Final Deck Flashcards
What are the four kinds of attackers?
- Rogue hackers
- Organized crime
- Insider threat
- Nation states
Rogue hackers
Hackers not affiliated with an organized group. Usually hacking on a moral basis or political agenda.
Doxxing
The practice of revealing private information publicly
Organized crime
Organized group attacking bigger targets. Ex. Bank theft, SWIFT hack.
Insider threat
Threat of hacker working within a corporation. Ex. Edward Snowden
Nation states
Countries using their resources to attack another country or corporation. Ex. Stuxnet.
What are the four aspects of good cryptography?
- Confidentiality
- Integrity (ensure contents haven’t been tampered with)
- Authenticity (prove who a message came from / who performed transaction)
- Non-repudiation (ensure party can’t back out of a transaction)
True or false: IP packets are encrypted by default
FALSE! They’re plaintext, like sending a postcard.
True or false: My computer’s communication is by default broadcast across the entire network.
True! Like the old telephones. Our computers can run in promiscuous mode and record other packets.
How was crypto classified historically?
As a munition until the 1990s when businesses needed to be able to encrypt their data.
What is the idea of crypto wars?
Gov wants special access to tech, and companies believe this makes the tech less secure. Ex. San Bernadino shooter –> FBI asking for backdoor.
Cryptography vs. cryptanalysis
Cryptography is the science of creating uncrackable codes. Cryptanalysis is the science of cracking them. Cat and mouse game!
Cryptology
Umbrella term covering cryptanalysis and cryptography
Steganography
The art of concealing information (NOT encrypting).
If I shave CJ’s head and write a message to her parents on her scalp, which “-ography” am I using?
Steganography. The information is hidden, but not encrypted.
If I write a secret letter to nacho in lemon juice and scramble the letters using a key, which “-ography” am I using?
Both steganography (writing in lemon juice) and cryptography (scramble the letters).
What are the two types of cryptography?
Substitution and transposition
I want to see Jeremy at Koelbel at 4:30. I write a letter to him saying “Teme ta lebelok ta rofu iytrhit” what type of cryptography am I using?
Transposition! I didn’t substitute any letters, I just moved them around.
Using substitution of a mod 28 alphabet and key = 15, what does the word “rat” become?
r (18) + 15 = 33 - 28 = 5
a (1) + 15 = 16
t (20) + 15 = 35 - 28 = 7
epg
Scytale
A stick with a certain number of sides. Wrap leather band with letters around stick to see message
A scytale is a form of ancient (transposition/substitution)
Transposition
How does the Caesar cypher differ from the Vignere cypher?
The Caesar cypher is much simpler and uses a fixed key to substitute letters. The Vignere cypher changes each letter differently.
What was Claude Shannon’s discovery?
He demonstrated that substitution and transposition, sufficiently combined, yield encrypted data that is indistinguishable from random data.
What is Kerckhoff’s Principle for encryption?
The secret is in the key, not the algorithm. Think of a door lock! It doesn’t matter if you know who makes the lock.
What is the opposite of Kerckhoff’s Principle?
Security through obscurity. Ex. DVD developed their own crypto.
What are three time tested public algorithms we discussed?
DES encryption
AES encryption
Diffie-Hellman (asymm key exchange, not encryption)
RSA (NSA has paid them off)
Where is Diffie Hellman used?
All web browsers for sites that use SSL. DH is used in the key exchange.
Keyspace
The set of all possible keys
What is the DES keyspace?
56-bit key, so 2^58. Originally had 128-bit, but NSA influenced them to weaken.
What is the AES keyspace
128-bit key, so 2^128. Assuming 350B guesses per second, it would take 1.2B times longer than age of the universe to crack.
What did Tesla do wrong in creating their key fob?
They used a proprietary crypto algorithm with only a 40-bit key. Could be cracked in seconds.
What are the three requirements for a one-time pad?
