This document contains the most recent summary of a combination of lectures 1-9 and the reading materials for these lectures. Making this summary, I have used my lecture notes, notes from reading the book, and the lecture slides. Everything you need to know for the midterm exam on is explained and...
Information Security midterm summary
Lectures 1-9; book Computer Security and the Internet H1, H2, H3,
H5, H6, H7, H9; book Security in Computing H7
Glossary
Access control: controlling who access files / databases / access etc.
Access control directory: table per user, defines access rights per file
Access control matrix: sparse matrix containing right per user per object (efficiency!)
Accountability: identify principals that are responsible for actions.
Accuracy: (how many associations are correct): TP + TN / (N+P)
Active adversary: adversary alters data & injects
Active token: token does something himself, e.g. interact with sensor
Adversary model: consider objectives / methods / resources of adversary (attacker).
Anonymity: someone’s identity cannot be linked to their actions
Asset (CORAS): something the party values.
Asset diagram (CORAS): diagram with involved parties, (in)direct assets, harm relationships
Attack: deliberate execution, consisting of method + opportunity + motive
Attack surface: all vulnerabilities in total
Attribute-based credentials: certificate of certain attributes by trusted verifier, you keep your
privacy!
Auditability (DB requirement): it should be possible to track who did what in DB
Audit record (of DBs): log about subjects, who did what
Authentication: assure identity is approved (are you who you say you are?) (see L5)
Authentication: checking if the person is who he says he is
Authorization: asset is only accessible to authorized parties
Availability: asset remains accessible / can be used by authorized parties
Backdoors: bypass normal entry points.
Bijection: one-to-one function, each element is directly mapped to one another.
Block cipher: split up ciphertext in ‘blocks’ of fixed size
Breakable encryption scheme: 3rd party can systematically recover key in feasible timeframe
Brute force attack: trying any possible password. takes very long
Buffer overflow: data trespasses boundaries of data structures (can affect other data)
Caesar shift: directly map each letter to another (e.g. shift alphabet 13 times)
Canary value: random int, placed in between prog ctr and stack ptr.
Capabilities protection: access token used for entry regardless identity of token holder
Changelog (of DBs): log about how objects changes reverting back
Clickjacking: framing technique, user clicks on invisible superimposed button
Collaborative computation: secure multi-party computation, trust is necessary!
Commit (in two-phase update): step 2, actually make permanent change
Confidentiality: asset is viewed only by authorized parties
Consequence scale (CORAS): mapping impact of unwanted incidents in terms of harm
CORAS: stepwise, concrete model-driven risk assessment framework
Cryptography: mathematical techniques related to confidentiality, integrity, privacy, etc.
, CSRF (cross-site request forgery): attacker gets user to carry out a (bad) request created by
the attacker, without the attacker ever needing to possess / know the content of the
authentication cookies
Data anonymization: decouple identity from information
Defaced website: attacker modifies content on real site (mostly as activist)
Dictionary attacks: inferring likely passwords using password ‘dictionaries’
Differential privacy: (property of algorithm): maximize accuracy, minimize risk of identify
revealing.
Diffie-Hellman: exchange keys over a public channel
Discretionary access control: object owner decides permissions for subjects
Domain Name System (DNS): translate domain name (google.com) to IP address
Dot-dot-slash (../) : access private files on target server
dummy addition: add fake entries
Dynamic token: value changes over time. at interval / on button press
Email-based malware (Virus+Worm): spreads through email files/links, requires user action
Encryption: algorithm + cryptographic key → convert plaintext into ciphertext. Reversible.
Decryption key: use this + algorithm to convert ciphertext to plaintext
Error: human made mistake (in code)
Failure: system does not behave as required (users experience this in practice)
Fake code: user intentionally installs program, it turns out to do something different
Fake website: fake website pretending to be the real one (e.g. fake bank website)
False acceptance rate: (hacker can get in): FP / (N+P)
False rejection rate: (you can’t get in): FN / (N+P)
Fault: incorrect step in computer program, resulting from error (developers see faults)
Flaw: faults and failure are both called faults.
generalization: remove precision (instead of age 48, put 30-50)
H1, one-way property (pre-image resistance), hashing property: it should be infeasible to find
input back based on output
H2, second-preimage resistance, hashing property: with 1 given (!) input, it should be
infeasible to find another input with the same hash result
H3, collision resistance, hashing property: it should be infeasible to find to 2 arbitrary inputs
(which are not the same), which yield the same hash output
Handshake layer (TSL): key exchange, authentication. first step in TSL procedure
Hashing: function to convert string to other fixed length string, should be impossible to
convert back.
Heap: dynamic memory allocation (first in first out)
High-level risk analysis (CORAS): table with high-level risk descriptions
Homomorphic encryption: ciphertext can still be treated as original data
HTTP Secure (HTTPS): secure traffic via TSL (Transport Security Layer)
Hypertext transfer protocol (HTTP): data transfer between server & browser (TCP
(Transmission Control Protocol) connection)
ID-based protection: identify is verified, instead of just the fact you have a token
Impact: negative consequence of executed threat
Incomplete mediation: attacker can modify parameters that are not validated
Integer-based vulnerabilities: exploit bugs from integer representation in memory
Integer overflow/underflow: occurs when value is too high or too low for storage limit
Integrity: asset is modified only by authorized parties
Alle Vorteile der Zusammenfassungen von Stuvia auf einen Blick:
Garantiert gute Qualität durch Reviews
Stuvia Verkäufer haben mehr als 700.000 Zusammenfassungen beurteilt. Deshalb weißt du dass du das beste Dokument kaufst.
Schnell und einfach kaufen
Man bezahlt schnell und einfach mit iDeal, Kreditkarte oder Stuvia-Kredit für die Zusammenfassungen. Man braucht keine Mitgliedschaft.
Konzentration auf den Kern der Sache
Deine Mitstudenten schreiben die Zusammenfassungen. Deshalb enthalten die Zusammenfassungen immer aktuelle, zuverlässige und up-to-date Informationen. Damit kommst du schnell zum Kern der Sache.
Häufig gestellte Fragen
Was bekomme ich, wenn ich dieses Dokument kaufe?
Du erhältst eine PDF-Datei, die sofort nach dem Kauf verfügbar ist. Das gekaufte Dokument ist jederzeit, überall und unbegrenzt über dein Profil zugänglich.
Zufriedenheitsgarantie: Wie funktioniert das?
Unsere Zufriedenheitsgarantie sorgt dafür, dass du immer eine Lernunterlage findest, die zu dir passt. Du füllst ein Formular aus und unser Kundendienstteam kümmert sich um den Rest.
Wem kaufe ich diese Zusammenfassung ab?
Stuvia ist ein Marktplatz, du kaufst dieses Dokument also nicht von uns, sondern vom Verkäufer danielgeelhoed. Stuvia erleichtert die Zahlung an den Verkäufer.
Werde ich an ein Abonnement gebunden sein?
Nein, du kaufst diese Zusammenfassung nur für 5,49 €. Du bist nach deinem Kauf an nichts gebunden.