Test 1 - Final Prep Flashcards

Question 1

Q

Defensive or Secure Programming

Answer

A

the process of designing and implementing software so that it continues to function even when under attack

Question 2

Q

injection attack

Answer

A

wide variety of program flaws related to invalid handling of input dataThis problem occurs when program input data can accidentally or deliberately influence the flow of execution of the program

Question 3

Q

command injection

Answer

A

the input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server

Question 4

Q

SQL injection

Answer

A

The user-supplied input is used to construct a SQL request to retrieve information from a database

Question 5

Q

code injection

Answer

A

the input includes code that is then executed by the attacked system

Question 6

Q

cross-site scripting (XSS) attacks

Answer

A

concerns input provided to a program by one user that is subsequently output to another user.

Question 7

Q

XSS reflection vulnerability

Answer

A

The attacker includes the malicious script content in data supplied to a site

Question 8

Q

Malware propagation mechanisms include those used by…(3)

Answer

A

viruses, worms and Trojans

Question 9

Q

The principal objectives of computer security are to

Answer

A

prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner

Question 10

Q

A consequence of a buffer overflow error is

Answer

A

corruption data used by the program, unexpected transfer of control in the program, possible memory access violation

Question 11

Q

To defend against database inference attacks we can apply

Answer

A

perturbation, de-identification, anonymization

Question 12

Q

Presenting or generating authentication information that corroborates the binding between the entity and the identifier is the

Answer

A

verification step

Question 13

Q

‘No write down’ is also referred to as the

Answer

A

‘*-property’

Question 14

Q

_____ is a process that ensures a system is developed and operated as intended by the system’s security policy

Answer

A

Assurance

Question 15

Q

____ data are data that may be derived from corporate data but that cannot be used to discover the corporation’s identity

Answer

A

Sanitized

Question 16

Q

Presenting or generating authentication information that corroborates the binding between the entity and the identifier is the

Answer

A

verification step

Question 17

Q

The most important changes needed to improve system security are to ____

Answer

A

disable remotely accessible services that are not required, ensure that applications and services that are needed are appropriately configured, disable services and applications that are not required

Question 18

Q

The following steps should be used to secure an OS:

Answer

A

test the security of the basic OS, remove unnecessary services, install and patch the OS

Question 19

Q

form of buffer overflow attack

Answer

A

heap overflows, return to system call, replacement stack frame

Question 20

Q

a set of automated tools designed to detect unauthorized access to a host system

Answer

A

intrusion detection system (IDS)

Question 21

Q

A multilevel secure system for confidentiality must enforce:

Answer

A

No read up: A subject can only read an object of less or equal security level. This is referred to in the literature as the simple security property (ss-property). No write down: A subject can only write into an object of greater or equal security level. This is referred to in the literature as the *-property1 (pronounced star property).

Question 22

Q

_____ will integrate with the operating system of a host computer and monitor program behavior in real-time for malicious action

Answer

A

behavior blocking software

Question 23

Q

intrusion management encompasses

Answer

A

intrusion detection, prevention and response

Question 24

Q

Which of the following need to be taken into consideration during the system security planning process

Answer

A

how users are authenticated, the categories of users of the system, what access the system has to information

Question 25

Q

______ include system corruption, bots, phishing, spyware, and rootkits.

Question 26

Q

Virus Propagation Phase

Answer

A

The virus places a copy of itself into other programs orinto certain system areas on the disk.

Question 27

Q

Virus Triggering Phase

Answer

A

The virus is activated to perform the function for which it was intended.

Question 28

Q

Virus Execution Phase

Answer

A

The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction ofprograms and data files.

Question 29

Q

Infects files that the operating system or shell consider to be executable.

Answer

A

File Infector Virus

Question 30

Q

An attack, that exploits social engineering to leverage user’s trust by masquerading as communications from a trusted source

Answer

A

Phishing Attack

Question 31

Q

Is a set of programs installed on a system to maintain covert access to thatsystem with administrator (or root) privileges, while hiding evidence of its presenceto the greatest extent possible.

Question 32

Q

An attempt to compromise availabilityby hindering or blocking completely the provision of some service.