- Must be perfectly random
- Pad must be as long as the message
- Must be used only once
Should you trust a software product claiming to use one-time pads?
No! Computers are bad at generating random numbers.
Pseudo-random number generators (PRNG) and examples
Introducing entropy into the equation to generate more random numbers. Ex. move mouse around to create key, Cloudflare lava lamp and camera.
How does XOR work?
XOR: Exclusive OR. So if two inputs are (1 and 0) or (0 and 1) then output is 1. Otherwise output is 0. Not AND.
Block vs. stream ciphers
Stream ciphers encrypt data one bit at a time.
Block ciphers use transposition to move blocks to other same-size locations in a way that appears random.
Is block cipher encryption more efficient that steam cipher encrypting?
Yes! Block cipher is more efficient but not as secure.
Are AES and DES block or stream ciphers?
Block ciphers
Electronic Code Book (ECB) vs. Cipher Block Chaining (CBC)
ECB encrypts every block the same way every time - info can be gained through freq. analysis (you can see the penguin).
CBC uses XOR on plaintext with last encrypted block, requires an initialization vector.
What’s the initialization vector (IV) used in CBC?
IV is needed to create the first encrypted block. First encrypted block used for second, and so on…
What part of InfoSec can be equated to a digital fingerprint?
Hashing. It provides integrity!
What is hashing useful for?
Ensuring files are unchanged in transmission. Compare hashed file before and after transmission.
How should you store passwords on your database?
Store hashed passwords!
What’s another name for a hash and why does it have this name?
Message digest (md) bc a hash digests input of any size –> fixed-size output.
Avalanche effect
One small change to the input completely changes the output (hash)
Collision resistance
Two different inputs can’t have the same output (hash)
In the birthday question, how many people do we need to get a 50% chance of collision?
2^n = 365 –> n = 8.51. 2^n/2 –> 50% chance of collision. Only 2^4.2 which is about 23 people.
What did Flame malware do?
Performed an MD5 hash collision to hijack Microsoft server, MD5 was known to be broken! Had to be found within a millisecond. Was the work of Equation Group (NSA TAO)
How did Google force companies to switch their encryption to SHA-2 and why?
Chrome showed a warning that the site could be potentially dangerous if it was using SHA-1, which was already cracked. Businesses don’t want that!
What is hashing used for in web surfing?
Hashing is used for the browser SSL to ensure you’re at the site you think you are.
How long has key sharing been a problem?
The history of the world! Up to 1970
What’s the problem with Diffie Hellman?
No authentication, so you are subject to a MITM attack (how does Alice know that she’s talking to Bob?)
How does RSA work?
Uses trapdoor one-way function. Multiply together two really large prime numbers. The product is the public key, the two primes make up the private key.
Why is key size so much larger for asymmetric encryption?
Because you’re only using prime numbers - there are too few if you just use 128-bit, so you need to use something like 4096-bit.
What two parts of RSA’s crypto give it digital signature capability?
Authentication and non-repudiation.
What is the problem with encrypting using asymmetric cryptography?
It is 1000x slower than symmetric, can’t be used for websites.
Why not use RSA for both key exchange and authentication?
Because if RSA was compromised, all of your past communication would be compromised. Solution is to use ephemeral DH for key exchange.
X.509
A chain of trust certificates, ultimately trusted by a root cert bundled with your computer/browser
What are the problems with the X.509 model?
You have to trust that root authorities…
- Will act in good faith.
- Have good operational security protecting their keys.
What’s the alternative to X.509 cert model, and what’s the major difference?
PGP. Big difference is that it does not rely on a central authority like the certification structure of X.509
Phil Zimmerman
Creator of PGP while encryption was a munition. He printed a book called PGP source code and internals.
Gaining access to a system involves what three things?
- Identification (who are you?)
- Authentication (prove it)
- Authorization (this is what you can do after you’ve been authenticated)
If Will leaves a typed note on our kitchen table signed “ - Will” has he been authenticated?
