Security engineering Flashcards

1
Q

Two modes of operation of an operating system

A
supervisor state (Privileged mode)
problem state (User mode)
2
Q

System call?

A

The mechanism whereby mediated access occurs—that is, the driver or handler
request mentioned previously—is usually known as a system call and usually involves
invocation of a specific system or programming interface designed to pass the request to
an inner ring for service.

3
Q

Ready State

A

In the ready state, a process is ready to resume or begin processing as soon as it
is scheduled for execution.
This means the process has all the memory and other resources it needs
to begin executing immediately.

4
Q

Waiting

A

Waiting can also be understood as “waiting for a resource”—that is, the process
is ready for continued execution but is waiting for a device or access request

5
Q

Running

A

The running process executes on the CPU and keeps going until it finishes, its
time slice expires, or it is blocked for some reason.
The running state is also often called the problem state. It is
called the problem state because it is possible for problems or errors to occur.

6
Q

process scheduler

A

A special part of the kernel, called the program executive or the
process scheduler, is always around (waiting in memory) so that when a process state
transition must occur, it can step in and handle the mechanics involved.

7
Q

The US government has designated four approved security modes for
systems that process classified information.

A

Dedicated Mode
System High Mode
Compartmented mode
Multilevel Mode

8
Q

Dedicated Mode

A

Each user must have a security clearance that permits access to all information processed by the system.
Each user must have access approval for all information processed by the system.
Each user must have a valid need to know for all information processed by the system.

9
Q

System High Mode

A

Each user must have a valid security clearance that permits access to all information processed by the system.
Each user must have access approval for all information processed by the system.
*Each user must have a valid need to know for some information but not necessarily all information processed by the system.

10
Q

Compartmented mode

A

Each user must have a valid security clearance that permits access to all information processed by the system.
*Each user must have access approval for any information they will have access to on the system.
Each user must have a valid need to know for all information they will have access to on the system.

11
Q

difference between compartmented mode systems and system high
mode systems

A

Users of a compartmented mode system do not necessarily have
access approval for all the information on the system. However, as with system high and
dedicated systems, all users of the system must still have appropriate security clearances.

12
Q

Multilevel Mode

A

*Some users do not have a valid security clearance for all information processed by
the system. Thus, access is controlled by whether the subject’s clearance level
dominates the object’s sensitivity label.
Each user must have access approval for all information they will have access to on
the system.
Each user must have a valid need to know for all information they will have access to
on the system.

13
Q

Note

Mode           Clearance   Need to know   PDMCL
Dedicated      Same        None           None
System high    Same        Yes            None
Compartmented  Same        Yes            Yes
Multilevel     Different   Yes            Yes

Clearance is Same if all users must have the same security clearances, Different if otherwise.
Need to Know is None if it does not apply and is not used or if it is used but all users have the need to know all data present on the system, Yes if access is limited by need-to-know restrictions.
PDMCL applies if and when CMW implementations are used (Yes); otherwise, PDMCL is None.

A

1)
Notice that the administrative requirements for controlling the
types of users that access a system decrease as you move from dedicated systems down to
multilevel systems.

2)
When comparing all four security modes, it is generally
understood that the multilevel mode is exposed to the highest level of risk.

14
Q

ROM’s primary advantage?

A

ROM’s primary advantage is that it can’t be modified.

15
Q

Programmable Read-Only Memory (PROM)

A

PROM chip’s contents aren’t “burned in” at the
factory as with standard ROM chips. Instead, a PROM incorporates special functionality
that allows an end user to burn in the chip’s contents later. However, the burning process
has a similar outcome—once data is written to a PROM chip, no further changes are
possible. After it’s burned in, a PROM chip essentially functions like a ROM chip.

16
Q

PROM commonly used?

A

PROMs are commonly used for
hardware applications where some custom functionality is necessary but seldom changes
once programmed.

17
Q

EPROM

A

when illuminated with a special
ultraviolet light, causes the contents of the chip to be erased. After this process is
complete, end users can burn new information into the EPROM as if it had never been
programmed before.

18
Q

EEPROM

A

uses electric voltages delivered to the
pins of the chip to force erasure. EEPROM chips can be erased without removing them
from the computer, which makes them much more attractive than standard PROM or
EPROM chips.

