Operating System Security

Ace your homework & exams now with Quizwiz!

Other Common Malware (1) gathers information from your computer and uses it to display advertisements. Most of these advertisements occur in the form of pop ups. Adware may also redirect search engine queries or modify a user's homepage so it points to a different webpage. Most users unknowingly give adware distributors permission to install their software by embedding it into the End-User Licensing Agreement (EULA). (2) is similar to adware, the only difference is in what the application does once installed. Spyware is designed to capture sensitive data on your system and transmit the data back to another party. Spyware typically accomplishes this by either searching the hard disk for the desired information or by installing software devices that monitor your computer activity. (3) are software packages designed to allow a user located somewhere else to take complete control your system. Rootkits can be placed on a system by different types of malware; it is not uncommon to see rootkits placed on a computer by Trojans, spyware or worms.

(1) Adware (2) Spyware (3) Rootkits

Types of Viruses (1) Integrate their malicious instructions into the code of the targeted program. The targeted program still exists, for all intents and purposes, but every time it is run the virus will also be executed. (2) Completely replaces the targeted program. When the user goes to run the targeted program they instead unknowingly run the virus. (3) Frequently called "macro viruses", these viruses reside inside of data files. When the user opens the data file, often a Microsoft Office document, the virus runs as well. These viruses take advantage of the fact that common office applications have the capability of adding custom commands and routines to documents.

(1) Companion Viruses (2) Overwriting Viruses (3) Document Viruses

Access Control (1) Processes are assigned portions of main memory to use while they are running. For security to be maintained, processes must not be able to access the memory space of another process. The victimized process or possibly the operating system could crash, not to mention the loss of confidentiality that could ensue. For example, imagine a virus that attempts to examine the memory space of another process in the hopes of discovering an encryption key. Another example might be a piece of malware that attempts to disable a virus scanner. (2) Files are essentially chunks of data stored in the file system and are the type of object that most people think of when discussing access control. Examples of files include programs, files containing data such as a word processor documents, spreadsheets, image files (pictures) and many others. By default, an "owner" of a file will have full access to it while others may not, unless they have elevated privileges above those of a normal user. (3) Just as files require access control, so do directories. For example, there may be situations in which an administrator wants to prevent someone from being able to view the list of files stored in a directory. Website administrators often disable this feature. By the same token, an administrator may wish to prevent a user from saving some information to a particular directory. A proper access control system should offer this level of control. (4) Unlike data files, few people consider that programs must also be protected. There are many programs on a computer system that administrators like to prevent regular users from using. For example, a network administrator may have a network utility that attempts to hack into other computer systems, used for testing security. Obviously this utility should be locked down so accidental running does not occur. (5) Hardware devices must also have restricted access. For instance, one organization may discover that some employee has been stealing sensitive corporate information by copying it off their computer onto a USB drive. An operating system must provide a means of preventing users from accessing specific hardware devices, in this case preventing regular users from accessing USB drives.

(1) Main Memory (2) Files (3) Folders/Directories (4) Programs (5) Hardware Devices

Avoiding Detection Techniques: (1) The virus reprograms itself after each infection, making detection by scanners difficult. (2) Some viruses attempt to prevent virus scanners from communicating with the OS, thereby cutting off the virus scanner from the rest of the OS. If successful, detection becomes impossible. (3) Some viruses attempt to shut down, pause, disable or delete virus scanners. If successful, detection becomes virtually impossible.

(1) Polymorph (2) Stealth (3) Disabling

Malware Detection (1) The most common type of scanner used is a signature based scanner. Just as with signature based IDS, the scanner uses a library of signatures, and compares each program and file on a computer system to the entries in the library. If a match is found, then it can be determined that the system is infected with a form of malware. (2) Anomaly based malware scanners are roughly analogous to anomaly based IDS. These scanners attempt to monitor your computer to determine if anything is out of the ordinary. While signature based scanners have a false alarm rate of 0%, they often miss new attacks. Anomaly based scanners suffer from the reverse condition. They often identify nearly every attack perpetrated on the system. The false alarm rate, though, is considerably higher than signature based scanners.