No, anyone could have written that! He’s been identified but not authenticated.
If Will leaves a handwritten note on our table signed “ - Will” and saying something that only we know, has he been authenticated?
Yes, he’s proven that it’s really him because he has information that nobody else should have.
What do the username and password provide in terms of the three parts of gaining access?
Username (identity)
Password (authentication)
What are the three primary means of authentication (proving who you are)
- Something you know (ex. password)
- Something you have (ex. key, debit card)
- Something you are (ex. Touch ID)
Why do passwords persist?
Most password replacements trade usability and deployability for more security.
Passphrase
Using a phrase with a long character length that is easy to remember (ex. “crated beetle charger famous”)
Cracking is a function of what two inputs?
Entropy and speed
How many guesses will you need to make to guess 50% of the keyspace for a 128-bit password?
2^128 / 2 = 2^127 guesses
A 128-bit AES password has how many bits of entropy?
2^128 so 128 bits of entropy
How much entropy does an 8-character lowercase password have?
2^x = 26^8. x = 37.6 (bits of entropy)
What are Bruce Schneier’s best security password recs for businesses?
- Encourage passphrases instead of very complex passwords
- Don’t force people to change passwords
- Let people use password managers
THC Hydra
Used for password guessing of online attacks. Much slower than offline bc of network latency.
Why is THC Hydra called “Hydra”?
Websites may limit guesses, but THC Hydra spawns a lot of processes and guesses to limit.
What part of the computer does offline password guessing use?
Uses GPU, which is really good for password cracking.
Work factor
Through bcrypt. 2^X (X is work factor) which determines how many rounds of hashing occur before the final hash.
How many rounds of hashing occur with a bcrypt hash with a work factor of 10
2^10 = 1024 rounds of hashing.
Salting
Random salt is added to plaintext password before it is hashed. Salt is stored next to hash. [SALT]$[HASH]
Peppering
Database server and web server are separate. Database server is encrypted with password held by web server. Compromised DB can’t be decrypted without compromising web server.
What does salting password protect against?
Brute forcing hashes and rainbow table attacks!
How can targeted attacks assist with password cracking?
People usually create passwords based on their life. Find out everything you can about a person and use this information to create targeted PW lists.
What is the VERY first thing to do when vulnerability scanning?
Reconnaissance, aka passive information gathering (build a dossier!)
Scanning vs. reconnaissance
Scanning is active, reconnaissance is passive
Risk = _____ x ______ x ______
Asset x vulnerability x threat.
Define assets, then find vulnerabilities in assets.
What are the six phases in active vulnerability scanning?
- Network sweeps
- Network tracing
- Port scans
- OS Fingerprinting
- Version scans
- Vulnerability scans
What is management’s goal from a business perspective?
Minimize your attack surface.
How might a business minimize its attack surface?
Tunnel traffic, shut down open but unused ports, apply updates as soon as they’re released!
True or false: creating a complex IT structure is more secure because attackers won’t understand it.
False, complexity is the enemy of security.
Metasploit
Framework containing ~1500 exploits.
Bug vs. vulnerability
A bug is simply some flaw in code. If the flaw is exploitable, it’s a vulnerability.
EternalBlue
Exploit developed by NSA that exploits older versions of Microsoft. Told Microsoft about it once they figured out it was leaked.
What was WannaCry based on? Who made it?
North Korea took the leaked EternalBlue and developed WannaCry with it.
What are the four reasons why it’s hard to patch? (Wendy Nather, CISO)
- You can’t update a system that isn’t under your control.
- Organizational constraints
- “Built to last” conflicts with “update early and often”
- Systems with external, highly entangled dependencies will take longer to update (ex. Niagara)
What are the five principles of physical security?
Deter, detect, alarm, delay, respond.
What is the weakest link in a secure system?
The humans! Aka “wetware”
Spear phishing
A phishing attack that targets a specific organization or person.
What are two defenses to (spear) phishing scams?
