Created
December 6, 2011 22:01
-
-
Save schuay/1440224 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 10.1 explain the differences among the terms security class, security level, security clearance, and security classification. | |
| Context: BLP model, access control concept | |
| security class - assigned to each subject and object, in the simplest form: | |
| security level - form a strict hierarchy and are referred to as security levels (top secret -> secret -> ...) | |
| security clearance - a subject is said to have a security clearance of a given level | |
| security classification - an object is said to have a security classification of a given level | |
| 10.2 what are the three rules specified by the BLP model? | |
| ss-property (simple security) - no read up; subject can only read object of less or equal security level | |
| *-property - no write down; subject can only write into an object of greater or equal security level | |
| ds-propery (discretionary) - an individual may grant to another individual access to a document based on the owner's discretion, constrained by the MAC rules | |
| 10.3 how is discretionary access control incorporated into the BLP models? | |
| an individual may grant to another individual access to a document based on the owner's discretion, constrained by the MAC rules. site policy overrides any discretionary access controls. | |
| 10.4 what is the principal difference between the BLP model and the Biba model? | |
| BLP - confidentiality, concerned with unauthorized disclosure of information | |
| Biba - integrity, concerned with the unauthorized modification of data | |
| 10.5 what are the three rules specified by the Biba model? | |
| simple integrity - subject can modify an object only if integrity level I(S) of subject >= I(O) | |
| integrity confinement - subject can read an object only if I(S) <= I(O) | |
| invocation property - subject S1 can invoke (= communication from one subject to another) other subject only if I(S1) >= I(S2) | |
| 10.6 explain the difference between certification rules and enforcement rules in the clark-wilson model. | |
| certification - security policy restrictions on the behavior of IVPs (integrity verification procedures, p316) and TPs (transformation procedures) | |
| enforcement - built-in system security mechanisms that achieve the objectives of the certification rules | |
| 10.7 what is the meaning of the term chinese wall in the chinese wall model? | |
| subjects are only allowed access to information that is not held to conflict with any other information that they already possess. once information from one dataset is accessed, a wall is set up to protect information in other datasets in the same CI (conflict of interest class). | |
| 10.8 what are the two rules that a reference monitor enforces? | |
| no read up, no write down | |
| 10.9 what properties are required of a reference monitor? | |
| complete mediation - security rules are enforced on every access (not just on file open) | |
| isolation - reference monitor and database are protected from unauthorized modification | |
| verifiability - reference monitor's correctness must be provable | |
| 10.10 in general terms, how can MLS be implemented in an RBAC system? | |
| MLS (multilevel secure) - class of system that has resources at more than one level of security level and permits concurrent access by users who differ in clearances | |
| RBAC (role based access control) | |
| a role can include access permissions for multiple objects. r-level of role indicates the highest security classification for the objects assigned to the role. w-level of the role indicates the lowest security classification of its objects. | |
| 10.11 describe each of the possible degrees of granularity possible with an MLS database system. | |
| entire database, tables, columns, rows, individual elements | |
| 10.12 what is polyinstantiation? | |
| creating a new row at a lower level without modifying row at higher level. creates db with conflicting entries. | |
| 10.13 briefly describe the three basic services provided by a TPMs. | |
| TPM (trusted platform module) | |
| authenticated boot service - booting in stages, and ensuring each portion of the os is approved for use | |
| certification service - certify a specific configuration (hardware, software) for other systems | |
| encryption service - enables encryption of data in such a way that the data can be decrypted only by a certain machine and only if that machine is in a certain configuration | |
| 10.14 what is the aim of evaluating an IT product against a trusted computing evaluation standard? | |
| to provide greater confidence in the security of IT products as a result of formal actions taken during the process of developing, evaluating and operating these products. | |
| 10.15 what is the difference between security assurance and security functionality as used in trusted computing evaluation standards? | |
| functional requirements - desired security behavior | |
| assurance requirements - basis for gaining confidence that the claimed security measures are effective and correct | |
| 10.16 who are the parties typically involved in a security evaluation process? | |
| sponsor - customer or vendor of a product | |
| developer - provides evidence on the processes used to design, implement and test the product | |
