Computer Security Flashcards
(121 cards)
1
Q
What is the CIA traid in computer security?
A
Confidentiality: Prevent Unauthorised Disclosure
Integrity: Prevent unauthorised modification
Availability: Ensure service is always available when needed.
2
Q
Give one example each how to protect the CIA traid
A
- Confidentiality: Encrypting medical records.
- Integrity: Verifying bank transactions
- Availability: Maintaining data backups or redudant power.
3
Q
What are 2 common security trade-offs?
A
Security vs Usability (ease of use)
Accountability (audit trails) vs privacy
4
Q
Explain authenticity in security contexts
A
Authenticity = Integrity + Freshness, ensures data is both correct/genuine and recent.
5
Q
What are the 4 key security design principles?
A
- Focus of control (data, operations, users)
- Complexity vs Assurance
- Centralised vs Decentralised Controls
- Layered Security.
6
Q
What’s the difference between asymmetric and symmetric encryption?
A
Symmetric: Same key for encryption/decryption (fast, efficient but difficult key management)
Asymmetric: Public / Private key pair (simpler key management, computationally heavier)
7
Q
Describe stream vs block ciphers
A
Stream: Faster, continuous streams, XOR with keystream
Block: Fixed-size blocks, substitution/permutation (AES).
8
Q
Name three cryptographic attack models
A
- Ciphertext only
- Known-plaintext
- Chosen-plaintext
9
Q
What Diffie-Hellman helps with?
A
Allows two parties to create a shared secret securely over insecure channels (no private key shared.)
10
Q
What mathematical problems underpin RSA and Diffie-Hellman
A
RSA: Integer factorisation problem
Diffie-Hellman: Discrete logarithm problem
11
Q
Name three types of user credentials used in authentication
A
- Something you know: (password)
- Something you have: (security token)
- Something you are: (biometric)
12
Q
List 3 common problems with passwords
A
- Easily Forgotten
- Weak / Easily Guessed
- Vulnerable to attacks e.g. phishing and keylogging.
13
Q
What two key properties should strong hash functions have?
A
Non reversible (can’t retrieve original data)
Collision resistance (very unlikely two inputs produce the same hash)
14
Q
What is password salting and why is it important
A
Adding random data to passwords before hashing, slows cracking, prevents rainbow table attacks, unique per user.
15
Q
What’s the difference between a brute force and a dictionary atack
A
Brute force: tries every possible combination
Dictionary: Uses lists of common passwords / words applies variations.
15
Q
What is a rainbow table attack and how does password salting protect against it?
A
An attack using precomputed tables of plaintext passwords and their hashes to quickly find passwords from stolen hashes.
- Salting adds a unique random data to each password before hashing, making precomputed rainbow tables useless as attackers must recompute hashes individually for each salted password.
16
Q
Give examples of behavioural biometrics
A
Typing Patterns, posture, mouse movement, etc.
17
Q
List one disadvantage and two disadvanages of biometric authentication
A
Advantage: you’ll never lose or forget it.
Disadvantage:
1. Could happen a negative positive where the system wrongfully accepts a wrong biometric
2. Ethical / Privacy Issues
3. Can’t be changed if compromised since this is something that can’t be changed e.g. fingerprint.
18
Q
What’s the difference between OTP token and FIDO security key?
A
OTP: Temporary numeric code, manually entered
FIDO Key: Automatic public-key authentication (no manual codes)
19
Q
State one pro and one con of using password managers
A
Pro: Generates strong, unique passwords; convenient and all passwords can be kept in one place.
Con: Master password is single point of failure; attractive hacking target.
20
Q
Why is MFA more secure?
A
It just adds an extra layer of authentication, making accounts harder to compromise.
21
Q
What are the 3 key properties of a reference monitor?
A
Tamper-proof
Always invoked on access
Small enough to analyse and verify
22
Q
What is the difference between a security kernel and a Trusted Computing Base?
A
Security kernel: part of the system enforcing access control
TCB: Includes the kernel + all trusted protection mechanisms.
23
Q
What is controlled invocation?
A
Mechanism to safely run priveleged operations (e.g. system calls)
24
Why lower is better for security?
Fewer layers can bypass it, simpler and faster to very, better protection against low-level attacks
25
What is the purpose of page tables in modern OS memory management?
