Flashcards in Information Security Deck (47)
In the context of information security what do you need to assess before you can determine the risk you are facing?
Asset values, threats, and vulnerabilities.
Briefly explain the difference between Constrained Data Items (CDIs) and Unconstrained Data Items (UDIs) in the Clark-Wilson model.
CDIs are data items whose integrity has to be upheld; they may only be changed by certified Transformation Procedures (TPs). Data items for which this is not the case are called UDIs.
Is a person who certifies Transformation Procedures allowed to execute them?
No, this would violate the concept of separation of duty: different subparts of a task should be executed by different persons to make fraud more difficult.
Briefly describe the basic tendency of human nature that is exploited during a social engineering attack and give a brief example of an attack using this approach.
Social engineering exploits basic tendencies of human nature: authority, liking, reciprocation, consistency, social validation, and scarcity. Example (authority): a caller claiming to be from the IT department asks an employee to "confirm" their password so that an urgent problem with their account can be fixed.
Briefly explain the difference between an arbitrated and an adjudicated protocol.
An arbitrated protocol always requires a trusted third party in order to work. In an adjudicated protocol the trusted third party only gets involved if there is a dispute.
Briefly describe the three most common ways of authenticating users.
• "Something you have": a physical device, e.g., a key
• "Something you know": present secret knowledge, e.g., a password
• "Something you are": a physical characteristic, e.g., an iris scan
Briefly explain the main difference between a restricted cryptographic algorithm and a key-based one.
i. The security of a restricted algorithm relies on being kept secret.
ii. In a key-based algorithm the algorithm itself can be published, all the security lies in the key.
Which is the better choice: a restricted cryptographic algorithm or a key-based one?
A key-based algorithm (Kerckhoffs's principle: the security must lie in the key, not in the secrecy of the algorithm). A published algorithm can be scrutinised by experts in the field, uncovering potential weaknesses and making the algorithm more secure. If a participant using the algorithm loses the trust of the group, the others only need to switch to another secret key rather than replace the whole algorithm.
Give a brief definition of the term demilitarized zone (DMZ) in the context of firewalls.
The part of the network that is visible to the outside world, hosting services such as a web server, mail proxy, and other proxies. It may be connected to the outside via a simple packet filter; the connection between the DMZ and the internal network is protected by further filters.
List four warning signs that indicate that a social engineering attack may be taking place.
• Unusual request
• Refusal to give callback number
• Claim of authority
• Stresses urgency
• Threatens negative consequences in case of non-compliance
• Shows discomfort when questioned or challenged
• Name dropping
• Compliments or flattery
In an extension of Role-Based Access Control (RBAC), roles are allowed to be members of other roles, creating a hierarchy of roles. What is the main advantage of this extension?
There is often an overlap between different roles in terms of permitted transactions, i.e., roles higher up in the hierarchy may execute a superset of the transactions of roles lower in the hierarchy. With a hierarchy, shared transactions are assigned once to the lower role and inherited by its members, which makes the assignment more manageable.
How could you map the following roles of a development team and the transactions they are allowed to execute to this RBAC extension?
The role project member may execute runCode and runTest. A test engineer is a member of the role project member and has one additional transaction: modifyTest.
A programmer is also a member of the role project member and has one additional transaction: modifyCode. A project supervisor is a member of both test engineer and programmer, with the additional transaction releaseCode.
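The following Go program is an added example, not part of the original flashcard deck: it encodes the development-team hierarchy from the card and resolves the effective transaction set of a role by walking its memberships transitively, so that a supervisor inherits runCode and runTest without those being assigned to the supervisor directly. The role and transaction names are the card's; the data structure and the cycle guard are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Role holds the transactions granted directly to a role and the roles it is
// a member of (its parents in the hierarchy), from which it inherits.
type Role struct {
	Direct  []string
	Parents []string
}

// Hierarchy maps role names to their definitions.
type Hierarchy map[string]Role

// Permissions returns the effective set of transactions for role: its own
// transactions plus everything inherited transitively. The visited set
// guards against cycles in a badly specified hierarchy.
func (h Hierarchy) Permissions(role string) map[string]bool {
	perms := map[string]bool{}
	visited := map[string]bool{}
	var walk func(r string)
	walk = func(r string) {
		if visited[r] {
			return
		}
		visited[r] = true
		def, ok := h[r]
		if !ok {
			return // an unknown role grants nothing
		}
		for _, t := range def.Direct {
			perms[t] = true
		}
		for _, p := range def.Parents {
			walk(p)
		}
	}
	walk(role)
	return perms
}

// MayExecute answers the access-control question for one role and transaction.
func (h Hierarchy) MayExecute(role, transaction string) bool {
	return h.Permissions(role)[transaction]
}

// DevTeam is the hierarchy described on the card (constructed data).
var DevTeam = Hierarchy{
	"project member":     {Direct: []string{"runCode", "runTest"}},
	"test engineer":      {Direct: []string{"modifyTest"}, Parents: []string{"project member"}},
	"programmer":         {Direct: []string{"modifyCode"}, Parents: []string{"project member"}},
	"project supervisor": {Direct: []string{"releaseCode"}, Parents: []string{"test engineer", "programmer"}},
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func main() {
	for _, r := range []string{"project member", "test engineer", "programmer", "project supervisor"} {
		fmt.Printf("%-18s -> %v\n", r, sortedKeys(DevTeam.Permissions(r)))
	}
}
```

Note that the check is always made against the effective set: removing runTest from project member removes it from every role above it in one change, which is the manageability advantage the card describes.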
In risk assessment, what is the difference between an attack and a vulnerability? Provide one example for each of these terms.
An attack is an action that actually leads to a violation of security.
An example of an attack is an employee illegitimately reading confidential material.
A vulnerability is a weakness that makes an attack possible.
An example of a vulnerability is an office computer without up-to-date virus detection software.
Describe the 5 steps in the Flaw Hypothesis Methodology framework.
1 Information gathering: testers try to become as familiar with the system as possible (in their role as external or internal attackers)
2 Flaw hypothesis: drawing on the knowledge from step 1 and on known vulnerabilities, testers hypothesize flaws
3 Flaw testing: testers try to exploit the possible flaws identified in step 2. If a flaw does not exist, go back to step 2; if it exists, go to the next step
4 Flaw generalization: testers try to find other, similar flaws and iterate (starting again with step 2)
5 Flaw elimination: testers suggest ways of eliminating the flaw
In cryptography what is the difference between a symmetric algorithm and an asymmetric algorithm?
These algorithms relate to two different approaches of encryption/decryption. In a symmetric algorithm, the same key is used for both encryption and decryption, whereas in an asymmetric algorithm the key used for encryption is different to the key used for decryption.
How might the hacker determine whether the passwords have been salted?
Salting is designed to prevent the same password from mapping to the same hash value in the password file. Hence, if every hash in the file is unique, a salt has probably been used. Uniqueness alone is only evidence, not proof: an unsalted file happens to have no repeated hashes when no two users share a password. In practice the salt is usually stored visibly next to the hash, which settles the question directly.
Assuming the password file has not been salted, how might the hacker use this information to greatly increase the chance of cracking a password?
If a salt has not been used, the same hash value may appear multiple times in the password file. The hacker should extract the distinct hashes and sort them by frequency, highest first. A high-frequency hash was most likely generated by a very commonly used password, so the hacker can run a dictionary attack against these few hashes using a list of the most common passwords. Each hit cracks every account that shares that hash at once.
In order to gain access to your bank account at an ATM you only need a 4 digit password. Why is such a weak password acceptable in this case?
This is primarily because the ATM limits the number of guesses: after three wrong guesses the card is blocked, so an attacker cannot search the 10,000 possibilities. The PIN is also only one factor; the attacker additionally needs the physical card ("something you have").
Briefly describe the role of a Commercial Licensed Evaluation Facility.
A commercial licensed evaluation facility (CLEF) performs security evaluations based on the international standards known as the Common Criteria. These evaluations are (usually) recognized in all countries that have officially adopted these standards.
Alice and Bob wish to communicate using a hybrid cryptosystem, which combines a symmetric algorithm with a public-key algorithm. They have already agreed on the choice of cryptosystems to use and Alice has Bob’s public key. What are the steps Alice and Bob must perform in order to begin a session of communication?
1 Alice generates a random session key for the symmetric algorithm
2 She encrypts the session key using Bob's public key
3 Alice sends the ciphertext to Bob
4 Bob decrypts the ciphertext using his private key to recover the session key
Alice and Bob can now continue to communicate using the symmetric algorithm.
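The four steps above, carried out end to end in Go as an added example (this is not code from the original deck). Bob's key pair is RSA and the session key is wrapped with RSA-OAEP; the symmetric algorithm is AES-256-GCM; the sample message is constructed. These concrete algorithm choices and the function names are assumptions of the example, since the card only says the parties have "already agreed on the choice of cryptosystems".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

var oaepLabel = []byte("session-key") // binds the wrapped key to this purpose

// AliceStart performs steps 1 and 2: a fresh random 256-bit session key,
// wrapped with Bob's public key. It returns the key Alice keeps and the
// ciphertext she sends to Bob (step 3).
func AliceStart(bobPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, sessionKey, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, wrapped, nil
}

// BobAccept performs step 4: recover the session key with Bob's private key.
func BobAccept(bobPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, wrapped, oaepLabel)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one message under the session key; output is nonce || ciphertext || tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts and authenticates; any modification of the message is rejected.
func Open(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RunSession runs the complete exchange for one message from Alice and
// returns what Bob reads, so the result can be checked by a caller.
func RunSession(plaintext []byte) ([]byte, error) {
	bobPriv, err := rsa.GenerateKey(rand.Reader, 2048) // Bob's long-term key pair
	if err != nil {
		return nil, err
	}
	aliceKey, wrapped, err := AliceStart(&bobPriv.PublicKey)
	if err != nil {
		return nil, err
	}
	bobKey, err := BobAccept(bobPriv, wrapped)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(aliceKey, bobKey) {
		return nil, errors.New("session keys differ")
	}
	msg, err := Seal(aliceKey, plaintext) // symmetric traffic from here on
	if err != nil {
		return nil, err
	}
	return Open(bobKey, msg)
}

func main() {
	out, err := RunSession([]byte("constructed sample message"))
	fmt.Printf("Bob read: %q, err: %v\n", out, err)
}
```

Only the 32-byte session key ever passes through the public-key algorithm; every message afterwards is symmetric, which is the point of the next card.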
What is the advantage of using a hybrid cryptosystem over using an asymmetric cryptosystem?
The session key is only used for a limited time and then destroyed; the longer a key is used, the higher the chance that it is compromised. The public-key cryptosystem is used only sporadically, producing a very small number of ciphertexts, and the less material an attacker has, the harder it is to break the cipher. Public-key operations are also far slower than symmetric ones, so encrypting only the short session key with them keeps the bulk traffic cheap.
What is the primary purpose of a Firewall?
The primary purpose of a firewall is to stand between a local network and the Internet in order to filter out traffic that might be harmful.
Describe what a Circuit-Level Gateway firewall is designed to do, also where might you find one?
A Circuit-Level Gateway firewall is designed to automatically discard any data that has not been requested by a machine from within the firewall. (It does this by examining only packet address and port information.) It also acts as an intermediary between the internal network and the Internet. No machine from within the firewall can directly access the Internet. Home DSL routers are typically of this type, since it is easy to combine it with Internet sharing capabilities.
Where are you likely to find a logic bomb?
Embedded in a legitimate program.
Who, or what, is best placed to defend against logic bombs? Explain your answer.
It is difficult to implement operating system controls to guard against logic bombs. So it is the creator or maintainers of software who are best placed to defend against logic bombs. Security measures need to focus on the development and update of the code.
When does the Base Rate Fallacy occur and when does it become a problem?
The Base Rate Fallacy occurs when the difference in size between the classes (the base rate) is not taken into account when judging a test's accuracy. It only becomes a problem when there is a large difference in class size.
Why is the Base Rate Fallacy a problem in intrusion detection?
Intrusions are very rare compared with legitimate events, so even a small false-positive rate produces far more false alarms than true detections. The fraction of alarms that are real intrusions stays low unless the false-positive rate is pushed extremely close to zero, which makes practical intrusion detection very difficult.
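A worked calculation for the two cards above, added here and not part of the original deck. The numbers are assumed for illustration: one event in 10,000 is an intrusion $I$, the detector raises an alarm $A$ on 99% of intrusions and on only 1% of benign events. Bayes' rule gives the probability that an alarm is a real intrusion:

$$
P(I \mid A) = \frac{P(A \mid I)\,P(I)}{P(A \mid I)\,P(I) + P(A \mid \neg I)\,P(\neg I)}
= \frac{0.99 \cdot 10^{-4}}{0.99 \cdot 10^{-4} + 0.01 \cdot 0.9999}
\approx \frac{9.9 \cdot 10^{-5}}{1.01 \cdot 10^{-2}} \approx 0.0098
$$

Despite a 99% detection rate and a 1% false-positive rate, roughly 99 out of every 100 alarms are false, because the benign class is 10,000 times larger than the intrusion class. Bringing $P(I \mid A)$ to 50% under these assumptions would require $P(A \mid \neg I) \approx 10^{-4}$.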
What is a threat?
A threat is a potential danger to an information asset.
What are the three key objectives of information security?
1 - Confidentiality: restricting access to information to those authorised to see it.
2 - Integrity: preventing improper or unauthorised changes to data.
3 - Availability: ensuring the data is accessible when needed by authorised users.