Which attackers most difficult to detect and prevent
Insider Attackers
What does Denial of Service do ?
prevents or inhibits the normal use or management of communications facilities
An example of a rootkit is
is a set of programs installed on a system to maintain covert access to
that system with administrator (root) privileges while hiding evidence
of its presence
A Misfeasor is
is a legitimate user who accesses data, programs, or resources for
which such access is not authorized, or who is authorized for such
access but misuses his or her privileges
what does a keylogger do
Bot can use a to capture keystrokes on the infected machine to retrieve sensitive information
The masquerader is most likely an insider
True
What is the difference between passive and active security threats
Passive attacks have to do with eavesdropping on, or monitoring, transmissions. Electronicmail, file transfers, and client/server exchanges are examples of transmissions that can bemonitored. Active attacks include the modification of transmitted data and attempts to gainunauthorized access to computer systems
List and briefly define categories of passive and active network security threats
Passive attacks: release of message contents and traffic analysis. Active attacks: masquerade,replay, modification of messages, and denial of service.
Consider an online internet banking system in which users provide a password and accountnumber for account access. Give examples of confidentiality, integrity and availabilityrequirements associated with the system and, in each case, indicate the degree ofimportance of the requirement
Consider an online internet banking system in which users provide a password and accountnumber for account access. Give examples of confidentiality, integrity and availabilityrequirements associated with the system and, in each case, indicate the degree ofimportance of the requirement.The
What are the three broad mechanisms that malware can use to propagate
The three broad mechanisms malware can use to propagate are: infection of existing executableor interpreted content by viruses that is subsequently spread to other systems; exploit ofsoftware vulnerabilities either locally or over a network by worms or drive-by-downloads toallow the malware to replicate; and social engineering attacks that convince users to bypasssecurity mechanisms to install trojans, or to respond to phishing attacks
What are the four broad categories of payloads that malware may carry
Four broad categories of payloads that malware may carry are: corruption of system or datafiles; theft of service in order to make the system a zombie agent of attack as part of a botnet;theft of information from the system, especially of logins, passwords or other personal details bykeylogging or spyware programs; and stealthing where the malware hides it presence on thesystem from attempts to detect and block it.
What types of resources are targeted by denial of service attacks?
Resources that could be attacked include any limited resources such as: network bandwidth,system resources, or application resources.
Define a distributed denial of service attack.
distributed denial of service (DDoS) attack uses multiple attacking systems, often usingcompromised user workstations or PC’s. Large collections of such systems under the control ofone attacker can be created, collectively forming a “botnet”. By using multiple systems, theattacker can significantly scale up the volume of traffic that can be generated. Also by directingthe attack through intermediaries, the attacker is further distanced from the target, andsignificantly harder to locate and identify.
List and briefly define three classes of intruders
Masquerader: An individual who is not authorized to use the computer and who penetrates asystem's access controls to exploit a legitimate user's account. Misfeasor: A legitimate user whoaccesses data, programs, or resources for which such access is not authorized, or who isauthorized for such access but misuses his or her privileges. Clandestine user: An individualwho seizes supervisory control of the system and uses this control to evade auditing and accesscontrols or to suppress audit collection.
What type of malicious software is this?
Consider the following fragment in an authentication program:userid = read_userid();password = read_passowrd();if userid is “257u h4fk0q”return ALLOW_LOGIN;if userid and password are validreturn ALLOW_LOGIN;else return DENY_LOGIN;
Backdoor (trapdoor
In general terms, what are four means of authenticating a user’s identity include examples
Something the individual knows: Examples includes a password, a personal identificationnumber (PIN), or answers to a prearranged set of questions.
Something the individual possesses: Examples include electronic keycards, smart cards,and physical keys. This type of authenticator is referred to as a token.
Something the individual is (static biometrics): Examples include recognition byfingerprint, retina, and face.
Something the individual does (dynamic biometrics): Examples include recognition byvoice pattern, handwriting characteristics, and typing rhythm.
used for selecting and assigning passwords.
User education: Users can be told the importance of using hard-to-guess passwords andcan be provided with guidelines for selecting strong passwords.
Computer-generated passwords: the system selects a password for the user.
Reactive password checking: the system periodically runs its own password cracker tofind guessable passwords.
