General Flashcards
What is in CIA triad
Confidentiality
Integrity
Availability
List 6 step incident response
Prepare
Detection and analysis
Containment
Eradication
Recovery
Post incident activity or lessons learned
What is triple A (AAA)
Stands for accounting, authentication, and authorization
What is MITRE’s model for post-attack techniques called
ATT&CK
Adversarial Tactics, Techniques, and Common Knowledge
List the 7 steps of the kill chain attack
Recon
Weaponization
Delivery
Exploitation
Installation
Command and control
Actions on objectives
What are the general 5 steps of hacking
Recon
Scanning
Gaining access
Maintaining access
Covering tracks
What are the 5 steps of a pen test
Planning
Scanning
Gaining access
Maintaining access
Analysis & reporting
List examples of substitution ciphers
ROT13, Caesar cipher, and keyword cipher
What is a one-time pad
It’s unbreakable if properly used. Each person gets a copy of the pad, which is the key used to encrypt the message
What is symmetric crypto
Uses one key to both encrypt and decrypt
Symmetric key crypto uses what two cipher types, and how do they encrypt
Block and stream
A block cipher works on bytes while a stream cipher works a bit at a time
List some symmetric key algorithms
DES, 3DES, and AES
List popular stream ciphers
RC4, SEAL, and ORYX
What two keys does asymmetric crypto use
Public and private
List common asymmetric algorithms
RSA, ECC, ECDSA, DSS, ElGamal, and Diffie-Hellman
List common hash algorithms
SHA, MD5, and RACE
How is a digital signature made using PKI
First the message is hashed
The hash is encrypted using the private key
The receiver uses the public key to decrypt it
OCSP versus CRL
A CRL is a list that is downloaded and checked
While the online certificate services protocol checks the certificate online to see if it is valid
What is OCSP stapling
Instead of the web browser reaching out to the CA, the web server caches the response from OCSP and then staples that response to the certificate sent to the client
What are the 5 threat intelligence lifecycle steps
Planning & requirements
Collection and processing
Analysis
Dissemination
Feedback
What are PKCS
Public Key Cryptography Standards, for different uses in a PKI infrastructure
What is PKCS 7 used for
Signing or encrypting messages
What is PKCS 10 used for
It’s the standard used to request a certificate from a CA
What is PKCS 12 or PFX
A file that stores the private key, certificate chain, and certificate; it can be protected by a password
What are 2 use cases of PKCS 7
Storing certificates or CRLs
What does Windows event logon type 2 mean
It was an interactive logon
What does Windows event logon type 3 mean
It was a network logon, such as a connection to a shared drive
What does Windows event logon type 10 mean?
Remote interactive, such as RDP or Terminal Services
What trust model does full disk encryption use
Hardware root of trust
What are standard operating procedures
Step-by-step instructions on how to carry out a task
What are the ISO 27000 standards
A series of standards that provide a framework for information security management practices
What is ISO 27001
Framework and standards for information security management systems
What is operational technology?
Systems that are used to monitor and manage manufacturing or industrial process assets
What are ICS and SCADA systems
Industrial control systems
Supervisory control and data acquisition systems
What vulnerabilities do legacy industrial systems like Modbus possess
They don’t always support authentication, confidentiality, or replay protection
What are the 7 logging facility levels in syslog
1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Informational
7 Debug
What is NTP and what port does it use?
Network Time Protocol
Uses UDP port 123
What is log normalization
Converting log data into a particular data representation and categorizing it consistently
Why should logs use UTC time
It’s universal and can easily be converted to whatever time zone the analyst is working in
What are the 4 areas in the diamond model
Adversary
Capabilities
Infrastructure
Victim
What are 2 examples of hardware root of trust devices
TPM and HSM (hardware security module)
What do physical controls do?
Mitigate risks to physical security, and also include technical controls
What do administrative/managerial controls do?
Mitigate risks by implementing certain processes and procedures
What do technical controls do?
