Fundamentals of Security Flashcards
What is the differences between information security and information system security?
Information security refers to protecting actual data and
Information system security refers to protecting the actual devices/ systems that store data.
What are the 4 main types of security controls?
Managerial control/ Administrative controls -
Technical controls -
Operational controls -
Physical controls -
Give me few examples of techniques to keep data confidential.
- Encryption
- Implementing access controls
- Data masking
- tokenization
- User training and awareness
- Implementing physical controls to block unauthorized access
How we can maintain integrity of data?
- using hashing algorithms
- checksum
- reviewing logs
- Digital signatures
- Access controls
What is non-repudiation and it’s concept is achieved?
It refers to the concept that if someone has taken some action, they cannot deny it.
In email communication, it is ensured using Digital Signatures.
What are different ways to authenticate someone? What are its factors?
- Something you know - like a password or pincode. Or it could be KBA (Knowledge based authentication like answering security questions)
- Something you have -
Like having a access card, or
using token fob/key token - Something you are - involves biometrics
Define something you have authentication factor.
- We might have a access card. Access card uses NFC or RFID (Radio Frequency Identification) technology in them. Normally these cards have a microchip in them that has a certificate with a private key.
- We may also use key fob/token fob.
Note there is a software implementation of key fob as well. Two open source protocols are available to implement software key-fob technology.
1st is HOTP (Hash based one time password)
2nd is TOPT (Time based one time password)
What technologies/tools we can use to implement accounting in our networks?
Syslog servers
SIEM - Security Incident and Event Management tool
Network Protocol analyzers
Define technical controls.
There are the controls are implemented once like implementing ACLs in firewalls, and they will do their work automatically after.
Define Managerial or Administrative controls.
Managerial controls are administrative in nature. It involves strategic planning and governance side of security.
Like planning the incident response plans, or making security policies, procedures and guidelines.
What are operational controls?
Operational controls are related to day-to-day activities and it involves human participation.
Ex - employees following clean-desk policy or making sure that their LAN password length is at-least 12 characters long.
Other examples of operational controls are back-up procedures, Account reviews, user training programs
What are the different types of security controls?
Preventative controls
Detective controls
Deterrent controls
Corrective controls
Compensating controls
Directive controls
What is the use of compensative controls?
Compensative controls are used where primary control mechanisms fail or are not effective.
What is GAP analysis and what are different steps involved in it?
Gap analysis refers to the process of finding differences between the organizations current state and its desired state.
It involves following steps -
- Finding the scope of the GAP analysis
- Evaluating/analyzing the current state of the organization as per defined-scope
- Finding out the gaps between the current state and the desired state/goal
- Developing a plan to bridge the gap
What are 2 types of GAP analysis?
Technical GAP analysis
Business GAP analysis
What is the concept of Zero trust?
Todays networks are decentralized. So companies goal is to implement the zero trust in their organization.
It demand the verification of every device, user and transaction within the network, regardless of its origin.
What is a common goal of fault tolerance and redundancy techniques?
To remove the SPOF (Single Point Of Failure)
Define hping command.
Hping is command is used in linux (SAYAD).
With hping command, we can send message using TCP, UDP, and ICMP protocol.
Define ifconfig command
This command is used in Linux to see the TCP/IP suite information.
Command is
ifconfig eth0 promisc
What do we use netstat command for?
netstat command is used to see TCP/IP connections.
To get more information about it, use :
netstat /? -> In windows
What do we use tracert command for?
tracert command is used to find the path that a packet takes to reach it destination.
This command is used in Windows and gives use the IP address of each hop in the packet path.
Linux equivalent command is traceroute
What is pathping command?
Pathping command is combination of ping and tracert
Define journalctl command.
This command is used to get the log entries that journald protocol has collected from different sources.
What are some of the connection states of netstat command?
Close_WAIT -> Waiting for a connection termination request
Time_WAIT -> This indicates the system is waiting for enough time to pass to be sure the remote system received a TCP-based acknowledgement of the connection.
SYN_SENT -
SYN_Received -
What tool in windows can we use to view logs?
We can Windows Event Viewer.
