SlideShare a Scribd company logo

8.Information Security

Export Promotion Bureau, profile picture
Export Promotion Bureau

This document discusses information security and various threats and attacks. It defines information security as preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. The seven principles of security are outlined as confidentiality, authentication, integrity, non-repudiation, availability, reliability and accountability. Various security attacks are also described, including denial of service attacks, phishing, spoofing, and malware such as viruses, worms, trojan horses, and rootkits. Threats are classified as personal threats, technological threats, or physical threats.

Education
1 of 18
Download to read offline
1
2
Most read
3
4
Most read
5
6
7
8
Most read
9
10
11
12
13
14
15
16
17
18
Cloud IT Solution Page 329 Information security Preservation of confidentiality, integrity, and availability of information; in addition, other properties such as, authenticity, accountability, non-repudiation, and reliability can also be involved Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Principal of Security 1. Confidentiality 2. Authentication 3. Integrity 4. Non-repudiation 5. Availability 6. Reliability 7. Accountability Confidentiality It specifies that only sender and intended recipients should be able to access the contents of message. e.g.: e-mail send by person A to person B. Authentication It helps to establish proof of identities. e.g.: Login using Userid and Password Integrity Integrity means that changes need to be done only by authorized entities and through authorized mechanisms. Non- repudiation Non- repudiation does not allow the sender or receiver of a message to refuse the claim of not sending or receiving that message. Information Security
Cloud IT Solution Page 330 Availability The property of being accessible and usable upon demand by an authorized entity. Accountability The property that ensures that the actions of an entity may be traced uniquely to the entity. Reliability The property of consistent intended behavior and results. Attacks: The X.800 Threat Model Item Figure Destruction (an attack on availability):  Destruction of information and/or network resources Corruption (an attack on integrity) :  Unauthorized tampering with an asset Removal (an attack on availability) :  Theft, removal or loss of information and/or other resources Disclosure (an attack on confidentiality) :  Unauthorized access to an asset. Interruption (an attack on confidentiality) :  Network becomes unavailable or unusable. Alice Bob I’m Alice. See, here’s my certificate
Cloud IT Solution Page 331 Security Attacks (Stallings) Threats (or Perils) Threats (or perils) are things which may cause loss to information assets. Examples of threats that pertain to the Internet and other networks include the following.  Tapping  The interception of data by a third party with malicious intent.  Falsification  The fraudulent rewriting of information in e-mail or web pages.  Spoofing  The performance of fraudulent actions by impersonating another person (e.g., authorized user)  Theft  The theft of files or data by a third party with malicious intent  Destruction  The fraudulent destruction or erasure of files or data  Threats are classified into three types as follows:  Personal threat  This is the type of threat that is caused by human behavior (with or without malicious intent).  Technological threat Source Destination Normal flow Source Destination Interruption Interception Source Destination Third-party Modification Source Destination Third-party Fabrication Source Destination Third-party
Cloud IT Solution Page 332  This is the type of threat in which a third party with malicious intent uses computer technology to make attacks.  Physical threat  This is the type of threat against equipment itself or against the buildings in which equipment is located. Personal threats  Information leakage  This is the leakage of information to a third party. It includes intentional leakage with the aim of receiving payment for information provision, and unintentional leakage of important information accidentally overheard by a third party. In addition, information in discarded equipment may be restored and leaked if not physically deleted (i.e., destroyed).  Loss / Theft / Damage  This means that IT devices, such as PCs and USB memory, where information is stored are left behind, stolen, or destroyed during use.  Error / Incorrect operation  This is data erasure or such other error that is caused by wrong operation. It includes the leakage of important information through mistaken entry of recipient e-mail addresses.  Social engineering  This is the act of stealing information through every day and common means.  Trashing (scavenging, dumpster diving)  This is the act of stealing important information from memos thrown away in the garbage bin, data left in memory or cache, etc. It is also used as a method of foot printing for prior collection of information about the target of attacks.  Spoofing  This is the impersonation of a person by a third party. The spoofed may pretend to be a customer or a supervisor in order to ask for PINs (PIN Numbers) or passwords.  Peeping  This is the act of sneaking a peek at keyboard operation of a person who is entering a password, or classified information displayed on another person’s screen. In particular, the act of sneaking a peek at information over a person’s shoulder is called shoulder hacking.  Cracking  This is the act of intruding into another person’s PC with malicious intent, to steal or destroy data. A person who engages in cracking is called a cracker. Note that the software package used by a cracker after unauthorized intrusion is called a rootkit,and the path installed to facilitate later intrusion is called a back door.
Cloud IT Solution Page 333  Targeted attack  This is the act of attacking a specific organization or person as a target. Since humans select the target of the attack, this is classified as a personal threat. However, the attack method itself is primarily classified as a technological threat. Technological threats  DoS attack (Denial of Service)  This is an attack that sends a large amount of data continually to the target server to place an excessive load on the server’s CPU and memory, and thereby obstructs service. In addition, there is also a DDoS (Distributed DoS) attack in which malicious programs used for targeted attacks are used to attack the single target all at once from multiple PCs.  Key logger  This is an attack that uses the mechanism (e.g., software) that records keyboard input,and fraudulently acquires information (e.g., password) entered by another person.  Click jacking  This is an attack that sets up a web page with some sort of function that causes a user’s click to execute operations not intended by the user.  Phishing  This is an attack that leads a user to a fake website through means such as e-mail pretending to be sent from a real company (e.g., financial institution), and defrauds the user of the credit card number, a bank account number, a PIN, and other personal information.  Cache poisoning  This is an attack that fraudulently overwrites cache information. In particular, DNS cache poisoning, which overwrites DNS cache, is used to lead users to fake websites for phishing.  IP spoofing  This is an attack that sends packets to another party with the source IP address disguised. This is used in actions including leading users to fake websites for phishing.  XSS (Cross Site Scripting)  This is an attack where a vulnerable target website is used as a stepping stone; a malicious script is sent to a user who is accessing the target website, and then executed on the user’s browser to enable the theft of information.  CSRF (Cross Site Request Forgery)  This is an attack which, when a user is logged in to a website and then accesses another website that has a trap installed, causes a malicious request to be sent to and executed by the logged-in website in the guise of a request from the user (i.e., as a forgery).