Map logical (virtual) memory addresses to physical memory locations,
Enable per-process address spaces,
enforce seperation and protection.
26
What is a reference monitor?
It can be seen as a mediator to access objects (resources in the system), but in reality it implements access control of users and their actions to protect resources.
27
What is the security role of the OS?
1. Indentification
2. Authentication
3. Access control
4. Auditing
28
What's the difference between a principal and a subject in linux security?
Principal: an entity that can be authenticated and identified by a system to gain access to an object or resource.
Subject: an active entity like a process running as an entity (user?)
29
What do the numbers in chmod 754 represent?
7 (user): rwx
5: (group): r-x
4: (others): r--
Each digit is a sum of Read (4), Write (2), Execute (1)
30
What's the difference between etc/passwd and /etc/shadow?
/etc/passwd: stores usernames, UIDs and GIDs, home directories, login shells
/etc/shadow: stores hashed passwords, readable only by root for security.
31
Why is the UID 0 special in linux?
UID 0 is hardcoded in the linux kernel for root.
Grants unrestricted access; not safe to reassign or misuse.
32
What does SUID bit do? and why can it be dangerous?
Allows a file to run with the priveleges of its owner, e.g. root and can be exploited if the executable has vulnerabilities.
33
What is an access token in Windows, and what does it contain?
A data structure issued at login that contains: User SID, Group SIDs, Priveleges and default settings for new objects.
It's attached to every process you run and controls what resources it can access.
34
How is Windows access control different from Unix/Linux? and what are its permissions?
Windows uses Access Control Lists (ACLs) with more detailed permissions like:
- Read, Write, Execute
- Take ownership
- Change Permissions
- Delete
Whereas unix uses simpler rxw permissions for user, group and others.
35
What is a UAC in windows
User Account Control - and it's used to give admins users 2 access tokens.
1. A restricted one (default)
2. A full one (used only when explicitly approved), prevents silent privelege escalation by malware or scripts.
36
What's the difference between a local and a domain login in Windows?
Local login uses Security Account Manager (SAM) and NTLM.
Domain login uses Active Directory and Kerberos.
Domain login allows single sign-on and centralised user management.
37
What is a SID and who are considered principals in Windows?
It's a Security Identifier (unique string for each principal), includes users, groups and machines.
38
What is a malware and how is it commonly classified?
Malicious Software and it's usually classified as how it spreads, and what it does
39
What is the difference between virus and a worm?
Virus: attaches to files and needs human action to spread.
Worm: self-replicates and spreads automatically using vulnerabilities no human needed.
40
What is a trojan and how is a ransomware related to it?
A trojan is a malware that impersonates a legitimite software but it's malicious, ransomware is a type of trojan that encrypts files and demands payments.
e.g. cryptolocker
41
What is a zero-day exploit and why is it dangerous?
It's when an exploit is found / vulnerability in the system that no one knows about, it's dangerous because it's unexpected, and takes a few days to be fixed and no one knows the fix when it happens.
42
What are vectors and payloads in malware
43
What was the stuxnet? and why is it notable?
It was a worm malware that used 4 zero-day exploits to target industrial equipment (centrifuges), and it was notable because it demonstrated how malware could cause physical damage.
44
What is a buffer overflow? and why is it dangerous?
A buffer overflow is when a program writes more data to a buffer than it can hold, it may overwrite adjacent memory - like return addresses and attackers can exploit this to take control of program execution e.g. injecting shellcode.
45
What is stack smashing and what's usually overwritten?
A type of buffer overflow that overwrites the stack, including the return address to hijack execution flow.
46
What are the stack canaries and how they protect against buffer overflows?
It's a known value placed before the return address, if it changes the program, the program knows the stack was corrupted and exits
47
What is DEP and hows does it prevent exploitation? and who sets this?
DEP marks memory regions like the stack as non-executable. This prevents code injected via buffer overflows from running. This is a hardware and os level against exploits.
48
What is Return-Oriented Programming (ROP)
ROP avoids code injection by chaining short existing code snippets called gadgets, the attacker builds a fake stack to execute arbitrary logic using only existing code.
49
What is a race condition in software security?
A vulnerability where timing between 2 operations allows an attacker to interfere.
50
What do confidentiality, integrity and availability mean in database security?