Proactive password checking: a user is allowed to select his or her own password.However, at the time of selection, the system checks to see if the password is allowableand, if not, rejects it.
How does RBAC relate to DAC and MAC
Role-based access control (RBAC) controls access based on the roles that users havewithin the system and on rules stating what accesses are allowed to users in given roles.RBAC may have a discretionary or mandatory mechanism
List and define the three classes of subject in an access control system
Owner: This may be the creator of a resource, such as a file. For system resources,ownership may belong to a system administrator. For project resources, a projectadministrator or leader may be assigned ownership.
Group: In addition to the privileges assigned to an owner, a named group of users mayalso be granted access rights, such that membership in the group is sufficient to exercisethese access rights. In most schemes, a user may belong to multiple groups.
World: The least amount of access is granted to users who are able to access the systembut are not included in the categories owner and group for this resource
In the context of access control, what is the difference between a subject and an object
A subject is an entity capable of accessing objects. Generally, the concept of subjectequates with that of process. Any user or application actually gains access to an object bymeans of a process that represents that user or application.
An object is anything to whichaccess is controlled. Examples include files, portions of files, programs, and segments ofmemory.Problems
Explain the suitability or unsuitability of the following passwords:a. LM04TTT b. mfpiny (for “my favourite place in new York”) c. Jacquelined. New South Wales e. Newton f. Hj9kst g.555666777h. Laminallams
a. If this is a license plate number, that is easily guessable.
b. suitable
c. easily guessable
d. easily guessable
e. easily guessable
f. suitableg. very unsuitable
h. This is smallanimal in reverse; not suitable
What are the essential ingredients of a symmetric cipher
Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm. Detaileddescriptions in the slides and book.
How many keys are required for two people to communicate via a symmetric cipher
One secret key.
What properties must a hash function have to be useful for message authentication
1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x, making both hardware and softwareimplementations practical.
4. For any given value h, it is computationally infeasible to find x such that H(x) = h.
5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
What is a digital signature?
A digital signature is an authentication mechanism that enables the creator of a message toattach a code that acts as a signature. The signature is formed by taking the hash of themessage and encrypting the message with the creator's private key. The signature guaranteesthe source and integrity of the message.
How can public-key encryption be used to distribute a secret key
Several different approaches are possible, involving the private key(s) of one or both parties.One approach is Diffie-Hellman key exchange. Another approach is for the sender to encrypt asecret key with the recipient's public key.
Define buffer overflow?
A “buffer overflow” results from adding more information to a program’s buffer than it wasdesigned to hold.
What are the possible consequences of a buffer overflow occurring?
The consequences of a buffer overflow include corruption of data used by the program,unexpected transfer of control in the program, possibly memory access violations, and verylikely eventual program termination. When done deliberately as part of an attack on a system,the transfer of control could be to code of the attacker’s choosing, resulting in the ability toexecute arbitrary code with the privileges of the attacked process
What Type of programming languages are vulnerable to Buffer Overflow
The programming languages vulnerable to buffer overflows are those without a very strongnotion of the type of variables, and what constitutes permissible operations on them. Theyinclude assembly language, and C and similar languages. Strongly typed languages such asJava, ADA, Python, and many others are not vulnerable to these attacks.
Define shellcode???
“shellcode” is code supplied by the attacker, and often saved in the buffer being overflowed. Itis called “shellcode” because traditionally its function was to transfer control to a usercommand-line interpreter, or shell, which gave access to any program available on the systemwith the privileges of the attacked program.
What is defensive programming?
Defensive programming is a form of defensive design intended to ensure the continuing functionof a piece of software in spite of unforeseeable usage of said software. The idea can be viewedas reducing or eliminating the prospect of Murphy's Law having effect. Defensive programmingtechniques come into their own when a piece of software could be misused mischievously orinadvertently to catastrophic effect.
State the similarities and differences between command injection and SQL injection attacks
In a command injection attack, the unchecked input is used in the construction of a commandthat is subsequently executed by the system with the privileges of the attacked program. In anSQL injection attack, the user-supplied input is used to construct a SQL request to retrieveinformation from a database. In both cases the unchecked input allows the execution ofarbitrary programs/SQL queries rather than the program/query specified by the programdesigner. They differ in the syntax of the respective shell/SQL meta-characters used that allowthis to occur.
