
Zishan Sir's Zee-Tech Academy
Security in Computing
UNIT-2
Q1. What is cryptography? Explain various terms related to it.

Cryptography is the art and science of achieving security by encoding messages to make them non-readable. Following diagram shows the overview of cryptography:

The combination of cryptography and cryptanalysis is called cryptology.

Cryptographers: People who indulge in cryptography are known as cryptographers.
Cryptanalysis: The art or science of decrypting a cipher text without knowing the authorized key is known as cryptanalysis.
Cryptanalysts: People who indulge in cryptanalysis.

Following are various terms related to cryptography:

Plain Text: It signifies the message that can be understood by sender, recipient and also by anyone else. It is also called clear text.
Cipher Text: When the plain text message is codified using any suitable scheme, the resulting message is called cipher text.
Encryption: The process of converting plaintext into ciphertext using an appropriate key.
Decryption: The process of converting ciphertext into plaintext using an appropriate key.
Key: It is the object used to encrypt the plaintext.

Q2. Explain Symmetric Key Cryptography with diagram.

Symmetric Key Cryptography
Symmetric Key Cryptography is referred to by various terms such as secret key cryptography or private key cryptography.
In this, one key is used, and the same key is used for both encryption and decryption of messages.
Both the parties must agree upon the key before any transmission begins and nobody else should know about it. Below diagram shows working of symmetric key cryptography.
At sender (A) end the plaintext is converted into ciphertext form. At receiver (B) end the same key is used to decrypt the encrypted message.

Symmetric Key Cryptography has a few problems as follows:
The first problem is key agreement or key distribution.
The second problem is more serious since the same key is used for encryption as well as decryption.

Suppose A wants to securely communicate with B and also with C.

Then there must be one key for all communication between A and B and there must be another distinct key for all communications between A and C.

The same key as used by A and B cannot be used for communication between A and C.

Otherwise there is a chance that C can interpret messages going between A and B, or B can do the same for messages going between A and C.

Disadvantages of symmetric key:
A symmetric-key algorithm has two major disadvantages.
Each pair of users must have a unique symmetric key.
This means that if N people in the world want to use this method, there need to be N(N-1)/2 symmetric keys.
For example, for 1 thousand people to communicate, 1000*999/2 = 4,99,500 (4 lacs 99 thousand and five hundred) symmetric keys are needed.
The distribution of the keys between two parties can be difficult.
The sender needs to exchange the key with the receiver. It may be hijacked in between.

Q3. Compare Symmetric versus Asymmetric key cryptography.

Q4. What is authentication? Explain types of authentication in detail.

Authentication:

Authentication is about validating your credentials like User Name/User ID and password to verify your identity.

The system determines whether you are what you say you are using your credentials.

In public and private networks, the system authenticates the user identity via login passwords.

Authentication is usually done by a username and password, and sometimes in conjunction with factors of authentication, which refers to the various ways to be authenticated.

Authentication factors determine the various elements the system uses to verify one's identity prior to granting him access to anything from accessing a file to requesting a bank transaction.
A user's identity can be determined by what he knows, what he has, or what he is.

When it comes to security, at least two or all three authentication factors must be verified in order to grant someone access to the system.

Based on the security level, the authentication factor can vary from one of the following:

Single-Factor Authentication:
• It's the simplest authentication method which commonly relies on a simple password to grant user access to a particular system such as a website or a network.
• The person can request access to the system using only one of the credentials to verify his identity.
• The most common example of a single-factor authentication would be login credentials which only require a password against a username.

Two-Factor Authentication:
• It is a two-step verification process which not only requires a username and password, but also something only the user knows, to ensure an additional level of security, such as an ATM pin, which only the user knows.
• Using a username and password along with an additional piece of confidential information makes it virtually impossible for fraudsters to steal valuable data.

Multi-Factor Authentication:
• It's the most advanced method of authentication which uses two or more levels of security from independent categories of authentication to grant user access to the system.
• All the factors should be independent of each other to eliminate any vulnerability in the system.
• Financial organizations, banks, and law enforcement agencies use multiple-factor authentication to safeguard their data and applications from potential threats.
For example, when you enter your ATM card into the ATM machine, the machine asks you to enter your pin. After you enter the pin correctly, the bank then confirms your identity: that the card really belongs to you and you're the rightful owner of the card. By validating your ATM card pin, the bank actually verifies your identity, which is called authentication. It merely identifies who you are, nothing else.

Q5. What is Authentication? Explain concept of Kerberos in detail.

Authentication:

Authentication is the process of determining whether someone or something is, in fact, who or what it declares itself to be.
Authentication technology provides access control for systems by checking to see if a user's credentials match the credentials in a database of authorized users or in a data authentication server.
Users are usually identified with a user ID, and authentication is accomplished when the user provides a credential, for example a password, that matches with that user ID.

Basic steps to be taken to authenticate in a Kerberos environment:
1. Client requests an authentication ticket (TGT) from the Key Distribution Center (KDC)
2. The KDC verifies the credentials and sends back an encrypted TGT and session key
3. The TGT is encrypted using the Ticket Granting Service (TGS) secret key
4. The client stores the TGT and when it expires the local session manager will request another TGT (this process is transparent to the user)

If the Client is requesting access to a service or other resource on the network, this is the process:
5. The client sends the current TGT to the TGS with the Service Principal Name (SPN) of the resource the client wants to access
6. The KDC verifies the TGT of the user and that the user has access to the service
7. TGS sends a valid session key for the service to the client
8. Client forwards the session key to the service to prove the user has access, and the service grants access.
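As an added illustration of the eight steps above (not code from the notes), the following Python simulation plays the client, the KDC and the service in turn. It assumes a toy HMAC-based encryption in place of Kerberos' real ciphers, a constructed realm with users alice and bob and one service principal, and it leaves out timestamps and ticket lifetimes.

```python
"""Simulation of the eight Kerberos steps above: a KDC hosting the AS and the
TGS, a client, and one service. Toy authenticated encryption from HMAC stands
in for Kerberos' ciphers; timestamps and ticket lifetimes are left out."""
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    plaintext = json.dumps(obj).encode()
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # toy string-to-key function


class KDC:
    """Knows every principal's long-term key (including the TGS key "krbtgt")
    and which users may use which service principal name (SPN)."""

    def __init__(self, principals: dict, acl: dict):
        self.keys = principals
        self.acl = acl

    def as_exchange(self, user: str) -> tuple:
        """Steps 1-3: return a TGT sealed with the TGS key plus the session key
        sealed with the user's key; only the right password opens the latter."""
        session_key = secrets.token_bytes(32)
        tgt = encrypt(self.keys["krbtgt"], {"user": user, "key": session_key.hex()})
        return tgt, encrypt(self.keys[user], {"key": session_key.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str) -> tuple:
        """Steps 6-7: validate the TGT and the user's right to the service, then
        issue a service ticket (sealed with the service's key) and a service
        session key (sealed with the TGT session key)."""
        body = decrypt(self.keys["krbtgt"], tgt)
        session_key = bytes.fromhex(body["key"])
        if decrypt(session_key, authenticator)["user"] != body["user"]:
            raise PermissionError("authenticator does not match the TGT")
        if body["user"] not in self.acl.get(spn, set()):
            raise PermissionError(f"{body['user']} is not allowed to use {spn}")
        service_key = secrets.token_bytes(32)
        ticket = encrypt(self.keys[spn], {"user": body["user"], "key": service_key.hex()})
        return ticket, encrypt(session_key, {"key": service_key.hex()})


def service_accepts(service_long_term_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """Step 8 on the service side: open the ticket with the service's own
    long-term key and check the authenticator; returns the accepted user."""
    body = decrypt(service_long_term_key, ticket)
    if decrypt(bytes.fromhex(body["key"]), authenticator)["user"] != body["user"]:
        raise PermissionError("authenticator does not match the service ticket")
    return body["user"]


def access_service(kdc: KDC, user: str, password: str, spn: str) -> str:
    """Client side of steps 1-8; the client never sees the TGS or service keys."""
    tgt, reply = kdc.as_exchange(user)
    session_key = bytes.fromhex(decrypt(password_key(password), reply)["key"])
    authenticator = encrypt(session_key, {"user": user})          # step 5
    ticket, key_msg = kdc.tgs_exchange(tgt, authenticator, spn)
    svc_session_key = bytes.fromhex(decrypt(session_key, key_msg)["key"])
    # In reality the service holds its own key; here it is read from the KDC table.
    return service_accepts(kdc.keys[spn], ticket, encrypt(svc_session_key, {"user": user}))


def login_ok(kdc: KDC, user: str, password: str, spn: str) -> bool:
    """True when the whole exchange succeeds, False on a wrong password (the
    AS reply cannot be opened) or a user the ACL does not admit to the SPN."""
    try:
        return access_service(kdc, user, password, spn) == user
    except (ValueError, PermissionError):
        return False


def demo_realm() -> KDC:
    """Constructed realm: users alice and bob, one web service, alice only on its ACL."""
    return KDC({"alice": password_key("correct horse"), "bob": password_key("hunter2"),
                "krbtgt": secrets.token_bytes(32),
                "HTTP/web.example.test": secrets.token_bytes(32)},
               {"HTTP/web.example.test": {"alice"}})
```

A wrong password never reaches the KDC as a rejected credential: the client simply cannot open the AS reply, which is why Kerberos passwords are never sent over the network.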
Q6. Explain the authorization systems.

The counterpart to authentication is authorization.

Authentication establishes who the user is; authorization specifies what that user can do. Typically thought of as a way of establishing access to resources, such as files and printers, authorization also addresses the suite of privileges that a user may have on the system or on the network.

In its ultimate use, authorization even specifies whether the user can access the system at all. There are a variety of types of authorization systems, including user rights, role-based authorization, access control lists, and rule-based authorization.

User Rights:
Privileges or user rights are different from permissions.
User rights provide the authorization to do things that affect the entire system.
The ability to create groups, assign users to groups, log in to a system, and many more user rights can be assigned.
Other user rights are implicit and are rights that are granted to default groups—groups that are created by the operating system instead of by administrators. These rights cannot be removed.

Role-Based Authorization (RBAC):
Each job within a company has a role to play.
Each employee requires privileges (the right to do something) and permissions (the right to access particular resources and do specified things with them) if they are to do their job.
Early designers of computer systems recognized that the needs of possible users of a system would vary, and that not all users should be given the right to administer the system.

Access Control Lists (ACLs):
Attendance at some social events is limited to invitees only.
To ensure that only invited guests are welcomed to the party, a list of authorized individuals may be provided to those who permit the guests in.
If you arrive, the name you provide is checked against this list, and entry is granted or denied.
Authentication, in the form of a photo identification check, may or may not play a part here, but this is a good, simple example of the use of an access control list (ACL).
Information systems may also use ACLs to determine whether the requested service or resource is authorized.
Access to files on a server is often controlled by information that is maintained on each file.
Likewise, the ability for different types of communication to pass a network device can be controlled by ACLs.

Rule-Based Authorization:
Rule-based authorization requires the development of rules that stipulate what a specific user can do on a system.
These rules might provide information such as "User Alice can access resource Z but cannot access resource D."
More complex rules specify combinations, such as "User Bob can read file P only if he is sitting at the console in the data center."

In a small system, rule-based authorization may not be too difficult to maintain, but in larger systems and networks, it is excruciatingly tedious and difficult to administer.

Q7. Explain Asymmetric Key Cryptography with diagram, or public key cryptography with diagram.

Asymmetric Key Cryptography:

It is also called public key cryptography; in it, two different keys (which form a key pair) are used.
One key is used for encryption and only the other corresponding key must be used for decryption.

No other key can decrypt the message, not even the original first key used for encryption.

The beauty of this scheme is that every communicating party needs just a key pair for communicating with any number of other communicating parties.

One of the two keys is called the public key and the other is the private key.

The private key remains with us as a secret. We must not disclose our private key to anybody.

However, the public key is for general purpose.

Below diagram shows the working of asymmetric key cryptography.

Asymmetric key cryptography works as follows:

When A wants to send a message to B, A encrypts the message using B's public key. This is possible because A knows B's public key.

A sends the message to B.

B decrypts A's message using B's private key. Only B knows about her private key, so the message can be decrypted only by B's private key and nothing else.

Q8. Explain Database-Level Security.

Database servers are commonly used to host many different databases and applications, and users should have different types of permissions based on their job functions.
Once a user has been allowed to connect to a server (through the use of a server login), the user will be given only the permissions that are granted to that login. This process of determining permissions is generally known as authorization.

The first type of database-level security is generally used to determine to which database(s) a user has access.

Database administrators can specify whether or not certain databases can be accessed by a user login. For example, one login may be granted permissions to access only the Human Resources database and not any system databases or databases used by other applications.

Database Administration Security

One important task related to working with a relational database is maintenance of the server itself.

Important tasks include creating databases, removing unneeded databases, managing disk space allocation, monitoring performance, and performing backup and recovery operations.

Database platforms allow the default systems administrator account to delegate permissions to other users, allowing them to perform these important operations. As an example, Microsoft's SQL Server platform provides built-in server-level roles, including Database Creators, Disk Administrators, Server Administrators, Security Administrators, and many others.

Database Roles and Permissions

Having a valid server login only allows a user the permission to connect to a server. In order to actually access a database, the user's login must be authorized to use it.

The general process begins with specifying to which database(s) a login may connect. Then, permissions must be assigned within the database.

The details here do vary between types of relational database platforms, but the overall concepts are the same.

Generally, database administrators will create "groups" or "roles," and each of these will contain users.

Specific permissions (which we'll look at in the next section) are assigned to the roles.

This process is quite similar to the best practices that are suggested for most modern network operating systems.

Object-Level Security

Relational databases support many different types of objects.

Tables, however, are the fundamental unit of data storage. Each table is generally designed to refer to some type of entity (such as an Employee, a Customer, or an Order). Columns within these tables store details about each of these items (FirstName or CustomerNumber are common examples). Permissions are granted to execute one or more of the most commonly used SQL commands.

These commands are:

• SELECT: Retrieves information from databases. SELECT statements can obtain and combine data from many different tables, and can also be used for performing complex aggregate calculations.

• INSERT: Adds a new row to a table.

• UPDATE: Changes the values in an existing row or rows.

• DELETE: Deletes rows from a table.

The ANSI Standard SQL language provides for the ability to use three commands for administering permissions to tables and other database objects:

• GRANT: Specifies that a particular user or role will have access to perform a specific action.

• REVOKE: Removes any current permissions settings for the specified users or roles.

• DENY: Prevents a user or role from performing a specific action.

Other Database Objects for Security

Views: A view is a logical relational database object that actually refers to one or more underlying database tables. Views are generally defined simply as the result of a SELECT query. This query, in turn, can pull information from many different tables and can also perform common calculations on the data.

Stored procedures: Databases offer developers the ability to create and reuse SQL code through the use of objects called stored procedures. Stored procedures can be used to perform any function that is possible through the use of standard SQL commands. Additionally, they can take arguments (much like functions and subroutines in other programming languages), making them very flexible.

Triggers: Triggers are designed to automatically be "fired" whenever specific actions take place within a database.

Q9. Explain different types of database backups.

Three basic types of database backups: Full, Incremental and Differential.

Normal or Full Backups
When a normal or full backup runs on a selected drive, all the files on that drive are backed up.
This, of course, includes system files, application files, user data, everything.
Those files are then copied to the selected destination (backup tapes, a secondary drive or the cloud), and all the archive bits are then cleared.

Normal backups are the fastest source to restore lost data because all the data on a drive is saved in one location.
The downside of normal backups is that they take a very long time to run, and in some cases this is more time than a company can allow.
Drives that hold a lot of data may not be capable of a full backup, even if they run overnight.
In these cases, incremental and differential backups can be added to the backup schedule to save time.

Incremental Backups
A common way to deal with the long running times required for full backups is to run them only on weekends.
Many businesses then run incremental backups throughout the week since they take far less time.
An incremental backup will grab only the files that have been updated since the last normal backup.
Once the incremental backup has run, that file will not be backed up again unless it changes or during the next full backup.
While incremental database backups do run faster, the recovery process is a bit more complicated.
If the normal backup runs on Saturday and a file is then updated Monday morning, should something happen to that file on Tuesday, one would need to access the Monday night backup to restore it.
For one file, that's not too complicated. However, should an entire drive be lost, one would need to restore the normal backup, plus each and every incremental backup run since the normal backup.

Differential Backups:
Differential backups and recovery are similar to incremental in that these backups grab only files that have been updated since the last normal backup.
However, differential backups do not clear the archive bit.
So a file that is updated after a normal backup will be archived every time a differential backup is run until the next normal backup runs and clears the archive bit.

Similar to our last example, if a normal backup runs on Saturday night and a file gets changed on Monday, that file would then be backed up when the differential backup runs Monday night.
Since the archive bit will not be cleared, even with no changes, that file will continue to be copied on the Tuesday night differential backup and the Wednesday night differential backup and every additional night until a normal backup runs again, capturing all the drive's files and resetting the archive bit.

A restore of that file, if needed, could be found in the previous night's tape. In the event of a complete drive failure, one would need to restore the last normal backup and only the latest differential backup.
This is less time consuming than an incremental backup restore.
However, each night that a differential backup runs, the backup files get larger and the time it takes to run the backup lengthens.

Daily Backups:
There is a fourth, less common form of backup, known as daily backups.
This is usually saved for mission-critical files.
If files that are updated constantly cannot wait a full twenty-four hours for the nightly backup to run and capture them, daily backups are the best choice.
This type of backup uses the file's time stamp, not the archive bit, to update the file once changes are made.
This type of database backup runs during business hours, and having too many of these files can impact network speeds.
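The archive-bit rules above, as an added simulation that is not part of the notes: it replays the Saturday full backup, the Monday edit and the nightly backups for both an incremental and a differential schedule, and lists which backup sets a full-drive restore would need. File names and the single edited file are constructed for the example.

```python
"""Simulation of the archive-bit semantics behind full, incremental and
differential backups. Constructed scenario from the notes: a drive with three
files, a full backup Saturday night, one file edited Monday morning, and a
nightly backup Monday through Wednesday."""
from dataclasses import dataclass, field


@dataclass
class Drive:
    # file name -> archive bit (True means "changed since it was last captured")
    files: dict = field(default_factory=dict)

    def write(self, name: str) -> None:
        """Create or modify a file; the OS sets its archive bit."""
        self.files[name] = True


@dataclass
class BackupRun:
    night: str
    kind: str            # "full", "incremental" or "differential"
    copied: frozenset    # files captured on that run


def run_backup(drive: Drive, night: str, kind: str) -> BackupRun:
    """Apply the rules from the notes:
    full         -> copy everything, clear every archive bit
    incremental  -> copy files whose bit is set, then clear those bits
    differential -> copy files whose bit is set, leave the bits untouched"""
    if kind == "full":
        copied = frozenset(drive.files)
        for name in drive.files:
            drive.files[name] = False
    elif kind in ("incremental", "differential"):
        copied = frozenset(n for n, bit in drive.files.items() if bit)
        if kind == "incremental":
            for name in copied:
                drive.files[name] = False
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    return BackupRun(night, kind, copied)


def simulate_week(weekday_kind: str) -> list:
    """Saturday full backup, report.xlsx edited Monday morning, then nightly
    backups of one kind (incremental or differential) Monday to Wednesday."""
    drive = Drive()
    for name in ("system.dll", "app.exe", "report.xlsx"):
        drive.write(name)
    history = [run_backup(drive, "Saturday", "full")]
    drive.write("report.xlsx")  # Monday morning edit sets the archive bit again
    for night in ("Monday", "Tuesday", "Wednesday"):
        history.append(run_backup(drive, night, weekday_kind))
    return history


def nightly_copies(history: list) -> dict:
    """night -> set of files that night's backup actually carried."""
    return {run.night: set(run.copied) for run in history}


def restore_plan(history: list) -> list:
    """Backup sets needed after a complete drive failure, assuming all runs
    after the last full backup are of the same kind."""
    last_full = max(i for i, run in enumerate(history) if run.kind == "full")
    later = history[last_full + 1:]
    if not later:
        return [history[last_full].night]
    if later[-1].kind == "differential":
        # the full backup plus only the latest differential
        return [history[last_full].night, later[-1].night]
    # the full backup plus each and every incremental since it
    return [history[last_full].night] + [run.night for run in later]


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        hist = simulate_week(kind)
        print(kind, nightly_copies(hist), "restore:", restore_plan(hist))
```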

Q10. Write a note on Biometric Techniques.
• Biometric authentication involves human characteristics such as fingerprint, voice, or the pattern of lines in the iris of the eye.
• The process involves creation of the user's sample and its storage in the user database.
• The user is required to provide a sample of the same nature. If the two samples match, the user is authenticated successfully.

Biometric Techniques:
Biometric techniques are classified into two categories:
1) Physiological techniques
2) Behavioral techniques

Physiological techniques: These are based on the physical characteristics of human beings. Several such techniques are:
a) Face
b) Voice
c) Fingerprint
d) Iris
e) Retina

Behavioral techniques: A behavioral technique is to observe a person to ensure that she/he is not trying to claim to be someone else. Two main techniques are:
a) Keystroke
b) Signature

Q11. Explain certificate based authentication.
It is based on the digital certificate of the user.
• Working of CBA involves the following steps:

Step 1 - Creation, storage and distribution of Digital Certificates

Step 2 - Login request:
• Login request only contains user id.

Step 3 - Server creates a random challenge:
• The server's user authentication program checks only the user id against the database
• The server creates a random challenge
• The server sends the random challenge back to the user

Step 4 - User signs the random challenge:
The user has to now sign the random challenge with her private key.
The user must enter the secret password for opening up the private key file.
The application uses this private key to encrypt the random challenge to create the user's digital signature.
Server then verifies the user's signature.

Step 5 - Server returns appropriate message back to the user

Q12. What is digital signature? Explain with example.

• In asymmetric key cryptography, if A is the sender of the message and B is the receiver, A encrypts the message with B's public key and sends the encrypted message to B.
• Whereas in Digital signature, if A is the sender of the message and B is the receiver, A encrypts the message with A's private key and sends the encrypted message to B.
If A is the sender and B is the receiver, then when A sends the message to B, A encrypts the message using her private key and sends it. When B receives it, it uses A's public key to decrypt the message.

In this process, the confidentiality of the message is not maintained, because A's public key is available to anyone, and hence anyone can decrypt the message sent by A. However, in this scheme, the intention of A was not to hide the message, but to prove the identity of the Sender, i.e. A. When B is able to decrypt the message using A's public key, it proves that the message was encrypted using A's private key, and since A's private key must be known only to A, the message indeed was sent by A. Moreover, in case of dispute, B can take the encrypted message and decrypt it with A's public key, to prove that the message indeed came from A. This achieves non-repudiation, i.e. A cannot refuse that she had sent the message.

Q13. Write a short note on Certificate Hierarchy.

The Certification Authority (CA) hierarchy begins with the root CA.
The root CA has one or more second level CAs below.
Each of these second-level CAs can have one or more third level CAs, which in turn can have lower level CAs, and so on.
If Alice has obtained her certificate from a third-level CA and Bob has obtained his certificate from a different third-level CA, how can Alice verify Bob's certificate?
Now, suppose that Alice's CA is B1, whereas Bob's CA is B11.
Clearly, Alice cannot straightaway know the public key of B11.
Therefore, in addition to his own certificate, Bob must send the certificate of his CA (i.e. B11) to Alice.
This would tell Alice the public key of B11.
Now, using the public key of B11, Alice can de-sign and verify Bob's certificate.
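An added example, not from the notes, that covers the signed challenge of Q11, the sign-with-private-key / verify-with-public-key scheme of Q12 and the chain walk of Q13 in one place: textbook RSA over published small primes with public exponent 65537, the message hashed before signing, and a shortened constructed hierarchy in which B11 sits directly under the root. Key sizes, padding and certificate encoding are simplified assumptions for illustration.

```python
"""Textbook RSA over published small primes, to show the mechanics the notes
describe: sign with a private key, verify with the matching public key, answer
a server's random challenge, and walk the chain root CA -> B11 -> Bob."""
import hashlib
import secrets
from dataclasses import dataclass


def make_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Return (public_key, private_key) as ((e, n), (d, n)); p, q distinct primes
    with gcd(e, (p-1)(q-1)) == 1 (true for the primes chosen below)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def digest(message: bytes, n: int) -> int:
    # Hash first so the value being signed is a fixed-size integer below n.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key: tuple, message: bytes) -> int:
    d, n = private_key
    return pow(digest(message, n), d, n)  # "encrypt" the digest with the private key


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)  # "decrypt" with the public key


@dataclass(frozen=True)
class Certificate:
    subject: str
    public_key: tuple   # (e, n) of the subject
    issuer: str
    signature: int      # issuer's signature over to_be_signed()

    def to_be_signed(self) -> bytes:
        e, n = self.public_key
        return f"{self.subject}|{self.issuer}|{e}|{n}".encode()


def issue(issuer: str, issuer_private: tuple, subject: str, subject_public: tuple) -> Certificate:
    """The CA binds the subject's name to its public key by signing both."""
    unsigned = Certificate(subject, subject_public, issuer, 0)
    return Certificate(subject, subject_public, issuer, sign(issuer_private, unsigned.to_be_signed()))


def verify_chain(chain: list, trusted_root: Certificate) -> bool:
    """chain[0] is the end entity, chain[-1] was issued by the trusted root; each
    certificate is checked with the public key carried in the one above it."""
    for i, cert in enumerate(chain):
        issuer_cert = chain[i + 1] if i + 1 < len(chain) else trusted_root
        if cert.issuer != issuer_cert.subject:
            return False
        if not verify(issuer_cert.public_key, cert.to_be_signed(), cert.signature):
            return False
    return True


def challenge_login(user_cert: Certificate, user_private: tuple) -> bool:
    """Q11 flow: the server sends a random challenge, the user signs it with her
    private key, the server verifies with the public key in the certificate."""
    challenge = secrets.token_bytes(16)                        # server side
    signature = sign(user_private, challenge)                  # user side
    return verify(user_cert.public_key, challenge, signature)  # server side


# Constructed hierarchy (Q13): root CA -> CA "B11" -> Bob.
ROOT_PUB, ROOT_PRIV = make_keypair(999983, 1299709)
B11_PUB, B11_PRIV = make_keypair(104729, 4294967291)
BOB_PUB, BOB_PRIV = make_keypair(65521, 15485863)
ROOT_CERT = issue("Root CA", ROOT_PRIV, "Root CA", ROOT_PUB)   # self-signed anchor
B11_CERT = issue("Root CA", ROOT_PRIV, "B11", B11_PUB)
BOB_CERT = issue("B11", B11_PRIV, "Bob", BOB_PUB)
```

Alice only needs the root's public key in advance: B11's certificate, sent along by Bob, gives her B11's public key, and that key in turn checks Bob's certificate.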

Q. Write a short note on integrity risks.

Integrity Risks

Integrity risks affect both the validity of information and the assurance that the information is correct.
Some government regulations are particularly concerned with ensuring that data is accurate.
If information can be changed without warning, authorization, or an audit trail, its integrity cannot be guaranteed.

Malfunctions

Computer and storage failures that corrupt data damage the integrity of that data.
Defense: Make sure the storage infrastructure you select has appropriate RAID redundancy built in and that archives of important data are part of the service.
Detection: Employ integrity verification software that uses checksums or other means of data verification.
Deterrence: Due to the nature of data, because there is no human element involved, there isn't much that can be done.
Residual risk: Technology failures that damage data may result in operational or compliance risk (especially relating to Sarbanes-Oxley requirements for publicly traded companies to ensure the integrity of their financial data).

Data Deletion and Data Loss
Data can be accidentally or intentionally destroyed due to computer system failures or mishandling. Such data may include financial, organizational, personal, and audit trail information.
Defense: Ensure that your critical data is redundantly stored and housed in more than one location.
Detection: Maintain and review audit logs of data deletion.
Deterrence: Maintain educational and awareness programs for individuals who access and manage data. Ensure that data owners are assigned that have authority and control over data and responsibility for its loss.
Residual risk: Once critical data is gone, if it can't be restored, it is gone forever.

Data Corruption and Data Tampering

Changes to data caused by malfunction in computer or storage systems, or by malicious individuals or malware, can damage the integrity of that data. Integrity can also be damaged by people who modify data with intent to defraud.
• Defense: Utilize version control software to maintain archive copies of important data before it is modified. Ensure that all data is protected by antivirus software. Maintain role-based access control over all data based on least privilege principles, pursuant to job function and need to know.
• Detection: Use integrity-checking software to monitor and report alterations to key data.
• Deterrence: Maintain educational and awareness programs for individuals who access and manage data. Ensure that data owners are assigned that have authority and control over data and responsibility for its loss.
• Residual risk: Corrupted or damaged data can cause significant issues because valid, reliable data is the cornerstone of any computing system.

Accidental Modification
Perhaps the most common cause of data integrity loss, accidental modification occurs either when a user intentionally makes changes to data but makes the changes to the wrong data, or when a user inputs data incorrectly.
• Defense: Utilize version control software to maintain archive copies of important data before it is modified. Maintain role-based access control over all data based on least privilege principles, pursuant to job function and need to know.
• Detection: Use integrity-checking software to monitor and report alterations to key data.
• Deterrence: Maintain educational and awareness programs for individuals who access and manage data. Ensure that data owners are assigned that have authority and control over data and responsibility for its loss.
• Residual risk: Corrupted or damaged data can cause significant issues because valid, reliable data is the cornerstone of any computing system.

Q. What are the three primary categories of storage infrastructure in modern storage security?

Modern storage environments can be considered as separate IT infrastructures of their own. Many organizations are now dividing their IT organizations along the lines of networks, servers, and storage—acknowledging that storage merits a place alongside these long-venerated institutions.
Storage infrastructure can often be found on a dedicated LAN, with servers, arrays, and NAS appliances, with specialized operating systems to support the storage. Storage can also be located in multiple sites, including geographically diverse regional distributions, and even third-party and Internet locations. In securing these components, you must take into account three primary categories:
• Storage networks
• Arrays
• Servers

Storage Networks
Separation of duties should be applied within the storage infrastructure. Since all storage devices are connected physically, either over a network or through a storage connection protocol, separating access to the physical servers prevents a storage administrator from connecting a rogue server into the environment and then provisioning it access to restricted logical unit numbers (LUNs).
A LUN is the mechanism an array uses to present its storage to a host operating system. Likewise, while someone may connect a server to the environment and configure it, methods of protecting the LUNs are applied so that the server cannot gain access to restricted LUNs.

Port Zoning:
The most notable characteristic of port zoning is that the accessibility of the host to the LUNs is defined by the switch port.
The advantage to zoning in this manner is that an intruder cannot connect a host to the switch, enable spoofing of a good WWN, and access LUNs of another host. Since the protection is enforced on the port interface, the intruder would need to disconnect the good host interface and connect the intruding host into the defined port.
All this would need to be done without any alerts being flagged by the host operating system, which is practically impossible.

WWN Zoning
The alternative to port zoning, in which the zones are created relative to the ports the servers are connected to on the switch, is WWN zoning, which defines the individual zone based on the WWN ID of the host bus adapter (HBA).
The WWN is very much like the MAC address of a network card. It is a 16-digit hexadecimal number that uniquely identifies the HBA within the SAN fabric.
These numbers are assigned in much the same way as MAC addresses are assigned to OEM manufacturers, with the first eight digits assigned to specific manufacturers and the rest of the numbers assigned by the manufacturers.

Arrays
Another area of risk is the storage array itself.
When LUNs are created, it is necessary for the array to provide a screen to prevent the data that resides on the array from being accessed by other hosts that are able to connect to the array.
Storage arrays are therefore equipped with a mechanism that provides protection known as LUN masking.
This allows multiple hosts to communicate with the array and only access LUNs that are assigned through the application that provides the LUN-masking protection.
Consider the differences in protection between zoning and LUN masking.
[Figure: security area of arrays]

Servers

Storage administrators often have limited control over what can or cannot be done on the host, as this administration is handled by the systems administrators.
However, in many organizations, the systems administrator is also the storage administrator, which means that person has full access to both the storage and the systems that use it.
As long as the data "rests" on the server, the potential to access that data exists.
Many options are available to protect that data while it is at rest on the server.
The concern of the storage administrator is what happens if someone is able to access the data either locally or remotely. In the worst-case scenario, an attacker may obtain access to the server and escalate his authority to attempt to read the data.
In order to keep the data secure in this scenario, it is necessary to implement data encryption.
Therefore, when securing data, a comprehensive solution is necessary.
The operating system must be secured and patched, file permissions must be planned and applied to reduce access as much as possible, and monitoring needs to be performed.
Finally, confidential data should also be encrypted to protect it from unwanted access.
[Figure: security area of servers]

Q.Expl
ainconf
ident
ial
l
yri
sks.

Confidenti
all
yri
sksareassoci
atedwi
thvulner
abi
li
ti
esandthr
eatspertaini
ngtothe
pr
ivacyandcont r
olofi
nformati
ongi
venthatwewanttomaket heinf
ormat i
onavai
lable
i
nacont rol
ledfashi
ontothosewhoneeditwit
houtexposi
ngi
tt ounauthori
zedpar
ties.

Data leakage, Theft, Exposure, Forwarding:

Data leakage is the risk of loss of information such as confidential data and intellectual property through intentional or unintentional means. There are four major threat vectors for data leakage: theft by outsiders, malicious sabotage by insiders (including unauthorized data printing, copying or forwarding), inadvertent misuse by authorized users, and mistakes created by unclear policies.

• Defense: employ software controls to block inappropriate data access using a data loss prevention (DLP) solution and/or an information rights management (IRM) solution.
• Detection: use watermarking and data classification labeling along with monitoring software to track data flow.
• Deterrence: establish security policies that assign serious consequences to employees who leak data, and include clear language in contracts with service providers specifying how data privacy is to be protected and maintained.
• Residual risks: data persistence within the storage environment can expose data long after it is no longer needed, especially if the storage is hosted on a vendor-provided service that dynamically moves data around in an untraceable manner.

Administrative access that allows system administrators full access to all files, folders and directories, as well as the underlying storage infrastructure itself, can expose private data to administrators.

Inappropriate administrator access:

If users are given privilege levels usually reserved for system administrators, which provide full access to the system and all data that the system has access to, they will be able to view data or make changes without being properly restricted through the system's authorization processes. Administrators have the authority to bypass all security controls, and this can be used to intentionally or mistakenly compromise private data.

Defense: reduce the number of administrators for each function (servers, network and storage) to as low a number as possible, and ensure that thorough background checks are used to screen personnel who have administrative access. A vendor security review should be performed to validate these practices before engaging any vendors.

Detection: review the provider's administrative access logs for its internal infrastructure on a monthly or quarterly basis; review the provider's list of administrators on a biannual basis.

Deterrence: establish security policies, especially for administrators, that assign serious consequences for inappropriate data access in hosted environments; select only providers that have good system and network administration practices, and make sure their practices are reviewed on a regular basis.

Residual risk: because administrators have full control, they can abuse their access privileges either intentionally or accidentally, resulting in compromise of personal information or service availability.
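
The periodic review of administrative access logs described under Detection can be partly automated. The following is an added example, not code from the original notes: it parses a constructed log, flags activity by accounts that are not on the approved administrator list, flags privileged actions outside business hours, and counts activity per account so the list of administrators can be reconciled at review time. The log format, the account names, the approved list and the business-hours window are all assumptions.

```python
# Added example, not from the original notes: a periodic review of
# administrative access logs against the approved administrator list.
# The log format, account names and approved list are constructed.
import re
from collections import Counter
from datetime import datetime

# Constructed log lines: "<timestamp> <account> <action> <target>"
SAMPLE_LOG = """\
2024-03-02T01:12:44Z alice   sudo  /srv/storage/customers.db
2024-03-02T09:05:10Z bob     login storage-node-1
2024-03-03T22:41:03Z mallory sudo  /srv/storage/customers.db
2024-03-04T10:00:00Z alice   login storage-node-2
2024-03-05T03:30:00Z bob     sudo  /etc/shadow
"""

# Constructed list of accounts approved for storage administration.
APPROVED_ADMINS = {"alice", "bob"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse each well-formed line into (timestamp, account, action, target)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it, keep reviewing the rest
        ts, account, action, target = m.groups()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((ts, account, action, target))
    return events


def review_admin_access(text, approved, business_hours=(8, 18)):
    """Findings for the monthly/quarterly administrator access review:
    unapproved = activity by accounts not on the approved list,
    off_hours = privileged (sudo) actions outside business hours (UTC),
    counts = activity per account, to reconcile with the admin list."""
    findings = {"unapproved": [], "off_hours": [], "counts": Counter()}
    for ts, account, action, target in parse_log(text):
        findings["counts"][account] += 1
        event = (ts.isoformat(), account, action, target)
        if account not in approved:
            findings["unapproved"].append(event)
        elif action == "sudo" and not business_hours[0] <= ts.hour < business_hours[1]:
            findings["off_hours"].append(event)
    return findings
```

Run against the constructed log, the review reports the unapproved account and the two privileged actions performed at night, which are the items a reviewer would follow up on.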

Misuse of data:

People who have authorized access to data can do things with the data that they are not supposed to do. Examples are employees who leak information to the competition, developers who perform testing with production data, and employees who take data out of the controlled environment of the organization's network into their unprotected home environment.

Defense: for employees, use security controls similar to those in private data networks, such as DLP, RBAC, and scrambling of test and development data. Block the ability to send e-mail attachments to external e-mail addresses.

Detection: use watermarking and data classification labeling along with monitoring software to track data flow; IRM can be used to perform these functions.

Deterrence: employ a strict security policy paired with an awareness program to deter people from extracting data from controlled environments and moving it to uncontrolled environments.

Residual risk: people can find ways around controls and transfer data into uncontrolled environments where it can be stolen or misused.
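
Two of the controls named above, for data leakage and for misuse of data, can be shown together: blocking attachments to external e-mail addresses and using data classification labels so a DLP control can recognise confidential content. The following is an added example, not code from the original notes or from any DLP product; the internal domain, the label names and the sample messages are constructed.

```python
# Added example, not from the original notes: a minimal outbound e-mail
# policy check of the kind a DLP control applies. The internal domain,
# the classification labels and the messages are constructed.
import re

INTERNAL_DOMAINS = {"example.com"}                       # constructed
CLASSIFICATION_LABELS = ("CONFIDENTIAL", "RESTRICTED")   # constructed labels


def is_external(address):
    """True if the address belongs to a domain outside the organization."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def classification_of(text):
    """Return the first classification label found in the text, if any."""
    for label in CLASSIFICATION_LABELS:
        if re.search(r"\b" + label + r"\b", text, re.IGNORECASE):
            return label
    return None


def evaluate_outbound(msg):
    """Decide whether an outbound message may leave the organization.

    msg: {"from": str, "to": [str], "subject": str, "body": str,
          "attachments": [str]}
    Returns (allowed, reasons); internal-only mail is always allowed.
    """
    reasons = []
    external = [r for r in msg["to"] if is_external(r)]
    if external:
        # Policy from the notes: no attachments to external addresses.
        if msg["attachments"]:
            reasons.append("attachment to external recipient: " + ", ".join(external))
        # Classification labels travel with the data; labelled content stays inside.
        label = classification_of(msg["subject"] + "\n" + msg["body"])
        if label:
            reasons.append(f"{label} content addressed to external recipient")
        for name in msg["attachments"]:
            label = classification_of(name)
            if label:
                reasons.append(f"{label} attachment '{name}' to external recipient")
    return (not reasons, reasons)
```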

Fraud:

A person who illegally or deceptively gains access to information they are not authorized to access commits fraud. It may be perpetrated by outsiders but is usually committed by trusted employees.

Defense: use checks and balances along with separation of duties and approvals to reduce the dependence on single individuals for information access, so that if somebody does perform a fraudulent action it will be noticed. This can also act as a deterrent.

Detection: perform regular audits on computing system access and data usage, giving special attention to unauthorized access.

Deterrence: ensure that security policies include penalties for employees who access data they are not authorized for. In hosted environments, transfer risk to service providers using contractual language that holds the service provider responsible for fraud committed by the service provider's employees.

Residual risk: fraudulent data access can occur despite the controls that are designed to prevent it.

Hijacking:

Hijacking in the context of computing refers to the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system. In particular, it is the theft of a magic cookie used to maintain a session on many websites; the cookie can be stolen using an intermediary computer or with access to saved cookies on the victim's computer. If an attacker is able to steal the authentication cookie, they can make requests themselves as if they were the genuine user, gaining access to privileged information or changing data; if this cookie is a persistent cookie, then the impersonation can continue for a considerable period of time. Any protocol in which state is maintained using a key passed between two parties is vulnerable, especially if it is not encrypted.

Defense: look for solid identity management solutions that specifically address this risk using strong, difficult-to-guess session keys with encryption. Use good key management, key escrow and key recovery practices as a customer so that employee departures do not result in the inability to manage your data.

Detection: routinely monitor logs looking for unexpected behavior.

Deterrence: not much can be done to deter attackers from hijacking sessions other than aggressive legal response.

Residual risk: attackers can impersonate valid users or even use administrative credentials to lock you out or damage your infrastructure.
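
The defense and detection points above (difficult-to-guess session keys, no long-lived persistent sessions, and monitoring for unexpected behavior) can be illustrated server-side. The following is an added example, not code from the original notes or from any identity management product: a session store that issues 256-bit random session keys, expires idle sessions, and revokes and logs a session that is presented from a client other than the one it was issued to. The client fingerprint (IP address and User-Agent) and the idle timeout are assumptions.

```python
# Added example, not from the original notes: a session store that issues
# strong, unguessable session keys, expires them instead of keeping them
# persistent, and flags a session presented from a different client as a
# possible hijack. The fingerprint fields and the timeout are assumptions.
import hmac
import secrets
import time

SESSION_TTL = 15 * 60          # assumed idle timeout in seconds
SESSION_BYTES = 32             # 256 bits of randomness per session key


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now        # injectable clock, so expiry can be tested
        self._sessions = {}    # session key -> record
        self.alerts = []       # hijack indicators for log review

    def create(self, user, client_ip, user_agent):
        """Issue a fresh, cryptographically random session key."""
        key = secrets.token_urlsafe(SESSION_BYTES)
        self._sessions[key] = {"user": user, "ip": client_ip,
                               "ua": user_agent, "last": self._now()}
        return key

    def validate(self, key, client_ip, user_agent):
        """Return the user for a valid session, or None.

        A key that is unknown, idle past SESSION_TTL, or presented from a
        client that does not match the one it was issued to is rejected;
        a client mismatch is recorded as a hijack indicator.
        """
        rec = self._sessions.get(key)
        if rec is None:
            return None
        now = self._now()
        if now - rec["last"] > SESSION_TTL:
            del self._sessions[key]          # expired: no persistent sessions
            return None
        # Constant-time comparison so timing does not reveal partial matches.
        same_client = (hmac.compare_digest(rec["ip"], client_ip)
                       and hmac.compare_digest(rec["ua"], user_agent))
        if not same_client:
            self.alerts.append({"user": rec["user"], "issued_to": rec["ip"],
                                "presented_from": client_ip, "at": now})
            del self._sessions[key]          # revoke on suspected hijack
            return None
        rec["last"] = now                    # refresh the idle timer
        return rec["user"]
```

The alerts list is what the monitoring step would feed into log review; in a real deployment the fingerprint should be chosen with care, since legitimate users behind changing addresses would otherwise be revoked too.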