Confidentiality: keep data private (e.g. salaries, health records).
Integrity: Ensure data is accurate and correct.
Availability: Data must be accessible when needed.
51
What are SQL priveleges and how are they managed?
SQL privileges define what actions (e.g., SELECT, INSERT) a user can perform on database objects (e.g., tables, views), based on permissions granted by the database system.
52
Why are SQL views useful for security?
Views allows users to see only part of a table, hiding sensitive data because it doesn't store data only parts of a table
53
What is an inference attack in a statistical database
It's when someone uses aggregate queries (e.g. SUM AVG) to deduce private data, e.g. if total salaries 100k and total excluding the boss is 70k then the boss earns 30k
54
What is an SQL injection attack and how does it work?
It happens when user input is inserted into SQL query without sanitasation, allowing attackers to manipulate the query.
55
What is blind injection?
An attack infers data from responses, e.g. presence/absence of a page, even if errors are not shown. It just tries values.
56
What is second-order SQL injection?
The attacker stores malicious input (e.g. in a username) which gets executed later in a different query.
57
How to prevent SQL injection?
1. Use parameterised queries
2. Sanitse user input
3. Use stored procedures
4. Apply least privelege
5. Avoid string-based query building.
58
What is the difference between IDS and IPS?
IDS (Intrusion Detection System): detects attacks and logs or alerts
IPS (Intrusion Prevention System): detects and actively blocks attacks
59
Host based vs Network-based IDS
HIDS: Monitors a single device's CPU, memory, files, processes, etc.
NIDS: Monitors a network traffic, looking for suspicious packets.
60
How does Signature-Based Detection work?
Matches traffic or behaviour to known attack patterns (signature).
Fast and reliable to known threats but can't detect new ones.
61
What is anomaly-based detection in IDS?
Builds a profile of "normal" behaviour.
Flags anything that deviates significantly
Can detect unknown attacks but may cause false positives.
62
What is a stateful protocol analysis in IDS? and give an example e.g. TCP
Security technique in IDS Understands how a protocol should behave.
Detects misuse (e.g. unexpected command sizes or sequences)
Accurate but slow and requires up-to-date protocol definitions.
E.g. learns TCP protocol meaning it will know that tcp keeps conversations with packets being received and things and also knows like let's say it always sends x bits of packet, if it sends 100000x more than the normal x it will be flagged.
63
What is snort and what does it do?
A free and widely-used signature-based IDS
Uses rules to match traffic patterns and detect known attacs e.g. nmap scans
64
How is machine learning used in IDS?
Learns patterns of normal vs abnormal behaviour from data.
Can predict attacks
Good for complex threats but needs training data and has scaling issues.
65
What is the main trade-off in intrusion detection?
False Positives: normal activity flagged as a threat
False Negatives: Threats not detected.
Balancing Sensitivity is always a challenge.
66
What's the difference between transport mode and tunnel mode in IPsec?
Transport mode: Only encrypt the payload and it's used for host-to-host communication
Tunnel Mode: Encrypts the entire packet (header+payload) used for VPNs and gateway-to-gateway
67
What's the Difference between ESP and AH in IPSec protocols?
ESP (Encapsulation Security Payload): Provides confidentiality, integrity and authentication
AH (Authentication Header): Provides authentication and integrity only, no encryption.
68
What is a VPN and how does it relate to IPSec?
A Virtual Private Network, is a secure tunnel over an insecure network. Often implemented using IPSec in tunnel mode to protect all data in transit between endpoints.
69
What is Address Resolution Protocol (ARP) cache poisoning?
An attacker sends a fake ARP reply linking their MAC to a real IP (e.g. the router). Victim updates its ARP cache and sends traffic to the attacker enabling MITM attacks.
70
How does DNS spoofing work and how can it be prevented?
DNS Spoofing works by an attacker guessing the Transaction ID and Port Number of a DNS response then the attacker can poison the resolver's cache people are using and replace a webiste lookup with our IP. It can be prevented by randomising transaction id and port number but also by using IDS e.g. snorts.
71
What is the TCP session hijacking and how is it mitigated?
If the attacker can guess the next sequence number then they can inject malicious packets into a TCP session, it can be prevented by randomising the initial sequence numbers and using encryption e.g. TLS
72
What is network segmentation and why is it used?