Using it, we can view following kind of logs-
Security logs
Application logs
System logs
Define Syslog protocol.
It is a logging protocol that defines a general format for logs and it defines rules to transport the log data to some centralized logging server.
With this protocol, we can connect log data from different sources.
For unencrypted log messages, this protocol uses UDP port 514.
For send encrypted messages, it uses TCP port with port number 6514 with Transport Layer Security.
This protocol stores log data in plain text at /var/log/syslog
What is the use of logger command.
We can use logged command to timestamp some event like when the backup was created.
It will add this entry in /var/log/syslog
What are some other alternatives of using Syslog protocol.
syslog-ng
rsyslog
nxlog is another log management tool and is similar to rsyslog and syslog-ng
What is most secure method out of different biometric methods?
Iris and Retina scans
Iris is preferred.
What is Account Management?
It is the process of creating account, managing accounts, suspending and terminating them.
What are different types of account types?
User accounts :
Admin Accounts :
Device accounts :
Service accounts : Some applications and services need to run under the context of an account and a service account fills this need.
Guest Accounts:
Third Part Accounts:
Shared and Generic accounts :
What is PAM?
PAM stands for privileged Access Management.
It recommends to use 2 accounts by administrators.
How and why do we use Kerbros in Enterprise systems?
It is used to implement SSO solution in Enterprise networks.
SSO should always be implemented with other kind of MFA.
kerbros is a network authentication protocol within Microsoft Windows Active Directory domain.
Kerbros has 3 components :
- Some Key Distribution Centre server that generates TGT (Ticket granting tickets)
- Time Synchronization.
- a database of users and objects. In Windows systems, this database is Active Directory.
How can we implement SSO over the internet over different networks/systems/environments?
One way of implementing SSO among different environments is by creating a federation of companies in which 2 different companies create a Federated Access Management system.
One way of implementing Federated Access Management system over the internet is using SAML (Security Assertion Markup Language)
Define SAML.
SAML is Security Assertion Markup Language.
It is a protocol with which we can implement SSO over the internet.
It involves 3 entities :
- Principle - Typically a user
- Service Provider
- Identity provider
Another alternative to using SAML is openID connection (OIDC) - it uses JSON Web Token (JWT) messages instead of XML used in SAML.
What is Oauth?
It is an open standard for authorization many companies use to provide secure access to protected resources.
What are different motivations behind threat actors?
- Data exfiltration
- War
- Service Disruption
- Espionage
- Social cause / Philosophical or Political Beliefs
- Revenge
- Ethical hacking
- Blackmail
- Financial Gain
What are different threat actor attributes?
Internal VS external
Level of Sophistication And capability
Resources and Funding
Who are unskilled attackers and what are their motives?
These are also called Script-kiddies
They don’t have financial again motive but their motive might include learning new tool.
Who is a Hactivist
An Hactivist is an individual or group of people who might hack systems due to some social cause or to promote a Social change.
They can end up doing following things:
- Doxing - it is process in which a threat actor publicly release someone individuals personal information
- Denial Of service
- Website Defacement
- Leaking of sensitive information
Who are Organized crime group?
These are group of hackers who are very sophisticated and hight level of expertise. Their main motive is financial gain.
Example of such group is FIN7, carbanak
Who are Nation State actors?
These are the state sponsored threat actors who spy on individuals, group of people or other state to gain sensitive information or classified information.
These nation state threat actors usually use “False flag attack” in which they try to hide the attack origin.
What is shadow IT?
This term refers to the scenario when someone make use of devices, applications, processes without IT approval in a corporate environment. This action might lead to increased number of vulnerabilities in a corporate network.
For example - Someone might install an application without approval on their system.
Define term attack vector and attack surface area.
Attack surface area refers to all the vulnerabilities in the organizational network.
Attack vector refers to specific mean or path by which an threat actor can penetrate a network to steal data or to enter malicious data.
Give me some examples of attack vector.
Messages (email message, text message)
Files
Images
Unsecured network
Social media
Removable devices
Voice calls
What are Blueborne and Bluesmack attacks?
Blueborne attack - It is an attack in which a threat actor exploits a number of vulnerabilities in Bluetooth and it can allow can attacker to take over devices or spread malware.
