IT2910 Midterm Study Guide SP2013

Security IT 2910 Midterm Study Guide SP2013 Name: _____________________________

This is the total body of knowledge you may possibly be tested on for our midterm exam. I will be using this document to randomly create three tests. Two tests will be used for the midterm and one will be held in reserve for makeup tests etc. Each version of the test will contain about half the information in this guide and will be approximately 15 pages of questions. This study guide is the document you cannot use for the open book midterm exam.

Part of what I am testing is your ability to recall security details in a time-sensitive situation: basically time management and your ability to work under pressure, keep your wits about you and make good choices during stressful security events. Not only your recall but your accuracy and ability to pore through a large amount of technical material and make quick decisions about it is being assessed.

There are 4 kinds of questions: True/False, Multiple choice, Short answer and Long answer.

TRUE/FALSE QUESTIONS:

1. T F Computer security is protection of the integrity, availability, and confidentiality of information system resources.

2. T F Data integrity assures that information and programs are changed only in a specified and authorized manner.

3. T F Availability assures that systems work promptly and service is not denied to authorized users.

4. T F The “A” in the CIA triad stands for “authenticity”.

5. T F Many security administrators view strong security as an impediment to efficient and user-friendly operation of an information system.

6. T F In the context of security our concern is with the vulnerabilities of system resources.

7. T F Hardware is the most vulnerable to attack and the least susceptible to automated controls.

8. T F Contingency planning is a functional area that primarily requires computer security technical measures.

9. T F The first step in devising security services and mechanisms is to develop a security policy.

10. T F User authentication is the fundamental building block and the primary line of defense.

11. T F Identification is the means of establishing the validity of a claimed identity provided by a user.

12. T F Many users choose a password that is too short or too easy to guess.

13. T F User authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic.

14. T F User authentication is the basis for most types of access control and for user accountability.

15. T F Depending on the application, user authentication on a biometric system involves either verification or identification.

16. T F Enrollment creates an association between a user and the user’s biometric characteristics.

17. T F Identifiers should be assigned carefully because authenticated identities are the basis for other security services.

18. T F Keylogging is a form of host attack.

19. T F In a biometric scheme some physical characteristic of the individual is mapped into a digital representation.

20. T F Access control is the central element of computer security.

22. T F The authentication function determines who is trusted for a given purpose.

23. T F Reliable input is an access control requirement.

24. T F A user may belong to multiple access control groups.

25. T F The default set of rights should always follow the rule of least privilege or read-only access.

26. T F A query language provides a uniform interface to the database.

27. T F A telephone directory is an example of a statistical database.

28. T F To create a relationship between two tables, the attributes that define the primary key in one table must appear as attributes in another table, where they are referred to as a foreign key.

29. T F The value of a primary key must be unique for each tuple of its table.

30. T F The database management system operates on the assumption that the computer system has authenticated each user.

31. T F The two commands that SQL provides for managing access rights are ALLOW and DENY.

32. T F Fixed server roles operate at the level of an individual database.

33. T F SQL Server allows users to create roles that can then be assigned access rights to portions of the database.

34. T F Encryption can be applied to the entire database, at the record level, at the attribute level, or at the level of the individual field.

35. T F Keyware captures keystrokes on a compromised system.

36. T F A virus that attaches to an executable program can do anything that the program is permitted to do.

37. T F It is not possible to spread a virus via a USB stick.

38. T F A logic bomb is the event or condition that determines when the payload is activated or delivered.

39. T F Many forms of infection can be blocked by denying normal users the right to modify programs on the system.

40. T F A macro virus infects executable portions of code.

41. T F E-mail is a common method for spreading macro viruses.

42. T F In addition to propagating, a worm usually carries some form of payload.

43. T F A Trojan horse is an apparently useful program containing hidden code that, when invoked, performs some harmful function.

44. T F A bot propagates itself and activates itself, whereas a worm is initially controlled from some central facility.

45. T F A denial-of-service attack is an attempt to compromise availability by hindering or blocking completely the provision of some service.

46. T F A DoS attack targeting application resources typically aims to overload or crash its network handling software.

47. T F The SYN spoofing attack targets the table of TCP connections on the server.

48. T F Given sufficiently privileged access to the network handling code on a computer system, it is difficult to create packets with a forged source address.

49. T F SYN-ACK and ACK packets are transported using IP, which is an unreliable network protocol.

50. T F Flooding attacks take a variety of forms based on which network protocol is being used to implement the attack.

51. T F The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system.

52. T F Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.

53. T F The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.

54. T F Signature-based approaches attempt to define normal, or expected, behavior, whereas anomaly approaches attempt to define proper behavior.

55. T F To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.

56. T F A common location for a NIDS sensor is just inside the external firewall.

57. T F The countermeasure to tiny fragment attacks is to discard packets with an inside source address if the packet arrives on an external interface.

58. T F A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context.

59. T F A prime disadvantage of an application-level gateway is the additional processing overhead on each connection.

60. T F A DMZ is one of the internal firewalls protecting the bulk of the enterprise network.

61. T F Distributed firewalls protect against internal attacks and provide protection tailored to specific machines and applications.

62. T F The buffer overflow type of attack is one of the least commonly seen attacks.

63. T F Buffer overflow attacks result from careless programming in applications.

64. T F The only consequence of a buffer overflow attack is the possible corruption of data used by the program.

65. T F To exploit any type of buffer overflow the attacker needs to understand how that buffer will be stored in the process's memory.

66. T F A stack overflow can result in some form of denial-of-service attack on a system.

67. T F Shellcode is not specific to a particular processor architecture.

68. T F Buffer overflows can be found in a wide variety of programs.

69. T F Many computer security vulnerabilities result from poor programming practices.

70. T F Security flaws occur as a consequence of sufficient checking and validation of data and error codes in programs.

71. T F Software security is closely related to software quality and reliability.

72. T F Programmers often make assumptions about the type of inputs a program will receive.

73. T F Defensive programming requires a changed mindset to traditional programming practices.

74. T F To counter XSS attacks a defensive programmer needs to explicitly identify any assumptions as to the form of input and to verify that any input data conform to those assumptions before any use of the data.

75. T F Injection attacks variants can occur whenever one program invokes the services of another program, service, or function and passes to it externally sourced, potentially untrusted information without sufficient inspection and validation of it.

76. T F Cross-site scripting attacks attempt to bypass the browser’s security checks to gain elevated access privileges to sensitive data belonging to another site.

77. T F To prevent XSS attacks any user supplied input should be examined and any dangerous code removed or escaped to block its execution.

78. T F Without suitable synchronization of accesses it is possible that values may be corrupted, or changes lost, due to over-lapping access, use, and replacement of shared values.

79. T F It is possible for a system to be compromised during the installation process.

80. T F The default configuration for many operating systems usually maximizes security.

81. T F A malicious driver can potentially bypass many security controls to install malware.

82. T F Passwords installed by default are secure and do not need to be changed.

83. T F Manual analysis of logs is a reliable means of detecting adverse events.

84. T F Performing regular backups of data on a system is a critical control that assists with maintaining the integrity of the system and user data.

85. T F To implement a physical security program an organization must conduct a risk assessment to determine the amount of resources to devote to physical security and the allocation of those resources against the various threats.

86. T F Physical security must also prevent any type of physical access or intrusion that can compromise logical security.

87. T F Physical security must prevent misuse of the physical infrastructure that leads to the misuse or damage of the protected information.

88. T F Misuse of the physical infrastructure includes vandalism, theft of equipment, theft by copying, theft of services, and unauthorized entry.

89. T F High humidity does not pose a threat to electrical and electronic equipment as long as the computer’s temperature stays within the optimal range.

90. T F A person that becomes statically charged can damage electronic equipment by an electric discharge.

91. T F The direct flame is the only threat from fire.

92. T F Low-intensity devices such as cellular telephones do not interfere with electronic equipment.

93. T F Human-caused threats are less predictable than other types of physical threats.

94. T F Unauthorized physical access can lead to other threats.

95. T F Physical access control should address not just computers and other IS equipment but also locations of wiring used to connect systems, equipment and distribution systems, telephone and communications lines, backup media, and documents.

MULTIPLE CHOICE QUESTIONS:

1. __________ assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.

A. Availability
B. Privacy
C. System Integrity
D. Data Integrity

2. ________ assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

A. System Integrity
B. Availability
C. Data Integrity
D. Confidentiality

3. A loss of _________ is the unauthorized disclosure of information.
A. confidentiality
B. authenticity
C. integrity
D. availability

4. A ________ level breach of security could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

A. low
B. moderate
C. normal
D. high

5. A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy is a(n) __________.

A. countermeasure
B. adversary
C. vulnerability
D. risk

6. An assault on system security that derives from an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system is a(n) __________.

A. risk
B. attack
C. asset
D. vulnerability

7. A(n) __________ is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that correct action can be taken.
A. attack
B. adversary
C. countermeasure
D. protocol

8. A threat action in which sensitive data are directly released to an unauthorized entity is __________.
A. corruption
B. intrusion
C. disruption
D. exposure

9. An example of __________ is an attempt by an unauthorized user to gain access to a system by posing as an authorized user.

A. masquerade
B. repudiation
C. interception
D. inference

10. A __________ is any action that compromises the security of information owned by an organization.
A. security mechanism
B. security policy
C. security attack
D. security service

11. The assurance that data received are exactly as sent by an authorized entity is __________.
A. authentication
B. access control
C. data confidentiality
D. data integrity

12. __________ is the insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
A. Traffic padding
B. Traffic control
C. Traffic routing
D. Traffic integrity

13. Recognition by fingerprint, retina, and face are examples of __________.
A. face recognition
B. static biometrics
C. dynamic biometrics
D. token authentication

14. A __________ is a password guessing program.
A. password hash
B. password biometric
C. password cracker
D. password salt

15. A __________ strategy is one in which the system periodically runs its own password cracker to find guessable passwords.

A. user education
B. reactive password checking
C. proactive password checking
D. computer-generated password

16. The most common means of human-to-human identification are __________.
A. facial characteristics
B. retinal patterns
C. signatures
D. fingerprints

17. __________ systems identify features of the hand, including shape, and lengths and widths of fingers.
A. Signature
B. Fingerprint
C. Hand geometry
D. Palm print

18. To counter threats to remote user authentication, systems generally rely on some form of ___________ protocol.

A. eavesdropping
B. challenge-response
C. Trojan horse
D. denial-of-service

19. A __________ attack involves an adversary repeating a previously captured user response.
A. client
B. Trojan horse
C. replay
D. eavesdropping

20. A __________ is a separate file from the user IDs where hashed passwords are kept.
A. Host file
B. Config file
C. Shadow file
D. Hidden file

21. Objects that a user possesses for the purpose of user authentication are called ______.
A. Keys
B. Tokens
C. Identifiers
D. Authenticators

22. __________ implements a security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance.

A. Audit control
B. Resource control
C. System control
D. Access control

23. __________ is verification that the credentials of a user or other system entity are valid.
A. Adequacy
B. Authentication
C. Authorization
D. Audit

24. _________ is the granting of a right or permission to a system entity to access a system resource.
A. Authorization
B. Authentication
C. Control
D. Monitoring

25. __________ controls access based on comparing security labels with security clearances.
A. MAC
B. DAC
C. RBAC
D. MBAC

26. A __________ is an entity capable of accessing objects.
A. group
B. object
C. subject
D. owner

27. A(n) __________ is a resource to which access is controlled.
A. object
B. owner
C. world
D. subject

28. The final permission bit is the _________ bit.
A. superuser
B. kernel
C. set user
D. sticky

29. __________ is based on the roles the users assume in a system rather than the user’s identity.

A. DAC
B. RBAC
C. MAC
D. URAC

30. An approval to perform an operation on one or more RBAC protected objects is _________.
A. support
B. prerequisite
C. permission
D. exclusive role

31. A(n) __________ is a structured collection of data stored for use by one or more applications.
A. attribute
B. database
C. tuple
D. inference

32. The basic building block of a __________ is a table of data, consisting of rows and columns, similar to a spreadsheet.

A. relational database
B. query set
C. DBMS
D. perturbation

33. In relational database parlance, the basic building block is a __________, which is a flat table.
A. attribute
B. tuple
C. primary key
D. relation

34. In a relational database rows are referred to as _________.
A. relations
B. attributes
C. views
D. tuples

35. A _________ is defined to be a portion of a row used to uniquely identify a row in a table.
A. foreign key
B. query
C. primary key
D. data perturbation

36. A _________ is a virtual table.
A. tuple
B. query
C. view
D. DBMS

37. A(n) __________ is a user who has administrative responsibility for part or all of the database.
A. administrator
B. database relations manager
C. application owner
D. end user other than application owner

38. An end user who operates on database objects via a particular application but does not own any of the database objects is the __________.

A. application owner
B. end user other than application owner
C. foreign key
D. administrator

39. __________ is the process of performing authorized queries and deducing unauthorized information from the legitimate responses received.

A. Perturbation
B. Inference
C. Compromise
D. Partitioning

40. Statistics are derived from a database by means of a ___________.

A. characteristic formula
B. compromise
C. partition
D. data perturbation

41. With __________ the records in the database are clustered into a number of mutually exclusive groups and the user may only query the statistical properties of each group as a whole.

A. compromise
B. inference
C. partitioning
D. query restriction

42. __________ is when the data in the SDB can be modified so as to produce statistics that cannot be used to infer values for individual records.

A. Data perturbation
B. Inference channeling
C. Database access control
D. Output perturbation

43. _________ is an organization that produces data to be made available for controlled release, either within the organization or to external users.

A. Client
B. Data owner
C. User
D. Server

44. __________ is an organization that receives the encrypted data from a data owner and makes them available for distribution to clients.

A. User
B. Client
C. Data owner
D. Server

45. The __________ cloud infrastructure is a composition of two or more clouds that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.

A. hybrid B. community C. private D. public

46. A program that is covertly inserted into a system with the intent of compromising the integrity or confidentiality of the victim’s data is __________.

A. Adobe
B. Animoto
C. malware
D. Prezi

47. __________ are used to send large volumes of unwanted e-mail.
A. Rootkits
B. Spammer programs
C. Downloaders
D. Auto-rooter

48. A __________ is code inserted into malware that lies dormant until a predefined condition, which triggers an unauthorized act, is met.

A. logic bomb
B. trapdoor
C. worm
D. Trojan horse

49. The __________ is what the virus “does”.
A. infection mechanism
B. trigger
C. logic bomb
D. payload

50. The __________ is when the virus function is performed.

A. dormant phase
B. propagation phase
C. triggering phase
D. execution phase

51. During the __________ the virus is idle.
A. dormant phase
B. propagation phase
C. triggering phase
D. execution phase

52. A __________ uses macro or scripting code, typically embedded in a document and triggered when the document is viewed or edited, to run and replicate itself into other such documents.

A. boot sector infector
B. file infector
C. macro virus
D. multipartite virus

53. Unsolicited bulk e-mail is referred to as __________.
A. spam
B. propagating
C. phishing
D. crimeware

54. __________ is malware that encrypts the user’s data and demands payment in order to access the key needed to recover the information.

A. Trojan horse
B. Ransomware
C. Crimeware
D. Polymorphic

55. A __________ attack is a bot attack on a computer system or network that causes a loss of service to users.

A. spam
B. phishing
C. DDoS
D. sniff

56. __________ will integrate with the operating system of a host computer and monitor program behavior in real time for malicious actions.

A. Fingerprint-based scanners
B. Behavior-blocking software
C. Generic decryption technology
D. Heuristic scanners

57. ______ relates to the capacity of the network links connecting a server to the wider Internet.
A. Application resource
B. Network bandwidth
C. System payload
D. Directed broadcast

58. A ______ triggers a bug in the system’s network handling software, causing it to crash so that the system can no longer communicate over the network until this software is reloaded.

A. echo
B. reflection
C. poison packet
D. flash flood

59. Using forged source addresses is known as _________.
A. source address spoofing
B. a three-way address
C. random dropping
D. directed broadcast

60. The ______ attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections.

A. DNS amplification attack
B. SYN spoofing attack
C. basic flooding attack
D. poison packet attack

61. TCP uses the _______ to establish a connection.
A. zombie
B. SYN cookie
C. directed broadcast
D. three-way handshake

62. When a DoS attack is detected, the first step is to _______.
A. identify the attack
B. analyze the response
C. design blocking filters
D. shut down the network

63. _________ are among the most difficult to detect and prevent.
A. Organized groups of hackers
B. Insider attacks
C. Outsider attacks
D. Crackers

64. A _________ is a security event that constitutes a security incident in which an intruder gains access to a system without having authorization to do so.

A. intrusion detection
B. IDS
C. criminal enterprise
D. security intrusion

65. A _________ monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

A. host-based IDS
B. security intrusion
C. network-based IDS
D. intrusion detection

66. A ________ monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.

A. host-based IDS
B. security intrusion
C. network-based IDS
D. intrusion detection

67. __________ are attacks that attempt to give ordinary users root access.
A. Privilege-escalation exploits
B. Directory transversals
C. File system access
D. Modification of system resources

68. The first widely used occurrence of the buffer overflow attack was the _______.
A. Code Red Worm
B. Morris Internet Worm
C. Sasser Worm
D. Slammer Worm

69. A _______ can occur as a result of a programming error when a process attempts to store data beyond the limits of a fixed-size buffer.

A. shellcode
B. program overflow
C. buffer overflow
D. library function

70. A stack buffer overflow attack is also referred to as ______.
A. stack smashing
B. stack framing
C. buffer overrunning
D. heap overflowing

71. An essential component of many buffer overflow attacks is the transfer of execution to code, known as _______, supplied by the attacker and often saved in the buffer being overflowed.

A. NOP code
B. stack code
C. heap code
D. shellcode

72. Incorrect handling of program _______ is one of the most common failings in software security.

A. lines
B. input
C. output
D. disciplines

73. A _________ attack occurs when the input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server.

A. command injection
B. SQL injection
C. code injection
D. PHP remote code injection

74. The intent of ________ is to determine whether the program or function correctly handles all abnormal inputs or whether it crashes or otherwise fails to respond appropriately.

A. shell scripting
B. fuzzing
C. canonicalization
D. deadlocking

75. The first step in deploying new systems is _________.
A. security testing
B. installing patches
C. planning
D. secure critical content

76. Which of the following need to be taken into consideration during the system security planning process?

A. how users are authenticated
B. the categories of users of the system
C. what access the system has to information stored on other hosts
D. all of the above

77. The following steps should be used to secure an operating system:

A. test the security of the basic operating system

B. remove unnecessary services

C. install and patch the operating system

D. all of the above

78. __________ applications is a control that limits the programs that can execute on the system to just those in an explicit list.

A. Virtualizing
B. White listing
C. Logging
D. Patching

79. Once the system is appropriately built, secured, and deployed, the process of maintaining security is ________.

A. complete
B. no longer a concern
C. continuous
D. sporadic

80. The ______ process makes copies of data at regular intervals for recovery of lost or corrupted data over short time periods.

A. logging
B. backup
C. hardening
D. archive

81. The ______ process retains copies of data over extended periods of time in order to meet legal and operational requirements.

A. archive
B. virtualization
C. patching
D. backup

82. The most important changes needed to improve system security are to ______.
A. assure the principle of least privilege is being applied whenever possible
B. disable remotely accessible services that are not required and ensure that applications and services that are needed are appropriately configured
C. disable services and applications that are not required
D. all of the above

83. Security concerns that result from the use of virtualized systems include ______.
A. guest OS isolation
B. guest OS monitoring by the hypervisor
C. virtualized environment security
D. all of the above

84. A prevalent concern that is often overlooked is ________.
A. overvoltage
B. undervoltage
C. dust
D. noise

85. Eavesdropping and wiretapping fall into the ________ category.
A. theft
B. vandalism
C. misuse
D. unauthorized physical access

86. _______ includes destruction of equipment and data.
A. Misuse
B. Vandalism
C. Theft
D. Unauthorized physical access

87. _______ should be located on the floor of computer rooms as well as under raised floors, and should cut off power automatically in the event of a flood.

A. Smoke detectors
B. UPS
C. Water sensors
D. Equipment power off switches

SHORT ANSWER QUESTIONS:

1. A(n) _________ is any means taken to deal with a security attack.

2. The assets of a computer system can be categorized as hardware, software, communication lines and networks, and _________.

3. Establishing, maintaining, and implementing plans for emergency response, backup operations, and post disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations is a __________ plan.

4. A(n) _________ assessment is periodically assessing the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

5. Security implementation involves four complementary courses of action: prevention, detection, response, and _________.

6. A __________ authentication system attempts to authenticate an individual based on his or her unique physical characteristics.

7. The basic elements of access control are: subject, __________, and access right.

8. Basic access control systems typically define three classes of subject: owner, __________ and world.

9. The __________ user ID is exempt from the usual file access control constraints and has system wide access.

10. A _________ is a set of programs installed on a system to maintain covert access to that system with administrator (root) privileges while hiding evidence of its presence.

11. A computer __________ is a piece of software that can “infect” other programs or any type of executable content and tries to replicate itself.

12. Sometimes known as a “logic bomb”, the __________ is the event or condition that determines when the payload is activated or delivered.

13. During the __________ phase the virus is activated to perform the function for which it was intended.

14. A __________ is a collection of bots capable of acting in a coordinated manner.

15. A bot can use a __________ to capture keystrokes on the infected machine to retrieve sensitive information.

16. Countermeasures for malware are generally known as _________ mechanisms because they were first developed to specifically target virus infections.

17. __________ technology is an anti-virus approach that enables the anti-virus program to easily detect even the most complex polymorphic viruses and other malware, while maintaining fast scanning speeds.

18. The ICMP echo response packets generated in response to a ping flood using randomly spoofed source addresses are known as _______ traffic.

19. A _____ is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units, memory, bandwidth, and disk space.

20. ________ are decoy systems that are designed to lure a potential attacker away from critical systems.

21. In 1996 ________ published “Smashing the Stack for Fun and Profit” in Phrack magazine, giving a step-by-step introduction to exploiting stack-based buffer overflow vulnerabilities.

22. A _________ can occur as a result of a programming error when a process attempts to store data beyond the limits of a fixed-sized buffer and consequently overwrites adjacent memory locations.

23. The principle of ________ strongly suggests that programs should execute with the least amount of privileges needed to complete their function.

24. _______ is the process of making copies of data at regular intervals allowing the recovery of lost or corrupted data over relatively short time periods of a few hours to some weeks.

25. __________ is a standardized language that can be used to define schema, manipulate, and query data in a relational database.

26. The information transfer path by which unauthorized data is obtained is referred to as an ___________ channel.

27. ______ is the process of retaining copies of data over extended periods of time, being months or years, in order to meet legal and operational requirements to access past data.

28. Tornados, tropical cyclones, earthquakes, blizzards, lightning, and floods are all types of ________ disasters.

29. An _______ condition occurs when the IS equipment receives less voltage than is required for normal operation.

30. Human-caused threats can be grouped into the following categories: unauthorized physical access, theft, _________ and misuse.

31. Noise along a power supply line, motors, fans, heavy equipment, microwave relay antennas, and other computers are all sources of _________.

32. To deal with the threat of smoke, the responsible manager should install _______ in every room that contains computer equipment as well as under raised floors and over suspended ceilings.

33. A(n) ________ is a battery backup unit that can maintain power to processors, monitors, and other equipment and can also function as a surge protector, power noise filter, and an automatic shutdown device.

34. The most essential element of recovery from physical security breaches is ____.

LONG ANSWER QUESTIONS:

Define computer security.

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

What is the difference between passive and active security threats?

Passive attacks have to do with eavesdropping on, or monitoring, transmissions. Electronic mail, file transfers, and client/server exchanges are examples of transmissions that can be monitored. Active attacks include the modification of transmitted data and attempts to gain unauthorized access to computer systems.

List and briefly define samples of passive and active network security attacks.

Passive attacks: release of message contents and traffic analysis.

Active attacks: masquerade, replay, modification of messages, and denial of service.


In general terms, what are four means of authenticating a user's identity?

Something the individual knows: Examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions.

Something the individual possesses: Examples include electronic keycards, smart cards, and physical keys. This type of authenticator is referred to as a token.

Something the individual is (static biometrics): Examples include recognition by fingerprint, retina, and face.

Something the individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.

List and briefly describe the principal threats to the secrecy of passwords.

We can identify the following attack strategies and countermeasures:

Offline dictionary attack: Typically, strong access controls are used to protect the system's password file. However, experience shows that determined hackers can frequently bypass such controls and gain access to the file. The attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords. If a match is found, the attacker can gain access by that ID/password combination.

Specific account attack: The attacker targets a specific account and submits password guesses until the correct password is discovered.

Popular password attack: A variation of the preceding attack is to use a popular password and try it against a wide range of user IDs. A user's tendency is to choose a password that is easily remembered; this unfortunately makes the password easy to guess.

Password guessing against single user: The attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password.

Workstation hijacking: The attacker waits until a logged-in workstation is unattended.

Exploiting user mistakes: If the system assigns a password, then the user is more likely to write it down because it is difficult to remember. This situation creates the potential for an adversary to read the written password. A user may intentionally share a password, to enable a colleague to share files, for example.

Also, attackers are frequently successful in obtaining passwords by using social engineering tactics that trick the user or an account manager into revealing a password. Many computer systems are shipped with preconfigured passwords for system administrators. Unless these preconfigured passwords are changed, they are easily guessed.

Exploiting multiple password use: Attacks can also become much more effective or damaging if different network devices share the same or a similar password for a given user.

Electronic monitoring: If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping. Simple encryption will not fix this problem, because the encrypted password is, in effect, the password and can be observed and reused by an adversary.
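The offline dictionary attack above works because a stolen file of unsalted hashes can be compared against a table of common-password hashes computed once, in advance. The following is an added example, not part of the study guide, showing why a per-user random salt and a slow key-derivation function (PBKDF2 here, an assumption; the guide names no algorithm) blunt that comparison: the same password stored for two users no longer produces the same value, so there is nothing for a precomputed table to match. The password file and the list of common passwords are constructed for the demonstration.

```python
"""Added example (not from the study guide): unsalted hashes versus
salted, iterated hashes in the face of an offline dictionary comparison."""
import hashlib
import hmac
import os

# Constructed list standing in for "commonly used passwords".
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
ITERATIONS = 100_000   # assumption: a work factor; real deployments tune this


def unsalted(password: str) -> str:
    """How a weak system might store passwords: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Per-user salt plus an iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def precomputed_table() -> dict:
    """What can be prepared once against an unsalted file: hash -> password."""
    return {unsalted(p): p for p in COMMON_PASSWORDS}


def matches_from_unsalted(password_file: dict) -> dict:
    """Which accounts in a constructed {user: sha256hex} file match the table."""
    table = precomputed_table()
    return {user: table[h] for user, h in password_file.items() if h in table}


def store(password: str) -> tuple:
    """Create a salted record: (salt, derived key). The salt is random per user."""
    salt = os.urandom(16)
    return salt, salted(password, salt)


def verify(record: tuple, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(salted(attempt, salt), stored)


if __name__ == "__main__":
    # Constructed unsalted file: u1 chose a common password, u2 did not.
    weak_file = {"u1": unsalted("password"), "u2": unsalted("Tr0ub4dor&3")}
    print("matched from unsalted file:", matches_from_unsalted(weak_file))
    # With salts, two users with the same password store different values.
    rec_a, rec_b = store("password"), store("password")
    print("same password, same stored value?", rec_a[1] == rec_b[1])
    print("verify correct:", verify(rec_a, "password"), "wrong:", verify(rec_a, "Password"))
```

The precomputed table is the single step that salting removes: with a distinct salt per record, the comparison has to be repeated per user at the full PBKDF2 cost, and a constant-time compare on verification avoids leaking how many bytes of the derived key matched.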

List and briefly describe the principal physical characteristics used for biometric identification.

Facial characteristics: Facial characteristics are the most common means of human to-human identification; thus it is natural to consider them for identification by computer. The most common approach is to define characteristics based on relative location and shape of key facial features, such as eyes, eyebrows, nose, lips, and chin shape. An alternative approach is to use an infrared camera to produce a face that correlates with the underlying vascular system in the human face.

Fingerprints: Fingerprints have been used as a means of identification for centuries, and the process has been systematized and automated particularly for law enforcement purposes. A fingerprint is the pattern of ridges and furrows on the surface of the fingertip. Fingerprints are believed to be unique across the entire human population. In practice, automated fingerprint recognition and matching systems extract a number of features from the fingerprint for storage as a numerical surrogate for the full fingerprint pattern.

Hand geometry: Hand geometry systems identify features of the hand, including shape, and lengths and widths of fingers.

Retinal pattern: The pattern formed by veins beneath the retinal surface is unique and therefore suitable for identification. A retinal biometric system obtains a digital image of the retinal pattern by projecting a low-intensity beam of visual or infrared light into the eye.

Iris: Another unique physical characteristic is the detailed structure of the iris.

Signature: Each individual has a unique style of handwriting and this is reflected especially in the signature, which is typically a frequently written sequence. However, multiple signature samples from a single individual will not be identical. This complicates the task of developing a computer representation of the signature that can be matched to future samples.

Voice: Whereas the signature style of an individual reflects not only the unique physical attributes of the writer but also the writing habit that has developed, voice patterns are more closely tied to the physical and anatomical characteristics of the speaker. Nevertheless, there is still a variation from sample to sample over time from the same speaker, complicating the biometric recognition task.

Briefly define the difference between DAC and MAC.

Discretionary access control (DAC) controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. This policy is termed discretionary because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource.

Mandatory access control (MAC) controls access based on comparing security labels (which indicate how sensitive or critical system resources are) with security clearances (which indicate which system entities are eligible to access certain resources). This policy is termed mandatory because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource.

List and define the three classes of subject in an access control system

Owner: This may be the creator of a resource, such as a file. For system resources, ownership may belong to a system administrator. For project resources, a project administrator or leader may be assigned ownership.

Group: In addition to the privileges assigned to an owner, a named group of users may also be granted access rights, such that membership in the group is sufficient to exercise these access rights. In most schemes, a user may belong to multiple groups.

World: The least amount of access is granted to users who are able to access the system but are not included in the categories owner and group for this resource.
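The DAC/MAC distinction and the owner/group/world classes above can be seen together in one decision function. The following is an added example, not code from the study guide: a Unix-style mode word supplies the discretionary owner/group/world bits, and a label-versus-clearance comparison supplies the mandatory check. The mandatory rule used (read only at or below your clearance, write only at or above it, the Bell-LaPadula rules) is an assumption; the guide only says labels are compared with clearances. File, users and clearances are constructed.

```python
"""Added example (not from the study guide): DAC via owner/group/world mode
bits combined with a MAC label/clearance comparison."""
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = 4, 2, 1   # Unix-style permission bits


@dataclass
class File:
    """A protected object. `mode` packs three 3-bit fields (owner, group, world),
    e.g. 0o640; `label` is the MAC sensitivity level, 0 = lowest."""
    name: str
    owner: str
    group: str
    mode: int
    label: int = 0


@dataclass
class Subject:
    """A process acting for a user, with group memberships and a clearance."""
    user: str
    groups: set = field(default_factory=set)
    clearance: int = 0


def dac_allows(subj: Subject, obj: File, right: int) -> bool:
    """Discretionary check: choose the owner, group or world field of the mode
    according to who the subject is, then test the requested bit. The owner set
    these bits and may change them, which is what makes the policy discretionary."""
    if subj.user == obj.owner:
        bits = (obj.mode >> 6) & 0o7
    elif obj.group in subj.groups:
        bits = (obj.mode >> 3) & 0o7
    else:
        bits = obj.mode & 0o7
    return bool(bits & right)


def mac_allows(subj: Subject, obj: File, right: int) -> bool:
    """Mandatory check (assumed Bell-LaPadula style): no read up, no write down.
    Nothing the owner does to the mode bits can loosen this."""
    if right == READ:
        return subj.clearance >= obj.label
    if right == WRITE:
        return subj.clearance <= obj.label
    return False


def allowed(subj: Subject, obj: File, right: int) -> bool:
    """Access is granted only when both policies agree."""
    return dac_allows(subj, obj, right) and mac_allows(subj, obj, right)


# Constructed sample: payroll file owned by alice, group finance, mode 0o640,
# labelled level 2. bob is in finance but only cleared to level 1; eve is
# cleared to level 3 but is neither owner nor group member (world).
PAYROLL = File("payroll.db", owner="alice", group="finance", mode=0o640, label=2)
ALICE = Subject("alice", {"finance"}, clearance=2)
BOB = Subject("bob", {"finance"}, clearance=1)
EVE = Subject("eve", set(), clearance=3)

if __name__ == "__main__":
    for s in (ALICE, BOB, EVE):
        print(f"{s.user}: read={allowed(s, PAYROLL, READ)} write={allowed(s, PAYROLL, WRITE)}")
```

bob shows the MAC side of the distinction: the owner's group grant (the discretionary part) would let him read, but his clearance does not, and alice cannot override that by changing the mode. eve shows the reverse: a high clearance is worth nothing when the discretionary bits for "world" are zero.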


In the context of access control, what is the difference between a subject and an object?

A subject is an entity capable of accessing objects. Generally, the concept of subject equates with that of process. Any user or application actually gains access to an object by means of a process that represents that user or application.

An object is anything to which access is controlled. Examples include files, portions of files, programs, and segments of memory.

List and define the four types of entities in a base model RBAC system.

User: An individual that has access to this computer system. Each individual has an associated user ID.

Role: A named job function within the organization that controls this computer system. Typically, associated with each role is a description of the authority and responsibility conferred on this role, and on any user who assumes this role.

Permission: An approval of a particular mode of access to one or more objects. Equivalent terms are access right, privilege, and authorization.

Session: A mapping between a user and an activated subset of the set of roles to which the user is assigned.
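The four entity types above map directly onto a small data model. The following is an added example, not code from the study guide: users are assigned roles, roles hold permissions (mode, object), and a session activates a subset of a user's assigned roles, so a permission check consults only the roles active in that session. The roles, objects and user names are constructed.

```python
"""Added example (not from the study guide): a base-model RBAC with
user, role, permission and session entities."""


class RBAC:
    def __init__(self):
        self.user_roles = {}   # user id -> set of roles assigned to that user
        self.role_perms = {}   # role -> set of (mode, object) permissions

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def grant(self, role: str, mode: str, obj: str) -> None:
        """Permission: approval of a mode of access to an object, held by a role."""
        self.role_perms.setdefault(role, set()).add((mode, obj))

    def open_session(self, user: str, roles) -> "Session":
        """A session activates a subset of the user's assigned roles.
        Activating a role the user is not assigned is refused."""
        assigned = self.user_roles.get(user, set())
        requested = set(roles)
        if not requested <= assigned:
            raise PermissionError(f"{user} is not assigned {sorted(requested - assigned)}")
        return Session(self, user, requested)


class Session:
    def __init__(self, rbac: RBAC, user: str, active_roles: set):
        self.rbac = rbac
        self.user = user
        self.active_roles = active_roles

    def check(self, mode: str, obj: str) -> bool:
        """Permission comes only from roles active in this session, not from
        every role the user could assume."""
        return any((mode, obj) in self.rbac.role_perms.get(r, set())
                   for r in self.active_roles)


def demo() -> dict:
    """Constructed scenario: dana holds clerk and admin roles but works in a
    clerk-only session; the write permission needs the admin role activated."""
    r = RBAC()
    r.grant("clerk", "read", "ledger")
    r.grant("auditor", "read", "ledger")
    r.grant("auditor", "read", "audit_log")
    r.grant("admin", "write", "ledger")
    r.assign_role("dana", "clerk")
    r.assign_role("dana", "admin")

    day = r.open_session("dana", ["clerk"])
    results = {
        "clerk_reads_ledger": day.check("read", "ledger"),
        "clerk_writes_ledger": day.check("write", "ledger"),
    }
    elevated = r.open_session("dana", ["clerk", "admin"])
    results["admin_writes_ledger"] = elevated.check("write", "ledger")
    try:
        r.open_session("dana", ["auditor"])   # not assigned: must fail
        results["auditor_session_opened"] = True
    except PermissionError:
        results["auditor_session_opened"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The session is what lets RBAC express least privilege in daily use: a user assigned a powerful role is not exercising it unless that role is activated, and an attempt to activate a role that was never assigned is rejected at session creation rather than at each permission check.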

Describe the difference between a host based IDS and network IDS

Host-based IDS: Monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

Network-based IDS: Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.

Describe the three logical components of an IDS.

Sensors: Sensors are responsible for collecting data. The input for a sensor may be any part of a system that could contain evidence of an intrusion. Types of input to a sensor include network packets, log files, and system call traces. Sensors collect and forward this information to the analyzer.

Analyzers: Analyzers receive input from one or more sensors or from other analyzers. The analyzer is responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion occurred. The analyzer may provide guidance about what actions to take as a result of the intrusion.

User interface: The user interface to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a manager, director, or console component.

What are the three benefits that can be provided by an IDS?

1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner that the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved.

2. An effective intrusion detection system can serve as a deterrent, thus acting to prevent intrusions.

3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

What is the difference between anomaly detection and signature intrusion detection?

Statistical anomaly detection involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior. Signature intrusion detection involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
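The two approaches above, and the sensor-to-analyzer flow described earlier, can be shown on a handful of log lines. The following is an added example, not code from the study guide: the log lines are constructed sensor input in an sshd-like format, the signature rules are two illustrative patterns chosen for the example, and the anomaly detector learns a per-user baseline of daily login counts from a constructed training week and flags a count more than k standard deviations above the mean. Both return alert lists a user interface component could display.

```python
"""Added example (not from the study guide): signature detection versus
statistical anomaly detection over constructed log data."""
import re
import statistics

# Constructed sensor input: one line per authentication event.
LOG_LINES = [
    "sshd[201]: Accepted password for alice from 10.0.0.5 port 50122 ssh2",
    "sshd[202]: Failed password for invalid user admin from 203.0.113.9 port 4321 ssh2",
    "sshd[203]: Accepted password for root from 203.0.113.9 port 4322 ssh2",
]

# Signature rules (constructed for the example): each encodes one pattern
# that the analyst has decided is intruder behaviour. 10.x is the assumed
# internal range, so a root login from anywhere else matches.
SIGNATURES = [
    ("invalid-user-guess", re.compile(r"Failed password for invalid user")),
    ("root-remote-login", re.compile(r"Accepted \w+ for root from (?!10\.)")),
]

# Constructed training data: successful logins per day, per user, over a week,
# and the counts observed today.
TRAINING_LOGINS = {"alice": [3, 4, 3, 5, 4, 3, 4], "bob": [1, 0, 1, 2, 1, 1, 0]}
TODAY_LOGINS = {"alice": 4, "bob": 19}


def signature_detect(lines):
    """Signature detection: a line matching any rule is reported with the
    rule name. Behaviour not described by a rule is never flagged."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                alerts.append((name, line))
    return alerts


def anomaly_detect(training, today, k=3.0):
    """Statistical anomaly detection: model each user's normal daily login
    count from the training period and flag today's count when it exceeds
    mean + k * stdev. Returns (user, observed, threshold) tuples."""
    alerts = []
    for user, count in today.items():
        history = training[user]
        mean = statistics.mean(history)
        # A user whose history never varies would give a zero threshold band;
        # fall back to a one-login band so a single extra login is not an alert.
        sd = statistics.pstdev(history) or 1.0
        threshold = mean + k * sd
        if count > threshold:
            alerts.append((user, count, round(threshold, 2)))
    return alerts


if __name__ == "__main__":
    for alert in signature_detect(LOG_LINES):
        print("signature:", alert)
    for alert in anomaly_detect(TRAINING_LOGINS, TODAY_LOGINS):
        print("anomaly:", alert)
```

Note the complementary blind spots: the signature rules say nothing about bob's nineteen logins because no rule describes that, while the anomaly detector has no opinion on the root login because a single event does not move a daily count. That is why both are used together.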


What are possible locations for NIDS sensors?

(1) just inside the external firewall;

(2) between the external firewall and the Internet or WAN;

(3) at the entrance to major backbone networks; (4) to support workstation LANs.

What is a honeypot?

Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems.

What is the difference between a bot and a rootkit?

A bot (robot), also known as a zombie or drone, is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the bot's creator.

A rootkit is a set of programs installed on a system to maintain administrator (or root) access to that system. Root access provides access to all the functions and services of the operating system. The rootkit alters the host's standard functionality in a malicious and stealthy way.

What are the #1 and #2 web application vulnerabilities?

#1 Cross Site Scripting (XSS) Flaws

XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content.

XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.


#2 Injection Flaws

Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
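Both of the flaws above (#1 XSS and #2 injection) come from the same mistake: user-supplied data reaching an interpreter (the browser's HTML parser, the database's SQL parser) in a form the interpreter can read as instructions. The following is an added example, not code from the study guide, placing the vulnerable form beside the fix for each: the HTML output is encoded with `html.escape` so markup in the input is rendered as text, and the SQL query carries the user's value as a bound parameter so it can only ever be data. The table, rows and inputs are constructed; the database is an in-memory SQLite instance.

```python
"""Added example (not from the study guide): XSS and SQL injection, each
shown as the vulnerable form beside its hardened form."""
import html
import sqlite3

# Constructed inputs: markup that should display as text, and a value that
# contains SQL syntax characters.
CONSTRUCTED_XSS_INPUT = "<script>alert(1)</script>"
CONSTRUCTED_SQLI_INPUT = "' OR '1'='1"


# --- #1 XSS -----------------------------------------------------------------
def render_comment_unsafe(text: str) -> str:
    """Vulnerable: user data is placed into HTML unchanged, so the browser
    parses any tags it contains."""
    return f"<p>{text}</p>"


def render_comment_safe(text: str) -> str:
    """Hardened: encode for the HTML text context. < > & " ' become entities,
    so the browser displays the input rather than interpreting it."""
    return f"<p>{html.escape(text, quote=True)}</p>"


# --- #2 SQL injection -------------------------------------------------------
def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the value is spliced into the SQL text, so quote characters
    in it change the structure of the WHERE clause."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the query text is fixed; the driver binds the value as data,
    so the same input simply matches no user."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    print("unsafe HTML:", render_comment_unsafe(CONSTRUCTED_XSS_INPUT))
    print("safe HTML:  ", render_comment_safe(CONSTRUCTED_XSS_INPUT))
    db = make_db()
    print("unsafe query returns:", lookup_unsafe(db, CONSTRUCTED_SQLI_INPUT))
    print("safe query returns:  ", lookup_safe(db, CONSTRUCTED_SQLI_INPUT))
```

The contrast in the SQL half is the one to remember: the unsafe lookup returns every row for an input that names no user, because the input has become part of the command, whereas the parameterized lookup returns nothing, because the input stayed data. Encoding for HTML is context specific; `html.escape` is right for element text and attribute values but not for data placed inside a script block or a URL.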

List three design goals for a firewall

1. All traffic from inside to outside, and vice versa, must pass through the firewall.

2. Only authorized traffic, as defined by the local security policy, will be allowed to pass.

3. The firewall itself is immune to penetration.

What information is used by a typical packet filtering firewall?

Source IP address: The IP address of the system that originated the IP packet.

Destination IP address: The IP address of the system the IP packet is trying to reach.

Source and destination transport-level address: The transport level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET.

IP protocol field: Defines the transport protocol.

Interface: For a router with three or more ports, which interface of the router the packet came from or which interface of the router the packet is destined for.

What is the difference between a packet filtering firewall and a stateful inspection firewall?

A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context. A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections.
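The five fields listed for a packet filter, and the connection directory that distinguishes stateful inspection, fit in a short rule engine. The following is an added example, not code from the study guide: rules match on source and destination address, transport protocol, destination port and interface, first match wins, and a default deny closes the list. The stateful variant records each permitted outbound TCP connection and admits inbound packets only when they belong to a recorded connection. The network ranges, interface names and packets are constructed.

```python
"""Added example (not from the study guide): a stateless packet filter and a
stateful inspection filter built on the same rule set."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    iface: str      # interface the packet arrived on: "inside" or "outside"
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    """One filter rule over the fields a packet filter typically uses."""
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # source IP address (network)
    dst: str = "0.0.0.0/0"          # destination IP address (network)
    proto: str = "any"              # IP protocol field
    dport: Optional[int] = None     # destination transport-level port
    iface: str = "any"              # interface the packet came from

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport)
                and self.iface in ("any", p.iface))


INTERNAL = "192.168.1.0/24"   # constructed internal network
RULES = [
    Rule("allow", src=INTERNAL, proto="tcp", dport=80, iface="inside"),   # web out
    Rule("allow", src=INTERNAL, proto="tcp", dport=443, iface="inside"),  # https out
    Rule("deny"),                                                          # default deny
]


def packet_filter(p: Packet, rules=RULES) -> str:
    """Stateless: each packet is judged alone; the first matching rule decides."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFilter:
    """Keeps a directory of outbound TCP connections so that inbound packets
    are admitted only as replies to connections the inside initiated."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.connections = set()   # (inside ip, inside port, outside ip, outside port)

    def decide(self, p: Packet) -> str:
        if p.iface == "inside":
            verdict = packet_filter(p, self.rules)
            if verdict == "allow" and p.proto == "tcp" and p.syn:
                self.connections.add((p.src, p.sport, p.dst, p.dport))
            return verdict
        # Inbound: allowed only if it belongs to a recorded outbound connection.
        if p.proto == "tcp" and (p.dst, p.dport, p.src, p.sport) in self.connections:
            return "allow"
        return "deny"


if __name__ == "__main__":
    fw = StatefulFilter()
    out = Packet("192.168.1.10", "93.184.216.34", "tcp", 51000, 443, "inside", syn=True)
    reply = Packet("93.184.216.34", "192.168.1.10", "tcp", 443, 51000, "outside", ack=True)
    print("outbound:", fw.decide(out), "| reply (stateful):", fw.decide(reply),
          "| reply (stateless):", packet_filter(reply))
```

The stateless filter denies the legitimate reply because no rule covers inbound packets to a high-numbered client port; to let replies through it would need a broad rule admitting all such inbound traffic. The stateful filter gets the same effect from the connection directory, and an unsolicited inbound packet to that port is still denied.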

What is a DMZ network and what types of systems would you expect to find in such networks?

Between internal and external firewalls are one or more networked devices in a region referred to as a DMZ (demilitarized zone) network. Systems that are externally accessible but need some protection are usually located on DMZ networks. Typically, the systems in the DMZ require or foster external connectivity, such as a corporate Web site, an e-mail server, or a DNS (domain name system) server.

Define the principle of least privilege.

The principle of least privilege states that programs should execute with the least amount of privileges needed to complete their function.