Cloud IT Solution Page 334  Session hijacking  This is an attack that takes over a session (i.e., a series of communications between specified parties) during communication between correctly authorized users.  Directory traversal  This is an attack that accesses normally undisclosed directories (or files) by appending “../ ” to file names, to traverse upward through directories.  Drive-by download  This is an attack that causes a user to download a malicious program, without permission during website browsing.  SQL injection  This is an attack that falsely modifies a database or fraudulently obtains information by providing part of an SQL statement as a parameter to a program (CGI program) in the website that is linked to the database.  Side channel attack  This is an attack that obtains confidential information by measuring and analyzing some additional information (i.e., side channel information), such as the electric power consumption or radiated electromagnetic waves of active IC chips.  Zero-day attack  This is an attack that takes advantage of vulnerability in software before fix for the vulnerability can be released by the software vendor.  Password cracking  This is an attack that fraudulently decodes or otherwise obtains the password of a true user. ❖ Dictionary attack  This is a method that uses a file (i.e., a dictionary file) that contains character strings likely to be used as passwords, to try such words in sequence. ❖ Brute force attack  This is a brute-force method that attempts every combination of characters. It is used as an attack method of performing the exhaustive search for a decryption key.  Third-party relay  This is an attack that abuses a freely usable server (e.g., mail server) as a “steppingstone” to transmit e-mail and other data.  Gumblar  This is an attack that falsifies the website of a famous company or public institution, and infects the computer of a user who is browsing the falsified website with a computer virus.  Buffer overflow  This is an attack that continually sends long character strings or such other data to flood the memory area (i.e., buffer) secured by a program, for the purpose of seizing access privileges to the program and creating malfunctions.
Cloud IT Solution Page 335 ✓ The following computer crimes are also said to be types of technological threats.  Salami technique (Salami slicing)  This is a method of repeatedly stealing assets little by little so that they are negligibly small when taken as a whole. An example is a technique that collects money from a bank account into another account, in fractions of less than one yen.  One-click fraud  This is a type of fraudulent act; for example, clicking an image or link on matchmaking or adult websites causes an unfair fee to be charged.  Phishing fraud  This is a general name for the act of phishing, or for fraudulent acts committed using information obtained illicitly through phishing. Physical threats  Disaster ✓ This means that equipment or buildings are made unusable, or equipment itself is lost, due to a natural disaster (e.g., earthquake, flood) or a human disaster (e.g., fire).  Destruction  This means that equipment or buildings are made unusable, due to sabotage or destructive acts by a third party with malicious intent.  Accident / failure  This means that equipment or buildings are made unusable, due to unforeseen accidents or failures.  Unauthorized intrusion  This means that unauthorized persons intrude into buildings or rooms in which equipment is located.  Vulnerabilities (or Hazards)  Vulnerabilities (or hazards) are weaknesses or flaws that are exploited by threats, becoming the cause of even greater threats. A variety of vulnerabilities in equipment, technologies, management, and many other areas cause problems.  Security hole  This is a vulnerability of software or systems that is caused software design flaws, bugs, etc.  Man-made vulnerability  This is a vulnerability that is caused by human behavior, due to lack of enforcement or preparation of a code of conduct for companies, organizations, and people. Malicious software Malicious software, commonly known as malware, is any software that brings harm to a computer system. Malware can be in the form of worms, viruses, trojans, spyware, adware and root kits etc, which steal protected data, delete documents or add software not approved by a user.
Cloud IT Solution Page 336 Fraudulent programs (i.e., malware) created with malicious intent are also classified as technological threats. The following are typical examples of malware. Trapdoor  Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using.  A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication. Trojan horse  A Trojan horse is a program that appears harmless, but is, in fact, malicious. The term comes from Greek mythology about the Trojan War. Trojans may allow an attacker to access users' personal information such as banking information, passwords, or personal identity (IP address). It can infect other devices connected to the network. Ransom ware attacks are often carried out using a Trojan.  A Trojan horse is a code segment that misuses its environment. A Trojan may give a hacker remote access to a targeted computer system. Operations that could be performed by a hacker on a targeted computer system may include- ✓ Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-Service attacks) ✓ Electronic Money theft ✓ Data Theft(e.g. retrieving passwords or credit card information) ✓ Installation of software, including third-party malware ✓ Downloading or uploading of files on the user's computer ✓ Modification deletion of files ✓ Crashing the Computer ✓ Anonym zing Internet Viewing Malicious Program Need host Program Independent Trapdoor Logic Bom Trojan horse Virus Worm Zombie Replicate
Cloud IT Solution Page 337 Logic bomb A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files (such as a salary database trigger), should they ever be terminated from the company. Computer virus Computer Viruses a computer virus is defined as “a program that is created to intentionally cause some form of damage to third parties’ programs or databases, and that has one or more of the following functions.  Self-infecting function: Viruses make copies of themselves to infect other systems.  Concealment function: Viruses do not reveal symptoms until the onset of their action.  Onset function: Viruses perform actions not intended by designers, such as destruction of data. Virus Phases 1. Dormant phase: The virus is idle. 2. Propagation Phase: The virus places an identical copy of itself into other programs. 3. Triggering Phase: The virus is activated to perform the function for which it was intended. 4. Execution Phase: The function is performed. However, in general at present, file-infecting viruses that infect specific files are called computer viruses (in a narrow sense).  Boot sector virus: This virus infects the boot sector (i.e., the system area that contains the boot program) that is read before an OS starts up.  Program file virus: This virus infects the executable program files such as applications.  Interpreter virus: This virus infects non-executable files, such as data files, other than program files. It includes two types of viruses: a macro virus that infects through the macro functions of application software, and a script virus that infects through a scripting language like JavaScript or VB Script. Worm A worm proliferates by duplicating itself on other computers through networks, without the need for a program to be infected. It often spreads a copy of itself automatically as an e-mail attachment file, or uses networks to continue spreading infection. Bot This is a program that is created for the purpose of controlling infected computers from outside via networks (e.g., the Internet).
