Chapter 9
Security Vulnerabilities, Threats,
and Countermeasures
Assess and Mitigate Security Vulnerabilities
Hardware
Hardware Components
Protection Mechanisms
Memory
Memory Addressing
Secondary Memory
Input/Output Devices
Firmware
overview
Hardware Components
Processor / central processing unit (CPU)
Execution types:
Multitasking
Multicore
Multiprocessing: SMP and MPP
Multiprogramming
Multithreading
Processing types:
Single state
Multistate
Protection Mechanisms 1/3
Protection rings
Kernel mode or
privileged mode
User mode
Mediated access/
system call
Protection Mechanisms 2/3
Process states/Operating states
OS: supervisory or problem
Processes: Ready, Waiting, Running, Supervisory, Stopped
Process scheduler or program executive
Protection Mechanisms 3/3
Security Modes
Requirements:
MAC
Physical control over who can access console
Physical control over who can enter room
Dedicated
System high
Compartmented
Multilevel
Memory
Read only memory (ROM)
Programmable Read-Only Memory (PROM)
Erasable Programmable Read-Only Memory (EPROM)
Electronically Erasable Programmable Read-Only Memory
(EEPROM)
Flash
Random access memory (RAM)
Real
Cache
Registers
Memory Addressing
Register
Immediate
Related to a register or as part of an instruction
Direct
Actual address of memory location
Indirect
An address of memory location which holds the address of the
target data
Base plus Offset
Base address stored in a register, offset is relative location
Secondary Memory 1/2
Magnetic, optical, or flash media
Not immediately available to CPU
Virtual memory
Paging
Security issues
Theft, purging, physical access
Primary vs. secondary
Volatile vs. nonvolatile
Random vs. sequential
Secondary Memory 2/2
Data remanence
SSD wear leveling
Theft – encryption
Device access control
Data retention over use lifetime - availability
Input/Output Devices
Monitors
Printers
Keyboards and mice
Modems
Firmware
Microcode
Basic Input/Output System (BIOS)
Unified Extensible Firmware Interface (UEFI)
Phlashing
Device firmware
EEPROM
Client-Based Systems 1/2
Applets
Java and JVM
ActiveX
Local Caches 1/2
ARP
ARP cache poisoning
Client-Based Systems 2/2
Local Caches 2/2
DNS
DNS cache poisoning:
HOSTS file
Authorized DNS
Caching DNS
DNS lookup address change
DNS query spoofing
Defence: split DNS, IDS
Internet files
Temporary Internet files and cache
Server Based Systems
Data flow control
Load balancing
Management between processes, devices, networks, or
communication channels
Efficient transmission with minimal delays or latency
Reliable throughput using hashing and confidentiality
protection with encryption
Database Systems Security
Aggregation
Inference
Data Mining and Data Warehousing
Data dictionary
Meta data
Data mart
Data Analytics
Big Data
Large-Scale Parallel Data Systems
AMP, SMP, MPP
Distributed Systems and
Endpoint Security
-server model
Distributed architectures
Endpoint security
Screening/filtering email
Download/upload policies
Robust access controls
Restricted user-interfaces
File encryption
(see list in book)
Cloud-Based Systems and
Cloud Computing 1/3
Hypervisor, virtual machine monitor (VMM)
Type I hypervisor (native or bare-metal hypervisor)
Type II hypervisor (hosted hypervisor)
Cloud storage
Elasticity
Cloud computing
PaaS
SaaS
IaaS
Cloud-Based Systems and
Cloud Computing 2/3
On-premise vs. hosted vs. cloud
Private, public, hybrid, community
Issues:
Privacy concerns
Regulation compliance difficulties
Use of open/closed-source solutions
Adoption of open standards
Whether or not cloud-based data is actually secured (or even
securable)
Cloud-Based Systems and
Cloud Computing 3/3
Cloud access security broker (CASB)
Security as a service (SECaaS)
Cloud shared responsibility model
Grid and Peer to Peer
Grid Computing
Parallel distributed processing
Members can enter and leave at will
Work content is potentially exposed publicly
Work packets are sometimes not returned, returned late, or
returned corrupted
Peer to Peer
No central management system
Services provided are usually real time
VoIP, file distribution, A/V streaming/distribution
Internet of Things
Smart devices
Automation, remote control, or AI processing
