| Term 
 
        | “A computer is secure if you can depend on it and its software to behave as you expect.”
 
 A system that does what it is intended to do
 and nothing else.
 
 “The protection afforded to an automated
 information system in order to attain the
 objectives of preserving confidentiality,
 integrity, and availability.”
 |  | Definition 
 
        | – Garfinkel and Spafford – Charles Pfleeger
 – NIST
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | The real question, as we all know, should be, “against what sort of attacks am I vulnerable?”
 –Curt Sampson
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Organizational law, Must, may, must not. |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Information considered confidential (by policy) is not
 disclosed to unauthorized persons.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Assurance that individuals control what data are collected about them and how
 those data are used and disclosed
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Data agree with the source from which they are derived, and data and
 programs are changed only in authorized (by
 policy) manners.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | A system performs its intended function (and nothing else)
 unimpaired and free from unauthorized
 manipulation.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | We can be sure that data came from the ostensible source.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | The ability to verify the source of data, messages, etc.  (This is really origin
 integrity.)
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | We can tie actions to a particular entity.  (This is origin integrity
 again.)
 |  | 
        |  | 
        
        | Term 
 
        | NIST 3 levels of security failure |  | Definition 
 
        | • Low: Minimal adverse effect • Moderate: An organization can perform its
 primary functions, but with reduced effectiveness.
 • High: Performance of an organization’s mission
 is significantly impaired
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Safeguards (Policy, Human Factors, Technology) Facets (CIA)
 States of information (Processing, Storage, Transmissions)
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Disclosure Alteration Deception |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Disclosure (failure of confidentiality) • Deception (failure of origin integrity)
 • Disruption (failure of availability)
 • Usurpation (this one is more a mechanism
 than a consequence; usurpation will lead to
 one or more of the consequences above.)
 |  | 
        |  | 
        
        | Term 
 
        | Vulnerability Exploit
 Threat
 Risk
 |  | Definition 
 
        | • Vulnerability: a weakness that could allow a system to enter a state not permitted by policy.
 • Exploit: a mechanism for taking advantage of
 a vulnerability.
 • Threat: a circumstance that could allow a
 vulnerability to be taken advantage of.
 • Risk: the probability that both a threat and a
 corresponding vulnerability exist
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Prevention • Prevent attackers from violating security policy
 Detection
 • Detect attackers’ violation of security policy
 Response and Recovery
 • Stop attack, assess and repair damage
 • Continue to function correctly even if attack
 succeeds
 • Return system to a state consistent with policy
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Unambiguously partition system states • Correctly capture security requirements
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Specification assurance • Requirements analysis
 • Statement of desired functionality
 • Design assurance
 • How system will meet specification
 • Implementation assurance
 • Programs/systems carry out the design
 • A system does what it was designed to do…
 • and nothing else!
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Risk management: process of identifying and controlling risks facing an organization
 • Risk identification: process of examining an
 organization’s current information
 technology security situation
 • Risk control: applying controls to reduce
 risks to an organization’s data and information
 systems
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Message integrity • Non-repudiation (origin integrity)
 • Authentication (origin integrity)
 |  | 
        |  | 
        
        | Term 
 
        | Types of symmetric encryption cyphers |  | Definition 
 
        | • Transposition ciphers • Substitution ciphers
 • Combinations are called product ciphers
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Encrypt by applying the key to the plaintext using an algorithm.
 Decrypt by reversing the process using
 the same key and the inverse algorithm.
 |  | 
        |  | 
        
        | Term 
 
        | Computationally secure 
 Kerckhoffs’ principle
 |  | Definition 
 
        | • We must assume the algorithm is known. (Kerckhoffs’ Principle.)
 • A cryptosystem that is breakable may require
 considerable effort.  That is known as being
 “computationally secure.”
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | The strength is in the key, not the algorithm! (Assume that the bad guys know the algorithm.
 That is Kerckhoffs’ Principle.)
 However, the algorithm must be free from “shortcut
 attacks.”
 |  | 
        |  | 
        
