Final Deck

Question 1

What are the four kinds of attackers?

Answer 1

1. Rogue hackers
2. Organized crime
3. Insider threat
4. Nation states

Question 2

Rogue hackers

Answer 2

Hackers not affiliated with an organized group. Usually hacking on a moral basis or political agenda.

Question 3

Doxxing

Answer 3

The practice of revealing private information publicly

Question 4

Organized crime

Answer 4

Organized group attacking bigger targets. Ex. Bank theft, SWIFT hack.

Question 5

Insider threat

Answer 5

Threat of hacker working within a corporation. Ex. Edward Snowden

Question 6

Nation states

Answer 6

Countries using their resources to attack another country or corporation. Ex. Stuxnet.

Question 7

What are the four aspects of good cryptography?

Answer 7

1. Confidentiality
2. Integrity (ensure contents haven’t been tampered with)
3. Authenticity (prove who a message came from / who performed transaction)
4. Non-repudiation (ensure party can’t back out of a transaction)

Question 8

True or false: IP packets are encrypted by default

Answer 8

FALSE! They’re plaintext, like sending a postcard.

Question 9

True or false: My computer’s communication is by default broadcast across the entire network.

Answer 9

True! Like the old telephones. Our computers can run in promiscuous mode and record other packets.

Question 10

How was crypto classified historically?

Answer 10

As a munition until the 1990s when businesses needed to be able to encrypt their data.

Question 11

What is the idea of crypto wars?

Answer 11

Gov wants special access to tech, and companies believe this makes the tech less secure. Ex. San Bernadino shooter –> FBI asking for backdoor.

Question 12

Cryptography vs. cryptanalysis

Answer 12

Cryptography is the science of creating uncrackable codes. Cryptanalysis is the science of cracking them. Cat and mouse game!

Question 13

Cryptology

Answer 13

Umbrella term covering cryptanalysis and cryptography

Question 14

Steganography

Answer 14

The art of concealing information (NOT encrypting).

Question 15

If I shave CJ’s head and write a message to her parents on her scalp, which “-ography” am I using?

Answer 15

Steganography. The information is hidden, but not encrypted.

Question 16

If I write a secret letter to nacho in lemon juice and scramble the letters using a key, which “-ography” am I using?

Answer 16

Both steganography (writing in lemon juice) and cryptography (scramble the letters).

Question 17

What are the two types of cryptography?

Answer 17

Substitution and transposition

Question 18

I want to see Jeremy at Koelbel at 4:30. I write a letter to him saying “Teme ta lebelok ta rofu iytrhit” what type of cryptography am I using?

Answer 18

Transposition! I didn’t substitute any letters, I just moved them around.

Question 19

Using substitution of a mod 28 alphabet and key = 15, what does the word “rat” become?

Answer 19

r (18) + 15 = 33 - 28 = 5
a (1) + 15 = 16
t (20) + 15 = 35 - 28 = 7

epg

Question 20

Scytale

Answer 20

A stick with a certain number of sides. Wrap leather band with letters around stick to see message

Question 21

A scytale is a form of ancient (transposition/substitution)

Answer 21

Transposition

Question 22

How does the Caesar cypher differ from the Vignere cypher?

Answer 22

The Caesar cypher is much simpler and uses a fixed key to substitute letters. The Vignere cypher changes each letter differently.

Question 23

What was Claude Shannon’s discovery?

Answer 23

He demonstrated that substitution and transposition, sufficiently combined, yield encrypted data that is indistinguishable from random data.

Question 24

What is Kerckhoff’s Principle for encryption?

Answer 24

The secret is in the key, not the algorithm. Think of a door lock! It doesn’t matter if you know who makes the lock.

Question 25

What is the opposite of Kerckhoff’s Principle?

Answer 25

Security through obscurity. Ex. DVD developed their own crypto.

Question 26

What are three time tested public algorithms we discussed?

Answer 26

DES encryption
AES encryption
Diffie-Hellman (asymm key exchange, not encryption)
RSA (NSA has paid them off)

Question 27

Where is Diffie Hellman used?

Answer 27

All web browsers for sites that use SSL. DH is used in the key exchange.

Question 28

Keyspace

Answer 28

The set of all possible keys

Question 29

What is the DES keyspace?

Answer 29

56-bit key, so 2^58. Originally had 128-bit, but NSA influenced them to weaken.

Question 30

What is the AES keyspace

Answer 30

128-bit key, so 2^128. Assuming 350B guesses per second, it would take 1.2B times longer than age of the universe to crack.

Question 31

What did Tesla do wrong in creating their key fob?

Answer 31

They used a proprietary crypto algorithm with only a 40-bit key. Could be cracked in seconds.

Question 32

What are the three requirements for a one-time pad?

Answer 32

1. Must be perfectly random
2. Pad must be as long as the message
3. Must be used only once

Question 33

Should you trust a software product claiming to use one-time pads?

