InfoSec Exam 1


128 Terms

1

What is a macro?

A small program written to do something quickly

2

How do macros pose a threat?

They can be embedded in documents and used maliciously to obtain access to another machine.

3

What is a keylogger?

Program that records when a user types on their machine and sends that to the attacker's machine

4

The ___ ___ ___ establishes relationships among documents

World Wide Web

5

How do computers communicate?

Using TCP/IP

6

What is TCP?

Transmission Control Protocol

7

What is IP?

Internet Protocol

8

What three things are required for a risk to exist?

An asset, threat, and vulnerability

9

What is an asset?

Something of value that I want to protect

10

Can the amount of assets be zero?

No

11

What is a threat?

An entity that can damage assets

12

What is a vulnerability?

A weakness in the system that can be exploited by the threat

13

What is the only ingredient required for risk that we can control?

Vulnerability

14

What is a risk?

The possibility of suffering damage

15

(T/F) If there exists only a threat and an asset, but no vulnerabilities, there exists risk.

False

16

(T/F) If someone steals your data, you no longer have access to it.

False

17

What does it mean for someone to steal data?

To read data in an unauthorized manner.

18

What are the three Security Requirements?

Confidentiality, Integrity, and Availability (CIA)

19

What is confidentiality?

Unauthorized people should not be able to read data.

20

What is integrity?

Unauthorized people should not be able to modify data

21

What is availability?

Authorized users must be able to access data whenever they need

22

How do you measure system availability?

Divide up-time by up-time + down-time

23

What are the three main parts of a Security Paradigm?

Protect, Detect, and Recover/React

24

What is included under protect in the Security Paradigm?

Strong password, firewall, security updates, access control, and encryption

25

What are the pros of Encryption?

Protects against confidentiality violation (i.e. the hacker cannot read what they cannot understand)

26

What are some cons of encryption?

Does not protect against integrity violations (hacker can modify encryption) and it affects availability

27

What is included under detect in the Security Paradigm?

Intrusion detection tools, honey pots, logs

28

What is a honey pot?

A trap for a hacker (such as a fake passwords file, which is monitored to detect who looks at the folder)

29

How do logs play a role in detection?

They log activity in the system to ensure there’s no funny business going on

30

What are the limitations of logs?

If you log too much, the system may overwrite the file, but if too little is logged, you may not catch when there is a hacker.

31

What is Recover/React in the Security Paradigm?

The best practices and knowledge required to recover or react to an event

32

Why does recovery/react need to be fast and correct?

Fast to ensure availability and correct to ensure integrity

33

How many values does an attacker need to change to cause a domino effect?

Just one

34

How can the user recover after an attack?

They must go through and recalculate everything with the correct values

35

Why must the system be unavailable during recovery?

The hacker can continue doing damage if the system is available.

36

What is the weakest link in IT Infrastructure?

User Domain

37

What are the seven domains in IT Infrastructure?

User, Workstation, Local Area Network (LAN), LAN-to-WAN, Wide Area Network (WAN), System/Application, and Remote Access Domains.

38

What are security policies?

A set of statements that can be implemented to enforce security

39

What are security mechanisms?

Mechanisms that define how policies can be implemented

40

What relationship exists between policies and mechanisms?

Many-to-Many

41

(T/F) A system may have many vulnerabilities, so many security policies are needed. Therefore there need to be many security mechanisms.

True

42

What defines a secure state?

No security violations occur

43

What causes the system to enter an unsecure state?

When a security mechanism fails.

44

What can mechanisms guarantee?

That the machine will remain in a secure state, a portion will be either state, OR a portion of the system will remain secure.

45

What is the broad set of mechanisms?

A bad and possibly evil set of mechanisms that may allow the system to reach an insecure state.

46

What is a precise set of mechanisms?

An amazing and beautiful set of mechanisms that never allow the system to reach an unsecure state, but is allowed to reach every secure state.

47

What is the secure set of states?

A subset of secure states

48

What is risk management?

Balancing the cost of risk vs countermeasures

49

(T/F) The cost of countermeasures must not exceed the cost of the damage.

True

50

What is impact?

The amount of damage caused by threats

51

To understand the risk, we must understand the _____.

Impact

52

What is an event?

A measurable occurrence which has an impact.

53

(T/F) An event must be security related.

False

54

What is an incident?

An event that violates or threatens to violate security policies.

55

(T/F) An incident must be security related.