State the main techniques used by a defensive programmer to validate assumptions aboutprogram input
The main technique used by a defensive programmer to validate assumptions about programinput is to compare it against a regular expressions, which is a pattern that describes eitherwhat is wanted or what is known to be dangerous. The result of the comparison is used to eitheraccept wanted, or reject dangerous, input.
What are the three main properties of the Bell-LaPadula (BLP) Model?
no read up: A subject can only read an object of less or equal security level. This isreferred to in the literature as the simple security property (ss-property).no write down: A subject can only write into an object of greater or equal securitylevel. This is referred to in the literature as the *-property.ds-property: An individual (or role) may grant to another individual (or role) access toa document based on the owner's discretion, constrained by the MAC rules. Thus, asubject can exercise only accesses for which it has the necessary authorization andwhich satisfy the MAC rules.
What is the main difference between the BLP and Biba model?
The BLP model deals with confidentiality and is concerned with unauthorizeddisclosure of information. The Biba models deals with integrity and is concerned withthe unauthorized modification of data
What is the meaning of the term Chinese wall in the Chinese Wall Model
The Chinese wall is a logical barrier that prevents a subject that accesses data fromone side of the wall from accessing data on the other side
In general terms how can Multi Level Security (MLS) be implemented in a Role-BasedAccess Control (RBAC) system
Roles can be defined by type of access and clearance level
Briefly describe the three basic services provided by a TPM?
Authenticated boot service: The authenticated boot service is responsible for bootingthe entire operating system in stages and assuring that each portion of the OS, as it isloaded, is a version that is approved for use.
Certification service: Once a configuration is achieved and logged by the TPM, theTPM can certify the configuration to other parties. The TPM can produce a digitalcertificate by signing a formatted description of the configuration information using theTPM's private key. Thus, another user, either a local user or a remote system, can haveconfidence that an unaltered configuration is in use.
Encryption service: The encryption service enables the encryption of data in such away that the data can be decrypted only by a certain machine and only if that machineis in a certain configuration
Describe some malware countermeasure elements
Malware countermeasure elements include prevention in not allowing malware to getinto the system in the first place, or blocking its ability to modify the system, via policy,awareness, vulnerability mitigation and threat mitigation; detection to determine that ithas occurred and locate the malware; identification to identify the specific malwarethat has infected the system; and removal to remove all traces of malware virus fromall infected systems so that it cannot spread further
Briefly describe the four generations of anti-virus software?
• First generation: simple scanners that require a malware signature to identify it
• Second generation: heuristic scanners use heuristic rules to search for probable malware instances, or uses integrity checking to identify changed files
• Third generation: activity traps that identify malware by its actions rather than its structure in an infected program
• Fourth generation: full-featured protection uses packages of a variety of antivirustechniques used in conjunction, including scanning and activity trap components
What defences are possible against non-spoofed flooding attacks? Can such attacks beentirely prevented?
Non-spoofed flooding attacks are best defended against by the provision of significantexcess network bandwidth and replicated distributed servers, particularly when theoverload is anticipated. This does have a significant implementation cost though. Ratelimits of various types on traffic can also be imposed. However such attacks cannot beentirely prevented, and may occur “accidentally” as a result of very high legitimate trafficloads
What do the terms slashdotted and flash crowd refer to? What is the relation between these instances of legitimate network overload and the consequences of a DoS attack?
The terms slashdotted or flash crowd refer to very large volumes of legitimate traffic, asresult of high publicity about a specific site, often as a result of a posting to the wellknownSlashdot or other similar news aggregation site. There is very little that can bedone to prevent this type of either accidental or deliberate overload, without alsocompromising network performance.
What steps should be taken when a DoS attack is detected?
In order to successfully respond to a denial of service attack, a good incident responseplan is needed to provide guidance. When a denial of service attack is detected, the firststep is to identify the type of attack and hence the best approach to defend against it.
From this analysis the type of attack is identified, and suitable filters designed to block the flow of attack packets.
These have to be installed by the ISP on their routers.
If the attack targets a bug on a system or application, rather than high traffic volumes, then this must be identified, and steps taken to correct it to prevent future attacks. In the caseof an extended, concerted, flooding attack from a large number of distributed orreflected systems, it may not be possible to successfully filter enough of the attackpackets to restore network connectivity.
