Exam 3 Flashcards
Define Plain/Clear Text & Cipher text.
Plain/Clear Text – the original, unaltered data. Not necessarily “text”: any data (a file, a packet, a key) before it is encrypted.
Cipher Text – data that has been converted into an encrypted form using a cipher and a key. It can be decrypted back to the plain text only with the matching key.
Know what hashes are and why they are used?
Hashing – a one-way function (not encryption: there is no key and nothing to decrypt) that maps data of any size to a fixed-size digest. It is computationally infeasible to reverse and is used to provide assurance of data integrity.
- A hash value of a given data set is deterministic: it never changes unless the data set changes, so a changed digest means changed data.
Which MD algorithms are broken?
MD2, MD4, & MD5 – “MD” stands for “message digest.” All three are considered broken: MD4 and MD5 have practical collision attacks (an MD5 collision can be produced in seconds on commodity hardware), so none of them should be used for integrity checks or signatures.
What is a collision attack, and how is it written?
Collision Attack – an attack that tries to find 2 different messages (data sets) that produce the same hash value.
- If 2 different data sets result in the same hash value when run through a hashing algorithm, that algorithm is considered broken for integrity purposes: an attacker can substitute one data set for the other without the digest changing.
Ex: hash(m1) = hash(m2), with m1 ≠ m2
Notation used in class:
hash (p1 | md) = ct
hash (p2 | md) = ct
(two different inputs p1 and p2 producing the same digest ct)
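An added worked example (not part of the original flashcards, Python 3 standard library only) showing both points above: a hash is deterministic, and a collision is found by the birthday method. Because a full SHA-256 collision is out of reach, the example deliberately truncates SHA-256 to 24 bits as a stand-in for a too-short or broken digest; the truncation width and the `msg-` message prefix are assumptions of the example.

```python
import hashlib
import itertools
import math


def digest(data: bytes) -> str:
    """Full SHA-256 hex digest; the same input always yields the same digest."""
    return hashlib.sha256(data).hexdigest()


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-256 cut down to its first `bits` bits: a deliberately weak toy hash
    used only so that a collision can be found in a fraction of a second."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday attack: hash distinct messages until two share a truncated digest.
    Expected work is about 2**(bits/2) hashes, not 2**bits.
    Returns (m1, m2, shared_digest, attempts)."""
    seen = {}
    for i in itertools.count():
        m = prefix + str(i).encode()          # every message is distinct
        d = truncated_digest(m, bits)
        if d in seen:
            return seen[d], m, d, i + 1
        seen[d] = m


def expected_attempts(bits: int) -> float:
    """Rough birthday-bound estimate: sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    m1, m2, d, n = find_collision(24)
    print(f"collision after {n} hashes (expected about {expected_attempts(24):.0f})")
    print(m1, m2, hex(d))
    print("full SHA-256 still differs:", digest(m1) != digest(m2))
```

Doubling the digest length only squares the attacker's work, which is why a 128-bit digest such as MD5 was already marginal by design before its structural weaknesses were found.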
What needs to be understood with Symmetric encryption?
Symmetric Cryptography – any cryptographic algorithm that uses a single shared secret key to both ENCRYPT and DECRYPT (AES is the current standard).
Which two of the listed symmetric algorithms are broken?
3DES, Blowfish, DES, AES, RC2, RC4, RC5, RC6, IDEA
DES (56-bit key; brute-forceable since the late 1990s) and RC4 (biased keystream). RC4 was the stream cipher in WEP, the original Wi-Fi encryption standard found on home routers, and has since been prohibited in TLS as well.
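An added example (not part of the original flashcards; Python 3 standard library only) of the single-key property and of the classic way a stream cipher fails. The keystream generator here is a toy built from HMAC-SHA256 in counter mode, chosen so the code runs without any library; it stands in for RC4's keystream and is not RC4. The failure shown, reusing the same key and nonce for two messages, is the keystream-reuse problem that WEP's short IV made unavoidable; the key, nonce and messages are constructed for the example.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated.
    Stands in for RC4's keystream generator; it is not RC4."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric: the same call with the same key and nonce both encrypts and decrypts."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def recover_xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """If two messages were encrypted under the same key AND nonce, the keystream
    cancels out: c1 XOR c2 == p1 XOR p2, with no knowledge of the key."""
    return xor_bytes(c1, c2)


def crib_drag(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Given the XOR of the plaintexts and one known plaintext, the other falls out."""
    return xor_bytes(recover_xor_of_plaintexts(c1, c2), known_p1)


if __name__ == "__main__":
    key, nonce = b"\x01" * 16, b"\x00" * 8          # constructed demo values
    p1, p2 = b"attack at dawn!", b"retreat at dusk"
    c1 = stream_crypt(key, nonce, p1)
    c2 = stream_crypt(key, nonce, p2)             # same key AND nonce: the mistake
    print("decrypts:", stream_crypt(key, nonce, c1) == p1)
    print("recovered p2 without the key:", crib_drag(c1, c2, p1))
```

The fix is never to reuse a (key, nonce) pair; WEP's 24-bit IV guaranteed reuse within hours on a busy network, which is one reason it is listed as broken above.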
Define Cipher & Key.
Cipher – the algorithm used for encrypting plain text into cipher text.
Key – a discrete piece of information, usually random in nature, that parameterizes the cipher; it is what “unlocks” the cipher text.
What are the two biggest weaknesses of symmetric encryption?
Symmetric encryption lacks nonrepudiation (both parties hold the same key, so either one could have produced a given message) and has no built-in way to share the key securely (the key-distribution problem).
What are the two keys that asymmetric encryption use?
two keys: a private key (kept secret by its owner) and a public key (freely distributed)
Describe how a session key is generated.
The client obtains the server's public key (e.g., from its certificate), generates a random session key for the agreed-upon symmetric algorithm, encrypts the session key using the server's public key, and sends it to the server. Only the server's private key can recover the session key, which then protects the bulk traffic.
(This is RSA key transport, as used in TLS 1.2 and earlier; TLS 1.3 instead derives session keys with ephemeral Diffie-Hellman so that a later compromise of the server's private key does not expose past sessions.)
Between a public and private key, which one can decrypt?
Only the private key can decrypt anything encrypted with the matching public key. (Conversely, anything signed with the private key can be verified by anyone holding the public key.)
For RSA, know the formulas to encrypt and decrypt.
Encrypt: t^e (mod n) = c
Decrypt: c^d (mod n) = t
where n = p·q for two large secret primes p and q, e is the public exponent, and d is the private exponent chosen so that e·d ≡ 1 (mod (p−1)(q−1)); (e, n) is the public key and d is the private key.
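An added example (not part of the original flashcards; Python 3.8+ standard library) that carries the two RSA formulas through and uses them for the session-key exchange described above. The primes are the Mersenne primes 2^127−1 and 2^89−1, chosen only so that a 128-bit session key fits under the modulus; real keys use 2048-bit or larger moduli built from random primes. The function names are the example's own.

```python
import os

# Constructed toy primes: Mersenne primes 2**127-1 and 2**89-1 (real RSA uses 2048-bit+ moduli).
P = 2**127 - 1
Q = 2**89 - 1


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return ((e, n), (d, n)) with e*d = 1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(t: int, pub) -> int:
    """Encrypt: c = t^e mod n."""
    e, n = pub
    if not 0 <= t < n:
        raise ValueError("plaintext integer must be smaller than the modulus")
    return pow(t, e, n)


def rsa_decrypt(c: int, priv) -> int:
    """Decrypt: t = c^d mod n."""
    d, n = priv
    return pow(c, d, n)


def client_wrap_session_key(server_pub, nbytes: int = 16):
    """Client side: make a random symmetric session key and encrypt it with the
    server's public key. Returns (session_key, wrapped_key)."""
    session_key = os.urandom(nbytes)
    wrapped = rsa_encrypt(int.from_bytes(session_key, "big"), server_pub)
    return session_key, wrapped


def server_unwrap_session_key(wrapped: int, server_priv, nbytes: int = 16) -> bytes:
    """Server side: only the private key holder can recover the session key."""
    return rsa_decrypt(wrapped, server_priv).to_bytes(nbytes, "big")


if __name__ == "__main__":
    pub, priv = rsa_keygen(P, Q)
    key, wrapped = client_wrap_session_key(pub)
    print("server recovered the same key:", server_unwrap_session_key(wrapped, priv) == key)
```

This is textbook RSA with no padding, which is fine for seeing the math but not for a real protocol: deployed RSA key transport wraps the key with PKCS#1 or OAEP padding, and an unpadded scheme is malleable and leaks information.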
What are the two forms of ECC?
group (point) addition – the line through two distinct points P and Q meets the curve at a third point; reflecting that point across the x-axis gives P + Q (3 points of intersection)
point doubling – the tangent line at P meets the curve at one more point; reflecting it across the x-axis gives 2P (2 points of intersection)
In an ECC public key what does (P, T) stand for?
P – the agreed-upon starting (base) point on the curve (described in class as the leftmost or first point of intersection)
T – the point reached from P after the secret number of additions/doublings, i.e. T = d·P; both P and T are public
In an ECC private key, what does (d) stand for?
(d) is the number of group additions / point doublings needed to get from P to T
(each step reflects the new intersection across the x-axis until you reach T). Recovering d from the public pair (P, T) is the elliptic-curve discrete logarithm problem, which is what keeps the private key secret.
Why is ECC popular?
ECC is popular because it can reach the same (or higher) levels of security as RSA with much shorter key lengths (a 256-bit ECC key is rated comparable to a 3072-bit RSA key), which means smaller keys, signatures, and certificates and faster operations.
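An added worked example (not part of the original flashcards; Python 3.8+ standard library) of the ECC cards above: the two group operations, the public pair (P, T) with T = d·P, and why d is hard to recover. The curve y² = x³ + 2x + 2 over the integers mod 17 with base point (5, 1) of order 19 is a constructed toy; a real curve such as P-256 works over a 256-bit prime, where the brute-force search at the end would take about 2^128 steps.

```python
# Toy curve y^2 = x^3 + A*x + B over the integers mod P_MOD (constructed parameters).
P_MOD, A, B = 17, 2, 2
BASE = (5, 1)       # the agreed-upon base point P
ORDER = 19          # 19*BASE is the point at infinity
INF = None          # point at infinity: the group's identity element


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Group law. Distinct points: the chord meets the curve in a third point (addition).
    Same point: the tangent meets the curve in one more point (doubling).
    Either way the result is that intersection reflected across the x-axis."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                      # P + (-P)
    if p1 == p2:                                        # doubling: slope of the tangent
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                                               # addition: slope of the chord
        s = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    y3 = (s * (x1 - x3) - y1) % P_MOD                  # reflection across the x-axis
    return (x3, y3)


def scalar_mult(d, pt):
    """T = d*P by double-and-add: O(log d) group operations, so the key holder is fast."""
    result, addend = INF, pt
    while d > 0:
        if d & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        d >>= 1
    return result


def ecdlp_bruteforce(P, T, order):
    """Recover the private d from the public pair (P, T) by stepping P, 2P, 3P, ...
    Feasible only because this curve has 19 points."""
    acc = INF
    for d in range(order):
        if acc == T:
            return d
        acc = point_add(acc, P)
    return None


if __name__ == "__main__":
    d = 7                                   # private key (constructed)
    T = scalar_mult(d, BASE)                # public key is the pair (BASE, T)
    print("T =", T, "recovered d =", ecdlp_bruteforce(BASE, T, ORDER))
```

The asymmetry is the whole point: computing T from d takes a handful of doublings and additions, while going back from (P, T) to d has no shortcut better than roughly the square root of the group order.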
What are the two forms of VPNs?
site-to-site and remote-access
Of the 6 VPN protocol families, which are the most widely used?
MPLS, IPsec, and SSL/TLS
MPLS doesn’t do what by itself?
MPLS does not encrypt traffic by itself; it only separates traffic into labeled paths across the provider's network, so confidentiality requires IPsec or SSL/TLS on top of it.
Which VPNs are the most secure?
IPsec and SSL/TLS
IPsec uses 3 families of protocols: IKE, AH, ESP. What is each one responsible for?
IKE (Internet Key Exchange) – the key-management protocol that negotiates the security associations (algorithms and keys) between the endpoints before any protected traffic flows. Establishing the tunnel is broken into 2 phases, discussed later. Uses UDP port 500 (and UDP 4500 when NAT traversal is in use).
AH (Authentication Header, IP protocol 51) – used to authenticate the sender and verify the integrity of the packet, including the outer IP header; no encryption.
ESP (Encapsulating Security Payload, IP protocol 50) – responsible for encrypting the payload; can also authenticate it.
(Transport mode and tunnel mode are separate choices that apply to both AH and ESP: transport mode protects only the payload between two hosts, while tunnel mode wraps the entire original IP packet inside a new one, which is what site-to-site VPNs use.)
What does IPsec Phase 1 create?
a security association (the IKE SA) between the endpoints: the peers authenticate each other and agree on keys that protect the rest of the negotiation.
IPsec Phase 2 creates what?
the IPsec SAs (one per direction) that form the tunnel client data passes through.
What does AH provide?
AH only provides authentication, not encryption
What does ESP provide?
ESP can provide both authentication & encryption (its authentication covers the payload but not the outer IP header, which is the one thing AH adds)
What are the advantages of SSL/TLS over IPsec?
Always encrypts (TLS has no authentication-only mode comparable to AH alone)
Ubiquity (TCP port 443 is open almost everywhere)
Cheap (a browser or lightweight client is enough; no IPsec client or appliance to configure)
Easily traverses firewalls and NATs (IPsec has trouble here: ESP carries no port numbers for a NAT to track, so it needs NAT-T over UDP 4500)
Know the four phases of IAM (short answer)
Four Phases:
1. Registration and Identity Validation
2. Privileges Provisioning
3. Access Review
4. Access Revocation
Know the 3 things a security policy should address in terms of password security
The policy should address:
* Strength – password length and complexity
* Age – how long between forced password resets (note that NIST SP 800-63B now advises against forced periodic rotation unless there is evidence of compromise)
* Reusability – how many password changes must occur before a previously used password may be reused (password history)
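An added example (not part of the original flashcards; Python 3 standard library only) of the three policy elements as enforced code. The thresholds in PasswordPolicy and the constructed candidate passwords are the example's own assumptions; the reuse check works only against salted PBKDF2 hashes, never stored plaintext, since the history itself would otherwise be a list of the user's old passwords.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:                 # thresholds are assumptions of the example
    min_length: int = 12              # Strength: length
    min_char_classes: int = 3         # Strength: complexity (of lower, upper, digit, symbol)
    max_age_days: int = 365           # Age
    history_depth: int = 10           # Reusability: how many past passwords are off-limits


def char_classes(pw: str) -> int:
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def hash_password(pw: str, salt: Optional[bytes] = None, iterations: int = 50_000) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the history stores (salt, hash), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def check_new_password(candidate: str, history: List[Tuple[bytes, bytes]],
                       policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations (empty means the password is acceptable)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if char_classes(candidate) < policy.min_char_classes:
        problems.append(f"uses fewer than {policy.min_char_classes} character classes")
    recent = history[-policy.history_depth:] if policy.history_depth else []
    for salt, old_hash in recent:          # re-derive with each entry's own salt
        if hmac.compare_digest(hash_password(candidate, salt)[1], old_hash):
            problems.append("reuses a recent password")
            break
    return problems


def rotation_due(last_changed_iso: str, today_iso: str, policy: PasswordPolicy) -> bool:
    """Age check on ISO dates, e.g. rotation_due('2024-01-01', '2025-02-01', policy)."""
    last, today = date.fromisoformat(last_changed_iso), date.fromisoformat(today_iso)
    return (today - last).days > policy.max_age_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [hash_password("Correct-Horse-9")]          # constructed prior password
    for candidate in ("Correct-Horse-9", "short1A!", "alllowercaseonly", "Battery-Staple-42"):
        print(candidate, "->", check_new_password(candidate, history, policy) or "ok")
```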
Know the best way to offset weak passwords?
One of the best ways to offset weak passwords is MFA (multi-factor authentication): entering the password triggers a second factor such as a one-time code delivered by text or phone call, an authenticator app, or a hardware security key. (Codes sent by SMS or voice are the weakest form, since they can be intercepted or SIM-swapped; app- or hardware-based factors resist phishing far better.)
What is SSO?
single sign-on; sign on once and receive access to all permitted resources
What is Kerberos?
a ticket-based SSO authentication protocol; it is the default authentication protocol in Active Directory domains
Define Federated SSO.
establishes a trust relationship between two different organizations’ networks, so a user authenticated by one can access resources in the other
What is SAML?
Security Assertion Markup Language (SAML) – widely used standard for federated SSO.
SAML is XML-based; it is a framework for securely exchanging “assertions” (signed statements about who a user is and what attributes they have).
In SAML, what are SP and IdP?
Service provider (SP) – the entity that provides the requested service to the principal (the user); it trusts the IdP's assertions instead of checking passwords itself.
Identity provider (IdP) – the authentication authority; it verifies the user and issues a signed assertion to the SP.
EX: the SP is Blackboard; the IdP (the school's login service) authenticates you and sends Blackboard an assertion saying who you are.
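An added example (not part of the original flashcards; Python 3 standard library only) of what the SP side does with an assertion once it arrives: check the issuer is the trusted IdP, check the validity window, check the assertion was issued for this SP (the Audience), and only then read the subject and attributes. The assertion XML is constructed for the example and is not from any real IdP, and its XML signature element is omitted: in production the SP must verify that signature (e.g., with xmlsec) before any of these checks, and should parse with a hardened parser such as defusedxml rather than xml.etree.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (no real IdP; Signature element omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject><saml:NameID>student@example.edu</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://lms.example.edu/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, trusted_issuer: str, my_entity_id: str,
                       now: datetime) -> Tuple[str, Dict[str, str]]:
    """SP-side checks run AFTER signature verification. Returns (subject, attributes)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise ValueError("not a SAML assertion")
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != trusted_issuer:
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now < parse_saml_time(cond.get("NotBefore")) or now >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if my_entity_id not in audiences:
        raise ValueError("assertion was issued for a different service provider")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=SAML_NS)
             for a in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)}
    return subject, attrs


def is_rejected(xml_text: str, trusted_issuer: str, my_entity_id: str, now: datetime) -> bool:
    """True if the SP would refuse this assertion."""
    try:
        validate_assertion(xml_text, trusted_issuer, my_entity_id, now)
        return False
    except ValueError:
        return True
```

The Audience check is the one most often skipped: without it, an assertion the IdP issued for one SP can be replayed to another SP that trusts the same IdP.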
What is SIEM?
SIEM systems – Security Information and Event Management software; collects and correlates logs and events from many sources so that detections and investigations can be run from one place.
What is a baseline configuration?
a set of configuration attributes for a system that has been reviewed and tested and serves as the known-good reference; it can only be altered through a formal change process, and drift from it is something to detect.
What are the 3 phases of vulnerability management? (short answer)
3 Phases of vulnerability management:
1. Identification
2. Analysis and Prioritization
3. Remediation
What should IR SOPs (standard operating procedures) include?
The SOPs should include specific technical processes, techniques, checklists.
What are the 4 phases of IR process?
Phase 1 – Preparation
Phase 2 – Detection and Analysis
Phase 3 – Contain, Eradicate, Recover
Phase 4 – Post-Incident Activity (Postmortem)
Detection/Analysis and Containment/Eradication phases are often what?
loops: analysis uncovers more affected systems, which sends the team back to containment, and containment actions produce new evidence to analyze.
Which phase is intended to improve the IR response in the future?
the Postmortem phase is intended to improve the IR response in the future
What are the parts of the 5-Tuple?
The 5-Tuple – common industry term for the minimum event artifacts
that should be recorded:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Protocol
(Note that all 5 are found in packet headers: addresses and protocol number in the IP header, ports in the TCP or UDP header.)
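An added example (not part of the original flashcards; Python 3 standard library only) that pulls the 5-tuple straight out of raw IPv4 packet bytes, which is where the note above says it lives. It also shows the NAT point from the SSL/TLS-vs-IPsec card: TCP (TLS on 443) and UDP (IKE on 500) packets carry ports, while an ESP packet (IP protocol 50) has none, so a NAT has nothing to track. The three sample packets are constructed for the example with a minimal header and a zero checksum; the IPs and ports are made up.

```python
import socket
import struct
from typing import NamedTuple, Optional

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: Optional[int]   # None for protocols without ports (ESP, AH, ICMP)
    dst_port: Optional[int]
    protocol: int


def parse_five_tuple(pkt: bytes) -> FiveTuple:
    """Extract the 5-tuple from a raw IPv4 packet's headers."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    protocol = pkt[9]
    src_ip = socket.inet_ntoa(pkt[12:16])
    dst_ip = socket.inet_ntoa(pkt[16:20])
    src_port = dst_port = None
    if protocol in (6, 17):               # TCP and UDP both start with src port, dst port
        if len(pkt) < ihl + 4:
            raise ValueError("truncated transport header")
        src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return FiveTuple(src_ip, dst_ip, src_port, dst_port, protocol)


def nat_friendly(ft: FiveTuple) -> bool:
    """A NAT distinguishes flows by port; ESP and AH carry none, TLS over TCP does."""
    return ft.src_port is not None


def build_ipv4(src_ip: str, dst_ip: str, protocol: int, payload: bytes) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header (checksum left 0) + payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return header + payload


# Constructed samples: a TLS flow, an IKE exchange on UDP 500, and an ESP packet (SPI + seq).
SAMPLE_TLS = build_ipv4("10.0.0.5", "203.0.113.10", 6, struct.pack("!HH", 51234, 443) + bytes(16))
SAMPLE_IKE = build_ipv4("10.0.0.5", "203.0.113.10", 17, struct.pack("!HH", 500, 500) + bytes(4))
SAMPLE_ESP = build_ipv4("10.0.0.5", "203.0.113.10", 50, struct.pack("!II", 0xC0FFEE, 1))

if __name__ == "__main__":
    for pkt in (SAMPLE_TLS, SAMPLE_IKE, SAMPLE_ESP):
        ft = parse_five_tuple(pkt)
        print(PROTO_NAMES.get(ft.protocol, ft.protocol), ft, "NAT-friendly:", nat_friendly(ft))
```

Logging exactly these five fields per event is the minimum that lets a flow in a SIEM be matched against firewall, VPN, and endpoint records later.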
What is attribution?
Attribution is the process of analyzing forensic data and building timelines to attribute the act to a specific individual or party.
What are the 3 types of digital evidence?
- best (physical copy/disk)
- corroborating
- indirect/circumstantial
What’s the difference between a physical copy and a logical copy?
A physical copy of digital evidence is a bit-for-bit duplicate (image) of the entire original storage medium; free/unallocated space and slack space are copied exactly, so deleted data can still be recovered from it.
A logical copy duplicates only the files the file system exposes; unallocated space is not captured, and metadata (timestamps, ownership) is often altered during the copy process.
.aff, .dd, .vmdk, and .vdi, what are these files and what are they used for?
common disk image / virtual disk file types encountered in forensics: .aff (Advanced Forensic Format), .dd (raw bit-for-bit image, named after the dd tool), .vmdk (VMware virtual disk) and .vdi (VirtualBox virtual disk). A forensic image is hashed at acquisition so that it can be verified unchanged whenever it is examined later.
What is chain of custody?
Chain of custody is the formal process of documenting all procedures
performed on the evidence and how the evidence was handled.
(Chain of custody must be followed from the beginning of
investigation all the way to the day the evidence is presented in
court.)
What are the 6 things that should always be documented for a chain of custody? (short answer)
how it was collected
when it was collected
how it was transported
how it was tracked
how it was stored
who had access to it
What is the Windows Registry and how do you access it?
The Windows Registry is the hierarchical database of configuration settings for the operating system and installed applications (hives such as HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER). It is opened with the regedit GUI or queried from the command line with reg query.
(The commands listed on the original card, ps -aux and its alternatives top & htop, list running processes on Linux and belong to a different question; they are unrelated to the Registry.)