Cloud IT Solution Page 338 Spyware This is a program that illicitly obtains a user’s information, such as personal information and access histories, and automatically sends such information to another party other than the user. Zombie A zombie is a computer connected to the Internet that has been compromised by a hacker, computer virus or Trojan horse program and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service attacks (DOS attacks). DoS vs DDos attack  DoS: when a single host attacks  DDoS: when multiple hosts attacks simultaneously Root kit  A root kit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. The term rootkit is a concatenation of root (the traditional name of the privileged account on Unix-like operating systems) and the word kit (which refers to the software components that implement the tool). The term rootkit has negative connotations through its association with malware.  Rootkit installation can be automated, or an attacker can install it after having obtained root or Administrator access. Obtaining this access is a result of direct attack on a system, i.e. exploiting a known vulnerability (such as privilege escalation) or a password (obtained by cracking or social engineering tactics like phishing). Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access. The key is the root or administrator access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent it.  Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating
Cloud IT Solution Page 339 system, behavioral-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem. When dealing with firmware rootkits, removal may require hardware replacement, or specialized equipment. Ransomware  Ransomware is a form of malicious software (or malware) that, once it's taken over your computer, threatens you with harm, usually by denying you access to your data. The attacker demands a ransom from the victim, promising not always truthfully to restore access to the data upon payment.  Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin. How Ransom ware works. There are a number of vectors ransom ware can take to access a computer. One of the most common delivery systems is phishing spam — attachments that come to the victim in an email, masquerading as a file they should trust. Once they're downloaded and opened, they can take over the victim's computer, especially if they have built-in social engineering tools that trick users into allowing administrative access. Some other, more aggressive forms of ransom ware, like Not Petya, exploit security holes to infect computers without needing to trick users. Session Hijacking  Whenever a new session is created a cookie is generated for that user , this cookie becomes the session ID , so all the request can serve using that session ID.  If somehow a hacker can sniff or steal the session id he can forge the request as a valid user (i.e impersonate as you). Phishing. Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. Innocent User Black hat Hacker Authentic Request Hijacking session ID Impersonate Request Server
Cloud IT Solution Page 340 Phishing types 1. Spear phishing 2. Clone phishing 3. Whaling Others Security Category  Related security categories  Cyber warfare  Computer security  Mobile security  Network security  Internet security  Threats  Computer crime  Vulnerability  Eavesdropping  Exploits  Trojans  Viruses and worms  Denial of service  Malware  Payloads  Rootkits  Key loggers  Defenses  Computer access control  Application security ✓ Antivirus software ✓ Secure coding ✓ Security by design ✓ Secure operating systems  Authentication ✓ Multi-factor authentication  Authorization  Data-centric security  Firewall (computing)  Intrusion detection system  Intrusion prevention system  Mobile secure gateway Types of Attacks Networks are subject to attacks from malicious sources. 1. Attacks 2. Passive An active attack is an attempt to change data or alter the functioning of a system. A passive attack is an attempt to obtain or make use of information.
Cloud IT Solution Page 341 Active Attack Passive Attack Access and modify information Access information System is harmed No harm to system Easy to detect than prevent Difficult to detect than prevent Threat to integrity and availability Threat to confidentiality Masquerading ,Repudiation and DOS Snooping and Traffic analysis. A passive attack  A passive attack makes use of information from the system but does not affect system resource.  Passive attacks are Release of Message Contents, Traffic Analysis. Release of Message Contents Traffic Analysis Active Attack  It involves some modification of data stream or creation of a false stream.  Active attacks are Release of Replay, Modification, Denial of service and Masquerade.
Cloud IT Solution Page 342 Replay  It involves passive capture of data unit and its subsequent retransmission to produce an unauthorized effect. Modification  In which some portion of message is altered or that message are delayed or reordered to produce an unauthorized affect. Denial of service  It have a specific target (Server), in which prevents or inhabits the normal use or management of communication facilities.
Cloud IT Solution Page 343 Masquerade  A masquerade is a type of attack where the attacker acts as an authorized user system in order to gain access to it or to gain greater privileges than they are authorized for. Malicious Types of attacks are included  Passive  Wiretapping  Port scanner  Idle scan  Encryption  Traffic Analysis  Active  Virus  Eavesdropping  Data Modification  Denial-of-service attack  DNS spoofing  Man in the middle  ARP poisoning  VLAN hopping
Cloud IT Solution Page 344  Smurf attack  Buffer overflow  Heap overflow  Format string attack  SQL injection  Phishing  Cross-site scripting  CSRF  Cyber-attack Compare GET vs. POST Types GET POST BACK button/Reload Harmless Data will be re-submitted (the browser should alert the user that the data are about to be re- submitted) Bookmarked Can be bookmarked Cannot be bookmarked Cached Can be cached Not cached Encoding type application/x-www-form- urlencoded application/x-www-form- urlencoded or multipart/form- data. Use multipart encoding for binary data History Parameters remain in browser history Parameters are not saved in browser history Restrictions on length data Yes, when sending data, the GET method adds the data to the URL and the length of a URL is limited (maximum URL length is 2048 characters) No restrictions Restrictions on data type Only ASCII characters allowed No restrictions. Binary data is also allowed Security Never use GET when sending passwords or other sensitive information! POST is a little safer than GET because the parameters are not stored in browser history or in web server logs Visibility Data is visible to everyone in the URL Data is not displayed in the URL Race Condition A race condition or race hazard is the behavior of electronic, software, or other system where the output is dependent on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. The term originates with the idea of two signals racing each other to influence the output first. Race conditions can occur in electronics systems, especially logic circuits, and in computer software, especially multithreaded or distributed programs.
Cloud IT Solution Page 345 Race condition example Consider the following set of operations: Let left portion read first time Left Portion Right Portion Read X=10 Read X=10 X=10+10 X=10+10 X=20 X=20 Actual X=20 Actual X=30 Solution  Locking Read X X=X+10 Read X X=X+10 X 10 10 20 20 Read X X=X+10 Read X X=X+10 X 10 20 20 30 Locking
Cloud IT Solution Page 346 1. Confidentiality with asymmetric-key cryptosystem has its own a. Entities b. Data c. Problems d.Translator 2. SHA-l has a message digest of b. 160 bits b. 512 bits c. 628 bits d. 820 bits 3. Message authentication is a service beyond a. Message Confidentiality b. Message Integrity c. Message Splashing d. Message Sending 4. In Message Confidentiality, transmitted message must make sense to only intended a. Receiver b. Sender c. Modulor d. Translator 5. A hash function guarantees integrity of a message. It guarantees that message has not be c. Replaced b. Over view c. Changed d. Violated. 6. To check integrity of a message, or document, receiver creates the a. Hash-Table b. Hash Tag c. Hyper Text d. Finger Print 7. A digital signature needs a a. Private-key system b. Shared-key system c. Public-key system d. All of them 8. One way to preserve integrity of a document is through use of a a. Eye-Rays b. Finger Print c. Biometric d. X-Rays 9. A session symmetric key between two parties is used d. Only once b. Twice c. Multiple times d. Conditions dependant 10. Encryption and decryption provide secrecy, or confidentiality, but not a. Authentication b. Integrity c. Privacy d. All of the above 1 2 3 4 5 6 7 8 9 10 c a b a c b c b a b Model Test Answer Model Test

