Access Control Education - ASSI

Questions and Answers

What is the correct formula for the entropy of a password?

  • E = log2(R^L), equivalently E = L * log2(R) (correct)
  • E = L / log2(R)
  • E = L * log2(L)
  • E = L + log2(R)

What does a high entropy-per-byte value for a file indicate?

  • The file has low complexity and can be compressed easily.
  • The file contains a lot of redundant data.
  • The file is highly random and will not compress significantly. (correct)
  • The file is simple and well structured.

Which of the following is an example of a file that would have high entropy?

  • Plain text file
  • Excel spreadsheet
  • .jpg image
  • Compressed archive (correct)

(Note that a .jpg is itself a compressed format and also measures close to 8 bits per byte; the intended answer in the lesson is the archive.)

Which tool can be used to compute the entropy of a file on Linux?

ent

In what situation will a file probably have low entropy?

When it contains many repeated or structured characters.

What is taken into account when measuring the robustness of a password?

The password's entropy.

Which formula is used to compute the entropy of a password?

E = L * log2(R)

What does the entropy of a password indicate with respect to the average number of attempts needed to guess it?

The average number of attempts needed to guess the password (E bits of entropy means 2^E candidates, so about 2^(E-1) guesses on average).

What is a good practice regarding the use of passwords?

Use a unique password for each site or e-mail account.

How is the entropy of a password affected by the size of the set of unique characters used?

Entropy grows with a larger number of unique characters.

Which of the following best describes SIM-jacking?

Taking control of someone else's phone number.

Which method is not a common way of carrying out SIM-jacking?

Using malicious content to break in.

What measures can be taken to protect against SIM-jacking?

Use two-factor authentication based on TOTP (rather than SMS codes).

What was one of the outcomes of the attack carried out by Harris?

He obtained access to private keys in order to steal cryptocurrency.

Which statement about the approach Harris used for his attack is true?

He hacked the CEO's personal account.

What is the main goal of quishing?

To trick people into revealing personal information.

What common characteristic of BEC makes it dangerous?

Creating a sense of urgency in the communication.

What strategy do BEC scammers use?

Posing as a manager or a trusted supplier.

What do scammers usually ask for in a BEC e-mail?

A transfer of funds or the purchase of gift cards.

Which year marked the fifth consecutive year in which BEC schemes topped the complaints received by the FBI?

2020

What characteristic distinguishes BEC from other types of phishing?

It targets the people who pay bills in companies and governments.

What is the most common type of urgency used in BEC?

Urgency to avoid financial consequences.

Which of these is not a typical request in a BEC scam?

Updating contracts.

Which argument specifies the file containing the hashes to be cracked when using Hashcat?

Argument #3

When using Hashcat, which option sets the hash type to MD5?

-m 0

Which attack is characterised as using words from a list, according to the Hashcat documentation?

Dictionary attack (-a 0)

Which placeholder represents lowercase characters when building a mask in Hashcat?

?l

Which optimised version of Hashcat was designed specifically for NVIDIA GPUs?

cudaHashcat (the separate cudaHashcat and oclHashcat builds were merged into a single hashcat binary in version 3.0)

When using Hashcat, which argument selects the brute-force attack mode?

-a 3

Which of the following is a valid mask for Hashcat?

?l?l?l?l (four lowercase letters)

What is the purpose of the Hashcat software?

To crack hashes.

What is the role of backup codes in an authentication system?

They are a fallback when the second factor is unavailable and must be kept in a safe, protected place.

What is the main characteristic of the TOTP protocol?

It uses an algorithm that combines the current time and a secret key.

What should be done to avoid failures in two-factor authentication (2FA)?

Never share authentication codes with third parties.

How does FIDO2 provide passwordless authentication?

It uses a public/private key pair, with the private key kept on the user's device.

What is the main concern with the use of 2FA?

Phishing can be used to obtain the authentication codes.

What characterises passkey authentication?

It requires a physical device near the user for authentication.

Which is one of the authentication methods described for passkeys?

It is based on the CTAP protocol.

What does TOTP use to avoid clock-synchronisation problems?

Time intervals of N seconds for code generation.

What is a known weakness of 2FA?

The possibility of phishing attacks that capture the codes.

What is the key difference between public and private keys in passkey authentication?

The private key is stored on the user's device, while the public key is held by the server.

    Study Notes

    Administração de Segurança de Sistemas Informáticos (ASSI) - System Administration Access Control

    • Topic: System Administration Access Control
    • Presenter: Patrício Domingues
    • Date: 2024
    • Institution: ESTG/IPLeiria

User Education

• Topic: User education on system administration access control.

    Phishing, keyloggers

• Topic: Cyber threats and security vulnerabilities.
• Key fact: Cyber-thieves steal almost 250,000 valid log-in names and passwords for Google accounts every week.
• Key fact: 12 months of log-in and account data from websites and criminal forums were analyzed.
• Key fact: More than 788,000 credentials were stolen via keyloggers, 12 million via phishing, and 1.9 billion came from breaches at other companies.
• Key fact: Only 3.1% of hijacked accounts subsequently started using improved security measures such as two-factor authentication.
• Recommendation: Educating users about better ways to protect their accounts should be a major initiative.

    Users as targets

    • Topic: Regular users are targets of attacks.
    • Key attack methods: Phishing, Ransomware.
    • Key attack method: Social engineering to gain access.
    • Key point: Human beings are prone to trust.

    Phishing 101

• Topic: Attacks that trick people into revealing personal information, typically usernames and passwords.
• Classic example: e-mails from "princes" asking for a money transfer.
• Modern phishing attacks: Often very targeted (spear-phishing).
• Modern phishing attacks: May appear to come from someone the victim knows.

    Need to educate users (#1)

• Topic: Need for user education in securing accounts.
• Important point: People are still falling for phishing.
• Important point: 95% of breaches are linked to some sort of software installation.
• Tactics used by cyber-thieves: Hacking (62%), Malware (51%), stolen or weak passwords (81%). The figures overlap because a single breach usually combines several tactics.

    Need to educate users (#2)

• Topic: Organizations should have strict rules to prevent dangerous behaviors.
• Dangerous behavior example: Plugging in unknown USB drives ("road apples").
• Example: Selling cheap, infected USB drives near the targeted facilities.

    Need to educate users (#3)

    • Topic: Positive user reinforcement when reporting issues.
    • Key point: It's not the end of the world to fall victim to an attack.
    • Key point: Negative actions (punishment/shaming) can make users hide potential issues.
    • Recommendation: Users should have confidence in alerting IT personnel about abnormalities.
    • Recommendation: Better to report false positives than let true problems go unreported.

    Need to educate users (#4)

• Topic: Risky behavior concerning USB thumb drives.
• Risk example: Attackers deliberately "lose" malware-infected drives in parking lots so that employees plug them in, giving the attacker a way to spy on or harm the organization.

    (some) Phishing internet domains for "Microsoft"

• Topic: Common phishing domains targeting users of Microsoft services.
• List: Domains found to be associated with phishing attempts (look-alike names chosen to pass as Microsoft's own).

    Smishing and Quishing (social engineering attacks)

    • Topic: Social engineering attacks using text messages (smishing) and QR codes (quishing).

    Smishing (#1)

    • Topic: Describes phishing attacks employing SMS messages.
    • Key fact: SMS has a significantly higher open rate (98%) compared to email (20%).
    • Key fact: 60% of people open and read text messages within 1-5 minutes of receiving them.
    • Key fact: Users are 4.5 times more likely to respond to a text message than an email.

    Smishing (#2)

    • Topic: Case study of a phishing attack using SMS messages.
    • Example: Fake postal service messages tricking users into entering credit card details.
    • Data revealed: 438,669 unique credit cards entered into 1,133 domains.

    Quishing (#1)

    • Topic: Phishing attack that uses QR codes.

    Quishing (#2) - Example

    • Topic: Describes examples of quishing attacks using a FedEx delivery email.

    Quishing (#3) - Example

    • Topic: Describes examples of quishing attacks using a DHL delivery email.

    Case-study: Business Email Compromise (BEC)

• Topic: Business email compromise (BEC).
• Scam type: Scammers impersonate legitimate individuals (e.g., the boss, a vendor) to demand money transfers.
• Motivation: The demand is made to look legitimate (e.g., an urgent invoice payment).
• Examples: The boss is abroad with a cancelled card and needs money; a vendor or supplier asks for an invoice to be paid.
• Key point: BEC is a common and costly threat for organizations, with massive financial losses recorded by the FBI between 2016 and 2020.

    Case-study: Passwords

• Topic: Common passwords and security vulnerabilities.
• Key fact: 123456 is the most commonly used (and thus most vulnerable) password.
• Traditional password guidelines: Change passwords frequently, use a robust character set, mixed case and length (the periodic-change advice is withdrawn in the NIST 2024 rules covered later).
• Key point: People often fail to create passwords that are both strong and easy to remember.

    Case-study: Passwords (#1)

• Topic: Details about passwords and their common vulnerabilities.
• Data-based fact: 123456 is one of the most commonly cracked passwords.

    Case-study: Passwords (#2)

    • Topic: User behavior related to password selection and memorization.
    • Key fact: Users are not good at selecting passwords.
    • Key fact: Strong passwords are random and with high entropy but difficult to remember.

    Case-study: Passwords (#3)

    • Topic: NIST Password Guidelines.
    • Time period: 2003.
    • Recommendation: Periodically change passwords.
    • Recommendation: New passwords should be different from old ones.

    Passwords breach?

    • Topic: How to determine if an email address appeared in a data breach.
    • Tool: haveibeenpwned.com

    Entropy of a password

• Topic: Password complexity measured as entropy, i.e. a measure of how hard the password is to guess.
• Formula: E = log2(R^L) <=> E = L * log2(R), where L is the password length and R the size of the character set it is drawn from. Entropy therefore grows with length and with character diversity, and E bits means about 2^(E-1) guesses on average.
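Worked example of the formula (added here, not part of the slide): compute L and R for a given password, turn E into an expected number of guesses, and convert that into time at an assumed guessing rate. The four character classes, the 32-symbol count and the 10^10 guesses per second rate are assumptions for illustration. The last line shows the formula's blind spot: it assumes a uniformly random choice, so a dictionary word with substitutions scores well while being trivially crackable.

```python
import math
import string

# Pools for the four usual character classes (assumption: the classic
# classes; the 32 printable ASCII symbols are string.punctuation).
POOLS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def charset_size(password: str) -> int:
    """R: size of the pool the password appears to be drawn from, i.e. the
    sum of the sizes of every class that occurs at least once."""
    return sum(len(chars) for chars in POOLS.values()
               if any(c in chars for c in password))


def entropy_bits(length: int, pool: int) -> float:
    """E = log2(R^L) = L * log2(R): entropy in bits of a password of length
    L chosen uniformly at random from a pool of R characters."""
    return length * math.log2(pool)


def password_entropy(password: str) -> float:
    return entropy_bits(len(password), charset_size(password))


def expected_guesses(bits: float) -> float:
    """2^E candidates; an attacker enumerating them hits the right one
    after half of them on average."""
    return 2.0 ** bits / 2


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    return expected_guesses(bits) / guesses_per_second


if __name__ == "__main__":
    RATE = 1e10  # assumption: a GPU rig against an unsalted fast hash
    for pw in ("abcd", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        bits = password_entropy(pw)
        print(f"{pw:28s} L={len(pw):2d} R={charset_size(pw):3d} "
              f"E={bits:5.1f} bits  ~{crack_time_seconds(bits, RATE):.3g} s")
    # Caveat: "P@ssw0rd" scores 8 * log2(94) = 52.4 bits by the formula,
    # yet it is in every wordlist and falls to a dictionary attack instantly.
    print(f"P@ssw0rd by the formula: {password_entropy('P@ssw0rd'):.1f} bits")
```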

    Entropy of a file

• Topic: Shannon entropy of an ordinary file, measured in bits per byte with tools such as ent (Linux): text and structured data score low, while compressed, encrypted or random data score close to 8.
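What ent reports as "Entropy" is the Shannon entropy of the file's byte histogram. The block below is an added example (not from the slide) that computes that figure, pairs it with a zlib compression ratio as a second signal, and runs both over constructed samples standing in for a text file, a compressed archive, ciphertext and an all-zero file; the 7.0 bits/byte triage threshold is a common heuristic, not a value from the lesson.

```python
import math
import random
import string
import zlib
from collections import Counter


def shannon_entropy_per_byte(data: bytes) -> float:
    """H = -sum p(b) * log2 p(b) over the 256 byte values, in bits per byte:
    0.0 for a constant file, 8.0 for a perfectly flat histogram. This is
    the 'Entropy' line that ent prints."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size with zlib level 9; a ratio near 1.0
    means the data is already incompressible."""
    return len(zlib.compress(data, 9)) / len(data)


def classify(data: bytes) -> str:
    """Triage heuristic (assumption): >= 7.0 bits/byte usually means
    compressed, encrypted or random content."""
    if shannon_entropy_per_byte(data) >= 7.0:
        return "high-entropy (compressed/encrypted/random)"
    return "low-entropy (text/structured)"


def sample_files() -> dict:
    """Constructed inputs standing in for real files; fixed seed so the
    results are reproducible."""
    rng = random.Random(1)
    words = ("".join(rng.choice(string.ascii_lowercase)
                     for _ in range(rng.randint(3, 9))) for _ in range(1500))
    text = " ".join(words).encode()
    return {
        "text": text,
        "compressed": zlib.compress(text, 9),            # like a .zip of the text
        "random": bytes(rng.getrandbits(8) for _ in range(4096)),  # like ciphertext
        "zeros": bytes(4096),
    }


if __name__ == "__main__":
    for name, data in sample_files().items():
        print(f"{name:11s} {shannon_entropy_per_byte(data):5.3f} bits/byte  "
              f"zlib ratio={compression_ratio(data):.2f}  -> {classify(data)}")
```

The same numbers come from the command line with `ent file` (look for the "Entropy = ... bits per byte" line); the compression ratio is a cheap cross-check because a file that is already at 7.9 bits/byte will not shrink.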

    IHG hack

    • Topic: Describes that a FTSE-100 firm was hacked due to a weak password.

    Password/xkcd

• Topic: The xkcd comparison of a short "complex" password with a long passphrase of common words: length contributes far more entropy than character substitutions, and the passphrase is easier to remember.

    Password rules by NIST - 2024

• Topic: Password guidelines laid out by NIST (SP 800-63B, 2024 revision).
• Key fact: Passwords must be at least 8 characters; 15 or more is recommended, and verifiers must accept at least 64.
• Key fact: All printable ASCII and Unicode characters should be allowed in passwords, with no composition rules (mandatory upper case, digits, symbols).
• Important fact: Password changes are not required on a periodic schedule, only when there is evidence of compromise (e.g., a known breach).
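A validator that follows these rules looks different from the classic "one upper case, one digit, one symbol, expires every 90 days" policy. The block below is an added example, not from the slide: it counts length in Unicode code points after NFKC normalisation (so composed and decomposed accents are the same secret), enforces the minimum and the 64-character acceptance limit, screens against a breached-password list and the username, and deliberately has no composition or expiry rule. The blocklist is a constructed stand-in for a real corpus such as the Have I Been Pwned list.

```python
import unicodedata
from typing import List, Optional, Set

FLOOR_LENGTH = 8          # SP 800-63B minimum
RECOMMENDED_LENGTH = 15   # recommended minimum in the 2024 revision
MAX_LENGTH = 64           # verifiers must accept at least this many characters

# Constructed stand-in for a breached/common-password corpus.
BLOCKLIST: Set[str] = {
    "123456", "12345678", "password", "p@ssw0rd", "qwerty1234",
    "correcthorsebatterystaple",
}

# Constructed sample: "pässwörd" written with combining diaeresis marks
# (10 code points) rather than precomposed letters (8 code points).
SAMPLE_DECOMPOSED = "pa\u0308sswo\u0308rd"


def normalize(password: str) -> str:
    """NFKC so that visually identical Unicode forms yield the same secret;
    SP 800-63B recommends normalising before hashing or comparing."""
    return unicodedata.normalize("NFKC", password)


def check_password(candidate: str, username: Optional[str] = None,
                   min_length: int = RECOMMENDED_LENGTH,
                   blocklist: Set[str] = BLOCKLIST) -> List[str]:
    """Return the list of reasons to reject the password; empty means accepted.
    Intentionally absent: composition rules and scheduled expiry."""
    pw = normalize(candidate)
    length = len(pw)                  # code points, not bytes: "señor" is 5
    problems: List[str] = []
    if length < max(min_length, FLOOR_LENGTH):
        problems.append(f"shorter than {min_length} characters")
    if length > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.casefold() in blocklist:
        problems.append("appears in the breached/common-password list")
    if username and username.casefold() in pw.casefold():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for pw, user in (("P@ssw0rd", None), ("correct horse battery staple", None),
                     (SAMPLE_DECOMPOSED, None), ("alice_secret_2024", "Alice")):
        verdict = check_password(pw, user, min_length=FLOOR_LENGTH)
        print(f"{pw!r:34s} -> {'OK' if not verdict else '; '.join(verdict)}")
```

"P@ssw0rd" satisfies every classic composition rule and is still rejected; the 28-character passphrase satisfies none of them and is accepted, which is the point of the 2024 rules.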

    7 steps to password perfection

    • Topic: How to create strong and robust passwords.
    • Recommendation: Use a password manager to avoid password reuse/duplication.
    • Recommendation: Use long, complex passwords, not repeating similar characters.
    • Recommendation: Separate special characters.
    • Recommendation: Do not change passwords on a schedule.
    • Recommendation: Do not use the same password for different sites.

    Credential stuffing

• Topic: How criminals take advantage of password reuse.
• Key fact: Criminals replay lists of previously compromised username/password pairs against other sites, counting on users having reused the same password.
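From the defender's side, credential stuffing has a recognisable shape in the authentication log: one client trying many different usernames in a short window, almost all of them failing, with the occasional success where a reused password matched. The block below is an added example (not from the slide) that runs that rule over a constructed log sample; the line format, the 203.0.113.0/24 and 198.51.100.0/24 addresses (documentation ranges) and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterator, List

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample (not real data). 203.0.113.7 walks a leaked list:
# eight different users in eight seconds, one of whom reused a password.
# 198.51.100.4 is a legitimate user mistyping twice; the rest are normal.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=bob result=OK
2024-05-01T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:06Z src=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:07Z src=203.0.113.7 user=grace result=FAIL
2024-05-01T10:00:08Z src=203.0.113.7 user=heidi result=FAIL
2024-05-01T10:00:09Z src=198.51.100.4 user=alice result=FAIL
2024-05-01T10:00:15Z src=198.51.100.4 user=alice result=FAIL
2024-05-01T10:00:22Z src=198.51.100.4 user=alice result=OK
2024-05-01T10:01:00Z src=192.0.2.9 user=carol result=OK
2024-05-01T10:01:30Z src=192.0.2.10 user=dave result=OK
"""


def parse(log_text: str) -> Iterator[dict]:
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ev


def detect_stuffing(log_text: str, min_users: int = 5, min_fail_ratio: float = 0.8,
                    window_seconds: int = 300) -> Dict[str, dict]:
    """Flag a source when, inside any sliding window, it has tried at least
    min_users distinct usernames with a failure ratio >= min_fail_ratio.
    Returns {src: details}, including which accounts the attacker got into."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev["src"]].append(ev)
    alerts: Dict[str, dict] = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        users, fails, start = Counter(), 0, 0
        for end, ev in enumerate(events):
            users[ev["user"]] += 1
            fails += ev["result"] == "FAIL"
            while (ev["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                old = events[start]
                users[old["user"]] -= 1
                if users[old["user"]] == 0:
                    del users[old["user"]]
                fails -= old["result"] == "FAIL"
                start += 1
            total = end - start + 1
            if len(users) >= min_users and fails / total >= min_fail_ratio:
                alerts[src] = {
                    "distinct_users": len(users), "attempts": total,
                    "fail_ratio": round(fails / total, 2),
                    "hits": sorted(e["user"] for e in events[start:end + 1] if e["result"] == "OK"),
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

The "hits" list is what matters for response: those accounts were successfully entered with a reused password and need a forced reset. Real campaigns spread the attempts across thousands of proxies, so a per-source rule like this one is only the first layer; the same counters aggregated per user-agent or globally (failure rate across all sources) catch the distributed case.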

    Passwords and users

    • Topic: Recommendations to educate users on safe password management.
    • Recommendation: Do not leave passwords written where they can be seen.
    • Recommendation: Do not share passwords with anyone.

    Passwords on photos

    • Topic: Describes how images may reveal security information.
    • Example: A case of a government official's photo revealing his password.

    Passwords on videos

• Topic: Security information (passwords, keys) revealed on video.

    The same goes for physical keys

    • Topic: Discusses the importance of not displaying access keys.

    Some authentication credentials are left publicly available.

• Topic: Cases where credentials were left in easily accessible places or are findable via search queries; explains how "Google Dorks" (targeted search-engine queries) surface such material.

    Saving passwords in publicly accessible web pages

    • Topic: Highlighting the importance of not saving passwords in publicly accessible web pages (e.g., Trello boards).

    #2 #3 #5 #0

• Topic: Illustrates how wear on a keypad (here the keys 2, 3, 5 and 0) reveals which digits make up an access code, reducing the guesswork to the orderings of those digits.

    4-digit PIN

    • Topic: Discusses statistics concerning common and less common 4-digit PINs/passwords, often created using user's birth year.

    Leaked passwords

• Topic: A common scam built on passwords leaked in breaches, and how it works.
• Type: Cyber-thugs who impersonate others.

    Password managers (#1)

    • Topic: Description of various password managers to improve security.
    • Types: online (cloud based), and local.

    Password managers (#2)

• Topic: Different types of password managers (online and local).
• Features: Online password managers keep the passwords in the cloud; the user only needs the master password.
• Security: Browser-integrated online managers only fill credentials on the exact domain they were saved for, so a look-alike phishing URL gets nothing.
• Security: Local password managers rely on copy/paste to move credentials into forms, which exposes them to copy-paste hijacking.

    Copy-paste hijacking

    • Topic: Explain how malware can interfere with copy-paste operations to steal important data, such as passwords.

    Keepass

    • Topic: Overview of the KeePass password manager.
    • Data encryption: Passwords are encrypted and kept in a local database.
    • Encryption Algorithms: Using AES/Rijndael and Twofish algorithms for encryption.

    Google Password Manager

    • Topic: Overview of Google's cloud-based password manager.
    • Features: Saving passwords across various devices, auto-sign-in functionality, exporting and importing passwords.

    Contingency plan for passwords

• Topic: Planning for what happens to credentials when an employee leaves, dies or becomes unavailable, or when the organization itself suffers a catastrophe.
• Practical scenario: Illustrates why a plan for recovering access is needed before such an event occurs.

    Cantor Fitzgerald company

    • Topic: Describes a real-world incident where the loss of employees and sensitive data required emergency measures.

    Tools to crack passwords

    • Topic: Describes password cracking tools such as hashcat.
    • Tools: Provides descriptions of useful tools to test password security.

Hashcat 101

• Topic: Details about hashcat, a tool for cracking password hashes: the hash type is selected with -m (e.g. -m 0 for MD5), the attack mode with -a (-a 0 dictionary, -a 3 brute-force/mask), and masks are built from placeholders such as ?l (lowercase), ?u, ?d and ?s.
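To see what the -a 0 and -a 3 modes actually do, the block below is an added example (not hashcat's code and not from the slide) that reproduces the two attacks in miniature for -m 0 (raw MD5): a dictionary attack over a wordlist and a mask attack that expands `?l?l?l?l` the way hashcat's mask syntax does (`??` is a literal question mark, other bare characters are literals). Target hashes are computed from made-up passwords inside the block; ?a, ?b and the custom charsets ?1-?4 are omitted.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, List, Set

# Built-in placeholders as hashcat defines them (?s includes the space).
MASK_CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}


def md5_hex(plaintext: str) -> str:
    """hashcat -m 0: raw, unsalted MD5 of the candidate."""
    return hashlib.md5(plaintext.encode()).hexdigest()


def mask_positions(mask: str) -> List[str]:
    """Turn '?l?l?d' into one alphabet per position."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            positions.append("?" if key == "?" else MASK_CHARSETS[key])
            i += 2
        else:
            positions.append(mask[i])   # literal character
            i += 1
    return positions


def mask_candidates(mask: str) -> Iterator[str]:
    for combo in itertools.product(*mask_positions(mask)):
        yield "".join(combo)


def keyspace(mask: str) -> int:
    """Number of candidates the mask expands to (what --keyspace reports)."""
    n = 1
    for alphabet in mask_positions(mask):
        n *= len(alphabet)
    return n


def crack(targets: Set[str], candidates: Iterable[str]) -> Dict[str, str]:
    """Hash each candidate, match against the target set, stop once every
    target is recovered. Returns {hash: plaintext} for the cracked ones."""
    remaining, found = {h.lower() for h in targets}, {}
    for candidate in candidates:
        if not remaining:
            break
        digest = md5_hex(candidate)
        if digest in remaining:
            found[digest] = candidate
            remaining.discard(digest)
    return found


def dictionary_attack(targets: Set[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Equivalent of: hashcat -m 0 -a 0 hashes.txt wordlist.txt"""
    return crack(targets, wordlist)


def mask_attack(targets: Set[str], mask: str) -> Dict[str, str]:
    """Equivalent of: hashcat -m 0 -a 3 hashes.txt ?l?l?l?l"""
    return crack(targets, mask_candidates(mask))


if __name__ == "__main__":
    # Constructed targets and wordlist (stand-in for rockyou.txt).
    hashes = {md5_hex("password"), md5_hex("letmein"), md5_hex("zeta")}
    wordlist = ["123456", "password", "qwerty", "letmein"]
    print("dictionary:", dictionary_attack(hashes, wordlist))
    print("keyspace of ?l?l?l?l:", keyspace("?l?l?l?l"))
    print("mask      :", mask_attack(hashes, "?l?l?l?l"))
```

The real commands behind the two functions are `hashcat -m 0 -a 0 hashes.txt wordlist.txt` and `hashcat -m 0 -a 3 hashes.txt ?l?l?l?l`. The reason the 456,976-candidate mask finishes in under a second even in Python is that unsalted MD5 is cheap and a single hash check serves every target at once; storing passwords with a salted, slow hash (bcrypt, scrypt, Argon2) is what removes both advantages.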

    Which hash is it? hashid

    • Topic: Describes a tool that helps identify the type of hash that is being assessed.

    Attack on credentials

    • Topic: Explanation on the risks associated with storing credentials in clear text format.

    Password security

    • Topic: Shows how passwords can be cracked in different ways, alongside how they can be better protected.

    More about passwords

    • Topic: Details concerning password security and best practices to avoid vulnerabilities.

    Bibliography

    • Topic: List of various sources containing specific information and resources.

Description

This quiz covers security administration in computer systems, focusing on educating users about access control. The content includes information on cyber threats such as phishing and keyloggers, together with alarming statistics on credential theft. Learn how to protect yourself and improve the security of your information.