19
Q

Flash Memory

A

Flash memory is a derivative concept from EEPROM.
It is a nonvolatile
form of storage media that can be electronically erased and rewritten. The primary
difference between EEPROM and flash memory is that EEPROM must be fully erased to
be rewritten whereas flash memory can be erased and written in blocks or pages.
The most common type of flash memory is NAND flash.
It is widely used in memory cards,
thumb drives, mobile devices, and SSD (solid-state drives).

20
Q

Real memory

known as main memory or primary memory

A

is
typically the largest RAM storage resource available to a computer. It is normally
composed of a number of dynamic RAM chips and, therefore, must be refreshed by the
CPU on a periodic basis

21
Q

Cache RAM

A

caches that improve performance
by taking data from slower devices and temporarily storing it in faster devices when
repeated use is likely; this is cache RAM.

22
Q

dynamic RAM

A

uses a series of capacitors, tiny electrical devices that
hold a charge.
However, because capacitors naturally
lose their charges over time, the CPU must spend time refreshing the contents of
dynamic RAM to ensure that 1 bits don’t unintentionally change to 0 bits, thereby
altering memory contents.

23
Q

Static RAM uses more sophisticated technology

A

a logical device known as a flip-flop,
which to all intents and purposes is simply an on/off switch that must be moved
from one position to another to change a 0 to 1 or vice versa. More important, static
memory maintains its contents unaltered as long as power is supplied and imposes
no CPU overhead for periodic refresh operations.

24
Q

registers

A

(ALU), uses when performing calculations or processing
instructions
operates in lockstep with the
CPU at typical CPU speeds.

