Software Development Security Flashcards
(209 cards)
1
Q
What is a distributed application?
A
An application that consists of components that reside on separate, networked systems.
2
Q
What are the 3 distinct issues to be aware of when securing distributed systems?
A
- Software integrity
- Data integrity
- Access Control
3
Q
What is an agent in relation to distributed systems?
A
A software component in a distributed system that performs a particular service
4
Q
Patch Management, Host base Intrusion Detection systems and Performance & Capacity Management Systems are all examples of what?
A
Agents in a distributed system
5
Q
What is an applet in a distributed system?
A
A component that’s downloaded and executed by a web browser
6
Q
What are the two most common applets?
A
Java and Active X
7
Q
Java code runs in a constrained environment meaning that it can only communicate with the host from which it was downloaded? What is this commonly known as?
A
A sandbox
8
Q
How does the security philosophy for Active X differ to that of Java?
A
The person running the web browser gets to determine whether they trust all Active X applets coming from a particular server. Digital certificates prove whether the Active X applet is genuine.
9
Q
Which of the following applets doesn’t use a concept of a sandbox? Java or Active X?
A
Active X
10
Q
Mobile code thats downloaded from a server and run on a client is otherwise known as what?
A
An applet
11
Q
Should Active X be blocked by enterprises?
A
Yes
12
Q
What is Web 2.0?
A
web features such as wikis, blogs, web services, mashups, communities, information sharing, etc. that utilises different features on other websites.
13
Q
In terms of applets, what is a mashup?
A
A web page or applications that combines functionality from external applications through their published Application Programming Interfaces (API)
14
Q
An online map that displays locations that come from different online applications implement what?
A
Mashups
15
Q
What is the principle of an Object-oriented environment?
A
Objects after they are written, can be used again and again making an enterprises entire software development more efficient over time
16
Q
What is encapsulation with regards an object oriented environment?
A
inner workings of the object are hidden
17
Q
What term is used to describe an object performing a function?
A
A method
18
Q
What term is used to describe an object that is running?
A
An instance (also refers to an object that is a member of a class of objects)
19
Q
What is a behaviour in relation to an object oriented environment?
A
The result of an object having received a message
20
Q
A template that defines the methods and variables to be included in a particular type of object is known as what?
A
A class
21
Q
Real world example of a class?
A
Class = Cake Object = Chocolate Cake Method = recipe
22
Q
the tree structure of a collection of classes and objects is known as what?
A
Class hierarchy
23
Q
What is delegation in relation to OO?
A
An object that delegates a message to another object that contains the correct method. Happens when an object doesn’t have the requested method.
24
Q
An object that gets some of it’s characteristics from a class is known as what?
A
Inheritance
25
How do objects communicate with one another?
Through messages
26
What is Multi-inheritance?
When an object inherits characteristics from more than one class
27
What is the basic unit in OO?
The Object
28
What is Poly-instantiation?
the process of developing one object from another object, but with different values in the new object
29
What is Polymorphism?
the ability to hide implementation details behind a common message interface. permits objects to be added to the system without having to re-write existing procedures
30
What are the 4 most common types of databases in use today?
Relational
Hierarchical
Object-oriented
Network
31
What is one way of simplifying security issues in a database, by allowing granular access, but through a virtual table using fields and rows from one or more tables in the database.
A View
32
What does aggregation mean with regards databases?
the process of combining separate low sensitive data items to produce a high sensitive data item
33
Which concept refers to the ability of someone to deduce or infer something about sensitive data that beyond normal reach because of its sensitivity level
Inference
34
An application that cites the existence of highly sensitive information within it to users is know as what?
Inference
35
What is a database of databases known as?
Data dictionary
36
What 3 things can you control with a data dictionary?
- create or re-create tables
- manage security access
- a control point for managing the schema of an applications database
37
What is the difference between a data warehouse and production database?
production database used for business operations, whereas data warehouse is used for research, decision support, planning, etc.
38
Why should a production database not be used for data warehousing purposes?
can impact the performance of normal business operations.
39
In a data warehouse, figuring out trends about customers/business activities is commonly known by which two terms?