        | Term 
 
        | Types of cypher attacks 3 |  | Definition 
 
        | • ciphertext only: adversary has only ciphertext; goal is to find plaintext and possibly the key
 • known plaintext: adversary has ciphertext,
 corresponding plaintext; goal is to find key
 • chosen plaintext: adversary may supply plaintext and
 obtain corresponding ciphertext; goal is to find key
 |  | 
        |  | 
        
        | Term 
 
        | Problem with Caesar cipher |  | Definition 
 
        | • Can be found by exhaustive search • Statistical frequencies not concealed
 • They look too much like regular English (or
 Latin!) words
 |  | 
        |  | 
        
        | Term 
 
        | Difference between Caesar and Vigenère |  | Definition 
 
        | Caesar does not use phrases and Vigenère is polyalphabetic |  | 
        |  | 
        
        | Term 
 
        | Period, Polyalphabetic, tableau |  | Definition 
 
        | • period: length of key • In the “BCD” example, the period is 3
 • tableau: table used to encipher and decipher
 • Vigenère cipher tableau has key letters on top,
 plaintext letters on the left
 • polyalphabetic: the key has several different
 letters (Cæsar cipher is monoalphabetic)
 |  | 
        |  | 
        
        | Term 
 
        | random key as long as message, provably unbreakable |  | Definition 
 | 
        |  | 
        
        | Term 
 
        | Shannon's Characteristics |  | Definition 
 
        | • The amount of secrecy needed determines the amount of work that’s appropriate.
 • The key space and algorithm should be free
 of artificial constraints.
 • Implementation should be as simple as
 possible.
 • Errors in enciphering should not propagate
 • Enciphering should not increase message
 size.
 |  | 
        |  | 
        
        | Term 
 
        | • Provides confidentiality for the message. • Provides authentication.  (Assuming the key
 is really secret.)
 |  | Definition 
 | 
        |  | 
        
        | Term 
 
        | Parameters and Design Features of Block Cipher or Feistel Structure |  | Definition 
 
        | • block size • key size
 • number of rounds
 • subkey generation algorithm
 • round function
 • also: fast software encrypt/decrypt, ease of analysis
 |  | 
        |  | 
        
        | Term 
 | Definition 
 | 
        |  | 
        
        | Term 
 
        | Methods of key delivery NON PK |  | Definition 
 
        | • A selects key, physically delivers to B • Third party selects key, physically delivers to A and B;
 reasonable for link encryption; does not scale well.
 • A selects new key, sends encrypted using previous old
 key to B; good for either, but security fails if any key
 discovered
 • Third party C selects key, sends encrypted to each of A
 and B using existing key with each
 • Distribution using public key cryptography
 |  | 
        |  | 
        
        | Term 
 
        | Problem with 3rd party distribution of key NON PK |  | Definition 
 | 
        |  | 
        
        | Term 
 | Definition 
 
        | The MD5 hash code is 128 bits; SHA is 160. 
 MD5 vulnerable to collision attack
 |  | 
        |  | 
        
        | Term 
 
        | Message Digest Encrypted With Decrypted with
 |  | Definition 
 
        | Sender's Private Key S Public Key
 |  | 
        |  | 
        
        | Term 
 
        | Entire Message Encrypted With |  | Definition 
 | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Alice wants to send a message m to Bill ◦ Assume public key encryption
 ◦ Alice generates a random cryptographic key
 ks and uses it to encipher m
 • To be used for this message only
 • Called a session key
 ◦ She enciphers ks with Bill’s public key kB
 • kB called an interchange key
 ◦ Alice sends { m } ks { ks } kB
 |  | 
        |  | 
        
        | Term 
 
        | How is session key used in PK |  | Definition 
 
        | • Encrypt the message with the secret key. • Encrypt the secret key with the recipient’s
 public key.
 • Send encrypted message and encrypted
 key
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | replace public key of recipient with hacker's public key |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | bind identity to a key, not possible with cryptography because keys are not unique |  | 
        |  | 
        
        | Term 
 
        | What components are in the PKI and how do they offer authentication |  | Definition 
 
        | • Version number • Owner (Subject)
 • Public key
 • Issuer (CA)
 • Serial number
 • Validity dates
 • Certificate usage
 • Extensions
 