More Related Content

PDF
Network security
nafisarayhana1
 
PPTX
Types of Cyber Security Attacks- Active & Passive Attak
Souma Maiti
 
PPT
Computer Security
Vaibhavi Patel
 
PPT
Computer Security
Vaibhavi Patel
 
PDF
What Is Denial Of Service Attack
Stephanie Williams
 
PPTX
Network security presentation
Kudzai Rerayi
 
PPTX
Security threats ecom
Vijay Kumar Verma
 
DOCX
CNS unit -1.docx
Padamata Rameshbabu
 
Network security
nafisarayhana1
 
Types of Cyber Security Attacks- Active & Passive Attak
Souma Maiti
 
Computer Security
Vaibhavi Patel
 
Computer Security
Vaibhavi Patel
 
What Is Denial Of Service Attack
Stephanie Williams
 
Network security presentation
Kudzai Rerayi
 
Security threats ecom
Vijay Kumar Verma
 
CNS unit -1.docx
Padamata Rameshbabu
 

Similar to 8.Information Security (20)

PDF
IT Security.pdf
ManassahIjudigal
 
PPTX
Security in network computing
Manoj VNV
 
PPTX
Security & threats Presentation => (Presenter: Komal Mehfooz)
Komal Mehfooz
 
PPTX
Computer security
sruthiKrishnaG
 
PPTX
Types of cyber attacks
krishh sivakrishna
 
PPT
Lecture8 to identify the (Cyber Crime).ppt
engrkarimullah5806
 
DOC
Cape it unit 2 module 3 unedited students notes (compiled from internet)
Jevaughan Edie
 
PPTX
Health information security 3 vulnerability threat and risk
Dr. Lasantha Ranwala
 
PDF
2.Security (1).pdfccccccccccccccccccccccccccccccccccccccccccccc
jacobdiriba
 
PPTX
why security is needed
sourov_das
 
DOCX
Cyber Security.docx
TanushreeChakraborty27
 
PDF
Chapter 2 konsep dasar keamanan
newbie2019
 
PPTX
INS_CH-1INS_CH-1INS_CH-1INS_CH-1INS_CH-1.pptx
rukminipamul123
 
PPTX
A Taken on Cyber Attacks - The Cyber Physical System.pptx
animeshdabral007
 
PPTX
System Security
Reddhi Basu
 
PDF
Network security
Md. Asifur Rahman Siddiki
 
PPTX
Exploring the Spectrum of Cyber Attacks .pptx
abinayar6760
 
PDF
Insecurity vssut
RAVIKUMAR Digital Signal Processing
 
PPT
Security Attacks.ppt
Zaheer720515
 
PDF
1 ijaems sept-2015-3-different attacks in the network a review
INFOGAIN PUBLICATION
 
IT Security.pdf
ManassahIjudigal
 
Security in network computing
Manoj VNV
 
Security & threats Presentation => (Presenter: Komal Mehfooz)
Komal Mehfooz
 
Computer security
sruthiKrishnaG
 
Types of cyber attacks
krishh sivakrishna
 
Lecture8 to identify the (Cyber Crime).ppt
engrkarimullah5806
 
Cape it unit 2 module 3 unedited students notes (compiled from internet)
Jevaughan Edie
 
Health information security 3 vulnerability threat and risk
Dr. Lasantha Ranwala
 
2.Security (1).pdfccccccccccccccccccccccccccccccccccccccccccccc
jacobdiriba
 
why security is needed
sourov_das
 
Cyber Security.docx
TanushreeChakraborty27
 
Chapter 2 konsep dasar keamanan
newbie2019
 
INS_CH-1INS_CH-1INS_CH-1INS_CH-1INS_CH-1.pptx
rukminipamul123
 
A Taken on Cyber Attacks - The Cyber Physical System.pptx
animeshdabral007
 
System Security
Reddhi Basu
 
Network security
Md. Asifur Rahman Siddiki
 
Exploring the Spectrum of Cyber Attacks .pptx
abinayar6760
 
Insecurity vssut
RAVIKUMAR Digital Signal Processing
 
Security Attacks.ppt
Zaheer720515
 
1 ijaems sept-2015-3-different attacks in the network a review
INFOGAIN PUBLICATION
 
Ad

More from Export Promotion Bureau (20)