Manage risk using technical measures such as antivirus or a firewall
What are key and compensating controls
Key controls are the primary ones and can affect an entire process if they fail
Compensating controls replace impracticable or unfeasible key controls
What is NIST SP 800-53
Security and privacy controls for information systems
What 2 frameworks are common for cyber security
ISO 27000 series and NIST SP 800-37 risk management and SP 800-53 security and privacy controls
What are IaaS, PaaS, and SaaS
IaaS is cloud infrastructure like a VPS
PaaS is a platform with some control, like Azure and
SaaS gives little to no control, like Office 365
What else are countermeasures called in risk management?
Security controls
What is user acceptance testing
Where users test things, like beta testing
What is regression testing?
Re-running functional and non-functional tests to ensure that previously developed and tested software still performs as expected after a change
What can regression testing help with in security?
Making sure any new changes don’t introduce new security vulnerabilities
What is machine code
The compiled form, like a PE file
What is assembly code
A low-level programming language with a very strong correspondence between the instructions in the language and the architecture’s machine code instructions
What is high-level code
Code at a human-readable level
What is a disassembler
Converts compiled code to assembly
What is a decompiler
Converts compiled code back into human-readable output
Do debuggers do dynamic or static analysis
Dynamic
What are the 5 stages of threat intelligence
Planning & requirements
Collection & processing
Analysis
Dissemination
Feedback
What are the 4 categories of threat intel
Strategic
Tactical
Operational
Technical
What is in the strategic threat intel category
High-level, for non-technical audiences
What is in the tactical threat intel category
Details of tactics, techniques, and procedures (TTPs)
What is in the operational intel category
Actionable info about incoming attacks
What is in the technical intel category
Technical threat indicators like a hash or C2 IP address
What are the 3 ways to assess threat intel sources
Timeliness
Relevancy
Accuracy
What is an ISAC
Information Sharing and Analysis Centers
Why are ISACs good to use?
They tend to be focused on certain industries, like healthcare
What are the two benefits of PAM?
Higher-level privileges are given temporarily
Auditing is done to monitor what is done
What is IAM versus PAM
Identity and access management covers the 5 Ws of access to resources, as well as management of passwords and the user lifecycle
Privileged access management is a subset of IAM. It identifies accounts needing privileged access and specifies the policies that apply to them
What is Microsoft’s PIM
Provides time-based and approval-based privileged access. Some vendors include this in the PAM product they sell
What is JIT PAM
Just-in-time, which refers to giving privileged access only for a certain time period to do the jobs or tasks that require it
What is an SLA
A service level agreement between a provider and client about metrics, responsiveness, and responsibilities
What is an SLO
A service level objective is an agreement about a specific metric or response time
What is an SLI
A service level indicator is used to measure compliance with an SLO and SLA
What are operational controls
Controls executed by company personnel during day-to-day operations
3 examples of operational security controls
Change management
Security awareness training
Business continuity plan
What are deterrent controls
Include some preventative controls like a guard dog. Meant to deter someone, like CCTV or a warning sign
What are detective controls
Used to investigate an incident; examples are log files and CCTV
What are corrective/responsive controls
Actions you take to recover from an incident, like restoring from a backup tape, or a fire suppression system
What are preventative controls
In place to deter an attack, like a security guard with a dog, disabling user accounts, and OS hardening
What is DAC
Discretionary access control, based on the user and their permissions to objects, such as NTFS full control
What is mandatory access control?
Based on the classification level of the data, such as top secret, secret, and confidential
In Linux permissions, what are the parts of -r-srwxr-x
The leftmost character is the type, such as d for a directory, l for a link, and - for a normal file
The next 3 groups are permissions; from left to right they are owner, group, and all others
s means setuid has been set, and a regular user will execute it with the privileges of the owner
What is useful about the sticky bit in Linux
A t means anyone can write but only the owner can delete files
What is a time offset
The regional time of where the data was collected
What is time synchronization?
Evidence from multiple time zones is put into one time, such as UTC. Also a protocol like NTP is used so all devices have the correct time
What port does NTP use
Port 123
What is STIX
It’s a standard for sharing information about cyber threats and for sharing cyber threat intel. Version 2 is JSON
What is a STIX domain object?