 These items are digitally signed (hash) using the private key of the authority.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Real UID: user identity at login, but changeable • Effective UID: user identity used for access
 control; Setuid changes effective UID
 • Saved UID: UID before last change of UID
 ◦ Used to implement least privilege
 ◦ Work with privileges, drop them, reclaim them
 later
 • Audit/Login UID: user identity used to track
 original UID. Cannot be altered; used to tie
 actions to login identity
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Used to share access privileges • First model: alias for set of principals
 ◦ Processes assigned to groups
 ◦ Processes stay in those groups for their lifetime
 • Second model: principals can change
 groups
 ◦ Rights due to old group discarded; rights due to
 new group added
 ◦ This is a way to implement RBAC.
 • A role is a group membership tied to
 function.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | can't see duplicates, increases difficulty against dictionary attacks, impossible to find out if a password on one system corresponds with another. |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | ◦ A: information that proves identity ◦ C: information stored on computer and used to
 validate authentication information
 ◦ F: mapping function
 f : A → C
 ◦ L: functions that test identity
 l : A × C → {true, false}
 ◦ S: functions enabling entity to create or alter
 information in A or C
 |  | 
        |  | 
        
        | Term 
 
        | Preventing password attacks |  | Definition 
 
        | • Hide one of a, f, or c ◦ Prevents obvious attack from above
 ◦ Example: Unix/Linux shadow password file
 hides c’s
 • Block access to all l ∈ L or result of l(a)
 ◦ Prevents attacker from knowing if guess
 succeeded
 ◦ Example: preventing any logins to an account
 from a network
 ◦ Prevents knowing results of l (or accessing l)
 ◦ Not always practical
 |  | 
        |  | 
        
        | Term 
 
        | Using Anderson's Password Formula 
 • Goal
 ◦ Passwords drawn from a 96-char alphabet
 ◦ Can test 10^4 guesses per second
 ◦ Probability of a success to be 0.5 over a 365
 day period
 ◦ What is minimum password length required?
 |  | Definition 
 
        | • Solution ◦ N ≥ TG/P = (365 × 24 × 60 × 60) × 10^4 / 0.5 =
 6.31 × 10^11
 ◦ Choose s such that Σ_{i=0}^{s} 96^i ≥ N
 ◦ So s ≥ 6, meaning passwords must be at least 6
 characters long.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Complete mediation: Check every access. (What happens if access is removed while I
 am using a file?  What should happen?)
 • Least privilege: In granting access to an
 object, do not also grant more rights than
 needed, nor rights to other objects.
 • Acceptable use: Permitted operations depend
 upon the nature of the object and access
 granted.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Complete mediation: Check every access. (What happens if access is removed while I
 am using a file?  What should happen?)
 • Least privilege: In granting access to an
 object, do not also grant more rights than
 needed, nor rights to other objects.
 • Acceptable use: Permitted operations depend
 upon the nature of the object and access
 granted.
 |  | 
        |  | 
        
        | Term 
 
        | Types of Access Control Policies |  | Definition 
 
        | • Discretionary access control: Access to objects is at the discretion of the object owner.
 • Mandatory access control: Access to objects is
 based on externally-enforced policies.
 • Role-based access control: Access is based
 upon a role assumed by the subject.
 • Not mutually exclusive.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Reliable input • Support for fine and coarse specifications
 • Least privilege
 • Separation of duties
 • Dual control
 • Open and closed policies
 • Combination of policies: conflict resolution
 • Administrative mechanisms
 |  | 
        |  | 
        
        | Term 
 
        | Components of an access control record |  | Definition 
 
        | • Object - access controlled resource • e.g. files, directories, records, programs etc.
 • number/type depend on environment
 • Subject - entity that can access objects
 • a process representing user/application
 • often have 3 classes: owner, group, world
 • Access right - way in which subject accesses
 an object
 |  | 
        |  | 
        