Data Mining
| Business Intelligence
40
Data mining can be used to detect fraud. true or false?
true
41
```
Which type of database is arranged in a tree structure with parent records at the top of the database and child records at successive layers?
Relational
Hierarchical
Object-oriented
Network
```
Hierarchical
42
Which type of database is an improvement to the design of hierarchical databases where records can be networked to other records via paths that don't follow the normal tree structure?
Relational
Object-oriented
Network
Network
43
Which type of database has relationships between datasets with the freedom of a network database, but without the constraints of a hierarchical database?
Relational
Object-oriented
Relational
44
```
Which type of database is part of the overall object oriented application design?
Relational
Hierarchical
Object-oriented
Network
```
Object-oriented
45
What are two characteristics of a Relational Database?
- is defined by its schema
| - records are often called rows and rows are stored in tables
46
In a relational database what would you use to query a table to look for a specific record?
A primary key
47
What is a primary key?
A field in a table that contains a unique value
48
In relational databases, what is a foreign key?
A field in a table that points to the primary key in another table.
49
A sub-routine that can be accessed by software applications is know by what term?
Stored procedures
50
Prepared statements are basically canned statements that can be called by the application. What are they also known as?
Parametrised statements
51
In a relational database what 2 methods can be used to protect against SQL injection attacks?
Stored procedures and Prepared statements
52
What is a distributed database?
A database whose components exist in multiple physical locations
53
A distributed database can be network, object oriented, relational, hierarchical or any other design. True or False?
True
54
An action performed on a database that results in the addition, alternation or removal of data on a database is called what?
Transaction
55
What can be used to protect data in a database and permit users to alter certain data in that database?
Database management System
56
What is the dominant computer language used to manipulate data in a database?
SQL (Structured Query Language)
57
In databases a mechanism used to avoid collisions in which two or more programs may be trying to update the same table or row at the same time is known as what?
Locking
58
What is used to describe a system that can make decisions or predict the future based on historical data?
Knowledge Based System
59
Which type of system builds a database of past events in order to predict outcomes in future situations?
Expert Systems
60
Expert systems are designed to work with a degree of uncertainty. In what two ways do they do this?
- Fuzzy logic
| - Certainty factors
61
What is fuzzy logic?
the component of an expert system that produces a quantitative result based on uncertainties. breaks down the factors influencing a decision
62
What is a certainty factor?
Operates on the numeric probabilities of yes/no, true/false, etc.
63
What is a neural network?
accumulates knowledge by observing events, measuring their input and outcome. Overtime it becomes proficient at predicting the correct outcome. Learns that input components are weighted.
64
What is the central component of an operating system?
The kernel
65
What are the 4 primary activities carried out by the kernel?
- Process Management: controls execution/termination of programs
- Memory Management: allocated memory to itself as well as running processes
- Interrupts: signal sent to the kernel to temporarily suspend processing
- Hardware Resource Management: manage process access to computer hardware.
66
What part of the OS permits interaction between the kernel and specific hardware connect to the computer?
Device Drivers
67
What are the two primary OS interfaces?
Graphical and Command Line
68
What are the 5 main security functions that an OS carries out on a computer?
- Authentication
- Access Control
- Process isolation
- Network communication
- File-system Access
69
What are the 2 objectives of a system development life-cycle?
- A system that performs its intended function correctly and securely
- A development project that's completed on time and in budget
70
In which type of system development model are stages performed sequentially?
Waterfall
71
```
In a Waterfall model which of the following is used to provide a high level description of a system?
Conceptual Definition
Functional Requirements
Functional Specifications
Design
Design Review
Coding
Code review
System test
Certification & Accreditation
Maintenance
```
Conceptual Definition
72
```
In a Waterfall model which of the following lists required characteristics/features of a system?
Conceptual Definition
Functional Requirements
Functional Specifications
Design
Design Review
Coding
Code review
System test
Certification & Accreditation
Maintenance
```
Functional Requirements
73
```
In a Waterfall model at which stage should a test plan be outlined detailing characteristics of the system that should be tested?
Conceptual Definition
Functional Requirements
Functional Specifications
Design
Design Review
Coding
Code review
System test
Certification & Accreditation
Maintenance
```
Functional Requirements
74
```
In a Waterfall model at which stage are the "what we think we can build" statements included?