2FA or physical tokens. Ex. Google requires employees to use YubiKeys and system hasn’t been phished.
Vishing
Voice phishing, coercing people into revealing critical information over voice
What is the problem with security warnings?
We treat security warnings like whack-a-mole. Dismiss them quickly. Most phishing sites that use SSL make sure there are no certificate errors.
Dual-task interference
Refers to how multitasking between 2+ tasks causes brain interference and performance of all tasks suffers
Where does working memory occur in the brain?
The medial temporal lobe (MTL), which includes the hippocampus and amygdala
What happens to the medial temporal lobe (MTL) during dual task interference (DTI)?
Neural activity in MTL decreases for those in a high DTI condition
When should Chrome show security warnings for maximum benenefit?
Low DTI times such as when waiting for a page to load or when a download finished. Leads to much fewer warnings being dismissed.
Warning fatigue
Users habitually devote less attention to messages with each repeated viewing.
How should Chrome show warnings to avoid habituation?
Use polymorphic warnings, which are warnings that change how they are shown, even for the same warning. Also, show warnings less frequently!
Generalization of habituation
When the effects of habituation to one stimulus carry over to a different stimulus that looks similar, but never seen before!
Why is the basic UI idea of visual consistency dangerous to security messages?
Because of the generalization of habituation. Users will habitually dismiss regular notifications and this will carry over to security notifications.
How did Kevin Mitnick hack into big companies
- Called employee
- Said he was an employee
- Asked for employee to run code or give him info
Dwell time
Amount of time a breach was in effect but not discovered
Incident response is the intersection of _______ and _______. It is (offensive/defensive) security.
Security and forensics. Defensive! It’s a response to an attack.
What does Krebs recommend as a first step for network security?
Monitor, then harden! You can’t defend what you can’t see.
What are the phases of incident response
- Plan
- Prevent
- Detect (assuming intruder)
- Respond
Circular, so response will improve the plan and prevent future attacks of similar nature.
Kill-chain concept
As a defender if you can detect an attack before the attacker accomplishes their goal, EVEN IF THEY BREACH YOUR NETWORK, you win.
Breach vs. compromise
If you were breached but never compromised, you win as a defender! Compromise is the damage done once a breach occurs.
What is the issue with a simple intrusion detection systems (IDS)?
Set of warnings but don’t do anything. Like a check engine light, you decide whether to respond to it.
How does NSM improve simple IDS system?
Gives the defender the data to look into IDS (the check engine light)
True or false: NSM is the practice of collecting everything.
True! Extracted content Alert data Metadata Session data Transaction data
Combine!!
What are the principles of a defensible network, and what benefit does this provide?
Can be watched, audited, inventoried, etc. Benefit is that you don’t need as large of a security team.
What are key metrics that the Computer Incident Response Team (CIRT) should account for?
- The classification and count of incidents.
- The time elapsed from incident detection to containment.
Maybe think about the profits lost?
CIO vs. CISO
CIO wants things to be faster, better, cheaper. Implements tech without thinking security.
CISO tasked with incident response, forensics, security education, etc.
The two are often in conflict!
What group of employees does security training not help?
Doesn’t help with intentional, malicious employees who will disregard training.
Worm vs. virus
Worm: Self-replicating
Virus: Attached to file
Malware static analysis vs. dynamic analysis
Static analysis: Not running the file but looking at code to determine its functionality, purpose, and identifying traits. Certain tools may execute malware without warning!
Dynamic analysis: Run malware and analyze, also analyze machine once malware has run.
What are the five steps of security evaluation as referenced in Beyond Fear?
- What are you trying to protect?
- What are the risks to those assets?
- How well does the security solution mitigate those risks?
- What other risks does the security solution cause?
- What trade-offs does the security solution require?
What are you trying to protect when evaluating terrorism (Beyond Fear security evaluation step 1)
People. Your assets are not the buildings or the locations, but the people there.
PII
Personally identifiable information
PHI
Protected health information