In such cases the organization needs acontingency strategy to switch to alternate backup servers, or to rapidly commissionnew servers at a new site with new addresses, in order to restore service.
The necessity of the “no read up” rule for a multilevel secure system is fairly obvious.What is the importance of the “no write down” rule
The purpose of the "no write down" rule, or *-property is to address the problem of Trojanhorse software. With the *-property, information cannot be compromised through the useof a Trojan horse. Under this property, a program operating on behalf of one user cannotbe used to pass information to any user having a lower or disjoint access class.
Describe the three logical components of an IDS?
Sensors: Sensors are responsible for collecting data. The input for a sensor may be any part of a system that could contain evidence of an intrusion. Types of input to a sensor include network packets, log files, and system call traces. Sensors collect and forward this information to the analyzer.
Analyzers: Analyzers receive input from one or more sensors or from other analyzers. The analyzer is responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion occurred. The analyzer may provide guidance about what actions to take as a result of the intrusion.
User interface: The user interface to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a manager, director, or console component.
Describe the differences between a host-based IDS and a network-based IDS
Host-based IDS: Monitors the characteristics of a single host and the events occurring within that host for suspicious activity
Network-based IDS: Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity
List some desirable characteristics of an IDS
•Run continually with minimal human supervision.
•Be fault tolerant in the sense that it must be able to recover from system crashes and reinitializations.
•Resist subversion. The IDS must be able to monitor itself and detect if it has been modified by an attacker.
•Impose a minimal overhead on the system where it is running.
•Be able to be configured according to the security policies of the system that is being monitored.
•Be able to adapt to changes in system and user behavior over time.
•Be able to scale to monitor a large number of hosts.
•Provide graceful degradation of service in the sense that if some components of the IDS stop working for any reason, the rest of them should be affected as little as possible.
•Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without having to restart it
Describe the types of sensors that can be used in a NIDS.
An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device.
List the three design goals for a firewall
1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this section.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies, as explained later in this section.
3. The firewall itself is immune to penetration. This implies that use of a trusted system with a secure operating system
What information is used by a typical packet filtering firewall?
Source IP address: The IP address of the system that originated the IP packet.
Destination IP address: The IP address of the system the IP packet is trying to reach. Source and destination transport-level address: The transport level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET. IP protocol field: Defines the transport protocol. Interface: For a router with three or more ports, which interface of the router the packet came from or which interface of the router the packet is destined for
Why is it useful to have host-based firewalls?
• Filtering rules can be tailored to the host environment. Specific corporate security policies for servers can be implemented, with different filters for servers used for different application.
• Protection is provided independent of topology. Thus both internal and external attacks must pass through the firewall.
• Used in conjunction with stand-alone firewalls, the host-based firewall provides an additional layer of protection. A new type of server can be added to the network, with its own firewall, without the necessity of altering the network firewall configuration
How does an Intrusion Prevention System (IPS) differ from a Firewall
An IPS blocks traffic, as a firewall does, but makes use of the types of algorithms developed for IDSs
Who are the parties that are typically involved in a security evaluation process?
Sponsor: Usually either the customer or the vendor of a product for which evaluation is required. Sponsors determine the security target that the product has to satisfy.
Developer: Has to provide suitable evidence on the processes used to design, implement, and test the product to enable its evaluation.
Evaluator: Performs the technical evaluation work, using the evidence supplied by the developers, and additional testing of the product, to confirm that it satisfies the functional and assurance requirements specified in the security target. In many countries, the task of evaluating products against a trusted computing standard is delegated to one or more endorsed commercial suppliers.
Certifier: The government agency that monitors the evaluation process and subsequently certifies that a product as been successfully evaluated. Cookies generally manage a register of evaluated products, which can be consulted by customers
What are the three main stages in an evaluation of an IT product against a trusted computing standard, such as the Common Criteria
Preparation: Involves the initial contact between the sponsor and developers of a product, and the evaluators who will assess it. It will confirm that the sponsor and developers are adequately prepared to conduct the evaluation and will include a review of the security target and possibly other evaluation deliverables. It concludes with a list of evaluation deliverables and acceptance of the overall project costing and schedule.
