Two distinct methods of identifying a trojan horse
Date created: Dec 20, 2023
Unsectioned (74 cards)
Two distinct methods of identifying a trojan horse
Monitoring - Make use of virus monitors to see whether any virus activity is going on. By detecting this abnormal behaviour, the trojan can be detected before infection is complete. However, many false alarms may be generated.
Signature scanning - The most common and simplest approach. The infection is disassembled and the key portions are identified. Next, the key portions are combined to form a signature. The signature is then checked against a large library of programs to reduce the chance of false positives.
How do BLP and Biba become restrictive if applied together?
As BLP is used for confidentiality and Biba is used for integrity, some properties of each are denied by the other.
To resolve this, use labels for both clearance and classification.
How do syncookies provide protection against connection-based DoS?
They do so by not dropping connections when the SYN queue fills up: the server waits until it receives a “correct” ACK from the client, at which point it can reconstruct the SYN queue entry and the connection proceeds as usual.
Why are tailored or spear phishing attacks more effective than general phishing attacks?
Tailored/spear phishing is more effective because the attack uses what we know about the victim to increase the chances of success, while general phishing is brute force (inefficient).
BLP ds-property provides
permission that may be passed from an authorized subject to another level-authorized subject.
What is a “sandbox environment”?
A sandbox environment is a virtual environment that restricts sharing by controlling the domain boundaries. It is important because, if a piece of software is suspected of being malware, only the virtual environment is affected.
The channels used in two-channel authentication are
One between the client and the server, and another, independent one from the server to the client.
Major role of a honeypot
Divert attackers from a critical system or collect information about the attackers' activities.
What does Biba attempt to control? And its policy
Biba attempts to control the integrity of data. Its policy is no read down and no write up.
Pharming is more technical and less social engineering than deceptive phishing because
it involves technology to perform the phishing act. It is carried out by modifying the hosts file through a virus or by "poisoning" DNS servers.
How does stack randomization protect against buffer overflow?
It randomizes the buffer location, so each new instance of the program probably runs in a different memory location, which makes the overflow attack difficult.
Describe the difference between direct action and memory residence
Viruses install themselves into the memory of the host computer. A direct action virus is only active when an infected object is active.
A memory-resident virus does not require the original program to be running.
Explain the ideas of threshold models and statistical models in the context of an intrusion detection system
A statistical model for anomaly detection uses statistics of past data to detect the anomaly. A threshold model, the simplest statistical model, triggers an alarm if more than a certain number of some event happens, or fewer than a certain number.
One resource that can be targeted in a DoS attack is
Network bandwidth (network)
Memory, storage and processor capacity (computer)
What are the 2 classes of intruder in an intrusion detection system?
Clandestine: tries to avoid intrusion detection
Masquerader: pretends to be a legitimate user
What is logging?
Logging is the recording of events or statistics to provide information for the system's use, misuse and performance.
Context: This is a client puzzle
What is sent and how is it generated?
X[j](k+1,L) is sent to the client. This is generated by taking a sub-puzzle and taking k bits as the solution of the puzzle.
What should the client respond with?
The client should respond with X[j](1,k), to be joined with X[j](k+1,L) to get y[j].
What is the role of k?
k is the number of bits that are missing from the puzzle.
How much work would we expect the client to do?
The client is expected to do minimal work so that the authentication can be fast.
Is this process stateless?
Yes, the puzzle stores no information. The solution itself contains all the information the server needs, other than the server's own secret.
What is sanitization?
In the context of logs, it involves removing information from the log that the user should not be able to see, to provide confidentiality of the log.
What are the three distinct types of attacks against password systems.
Why is the use of external variables in languages such as PHP or Bash dangerous?
They register all kinds of external variables in the global namespace, hence there is no way to ensure that those external variables contain authentic data.
Name and describe two methods of providing protection against inferential attacks.
Design the database in such a way that inference is reduced.
Attempt to reject specific queries which may lead to an inference attack.
What is considered to be a honeytoken?
A honeytoken is a non-computer honeypot: fake data in a database, similar to the real data, to encourage the attacker to stay in the system long enough to respond to the attack.
Aggregate functions
provide aggregate data which is likely to be less sensitive than individual values
What does anomaly modelling look for and how do we measure this?
Anomaly modelling looks for an abnormal event that has exceeded a predefined threshold. In an IDS, there is a counter which is twice the sum of the weights of all the events for a day.
Why is a master password typically used?
To protect sensitive information such as other passwords and certificates
Two types of disclosure
Disclosure of exact data: Person A is 25 years old.
Disclosure of bound: Person A is younger than 30 years old.
Name and describe two of the ACID properties
The ACID properties refer to the atomicity, consistency, isolation and durability of database transactions. Two ACID properties are consistency and durability. A consistent database transaction can be thought of as one that does not violate any integrity constraints during its execution. Durability is the property guaranteeing that transactions that have been committed will survive permanently.
How does SQLrand protect a database against SQL injection?
By adding a random key to SQL keywords. Before the query is sent to the database, the random keys are removed.
How do Trojan horses have overt and covert behaviours?
Overt behaviours are documented effects (DoS).
Covert behaviours are undocumented effects (backdoor).
Two primary properties used in malware classification are
First, how it spreads to reach its desired targets.
Then, the actions or payloads it performs once a target is reached.
What is DNS-based phishing?
It is poisoning of the hosts file or polluting the user's DNS cache with wrong information, resulting in corrupted DNS.
Why is seeding a random password generator with time alone a bad idea?
If an attacker knows the time, the attacker can use the same time as the seed to the random generator and regenerate the same sequence of passwords.
3 Factors of Authentication
Something you know (password)
Something you have (Keycard)
Something you are (Fingerprint)
What differs between Oligomorphic, polymorphic and metamorphic viruses?
