API tools faq
paste
Guest User

Untitled

a guest
Dec 12th, 2018
90
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.91 KB | None | 0 0
raw download clone embed print report
  1. • Definitions of security
  2. • Define adversary model, threat model, and security model
  3. • Create and critique security models for familiar systems
  4. • Define: confidentiality, integrity, availability, asset, participant, vulnerability, threat, adversary, defense, authorization, authentication
  5. • List, Define, and Identify types of attacker (i.e. casual user, cybercriminals, nation-state,
  6. etc.)
  7. • List, Define, and Identify the four archetype attacks and the five archetype defenses
  8. • Create and and articulate threat models for well-understood systems
  9. • Define the principle of adequate protection
  10. • Define: cryptology, cryptography, cryptanalysis, plaintext, ciphertext, encryption, decryption, key, keyspace, perfect secrecy
  11. • Define Kirckhoffs’s principle and why cryptosystems should conform to it
  12. • Identify key management problems
  13. • Explain OTP, how it offers perfect secrecy, and list issues that complicate its use
  14. • Give examples of how crypto systems fail in practice (From the Anderson Paper)
  15. • NOT: Understand symmetric cipher internals
  16. • Define stream cipher, block cipher, block size, permutation, substitution, confusion, diffusion
  17. • Explain the distinction between stream and block ciphers
  18. • List and explain potential problems with using stream ciphers
  19. • Explain, diagram, and identify pros and cons of ECB, CBC, and CTR cipher modes
  20. • Choose an application-appropriate symmetric cipher and mode.
  21. • Identify which cipher modes guarantee integrity
  22. • Create cryptographic constructions that provide integrity and authenticity
  23. • Identify and explain the three properties of a cryptographic hash function
  24. • Explain the significance of the birthday paradox to hash function security
  25. • Explain how HMAC works and why it is needed
  26. • Identify at least three applications of hash functions
  27. • Explain common uses of RSA
  28. • Explain the components of RSA public and private keys and their relationship
  29. • Given a small public/private key, encrypt/decrypt a message using RSA
  30. • Identify and explain the hard problem underlying RSA
  31. • Explain digital signatures, common uses, and compute a digital signature given a small RSA public/private key pair
  32. • Explain the differences between a digital signature and an HMAC
  33. • Explain the uses of Diffie-Hellman
  34. • Given a small modulus and base, complete both steps of a DH exchange
  35. • Identify and explain the hard problem underlying DH
  36. • Define and explain perfect forward secrecy
  37. • Explain Public Key Infrastructures and potential problems with their use
  38. • Explain the tradeoffs between “web of trust” and PKI models
  39. • Define authentication, credential (and 3 types)
  40. • Define and explain multi-factor authentication
  41. • Identify and explain common problems, attacks and defenses related to passwords and secret questions, including online and offline brute-force attacks
  42. • Identify examples of bearer-authenticators (“something you have”)
  43. • Identify examples of biometric authenticators and explain issues with their use
  44. • Explain web authentication protocols and security issues with their use
  45. • Explain cryptographic authentication protocols
  46. • Design and critique cryptographic authentication protocols
  47. – How to study: look at questions at end of KPS Chapter 11
  48. – Explain why a protocol authenticates a party
  49. – Identify flaws in a protocol (e.g., reflection, replay attacks)
  50. • Explain how tickets can provide single sign-on (SSO)
  51. • Explain attacks and defenses for:
  52. – TCP/IP message spoofing
  53. – sequence number guessing
  54. – source routing
  55. – other routing attacks
  56. – ICMP attacks (including “ping of death”)
  57. – ARP spoofing
  58. • Explain the “simplified” SSL protocol presented in class
  59. • Identify, explain, and compare key exchange methods
  60. • Explain and identify the six values generated for sessions
  61. • Explain the differences between server and mutual authentication
  62. • Identify attacks that circumvent SSL and/or TLS
  63. • Identify and explain two main types of VPNs
  64. • Identify, explain, and draw packets for the two modes and two protocols of IPsec packet processing (four total options)
  65. – Describe the protection provided to different fields
  66. • Define SA, SPI, SAD, SA Bundle, SPD
  67. • Describe the two phases of IKE
  68. • Describe the advantages and disadvantages of a split VPN
  69. • Define and compare stateless and stateful firewalls
  70. • Write a firewall policy (stateless or stateful) given a set of requirements
  71. – Evaluate a firewall a policy for a given packet
  72. • Define and compare signature vs. anomaly IDS
  73. • Define and apply the base rate fallacy
  74. • Draw ROC curves for a given detection system
  75. • Identify threats to DNS
  76. • Explain how DNS cache poisoning works (“vanilla” and “Kaminsky”)
  77. • Identify defenses against DNS attacks
  78. • Explain common routing security issues
  79. – Link cutting
  80. – Hijacking
  81. – Denial of service
  82. • Explain and Identify the principle security problems with BGP, including lack of authentication and how prefix highjacking is conducted.