(1) Signature Based Scanners (2) Anomaly Based Scanners

ACL stands for: Access Communications List Access Controlled Ledger Access Control List Attempted Control List

Access Control List

Portions of the operating system typically do not make up the TCB •Hardware •Processes •File Protection •Memory Protection •Inter-process Communication

All systems in the computer that are used to satisfy the organization's security policy combine to form the Trusted Computing Base (TCB). The TCB should be isolated from the other components of the system so that things in the non-TCB cannot affect the operation of the TCB. For this reason it is very important for the TCB to be implemented correctly. The portions of the Operating System that typically make up the TCB are:

Files are: The different pieces of hardware that combine to make a computer Any chunk of data stored in the file system The different layers of an operating system Processes run by the operating system

Any chunk of data stored in the file system

Today's trusted computing standard can be found in the: Trusted Criteria Handbook Computing Criteria Guidelines Common Criteria , ISO Standard 15408 Computing Criteria, ISO standard 15480

Common Criteria , ISO Standard 15408

Which of the following is not a goal of an access control mechanism? Ensure permissions are enforced Enforce least privilege Ensure acceptable usage Ensure accurate usage

Ensure accurate usage

1) Attacker computes random password hashes 2) Attacker observes secret password hash transmitted between computers 3) Attacker looks at table of pre-computed hashes, looking for the entry that matches the has (s)he observed. 4) Attacker now has a valid password.

Example of Rainbow Attack The key to a rainbow attack is the knowledge that a password will always hash to the same output. Using this knowledge, an attacker can begin generating hashes for all possible passwords. When the attacker intercepts hashed passwords, (s)he only needs to consult the table of already computed hashes, and see which password generates the hash they have intercepted. When you type in a password, the submitted password is hashed and compared to a hashed value on file. If the same cryptographic hashing function is used in both cases, then it becomes possible to compare the output to determine if the submitted password is the same as the one that is on file.

A computer never stores a user's username and password. True False

False

A process with read and write access cannot do more damage than a process with only read access. Select one: True False

False

Before starting a rainbow attack the attacker must know an individual username. True False

False

Operating Systems are the most important piece of computer hardware. True False

False

The smallest problem with encryption is where to store the encryption key. True False

False

The two most common methods anti-virus software use are Signature-based and Anonymous-based scanning. Select one: True False

False

Cryptographic hashing was abandoned in favor of encryption. True False

False The challenges with password encryption were great enough that basic encryption was abandoned in favor of cryptographic hashing.

•Check permissions on every access - the operating system needs to verify a user's permissions every time they access an object. If this is not done then users may continue to have access even after their permissions have changed. On the flip side, users may not have access to assets even after an administrator has adjusted their permission settings. •Enforce least privilege - Recall that the principle of least privileges states that users should have access only to the assets they need to accomplish their assigned tasks. •Ensure acceptable usage - While determining whether a person can have access is a yes or no decision, an access control system should attempt to ensure that the object is being used appropriately. This type of defense can help defend against some types of viruses that cause existing programs to behave in new manners.

Goals of an Access Control System

•CPU utilization. •Memory utilization. •Which processes are running at a particular time. •Some advanced monitor what each process typically does, and sound an alarm when a process exhibits abnormal behavior.

Host based IDSs run on a computer like anti-virus products and monitor the computer for unusual activity. Host based IDSs are heuristically based software systems that compare how the system is currently running to observed prior behavior. Host based IDSs monitor all of the following:

Processes are assigned portions of __________ to use while they are running. Folders/ Directories Hardware Devices Main Memory Access control

Main Memory

Why do files need protection (access control) by the operating system? To keep the creator from deleting the files Malicious users may attempt to access and modify personal files of another user To prevent authorized users from accessing files To protect the main memory

Malicious users may attempt to access and modify personal files of another user

Which of the following is a protection of a trusted operating system? Memory Protection Hardware Protection Complete Protection Warranty Protection

Memory Protection

The Trusted Computing System Evaluation Criteria (TCSEC) of 1983 is also known as the: Blue book Orange Book Red book Yellow book

Orange Book

Access Control is designed to: Place and enforce restrictions on which users may perform certain actions Control the OS functions Control a computer's hardware Place restrictions on how the software interacts with the hardware

Place and enforce restrictions on which users may perform certain actions

A _____ is a written set of rules that describes the information security, a system is expected to provide. Policy Compendium Manual Guidelines

Policy

A commonly overlooked area that needs restrictions is: Files Administrative Accounts Programs Main Memory (RAM)

Programs

Which of the following permissions is an example of an action that most users need to be able to complete? The ability to access the network The ability to uninstall software The ability to install software The ability to add new network devices

The ability to access the network

A program that appears to be one thing, such as a game, to lure installation, but actually runs malware is called a ___________________.