Answer

A

Denial-of-service (DoS) attack

Question 33

Q

DDoS Flooding attack targets…(3)

Answer

A

Network BW, System resources, Application resources

Question 34

Q

The ICMP echo responsepackets generated in response to a ping flood using randomly spoofed source addresses is a good example.

Answer

A

Backscatter traffic

Question 35

Q

This attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections.

Answer

A

DoS attach, SYN Spoofing Attack

Question 36

Q

The attacker sends packets to a known service on the intermediary with a spoofed source addressof the actual target system. When the intermediary responds, the response is sent tothe target.

Answer

A

Reflection Attack

Question 37

Q

Involve sending apacket with a spoofed source address for the target system to intermediaries. Theydiffer in generating multiple response packets for each original packet sent. This canbe achieved by directing the original request to the broadcast address for some network.

Answer

A

Amplification Attacks

Question 38

Q

Can be deployed as operating systems updates to provide some protection for existing vulnerable programs. These defenses involve changes to the memory management of the virtual address space of processes.

Answer

A

Run_time Defenses

Question 39

Q

Most commonlythe address of a standard library function is chosen, such as the system() function. The attacker specifies an overflow that fills the buffer, replaces the savedframe pointer with a suitable address, replaces the return address with the address of the desired library function, writes a placeholder value that the library function will believe is a return address, and then writes the values of one (or more) parameters to this library function.

Answer

A

return to system call attack

Question 40

Q

If the allocated space includes a pointer to afunction, which the code then subsequently calls, an attacker can arrange for this address to be modified to point to shellcode in the overwritten buffer.

Answer

A

Heap Buffer Overflow

Question 41

Q

The process of designing and implementingsoftware so that it continues to function even when under attack. Software written using this process is able to detect erroneous conditions resulting fromsome attack, and to either continue executing safely, or to fail gracefully.

Answer

A

Defensive Programming

Question 42

Q

This problem occurs when program input data can accidentally or deliberately influence the flow of execution of the program.

Answer

A

Injection Attack

Question 43

Q

When the input is used in theconstruction of a command that is subsequently executed by the system with theprivileges of the Web server.

Answer

A

Command Injection Attack

Question 44

Q

In this attack, the user-supplied input is used to construct a SQL request to retrieve informationfrom a database.

Answer

A

SQL Injection Attack

Question 45

Q

This is a software testing technique that uses randomly generated data as inputs to a program. The intent is to determine whether the program or functioncorrectly handles all such abnormal inputs or whether it crashes or otherwise fails to respond appropriately.

Answer

A

Input Fuzzing

Question 46

Q

This strongly suggests that programs should execute with the least amount of privileges needed to complete their function.

Answer

A

Principle of Least Privilege

Question 47

Q

A process that includes planning, installation, configuration, update, and maintenanceof the operating system and the key applications in use,

Answer

A

Hardening a System

Question 48

Q

3 Steps to hardening a base OS

Answer

A

• Removing unnecessary services, applications, and protocols.• Configuring users, groups, and permissions.• Configuring resource controls.

Question 49

Q

Which restricts the server’s view of the file system to just a specified portion. Files in directoriesoutside the __________ are not visible or reachable at all.

Answer

A

Chroot Jail

Question 50

Q

Refers to a technology that provides an abstraction of the computing resources used by some software, which thus runs in a simulated environmentcalled a virtual machine (VM).

Answer

A

Virtualization

Question 51

Q

A bot is a computer compromised by malware and under the control of a bot master (attacker).

Question 52

Q

Characteristics of APT include _(3)_____.(Advanced Persistent Threats)

Answer

A

A. Using zero-day exploitB. Low-and-slowC. Targeting high-value data

Question 53

Q

The best defense against being an unwitting participant in a DDoS attack

Answer

A

prevent your systems from being compromised

Question 54

Q

Both static and dynamic analyses are needed in order to fully understand malware behaviors

Question 55

Q

A Botnet can use _______ for command-and-control.

Answer

A

A. EmailB. HTTPC. IRC

Question 56

Q

In a ______ attack the attacker creates a series of DNS requests containing the spoofed source address for the target system.

Answer

A

DNS amplification

Question 57

Q

APT attacks

Answer

A

Boy in the middle–covertly changes a computer’s network routingClickjacking–web users unknowingly click on something that is not as it is portrayed.Man in the Browser–Modifies web pages covertlyMan in the middle–EavesdropsKeyloggers–covertly records keystrokes

Question 58

Q

Takes advantage of a previously unknown weakness or vulnerability in a system.

