IT 4823 Test 1


List the three pieces to the attacker's triad. Specify which information security property they are a violation of

Disclosure (violates confidentiality); alteration (violates integrity); denial (violates availability).

Briefly describe how the techniques of public key cryptography can be used to implement a digital signature. Be sure you distinguish correctly the use of public and private keys

To sign, the sender computes a hash of the message and transforms (encrypts) that hash with the sender's own private key; the result is the signature, sent along with the message. Anyone can verify it by applying the sender's public key to the signature and comparing the recovered hash with a fresh hash of the received message. Only the holder of the private key could have produced the signature, and anyone with the public key can check it. (Encrypting a message with the recipient's public key so that only the recipient's private key can decrypt it provides confidentiality, not a signature.)

Explain the principle of least privilege.

A user (or program) is granted only the minimum rights needed to complete the tasks required of them, and nothing more, so that a mistake or a compromise of that user can do only limited damage.

What does secure mean?

A system that does what it is intended to do and nothing else

Distinguish between authentication and authorization.

Authentication verifies that you are who you claim to be, using something like a password, a biometric, or a smart card. Authorization comes after authentication and decides what an authenticated identity is permitted to do (which resources it may access and which operations it may perform).

Why is blocking ICMP useless?

Blocking ICMP does not hide a host: an attacker who gets no reply to an ICMP echo (ping) can still discover the host by probing its TCP or UDP ports, so it gains no security. It also breaks legitimate functions that rely on ICMP, such as path MTU discovery and error reporting, which is why well-managed routers and firewalls let the necessary ICMP types through.

In the United States, organizations sometimes use Social Security Number or a part of it as an authenticator (<- Note as an "authenticator" as opposed to "identifier"). Is this a good or bad idea? Explain your answer.

Bad idea. An authenticator must be a secret known only to the user and the verifier, and an SSN is not secret: it is shared with employers, banks, schools, medical providers and many databases, so it is widely known and frequently leaked. Unlike a password, it cannot be changed once compromised. Every organization that uses it as an authenticator must also store it, so each of their breaches exposes the one "secret" that all the others rely on. An SSN may serve as an identifier, but never as proof of identity.

Distinguish between computationally secure and absolutely secure encryption.

Computationally secure encryption can in principle be broken, but the cost in time and computing resources exceeds the value of the information, or the information is worthless by the time the attack could finish. Absolutely (unconditionally) secure encryption gives the attacker no information about the plaintext no matter how much computing power is applied; only the key reveals the message. The one-time pad is the only common example of the second kind.

Name and briefly describe the three properties of information security (Hint: three-letter agency.)

Confidentiality - information is not disclosed to unauthorized parties; Integrity - information is not modified or destroyed by unauthorized parties (or by accident); Availability - authorized users can access the information and services when they need them.

The recent data breach that occurred to the Office of Personnel Management (OPM) in which millions of federal employees' personal information were disclosed to unauthorized individuals is a violation of which one of the three properties of information security? Explain why it is NOT a violation of the others.

Confidentiality: personal information was disclosed to unauthorized parties. It is not an integrity violation because the records were copied, not altered or destroyed; OPM's data remained correct. It is not an availability violation because OPM and its authorized users could still access the data; copying it denied no one service.

What is the difference between identification and authentication?

Identification asks you who you are (traditionally a username). Authentication asks you to prove it (traditionally a password).

If an error is made in assigning access rights, a default deny policy is safer in terms of security than a default permit policy. Explain why.

Under default deny, anything not explicitly permitted is blocked, so a forgotten or mistyped rule leaves something legitimate unreachable; users notice, complain, and the mistake gets fixed. Under default permit, the same mistake silently leaves something exposed, and nobody may notice until it is abused. Failing closed is inconvenient but safer than failing open.

Distinguish between mandatory access control and discretionary access control.

Mandatory access control: access decisions are made by a system-wide policy (typically security labels on objects and clearances for subjects) that the system enforces and that the owner of an object cannot override or relax. Discretionary access control: the owner of an object decides who may access it and how, for example through Unix file permissions or an access control list.
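As an added example (not part of the study set), the following Python models the two previous answers together: an access check that denies whenever no rule matches, beside the default-permit variant, and a mandatory label check that an owner's discretionary grant cannot override. The users, files, labels and the Bell-LaPadula-style read/write rules are assumptions made for the example.

```python
# Added example: default-deny vs default-permit, and MAC layered over DAC.
# Users, files, labels and the ACL below are constructed for illustration.

# Ordered sensitivity labels used by the mandatory policy (assumed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Discretionary part: whatever each object's owner granted.
# ACL[object][subject] -> set of actions. "buget.xlsx" is a deliberate typo
# standing in for the kind of mistake the default-deny question is about.
ACL = {
    "payroll.xlsx": {"bob": {"read"}, "carol": {"read", "write"}},
    "buget.xlsx": {"carol": {"read"}},          # owner meant "budget.xlsx"
    "handbook.pdf": {"bob": {"read"}, "carol": {"read", "write"}},
}

# Mandatory part: labels and clearances set by the system, not by owners.
LABELS = {"payroll.xlsx": "secret", "budget.xlsx": "confidential", "handbook.pdf": "internal"}
CLEARANCE = {"bob": "internal", "carol": "secret", "dave": "confidential"}


def dac_default_deny(subject, obj, action):
    """Discretionary check: allowed only if the owner granted this exact right.
    An object with no entry, or a subject with no entry, is denied."""
    return action in ACL.get(obj, {}).get(subject, set())


def dac_default_permit(subject, obj, action):
    """Same ACL, but an object with no entry at all is open to everyone.
    This is the unsafe policy the question contrasts against."""
    if obj not in ACL:
        return True
    return action in ACL[obj].get(subject, set())


def mac_allows(subject, obj, action):
    """Mandatory check in the Bell-LaPadula style (an assumption of this example):
    read requires clearance >= label, write requires clearance <= label."""
    clearance = LEVELS[CLEARANCE[subject]]
    label = LEVELS[LABELS[obj]]
    if action == "read":
        return clearance >= label
    if action == "write":
        return clearance <= label
    return False


def allowed(subject, obj, action, dac=dac_default_deny):
    """MAC and DAC must both say yes; an owner's grant cannot override a label."""
    return mac_allows(subject, obj, action) and dac(subject, obj, action)


if __name__ == "__main__":
    # Carol granted bob read on payroll.xlsx, but bob's clearance is too low.
    print("bob reads payroll (DAC yes, MAC no):", allowed("bob", "payroll.xlsx", "read"))
    # Carol's typo: under default deny even she cannot read budget.xlsx and will notice.
    print("carol reads budget, default deny:", allowed("carol", "budget.xlsx", "read"))
    # Under default permit the same typo silently opens the file to dave.
    print("dave reads budget, default permit:",
          allowed("dave", "budget.xlsx", "read", dac=dac_default_permit))
```

Run as a script the three lines print False, False, True: the label blocks bob despite the owner's grant, the typo fails closed under default deny, and the same typo fails open under default permit.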

What are the three goals of information security professionals?

Prevention; detection; response and recovery.

Name the three things related to security that the McCumber Model is intended to cause us to think about. (Hint: What do the three faces of that cube represent?)

The information security properties (confidentiality, integrity, availability); the states information can be in (storage, transmission, processing); and the safeguards that protect it (technology, policy and practice, and people through education and training).

In the context of password storage, what is a salt? In a sentence or two, explain how a salt can make password storage more secure.

A salt is a random value generated for each password and stored alongside the hash; the password and salt are hashed together. Because every user's salt is different, identical passwords produce different hashes, so an attacker cannot use precomputed tables (rainbow tables) and cannot attack all accounts with one pass; each hash must be cracked separately.

What are the three "factors" that can be used in authentication? (Just name them.)

Something you know. Something you have. Something you are.

Name and briefly describe any one of the four types of attacks on passwords that we discussed in class.

Specific account attack: The attacker targets a specific account and guesses different password combinations until the correct password is entered

Is the data encryption standard (DES) suitable for encrypting sensitive material? Why or why not?

No. DES uses a 56-bit key, and that key space can be searched exhaustively with modern hardware in hours to days (a public brute-force break was first demonstrated in 1998), so anything worth protecting should use a modern cipher such as AES.

Explain in detail how "wrapping" a public key in a digital certificate makes it much more difficult to tamper with than the same public key alone. (Note: This question is asking about the properties of the digital certificate, not the trustworthiness of the certificate authority.)

A certificate binds the principal's identity, the public key, and the identity of the signer (issuer) together, and the issuer signs that whole bundle with the issuer's private key; the digital signature is the fourth component. A bare public key can be swapped for an attacker's key with nothing to show for it, but changing any field of the certificate, including the key, changes the data the signature covers, so the signature no longer verifies. Producing a new valid signature over the altered fields would require the issuer's private key, which the attacker does not have, so tampering is detectable by anyone holding the issuer's public key.
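As an added example that is not part of the study set, the Python below implements the two public-key answers above: hash-then-sign with a private key, verification with the public key, and a certificate whose signature fails the moment any field is altered. It uses textbook RSA built from Mersenne primes (2^61-1, 2^89-1, 2^107-1, 2^127-1), chosen only because they are known primes; that choice, the "Toy CA", and the JSON certificate layout are assumptions of the example, not of the page. Real keys are at least 2048 bits, use padding such as RSA-PSS, and come from a vetted library.

```python
import hashlib
import json

# Added example: textbook RSA used for signing, then the signature protecting a
# certificate. Toy parameters (assumption): Mersenne primes as p and q, no padding.
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))


def keygen(p, q, e=65537):
    """Return (public, private): public = (n, e), private = (n, d), d = e^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest(data):
    """SHA-224 as an integer; it stays below the toy modulus so no padding is needed."""
    return int.from_bytes(hashlib.sha224(data).digest(), "big")


def sign(private_key, data):
    """Signing uses the PRIVATE key: only its holder can produce this value."""
    n, d = private_key
    return pow(digest(data), d, n)


def verify(public_key, data, signature):
    """Verification uses the PUBLIC key: anyone can recover the digest and compare."""
    n, e = public_key
    return pow(signature, e, n) == digest(data)


def canonical(fields):
    """Deterministic byte encoding so signer and verifier hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(issuer_private, issuer_name, subject_name, subject_public):
    """Wrap a public key: identity + key + issuer, all covered by the issuer's signature."""
    body = {"subject": subject_name, "public_key": list(subject_public), "issuer": issuer_name}
    return {**body, "signature": sign(issuer_private, canonical(body))}


def check_certificate(issuer_public, cert):
    """Any change to subject, key or issuer changes the digest and the check fails."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return verify(issuer_public, canonical(body), cert["signature"])


# Constructed parties: a toy CA and Alice, whose public key the CA certifies.
CA_PUBLIC, CA_PRIVATE = keygen(M107, M127)
ALICE_PUBLIC, _ = keygen(M89, M61)


def demo():
    msg = b"transfer 100 to account 42"
    sig = sign(CA_PRIVATE, msg)
    cert = issue_certificate(CA_PRIVATE, "Toy CA", "alice@example.com", ALICE_PUBLIC)
    forged = dict(cert, public_key=[M61 * M107, 65537])   # attacker swaps in their own key
    return {
        "signature_ok": verify(CA_PUBLIC, msg, sig),
        "altered_message_rejected": not verify(CA_PUBLIC, msg + b"0", sig),
        "certificate_ok": check_certificate(CA_PUBLIC, cert),
        "tampered_certificate_rejected": not check_certificate(CA_PUBLIC, forged),
    }


if __name__ == "__main__":
    print(demo())
```

All four results in demo() are True. The attacker in the last case holds a valid certificate and a public key of their own; what they lack is the CA's private key needed to re-sign the altered body.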

What is the purpose of a key exchange algorithm? With what type of cryptosystem is such an algorithm needed?

To let two parties agree on a shared secret key over an insecure network without ever sending the key itself (Diffie-Hellman is the classic example). It is needed for symmetric cryptosystems, where both sides must hold the same key before they can communicate.

Alice wants to send a message securely to Bill. Bill lives in another state and Alice has no way to communicate with him other than Internet mail. What kind of encryption should Alice and Bill use? Explain why.

They should use public key (asymmetric) encryption. Bill's public key can be sent by email because it need not be secret; Alice encrypts the message with it, and only Bill's private key, which never travels over the network, can decrypt it. Symmetric encryption would require them to share a secret key first, which they have no secure channel to do.

Briefly describe vulnerability, threat, risk, & exploit.

Threat: something bad that can happen; a potential violation of security policy.
Vulnerability: a weakness that could allow a system to enter a state not permitted by policy.
Risk: the probability that a particular threat (violation of policy) to a particular asset will be realized. Implies a vulnerability that can be exploited.
Exploit: a mechanism for taking advantage of a vulnerability.

A one-time pad cryptosystem has a provable property that no other cryptosystem has. What is it?

Perfect secrecy (unconditional security): with a truly random key as long as the message and used only once, the ciphertext reveals nothing about the plaintext, so no amount of computation can break it.
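The one-time pad, as an added example (not from the study set), with the perfect-secrecy property made concrete and the caveat that matters in practice: reuse the pad once and the property is gone. The plaintexts below are constructed for the example.

```python
import os

# Added example: one-time pad with XOR. Plaintexts and pads here are constructed.


def new_pad(length):
    """A fresh, uniformly random pad of the message length. Use it exactly once."""
    return os.urandom(length)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext, pad):
    """Ciphertext = plaintext XOR pad; the pad must be at least as long as the message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return xor_bytes(plaintext, pad)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def pad_that_explains(ciphertext, candidate_plaintext):
    """Perfect secrecy made concrete: for ANY candidate plaintext of the same
    length there is a pad under which the ciphertext decrypts to it, so the
    ciphertext alone tells an attacker nothing about which message was sent."""
    if len(candidate_plaintext) != len(ciphertext):
        raise ValueError("candidate must match ciphertext length")
    return xor_bytes(ciphertext, candidate_plaintext)


def two_time_pad_leak(c1, c2):
    """The provable property disappears the moment a pad is reused: XORing the
    two ciphertexts cancels the pad and hands the attacker p1 XOR p2."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    pad = new_pad(14)
    c = otp_encrypt(b"ATTACK AT DAWN", pad)
    print(otp_decrypt(c, pad))                               # b'ATTACK AT DAWN'
    print(otp_decrypt(c, pad_that_explains(c, b"RETREAT AT 6PM")))  # b'RETREAT AT 6PM'
```

The same ciphertext is consistent with both messages (and with every other 14-byte message), which is exactly why an attacker with unlimited computing power learns nothing. The practical costs are the reasons it is rarely used: the pad must be truly random, as long as all traffic combined, delivered in advance over a secure channel, and never reused.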

A cryptographic hash (like MD5 or SHA) is a one-way function; information processed with such a hash algorithm cannot later be recovered. Name one use for a cryptographic hash and briefly explain how the hash is used in your example. (There are several uses; I only want one of them.)

Password storage. The system stores only hash(password), never the password itself. When you log in, the password you enter is hashed and the result is compared with the stored hash; if they match you are authenticated, and a stolen password database does not directly reveal anyone's password.

Explain why using a computationally intensive (i.e. slow) hash algorithm is important when storing password data.

An attacker who steals the stored hashes must hash every password guess. If each hash takes milliseconds instead of microseconds, the attacker's guess rate drops by a factor of thousands, while a legitimate login pays the cost only once. Algorithms with an adjustable work factor (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) let the cost be raised as hardware gets faster.
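The three password-storage answers above (hash comparison at login, salting, and a slow hash), as one added example that is not part of the study set. It uses PBKDF2-HMAC-SHA256 from the Python standard library beside the unsalted fast hash it replaces; the password list, the attacker's precomputed table and the storage format are constructed for the example.

```python
import hashlib
import hmac
import os

# Added example: salted, deliberately slow password hashing next to the weak
# scheme it replaces. Passwords and the "leaked" table are constructed.

ITERATIONS = 600_000   # work factor; raise it as hardware gets faster


def unsalted_sha256(password):
    """The weak scheme: one fast hash, no salt. Same password -> same hash everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


# An attacker's precomputed table for the weak scheme (constructed, tiny).
COMMON = ["123456", "password", "password123", "letmein", "qwerty"]
PRECOMPUTED = {unsalted_sha256(p): p for p in COMMON}


def crack_unsalted(stored_hash):
    """Lookup costs nothing: the table was built once, before any breach."""
    return PRECOMPUTED.get(stored_hash)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store 'pbkdf2_sha256$iterations$salt$hash'. The salt is random per user
    and kept in the clear next to the hash; it need not be secret, only unique."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Login check: recompute with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored, candidates):
    """With a salt the attacker must redo the full slow hash for EVERY candidate
    against EVERY user's record; the precomputed table is useless."""
    for candidate in candidates:
        if verify_password(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    print(crack_unsalted(unsalted_sha256("password123")))   # found instantly
    record_a = hash_password("password123")
    record_b = hash_password("password123")
    print(record_a == record_b)                             # False: salts differ
    print(crack_salted(record_a, COMMON))                   # still found, but at 600k hashes per guess
```

The salt does not stop an attacker who targets one weak password; it removes the precomputation shortcut and forces a separate attack per account. The iteration count is what makes each of those attacks expensive, which is why the two belong together.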

Explain how two-factor authentication can make a system more secure.

Two factors from different categories (for example a password plus a hardware token or phone) mean that compromising one is not enough: a phished or leaked password is useless without the token, and a lost token is useless without the password. The attacker must defeat two independent mechanisms, usually through different channels, so the loss of a password alone no longer gives them access.

What is a man-in-the-middle attack?

An attacker positions themselves between two parties who believe they are communicating directly. In the public-key version, the attacker replaces the public key in the repository with their own, so the sender encrypts to the attacker; the attacker decrypts the message, reads (and possibly alters) it, re-encrypts it with the real recipient's public key and forwards it, and neither party notices anything wrong.
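The key exchange question earlier and the man-in-the-middle answer above, as one added example that is not part of the study set: a Diffie-Hellman exchange over an insecure channel, then the same exchange with an attacker substituting both public values. The group (p = 2^127 - 1, g = 7), the secrets and the XOR stream cipher are toy assumptions of the example; real deployments use standardized groups (RFC 3526/7919) or ECDH and a proper AEAD cipher.

```python
import hashlib

# Added example: Diffie-Hellman, then the same exchange under a man-in-the-middle.
# Toy group (assumption): p is prime but far too small for real use.
P = 2**127 - 1
G = 7


def public_value(secret):
    """What each side sends in the clear: g^secret mod p. The secret itself never leaves."""
    return pow(G, secret, P)


def shared_key(their_public, my_secret):
    """Both sides reach g^(ab) mod p and derive a symmetric key from it."""
    s = pow(their_public, my_secret, P)
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def stream_xor(key, data):
    """Toy symmetric encryption: XOR with a SHAKE-256 keystream (one message per key)."""
    keystream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def honest_exchange(a, b):
    """Alice (secret a) and Bob (secret b) end with the same key; an eavesdropper
    who sees only g^a and g^b cannot compute it."""
    A, B = public_value(a), public_value(b)
    return shared_key(B, a), shared_key(A, b)


def mitm_exchange(a, b, m):
    """Mallory (secret m) replaces both public values with her own. Each victim
    now shares a key with Mallory, not with the other, and nothing in the
    unauthenticated exchange reveals it."""
    A, B, M = public_value(a), public_value(b), public_value(m)
    alice_key = shared_key(M, a)        # Alice believes M came from Bob
    bob_key = shared_key(M, b)          # Bob believes M came from Alice
    mal_with_alice = shared_key(A, m)
    mal_with_bob = shared_key(B, m)
    return alice_key, bob_key, mal_with_alice, mal_with_bob


def relay(keys, message):
    """Mallory decrypts Alice's message, reads it, re-encrypts it for Bob and
    forwards it. Returns (what Mallory read, what Bob decrypted)."""
    alice_key, bob_key, mal_with_alice, mal_with_bob = keys
    on_the_wire = stream_xor(alice_key, message)
    read_by_mallory = stream_xor(mal_with_alice, on_the_wire)
    forwarded = stream_xor(mal_with_bob, read_by_mallory)   # could be altered here
    return read_by_mallory, stream_xor(bob_key, forwarded)


if __name__ == "__main__":
    k_alice, k_bob = honest_exchange(123456789, 987654321)
    print("honest keys match:", k_alice == k_bob)
    keys = mitm_exchange(123456789, 987654321, 55555)
    seen, delivered = relay(keys, b"meet at noon")
    print("Mallory read:", seen, "| Bob received:", delivered)
```

Bob receives exactly what Alice sent, so the attack is invisible from inside the protocol. The defence is to authenticate the exchanged values, for example by signing them with a key whose certificate the other side can verify, which is what the certificate question earlier is about.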

