100% satisfaction guarantee Immediately available after payment Both online and in PDF No strings attached
logo-home
Summary Midterm (Lecture 1-9) 2024 | Information security (INFOB3INSE) | UU information science $5.93   Add to cart

Summary

Summary Midterm (Lecture 1-9) 2024 | Information security (INFOB3INSE) | UU information science

 36 views  1 purchase
  • Course
  • Institution

This document contains the most recent summary of a combination of lectures 1-9 and the reading materials for these lectures. Making this summary, I have used my lecture notes, notes from reading the book, and the lecture slides. Everything you need to know for the midterm exam on is explained and ...

[Show more]
Last document update: 5 months ago

Preview 2 out of 14  pages

  • May 24, 2024
  • May 29, 2024
  • 14
  • 2023/2024
  • Summary
avatar-seller
Information Security midterm summary
Lectures 1-9; book Computer Security and the Internet H1, H2, H3,
H5, H6, H7, H9; book Security in Computing H7

Glossary

Access control: controlling who access files / databases / access etc.
Access control directory: table per user, defines access rights per file
Access control matrix: sparse matrix containing right per user per object (efficiency!)
Accountability: identify principals that are responsible for actions.
Accuracy: (how many associations are correct): TP + TN / (N+P)
Active adversary: adversary alters data & injects
Active token: token does something himself, e.g. interact with sensor
Adversary model: consider objectives / methods / resources of adversary (attacker).
Anonymity: someone’s identity cannot be linked to their actions
Asset (CORAS): something the party values.
Asset diagram (CORAS): diagram with involved parties, (in)direct assets, harm relationships
Attack: deliberate execution, consisting of method + opportunity + motive
Attack surface: all vulnerabilities in total
Attribute-based credentials: certificate of certain attributes by trusted verifier, you keep your
privacy!
Auditability (DB requirement): it should be possible to track who did what in DB
Audit record (of DBs): log about subjects, who did what
Authentication: assure identity is approved (are you who you say you are?) (see L5)
Authentication: checking if the person is who he says he is
Authorization: asset is only accessible to authorized parties
Availability: asset remains accessible / can be used by authorized parties
Backdoors: bypass normal entry points.
Bijection: one-to-one function, each element is directly mapped to one another.
Block cipher: split up ciphertext in ‘blocks’ of fixed size
Breakable encryption scheme: 3rd party can systematically recover key in feasible timeframe
Brute force attack: trying any possible password. takes very long
Buffer overflow: data trespasses boundaries of data structures (can affect other data)
Caesar shift: directly map each letter to another (e.g. shift alphabet 13 times)
Canary value: random int, placed in between prog ctr and stack ptr.
Capabilities protection: access token used for entry regardless identity of token holder
Changelog (of DBs): log about how objects changes reverting back
Clickjacking: framing technique, user clicks on invisible superimposed button
Collaborative computation: secure multi-party computation, trust is necessary!
Commit (in two-phase update): step 2, actually make permanent change
Confidentiality: asset is viewed only by authorized parties
Consequence scale (CORAS): mapping impact of unwanted incidents in terms of harm
CORAS: stepwise, concrete model-driven risk assessment framework
Cryptography: mathematical techniques related to confidentiality, integrity, privacy, etc.

, CSRF (cross-site request forgery): attacker gets user to carry out a (bad) request created by
the attacker, without the attacker ever needing to possess / know the content of the
authentication cookies
Data anonymization: decouple identity from information
Defaced website: attacker modifies content on real site (mostly as activist)
Dictionary attacks: inferring likely passwords using password ‘dictionaries’
Differential privacy: (property of algorithm): maximize accuracy, minimize risk of identify
revealing.
Diffie-Hellman: exchange keys over a public channel
Discretionary access control: object owner decides permissions for subjects
Domain Name System (DNS): translate domain name (google.com) to IP address
Dot-dot-slash (../) : access private files on target server
dummy addition: add fake entries
Dynamic token: value changes over time. at interval / on button press
Email-based malware (Virus+Worm): spreads through email files/links, requires user action
Encryption: algorithm + cryptographic key → convert plaintext into ciphertext. Reversible.
Decryption key: use this + algorithm to convert ciphertext to plaintext
Error: human made mistake (in code)
Failure: system does not behave as required (users experience this in practice)
Fake code: user intentionally installs program, it turns out to do something different
Fake website: fake website pretending to be the real one (e.g. fake bank website)
False acceptance rate: (hacker can get in): FP / (N+P)
False rejection rate: (you can’t get in): FN / (N+P)
Fault: incorrect step in computer program, resulting from error (developers see faults)
Flaw: faults and failure are both called faults.
generalization: remove precision (instead of age 48, put 30-50)
H1, one-way property (pre-image resistance), hashing property: it should be infeasible to find
input back based on output
H2, second-preimage resistance, hashing property: with 1 given (!) input, it should be
infeasible to find another input with the same hash result
H3, collision resistance, hashing property: it should be infeasible to find to 2 arbitrary inputs
(which are not the same), which yield the same hash output
Handshake layer (TSL): key exchange, authentication. first step in TSL procedure
Hashing: function to convert string to other fixed length string, should be impossible to
convert back.
Heap: dynamic memory allocation (first in first out)
High-level risk analysis (CORAS): table with high-level risk descriptions
Homomorphic encryption: ciphertext can still be treated as original data
HTTP Secure (HTTPS): secure traffic via TSL (Transport Security Layer)
Hypertext transfer protocol (HTTP): data transfer between server & browser (TCP
(Transmission Control Protocol) connection)
ID-based protection: identify is verified, instead of just the fact you have a token
Impact: negative consequence of executed threat
Incomplete mediation: attacker can modify parameters that are not validated
Integer-based vulnerabilities: exploit bugs from integer representation in memory
Integer overflow/underflow: occurs when value is too high or too low for storage limit
Integrity: asset is modified only by authorized parties

The benefits of buying summaries with Stuvia:

Guaranteed quality through customer reviews

Guaranteed quality through customer reviews

Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.

Quick and easy check-out

Quick and easy check-out

You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.

Focus on what matters

Focus on what matters

Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!

Frequently asked questions

What do I get when I buy this document?

You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.

Satisfaction guarantee: how does it work?

Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.

Who am I buying these notes from?

Stuvia is a marketplace, so you are not buying this document from us, but from seller danielgeelhoed. Stuvia facilitates payment to the seller.

Will I be stuck with a subscription?

No, you only buy these notes for $5.93. You're not tied to anything after your purchase.

Can Stuvia be trusted?

4.6 stars on Google & Trustpilot (+1000 reviews)

67866 documents were sold in the last 30 days

Founded in 2010, the go-to place to buy study notes for 14 years now

Start selling
$5.93  1x  sold
  • (0)
  Add to cart