Chapter 1 - Secure Software Concepts Flashcards

1
Q

What is the iron triangle?

A

Schedule, Scope, and Cost.

2
Q

What are the core security concepts?

A

Confidentiality, Integrity, Availability.

3
Q

What is authentication?

A

The security concept that answers the question “Are you who you claim to be?”

4
Q

What is nonrepudiation?

A

Deniability of actions taken by either a user or software on behalf of a user.

5
Q

What is a clipping level?

A

A predetermined, baseline level of allowable errors, such as user errors.

6
Q

What is economy of mechanism?

A

Keep it simple. Complexity -> greater vulnerabilities.

7
Q

What is complete mediation?

A

A security principle that ensures that authority is not circumvented in subsequent requests of an object by a subject by checking for authorization (rights and privileges) upon every request for the object.

8
Q

Least Common Mechanisms

A

The security principle of least common mechanisms disallows the sharing of mechanisms that are common to more than one user or process if the users and processes are at different levels of privilege.

9
Q

What is a vulnerability?

A

A weakness or flaw that could be accidentally triggered or intentionally exploited by an attacker, resulting in the breach or breakdown of the security policy.

10
Q

What is a threat?

A

A threat is merely the possibility of an unwanted, unintended, or harmful event occurring.

11
Q

What is a threat agent?

A

Anyone or anything that has the potential to make a threat materialize is known as the threat source or threat agent.

12
Q

What is an attack?

A

When the threat agent actively and intentionally causes a threat to happen, it is referred to as an “attack” and the threat agents are commonly referred to as “attackers.”

13
Q

How do you quantify risk?

A

Risk is conventionally expressed as the product of the probability of a threat source/agent taking advantage of a vulnerability and the corresponding impact.

15
Q

What is SLE?

A

It is calculated as the product of the value of the asset (usually expressed monetarily) and the exposure factor, which is expressed as a percentage of asset loss when a threat is materialized.

SLE = ASSET VALUE ($) × EXPOSURE FACTOR (%)

16
Q

What is exposure factor?

A

The percentage of asset loss when a threat is materialized.

17
Q

What is ARO?

A

The ARO is an expression of the number of incidents from a particular threat that can be expected in a year.

18
Q

What is ALE?

A

ALE is an indicator of the magnitude of risk in a year. ALE is the product of SLE × ARO.

19
Q

When should you accept risk?

A

When the cost of mitigating the risk exceeds the risk of accepting it.

20
Q

What are the 4 risk management options?

A

Avoid
Transfer
Mitigate
Accept

21
Q

What is crossover error rate?

A

The point at which the false rejection rate equals the false acceptance rate.

22
Q

What should a security policy specify?

A

What needs to be protected and the repercussions of noncompliance. Goals and objectives.

23
Q

What are the benefits of adopting a coding standard?

A

Consistency in style, improved code readability, and maintainability are some of the nonsecurity related benefits one gets when they follow a coding standard.

24
Q

What is instrumentation?

A

Instrumentation is the inline commenting of code that is used to describe the operations undertaken by a code section.