The correct answer is Trojan horse.

A scanner that flags anything out of the ordinary is a/an _________________ based scanner

The correct answer is anomaly based.

The phase when a virus is idle is the __________________ phase.

The correct answer is dormant phase.

The final phase when the virus releases its payload is called the _______________ phase.

The correct answer is execution phase.

___________ is a generic term for all malicious software.

The correct answer is malware.

The ________________ phase is when the virus begins to spread and replicate.

The correct answer is propogation.

An anti-virus scanner that scans a library of known malware for matches on a system is a/an ____________ based scanner.

The correct answer is signature.

A dormant virus that requires an action to activate, receives that command during the ______________ phase?

The correct answer is triggering phase.

Companion, overwriting and document are all common types of _________________.

The correct answer is viruses.

This malware does not require any user action to spread and execute is called a ___________

The correct answer is worm.

Guidelines for strong passwords: •Seven to fourteen characters long •Contain characters from each of the following three groups: •Uppercase and Lowercase: A,B,C..., and a,b,c... •Numerals: 0,1,2,3,4,5,6,7,8,9 •Symbols: ' ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . / •Have at leastone symbol character in the second through sixth position •Significantly different from prior passwords •Not contain a user's name or username •Not be a common word or name To assist in the creation of a strong password, consider converting phrases or lyrics to a numerical form.

The following are guidelines for setting up strong passwords:

The need for layered defense: •Many types of malware are capable of bypassing network firewalls. •Users may unknowingly download and install Trojans. •Users may open infected email messages. •Users may download free software containing adware and spyware.

The increase in malware illustrates the need for a layered defense a network firewall will not prevent infection under any of these circumstances. Firewalls are typically thought of as a network security control. However, as previously discussed, firewalls can be installed in two different places: the network perimeter and on each computer (host-based firewall). The question is, which is the better place? The simple answer is, both are necessary and practical. Many forms of malware are designed to reconfigure host based firewalls so vulnerabilities can be exploited. Network firewalls can help mitigate some of these problems.

•Where should it be stored? •How should it be secured? •When should the OS be allowed to access the key? •When should the OS be denied access?

The use of encryption prevents attackers from being able to discern the individual passwords. Though this approach seems straightforward and clean, it is not quite the case. The main challenges involve the encryption key:

Defense in Depth: •Firewalls •Anti-virus scanning software •Password security •Host-based intrusion detection systems •User permissions

This practice is commonly referred to as defense in depth or layered defense. The goal of these differing layers is to provide additional protection in the event that the previous layer is compromised or defeated.

•Unclassified •Restricted •FOUOF - or Official Use Only •CUI - Controlled Unclassified Information •SBU - Sensitive but Unclassified •Confidential •Secret •Top Secret

Though the policy attempts to satisfy all goals of information assurance, confidentiality is a top priority. Generally speaking, information in the DoD security policy is governed by the concept of "need to know". The DoD security policy classifies information according to its sensitivity.

A user on any system should be given just enough permissions for him or her to complete their duties. Select one: True False

True

Any executing program, including services, daemons or applications is a process. Select one: True False

True

Cryptographic hashing is a one way function, so the output cannot be reversed to obtain the input. True False

True

Early Unix systems kept passwords in clear text. True False

True

Encryption helps prevent attackers from being able to easily obtain passwords. True False

True

Fingerprint canning is the most common biometric technology used in place of usernames and passwords. True False

True

The only attack known that could possibly obtain a user's password from cryptographic hashing is the Rainbow Attack. True False

True

The three layers of an OS are Application, Kernel and Hardware. True False

True

Security professionals prefer to use ____ over ____. Safe over Trusted Secure over Trusted Trusted over Safe Trusted over Secure

Trusted over Secure

What can a company block access to, to keep employees from stealing corporate information? Email applications CPU RAM USB Drives

USB Drives

The principle of least privilege is: Users should only have access to assets they need to accomplish their assigned tasks Users should have complete access to all assets on the computer Ensuring acceptable usage Checking permissions on every access