        | Term 
 
        | Access Control List v. Capabilities List |  | Definition 
 
        | Access Control list is file centric and maintains a list of what user has what rights to that file. Column. 
 Capabilities List is user-centric and maintains a list of files and rights relative to the user. Row.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Mechanisms put into place to allow or disallow object access
 • Any potential barrier to unauthorized access
 • Controls are organized into different categories
 • Common categories
 • Administrative (enforce security policy through
 procedures, rules)
 • Logical/Technical (implement object access
 restrictions)
 • Physical (limit physical access to hardware)
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Remember ACID
 Atomic: All or nothing
 Consistent: Always obeys constraints
 Isolated: Transactions are serialized
 Durable: Transactions are not lost
 |  | 
        |  | 
        
        | Term 
 
        | prevents concurrent bank withdraw and deposit actions from returning the wrong value via DBMS |  | Definition 
 
        | Database management systems maintain
 isolation and consistency by locking.
 • Read lock: Others can read the same data,
 but no one can write it because the
 transaction with the read lock could get
 inconsistent data.
 • Write lock: No one else can read until the
 write transaction has completed
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | The database designer describes what is
 required for consistency.  The DBMS
 enforces those rules.
 • Attribute integrity: Each field (attribute)
 contains valid data.
 • Entity integrity: Rows are unique; no part of
 primary key is null
 • Referential integrity: Connections among
 tables are consistent.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Inference detection at database design • alter database structure or access controls
 • Inference detection at query time
 • by monitoring and altering or rejecting queries
 • We need an inference detection algorithm
 • a difficult problem
 • consider the employee-salary example
 |  | 
        |  | 
        
        | Term 
 
        | Ping/ICMP RawSocket
 How TCP breaks
 |  | Definition 
 
        | Syn - syn/ack create packets with false source IP
 Table of syn/ack (half open connections) full.
 |  | 
        |  | 
        
        | Term 
 
        | Verifying the reverse path |  | Definition 
 
        | Cisco looks at packet to verify route back to source, else dropped (reverse path forwarding, RPF) |  | 
        |  | 
        
        | Term 
 
        | incoming and outgoing blocking measure |  | Definition 
 
        | Own network addresses incoming should be blocked. Block off-network addresses outgoing.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | UDP - send to machine from target, syn/ack gets sent to target from machine. 
 Bad guy sends small packets, and the target receives big packets.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | character generator port. |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Block all ports not needed, ICMP and ECHO...turn off and block. (Defense in depth) |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | ping sent to broadcast address of a large network, several response packets to spoofed source. UDP. |  | 
        |  | 
        
        | Term 
 
        | What could potentially eliminate spoofed source address attacks? |  | Definition 
 
        | Block outgoing traffic that is not on personal network. |  | 
        |  | 
        
        | Term 
 
        | an option for limiting risk to DOS and avoid filling up conn table |  | Definition 
 
        | Rate limit TCP/UDP/ICMP requests 
 SYN cookie uses sequence # to validate communication
 
 Shorten timeouts when close to full
 
 Drop random or selected connections
 
 Don't accept broadcast packets on incoming address (blocked at edge router)
 
 Block services not used.
 
 Use puzzles to validate human/machine interaction.
 |  | 
        |  | 
        
        | Term 
 
        | Preventative measures for DDoS |  | Definition 
 
        | Pre arranged contacts and upstream traffic filtering 
 Analyze traffic with Wireshark on edge router
 
 IDS to find anomaly
 |  | 
        |  | 
        
        | Term 
 
        | Dropping closed port packets |  | Definition 
 
        | recovers outbound bandwidth |  | 
        |  | 
        
        | Term 
 | Definition 
 | 
        |  | 
        
        | Term 
 
        | Firewalls do not help in this scenario |  | Definition 
 
        | laptop is taken home, infected, then returned to office environment |  | 
        |  | 
        
