Quiz Ch 7: Security and Privacy Flashcards
(20 cards)
List three types of security threat.
Threats to the availability of a system, threats to the integrity of a system or its data, threats to the confidentiality of the data managed by a system.
List four types of management procedure that are needed to maintain overall system security.
Authentication and authorisation management, system infrastructure management, attack monitoring, backup policies and management.
Suggest three features that may be included in cloud-based systems to help users with operational security.
Auto-logout, user command logging, multi-factor authentication.
What is an injection attack?
A type of attack where a malicious user uses a valid input field to input malicious code or database commands, which are aimed at causing some damage to the system.
How does a cross-site scripting attack work?
An attacker introduces malicious code into a legitimate website using some security weakness. When a valid request is made to that website, the malicious code is executed and information, such as user keystrokes, are sent from the user’s browser to the attacker.
What is session hijacking?
is a type of attack where authentication information set up in a user session (session cookie) is stolen by an attacker who uses this to impersonate a legitimate user.
What is a distributed denial of service attack?
A distributed denial of service attacker involves a network of remote computers flooding a legitimate site with requests so that it is overloaded and cannot deliver normal service.
List three ways of authenticating a user of a software product.
Something the user knows such as a password, something the user owns, such as a mobile phone, some attribute of a user such as a fingerprint.
What are the major weaknesses of password-based authentication?
Insecure passwords, phishing attacks, password reuse, forgotten passwords.
Explain what is meant by ‘federated identity’.
is an approach to authentication where an authenticating site relies on an external service, such as Google, to authenticate a user.
What is an ‘access control list’?
An access control list is a list of user permissions that sets out the access to system resources that is allowed for each user.
What is the difference between symmetric and asymmetric encryption?
In symmetric encryption, the same key is used to encrypt and decrypt confidential information; in asymmetric encryption, a different key is used for encryption and decryption.
Why do we continue to use symmetric encryption?
is widely used because it is much faster than asymmetric encryption.
List the five main elements of a digital certificate.
Subject information about the certificate holder, certificate authority information, certificate information, digital signature of the certificate, public key information for the certificate holder.
What are the four different levels in a system where data may be encrypted?
Media level (e.g., disk encryption), file level, database level, application level.
What are the major drawbacks of application-level encryption?
Most software engineers are not encryption experts and so can make mistakes in encryption implementation, encryption and decryption slows down application.
Briefly explain what is meant by ‘key management’.
means generating and securely storing encryption keys and managing these keys over time. They must be linked to the right version of the encrypted information.
What is ‘privacy’?
is a social concept that relates to the collection, dissemination and use of personal information held by a third-party.
What areas may be covered by data protection laws?
Responsibilities of data controllers such as data storage, data use, security and subject access. Rights of data subjects including access rights, error correction, data deletion and usage consent.
List 5 data protection principles that underlie the GDPR.
Any five from: users must be aware of what data collected and have control over its use, the purpose for which data is collected and stored must be explained, user consent for data storage must be granted, data must only be stored for as long as it is required, data must be stored securely, users must be able to find out what information is stored and be allowed to correct errors, data must not be stored in countries with weaker data protection laws.
