1. Explain the difference between a vulnerability and a threat.
   Threats: something that has the potential to cause harm.
   Vulnerabilities: weaknesses that can be used to harm.
2. List six items that might be considered logical controls.
3. What term might we use to describe the usefulness of data?
4. Which category of attack is an attack against confidentiality?
5. How do we know at what point we can consider our environment to be secure?
6. Using the concept of defense in depth, what layers might we use to secure ourselves against someone removing confidential data from our office on a USB flash drive?
7. Based on the Parkerian hexad, what principles are affected if we lose a shipment of encrypted backup tapes that contain personal and payment information for our customers?
8. If the Web servers in our environment are based on Microsoft’s Internet Information Server (IIS) and a new worm is discovered that attacks Apache Web servers, what do we not have?
9. If we develop a new policy for our environment that requires us to use complex and automatically generated passwords that are unique to each system and are a minimum of 30 characters in length, such as !Hs4(j0qO$&zn1%2SK38cn^!Ks620!, what will be adversely impacted?
10. Considering the CIA triad and the Parkerian hexad, what are the advantages and disadvantages of each model?
1. What is the difference between verification and authentication of an identity?
2. How do we measure the rate at which we fail to authenticate legitimate users in a biometric system?
3. What do we call the process in which the client authenticates to the server and the server authenticates to the client?
4. A key would be described as which type of authentication factor?
5. What biometric factor describes how well a characteristic resists change over time?
6. If we are using an identity card as the basis for our authentication scheme, what steps might we add to the process in order to allow us to move to multifactor authentication?
7. If we are using an 8-character password that contains only lowercase characters, would increasing the length to 10 characters represent any significant increase in strength?
8. Name three reasons why an identity card alone might not make an ideal method of authentication.
9. What factors might we use when implementing a multifactor authentication scheme for users who are logging on to workstations that are in a secure environment and are used by more than one person?
10. If we are developing a multifactor authentication system for an environment where we might find larger-than-average numbers of disabled or injured users, such as a hospital, which authentication factors might we want to use or avoid? Why?
1. Discuss the difference between authorization and access control.
2. What does the Clark-Wilson model protect against?
3. Why does access control based on the MAC address of the systems on our network not represent strong security?
4. Which should take place first, authorization or authentication?
5. What are the differences between MAC and DAC in terms of access control?
6. The Bell-LaPadula and Biba multilevel access control models each have a primary security focus. Can these two models be used in conjunction?
7. Given a file containing sensitive data and residing in a Linux operating system, would setting the permissions to rw-rw-rw- cause a potential security issue? If so, which portions of the CIA triad might be affected?
8. Which type of access control would be used in the case where we wish to prevent users from logging in to their accounts after business hours?
9. Explain how the confused deputy problem can allow privilege escalation to take place.
10. What are some of the differences between access control lists and capabilities?
1. What is the benefit of logging?
2. Discuss the difference between authentication and accountability.
3. Describe nonrepudiation.
4. Name five items we might want to audit.
5. Why is accountability important when dealing with sensitive data?
6. Why might auditing our installed software be a good idea?
7. When dealing with legal or regulatory issues, why do we need accountability?
8. What is the difference between vulnerability assessment and penetration testing?
9. What impact can accountability have on the admissibility of evidence in court cases?
10. Given an environment containing servers that handle sensitive customer data, some of which are exposed to the Internet, would we want to conduct a vulnerability assessment, a penetration test, or both? Why?
1. What type of cipher is a Caesar cipher?
2. What is the difference between a block and a stream cipher?
3. ECC is classified as which type of cryptographic algorithm?
4. What is the key point of Kerckhoffs’ Principle?
5. What is a substitution cipher?
6. What are the main differences between symmetric and asymmetric key cryptography?
7. Explain how 3DES differs from DES.
8. How does public key cryptography work?
9. Decrypt this message: V qb abg srne pbzchgref. V srne gur ynpx bs gurz. -Vfnnp Nfvzbi
10. How is physical security important when discussing cryptographic security of data?
1. Why is it important to identify our critical information?
2. What is the first law of OPSEC?
3. What is the function of the IOSS?
4. What part did George Washington play in the origination of operations security?
5. In the operations security process, what is the difference between assessing threats and assessing vulnerabilities?
6. Why might we want to use information classification?
7. When we have cycled through the entire operations security process, are we finished?
8. From where did the first formal OPSEC methodology arise?
9. What is the origin of operations security?
10. Define competitive counterintelligence.
1. Name the three major concerns for physical security, in order of importance.
2. Name the three main categories in which we are typically concerned with physical security.
3. Why might we want to use RAID?
4. What is the foremost concern as related to physical security?
5. What type of physical access control might we put in place in order to block access to a vehicle?
6. Give three examples of a physical control that constitutes a deterrent.
7. Give an example of how a living organism might constitute a threat to our equipment.
8. Which category of physical control might include a lock?
9. What is residual data and why is it a concern when protecting the security of our data?
10. What is our primary tool for protecting people?
1. For what might we use the tool Kismet?
2. Explain the concept of segmentation.
3. If we needed a command-line tool that could sniff network traffic, what tool might we use?
4. What are the three main types of wireless encryption?
5. What tool might we use to scan for devices on a network?
6. Why would we use a honeypot?
7. Explain the difference between signature and anomaly detection in IDSes.
8. What would we use if we needed to send sensitive data over an untrusted network?
9. What would we use a DMZ to protect?
10. What is the difference between a stateful firewall and a deep packet inspection firewall?
1. What is a vector for malware propagation?
2. What is an exploit framework?
3. What is the difference between a port scanner and a vulnerability assessment tool?
4. Explain the concept of an attack surface.
5. Why might we want a firewall on our host if one already exists on the network?
6. What is operating system hardening?
7. What is the XD bit and why do we use it?
8. What does executable space protection do for us?
9. How does the principle of least privilege apply to operating system hardening?
10. Download Nmap from www.nmap.org and install it. Conduct a basic scan of scanme.nmap.org using either the Zenmap GUI or the command line. What ports can you find open?
1. What does a fuzzing tool do?
2. Give an example of a race condition.
3. Why is it important to remove extraneous files from a Web server?
4. What does the tool Nikto do and in what situation might we use it?
5. Name the two main categories of Web security.
6. Is an SQL injection attack an attack on the database or an attack on the Web application?
7. Why is input validation important?
8. Explain a cross-site request forgery (XSRF) attack and what we might do to prevent it.
9. How might we use a sniffer to increase the security of our applications?
10. How can we prevent buffer overflows in our applications?