        | Term 
 
        | use fixed addresses on firewalls so |  | Definition 
 
        | if DNS fails, they stay in service |  | 
        |  | 
        
        | Term 
 
        | Things to parse email for |  | Definition 
 
        | known malicious content 
 failure to follow SMTP Specs
 
 Proprietary info
 |  | 
        |  | 
        
        | Term 
 
        | to interact with SSH in DMZ |  | Definition 
 | 
        |  | 
        
        | Term 
 
        | how to handle customer data |  | Definition 
 
        | order placed on machine, stored in memory, encrypted with PK from internal trusted network and stored to Unix data storage where webserver in DMZ has write but not read privilege |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | written to one-time write media and stored in internal central log server |  | 
        |  | 
        
        | Term 
 
        | What to do with attacks on external firewall |  | Definition 
 
        | log them and ignore to justify security budget |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | untrustworthy admin faulty software
 external firewall failure
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Unsolicited traffic is dropped. There is not a table entry for it in the NAT table. |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | OS calls a function, which loads the return address for the OS and the start address for the current function; the current function calls a second function; the second function writes its address and a return address so that the stack can return to the previous place (the current function). If enough data is inserted into the second function to write up to the return instruction, the attacker can inject code/system library commands and execute with the privilege of the app. |  | 
        |  | 
        
        | Term 
 
        | Compile time defenses stack overflow |  | Definition 
 
        | strongly typed language Canaries
 Safe libraries
 Good coding
 |  | 
        |  | 
        
        | Term 
 
        | buffer overflow runtime defenses |  | Definition 
 
        | non executable memory (need special hardware, write stack in NEM) 
 Randomly generated OS libraries (256 configs in Windows)
 
 Guard pages in memory to crash program.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | mark as NXE and randomize heap |  | 
        |  | 
        
        | Term 
 
        | Global data overflow defenses |  | Definition 
 
        | Defenses: non executable or random global data region, move function
 pointers, guard pages
 |  | 
        |  | 
        
        | Term 
 
        | mysql escape string and unicode checking |  | Definition 
 
        | used to prevent MySQL execution; can't convert ASCII chars for SQL injection because they are detected.
 |  | 
        |  | 
        
        | Term 
 
        | better than escape strings |  | Definition 
 
        | parameters, they're always treated as variables. |  | 
        |  | 
        
        | Term 
 
        | how to detect trojan being compiled into a program |  | Definition 
 
        | compare machine code to source code. |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | OS sync used so we know what process is going to use the shared memory first. |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | if a library is going to be privileged, we must statically link it so we know what it is and can account for it in the environment variables. Enumerating goodness. |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | break down into modules and assign privs to modules on a need basis, then remove privs. |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | need this to replace UPS battery. |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | two different UPSs powered by two different circuits |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • The single loss exposure (SLE) of an adverse event is the cost incurred if the event takes
 place.
 • It may be a range.  Example: the SLE of an
 automobile wreck (for the car only) may
 range from a couple of thousand dollars to a
 “totaled” car, the entire cost.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Probability of risk occurring in one year times economic impact (SLE).
 • The actual cost is either zero or the full
 economic impact.
 • A good ALE depends on good estimates of
 both probability and cost.
 • For large numbers (e.g. car insurance) this
 can be a quite precise actuarial estimate.
 • ALE can be a range
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • Risks are probabilities: annual rate of occurrence (ARO)
 • The “cost” of a risk is the probability that the
 adverse event will be realized times the
 economic impact if it is.  This is “annualized loss
 expectation.”  ALE = SLE × ARO
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | • ALE = Annualized Loss Expectation • ACC = Annual Cost of Control
 • B = ALE(before) – ALE(after) – ACC
 • If B (benefit) is positive, it makes financial
 sense to implement the control.
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Sufficient Competent
 Relevant
 |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Direct - oral testimony and knowledge real - physical
 Documentary - documented
 Demonstration
 |  | 
        |  | 
        
        | Term 
 | Definition 
 | 
        |  | 
        
        | Term 
 | Definition 
 
        | Dated Signed Contemporaneous notes |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | Good to prove tampering of evidence |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | references to files are gone, slack space exists that may contain original data, we do this in event of law involvement. |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | anonymity Pseudonymity
 unlinkability
 unobservability
 |  | 
        |  |