PPTX
Advance Technology
Export Promotion Bureau
 
PDF
16.psc.pdf
Export Promotion Bureau
 
PDF
Advance Technology
Export Promotion Bureau
 
PDF
14.Linux Command
Export Promotion Bureau
 
PDF
12.Digital Logic.pdf
Export Promotion Bureau
 
PDF
11.Object Oriented Programming.pdf
Export Promotion Bureau
 
PDF
9.C Programming
Export Promotion Bureau
 
PDF
4.Database Management System.pdf
Export Promotion Bureau
 
PDF
Lab Question
Export Promotion Bureau
 
PPTX
DMZ
Export Promotion Bureau
 
PPTX
loopback address
Export Promotion Bureau
 
PPTX
Race Condition
Export Promotion Bureau
 
PPTX
BCS (WRITTEN) EXAMINATION.pptx
Export Promotion Bureau
 
PPTX
Nothi_update.pptx
Export Promotion Bureau
 
PPTX
word_power_point_update.pptx
Export Promotion Bureau
 
PPTX
ICT-Cell.pptx
Export Promotion Bureau
 
PPTX
Incoterms.pptx
Export Promotion Bureau
 
PPTX
EPB-Flow-Chart.pptx
Export Promotion Bureau
 
PPTX
Subnetting.pptx
Export Promotion Bureau
 
PPTX
Software-Development.pptx
Export Promotion Bureau
 
Advance Technology
Export Promotion Bureau
 
16.psc.pdf
Export Promotion Bureau
 
Advance Technology
Export Promotion Bureau
 
14.Linux Command
Export Promotion Bureau
 
12.Digital Logic.pdf
Export Promotion Bureau
 
11.Object Oriented Programming.pdf
Export Promotion Bureau
 
9.C Programming
Export Promotion Bureau
 
4.Database Management System.pdf
Export Promotion Bureau
 
Lab Question
Export Promotion Bureau
 
DMZ
Export Promotion Bureau
 
loopback address
Export Promotion Bureau
 
Race Condition
Export Promotion Bureau
 
BCS (WRITTEN) EXAMINATION.pptx
Export Promotion Bureau
 
Nothi_update.pptx
Export Promotion Bureau
 
word_power_point_update.pptx
Export Promotion Bureau
 
ICT-Cell.pptx
Export Promotion Bureau
 
Incoterms.pptx
Export Promotion Bureau
 
EPB-Flow-Chart.pptx
Export Promotion Bureau
 
Subnetting.pptx
Export Promotion Bureau
 
Software-Development.pptx
Export Promotion Bureau
 
Ad

Recently uploaded (20)

PDF
Virat Kohli- the Pride of Indian cricket
kushpar147
 
PPTX
How to Apply for a Job From Odoo 18 Website
Celine George
 
PPTX
Tips Management in Odoo 18 POS - Odoo Slides
Celine George
 
PPTX
CARE OF UNCONSCIOUS PATIENTS .pptx
AneetaSharma15
 
PPTX
BASICS IN COMPUTER APPLICATIONS - UNIT I
suganthim28
 
PPTX
How to Close Subscription in Odoo 18 - Odoo Slides
Celine George
 
PPTX
HISTORY COLLECTION FOR PSYCHIATRIC PATIENTS.pptx
PoojaSen20
 
PDF
Antianginal agents, Definition, Classification, MOA.pdf
Prerana Jadhav
 
PPTX
Continental Accounting in Odoo 18 - Odoo Slides
Celine George
 
PDF
Module 2: Public Health History [Tutorial Slides]
JonathanHallett4
 
PPTX
Five Point Someone – Chetan Bhagat | Book Summary & Analysis by Bhupesh Kushwaha
Bhupesh Kushwaha
 
PPTX
Introduction to pediatric nursing in 5th Sem..pptx
AneetaSharma15
 
PPTX
Cleaning Validation Ppt Pharmaceutical validation
Ms. Ashatai Patil
 
PPTX
Basics and rules of probability with real-life uses
ravatkaran694
 
PPTX
family health care settings home visit - unit 6 - chn 1 - gnm 1st year.pptx
Priyanshu Anand
 
PPTX
Measures_of_location_-_Averages_and__percentiles_by_DR SURYA K.pptx
Surya Ganesh
 
PPTX
Python-Application-in-Drug-Design by R D Jawarkar.pptx
Rahul Jawarkar
 
PPTX
How to Track Skills & Contracts Using Odoo 18 Employee
Celine George
 
PDF
Review of Related Literature & Studies.pdf
Thelma Villaflores
 
PPTX
Artificial Intelligence in Gastroentrology: Advancements and Future Presprec...
AyanHossain
 
Virat Kohli- the Pride of Indian cricket
kushpar147
 
How to Apply for a Job From Odoo 18 Website
Celine George
 
Tips Management in Odoo 18 POS - Odoo Slides
Celine George
 
CARE OF UNCONSCIOUS PATIENTS .pptx
AneetaSharma15
 
BASICS IN COMPUTER APPLICATIONS - UNIT I
suganthim28
 
How to Close Subscription in Odoo 18 - Odoo Slides
Celine George
 
HISTORY COLLECTION FOR PSYCHIATRIC PATIENTS.pptx
PoojaSen20
 
Antianginal agents, Definition, Classification, MOA.pdf
Prerana Jadhav
 
Continental Accounting in Odoo 18 - Odoo Slides
Celine George
 
Module 2: Public Health History [Tutorial Slides]
JonathanHallett4
 
Five Point Someone – Chetan Bhagat | Book Summary & Analysis by Bhupesh Kushwaha
Bhupesh Kushwaha
 
Introduction to pediatric nursing in 5th Sem..pptx
AneetaSharma15
 
Cleaning Validation Ppt Pharmaceutical validation
Ms. Ashatai Patil
 
Basics and rules of probability with real-life uses
ravatkaran694
 
family health care settings home visit - unit 6 - chn 1 - gnm 1st year.pptx
Priyanshu Anand
 
Measures_of_location_-_Averages_and__percentiles_by_DR SURYA K.pptx
Surya Ganesh
 
Python-Application-in-Drug-Design by R D Jawarkar.pptx
Rahul Jawarkar
 
How to Track Skills & Contracts Using Odoo 18 Employee
Celine George
 
Review of Related Literature & Studies.pdf
Thelma Villaflores
 
Artificial Intelligence in Gastroentrology: Advancements and Future Presprec...
AyanHossain
 

