-
-
Save oop106/1440258 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 10.1 explain the differences among the terms security class, security level, security clearance, and security classification. | |
| Context: BLP model, access control concept | |
| security class - assigned to each subject and object, in the simplest form: | |
| security level - form a strict hierarchy and are referred to as security levels (top secret -> secret -> ...) | |
| security clearance - a subject is said to have a security clearance of a given level | |
| security classification - an object is said to have a security classification of a given level | |
| 10.2 what are the three rules specified by the BLP model? | |
| ss-property (simple security) - no read up; subject can only read object of less or equal security level | |
| *-property - no write down; subject can only write into an object of greater or equal security level | |
| ds-propery (discretionary) - an individual may grant to another individual access to a document based on the owner's discretion, constrained by the MAC rules | |
| 10.3 how is discretionary access control incorporated into the BLP models? | |
| an individual may grant to another individual access to a document based on the owner's discretion, constrained by the MAC rules. site policy overrides any discretionary access controls. | |
| 10.4 what is the principal difference between the BLP model and the Biba model? | |
| BLP - confidentiality, concerned with unauthorized disclosure of information | |
| Biba - integrity, concerned with the unauthorized modification of data | |
| 10.5 what are the three rules specified by the Biba model? | |
| simple integrity - subject can modify an object only if integrity level I(S) of subject >= I(O) | |
| integrity confinement - subject can read an object only if I(S) <= I(O) | |
| invocation property - subject S1 can invoke (= communication from one subject to another) other subject only if I(S1) >= I(S2) | |
| 10.6 explain the difference between certification rules and enforcement rules in the clark-wilson model. | |
| certification - security policy restrictions on the behavior of IVPs (integrity verification procedures, p316) and TPs (transformation procedures) | |
| enforcement - built-in system security mechanisms that achieve the objectives of the certification rules | |
| 10.7 what is the meaning of the term chinese wall in the chinese wall model? | |
| subjects are only allowed access to information that is not held to conflict with any other information that they already possess. once information from one dataset is accessed, a wall is set up to protect information in other datasets in the same CI (conflict of interest class). | |
| 10.8 what are the two rules that a reference monitor enforces? | |
| no read up, no write down | |
| 10.9 what properties are required of a reference monitor? | |
| complete mediation - security rules are enforced on every access (not just on file open) | |
| isolation - reference monitor and database are protected from unauthorized modification | |
| verifiability - reference monitor's correctness must be provable | |
| 10.10 in general terms, how can MLS be implemented in an RBAC system? | |
| MLS (multilevel secure) - class of system that has resources at more than one level of security level and permits concurrent access by users who differ in clearances | |
| RBAC (role based access control) | |
| a role can include access permissions for multiple objects. r-level of role indicates the highest security classification for the objects assigned to the role. w-level of the role indicates the lowest security classification of its objects. | |
| 10.11 describe each of the possible degrees of granularity possible with an MLS database system. | |
| entire database, tables, columns, rows, individual elements | |
| 10.12 what is polyinstantiation? | |
| creating a new row at a lower level without modifying row at higher level. creates db with conflicting entries. | |
| 10.13 briefly describe the three basic services provided by a TPMs. | |
| TPM (trusted platform module) | |
| authenticated boot service - booting in stages, and ensuring each portion of the os is approved for use | |
| certification service - certify a specific configuration (hardware, software) for other systems | |
| encryption service - enables encryption of data in such a way that the data can be decrypted only by a certain machine and only if that machine is in a certain configuration | |
| 10.14 what is the aim of evaluating an IT product against a trusted computing evaluation standard? | |
| to provide greater confidence in the security of IT products as a result of formal actions taken during the process of developing, evaluating and operating these products. | |
| 10.15 what is the difference between security assurance and security functionality as used in trusted computing evaluation standards? | |
| functional requirements - desired security behavior | |
| assurance requirements - basis for gaining confidence that the claimed security measures are effective and correct | |
| 10.16 who are the parties typically involved in a security evaluation process? | |
| sponsor - customer or vendor of a product | |
| developer - provides evidence on the processes used to design, implement and test the product | |
| evaluator - performs technical evaluation work | |
| certifier - govt agency that monitors the process | |
| 10.17 what are the three main stages in an evaluation of an IT product against a trusted computing standard, such as the common criteria? | |
| preparation - initial contact, confirm all parties are adequately prepared, review of security target, ... | |
| conduct of evaluation - structured and formal process, ... | |
| conclusion - final evaluation report | |
| 11.1 Define buffer overflow. | |
| A condition where more input can be stored in a buffer than the buffers length and other information can be overwritten. | |
| 11.2 List the three distinct types of locations in a process address space that buffer overflow attacks typically target. | |