Oligomorphic viruses change the decryption algorithm between generations.
Polymorphic viruses change form each time they are inserted in another program.
Metamorphic viruses change form AND completely rewrite themselves.
What are two things that packet filtering firewalls filter?
A collection of rules and a default security policy.
Why is a minimum time between passwords specified?
So users are able to change their passwords, and to make sure that the passwords are secured from an attacker who may be trying to hack them.
How do you provide protection against inference attack?
Data perturbation, which can be used in a statistical database to change values in the database such that the statistical information is accurate but inferential data is inaccurate.
An advantage of stateless puzzles over stateful puzzles is
The answer to a stateless puzzle is nothing.
Describe how virus and worm propagation differ
A virus propagates by manual transfer of virus-infected files, while a worm propagates using network connections.
How does Lamport's one-time password system work?
It consists of two parts:
Set up - A user selects a secret password.
- The system uses this password together with some value to generate a sequence of passwords.
Process - The user requests a connection to the server.
- The user enters a one-time password.
- If the password matches, the server updates the password to the next one-time password, until n reaches 0, at which point a new set up begins.
What is the relevance of the principle of least privilege in the context of buffer overflows?
To limit the access an attacker can have, even if he finds a way through.
What is auditing?
It is the analysis of the log events provided by logging, presenting information about the system in a more readable and understandable manner.
What are the two primary bases for intrusion detection agents?
Host based and network based
3 types of malware
Viruses
Trojan horses
Worms
What does PAT (Port address translation) hide?
It hides internal network addresses (TCP/IP) from the outside world by mapping external addresses to multiple internal addresses.
How can CAPTCHA be used as protection against DoS attacks?
Bots (zombies) or automated systems cannot read a distorted image, hence this can be used to differentiate between a human (person) accessing a system and a zombie accessing a system.
What are race conditions?
It is a situation in which two or more threads or processes are reading or writing some shared data, and the final result depends on the timing of how the threads are scheduled.
Why is treating programs as data until verified considered protection against malware attacks?
If a program is treated as data, it will not be executed and the virus will not take effect.
What can't a firewall protect against?
Internal attackers or services that bypass the firewall
What is inference?
Deriving sensitive information from non-sensitive, typically aggregate, data
What is XSS?
It stands for cross-site scripting. A type of injection attack that an attacker can use to send a malicious script to an unsuspecting user.
It exploits vulnerabilities of web pages, using those vulnerabilities to gather data from a user that should not be gathered.
What does it mean to be stateless?
A server has not committed any resources; this is relevant in the context of the client puzzle connection protocol.
What does a pseudonymising sanitizer remove?
It removes information from the log such that the originator of the log can reconstruct the deleted information, but preserves the information and relationships relevant for the analysis.
How does stateful inspection firewall differ from the traditional packet filters?
Stateful inspection allows a more dynamic structure, such as authentication before an "allow" entry for a particular connection, while traditional packet filters only deal with individual packets.
A master password is typically used to
protect sensitive information such as other passwords and certificates
Why is the C library function strcpy() considered unsafe?
It does not check array boundaries, which may result in a buffer overflow.
What is a true positive?
It refers to a situation when we make a match but which is actually not one.
What does BLP attempt to control? And its policy
BLP attempts to control the confidentiality of the data. Its policy is no read up, no write down. Permission can be passed from an authorized person to another.
What is the difference between persistent and non-persistent XSS?
In persistent XSS, data provided by the web client is stored on the server, whereas in non-persistent XSS the data is used immediately without proper sanitisation.
The purpose of sanitization
To remove any information that some user is not allowed to see.
Name and describe the two types of error rates that occur in authentication systems and in intrusion detection systems.
False positive and false negative
A false negative is rejecting a valid person, and a false positive is accepting an illegitimate person.
In an IDS, a false negative is falsely reporting that no attack has taken place when in fact an attack has taken place, and a false positive is falsely reporting that there is an attack when no attack has taken place.
What is the purpose of IDIP?
IDIP is an abbreviation for Intrusion Detection and Isolation Protocol. Its purpose is to stop an attack by blocking the connection between the source of the attack and the target of the attack. It works by detecting an attack, blocking the connection to the target from the source, and informing the previous node about the attack; that node then blocks the connection and informs its previous node, until the connection is blocked all the way from the source to the target.
The two primary aims of digital forensics
Gather evidence from computer devices to investigate a crime
Recover lost data
What is the purpose of a role in a database system?
The purpose is to organize the granting of privileges based on the least (minimal) required privileges by job scope or functional activities.
Two applications of reverse engineering
Malware and digital rights management
What are the three basic components in an access control triplet?
The three basic components are S, O, A
S: Set of subjects
O: set of Objects
A: an access control matrix with entries indexed by S and O
What is the difference between logging and auditing?
Logging is the recording of events or statistics to provide information about the system's use, misuse and performance. Auditing is the analysis of the log records obtained by logging, presenting information about the system in a clear and understandable manner.
What is false acceptance rate?
It is the proportion of authentication attempts resulting in false acceptance.
The two primary bases for intrusion detection agents
Host based and network based
What is the Chinese Wall model designed to handle?
Conflict of interest: a concept used to control access to objects that might conflict with the interests of the subject.
How do online and offline password attacks differ?
Online requires the connection to be active, while offline does not, which gives unlimited chances to break the password. Online might have restrictions before the account is locked.
One advantage of using roles in database
To organize the granting of privileges based on the least required privileges by job scope or functional activities.
What is typical phishing?
It deceives the user into believing that there are issues with his account and into entering his account details to fix the issue, but the details are actually stored by the attacker.
An example of role-based access control
Protection rings