Foundations of Security - What Every Programmer Needs to Know (1)

When an authentic user is rejected by the biometric authentication device.

They are straightforward and familiar to most users.

They are less socially accepted than entering a password.

Client authentication, server authentication, and mutual authentication.

Cameras, card readers, biometric locks, and vaults.

Sensitive files, like spreadsheets, could be unintentionally exposed.

They want to prevent a third party, like Mallory, from modifying the contents of their messages.

The act of verifying someone’s identity.

Application security, operating system (OS) security, and network security.

When it is being edited or written.

To minimize possible methods of attack.

An updated version of the software that fixes security-related bugs.

The system decides who has access to resources, and users cannot grant access to others.

If an attacker obtains a user's biological measurements, they can impersonate the user.

Because a user cannot get a new fingerprint.

They can inadvertently crawl and index sensitive documents.

It is a secret sequence of bits used to encrypt and decrypt messages between parties.

Something you know, something you have, and something you are.

Mandatory or discretionary access model.

It helps prevent fraudulent withdrawal requests if one is stolen.

Authentication verifies identity, while authorization verifies a user's authority.

A computer asks a user to say a phrase and compares the voice signals to a databank.

A standard for information security management.

Read, write, and execute.

Most users do not choose strong passwords, making them easy to guess.

Administrator and Programmer.

Physical security, technological security, and good policies and procedures.

The user must enter a PIN into a smart card reader after inserting the card.

Firewalls and intrusion detection systems (IDSs).

A camera takes a picture of a person's iris and stores certain features about it.

By considering the user's position or role, such as administrative assistant or CEO.

By repeating critical information in the message, such as the dollar amount, to detect tampering.

Password schemes are simple to implement compared to other mechanisms like biometrics.

It is crucial for protecting systems and data, alongside technological security mechanisms.

To keep the contents of communication or data secret from unauthorized users.

SQL injection attack.

It self-destructs if tampered with, and its components are epoxied together.

The server verifying the client's identity.

Users can determine which other users can access the resources they create.

A system that requires a new password each time a user logs in.

Unclassified, confidential, secret, and top secret.

To prevent clients from submitting sensitive information to spoofed or impostor websites.

Eve will not be able to understand their communication.

Security goals and mechanisms for protecting systems.

People generally associate taking fingerprints with criminal activity.

A vulnerability in the web browser code that can give the attacker control of the machine.

Roles that enable a user to access particular resources.

Just prior to conducting an action, such as doing a backup or modifying a file.

A user from writing files or creating resources with a lower level of access than their own.

Encryption technology.

Something You Are, which is based on biometric techniques.

Application security, OS security, and network security.

The smart card reader must be trusted; a rogue reader can capture the user's PIN.

They ensure that employees follow security practices, such as not sharing passwords.

Many government and military organizations.

A technique that uses infrared light to read the pattern of retinal blood vessels.

Cyclic Redundancy Checks (CRCs).

To establish the key goals of computer security and to provide an overview of the core principles of secure systems design.

The use of various rules to guide decisions about resource access.

A user cannot access information resources with a higher classification than their own.

A tamper-resistant card that authenticates users based on something they have.

Security is a process, not a product.

No, only the system can determine access; Alice cannot grant access to her document.

Alice, Bob, Eve, Mallory, and Trent.

The client verifying the server's identity.

Mallory is an active eavesdropper who can modify messages, while Eve is a passive eavesdropper who cannot.

Users may struggle to remember all the different passwords.

A bank can verify a user's location via their cell phone's GPS when processing a transaction.

Iris scan, as it requires the user to just look in a particular direction.

Access to salary information about any employee in the company.

Access control lists (ACLs).

A bug in how it ascertains the identity of the user.

Read data from all user home directories (/home/*).

To ensure that computers can verify each other's identities since not all computers can be trusted equally.

The simple property of the Bell-LaPadula model.

It runs software that authenticates a user and guards secret information.

To ensure only valid data packets are delivered to the web server and to block malicious traffic.

By issuing a command to the system, such as 'chmod a+r /home/Alice/product_specs.txt'.

It takes a key and a message as input and scrambles the message in a way that is mathematically dependent on the key.

It generates a new password periodically for user authentication.

It will not be secure overall.

Integration into personal digital assistants (PDAs) and cell phones.

A technique that records a user's signature along with the pressure and timing of writing.

An attacker may gain access to valuable documents.

A synchronization constraint that requires all users currently using a file to stop before it can be modified, ensuring no confidential information is written while it may be declassified.

To guard sensitive corporate information and educate employees against social engineering attacks.

Operating systems can contain vulnerabilities that attackers may exploit.

Password-cracking programs that try common login names and simple concatenations.

The Windows Update feature, which installs critical system patches.

Read access to all resources (/home/*).

Authentication based on two methods, such as something the user has and something the user knows.

A biometric technique that measures the size and curves of a person's hand and fingers.

A model where access decisions are based on the user's role within an organization.

They can use an integrity check.

Trent is a trusted third party who helps Alice and Bob accomplish their work.

Access to salary information about their subordinates only.

False positives and negatives, varying social acceptance, and key management issues.

It indicates all files and subdirectories within a particular home directory.

Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Role-Based Access Control (RBAC).

They should be kept behind locked doors with access limited to privileged employees.

To ensure users do not inadvertently modify files while performing specific actions.

To prevent information leakage from a higher classification to a lower one.

Read, write, and execute access to all resources (/*).

It requires both the card and a PIN for authentication.

It is one component of ensuring overall, holistic security.

To check whether a user has permission to conduct a specific action.

They can use software tools to access all network traffic, potentially eavesdropping on communications.

An active eavesdropper like Mallory may still conduct a denial-of-service attack by forcing message discards.

A set of users and a corresponding set of resources they are allowed to access.

An attack where an attacker impersonates another employee to extract sensitive information like usernames or passwords.

An attacker may exploit vulnerabilities to take control of the database.

Authentication, Authorization, Confidentiality, Data/message integrity, Accountability, Availability, Non-repudiation.

Smart cards are harder to copy due to their tamper-resistance features.

An attack method where hackers sift through garbage to gather sensitive information.

By using the command 'chgrp' to change the group of the file.

Both the client and server verifying each other's identities.

A web server.

By setting up rogue readers in public places to capture PINs.

The server knows the algorithm used by the OTP card to generate passwords.

Alice sends the message 'I, Alice, owe you, Bob, $1.00. Confirm,$1.00.'

Web browsers may not interpret data robustly, allowing downloads from malicious websites.

When an impersonator successfully impersonates a user.

Read, write, and execute files anywhere on the file system.

The harder it is for an attacker to copy the artifact, the stronger the authentication.

An eavesdropper who attempts to intercept and understand the information exchanged between Alice and Bob.

It gives attackers multiple opportunities to intercept the password.

Because all three types (physical, technological, and policies) are typically required for overall security.

The classification of a file cannot be changed while it is in use by any user.

Mallory can modify, inject, or delete parts of the conversation, which is a more significant threat.

A password that only Alice should know.

They should never give out their passwords, even to security administrators.

ATM cards are not tamper-resistant and can be easily copied.

Mallory can modify both the message and the CRC to match, thus bypassing detection.

By using electronic badges and badge readers for access control.

A card with a magnetic stripe that stores the user's account number for authentication.

When Alice attempts to withdraw $500 but is only authorized to withdraw$300.

They incorporate holograms or other hard-to-copy elements.