| - stack | |
| - heap | |
| - data section | |
| 11.3 What are the possible consequences of a buffer overflow occurring? | |
| - data corruption | |
| - unexpected transfer of control | |
| - memory access violation | |
| - program termination | |
| - arbitrary code execution by an attacker | |
| 11.4 What are the two key elements that must be identified in order to implement a buffer overflow? | |
| - initial vulnerability | |
| - how the buffer is located in memory, which data can be overwritten, how the program can be influenced | |
| 11.5 What types of programming languages are vulnerable to buffer overflow? | |
| languages which provide the ability to access and manipulate memory data directly | |
| 11.6 Describe how a stack buffer overflow attack is implemented. | |
| - buffer lies on the stack, adjacent to or near a stored function return address | |
| - attacker determines buffer size and distance between buffer and return address | |
| - the buffer is filled with shellcode (if it is large enough for it) or with "something" (really doesn't matter what, we will place the shellcode after the return address) | |
| - the space between return address and the end of the buffer is overwritten too (we can do this since the length of the input is unchecked) | |
| - the return address is overwritten with a specific value pointing to the beginning of the shellcode | |
| - if we are unable to determine the shellcodes exact location we insert some nops before it | |
| - if we are unable to determine the return addresses exact location, we set every value after the buffers end to the desired return address | |
| - when the running function returns, it will jump to the (attcker supplied) return address which now points to the shellcode | |
| - the shellcode is executed with the privileges of the attacked process | |
| 11.7 Define shellcode. | |
| The code inserted into a vulnerable program by an attacker in order to perform some task of the attackers choosing. Often lauching a shell which the attacker can access. | |
| Usually machine and os dependent. | |
| 11.8 What restrictions are often found in shellcode, and how can they be avoided? | |
| - not all characters allowed, as they have a special meaning to the function reading them. (For example gets stops reading on \n or \0.) | |
| - these characters must not be included in the shellcode or any thing else which should be used in an attack | |
| - most instructions can be replaced by others, which are represented by allowed characters | |
| - shellcode can create needed characters on the fly (xor %eax,%eax, now eax contains \0) and copy them to the positions where they are needed | |
| - shellcode can modify itsself to create the needed characters | |
| - shellcode encoders can do this automatically, can create alphanumeric shellcode | |
| - usually shellcode size increases with encoding | |
| 11.9 Describe what a NOP sled is and how it is used in a buffer overflow attack. | |
| - nop: no op, a cpu instruction which tells the cpu to do nothing | |
| - nop sled: many consecutive nops | |
| - nop sled can be inserted before the shellcode | |
| - even if the attacker doesn't know the exact location of the shellcode, s/he can set the return address to somewhere in the nop slep | |
| - since the nops don't do anything, it doesn't matter how many of them are executed | |
| - all nops before the shellcode are "executed", one the shellcode is reached, it is executed | |
| - effect is the same as if the attacker jumped directly to the beginning of the shellcode, but doesn't require it's exact location | |
| 11.10 List some of the different operations an attacker may design shellcode to perform. | |
| - whatever s/he wants? | |
| - execute shell | |
| - listening service which launches a shell when someone connects to it | |
| - connect to some attacker controlled server and direct in and output of a shell over the connection | |
| - use some local exploits | |
| - flush firewall rules | |
| 11.11 What are the two broad categories of defenses againt buffer overflows? | |
| - compile-time defenses: harden programs to resist attacks | |
| - run-time defenses: detect and abort attacks in existing programs | |
| 11.12 List and briefly describe some of the defenses against buffer overflows that can be used when compiling new programs. | |
| choice of programming language: strong typing, enforce range checks, (not C, more like java) | |
| safe coding techniques: code audits, use safe programming techniques, expect the unexpected, check available space before writing to a buffer, use safe library functions | |
| language extensions and use of safe libraries: use libraries which provide additional checks | |
| stack protection mechanisms: add checks to the function entry and exit code for corruption of the stack frame, terminate the program if corrution is detected to abort attacks, (checks are inserted by the compiler) | |
| 11.13 List and briefly describe some of the defenses against buffer overflows that can be implemented when running existing, vulnerable programs. | |
| executable address space protection: block execution of code on the stack (or any other location which should not contain executable code anyways), kill the program if it attempts to run code on the stack | |
| address space randomization: randomize the location of key data structures in the address space (like the location of the stack, allocations on the heap, location of library routines), to make jumping to the shellcode harder, program dies because the shellcode fails or because execution is transfered somewhere where there is no code | |
| guard pages: place pages between different memory regions (or between stack frames) and abort a process which tries to access these guard pages | |
| 11.14 Describe how a return-to-system-call attack is implemented and why it is used. | |
| - instead of directing the program flow to the shellcode, direct it do some already existing code like a library function | |
