Exam 3

Question 1

Define Plain/Clear Text & Cipher text.

Answer 1

Plain/Clear Text – the original, unaltered data. Not always “text,” but rather, the data.

Cipher Text –data that has been converted into an encrypted form using an algorithm. Can be decrypted using an algorithm.

Question 2

Know what hashes are and why they are used?

Answer 2

Hashing – one-way encryption that cannot be reversed (in theory) & provides assurance of data integrity.

• A hash value of a given data set will never change unless the data set changes.

Question 3

Which MD algorithms are broken?

Answer 3

MD2, MD4, & MD5 – “MD” stands for “message digest”

Question 4

What a collision attack is? what the code for this?

Answer 4

Collision Attacks – an attack that tries to find 2 different message data sets with the same hash.

• If 2 different data sets result in the same hash value when run through a hashing algorithm, that algorithm is broken.
  Ex: hash(m1) = hash(m2)

CODE// hash (p1 | md) = ct
hash (p2 | md) = ct

Question 5

What needs to be understood with Symmetric encryption?

Answer 5

Symmetric Cryptography – Any cryptographic algorithm that uses a single key to both ENCRYPT and DECRYPT.

Question 6

Which two of the listed symmetric algorithms are broken?

3DES, Blowfish, DES, AES, RC2, RC4, RC5, RC6, IDEA

Answer 6

DES is broken and that RC4 (also broken) was used in WEP for home routers

Question 7

Define Cipher & Key.

Answer 7

Cipher – the algorithm used for encrypting plain text into cipher text.

Key – a discrete piece of information, usually random in nature, that “unlocks” the cipher text.

Question 8

What are the two biggest weaknesses of symmetric encryption?

Answer 8

Symmetric encryption lacks nonrepudiation and secure key sharing.

Question 9

What are the two keys that asymmetric encryption use?

Answer 9

two keys: private and public

Question 10

Describe how a session key is generated.

Answer 10

The client accepts the server public key,
generates a session key using agreed-upon algorithm, then encrypts the session key using the public key.

Question 11

Between a public and private key, which is the one that can decrypt anything?

Answer 11

Only the private key can decrypt anything encrypted with the public key.

Question 12

For RSA, know the formulas to encrypt and decrypt.

Answer 12

Encrypt: t^e (mod n) = c
Decrypt: c^d (mod n) = t

Question 13

What are the two forms of ECC?

Answer 13

group addition—when there are 3 points of intersection
point doubling—when there are 2 points of intersection

Question 14

In an ECC public key what does (P, T) stand for?

Answer 14

P in public key is the leftmost point or the first point of the intersection
T is some random point or an agreed-upon point on the curve

Question 15

In an ECC private key, what does (d) stand for?

Answer 15

(d) is the number of group additions or point doubling to get back to T
( reflected across the x-axis until you reach T)

Question 16

Why is ECC popular?

Answer 16

ECC is popular because it can reach the same (or higher) levels of security as RSA, but uses much shorter key lengths.

Question 17

What are the two forms of VPNs?

Answer 17

site-to-site and remote-access

Question 18

Of the 6 VPN protocol families, which are the most widely
used?

Answer 18

MPLS, IPsec, and SSL/TLS

Question 19

MPLS doesn’t do what by itself?

Answer 19

MPLS does not encrypt traffic by itself

Question 20

Which VPNs are the most secure?

Answer 20

IPsec and SSL/TLS

Question 21

IPsec uses 3 families of protocols: IKE, AH, ESP. What is each one responsible for?

Answer 21

IKE (Internet Key Exchange) – tunneling protocol used to establish the connection between sites. Establishing the tunnel is broken into 2 phases, discussed later. Uses UDP port 500.

AH (Authentication Header) Protocol – used to authenticate the sender and verify data integrity; no encryption. Establishes what is known as “transport mode.”

ESP (Encapsulating Security Payload) – responsible for encrypting data. Establishes “tunnel mode.”

Question 22

What does IPsec Phase 1 create?

Answer 22

a security association between the endpoints.

Question 23

IPsec Phase 2 creates what?

Answer 23

the tunnel client data passes through.

Question 24

What does AH provide?

Answer 24

AH only provides authentication, not encryption

Question 25

What does ESP provide?