| evaluator - performs technical evaluation work | |
| certifier - govt agency that monitors the process | |
| 10.17 what are the three main stages in an evaluation of an IT product against a trusted computing standard, such as the common criteria? | |
| preparation - initial contact, confirm all parties are adequately prepared, review of security target, ... | |
| conduct of evaluation - structured and formal process, ... | |
| conclusion - final evaluation report | |
| 12.1 define the difference between software quality and reliability and software security. | |
| quality and reliability - concerned with the accidental failure of a program as a result of some theoretically random, unanticipated input, system interaction, or use of incorrect code. | |
| security - the attacker chooses the probability distribution, targeting specific bugs that result in a failure that can be exploited by the attacker. | |
| 12.2 define defensive programming. | |
| form of defensive design intended to ensure the continuing function of a piece of software in spite of unforeseeable usage of said software. | |
| 12.3 list some possible sources of program input. | |
| user keyboard/mouse entry, files, network connections, data supplied in execution environment, configuration values, values supplied by operating system. | |
| 12.4 define an injection attack. list some examples of injection attacks. what are the general circumstances in which injection attacks are found? | |
| flaws related to invalid handling of input data. specifically, when input data can accidentally or deliberately influence the flow of execution of the program. | |
| command injection, sql injection, code injection, remote code injection. | |
| can occur when input data is passed as a parameter to other helper programs on the system, whose output is then processed and used by the original program. | |
| 12.5 state the similarities and differences between command injection and sql injection attacks. | |
| both injection attacks are made possible by using an unchecked value (from user input) to construct a command. the difference is the type of metacharacters used - sql attacks use SQL metacharacters. bash injections use bash metachars. | |
| 12.6 define a cross-site scripting attack. list an example of such an attack. | |
| concerns input provided to a program by one user that is subsequently output to another user. exploits the assumption that all content from one site is equally trusted (browser data) and attempts to bypass the browser's security checks to gain elevated access privileges to sensitive data belonging to another site. | |
| 12.7 state the main technique used by a defensive programmer to validate assumptions about program input. | |
| compare input data to what is wanted, accepting only valid input. for example, this can be be done by using regular expressions. (?) | |
| 12.8 state a problem that can occur with input validation when the unicode character set is used. | |
| if a character has multiple encodings in ASCII and UTF-8 (for example '/' is '2F', 'C0 AF', 'E0 80 AF') and the programmer only checks for the short encoding, attackers can bypass input validation. solved by canonicalization (replacing alternate, equivalent encodings by one common value). | |
| 12.9 define input fuzzing. state where this technique should be used. | |
| a software testing technique that uses randomly generated data as input to a program. input can be completely random or generated according to some template. in general, only identifies simple types of faults with input handling. | |
| 12.10 list several software security concerns associated writing safe program code. | |
| correct algorithm implementation - incorrect implementation might expose weakness by running some seemingly legitimate input | |
| ensuring that machine language corresponds to algorithm - compilers generate correct code, compilers aren't compromised | |
| correct interpretation of data values - buffer overflows, corruption through incorrect pointer operations. best defense - strongly typed language. | |
| correct use of memory - memory leaks (can lead to denial of service attacks) | |
| preventing race conditions with shared memory - corrupted/lost values | |
| 12.11 define race condition. state how it can occur when multiple processes access shared memory. | |
| overlapping access, use, and replacement of shared values. occurs when multiple processes and threads compete to gain uncontrolled access to some resource. | |
| 12.12 identify several concerns associated with the use of environment variables by shell scripts. | |
| provide another path for untrusted data to enter a program and need to be validated. | |
| local user subverts a program that grants admin privileges, coercing it to run code of attacker's selection. | |
| redefine PATH combined with path-less program calls in script | |
| redefine IFS if PATH is reset in app to make PATH=... call execute program | |
| redefine custom application env vars | |
| 12.13 define the principle of least privilege. | |
| every program should execute with the least amount of privileges needed to complete their function. | |
| 12.14 identify several issues associated with the correct creation and use of a lockfile. | |
| - a program can ignore the existence of the lockfile | |