Bluesmack - It is a type of denial of service attack that targets bluetooth enabled devices.
What are different tools with which we can learn TTPs (Tools, Tactics and procedures) of threat actors?
By using following -
Honeypots
Honeynets
Honeytokens
Honeyfiles
What are Honeytoken?
It is some kind of object that does hold any legitimate value like fake admin account.
These are planted or created in organization network to find insider threats . For example, if someone ends of using these objects like fake admin account, security team will know that there is a insider threat.
What are few methods to confuse an attacker?
- using bogus DNS entries
- Creating decoy entries
- Generating dynamic pages
- Using port triggering
- spoofing fake telemetry data
What are different surveillance system tools?
Cameras
Security guards
Sensors like infrared sensors, Pressure sensors, Microwave sensor, Ultrasonic sensor
What are few ways to bypass surveillance systems?
Blinding sensors and cameras
By creating electro-magnetic interference
Visual obstruction
Physical environment attack
What are access control vestibules?
These are installed to prevent piggybacking and tailgating attack.
Define term FAR and FRR (Related to biometric devices).
FAR - False Acceptance rate - It is the rate that shows percentage of falsely authenticated people by an biometric device
FRR - It is False Rejection Rate
There is CER - Cross-over Error rate where FRR and FAR meet on a graph. This point is also called Equal error rate
What tool can we use to clone Access Cards and how we can protect from it?
Flipper Zero
For preventing from these attacks -
1. We can implement advanced encryption in card-based authentication systems
2. Implement MFA
3. Use shielded wallets
4. Monitor and audit access logs
What is a cipher lock?
It is a mechanical lock that uses push buttons often numbered and requires correct combination to be entered for access.
What are different motivational triggers that can lead to Social Engineering attacks?
- Urgency
- Scarcity
- Authority
- Social proof - Psychological phenomenon
- Likability -
- Fear
What are different impersonation attacks?
- Brand Impersonation
- Watering Hole attack
- Typesquatting - A threat actor buys a closely spelled domain.
Pretexting is also part of it in which an attacker impersonates someone and try to get more information regarding some object or subject to carry on their main attack they are planning.
Give me some example of phishing attacks?
BEC - Business email compromise
Whaling -
Spear phishing
Vishing and Smishing
How can we prevent phishing attacks?
By conducting training - Running anti Phishing campaigns
Recognizing phishing attempts
Report suspicious messages
What are some clues to recognize an phishing email?
- Complicated email
- Grammatical mistake
- Mismatched URLS
- Unusual requests
- Urgency
Give me url of a website on which we can run phishing campaign.
phishinsight.trendmicro.com
What is difference between Identity fraud and Identity theft?
Identity theft - It is the process of stealing users personal information like their credit card, SIN number, DAB etc. Identity theft might include the scenario when some thief tries to use some victims credit card.
Identity fraud is the term used when someone takes over someone’s identity. For example - a scammer might use some victims information to open some bank account.
What are influence Campaigns?
These are co-ordinated efforts to affect public perception or behaviour toward a particular cause, individual or group.
These campaigns can be breeding ground for misinformation and disinformation
What is a Virus?
It is a malware that spreads on a target system after an user open some infected file or click on a malicious link.
There different kind of Viruses.
What is a Boot-sector-virus?
Boot sector virus resides in the boot drive and runs its every time OS loads.
To protect from a boot sector virus, we should install a anti-virus that can detect boot sector viruses.
What is a Marco virus?
It is a specific kind of virus that infects files that are used by users very often. For example - office 365 files.
This Macro virus might increase the size of a file exponentially.
What is a program virus?
It is a virus that infects program files or executable files. Such virus might change some of the code of targeted program file or might change its full code.
Every time a user runs this infected program, the malicious code in it also runs.
What is a multi-partite virus?
It is a virus that is a mix of boot sector virus and program virus. This virus resides in the boot sector and when OS loads, it runs a malicious program automatically.
What is an encrypted virus?
It is a virus that encrypts its payload and avoid detection from Anti-virus programs as they are unable to read the virus data.
What is polymorphic virus?