Network segmentation is the way of breaking a network into smaller parts, so that if one part is affected not the whole network is affected.
73
What is zero trust in network security?
Zero trust is an architecture that says we should never trust it and always verify it, even inside the network.
Includes: mutual authentication, least privilege, segmentation, and context-aware access.
74
Compare WEP, WPA2 and WPA3 in terms of Wi-Fi Security
WEP -> Weak and easily broken because the key is too small is only a 40 bit key.
WPA2 -> Good and widely used but still has some issues (Stronger: 128-bit key)
WPA3 -> Strongest, fixes WPA2 handshake flaws e.g. KRACK - not fully (but not compatible with all devices)
75
What is an evil attack and how is it related to a KARMA attack?
Evil attack -> attacker creates a wifi access point with the same SSID to steal data or credentials
Karma: Attacker listens for device's saved SSIDs and responds with matching fake networks to get connected.
76
What is the KRACK attack and what does it exploit
A vulnerability in WPA2's handshake process that allows attackers to replay packets and decrypt data.
77
How does a TCP SYN flood cause a DOS and how can it be prevented?
The attacker send many SYN requests but never completes the handhsake. The server holds resource for "half-open" connections and eventually becomes overwhelmed. Just drop half-open connections and only allocate any memory after receiving a valid ACK, so pretty much stateless until the client proves legitimacy.
78
What is an amplification attack in network security?
the attackers sends small requests that trigger large responses to a victim by spoofing their IP.
79
How does DNS amplification work and why is it dangerous?
A small query e.g. ANY gov.uk is sent to an open DNS server with the victim's IP. The server then sends a large response to the victim, overwhelming their bandwidth.
80
Which protocol is commonly used to secure wi-fi networks?
WPA2
81
What does a firewall do?
A firewall monitors and controls any incoming/outgoing network traffic using rules.
82
What is a DMZ?
A buffer subnet that hosts public-facing services, isolated from the internal network.
83
What's the difference between a host-based and network firewalls?
A host-based firewall protects individual machines whereas a network firewall protects all devices on a Local network (LAN)
84
Why does NAT improve security?
Because it hides internal IPs from the internet dropping unsolicited packets automatically.
85
in iptables, what happens if no rule matches?
The default policy for the chain applies. (either DROP or ACCEPT)
86
Why is restrictive policy safer?
Because it blocks everything by default only allowing what's explicitly listed.
87
What types of entries can you expect to see in a connection table for a stateful packet filtering?
1. Source Port
2. Source IP Address
3. Destination IP Address
4. Destination Port
5. Connection State
88
Why are cookies needed in HTTP?
HTTP is stateless meaning it needs cookies for persistance and tracking
89
What's the difference between reflected and persistent in XXS?
Reflected: javascript injected throught the URL, persistent: javascript stored on the site e.g. comments which is executed everytime the any user opens that web browser.
90
How does CSRF exploit user trust?
It uses the user's browser and cookies to submit requests they didn't intend to.
91
What's one way to stop CSRF?
Include a unique token in every form and validate it on the server-side.
92
CSFRG Why is escaping user input so important?
To prevent scripts from being executed in the browsers (XSS attacks).
93
What is TLS?
A protocol that provides encrypted and authenticated communication over the internet
94
What are the 2 main layers in TLS?
1. Handshake layer - Sets up a secure connection (key exchange, authentication)
2. Record layer - sends encrypted application data using session keys.
95
What are the 5 major steps in a TLS Handshake? (1.2)
1. Client Hello
2. Server Hello
3. Server Authentication + Certificates
4. Key Exchange (ECDHE)
5. Finished Messages (encrypted + MAC and hashed etc as agreed.)
96
What is a cipher suite?
The combo of algorithms, key exchange, authentication, encryption and hashing
97
What does ephemeral mean in ECDHE?
means a new key for every session which means forward secrecy
98
What is the role of certificates in TLS?
Is to provide server's identity using a public key verified by a trusted CA
99
How is trust established in certificates?
Through a chain of trust
end-entity certificate -> intermediate certificate signed by a root certificate -> root certificate
100
What is a protocol downgrade attack?
Forcing two parties to use a weaker version of TLS (SSL3) to exploit old vulnerabilities
101
What is the main problem with PKI?