Conceptual Definition
Functional Requirements
Functional Specifications
Design
Design Review
Coding
Code review
System test
Certification & Accreditation
Maintenance
```
Functional Specifications
75
```
In a Waterfall model at which stage should details about authentication, authorisation, access control, confidentiality, transaction auditing, integrity, availability, etc. be contained?
Conceptual Definition
Functional Requirements
Functional Specifications
Design
Design Review
Coding
Code review
System test
Certification & Accreditation
Maintenance
```
Functional Specifications
76
```
In a Waterfall model at which stage would database schemas, data flow diagrams, over the wire protocols etc. be inlcuded?
Conceptual Definition
Functional Requirements
Functional Specifications
Design
Design Review
Coding
Code review
System test
Certification & Accreditation
Maintenance
```
Design
77
```
In a Waterfall model At which stage would unit testing (process of verifying all the modules that are built) be carried out?
Conceptual Definition
Functional Requirements
Functional Specifications
Design
Design Review
Coding
Code review
System test
Certification & Accreditation
Maintenance
```
Coding
78
What is OWASP (The Open Web Applications Security Project)?
Provides guidelines for secure coding practices
79
```
In a Waterfall model At which stage would you check for programming erros?
Conceptual Definition
Functional Requirements
Functional Specifications
Design
Design Review
Coding
Code review
System test
Certification & Accreditation
Maintenance
```
Code review
80
What is Unit Testing?
allows a tester or developer to verify the correct functioning of individual modules of an application.
81
```
In a Waterfall model At which stage is a system tested end to end?
Conceptual Definition
Functional Requirements
Functional Specifications
Design
Design Review
Coding
Code review
System test
Certification & Accreditation
Maintenance
```
System test
82
```
In a Waterfall model At which stage is a system evaluated and declared fully functional?
Conceptual Definition
Functional Requirements
Functional Specifications
Design
Design Review
Coding
Code review
System test
Certification & Accreditation
Maintenance
```
Certification & Accreditation
83
What is the difference between certification and accreditation?
Certification is a formal system evaluation whereas accreditation is done by senior management tat have said it's ok to put the system into production.
84
```
In a Waterfall model At which stage is change management and configuration management carried out?
Conceptual Definition
Functional Requirements
Functional Specifications
Design
Design Review
Coding
Code review
System test
Certification & Accreditation
Maintenance
```
Maintenance
85
The process of approving modifications to a production environment is known as what?
Change Management (the what)
86
the process of recording modifications made to a production environment is called what?
Configuration Management (the how)
87
name 4 common system development life-cycle models?
Waterfall
Spiral
Scrum
RAD (Rapid Application Development)
88
What should the 5 security principles be in software development?
- Security in the requirements
- Security in the design
- Security in testing
- Security in the implementation
- Ongoing security testing
89
What 12 applications security controls should be considered when developing a system?
- process isolation
- hardware segmentation
- separation of privilege
- accountability
- defence in depth
- abstraction
- data hiding
- system high mode
- security kernel
- reference monitor
- supervisor and user mode's
- SLA's
90
Application Security: What is process isolation?
running processes aren't allowed to view or modify memory or cache assigned to another process (isolation carried out by OS so developer shouldn't have to worry about this)
91
Application Security: What is hardware segmentation?
the practice of isolating functions to separate hardware platforms to ensure the integrity and security of system functions, ie separation of a development environment and a production environment.
92
Which two of the following are used to re-enforce the concept of separation of duties and least privilege?
- process isolation
- hardware segmentation
- separation of privilege
- accountability
- defence in depth
- abstraction
- data hiding
- system high mode
- security kernel
- reference monitor
- supervisor and user mode's
- SLA's
- hardware segmentation
| - separation of privilege
93
Application Security: What is separation of privileges?
assures that no individuals or objects have excessive functions on a system
94
Application Security: What is Abstraction?
a process of viewing an application from its highest level functions, which make all lower level functions into abstractions.
95
In abstraction, lower level functions are treated as black boxes. What does this mean?
Known to work, even if we don't know how.
