Quiz 2 Ch.9, 10, 11, 17 Flashcards

(90 cards)

1
Q

Ch. 9 Need for firewalls

A

Internet connectivity is essential but creates a threat

FW is inserted between the premises network and the internet to establish a link

2
Q

FW characteristics

A

Design goals

  • all traffic from inside to outside must pass through FW
  • FW immune to penetration
3
Q

FW access policy

A

this lists types of traffic authorized to pass through FW

- includes address ranges, protocols, applications, content

4
Q

FW Filter Characteristics

A

IP address and protocol values

  • Application protocol
  • User identity
  • Network activity
5
Q

FW Capabilities and limits

A

Capabilities:
- defines a single choke point
- can serve as platform for IPSec
Limits:
- cannot protect against attacks bypassing the firewall
- may not protect fully against internal threats

6
Q

Types of FW

A
  • Packet Filtering FW
  • Stateful inspection FW
  • Application-level gateway
  • Circuit-level gateway
7
Q

Packet Filter

A

Advantages:
- simplicity
- typically transparent to users and fast
Weaknesses:
- can't prevent attacks that employ application-specific vulnerabilities
- applies rules to each incoming and outgoing IP packet

8
Q

Stateful Inspection FW

A

Tightens rules for TCP traffic by creating a directory of outbound TCP connections
- reviews packet info but also records info about TCP connections

9
Q

Application Level gateway

A

Acts as a relay of application-level traffic

  • must have proxy code for each application
  • tend to be more secure than packet filters
  • disadvantage is additional processing overhead on each connection
10
Q

Circuit level gateway

A

Sets up 2 TCP connections: one between itself and a TCP user on an inner host, and one between itself and a TCP user on an outside host
- used when inside users are trusted

11
Q

SOCKS circuit level gateway

A

Provides a framework for client-server applications in the TCP/UDP domains

12
Q

Bastion Hosts

A
  • System identified as a critical strong point
  • Serves as platform for an application-level or circuit-level gateway

13
Q

Characteristics of BH

A
  • runs a secure OS with only essential services
  • may require user authentication to access a proxy
  • each proxy:
    - restricts features
    - small, simple
14
Q

Host-based FW

A

used to secure an individual host

- available in OS or can be provided as an add-on package

15
Q

Personal FW

A
  • Controls traffic between a PC and the internet
  • Software module

16
Q

FW Topologies

A
  • Host-resident FW
  • Screening router
  • Single bastion inline
  • Single bastion T
  • Double bastion inline
  • Double bastion T
  • Distributed FW configuration
17
Q

DMZ (demilitarized zone)

A

Systems that are externally accessible but need some protection are usually located on the DMZ

18
Q

Intrusion Prevention Systems (IPS)

A

Capability to attempt to block/prevent detected malicious activity

  • host-based, network-based, distributed/hybrid
  • use anomaly detection to identify behavior that is not that of legitimate users
19
Q

Host-Based IPS (HIPS)

A

Can make use of either signature or anomaly detection techniques to identify attacks
- Signature: focus is on the specific content of application network traffic
- Anomaly: IPS is looking for behavior patterns that indicate malware

20
Q

HIPS: examples of the types of attacks identified

A

Modification of system resources

  • Privilege-escalation exploits
  • Buffer-overflow exploits
  • access to email contact list
21
Q

HIPS capabilities

A

Can be tailored to a specific platform

  • a set of general-purpose tools may be used for desktop or server
  • use a sandbox approach
22
Q

Role of HIPS

A

Provides an integrated, single-product suite of functions

23
Q

Network-Based IPS (NIPS)

A

Inline NIDS with the authority to modify or discard packets and tear down TCP connections

24
Q

NIPS (cont.)

A

Makes use of signature/heuristic detection and anomaly detection

- provides flow data protection

25
Q

NIPS: methods used to identify malicious packets

A

- Pattern matching
- Stateful matching
- Protocol anomaly
- Traffic anomaly
- Statistical anomaly

26
Q

Distributed or hybrid approach: Digital Immune System

A

Comprehensive defense against malicious behavior caused by malware
- gathers data from a large number of host-based and network-based sensors
- relays this info to a central analysis system, which analyzes it and then sends a response/defense

27
Q

Snort inline

A

- Enables Snort to function as an intrusion prevention system
- includes a replace option which allows the Snort user to modify packets rather than drop them

28
Q

Ch. 10 Buffer overflow

A

- very common attack mechanism
- first: Morris Worm in 1988
- a condition at an interface under which more input can be placed into a buffer or data-holding area than the capacity allocated, overwriting other info

29
Q

BO basics

A

Programming error when a process attempts to store data beyond the limits of a fixed-sized buffer
- overwrites adjacent memory locations
- buffer could be located on the stack