25
Register Addressing
When the CPU needs information from one of its registers to complete an operation, it uses a register address (for example, “register 1”) to access its contents.
26
Immediate Addressing
CPU might process the command “Add 2 to the value in register 1.” This command uses two addressing schemes. The first is immediate addressing—the CPU is being told to add the value 2 and does not need to retrieve that value from a memory location—it’s supplied as part of the command. The second is register addressing; it’s instructed to retrieve the value from register 1.
27
Direct Addressing
The CPU is provided with an actual address of the memory location to access.
28
Indirect Addressing
The memory address supplied to the CPU as part of the instruction doesn’t contain the actual value that the CPU is to use as an operand. Instead, the memory address contains another memory address (perhaps located on a different page).
29
Base+Offset Addressing
Base+offset addressing uses a value stored in one of the CPU’s registers as the base location from which to begin counting.
30
Secondary Memory
Secondary memory is a term commonly used to refer to magnetic, optical, or flash-based media or other storage devices that contain data not immediately available to the CPU. Hard disks, floppy drives, and optical media such as CDs and DVDs can all function as secondary memory.
31
virtual memory
is an inexpensive way to make a computer operate as if it had more real memory than is physically installed. Drawback: overhead, slowing down the entire system.
32
Random access storage
operating system to read (and sometimes write) immediately from any point
33
Random access storage
operating system to read (and sometimes write) immediately from any point Almost all primary storage devices are random access devices. Most secondary storage devices are also random access
34
sequential storage
Magnetic tape. To provide access to data stored in the middle of a tape, the tape drive must physically scan through the entire tape (even if it’s not necessarily processing the data that it passes in fast-forward mode) until it reaches the desired point.
35
data remanence.
Data may remain on secondary storage devices even after it has been erased. This condition is known as data remanence.
36
sanitizing
If you truly want to remove data from a secondary storage device, you must use a specialized utility designed to destroy all traces of data on the device or damage or destroy it beyond possible repair (commonly called sanitizing).
37
unique problem in SSDs
SSD wear leveling means that there are often blocks of data that are not marked as “live” but that hold a copy of the data when it was copied off to lower wear leveled blocks
38
unique problem in SSDs
SSD wear leveling means that there are often blocks of data that are not marked as “live” but that hold a copy of the data when it was copied off to lower wear leveled blocks. This means that a traditional zero wipe is ineffective as a data security measure for SSDs.
39
Secondary storage devices are also prone to theft.
For this reason, it is important to use full disk encryption to reduce the risk of an unauthorized entity gaining access to your data.
40
Note
Fortunately, many HDD and SSD devices offer on-device native encryption. It is good security practice to encrypt SSDs prior to storing any data on them due to their wear leveling technology.
41
Issues with Monitors
A program known as TEMPEST can compromise the security of data displayed on a monitor. TEMPEST is a technology that allows the electronic emanations that every monitor produces (known as Van Eck radiation) to be read from a distance (this process is known as Van Eck phreaking) and even from another location.
42
CRT monitors are more prone to radiate significantly, whereas LCD monitors leak much less (some claim not enough to reveal critical data). It is arguable that the biggest risk with any monitor is still shoulder surfing or telephoto lenses on cameras.
Unfortunately, the protective controls required to prevent Van Eck radiation (lots and lots of copper!) are expensive to implement and cumbersome to use.
43
Issue with Printer
It may be much easier to walk out with sensitive information in printed form than to walk out with a floppy disk or other magnetic media. Printers are usually exposed on the network for convenient access and are often not designed to be secure systems. These are all issues that are best addressed by an organization’s security policy.
44
Keyboards/Mice
Vulnerable to TEMPEST monitoring. Vulnerable to less sophisticated bugging: a simple device can be placed inside a keyboard. Additionally, if your keyboard and mouse are wireless, including Bluetooth, their radio signals can be intercepted.
45
From a security standpoint, access to mapped memory locations should be mediated by the operating system and subject to proper authorization and access controls.
Memory-Mapped I/O
46
Interrupt (IRQ)
Interrupt (IRQ) is an abbreviation for interrupt request, a technique for assigning specific signal lines to specific devices through a special interrupt controller.
47
Interrupt (IRQ)
Interrupt (IRQ) is an abbreviation for interrupt request, a technique for assigning specific signal lines to specific devices through a special interrupt controller. From a security standpoint, only the operating system should be able to mediate access to IRQs at a sufficiently high level of privilege to prevent tampering or accidental misconfiguration.
48
Direct Memory Access
Direct Memory Access (DMA) works as a channel with two signal lines, where one line is a DMA request (DRQ) line and the other is a DMA acknowledgment (DACK) line. Devices that can exchange data directly with real memory (RAM) without requiring assistance from the CPU use DMA to manage such access. Using its DRQ line, a device signals the CPU that it wants to make direct access (which may be read or write or some combination of the two) to another device, usually real memory. The CPU authorizes access and then allows the access to proceed independently while blocking other access to the memory locations involved. From a security standpoint, only the operating system should be able to mediate DMA assignment and the use of DMA to access I/O devices.
49
Firmware