Users should only have access to assets they need to accomplish their assigned tasks

(1) During the dormant phase the virus is idle. The virus will remain in this state, without releasing its payload, until some triggering event occurs. This triggering event may be a user action, such as opening a specific file, or it may be something more passive such as a specific date or time. This phase is optional, meaning that not every virus has a dormant phase. (2) During the propagation phase the virus spreads, typically seizing every opportunity to replicate itself to other systems. It should be noted that the virus has not yet executed its payload during the propagation phase. If the virus is file-infecting, then it will infect other executable files on the system. If the virus is spread through email then typically it will mail copies of itself to other email addresses found on the system. (3) If the virus has been dormant, the triggering phase is the phase that causes it to activate. As previously outlined, this may occur when at a specific level. If the virus has not been dormant, then the triggering phase may simply be the completion of the propagation phase. In other words, once the virus has spread, it then executes its payload. (4) The final phase is the execution phase, during which time the virus executes its payload. The payload itself may be harmless, such as displaying a message to the user. Often, though, the results are somewhat more severe, ranging from a denial of service attack to corruption and destruction of the data on the system.

Viruses Phases

Anti-virus systems should have their libraries updated regularly. Select one: a. Signature b. File c. Software d. Password libraries

How do user permissions impact the damage caused by malware? Select one: a. The malware inherits permissions from the user. The malware can only perform the same actions as the user b. The damage cause by malware is not impacted by user permissions Incorrect c. Malware will sometimes adjust the permissions assigned to a particular user d. None of the above

How does a signature based scanner find malware? Select one: a. Malware is detected by comparing an application's code to a database of known malware b. Malware is detected by monitoring network activity coming into and out of the computer, watching for patterns that are known to be associated with viruses c. Malware is detected by analyzing process activity and compares that to a known history of acceptable use in some artificially intelligent way d. Malware is detected by looking for suspicious behavior of applications through various means

In the context of information security, what is policy? Select one: a. A written list detailing the rules of an organization b. A list detailing practices that are to be observed regarding information c. A document assigning particular responsibilities to specific individuals or offices in an organization d. All of the above

Is a virus scanner required for each host if a network has a firewall and the e-mail is scanned for malware? Select one: a. Yes: Malware may bypass these two controls and enter the network through another path b. No: A firewall is all you really need to be protected against malware c. No: These two measures offer sufficient defense d. No: These two measures cover the only way that a virus might infiltrate the organization

What is Multiprogramming? Select one: a. A system that is running multiple applications simultaneously b. A human operating multiple computer systems simultaneously c. A human working on multiple tasks simultaneously d. A system that has multiple CPUs or "Cores" installed.

What is a host based intrusion detection system? Select one: a. A software package that monitors a single computer system, watching for abnormal activity b. A software package that watches all of the hosts on a network, monitoring them for abnormal activity c. A software package that watches all incoming network traffic for indications of an attack d. None of the above

What is a root kit? Select one: a. A software tool designed to allow a user located somewhere else to take complete, interactive control of a system b. A portion of an application that, with or without user consent, shows advertisements for other products or services during its use c. A portion of an application that, with user consent, downloads updates for its application suite d. A program that copies itself and infects computer after computer via host movement without permission or knowledge from the users

What is an Application Program Interface ("API")? Select one: a. A mechanism by which a program may interact with the operating system b. A way of interfacing with a particular application c. A way of accessing all of the software installed on a computer system d. A way of accessing the program code for applications that have been loaded on the system

What is an operating system? Select one: a. A software system that manages all of the hardware and other software in a system b. A system that is used to track the progress of IT managers and resources c. A system used to optimize distribution of network resources d. A system that is used to track the monetary disbursements

What is the trusted computing base? Select one: a. The portions of a computer system that together serve to satisfy the stated security policy b. The systems in an organization that are considered to be most secure c. The users of the most heavily fortified computer systems in an organization d. None of the above

Why do information security professionals describe operating systems using the word "trust" rather than "secure"? Select one: a. "Secure" is too rigid - something is either secure, or it is not. Trust can be measured in grades or classes b. "Trust" evokes greater confidence in the security of a system than "secure" c. "Secure" can have a variety of definitions, leading to confusion about which definition is intended d. None of the above