Extensions or replacements of existing devices, equipment, or
systems
Security may not be integrated
Top concerns: access and encryption
Consider deploying in isolated subnet
Industrial Control Systems
Distributed Control Systems (DCS)
Manage/control industrial processes over a large-scale
deployment from a single location
Programmable Logic Controllers (PLC)
Single-purpose or focused-purpose digital computers
Supervisory Control and Data Acquisition (SCADA)
Stand-alone or internetworked
Does not always properly address security
Assess and Mitigate Vulnerabilities in Web-Based Systems 1/2
eXtensible Markup Language (XML)
Security Association Markup Language (SAML)
Web-based authentication
Single sign-on
Open Web Application Security Project (OWASP)
Secure Sockets Layer (SSL)/
Transport Layer Security (TLS)
Injections (SQL, LDAP, XML), XML exploitation,
Cross-site scripting (XSS),
Cross-site request forgery (XSRF)
Assess and Mitigate Vulnerabilities in Web-Based Systems 2/2
Static vs. dynamic content
Web applications
Server side executables, scripts, databases
Publicly accessed Web servers should be hosted outside of LAN
DMZ, co-location, cloud hosting
Input validation
Length, patterns, metacharacters
Limit account privileges
Assess and Mitigate Vulnerabilities in Mobile Systems
Device Security
Application Security
BYOD Concerns
overview
Device Security 1/2
Full device encryption
Remote wiping
Lockout
Screen locks
GPS
Application control
Storage segmentation
Asset tracking
Device Security 2/2
Inventory control
Mobile Device Management (MDM)
Device access control
Removable storage
Disabling unused features
Application Security
Key management
Credential management
Authentication
Geotagging
Encryption
Application whitelisting
BYOD Concerns 1/3
Bring your own device (BYOD)
Company owned, personally enabled (COPE)
Choose your own device (CYOD)
Corporate-owned mobile strategy
Virtual desktop infrastructure (VDI)
Virtual mobile infrastructure (VMI)
BYOD Concerns 2/3
Data ownership
Support ownership
Patch management
Antivirus management
Forensics
Privacy
Onboarding/offboarding
Adherence to corporate policies
BYOD Concerns 3/3
User acceptance
Architecture/infrastructure considerations
Legal concerns
Acceptable use policy
Onboard camera/video
Assess and Mitigate Vulnerabilities in
Embedded Devices and Cyber-Physical Systems
Embedded system
Stand system, static environment
Examples of embedded and static systems
Methods of securing
overview
Examples of
Embedded and Static Systems
Network-enabled devices
Cyber-physical systems
Internet of Things (IoT)
Mainframes
Game consoles
In-vehicle computing systems
Methods of Securing
Network segmentation
Security layers
Application firewalls
Manual updates
Firmware version control
Wrappers
Monitoring
Control redundancy and diversity
Essential
Security Protection Mechanisms
Technical Mechanisms
Security Policy and Computer Architecture
Policy Mechanisms
overview
Technical Mechanisms
Layering
Abstraction
Data hiding
Process isolation
Hardware segmentation
Security Policy and
Computer Architecture
Informs and guides design, development, implementation,
testing, and maintenance
Define rules and practices
Addresses hardware and software
Policy Mechanisms
Principle of least privilege
Separation of privilege
Accountability
Common Architecture Flaws and Security Issues 1/2
Covert Channels
Covert timing channels
Covert storage channels
Attacks Based on Design or Coding Flaws and Security Issues
Trusted recovery
Input and parameter checking
Maintenance hooks and privileged programs
Incremental attacks
Data diddling, salami (aggregation) attack
Common Architecture Flaws and Security Issues 2/2
Programming
Sanitize input, buffer overflow, exceptions, testing
Timing, State Changes, and Communication Disconnects
Time of check to time of use (TOCTOU) attacks
Technology and Process Integration
Service-oriented architecture (SOA)
Electromagnetic Radiation
TEMPEST
Faraday cage
Jamming, noise generators, control zones
Conclusion
Read the Exam Essentials
Review the Chapter
Perform the Written Labs
Answer the Review Questions

Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 

Chapter 9 security vulnerabilities, threats, and countermeasures

  • 1. Chapter 9 Security Vulnerabilities, Threats, and Countermeasures Assess and Mitigate Security Vulnerabilities Hardware Hardware Components Protection Mechanisms Memory Memory Addressing Secondary Memory Input/Output Devices Firmware overview Hardware Components Processor / central processing unit (CPU) Execution types: Multitasking Multicore Multiprocessing: SMP and MPP Multiprogramming Multithreading Processing types: Single state Multistate
  • 2. Protection Mechanisms 1/3 Protection rings Kernel mode or privileged mode User mode Mediated access/ system call Protection Mechanisms 2/3 Process states/Operating states OS: supervisory or problem Processes: Ready, Waiting, Running, Supervisory, Stopped Process scheduler or program executive Protection Mechanisms 3/3 Security Modes Requirements: MAC Physical control over who can access console Physical control over who can enter room Dedicated System high Compartmented
  • 3. Multilevel Memory Read only memory (ROM) Programmable Read-Only Memory (PROM) Erasable Programmable Read-Only Memory (EPROM) Electronically Erasable Programmable Read-Only Memory (EEPROM) Flash Random access memory (RAM) Real Cache Registers Memory Addressing Register Immediate Related to a register or as part of an instruction Direct Actual address of memory location Indirect An address of memory location which holds the address of the target data Base plus Offset Base address stored in a register, offset is relative location
  • 4. Secondary Memory 1/2 Magnetic, optical, or flash media Not immediately available to CPU Virtual memory Paging Security issues Theft, purging, physical access Primary vs. secondary Volatile vs. nonvolatile Random vs. sequential Secondary Memory 2/2 Data remanence SSD wear leveling Theft – encryption Device access control Data retention over use lifetime - availability Input/Output Devices Monitors Printers Keyboards and mice Modems Firmware
  • 5. Microcode Basic Input/Output System (BIOS) Unified Extensible Firmware Interface (UEFI) Phlashing Device firmware EEPROM Client-Based Systems 1/2 Applets Java and JVM ActiveX Local Caches 1/2 ARP ARP cache poisoning Client-Based Systems 2/2 Local Caches 2/2 DNS DNS cache poisoning: HOSTS file Authorized DNS Caching DNS DNS lookup address change DNS query spoofing Defence: split DNS, IDS Internet files Temporary Internet files and cache
  • 6. Server Based Systems Data flow control Load balancing Management between processes, devices, networks, or communication channels Efficient transmission with minimal delays or latency Reliable throughput using hashing and confidentiality protection with encryption Database Systems Security Aggregation Inference Data Mining and Data Warehousing Data dictionary Meta data Data mart Data Analytics Big Data Large-Scale Parallel Data Systems AMP, SMP, MPP Distributed Systems and Endpoint Security -server model Distributed architectures Endpoint security Screening/filtering email
  • 7. Download/upload policies Robust access controls Restricted user-interfaces File encryption (see list in book) Cloud-Based Systems and Cloud Computing 1/3 Hypervisor, virtual machine monitor (VMM) Type I hypervisor (native or bare-metal hypervisor) Type II hypervisor (hosted hypervisor) Cloud storage Elasticity Cloud computing PaaS SaaS IaaS Cloud-Based Systems and Cloud Computing 2/3 On-premise vs. hosted vs. cloud Private, public, hybrid, community Issues: Privacy concerns Regulation compliance difficulties Use of open/closed-source solutions Adoption of open standards Whether or not cloud-based data is actually secured (or even securable)
  • 8. Cloud-Based Systems and Cloud Computing 3/3 Cloud access security broker (CASB) Security as a service (SECaaS) Cloud shared responsibility model Grid and Peer to Peer Grid Computing Parallel distributed processing Members can enter and leave at will Work content is potentially exposed publicly Work packets are sometimes not returned, returned late, or returned corrupted Peer to Peer No central management system Services provided are usually real time VoIP, file distribution, A/V streaming/distribution Internet of Things Smart devices Automation, remote control, or AI processing Extensions or replacements of existing devices, equipment, or systems Security may not be integrated Top concerns: access and encryption Consider deploying in isolated subnet
