FINAL EXAM 3423

Ace your homework & exams now with Quizwiz!

Truly Random Password

- Almost impossible to memorize - Must be written down - Long - Password policies

Key implementation areas for secure software

- Architecture - Authentication - Session Management - Access Controls and Authorization - Event Logging - Data Validation

How to prevent Buffer Overflow?

- Avoid using library files - Filter user input - Test applications

These can increase the number of possible passwords combinations

- Broader character set - Password length

How to counter SQL injection attack?

- Constrain and sanitize input data - Use type-safe SQL parameters for data access - Use an account w/ restricted permissions in database - Avoid disclosing database error info to user

Image Backup

- Everything, including programs and settings - Very slow - Data files change rapidly, so do several file data backups for each image backup

Characteristics of RAID

- Increased reliability and performance A single hard drive failure won't always cause data loss Multiple disks can be written to simultaneously

Scripting languages for mobile code

- JavaScript (not scripted form of Java) - VBScript (Visual Basic scripting from Microsoft

Appropriate Use of a Super User Account

- Log in as ordinary user - Switch to super user when needed - Revert to ordinary when super privileges are no longer needed

The Key Principle in Application Security Threats

- NEVER trust user input - Filter user input for inappropriate content

How to assign permissions in Windows

- Rightclick on file/directory - Select Properties -> Security - Select user/group - Select 6 standard permissions (permit/deny) - 13 special permissions for better control

Characteristics of a script

- Series of commands in scripting language - Usually invisible to users

Webserver Attacks

- Website Defacement - IIS buffer overflow (can take over computer) - IIS directory traversal AKA ../ attack AKA directory climbing (exploits lack of security rather than bug in code)

Custom Applications

- Written by a firm's programmers - Not securely coded - SECURITY THREAT

Current Top 5 Issues

1. Unvalidated Input 2. Broken Access Control 3. Broken Authentication and Session Management 4. Cross Site Scripting Flaws 5. Buffer Overflows

Shadowing

A backup copy of each file being worked on is written every few minutes to the hard drive, or to another location

What is a Host?

Anything with an IP address (it can be attacked)

Dictionary Attacks

Attacker encrypts every word in a dictionary - Common words are cracked instantly (people, pets, music, profanity, slang, dates, etc.)

What is Mirroring?

Creating an exact copy of a disk at the same time; normal speed, no data loss but more costly

Destroying

Data Recoverable?: No Media Reusable?: No Data Deletion Method: Shred, melt, pulverize, etc.

Wiping/Clearing

Data Recoverable?: No Media Reusable?: Yes Data Deletion Method: Disk wiping software or encrypt

Nominal Deletion

Data Recoverable?: Yes Media Reusable?: Yes Data Deletion Method: Delete key

Basic File Deletion

Data Recoverable?: Yes, with software Media Reusable?: Yes Data Deletion Method: Empty Recycle Bin

RAID Level NONE

Disks Needed: 1 Parity: No Striping: No Redundancy: No Data Transfer Speed: Normal

RAID Level 1 (Mirroring)

Disks Needed: 2 Parity: No Striping: No Redundancy: Yes Data Transfer Speed: Normal

RAID Level 0 (Striping)

Disks Needed: 2 Parity: No Striping: Yes Redundancy: No Data Transfer Speed: Very fast

RAID Level 5 (Distributed Parity)

Disks Needed: 3 Parity: Yes Striping: Yes Redundancy: Yes Data Transfer Speed: Fast read, slow write

An ___ takes advantage of a vulnerability

Exploit

Scope of Backup

Fraction of information on the hard drive that is backed up

Restoration Order

Full backup goes first, then restore incremental backups in the order created

What is Active-X from Microsoft?

Highly dangerous because it can do almost everything

Inheritance of Permission

If 'include inheritable permissions from object's parent' is checked in the security tab, the directory receives permissions of the parent directory (checked by default)

Full Backups

Includes all files and directories and is slow so is done weekly

Cross-site scripting (XSS) attack

Injects scripts into a web application server that will then direct attacks at clients.

Buffer Overflow Attack

Inputting so much data that the input buffer overflows, overwriting an adjacent section of RAM

Client-Side Scripting (Mobile Code) include

Java applets and Active X

Advantage/disadvantage of rainbow tables

Less time to crack, more memory used

Rainbow Tables

List of pre-computed password hashes

What is a redundant array of independent disks (RAID)?

Multiple hard drives within a single system

Types of Deletion

Nominal Deletion Basic File Deletion Wiping/Cleaning Destroying

Incremental Backups

Only records changes made since last backup and is FAST so is done daily; do these between full backups

What does OWASP stand for?

Open Web Application Security Project

What does OWASP provide?

Publications, Software, and Local Chapters

RAID

Redundant Array of Independent Disks

Generations

Save several generations of full backups; do not save incremental backups after the next full backup

Vulnerabilities

Security weaknesses that open a program to attack

File/Directory Data Backup

Select data files and directories to be backed up; not good for programs

Examples of Hosts

Servers, clients (cellphone), Routers/Switches, Firewalls

What are Java applets?

Small Java programs that run in a sandbox to not affect system

Why are PC's major targets?

They have interesting information and can be attacked through the browser

Brute-Force

Try all possible passwords - Try 1-char passwords (e.g. a, b, c) - Try 2-char passwords (e.g. aa, ab, bb)

RAID levels

Ways of configuring multi-disk arrays

What kind of software does OWASP provide?

WebGoat, WebScarab, oLabs Projects, .NET Projects

How to switch to super user

Windows - RunAs UNIX - su

What is Striping?

Writing data simultaneously across multiple disks; very fast but not reliable, one disk failure causes complete data loss

How to prevent XSS attack?

an application needs to ensure that all variable output in a page is encoded before being returned to the end user

Information Triangulation

combination of two pieces of personal info can be used to create a third info to identify that person

Zero-day exploits

exploits that occur before fixes are released

SQL Injection Attack

inserting a malicious SQL query in input such that it is passed to and executed by an application program

Permissions

specify what the user or group can do or not do to files, directories, and subdirectories

Personally Identifiable Information (PII)

the name, postal address, SSN, photo, addresses, or any other information that allows tracking down the specific person who owns a device

Hybrid Dictionary Attacks

try simple modifications (mangling rules) of common words contained in a dictionary file - adding nums, l33tspeak, key patterns (qwertyuiop), deleting chars (pswrd)


Related study sets

Consumer Behavior Chapters 7-11 Test

View Set

Climate change and greenhouse gases

View Set

ch 10 Assessing and Responding to Fraud Risks

View Set

The scanning electron microscope

View Set