CpSc 433, Data Security and Encryption Techniques
Final Exam Review
Please note that the Final Exam is comprehensive: you are still responsible for material from the Midterm Exam.
Read Section 15.1 on PGP. Given what you've already learned about symmetric and asymmetric encryption, the operations described in Figure 15.1 should come as no surprise. You should be able to describe how to use public-key encryption for authentication, confidentiality, or both. Understand the desirable properties of compression described on p. 441. Understand the concept of key rings as described on p. 447: what they contain and how they are stored. Understand how PGP addresses the Public-Key Management problem (the "web of trust," pp. 451-455).
Networking and TCP/IP
There won't be any questions directly about networking, but the concepts are necessary background material. Specifically, you should be comfortable with TCP and UDP ports and how they relate to services, the TCP three-way handshake, and the purposes of the ICMP and DNS protocols.
Understand why MAC and IP addresses aren't very good for authentication, why TCP Initial Sequence Numbers should be hard to predict, how to DoS a host, why no one lets you do source routing or do network-directed broadcasts any more, and why you should be careful about which DNS servers you trust.
Know what a VPN is. Be able to distinguish between AH and ESP, and the algorithms used to implement each. Understand that an SA allows you to associate different IPSec parameters with different endpoints (e.g., you can have two connections, one of which uses AH-SHA-HMAC and ESP-DES and has a lifetime of 24 hours, and the other of which uses ESP-3DES and ESP-MD5 with a lifetime of 1,000 Mbits); you do not need to know all of the SA Parameters or the selectors in an SPD entry
Know the difference between transport and tunnel mode and how they affect IP packets. You do not need to memorize packet header formats like those shown on pp. 492 and 496. Know what traffic padding is used for. Understand the purpose of IKE/ISAKMP (establishing session keys), and how endpoints authenticate each other in the first place (pre-shared keys or certificates).
Read Section 17.1, and be prepared to describe various kinds of web-based attacks. In Section 17.2, understand the four pieces of SSL: the SSL Record Protocol, the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol. As usual, you do not need to memorize specific packet formats or message types, but you need to understand how they fit together. Figures 17.2 and 17.3 are good guides, and the handshake shown in Figure 17.6 should make sense to you. Don't worry about TLS or Section 17.3's discussion of SET.
SQL Injection and Cross-Site Scripting
Be able to give an example of each.
Read Chapter 18 through p. 587. Section 18.1 is interesting, but don't put too much stock in the listed "classes" of intruder.
Read Section 18.2 and understand the different approaches to intrusion detection. Know the difference between false positives and false negatives, and know which one is likely to be a bigger problem. Know the drawbacks of attempting to detect intrusions based on pattern matching, but understand why we do it anyway (specifically, understand the implications of the Base-Rate fallacy for statistical anomaly detection). Be able to suggest good locations to place IDS sensors.
Section 18.3 should be a review, but read it anyway and be able to describe what makes for a good password policy. If you hit Markov models, you've gone too far.
You should be familiar with the different kinds of malware: know the difference between trojan horses, viruses, and worms, for example. Understand how viruses work, and how they can be detected.
In Section 20.1, know the different kinds of firewall technology (Packet Filtering, Stateful Inspection, Application-level Gateways, and Circuit-Level Gateways). Understand how each works, and its advantages and disadvantages. Know what a bastion host is, and how to build one. Study the firewalls configuration, and keep in mind that these days the "screened subnet" is usually referred to as a DMZ.
Section 20.2 has nothing to do with firewalls, but read it anyway: we will cover the material in the lecture on AAA, and you will need to know the concepts of multilevel security and Mandatory vs. Discretionary Access Control.
Understand the concept of "Defense in Depth": be able to explain it, and be ready to apply it in various situations. Understand the purpose of ingress and egress filtering, and why it's worth having both a screen router and a firewall. see the white paper mentioned in the course outline for an extended example.
Hardening and the SANS Top 20
Understand the tasks involved in hardening a host (e.g., restrict use of installed software or remove it completely, disable unused accounts, set restrictive file permissions, monitor changes to the file system, crank up the logging, disable unused network services, restrict access to the services you do provide, and patch early and often.) See the SANS Top 20 list for examples.
Vulnerability Assessment and Penetration Testing
Know the difference between vulnerability assessment and penetration testing (i.e., locating vulnerabilities vs. exploiting them). Know why you should be careful running VA systems against production machines (if you're not sure about this, make sure to read the two articles on Nessus). Be able to name several ways to conduct reconnaissance against a network (e.g., port scans, OS and server fingerprinting, DNS, whois). The book chapter on network scanning mention in the course outline contains more detail than you will need, but I'm certain that some of you will want to read it all anyway. There will not be any questions about specific hacker tools, although I'm sure you've downloaded them all by now.
Buffer Overflows and Shellcode
Know what buffer overflows are, be able to spot them in code, and be able to suggest ways to fix them. Understand the implications of being able to corrupt the stack.
Understand default-deny and default-allow policies, and the circumstances under which each is appropriate. Be able to distinguish between mechanism and policy. Know why you need a written policy. Understand the Principle of Least Privilege, and when you should and and should not delegate trust. Understand the tradeoffs between security and convenience.
Threat Modeling and Risk Assessment
Note that I've added a reading to the outline.
Be able to identify assets and threats, and understand the implications of choosing the wrong assets to protect or the wrong threats to protect them from. Know the difference between a vulnerability and a threat. Know how to decide which threats are worth protecting against. Know where to look for threats (e.g., trust boundaries, entry points, and privileged code), and what kind of threats to look for (STRIDE). Know the appropriate countermeasures for each threat. Be able to draw an attack tree.
Authentication, Authorization, and Accounting
Read Section 20.2, and see the section on Chapter 20 above for comments. Understand the concept of two-factor authentication, and risks of using biometric data.
Incident Response and Forensics
Know the basic steps you should take in responding to an incident. Understand the chain of custody, and how to collect forensic evidence.