25
What are the 12 PCI-DSS foundational requirements?
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmissions of cardholder data across open, public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
26
What is NIST SP 800-64?
Security considerations in the System Development LifeCycle.
27
What is NIST 800-12?
Introduction to Computer Security
28
What are the categories of information system security controls?
Management, operational, and technology.
29
What is NIST 800-14?
Generally Accepted Principles and Practices for Securing IT Systems
30
What is NIST 800-30?
Risk Management Guide for IT
31
What is NIST 800-100?
Information Security Handbook: A Guide for Managers
32
What is ISO/IEC 27000:2009?
Information Security Management System (ISMS) Overview and Vocabulary
34
What is ISO/IEC 27001:2005?
Information Security Management Systems
35
What is ISO/IEC 27002:2005?
Code of Practice for Information Security Management
36
What is ISO/IEC 27005:2008?
Information Security Risk Management
37
What is ISO/IEC 27006:2007?
Requirements for Bodies Providing Audit and Certification of Information Security Management Systems
38
What is ISO/IEC 15408?
Evaluation Criteria for IT Security (Common Criteria)
39
What are EALs?
Evaluation Assurance Levels
40
What are SFRs?
In the Common Criteria, they are Security Functional Requirements.
41
What are SARs?
In the Common Criteria, Security Assurance Requirements.
42
What is a PP?
Protection Profile in the Common Criteria. Used to create a set of reusable, generalized security requirements.
43
What is CC EAL 1?
Functionally tested
44
What is CC EAL 2?
Structurally tested
45
What is CC EAL 3?
Methodically tested and checked
46
What is CC EAL 4?
Methodically designed, tested, and reviewed
47
What is CC EAL 5?
Semiformally designed and tested
48
What is CC EAL 6?
Semiformally verified design and tested
49
What is CC EAL 7?
Formally verified design and tested
50
What is ISO/IEC 21827:2008?
System Security Engineering Capability Maturity Model® (SSE-CMM)
51
What is ISO/IEC 9216?
Software Engineering Product Quality
52
What are the six quality characteristics specified by ISO/IEC 9216?
functionality, reliability, usability, efficiency, maintainability, and portability
53
What does FIPS 140-2 specify?
Security Requirements for Cryptographic Modules
54
What does FIPS 197 specify?
Advanced Encryption Standard
55
What does FIPS 201 specify?
Personal Identity Verification (PIV) of Federal Employees and Contractors
56
What is AES?
The AES algorithm is a symmetric block cipher that can be used to encrypt (convert humanly intelligible plaintext to unintelligible form called cipher text) and decrypt (convert cipher text to plaintext).
57
What are the OWASP top 10?
1. Injection
2. Cross-site scripting
3. Broken authentication and session management
4. Insecure direct object references
5. Cross-site request forgery
6. Security misconfiguration
7. Failure to restrict URL access
8. Unvalidated redirects and forwards
9. Insecure cryptographic storage
10. Insufficient transport layer protection
58
What is OCTAVE?
Operationally Critical Threat, Asset, and Vulnerability Evaluation
59
Who developed OCTAVE?
Carnegie Mellon
60
What are the phases of Octave?
1. Build asset-based threat profiles
2. Identify infrastructure vulnerabilities
3. Develop security strategy and plans
61
What is STRIDE?
A threat modeling methodology (Howard & LeBlanc, 2003) that is performed in the design phase of software development, in which threats are grouped into six broad categories.
62
What are the 6 categories of threats in STRIDE?
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
63
What is DREAD?
A risk calculation or rating methodology
64
What are the five dimensions of DREAD?
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
65
What is OSSTMM?
Open Source Security Testing Methodology Manual
67
What is a STAR? What produces it?
A Security Test Audit Report. OSSTMM
68
What is FHM?
The Flaw Hypothesis Method (FHM) is, as the name suggests, a vulnerability prediction and analysis method that uses comprehensive penetration testing to test the strength of the security of the software.
69
What are the phases of FHM?
Phase 1: Hypothesizing potential flaws in software.
Phase 2: Confirmation of flaws by conducting actual simulation penetration tests and desk checking tests.
Phase 3: Generalization of confirmed flaws to uncover other possibilities of weaknesses in the software.
Phase 4: Addressing the discovered flaws in the software to mitigate risk.
71
What is Six Sigma?
A methodology that measures quality with a target of no more than 3.4 defects per million opportunities.
72
What are the key submethodologies in Six Sigma?
DMAIC (define, measure, analyze, improve, and control), which is used for incremental improvement of existing processes that are below Six Sigma quality.
DMADV (define, measure, analyze, design, and verify), which is used to develop new processes for Six Sigma products and services.
73
What is CMMI?
Capability Maturity Model Integration
74
What is SCAMPI?
Standard CMMI Appraisal Method for Process Improvement
75
What are the 5 CMMI levels?
Initial (Level 1): Processes are ad hoc, poorly controlled, reactive, and highly unpredictable.
Repeatable (Level 2): Also reactive in nature; the processes are grouped at the project level and are characterized as being repeatable and managed by basic project management tracking of cost and schedule.
Defined (Level 3): Level 2 deals with processes at the project level, but at this level the maturity of the organizational processes is established and improved continuously. Processes are characterized, well understood, and proactive in nature.
Managed Quantitatively (Level 4): At this level, the premise for maturity is that what cannot be measured cannot be managed, and so the processes are measured against appropriate metrics and controlled.
