Lab: security
The Security Lab is different than our other labs.
For this lab, you answer questions in your notebook and we discuss your answers during our Security Lab class.
Students must answer the questions such that they can lead a discussion on these topics. Students should study all topics.
The class may organize itself so that specific students are assigned topics to lead.
I may use my random student selector to select students to lead discussion topics.
Use the Internet and OSTEP Security Section to collect information about these basic security concepts.
When studying the concepts, consider their relationships to operating systems and the material we have learned.
Students must be in class and active participants. Students are not allowed to fiddle with their laptops or with their phones or any other electronic devices.
In this lab, there are several questions for you to answer. Questions are in boxes with a light orange background.
Write each question and its answer in your notebook. Use your notebook answers to participate during our class discussion.
Security Attributes and Vulnerabilities
Discover answers to these terms and write them in your notebook. OSTEP Chapter 53 will be helpful for these terms.
1. Social engineering, phishing
2. Buffer Overflows, NOP Sled, Address Space Randomization, Stack Guard
3. Network Attacks, Unauthorized Access, DDoS, Man in Middle, Code/SQL Injection
4. Confidentiality, Integrity, Availability, Non-repudiation
5. Security Policies, Policy, Implementation, Enforcement
6. SELinux, Multi-Level Security, Multi-category Security
7. Access control, subject, object, access, discretionary access control, mandatory access control, Role-based access control
8. Authentication, multi-factor authentication, what you know, what you have, dongle, CAC, what you are
9. Hash, Cryptographic Hash, SHA-3, Dictionary Attack, Salt
10. Public-private keys, ~/.ssh/authorized_keys, RSA, id_rsa, id_rsa.pub, ssh-keygen
11. Cryptography, cipher, key, plain text, cipher text
12. E(plain text, key) → cipher text, D(cipher text, key) → plain text
13. Public-private keys, HTTP, HTTPS, TLS, session key, certificate authority
14. Symmetric encryption (AES 256-bit), asymmetric encryption (RSA 2048-bit), AES, WEP, WPA, WPA2, WPA3
15. Block cipher, digital signature, Kerckhoffs’ Principle, defense in depth
Secure Design
Most existing software was designed well, but often did not consider vulnerabilities. As a result, a lot of cybersecurity is (1) “patching” existing code after a vulnerability is discovered and (2) building (selling) tools to guard existing systems. Tools are things like Norton, McAfee, port blockers, etc.
We are playing whack-a-mole. Hackers discover a vulnerability. We discover that a hacker has intruded. We create a patch/tool to fix the vulnerability.
As new systems are created, it is important to use a secure design. I think the definition of a secure design is evolving. The following topics are part of the evolving definition of secure design.
Discover answers to these terms and write them in your notebook. OSTEP Chapter 53 will be helpful for these terms.
16. Economy of mechanism
17. Fail-safe defaults
18. Complete mediation
19. Open design
20. Separation of privilege
21. Least privilege
22. Least common mechanism
23. Acceptability
Security News
Discover answers to these questions and write them in your notebook. OSTEP Chapter 53 will be helpful for these terms.
24. What is a recent zero-day vulnerability?
25. What is a recent ransomware attack?
26. What is some other security news?
27. What is the Stuxnet worm and how did it work?
28. What is a side-channel attack?
29. Do you think the US power grid is vulnerable to a cyber attack?
30. Do you think the US military is vulnerable to a cyber attack?
31. What is the most vulnerable security hole?
32. Have you ever experienced a security hack? If so, describe the hack and how you recovered.
33. If you had to choose, which of these would you choose: (a) a massive cyber attack or (b) a nuclear missile attack?
Submit the lab
This completes the lab. You do not have to submit this lab. Please come to class prepared to discuss your answers.