It is an advanced version of encrypted virus but instead of just encrypting the contents, it will actually change the virus code each time it infects a new file in order for it to evade detection.
What is metamorphic virus?
It is an advanced version of polymorphic virus. These viruses are able to rewrite itself entirely before it attempts to infect a given file.
What is a Armoured virus?
This is a specific type of virus that has layers of protection to confuse program or human who is trying to analyze it.
What are worms?
It is a malware that spreads into systems and networks without requiring any user action. They will just find some vulnerability in a system and will scan the other systems in the network to spread across the network.
What is a Trojan?
It is malware that disguises itself as legitimate driver/software/program but it hides a malicious code in it. User unknowingly runs this program and the malicious code is also run.
One specific type of trojan is RAT (Remote Access Trojan)
RAT will let a threat actor to take remote control of the target system by opening some backdoor on them.
What are some ways to protect from Ransomware attack?
- Keeps system up to date
- back-up data regularly
- Provide security awareness training
- Implement MFA
What are Zombies and botnets?
Botnets is a network of infected systems that are under the control of Command and Control server that is controlled by a threat actor. This command and control server is also known as C2 node.
These infected systems are know as zombies.
What is a root-kit?
It is a specific type of malware that gives remote control administrative access to a threat actor and remains undetected.
Rootkits tries to gan more permissions by moving from ring 3 to 2 to 2 to 0 (Kernel permissions)
Another technique used by rootkits to gain deeper level of access is know as DLL injection.
What are Backdoors, logic-bombs and Easter Egg?
Backdoors are means or pathways to access a system without going through the regular access controls.
It bypass the normal security and authentication functions.
Logic-bomb - it malware gets activated when certain condition is met.
Easter egg - It is unnecessary code that is introduced to a program.
What is a keylogger?
It is a software or a hardware device that will log keys pressed by a user. For exmaple - by logging user-pressed keys, it might capture usernames and passwords.
What is spyware and Bloatware?
Spyware - it is a malware that steals users personal information without any authorization and will send it to a remote threat actor.
Bloatwares are unnecessary programs that are not needed and have no value to use. These comes pre-installed on our systems.
What is File less Malware and how it is deployed.
Fileless malware only stays in memory and it does not save any of its code on the computer file system. Thus this way it is able to avoid detection from Anti-virus programs that are based on malware-signatures.
Usually it is deployed in 2 phases -
- Phase 1 = Dropper/Downloader
In Dropper phase, user clicks on some infected link and doing so cause a light weight malicious script/code to run within a payload on an infected system.
In Downloader phase, it will retrieves additional tools post the initial injection facilitated by dropper.
- Stage 2 - Downloader - in this stage, RAT is installed on victimized system.
What are some of the ways with which, malware can inserted into a host?
Code injection
DLL sideloading
Masquerading
Process hallowing
DLL injection
What are some of the indicators of Malware attack?
Account Lockouts
Blocked content
Concurrent session Utilization
Impossible travel
Resource consumption
Resource inaccessibility
Out-Off-Cycle logging
Missing logs
What are the normal categories for data classification in a Commercial business?
- Public Data - it can be disclosed with public and there is no impact on the company.
- Sensitive data - It has minimal impact on the company if disclosed. Example includes Organization’s financial data
- Private Data - This kind of data normally belong to people like their personal information, SIN number.
If released, It can have financial and reputational impact on the organization. It can also lead to legal implications. - Confidential data - If released, this kind of data can have very large impact on the organization. This includes information like trade secret, Intellectual property, source code etc.
Discloser of this information might lead to a company losing its competitive edge. - Critical Data - It contains valuable information. Data like credit card numbers.
What are the different categories for data classification in a government company?
- Unclassified - this information can shared be shared with public or can be requested by the public under the Freedom Of Information act.
- Sensitive but unclassified - If disclosed, this information won’t pose any risk on nation security but it will impact the individual who this information belong to.
Example of such information is Military personnel’s health record - Confidential information - Data that could seriously affect the government if unauthorized disclosures happen. Ex - Data like trade secrets.
- Secret Data - Data that could seriously impact national security if disclosed. This information include Military plans, Safeguard-Deployment techniques
- Top secret - It will severely impact national security if disclosed. This include information like Weapon Blueprint.