| - race condition on creation during lock-create; both programs create file, both access resources | |
| 12.15 identify several issues associated with the correct creation and use of a temporary file in a shared directory. | |
| temp files should be unique and not accessed by other processes; temp filenames should be random and permissions should only allow deletion by owner. | |
| temp file could be replaced by symbolic link to sensitive file (passwd). | |
| 12.16 list some problems that may result from a program sending unvalidated input from one user to another user. | |
| the receiving user assumes that the input has already been validated. | |
| can contain metachars, html markup, ... | |
| output must conform to the expected from and interpretation. | |
| 14.1 what are the benefits of a security awareness, training, and education program for an organization? | |
| improving employee behavior | |
| increasing the ability to hold employees accountable for their actions | |
| mitigating liability of the organization for an employee's behavior | |
| complying with regulations and contractual obligations | |
| 14.2 what is the difference between security awareness and security training? | |
| a security awareness program seeks to inform and focus an employee's attention on issues related to security within the organization. it teaches the "what" | |
| a security training program is designed to teach people the skills to perform their IS related tasks more securely. teaches the "what" and the "how" | |
| 14.3 what is an organizational security policy? | |
| a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide. | |
| 14.4 who should be involved in developing the organization's security policy and its security policy document? | |
| site security administrator | |
| information technology technical staff | |
| supervisors of large user groups within the organization | |
| security incident response team | |
| representatives of the user groups affected by the security policy | |
| responsible management | |
| legal counsel | |
| 14.5 what is ISO 17799? | |
| standard for writing and implementing securiity policies (Code of Practice for Information Security Management). comprehensive set of controls comprising best practices in information security. internationally recognized generic information security standard. | |
| 14.6 what principles should be followed in designing personnel security policies? | |
| least privilege | |
| separation of duties - people involved in checking for inappropriate use are not also capable of making such inappropriate use | |
| limited reliance on key employees - no one should be irreplaceable | |
| 14.7 why is an email and internet use policy needed? | |
| significant time may consumed in non-work activities | |
| significant resources may be consumed by such non-work activities | |
| increased risk of introduction of malicious software | |
| non-work activities could result in harm to other organizations or individuals outside the organization, creating liability for organization | |
| email/inet can be used as tools of harassment | |
| inappropriate online conduct may damage organization reputation | |
| 16.1 define IT security management. | |
| a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability. | |
| 16.2 list the three fundamental questions IT security management tries to addres. | |
| what assets do we need to protect? | |
| how are those assets threatened? | |
| what can we do to counter those threats? | |
| 16.3 list the steps in the process used to address the three fundamental questions. | |
| determine a clear view of an organization's IT security objectives and risk profile. | |
| IT security risk assessment for each asset in the organization requiring protection (must answer questions above) | |
| (?) | |
| 16.4 list some of the key national and international standards that provide guidance on IT security management and risk assessment. | |
| NIST02 | |
| ISO27000-27005 | |
| ISO13335 | |
| 16.5 list and briefly define the four steps in the iterative security management process. | |
| plan (establish policy, objectives, processes relevant to managing risk and improving information security) | |
| do (implement and operate the security policy, controls, processes, procedures) | |
| check (assess and measure process performance against policy, objectives, ..., and report results to management) | |
| act (take corrective and preventive actions based on internal review) | |
| 16.6 organizational security objectives identify what IT security outcomes are desired, based in part on the role and importance of the IT systems in the organization. list some questions that help clarify these issues. | |
| what key aspects of the organization require IT support in order to function efficiently? | |
| what tasks can only be performed with IT support? | |
| which essential decisions depend on the accuracy, currency, integrity, or availability of data managed by the IT systems? | |
| what data create, managed, processed, and stored by the IT systems need protecton? | |
| what are the consequences to the organization of a security failure in the organization's IT systems? | |
| 16.7 list and briefly define the four approaches to identifying and mitigating IT risks. | |
