
Security + Computer System Security

Name: Shaamim Ahmed

DCOM 258 E31

Chapter 04
I. Define the following key terms: (14 Points)


1. Locally Shared Objects (LSO)
Local shared objects (LSOs), commonly called Flash cookies (due to their similarities
with HTTP cookies), are pieces of data that websites which use Adobe Flash may store
on a user's computer. Local shared objects have been used by all versions of Flash Player.
2. User Access Control (UAC)
A security component of Windows Vista that keeps every user (besides the actual
Administrator account) in standard user mode instead of as an administrator with full
administrative rights.
3. Secure Code Review
Secure code review, an in-depth code inspection procedure.
4. Threat Modeling
Threat modeling, a way of prioritizing threats to an application.
5. Principle of Least Privilege
Applications should be coded and run in such a way as to maintain the principle of least
privilege. Users should only have access to what they need. Processes should run with
only the bare minimum access needed to complete their functions. However, this can be
coupled with separation of privilege, where access to objects depends on more than one
condition (for example, authentication plus an encrypted key).
6. Principle of Defense in Depth (DID)
Principle of defense in depth: The more security controls the better. The layering of
defense in secure coding may take the form of validation, auditing, special authentication
techniques, and so on.
7. Applications should never trust user input
Applications should never trust user input: Input should be validated carefully.
8. Minimize the attack surface area
Minimize the attack surface area: Every additional feature that a programmer adds to an
application increases the size of the attack surface and increases risk. Unnecessary
functions should be removed, and necessary functions should require authorization.
9. Establish Secure defaults
Establish secure defaults: Out-of-the-box offerings should be as secure as possible. If
possible, user password complexity and password aging default policies should be
configured by the programmer, not the user. Permissions should default to no access and
should be granted only as they are needed.
10. Fail Securely
Fail securely: At times, applications will fail. How they fail determines their security.
Failure exceptions might show the programming language that was used to build the
application, or worse, lead to access holes.
11. Fix Security Issues Correctly
Fix security issues correctly: Once found, security vulnerabilities should be thoroughly
tested, documented, and understood. Patches should be developed to fix the problem, but
not cause other issues or application regression.
12. Black-Box Testing
Black-box testing, when people test a system but have no specific knowledge of the
system code involved with the system.
13. White-Box Testing
White-box testing, a method of testing applications or systems where the tester is given
access to the internal workings of the system.
14. Cookies
A piece of text stored by a website
Can be used for authentication, shopping carts, and sessions
Mini-lab: Adjust the Cookies Slider Within the Privacy Tab of the Internet
Options Dialog Box in IE
Differences between tracking cookies and session cookies
15. Sandbox
When a web script runs in its own environment for the express purpose of not interfering
with other processes
16. Systems development life cycle (SDLC)
Systems development life cycle (SDLC): an organized process of planning, developing,
testing, deploying, and maintaining systems and applications, and the various
methodologies used to do so.
17. Input Validation
Integer overflow, when arithmetic operations attempt to create a numeric value that is too
big for the available memory space.
18. Fuzz Testing
Fuzz testing (or fuzzing) is another smart concept. This is where random data is inputted
into a computer program in an attempt to find vulnerabilities. This is often done without
knowledge of the source code of the program. The program to be tested is run, has data
inputted to it, and is monitored for exceptions such as crashes.
19. Buffer Overflow
When a process stores data outside of the memory that the developer intended
20. Integer Overflow
Integer overflow, when arithmetic operations attempt to create a numeric value that is too
big for the available memory space. In this attack (also known as a one-click
attack), the user's browser is compromised and transmits unauthorized
commands to the website. The chances of this attack can be reduced
by requiring tokens on web pages that contain forms, special
authentication techniques (possibly encrypted), scanning .XML files
(which could contain the code required for unauthorized access), and
submitting cookies twice instead of once, while verifying that both
cookie submissions match.
21. Cross-site Scripting (XSS)
XSS holes are vulnerabilities that can be exploited with a type of code injection. Code
injection is the exploitation of a computer programming bug or flaw by inserting and
processing invalid information; it is used to change how the program executes data. In
the case of an XSS attack, an attacker inserts malicious scripts into a web page in the
hopes of gaining elevated privileges and access to session cookies and other information
stored by a user's web browser.
22. Cross-site Request Forgery (XSRF)
An XSRF attack exploits the trust that a website has in a user's browser. In this attack (also
known as a one-click attack), the user's browser is compromised and transmits
unauthorized commands to the website. The chances of this attack can be reduced by
requiring tokens on web pages that contain forms, special authentication techniques
(possibly encrypted), scanning .XML files (which could contain the code required for
unauthorized access), and submitting cookies twice instead of once, while verifying that
both cookie submissions match.
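The two server-side checks named above, a per-form token and the double-submit cookie comparison, worked through as an added Python example that is not part of the original assignment; the request dictionary layout, the session ids and the server key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for the example; a real deployment loads it from configuration.
SERVER_KEY = b"example-only-server-key"


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to one session, so a token copied from another session is rejected."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_bound(token: str, session_id: str) -> bool:
    """Recompute the MAC over (session, nonce) and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def request_is_legitimate(request: dict) -> bool:
    """Double-submit check: the token in the cookie must be submitted again in the form body,
    the two copies must match, and the token must belong to the current session.
    A form hosted on another site cannot read the cookie, so it cannot supply a matching copy."""
    cookies = request.get("cookies", {})
    cookie_token = cookies.get("csrf_token")
    form_token = request.get("form", {}).get("csrf_token")
    session_id = cookies.get("session_id")
    if not (cookie_token and form_token and session_id):
        return False
    if not hmac.compare_digest(cookie_token, form_token):
        return False
    return token_is_bound(cookie_token, session_id)


if __name__ == "__main__":
    tok = issue_csrf_token("sess-1")  # constructed session id
    genuine = {"cookies": {"session_id": "sess-1", "csrf_token": tok}, "form": {"csrf_token": tok}}
    # Cross-site submission: the browser attaches the cookies, but the form carries no token copy.
    cross_site = {"cookies": {"session_id": "sess-1", "csrf_token": tok}, "form": {}}
    print(request_is_legitimate(genuine), request_is_legitimate(cross_site))  # True False
```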
23. Zero Day Attack
An attack executed on a vulnerability in software but before the vulnerability is known to
the creator
II. Short Answers. (6 points)
1. What is Application whitelisting? (5)
Application whitelisting is when there is an approved list of applications for use by
mobile devices. Usually implemented as a policy, if the mobile device attempts
to open an app that is not on the list, the process will fail, or the system will ask for proof
of administrative identity.
2. Identify six points that can help users to keep their computer well maintained and secure.
1. Use a surge protector or UPS: Make sure the computer and other equipment
connect to a surge protector, or better yet a UPS if you are concerned about power
loss.
2. Update the BIOS and/or UEFI: Flashing the BIOS isn't always necessary; check
the manufacturer's website for your motherboard to see if an update is needed.
3. Update the OS: For Windows, this includes the latest SPs and any Windows
Updates beyond that, and setting Windows to alert if there are any new updates. For
Linux and OS X, it means simply updating the system to the latest version and
installing individual patches as necessary.
4. Update anti-malware: This includes making sure that there is a current license for
the anti-malware (antivirus and anti-spyware) and verifying that updates are turned on
and the software is regularly scanning the system.
5. Update the firewall: Be sure to have some kind of firewall installed and enabled;
then update it. If it is Windows Firewall, updates should happen automatically
through Windows Update. However, if you have a SOHO router with a built-in
firewall, or other firewall device, you need to update the device's ROM by
downloading the latest image from the manufacturer's website.
6. Maintain the disks: This means running a disk cleanup program regularly and
checking to see whether the hard disk needs to be defragmented from once a week to
once a month depending on the amount of usage. It also means creating restore
points, doing computer backups, or using third-party backup or drive imaging
software.
3. What are the six phases of the SDLC?
Systems development life cycle (SDLC): an organized process of planning, developing,
testing, deploying, and maintaining systems and applications, and the various
methodologies used to do so. The SDLC can be broken down into several phases, including:
1. Planning and analysis: Goals are determined, needs are assessed, and high-level
planning is accomplished.
2. Systems design: The design of the system or application is defined and diagrammed in
detail.
3. Implementation: The code for the project is written.
4. Testing: The system or application is checked thoroughly in a testing environment.
5. Deployment: The system or application is put into production and is now available to
end-users.
6. Maintenance: Software is monitored and updated throughout the rest of its life cycle.