Firmware is a term used to describe software that is stored in a ROM chip. This type of software is changed infrequently (actually, never, if it’s stored on a true ROM chip as opposed to an EPROM/EEPROM) and often drives the basic operation of a computing device. There are two types of firmware: BIOS on a motherboard and general internal and external device firmware.
50
BIOS
The BIOS is contained in a firmware device that is accessed immediately by the computer at boot time. In most computers, the BIOS is stored on an EEPROM chip to facilitate version updates. The process of updating the BIOS is known as “flashing the BIOS.”
51
phlashing
There have been a few examples of malicious code embedding itself into BIOS/firmware. There is also an attack known as phlashing, in which a malicious variation of official BIOS or firmware is installed that introduces remote control or other malicious features into a device.
52
Device Firmware
Many hardware devices, such as printers and modems, also need some limited processing power to complete their tasks while minimizing the burden placed on the operating system itself. In many cases, these “mini” operating systems are entirely contained in firmware chips onboard the devices they serve. As with a computer’s BIOS, device firmware is frequently stored on an EEPROM device so it can be updated as necessary.
53
Applets
Applets are actually self-contained miniature programs that execute independently of the server that sent them.
55
benefits of Applets
The processing burden is shifted to the client, freeing up resources on the web server to process requests from more users. The client is able to produce data using local resources rather than waiting for a response from the remote server. In many cases, this results in a quicker response to changes in the input data. In a properly programmed applet, the web server does not receive any data provided to the applet as input, therefore maintaining the security and privacy of the user’s financial data.
56
Security concern with Applets
They allow a remote system to send code to the local system for execution. Security administrators must take steps to ensure that code sent to systems on their network is safe and properly screened for malicious activity.
57
Java applets
Java applets are simply short Java programs transmitted over the Internet to perform operations on a remote system.
58
How was security addressed in Java applets?
Sun’s development team created the “sandbox” concept to place privilege restrictions on Java code. The sandbox isolates Java code objects from the rest of the operating system and enforces strict rules about the resources those objects can access. For example, the sandbox would prohibit a Java applet from retrieving information from areas of memory not specifically allocated to it, preventing the applet from stealing that information.
59
ActiveX Controls
ActiveX controls are Microsoft’s answer to Sun’s Java applets. They operate in a similar fashion, but they are implemented using a variety of languages, including Visual Basic, C, C++, and Java.
60
Key Difference between Java Applets and ActiveX Controls
There are two key distinctions between Java applets and ActiveX controls. First, ActiveX controls use proprietary Microsoft technology and, therefore, can execute only on systems running Microsoft browsers. Second, ActiveX controls are not subject to the sandbox restrictions placed on Java applets.
61
Security issue with ActiveX Controls
They have full access to the Windows operating environment and can perform a number of privileged actions. Therefore, you must take special precautions when deciding which ActiveX controls to download and execute. Some security administrators have taken the somewhat harsh position of prohibiting the download of any ActiveX content from all but a select handful of trusted sites.
62
A second form of ARP cache poisoning is to create static ARP entries. This is done via the ARP command and must be done locally. But this is easily accomplished through a script that gets executed on the client either through a Trojan horse, buffer overflow, or social engineering attack.
Once ARP poisoning has occurred, whether against a permanent entry or a dynamic one, the traffic transmitted from the client will be sent to a different system than intended. This is due to having the wrong or a different hardware address (that is, the MAC address) associated with an IP address. ARP cache poisoning, or just ARP poisoning, is one means of setting up a man-in-the-middle attack.
63
Another popular means of performing a man-in-the-middle attack is through DNS cache poisoning.
Similar to ARP cache, once a client receives a response from DNS, that response will be cached for future use. If false information can be fed into the cache, then misdirecting communications is trivially easy. There are many means of performing DNS cache poisoning, including HOSTS poisoning, authorized DNS server attacks, caching DNS server attacks, DNS lookup address changing, and DNS query spoofing.
64
HOSTS poisoning
The HOSTS file is the static file found on a TCP/IP-supporting system that contains hardcoded references for domain names and their associated IP addresses. Administrators or hackers can add content to the HOSTS file that sets up a relationship between a FQDN (fully qualified domain name) and the IP address of choice. If an attacker is able to plant false information into the HOSTS file, then when the system boots the contents of the HOSTS file will be read into memory where they will take precedence. Unlike dynamic queries, which eventually time out and expire from cache, entries from the HOSTS file are permanent.
65
Authorized DNS server attacks
Authorized DNS server attacks aim at altering the primary record of a FQDN on its original host system. A caching DNS server is any DNS system deployed to cache DNS information from other DNS servers. The content hosted on a caching DNS server is not being watched by the worldwide security community, just the local operators. Thus, an attack against a caching DNS server can potentially occur without notice for a significant period of time.
66
A fourth example of DNS poisoning focuses on sending an alternate IP address to the client to be used as the DNS server the client uses for resolving queries.
