Unit 1.1 - CIA Triad and Authentication

Question 1

What is the equation fused to model computer security?

Answer 1

Protection = Prevention + (Detection + Response)

Question 2

What is the CIA Triad? (what each letter represents and what each of those categories is)

Answer 2

Confidentiality - the data is not revealed
Integrity - data is intact (not modified or corrupted)
Accessibility - data is accessible to allowed users

Question 3

What are the 3 data states?

Answer 3

Data in rest, data in transit, data in use

Question 4

What tools are used to achieve CIA (AAA?)

Answer 4

Authentication - prove who you are
Access Control - what you are allowed to see or get to
Accounting - keep track of what you have done and what’s happened

Question 5

What are the 2 methods of password attacks?

Answer 5

Steal the password
Guess the password (brute force or stupid user)

Question 6

What are some rules for creating a strong password?

Answer 6

Use minimum 8 - 10 characters
Use lower and upper case characters
Include special characters/symbols
Don’t use any personal information
Don’t reuse passwords on important websites
Don’t use any dictionary words

Question 7

How are databases used in password attacks?

Answer 7

Databases are used for dictionary attacks, password spraying, and credential stuffing.

Question 8

What are dictionary attacks?

Answer 8

Uses a database of words that people are likely to use and rapidly tests them for a given account

Question 9

What is password spraying?

Answer 9

Uses a database of weak passwords and tests each one against a large number of accounts

Question 10

What is credential stuffing?

Answer 10

Uses a database of usernames and passwords from a data breach in order to gain access to user accounts

Question 11

What is password hashing and why do we use it?

Answer 11

Hashing is a special mathematical function that performs a one way conversion. We use it to avoid storing passwords in plain text.

Question 12

What does it mean to add salt to a hash?

Answer 12

Salting is adding a random string of characters to a password before the hashing algorithm is applied so that rainbow tables are less effective

Question 13

What is a rainbow table?

Answer 13

A file of pre-computed hash values for every possible combination of characters

Question 14

What is the birthday attack?

Answer 14

Takes advantage of the fact that it is likely there will be multiple accounts that have the same passwords and can then use that information to reverse the hashing algorithm.

Question 15

What is the ‘pass the hash’ method?

Answer 15

Attacker logs in with the username and password hash instead of the text password

Question 16

Give an example of authentication for each of the following categories: what you have, what you know, what you are

Answer 16

What you have - smart cards, certificate
What you know - password, PIN
What you are - biometrics