Optimizing (Level 5): At this level, the focus is on continuous process improvement through innovative technologies and incremental improvements.
76
What is the Zachman Framework?
A 6 × 6 matrix that factors in six reification transformations (strategist, owner, designer, builder, implementer, and workers) along the rows and six communication interrogatives (what, how, where, who, when, and why) as columns.
77
Describe SABSA.
Sherwood Applied Business Security Architecture: a framework for developing risk-based enterprise security architectures and for delivering security solutions that support business initiatives. It is based on the premise that security requirements are determined from the analysis of the business requirements. It has layers (View / Security Architecture Level):
Business / Contextual
Architect / Conceptual
Designer / Logical
Builder / Physical
Tradesman / Component
Facilities manager / Operational
79
What is SOX?
The Sarbanes–Oxley (SOX) Act, enacted in 2002 to improve quality and transparency in financial reporting and in independent audits and accounting services for public companies.
80
BASEL II
A European financial regulatory act that was originally developed to protect against financial operations risks and fraud.
81
Gramm–Leach–Bliley Act (GLBA)
A financial privacy act that aims to protect consumers’ personal financial information (PFI) held by financial institutions.
82
HIPAA
Health Insurance Portability and Accountability Act
83
Data Protection Act
Declares that personal data protection is a fundamental human right and requires that personal data that are no longer necessary for the purposes for which they were originally collected must either be deleted or modified so that they can no longer identify the individual from whom the data were originally collected.
84
Computer Misuse Act
Computer misuse such as hacking, unauthorized access, unauthorized modification of contents, and disruptive activities like the introduction of viruses are designated as criminal offenses.
85
California State Bill 1386
SB 1386 requires that personal information be destroyed when it is no longer needed by the collecting entity.
86
What kind of model is Bell-LaPadula?
Confidentiality
87
List the Confidentiality Models.
Bell-LaPadula
88
What kind of model is Biba?
Integrity
89
What kind of model is Clark and Wilson?
Integrity
90
What kind of model is Brewer and Nash
Access Control
93
What is BLP primarily concerned with?
The Bell-LaPadula model is primarily concerned with disclosure.
94
What is the simple security property?
If you have read capability, you can read data at your level of secrecy or lower, but not higher. AKA, "no read up".
95
What is the star (*) security property?
If you have write capability, you can write data at your level of secrecy or higher, but not lower. "No write down".
96
What is the strong star security property?
If you have both read and write capability, you can only read and write at your level of secrecy.
97
What is the Biba model primarily concerned with?
Modification or alteration of data.
98
What other model is Biba considered equivalent to as far as integrity goes?
Bell-LaPadula
99
What is the invocation property?
It's the difference between Biba and Bell-LaPadula. Subjects can't send messages to objects with higher integrity.
100
Describe the Clark and Wilson Model.
A security model that uses access triples, which require that a subject may only modify an object through a trusted program or application.
101
Describe the Brewer and Nash Model.
Chinese Wall. Individuals may access data as long as there is no conflict of interest. If you access data for client A, who competes with client B, you may not access client B's data.
102
What operates in Ring 0?
The OS/kernel.
103
What operates in Ring 1?
I/O utilities
104
What operates in Ring 2?
Drivers
105
What operates in Ring 3?
User applications
106
What is the "security kernel"?
The hardware, firmware, and software elements of a TCB.
107
What are the 4 basic functions of the TCB?
1. Process activation
2. Execution domain switching
3. Memory protection
4. Input/output operations
108
What is the reference monitor?
The reference monitor is an abstract concept that enforces or mediates access relationships between subjects and objects.
109
What is a subject?
Subjects are active entities that request a resource.
110
What is an object?
Objects are passive entities and examples of this include a file, a program, data, or hardware.
111
What attributes should the reference monitor have?
Tamper proof
Always invoked (can't be circumvented)
Verifiable
112
What is a rootkit?
Authors Hoglund and Butler in their book, Rootkits, define a rootkit as “a set (kit) of programs and code that allows an attacker to maintain a permanent or consistent undetectable access to ‘root,’ the most powerful user on a computer.”
113
What is the TPM?
Trusted Platform Module. The TPM is a specification used in personal computers and other systems to ensure protection against disclosure of sensitive or private information, as well as the implementation of the specification itself. The implementation of the specification, currently in version 1.2, is a microcontroller commonly referred to as the TPM chip, usually affixed to the motherboard (hardware) itself.
114
What does the TPM chip do?
A TPM chip can be used to uniquely identify a hardware device and provide hardware-based device authentication. It can be complementary to smartcards and biometrics, and in that sense facilitates strong multifactor authentication and enables true machine and user authentication by requiring the presentation of authorization data before disclosing sensitive or private information.
115
What is the "cold boot attack"?
See Chapter 7.