A fifth example of DNS poisoning is that of DNS query spoofing. This attack occurs when the hacker is able to eavesdrop on a client’s query to a DNS server. The attacker then sends back a reply with false information. If the client accepts the false reply, they will put that information in their local DNS cache. When the real reply arrives, it will be discarded since the original query will have already been answered.
67
Aggregation
Aggregation attacks are used to collect numerous low-level security items or low-value items and combine them to create something of a higher security level or value. It’s especially important for database security administrators to strictly control access to aggregate functions and adequately assess the potential information they may reveal to unauthorized individuals.
68
Inference
Inference attacks involve combining several pieces of nonsensitive information to gain access to information that should be classified at a higher level. However, inference makes use of the human mind’s deductive capacity rather than the raw mathematical ability of modern database platforms. As with aggregation, the best defense against inference attacks is to maintain constant vigilance over the permissions granted to individual users.
69
data dictionary
A data dictionary is commonly used for storing critical information about data, including usage, type, sources, relationships, and formats. DBMS software reads the data dictionary to determine access rights for users attempting to access data.
70
data mart
One common security example of metadata is that of a security incident report. An incident report is the metadata extracted from a data warehouse of audit logs through the use of a security auditing data mining tool. In most cases, metadata is of a greater value or sensitivity (due to disclosure) than the bulk of data in the warehouse. Thus, metadata is stored in a more secure container known as the data mart.
71
Note
Data warehouses and data mining are significant to security professionals for two reasons. First, as previously mentioned, data warehouses contain large amounts of potentially sensitive information vulnerable to aggregation and inference attacks, and security practitioners must ensure that adequate access controls and other security measures are in place to safeguard this data. Second, data mining can actually be used as a security tool when it’s used to develop baselines for statistical anomaly–based intrusion detection systems.
72
Data analytics
Data analytics is the science of raw data examination with the focus of extracting useful information out of the bulk information set.
73
Big data
Big data refers to collections of data that have become so large that traditional means of analysis or processing are ineffective, inefficient, and insufficient. Big data involves numerous difficult challenges, including collection, storage, analysis, mining, transfer, distribution, and results presentation. The potential to learn from big data is tremendous, but the burdens of dealing with big data are equally great. Big data analysis requires high-performance analytics running on massively parallel or distributed processing systems. With regard to security, organizations are endeavoring to collect an ever more detailed and exhaustive range of event data and access data. This data is collected with the goal of assessing compliance, improving efficiencies, improving productivity, and detecting violations.
74
Note
From a security standpoint, this means that because processing and storage are distributed on multiple clients and servers, all those computers must be properly secured and protected. It also means that the network links between clients and servers (and in some cases, these links may not be purely local) must also be secured and protected. When evaluating security architecture, be sure to include an assessment of the needs and risks related to distributed architectures. -- For example, modems attached to a desktop machine that’s also attached to an organization’s network can make that network vulnerable to dial-in attacks. There is also a risk that wireless adapters on client systems can be used to create open networks. Likewise, users who download data from the Internet increase the risk of infecting their own and other systems with malicious code, Trojan horses, and so forth.
75
Device Security
Full Device Encryption: encryption isn’t a guarantee of protection for data, especially if the device is stolen while unlocked or if the system itself has a known backdoor attack vulnerability. Remote Wiping: remote wipe lets you delete all data and possibly even configuration settings from a device remotely. The use of an undelete or data recovery utility can often recover data on a wiped device.
76
Remote Wiping
Remote wipe lets you delete all data and possibly even configuration settings from a device remotely. The use of an undelete or data recovery utility can often recover data on a wiped device. To ensure that a remote wipe destroys data beyond recovery, the device should be encrypted.
77
Lockout
Lockout on a mobile device is similar to account lockout on a company workstation. When a user fails to provide their credentials after repeated attempts, the account or device is disabled (locked out) for a period of time or until an administrator clears the lockout flag. Mobile devices may offer a lockout feature, but it’s in use only if a screen lock has been configured.
78
Screen Locks
A screen lock is designed to prevent someone from casually picking up and being able to use your phone or mobile device. However, most screen locks can be unlocked by swiping a pattern or typing a number on a keypad display. Neither of these is truly a secure operation. To unlock the device, you must enter a password, code, or PIN; draw a pattern; offer your eyeball or face for recognition; scan your fingerprint; or use a proximity device such as a near-field communication (NFC) or radio-frequency identification (RFID) ring or tile.
79
Near field communication (NFC)
Near field communication (NFC) is a standard to establish radio communications between devices in close proximity. It lets you perform a type of automatic synchronization and association between devices by touching them together or bringing them within inches of each other. It’s often used to perform device-to-device data exchanges, set up direct communications, or access more complex services such as WPA-2 encrypted wireless networks by linking with the wireless access point via NFC. Because NFC is a radio-based technology, it isn’t without its vulnerabilities. NFC attacks can include man-in-the-middle, eavesdropping, data manipulation, and replay attacks.
