Mid_Term

Question 1

List 5 Principle Threats to the secrecy of passwords

Answer 1

1. Specific Account Attack
2. Popular Password Attack
3. Exploiting User Mistakes
4. Exploiting Multiple Password Use
5. Offline Dictionary Attack
6. Workstation Hijacking
7. Electronic Monitoring
8. Password Guessing against a single user

Question 2

Specific Account Attack

Answer 2

An attack where the attacker targets a specific account and submits password guesses until the correct pass is found

Question 3

Popular Password Attack

Answer 3

An attack that uses common passwords against a wide array of user accounts.

Question 4

Password Guessing Against Single User

Answer 4

The attacker attempts to gain knowledge about the account holder and system password policies to guess the password

Question 5

Workstation Hijacking

Answer 5

The attacker accesses an active workstation that is unattended

Question 6

Exploiting user mistakes

Answer 6

This type of attack depends on the carelessness of the user. Viewing their credentials from over the shoulder or attaining a password that they have written down.

Question 7

Electronic Monitoring

Answer 7

The attackers eavesdrops on network communication and decrypts the data to obtain the password.

Question 8

What is the cloud computing reference architecture?

Answer 8

The NIST cloud computing reference architecture is a tool for describing and developing a system-specific architecture using a common reference.

Question 9

Name Two Categories of Passive Attack

Answer 9

Release of message contents and traffic analysis

Question 10

Name Three Categories of Active Attack

Answer 10

Masquerade, replay, modification of message, denial of service

Question 11

What is an active attack?

Answer 11

A network exploit in which a hacker attempts to make changes to data on the target

Question 12

What is a Passive Attack?

Answer 12

A passive attack is a network attack where a system is monitored or scanned to gain information.

Question 13

Biometric Enrollment

Answer 13

Biometric enrollment is the process off associating the users identification with his password and biometric data.

Question 14

BIometric Verifcation

Answer 14

Is the process of the user utilizing his credentials biometric and otherwise to access the system.

Question 15

Biometric Authentication

Answer 15

The user is authenticated if his user id, password and biometric data all match the stored records on the system.

Question 16

List 4 Cloud Specific Threats

Answer 16

1. Abuse and Nefarious use of cloud computing
2. Malicious Insider
3. Insecure Interfaces and API’s
4. Shared Technology Issues
5. Data loss or leakage
6. Account or service hijacking
7. Unknown risk profile

Question 17

Abuse and Nefarious use of cloud computing

Answer 17

This enables to attacker to execute malicious code or perform spamming and denial of service attacks using valid credentials.

Question 18

Insecure Interfaces and API’s

Answer 18

Cloud Service Provides (CP’s) provide interfaces and API’s to help customers manages their cloud resources. Weaknesses in these policies can be used can allow attackers to circumvent policy.

Question 19

Malicious Insider

Answer 19

An attacker that has credentials or is a valid administrator of system security uses his authority to perform a malicious act.

Question 20

Data Loss of Leakage

Answer 20

The loss of access to information due to an attack.

Question 21

Account/Service Hijacking

Answer 21

Attackers can access critical areas of deployed cloud computing services allowing them to compromise CIA.

Question 22

What is DAC?

Answer 22

Discretionary Access Control

controls access based on user identity and access rules that define his access to the system.

Question 23

What is MAC?

Answer 23

Mandatory Access Control
controls access based on security levels. A user is associated with an access level that determines his privileges on the system.

Question 24

What is RBAC?

Answer 24

Roles Based Access Control controls access based on roles that users have within the system and the rules that define what access are allowed for each role.

Question 25

Name Three Cloud Service Models

Answer 25

(SaaS) Software as a service Provides service to customers in the form of software. (PaaS) Platform as a service provides a platform for running applications (IaaS) Infrastructure as a service provides hardware resources to user remotely.

Question 26

Account/Service Hijacking

Answer 26

The attackers uses stolen credentials to access critical areas and negatively impact CIA.

Question 27

Unknown Risk Profile

Answer 27

The client cedes control of resources and systems to the CP. There exist a number of issues that the client may not be aware of or have the access to mitigate.

Question 28

List and define the four types of entities in a base model RBAC system as mentioned in our text.

Answer 28

User: An individual that has access to this computer system. Each individual has an associated user ID. Role: A named job function within the organization that controls this computer system. Typically, associated with each role is a description of the authority and responsibility conferred on this role, and on any user who assumes this role. Permission: An approval of a particular mode of access to one or more objects. Equivalent terms are access right, privilege, and authorization. Session: A mapping between a user and an activated subset of the set of roles to which the user is assigned.

Question 29

List and define the three classes of subject in an access control system as mentioned in our text.

Answer 29

Owner: This may be the creator of a resource, such as a file. For system resources, ownership may belong to a system administrator. For project resources, a project administrator or leader may be assigned ownership. Group: In addition to the privileges assigned to an owner, a named group of users may also be granted access rights, such that membership in the group is sufficient to exercise these access rights. In most schemes, a user may belong to multiple groups. World: The least amount of access is granted to users who are able to access the system but are not included in the categories owner and group for this resource.

Question 30

List and briefly describe four common techniques for selecting or assigning passwords that are mentioned in our text.

Answer 30

User education: Users can be told the importance of using hard-toguess passwords and can be provided with guidelines for selecting strong passwords. Computer-generated passwords: the system selects a password for the user. Reactive password checking: the system periodically runs its own password cracker to find guessable passwords. Proactive password checking: a user is allowed to select his or her own password. However, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it.

Question 31

What are the essential ingredients, mentioned in our text, of a symmetric cipher?

Answer 31

Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.

Question 32

Define the terms database, database management system, and query language as mentioned in our text.

Answer 32

A database is a structured collection of data stored for use by one or more applications. In addition to data, a database contains the relationships between data items and groups of data items. A database management system (DBMS), which is a suite of programs for constructing and maintaining the database and for offering ad hoc query facilities to multiple users and applications. A query language provides a uniform interface to the database for users and applications.

Question 33

List and briefly define four of the fundamental security design principles mentioned in our text.

Answer 33

• Economy of mechanism • Fail-safe defaults • Complete mediation • Open design • Separation of privilege • Least privilege • Least common mechanism • Psychological acceptability • Isolation • Encapsulation • Modularity • Layering • Least astonishment - Page 28 - 31 gives details of each

Question 34

Define computer security and what it includes.

Answer 34

Computer security refers to protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Question 35

List and briefly describe some administrative policies that can be used with a RDBMS as mentioned in our text.

Answer 35

Centralized administration: A small number of privileged users may grant and revoke access rights. Ownership-based administration: The owner (creator) of a table may grant and revoke access rights to the table. Decentralized administration: In addition to granting and revoking access rights to a table, the owner of the table may grant and revoke authorization to other users, allowing them to grant and revoke access rights to the table.

Question 36

List and briefly define three uses of a public-key cryptosystem.

Answer 36

Encryption/decryption: The sender encrypts a message with the recipient's public key. Digital signature: The sender "signs" a message with its private key. Key exchange: Two sides cooperate to exchange a session key.