SQL Database Management

Questions and Answers

What is the purpose of pilot testing in software development?

To feed test data into two systems

To rerun a portion of a test scenario

To replace other testing methods

To evaluate a specific aspect of a system (correct)

What type of IDS stores attributes that characterize an attack for reference?

Inferent-based IDS

Statistical anomaly-based IDS

Signature-based IDS (correct)

Event-based IDS

What is regression testing used for?

To evaluate a specific aspect of a system

To feed test data into two systems

To test a new product feature

To rerun a portion of a test scenario (correct)

Who developed one of the first mathematical models of a multilevel-security computer system?

Bell and LaPadula

What is the main difference between parallel testing and regression testing?

Parallel testing involves feeding test data into two systems

What is proof of concept related to?

Pilot testing

What is the purpose of feeding test data into two systems?

To compare the results of two systems

What is the main purpose of regression testing?

To ensure that changes or corrections have not introduced new errors

Which access control model uses security clearance for subjects?

Mandatory access control

What is the primary difference between discretionary access control and mandatory access control?

The way access is controlled and enforced

Which protocol was used by the initial version of TACACS for communication between clients and servers?

UDP

What is the primary purpose of a TACACS authentication server?

To authenticate users and determine access

What is the default port used by TACACS?

Port 49

What is the relationship between TACACS and TCP?

TACACS uses either TCP or UDP

What is the name of the daemon that runs on the TACACS authentication server?

TACACSD

What is the RFC that defines TACACS?

RFC 1492

What is the purpose of the 'money' argument in the Data Definition Language?

To specify a format for storing salaries

What is the effect of the 'null' keyword in the Data Definition Language?

It allows a field to contain no value

What is the purpose of the DROP command in the Data Definition Language?

To remove entire database objects from the DBMS

What is the difference between the DROP command and the DELETE command?

DROP removes entire tables, while DELETE removes individual records

What is the purpose of the Data Manipulation Language (DML)?

To retrieve, insert, and modify database information

What is the purpose of the INSERT command in the Data Manipulation Language?

To add a new record to an existing table

What is the most commonly used command in SQL?

SELECT

What is the purpose of the SELECT command in the Data Manipulation Language?

To retrieve specific records from a table

What is the primary function of preventive technical controls?

To prevent unauthorized personnel or programs from gaining remote access to computing resources

What is an example of a technical control used to enforce access control policies?

Access control software

What is the primary purpose of synchronous dynamic password tokens?

To authenticate users

What type of control is a password considered?

Technical control

What is the purpose of a smart card?

To authenticate users

What is the primary purpose of antivirus software?

To detect malware

What is an example of a logical control?

Access control software

What is the purpose of dial-up access control and callback systems?

To prevent unauthorized remote access

What is the primary purpose of using banners at log-on time for external users?

To notify users of monitoring being conducted

What is an essential element of individual accountability?

Unique identifiers

What is the benefit of using a well-crafted logon banner?

Better legal standing

Which of the following is NOT an aspect of individual accountability?

Policies and procedures

What is the main objective of access control?

To provide timely access to authorized users

Which of the following is an additional access control objective?

Reliability and utility

What is the primary purpose of logon banners for anonymous or external users?

To notify users of monitoring being conducted

Which of the following is a key aspect of accountability?

Identifying individual users

What type of attack is an employee trying to protect against by ensuring all cables are shielded, building concrete walls, and installing a white noise generator?

Emanation Attacks

What is the term for an error that causes a system to be vulnerable due to its installation environment?

Environmental error

What is the primary purpose of shielding cables in a security setup?

To prevent emanation attacks

What is the term for the act of intercepting electrical signals that radiate from computing equipment?

Emanation attacks

What is the purpose of a white noise generator in a security setup?

To prevent emanation attacks

What is the name of the equipment used to prevent emanation attacks?

TEMPEST equipment

What is the purpose of building concrete walls that extend from the true floor to the true ceiling in a security setup?

To prevent emanation attacks

What is the primary purpose of degaussing a device or overwriting it multiple times?

To sanitize storage media

What is the primary limitation of white-box testing?

It has the potential to miss unimplemented parts of the specification

What is the primary difference between alpha testing and beta testing?

Alpha testing is performed by internal users, while beta testing is performed by external users

What is the primary purpose of pilot testing?

To provide a limited evaluation of the system

What is the primary characteristic of a proof of concept?

It is an early pilot test, usually on an interim platform and with only basic functionalities

What is the primary benefit of using white-box testing?

It can test paths within a unit, paths between units, and between subsystems

What is the primary purpose of beta testing?

To test the system in a real-world environment

What is the primary difference between unit testing and integration testing?