| - make sure the frame pointer is overwritten with a usable address, place a dummy return address and parameter which the library function needs above the return address | |
| - the dummy return address may also be the address of another library function | |
| - using this technique already existing code followed by a return can be chained to perform something the attacker wants (like copying the actual shellcode somewhere where it can be executed and then run it) | |
| - used because the attacker my be unable to directly inject executable code (see 11.13 executable address space protection) | |
| 11.15 Describe how a heap buffer overflow attack is implemented. | |
| - overflow a buffer in the heap and overwrite something next to it | |
| - if a function pointer is located next to the buffer it can be overwritten to point back into the buffer where the shellcode can be placed | |
| - if no function pointer is present it could be possible to manipulate the management data structures next to the allocated space on the heap to reach one | |
| - once the function pointer is called, execution continues withing the shellcode | |
| - profit | |
| 11.16 Describe how a global data area overflow attack is implemented. | |
| - overflow a buffer in the global data area and overwrite something next to it | |
| - like a function pointer (see 11.15) | |
| 12.1 define the difference between software quality and reliability and software security. | |
| quality and reliability - concerned with the accidental failure of a program as a result of some theoretically random, unanticipated input, system interaction, or use of incorrect code. | |
| security - the attacker chooses the probability distribution, targeting specific bugs that result in a failure that can be exploited by the attacker. | |
| 12.2 define defensive programming. | |
| form of defensive design intended to ensure the continuing function of a piece of software in spite of unforeseeable usage of said software. | |
| 12.3 list some possible sources of program input. | |
| user keyboard/mouse entry, files, network connections, data supplied in execution environment, configuration values, values supplied by operating system. | |
| 12.4 define an injection attack. list some examples of injection attacks. what are the general circumstances in which injection attacks are found? | |
| flaws related to invalid handling of input data. specifically, when input data can accidentally or deliberately influence the flow of execution of the program. | |
| command injection, sql injection, code injection, remote code injection. | |
| can occur when input data is passed as a parameter to other helper programs on the system, whose output is then processed and used by the original program. | |
| 12.5 state the similarities and differences between command injection and sql injection attacks. | |
| both injection attacks are made possible by using an unchecked value (from user input) to construct a command. the difference is the type of metacharacters used - sql attacks use SQL metacharacters. bash injections use bash metachars. | |
| 12.6 define a cross-site scripting attack. list an example of such an attack. | |
| concerns input provided to a program by one user that is subsequently output to another user. exploits the assumption that all content from one site is equally trusted (browser data) and attempts to bypass the browser's security checks to gain elevated access privileges to sensitive data belonging to another site. | |
| 12.7 state the main technique used by a defensive programmer to validate assumptions about program input. | |
| compare input data to what is wanted, accepting only valid input. for example, this can be be done by using regular expressions. (?) | |
| 12.8 state a problem that can occur with input validation when the unicode character set is used. | |
| if a character has multiple encodings in ASCII and UTF-8 (for example '/' is '2F', 'C0 AF', 'E0 80 AF') and the programmer only checks for the short encoding, attackers can bypass input validation. solved by canonicalization (replacing alternate, equivalent encodings by one common value). | |
| 12.9 define input fuzzing. state where this technique should be used. | |
| a software testing technique that uses randomly generated data as input to a program. input can be completely random or generated according to some template. in general, only identifies simple types of faults with input handling. | |
| 12.10 list several software security concerns associated writing safe program code. | |
| correct algorithm implementation - incorrect implementation might expose weakness by running some seemingly legitimate input | |
| ensuring that machine language corresponds to algorithm - compilers generate correct code, compilers aren't compromised | |
| correct interpretation of data values - buffer overflows, corruption through incorrect pointer operations. best defense - strongly typed language. | |
| correct use of memory - memory leaks (can lead to denial of service attacks) | |
| preventing race conditions with shared memory - corrupted/lost values | |
| 12.11 define race condition. state how it can occur when multiple processes access shared memory. | |
| overlapping access, use, and replacement of shared values. occurs when multiple processes and threads compete to gain uncontrolled access to some resource. | |
| 12.12 identify several concerns associated with the use of environment variables by shell scripts. | |
| provide another path for untrusted data to enter a program and need to be validated. | |
| local user subverts a program that grants admin privileges, coercing it to run code of attacker's selection. | |
| redefine PATH combined with path-less program calls in script | |
| redefine IFS if PATH is reset in app to make PATH=... call execute program | |
| redefine custom application env vars | |
| 12.13 define the principle of least privilege. | |
| every program should execute with the least amount of privileges needed to complete their function. | |
| 12.14 identify several issues associated with the correct creation and use of a lockfile. | |
