
Computer Security ch1 - ch3 Solutions

This document summarizes key concepts from Chapter 1-3 of a computer security textbook. It defines computer security, passive and active security threats, categories of network attacks, security design principles like authentication and access control, and differences between an attack surface and attack tree. It also discusses user authentication methods like passwords, biometrics, and smart cards. Specific topics covered include password threats, techniques for protecting password files and selecting passwords, differences between memory cards and smart cards, biometric identification characteristics and processes, and definitions of false match/nonmatch rates related to biometric thresholds. Challenge-response protocols are introduced as well.

Uploaded by

Lateef Almusa

Chapter 1

1.1 Define computer security

The protection afforded to an automated information system in order to attain
the applicable objectives of preserving the integrity, availability and
confidentiality of information system resources (includes hardware, software,
firmware, information/data, and telecommunications).

1.2 What is the difference between passive and active security threats?
Passive attacks have to do with eavesdropping on, or monitoring,
transmissions. Electronic mail, file transfers, and client/server
exchanges are examples of transmissions that can be monitored.
Active attacks include the modification of transmitted data and
attempts to gain unauthorized access to computer systems.

1.3 List and briefly define categories of passive and active network security attacks.

Passive attacks: release of message contents and traffic analysis.
Active attacks: masquerade, replay, modification of messages, and denial
of service.

1.5 List and briefly define the fundamental security design principles
Authentication: The assurance that the communicating entity is the one that it
claims to be.
Access control: The prevention of unauthorized use of a resource (i.e., this service
controls who can have access to a resource, under what conditions access can
occur, and what those accessing the resource are allowed to do).
Data confidentiality: The protection of data from unauthorized disclosure.
Data integrity: The assurance that data received are exactly as sent by an
authorized entity (i.e., contain no modification, insertion, deletion, or replay).
Nonrepudiation: Provides protection against denial by one of the entities involved in
a communication of having participated in all or part of the communication.
Availability service: The property of a system or a system resource being accessible
and usable upon demand by an authorized system entity, according to
performance specifications for the system (i.e., a system is available if it provides
services according to the system design whenever users request them).

1.6 Explain the difference between an attack surface and an attack tree.
Attack Surface - Consists of the reachable and exploitable vulnerabilities in a system.
Attack Tree - A branching, hierarchical data structure that represents a set of
potential techniques for exploiting security vulnerabilities.

Chapter 3
3.1 In general terms, what are four means of authenticating a user’s identity?
Something the individual knows: Examples include a password, a personal
identification number (PIN), or answers to a prearranged set of questions.
Something the individual possesses: Examples include electronic keycards, smart
cards, and physical keys. This type of authenticator is referred to as a token.
Something the individual is (static biometrics): Examples include recognition by
fingerprint, retina, and face.
Something the individual does (dynamic biometrics): Examples include recognition
by voice pattern, handwriting characteristics, and typing rhythm.

3.2 List and briefly describe the principal threats to the secrecy of passwords.
We can identify the following attack strategies and countermeasures:
Offline dictionary attack: Typically, strong access controls are used to
protect the system's password file. However, experience shows that
determined hackers can frequently bypass such controls and gain access
to the file. The attacker obtains the system password file and compares
the password hashes against hashes of commonly used passwords. If a
match is found, the attacker can gain access by that ID/password
combination.
Specific account attack: The attacker targets a specific account and
submits password guesses until the correct password is discovered.
Popular password attack: A variation of the preceding attack is to use
a popular password and try it against a wide range of user IDs. A user's
tendency is to choose a password that is easily remembered; this
unfortunately makes the password easy to guess.
Password guessing against single user: The attacker attempts to
gain knowledge about the account holder and system password policies
and uses that knowledge to guess the password.
Workstation hijacking: The attacker waits until a logged-in
workstation is unattended.
Exploiting user mistakes: If the system assigns a password, then the
user is more likely to write it down because it is difficult to remember.
This situation creates the potential for an adversary to read the written
password. A user may intentionally share a password, to enable a
colleague to share files, for example. Also, attackers are frequently

3.3 What are two common techniques used to protect a password file?
One technique is to restrict access to the password file using standard access
control measures.
Another technique is to force users to select passwords that are difficult to
guess.

3.4 List and briefly describe four common techniques for selecting or assigning passwords.
User education: Users can be told the importance of using hard-to-guess passwords and
can be provided with guidelines for selecting strong passwords.
Computer-generated passwords: The system selects a password for the user.
Reactive password checking: The system periodically runs its own password cracker to
find guessable passwords.
Proactive password checking: A user is allowed to select his or her own password.
However, at the time of selection, the system checks to see if the password is allowable
and, if not, rejects it.

3.5 Explain the difference between a simple memory card and a smart card.
Memory cards can store but not process data.
Smart cards have a microprocessor.

3.6 List and briefly describe the principal physical characteristics used for biometric
identification.
• Facial characteristics: Facial characteristics are the most common
means of human-to-human identification; thus it is natural to consider
them for identification by computer. The most common approach is to
define characteristics based on relative location and shape of key facial
features, such as eyes, eyebrows, nose, lips, and chin shape. An
alternative approach is to use an infrared camera to produce a face
thermogram that correlates with the underlying vascular system in the
human face.
• Fingerprints: Fingerprints have been used as a means of identification
for centuries, and the process has been systematized and automated
particularly for law enforcement purposes. A fingerprint is the pattern of
ridges and furrows on the surface of the fingertip. Fingerprints are
believed to be unique across the entire human population. In practice,
automated fingerprint recognition and matching systems extract a number
of features from the fingerprint for storage as a numerical surrogate for
the full fingerprint pattern.
• Hand geometry: Hand geometry systems identify features of the hand,
including shape, and lengths and widths of fingers.
• Retinal pattern: The pattern formed by veins beneath the retinal
surface is unique and therefore suitable for identification. A retinal
biometric system obtains a digital image of the retinal pattern by
projecting a low-intensity beam of visual or infrared light into the eye.
• Iris: Another unique physical characteristic is the detailed structure of
the iris.
• Signature: Each individual has a unique style of handwriting and this is
reflected especially in the signature, which is typically a frequently
written sequence. However, multiple signature samples from a single
individual will not be identical. This complicates the task of developing a
computer representation of the signature that can be matched to future
samples.
• Voice: Whereas the signature style of an individual reflects not only the
unique physical attributes of the writer but also the writing habit that has
developed, voice patterns are more closely tied to the physical and
anatomical characteristics of the speaker. Nevertheless, there is still a
variation from sample to sample over time from the same speaker,
complicating the biometric recognition task.

3.7 In the context of biometric user authentication, explain the terms enrollment,
verification, and identification.
Enrollment
For a biometric system, the user presents a name and, typically, some
type of password or PIN to the system. At the same time the system
senses some biometric characteristic of this user.
Verification
Verification is analogous to a user logging on to a system by using a memory
card or smart card coupled with a password or PIN. For biometric verification,
the user enters a PIN and also uses a biometric sensor.
Identification
For an identification system, the individual uses the biometric sensor but
presents no additional information. The system then compares the presented
template with the set of stored templates. If there is a match, then this user is
identified. Otherwise, the user is rejected.
Figure 3.8 illustrates the operation of a biometric system.

3.8 Define the terms false match rate and false nonmatch rate, and explain the use
of a threshold in relationship to these two rates.
The false match rate is the frequency with which biometric samples from
different sources are erroneously assessed to be from the same source.
The false nonmatch rate is the frequency with which samples from the same
source are erroneously assessed to be from different sources.

3.9 Describe the general concept of a challenge-response protocol

Problems
Explain the suitability or unsuitability of the following passwords:

a) YK 334 – too short of a password, might be a license plate number (easy to get)

b) mfmitm (for “my favorite movie is tender mercies”) - this is an acceptable
password – it is not something in a dictionary and unless you know the person
intimately it would not be easily found out.

c) Natalie1 – too easily guessed – shouldn’t use common names for passwords

d) Washington – also too easily guessed – likely to be in a dictionary

e) Aristotle - also too easily guessed – likely to be in a dictionary

Chapter 8

8.1 List and briefly define four classes of intruders.

• Cyber criminals: Are either individuals or members of an organized crime group with
a goal of financial reward. To achieve this, their activities may include identity theft,
theft of financial credentials, corporate espionage, data theft, or data ransoming.
• Activists: Are either individuals, usually working as insiders, or members of a larger
group of outsider attackers, who are motivated by social or political causes. They are
also known as hacktivists, and their skill level is often quite low. The aim of their
attacks is often to promote and publicize their cause, typically through website
defacement, denial of service attacks, or the theft and distribution of data that results in
negative publicity or compromise of their targets.
• State-sponsored organizations: Are groups of hackers sponsored by governments to
conduct espionage or sabotage activities. They are also known as Advanced Persistent
Threats (APTs), due to the covert nature and persistence over extended periods
involved with many attacks in this class.
• Others: Are hackers with motivations other than those listed above, including classic
hackers or crackers who are motivated by technical challenge or by peer-group esteem
and reputation.

8.2 List and briefly describe the steps typically used by intruders when attacking a system.
a. Target Acquisition and Information Gathering: Where the attacker identifies and
characterizes the target systems using publicly available information, both technical
and non-technical, and the use of network exploration tools to map target resources.
b. Initial Access: The initial access to a target system, typically by exploiting a remote
network vulnerability, by guessing weak authentication credentials used in a remote
service, or via the installation of malware on the system using some form of social
engineering or drive-by-download attack.
c. Privilege Escalation: Actions taken on the system, typically via local access
vulnerability, to increase the privileges available to the attacker to enable their desired
goals on the target system.
d. Information Gathering or System Exploit: Actions by the attacker to access or
modify information or resources on the system, or to navigate to another target system.
e. Maintaining Access: Actions such as the installation of backdoors or other malicious
software, or through the addition of covert authentication credentials or other
configuration changes to the system, to enable continued access by the attacker after
the initial attack.
f. Covering Tracks: Where the attacker disables or edits audit logs, to remove evidence
of attack activity, and uses rootkits and other measures to hide covertly installed files
or code.

8.4 Describe the three logical components of IDS (Intrusion Detection System).

An IDS comprises three logical components:

a. Sensors: Sensors are responsible for collecting data. The input for a sensor may be
any part of a system that could contain evidence of an intrusion. Types of input to a
sensor include network packets, log files, and system call traces.
b. Analyzers: Analyzers receive input from one or more sensors or from other
analyzers. The analyzer is responsible for determining if an intrusion has occurred.
The output of this component is an indication that an intrusion has occurred. The
output may include evidence supporting the conclusion that an intrusion occurred.
The analyzer may provide guidance about what actions to take as a result of the
intrusion. The sensor inputs may also be stored for future analysis and review in a
storage or database component.
c. User interface: The user interface to an IDS enables a user to view output from the
system or control the behavior of the system. In some systems, the user interface may
equate to a manager, director, or console component.

8.5 Describe the differences between a host-based IDS and a network-based
IDS. How can their advantages be combined into a single system?

Host-based IDS: Monitors the characteristics of a single host and the events
occurring within that host for suspicious activity.
Network-based IDS: Monitors network traffic for particular network segments
or devices and analyzes network, transport, and application protocols to identify
suspicious activity.
Distributed or hybrid IDS: Combines information from a number of sensors,
often both host and network-based, in a central analyzer that is able to better
identify and respond to intrusion activity.

8.6 What are three benefits that can be provided by an IDS?

1. If an intrusion is detected quickly enough, the intruder can be identified and
ejected from the system before any damage is done or any data are
compromised.
2. An effective intrusion detection system can serve as a deterrent, so acting
to prevent intrusions.
3. Intrusion detection enables the collection of information about intrusion
techniques that can be used to strengthen the intrusion prevention facility.

8.7 What is the difference between a false positive and a false negative in the context of
an IDS?
A false positive, or false alarm, is where authorized users are identified as intruders
by an IDS.
A false negative is when intruders are not identified as intruders by an IDS, as a
result of a tighter interpretation of intruder behavior in an attempt to limit false
positives.

8.8 Explain the base-rate fallacy

The base rate fallacy is an error that occurs when the conditional probability of some
hypothesis H (is this an intruder?), given some evidence E (network data), is assessed
without taking into account the prior probability of H and the total probability of
evidence E.
If the actual number of intrusions is low compared to the number of legitimate uses
of a system, then the false alarm rate will be high unless the test is extremely
discriminating. This is known as the base-rate fallacy.
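
The trade-off in 8.7 and the base-rate effect in 8.8, worked through as an added example (not part of the original solutions): a threshold detector over a constructed sample of failed-login counts, with Bayes' rule applied at two priors. The sample data, the failed-login metric and all function names are assumptions made for illustration.

```python
from fractions import Fraction

# Constructed sample: failed logins per session, labelled only for evaluation.
LEGIT = [0, 0, 0, 1, 0, 2, 0, 1, 0, 0, 3, 0, 1, 0, 0, 5, 0, 1, 2, 0]
INTRUDER = [4, 9, 6, 12, 2]


def rates(threshold):
    """Threshold detector: raise an alarm when failures >= threshold.

    Returns (false_positive_rate, false_negative_rate) on the sample.
    """
    fp = sum(1 for n in LEGIT if n >= threshold)      # authorized, flagged
    fn = sum(1 for n in INTRUDER if n < threshold)    # intruder, missed
    return Fraction(fp, len(LEGIT)), Fraction(fn, len(INTRUDER))


def p_intruder_given_alarm(base_rate, fpr, fnr):
    """Bayes: P(H|E) = P(E|H) P(H) / P(E), where P(E) is the total
    probability of an alarm over intruder and legitimate sessions."""
    tpr = 1 - fnr
    p_alarm = tpr * base_rate + fpr * (1 - base_rate)
    return tpr * base_rate / p_alarm if p_alarm else Fraction(0)


def max_fpr_for(base_rate, fnr, target):
    """Largest false positive rate at which P(H|E) still reaches target."""
    tpr = 1 - fnr
    return tpr * base_rate * (1 - target) / (target * (1 - base_rate))


def sweep(base_rate, thresholds=(2, 3, 5, 6)):
    """One row per threshold: (threshold, FPR, FNR, P(intruder | alarm))."""
    rows = []
    for t in thresholds:
        fpr, fnr = rates(t)
        rows.append((t, fpr, fnr, p_intruder_given_alarm(base_rate, fpr, fnr)))
    return rows


if __name__ == "__main__":
    for base in (Fraction(1, 5), Fraction(1, 1000)):
        print(f"prior P(H) = {base}")
        for t, fpr, fnr, post in sweep(base):
            print(f"  threshold>={t}: FPR={float(fpr):.2f} "
                  f"FNR={float(fnr):.2f} P(H|E)={float(post):.4f}")
    need = max_fpr_for(Fraction(1, 1000), Fraction(1, 5), Fraction(1, 2))
    print(f"FPR needed for P(H|E)=0.5 at prior 1/1000: {float(need):.5f}")
```

At a prior of 1/1000 and threshold 3, only 8 of every 1007 alarms are real intrusions, and the false positive rate has to fall to 4/4995 before half of the alarms are real.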

8.9 List some desirable characteristics of an IDS

1. Run continually with minimal human supervision.
2. Be able to recover from system crashes and reinitializations.
3. Resist subversion (= must be able to monitor itself).
4. Impose a minimal overhead on the system where it is running.
5. Be able to adapt to changes in system and user behavior over time.
6. Be able to scale to monitor a large number of hosts.

8.10 What is the difference between anomaly detection and signature or heuristic
intrusion detection?
Anomaly detection: Involves the collection of data relating to the behavior of
legitimate users over a period of time. Then statistical tests are applied to
observed behavior to determine with a high level of confidence whether that
behavior is not legitimate user behavior (Threshold detection, profile based).
Signature detection: Involves an attempt to define a set of rules or attack
patterns that can be used to decide that a given behavior is that of an intruder.

8.11 List and briefly define the three broad categories of classification approaches
used by anomaly detection systems.
1. Statistical: Analysis of the observed behavior using univariate, multivariate, or time-
series models of observed metrics.
2. Knowledge based: Approaches use an expert system that classifies observed behavior
according to a set of rules that model legitimate behavior.
3. Machine-learning: Approaches automatically determine a suitable classification model
from the training data using data mining techniques.