Unit testing is used for testing individual units, while integration testing is used for testing multiple units together

What is the primary benefit of using alpha testing?

It identifies defects early in the development process

What is the primary purpose of using banners at log-on time for external users?

To notify external users of any monitoring that is being conducted

What is the benefit of using a well-crafted logon banner?

It gives a legal stand and makes it obvious to users who should access the system

Which of the following is NOT an aspect of individual accountability?

Policies and procedures

What is the main objective of access control?

To assure that a system's authorized users have timely and uninterrupted access to the information in the system

Which of the following is an additional access control objective?

Reliability and utility

What is the primary purpose of logon banners for anonymous or external users?

To notify external users of any monitoring that is being conducted

What is an essential element of individual accountability?

Unique identifiers

Which of the following is a key aspect of accountability?

Unique identifiers

What is the primary focus of access control mechanisms?

Supporting the mission of the organization

What is the main objective of Business Impact Analysis (BIA)?

Supporting the mission of the organization

What is the primary concern in a highly secure environment where data at high classifications cannot be leaked to subjects at lower classifications?

Identification of potential covert channels

Which model would an Information Security Professional recommend for a highly secure environment where data at high classifications cannot be leaked to subjects at lower classifications?

Information Flow Model combined with Bell Lapadula

What is the primary purpose of access control mechanisms?

To control access to information

What is the primary concern in planning and implementing access control mechanisms?

All of the above

What is the primary objective of Business Impact Analysis (BIA)?

To support the mission of the organization

What is the primary purpose of access control mechanisms in a highly secure environment?

To control access to information

What is the security flaw that occurs when two or more processes use the same resource and the sequence of steps within the software can be carried out in an improper order?

Race condition

What is the process of intercepting and examining messages to deduce information from patterns in communication?

Traffic analysis

What is the term for secretly listening to private conversations of others without their consent?

Eavesdropping

What is the result of carrying out processes in an improper sequence in software development?

Drastically affected output

What is the goal of an attacker who exploits a race condition in software?

To force the authorization step to take place before the authentication step

What is the term for the process of intercepting and examining messages to infer information?

Traffic analysis

What is the consequence of carrying out processes in a correct sequence in software development?

Improved security

What is the main difference between the correct and incorrect sequence of processes in software development?

Output is drastically affected

In a DAC system, who decides who has access to a file?

The file owner

What is the main characteristic of Discretionary Access Control (DAC)?

Access is based on the discretion of the owner

In synchronous dynamic password tokens, what is generated at fixed time intervals?

A unique password value

What is the role of the owner in a DAC system?

To specify which subjects can access specific resources

What is the primary purpose of synchronous dynamic password tokens?

To provide one-time passwords

In a DAC system, who can be made the owner of files and resources?

Specific individuals, such as department managers

What is an access control matrix used for in a DAC system?

To store an identifier for the file owner

What is the main advantage of using DAC?

It provides flexible access control

In biometric identification systems, what parts of the body are conveniently available for identification when people are fully clothed?

hands, face, and eyes

What is the access control model also known as Non Discretionary Access Control (NDAC)?

Role-based access control

In Mandatory Access Control (MAC), what is used to specify the sensitivity of objects and the categories they belong to?

Labels

What is the primary data access control decision that an organization must make?

The level of control given to system and data owners

What is the main difference between Discretionary Access Control (DAC) and Mandatory Access Control (MAC)?

DAC gives control to system owners, while MAC uses sensitivity labels

What is the primary function of a TACACS authentication server?

To authenticate clients and authorize access

What is the relationship between TACACS and TCP?

TACACS is a protocol used on top of TCP

What is the name of the daemon that runs on the TACACS authentication server?

tac_plus

What is the primary function of a view in a database?

To provide a virtual table composed of a query result set

What is the main advantage of using views in a database?

They provide a simple way to subset and simplify complex data

What happens to the data in a view when the underlying table is changed?

The data in the view is updated accordingly

What is a key difference between a view and a physical table?

A table is physical, while a view is virtual

How much space does a view take up in a database?

Very little space, as it only stores the definition

What is one advantage of using views in terms of security?

They provide an additional layer of security by hiding complex data

What is an example of how a view can simplify complex data?

By creating a virtual table that appears as 'Sales2000' or 'Sales2001'

What is the primary purpose of the SELECT command in the example query?

To retrieve specific data from multiple tables

What is the primary purpose of Directive Access Control?

To specify rules of acceptable behavior

Which type of access control is used to prevent a security incident or information breach?

Preventive Access Control

What is the primary purpose of Detective Access Control?

