Tanya Janca - Alice and Bob Learn Application Security

Not multi-factor: A username and a password. This is two examples of the same factor; they are both something that you know. Multi-factor authentication means that you have more than one of the different types of factors of authentication, not one or more of the same factor.

Not multi-factor: Using a username and password, and then answering security questions. These are two of the same fact, something you know.

Multi-factor: Username and password, then using your thumb print.

NOTE Many in the information security industry are in disagreement as to whether or not using your phone to receive an SMS (text message) with a pin code is a “good” implementation of MFA, as there are known security flaws within the SMS protocol and some implementations of it. It is my opinion that having a “pretty-darn-good second factor,” rather than having only one factor, is better. Whenever possible, however, ask users to use an authentication application instead of SMS text messages as the second factor.

These exercises are meant to help you understand the concepts in this chapter. Write out the answers and see which ones you get stuck on. If you have trouble answering some of the questions, you may want to reread the chapter. Every chapter will have exercises like these at the end. If there is a term you are unfamiliar with, look it up in the glossary at the end of the book; that may help with your understanding.

If you have a colleague or professional mentor who you can discuss the answers with, that would be the best way to find out if you are right or wrong, and why. Some of the answers are not Boolean (true/false) and are just to make you contemplate the problem.

1 Bob sets the Wi-Fi setting on his pacemaker to not broadcast the name of his Wi-Fi. What is this defensive strategy called?

2 Name an example of a value that could be hard coded and why. (What would be the motivation for the programmer to do that?)

3 Is a captcha usable security? Why or why not?

4 Give one example of a good implementation of usable security.

5 When using information from the URL parameters do you need to validate that data? Why or why not?

6 If an employee learns a trade secret at work and then sells it to a competitor, this breaks which part(s) of CIA?

7 If you buy a “smart” refrigerator and connect it to your home network, then have a malicious actor connect to it and change the settings so that it’s slightly warmer and your milk goes bad, which part(s) of CIA did they break?

8 If someone hacks your smart thermostat and turns off your heat, which part(s) of CIA did they break?

9 If a programmer adds an Easter egg (extra code that does undocumented functionality, as a “surprise” for users, which is unknown to management and the security team), does this qualify as an insider threat? If so, why? If not, why not?

10 When connecting to a public Wi-Fi, what are some of the precautions that you could take to ensure you are doing “defense in depth”?

11 If you live in an apartment with several roommates and you all have a key to the door, is one of the keys considered to be a “factor of authentication”?

Текст предоставлен ООО «ЛитРес».

Прочитайте эту книгу целиком, на ЛитРес.

Безопасно оплатить книгу можно банковской картой Visa, MasterCard, Maestro, со счета мобильного телефона, с платежного терминала, в салоне МТС или Связной, через PayPal, WebMoney, Яндекс.Деньги, QIWI Кошелек, бонусными картами или другим удобным Вам способом.