Midterm Review Flashcards

(79 cards)

1
Q

Vulnerability

A

System weakness vulnerable to a threat

2
Q

Categories of vulnerabilities

A
  • Corruption (Integrity)
  • Leakiness (Confidentiality)
  • Unavailability or very slow responsiveness (Availability)
3
Q

CIA Triad

A
  • Confidentiality
  • Integrity
  • Availability
4
Q

Confidentiality

A
  • Keeping data and resources hidden
  • “Need to know”, personnel records, trade secrets
  • Often, organizations want to protect system configuration and network topology info (resources) as well
5
Q

Integrity

A
  • Data integrity (trustworthiness) - data protected against unauthorized change
  • Origin integrity (authentication)
  • Mechanisms fall into two classes
    • Prevention
    • Detection
6
Q

Availability

A
  • Ability to use data and resources
  • Denial of service attacks are designed to prevent access

7
Q

Prevention

A
  • Prevent attackers from violating security policy
  • Typically done by employing mechanisms users cannot override
    • Mechanisms can be cumbersome for users
8
Q

Detection

A
  • Detect attackers’ violation of security policy
  • Also an indicator of the effectiveness of prevention mechanisms

9
Q

Recovery

A
  • Stop attack, assess and repair damage
  • Continue to function correctly even if the attack succeeds
    • Difficult to implement
    • Typically only used in safety-critical systems
10
Q

Security Policy

A

A formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources

11
Q

Security Implementation

A
  • Prevention
  • Detection
  • Response
  • Recovery
12
Q

Assurance

A

The degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes

13
Q

Evaluation

A

Process of examining a computer product or system with respect to certain criteria

14
Q

The ideal solution to malware

A

Prevention

15
Q

Main elements of prevention

A
  • Policy
  • Awareness
  • Vulnerability
  • Threat mitigation
16
Q

If prevention fails, what mechanisms can be used to mitigate the threat?

A
  • Detection
  • Identification
  • Removal
17
Q

Worm defense approaches

A
  • Signature-based worm scan filtering
  • Filter-based worm containment
  • Payload-classification-based worm containment
  • Threshold random walk (TRW) scan detection
  • Rate limiting
  • Rate halting
18
Q

Policy

A

Says what is and is not allowed. Defines security for the site/system/etc.

19
Q

Security Mechanisms

A

Enforces policy

20
Q

Virus

A

Piece of software that infects programs

21
Q

Virus Actions

A
  • Modifies them to include a copy of the virus
  • Replicates and goes on to infect other content
  • Easily spread through network environments
22
Q

Virus Components

A
  • Infection mechanism
  • Trigger
  • Payload
23
Q

Infection Mechanism

A
  • Means by which a virus spreads or propagates
  • Also referred to as the infection vector

24
Q

Trigger

A
  • Event or condition that determines when the payload is activated or delivered
  • Sometimes known as a logic bomb
25
Q

Payload

A
  • What the virus does (besides spreading)
  • May involve damage or benign but noticeable activity
26
Q

Virus Phases

A
  • Dormant phase
  • Triggering phase
  • Propagation phase
  • Execution phase
27
Q

Dormant Phase

A
  • Virus is idle
  • Will eventually be activated by some event
  • Not all viruses have this stage
28
Q

Triggering Phase

A
  • Virus is activated to perform the function for which it was intended
  • Can be caused by a variety of system events
29
Q

Propagation Phase

A
  • Virus places a copy of itself into other programs or into certain system areas on the disk
  • May not be identical to the propagation version
  • Each infected program will now contain a clone of the virus which will itself enter a propagation phase
30
Q

Execution Phase

A
  • Function is performed
  • May be harmless or damaging
31
Q

Virus Classifications

A
  • Classification by target
  • Classification by concealment strategy
32
Q

Classification by Target

A
  • Boot sector infector
  • File infector
  • Macro virus
  • Multipartite virus
33
Q

Classification by Concealment Strategy

A
  • Encrypted virus
  • Stealth virus
  • Polymorphic virus
  • Metamorphic virus
34
Q

Boot sector infector

A

Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus

35
Q

File infector

A

Infects files that the operating system or shell considers to be executable

36
Q

Macro virus

A

Infects files with macro or scripting code that is interpreted by an application

37
Q

Multipartite virus

A

Infects files in multiple ways

38
Q

Encrypted virus

A

A portion of the virus creates a random encryption key and encrypts the remainder of the virus

39
Q

Stealth virus

A

A form of virus explicitly designed to hide from detection by anti-virus software

40
Q

Polymorphic virus

A

A virus that mutates with every infection

41
Q

Metamorphic virus

A

A virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance

42
Q

Worm

A

A program that actively seeks out more machines to infect; each infected machine serves as an automated launching pad for attacks on other machines

