Security Final

101 Terms

1. Vulnerability
weakness that could be exploited to cause harm / attack surface - needs to be controlled

2. Threats
circumstances that could cause harm - are limited - are blocked by controlling vulnerabilities

3. Controls
prevent threats from exercising vulnerabilities

4. 3 Properties of Security
Confidentiality, Integrity, Availability

5. Confidentiality
asset is viewed by authorized parties
  • who + what + how

6. Integrity
asset is modified only by authorized parties

7. Availability
asset can be used by any authorized party

8. Types of Attackers
terrorist, hacker, individual, group

9. Securing the Weakest Link
attackers are more likely to attack a weak spot - Risk = Probability x Impact; e.g. admins, users, tech support are the weakest

10. Defense in Depth
layer security defenses with multiple mechanisms
11. Failing Securely
unless given explicit access, deny user access. When the system fails, undo changes; secure defaults deny information

12. Separation of Privilege
the system should not grant permission based on a single condition - multiple security checks

13. Economy of Mechanism
mechanisms should be as simple as possible; reduce the number of choke points - bridge

14. Least Common Mechanism
mechanisms used to access resources should not be shared

15. Reluctance to Trust
assume the environment is insecure and not trustworthy

16. Never Assuming That Your Secrets Are Safe
design should not be secret; don't depend on attackers not knowing

17. Complete Mediation
all accesses to objects are checked to ensure that they are allowed; system-wide view of access control

18. Psychological Acceptability
security cannot hinder the usability of the app and should be transparent

19. Promoting Privacy
prevent attackers from accessing private information

20. 3 Types of Tools
authentication, access control (authorization), cryptography
21. Identification
who the person is (username)

22. Authentication
proving an asserted identity (password)

23. ACL - Access Control List
list of permissions attached to an object - token created

24. ACD - Access Control Directory
one directory per user pointing to ACLs

25. ACM - Access Control Matrix
matrix containing all permissions and all users - inefficient to search

26. Symmetric Keys
using the same key to encrypt and decrypt

27. Asymmetric Keys
using different keys to encrypt and decrypt - public and private

28. Stream Cipher
encrypts each unit of data in the stream; + speed, low error

29. Block Ciphers
encrypts groups of data as a fixed-size block; + high diffusion, can insert
30. AES
  • substitution, shift, mix, permutation, XOR
  • 1999
  • 128 bit block size
  • 128, 192, 256 bit keys
  • operations: 10, 12, 14
  • open design/rationale
  • Dutch
  • symmetric 128 bit block cipher

31. Public Key (asymmetric)
same symmetric key; one user has a public and a private key
  • n * (n-1)/2 = number of keys
  • unlimited key size
  • slower algorithm

32. MITM
intercepts and substitutes a return address meant for the other person

33. Hash Codes / Checksum / Message Digest
computed with every change of the message to detect whether the message was tampered with
  • SHS/SHA algorithm to compute

34. Digital Signatures
authentic/unforgeable and not alterable or reusable
  • public key cryptography + message digest
  • Need: file, proof of non-alteration (hash), identification of signer (private key), validation, connection of signature to file

35. Certificate
public key + identity, signed by a certificate authority

36. Certificate Authority
accurately verifies identities before generating certificates
37. Buffer Overflow
when data is written beyond the space allocated for it

38. Command Injection
user input intended to be data is instead interpreted as a command

39. Cross Site Scripting
unique to web-based applications: a user's data tied to a vulnerable web server (e.g. a cookie) is disclosed to a malicious third party - command injection with HTML and GET requests

40. Format String Problems
a string that formats data for display or storage - if not specified, it allows an attacker to read from or write to specific memory locations

41. Integer Range Errors
an arithmetic operation creates a value too large to be stored

42. SQL Injection
using an input as a SQL command to get information from the database

43. Trusting Network Name Resolution
resolution of website names to IP addresses, usually through the Domain Name System (DNS)

44. Failing to Protect Network Traffic
network attacks can come in many forms:
  • Eavesdropping - listening to and/or recording conversations
  • Replay - replaying information, such as provided authentication information
  • Spoofing - mimicking a party
  • Tampering - manipulating data
  • Hijacking - cutting out one of the parties

45. Failing to Store and Protect Data
protecting data in the system, not in transit: ACLs, privileges, allow vs. deny

46. Weak Random Numbers
improper seeding creates predictable seeds and numbers - throws off crypto algorithms
47. Improper File Access
three types of errors:
  • a race condition where a window of vulnerability is exploited between the Time Of Check and the Time Of Use (TOCTOU)
  • opening a file without regard for the nature of the file; it could actually be a symlink placed by an attacker
  • giving attackers some control of filenames so they can update and access sensitive information