SDOs allow you to categorize each piece of info with specific attributes
What is a STIX relationship object?
A way to link data; there are 2: relationship and sighting
What is TAXII
A protocol to share threat intelligence data
What is the diamond model usually used for?
It uses threads to show how an attacker behaves during an attack. It can be mapped to the kill chain
What is threat modeling?
A proactive way to uncover threats and how they are carried out
What is the open source testing methodology manual OSSTMM?
Provides a guide on performing a security test or audit
What is the OWASP testing guide?
Provides a guide to testing web applications
What are the 5 steps of a risk assessment
Gather info about what assets, applications, and IT systems are there
Define and classify assets
Explore potential vulnerabilities
Explore potential threats
Create mitigation strategies
What is passive scanning
Using sources such as OSINT and traffic captures. No direct interaction with the host
What is active scanning
Provides more details, like which updates are installed on the machine
Port scanning is another example
What is device fingerprinting
Uniquely identifies assets, such as what OS a device is running
What is a map scan?
A wide scan that shows all assets on a network such as a LAN
Why is credentialed scanning better than non-credentialed
It provides more detail; a non-credentialed scan may not have all permissions
Agent versus agentless vulnerability scanning?
Agent-based: credentialed by default, doesn’t use as much bandwidth, increased management overhead
Agentless: less overhead, can be credentialed or not, won’t always provide all information without configuration changes
What is a CPE in vulnerability scanning?
A way to show info about OS, hardware, and software, such as which OS is running
What is the point of a CVSS score?
Metric for comparing and prioritizing vulnerabilities
What is a true positive
A legitimate attack detected
What is a false positive
An alert when there was no attack
What is a false negative
No alarm raised but an attack happened
What is a true negative
No alert given when legitimate activity occurred
What are the CVE score levels
0 None
0.1-3.9 Low
4.0-6.9 Medium
7-8.9 High
9-10 Critical
What is the attack vector metric in CVSS
Reflects the context by which the vulnerability is exploitable
What are the 3 metrics in a CVSS score
Base (required)
Temporal
What are the 4 attack vectors?
Network, adjacent, local, and physical
In a CVSS score, what is the attack complexity?
Measures conditions beyond the attacker’s control; there are two values, low and high
In a CVSS score, what is privileges required
Describes the privileges an attacker must have: none, low, and high
In a CVSS score, what is user interaction
A metric that measures whether another user is required to participate in a successful compromise. None or required, like a phishing link
What does dynamic ARP inspection do?
It checks a database such as the DHCP snooping database to prevent ARP spoofing.
What does DHCP snooping do?
Builds a database of MAC addresses and DHCP leases, which helps DAI against ARP spoofing. Also prevents rogue DHCP servers and DHCP starvation attacks
What is a kerberoasting attack?
What is an XXE web attack, and what is the typical field used?
An attack that allows one to interfere with an application’s processing of XML data. Typically the external entities field is used, which loads content from outside the XML file
What are the 4 types of XXE attacks?
Exploiting XXE to retrieve files
Using XXE to perform SSRF
Blind XXE to exfiltrate data out-of-band
Blind XXE to retrieve data via error messages
What is a local file inclusion web vulnerability?
An attacker tricks the website into running or exposing files
What is a remote file inclusion web vulnerability?
An attacker forces the web server to include and run code from a remote URL.
What is cross-site scripting (XSS)?
Allows an attacker to manipulate the web server to run malicious code for other users
What is a reflected XSS attack?
The malicious script comes from the HTTP request
What is a stored XSS attack, and what is one example?
When an app receives data from an untrusted source and includes it in later HTTP responses
An example is a comment on a web page that will run malicious code
What is DOM-based cross-site scripting
An app contains client-side JavaScript that processes data from an untrusted source in a malicious way
What is a cross-site request forgery (CSRF) web attack?
An attacker exploits a web app to make users do an action they didn’t intend to do
How do you prevent cross-site request forgery attacks?
Use SameSite cookies
And/or a unique CSRF token
What is a server-side request forgery?
A web app is attacked to make the vulnerable backend server run malicious code