To detect and respond to security incidents

What type of access control is used to remedy a circumstance, mitigate damage, or restore control?

Corrective Access Control

What is the primary purpose of Compensating Access Control?

To substitute for the loss of a primary control or add additional mitigation

What type of access control is used to restore conditions to normal after a security incident?

Recovery Access Control

Which of the following is an example of a Directive Access Control?

A policy stating that employees may not use Facebook

What is the primary purpose of access control categories?

To shape employee behavior to better maintain an environment that supports business objectives

What is the main objective of strong authentication?

To use two factors from different categories

What is the purpose of a database view?

To retrieve the results of a query

What is relational algebra used for?

To operate on relational databases

What is the purpose of mandatory access control?

To enforce a set of rules for access control

What is the primary purpose of access control?

To authorize access to resources

What is the difference between discretionary access control and mandatory access control?

Discretionary access control is more flexible

What is the purpose of a lattice-based access control model?

To enforce a hierarchical access control model

What is the primary purpose of role-based access control?

To limit access based on user role

What is the primary purpose of preventive physical controls?

To prevent unauthorized personnel from entering computing facilities

Which of the following is an example of a preventive administrative control?

Security awareness and technical training

What is the primary purpose of backup files and documentation?

To ensure business continuity

What is the purpose of site selection in preventive physical controls?

To select a safe location for computing facilities

What is the primary purpose of double door systems in preventive physical controls?

To prevent unauthorized access

What is the primary purpose of security guards in preventive physical controls?

To prevent unauthorized access

What is the primary purpose of badge systems in preventive physical controls?

To control access to computing facilities

What is the primary purpose of fences in preventive physical controls?

To prevent unauthorized access to computing facilities

What is the primary characteristic of a limited RBAC system?

Roles are defined within an application and not necessarily based on the user's organizational job function

What is the primary characteristic of mandatory access control?

Controlling access based on security clearance

What is the key difference between Hybrid RBAC and Full RBAC?

Hybrid RBAC uses a role that is applied to multiple applications or systems, while Full RBAC uses a role defined by the organization's policy

What is the primary purpose of Full RBAC?

To apply permissions based on the organization's policy and access control infrastructure

What protocol was used by the initial version of TACACS for communication between clients and servers?

UDP

What is the main difference between Mandatory Access Control (MAC) and Role-Based Access Control (RBAC)?

MAC is based on the sensitivity of the object and uses categories to implement the need to know, while RBAC is based on the user's role within the organization

What is the primary function of a TACACS authentication server?

To authenticate user requests

What is a key characteristic of Hybrid RBAC?

Roles are applied to multiple applications or systems based on a user's specific role within the organization, and may also be assigned solely within specific applications

What is the default port used by TACACS?

49

What is the primary benefit of using Role-Based Access Control (RBAC)?

It simplifies the management of access control by assigning roles to users

What is the relationship between TACACS and TCP?

TACACS uses TCP for communication

What is the main difference between Limited RBAC and Full RBAC in terms of where roles are defined?

In Limited RBAC, roles are defined within an application, while in Full RBAC, roles are defined by the organization's policy

What is the name of the daemon that runs on a TACACS authentication server?

TACACSD

What is the RFC that defines TACACS?

RFC 1492

What is the primary purpose of attribute certificates?

To store user attributes

What is the primary purpose of a mobile communications service provider customizing the mobile terminal client distribution?

To include one or more root certificates with associated capabilities or permissions

What is the purpose of a developer acquiring a certificate from a commercial Certificate Authority (CA)?

To validate their identity and obtain a certificate to sign their software

What is the advantage of separating the identity and authorization certificates?

To improve key management and recovery from errant software

What is typically done to the software submitted by a developer before generating an authorization certificate?

It is tested or profiled by the processor

What is the purpose of the 'install and execute' capability in a root certificate?

To allow developers to install and execute their software

What is the purpose of validating a developer's identity through out-of-band mechanisms?

To verify the developer's identity and issue a certificate

What is the purpose of an ephemeral asymmetric key-pair in the software distribution process?

To sign the software as the last step of preparation for distribution

What is the benefit of customizing the mobile terminal client distribution with root certificates?

It enables service providers to control and manage access to the mobile phone operating system

What is a masquerade attack?

An attack that uses a fake identity to gain unauthorized access to personal computer information

What determines the amount of access a masquerade attacker gets?

The level of authorization they've managed to attain

What is the purpose of a security model like Bell-LaPadula?

To apply specific rules to control how the subject-to-object interactions take place

What type of security system is the Bell-LaPadula model?

Multilevel security system

When can a masquerade attack be triggered?