| - a program can ignore the existence of the lockfile | |
| - race condition on creation during lock-create; both programs create file, both access resources | |
| 12.15 identify several issues associated with the correct creation and use of a temporary file in a shared directory. | |
| temp files should be unique and not accessed by other processes; temp filenames should be random and permissions should only allow deletion by owner. | |
| temp file could be replaced by symbolic link to sensitive file (passwd). | |
| 12.16 list some problems that may result from a program sending unvalidated input from one user to another user. | |
| the receiving user assumes that the input has already been validated. | |
| can contain metachars, html markup, ... | |
| output must conform to the expected from and interpretation. | |
| 13.1 What are the principal concerns with respect to inappropriate temperature and humidity? | |
| - temperature: | |
| - damage if ambient temperature is too high | |
| - damage by "thermal shock" (device is too cold, circuits can break if they are heated too fast) | |
| - damage if internal temperature is too high (if the internal cooling system is damaged or doesn't receive enough power or the ambient temperature is too high for it to be effective) | |
| - humidity: | |
| - prolonged exposure to high humidity can cause corrosion | |
| - condensation can damage circuits | |
| - galvanic effects | |
| - static discharges from persons or objects if humidity is too low | |
| 13.2 What are the direct and indirect threats posed by fire? | |
| - direct: | |
| - it burns | |
| - dangerous to humans and equipment | |
| - may disrupt utilities like electricity | |
| - indirect: | |
| - high temperature: can damage equipment, causing it to ignite or melt | |
| - smoke damage: can collect on unprotected storage media or drives, damage other equipment and may be poisonous | |
| - water damage from fire suppression | |
| 13.3 What are the threats posed by loss of electrical power? | |
| - disruption of service? | |
| - equipment may be damaged by a sudden outage | |
| 13.4 List and describe some measures for dealing with inappropriate temperature and humidity. | |
| - environment-control equipment | |
| - sensors to warn if thresholds are exceeded | |
| - maintain a power supply | |
| 13.5 List and describe some measures for dealing with fire. | |
| - protect equipment against fires from adjacent areas, by using "fire-proof" walls | |
| - air conditioning and ducts should not help speading fire | |
| - positioning of equipment to minimize damage | |
| - don't store flammables near or in the IS area, keep IS area tidy | |
| - fire extinguishers should be available, tested and clearly marked | |
| - automatic fire extinguishers, shouldn't endanger personnel of equipment | |
| - power-off switches for equipment, make sure personnel is familiar with power-off procedures | |
| - contingency plan to continue operations elsewhere | |
| - off-site backups | |
| - important records stored in fireproof location | |
| - smoke detectors | |
| - no-smoking policy in computer rooms | |
| - some other stuff, see page 456/436 | |
| 13.6 List and describe some measures for dealing with water damage. | |
| - sensors: on floors of computer rooms and under raised floors, should turn off power automatically | |
| - don't place equipment where a plumbing leak could damage it or relocate plumbing | |
| - document location of shutoff valves | |
| - personnel should know procedures in case of emergency | |
| 13.7 List and describe some measures for dealing with power loss. | |
| - use uninterruptible power supply (UPS) for critical equipment | |
| - use an emergency power source like a generator | |
| 14.1 what are the benefits of a security awareness, training, and education program for an organization? | |
| improving employee behavior | |
| increasing the ability to hold employees accountable for their actions | |
| mitigating liability of the organization for an employee's behavior | |
| complying with regulations and contractual obligations | |
| 14.2 what is the difference between security awareness and security training? | |
| a security awareness program seeks to inform and focus an employee's attention on issues related to security within the organization. it teaches the "what" | |
| a security training program is designed to teach people the skills to perform their IS related tasks more securely. teaches the "what" and the "how" | |
| 14.3 what is an organizational security policy? | |
| a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide. | |
| 14.4 who should be involved in developing the organization's security policy and its security policy document? | |
| site security administrator | |
| information technology technical staff | |
| supervisors of large user groups within the organization | |
| security incident response team | |
| representatives of the user groups affected by the security policy | |
| responsible management | |
| legal counsel | |
| 14.5 what is ISO 17799? | |
| standard for writing and implementing securiity policies (Code of Practice for Information Security Management). comprehensive set of controls comprising best practices in information security. internationally recognized generic information security standard. | |
| 14.6 what principles should be followed in designing personnel security policies? | |
| least privilege | |
| separation of duties - people involved in checking for inappropriate use are not also capable of making such inappropriate use | |
| limited reliance on key employees - no one should be irreplaceable | |
| 14.7 why is an email and internet use policy needed? | |
| significant time may consumed in non-work activities | |
| significant resources may be consumed by such non-work activities | |
| increased risk of introduction of malicious software | |
| non-work activities could result in harm to other organizations or individuals outside the organization, creating liability for organization | |
| email/inet can be used as tools of harassment | |
