CPSC 329 Final Exam

Cards (245)

  • Security Triad
    A (computing) system is secure only if it exhibits these 3 properties: Confidentiality, Integrity, Availability
  • Principle of easiest penetration
    Expect an attacker to use any available means of penetration; attackers go after the weakest link, not the most obvious link nor the link most convenient to fortify
  • Principle of adequate protection
    Digital assets should be protected to a degree consistent with their value and updated when the value changes
  • Spending $100,000 to protect an asset that can cause only $1,000 in losses would be rather silly
  • Spending $100,000 to attack a system that can only yield $1,000 in rewards would be also rather silly
  • Attack Tree
    A method to systematically enumerate all the ways an attacker can breach a system
  • Attack methods
    • Find Written Combo
    • Get Combo From Target
    • Pick Lock
    • Learn Combo
    • Cut Open Safe
    • Install Improperly
    • Open Safe
    • Threaten
    • Blackmail
    • Eavesdrop
    • Bribe
    • Listen to Conversation
    • Get Target to State Combo
  • PIPEDA is the Personal Information Protection and Electronic Documents Act, a Canadian private-sector law related to digital privacy
  • PIPEDA applies to organizations that collect personal information, except in provinces that already have similar laws
  • Alberta has the Personal Information Protection Act
  • PIPEDA violations must be reported, which are then investigated
  • PIPEDA principles
    • Identify purpose of data collection
    • Obtain consent
    • Limit collection
    • Limit use, disclosure and retention
    • Use appropriate safeguards
    • Give individuals access
    • Be accurate
    • Be open
    • Be accountable
    • Provide recourse
  • The Office of the Privacy Commissioner of Canada is at https://www.priv.gc.ca/en
  • Identification
    The process of determining which principal an agent wishes to act as, i.e. the answer to "Who are you?"
  • Authentication
    Proving/verifying the claimed identity of the agent, i.e. the answer to "Prove it!"
  • Means of authenticating user identity
    • Something the individual knows (password, PIN, answers to pre-arranged questions)
    • Something the individual has (token, barcode, smartcard, electronic keycard, physical key)
    • Something the individual is (static biometrics: fingerprint, iris, face)
    • Something the individual does (dynamic biometrics: voice pattern, handwriting, typing rhythm, gait)
  • Password
    A secret word or string of characters used for user authentication
  • Password guessing attacks
    • Brute-force attack
    • Dictionary attack
    • Dictionary + brute force attack
    • Reverse brute force attack
    • Online guessing
    • Offline guessing
  • Keystroke logging
    Capturing the keys pressed by a user, can be done via hardware (USB keylogger, electromagnetic emissions, wireless sniffing, acoustic) or software (trojans, spyware)
  • Social engineering
    Psychological manipulation of people to disclose confidential information and/or to perform some actions that are beneficial to the attacker
  • Social engineering types
    • Phishing
    • Pretexting
    • Quid pro quo
    • Baiting
  • NIST Password Guidelines (2019) include: no complexity requirements, at least 8 (sometimes 6) characters, support at least 64 characters, allow any characters, blacklist frequently used passwords, no "password hints" or "secret questions", do NOT force users to change passwords periodically, allow passwords to be copy-pasted, use two- or multi-factor authentication, at least 10 attempts before lockout
  • Password managers
    Secure repositories for storing passwords, unlocked by a single master password
  • Graphical/visual passwords
    Recognition based: users memorize a set of images and identify them during authentication. Recall based: users create/draw something and reproduce it during authentication. Cued-recall based: similar to recall based, with cues to help the recall process.
  • Neural passwords
    Passwords that users learn subconsciously, allowing them to prove knowledge of the password without being able to reveal it
  • Password storage methods
    • Clear text (plaintext)
    • Encrypted
    • Hashed
    • Salted & hashed
    • Salted, peppered, & hashed
  • Cryptographic hash function
    A function that turns any message into a short, unique-ish, and irreversible-ish string of bits, called a hash, digest or fingerprint
  • Collision resistance
    It should be "hard" to find different x and y such that H(x)=H(y)
  • Preimage resistance
    Given H(x), it should be infeasible to find x. H(x) reveals nothing about x beyond the ability to confirm guesses.
  • Authorization
    Who is allowed to do what, typically decided by the owners of the system and expressed as an authorization policy
  • Access control
    The enforcement of the authorization policy
  • Access control models
    • Discretionary (DAC)
    • Mandatory (MAC)
    • Role-based (RBAC)
    • Attribute-based (ABAC)
    • Relationship-based (ReBAC)
    • Rule-set-based (RSBAC)
  • Role-based access control (RBAC)
    Access control based on user roles within an organization
  • Unix file permissions (DAC example)
    Read, write, execute permissions for owner, group, and others
  • Examples - permissions for directories
    • drwxr-xr-x
    • drwxrwx---
    • drwx--x--x
    • drwxrwxrwx
  • Changing permissions
    Using commands such as chown (change owner) and chmod (change mode) to modify file/directory ownership and permissions
  • Root user (superuser)
    Has system-wide access and is exempt from the usual access control restrictions, so its use requires good practices
  • Linux setuid, setgid and sticky bits
    Special bits that can be set on files to modify their access control behavior
  • drwxrwxrwx
    Full access to owner, while group & others can access only known files
  • Changing permissions (examples)
    1. chown -R root dir1
    2. chmod g+w,o-rwx f1 f2
    3. chmod -R o-rwx .
    4. chmod u+rw,g+rw,u-x,g-x,o-rwx f1
    5. chmod 660 f1
    6. chmod a+x f1
    7. chmod og-rwx f1