Operating System Security


Encryption

The encoding of data in such a way so that only the sender and intended recipient can decode and read it.

Fingerprint scanning is the most common biometric technology used in place of usernames and passwords. True False

True

Most operating systems have a preferred file system. True False

True

Multiprogramming enables the system to run multiple processes at once. True False

True

The only attack known that could possibly obtain a user's password from cryptographic hashing is the Rainbow Attack. True False

True (this is the answer the course expects; note that the rainbow attack described on this page is itself a guess-and-compare search over candidate passwords, and plain brute-force or dictionary guessing against the hash works the same way)

The three layers of an OS are Application, Kernel and Hardware. True False

True

To see all processes running, Windows users can press Ctrl-Alt-Del and select the Task Manager. True False

True

Typically the set of permissions that a process runs with is equivalent to the permissions of the user that started the process. True False

True

Security professionals prefer to use ____ over ____. Safe over Trusted Secure over Trusted Trusted over Safe Trusted over Secure

Trusted over Secure

A dormant virus that requires an action to activate, receives that command during the ______________ phase?

The correct answer is triggering phase.

Companion, overwriting and document are all common types of _________________.

The correct answer is viruses.

Malware that does not require any user action to spread and execute is called a ___________

The correct answer is worm.

Virus

A type of program that performs unwanted actions on the target system, frequently causing damage. A virus requires a person to actively do something, such as open an infected file.

Hash

A value produced by a hash function.

Process

An application that is currently running. This means each process: • Has its own portion of RAM to store data. • Receives time to run on the CPU. • Has a security level.

Files are:
The different pieces of hardware that combine to make a computer
Any chunk of data stored in the file system
The different layers of an operating system
Processes run by the operating system

Any chunk of data stored in the file system

A scanner that flags anything out of the ordinary is a/an _________________ based scanner

The correct answer is anomaly based.

Folders/directories

Just as files require access control, so do directories. For example, there may be situations in which an administrator wants to prevent someone from being able to view the list of files stored in a directory. Website administrators often disable this feature. By the same token, an administrator may wish to prevent a user from saving some information to a particular directory. A proper access control system should offer this level of control.

Processes are assigned portions of __________ to use while they are running.
Folders/Directories
Hardware Devices
Main Memory
Access control

Main Memory

The phase when a virus is idle is the __________________ phase.

The correct answer is dormant phase.

Any executing program, including services, daemons or applications is a process. Select one: True False

True

What is the trusted computing base? Select one: a. The portions of a computer system that together serve to satisfy the stated security policy b. The systems in an organization that are considered to be most secure c. The users of the most heavily fortified computer systems in an organization d. None of the above

a. The portions of a computer system that together serve to satisfy the stated security policy

Why does hashing prevent hackers from stealing the contents of a password file? Select one: a. The passwords themselves are stored in cleartext. Other required information, such as the username, are hashed and not reversible b. Passwords are not hashed; they are encrypted c. Because, practically speaking, the hashes cannot be reversed to reveal the original password d. Because the passwords are encrypted and cannot be decrypted without the private key

c. Because, practically speaking, the hashes cannot be reversed to reveal the original password

Avoiding detection

• Polymorph • Stealth • Disabling

Other Common Malware (1) gathers information from your computer and uses it to display advertisements. Most of these advertisements occur in the form of pop-ups. Adware may also redirect search engine queries or modify a user's homepage so it points to a different webpage. Most users unknowingly give adware distributors permission to install their software, because the consent is buried in the End-User License Agreement (EULA). (2) is similar to adware; the only difference is in what the application does once installed. Spyware is designed to capture sensitive data on your system and transmit the data back to another party. Spyware typically accomplishes this either by searching the hard disk for the desired information or by installing software components that monitor your computer activity. (3) are software packages designed to allow a user located somewhere else to take complete control of your system. Rootkits can be placed on a system by different types of malware; it is not uncommon to see rootkits placed on a computer by Trojans, spyware or worms.

(1) Adware (2) Spyware (3) Rootkits

Operating System Structure (1) The application layer is the topmost layer of the OS model, where all of the applications opened by the user run. Applications running on the system rely on the kernel for all operating system services. For instance, when an application wants to save information to a permanent storage device (e.g. a hard disk), it cannot simply access the hard disk and store the data. Instead, it must request that the operating system perform this task on its behalf. Applications access hardware functions through the Application Programming Interface (API). The API allows applications to perform whatever tasks they need without giving them direct access to the underlying hardware. APIs are also used when an application wishes to use some other service. For example, if an application wished to know the current time, it could simply ask the operating system, which would respond with the current system time. (2) The kernel layer is the layer that can be conceptually thought of as the operating system itself. The kernel is the innermost portion of the operating system. It is concerned with allocating memory to different programs, deciding which programs can use the CPU, and handling interaction with hardware devices. The kernel is also generally responsible for enacting the security policies of the system. For this reason it is particularly important to information security professionals. (3) The hardware layer is exactly what most people envision. It is the conceptual layer that holds the actual hardware devices. These include items like the CPU, main memory (RAM), permanent storage (hard disk or HDD), networking card, USB devices, etc. This layer is at the bottom of the stack for two reasons. First, obviously a computer cannot function without hardware, making it the foundation of the entire system. The second reason is more conceptual, but just as important.
It should be noted that the application layer, the location of user programs, cannot directly access the hardware. Operating systems purposefully separate user programs from the underlying hardware to prevent this access. By forcing all hardware interactions to go through the operating system, greater stability can be ensured. Drivers contain the software necessary for the operating system to interface with various hardware components. For example, when using a printer or network interface, the appropriate driver must be installed first. A driver includes the code that enables the operating system to communicate properly with the device and use the features exposed by the hardware's firmware.

(1) Application layer (2) Kernel layer (3) Hardware layer

Adware

Adware gathers information from your computer and uses it to display advertisements. Most of these advertisements occur in the form of pop-ups. Adware may also redirect search engine queries or modify a user's homepage so it points to a different webpage. Most users unknowingly give adware distributors permission to install their software, because the consent is buried in the End-User License Agreement (EULA).

What is Multiprogramming? Select one: a. A system that is running multiple applications simultaneously b. A human operating multiple computer systems simultaneously c. A human working on multiple tasks simultaneously d. A system that has multiple CPUs or "Cores" installed.

a. A system that is running multiple applications simultaneously

In the context of information security, what is policy? Select one: a. A written list detailing the rules of an organization b. A list detailing practices that are to be observed regarding information c. A document assigning particular responsibilities to specific individuals or offices in an organization d. All of the above

a. A written list detailing the rules of an organization

How do anti-virus products work? Select all that apply. Select one or more: a. By examining files and comparing their code to known viruses in a dictionary b. By identifying any suspicious behavior from a computer application that might show some form of malicious intent/infection c. By examining the user's input d. By data captures and port monitoring, among other methods

a. By examining files and comparing their code to known viruses in a dictionary b. By identifying any suspicious behavior from a computer application that might show some form of malicious intent/infection

An operating system interfaces with hardware's firmware through: Select one: a. Device drivers b. Kernels c. The keyboard d. Applications

a. Device drivers

How does a signature based scanner find malware? Select one: a. Malware is detected by comparing an application's code to a database of known malware b. Malware is detected by monitoring network activity coming into and out of the computer, watching for patterns that are known to be associated with viruses c. Malware is detected by analyzing process activity and compares that to a known history of acceptable use in some artificially intelligent way d. Malware is detected by looking for suspicious behavior of applications through various means

a. Malware is detected by comparing an application's code to a database of known malware

Anti-virus systems should have their _______ libraries updated regularly. Select one: a. Signature b. File c. Software d. Password libraries

a. Signature

Which of the following is an API? Select all that apply Select one or more: a. Something that allows applications to perform the tasks they need without giving them direct access to the underlying hardware b. An interface that allows one application to directly manipulate the memory system of other applications c. An interface that allows the programmer to directly access the hardware when needed d. Something used when an application wishes to use a service offered by the operating system

a. Something that allows applications to perform the tasks they need without giving them direct access to the underlying hardware d. Something used when an application wishes to use a service offered by the operating system

How do user permissions impact the damage caused by malware? Select one: a. The malware inherits permissions from the user. The malware can only perform the same actions as the user b. The damage cause by malware is not impacted by user permissions c. Malware will sometimes adjust the permissions assigned to a particular user d. None of the above

a. The malware inherits permissions from the user. The malware can only perform the same actions as the user

Is a virus scanner required for each host if a network has a firewall and the e-mail is scanned for malware? Select one: a. Yes: Malware may bypass these two controls and enter the network through another path b. No: A firewall is all you really need to be protected against malware c. No: These two measures offer sufficient defense d. No: These two measures cover the only way that a virus might infiltrate the organization

a. Yes: Malware may bypass these two controls and enter the network through another path

Operating Systems are the most important piece of computer hardware. True False

False

Processes a user sees are the only processes the computer is running. True False

False

The smallest problem with encryption is where to store the encryption key. True False

False

The two most common methods anti-virus software use are Signature-based and Anonymous-based scanning. Select one: True False

False

The ________________ phase is when the virus begins to spread and replicate.

The correct answer is propagation.

Types of Viruses (1) Integrate their malicious instructions into the code of the targeted program. The targeted program still exists, for all intents and purposes, but every time it is run the virus will also be executed. (2) Completely replaces the targeted program. When the user goes to run the targeted program they instead unknowingly run the virus. (3) Frequently called "macro viruses", these viruses reside inside of data files. When the user opens the data file, often a Microsoft Office document, the virus runs as well. These viruses take advantage of the fact that common office applications have the capability of adding custom commands and routines to documents.

(1) Companion Viruses (2) Overwriting Viruses (3) Document Viruses

Access Control (1) Processes are assigned portions of main memory to use while they are running. For security to be maintained, processes must not be able to access the memory space of another process. The victimized process or possibly the operating system could crash, not to mention the loss of confidentiality that could ensue. For example, imagine a virus that attempts to examine the memory space of another process in the hopes of discovering an encryption key. Another example might be a piece of malware that attempts to disable a virus scanner. (2) Files are essentially chunks of data stored in the file system and are the type of object that most people think of when discussing access control. Examples of files include programs, files containing data such as a word processor documents, spreadsheets, image files (pictures) and many others. By default, an "owner" of a file will have full access to it while others may not, unless they have elevated privileges above those of a normal user. (3) Just as files require access control, so do directories. For example, there may be situations in which an administrator wants to prevent someone from being able to view the list of files stored in a directory. Website administrators often disable this feature. By the same token, an administrator may wish to prevent a user from saving some information to a particular directory. A proper access control system should offer this level of control. (4) Unlike data files, few people consider that programs must also be protected. There are many programs on a computer system that administrators like to prevent regular users from using. For example, a network administrator may have a network utility that attempts to hack into other computer systems, used for testing security. Obviously this utility should be locked down so accidental running does not occur. (5) Hardware devices must also have restricted access. 
For instance, one organization may discover that some employee has been stealing sensitive corporate information by copying it off their computer onto a USB drive. An operating system must provide a means of preventing users from accessing specific hardware devices, in this case preventing regular users from accessing USB drives.

(1) Main Memory (2) Files (3) Folders/Directories (4) Programs (5) Hardware Devices

Avoiding Detection Techniques: (1) The virus reprograms itself after each infection, making detection by scanners difficult. (2) Some viruses attempt to prevent virus scanners from communicating with the OS, thereby cutting off the virus scanner from the rest of the OS. If successful, detection becomes impossible. (3) Some viruses attempt to shut down, pause, disable or delete virus scanners. If successful, detection becomes virtually impossible.

(1) Polymorph (2) Stealth (3) Disabling

Malware Detection (1) The most common type of scanner used is a signature based scanner. Just as with a signature based IDS, the scanner uses a library of signatures and compares each program and file on a computer system to the entries in the library. If a match is found, then it can be determined that the system is infected with a form of malware. (2) Anomaly based malware scanners are roughly analogous to anomaly based IDS. These scanners attempt to monitor your computer to determine if anything is out of the ordinary. While signature based scanners have a false alarm rate close to 0% (a match means a known pattern really is present), they often miss new attacks. Anomaly based scanners suffer from the reverse condition. They often identify nearly every attack perpetrated on the system, but their false alarm rate is considerably higher than that of signature based scanners.

(1) Signature Based Scanners (2) Anomaly Based Scanners
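
An added example (not code from the course page) contrasting the two scanner types above in Python, and showing why the "polymorph" technique from the Avoiding Detection card defeats the first one. The payload bytes, the signature library and the per-process CPU figures are all constructed for the demonstration; the XOR re-encoding stands in for a real polymorphic engine.

```python
import statistics

# Constructed malware body: a few opcode-like bytes plus a marker string.
# Not real machine code; it only has to be a byte string a scanner can match.
PAYLOAD = (b"\x55\x48\x89\xe5"
           + b"\xe8\x00\x00\x00\x00\x5b"
           + b"\x48\x83\xc3\x10\xff\xe3"
           + b"evil-demo-payload")

# Constructed signature library: name -> byte pattern taken from the payload.
SIGNATURES = {
    "Demo.Dropper": b"\xe8\x00\x00\x00\x00\x5b",
}


def signature_scan(data, signatures=SIGNATURES):
    """Signature-based: report every library entry whose pattern appears in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def polymorphic_variant(payload, key):
    """Stand-in for a polymorphic virus: the same payload re-encoded with a new
    one-byte key on each infection, prefixed by a two-byte 'decoder stub' that
    carries the key. The bytes on disk change with the key, so a signature
    taken from the plain payload no longer matches."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    stub = bytes([0xEB, key])          # constructed marker, not real code
    return stub + xor_bytes(payload, key)


def decode_variant(blob):
    """What the virus does at run time: read the key from the stub and recover
    the original payload, which then behaves exactly as before."""
    key = blob[1]
    return xor_bytes(blob[2:], key)


# Constructed per-process CPU% history (the learned 'normal') and a snapshot.
BASELINE = {
    "word.exe": [2, 3, 2, 4, 3],
    "browser.exe": [10, 15, 12, 20, 18],
    "backup.exe": [1, 1, 2, 1, 1],
}
SNAPSHOT = {
    "word.exe": 40,       # infected document spinning the CPU
    "browser.exe": 25,    # busy, but within its normal spread
    "backup.exe": 5,      # legitimate nightly run: produces a false alarm
    "dropper.exe": 1,     # never seen before
}


def anomaly_scan(baseline, snapshot, threshold=3.0):
    """Anomaly-based: flag a process whose current CPU use lies more than
    `threshold` standard deviations from its own history, or that has no
    history at all. Catches things no signature knows, at the cost of
    flagging benign deviations too."""
    alerts = []
    for proc, current in snapshot.items():
        history = baseline.get(proc)
        if not history:
            alerts.append((proc, "no baseline for this process"))
            continue
        mean = statistics.mean(history)
        spread = statistics.pstdev(history) or 1.0   # avoid /0 on a flat history
        z = abs(current - mean) / spread
        if z > threshold:
            alerts.append((proc, f"cpu {current}% is {z:.1f} sd from mean {mean:.1f}%"))
    return alerts


if __name__ == "__main__":
    print("plain payload:", signature_scan(PAYLOAD))
    print("polymorphic copy:", signature_scan(polymorphic_variant(PAYLOAD, 0x5A)))
    for proc, why in anomaly_scan(BASELINE, SNAPSHOT):
        print("ALERT", proc, why)
```

Run as a script it reports the plain payload as Demo.Dropper, reports nothing for the re-encoded copy even though decoding it gives back the identical payload, and raises three anomaly alerts: one true positive (word.exe), one new process with no baseline, and one false alarm from the backup job, which is the trade-off the card describes.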

Trojan

A Trojan is a computer program that does something other than its advertised functionality. Trojans have been used to plant rootkits, software backdoors, spam servers and keystroke loggers, and to carry out other malicious activities (a discussion of these items can be found later in the module). The one upside to Trojans is that they do not spread automatically like viruses and worms.

Multiprogramming

A scheme which enables the system to run multiple processes simultaneously even on a system with only one CPU. This technique enables users to perform work in several different applications at once. A user may be downloading a file using Internet Explorer while typing a document in Microsoft Word at the same time.

Vulnerability

A weakness that can potentially be exploited by an attacker.

ACL stands for:
Access Communications List
Access Controlled Ledger
Access Control List
Attempted Control List

Access Control List

Trusted Computer Base (TCB)

All systems in the computer that are used to satisfy the organization's security policy combine to form the Trusted Computing Base (TCB). The TCB should be isolated from the other components of the system so that things in the non-TCB cannot affect the operation of the TCB. For this reason it is very important for the TCB to be implemented correctly. The portions of the Operating System that typically make up the TCB are: •Hardware •Processes •File Protection •Memory Protection •Inter-process Communication

Application Programming Interface (API)

Allows applications to perform whatever tasks they need without giving them direct access to the underlying hardware. APIs are also used when an application wishes to use some other service. For example, if an application wished to know what the current time was, it could simply use the operating system's time. The operating system would respond with the current system time.

Cryptographic hashing was abandoned in favor of encryption. True False

False The challenges with password encryption were great enough that basic encryption was abandoned in favor of cryptographic hashing.

Rainbow attack

Can be used to possibly determine a user's password given only the hash. The key to a rainbow attack is the knowledge that a password will always hash to the same output. Using this knowledge, an attacker can begin generating hashes for all possible passwords. When the attacker intercepts hashed passwords, (s)he only needs to consult the table of already computed hashes, and see which password generates the hash they have intercepted.

Today's trusted computing standard can be found in the:
Trusted Criteria Handbook
Computing Criteria Guidelines
Common Criteria, ISO Standard 15408
Computing Criteria, ISO standard 15480

Common Criteria, ISO Standard 15408

Overwriting viruses

Completely replaces the targeted program. When the user goes to run the targeted program they instead unknowingly run the virus.

The Mac OS equivalent to the Windows Task Manager is the Process Watcher. True False

False (It is Activity Monitor)

Rootkit

Malware designed to hide the existence of certain processes or programs, and use administrator access to maintain access to the computer without detection.

Passwords and cryptographic hashing script

Cryptographic hash functions are one-way functions, meaning the output cannot be reversed to obtain the input using any known method. Therefore the hashed output of a password cannot be reversed to obtain the original password. An attacker can still guess candidate passwords, hash each guess and compare the results, which is exactly what the rainbow attack described on this page does.

Biometrics

Describes the method of identifying a user through the use of unique physical attributes. Examples: Fingerprints, Retina Scan, and Facial Recognition.

Before starting a rainbow attack the attacker must know an individual username. True False

False

Authentication

During the authentication phase, the system somehow verifies the unknown person's claim of identity. Frequently this is a true or false process - the user is who they claim to be, or an impostor has been discovered.

Dormant phase

During the dormant phase the virus is idle. The virus will remain in this state, without releasing its payload, until some triggering event occurs. This triggering event may be a user action, such as opening a specific file, or it may be something more passive such as a specific date or time. This phase is optional, meaning that not every virus has a dormant phase.

Propagation phase

During the propagation phase the virus spreads, typically seizing every opportunity to replicate itself to other systems. It should be noted that the virus has not yet executed its payload during the propagation phase. If the virus is file-infecting, then it will infect other executable files on the system. If the virus is spread through email then typically it will mail copies of itself to other email addresses found on the system.

Access Control List (ACL)

Each asset has a list that states which users may perform particular actions on it. This list is called an Access Control List (ACL).

Hidden procedures are services run by the system with the user's knowledge. True False

False

Which of the following is not a goal of an access control mechanism?
Ensure permissions are enforced
Enforce least privilege
Ensure acceptable usage
Ensure accurate usage

Ensure accurate usage

1) Attacker computes the hashes of candidate passwords (in principle, every possible password).
2) Attacker observes a secret password hash transmitted between computers.
3) Attacker looks in the table of pre-computed hashes for the entry that matches the hash (s)he observed.
4) Attacker now has a valid password.

Example of Rainbow Attack The key to a rainbow attack is the knowledge that a password will always hash to the same output. Using this knowledge, an attacker can begin generating hashes for all possible passwords. When the attacker intercepts hashed passwords, (s)he only needs to consult the table of already computed hashes, and see which password generates the hash they have intercepted. When you type in a password, the submitted password is hashed and compared to a hashed value on file. If the same cryptographic hashing function is used in both cases, then it becomes possible to compare the output to determine if the submitted password is the same as the one that is on file.
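
A worked version of the hash-and-lookup described in the Rainbow attack card and the Example of Rainbow Attack above, as an added example (not part of the course page). It uses only Python's standard library; the password file, the candidate list and the usernames are constructed for the demonstration. It also goes one step beyond the page: the last three functions show why a per-user salt, combined with a slow iterated hash such as PBKDF2, defeats a single precomputed table.

```python
import hashlib
import hmac
import os

# Constructed sample password file: username -> hex SHA-256 of the password,
# stored unsalted, exactly the situation the rainbow-attack card describes.
USERS = {
    "alice": hashlib.sha256(b"letmein").hexdigest(),
    "bob": hashlib.sha256(b"dragon").hexdigest(),
    "carol": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

# Constructed stand-in for "all possible passwords": a short candidate list.
CANDIDATES = ["123456", "password", "letmein", "dragon", "qwerty", "monkey"]


def verify(stored_hex, submitted):
    """Login check: hash the submitted password with the same function and
    compare against the value on file (constant-time compare)."""
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hex)


def build_table(candidates):
    """Attack step 1: precompute hash -> password for every candidate. The same
    password always hashes to the same output, so this work is reusable."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def lookup_attack(table, observed):
    """Attack steps 2-3: given observed {label: hash}, recover passwords by
    table lookup alone. No username is needed; the label is just a key."""
    return {label: table[h] for label, h in observed.items() if h in table}


# --- Beyond the page: why a per-user salt breaks the shared table ---------

def salted_hash(password, salt, iterations=100_000):
    """Slow, salted hash: PBKDF2-HMAC-SHA256. The salt makes each user's hash
    unique, so one precomputed table cannot serve every account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def salted_store(password):
    """Store a password as (random salt, salted hash)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def salted_verify(salt, stored, submitted):
    return hmac.compare_digest(salted_hash(submitted, salt), stored)


def same_password_different_hashes(password):
    """Two users choosing the same password get different stored hashes,
    so a hash seen for one account reveals nothing about the other."""
    s1, h1 = salted_store(password)
    s2, h2 = salted_store(password)
    return h1 != h2 and salted_verify(s1, h1, password) and salted_verify(s2, h2, password)


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    print("recovered:", lookup_attack(table, USERS))
    print("salt defeats shared table:", same_password_different_hashes("letmein"))
```

The table recovers alice's and bob's passwords from their hashes alone and never learns carol's, whose passphrase is not in the candidate list; that is also why the "must know the username" card above is answered False.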

A computer never stores a user's username and password. True False

False

A process with read and write access cannot do more damage than a process with only read access. Select one: True False

False

Files

Files are essentially chunks of data stored in the file system and are the type of object that most people think of when discussing access control. Examples of files include programs, files containing data such as a word processor documents, spreadsheets, image files (pictures) and many others. By default, an "owner" of a file will have full access to it while others may not, unless they have elevated privileges above those of a normal user.

Document viruses

Frequently called "macro viruses", these viruses reside inside of data files. When the user opens the data file, often a Microsoft Office document, the virus runs as well. These viruses take advantage of the fact that common office applications have the capability of adding custom commands and routines to documents.

Access control

Function of policy that determines who can access a particular resource. In Information Security, this typically refers to which users are allowed access to some resource of the computing infrastructure and what functions they are allowed to perform therein.

Trusted computing

Generally speaking, an operating system can be considered by the government to be "trusted" if it offers protection of the following kinds: •Memory Protection •File Protection •Object Protection •User Protection

•Check permissions on every access - the operating system needs to verify a user's permissions every time they access an object. If this is not done then users may continue to have access even after their permissions have changed. On the flip side, users may not have access to assets even after an administrator has adjusted their permission settings.
•Enforce least privilege - recall that the principle of least privilege states that users should have access only to the assets they need to accomplish their assigned tasks.
•Ensure acceptable usage - while determining whether a person can have access is a yes or no decision, an access control system should attempt to ensure that the object is being used appropriately. This type of defense can help defend against some types of viruses that cause existing programs to behave in new manners.

Goals of an Access Control System
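
The five object types in the Access Control card and the three goals listed above, as an added worked example (not code from the course page). It is a toy reference monitor in Python; the object names, users and rights are invented for the demonstration. The last two functions contrast a session that checks permissions once at open time with one that consults the monitor on every access, which is the first goal above.

```python
from dataclasses import dataclass, field

READ, WRITE, EXECUTE, LIST = "read", "write", "execute", "list"
ALL_RIGHTS = {READ, WRITE, EXECUTE, LIST}


class AccessDenied(PermissionError):
    pass


@dataclass
class Obj:
    """One protected object: a file, directory, program or hardware device.
    acl maps user -> set of rights; absence means no access at all."""
    name: str
    kind: str
    owner: str
    acl: dict = field(default_factory=dict)


class ReferenceMonitor:
    """Holds the ACL of every object and answers 'may user do right on name?'."""

    def __init__(self, admin):
        self.admin = admin
        self.objects = {}

    def create(self, name, kind, owner):
        obj = Obj(name, kind, owner)
        obj.acl[owner] = set(ALL_RIGHTS)     # owner gets full access by default
        self.objects[name] = obj
        return obj

    def _may_edit_acl(self, actor, obj):
        if actor not in (self.admin, obj.owner):
            raise AccessDenied(f"{actor} may not change the ACL of {obj.name}")

    def grant(self, actor, name, user, rights):
        obj = self.objects[name]
        self._may_edit_acl(actor, obj)
        obj.acl.setdefault(user, set()).update(rights)

    def revoke(self, actor, name, user, rights):
        obj = self.objects[name]
        self._may_edit_acl(actor, obj)
        obj.acl.get(user, set()).difference_update(rights)

    def allowed(self, user, name, right):
        return right in self.objects[name].acl.get(user, set())

    def check(self, user, name, right):
        if not self.allowed(user, name, right):
            raise AccessDenied(f"{user}: {right} on {name} denied")


def is_denied(action):
    """True if calling action() raises AccessDenied."""
    try:
        action()
        return False
    except AccessDenied:
        return True


def cached_session(rm, user, name, right, steps):
    """Flawed: checks once at 'open', then keeps using the object. A revoke
    that happens during the session (one of the steps) is never noticed."""
    rm.check(user, name, right)
    outcomes = []
    for step in steps:
        step()
        outcomes.append(True)           # access proceeds on the stale decision
    return outcomes


def mediated_session(rm, user, name, right, steps):
    """Correct: the monitor is consulted on every access, so a revoke takes
    effect from the very next access."""
    outcomes = []
    for step in steps:
        step()
        outcomes.append(rm.allowed(user, name, right))
    return outcomes


def build_demo():
    """Constructed scenario mirroring the page's examples. All names are made up."""
    rm = ReferenceMonitor(admin="root")
    rm.create("/home/alice/report.docx", "file", "alice")      # alice: full, others: none
    rm.create("/var/www/html", "directory", "root")
    rm.grant("root", "/var/www/html", "www-data", {READ})      # serve files; no listing, no writes
    rm.create("/opt/tools/netscanner", "program", "root")      # security test utility: root only
    rm.create("/dev/sdb", "device", "root")                    # USB mass storage: root only
    return rm


if __name__ == "__main__":
    rm = build_demo()
    print("bob reads alice's report:", rm.allowed("bob", "/home/alice/report.docx", READ))
    print("www-data lists web root:", rm.allowed("www-data", "/var/www/html", LIST))
```

In the scenario bob cannot read alice's document or give himself that right, the web server account can read the web root but neither list nor write it, and ordinary users can neither run the scanning utility nor write to the USB device. With a cached decision a revoke in the middle of a session is silently missed; with mediation on every access it bites immediately.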

Hardware devices

Hardware devices must also have restricted access. For instance, one organization may discover that some employee has been stealing sensitive corporate information by copying it off their computer onto a USB drive. An operating system must provide a means of preventing users from accessing specific hardware devices, in this case preventing regular users from accessing USB drives.

•CPU utilization. •Memory utilization. •Which processes are running at a particular time. •Some advanced host-based IDSs monitor what each process typically does, and sound an alarm when a process exhibits abnormal behavior.

Host based IDSs run on a computer like anti-virus products and monitor the computer for unusual activity. Host based IDSs are heuristically based software systems that compare how the system is currently running to observed prior behavior. Host based IDSs monitor all of the following:

Triggering phase

If the virus has been dormant, the triggering phase is the phase that causes it to activate. As previously outlined, this may occur on a specific user action or at a specific date or time. If the virus has not been dormant, then the triggering phase may simply be the completion of the propagation phase. In other words, once the virus has spread, it then executes its payload.

Companion viruses

Integrate their malicious instructions into the code of the targeted program. The targeted program still exists, for all intents and purposes, but every time it is run the virus will also be executed. (This is the course's definition. Strictly, the behaviour described is that of a parasitic or file-infecting virus; a companion virus is a separate file that the system runs instead of, or before, the target program, which itself is left unmodified.)

Intrusion detection system

Intrusion Detection Systems attempt to monitor the current operation of the network and raise alarms if an attack appears to be occurring.

Why do files need protection (access control) by the operating system?
To keep the creator from deleting the files
Malicious users may attempt to access and modify personal files of another user
To prevent authorized users from accessing files
To protect the main memory

Malicious users may attempt to access and modify personal files of another user

Which of the following is a protection of a trusted operating system?
Memory Protection
Hardware Protection
Complete Protection
Warranty Protection

Memory Protection

NT File System (NTFS)

Most operating systems have a preferred file system. For example, Microsoft Windows normally formats hard disks using NTFS (NT File System).

An anti-virus scanner that scans a library of known malware for matches on a system is a/an ____________ based scanner.

The correct answer is signature.

Processes script

One common misconception about processes is that only users may start them, and only through an active means. This is not the case. While a user may start an initial process, that process may in turn "spawn" or create other processes (sometimes known as child processes). Some may argue that a user ultimately causes all processes to be executed by performing some initial action (such as turning the system on). The fact is, the system often has many processes running that the user sitting in front of the monitor is simply unaware of.

The Trusted Computer System Evaluation Criteria (TCSEC) of 1983 is also known as the:
Blue Book
Orange Book
Red Book
Yellow Book

Orange Book

Execution phase

The final phase is the execution phase, during which time the virus executes its payload. The payload itself may be harmless, such as displaying a message to the user. Often, though, the results are somewhat more severe, ranging from a denial of service attack to corruption and destruction of the data on the system.

Access Control is designed to:
Place and enforce restrictions on which users may perform certain actions
Control the OS functions
Control a computer's hardware
Place restrictions on how the software interacts with the hardware

Place and enforce restrictions on which users may perform certain actions

A _____ is a written set of rules that describes the information security a system is expected to provide.
Policy
Compendium
Manual
Guidelines

Policy

Main memory

Processes are assigned portions of main memory to use while they are running. For security to be maintained, processes must not be able to access the memory space of another process. The victimized process or possibly the operating system could crash, not to mention the loss of confidentiality that could ensue. For example, imagine a virus that attempts to examine the memory space of another process in the hopes of discovering an encryption key. Another example might be a piece of malware that attempts to disable a virus scanner.

A commonly overlooked area that needs restrictions is:
Files
Administrative Accounts
Programs
Main Memory (RAM)

Programs

Keylogger

Programs that record a user's keystrokes on the computer. Keyloggers can compromise your sensitive data by capturing it and sending it to a criminal.

Rootkits

Rootkits are software packages designed to allow a user located somewhere else to take complete control of your system. Rootkits can be placed on a system by different types of malware; it is not uncommon to see rootkits placed on a computer by Trojans, spyware or worms.

Host-based Intrusion Detection System (IDS)

Run on a computer like anti-virus products and monitor the computer for unusual activity. Host based IDSs are heuristically based software systems that compare how the system is currently running to observed prior behavior. Host based IDSs monitor all of the following: • CPU utilization. • Memory utilization. • Which processes are running at a particular time. • Some advanced host based IDSs monitor what each process typically does, and sound an alarm when a process exhibits abnormal behavior.

Trusted computing script

Security professionals don't like the term "secure" because nothing can truly be "secured" - there are simply degrees of security. It is generally a misconception that an administrative assistant's system deserves any less attention than the corporate database server. Attackers can leverage any intrusion into a full-scale assault on any company's network from any foothold.

Malware

Short for malicious software - software used to interrupt computer operations, gain unauthorized access to computer systems or gather sensitive information. Includes spyware, adware, viruses, worms, Trojans and rootkits.

Worms

Similar to a virus, a worm is a type of program that performs unwanted actions on a computer system, frequently causing damage. Unlike a virus, a worm can infect systems without any human assistance.

Stealth

Some viruses attempt to prevent virus scanners from communicating with the OS, thereby cutting off the virus scanner from the rest of the OS. If successful, detection becomes impossible.

Disabling

Some viruses attempt to shut down, pause, disable or delete virus scanners. If successful, detection becomes virtually impossible.

Spyware

Spyware is similar to adware; the only difference is in what the application does once installed. Spyware is designed to capture sensitive data on your system and transmit the data back to another party. Spyware typically accomplishes this either by searching the hard disk for the desired information or by installing software devices that monitor your computer activity.

Hardware layer

The conceptual layer that holds the actual hardware devices. These include items like the CPU, main memory (RAM), permanent storage (Hard Disk or HDD), networking card, USB devices, etc. This layer is at the bottom of the stack for two reasons. First, obviously a computer cannot function without hardware, making it the foundation of the entire system. The second reason is more conceptual, but just as important. It should be noted that the application layer, the location of user programs, cannot directly access the hardware.

A program that appears to be one thing, such as a game, to lure installation, but actually runs malware is called a ___________________.

The correct answer is Trojan horse.

The final phase when the virus releases its payload is called the _______________ phase.

The correct answer is execution phase.

___________ is a generic term for all malicious software.

The correct answer is malware.

Which of the following permissions is an example of an action that most users need to be able to complete? The ability to access the network The ability to uninstall software The ability to install software The ability to add new network devices

The ability to access the network

The following are guidelines for setting up strong passwords:
• Seven to fourteen characters long
• Contain characters from each of the following three groups:
  • Uppercase and lowercase: A,B,C..., and a,b,c...
  • Numerals: 0,1,2,3,4,5,6,7,8,9
  • Symbols: ' ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /
• Have at least one symbol character in the second through sixth position
• Significantly different from prior passwords
• Not contain a user's name or username
• Not be a common word or name
To assist in the creation of a strong password, consider converting phrases or lyrics to a numerical form.

Trusted Computer System Evaluation Criteria (TCSEC)

The government issued its first formal explanation and criteria for declaring a system as "trusted" in 1983 in the Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book because of the color chosen for the document's cover. The Orange Book outlined the requirements that vendors had to meet in order to have their products qualify as "trusted". The Orange Book also identified levels of certification used to determine whether products were certified to handle classified material. Over time the requirements spelled out in the Orange Book have been superseded by the Common Criteria, ISO Standard 15408. Like the Orange Book, the Common Criteria contains requirements and directives to be used by product developers when designing trusted systems. The Common Criteria also spells out certification levels. Testing is performed by the Trusted Product Evaluation Program (TPEP), a division of the National Security Agency.

The need for layered defense:
• Many types of malware are capable of bypassing network firewalls.
• Users may unknowingly download and install Trojans.
• Users may open infected email messages.
• Users may download free software containing adware and spyware.

The increase in malware illustrates the need for a layered defense: a network firewall will not prevent infection under any of these circumstances. Firewalls are typically thought of as a network security control. However, as previously discussed, firewalls can be installed in two different places: the network perimeter and on each computer (host-based firewall). The question is, which is the better place? The simple answer is that both are necessary and practical. Many forms of malware are designed to reconfigure host-based firewalls so vulnerabilities can be exploited. Network firewalls can help mitigate some of these problems.

Kernel layer

The layer that can be conceptually thought of as the operating system itself. The operating system's kernel is the innermost portion of the operating system. It is concerned with allocating memory to different programs, deciding which programs can use the CPU, as well as handling interaction with hardware devices. The kernel is also generally responsible for enacting the security policies of the system. For this reason it is particularly important to information security professionals.

Signature based scanner

The most common type of scanner. Uses a library of signatures, and compares each program and file on a computer system to the entries in the library. If a match is found, then it can be determined that the system is infected with a form of malware. At the very least, malware has been placed on the system and not yet activated.

Early Unix systems kept passwords in clear text. True False

True

Encryption helps prevent attackers from being able to easily obtain passwords. True False

True

Background process script

The operating system typically uses many different processes that run in the background to carry out all the functions that must occur. Furthermore, many commercial applications also use processes that run in the background. Virus scanners, instant messengers and even some e-mail clients all have background processes or can exist as a background process.

Trusted Computing Base (TCB)

The sum of the parts of the operating system that satisfy the security policy. The TCB should be isolated from the other components of the system so that things in the non-TCB cannot affect the operation of the TCB.

Application layer

The topmost layer of the OS model, where all of the applications opened by the user are run. Applications running on the system are reliant upon the kernel for all operating system services. For instance, when an application wants to save information to a permanent storage device (e.g. a hard disk), it cannot simply access the hard disk and store the data. Instead, it must request that the operating system perform this task on its behalf.

Defense in depth/layered defense

The use of defensive controls at every layer of an organization to protect against attackers. Includes:
• Firewalls
• Anti-virus scanning software
• Password security
• Host-based intrusion detection systems
• User permissions

The use of encryption prevents attackers from being able to discern the individual passwords. Though this approach seems straightforward and clean, it is not quite the case. The main challenges involve the encryption key:
• Where should it be stored?
• How should it be secured?
• When should the OS be allowed to access the key?
• When should the OS be denied access?

Polymorph

The virus reprograms itself after each infection, making detection by scanners difficult.

Anomaly Based Scanners

These scanners attempt to monitor your computer to determine if anything is out of the ordinary. For example, a particular process may normally sit idle for long periods of time, rarely using much of the system's resources. If the process unexpectedly begins to consume many resources, the anomaly based scanner will flag this occurrence as a possible indication of an infection. While signature based scanners have a false alarm rate of 0%, they often miss new attacks. Anomaly based scanners suffer from the reverse condition. They often identify nearly every attack perpetrated on the system. The false alarm rate, though, is considerably higher than that of signature based scanners.

Defense in Depth:
• Firewalls
• Anti-virus scanning software
• Password security
• Host-based intrusion detection systems
• User permissions

This practice is commonly referred to as defense in depth or layered defense. The goal of these differing layers is to provide additional protection in the event that the previous layer is compromised or defeated.

Though the policy attempts to satisfy all goals of information assurance, confidentiality is a top priority. Generally speaking, information in the DoD security policy is governed by the concept of "need to know". The DoD security policy classifies information according to its sensitivity:
• Unclassified
• Restricted
• FOUO - For Official Use Only
• CUI - Controlled Unclassified Information
• SBU - Sensitive but Unclassified
• Confidential
• Secret
• Top Secret

Operating system structure

Three layers:
• Application layer
• Kernel layer
• Hardware layer

A process is an application running on a system. True False

True

A process is essentially an application that is currently running. This means each process: •Has its own portion of RAM to store data. •Receives time to run on the CPU. •Has a security level. True False

True

A user on any system should be given just enough permissions for him or her to complete their duties. Select one: True False

True

Cryptographic hashing is a one way function, so the output cannot be reversed to obtain the input. True False

True

The principle of least privilege is: Users should only have access to assets they need to accomplish their assigned tasks Users should have complete access to all assets on the computer Ensuring acceptable usage Checking permissions on every access

Users should only have access to assets they need to accomplish their assigned tasks

What can a company block access to, to keep employees from stealing corporate information? Email applications CPU RAM USB Drives

USB Drives

Programs

Unlike data files, few people consider that programs must also be protected. There are many programs on a computer system that administrators like to prevent regular users from using. For example, a network administrator may have a network utility that attempts to hack into other computer systems, used for testing security. Obviously this utility should be locked down so accidental running does not occur.

What is an Application Program Interface ("API")? Select one: a. A mechanism by which a program may interact with the operating system b. A way of interfacing with a particular application c. A way of accessing all of the software installed on a computer system d. A way of accessing the program code for applications that have been loaded on the system

a. A mechanism by which a program may interact with the operating system

Virus Phases

(1) During the dormant phase the virus is idle. The virus will remain in this state, without releasing its payload, until some triggering event occurs. This triggering event may be a user action, such as opening a specific file, or it may be something more passive such as a specific date or time. This phase is optional, meaning that not every virus has a dormant phase.
(2) During the propagation phase the virus spreads, typically seizing every opportunity to replicate itself to other systems. It should be noted that the virus has not yet executed its payload during the propagation phase. If the virus is file-infecting, then it will infect other executable files on the system. If the virus is spread through email, then typically it will mail copies of itself to other email addresses found on the system.
(3) If the virus has been dormant, the triggering phase is the phase that causes it to activate. As previously outlined, this may occur in response to a user action or at a specific date or time. If the virus has not been dormant, then the triggering phase may simply be the completion of the propagation phase. In other words, once the virus has spread, it then executes its payload.
(4) The final phase is the execution phase, during which time the virus executes its payload. The payload itself may be harmless, such as displaying a message to the user. Often, though, the results are somewhat more severe, ranging from a denial of service attack to corruption and destruction of the data on the system.

Access control assets

When discussing operating systems, there are many assets that must be protected and many different parties to protect them from, such as:
• main memory
• files
• folders/directories
• programs
• hardware devices

What is a host based intrusion detection system? Select one: a. A software package that monitors a single computer system, watching for abnormal activity b. A software package that watches all of the hosts on a network, monitoring them for abnormal activity c. A software package that watches all incoming network traffic for indications of an attack d. None of the above

a. A software package that monitors a single computer system, watching for abnormal activity

What is an operating system? Select one: a. A software system that manages all of the hardware and other software in a system b. A system that is used to track the progress of IT managers and resources c. A system used to optimize distribution of network resources d. A system that is used to track the monetary disbursements

a. A software system that manages all of the hardware and other software in a system

What is a root kit? Select one: a. A software tool designed to allow a user located somewhere else to take complete, interactive control of a system b. A portion of an application that, with or without user consent, shows advertisements for other products or services during its use c. A portion of an application that, with user consent, downloads updates for its application suite d. A program that copies itself and infects computer after computer via host movement without permission or knowledge from the users

a. A software tool designed to allow a user located somewhere else to take complete, interactive control of a system

Why do information security professionals describe operating systems using the word "trust" rather than "secure"? Select one: a. "Secure" is too rigid - something is either secure, or it is not. Trust can be measured in grades or classes b. "Trust" evokes greater confidence in the security of a system than "secure" c. "Secure" can have a variety of definitions, leading to confusion about which definition is intended d. None of the above

a. "Secure" is too rigid - something is either secure, or it is not. Trust can be measured in grades or classes

What is an Application Program Interface ("API")? Select one: a. A mechanism by which a program may interact with the operating system b. A way of accessing the program code for applications that have been loaded on the system c. A way of accessing all of the software installed on a computer system d. A way of interfacing with a particular application

a. A mechanism by which a program may interact with the operating system

In regard to trusted computing, what is a policy? Select one: a. A policy is a statement that describes the matrix that is rendered from the rights granted by an operating system b. A policy is a statement that describes the information security a system is expected to provide c. A policy is the rights granted to a process within the trusted computing architecture d. A policy is the rights granted to a user from an operating system, provided in a policy matrix

b. A policy is a statement that describes the information security a system is expected to provide

What is an operating system? Select one: a. A system that is used to track the monetary disbursements b. A software system that manages all of the hardware and other software in a system c. A system used to optimize distribution of network resources d. A system that is used to track the progress of IT managers and resources

b. A software system that manages all of the hardware and other software in a system

What is a root kit? Select one: a. A portion of an application that, with or without user consent, shows advertisements for other products or services during its use b. A software tool designed to allow a user located somewhere else to take complete, interactive control of a system c. A program that copies itself and infects computer after computer via host movement without permission or knowledge from the users d. A portion of an application that, with user consent, downloads updates for its application suite

b. A software tool designed to allow a user located somewhere else to take complete, interactive control of a system

What is Multiprogramming? Select one: a. A system that has multiple CPUs or "Cores" installed. b. A system that is running multiple applications simultaneously c. A human operating multiple computer systems simultaneously d. A human working on multiple tasks simultaneously

b. A system that is running multiple applications simultaneously

A formal security model used in computer systems that characterizes the rights of each user with respect to every object in the system is known as a(n) ____________. Select one: a. Role Hierarchy b. Access Control Matrix c. Hash Table d. API

b. Access Control Matrix

Which of the following is an example of a layered defense? Select one: a. An attacker is outrightly prevented from exploiting a network through multiple layers of defensive measures. b. After defeating an initial defense, an attacker is confronted with a different form of defense that must be overcome before further penetration can occur. c. An attacker prevents counterattacks through the use of proxy networks and other means, thereby involving a layer of defensive measures. d. None of the above

b. After defeating an initial defense, an attacker is confronted with a different form of defense that must be overcome before further penetration can occur.

Which of the following is not an example of a layered defense? Select all that apply Select one or more: a. After defeating an initial defense, an attacker is confronted with a different type of defense that must be overcome before further penetration can occur b. An attacker prevents counterattacks through the use of proxy networks and other means, thereby involving a layer of defense measures c. An attacker is isolated after his initial entry into a network, thereby preventing further damage d. After defeating the primary defense, an attacker has complete access to a network

b. An attacker prevents counterattacks through the use of proxy networks and other means, thereby involving a layer of defense measures d. After defeating the primary defense, an attacker has complete access to a network

Which of the following are goals of an Access Control System in an operating system? Select all that apply. Select one or more: a. Remove credible threats b. Check permissions on every access c. Ensure acceptable usage d. Enforce least privilege

b. Check permissions on every access c. Ensure acceptable usage d. Enforce least privilege

Which of the following are goals of an Access Control System in an operating system? Select all that apply. Select one or more: a. Check permissions on every access b. Enforce least privilege c. Remove credible threats d. Ensure acceptable usage

b. Enforce least privilege

Which of the following is not a best practice for virus scanner configuration? Select one: a. Automatic updates downloaded multiple times a day b. Monthly removal and re-installation to ensure that the scanner itself has not been compromised by malware c. Complete scans of all files on a weekly basis d. Scanning of programs as they are executed

b. Monthly removal and re-installation to ensure that the scanner itself has not been compromised by malware

Which of the following is not a best practice for virus scanner configuration? Select one: a. Complete scans of all files on a weekly basis b. Monthly removal and re-installation to ensure that the scanner itself has not been compromised by malware c. Automatic updates downloaded multiple times a day d. Scanning of programs as they are executed

b. Monthly removal and re-installation to ensure that the scanner itself has not been compromised by malware

The orange book was a member of what series of government security standards? Select one: a. Prism Series b. Rainbow Series c. Multi-Color Series d. Secure Series

b. Rainbow Series

Information security professionals prefer the term "trust" to "secure" because Select one: a. Trust is not preferred to the term secure b. Secure is a cut-and-dry yes/no quality. While trust can have varying degrees c. Trust is a simple to use and understand word for the non-technical d. Secure is not totally possible, while trust is

b. Secure is a cut-and-dry yes/no quality. While trust can have varying degrees

How do user permissions impact the damage caused by malware? Select one: a. The damage caused by malware is not impacted by user permissions b. The malware inherits permissions from the user and can only perform the same actions as the user c. Malware will sometimes adjust the permissions assigned to a particular user d. None of the above

b. The malware inherits permissions from the user and can only perform the same actions as the user

Why are strong passwords required to protect a system? Select one: a. To allow users access to more systems b. To prevent dictionary attacks c. Strong passwords are not required d. To alleviate pressure on the firewall

b. To prevent dictionary attacks

The orange book and its successors were collectively referred to as the Select one: a. Trusted Computing Safety Evaluation Criteria (TCSEC) b. Trusted Computer System Evaluation Criteria (TCSEC) c. Trusted Computer Security Evaluation Concept (TCSEC) d. Technical Computer Security Evaluation Concept (TCSEC)

b. Trusted Computer System Evaluation Criteria (TCSEC)

Which of the following portions of the operating system typically do not make up the TCB (Trusted Computing Base)? Select all that apply. Select one or more: a. Inter-process communication b. User protection c. File protection d. Memory protection e. Kernels

b. User protection e. Kernels

In regard to trusted computing, what is a policy? Select one: a. A policy is the rights granted to a process within the trusted computing architecture b. A policy is the rights granted to a user from an operating system, provided in a policy matrix c. A policy is a statement that describes the information security a system is expected to provide d. A policy is a statement that describes the matrix that is rendered from the rights granted by an operating system

c. A policy is a statement that describes the information security a system is expected to provide

Which of the following is an example of a host based intrusion detection system? Select one: a. A system installed on a user's computer that keeps track of every permission list and notes any variances b. Hardware that is designed to prevent unauthorized access to a computer system c. A system installed on a user's computer that monitors CPU utilization, memory utilization and running processes, searching for anomalies d. A system installed on a user's computer that compares currently running code against large databases of known viruses

c. A system installed on a user's computer that monitors CPU utilization, memory utilization and running processes, searching for anomalies

Why should firewalls be used both at the host and network level? Select one: a. As part of a layered defense strategy b. Because host firewalls protect against a different type of threat, threats inside the network. Network firewalls protect against attacks originating outside of the network c. All of the above d. None of the above

c. All of the above

Why are passwords typically hashed? Select one: a. Because hashed passwords can be compared more quickly b. Because hashed passwords can be compared more accurately c. Because hashed passwords are more fortified against password file attacks d. None of the above

c. Because hashed passwords are more fortified against password file attacks

Why are strong passwords important? Select one: a. If a password can be guessed, no technological device will protect the system or information b. Password cracking is more likely to occur using weak passwords c. Both A and B d. None of the above

c. Both A and B

How do anti-virus products work? Select all that apply. Select one or more: a. By data captures and port monitoring, among other methods b. By examining the user's input c. By examining files and comparing their code to known viruses in a dictionary d. By identifying any suspicious behavior from a computer application that might show some form of malicious intent/infection

c. By examining files and comparing their code to known viruses in a dictionary

How does hashing prevent passwords that are stored by the operating system on a hard drive from being stolen by attackers? Select one: a. By acting much like a non-random function b. By hiding the location of the password in the file system c. By providing a cryptographic key so that only the author can reserve the passwords d. By changing the password in a non-random way that is possible to reverse into the original password

c. By providing a cryptographic key so that only the author can reserve the passwords

An operating system interfaces with hardware's firmware through: Select one: a. Kernels b. Applications c. Device drivers d. The keyboard

c. Device drivers

Which of the following is not a goal of an access control mechanism? Select one: a. Enforce least privilege b. Ensure acceptable usage c. Ensure accurate usage d. Ensure that permissions are enforced

c. Ensure accurate usage

The storage scheme used by an operating system to organize data on a hard disk is known as a _______. Select one: a. Task manager b. File manager c. File system d. Control matrix

c. File system

Which of the following portions of the operating system typically do not make up the TCB (Trusted Computing Base)? Select all that apply. Select one or more: a. File protection b. User protection c. Kernels d. Inter-process communication e. Memory protection

c. Kernels

The orange book was a member of what series of government security standards? Select one: a. Secure Series b. Prism Series c. Rainbow Series d. Multi-Color Series

c. Rainbow Series

Which of the following describes how most anti-virus products work? Select one: a. The software watches all network traffic into and out of a system, comparing it to prior traffic patterns, watching for changes b. The software compares prior behavior of programs to the current behavior, watching for changes that could indicate infection by a virus. c. The software uses signatures to compare the contents of the files on the system to known viruses d. The software monitors all of the programs on a system, watching for "virus like" characteristics

c. The software uses signatures to compare the contents of the files on the system to known viruses

What is a file system? Select one: a. A collection of all of the permanent storage devices (Hard disks, USB drives, CDRWs, etc.) on the system b. A proprietary technology used on Windows to organize files c. The storage schemes used by different operating systems to organize data on a hard disk or other permanent storage device d. A listing of all files stored on a hard disk

c. The storage schemes used by different operating systems to organize data on a hard disk or other permanent storage device

The orange book and its successors were collectively referred to as the Select one: a. Technical Computer Security Evaluation Concept (TCSEC) b. Trusted Computing Safety Evaluation Criteria (TCSEC) c. Trusted Computer System Evaluation Criteria (TCSEC) d. Trusted Computer Security Evaluation Concept (TCSEC)

c. Trusted Computer System Evaluation Criteria (TCSEC)

The systems in the computer that are used to satisfy the organization's security policy combine to form the _______. Select one: a. IT foundation b. Core Network c. Trusted Computing Base (TCB) d. High-assurance processing system (HPS)

c. Trusted Computing Base (TCB)

Is a virus scanner required for each host if a network has a firewall and the e-mail is scanned for malware? Select one: a. No: A firewall is all you really need to be protected against malware b. No: These two measures cover the only way that a virus might infiltrate the organization c. Yes: Malware may bypass these two controls and enter the network through another path d. No: These two measures offer sufficient defense

c. Yes: Malware may bypass these two controls and enter the network through another path

Why do files need protection (access control) by the operating system? Select one: a. Malicious users may attempt to access the personal files of another user b. Malicious users may attempt to modify the files that belong to another user c. Malicious users may attempt to access and sell personal data belonging to another user d. All of the above

d. All of the above

Which of the following is not an object type that requires protection by the operating system? Select one: a. Files b. Memory c. Users (user authentication) d. All of the above are objects that require protection by the operating system

d. All of the above are objects that require protection by the operating system

Which of the following is not a best practice for generating a strong password? Select one: a. A password should have at least one symbol character in the second through sixth positions b. A password should not be a common word or name c. A password should be significantly different from prior passwords d. All of the above are recommendations for generating a strong password

d. All of the above are recommendations for generating a strong password

In reference to operating systems, which of the following is a process? Select one: a. A method or system for achieving a commercial result b. A projection or outgrowth of an application into an operating system c. A set of transformations of input into products d. An instance of a computer program being executed

d. An instance of a computer program being executed

In reference to operating systems, which of the following is a process? Select one: a. A set of transformations of input into products b. A method or system for achieving a commercial result c. A projection or outgrowth of an application into an operating system d. An instance of a computer program being executed

d. An instance of a computer program being executed

Why does hashing prevent hackers from stealing the contents of a password file? Select one: a. Because the passwords are encrypted and cannot be decrypted without the private key b. The passwords themselves are stored in cleartext. Other required information, such as the username, is hashed and not reversible c. Passwords are not hashed; they are encrypted d. Because, practically speaking, the hashes cannot be reversed to reveal the original password

d. Because, practically speaking, the hashes cannot be reversed to reveal the original password

Why should firewalls be used both at the host and network level? Select one: a. As part of a layered defense b. Because host firewalls protect against threats originating inside the network, while network firewalls protect against attacks originating outside of the network c. Because network firewalls protect against threats originating inside the network, while host-based firewalls protect against attacks originating outside of the network d. Both A and B

d. Both A and B

A piece of hardware or software that captures a user's keystrokes is known as a ____. Select one: a. Informant b. Virus c. Trojan d. Keystroke logger

d. Keystroke logger

Trusted Computer Base (TCB) script

The job of the TCB is to satisfy the security policy. If the TCB is implemented correctly, then nothing that happens to the system will be able to prevent it from offering the services the security policy outlines. An example of manufacturers using this in the latest hardware is the Trusted Platform Module (TPM) chip included on most motherboards. This is a hardware component that operating systems and applications can access and interact with to form a trusted environment.

Virus phases

• Dormant phase
• Propagation phase
• Triggering phase
• Execution phase

Access control goals

• Check permissions on every access
• Enforce least privilege
• Ensure acceptable usage