| baseline approach - implement a basic general level of security controls on systems using baseline documents, codes of practice and industry best practice | |
| informal approach - involves conducting some form of informal, pragmatic risk analysis (not a formal, structured process) for the organization's IT systems. | |
| detailed risk analysis - detailed risk assessment of the organization's IT systems, using a formal structured process. | |
| combined approach - combine elements of previous approaches to provide reasonable protection sa quickly as possible | |
| 16.8 which of the four approaches for identifying and mitigating IT risks does ISO13335 suggest is the most cost effective for most organizations? | |
| the combined approach | |
| 16.9 list the steps in the detailed security risk analysis process. | |
| system characterization | |
| threat identification | |
| vulnerability identification | |
| control analysis | |
| likelihood determination | |
| impact analysis | |
| risk determination | |
| control recommendations | |
| results documentation | |
| 16.10 define asset, control, threat, risk, and vulnerability. | |
| asset - anything that has value to the organization | |
| threat - a potential cause of an unwanted incident which may result in harm to a system or organization | |
| vulnerability - a weakness in an asset or group of assets which can be exploited by a threat | |
| risk - the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets | |
| 16.11 indicate who provides the key information when determining each of the key assets, their likelihood of compromise, and the consequence should any be compromised. | |
| people in the relevant areas of the organization (, ... ?) | |
| 16.12 state the two key questions answered to help identify threats and risks for an asset. briefly indicate how these questions are answered. | |
| who or what could cause it harm? | |
| how could this occur? | |
| 16.13 define consequence and likelyhood. | |
| likelyhood of the risk occurring (likely, possible, unlikely, ...) | |
| consequences to the organization should that occur | |
| 16.14 what is the simple equation for determining risk? why is this equation not commonly used in practice? | |
| risk = probability that threat occurs x cost to organization | |
| not commonly used because both the threat probability and the cost to the organization are often impossible to determine exactly. | |
| 16.15 what are the items specified in the risk register for each asset/threat identified? | |
| asset, threat, existing controls, likelyhood, consequence, level of risk, risk priority | |
| 16.16 list and briefly define the five alternatives for treating identified risks. | |
| risk acceptance - accept risk level greater than normal for business reasons | |
| risk avoidance - not proceeding with activity that creates risk | |
| risk transferal - sharing responsibility with third party (insurance) | |
| reduction of consequences - modifying structure or use of assets to reduce impact on organization should risk occur | |
| reduction of likelihood - implementing suitable controls to lower chance of vulnerability exploitation | |
| 18.1 describe a classification of computer crime based on the role that the computer plays in the criminal activity? | |
| - Computers as targets: This form of crime targets a computer system to gain unauthorized access to data, gain control over the system... | |
| This form of crime involves an attack on: Integrity, confidentiality and availability | |
| - Computers as storage devices: A computer can be used to store all kind of illegal data (like password files, pirated software, pornographic files,...) | |
| - Computers as communication tools: A computer is used to commit a non-cyber crime like selling illegal things ,... | |
| 18.2 define three types of property? | |
| - Real property (German: “Immobilie”): Land and things permanently attached to the land, such as trees, buildings and stationary mobile homes. | |
| - Personal property: Personal effects, moveable property (cars, cellphones, bank accounts, furniture,...) | |
| - Intellectual property: Any intangible (nicht physisch, nicht greifbar) asset that consists of human knowledge and ideas, like software, data, novels, designs,... | |
| 18.3 define three types of intellectual property? | |
| - Copyrights | |
| - Trademarks | |
| - Patents | |
| 18.4 what are the basic conditions that must be fulfilled to claim a copyright? | |
| - The work is original | |
| - The creator has put his idea in a concrete form (hard copy, software, multimedia) | |
| 18.5 what rights does a copyright confer? | |
| - Reproduction right: The owner has the right to produce copies of a work | |
| - Modification right: | |
| - Distribution right: The owner may sell, rent, lease or lend copies of a work | |
| - Public-performance right: applies mainly to live performances | |
| - Public-display right: | |
| 18.6 briefly describe the Digital Millennium Copyright Act: | |
| DMCA strengthens the protection of copyrighted materials in digital form. It further encourages copyright owners to use technological measures to protect their work from being copied or even being accessed. The attempt to bypass such security measures is illegal. | |
| 18.7 what is digital rights management? | |
| Digital rights management (DRM) is used to ensure that the holders of digital rights are clearly identified. People who have no rights on an object are not allowed to use it in any way. | |