| inappropriate online conduct may damage organization reputation | |
| 15.1 Explain the difference between a security audit message and a security alarm. | |
| An audit message is any security related message, an alarm sent if the audit messages indicate an attack (or any other event which should trigger an alarm) | |
| 15.2 List and briefly describe the elements of a security audit and alarms model. | |
| - event discriminator: monitors system activity, detects security related events, must be configured for these events | |
| - audit recorder: receives events from event discriminator, the event is stored in the audit trail | |
| - alarm processor: takes some action when an alarm is received (from the event discriminator), the action is auditable and thus transmitted to the audit recorder | |
| - security audit trail: created by audit recorder, contains formatted records of each event | |
| - audit analyzer: can generate new auditable events from the audit trail, based on a pattern of activity, may generate alarms | |
| - audit archiver: software, periodically extracts records from audit trail for permanent storage | |
| - archives: permanent store of security-related events | |
| - audit provider: interface to the audit trail (for users or applications) | |
| - audit trail examiner: application or user, examines audit trail and archives for historical trends, for forensics/analysis | |
| - security reports: human readable report, generated by audit trail examiner | |
| 15.3 List and briefly describe the principal security auditing functions. | |
| - Data generation: identify audit related information, auditable events, identify for which events the identity of the user performing an action is included | |
| - Event selection: inclusion or exclusion of events from the auditable set | |
| - Event storage: creates an maintains the audit trail, prevents loss of data from audit trail, ensures availability | |
| - Automatic response: defines reactions to take if a potential security violation is detected | |
| - Audit analysis: analyze activity and audit data to find security violations | |
| - Audit review; enables autorized users to review the audit data (searches, sorting, filtering etc.) | |
| 15.4 In what areas (categories of data) should audit data be collected? | |
| - events related to auditing software | |
| - events related to security mechanisms | |
| - events collected for security detection/prevention mechanisms | |
| - system management and operation | |
| - os-access | |
| - access to specific applications | |
| - remote access | |
| 15.5 List and explain the differences among four different categories of audit trails. | |
| - System-level audit trails: login attempts, devices used, os functions performed, system operation, network performance | |
| - Application-level audit trails: used to detect flaws or security violations in an application, application specific access (email, database etc.) | |
| - User-level audit trails: hold user accountable for actions, can be used to build profiles for normal behavior, contains user interactions with a system (commands, files/resources accessed, authenication) | |
| - Physical access audit trails: generated by equipment that controls physical access (date, time, location of access, by whom, monitor unauthorized access attempts, changes to access privileges), report certain violations to security personnel | |
| 15.6 What are the main elements of a UNIX syslog facility? | |
| syslog(): API to syslog | |
| logger: command to add log entries | |
| /etc/syslog.conf: configuration file for logging and log routing | |
| syslogd: daemon which receives and routes log events | |
| 15.7 Explain how an interposable library can be used for application-level auditing. | |
| It can intercept calls to library functions and perform additional actions once they are called. It could create an audit event, alter or check the functions parameters or return values, or prevent the function from being called. | |
| 15.8 Explain the difference between audit review and audit analysis. | |
| - Audit analysis: analyze the entire audit trail, filter out unneeded events (false positives etc.) | |
| - Audit review: selectively review information from some audit records (actions of a specific user, actions associated with a specific system etc.) | |
| not sure, page 517ff, please check | |
| 15.9 What is a security information and event management (SIEM) system? | |
| - centralized logging system | |
| - uniform audit trail storage facility | |
| - provides a suite of audit data analysis programs | |
| - can handle various log formats, reformats them for the audit trail, remove irrelevant data | |
| - can correlate and prioritize events, initiate responses | |
| 16.1 define IT security management. | |
| a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability. | |
| 16.2 list the three fundamental questions IT security management tries to addres. | |
| what assets do we need to protect? | |
| how are those assets threatened? | |
| what can we do to counter those threats? | |
| 16.3 list the steps in the process used to address the three fundamental questions. | |
| determine a clear view of an organization's IT security objectives and risk profile. | |
| IT security risk assessment for each asset in the organization requiring protection (must answer questions above) | |
| (?) | |
| 16.4 list some of the key national and international standards that provide guidance on IT security management and risk assessment. | |
| NIST02 | |
| ISO27000-27005 | |
| ISO13335 | |
| 16.5 list and briefly define the four steps in the iterative security management process. | |
| plan (establish policy, objectives, processes relevant to managing risk and improving information security) | |
| do (implement and operate the security policy, controls, processes, procedures) | |
| check (assess and measure process performance against policy, objectives, ..., and report results to management) | |
| act (take corrective and preventive actions based on internal review) | |