Who is a Data owner?
Data owner is a senior executive in a company who is responsible for the confidentiality, Integrity, Availability of information.
One task of data owner is to classify the different types of organizational data.
Ex - they can direct everyone to classify data with Balance Sheets as financial information.
There are not the actual person who creates this data.
Who are data controllers?
Data controller is an individual or a group of individual who decides the purpose of data collection and method of collecting, storing Data. They also ensures organization is adhering to legal to processes while performing these actions.
Data processors work on behalf of Data controllers and help on the above processes.
Who is a Data Steward?
Data Steward is an individual or group of individuals who make sure data is classified properly and work under the guidance of Data owner.
They are focused on the quality of data and meta data.
What is a Data Custodian?
Data Custodian is an individual or a group of people who are responsible of managing the systems that store data. They are responsible for setting up Security controls to safeguard data.
Ex - System admins
Who is a privacy Officer?
Privacy Office is an individual who makes sure data like PII, SPII or PHI related data is handled properly.
Is Data Owner some individual from IT department?
No they are not always someone from IT.
Data Owner should be decided based on the type of organization.
What are different states of Data?
Data in Transit - Data that is travelling over the network, or data that moves to and from the processor.
Data in rest -
Data in use - Data when it is being created, modified, or processed in some way.
How are different ways of encrypting data at rest?
- Full Encryption - When users logs Off the machine, Data remains encrypted but when user logs back in, it is un-encrypted.
- Partition encryption - Some specific partition is encrypted.
- File encryption
- Volume Encryption - a set of folder is encrypted
- Database encryption - Full Database is encrypted or we can also encrypt data at column, row and table level.
- Record encryption - Encrypts specific fields within a Database record. This is beneficial when multiple users are accessing a single document and all of them don’t have same view rights to this document.
6.
What are few ways to protect in transit?
Using TLS/SSL encryption
Using IPsec protocol
Using VPN
How we can protect Data in Use and how it is more vulnerable?
When data is in use, it is in unencrypted state and that is why it is more vulnerable to attacks.
To protect the Data in Use, we can make use of following techniques :
- Access control policies
- Encrypting Data at the application layer
- Use of Secure Enclaves where data can be processed in a protected isolated environment
- Using “Intel Software guard” - this technology encrypts the data while it is in memory so that other untrusted processes can’t decode this data.
What are different types of Data?
- Regulated data - this is the data that is regulated by laws, industry standards.
Example is such data is PHI, SPII, PII or credit card information. - Trade secrets - This is the data that gives competitive edge to a business over other business. It includes data like proprietary Software, Marketing strategies.
- Intellectual property - This data is the creation of mind. Like someone’s invention, someone’s literary or art work.
- Legal Data - This is the data that is used in legal proceedings, contracts, or regulatory compliance.
- Financial information - It Involves data that is related to an organization’s financial transactions, such as sales records, invoices, tax documents and bank statements.
What is the concept of Data Sovereignty?
What are different methods of securing data?
- Encryption -
- Data Masking -
- Tokenization -
- Access controls
- User awareness training
- Hasing
- Geographic restrictions
- Obfuscation -
- Segments -
What is governance in an organization?
Governance means governing something.
In an organization, it is the process of managing IT infrastructure and creating policies, procedures and standards to mitigate risks to assets and making sure that the IT infrastructure is aligned with the organizational goal.
(Mine - It is an entity who creates frameworks that consist of procedures, policies, processes and standards to mitigate risk and make sure IT infrastructure processes are aligned with the organization goals.)
It is the strategic leadership, structures, and processes that ensure an organization’s infrastructure aligns with its business objectives.
Governance is the first element of GRC triad (Governance, Risk and compliance)
What are different governance structures that govern an organization?
- Board of members - the shared holders elect these to observe the organization’s management. They are responsible for making key decisions and making policies.
- Committees - These are subgroups of board members and are responsible for governing the specific areas or tasks in an organization.
- Government entities -
- Centralized and de-centralized structures.
What are policies?
Policies are the back bone of governance.