80
GPS
Many mobile devices include a GPS chip to support and benefit from localized services, such as navigation, so it’s possible to track those devices. The GPS chip itself is usually just a receiver of signals from orbiting GPS satellites. However, applications on the mobile device can record the GPS location of the device and then report it to an online service.
81
Application Control
Application control is a device-management solution that limits which applications can be installed onto a device. It can also enforce the settings of certain applications, in order to support a security baseline or maintain other forms of compliance.
82
Storage Segmentation
Storage segmentation is used to artificially compartmentalize various types or values of data on a storage medium. On a mobile device, the device manufacturer and/or the service provider may use storage segmentation to isolate the device’s OS and preinstalled apps from user-installed apps and user data.
83
Asset Tracking
You can use asset tracking to verify that a device is still in the possession of the assigned authorized user. Some asset-tracking solutions can locate missing or stolen devices. Some asset-tracking solutions expand beyond hardware inventory management and can oversee the installed apps, app usage, stored data, and data access on a device.
84
Inventory Control
Using a mobile device camera, apps that can take photos or scan bar codes can be used to track physical goods.
85
Mobile Device Management
Mobile device management (MDM) is a software solution to the challenging task of managing the myriad mobile devices that employees use to access company resources. The goals of MDM are to improve security, provide monitoring, enable remote management, and support troubleshooting. You can use MDM to push or remove apps, manage data, and enforce configuration settings both over the air (across a carrier network) and over Wi-Fi connections.
86
Key Management
The best option for key storage is usually removable hardware or the use of a Trusted Platform Module (TPM), but these are rarely available on mobile phones and tablets.
87
Authentication
Whenever possible, use a password, provide a PIN, offer your eyeball or face for recognition, scan your fingerprint, or use a proximity device such as an NFC or RFID ring or tile. As mentioned previously, it’s also prudent to combine device authentication with device encryption to block access to stored information via a connection cable.
88
Geotagging
This allows a would-be attacker (or angry ex) to view photos from social networking or similar sites and determine exactly when and where a photo was taken. This geotagging can be used for nefarious purposes, such as determining when a person normally performs routine activities.
89
Application Whitelisting
Application whitelisting is a security option that prohibits unauthorized software from being able to execute. Whitelisting is also known as deny by default or implicit deny. Due to the growth of malware, an application whitelisting approach is one of the few options remaining that shows real promise in protecting devices and data.
90
BYOD
BYOD is a policy that allows employees to bring their own personal mobile devices into work and use those devices to connect to (or through) the company network to business resources and/or the Internet.
91
BYOD is a policy that allows employees to bring their own personal mobile devices into work and use those devices to connect to (or through) the company network to business resources and/or the Internet.
Although BYOD may improve employee morale and job satisfaction, it increases security risk to the organization.
92
Data Ownership
Establishing data ownership can be complicated. For example, if a device is lost or stolen, the company may wish to trigger a remote wipe, clearing the device of all valuable information. However, the employee will often be resistant to this, especially if there is any hope that the device will be found or returned. Some MDM solutions can provide data isolation/segmentation and support business data sanitization without affecting personal data.
93
Support Ownership
When an employee’s mobile device experiences a failure, a fault, or damage, who is responsible for the device’s repair, replacement, or technical support? The BYOD policy should define what support will be provided by the company and what support is left to the individual and, if relevant, their service provider.
94
Patch Management
The BYOD policy should define the means and mechanisms of patch management for a personally owned mobile device. Is the user responsible for installing updates? Should the user install all available updates? Should the organization test updates prior to on-device installation? Are updates to be handled over the air (via service provider) or over Wi-Fi? Are there versions of the mobile OS that cannot be used? What patch or update level is required?
95
Antivirus Management
The BYOD policy should dictate whether antivirus, anti-malware, and anti-spyware scanners are to be installed on mobile devices. The policy should indicate which products/apps are recommended for use, as well as the settings for those solutions.
96
static environment
A static environment is a set of conditions, events, and surroundings that don’t change.
97
robotic, sensors
Basically, any computational device that can cause a movement to occur in the real world is considered a robotic element, whereas any such device that can detect physical conditions (such as temperature, light, movement, and humidity) is a sensor.
98
IOT
The IoT is the collection of devices that can communicate over the Internet with one another or with a control console in order to affect and monitor the real world.
99
Technical mechanisms are the controls that system designers can build right into their systems.
Layering, abstraction, data hiding, process isolation, and hardware segmentation.
100
layering
It puts the most sensitive functions of a process at the core, surrounded by a series of increasingly larger concentric circles with correspondingly lower sensitivity levels (using a slightly different approach, this is also sometimes explained in terms of upper and lower layers, where security and privilege decrease when climbing up from lower to upper layers).