQL injection, code injection.
How many primary keys and how many foreign keys may a table have in a relational database?
The value of a primary key must be unique, a foreign key value can appear multiple times in a table.
What do the terms slashdotted and flash crowd refer to? What is the relation between these instances of legitimate network overhead and the consequences of a DoS attack?
These terms refer to the following occurrence: a posting on the well-known Slashdot news aggregation site often results in overload of the referenced server system. There is very little that can be done to prevent this type of either accidental or deliberate overhead. The provision of excess network bandwidth is the usual response.
Define an amplification attack.
They differ from reflection attacks in that they generate multiple response packets for each original packet sent. This can be achieved by directing the original request to the broadcast address for some network. As a result, all hosts will respond, generating a flood of responses.
What defenses are possible to prevent an organization's system being used as intermediaries in an amplification attack?
They should have implemented antispoofing, directed broadcast and rate limiting filters. In addition, they should have some form of automated network monitoring and intrusion detection system.
State the main technique used by a defensive programmer to validate assumptions about program input.
They use regular expressions to describe allowable input variants. Input not matching the given criteria may be rejected. Alternatively, the data may be altered to conform. This generally involves escaping metacharacters to remove any special interpretation.
Describe what a NOP sled is and how it is used in a buffer overflow attack.
This is a mechanism to determine the starting address of the code the attacker wants to execute. The attacker can exploit the fact that the code is often much smaller than the space available in the buffer. By placing the code near the end of the buffer, the attacker can pad the space before it with NOPs. Because these instructions do nothing, the attacker can specify the return address used to enter this code as a location somewhere in this run of NOPs, which is called a NOP sled. This allows the attack to succeed even if the attacker's guess of the actual buffer address is not precise.
Describe how a global data area overflow attack is implemented.
This attack involves buffers located in the program's global (or static) data area. If unsafe buffer operations are used, data may overflow a global buffer and change adjacent memory locations, including one with a function pointer. Later the attacked program may call the overwritten function pointer and will transfer control to shellcode of the attacker's choice.
Define input fuzzing. State where this technique should be used.
This is a software testing technique that uses randomly generated data as inputs to a program. The range of input that may be explored is very large. Inputs include direct textual or graphic input to a program, random network requests directed at a Web server, or random parameter values passed to standard library or system functions. The intent is to determine whether the program handles the input correctly or whether it fails to respond appropriately.
Define a cross-site scripting attack. List an example of such an attack.
This vulnerability involves the inclusion of script code in the HTML content of a Web page displayed by a user's browser. The script code could be in JavaScript, ActiveX, Flash etc. To support some categories of Web applications, script code may need to access data associated with other pages currently displayed by the user's browser. XSS attacks attempt to exploit this feature and try to bypass the browser's security checks to gain elevated access privileges to sensitive data belonging to another site. These data can include page contents, session cookies, and a variety of other objects. In XSS reflection, the attacker includes a malicious script in the contents of a site, e.g. a guestbook or wiki. Other users that view this site will execute this script, assuming it is trusted to access any data associated with that site.
A malicious driver can potentially bypass many security controls to install malware.
True
ASLR can prevent return-to-libc attacks.
True
Access control is the central element of computer security. (True Or False)
True
Availability assures that systems works promptly and service is not denied to authorized users. True or False
True
Computer security is essentially a battle of wits between a perpetrator who tries to find holes and the administrator who tries to close them. True or False
True
Computer security is protection of the integrity, availability, and confidentiality of information system resources. True or False
True
Data integrity assures that information and programs are changed only in a specified and authorized manner.
True
Each layer of code needs appropriate hardening measures in place to provide appropriate security services.
True
It is possible for a system to be compromised during the installation process.
True
Many computer security vulnerabilities result from poor programming practices
True
Performing regular backups of data on a system is a critical control that assists with maintaining the integrity of the system and user data.
True
Software security is closely related to software quality and reliability, but with subtle differences.
True
Symmetric encryption is used primarily to provide confidentiality. True or False
True
The OpenSSL heartbleed vulnerability would have been prevented if OpenSSL had been implemented in Java.
True
The first step in devising security services and mechanisms is to develop a security policy.
True
The more critical a component or service, the higher the level of availability required. True or False
True
To exploit any type of buffer overflow the attacker needs to identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker's control.
True
Native virtualization
Typically seen in servers, with the goal of improving the execution efficiency of the hardware
Flooders (DoS client)
Used to generate a large volume of data to attack networked computer systems, by carrying out some form of denial-of-service (DoS) attack
Spammer programs
Used to send large volumes of unwanted e-mail
What are two common techniques used to protect a password file?
Use of hashed passwords and a salt value. The salt is stored in plaintext together with the hash of (salt + password). Password file access control: the hashed passwords are kept in a separate file from the user IDs, referred to as the shadow password file. Only privileged users have access to this file.
Explain the concept of cascading authorizations.
Users may grant other users rights they have to certain tables. The new users may pass on the rights to other users and so on.