By someone within the organization or by an outsider if the organization is connected to a public network

What is the result of a masquerade attack if the attacker gains the highest access authority?

They have a full smorgasbord of cybercrime opportunities

What is the purpose of the authorization process in a system?

To control how the subject-to-object interactions take place

What is the difference between a masquerade attack and a personal attack?

A personal attack is less common but still harmful

What is the primary function of a Host-Based Intrusion Detection System (HIDS)?

To monitor system and event logs

Why is it important to have both NIDS and HIDS on critical servers?

To detect patterns of attacks on both network and host levels

What is NOT a security characteristic to consider when choosing a biometric identification system?

Cost

What is the main difference between a HIDS and a NIDS?

A HIDS monitors system logs, while a NIDS monitors network traffic

What is the primary objective of using a HIDS?

To detect and prevent attacks on a host

What is monitored by a HIDS?

Dynamic behavior and state of a computer system

What is the purpose of a HIDS in relation to security policy?

To detect circumvention of security policy

What is the benefit of having both NIDS and HIDS on critical servers?

To provide comprehensive security coverage

What is the primary purpose of views in databases?

To provide abstraction and security

What type of attack involves using a fake identity to gain unauthorized access to personal computer information?

Masquerade attack

What is a characteristic of rows in a view?

They are not ordered

What is the difference between black-box testing and white-box testing?

White-box testing tests internal structures, while black-box testing tests functionality

What is the primary goal of a masquerade attack?

To gain unauthorized access to personal computer information

In which security model is the subject's clearance compared to the object's classification?

Bell-LaPadula model

What is the purpose of normalization in databases?

To organize data to minimize data redundancy

What is the main advantage of using views in databases?

They provide abstraction and security

What is the main characteristic of the Bell-LaPadula model?

It uses a multilevel security system

Who developed the Bell-LaPadula model?

US Military

What is the primary purpose of a view in a database?

To provide abstraction and security

What is the primary purpose of the Data Definition Language (DDL)?

To create, modify, and delete views and relations in a database

What is the primary limitation of a masquerade attack?

The amount of access the attacker can gain

What is a common use of views in databases?

To make it easier to create lossless join decomposition

What is the primary purpose of a database administrator using DDL commands?

To create and modify database structures

What is the primary benefit of a masquerade attack?

It allows the attacker to gain full access to the system

What is the relationship between views and tables?

A view is a relational table

What is the main difference between the CREATE and DROP commands in DDL?

CREATE is used to create database objects, while DROP is used to delete database objects

What access control model is based on a lattice structure?

Bell-LaPadula model

What is the primary motivation behind a masquerade attack?

To gain unauthorized access to personal computer information

What is the purpose of the least upper bound in the Bell-LaPadula model?

To determine the highest level of access a user can have to a file

What is the star property in the Bell-LaPadula model?

A user's least upper bound access is 'READ', and their least lower bound is 'NO WRITE'

What is the main difference between the Bell-LaPadula model and Role-Based Access Control (RBAC)?

Bell-LaPadula is based on a lattice structure, while RBAC is based on roles

What is the primary purpose of the Data Manipulation Language (DML)?

To perform data manipulation operations

What is an example of something you do that involves strong authentication?

Typing text on your keyboard

What type of access control technique is NOT included in the common techniques?

Relevant Access Controls

What operations are used to define a database view?

Join, Project, and Select

What is the term for a single entry in a relational database?

Tuple

What is the primary function of Mandatory Access Control?

To provide access based on security clearance

What is the primary difference between Discretionary Access Control and Mandatory Access Control?

DAC is based on user identity, MAC is based on security clearance

What is the term for the mathematics underlying SQL operations?

Relational Algebra

What is the purpose of a database view?

To present the result of a query

What type of controls are also known as logical controls and can be built into the operating system, be software applications, or can be supplemental hardware/software units?

Preventive/Technical Pairing

What best describes a scenario where a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill?

Excessive Privileges

What information do sensitivity labels attached to objects contain in Mandatory Access Control?

The item's classification and category set

What is the primary purpose of technical controls such as encryption and access control?

To prevent security breaches

What is an example of a logical control used to enforce access control policies?

Access control lists

What is the primary purpose of antivirus software?

To prevent security breaches

What is an example of a physical control used to enforce access control policies?

Shielded cables

What is the primary purpose of logon banners for external users?

To inform users of their responsibilities

What is the primary purpose of synchronous dynamic password tokens?

To generate a new password value at fixed time intervals

What type of control is a password considered?

Preventive technical control

What is the primary purpose of preventive technical controls?

To prevent unauthorized access

What is an example of a technical control used to enforce access control policies?