  83. • Explain the mechanism and impacts of prominent BGP security incidents
  84. • Explain, compare, and contrast the different proposed solutions to defend BGP, including S-BGP and RPKI.
  85. • Express access control as subjects, objects, rights (SOR model) and draw an access control matrix
  86. • Explain the three properties of a reference monitor (tamperproof, complete mediation, simple enough to verify)
  87. • Explain the principle of least privilege, protection domain, protection state, and protection state operations
  88. • Compare and contrast MAC and DAC and relate the safety problem
  89. • Explain why RBAC is different than groups
  90. • Evaluate simple information flow control policies (e.g., BLP, Biba)
  91. • Identify practical issue with Clark Wilson
  92. • Compare and contrast ACLs and C-Lists, and identify when to use them.
  93. • Describe the basics of UNIX file system access control, including setuid
  94. • Explain the implication of monotonicity of access control policy w.r.t. checking and defining policy
  95. • Explain how capabilities address the confused deputy problem
  96. • Describe how to protect capabilities
  97. • Describe how Hydra uses capabilities and the implications
  98. • Evaluate Multics access control policy using rings and brackets
  99. • Construct protocols for cookie-based authentication
  100. • Identify the limitation of code-signing (e.g., Authenticode)
  101. • Describe different injection attacks (e.g., XSS, shell, filename, SQL) and fundamental cause
  102. • Describe solutions to injection attacks
  103. • Describe Same Origin Policy (SOP) and limitations
  104. • Describe Cross-Origin Resource Sharing (CORS), including where it is enforced and the implications
  105. • Describe modern browser architecture and isolations
  106. • Explain how browser extensions can impact security
  107. • Describe how mobile OSes differ from traditional Oses
  108. • Explain the importance of app security for smartphones
  109. • Explain methods and goals of mobile malware
  110. • Describe privacy problems in mobile apps
  111. • Contrast app permission models (install-time vs. runtime)
  112. • Explain the challenge of authentication on mobile devices
  113. • Compare and contrast static analysis and dynamic analysis approaches for analyzing apps
  114. • Explain the significance of metadata for security / privacy
  115. • Explain the Dining Cryptographer’s problem
  116. • Identify hardness assumptions (unconditional anonymity vs. computational anonymity)
  117. • Calculate degree of anonymity with sets and Shannon entropy (and know limitations)
  118. • Critique anonymizing proxies, Crowds, Onion Routing
  119. • Describe how anonymity systems can enable security attacks
  120. • Explain the significance of the referrer field to privacy
  121. • Describe the general rules for sending information to a Web server (and implications of getting it wrong)
  122. • Describe how Cookies are used for tracking (1st party vs 3rd party)
  123. • Describe Evercookies, Flash cookies, etc.
  124. • Explain how stateless tracking / fingerprinting works
  125. • Explain how advertising frameworks can be abused to target individuals
  126. • Describe the different types of advertising models
  127. • Describe tracking defenses, naming several
  128. • Explain what “Do Not Track” provides, and how this differs from common perception
  129. • Describe different techniques for private browsing and their caveats
  130. • Explain the challenges with self reporting (e.g., privacy paradox)
  131. • Explain the challenges with framing
  132. • Describe privacy segmentation techniques (e.g., Westin Index) and limitations
  133. • Describe privacy nudges
  134. • Explain why privacy harms are important to define and measure
  135. • Describe the AOL search log problem and its generalization
  136. • Explain collaborative filtering
  137. • Describe k-anonymity (at a high level) and its shortcomings
  138. • Describe l-diversity (at a high level) and its shortcomings
  139. • Describe t-closeness (at a high level) and its shortcomings
  140. • Describe differential privacy (at a high level)
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!