96
Application Security: What is system high mode?
refers to a system that operates at the highest level of information classification.
97
Application Security: What is the Security Kernel?
- composed of hardware, software and firmware components that mediate access and functions between subjects and objects.
- part of the protection ring model in which the OS kernel operates the innermost ring and has full access to all system data/hardware with user programs occupying outer rings with fewer access privileges.
98
What does the security kernel use to enforce access control on a system?
Reference Monitor
99
Why should a business application run in user mode rather than supervisor mode?
An application running in supervisor mode could bypass some or all security controls
100
What 8 minimum standards should be defined in an SLA?
- Hours of availability
- Average and peak number of concurrent users
- Transaction throughput
- Data storage capacity
- Application Response Times
- Service Desk Response Times
- Security Incident Response Times
- Escalation process during times of failure
101
What are the characteristics of a virus?
- to replicate itself. spreads by making identical copies of itself on files that are likely to be transported to other computers.
- can be booted from media, run from a .exe, macros in documents/image files, Javascript, Active X, etc.
102
A virus that can spread by both using the boot sector and executable files is called what?
A multi-partite virus
103
What is the difference between a worm and a virus?
Worms propagate by attacking known weaknesses on systems whereas viruses propagate via programs, ie .exe
104
Conficker, Code Red, NIMDA and Storm are all types of what?
Worms
105
A malicious program that hides itself within the target machine in order to evade detection is known at what?
A rootkit
106
Name 5 types of rootkits?
- Hardware
- Firmware
- Hypervisor
- Kernel
- Library
107
Which type of rootkit normally requires a compromise in the manufacturers supply chain that permits the substitution of a component in a computer with one that includes rootkit code?
- Hardware
- Firmware
- Hypervisor
- Kernel
- Library
Hardware
108
What is the most likely scenario in which a firmware could be infected by a rootkit?
Firmware updates
109
What are the characteristics of a Hypervisor rootkit?
- Operates as a virtual machine running between the hardware and the OS.
- The running OS is a guest on the hypervisor environment.
- can intercept all communications such as input/output with devices such as disk drives.
110
What is a kernel rootkit?
Utilises malicious code to insert itself into the OS kernel.
111
What is a Library rootkit?
Inserts rootkit code into an OS code's library. Rather than alter the disk copy of a library file, a rootkit alters the memory image only.
112
Why are rootkits difficult to detect?
rootkits exist in a location that the Anti-Virus program is unable to access or is not designed to access.
113
An object that claims to be one thing, but turns out to be something else is known as what type of malicious code?
Trojan Horse
114
What are the characteristics of a trojan horse?
- generally don't spread by replicating themselves
- normally delivered either via email with a malicious payload such as .exe or file with macros or via a pop-window with a link.
115
Which two types of malicious could generally spread through replication?
Worms and Viruses
116
A pop-up windows trojan that attempts to pressure a user into installing software because their machine is infected is known as what?
Scareware
117
A phony virus warning message that is designed to cause panic is otherwise known as what?
A hoax
118
Which type of program is designed to cause damage when some sort of computer/network event has occurred?
Logic Bomb
119
What are the characteristics of a logic bomb?
- invokes when a specific computer/network event occurs.
| - don't replicate, but can be delivered via viruses or worms
120
What would be two ways of combating logic bombs?
- code reviews
| - controls that prevent unauthorised changes from being inserted into software and systems.
121
What is a malicious applet?
Active X/ Java applet carrying malicious code.
122
Why is it easier to write a destructive Active X applet than a Java applet?
Active X applets normally have unfettered access to the entire computer, whereas a Java applet is sandboxed.
123
Which type of logic bomb functions as part of a program and performs an undocumented function whenever certain conditions are met to bypass security controls?
Trapdoor
124
What is Hidden Code in relation to Malicious Code?
If an attacker can modify or replace programs on the target system, he or she may elect to install hidden code that usually carries out some sort of malicious act.
125
An applications reporting program that also happens to erase certain entries fro an audit trail can be categorised as which type of malicious code?
Hidden code
126
An attack where the attacker attempts to insert instructions into a computer programs input field, in an attempt to prompt the program to perform functions unintended by the programs developer is known as which type of attack?