Access control software

What is the primary purpose of antivirus software?

To prevent virus attacks

What is the primary purpose of dial-up access control and callback systems?

To prevent unauthorized access

What is the primary purpose of logon banners for external users?

To notify users of legal responsibilities

What is the primary objective of access control?

To prevent unauthorized access

What is the main focus of a Business Impact Analysis (BIA)?

Supporting the mission of the organization

Which model would you recommend to a client looking to identify potential covert channels in a highly secure environment?

Information Flow Model combined with Bell Lapadula

What is the primary concern of the client in the highly secure environment?

Identification of potential covert channels

What is the purpose of an access control policy?

To control access to information and personnel

What is the term for the act of intercepting electrical signals that radiate from computing equipment?

Emanation

What is the primary purpose of degaussing a device or overwriting it multiple times?

To delete sensitive data

What is the primary purpose of building concrete walls in a security setup?

To prevent emanation attacks

What is the main objective of access control?

To prevent unauthorized access

What is the primary goal of a noninterference model in information security?

To minimize leakages that may happen through covert channels

What is the main limitation of access control lists in file systems?

They do not control how the data is used afterwards

What is the primary purpose of assigning security levels to variables in low-level information flow analysis?

To control the flow of information between variables

What is the main difference between publicly observable information and secret information?

Publicly observable information is assigned a low security level, while secret information is assigned a high security level

What is the primary benefit of using a lattice model to represent security levels?

It allows information to flow only upwards in the lattice

What is the primary goal of cryptography in information security?

To exchange information privately across a non-secure channel

What is the main limitation of firewalls in information security?

They provide no guarantees about information propagation

What is the primary purpose of restricting flows to high variables in information security?

To ensure confidentiality by restricting flows to high variables

What is the primary goal of the Biba Integrity Model?

Prevent data modification by unauthorized parties

What is the key principle of the Biba model?

no read down, no write up

What is a key limitation of the Bell-LaPadula model?

It only addresses data confidentiality

What is the relationship between a subject's integrity level and their ability to create content?

Subjects can only create content at or below their own integrity level

What is the main difference between the Biba model and the Clark-Wilson model?

The Biba model only addresses the first goal of data integrity

What is the purpose of the Biba model?

To ensure data integrity

What is the main goal of the Biba model in terms of data modification?

Prevent data modification by unauthorized parties

What is the relationship between a subject's integrity level and their ability to view content?

Subjects can only view content at or above their own integrity level

What is the primary function of a Host-Based Intrusion Detection System (HIDS)?

To monitor system and event logs for signs of attack

Why is it important to have both NIDS and HIDS on a critical server?

To ensure that the server is protected from both network and host-based attacks

What is a key benefit of using a HIDS?

It can detect attacks that a NIDS might miss

What is NOT a security characteristic to consider when choosing a biometric identification system?

Cost

What is the primary purpose of a biometric system's enrollment process?

To capture and store user biometric data

What is a key advantage of using a HIDS over a NIDS?

A HIDS can detect attacks that a NIDS might miss

What type of control is a password considered?

Logical control

What is the primary purpose of a bastion host?

To provide an additional layer of security for a critical server

What is the purpose of acquiring a certificate from a commercial CA in a mobile software deployment?

To verify the developer's identity

What is the benefit of separating identity and authorization certificates?

Improved risk mitigation

What is the purpose of an ephemeral asymmetric key-pair in mobile software deployment?

To sign the software for distribution

What is the primary advantage of customizing the mobile terminal client distribution?

Improved security

What is the purpose of submitting the software to a processor before distribution?

To test or profile the content

What is the purpose of an identity certificate in mobile software deployment?

To verify the developer's identity

What is the main focus of the Bell-LaPadula model?

Data confidentiality

What is the primary purpose of a root certificate in mobile software deployment?

To associate with a set of capabilities or permissions

What is the Bell-LaPadula model based on?

A state machine model

What is the purpose of security labels in the Bell-LaPadula model?

To classify data based on sensitivity

What is the primary benefit of vetting developers or publishers in mobile software deployment?

Improved security

What is the goal of the Bell-LaPadula model's state transition?

To ensure each state transition preserves security

Who developed the Bell-LaPadula model?

David Elliott Bell and Leonard J. LaPadula

What is the primary difference between the Bell-LaPadula model and the Biba Integrity Model?

The Bell-LaPadula model focuses on data confidentiality, while the Biba Integrity Model focuses on data integrity

What is a 'secure state' in the Bell-LaPadula model?

A state where access modes of subjects to objects are in accordance with a security policy

What is the purpose of transition functions in the Bell-LaPadula model?