| 16.6 organizational security objectives identify what IT security outcomes are desired, based in part on the role and importance of the IT systems in the organization. list some questions that help clarify these issues. | |
| what key aspects of the organization require IT support in order to function efficiently? | |
| what tasks can only be performed with IT support? | |
| which essential decisions depend on the accuracy, currency, integrity, or availability of data managed by the IT systems? | |
| what data create, managed, processed, and stored by the IT systems need protecton? | |
| what are the consequences to the organization of a security failure in the organization's IT systems? | |
| 16.7 list and briefly define the four approaches to identifying and mitigating IT risks. | |
| baseline approach - implement a basic general level of security controls on systems using baseline documents, codes of practice and industry best practice | |
| informal approach - involves conducting some form of informal, pragmatic risk analysis (not a formal, structured process) for the organization's IT systems. | |
| detailed risk analysis - detailed risk assessment of the organization's IT systems, using a formal structured process. | |
| combined approach - combine elements of previous approaches to provide reasonable protection sa quickly as possible | |
| 16.8 which of the four approaches for identifying and mitigating IT risks does ISO13335 suggest is the most cost effective for most organizations? | |
| the combined approach | |
| 16.9 list the steps in the detailed security risk analysis process. | |
| system characterization | |
| threat identification | |
| vulnerability identification | |
| control analysis | |
| likelihood determination | |
| impact analysis | |
| risk determination | |
| control recommendations | |
| results documentation | |
| 16.10 define asset, control, threat, risk, and vulnerability. | |
| asset - anything that has value to the organization | |
| threat - a potential cause of an unwanted incident which may result in harm to a system or organization | |
| vulnerability - a weakness in an asset or group of assets which can be exploited by a threat | |
| risk - the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets | |
| 16.11 indicate who provides the key information when determining each of the key assets, their likelihood of compromise, and the consequence should any be compromised. | |
| people in the relevant areas of the organization (, ... ?) | |
| 16.12 state the two key questions answered to help identify threats and risks for an asset. briefly indicate how these questions are answered. | |
| who or what could cause it harm? | |
| how could this occur? | |
| 16.13 define consequence and likelyhood. | |
| likelyhood of the risk occurring (likely, possible, unlikely, ...) | |
| consequences to the organization should that occur | |
| 16.14 what is the simple equation for determining risk? why is this equation not commonly used in practice? | |
| risk = probability that threat occurs x cost to organization | |
| not commonly used because both the threat probability and the cost to the organization are often impossible to determine exactly. | |
| 16.15 what are the items specified in the risk register for each asset/threat identified? | |
| asset, threat, existing controls, likelyhood, consequence, level of risk, risk priority | |
| 16.16 list and briefly define the five alternatives for treating identified risks. | |
| risk acceptance - accept risk level greater than normal for business reasons | |
| risk avoidance - not proceeding with activity that creates risk | |
| risk transferal - sharing responsibility with third party (insurance) | |
| reduction of consequences - modifying structure or use of assets to reduce impact on organization should risk occur | |
| reduction of likelihood - implementing suitable controls to lower chance of vulnerability exploitation | |
| 17.1 Define security control and safeguard. | |
| security control = security safeguard | |
| - practices, procedures or mechanisms | |
| - protect against a threat, reduce a vulerability, detect or limit impact of security incident or help with recovery | |
| 17.2 List and briefly define the three broad classes of controls and the three categories each can include. | |
| classes: | |
| - Management control: policies, planning, guidelines, standards, influence selection of other safeguards, management needs to take care of this | |
| - Operational: correct use and implementation of policies, correcting operational deficiencies, implemented by people | |
| - Technical controls: correct use of hard- and software security capabilities | |
| categories: | |
| - Supportive controls: used by many other controls, provide some generic protection (identification, cryptographic key management) | |
| - Preventative controls: prevent security breaches (authentication, access control) | |
| - Detection and recovery controls: detect and report (attempted) breaches, help with recovery (intrusion detection, audit) | |
| 17.3 List a specific example of each of the three broad classes of controls from those given in Table 17.3. | |
| management: planning, risk assessment | |
| operational: awareness & training | |
| technical: access control | |
| 17.4 List the steps [NIST02] specifies for selecting and implementing controls. | |
| 1. Prioritize actions | |
| 2. Evaluate recommended control options | |
| 3. Conduct cost-benefit analysis | |
| 4. Select controls | |
| 5. Assign responsibility | |
| 6. Develop safeguard implementation plan | |
| 7. Implement selected controls | |
| (see figure 17.1, p 560/540) | |
| 17.5 List three ways that implementing a new or enhanced control can reduce the residual level of risk. | |
| Reduce the number of flaws or errors. | |
| Reduce the capability and motivation of the threat source. | |
| Reduce the magnitude of impact. | |
| 17.6 List the items that should be included in an IT security implementation plan. | |
| - Risks (asset/threat/vulnerability combinations) | |
| - Recommended controls | |
| - Action priority for each task | |