Answer

A

Zero-Day Exploit

Question 59

Q

APT Lifecycle

Answer

A

–Define target–Research target infrastructure/employees–Test for detection–deployment–establish outbound connections–exfiltrate data–remain undetected–Repeat

Question 60

Q

Advanced Persistent Threat (APT)

Answer

A

Advanced: Use special malwarePersistent: Long-term presence, multi-step, low-and-slowThreat: Data targeted is high valueTend to target specific organizations

Question 61

Q

Examples of Attacks/Frauds by botnets

Answer

A

–Spam–DDOS–Click fraud–Phishing and Pharming–Keylogging and data/ID theft–Key/password cracking–Anonymized terrorist and criminal communication–Cheat in online games and polls

Question 62

Q

Why DDoS attack?

Answer

A

Why DDoS attack?–Attacker does not need to use his own computer–So many computers involved in the attack, it is difficult to distinguish legitimate from malicious traffic

Question 63

Q

C&C design

Answer

A

–Must be efficient and reliable–Stealthy–Resilient

Question 64

Q

T/F: The botmasters prefer dynamic DNS servers

Answer

A

True: Because of the frequent change between domain name and IP address.

Answer 61

A

The way the bots look up a domain suggest the domain is most likely used for C&C.

Answer 62

A

Map the domain name to a sinkhole

Answer 63

A

Researchers can discover where the bots are in the net.

Answer 64

A

Attempts to understand what a malware instance would do if executed.

Answer 65

A

Attempts to understand what a program does when executed.

Answer 66

A

Fine-grained: Looking at instruction by instructionCoarse-grained: looking at function calls

Answer 67

A

A technique whereby parts or all of an executable file are compressed, encrypted or transformed in some fashion.

Answer 68

A

False: A number of legitimate programs use packing/unpacking

Answer 69

A

trap doors, logic bombs, trojan horses, viruses, browser plug-ins, extensions, scripts

Answer 70

A

Worms, botnets, APT

Answer 71

A

Hidden in an apparently useful host program

Answer 72

A

Infect a program by modifying it. Can self copy

Answer 73

A

–Dormant phase: Program infected, but virus has not been triggered–Propagation phase: Virus is being spread–Triggering phase: When the host program is run, the virus is run.–Execution phase: When the virus runs and performs malicious activities. (also looks to spread)

Answer 74

A

trojan horse

Answer 75

A

Virus code has to be physically inserted into the program code. The virus code runs first, then the original program. virus code may run last, too, to do any clean up. Program needs to run cleanly to avoid detection.

Answer 76

A

Parasitic virus: scan/infect programsMemory-resident virus: infect running programsBoot sector virus: Runs when the system is bootedMacro virus: executable program embedded in a word processing document; triggered when doc openedPolymorphic virus: encrypt part of the virus program using randomly generated key

Answer 77

A

Resides in OS. Modifies OS code and data structure. Can hide itself by manipulating functions that list directory contents.

Answer 78

A

–All OSes can be affected–Can modify hidden and read-only files–Can spread in any form–Cannot remain in memory after reboot, but since it is a part of the OS, it will return with the OS is restarted–Rootkits cannot affect HW that does not have FW–Rootkits are always malevolent

Answer 79

A

Use network connections to spread from system to system.

Answer 80

A

Prevention: Limit contact to outside worldDetection/IdentificationRemovalPrevention hampers productivity, so detection is preferred.

Answer 81

A

Simple scanners–use signatures of known viruses. not effective against polymorphic virusesHeuristic scanners–Integrity checking (checksum). Can be defeated by compressing file to have the same size as the pre-infection file.Activity traps: Look for specific activities that malware performs. Not effective against newer malware.Full-featured analysis: State of the art. Host-based, network-based, and sandbox-based.