8.Information Security

  • 1. Cloud IT Solution Page 329 Information security Preservation of confidentiality, integrity, and availability of information; in addition, other properties such as, authenticity, accountability, non-repudiation, and reliability can also be involved Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Principal of Security 1. Confidentiality 2. Authentication 3. Integrity 4. Non-repudiation 5. Availability 6. Reliability 7. Accountability Confidentiality It specifies that only sender and intended recipients should be able to access the contents of message. e.g.: e-mail send by person A to person B. Authentication It helps to establish proof of identities. e.g.: Login using Userid and Password Integrity Integrity means that changes need to be done only by authorized entities and through authorized mechanisms. Non- repudiation Non- repudiation does not allow the sender or receiver of a message to refuse the claim of not sending or receiving that message. Information Security
  • 2. Cloud IT Solution Page 330 Availability The property of being accessible and usable upon demand by an authorized entity. Accountability The property that ensures that the actions of an entity may be traced uniquely to the entity. Reliability The property of consistent intended behavior and results. Attacks: The X.800 Threat Model Item Figure Destruction (an attack on availability):  Destruction of information and/or network resources Corruption (an attack on integrity) :  Unauthorized tampering with an asset Removal (an attack on availability) :  Theft, removal or loss of information and/or other resources Disclosure (an attack on confidentiality) :  Unauthorized access to an asset. Interruption (an attack on confidentiality) :  Network becomes unavailable or unusable. Alice Bob I’m Alice. See, here’s my certificate
  • 3. Cloud IT Solution Page 331 Security Attacks (Stallings) Threats (or Perils) Threats (or perils) are things which may cause loss to information assets. Examples of threats that pertain to the Internet and other networks include the following.  Tapping  The interception of data by a third party with malicious intent.  Falsification  The fraudulent rewriting of information in e-mail or web pages.  Spoofing  The performance of fraudulent actions by impersonating another person (e.g., authorized user)  Theft  The theft of files or data by a third party with malicious intent  Destruction  The fraudulent destruction or erasure of files or data  Threats are classified into three types as follows:  Personal threat  This is the type of threat that is caused by human behavior (with or without malicious intent).  Technological threat Source Destination Normal flow Source Destination Interruption Interception Source Destination Third-party Modification Source Destination Third-party Fabrication Source Destination Third-party
  • 4. Cloud IT Solution Page 332  This is the type of threat in which a third party with malicious intent uses computer technology to make attacks.  Physical threat  This is the type of threat against equipment itself or against the buildings in which equipment is located. Personal threats  Information leakage  This is the leakage of information to a third party. It includes intentional leakage with the aim of receiving payment for information provision, and unintentional leakage of important information accidentally overheard by a third party. In addition, information in discarded equipment may be restored and leaked if not physically deleted (i.e., destroyed).  Loss / Theft / Damage  This means that IT devices, such as PCs and USB memory, where information is stored are left behind, stolen, or destroyed during use.  Error / Incorrect operation  This is data erasure or such other error that is caused by wrong operation. It includes the leakage of important information through mistaken entry of recipient e-mail addresses.  Social engineering  This is the act of stealing information through every day and common means.  Trashing (scavenging, dumpster diving)  This is the act of stealing important information from memos thrown away in the garbage bin, data left in memory or cache, etc. It is also used as a method of foot printing for prior collection of information about the target of attacks.  Spoofing  This is the impersonation of a person by a third party. The spoofed may pretend to be a customer or a supervisor in order to ask for PINs (PIN Numbers) or passwords.  Peeping  This is the act of sneaking a peek at keyboard operation of a person who is entering a password, or classified information displayed on another person’s screen. In particular, the act of sneaking a peek at information over a person’s shoulder is called shoulder hacking.  Cracking  This is the act of intruding into another person’s PC with malicious intent, to steal or destroy data. A person who engages in cracking is called a cracker. Note that the software package used by a cracker after unauthorized intrusion is called a rootkit,and the path installed to facilitate later intrusion is called a back door.
  • 5. Cloud IT Solution Page 333  Targeted attack  This is the act of attacking a specific organization or person as a target. Since humans select the target of the attack, this is classified as a personal threat. However, the attack method itself is primarily classified as a technological threat. Technological threats  DoS attack (Denial of Service)  This is an attack that sends a large amount of data continually to the target server to place an excessive load on the server’s CPU and memory, and thereby obstructs service. In addition, there is also a DDoS (Distributed DoS) attack in which malicious programs used for targeted attacks are used to attack the single target all at once from multiple PCs.  Key logger  This is an attack that uses the mechanism (e.g., software) that records keyboard input,and fraudulently acquires information (e.g., password) entered by another person.  Click jacking  This is an attack that sets up a web page with some sort of function that causes a user’s click to execute operations not intended by the user.  Phishing  This is an attack that leads a user to a fake website through means such as e-mail pretending to be sent from a real company (e.g., financial institution), and defrauds the user of the credit card number, a bank account number, a PIN, and other personal information.  Cache poisoning  This is an attack that fraudulently overwrites cache information. In particular, DNS cache poisoning, which overwrites DNS cache, is used to lead users to fake websites for phishing.  IP spoofing  This is an attack that sends packets to another party with the source IP address disguised. This is used in actions including leading users to fake websites for phishing.  XSS (Cross Site Scripting)  This is an attack where a vulnerable target website is used as a stepping stone; a malicious script is sent to a user who is accessing the target website, and then executed on the user’s browser to enable the theft of information.  CSRF (Cross Site Request Forgery)  This is an attack which, when a user is logged in to a website and then accesses another website that has a trap installed, causes a malicious request to be sent to and executed by the logged-in website in the guise of a request from the user (i.e., as a forgery).
