Cryptography and Mitigation (Ch. 10,11)

Question 1

PKI

Answer 1

_ public key infrastructure

Question 2

Symmetric vs asymmetric encryption

Answer 2

_ same key to encrypt and decrypt vs different keys
_ asymmetric requires PKI for certificates
_ asymmetric is much more resource intensive (so mainly only used to exchange symmetric keys)

Question 3

Stream cipher

Answer 3

_ encrypts one bit or one byte at a time
_ more efficient with unknown or variable length data

Question 4

Block cipher

Answer 4

_ encrypts data in blocks
_ more efficient with known-length data

Question 5

ECC

Answer 5

_ elliptic curve cryptography
_ minimal overhead
_ useful in mobile devices

Question 6

steganography

Answer 6

_ hides data within other files
_ e.g. embed data within whitespace of an image

Question 7

Digital signature for email

Answer 7

_ has of email encrypted with private key

Question 8

Benefits of a digital signature

Answer 8

_ authentication
_ non-repudiation
_ integrity

Question 9

MD5

Answer 9

_ message digest 5
_ hashing algorithm producing 128-bit hash
_ has vulnerabilities, so now used as a checksum
_ susceptible to has collisions, making it unsuitable as a cryptographic hash (e.g. for hashing passwords)

Question 10

SHA

Answer 10

_ secure hashing algorithm
_ can be used to verify integrity

Question 11

SHA-2

Answer 11

_ created by NSA
_ SHA-256 creates 256-bit hashes
_ SHA-512 creates 512-bit hashes
_ SHA-224 truncates SHA-256
_ SHA-384 truncates SHA-512

Question 12

SHA-3

Answer 12

_ created in a non-Nsa public competition
_ alternative to SHA-2 (making same sizes available)

Question 13

HMAC

Answer 13

_ hash-based message authentication code
_ fixed-length string requiring a shared secret to create and validate
_ encrypts MD5 hash
_ provides both integrity and authenticity
_ used in IPsec and TLS
_ (if hash is transmitted with message, attacker could revise hash for a revised message, but not with HMAC)

Question 14

sha256sum

Answer 14

_ calculates SHA-256 of a file

Question 15

Password spraying attack

Answer 15

_ a kind of brute force attack
_ loops over many accounts for each attempted password
_ increases time between attempts on any given account, helping to avoid password lockout

Question 16

Pass the hash attack

Answer 16

_ attacker first somehow acquires a hash for a password
_ attacker then uses that hash in authentication

Question 17

Birthday attack

Answer 17

_ named for the mathematical “birthday paradox”
_ in any group of 23 people, there is a 50% chance 2 of them were born on the same day of their birth year
_ attack guesses the hash (which has collisions)

Question 18

Rainbow table attack

Answer 18

_ attempts to discover a password from a hash
_ rainbow table is a DB of hashes for passwords (e.g. hashes for every possible 9-digit password)
_ hashes are time-consuming to produce, but rainbow tables can be so huge that they save time

Question 19

Key stretching

Answer 19

_ applies cryptographic stretching to a salted password to make the effort of guessing hashes much more time consuming
_ Bcrypt, PBKDF2, and Argon2 also key stretch

Question 20

Bcrypt

Answer 20

_ salts password prior to encrypting
_ repeats process up to 60 times to make computationally expensive
_ 60-character string

Question 21

pepper

Answer 21

_ a second random salt number

Question 22

PBKDF2

Answer 22

_ 64+ bit salt with HMAC
_ can (but need not) repeat process many times to make computationally expensive

Question 23

AES

Answer 23

_ advanced encryption standard
_ symmetric key algorithm
_ encrypts into 128-bit blocks
_ key sizes 128, 192, or 256 bits
_ fast, efficient, strong

Question 24

3DES

Answer 24

_ “triple DES” (Data Encryption Standard)
_ improves on DES
_ encrypts in 3 passes with 3 different keys
_ more resource intensive than AES
_ used when hardware doesn’t support AES

Question 25

Key exchange

Answer 25

_ asymmetric keys are used to secretly exchange a symmetric key
_ the symmetric key is then used for encryption and decryption because it’s much more efficient

Question 26

Digital certificate

Answer 26

_ means by which public keys are shared
_ includes a public key
_ describes owner of the certificate
_ serial number
_ certificate authority issuer
_ validity dates
_ valid usage (encryption, authentication, etc.)
_ CN
_ sent to clients in response to an HTTPS request

Question 27

CA

Answer 27

_ certificate authority
_ issues and manages digital certificates
_ provides trust in certificates

Question 28

Ephemeral key

Answer 28

_ lasts only the duration of a session

Question 29

RSA key lengths

Answer 29

_ 1024, 2048, 4096 bits
_ 1024 no longer considered secure

Question 30

tokenization

Answer 30

_ obfuscation technique that replaces sensitive data with non-sensitive placeholders (i.e. tokens)
_ tokens have to be looked up within a database to retrieve what they represent
_ reduces exposure when one of the datasets is compromised

Question 31

masking

Answer 31

_ showing asterisks instead of a typed value

Question 32

Encryption with private key

Answer 32

_ for making digital signatures
_ not used to encrypt web traffic; that’s done with an ephemeral symmetric key

Question 33

DSA

Answer 33

_ digital signature algorithm
_ encrypted hash of a message, using sender’s private key
_ authenticates the sender
_ sender can’t repudiate that they sent the message
_ ensures message integrity, as the hash was included
_ encrypting the message would do the same but take far more resources

Question 34

S/MIME

Answer 34

_ secure/multipurpose internet mail extensions
_ used for digitally signing and encrypting/decrypting email

Question 35

HTTPS TLS handshake

Answer 35

_ client requests an HTTPS session (but TLS is not restricted to HTTP)
_ server responds with certificate containing its public key
_ client creates a symmetric key
_ client encrypts symmetric key with server’s public key
_ client sends encrypted symmetric key to server
_ server decrypts symmetric key with server’s private key
_ data is thereafter encrypted with the symmetric key

Question 36

Downgrade attack

Answer 36

_ forces system to downgrade its security
_ attacker then exploits the lesser security
_ e.g. if SSL is enabled and client says it doesn’t support TLS, server might allow SSL
_ e.g. if server supports a weak cipher suite, client might force it to downgrade to that

Question 37

blockchain

Answer 37

_ distributed, decentralized public ledger

Question 38

Blockchain block

Answer 38

Contains:
_ info about the transaction
_ info about the parties involved (digital signatures rather than names)
_ a hash that uniquely identifies the block

Question 39

Blockchain block creation process

Answer 39

_ transaction occurs
_ networked computers verify transaction
_ transaction is recorded in a block
_ block is assigned a hash
_ block is added to the blockchain (referencing the prior block’s hash)

Question 40

entropy

Answer 40

_ randomness of a cryptographic algorithm
_ greater randomness provides greater security

Question 41

Plaintext attack

Answer 41

_ attacker has plaintext and its associated ciphertext
_ can then determine the encryption method
_ can then decrypt any ciphertext

Question 42

Chosen-plaintext attack

Answer 42

_ attacker has part of the text associated with some ciphertext
_ can be used to find the encryption method

Question 43

Root certificate

Answer 43

_ certificate that identifies the CA
_ goes in Os or browser’s root certificate store
_ browsers often ship with root certificates
_ can be used to sign certificates of other CAs to convey trust to those CAs, making CAs hierarchical
_ leaf node CAS of this hierarchy are used in apps and services
_ may be kept offline to prevent compromise, enabling it to re-issue certs for compromised certs

Question 44

Certificate chain/path

Answer 44

_ chain of all certs from root to any given cert

Question 45

CSR

Answer 45

_ certificate signing request
_ includes purpose of certificate, a public key, and info about the owner of the public key
_ CA receives CSR, validates owner’s identity, and issues a certificate containing the public key
_ validation process depends on declared purpose

Question 46

RA

Answer 46

_ registration authority
_ assists with registration process
_ doesn’t issue certificates
_ used by large organizations

Question 47

Reasons to revoke a cert

Answer 47

_ private key compromise
_ CA compromise
_ change of affiliation
_ superseded by another cert
_ cease of operation
_ certificate hold
_ certificate holder’s request

Question 48

CRL

Answer 48

_ certificate revocation list
_ publicly available
_ often downloaded and cached, so it might not be up-to-date

Question 49

OCSP

Answer 49

_ online certificate status protocol
_ API for determining whether a cert has been revoked
_ signs the response (+ timestamp) so that response can be reused by others with trust (aka “stapling”)

Question 50

Validating a cert

Answer 50

_ check whether expired
_ check whether issued by a trusted CA (i.e. whether it’s in the certificate authorities store)
_ check whether revoked (requiring that the client request the CRL from the CA or use OCSP)
_ if the site provides a “stapled” OCSP response, the client can verify this response and need not perform the above checks, reducing traffic to the OCSP and CA

Question 51

Certificate pinning

Answer 51

_ HTTPS response includes a header listing hashes derived from public keys that the site uses
_ each hash also has a max-age telling the client when to expire the hash
_ when clients reconnect to a website, they recalculate the hashes and compare with the returned values
_ matching hashes indicate a return to an already-verified website

Question 52

Key escrow

Answer 52

_ process of placing coy of a key in a safe environment for recovery purposes

Question 53

KMS

Answer 53

_ key management system
_ manages entire life cycle of cryptographic keys (generation, storage, distro, rotation, retirement/revocation/destruction)

Question 54

Common cert types

Answer 54

_ machine/computer - identifies the device within a domain
_ user - for encryption or authentication
_ email - encryption and signing
_ code signing - signing software and scripts
_ self-signed - privately used certs, not CA-backed
_ root - root cert of a CA
_ wildcard - starts with an asterisk, applying to all subdomains of a given domain
_ subject alternative name (SAN) - applies to different domains owned by the same org
_ domain validation - asserts an org owns a domain

Question 55

Cert filename extensions

Answer 55

_ there are many cert file formats
_ e.g. .crt, .cer, .pem, .p7b, .p7c, .p7s, .pfx, .p12
_ file may have a format different from that indicated by its extension

Question 56

CER

Answer 56

_ ASCII format cert

Question 57

DER

Answer 57

_ binary format cert

Question 58

PEM

Answer 58

_ privacy-enhanced email (cert format)
_ certs can be used for purposes other than email
_ very common format

Question 59

P7B

Answer 59

_ cert format often used to share public keys

Question 60

P12 and PFX

Answer 60

_ cert formats used to hold private keys

Question 61

Perfect forward secrecy

Answer 61

_ generates a new random public key for each session
_ generates key non-deterministically (given same input, generates a different public key)
_ keys therefore are not reused
_ past compromised keys can’t be used in a later attack

Question 62

Backout plan

Answer 62

_ steps to follow if a change goes wrong
_ restores system to a previous operational state ASAP

Question 63

wiping

Answer 63

_ erases data from disks by overwriting various patterns multiple times
_ does not apply to SSDs, which require a special erase process; SSDs are usually therefore destroyed

Question 64

degaussing

Answer 64

_ a powerful magnet renders data on tapes and disk drives unreadable
_ not effective on SSDs

Question 65

COD

Answer 65

_ certification of (device or drive) destruction

Question 66

Incident response plan

Answer 66

_ formal plan of how to respond to an incident
_ defines incident types (distinguishing events from incidents)
_ response team
_ roles and responsibilities
_ communication plan

Question 67

Incident communication plan

Answer 67

_ first responders should know who to contact under what conditions
_ further internal communication plans with others
_ reporting requirements with external entities
_ constraints on external communication
_ plan for communicating with the customer

Question 68

SOC

Answer 68

_ security operations center

Question 69

Incident response process

Answer 69

_ preparation before an incident, including establishing procedure to prevent incidents
_ detection processes and operations
_ analysis to determine whether an event is an incident
_ containment of incident (e.g. isolating or unplugging system)
_ eradication of the components of the attack (and forensic analysis)
_ recovery, returning systems to normal
_ lessons learned

Question 70

Order of volatility

Answer 70

Order in which to collect evidence. Most to least volatile:
_ cache
_ RAM
_ swap file or pagefile
_ disk
_ attached devices (e.g. USB drives)
_ network

Question 71

dd

Answer 71

_ data duplicator command
_ good for taking snapshots for forensic examination

Question 72

Legal hold

Answer 72

_ legal obligation to maintain different types of data as evidence

Question 73

eDiscovery

Answer 73

_ identification and collection of electronically stored data (for legal purposes)

Question 74

Chain of custody

Answer 74

_ process that assures that evidence has been properly controlled and handled
_ in security, this is form that gets filled out indicating every person who was in possession of the asset
_ control is the effort to ensure that the written chain of custody remains valid

Question 75

TTP

Answer 75

_ tactics, techniques, and procedures of an attack

Question 76

SOAR

Answer 76

_ security orchestration, automation, and response
_ tools that respond to low-level security events automatically
_ e.g. responding to phishing emails
_ e.g. opening attachments in a sandbox to observe behavior
_ uses playbooks and runbooks

Question 77

playbook

Answer 77

_ general guidelines
_ e.g. what to check to detect a phishing email

Question 78

runbook

Answer 78

_ technical details for implementing playbook
_ uses the tools of the organization
_ either auto-handles the event or tasks an admin

Question 79

Security governance

Answer 79

_ responsibilities and processes established by an organization to manage its security efforts
_ provides framework for making decisions
_ sets strategic direction and goals
_ indicates how to manage risk

Question 80

AUP

Answer 80

_ acceptable use policy
_ of computer system or network

Question 81

Information security policy

Answer 81

_ protects data and information systems
_ rules for managing, protecting, distributing information
_ e.g. password complexity, handling of sensitive data

Question 82

Security guidelines

Answer 82

_ best practices (optional)
_ unlike policies, standards, and procedures, which are mandatory

Question 83

Data governance

Answer 83

_ processes an organization uses to manage, process, and protect data
_ helps ensure or improve quality of data

Question 84

Data roles

Answer 84

_ data owner - responsible for the data, including classifying it
_ data steward - entity to whom owner delegates management of the data
_ data custodian - does routine daily tasks like backup
_ data controller - org that collects info from employees for payroll processing
_ data processor - third-party org that works with data on behalf of the data controller

Question 85

EOSL

Answer 85

_ end of service life
_ end of vendor support

Question 86

Right-to-audit clause

Answer 86

_ clause in cloud contracts giving customers right to hire an auditor to review cloud provider’s records and systems

Question 87

SLA

Answer 87

_ service level agreement
_ stipulates performance expectation
_ e.g. uptime/downtime levels
_ may include a monetary penalty for failure to meet

Question 88

MOU

Answer 88

_ memorandum of understanding
_ aka memorandum of agreement (MOA)
_ expresses understanding between parties to work together toward a goal
_ less formal than an SLA and no monetary penalties

Question 89

BPA

Answer 89

_ business partners agreement
_ written agreement detailing relationship between business partners and obligations

Question 90

MSA

Answer 90

_ master services agreement
_ structured agreement for vendors used repeatedly
_ agreement applies across projects
_ a work order (WO) or statement of work (SOW) is written per project

Question 91

Rules of engagement

Answer 91

_ what one is and is not allowed to do in security testing

Question 92

GLBA

Answer 92

_ Gramma-Leach Bliley Act
_ aka Financial Services Modernization Act
_ requires financial institutions to provide consumers with privacy notices

Question 93

GDPR

Answer 93

_ general data projection regulation
_ an EU directive mandating privacy for EU individuals
_ applies globally

Question 94

PCI DSS

Answer 94

_ payment card industry data security standard
_ contractual relationship between banks that issue credit cards and merchants
_ provides strict requirements for handling cardholder data

Question 95

Due diligence

Answer 95

_ actions taken to ensure organization is aware of all legal requirements

Question 96

Due care

Answer 96

_ continuous effort to ensure organization adhere to legal requirements and identifies non-compliance in a timely manner

Question 97

CBT

Answer 97

_ computer based training