Answer 33

No! Computers are bad at generating random numbers.

Question 34

Pseudo-random number generators (PRNG) and examples

Answer 34

Introducing entropy into the equation to generate more random numbers. Ex. move mouse around to create key, Cloudflare lava lamp and camera.

Question 35

How does XOR work?

Answer 35

XOR: Exclusive OR. So if two inputs are (1 and 0) or (0 and 1) then output is 1. Otherwise output is 0. Not AND.

Question 36

Block vs. stream ciphers

Answer 36

Stream ciphers encrypt data one bit at a time.

Block ciphers use transposition to move blocks to other same-size locations in a way that appears random.

Question 37

Is block cipher encryption more efficient that steam cipher encrypting?

Answer 37

Yes! Block cipher is more efficient but not as secure.

Question 38

Are AES and DES block or stream ciphers?

Answer 38

Block ciphers

Question 39

Electronic Code Book (ECB) vs. Cipher Block Chaining (CBC)

Answer 39

ECB encrypts every block the same way every time - info can be gained through freq. analysis (you can see the penguin).
CBC uses XOR on plaintext with last encrypted block, requires an initialization vector.

Question 40

What’s the initialization vector (IV) used in CBC?

Answer 40

IV is needed to create the first encrypted block. First encrypted block used for second, and so on…

Question 41

What part of InfoSec can be equated to a digital fingerprint?

Answer 41

Hashing. It provides integrity!

Question 42

What is hashing useful for?

Answer 42

Ensuring files are unchanged in transmission. Compare hashed file before and after transmission.

Question 43

How should you store passwords on your database?

Answer 43

Store hashed passwords!

Question 44

What’s another name for a hash and why does it have this name?

Answer 44

Message digest (md) bc a hash digests input of any size –> fixed-size output.

Question 45

Avalanche effect

Answer 45

One small change to the input completely changes the output (hash)

Question 46

Collision resistance

Answer 46

Two different inputs can’t have the same output (hash)

Question 47

In the birthday question, how many people do we need to get a 50% chance of collision?

Answer 47

2^n = 365 –> n = 8.51. 2^n/2 –> 50% chance of collision. Only 2^4.2 which is about 23 people.

Question 48

What did Flame malware do?

Answer 48

Performed an MD5 hash collision to hijack Microsoft server, MD5 was known to be broken! Had to be found within a millisecond. Was the work of Equation Group (NSA TAO)

Question 49

How did Google force companies to switch their encryption to SHA-2 and why?

Answer 49

Chrome showed a warning that the site could be potentially dangerous if it was using SHA-1, which was already cracked. Businesses don’t want that!

Question 50

What is hashing used for in web surfing?

Answer 50

Hashing is used for the browser SSL to ensure you’re at the site you think you are.

Question 51

How long has key sharing been a problem?

Answer 51

The history of the world! Up to 1970

Question 52

What’s the problem with Diffie Hellman?

Answer 52

No authentication, so you are subject to a MITM attack (how does Alice know that she’s talking to Bob?)

Question 53

How does RSA work?

Answer 53

Uses trapdoor one-way function. Multiply together two really large prime numbers. The product is the public key, the two primes make up the private key.

Question 54

Why is key size so much larger for asymmetric encryption?

Answer 54

Because you’re only using prime numbers - there are too few if you just use 128-bit, so you need to use something like 4096-bit.

Question 55

What two parts of RSA’s crypto give it digital signature capability?

Answer 55

Authentication and non-repudiation.

Question 56

What is the problem with encrypting using asymmetric cryptography?

Answer 56

It is 1000x slower than symmetric, can’t be used for websites.

Question 57

Why not use RSA for both key exchange and authentication?

Answer 57

Because if RSA was compromised, all of your past communication would be compromised. Solution is to use ephemeral DH for key exchange.

Question 58

X.509

Answer 58

A chain of trust certificates, ultimately trusted by a root cert bundled with your computer/browser

Question 59

What are the problems with the X.509 model?

Answer 59

You have to trust that root authorities…

1. Will act in good faith.
2. Have good operational security protecting their keys.

Question 60

What’s the alternative to X.509 cert model, and what’s the major difference?

Answer 60

PGP. Big difference is that it does not rely on a central authority like the certification structure of X.509

Question 61

Phil Zimmerman

Answer 61

Creator of PGP while encryption was a munition. He printed a book called PGP source code and internals.

Question 62

Gaining access to a system involves what three things?

Answer 62

1. Identification (who are you?)
2. Authentication (prove it)
3. Authorization (this is what you can do after you’ve been authenticated)

Question 63

If Will leaves a typed note on our kitchen table signed “ - Will” has he been authenticated?

Answer 63

No, anyone could have written that! He’s been identified but not authenticated.

