Untitled
a guest
Aug 26th, 2018
10.1 explain the differences among the terms security class, security level, security clearance, and security classification.

Context: BLP model, access control concept

security class - assigned to each subject and object
security level - in the simplest form, security classes form a strict hierarchy and are then referred to as security levels (top secret -> secret -> ...)
security clearance - a subject is said to have a security clearance of a given level
security classification - an object is said to have a security classification of a given level

10.2 what are the three rules specified by the BLP model?

ss-property (simple security) - no read up; a subject can only read an object of lower or equal security level
*-property - no write down; a subject can only write into an object of greater or equal security level
ds-property (discretionary) - an individual may grant to another individual access to a document based on the owner's discretion, constrained by the MAC rules

10.3 how is discretionary access control incorporated into the BLP models?

an individual may grant to another individual access to a document based on the owner's discretion, constrained by the MAC rules. site policy overrides any discretionary access controls.

10.4 what is the principal difference between the BLP model and the Biba model?

BLP - confidentiality, concerned with unauthorized disclosure of information
Biba - integrity, concerned with the unauthorized modification of data

10.5 what are the three rules specified by the Biba model?

simple integrity - a subject can modify an object only if the integrity level I(S) of the subject >= I(O)
integrity confinement - a subject can read an object only if I(S) <= I(O)
invocation property - subject S1 can invoke (= communication from one subject to another) another subject S2 only if I(S1) >= I(S2)

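The BLP rules (10.2) and the Biba rules (10.5) side by side, as an added example that is not part of the original notes: a small reference monitor over a linear lattice of levels. The level names, the `Subject`/`Object` types, the `mediate` function and the sample analyst and objects are all constructed for illustration; the same lattice is reused for security and integrity levels only to keep the toy short.

```python
# Added example (not from the original notes): a minimal reference monitor that
# applies the BLP confidentiality rules (10.2) and the Biba integrity rules (10.5)
# to a totally ordered set of levels. Names and sample subjects/objects are
# constructed for illustration.
from dataclasses import dataclass

# Linear lattice of levels, lowest first. Used for both security (BLP) and
# integrity (Biba) levels in this toy; real systems may use separate lattices.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def dominates(a: str, b: str) -> bool:
    """True if level a is greater than or equal to level b."""
    return RANK[a] >= RANK[b]

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str     # BLP security level of the subject
    integrity: str     # Biba integrity level I(S)

@dataclass(frozen=True)
class Object:
    name: str
    classification: str  # BLP security level of the object
    integrity: str       # Biba integrity level I(O)

# --- BLP: confidentiality (no read up, no write down) ---
def blp_can_read(s: Subject, o: Object) -> bool:
    # ss-property: a subject may read only objects at or below its clearance
    return dominates(s.clearance, o.classification)

def blp_can_write(s: Subject, o: Object) -> bool:
    # *-property: a subject may write only objects at or above its clearance
    return dominates(o.classification, s.clearance)

# --- Biba: integrity (no write up, no read down, no invoke up) ---
def biba_can_modify(s: Subject, o: Object) -> bool:
    # simple integrity: modify only if I(S) >= I(O)
    return dominates(s.integrity, o.integrity)

def biba_can_read(s: Subject, o: Object) -> bool:
    # integrity confinement: read only if I(S) <= I(O)
    return dominates(o.integrity, s.integrity)

def biba_can_invoke(s1: Subject, s2: Subject) -> bool:
    # invocation property: S1 may invoke S2 only if I(S1) >= I(S2)
    return dominates(s1.integrity, s2.integrity)

def mediate(s: Subject, o: Object, mode: str) -> bool:
    """Complete mediation: every access is checked against both policies."""
    if mode == "read":
        return blp_can_read(s, o) and biba_can_read(s, o)
    if mode == "write":
        return blp_can_write(s, o) and biba_can_modify(s, o)
    raise ValueError(f"unknown access mode {mode!r}")

# Constructed sample: a secret-cleared analyst and two objects
analyst = Subject("analyst", clearance="secret", integrity="secret")
top_secret_report = Object("ts-report", classification="top secret", integrity="secret")
public_feed = Object("public-feed", classification="unclassified", integrity="unclassified")

if __name__ == "__main__":
    for obj in (top_secret_report, public_feed):
        for mode in ("read", "write"):
            print(f"{analyst.name} {mode} {obj.name}: {mediate(analyst, obj, mode)}")
```

Running it shows the two models pulling in opposite directions: BLP lets the analyst write up into the top secret report but not read it, while Biba refuses the read of the low-integrity public feed that BLP would allow.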
10.6 explain the difference between certification rules and enforcement rules in the Clark-Wilson model.

certification - security policy restrictions on the behavior of IVPs (integrity verification procedures, p316) and TPs (transformation procedures)
enforcement - built-in system security mechanisms that achieve the objectives of the certification rules

10.7 what is the meaning of the term Chinese wall in the Chinese wall model?

subjects are only allowed access to information that is not held to conflict with any other information that they already possess. once information from one dataset is accessed, a wall is set up to protect information in other datasets in the same CI (conflict of interest class).

10.8 what are the two rules that a reference monitor enforces?

no read up, no write down

10.9 what properties are required of a reference monitor?

complete mediation - security rules are enforced on every access (not just on file open)
isolation - the reference monitor and its database are protected from unauthorized modification
verifiability - the reference monitor's correctness must be provable

10.10 in general terms, how can MLS be implemented in an RBAC system?

MLS (multilevel secure) - class of system that has resources at more than one security level and permits concurrent access by users who differ in clearance
RBAC (role based access control)

a role can include access permissions for multiple objects. the r-level of a role indicates the highest security classification of the objects assigned to the role. the w-level of the role indicates the lowest security classification of its objects.

10.11 describe each of the possible degrees of granularity possible with an MLS database system.

entire database, tables, columns, rows, individual elements

10.12 what is polyinstantiation?

creating a new row at a lower level without modifying the row at a higher level. creates a db with conflicting entries.

10.13 briefly describe the three basic services provided by a TPM.

TPM (trusted platform module)
authenticated boot service - booting in stages, and ensuring each portion of the OS is approved for use
certification service - certify a specific configuration (hardware, software) to other systems
encryption service - enables encryption of data in such a way that the data can be decrypted only by a certain machine and only if that machine is in a certain configuration

10.14 what is the aim of evaluating an IT product against a trusted computing evaluation standard?

to provide greater confidence in the security of IT products as a result of formal actions taken during the process of developing, evaluating and operating these products.

10.15 what is the difference between security assurance and security functionality as used in trusted computing evaluation standards?

functional requirements - desired security behavior
assurance requirements - basis for gaining confidence that the claimed security measures are effective and correct

10.16 who are the parties typically involved in a security evaluation process?

sponsor - customer or vendor of a product
developer - provides evidence on the processes used to design, implement and test the product
evaluator - performs the technical evaluation work
certifier - government agency that monitors the process

10.17 what are the three main stages in an evaluation of an IT product against a trusted computing standard, such as the Common Criteria?

preparation - initial contact, confirm all parties are adequately prepared, review of security target, ...
conduct of evaluation - structured and formal process, ...
conclusion - final evaluation report

12.1 define the difference between software quality and reliability and software security.

quality and reliability - concerned with the accidental failure of a program as a result of some theoretically random, unanticipated input, system interaction, or use of incorrect code.
security - the attacker chooses the probability distribution, targeting specific bugs that result in a failure that can be exploited by the attacker.

12.2 define defensive programming.

a form of defensive design intended to ensure the continuing function of a piece of software in spite of unforeseeable usage of said software.

12.3 list some possible sources of program input.

user keyboard/mouse entry, files, network connections, data supplied in the execution environment, configuration values, values supplied by the operating system.

12.4 define an injection attack. list some examples of injection attacks. what are the general circumstances in which injection attacks are found?

flaws related to invalid handling of input data. specifically, when input data can accidentally or deliberately influence the flow of execution of the program.

command injection, SQL injection, code injection, remote code injection.

can occur when input data is passed as a parameter to other helper programs on the system, whose output is then processed and used by the original program.

12.5 state the similarities and differences between command injection and SQL injection attacks.

both injection attacks are made possible by using an unchecked value (from user input) to construct a command. the difference is the type of metacharacters used - SQL injection uses SQL metacharacters, command (bash) injection uses shell metacharacters.

12.6 define a cross-site scripting attack. list an example of such an attack.

concerns input provided to a program by one user that is subsequently output to another user. exploits the assumption that all content from one site is equally trusted (browser data) and attempts to bypass the browser's security checks to gain elevated access privileges to sensitive data belonging to another site.

12.7 state the main technique used by a defensive programmer to validate assumptions about program input.

compare input data to what is wanted, accepting only valid input. for example, this can be done by using regular expressions. (?)

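The point shared by 12.4, 12.5 and 12.7, as an added example that is not part of the original notes: one unchecked value spliced into an SQL statement and into a shell command line, each beside its hardened form, plus an allowlist check of the kind 12.7 describes. The in-memory `users` table, the probe string, the username pattern and all function names are constructed for illustration.

```python
# Added example (not from the original notes): the same unchecked value used to
# build an SQL query and a shell command, shown beside the hardened forms.
# The sample table, inputs and function names are constructed for illustration.
import re
import shlex
import sqlite3

def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "staff")])
    return con

# Vulnerable: the input is spliced into the statement text, so SQL
# metacharacters (quote, OR, comment) change the statement's meaning.
def lookup_unsafe(con, name: str) -> list:
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()

# Hardened: parameter binding keeps the input as data. The statement text is
# fixed before the value is supplied, so metacharacters are never interpreted.
def lookup_safe(con, name: str) -> list:
    return con.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# 12.7: validate by comparing to what is wanted (an allowlist pattern),
# not by trying to enumerate bad characters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

def valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None

# Command injection has the same shape with shell metacharacters instead of
# SQL ones: "x; id" as a filename would make a shell run a second command.
def build_command_unsafe(filename: str) -> str:
    return f"cat {filename}"

def build_command_safe(filename: str) -> list:
    # Pass an argument vector (e.g. to subprocess.run) and let no shell parse it.
    return ["cat", filename]

def build_command_quoted(filename: str) -> str:
    # If a shell string is unavoidable, quote so metacharacters stay literal.
    return f"cat {shlex.quote(filename)}"

if __name__ == "__main__":
    con = make_db()
    probe = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(con, probe))   # every row comes back
    print("safe:  ", lookup_safe(con, probe))     # no user has that literal name
    print("valid: ", valid_username(probe))       # rejected before reaching SQL
    print(build_command_quoted("x; id"))
```

The allowlist check runs before either sink; parameter binding and argument vectors are the second layer, so a value that slips past validation still cannot change the statement or command structure.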
12.8 state a problem that can occur with input validation when the Unicode character set is used.

if a character has multiple encodings in ASCII and UTF-8 (for example '/' is '2F', 'C0 AF', 'E0 80 AF') and the programmer only checks for the short encoding, attackers can bypass input validation. solved by canonicalization (replacing alternate, equivalent encodings by one common value).

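The three encodings of '/' from 12.8 run through a byte-level check and through canonicalization, as an added example that is not part of the original notes. The lenient decoder is written here only to make visible what canonicalization does (every encoding collapses to the one code point); Python's own strict decoder, shown beside it, takes the other valid route and rejects the overlong forms outright. Function names and the sample byte strings are constructed.

```python
# Added example (not from the original notes): why a byte-level check for '/'
# misses the overlong encodings C0 AF and E0 80 AF, and two defences: reject
# non-shortest-form UTF-8 (Python's strict decoder does this) or canonicalize
# first and check the decoded string. The lenient decoder exists only to show
# what canonicalization does; it is not something to use on real input.
from typing import Optional

def naive_contains_slash(raw: bytes) -> bool:
    # Checks only the one-byte encoding 0x2F: bypassed by overlong forms.
    return b"/" in raw

def lenient_utf8_decode(raw: bytes) -> str:
    """Decode UTF-8 while *accepting* overlong sequences, so every encoding of
    a code point maps to the same character (the canonical form)."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            cp, n = b, 1
        elif 0xC0 <= b < 0xE0:
            cp, n = b & 0x1F, 2
        elif 0xE0 <= b < 0xF0:
            cp, n = b & 0x0F, 3
        elif 0xF0 <= b < 0xF8:
            cp, n = b & 0x07, 4
        else:
            raise ValueError(f"invalid lead byte {b:#04x} at offset {i}")
        if i + n > len(raw):
            raise ValueError("truncated multibyte sequence")
        for k in range(1, n):
            c = raw[i + k]
            if c & 0xC0 != 0x80:
                raise ValueError(f"invalid continuation byte {c:#04x} at offset {i + k}")
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)

def canonical_contains_slash(raw: bytes) -> bool:
    # Canonicalize first, then apply the check to the single common form.
    return "/" in lenient_utf8_decode(raw)

def strict_decode(raw: bytes) -> Optional[str]:
    # Alternative defence: a strict decoder rejects non-shortest forms, so a
    # later check never sees an alternate encoding at all.
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None

# Constructed samples: three encodings of the same path separator after ".."
SAMPLES = {
    "shortest": b"..\x2f",
    "2-byte":   b"..\xc0\xaf",
    "3-byte":   b"..\xe0\x80\xaf",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:8} naive={naive_contains_slash(raw)} "
              f"canonical={canonical_contains_slash(raw)} "
              f"strict={strict_decode(raw)!r}")
```

Either defence closes the gap; what must not happen is the order in the vulnerable case, where the check runs on raw bytes and a permissive decoder downstream turns C0 AF back into '/'.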
12.9 define input fuzzing. state where this technique should be used.

a software testing technique that uses randomly generated data as input to a program. the input can be completely random or generated according to some template. in general, it only identifies simple types of faults with input handling.

12.10 list several software security concerns associated with writing safe program code.

correct algorithm implementation - an incorrect implementation might expose a weakness when run on some seemingly legitimate input
ensuring that the machine language corresponds to the algorithm - compilers generate correct code, compilers aren't compromised
correct interpretation of data values - buffer overflows, corruption through incorrect pointer operations. best defense - strongly typed language.
correct use of memory - memory leaks (can lead to denial of service attacks)
preventing race conditions with shared memory - corrupted/lost values

12.11 define race condition. state how it can occur when multiple processes access shared memory.

overlapping access, use, and replacement of shared values. occurs when multiple processes and threads compete to gain uncontrolled access to some resource.

12.12 identify several concerns associated with the use of environment variables by shell scripts.

they provide another path for untrusted data to enter a program and need to be validated.
a local user subverts a program that grants admin privileges, coercing it to run code of the attacker's selection.

redefine PATH, combined with path-less program calls in the script
redefine IFS so that, if the script resets PATH with a PATH=... statement, that statement is parsed as a call that executes a program
redefine custom application env vars

12.13 define the principle of least privilege.

every program should execute with the least amount of privilege needed to complete its function.

12.14 identify several issues associated with the correct creation and use of a lockfile.

- a program can ignore the existence of the lockfile
- race condition between the check for the lockfile and its creation; both programs create the file, both access the resource

12.15 identify several issues associated with the correct creation and use of a temporary file in a shared directory.

temp files should be unique and not accessed by other processes; temp filenames should be random and permissions should only allow deletion by the owner.
the temp file could be replaced by a symbolic link to a sensitive file (passwd).

12.16 list some problems that may result from a program sending unvalidated input from one user to another user.

the receiving user assumes that the input has already been validated.
it can contain metachars, html markup, ...
output must conform to the expected form and interpretation.

14.1 what are the benefits of a security awareness, training, and education program for an organization?

improving employee behavior
increasing the ability to hold employees accountable for their actions
mitigating liability of the organization for an employee's behavior
complying with regulations and contractual obligations

14.2 what is the difference between security awareness and security training?

a security awareness program seeks to inform and focus an employee's attention on issues related to security within the organization. it teaches the "what".

a security training program is designed to teach people the skills to perform their IS related tasks more securely. it teaches the "what" and the "how".

14.3 what is an organizational security policy?

a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.

14.4 who should be involved in developing the organization's security policy and its security policy document?

site security administrator
information technology technical staff
supervisors of large user groups within the organization
security incident response team
representatives of the user groups affected by the security policy
responsible management
legal counsel

14.5 what is ISO 17799?

standard for writing and implementing security policies (Code of Practice for Information Security Management). a comprehensive set of controls comprising best practices in information security. an internationally recognized generic information security standard.

14.6 what principles should be followed in designing personnel security policies?

least privilege
separation of duties - people involved in checking for inappropriate use are not also capable of making such inappropriate use
limited reliance on key employees - no one should be irreplaceable

14.7 why is an email and internet use policy needed?

significant time may be consumed in non-work activities
significant resources may be consumed by such non-work activities
increased risk of introduction of malicious software
non-work activities could result in harm to other organizations or individuals outside the organization, creating liability for the organization
email/internet can be used as tools of harassment
inappropriate online conduct may damage the organization's reputation

16.1 define IT security management.

a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability.

16.2 list the three fundamental questions IT security management tries to address.

what assets do we need to protect?
how are those assets threatened?
what can we do to counter those threats?

16.3 list the steps in the process used to address the three fundamental questions.

determine a clear view of an organization's IT security objectives and risk profile.
IT security risk assessment for each asset in the organization requiring protection (must answer the questions above)
(?)

16.4 list some of the key national and international standards that provide guidance on IT security management and risk assessment.

NIST02
ISO27000-27005
ISO13335

16.5 list and briefly define the four steps in the iterative security management process.

plan (establish policy, objectives, processes relevant to managing risk and improving information security)
do (implement and operate the security policy, controls, processes, procedures)
check (assess and measure process performance against policy, objectives, ..., and report results to management)
act (take corrective and preventive actions based on internal review)

16.6 organizational security objectives identify what IT security outcomes are desired, based in part on the role and importance of the IT systems in the organization. list some questions that help clarify these issues.

what key aspects of the organization require IT support in order to function efficiently?
what tasks can only be performed with IT support?
which essential decisions depend on the accuracy, currency, integrity, or availability of data managed by the IT systems?
what data created, managed, processed, and stored by the IT systems need protection?
what are the consequences to the organization of a security failure in the organization's IT systems?

16.7 list and briefly define the four approaches to identifying and mitigating IT risks.

baseline approach - implement a basic general level of security controls on systems using baseline documents, codes of practice and industry best practice
informal approach - involves conducting some form of informal, pragmatic risk analysis (not a formal, structured process) for the organization's IT systems.
detailed risk analysis - detailed risk assessment of the organization's IT systems, using a formal structured process.
combined approach - combine elements of the previous approaches to provide reasonable protection as quickly as possible

16.8 which of the four approaches for identifying and mitigating IT risks does ISO13335 suggest is the most cost effective for most organizations?

the combined approach

16.9 list the steps in the detailed security risk analysis process.

system characterization
threat identification
vulnerability identification
control analysis
likelihood determination
impact analysis
risk determination
control recommendations
results documentation

16.10 define asset, control, threat, risk, and vulnerability.

asset - anything that has value to the organization
threat - a potential cause of an unwanted incident which may result in harm to a system or organization
vulnerability - a weakness in an asset or group of assets which can be exploited by a threat
risk - the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets

16.11 indicate who provides the key information when determining each of the key assets, their likelihood of compromise, and the consequence should any be compromised.

people in the relevant areas of the organization (... ?)

16.12 state the two key questions answered to help identify threats and risks for an asset. briefly indicate how these questions are answered.

who or what could cause it harm?
how could this occur?

16.13 define consequence and likelihood.

likelihood of the risk occurring (likely, possible, unlikely, ...)
consequences to the organization should that occur

16.14 what is the simple equation for determining risk? why is this equation not commonly used in practice?

risk = probability that threat occurs x cost to organization

not commonly used because both the threat probability and the cost to the organization are often impossible to determine exactly.

16.15 what are the items specified in the risk register for each asset/threat identified?

asset, threat, existing controls, likelihood, consequence, level of risk, risk priority

16.16 list and briefly define the five alternatives for treating identified risks.

risk acceptance - accept a risk level greater than normal for business reasons
risk avoidance - not proceeding with the activity that creates the risk
risk transferal - sharing responsibility with a third party (insurance)
reduction of consequences - modifying the structure or use of assets to reduce the impact on the organization should the risk occur
reduction of likelihood - implementing suitable controls to lower the chance of vulnerability exploitation

18.1 describe a classification of computer crime based on the role that the computer plays in the criminal activity?

- Computers as targets: This form of crime targets a computer system to gain unauthorized access to data, gain control over the system, ...
This form of crime involves an attack on: integrity, confidentiality and availability
- Computers as storage devices: A computer can be used to store all kinds of illegal data (like password files, pirated software, pornographic files, ...)
- Computers as communication tools: A computer is used to commit a non-cyber crime like selling illegal things, ...

18.2 define three types of property?

- Real property (German: “Immobilie”): Land and things permanently attached to the land, such as trees, buildings and stationary mobile homes.
- Personal property: Personal effects, moveable property (cars, cellphones, bank accounts, furniture, ...)
- Intellectual property: Any intangible (not physical, not tangible) asset that consists of human knowledge and ideas, like software, data, novels, designs, ...

18.3 define three types of intellectual property?

- Copyrights
- Trademarks
- Patents

18.4 what are the basic conditions that must be fulfilled to claim a copyright?

- The work is original
- The creator has put his idea in a concrete form (hard copy, software, multimedia)

18.5 what rights does a copyright confer?

- Reproduction right: The owner has the right to produce copies of a work
- Modification right:
- Distribution right: The owner may sell, rent, lease or lend copies of a work
- Public-performance right: applies mainly to live performances
- Public-display right:

18.6 briefly describe the Digital Millennium Copyright Act:

The DMCA strengthens the protection of copyrighted materials in digital form. It further encourages copyright owners to use technological measures to protect their work from being copied or even being accessed. The attempt to bypass such security measures is illegal.

18.7 what is digital rights management?

Digital rights management (DRM) is used to ensure that the holders of digital rights are clearly identified. People who have no rights on an object are not allowed to use it in any way.
DRM might also add further restrictions on objects (printing, copying, ... not allowed).
DRM is not a single standard; there are many different approaches. It generally supports many platforms (PC, Mac, iPhone, ...)

18.8 describe the principal categories of users of digital rights management systems:

Content Provider: The holder of the digital rights, who wants to protect them (record label, ...)
Distributor: Distributes digital content (music, software, ...)
Consumer: Uses the digital content
Clearinghouse (German: Abrechnungsstelle): Handles the financial part.

18.9 what are the key principles embodied in the EU Directive on Data Protection?

Notice: Individuals must be informed if personal information is collected.
Consent: Individuals must be able to choose whether and how their personal information is used by, or disclosed to, third parties. They have the right that no sensitive data (health, religion, ...) is collected.
Consistency: Information must only be used in accordance with the terms of the notice.
Access: Individuals must be able to access or change their stored information
Security: Organisations must protect the integrity and confidentiality of personal information
Onward transfer: If information is passed to a third party, they must provide the same level of security as the organisation that passed them the information
Enforcement: Violation of these rules is not allowed. Each EU member has its own enforcement agency concerned with privacy rights enforcement.

18.10 how do the concerns relating to privacy in the Common Criteria differ from the concerns usually expressed in official documents, standards and organizational policies?

In the Common Criteria the purpose of privacy functions is to provide a user protection against discovery and misuse of identity by other users.
(?)

18.11 what functions can a professional code of conduct (German: Verhaltensnorm) serve to fulfil?

- be a positive stimulus (German: Ansporn) and instil confidence
- be educational
- provide a measure of support
- be a means of deterrence and discipline
- enhance the profession's public image

19.1 what are the essential ingredients of a symmetric cipher?

- Plaintext
- Encryption algorithm
- Secret key
- Ciphertext
- Decryption algorithm

19.2 what are the two basic functions used in encryption algorithms?

Substitution: An element is replaced by another element.
Transposition: Elements are rearranged.

19.3 how many keys are required for two people to communicate via a symmetric cipher?

Only a single key is required

19.4 what is the difference between a block cipher and a stream cipher?

A block cipher processes one block of elements at a time, producing an output block for each input block.
A stream cipher processes the input elements continuously, producing one element of output at a time.

19.5 what are the two general approaches to attack a cipher?

Cryptanalysis, brute force
(?)

19.6 why do some block cipher modes of operation only use encryption while others use both encryption and decryption?

Some block cipher modes of operation only use encryption because the input to the encryption function is an initialization vector, and the leftmost bits of its output are XORed with the first segment of plaintext P1 to produce the first unit of ciphertext C1, which is transmitted. For decryption, the ciphertext is XORed with the output of the same encryption function to produce the plaintext, so the decryption function is never needed.

19.7 what is triple encryption?

Triple encryption (or 3DES) is an enhancement of DES. It applies DES three times:
ENCRYPT, DECRYPT, ENCRYPT

19.8 why is the middle portion of 3DES a decryption rather than an encryption?

Security does not benefit from the decryption. The only advantage is that 3DES can also decrypt ciphertext encrypted with DES!

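The two mechanisms from 19.6 and from 19.7/19.8 worked through in code, as an added example that is not part of the original notes: a toy 8-byte Feistel block cipher with a hash-based round function (assumed here as a stand-in for DES; it is not a real cipher) drives first a segment-wise feedback mode of the kind 19.6 describes (the cipher feedback, CFB, pattern), where encryption and decryption both call only the forward function, and then the ENCRYPT-DECRYPT-ENCRYPT construction, where setting K1 = K2 = K3 makes the middle decryption cancel the first encryption so the result equals a single encryption. Keys, the IV, the message and all function names are constructed for illustration.

```python
# Added example (not from the original notes): a toy 8-byte Feistel block
# cipher (hash-based round function, NOT a real cipher) used to show an
# encryption-only mode where both directions call the forward function (19.6)
# and the EDE form of triple encryption with its K1 = K2 = K3 property
# (19.7/19.8). Keys, IV and message below are constructed for illustration.
import hashlib

BLOCK = 8      # block size in bytes, like DES
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_keys(key: bytes) -> list:
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]

def _f(round_key: bytes, half: bytes) -> bytes:
    return hashlib.sha256(round_key + half).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for rk in _round_keys(key):
        L, R = R, _xor(L, _f(rk, R))
    return R + L          # final swap, as in DES

def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for rk in reversed(_round_keys(key)):   # same network, keys reversed
        L, R = R, _xor(L, _f(rk, R))
    return R + L

# 19.6: the block function is applied to a shift register seeded with the IV
# and its leftmost s bytes are XORed with the plaintext segment; the
# ciphertext segment is then shifted into the register. Decryption is the
# same computation, so block_decrypt is never called.
def feedback_mode(key: bytes, iv: bytes, data: bytes, s: int, decrypt: bool) -> bytes:
    assert len(iv) == BLOCK and 0 < s <= BLOCK
    reg, out = iv, bytearray()
    for i in range(0, len(data), s):
        segment = data[i:i + s]
        keystream = block_encrypt(key, reg)[:len(segment)]   # leftmost s bytes
        result = _xor(segment, keystream)
        out += result
        ciphertext = segment if decrypt else result
        reg = (reg + ciphertext)[-BLOCK:]
    return bytes(out)

def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes, s: int = 2) -> bytes:
    return feedback_mode(key, iv, plaintext, s, decrypt=False)

def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes, s: int = 2) -> bytes:
    return feedback_mode(key, iv, ciphertext, s, decrypt=True)

# 19.7/19.8: triple encryption in ENCRYPT-DECRYPT-ENCRYPT order.
def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return block_encrypt(k3, block_decrypt(k2, block_encrypt(k1, block)))

def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return block_decrypt(k1, block_encrypt(k2, block_decrypt(k3, block)))

if __name__ == "__main__":
    k1, k2, k3 = b"key-one!", b"key-two!", b"key-thr!"
    iv, msg = bytes(range(8)), b"attack at dawn"
    print(cfb_decrypt(k1, iv, cfb_encrypt(k1, iv, msg)) == msg)
    blk = b"8bytes!!"
    # with all three keys equal, D_k undoes the first E_k: EDE == single E_k
    print(ede_encrypt(k1, k1, k1, blk) == block_encrypt(k1, blk))
```

The feedback mode also shows why the last, shorter segment needs no padding: the keystream is cut to the segment length, which is the stream-cipher behaviour 19.4 contrasts with block processing.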
19.9 what is the difference between link and end-to-end encryption?

End-to-end encryption: Data is encrypted by the sender, passes through the network encrypted and is decrypted by the receiver.
Link encryption: encrypts and decrypts all traffic at each end of a communications line.

19.10 list ways in which secret keys can be distributed to two communicating parties:

- Selected by A and physically delivered to B
- Selected by a third party and physically delivered to A and B
- If A and B were using a cipher before to communicate, the new key could be encrypted with the old cipher.
- If both A and B have an encrypted connection to C, C can send them the new key.

19.11 what is the difference between a session key and a master key?

A session key is a one-time key, only used for the duration of one logical connection.
The master key is a pre-shared Key Encrypting Key, used to distribute session keys.

19.12 what is a key distribution centre?

The key distribution centre (KDC) determines which systems are allowed to communicate with each other.