To define the transition from one state to another

What is the primary goal of the Biba Integrity Model?

Prevent data modification by unauthorized parties

What is the main difference between the Biba Model and the Bell-LaPadula model?

The Biba Model addresses integrity, while Bell-LaPadula addresses confidentiality

In the Biba Model, what is the rule for users creating content?

Users can create content at or below their own integrity level

What is the phrase characterized by the Biba Model?

No read down, no write up

What is the primary goal of the Clark-Wilson model, in contrast to the Biba Model?

To address all three goals of integrity

In the Biba Model, what is the rule for users viewing content?

Users can view content at or above their own integrity level

What is the main purpose of the Biba Integrity Model?

To ensure data integrity

What is the relationship between the Biba Model and boolean policies?

The Biba Model is one type of boolean policy

What is the primary purpose of the Simple Integrity Axiom?

To prevent a subject from reading an object at a lower integrity level

What is the principle behind the * (star) Integrity Axiom?

No write up

What is the primary characteristic of Lattice-Based Access Control (LBAC)?

It is a mandatory access control model

In LBAC, what determines the security level of an object?

The meet of the levels of the subjects accessing the object

What is the purpose of the lattice structure in LBAC?

To define the levels of security for subjects and objects

What is the result of combining two objects, X and Y, in LBAC?

A new object with the join of the security levels of X and Y

What is the analogy used to explain the concept of integrity in the Biba model?

The military chain of command

What is the primary difference between the Biba model and the Bell-LaPadula model?

The Biba model is based on integrity, while the Bell-LaPadula model is based on confidentiality

Study Notes

Data Definition Language (DDL)

• The DROP command is used to remove entire database objects from a DBMS.
• DROP TABLE command is used to remove a specific table, and DROP DATABASE command is used to remove an entire database.

Data Manipulation Language (DML)

• The INSERT command is used to add records to an existing table.
• The SELECT command is the most commonly used command in SQL, used to retrieve data from a database.

Intrusion Detection System (IDS)

• An IDS stores attributes of an attack for reference using a signature-based IDS.

Access Control Models

• Mandatory access control (MAC) requires security clearance for subjects, where authorization is dependent on labels indicating the subject's clearance.

Terminal Access Controller Access Control System (TACACS)

• The original TACACS used UDP transport, while the extended version uses TCP.
• TACACS allows a client to send a username and password to a TACACS authentication server, which verifies the authentication request.

Authentication

• Synchronous dynamic password tokens generate a new password value at fixed time intervals, which is entered along with a PIN for authentication.

Access Control Policies

• Preventive/technical pairing uses technology to enforce access control policies, including technical controls such as access control software, antivirus software, and encryption.

Accountability

• Accountability includes unique identifiers, access rules, and audit trails, but not policies and procedures.

Emanation Attacks and Security Measures

• Emanation attacks involve intercepting electrical signals that radiate from computing equipment.
• Countermeasures include:
  • Shielding cabling
  • Using white noise generators
  • Implementing control zones
  • Using TEMPEST equipment (a Faraday cage around the equipment)

Error Types and Testing

• Environmental error: an error that causes a system to be vulnerable due to the environment in which it is installed.
• White-box testing: a method of test design that uses internal perspectives of the system and programming skills to design test cases.
• Alpha testing: an early version of the application system submitted to internal users for testing.
• Beta testing: a form of user acceptance testing that involves a limited number of external users.

Accountability and Access Control

• Individual accountability includes:
  • Unique identifiers
  • Access rules
  • Audit trails
• But does not include policies and procedures.
• Additional access control objectives include:
  • Reliability
  • Utility

Business Impact Analysis

• Business Impact Analysis (BIA) is about supporting the mission of the organization.
• BIA is not about technology or risk assessment.

Information Security Models

• The Information Flow Model combined with Bell-LaPadula is recommended for a highly secure environment where data at high classifications cannot be leaked to subjects at lower classifications.
• This model is concerned with the identification of potential covert channels.

Biometric Identification Systems

• In biometric identification systems, conveniently available parts of the body for identification are hands, face, and eyes.
• This is because most identity authentication takes place when people are fully clothed (neck to feet and wrists).

Access Control Models

• Role-Based Access Control (RBAC) is also called Non-Discretionary Access Control (NDAC).
• RBAC is sometimes referred to as Rule-Based Access Control (RuBAC).
• Mandatory Access Control (MAC) makes use of Labels, which contain the sensitivity of objects and the categories they belong to.
• No labels means MAC is not being used.