48. Improper Use of SSL and TLS
server authentication performed poorly using public key infrastructure through SSL and TLS

49. Use of Weak Password-Based Systems
not using social engineering, side-channel problems

50. Unauthenticated Key Exchange
man-in-the-middle attack

51. Signal Race Conditions
two executions are changing a resource and interfering with each other

52. Use of Magic URLs and Hidden Forms
URLs storing important data

53. Failure to Handle Errors
failing securely

54. Poor Usability
presenting security info to users without being simple and clear

55. Information Leakages
side channels, timing and storage providing too much info.

56. 3 Types of Malware
virus, worm, trojan horse
57. Transient Virus
has a life span dependent on its host program

58. Resident Virus
resides in memory and can run as a standalone program

59. Virus
program that can replicate itself and pass on malicious code by modifying other programs

60. Worm
a program that spreads copies of itself through a network

61. Trojan Horse
program with no apparent effect but a second, hidden effect

62. Zero-Day Attacks
active malware that exploits a product vulnerability for which the software provider has no countermeasure available, or the countermeasure has not been implemented

63. Four Aspects (Properties) of Malicious Code
Harm (how they affect users and systems), Transmission and Propagation (how they are transmitted and replicated), Activation (how they gain control and install themselves so they can reactivate), Stealth (how they avoid detection)

64. 3 Types of Harm
nondestructive, destructive, commercial or criminal intent

65. Man-in-the-Browser
trojan horse that reads, copies and redirects data as the user enters it in the browser; attack on a browser

66. Keystroke Logger
hardware or software recording keystrokes (malware)

67. Page-in-the-Middle
user is directed to a different page than intended; attack on a website
68. Program Download Substitution
page with programs to download that install malware

69. User-in-the-Middle
clickbait to trick users into solving CAPTCHAs

70. Substitute Content (malicious)
type of malicious web content that replaces parts of a web site with malicious intent in a way that doesn't attract attention

71. Web Bug
similar to cookies; sends data to the web bug owner

72. Clickjacking
pop-up ads that have the user click on them

73. Drive-By Download
code downloaded without the user knowing, through clickjacking, fake code, program download substitution

74. OS Loading
BIOS, bootstrap

75. Virtualization
OS presents each user with just the resources that user should see

76. Fence
confine a user to one side of a boundary

77. Separation and Sharing
keeping one user's objects separate from another user's: physical, temporal, logical, cryptographic

78. Base Registers
identify the starting address for a program

79. Bounds Register
upper bound, if necessary, to manage allocation of memory - prevents programs from overwriting code
80. Paged Segmentation
dividing programs into logical segments and physically storing them in fixed-size pages

81. Rootkits
taking advantage of the identity of the most powerful user, owning all sensitive system resources - part of the OS

82. OSI Model (Open Systems Interconnection)
APSTNDP → how senders and receivers process messages

83. DoS Attacks
Denial of Service → targets availability through high, rapid attacks → ping of death, smurf attack (echo request), echo-chargen (looping echo packet), teardrop attack (inconsistent fragments), DNS spoofing, rerouting routing (all traffic to one node), session hijacking (src address change)

84. Botnets
isolates the attacker from the attacks; continuous attacks from a hierarchy

85. WEP
client and access point have a pre-shared key → client encrypts a key, AP decrypts and the client is authenticated

86. SSL Session
client requests an SSL session with a server; server responds with a public key cert; client returns a symmetric session key encrypted with the server's public key

87. Onion Routing
each node knows the immediate/last sender and the next recipient

88. Packet Filtering Gateway
examines the control information of every packet - src, dest

89. Stateful Inspection Firewall
judges multiple packets (ping to multiple ports)

90. Application Proxy
looks at messages (app layer) and runs pseudo-apps to inspect them

91. Circuit-Level Gateway
one network is an extension of another through a virtual gateway - establishes VPNs through circuits
92. Guard
interprets data and responds - implements rules (emails, bandwidth, filters docs)

93. Personal Firewalls
enforce set policies and work with other firewalls

94. DMZ
contains firewall, web page, email, FTP services

95. FIdM Process Sequence
federated identity management: access request → authentication/authorization request → authentication request → authentication credentials → authorization response → access response

96. SAML
Security Assertion Markup Language - web browser single sign-on to exchange user identity and privileged information - authentication standard → browsers

97. OAuth
allows 3rd party apps to access APIs and account resources → native apps

98. OIDC
single set of credentials for all internet sites - better support for native apps + identity token; requires TLS

99. Copyrights
  • expression of ideas
  • made public to promote publication
  • requirement to distribute
  • 75-100 years

100. Patent
  • invention
  • made public for design at patent office
  • 19 years