  • 6. Cloud IT Solution Page 334  Session hijacking  This is an attack that takes over a session (i.e., a series of communications between specified parties) during communication between correctly authorized users.  Directory traversal  This is an attack that accesses normally undisclosed directories (or files) by appending “../ ” to file names, to traverse upward through directories.  Drive-by download  This is an attack that causes a user to download a malicious program, without permission during website browsing.  SQL injection  This is an attack that falsely modifies a database or fraudulently obtains information by providing part of an SQL statement as a parameter to a program (CGI program) in the website that is linked to the database.  Side channel attack  This is an attack that obtains confidential information by measuring and analyzing some additional information (i.e., side channel information), such as the electric power consumption or radiated electromagnetic waves of active IC chips.  Zero-day attack  This is an attack that takes advantage of vulnerability in software before fix for the vulnerability can be released by the software vendor.  Password cracking  This is an attack that fraudulently decodes or otherwise obtains the password of a true user. ❖ Dictionary attack  This is a method that uses a file (i.e., a dictionary file) that contains character strings likely to be used as passwords, to try such words in sequence. ❖ Brute force attack  This is a brute-force method that attempts every combination of characters. It is used as an attack method of performing the exhaustive search for a decryption key.  Third-party relay  This is an attack that abuses a freely usable server (e.g., mail server) as a “steppingstone” to transmit e-mail and other data.  Gumblar  This is an attack that falsifies the website of a famous company or public institution, and infects the computer of a user who is browsing the falsified website with a computer virus.  Buffer overflow  This is an attack that continually sends long character strings or such other data to flood the memory area (i.e., buffer) secured by a program, for the purpose of seizing access privileges to the program and creating malfunctions.
  • 7. Cloud IT Solution Page 335 ✓ The following computer crimes are also said to be types of technological threats.  Salami technique (Salami slicing)  This is a method of repeatedly stealing assets little by little so that they are negligibly small when taken as a whole. An example is a technique that collects money from a bank account into another account, in fractions of less than one yen.  One-click fraud  This is a type of fraudulent act; for example, clicking an image or link on matchmaking or adult websites causes an unfair fee to be charged.  Phishing fraud  This is a general name for the act of phishing, or for fraudulent acts committed using information obtained illicitly through phishing. Physical threats  Disaster ✓ This means that equipment or buildings are made unusable, or equipment itself is lost, due to a natural disaster (e.g., earthquake, flood) or a human disaster (e.g., fire).  Destruction  This means that equipment or buildings are made unusable, due to sabotage or destructive acts by a third party with malicious intent.  Accident / failure  This means that equipment or buildings are made unusable, due to unforeseen accidents or failures.  Unauthorized intrusion  This means that unauthorized persons intrude into buildings or rooms in which equipment is located.  Vulnerabilities (or Hazards)  Vulnerabilities (or hazards) are weaknesses or flaws that are exploited by threats, becoming the cause of even greater threats. A variety of vulnerabilities in equipment, technologies, management, and many other areas cause problems.  Security hole  This is a vulnerability of software or systems that is caused software design flaws, bugs, etc.  Man-made vulnerability  This is a vulnerability that is caused by human behavior, due to lack of enforcement or preparation of a code of conduct for companies, organizations, and people. Malicious software Malicious software, commonly known as malware, is any software that brings harm to a computer system. Malware can be in the form of worms, viruses, trojans, spyware, adware and root kits etc, which steal protected data, delete documents or add software not approved by a user.
  • 8. Cloud IT Solution Page 336 Fraudulent programs (i.e., malware) created with malicious intent are also classified as technological threats. The following are typical examples of malware. Trapdoor  Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using.  A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication. Trojan horse  A Trojan horse is a program that appears harmless, but is, in fact, malicious. The term comes from Greek mythology about the Trojan War. Trojans may allow an attacker to access users' personal information such as banking information, passwords, or personal identity (IP address). It can infect other devices connected to the network. Ransom ware attacks are often carried out using a Trojan.  A Trojan horse is a code segment that misuses its environment. A Trojan may give a hacker remote access to a targeted computer system. Operations that could be performed by a hacker on a targeted computer system may include- ✓ Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-Service attacks) ✓ Electronic Money theft ✓ Data Theft(e.g. retrieving passwords or credit card information) ✓ Installation of software, including third-party malware ✓ Downloading or uploading of files on the user's computer ✓ Modification deletion of files ✓ Crashing the Computer ✓ Anonym zing Internet Viewing Malicious Program Need host Program Independent Trapdoor Logic Bom Trojan horse Virus Worm Zombie Replicate
  • 9. Cloud IT Solution Page 337 Logic bomb A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files (such as a salary database trigger), should they ever be terminated from the company. Computer virus Computer Viruses a computer virus is defined as “a program that is created to intentionally cause some form of damage to third parties’ programs or databases, and that has one or more of the following functions.  Self-infecting function: Viruses make copies of themselves to infect other systems.  Concealment function: Viruses do not reveal symptoms until the onset of their action.  Onset function: Viruses perform actions not intended by designers, such as destruction of data. Virus Phases 1. Dormant phase: The virus is idle. 2. Propagation Phase: The virus places an identical copy of itself into other programs. 3. Triggering Phase: The virus is activated to perform the function for which it was intended. 4. Execution Phase: The function is performed. However, in general at present, file-infecting viruses that infect specific files are called computer viruses (in a narrow sense).  Boot sector virus: This virus infects the boot sector (i.e., the system area that contains the boot program) that is read before an OS starts up.  Program file virus: This virus infects the executable program files such as applications.  Interpreter virus: This virus infects non-executable files, such as data files, other than program files. It includes two types of viruses: a macro virus that infects through the macro functions of application software, and a script virus that infects through a scripting language like JavaScript or VB Script. Worm A worm proliferates by duplicating itself on other computers through networks, without the need for a program to be infected. It often spreads a copy of itself automatically as an e-mail attachment file, or uses networks to continue spreading infection. Bot This is a program that is created for the purpose of controlling infected computers from outside via networks (e.g., the Internet).
  • 10. Cloud IT Solution Page 338 Spyware This is a program that illicitly obtains a user’s information, such as personal information and access histories, and automatically sends such information to another party other than the user. Zombie A zombie is a computer connected to the Internet that has been compromised by a hacker, computer virus or Trojan horse program and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service attacks (DOS attacks). DoS vs DDos attack  DoS: when a single host attacks  DDoS: when multiple hosts attacks simultaneously Root kit  A root kit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. The term rootkit is a concatenation of root (the traditional name of the privileged account on Unix-like operating systems) and the word kit (which refers to the software components that implement the tool). The term rootkit has negative connotations through its association with malware.  Rootkit installation can be automated, or an attacker can install it after having obtained root or Administrator access. Obtaining this access is a result of direct attack on a system, i.e. exploiting a known vulnerability (such as privilege escalation) or a password (obtained by cracking or social engineering tactics like phishing). Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access. The key is the root or administrator access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent it.  Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating
  • 11. Cloud IT Solution Page 339 system, behavioral-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem. When dealing with firmware rootkits, removal may require hardware replacement, or specialized equipment. Ransomware  Ransomware is a form of malicious software (or malware) that, once it's taken over your computer, threatens you with harm, usually by denying you access to your data. The attacker demands a ransom from the victim, promising not always truthfully to restore access to the data upon payment.  Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin. How Ransom ware works. There are a number of vectors ransom ware can take to access a computer. One of the most common delivery systems is phishing spam — attachments that come to the victim in an email, masquerading as a file they should trust. Once they're downloaded and opened, they can take over the victim's computer, especially if they have built-in social engineering tools that trick users into allowing administrative access. Some other, more aggressive forms of ransom ware, like Not Petya, exploit security holes to infect computers without needing to trick users. Session Hijacking  Whenever a new session is created a cookie is generated for that user , this cookie becomes the session ID , so all the request can serve using that session ID.  If somehow a hacker can sniff or steal the session id he can forge the request as a valid user (i.e impersonate as you). Phishing. Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. Innocent User Black hat Hacker Authentic Request Hijacking session ID Impersonate Request Server
  • 12. Cloud IT Solution Page 340 Phishing types 1. Spear phishing 2. Clone phishing 3. Whaling Others Security Category  Related security categories  Cyber warfare  Computer security  Mobile security  Network security  Internet security  Threats  Computer crime  Vulnerability  Eavesdropping  Exploits  Trojans  Viruses and worms  Denial of service  Malware  Payloads  Rootkits  Key loggers  Defenses  Computer access control  Application security ✓ Antivirus software ✓ Secure coding ✓ Security by design ✓ Secure operating systems  Authentication ✓ Multi-factor authentication  Authorization  Data-centric security  Firewall (computing)  Intrusion detection system  Intrusion prevention system  Mobile secure gateway Types of Attacks Networks are subject to attacks from malicious sources. 1. Attacks 2. Passive An active attack is an attempt to change data or alter the functioning of a system. A passive attack is an attempt to obtain or make use of information.
  • 13. Cloud IT Solution Page 341 Active Attack Passive Attack Access and modify information Access information System is harmed No harm to system Easy to detect than prevent Difficult to detect than prevent Threat to integrity and availability Threat to confidentiality Masquerading ,Repudiation and DOS Snooping and Traffic analysis. A passive attack  A passive attack makes use of information from the system but does not affect system resource.  Passive attacks are Release of Message Contents, Traffic Analysis. Release of Message Contents Traffic Analysis Active Attack  It involves some modification of data stream or creation of a false stream.  Active attacks are Release of Replay, Modification, Denial of service and Masquerade.
  • 14. Cloud IT Solution Page 342 Replay  It involves passive capture of data unit and its subsequent retransmission to produce an unauthorized effect. Modification  In which some portion of message is altered or that message are delayed or reordered to produce an unauthorized affect. Denial of service  It have a specific target (Server), in which prevents or inhabits the normal use or management of communication facilities.
  • 15. Cloud IT Solution Page 343 Masquerade  A masquerade is a type of attack where the attacker acts as an authorized user system in order to gain access to it or to gain greater privileges than they are authorized for. Malicious Types of attacks are included  Passive  Wiretapping  Port scanner  Idle scan  Encryption  Traffic Analysis  Active  Virus  Eavesdropping  Data Modification  Denial-of-service attack  DNS spoofing  Man in the middle  ARP poisoning  VLAN hopping
  • 16. Cloud IT Solution Page 344  Smurf attack  Buffer overflow  Heap overflow  Format string attack  SQL injection  Phishing  Cross-site scripting  CSRF  Cyber-attack Compare GET vs. POST Types GET POST BACK button/Reload Harmless Data will be re-submitted (the browser should alert the user that the data are about to be re- submitted) Bookmarked Can be bookmarked Cannot be bookmarked Cached Can be cached Not cached Encoding type application/x-www-form- urlencoded application/x-www-form- urlencoded or multipart/form- data. Use multipart encoding for binary data History Parameters remain in browser history Parameters are not saved in browser history Restrictions on length data Yes, when sending data, the GET method adds the data to the URL and the length of a URL is limited (maximum URL length is 2048 characters) No restrictions Restrictions on data type Only ASCII characters allowed No restrictions. Binary data is also allowed Security Never use GET when sending passwords or other sensitive information! POST is a little safer than GET because the parameters are not stored in browser history or in web server logs Visibility Data is visible to everyone in the URL Data is not displayed in the URL Race Condition A race condition or race hazard is the behavior of electronic, software, or other system where the output is dependent on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. The term originates with the idea of two signals racing each other to influence the output first. Race conditions can occur in electronics systems, especially logic circuits, and in computer software, especially multithreaded or distributed programs.
  • 17. Cloud IT Solution Page 345 Race condition example Consider the following set of operations: Let left portion read first time Left Portion Right Portion Read X=10 Read X=10 X=10+10 X=10+10 X=20 X=20 Actual X=20 Actual X=30 Solution  Locking Read X X=X+10 Read X X=X+10 X 10 10 20 20 Read X X=X+10 Read X X=X+10 X 10 20 20 30 Locking
  • 18. Cloud IT Solution Page 346 1. Confidentiality with asymmetric-key cryptosystem has its own a. Entities b. Data c. Problems d.Translator 2. SHA-l has a message digest of b. 160 bits b. 512 bits c. 628 bits d. 820 bits 3. Message authentication is a service beyond a. Message Confidentiality b. Message Integrity c. Message Splashing d. Message Sending 4. In Message Confidentiality, transmitted message must make sense to only intended a. Receiver b. Sender c. Modulor d. Translator 5. A hash function guarantees integrity of a message. It guarantees that message has not be c. Replaced b. Over view c. Changed d. Violated. 6. To check integrity of a message, or document, receiver creates the a. Hash-Table b. Hash Tag c. Hyper Text d. Finger Print 7. A digital signature needs a a. Private-key system b. Shared-key system c. Public-key system d. All of them 8. One way to preserve integrity of a document is through use of a a. Eye-Rays b. Finger Print c. Biometric d. X-Rays 9. A session symmetric key between two parties is used d. Only once b. Twice c. Multiple times d. Conditions dependant 10. Encryption and decryption provide secrecy, or confidentiality, but not a. Authentication b. Integrity c. Privacy d. All of the above 1 2 3 4 5 6 7 8 9 10 c a b a c b c b a b Model Test Answer Model Test