| - Selected controls (based on cost/benefit analysis) | |
| - Required resources (for implementing the selected controls) | |
| - Responsible personnel | |
| - Target start and end dates for implementation | |
| - Maintenance requirements and other comments | |
| 17.7 List and briefly define the elements from the implementation of controls phase of IT security management. | |
| - Implementation of security plan: implement the controls specified in the implementation plan, done by the personnel specified in the implementation plan, this process should be monitored for correctness, after implementation system has to be authorized for operational use (may be informal or formal) | |
| - Security training: train the development, operation, administration personnel, ensure correct use of new controls | |
| - Security awareness: awareness training for all personnel, people are often the weakest link, need to be aware of the risks and their impact on the organization and the necessity of security controls, can be done with poster, flyers, workshops, should be repeated regularly and for new staff too | |
| 17.8 List and briefly define the elements from the implementation follow-up phase of IT security management. | |
| - Maintenance: ensure that controls continue to perform as intended | |
| - Security compliance: verify compliance with the security plan, can be performed by internal or external personnel | |
| - Change and configuration management: both general systems administration processes, may have impact on security | |
| - Change management: review all proposed changes to systems for their impact on them, test changes before deployment, update documentation | |
| - Configuration Management: keep track of configuration of each system, help with restoration after failure and updating | |
| - Incident handling: dealing with a security violation, define procedures to be followed if a breach occurs, define the responsible personnel and how it can be contacted quickly | |
| 17.9 What are the benefits of developing an incident response capability? | |
| - systematical response, appropriate steps are taken | |
| - minimize impact, helps to recover more quickly | |
| - using the information gathered during incident handling to enhance proctection of systems and data and incident handling in the future | |
| - dealing properly with legal issues that arise during incidents | |
| 17.10 List the broad categories of security incidents. | |
| - Denial of service attacks | |
| - Malicious code that infects a host | |
| - Unauthorized access to a system | |
| - Inappropriate usage of a system in violation of acceptable use policies | |
| - Multiple-component incidents, which involve two or more of the above in a single incident | |
| 17.11 List some types of tools used to detect and respond to incidents. | |
| - System integrity verification tools | |
| - Log analysis tools | |
| - Network and host intrusion detection systems | |
| - Intrusion prevention systems | |
| 17.12 What should occur following the handling of an incident with regard to the overall IT security management process? | |
| - identify the vulnerability, prevent the incident in the future | |
| - document details of incident and response | |
| - assess impact on oranizations systems and their risk profile | |
| - reiterate the IT security management process with the gathered information | |
| - adapt controls accordingly | |
| 18.1 describe a classification of computer crime based on the role that the computer plays in the criminal activity? | |
| - Computers as targets: This form of crime targets a computer system to gain unauthorized access to data, gain control over the system... | |
| This form of crime involves an attack on: Integrity, confidentiality and availability | |
| - Computers as storage devices: A computer can be used to store all kind of illegal data (like password files, pirated software, pornographic files,...) | |
| - Computers as communication tools: A computer is used to commit a non-cyber crime like selling illegal things ,... | |
| 18.2 define three types of property? | |
| - Real property (German: “Immobilie”): Land and things permanently attached to the land, such as trees, buildings and stationary mobile homes. | |
| - Personal property: Personal effects, moveable property (cars, cellphones, bank accounts, furniture,...) | |
| - Intellectual property: Any intangible (nicht physisch, nicht greifbar) asset that consists of human knowledge and ideas, like software, data, novels, designs,... | |
| 18.3 define three types of intellectual property? | |
| - Copyrights | |
| - Trademarks | |
| - Patents | |
| 18.4 what are the basic conditions that must be fulfilled to claim a copyright? | |
| - The work is original | |
| - The creator has put his idea in a concrete form (hard copy, software, multimedia) | |
| 18.5 what rights does a copyright confer? | |
| - Reproduction right: The owner has the right to produce copies of a work | |
| - Modification right: | |
| - Distribution right: The owner may sell, rent, lease or lend copies of a work | |
| - Public-performance right: applies mainly to live performances | |
| - Public-display right: | |
| 18.6 briefly describe the Digital Millennium Copyright Act: | |
| DMCA strengthens the protection of copyrighted materials in digital form. It further encourages copyright owners to use technological measures to protect their work from being copied or even being accessed. The attempt to bypass such security measures is illegal. | |
| 18.7 what is digital rights management? | |
| Digital rights management (DRM) is used to ensure that the holders of digital rights are clearly identified. People who have no rights on an object are not allowed to use it in any way. | |
| DRM might also add further restrictions on objects (printing, copying,... not allowed) digital rights management. | |
| DRM is not a single standard, there are many different approaches. It generally supports many platforms (PC, Mac, Iphone, ...) | |
| 18.8 describe the principal categories of users of digital rights management systems: | |