30
Q

BO attacks: to exploit a BO an attacker needs:

A

- to identify a BO vulnerability in some program that can be triggered using externally sourced data under the attacker's control
- to understand how that buffer is stored in memory and determine the potential for corruption

31
Q

Stack BO

A

Occurs when the buffer is located on the stack
- also called stack smashing
- used by the Morris Worm; its exploits included an unchecked BO
Stack frame: when one function calls another it needs somewhere to save the return address

32
Q

Shellcode

A

Code supplied by the attacker
- its function was to transfer control to a user command-line interpreter, or shell, which will give access to any program
- machine code, specific to processor and OS
- need good assembly language skills to create
- Metasploit project provides useful info to people who perform penetration testing

33
Q

BO Defenses

A

- Compile-time defenses
- Run-time defenses

34
Q

Compile-time defenses

A

Use a modern high-level language: not vulnerable to BO attacks
Disadvantages:
- additional code must be executed at run time to impose checks
- flexibility and safety come at a cost in resource use

35
Q

CTD (cont.)

A

- C designers placed much more emphasis on space efficiency and performance than on type safety
- programmers need to inspect the code and rewrite any unsafe coding
- programmers have audited existing code bases, including the OS, standard libraries and common utilities

36
Q

CTD: Stack Protection

A

- add function entry and exit code to check the stack for signs of corruption
- use a random canary
- Stackshield and Return Address Defender (RAD)

37
Q

Run-time Defenses: Executable address space protection

A

Use virtual memory support to make some regions of memory non-executable

38
Q

RTD: Address Space Randomization

A

- manipulate location of key data structures
- randomize location of heap buffers
- random location of standard library functions

39
Q

RTD: Guard Pages

A

- place guard pages between critical regions of memory
- a further extension places guard pages between stack frames and heap buffers

40
Q

Other forms of overflow attacks: Replacement stack frame

A

Variant that overwrites the buffer and the saved frame pointer address
- off-by-one attacks: allow 1 more byte to be copied than there is space available
Defenses:
- any stack protection
- use non-executable stacks
- randomization

41
Q

Return to system call

A

Stack overflow variant that replaces the return address with a standard library function
Defenses: any stack protection, non-executable stacks, randomization of the stack

42
Q

Heap overflow

A

Attacks a buffer located in the heap
- located above program code
- no return address, so no easy transfer of control
Defenses: make the heap non-executable, randomize allocation of memory on the heap

43
Q

Global data overflow

A

Can attack a buffer located in global data
- may be located above program code
Defenses: non-executable or random global data region, move function pointers, guard pages

44
Q

Ch. 11 Software Security

A

Vulnerabilities result from poor programming practices
- consequence of insufficient checking and validation of data and error codes

45
Q

Software quality and reliability

A

- concerned with accidental failure of a program
- improve using structured design and testing; eliminate as many bugs as possible
- concern is not how many bugs but how often they are triggered
Software security (SS): the attacker chooses the probability distribution

46
Q

Defensive Programming

A

Designing software so that it continues to function even when attacked
Key rule is to never assume anything: check all assumptions and handle any possible error states

47
Q

DP (cont.)

A

- programmers often make assumptions about the type of inputs a program will receive
- requires a changed mindset from traditional programming practices

48
Q

Security by design

A

Software Assurance Forum for Excellence in Code (SAFECode)

49
Q

Handling program input

A

- incorrect handling is a very common failing
- input is any source of data from outside whose value is not explicitly known by the programmer
- must identify all data sources
- explicitly validate assumptions on size and type

50
Q

Input size & Buffer Overflow

A

- allocated buffer size isn't confirmed, resulting in BO
- testing may not identify the vulnerability
- safe coding treats all input as dangerous

51
Q

Writing safe program code

A

- correct algorithm implementation
- compare machine code with original source, ensuring that the machine language corresponds to the algorithm
- correct interpretation of data values
- correct use of memory
- prevent race conditions with shared memory

52
Q

Interpretation of program input

A

- may be binary or text
- character sets being used
- failure to validate may result in an exploitable vulnerability: 2014 Heartbleed OpenSSL bug

53
Q

Injection attacks

A

Occur in scripting languages
- these encourage reuse of other programs

54
Q

Cross Site Scripting (XSS) attacks

A

Where input provided by one user is subsequently output to another user
- in scripted web apps

55
Q

Validating numeric input

A

- internally stored in a fixed-sized value: 8, 16, 32, 64 bit integers
- must correctly interpret the text form and process consistently
- issues comparing signed to unsigned

56
Q

Input fuzzing

A

- 1989, University of Wisconsin
- software testing technique that uses randomly generated data as inputs to a program
- can also use templates to generate classes of known problem inputs

