Secure Computing Final

2014-12-01 14:27:46


  1. 3 properties of security
    • Confidentiality
    • Integrity
    • Availability
  2. confidentiality
    info about a system or users cannot be learned by an attacker
  3. Integrity
    • When you ask for data, you get the right data.
    • Everything is as expected to be.
  4. Availability
    actions by an attacker do not prevent users from having access to use the system.
  5. Reliability
    is the ability of a system to consistently perform its intended function on demand without failure.
  6. Accountability
    all operations can be identified, and a trace linking each operation to its author is kept.
  7. non-repudiation
    the ability to prove that an operation or event has taken place
  8. Authentication
    proving that you are who you say you are
  9. Assets
    • things we want to protect
    • hardware, software, data
  10. Vulnerabilities
    flaws/weaknesses in a system that may be used to cause damage.
  11. Threats
    a potential cause of an incident that may result in harm to systems.
  12. 2 types of threats
    • intentional
    • accidental
  13. 4 threat categories
    • interception
    • interruption
    • modification
    • fabrication
  14. black hat, white hat, grey hat
    • BH - bad intentions without invitation
    • WH - good intentions with invitation
    • GH - good intentions without invitation
  15. control
    removing or reducing a vulnerability
  16. adware
    • advertising-supported software
    • software package which automatically renders ads
  17. key loggers
    the action of tracking or logging the keys a user presses in a hidden manner
  18. scareware
    scare the user into buying their product
  19. crimeware
    using identity to access a user's online accounts
  20. PDDDR
    • Prevent it: block the attack
    • Deter it: make attack harder
    • Deflect it: make less attractive
    • Detect it: notice the attack is occurring (or has occurred)
    • Recover from it: mitigate the effects
  21. XHTML Restrictions
    • lowercase
    • structured
    • nested
    • closed
    • quoted
    • title first in head
  22. script
    • can find things about the state of the page
    • can change things in response to events, including user events
  23. HTML DOM
    is made available to scripts running in the browser, not just the browser itself
  24. XMLHttpRequest
    allows JavaScript to communicate with a server from within a web page
  25. AJAX
    • Asynchronous JavaScript And XML
    • combo of JavaScript and XML
    • allows web pages to be updated with new info from the server, without the page refreshing
  26. JavaScript client-side vs server-side
    • cs - code is downloaded and run locally
    • ss - requires JavaScript engines
        - use AJAX
        - concurrent connections
  27. Cookie
    • an HTTP cookie previously sent by the server
    • address of the previous web page
    • user agent string of the user agent
    • transmit a variety of directives
  28. status codes 
    success, redirection, client error, server error
    200 OK, 301, 403, 500
  29. Image tags security issues
    • communicate with other sites
    • hide image
    • spoof other sites
  30. Drive-by Pharming
    reprogramming the router
  31. same origin policy
    manipulating browser windows, frames, documents, cookies
  32. CORS
    • Cross-origin resource sharing
    • allows many resources on a web page to be requested from another domain
  33. Guninski Attack
    • permissive
    • a frame can navigate any frame
  34. Gadget Hijacking
    • Window
    • a frame can navigate frames in the same window
  35. secure cookies
    • confidentiality against network attacker
    • browser will only send cookie back over HTTPS
    • no integrity - attacker can rewrite
  36. httpOnly cookies
    • not accessible to scripts
    • prevent XSS
  37. Http Session
    a series of HTTP transactions between a client and a server
  38. Surf Jacking
    • victim logs in using HTTPS
    • victim logs in another window
    • attacker sends 301 Moved Permanently
    • browser starts a new HTTP connection, sending the cookie in the clear
    • attacker gets the cookie
  39. frame busting
    technique to prevent a site from functioning when loaded inside a frame
  40. 3 primary defense approaches
    • input validation - never trust the user
    • access surface reduction - don't give users access to functionality they don't need
    • classification and prioritization of threats - know what the risks are and focus on them
  41. difficulties with blacklist validation
    difficult to anticipate everything that should be blocked
  42. difficulties with whitelist validation
    not all valid inputs are easy to define
  43. Attack surface reduction
    controlling the code and functionality users can access
  44. STRIDE
    • Spoofing
    • Tampering
    • Repudiation
    • Information Disclosure
    • Denial of Service
    • Elevation of Privilege
  45. spoofing
  46. tampering
    changing data they shouldn't have access to
  47. Repudiation
    attacker denies that they performed an action
  48. Information Disclosure
    attacker being able to read data they shouldn't have access to
  49. CWE
    • Common Weakness Enumeration
    • Common Vulnerabilities and Exposures
  50. XSS Types
    • Reflected - linked to other website
    • Stored - forum
    • DOM-Based - modify DOM environment
  51. script vs programming language
    • interpreted line by line
    • compiled from source code to binary
  52. PHP variables
    • case sensitive
    • begin with $
    • letters digits and underscore
  53. 3 types of PHP Arrays
    • numeric - numeric index
    • associative - each ID key is associated with a value
    • multidimensional - contains one or more arrays
  54. functions are case sensitive
  55. what is $_GET and why use it?
    • superglobal array
    • visible to everyone
    • limits amount of info sent
    • faster than POST
  56. what is $_POST
    • superglobal array
    • invisible and no limit on the amount of info sent
  57. grant total access to a database
    grant all on databasename.* to 'username'@'localhost' identified by 'password';
  58. Bound Parameter
    • query template created and sent to server
    • server returns a special handle for future use
    • data fills template and sent to server
    • execution
  59. bound result
    values of variables are tied to the value of fields of data in a query result set
  60. ACID
    • Atomicity - all or nothing
    • Consistency - rows remain consistent
    • Isolation - no transaction
    • Durability - transactions are protected against crashes