Question 64

If Will leaves a handwritten note on our table signed “ - Will” and saying something that only we know, has he been authenticated?

Answer 64

Yes, he’s proven that it’s really him because he has information that nobody else should have.

Question 65

What do the username and password provide in terms of the three parts of gaining access?

Answer 65

Username (identity)

Password (authentication)

Question 66

What are the three primary means of authentication (proving who you are)

Answer 66

1. Something you know (ex. password)
2. Something you have (ex. key, debit card)
3. Something you are (ex. Touch ID)

Question 67

Why do passwords persist?

Answer 67

Most password replacements trade usability and deployability for more security.

Question 68

Passphrase

Answer 68

Using a phrase with a long character length that is easy to remember (ex. “crated beetle charger famous”)

Question 69

Cracking is a function of what two inputs?

Answer 69

Entropy and speed

Question 70

How many guesses will you need to make to guess 50% of the keyspace for a 128-bit password?

Answer 70

2^128 / 2 = 2^127 guesses

Question 71

A 128-bit AES password has how many bits of entropy?

Answer 71

2^128 so 128 bits of entropy

Question 72

How much entropy does an 8-character lowercase password have?

Answer 72

2^x = 26^8. x = 37.6 (bits of entropy)

Question 73

What are Bruce Schneier’s best security password recs for businesses?

Answer 73

1. Encourage passphrases instead of very complex passwords
2. Don’t force people to change passwords
3. Let people use password managers

Question 74

THC Hydra

Answer 74

Used for password guessing of online attacks. Much slower than offline bc of network latency.

Question 75

Why is THC Hydra called “Hydra”?

Answer 75

Websites may limit guesses, but THC Hydra spawns a lot of processes and guesses to limit.

Question 76

What part of the computer does offline password guessing use?

Answer 76

Uses GPU, which is really good for password cracking.

Question 77

Work factor

Answer 77

Through bcrypt. 2^X (X is work factor) which determines how many rounds of hashing occur before the final hash.

Question 78

How many rounds of hashing occur with a bcrypt hash with a work factor of 10

Answer 78

2^10 = 1024 rounds of hashing.

Question 79

Salting

Answer 79

Random salt is added to plaintext password before it is hashed. Salt is stored next to hash. [SALT]$[HASH]

Question 80

Peppering

Answer 80

Database server and web server are separate. Database server is encrypted with password held by web server. Compromised DB can’t be decrypted without compromising web server.

Question 81

What does salting password protect against?

Answer 81

Brute forcing hashes and rainbow table attacks!

Question 82

How can targeted attacks assist with password cracking?

Answer 82

People usually create passwords based on their life. Find out everything you can about a person and use this information to create targeted PW lists.

Question 83

What is the VERY first thing to do when vulnerability scanning?

Answer 83

Reconnaissance, aka passive information gathering (build a dossier!)

Question 84

Scanning vs. reconnaissance

Answer 84

Scanning is active, reconnaissance is passive

Question 85

Risk = _____ x ______ x ______

Answer 85

Asset x vulnerability x threat.

Define assets, then find vulnerabilities in assets.

Question 86

What are the six phases in active vulnerability scanning?

Answer 86

1. Network sweeps
2. Network tracing
3. Port scans
4. OS Fingerprinting
5. Version scans
6. Vulnerability scans

Question 87

What is management’s goal from a business perspective?

Answer 87

Minimize your attack surface.

Question 88

How might a business minimize its attack surface?

Answer 88

Tunnel traffic, shut down open but unused ports, apply updates as soon as they’re released!

Question 89

True or false: creating a complex IT structure is more secure because attackers won’t understand it.

Answer 89

False, complexity is the enemy of security.

Question 90

Metasploit

Answer 90

Framework containing ~1500 exploits.

Question 91

Bug vs. vulnerability

Answer 91

A bug is simply some flaw in code. If the flaw is exploitable, it’s a vulnerability.

Question 92

EternalBlue

Answer 92

Exploit developed by NSA that exploits older versions of Microsoft. Told Microsoft about it once they figured out it was leaked.

Question 93

What was WannaCry based on? Who made it?

Answer 93

North Korea took the leaked EternalBlue and developed WannaCry with it.

Question 94

What are the four reasons why it’s hard to patch? (Wendy Nather, CISO)

Answer 94

1. You can’t update a system that isn’t under your control.
2. Organizational constraints
3. “Built to last” conflicts with “update early and often”
4. Systems with external, highly entangled dependencies will take longer to update (ex. Niagara)

Question 95

What are the five principles of physical security?

Answer 95

Deter, detect, alarm, delay, respond.

Question 96

What is the weakest link in a secure system?

Answer 96

The humans! Aka “wetware”

Question 97

Spear phishing

Answer 97

A phishing attack that targets a specific organization or person.

Question 98

What are two defenses to (spear) phishing scams?