Injection Attack
127
What are two common types of injection attacks?
SQL injection: injects SQL statements in an attempt to trick a backend database to perform specific funtions.
Frame injection: attacker attempts to load arbitrary code into a browser into order to steal other data from other frames present in the browser session.
128
Frame injections are also commonly known by which two names?
Cross Frame Scripting
| XFS
129
Which type of attack is one where an attacker is able to inject client-side scripts into web pages viewed by other intended victims and allows an attacker to bypass security mechanisms in websites/browsers?
Cross-site scripting attack (XSS)
130
What are the two principal types of XSS attacks?
Non-persistent and persistent
131
Which type of XSS attacks tricks a user to clicking a malicious URL containing a malicious script, which for instance could steal the users session cookies?
Non-persistent XSS attack.
132
Which type of XSS attack is malicious code stored within a browser/website?
Persistent XSS attack
133
In which type of an attack, does an attacker attempt to trick a victim into clicking on a link which then performs some sort of action that the victim would not approve?
Cross-site request forgery (CSRF)
134
What are two common methods of protecting against Cross-site request forgery attacks?
- the inclusion of a one-time-use hidden variable such as a nonce on important web pages. the website keeps track of these hidden variables and any variation indicates potential tampering.
- inclusion of a secondary approval dialogue for any significant transaction, ie on a banking website.
135
What is the purpose of a Denial of Service attack?
To make a system unavailable
136
What are the two types of Dos Attacks?
- attacker floods the victims system with a large number of network packets that legitimate users of the system cannot reach.
- attacker creates a specific message that is designed to cause the target system in malfunction and stop running
137
What is a DoS SYN attack?
- exhausts a systems resources to the point that it can no longer function.
138
What is the Ping of Death attack?
a malformed or extremely large ping packet is sent to the target system
139
What is a Distributed Denial of Service attack (DDoS)?
occurs when an attacker uses multiple systems to attack a target system simultaneously
140
Which type of attack is used to crack computer passwords using common words found in the dictionary?
A dictionary attack
141
What does a dictionary attack first require in order to be successful?
A copy of the Unix password/shadow file or Windows SAM file.
142
Which type of attack changes the network identity of a computer or program so as to trick the targeted system into granting access? ie a target system may only accept telnet requests from specific IP's which the attacker masquerades as
Spoofing
143
In a spoofing attack, when the target system replies, will the reply go to the attacker spoofing the address or the actual address itself?
Address itself
144
What are 4 ways of preventing spam?
- Centralised appliance: appliance connected to the network ahead of the email server.
- Spam blocking service: third party service receives the email, blocks out the spam. advantage is a complete absence of spam consuming network resources.
- Spam blocking software: anti-spam software running on email server removing spam when they enter or after they are stored. less widely used.
- Workstation based software: almost never used anymore.
145
What are the most effective spam blocking services?
those that are centralised and placed as far ahead of the email servers as possible.
146
What are 4 technical forms of social engineering?
Phishing
Pharming
Spear-phishing
Whaling
147
```
Which technical form of social engineering involves the create of genuine looking email messages that direct a user to a fake site such as on-line banking to enter details?
Phishing
Pharming
Spear-phishing
Whaling
```
Phishing
148
```
Which technical form of social engineering hacks a user's DNS to re-direct them to a fake site?
Phishing
Pharming
Spear-phishing
Whaling
```
Pharming
149
What is spear phishing?
An attacker targets certain users or groups of users, ie a phisher may know the specific online financial institutions that a group of users use.
150
What is Whaling?
A type of phishing attack that targets seniot executives in an organisation.
151
Which type of social engineering attack is a special form where an attacker poses as an admin or vendor, telling unsuspecting users that a flaw has been discovered in the system and they should install a certain patch (usually a trojan horse)
Pseudo flaw attack
152
A developer that buries software code in order to expose features, functionality, data , etc is known as what?
A maintenance hook
153
What can be the problems with identifying maintenance hooks?
Normally undocumented and are designeed to evade detection
154
What is a technical form of eavesdropping?
packet sniffers
155
How can an attacker use traffic analysis and inference?