43
Q

Worm Replication

A
  • Electronic mail or instant messenger facility
  • File sharing
  • Remote execution capability
  • Remote file access or transfer capability
  • Remote login capability
44
Q

Electronic mail or instant messenger facility

A
  • Worm emails a copy of itself to other systems
  • Sends itself as an attachment via an instant message service
45
Q

File sharing

A

Creates a copy of itself or infects a file as a virus on removable media

46
Q

Remote execution capability

A

Worm executes a copy of itself on another system

47
Q

Remote file access or transfer capability

A

The worm uses a remote file access or transfer service to copy itself from one system to the other
48
Q

Remote login capability

A

Worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other
49
Q

Scanning (or fingerprinting)

A
  • First function in the propagation phase for a network worm
  • Searches for other systems to infect
50
Q

Worm Scanning Strategies

A
  • Random
  • Hit-list
  • Topological
  • Local subnet
51
Q

Random Scanning

A
  • Each compromised host probes random addresses in the IP address space using a different seed
  • This produces a high volume of Internet traffic which may cause generalized disruption even before the actual attack is launched
52
Q

Hit-list

A

The attacker first compiles a long list of potentially vulnerable machines. Once the list is compiled the attacker begins infecting machines on the list. Each infected machine is provided with a portion of the list to scan. This results in a very short scanning period which may make it difficult to detect that infection is taking place.

53
Q

Topological

A

This method uses information contained on an infected victim machine to find more hosts to scan

54
Q

Local subnet

A
  • If a host can be infected behind a firewall, that host then looks for targets in its own local network
  • The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall
55
Q

Botnet

A

Collection of bots capable of acting in a coordinated manner

56
Q

Attack Agent Bots (AAB)

A

Takes over another Internet-attached computer and uses that computer to launch or manage attacks

57
Q

AAB Uses

A
  • Distributed denial of service (DDoS) attacks
  • Spamming
  • Sniffing traffic
  • Keylogging
  • Spreading new malware
  • Installing advertisement add-ons and browser helper objects (BHOs)
  • Attacking IRC chat networks
  • Manipulating online polls/games
58
Q

Remote Control Facility (RCF)

A

RCF is what distinguishes a bot from a worm

59
Q

DDoS

A

An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.

60
Q

DDoS Attack Resource Categories

A
  • Network bandwidth
  • System resources
  • Application resources
61
Q

Flooding ping command

A
  • Classic DoS attack
  • Aim of this attack is to overwhelm the capacity of the network connection to the target organization
62
Q

Distributed Denial of Service (DDoS) Attacks

A
  • Use of multiple systems to generate attacks
  • Attacker uses a flaw in the operating system or in a common application to gain access and installs their program on it (zombie)
  • Large collections of such systems under the control of one attacker can be created, forming a botnet
63
Q

DoS Attack Defenses

A
  • These attacks cannot be prevented entirely
  • High traffic volumes may be legitimate
64
Q

Four lines of defense against DDoS attacks

A
  • Attack prevention and preemption (before the attack)
  • Attack detection and filtering (during the attack)
  • Attack source traceback and identification (during and after the attack)
  • Attack reaction (after the attack)
65
Q

IP - Internet Protocol

A

IP has the task of delivering packets from the source host to the destination host solely based on the IP addresses in the packet headers.

66
Q

TCP - Transmission Control Protocol

A

TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network.

67
Q

UDP - User Datagram Protocol

A

With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an IP network. Prior communications are not required in order to set up communication channels or data paths.

68
Q

Virtualization

A

A technology that provides an abstraction of the resources used by some software which runs in a simulated environment called a virtual machine (VM)

69
Q

Virtualization Benefits

A

Better efficiency in the use of the physical system resources

70
Q

Virtualization Security Issues

A
  • Guest OS isolation
  • Guest OS monitoring by the hypervisor
  • Virtualized environment security
71
Q

Access Control Principles

A

Measures that implement and assure security services in a computer system, particularly those that assure access control service.

72
Q

Access Control Policies

A
  • Discretionary access control (DAC)
  • Mandatory access control (MAC)
  • Role-based access control (RBAC)
  • Attribute-based access control (ABAC)
73
Q

Discretionary access control (DAC)

A

Controls access based on the identity of the requestor and on access rules (authorization) stating what requestors are (or are not) allowed to do

74
Q

Mandatory access control (MAC)

A

Controls access based on comparing security labels with security clearances
75
Q

Role-based access control (RBAC)

A

Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
76
Q

Attribute-based access control (ABAC)

A

Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions

77
Q

Subject

A
  • An entity capable of accessing objects
  • Three classes
    • Owner
    • Group
    • World
78
Q

Object

A
  • A resource to which access is controlled
  • Entity used to contain and/or receive information
79
Q

Access right

A
  • Describes the way in which a subject may access an object
  • Could include:
    • Read
    • Write
    • Execute
    • Delete
    • Create
    • Search
    • …