How do anti-virus products work? Select all that apply. Select one or more: a. By examining files and comparing their code to known viruses in a dictionary b. By identifying any suspicious behavior from a computer application that might show some form of malicious intent/infection Correct c. By examining the user's input d. By data captures and port monitoring, among other methods

a, b

Which of the following is an API? Select all that apply Select one or more: a. Something that allows applications to perform the tasks they need without giving them direct access to the underlying hardware b. An interface that allows one application to directly manipulate the memory system of other applications c. An interface that allows the programmer to directly access the hardware when needed d. Something used when an application wishes to use a service offered by the operating system

a, d

A formal security model used in computer systems that characterizes the rights of each user with respect to every object in the system is known as a(n) ____________. Select one: a. Role Hierarchy b. Access Control Matrix c. Hash Table d. API

How do user permissions impact the damage caused by malware? Select one: a. The damage caused by malware is not impacted by user permissions b. The malware inherits permissions from the user and can only perform the same actions as the user c. Malware will sometimes adjust the permissions assigned to a particular user d. None of the above

In regard to trusted computing, what is a policy? Select one: a. A policy is a statement that describes the matrix that is rendered from the rights granted by an operating system b. A policy is a statement that describes the information security a system is expected to provide c. A policy is the rights granted to a process within the trusted computing architecture d. A policy is the rights granted to a user from an operating system, provided in a policy matrix

Information security professionals prefer the term "trust" to "secure" because Select one: a. Trust is not preferred to the term secure b. Secure is a cut-and-dry yes/no quality. While trust can have varying degrees c. Trust is a simple to use and understand word for the non-technical d. Secure is not totally possible, while trust is

The orange book and its successors were collectively referred to as the Select one: a. Trusted Computing Safety Evaluation Criteria (TCSEC) b. Trusted Computer System Evaluation Criteria (TCSEC) Correct c. Trusted Computer Security Evaluation Concept (TCSEC) d. Technical Computer Security Evaluation Concept (TCSEC)

Which of the following are goals of an Access Control System in an operating system? Select all that apply. Select one or more: a. Check permissions on every access Correct b. Enforce least privilege c. Remove credible threats d. Ensure acceptable usage

Which of the following is an example of a layered defense? Select one: a. An attacker is outrightly prevented from exploiting a network through multiple layer of defensive measures. Incorrect b. After defeating an initial defense, an attacker is confronted with a different form of defense that must be overcome before further penetration can occur. c. An attacker prevents counterattacks through the use of proxy networks and other means, thereby involving a layer of defensive measures. d. None of the above

Which of the following is not a best practice for virus scanner configuration? Select one: a. Automatic updates downloaded multiple times a day b. Monthly removal and re-installation to ensure that the scanner itself has not been compromised by malware c. Complete scans of all files on a weekly basis d. Scanning of programs as they are executed

Why are strong passwords required to protect a system? Select one: a. To allow users access to more systems b. To prevent dictionary attacks c. Strong passwords are not required d. To alleviate pressure on the firewall

Which of the following is not an example of a layered defense? Select all that apply Select one or more: a. After defeating an initial defense, an attacker is confronted with a different type of defense that must be overcome before further penetration can occur Incorrect b. An attacker prevents counterattacks through the use of proxy networks and other means, thereby involving a layer of defense measures c. An attacker is isolated after his initial entry into a network, thereby preventing further damage d. After defeating the primary defense, an attacker has complete access to a network

b,d

An operating system interfaces with hardware's firmware through: Select one: a. Kernels b. Applications c. Device drivers d. The keyboard

How does hashing prevent passwords that are stored by the operating system on a hard drive from being stolen by attackers? Select one: a. By acting much like a non-random function b. By hiding the location of the password in the file system c. By providing a cryptographic key so that only the author can reserve the passwords d. By changing the password in a non-random way that is possible to reverse into the original password

The orange book was a member of what series of government security standards? Select one: a. Secure Series b. Prism Series c. Rainbow Series d. Multi-Color Series

The storage scheme used by an operating system to organize data on a hard disk is known as a . Select one: a. Task manager b. File manager c. File system d. Control matrix

The systems in the computer that are used to satisfy the organization's security policy combine to form the . Select one: a. IT foundation b. Core Network c. Trusted Computing Base (TCB) d. High-assurance processing system (HPS)