Answer 82

A

–Efficient–Effective against known malware–good first line of defense

Answer 83

A

–Databases store massive amounts of sensitive data–Data has structure that influences how it is accessed–Accessed via queries or programs written in languages like SQL–Transactional nature of queries (done completely or not done at all)–Derived data or database views

Answer 84

A

Insiders and unauthorized users

Answer 85

A

–they store info that is easily monetized–they store info about a lot of users–query languages used to access data can be abused

Answer 86

A

RDBS tableA table is defined by a schema and consists of tuples

Answer 87

A

GRANT or REVOKE

Answer 88

A

SELECT, INSERT, UPDATE, or DELETE

Answer 89

A

–Do not allow aggregate query results when the set of tuples selected is either too small or too large (Perturbation)–De-identification: transform data by removing identifying info.–Anonymization: replace exact values with a more general values

Answer 90

A

Is not at the user discretion. Solves the problem of information control. Company decides who has access to data.

Answer 91

A

Labels are a key requirement. They indicate sensitivity and/or category of data. Indicate clearance/need-to-know requirements

Answer 92

A

Compartment.

Answer 93

A

FalseL1 > L2L2 < L1L1 and L3 are not comparable.

Answer 94

A

Developed by the DoDAssumes classification of data and clearances for subjects

Answer 95

A

Read-down rule (ss-property): user with label L1 can read the document with L2 only when L1 dominates L2Write-up rule (*-property): User with label L1 can write document with label L2 when L1 is dominated by L2.

Answer 96

A

States that classification of a subject or object does not change during a session.

Answer 97

A

Users should be able to access certain programs usser -> program -> obj

Answer 98

A

True. Only the company can decide roles of its employees.

Answer 99

A

SELinux and SCOMP

Answer 100

A

information flow problem (cannot control that if someone has access to a file would further share the contain of it)- in many organizations, the user does not get to decide how/who to share

Answer 101

A

indicate sensitivity/category/clearance/need-to-know- TCB associates labels with object/user- exact nature of label depends on model/policy

Answer 102

A

biba focuses on integrity while BLP focuses on confidentiality- biba read up, write down

Answer 103

A

functional correctness- maintain data integrity- protect disclosure of sensitive data- confidence

Answer 104

A

least privilege for users/programs- economy: keep trusted code as small as possible- open design: obscurity doesn’t work- complete mediation- fail safe default- easy of use

Answer 105

A

authentication- access control (MAC & DAC)

Answer 106

A

it needs to protect itself (tamperproof)

Answer 107

A

object reuse protection- disk blocks, mem reuse- allocate disk or mem, then look to see what’s left behind- zero out objs before use- secure file deletion- secure disk destruction

Answer 108

A

enforce all sec mechanisms- good isolation, small size- reference monitor controls access to objects- tamperproof- un-bypassable- analyzable

Answer 109

A

demonstrate the existence of problem

Answer 110

A

test case generation- code coverage- exponential number of different executions- different execution environments

Answer 111

A

checking a mathematical specification of a program- model checking, automated theorem proving- exponential time & space complexity

Answer 112

A

True. Model checking is a form of formal verification.

Answer 113

A

Decide who should have access to certain resources. An access control policy.2. Enforcement–only accesses defined by the access control policy are granted

Answer 114

A

abstract state: rows-users, column-resources- ACM[U,O] defines what access right user U have on object O Rows correspond to sources of the request (users/subjects/groups)Columns correspond to the resources that need protected

Answer 115

A

Access is at the discretion of its owner. Owner can grant access to other users and also allow or not allow the other users to propagate this access.

Answer 116

A

Columns for an object that define each users rights of that object. handle access to object Oi (column wise)

Answer 117

A

Capability List (C-List)Rows for a user that define that user’s rights for each object. - handle right of user Ui (row wise)

Answer 118

A

–In trusted part of system–Consists of access control entries–Should be stored along with other object meta-data–Checking requires traversal of the ACL

Answer 119

A

–It is per user–A capability is an unforgeable reference/handle for a resource–User catalogue of capabilities defines what a certain user can access–Can be stored in objects/resources themselves

Answer 120

A

Efficiency–ACL are not as efficient as C-ListAccountability–Can be found easily in ACL. With C-List, each user’s catalog must be checked to see if access ok.Revocation–Revoking access in ACL is easyMost OS uses ACL

Answer 121

A

The OS keeps track of info about each file and its metadata, called an i-node. Open files are stored in the meta-data table. The file must be active.

Answer 122

A

The access rights are associated by roles/jobs. Users can have more than one role.