57
Q

Operating system interaction

A

- programs execute on systems under the control of the OS
- systems have the concept of multiple users

58
Q

Environment variables

A

Collection of string values inherited by each process from its parent
- a common attack use is by a local user attempting to gain increased privileges

59
Q

Use of least privilege

A

- run programs with the least privilege needed to complete their function
- determine appropriate user and group privileges

60
Q

System calls and standard library functions

A

- programs use system calls and standard library functions for common operations

61
Q

Preventing race conditions

A

Programs may need to access a common system resource
- need suitable synchronization mechanisms, e.g. a lockfile

62
Q

Safe temporary files

A

Secure temp file creation and use requires the use of random names

63
Q

Ch. 16 Physical and Infrastructure Security

A

- Logical security
- Physical security
- Premises security

64
Q

Physical security threats

A

Physical security protects the physical assets that support the storage and processing of info
Threats:
- Environmental threats
- Technical threats
- Human-caused threats

65
Q

Water damage

A

- primary danger is an electrical short
- pipe may burst
- sprinkler set off
- floodwater leaving muddy residue

66
Q

Chemical, radiological, biological hazards; dust and infestation

A

- discharges can be introduced through vents, windows
- dust and infestation block ventilation

67
Q

Technical threats

A

Power utility problems:
- under-voltage: dips/brownouts/outages; interrupts service
- over-voltage: surges/faults; destroy chips
- noise on power lines; may interfere with device operation
Electromagnetic interference (EMI)

68
Q

Human-caused threats

A

- less predictable
- unauthorized physical access
- theft of equipment
- vandalism
- misuse of resources

69
Q

Physical security prevention and mitigation measures

A

- one prevention measure is the use of cloud computing
- inappropriate temperature
- fire and smoke alarms
- water: cutoff sensors

70
Q

Mitigate technical threats

A

- critical equipment should be connected to an emergency power source
- deal with EMI with filters and shielding

71
Q

Mitigate human-caused threats

A

- restrict building access
- patrolled and guarded
- locks at entry points
- tracking device on movable resources
- sensors, alarms
- surveillance

72
Q

Recovery from physical security breaches

A

Redundancy: provides recovery from loss of data
- important data available off-site
- encrypted remote backup

73
Q

Physical and logical security integration

A

- numerous detection and prevention devices
- personal identity verification
- use of PIV credentials in physical access control systems

74
Q

Ch. 17 Human Resources Security

A

Security awareness, training and education

75
Q

Benefits to organizations

A

- improve employee behavior
- accountability
- liability
- comply with regulations

76
Q

Awareness

A

- seeks to inform and focus an employee's attention on security issues within the org.
- program tailored to the needs of the org.

77
Q

Training

A

What people should do and how
- focus on computer security practices
- develop a secure mindset
- how to make tradeoffs involving security risks, costs, benefits
- risk management goals, measurement, leadership

78
Q

Education

A

Targeted at security professionals whose jobs require expertise in security
- career development
- most in-depth program

79
Q

Employment practices and policies

A

- managing personnel with potential access is an essential part of information security
- employee involvement

80
Q

Security in the hiring process

A

To ensure employees understand their responsibilities and are suitable for the roles they are considered for
- need appropriate background checks and screening

81
Q

During employment

A

Objective with respect to current employees: reduce the risk of human error
2 elements of personnel security:
- comprehensive security policy document
- an ongoing awareness and training program

82
Q

Termination of employment

A

Termination security objective: ensure employees exit the org. in an orderly manner
Critical actions:
- remove name from all authorized access lists
- inform guards that the ex-employee is not allowed

83
Q

Email and internet use policies

A

Concerns for employers:
- work time consumed in non-work-related activities
- risk of importing malware
- possible harm, harassment

84
Q

Security incident response

A

- procedures need to reflect the possible consequences of an incident
- systematic incident response: quicker recovery to minimize loss, theft, disruption of service

85
Q

Computer Security Incident Response Team (CSIRT)

A

- rapidly detecting incidents
- minimizing loss and destruction
- mitigating weaknesses that were exploited
- restoring computing services

86
Q

Security incidents

A

- unauthorized access to a system
- modification of info on a system

87
Q

Detecting incidents

A

- by users or admin staff
- automated tools: system integrity verification, log analysis, network and host IDS

88
Q

Triage functions

A

Ensure that all info destined for the incident handling service is channeled through a single focal point
- responds to incoming info by requesting additional info in order to categorize the incident

89
Q

Responding to incidents

A

Procedures should:
- detail how to identify the cause
- describe the action taken to recover
- identify categories of incidents and the approach taken
- identify the management personnel responsible
- identify the circumstances when security breaches should be reported

90
Q

Documenting incidents

A

Should immediately follow a response to an incident