| DRM might also add further restrictions on objects (printing, copying,... not allowed) digital rights management. | |
| DRM is not a single standard, there are many different approaches. It generally supports many platforms (PC, Mac, Iphone, ...) | |
| 18.8 describe the principal categories of users of digital rights management systems: | |
| Content Provider: The holder of the digital right, who wants to protect them. (record lable, ...) | |
| Distributor: Distributes digital content (music, software, ...) | |
| Consumer: Uses the digital content | |
| Clearinghouse (Abrechnungsstelle): Handles the financial part. | |
| 18.9 what are the key principles embodied in the EU Directive on Data Protection? | |
| Notice: Individuals must be informed, if personal information is collected. | |
| Consent: Individuals must be able to choose whether and how their personal information is used by, or disclosed to, third parties. They have the right, that there is no sensitive data (health, religion,...) collected. | |
| Consistency: Information must only be used in accordance to the terms of notice. | |
| Access: Individuals must be able to access or change their stored information | |
| Security: Organisations must protect integrity and confidentially of personal information | |
| Onward transfer: If information is passed to a third party, they must provide the same level of security, as the organisation that passed them the information | |
| Enforcement: Violation of these rules is not allowed. Each EU member has a own enforcement agency concerned with privacy rights enforcement. | |
| 18.10 how do the concerns relating to privacy in the Common Criteria differ from the concerns usually expressed in official documents, standards and organizational policies? | |
| In the Common Criteria the purpose of privacy functions is to provide a user protection against discovery and misuse of identity by other users. | |
| ???? | |
| 18.11 what functions can a professional code of conduct (Verhaltensnorm) serve to fulfil? | |
| - be a positive stimulus (Ansporn) and instil confidence | |
| - be educational | |
| - provide a measure of support | |
| - be a means of deterrence and discipline | |
| - enhance the profession's public image | |
| 19.1 what are the essential ingredients of a symmetric cipher? | |
| - Plaintext | |
| - Encryption algorithm | |
| - Secret key | |
| - Cipher text | |
| - Decryption algorithm | |
| 19.2 what are the two basic functions used in encryption algorithms? | |
| Substitution: An element is replaced by another element. | |
| Transposition: Elements are rearranged. | |
| 19.3 how many keys are required for to people to communicate via a symmetric cipher? | |
| Only a single key is required | |
| 19.4 what is the difference between a block cipher and a stream cipher? | |
| A block cipher processes one block of elements at a time, production an output block for each input block. | |
| A stream cipher processes the input elements continuously. Each single element produces a different element of output | |
| 19.5 what are the two general approaches to attack a cipher? | |
| Cryptanalysis, brute force | |
| ????????????? | |
| 19.6 why do some block cipher modes of operation only use encryption while others use both encryption and decryption? | |
| Some block cipher modes of operation only use encryption because the input is set to some initialization vector and the leftmost bits of the output of the encryption function are XORed with the first segment of plain text p1 to produce the first unit of cipher text C1 and it is transmitted. While in decryption, the cipher text is XORed with the output of the encryption function to produce the plain text. | |
| 19.7 what is triple encryption? | |
| Triple encryption (or 3DES) is enhancement of DES. It applies DES three times: | |
| ENCRYPT, DECRYPT, ENCRYPT | |
| 19.8 why is the middle portion of 3DES a decryption rather than an encryption? | |
| Security does not benefit form the decryption. The only advantage is, that 3DES can also decrypt Cipher text encrypted with DES! | |
| 19.9 what is the difference between link and end-to-end encryption? | |
| End-to-end encryption: Data is encrypted by the sender, passes the network encrypted and is decrypted by the receiver. | |
| Link encryption: encrypts and decrypts all traffic at each end of a communications line. | |
| 19.10 list ways which secret keys can be distributed to two communicating parties: | |
| - Selected by A and physically delivered to B | |
| - Selected by a third party and physically delivered to A and B | |
| - If A and B were using a cipher before to communicate, the new key could be encrypted with the old cipher. | |
| - If both A and B have a encrypted connection to C, C can send them the new key. | |
| 19.11 what is the difference between a session key and a master key? | |
| A session key is a one time key, only used for the duration of one logical connection. | |
| The master key is a pre-shared Key Encrypting Key, used to distribute session keys. | |
| 19.12 what is a key distribution centre? | |
| The key distribution centre (KDC) determines which systems are allowed to communicate with each other. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment