Exam 2 Flashcards

1
Q

What are the 5 functional categories of the NIST Cybersecurity Framework?

A
  1. Identify – critical processes and assets; document flow; software/hardware inventory; roles and responsibilities; threats and vulnerabilities
  2. Protect – establish safeguards and practices
  3. Detect – establish and implement activities to detect breaches
  4. Respond – establish detailed guidelines of actions to take when a breach is detected
  5. Recover – establish plans for recovering and restoring operations back to normal

National Institute of Standards and Technology (NIST)

2
Q

What’s the difference between threats, vulnerabilities, and exploits?

A

Threat – any potential danger to an asset. (Latent vs realized; latent threat has not been exploited, and may not be publicly known. A realized threat is when attackers actively exploit vulnerabilities.)

Vulnerability – a weakness in design, implementation, code. Can include lack of mechanisms (for example, not having a firewall).

Exploits – a piece of software, tool, or technique that takes advantage of a vulnerability. (Zero-day exploit, Exploit-DB & Metasploit)

3
Q

What is a CVE & what organization catalogs them?

A

CVE stands for Common Vulnerabilities and Exposures identifier; MITRE is the agency responsible for cataloging CVEs.

4
Q

What is a zero-day exploit?

A

Zero-day exploit – vulnerability that is not publicly known, but is actively being exploited.

5
Q

What are the 3 elements used to determine risk?

A

Risk – probability of the occurrence of a threat.

Risk is based upon 3 elements:
1. Assets
2. Threats
3. Vulnerabilities

6
Q

What are some of the most common forms of authentication-based vulnerabilities?

A

Authentication-based – vulnerability that is exploited by manipulating, bypassing, or stealing authentication credentials.

Common forms:
1. Session hijacking
2. Brute force
3. Default credentials
4. Redirecting
5. Unpatched Kerberos vulnerabilities

7
Q

What are the two types of firewalls?

A

Hardware-based – stand-alone appliance.

Software-based – installed on host devices.

8
Q

What are the differences between the 3 profiles for Windows firewalls?

A

3 Profiles: Domain, Private, Public.

  • Domain Profile – applied when joined to a domain; this allows firewall settings to be managed through Group Policy.
  • Private Profile – home use or non-domain office use.
  • Public Profile – when connected to public networks, such as a public library, etc.

9
Q

What is Netfilter & the difference between it and iptables/nftables?

A

Netfilter is a component of the Linux kernel. It interacts with the network stack to intercept and examine traffic.

iptables and firewalld were the de facto tools until 2015-ish.

nftables was introduced in 2014 and has slowly become the de facto tool.

10
Q

What is a chain?

A

iptables organizes traffic into categories called “chains.”

There are 5 chains:
1. INPUT – packets coming into the host.
2. OUTPUT – packets going out of the host.
3. FORWARD – packets coming into the host that are to be routed to another destination.
4. PREROUTING – used for NAT when the packet arrives at the host.
5. POSTROUTING – used by NAT before the packet exits the host.

The INPUT, OUTPUT, and FORWARD chains are the most common.

11
Q

In iptables, what are the 3 targets?

A

“Target” refers to the action applied to traffic.

There are 3 targets:
1. ACCEPT – packet is accepted and passed through the firewall.
2. REJECT – packet is dropped and not allowed to pass through the firewall. A rejection message is sent to the sending device.
3. DROP – packet is dropped and no rejection message is sent.

12
Q

What’s nft?

A

nft is the CLI command used to interact with the nftables tool.

13
Q

How do you display the current nftables rules?

A

nft list ruleset

14
Q

Where is the nftables config file located?

A

Located at /etc/nftables.conf.

To edit it from the command line: nano /etc/nftables.conf

15
Q

How do you restart nftables from the command line?

A

systemctl restart nftables

16
Q

Define Metasploit and Meterpreter.

A

Metasploit and Meterpreter are custom-built tools that are usually used to perform sandbox escape attacks.

Metasploit Framework (MSF) is a highly customizable penetration testing tool written in Ruby. It contains an updatable database of thousands of exploits and payloads. Additionally, it houses a development environment for creating your own custom exploits and payloads.

Meterpreter is arguably the most powerful payload in the Metasploit Framework. It is a Linux shell that is deployed into the target’s RAM. Because it runs in memory and is not written to the target’s hard drive, it leaves behind very little forensic evidence of the attack.

Note: Metasploit exploits and payloads that create bind or reverse shells will have “bind” and “reverse” in their names. Likewise, payloads that open Meterpreter shells will have “meterpreter” in their names.

17
Q

What is a subject?

A

Subject – entity that requests access to a resource. The subject usually performs the request on behalf of a principal.

18
Q

What is an object?

A

Object – entity that is, or contains, the requested resource.

19
Q

What does AAA stand for, and what are the differences between each?

A

Authentication, Authorization, and Accounting are known as “AAA.” Several protocols exist to implement them.

20
Q

Define Authentication.

A

Authentication – challenge issued to user to prove their identity.

  1. Auth by knowledge – user provides a secret. Ex: password, PIN, answers to security questions, etc.
  2. Auth by ownership – user must provide proof of owning something specific. Ex: employee badges, smart cards, randomized tokens.
  3. Auth by characteristic – user provides biometric or behavioral attributes.

Ex of biometric: fingerprint, facial recognition, eye scan, voice, etc. Ex of behavioral: signature, keystroke pattern.

21
Q

Define authorization

A

Authorization – process that grants subject access to object. These come in the form of permissions.

  1. Need to Know – access is granted only if the job role requires it. Put another way: grant users the least possible permissions needed to complete their jobs. Ex: a user in the engineering dept shouldn’t have permissions to HR files.
  2. Implicit Deny – if no permission is specified, access is implicitly denied.

  • Think RWX in Linux: read, write, execute. Windows uses similar permissions.
  • Linux breaks permissions into 3 levels: owner, group, other (everyone else).

22
Q

Define Accounting

A

Accounting – process of logging and monitoring what a user does once a resource is accessed.

  • Accounting is critical in security. A trail of actions helps provide non-repudiation.
  • Non-repudiation – in security, refers to a collection of facts proving a user (or someone masquerading as the user) took some action.

23
Q

Which authentication by characteristic is highly error prone?

A
  • Auth by behavioral characteristic is error prone. It should not be implemented as the only authentication challenge; in other words, use it only in multifactor auth processes.

24
Q

What’s the Linux command to print permissions for the current directory contents?

A

ls -la prints permissions in Linux.

25
Q

Define DAC.

A

Discretionary access control – in this model, access is decided by the object owner. If a user creates a file, the user owns that file and can decide who else can access it.

  • Primary benefit is the simplicity.
  • Two big disadvantages: 1. No centralized technical control 2. Privilege creep.
  • Privilege creep – when permissions are granted to a user, but never revoked, even when the user no longer needs access to the object.

26
Q

Define MAC models

A

Mandatory access control – access authorization is provided by the operating system. The owner has no control over who can access the resource.

  • Used in high security environments.
  • Labels are applied to objects that indicate:
    1. security level (Top Secret, Secret, Confidential, etc.)
    2. category (category description is up to the organization; usually indicates the workgroup, department, project, etc.)
  • Labels are also applied to subjects. Indicates the subject’s clearance level.
  • Example of MAC-based OS: SELinux.
  • Disadvantages: 1.) Rigid enforcement 2.) Complicated to administer.

27
Q

Define RBAC models

A

Role-based access control – this model uses a subject “role” to make authorization decisions.

  • Each role (not the subject) is assigned permissions over an object.
  • In Windows, a role is equivalent to a group. You assign permissions to the group, and place as many users as needed into the group.
  • Each subject must be assigned to at least one role, but can be assigned multiple roles.
  • Offers great flexibility and scalability.
  • Drawback: can be complex to manage when many users are members of many groups with many permissions; essentially, a many-to-many relationship.

28
Q

What are the two forms of reconnaissance? Name some examples.

A

Two forms: passive & active.

A Google search & social media are passive; an nmap scan & Burp Suite are active.

Passive recon – no active scanning of the target network; instead, search engines and open source tools are used to find publicly available information.

Active recon – attacker actively scans the target network.

29
Q

What is Shodan?

A

Shodan – online database of pre-scanned network devices with public IP addresses; basically, if a device has a public IP address, Shodan has a record for it. (Passive)

  • Data includes IP addresses, open ports, running services, APIs, etc.
  • Has search filters that allow fine-tuning of results based on country, CIDR block, open ports, etc.

30
Q

What’s the difference between a SYN and FIN scan?

A

TCP SYN – also known as a half-open scan; the TCP handshake is reset by the scanner if the target port responds with SYN/ACK; originally considered a stealthy scan, but most IDSs can detect them now.

TCP FIN – skips the TCP handshake and instead sends a FIN packet to the target port. Effective for Unix/Linux targets, but not Windows. Open ports will give no response. Closed ports respond with an RST/ACK packet.

31
Q

What’s the difference between a NULL and XMAS scan?

A

TCP NULL – scanner sends a packet with no flags set; originally a stealthy scan, but is now easily detectable, because legitimate traffic will always have at least one TCP flag set.

TCP XMAS – named XMAS due to all TCP flags being set (lit up like a Christmas tree). Effective against Unix/Linux, but not Windows.

32
Q

How do you run an aggressive nmap scan?

A

nmap -A [target]

33
Q

How do you run an OS detection scan with nmap?

A

nmap -O [target]

34
Q

What is Aircrack-ng?

A

Aircrack-ng – suite of tools for assessing wireless network security. Included with Kali.

aircrack-ng – component of the suite used for actual wireless PSK cracking.

35
Q

WEP was replaced with what and what actually got implemented?

A

WPA was intended to replace WEP; however, it was also too easy to crack.

So WPA3 was implemented, which replaces the PSK exchange with the Simultaneous Authentication of Equals (SAE) exchange.

  • Wired Equivalent Privacy (WEP) – oldest and weakest wireless encryption.

36
Q

What can you do to secure your own network?

A

Use a long, complex password (12+ characters, upper case, lower case, digits & special characters).