2. Conduct of evaluation: A structured and formal process in which the evaluators conduct a series of activities specified by the CC. These include reviewing the deliverables provided by the sponsor and developers, and other tests of the product, to confirm it satisfies the security target. During this process, problems may be identified in the product, which are reported back to the developers for correction.
3. Conclusion: The evaluators provide the final evaluation technical report to the certifiers for acceptance. The certifiers use this report, which may contain confidential information, to validate the evaluation process and to prepare a public certification report. The certification report is then listed on the relevant register of evaluated prod
Define IT Security management.
IT security management is a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity and reliability. IT security management functions include: determining organizational IT security objectives, strategies and policies; determining organizational IT security requirements; identifying and analyzing security threats to IT assets within the organization; identifying and analyzing risks; specifying appropriate safeguards; monitoring the implementation and operation of safeguards that are necessary in order to cost effectively protect the information and services within theversion: IN3012_Tutorial_8_v01_modelAnswers.doc p. 2 of 3organization; developing and implementing a security awareness program; detecting and reacting to incidents
List the three fundamental questions IT security management tries to address
The three fundamental questions IT security management tries to address are: 1. What assets do we need to protect? 2. How are those assets threatened? 3. What can we do to counter those threats?
List and briefly define the four steps in the iterative security management process
The four steps in the iterative security management process are to: Plan – to establish security policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives; Do – is to implement and operate the security policy, controls, processes and procedures; Check – is to assess and, where applicable, measure process performance against security policy, objectives and practical experience and report the results to management for review; and Act – to take corrective and preventive actions, based on the results of the internal security audit and management review or other relevant information, to achieve continual improvement of the security management process.
List the steps in the detailed security risk analysis process.
The steps in the detailed security risk analysis process include: Establish Context or System Characterization, Identify Threats, Identify Vulnerabilities, Analyze Existing Controls, Determine Likelihood, Determine Consequence or Impact on Organization, Determine Resulting Risk, Document Results in Risk Register, Evaluate Risks, Treat Risks
Describe a classification of computer crime based on the role that the computer plays in the criminal activity?
• Computers as targets: This form of crime targets a computer system, to acquire information stored on that computer system, to control the target system without authorization or payment (theft of service), or to alter the integrity of data or interfere with the availability of the computer or server. Using the terminology of Chapter 1, this form of crime involves an attack on data integrity, system integrity, data confidentiality, privacy, or availability.
• Computers as storage devices: Computers can be used to further unlawful activity by using a computer or a computer device as a passive storage medium. For example, the computer can be used to store stolen password lists, credit card or calling card numbers, proprietary corporate information, pornographic image files, or "warez" (pirated commercial software).
• Computers as communications tools: Many of the crimes falling within this category are simply traditional crimes that are committed online. Examples include the illegal sale of prescription drugs, controlled substances, alcohol, and guns; fraud; gambling; and child pornography.
What are the basic conditions that must be fulfilled to claim a copyright
(1) The proposed work is original. (2) The creator has put this original idea into a concrete form, such as hard copy (paper), software, or multimedia form.
What is a Digital Rights Management (DRM)
Digital Rights Management (DRM) refers to systems and procedures that ensure that holders of digital rights are clearly identified and receive the stipulated payment for their works.
19.11What functions can a professional code of conduct serve to fulfil
1. A code can serve two inspirational functions: as a positive stimulus for ethical conduct on the part of the professional, and to instill confidence in the customer or user of an IS product or service. However, a code that stops at just providing inspirational language is likely to be vague and open to an abundance of interpretations.
2. A code can be educational. It informs professionals about what should be their commitment to undertake a certain level of quality of work and responsibility for the well being of users of their product and the public, to the extent the product may affect nonusers. The code also serves to educate managers on their responsibility to encourage and support employee ethical behavior and on their own ethical responsibilities.
3. A code provides a measure of support for a professional whose decision to act ethically in a situation may create conflict with an employer or customer.
4. A code can be a means of deterrence and discipline. A professional society can use a code as a justification for revoking membership or even a professional license. An employee can use a code as a basis for a disciplinary action.
5. A code can enhance the profession's public image, if it is seen to be widely honored.