Answer 123

A

–Policy need not be updated when a certain person leaves–new employee should be able to activate the desired role.–Start with minimum accessSELinux supports RBAC

Answer 124

A

mplies that when an access control policy is silent about access to a certain user, that access must be denied.

Answer 125

A

unforgeable reference/handle for a resource- user catalog of capabilities define defines what a certain user can access.

Answer 126

A

store c-list in objs, resources themselves

Answer 127

A

create new ACE, and add access right to that

Answer 128

A

ACL, which is good for accountability and revocation. C-list is only good for efficiency

Answer 129

A

capability (holder get access)

Answer 130

A

neg/deny found or transverse the whole list

Answer 131

A

each resource look like a file- each file has an owner- each file can possibly be accessed by owner, group or everyone-permission r,w,x- ACL implemented using bitmap, 9 bits

Answer 132

A

process call open file- openfile table get i (index) from i-node table and return to the process- ACL bit is stored at the same location on i-node table. This will grant access and point to the file data.

Answer 133

A

permission changed between checking and using

Answer 134

A

the uid of the process will be the owner

Answer 135

A

False “Distributed control mechanisms, using peer-to-peer protocols, are also used, to avoid a single point of failure.”

Answer 136

A

who are you? prove it!- the process making the request does it on behalf of a certain user, subject, or principal.- claims & verification about the identity.

Answer 137

A

Does this requester have permission to access this resource?

Answer 138

A

Availability: When the correct credentials are presented, the resources should be made available.No false negatives: A false negative is when a process presents the correct credentials, but access is denied.No false positives: A false positive is if the incorrect credentials are presented, but access is given.

Answer 139

A

Something only the user knows: password, pinSomething the user has: token, smart card, etc.Something the user is: fingerprint, iris scan, etc.

Answer 140

A

capture evidence2. compare it3. authenticate it

Answer 141

A

–guessing PW–impersonating a real login program (ie a trojan horse)–keylogging: grabs keystrokes to record password

Answer 142

A

Connection between the user and the TCB. Should be provided by the OS and hardware.

Answer 143

A

Keyboard and display must have trusted paths to OS

Answer 144

A

if we know the common passwords, we can figure out their hash- for dictionary and offline attacks, we have the dict and plenty of time (online system can stop the attack after a certain amount of trials)

Answer 145

A

negative outcome was generated falsely

Answer 146

A

try popular password first- rainbow table lookup

Answer 147

A

must have them- may require additional hardware- need user to confirm identity (challenge/response)- cost & misplaced trust

Answer 148

A

Hardware: I/o…Memory….CPUOperating Systems: Windows or Android, etcApplications run on operating system

Answer 149

A

Makes it easier to use resources. Allows for high-level abstractions like files- Hardware is controlled by the OS- Provides isolation (each process believes it is the only one running on the system)

Answer 150

A

trusted computing base/kernel- The operating system has direct control of the hardware resources.- The OS must determine who is an authorized user of the resources.

Answer 151

A

Complete mediation : the OS comes between the hardware resources and applications. The OS must make sure the application has the necessary authorizations.- The OS must be tamperproof.- The OS must be correct: the protected resources are used properly.

Answer 152

A

- Establish the source of the request (authentication - who?)- Authorization or access control does the source of the request have the right to access the resource.- The OS follows the policies for authorization and authentication

Answer 153

A

ask the OS for (access to) resources.- is often called protected procedure call- go through call gates (controlled/defined fashion)

Answer 154

A

user domain to OS domain (control transfer)

Answer 155

A

hardware support memory protection- processor execution modes/rings (system & user)

Answer 156

A

sysenter/sysexit

Answer 157

A

make sure no protected resources could be accessed w/o going through the TCB- TCB acts as a reference monitor that cannot be bypass

Answer 158

A

virtualizes physical resources and provides API- file for storing persistent data on disk- virtual resources must be translated to physical resource handle

Answer 159

A

secure coding with type safe language

Answer 160

A

–Using a hypervisor between OS and hardware–VMs on top of hypervisor have their own OS and apps (isolation)

Answer 161

A

pagesframes

Brainscape's Knowledge GenomeTM

Test 1 - Final Prep Flashcards

Brainscape's Knowledge Genome^TM