Exam2 Flashcards
(20 cards)
How can you provide access to data in a dynamic organization?
The use of roles, tasks and resources. You would assign some user to a role, which would then have access to a given resource to complete a given task.
Please describe what the M-cube is.
The McCumber cube was an early systematic way to organize thinking about security. It has 3^3 = 27 total combinations. It is split up into:
1. Qualities of Data - CIA
a. Confidentiality of Data
b. Integrity of Data
c. Availability of Data
2. Protection of Data - HPT
a. Human Factors
b. Policy/Practices
c. Technology
3. Vulnerabilities of Data - TSP
a. Transmission
b. Storage
c. Processing
A firewall has been proposed to protect the college's research campus from international hackers. Critics rebut that the FBI believes the international hackers are students who are on campus.
An adversary sounds a fire alarm and, within the confusion, gains access to a building and the server room by exhibiting different types of people to gain access.
How can you make it easier for a generelless manager to access information within an organization?
Which aspect of the M-cube has been publicly identified by Kevin Mitnick?
Social Engineering - because he believes that people are the weakest security link.
Hackers claim to intersect fake trades in the stock exchange, making the prices unreliable.
A campus imaging database holds all documents of a researcher who passed suddenly. The documents include a study of drug-addicted war vets and of their war crimes. The documents hold the medical/legal records of the person(s), and the University doesn't know about this other than a database specialist who accidentally found the information.
What is the smallest possible matrix for privileges for people and database objects?
ACL - Access control list, which is a table that shows which users have access rights to different system objects/files/data/etc. within a system.
Give at least three different reasons to uncouple people from making data decisions.
a. Leaving links between data and people will leave data orphaned due to staff turnover.
b. Human resource choices should not be manipulated by database specialists.
c. Privilege leakage - access to one set of data in turn also grants access to other data they were not supposed to have.
Identify and describe 3 ethical principles for conducting research on access control on humans.
Respect for persons - recognition that people are autonomous and entitled to their own opinions.
Beneficence - people are treated in an equal manner and their well-being is secured.
Justice - who receives the benefits of the research and who bears the burdens.
What is a zero-day vulnerability?
A zero-day vulnerability is a software bug that is unpatched within a system, which hackers can use to potentially exploit the system they are attacking.
Describe as many things as you can from the OWASP (Top 10).
a. Broken Access Control - users being able to act outside of their intended permissions.
b. Injection - SQL injection.
c. Authentication failures - able to log in without correct credentials.
d. Logging failures - not deleting logs after a given time period.
What was the usage of passwords during the October 2016 attack?
The usage of passwords during this attack was through the malware called Mirai, which attacked IoT devices and scanned for more IP addresses. It would then iterate through a list of 60 default usernames and passwords to infect new devices.
How does a SALT differ from the 56-bit secret?
The 56-bit secret was a two-way transaction, meaning you can turn the encrypted data back into normal. With a salt it is much, much harder to do.
What types/kinds of permissions can be given to users with sensitive data?
What is a crypto SALT?
A SALT is random data that is used as an additional input to a one-way function that hashes data.
PCI DSS Requirement 6 - list 7 ways to protect
a. Establish a process to identify security vulnerabilities
b. Ensure all system components and software are protected
c. Develop internal and external software apps
d. Examine policies and procedures to verify test data
e. Address common coding vulnerabilities in software
f. Address new threats on an ongoing basis
g. Ensure policies are documented
How do you classify adversaries?
Individuals
Corporate Entities
Nation-States
Describe 3-factor authentication. Include one barrier to its acceptance.
a. Something you are, know, have (biometrics, password, token (keychain))
b. Meaning...
- biometrics
- password
- token
c. One barrier - all of these can live on a single device (your phone), and if you lose your phone you are screwed.