Is that, if one CA is trusted, all its signed certs are trusted and if one is bad then can break the chain.
102
How are revoked certs handled?
With CRLS (Certificate revocation lists) or OCSP (live status check) though clients often don't chem them properly
103
How does meltdown and spectre work?
meltdown and spectre take advantage of how CPUs guess which instruction to run next even without checking access rights, and use the cache to infer protected data and by doing this they bypass the security enforced by os in these memory
104
What is a side-channel attack?
A side channel attack is an attack that exploits indirect signals like timing, cache usage to infer protected data.1
105
What is address space translation?
It's how the CPU translates virtual addresses into physical memory.
106
address space layer randomisation
Security technique that randomises the memory addresses used by key parts of a program such as stack or heap, etc...
107
What does can't be tampered means?
can't be changed / altered.
108
Differences between paging and segmentation? and why it's segmentation not used anymore.
Paging means it splits memory into fixed-length pages whereas segmentation divides memory / splits memory into logical units.
Segmentation is not used anymore because it's very challenging for memory management, good for security but so is paging.
Paging is used nowadays because it's good for memory management, and also its good for security the only downside is it's not great for access control since there is a lot to worry / think about.
109
How are ownerships of files dealt with in linux? (e.g. discretionary vs mandatory)
Discretionary means the owner decides who accesses the file
Mandatory means a system-wide policy of who can access what.
110
What is a group? in Windows and Linux and why is it used.
Group is quite a simple term which means a collection of users and it's used to give similar users the same access rights e.g. UoN students every year they need the same access rights accounts.
111
Difference between the files /etc/passwd and /etc/shadow
/etc/passwd stores user information, e.g. permissions and UID, GID
/etc/shadow stores hashes of the user's passwords.
112
Why Increase rounds of hashing is good?
Increases complexity and makes it computationally heavier meaning its harder to brute force
113
Why are Access Control Matrix (ACM) not used anymore? and why is Access Control Lists better?
ACMs -> can't scale because of the limitation of memory, think about like 10k users, storing all of that data and also the empty entries in the tables just lose memory.
ACLs -> objects actually hold/knows who is allowed to access it, making it much easier to manage and to scale.
114
Explain the login process of a local user Windows
1. User inputs password in interactive logon, 2. LSA receives the credentials and passes to NTLM so that it can be checked. 3. NTLM then hashes the password and compares it to the hash stored in the SAM database. 4. After sam has checked and authorised the login, LSA creates its access token and logs its stuff.
115
What are the types of cookies?
1. Session - Deleted when browser exits
2. Persistent - expire at a given time
3. Secure - can only be used over HTTPS
4. HTTPOnly - inaccessible from JS
116
What is the time of check to time of use? and why is it an issue?
TOCTTOU is a race condition where a program checks a resource (file, permission, etc.) then later uses it, but the resource changes in between.
An attacker can exploit the time gap by changing the resource after it's checked but before it's used, causing the program to act on malicious or unintended data.
117
Explain the process of an OS making a discretionary access control decision for a principal performing an operation on an object on Windows
Remember Discretionary = owners sets who can access the object, mandatory = system-wide policy meaning the OS sets the rules of who can access what.
Process:
1. Every user has an access token that includes its User ID and Group ID.
2. The reference monitor will get this access token to be able to compare and match if it can find an entry in ACL where the user is allowed / permitted to do such action, if so then access is granted, if not access is denied.
118
What's the difference between an Application Gateway and Stateful Protocol Analysis in IDS?
Application gateway: enforces security policies at the firewall level by understanding application protocols e.g. SSH / HTTP etc.
where as stateful protocol analysis is used more for the network and to understand malicious packets coming through the internet used in IDS e.g.
119
What is heuristic-based detection?
heurisitic based detection looks for patterns and behaviours or code traits that are commanly found in malware even if it's not a known virus.
120
Explain signature-based detection, anomaly-based detection and heuristics-based detection differences.
Signature-based detection: has seen the malware before and knows what to look for if it was to come through the network and what to flag.
Anomaly-based detection: Builds a normal profile/base of what it is like for the system behaviour and anomalies within system behaviour could be flagged.
Heuristics: similar to anomaly but, it doesn't know what is normal for the system behaviour but it knows what to look for in terms of traits, behaviours and patterns of malware and that is what flags if found.