Analyse traffic patterns and other types of transmissions in order to make inferences about something her or she wants to know more about, ie sabotage a system during high network utilisation. normally part of a bigger plan.
156
Which type of attack involves an attacker attempting to login with a user ID using every possible password?
Brute force attack
157
How can a brute force attack easily be prevented?
Account lockout after a number of failed attempts.
158
how does Anti-Virus software work?
intercepts OS routines that store files and open files.
159
What is heuristics in relation to AV?
the AV software detects certain kinds of anomalous behaviour instead of checking for a virus signature such as the replacement of a .exe with a newer version.
160
What are the two common methods used by AV vendors today?
Signatures and heuristics
161
What are the 3 benefits of using heuristics?
- conservation of space: signature files grow large.
- decreased download time: rate of virus creation means that you need to update signatures more and more frequently.
- improved computer performance: computer is focused on symptoms rather than does or doesn't a file possess a virus signature.
162
What is the difficulty in preventing new forms of malware?
virus code is scrambled each time it is sent to another computer meaning that a new signature is required for each one
163
Other than AV, what are 3 other ways of commonly fighting against malware?
- Application whitelisting: permit only registered applications to execute on a workstation
- Data Leakage Prevention: Programs and network devices are designed to detect possible data leakage
- malware callback detection: network devices that listen for signs of malware calling home, ie point of origin
164
What is a hacker?
A broad-brush term describing anyone with computer hacking skills?
165
An individual with a low technical acumen of that of real hackers and that use programs developed by hackers are called what?
Script kiddies?
166
What was the original terms to describe someone that cracked long distance telephone networks in order to get free long distance calls?
Phreakers (often used to describe hackers that break into systems in order to obtain free services)
167
What is the difference between a black hat hacker and white had hacker?
Black hat = bad guys
| White hat = good guys
168
What is bounds checking?
Field size, time, date, etc. think of buffer overflow attacks
169
software development is covered in which ISO standard?
ISO 9000
170
Which type of software development method is preferred for system security?
Non-iterative or iterative
Non-iterative
171
What are three types of non-iterative security models?
- Structured Programming Development: requires defined processes and modular development. Each phase is subject to reviews and approval
- Spiral Method: nested version of Waterfall model. each phase of waterfall has 4 sub-stages based on the common Deming PDCA (Plan-Do-Check-Act). incudes risk assessment.
- Cleanroom: engineering process for development of high quality software. method of controlling bugs in software. goal is to write code correctly the first time. more time spent on early phases to reduce testing. quality achieved through design rather than testing.
172
What is the difference between iterative and non-iterative system development models?
Iterative allow for refinements of design, coding, requirements.
173
What are 5 types of iterative system development models?
- Prototyping: objective is to build a simplified version of the app.
- Modified Prototype Model (MPM): form of prototyping that's ideal for web app development. maintenance phase begins straight after deployment. app evolves as business requirements evolve.
- Rapid Application Development (RAD): form of rapid prototyping. disadvantage is rapid development can result in poor decisions on design.
- Joint Analysis Development (JAD): Integral part of RAD and other methods. based on key players communicating at critical phases of project
- Exploratory Model: based on assumptions without structure. due to this security may play second fiddle.
174
What 4 system development methods do not rely on the iterative/non-iterative model?
- Computer Aided Software Engineering (CASE):
- Component Based Development (similar to Object oriented programming)
- Reuse Model (object oriented)
- Extreme Programming:based on values or simplicity, communication and feedback. fairly structured approach.
175
What 3 sub-languages are there in SQL?
- Data Definition Language (DDL):used to create databases, tables, views.
- Data Manipulation Language:used to query, insert,extract data
- Data Control Language:used to control access to data
176
Which sub-language of SQL is of primary concern in relation to security?
Data Control Language (DCL)
177
What are the 5 database interface languages?
- Open Database Connectivity (ODBC)
- Java Database Connectivity (JDBC)
- eXtensible Markup Language (XML)
- Object Linking and Embedding Database (OLE DB)
- Active X Data Objects (ADO)
178
Which Database Language Interface is the dominant means of standardised data access?
ODBC
179
What are common security issues with ODBC?