These are the guidelines that are created by leadership to meet organizational goals.
There are different kinds of policies -
1. Acceptable use policy
2. IT security policy
3. Business Continuity policy
4. Disaster recovery policy
5. Incident response policy
6. SDLC (Software development Life cycle)
7. Change management policy - that defines how changes should be implemented to avoid their impact on other devices and to roll them back if needed.
What are standards?
Standards are the specific processes that are implemented or followed to adhere to policies.
Here are some Common standards -
- Password standards
- Access Control standards
- Encryption standards
- Physical security standards
What are procedures?
The systematic sequence of actions or steps taken to achieve a specific outcome.
For example - Data backup procedures
3 types of procedures are discussed here -
- Change management procedures - That tells how change management should be implemented.
It has main 3 steps -
- a need for a change is identified and its potential impacts are assessed.
- a plan is created to implement change
- After implementation, changes are reviewed. - Off-boarding/On-boarding procedures
- Playbooks -
What are different governance considerations?
- Regulatory considerations
- Legal considerations
- Industry considerations
- Geographical considerations
What is compliance and what are its 2 elements?
Compliance refers to adhering to rules, regulations, laws.
Its elements -
1. Compliance reporting - involves internal reporting and external compliance reporting
2. Compliance monitoring - Monitoring and analysis of organization operations to find any non-compliance.
It involves the following -
Due Diligence -
Due care -
Attestation -
Acknowledgment -
What are some non- compliance consequences?
- Fines
- Sanctions
- Reputational damage
- Loss of license
- Contractual impacts
Where does the strength of the encryption system and cryptography comes from?
From a secure key.
What is Stream and block Cipher?
Stream Cipher is a Cipher that encrypts data bit by bit.
Block Cipher is a Cipher that takes a fixed length of data from the data as blocks and then encrypts these blocks.
Block Ciphers can be hardware or Software-based.
But Stream Ciphers are most hardware-based solutions and it needs more processing power.
What are different Symmetric Algorithms?
These are the algorithms that use a common key to encrypt and decrypt data.
- DES - Data Encryption Standard - It is a block Cipher
- 3DES - Block Cipher - not used anymore
- IDEA - International Data Encryption Algorithm - It is also a block Cipher and Symmetric algorithm. It uses a key length of 128 bits
- AES - Can use 128, 192, 256 Key lengths. It is also a block Cipher.
- Blowfish - Block Cipher.
- Two fish - also a Block Cipher
- RC4 - Only Symmetric stream Cipher.
- RC5, RC6 - both block Ciphers
Define Diffie-Hellman algorithm.
It is focused on conducting key exchanges when we are creating a VPN tunnel establishment as part of the IPsec protocol.
It is susceptible to on-path attacks.
What is RSA?
RSA stands for Rivest Shamir Addleman - it is a asymmetric algorithm. It can be used for encryption, authentication (encrypting something with private key), Non-repudiation (using digital signatures).
It is commonly used in access cards.
It uses a key-length between 1024 bits and 4096 bits
What is ECC algorithm?
ECC stands for Elliptic Curve Cryptography.
It is used on devices that have low processing power like mobile devices.
It is a great way of providing better security than an equivalent RSA key of the same size.
ECC with 256 bit key is just as secure as RSA with a 2048 bit key.
There are different variations of ECC -
ECDH - Elliptic Curve Diffie Hellman
ECDHE - Diffie Hellman Ephemeral
ECDSA - Elliptic Curve Digital Signature algorithm
What is one of the most effective way to protect against software and OS vulnerabilities?
It is to implement a effective patch management system.
What is one of the most effective way to protect against software and OS vulnerabilities?
It is to implement a effective patch management system.
What is Microsoft Component object model?
COM is an interface that provides inter-operability between 2 applications that might have been programmed in different languages.
- was created by Microsoft.
What is Windows management instrumentation?
WMI - it is the very powerful tool that we can use to access, configure and monitor nearly all windows resources.
It is accessed via COM.
If we have a drive protected with NTFS access controls but its data is not encrypted, can we insert this drive into some other system and access the data on the drive?
Yes, we can take-over the files on the NTFS drive as we are the admin on this new system.