Answer 25

ESP can provide both authentication & encryption

Question 26

What are the advantages of SSL/TLS over IPsec?

Answer 26

Always secure (no AH only)

Ubiquity (port 443 is a commonly used port)

Cheap

Easily traverses firewalls and NATs (IPsec has trouble here)

Question 27

Know the four phases of IAM (short answer)

Answer 27

Four Phases:
1. Registration and Identity Validation
2. Privileges Provisioning
3. Access Review
4. Access Revocation

Question 28

Know the 3 things a security policy should address in terms of password security

Answer 28

The policy should address:
* Strength – password length and complexity
* Age – how long between forcing password reset
* Reusability – how many reset cycles due to age are allowed before an already used password can be reused.

Question 29

Know the best way to offset weak passwords?

Answer 29

One of the best ways to offset weak passwords is by using MFA
(multi-factor authentication)… entering a password triggers a text,
phone call, etc with an additional pin number.

Question 30

What is SSO?

Answer 30

single sign-on; sign on once and receive access to all permitted resources

Question 31

What is Kerberos?

Answer 31

a SSO protocol used in Active Directory

Question 32

Define Federated SSO.

Answer 32

establishes a trust relationship between two different organizations’
networks

Question 33

What is SAML?

Answer 33

Security Assertion Markup Language
(SAML) – widely used standard for federated SSO.

SAML is XML-based; it is a framework for securely exchanging “assertions.”

Question 34

In SAML, what are SP and IdP?

Answer 34

Service provider (SP) – an entity that provides the requested service to the principal.

Identity provider (IdP) – authentication authority

EX: SP is blackboard & IdP authenticates you

Question 35

What is SIEM?

Answer 35

SIEM systems – Security Information and Event Management software.

Question 36

What is a baseline configuration?

Answer 36

a set of attributes related to a system that has been reviewed and tested. Can only be altered through a formal change process

Question 37

What are the 3 phases of vulnerability management? (short answer)

Answer 37

3 Phases of vulnerability management:
1. Identification
2. Analysis and Prioritization
3. Remediation

Question 38

What should IR SOPs (standard operating procedures) include?

Answer 38

The SOPs should include specific technical processes, techniques, checklists.

Question 39

What are the 4 phases of IR process?

Answer 39

Phase 1 – Preparation
Phase 2 – Detection and Analysis
Phase 3 – Contain, Eradicate, Recover
Phase 4 – Post-Incident Activity (Postmortem)

Question 40

Detection/Analysis and Containment/Eradication phases are often what?

Answer 40

loops

Question 41

Which phase is intended to improve the IR response in the future?

Answer 41

the Postmortem phase is intended to improve the IR response in the future

Question 42

What are the parts of the 5-Tuple?

Answer 42

The 5-Tuple – common industry term for the minimum event artifacts
that should be recorded:

1. Source IP address
2. Destination IP address
3. Source port
4. Destination port
5. Protocol

(Note that all 5 are found in packet headers)

Question 43

What is attribution?

Answer 43

Attribution is the process of analyzing forensic data and building
timelines to attribute the act to a specific individual or party.

Question 44

What are the 3 types of digital evidence?

Answer 44

1. best (physical copy/disk)
2. corroborating
3. indirect/circumstantial

Question 45

What’s the difference between a physical copy and a logical copy?

Answer 45

A physical copy of digital evidence is usually a bit-for-bit duplicate (image) of the entire original storage medium, even free space is copied exactly.

A logical copy is a duplicate of the data; metadata is often altered during the copy process.

Question 46

.aff, .dd, .vmdk, and .vdi, what are these files and what are they used for?

Answer 46

common image/virtual image file types used in forensics

Question 47

What is chain of custody?

Answer 47

Chain of custody is the formal process of documenting all procedures
performed on the evidence and how the evidence was handled.

(Chain of custody must be followed from the beginning of
investigation all the way to the day the evidence is presented in
court.)

Question 48

What are the 6 things that should always be documented for a chain of custody? (short answer)

Answer 48

how it was collected
when it was collected
how it was transported
how it was tracked
how it was stored
who had access to it

Question 49

What is the Windows Registry and how do you access it?

Answer 49

command line: ps -aux
(can also use top & htop instead of ps)