Answer 98

2FA or physical tokens. Ex. Google requires employees to use YubiKeys and system hasn’t been phished.

Question 99

Vishing

Answer 99

Voice phishing, coercing people into revealing critical information over voice

Question 100

What is the problem with security warnings?

Answer 100

We treat security warnings like whack-a-mole. Dismiss them quickly. Most phishing sites that use SSL make sure there are no certificate errors.

Question 101

Dual-task interference

Answer 101

Refers to how multitasking between 2+ tasks causes brain interference and performance of all tasks suffers

Question 102

Where does working memory occur in the brain?

Answer 102

The medial temporal lobe (MTL), which includes the hippocampus and amygdala

Question 103

What happens to the medial temporal lobe (MTL) during dual task interference (DTI)?

Answer 103

Neural activity in MTL decreases for those in a high DTI condition

Question 104

When should Chrome show security warnings for maximum benenefit?

Answer 104

Low DTI times such as when waiting for a page to load or when a download finished. Leads to much fewer warnings being dismissed.

Question 105

Warning fatigue

Answer 105

Users habitually devote less attention to messages with each repeated viewing.

Question 106

How should Chrome show warnings to avoid habituation?

Answer 106

Use polymorphic warnings, which are warnings that change how they are shown, even for the same warning. Also, show warnings less frequently!

Question 107

Generalization of habituation

Answer 107

When the effects of habituation to one stimulus carry over to a different stimulus that looks similar, but never seen before!

Question 108

Why is the basic UI idea of visual consistency dangerous to security messages?

Answer 108

Because of the generalization of habituation. Users will habitually dismiss regular notifications and this will carry over to security notifications.

Question 109

How did Kevin Mitnick hack into big companies

Answer 109

1. Called employee
2. Said he was an employee
3. Asked for employee to run code or give him info

Question 110

Dwell time

Answer 110

Amount of time a breach was in effect but not discovered

Question 111

Incident response is the intersection of _______ and _______. It is (offensive/defensive) security.

Answer 111

Security and forensics. Defensive! It’s a response to an attack.

Question 112

What does Krebs recommend as a first step for network security?

Answer 112

Monitor, then harden! You can’t defend what you can’t see.

Question 113

What are the phases of incident response

Answer 113

1. Plan
2. Prevent
3. Detect (assuming intruder)
4. Respond

Circular, so response will improve the plan and prevent future attacks of similar nature.

Question 114

Kill-chain concept

Answer 114

As a defender if you can detect an attack before the attacker accomplishes their goal, EVEN IF THEY BREACH YOUR NETWORK, you win.

Question 115

Breach vs. compromise

Answer 115

If you were breached but never compromised, you win as a defender! Compromise is the damage done once a breach occurs.

Question 116

What is the issue with a simple intrusion detection systems (IDS)?

Answer 116

Set of warnings but don’t do anything. Like a check engine light, you decide whether to respond to it.

Question 117

How does NSM improve simple IDS system?

Answer 117

Gives the defender the data to look into IDS (the check engine light)

Question 118

True or false: NSM is the practice of collecting everything.

Answer 118

True! Extracted content
Alert data
Metadata
Session data
Transaction data

Combine!!

Question 119

What are the principles of a defensible network, and what benefit does this provide?

Answer 119

Can be watched, audited, inventoried, etc. Benefit is that you don’t need as large of a security team.

Question 120

What are key metrics that the Computer Incident Response Team (CIRT) should account for?

Answer 120

1. The classification and count of incidents.
2. The time elapsed from incident detection to containment.

Maybe think about the profits lost?

Question 121

CIO vs. CISO

Answer 121

CIO wants things to be faster, better, cheaper. Implements tech without thinking security.

CISO tasked with incident response, forensics, security education, etc.

The two are often in conflict!

Question 122

What group of employees does security training not help?

Answer 122

Doesn’t help with intentional, malicious employees who will disregard training.

Question 123

Worm vs. virus

Answer 123

Worm: Self-replicating
Virus: Attached to file

Question 124

Malware static analysis vs. dynamic analysis

Answer 124

Static analysis: Not running the file but looking at code to determine its functionality, purpose, and identifying traits. Certain tools may execute malware without warning!
Dynamic analysis: Run malware and analyze, also analyze machine once malware has run.

Question 125

What are the five steps of security evaluation as referenced in Beyond Fear?

Answer 125

1. What are you trying to protect?
2. What are the risks to those assets?
3. How well does the security solution mitigate those risks?
4. What other risks does the security solution cause?
5. What trade-offs does the security solution require?

Question 126

What are you trying to protect when evaluating terrorism (Beyond Fear security evaluation step 1)

Answer 126

People. Your assets are not the buildings or the locations, but the people there.

Question 127

PII

Answer 127

Personally identifiable information

Question 128

PHI

Answer 128

Protected health information