True

56

What is an outsider threat?

A threat that comes from outside of the organization.

57

What is an insider threat?

A threat that comes from inside of the organization

58

Does an insider threat or an outsider threat have a higher impact?

Insider threat

59

What is a quantitative risk assessment?

When financial cost is assessed. Based off of hard data (numeric value)

60

What is a qualitative risk assessment?

A scenario-based assessment based off of soft data. It is difficult to get an exact cost.

61

What is considered in a qualitative risk assessment?

Impact vs probability of damage occurrence

62

What are the three types of hackers?

Black Hat, White Hat, and Grey Hat

63

What are black hat hackers?

Hackers that have advanced skills and access systems in an unauthorized way.

64

What are white hat hackers?

Hackers that have advanced skills but access systems in an authorized way.

65

What is the objective of black hat hackers?

Financial gain

66

What is the objective of white hat hackers?

To test system vulnerability

67

What are grey hat hackers?

Hackers that have medium skills, who could become a black hat or white hat

68

What is a birthday attack?

When a hashed password file is compromised.

69

What is a dictionary password attack?

Running words from the dictionary to crack a password (brute force)

70

What is IP spoofing?

When an attacker spoofs an IP address such that it appears that the source is a trusted location.

71

What is session hijacking?

When a valid user logs in and an attacker takes control of the system.

72

What is a man-in-the-middle attack?

When an attacker intercepts packets in between the target and the rest of the network.

73

What is a replay attack?

When an attacker sends a message over and over again (such as requesting a user to log in multiple times to get their password)

74

What are the four parts of access control?

Identification, Authentication, Authorization, and Accountability

75

What is authentication in access control?

The way the system verifies that a user is who they claim to be

76

What is identification in access control?

Assigning an identity to each user

77

What is authorization in access control?

What a user can or cannot do (ex: admin vs regular user)

78

What is accountability in access control?

The way the system checks the user activities log

79

What are the four ways we can authenticate a user?

By what the user knows, what the user has, what the user is, and where the user is

80

What is a password?

A string of characters

81

What is a password domain?

Defines the specifications for a password (ex: 8 characters, A-Z, etc)

82

What is the Authentication Information?

A set of passwords chosen by users

83

What are the four parts of a password system?

Authentication info, authentication function, complementary info, and complementary function

84

What is an authentication function?

The interface where the system allows the user to log in. (i.e. what is provided to the user)

85

What is the complementary function?

A one-way function which modifies the password from the authentication information.

86

How does a password system work?

The user enters in their info using the authentication function. The password is then the authentication information. Then, the complementary function takes the password, and does a one-way modification on the password. If the user is setting their password, the modified password is then stored in the complementary info. If the user is logging in, then the modified password is checked against existing passwords stored in the complementary info.

87

What is the complementary info?

The user info stored in the system.

88

What is the authentication info?

What the user provides to the system.

89

What are the two methods of password attacks?

Guessing the password, or knowing/figuring out the complementary function and getting access to the complementary info

90

What is a type 1 Dictionary attack?

When the complementary function & complementary info are used to find a password

91

How do you defend against a type 1 dictionary attack?

Hiding the complementary function and/or complementary info

92

What is a type 2 dictionary attack?

When the attacker uses the authentication function to find a password

93

How to defend against type 2 dictionary attack?

After n failed attempts, take action (ex: lock account for some time period)

94

How do you calculate the number of possible passwords?

(number of character options)^(password length)

95

Assume there are N number of passwords in the password domain. An attacker can guess G number of passwords per minute. The attacker tries for T minutes. 

What is the total number of passwords the attacker can try?

TG (time * passwords per minute)

96

Assume there are N number of passwords in the password domain. An attacker can guess G number of passwords per minute. The attacker tries for T minutes. 

What is the probability of the attacker breaking the password?

P >= (TG)/N (Probability is greater than or equal to time * passwords per minute over the number of passwords)

97

Assume there are N number of passwords in the password domain. An attacker can guess G number of passwords per minute. The attacker tries for T minutes. 

What factors can we control?

We cannot control T, can try to control G but not really, but we can control N (number of passwords in domain)

98

How can we reduce the probability of an attacker breaking a password?

By increasing the password domain

99

What are the three types of passwords?

User selected, computer generated, and pronounceable passwords

100

What are user selected passwords?

Typically something easier for the user to remember. They tend to be easy to break.