What is a file system? Select one: a. A collection of all of the permanent storage devices (Hard disks, USB drives, CDRWs, etc.) on the system b. A proprietary technology used on Windows to organize files c. The storage schemes used by different operating systems to organize data on a hard disk or other permanent storage device d. A listing of all files stored on a hard disk

Which of the following describes how most anti-virus products work? Select one: a. The software watches all network traffic into and out of a system, comparing it to prior traffic patterns, watching for changes b. The software compares prior behavior of programs to the current behavior, watching for changes that could indicate infection by a virus. c. The software uses signatures to compare the contents of the files on the system to known viruses d. The software monitors all of the programs on a system, watching for "virus like" characteristics

Which of the following is an example of a host based intrusion detection system? Select one: a. A system installed on a user's computer that keeps track of every permission list and notes any variances b. Hardware that is designed to prevent unauthorized access to a computer system c. A system installed on a user's computer that monitors CPU utilization, memory utilization and running processes, searching for anomalies d. A system installed on a user's computer that compares currently running code against large databases of known viruses

Which of the following is not a goal of an access control mechanism? Select one: a. Enforce least privilege b. Ensure acceptable usage c. Ensure accurate usage d. Ensure that permissions are enforced

Why are passwords typically hashed? Select one: a. Because hashed passwords can be compared more quickly b. Because hashed passwords can be compared more accurately c. Because hashed passwords are more fortified against password file attacks Correct d. None of the above

Why are strong passwords important? Select one: a. If a password can be guessed, no technological device will protect the system or information b. Password cracking is more likely to occur using weak passwords c. Both A and B d. None of the above

Why should firewalls be used both at the host and network level? Select one: a. As part of a layered defense strategy b. Because host firewalls protect against a different type of threat, threats inside the network. Network firewalls protect against attacks originating outside of the network c. All of the above d. None of the above

A piece of hardware or software that captures a user's keystrokes is known as a . Select one: a. Informant b. Virus c. Trojan d. Keystroke logger

In reference to operating systems, which of the following is a process? Select one: a. A set of transformations of input into products b. A method or system for achieving a commercial result c. A projection or outgrowth of an application into an operating system d. An instance of a computer program being executed

Which of the following is not a best practice for generating a strong password? Select one: a. A password should have at least one symbol character in the second through sixth positions b. A password should not be a common word or name c. A password should be significantly different from prior passwords d. All of the above are recommendations for generating a strong password

Which of the following is not an object type that requires protection by the operating system? Select one: a. Files b. Memory c. Users (user authentication) Incorrect d. All of the above are objects that require protection by the operating system

Why do files need protection (access control) by the operating system? Select one: a. Malicious users may attempt to access the personal files of another user b. Malicious users may attempt to modify the files that belong to another user c. Malicious users may attempt to access and sell personal data belonging to another user d. All of the above

Why does hashing prevent hackers from stealing the contents of a password file? Select one: a. Because the passwords are encrypted and cannot be decrypted without the private key b. The passwords themselves are stored in cleartext. Other required information, such as the username, are hashed and not reversible c. Passwords are not hashed; they are encrypted d. Because, practically speaking, the hashes cannot be reversed to reveal the original password

Why should firewalls be used both at the host and network level? Select one: a. As part of a layered defense b. Because host firewalls protect against threats originating inside the network, while network firewalls protect against attacks originating outside of the network. c. Because network firewalls protect against threats originating inside the network, while host-base firewalls protect against attacks originating outside of the network. d. Both A and B

Which of the following portions of the operating system typically do not make up the TCB (Trusted Computing Base)? Select all that apply. Select one or more: a. Inter-process communication b. User protection c. File protection d. Memory protection e. Kernels

Operating System Security

Related study sets

quiz 2

Unit 4: China Quiz

Pregnancy

Nursing Process

Med Surg 2 Final

Chapter 6

neurons

CC

2nd Test #1 Study Guide

Sampling

Chapter 1

Chapter 1

MIS 301 Final Review

chapter 16 - F I N

HISTORY: Nationalism in India - UT 1

SCM chapter 10 - clicker questions and quiz

micro econ final

ASL 2 Final

Maternity exam 6 study q's

CH. 16: FINISHES