- username and password stored in plaintext
- call and returned data sent in cleartext
- calling applications must be checked to ensure they don't combine data from multiple sources, ie data aggregation.
- calling applications must be checked to ensure they do not exploit ODBC drivers.
- poor user verification
180
How can access to databases through the internet be secured?
create a tiered application approach that manages data in layers. most use a three tier approach: presentation layer, business logic layer and data layer (internet computing model)
181
What are the advantages and disadvantaged to the internet computing model for db access via the web?
Advantage is that the user does not directly access the data.
Disadvantage is that if the db has security featuresm they may be lost through the middle translation layer.
182
What is a general metadata standard relating to the retrieval of information resources? (particularly form the web)
The Dublin Core Metadata Element Set
183
What is Online Analytical processing?
provide an analyst with the ability to formulate queries, and based on the outcome of the queries, define further queries.
184
The locking of data in a database and related requirements is known as an ACID test. What does this stand for?
- Atomicity: when all parts of a transaction's execution is committed or rolled back.
- Consistency: occurs when a database is transformed form one valid state to another valid state.
- Isolation: isolating one transaction from another
- Durability: ensures completed results are permanent.
185
In which SQL standards can individual object rights be assigned?
SQL 92
186
In a non object oriented database, how can restrictions be applied to a database?
by user
by view
by individual items
187
What 3 security controls can be applied to object oriented databases?
Metadata controls ,ie data dictionary
Data contamination controls, ie input/output controls
Online Transaction Processing: record all busines transactions
188
What are the security concerns for OLTP systems?
Concurrency and Atomicity
189
What is "Full Disclosure" in relation to software licensing?
where an individual publicly disseminates information regarding vulnerabilities they have found in software.
190
What is a low level programming language?
machine and assembly languages (closer in form to the binary language of the computer)
191
What are high level languages?
High level languages become closer to human language and introduce standards which can be beneficial for security. Java and C are examples.
192
Languages are generally separated into generations what are they?
1st: binary, hex
2nd: symbols as abbreviations for instructions
3rd: meaningful words
4th: query languages
5th: natural language interfaces
193
What is JavaScript?
allows control over most of the features of a web browser. security management in javascript is minimal. either its enabled or disabled.
194
What are the 3 parts of the Java Security approach?
1. Verifier: memory and bounds checking
2. Class Loader: Load and unloads classes
3. Security Manager: protects against rogue functionality
195
What is a weakness of the 3 part java security model?
if any of the 3 parts fail to operate the security model may be compromised.
196
Security enhancements to Java can provide:
- validating certification paths
- managing certificate revocation lists
- kerberos support
- authentication and access controls
- encryption, key generation, message authentication
- Java Secure Sockets Extension: implements java version of SSL/TLS and inlcudes data encryption, serevr authentication, message integrity, optional client authentication.
197
What is a "Between the Lines Attack"?
occurs when telecommunications lines used by an authorised user are tapped into and data falsely inserted.
198
Klez and SirCam are which type of virus?
have the ability to send data files form your system to another system.
199
Jerusalem is a type of which virus?
File Infector
200
Brain, Stoned and Michaelangelo are types of which type of virus?
Boot sector
201
What is a Companion/Spawning virus?
doesn't physically touch the target file. if files are copied to a certain directory in a specific order then the directory will get infected.
202
Melissa, Loveletter, Hybris and SirCam are common viruses that are delivered by what means?
Email
203
Concept and CAP are common examples of which type of virus?
Macro Virus
204
What is a Macro Virus?
uses macro programming of an application such as a word processor. most common use visual basic for applications in microsoft word.
205
What is a script virus?
usually standalone files that can be executed by an interpretor, ie Microsoft Windows Script Host ,.vbs.
206
CodeRed, LION and Nimda are types of what?
Worms
207
What is a Remote Access Trojan (RAT)?
designed to be installed, usually remotely, after systems are in production, not in development as is the case with logic bombs and backdoors.
208
BlackShades, Back Orifice, Netbus, Bionet and SubSeven are types of what?
Remote Access Trojans
209
What is a "Processor Privileged State"?
protects the processor and the activities it performs.