Database Access Control

• A view is a virtual or logical table composed of the result set of a query.
• Views can:
  • Subset the data contained in a table
  • Join and simplify multiple tables into a single virtual table
  • Act as aggregated tables, where aggregated data is calculated and presented
  • Hide the complexity of data
  • Take very little space to store; only the definition is stored, not a copy of all the data they present
  • Provide extra security depending on the SQL engine used

Discretionary Access Control (DAC)

• DAC is suitable for low-level security environments.
• The owner of the file decides who has access to the file.
• Ownership might also be granted to a specific individual, such as a department manager.
• DAC enables the owner of the resource to specify which subjects can access specific resources.

Synchronous Dynamic Password Tokens

• In Synchronous dynamic password tokens, the token generates a new password value at fixed time intervals, based on the time of day encrypted with a secret key.

Access Control Categories

• Access Control Categories include:
  • Directive: specifies rules of acceptable behavior
  • Deterrent: designed to discourage people from violating security directives
  • Preventive: implemented to prevent a security incident or information breach
  • Detective: used to mitigate the loss
  • Compensating: substitutes for the loss of a primary control or adds additional mitigation
  • Corrective: remedies circumstances, mitigates damage, or restores control
  • Recovery: restores conditions to normal after a security incident

Access Control Techniques

• Access Control Techniques include:
  • Discretionary Access Control
  • Mandatory Access Control
  • Lattice-Based Access Control
  • Rule-Based Access Control
  • Role-Based Access Control

Access Control Models

• Limited RBAC: Users can access non-RBAC-based applications or data, and have direct access to another application or system independent of their assigned role.
• Hybrid RBAC: Introduces a role applied to multiple applications or systems based on a user's specific role within the organization.
• Full RBAC: Controlled by roles defined by the organization's policy and access control infrastructure, applied to applications and systems across the enterprise.

Mandatory Access Control (MAC)

• Requires security clearance for subjects.
• Authorization of a subject's access to an object is dependant upon labels, which indicate the subject's clearance.
• Uses labels to indicate the sensitivity of the object and categories to implement the need to know.

Other Access Control Models

• Identity-based access control: a type of discretionary access control.
• Role-based access control: a type of non-discretionary access control.

TACACS

• Original TACACS used UDP transport.
• Extended in the early 1990s to include additional functionality and changed to TCP transport.
• Uses port 49 by default.

Preventive Controls

• Preventive physical controls: prevent unauthorized personnel from entering computing facilities and protect against natural disasters.
  • Examples: Backup files and documentation, Fences, Security guards, Badge systems, Double door systems, Locks and keys, Backup power, Biometric access controls, Site selection, Fire extinguishers.
• Preventive administrative controls: personnel-oriented techniques for controlling people's behavior to ensure confidentiality, integrity, and availability of computing data and programs.
  • Examples: Security awareness and technical training, Separation of duties, Procedures for recruiting and terminating employees, Security policies and procedures, Supervision, Disaster recovery, Contingency and emergency plans, User registration for computer access.

Masquerade Attacks

• An attack that uses a fake identity to gain unauthorized access to personal computer information through legitimate access identification.
• Can be perpetrated using stolen passwords and logons, by locating gaps in programs, or by finding a way around the authentication process.

Bell-LaPadula Model

• A security model where the subject's clearance is compared to the object's classification, and specific rules are applied to control how the subject-to-object interactions take place.
• Developed by the US Military in the 1970s.
• Also called a multilevel security system because users with different clearances use the system and the system processes data with different classifications.

Host-Based Intrusion Detection Systems (HIDS)

• A HIDS monitors the system and event logs to detect an attack on the host and determine if the attack was successful.
• Critical servers should have a HIDS installed.
• HIDS can detect patterns of attacks within encrypted traffic after decryption on the host.
• HIDS monitors all or part of the dynamic behavior and state of a computer system.
• HIDS detects which program accesses what resources and assures that a program hasn't suddenly modified the system password database.
• HIDS checks the state of a system, stored information, and ensures that the contents appear as expected.

Biometric Identification Systems

• Data acquisition process is a security characteristic to consider when choosing a biometric identification system.
• Enrollment process is a security characteristic to consider when choosing a biometric identification system.
• Speed and user interface are security characteristics to consider when choosing a biometric identification system.
• Cost is not a security characteristic when choosing a biometric identification system.

Access Control Models

• Bell-LaPadula model compares the subject's clearance to the object's classification to apply specific rules to control subject-to-object interactions.
• In the Bell-LaPadula model, the subject's clearance is compared to the object's classification, and specific rules are applied to control interactions.
• The Bell-LaPadula model is a multilevel security system that processes data with different classifications.