  • 9. Industrial Control Systems Distributed Control Systems (DCS) Manage/control industrial processes over a large-scale deployment from a single location Programmable Logic Controllers (PLC) Single-purpose or focused-purpose digital computers Supervisory Control and Data Acquisition (SCADA) Stand-alone or internetworked Does not always properly address security Assess and Mitigate Vulnerabilities in Web-Based Systems 1/2 eXtensible Markup Language (XML) Security Association Markup Language (SAML) Web-based authentication Single sign-on Open Web Application Security Project (OWASP) Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) Injections (SQL, LDAP, XML), XML exploitation, Cross-site scripting (XSS), Cross-site request forgery (XSRF) Assess and Mitigate Vulnerabilities in Web-Based Systems 2/2 Static vs. dynamic content Web applications Server side executables, scripts, databases Publicly accessed Web servers should be hosted outside of LAN
  • 10. DMZ, co-location, cloud hosting Input validation Length, patterns, metacharacters Limit account privileges Assess and Mitigate Vulnerabilities in Mobile Systems Device Security Application Security BYOD Concerns overview Device Security 1/2 Full device encryption Remote wiping Lockout Screen locks GPS Application control Storage segmentation Asset tracking Device Security 2/2 Inventory control Mobile Device Management (MDM) Device access control Removable storage
  • 11. Disabling unused features Application Security Key management Credential management Authentication Geotagging Encryption Application whitelisting BYOD Concerns 1/3 Bring your own device (BYOD) Company owned, personally enabled (COPE) Choose your own device (CYOD) Corporate-owned mobile strategy Virtual desktop infrastructure (VDI) virtual mobile infrastructure (VMI) BYOD Concerns 2/3 Data ownership Support ownership Patch management Antivirus management Forensics Privacy
  • 12. Onboarding/offboarding Adherence to corporate policies BYOD Concerns 3/3 User acceptance Architecture/infrastructure considerations Legal concerns Acceptable use policy Onboard camera/video Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems Embedded system Stand system, static environment Examples of embedded and static systems Methods of securing overview Examples of Embedded and Static Systems Network-enabled devices Cyber-physical systems
  • 13. Internet of Things (IoT) Mainframes Game consoles In-vehicle computing systems Methods of Securing Network segmentation Security layers Application firewalls Manual updates Firmware version control Wrappers Monitoring Control redundancy and diversity Essential Security Protection Mechanisms Technical Mechanisms Security Policy and Computer Architecture Policy Mechanisms overview Technical Mechanisms Layering Abstraction Data hiding
  • 14. Process isolation Hardware segmentation Security Policy and Computer Architecture Informs and guides design, development, implementation, testing, and maintenance Define rules and practices Addresses hardware and software Policy Mechanisms Principle of least privilege Separation of privilege Accountability Common Architecture Flaws and Security Issues 1/2 Covert Channels Covert timing channels Covert storage channels Attacks Based on Design or Coding Flaws and Security Issues Trusted recovery Input and parameter checking Maintenance hooks and privileged programs Incremental attacks Data diddling, salami (aggregation) attack
  • 15. Common Architecture Flaws and Security Issues 2/2 Programming Sanitize input, buffer overflow, exceptions, testing Timing, State Changes, and Communication Disconnects Time of check to time of use (TOCTOU) attacks Technology and Process Integration Service-oriented architecture (SOA) Electromagnetic Radiation TEMPEST Faraday cage Jamming, noise generators, control zones Conclusion Read the Exam Essentials Review the Chapter Perform the Written Labs Answer the Review Questions