| Content Provider: The holder of the digital right, who wants to protect them. (record lable, ...) | |
| Distributor: Distributes digital content (music, software, ...) | |
| Consumer: Uses the digital content | |
| Clearinghouse (Abrechnungsstelle): Handles the financial part. | |
| 18.9 what are the key principles embodied in the EU Directive on Data Protection? | |
| Notice: Individuals must be informed, if personal information is collected. | |
| Consent: Individuals must be able to choose whether and how their personal information is used by, or disclosed to, third parties. They have the right, that there is no sensitive data (health, religion,...) collected. | |
| Consistency: Information must only be used in accordance to the terms of notice. | |
| Access: Individuals must be able to access or change their stored information | |
| Security: Organisations must protect integrity and confidentially of personal information | |
| Onward transfer: If information is passed to a third party, they must provide the same level of security, as the organisation that passed them the information | |
| Enforcement: Violation of these rules is not allowed. Each EU member has a own enforcement agency concerned with privacy rights enforcement. | |
| 18.10 how do the concerns relating to privacy in the Common Criteria differ from the concerns usually expressed in official documents, standards and organizational policies? | |
| In the Common Criteria the purpose of privacy functions is to provide a user protection against discovery and misuse of identity by other users. | |
| ???? | |
| 18.11 what functions can a professional code of conduct (Verhaltensnorm) serve to fulfil? | |
| - be a positive stimulus (Ansporn) and instil confidence | |
| - be educational | |
| - provide a measure of support | |
| - be a means of deterrence and discipline | |
| - enhance the profession's public image | |
| 19.1 what are the essential ingredients of a symmetric cipher? | |
| - Plaintext | |
| - Encryption algorithm | |
| - Secret key | |
| - Cipher text | |
| - Decryption algorithm | |
| 19.2 what are the two basic functions used in encryption algorithms? | |
| Substitution: An element is replaced by another element. | |
| Transposition: Elements are rearranged. | |
| 19.3 how many keys are required for to people to communicate via a symmetric cipher? | |
| Only a single key is required | |
| 19.4 what is the difference between a block cipher and a stream cipher? | |
| A block cipher processes one block of elements at a time, production an output block for each input block. | |
| A stream cipher processes the input elements continuously. Each single element produces a different element of output | |
| 19.5 what are the two general approaches to attack a cipher? | |
| Cryptanalysis, brute force | |
| ????????????? | |
| 19.6 why do some block cipher modes of operation only use encryption while others use both encryption and decryption? | |
| Some block cipher modes of operation only use encryption because the input is set to some initialization vector and the leftmost bits of the output of the encryption function are XORed with the first segment of plain text p1 to produce the first unit of cipher text C1 and it is transmitted. While in decryption, the cipher text is XORed with the output of the encryption function to produce the plain text. | |
| 19.7 what is triple encryption? | |
| Triple encryption (or 3DES) is enhancement of DES. It applies DES three times: | |
| ENCRYPT, DECRYPT, ENCRYPT | |
| 19.8 why is the middle portion of 3DES a decryption rather than an encryption? | |
| Security does not benefit form the decryption. The only advantage is, that 3DES can also decrypt Cipher text encrypted with DES! | |
| 19.9 what is the difference between link and end-to-end encryption? | |
| End-to-end encryption: Data is encrypted by the sender, passes the network encrypted and is decrypted by the receiver. | |
| Link encryption: encrypts and decrypts all traffic at each end of a communications line. | |
| 19.10 list ways which secret keys can be distributed to two communicating parties: | |
| - Selected by A and physically delivered to B | |
| - Selected by a third party and physically delivered to A and B | |
| - If A and B were using a cipher before to communicate, the new key could be encrypted with the old cipher. | |
| - If both A and B have a encrypted connection to C, C can send them the new key. | |
| 19.11 what is the difference between a session key and a master key? | |
| A session key is a one time key, only used for the duration of one logical connection. | |
| The master key is a pre-shared Key Encrypting Key, used to distribute session keys. | |
| 19.12 what is a key distribution centre? | |
| The key distribution centre (KDC) determines which systems are allowed to communicate with each other. | |
| 20.1 in the context of a hash function, what is a compression function? | |
| The function applied to each block of the input message. The collision resistance of the entire hash function depends on the collision resistance of this compression function. | |
| (see figure 20.2 and 20.3 p 649/629) | |
| 20.2 what basic arithmetical and logical functions are used in SHA? | |
| circular SHIFTS, (+ mod 2^64) and the logical operations AND, OR, NOT, XOR | |
| 20.3 what changes in HMAC are required in order to replace one underlying hash function with another? | |
| HMAC uses a hash function as a “blackbox”. It’s only necessary to remove the old hash function and replace it with the new one! | |
| 20.4 what is a one-way function? | |
| A one way function is not invertible. | |
| 20.5 briefly explain Diffie-Hellman key exchange: | |
| Diffie-Hellman was the first public‐key type scheme proposed. Its security relies on the difficulty of computing discrete logarithms. | |
| It allows two parties to communicate over an unsafe communication channel safely and transmit a key, which can be used for symmetric encryption later. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
thanke dear for posng