Database Management Systems

• SQL Data Definition Language (DDL) is used to create, modify, and delete views and relations (tables) in a database.
• DDL commands are used primarily by database administrators during setup and removal phases of a database project.
• Views are used to create abstraction, and they can make it easier to create lossless join decomposition.
• Views are relational tables, and the relational model states that a table is a set of rows, which means the rows in a view are not ordered.

Software Testing Methods

• White-box testing (also known as clear box testing, glass box testing, transparent box testing, or structural testing) examines the internal structure or workings of an application.
• White-box testing is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality.

Security Models

• Masquerade attacks use a fake identity to gain unauthorized access to personal computer information through legitimate access identification.
• Masquerade attacks can be perpetrated using stolen passwords and logons, by locating gaps in programs, or by finding a way around the authentication process.

Access Control Techniques

• Access Control techniques include Discretionary Access Control, Mandatory Access Control, Lattice-Based Access Control, Rule-Based Access Control, and Role-Based Access Control.
• Relevant Access Controls is not an Access Control technique.

Database Views

• A database view is the result of Join, Project, and Select operations.
• Relational algebra operations include Select, Project, Union, Difference, and Product, which can be used to build relations and operate on data.

Technical Controls and Access Control

• Technical controls, also known as logical controls, can be built into the operating system, software applications, or supplemental hardware/software units.
• Preventive technical controls are used to prevent unauthorized personnel or programs from gaining remote access to computing resources.
• Examples of technical controls include access control software, antivirus software, library control systems, passwords, smart cards, encryption, dial-up access control, and callback systems.

Excessive Privileges

• Excessive privileges occur when a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill.

Mandatory Access Control

• In Mandatory Access Control, sensitivity labels attached to objects contain the item's classification and category set.

Access Control Policies

• The preventive/technical pairing uses technology to enforce access control policies.
• Technical controls are sometimes referred to as logical controls.
• Three things that must be considered for the planning and implementation of access control mechanisms are the threats to the system, the system's vulnerability to these threats, and the risk that the threat may materialize.

Business Impact Analysis (BIA)

• Business Impact Analysis (BIA) is about supporting the mission of the organization.
• BIA is not about technology.

Information Security Models

• The Information Flow Model combined with Bell-Lapadula is recommended for a highly secure environment where data at high classifications cannot be leaked to subjects at lower classifications.
• The Biba Model or Biba Integrity Model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity.
• The Biba Model focuses on data integrity and is characterized by the phrase: "no read down, no write up".
• Noninterference Models help minimize damage from covert channels by maintaining activities at different security levels to separate these levels from each other.

Host-Based Intrusion Detection Systems (HIDS)

• A HIDS is a system that monitors the dynamic behavior and state of a computer system to detect attacks and determine if they were successful.
• It reviews system and event logs to detect patterns of attacks, including those within encrypted traffic.
• Critical servers should have both NIDS and HIDS for comprehensive security.
• A HIDS monitors which programs access resources and ensures that they do not modify the system in unexpected ways.
• It also checks the state of a system, its stored information, and ensures that it appears as expected.

Biometric Identification Systems

• Security characteristics to consider when choosing a biometric identification system include:
  • Data acquisition process
  • Enrollment process
  • Speed and user interface
• Cost is not a security characteristic, but rather a factor to consider when choosing a biometric system.

Bell-LaPadula Model

• A formal state machine model used for enforcing access control in government and military applications.
• It focuses on data confidentiality and controlled access to classified information.
• Security labels range from most sensitive (e.g. "Top Secret") to least sensitive (e.g. "Unclassified" or "Public").
• The model ensures that each state transition preserves security by moving from secure state to secure state.

Biba Integrity Model

• A formal state transition system that describes a set of access control rules designed to ensure data integrity.
• Data and subjects are grouped into ordered levels of integrity.
• The model is designed to prevent data modification by unauthorized parties and maintain internal and external consistency.
• It is characterized by the phrase "no read down, no write up".
• The model defines two security rules:
  • The Simple Integrity Axiom: a subject at a given level of integrity must not read an object at a lower integrity level.
  • The * (star) Integrity Axiom: a subject at a given level of integrity must not write to any object at a higher level of integrity.

Lattice Model

• A complex access control model based on the interaction between objects and subjects.
• It uses a lattice to define the levels of security that an object may have and that a subject may have access to.
• The subject is only allowed to access an object if the security level of the subject is greater than or equal to that of the object.
• The security level access may be expressed in terms of the lattice (a partial order set) where each object and subject have a greatest lower bound (meet) and least upper bound (join) of access rights.

Description

This quiz covers SQL commands for creating and managing database tables, including the use of the DROP command to remove database objects.