What defenses are possible against TCP SYN spoofing attacks?
Using a modified version of the TCP connection handling code, where the connection details are stored in a cookie on the client computer rather than the server.
What architecture does a distributed denial of service attack typically use?
Usually a botnet consisting of infected zombie PCs under the control of a hacker is used. Usually a small number of systems act as handlers controlling a much larger number of agent systems that ultimately launch the attack.
Authentication
Verification that the credentials of a user or other system entity are valid.
Memory leak
When a program fails to correctly manage the process of dynamically allocating memory to store data, and releasing it when done
Command injection attack
When input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server
Race condition
When multiple processes and threads compete to gain uncontrolled access to some resource
Least privilege
When programs execute with the least amount of privileges needed to complete their function; this is widely recognized as a desirable characteristic of a secure program
Privilege escalation
When the attacker is able to execute code with the privileges and access rights of the compromised program or service, and these privileges are greater than those already available to the attacker
______ applications is a control that limits the programs that can execute on the system to just those in an explicit list.
White Listing
access control
X.800 defines ___ as the prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.
Do stack canaries prevent return-to-libc buffer overflow attacks?
Yes
System Integrity
__ assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
Privacy
__ assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
A. MAC
__ controls access based on comparing security labels with security clearances. A. MAC B. DAC C. RBAC D. MBAC
A. Authorization
__ is the granting of a right or permission to a system entity to access a system resource. A. Authorization B. Authentication C. Control D. Monitoring
A. Constraints
___ provide a means of adapting RBAC to the specifics of administrative and security policies in an organization. A. Constraints B. Mutually Exclusive Roles C. Cardinality D. Prerequisites
Discretionary
__________ access control controls access based on the identity of the requestor and on access rules stating what requestors are or are not allowed to do.
Role-based
__________ access control controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.
DAC
__________ is the traditional method of implementing access control.
Authentication
__________ is verification that the credentials of a user or other system entity are valid.
D. Access control
___implements a security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance. A. Audit control B. Resource control C. System control D. Access control
Atomic operation
A characteristic of an operation that is seen, from any other thread, as a single, non-splittable operation. That means that any other thread will either see the value before the assignment or after the assignment, but never the intermediate value in between.
Drive-By-Download
an attack using code in a compromised Web site that exploits a browser vulnerability to attack a client system when the site is viewed
Backdoor (trapdoor)
any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality in a program, or onto a compromised system
The ICMP echo response packets generated in response to a ping flood using randomly spoofed source addresses is known as _______ traffic.
backscatter
A _________________ processes the plaintext input in fixed-size blocks and produces a block of ciphertext of equal size for each plaintext block.
block cipher
There are two general approaches to attacking a symmetric encryption scheme: cryptanalytic attacks and _______________________ attacks.
brute-force
A condition at an interface under which more information can be placed into a buffer or data holding area than the capacity allocated, overwriting other information
buffer overflow
State the similarities and differences between command injection and SQL injection attacks.
Command injection: the input is used in the construction of a command that is subsequently executed by the system with the privileges of the program. SQL injection: in this attack the user-supplied input is used to construct a SQL request to retrieve information from a database. Both injection methods exploit the fact that the user-supplied input is insufficiently checked.
What are the possible consequences of a buffer overflow occurring?
corruption of data used in the program, unexpected transfer of control in the program, memory access violations, eventual program termination
Shell code
creates a shell which allows it to execute any code the attacker wants
A _________________ attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used.
cryptanalytic
Heap overflows
data stored in the heap is overwritten. Data can be tables of function pointers.
The ________________ algorithm takes the ciphertext and the secret key and produces the original plaintext.
decryption
The __________ is the encryption algorithm run in reverse.
decryption algorithm
On average, __________ of all possible keys must be tried in order to achieve success with a brute-force attack.
half
The purpose of a __________ is to produce a "fingerprint" of a file, message, or other block of data.
hash function
Hypervisor/virtual machine monitor
manages guest OSs
The original message or data that is fed into the algorithm is __________.
plaintext
A ______ triggers a bug in the system's network handling software causing it to crash and the system can no longer communicate over the network until this software is reloaded.
poison packet
OpenSSL Heartbleed vulnerability
Reads much more of the buffer than just the data, which may include sensitive data.
During a ______ attack, the attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system and when the intermediary responds, the response is sent to the target.
reflection
Requests and _______ are the two different types of SIP messages.
responses
Using forged source addresses is known as _________.
source address spoofing
Bots starting from a given HTTP link and then following all links on the provided Web site in a recursive way is called _______.
spidering
In reflection attacks, the ______ address directs all the packets at the desired target and any responses to the intermediary.
spoofed source
List the three distinct types of locations in a process's address space that buffer overflow attacks typically target.
stack, heap or data section of a process
A _________________ processes the input elements continuously, producing output one element at a time.
stream cipher
Also referred to as single-key encryption, the universal technique for providing confidentiality for transmitted or stored data is _______________________ .
symmetric encryption