General Knowledge Flashcards

1
Q

What is BIOS?

A

Basic Input Output System

  • It is firmware, comes on a chip - normally an Electrically Erasable Programmable Read-Only Memory (EEPROM).
  • Multiple BIOS (Motherboard, Hard Drive Controllers, Video Cards, Network cards etc.).
  • First program that gets executed
  • Performs a set of functions (self-test, measurements to ensure correct configurations, authenticate hardware), loads the OS, before handing control over to the hypervisor or OS.
2
Q

What are BIOS Security Features? Per NIST SP 800-147B.

A
  1. Authenticated updates - digital signatures prevent the execution of non-authentic BIOS images
  2. Secure local update - requires an admin to be physically present to install BIOS image without signature verification
  3. Firmware integrity protection - prevents unintended or malicious updates outside of authenticated BIOS update process
  4. Non-bypassability - no mechanism to allow main processor to bypass BIOS protections.
3
Q

What is a TPM?

A

Trusted Platform Module or cryptographic co-processor
- Supports cryptographic functions
- Enables trust in computing systems
- Has a processor, persistent memory and volatile memory
- Used as roots of trust.
- Provides tamper resistance
- TPMs are HW-based.
SW-based TPMs are also available, though not as secure.

4
Q

What are storage controllers and what do they do?

A

Storage controllers are hardware used to control storage devices.

They provide:

  • Access Control
  • assembly of data
  • provide users/apps an interface to the storage device

Examples include iSCSI and FCoE (Fibre Channel over Ethernet).

5
Q

What is a KVM switch?

A

Keyboard Video Mouse Switch
Allows a single set of human interface peripherals to connect to multiple computers
Saves space.
Users can switch between multiple computers.

6
Q

What is VXLAN?

A
  • Virtual Extensible LAN
  • Used in cloud environments
  • VLAN is a Layer 2 concept that uses tags.
  • VXLAN extends this to Layer 3, allowing VLANs to exist across data centers
7
Q

What are the steps in DHCP exchange between server and client?

A

The mnemonic is DORA
Discover - client to server on UDP Port 67
Offer - DHCP server responds with an IP address on Port 68
Request - Client confirms it will use the IP address
Acknowledge - Server acknowledges it.

DHCP v6 uses IPSec.

8
Q

What are write-blockers?

A
  • Write-blockers are used in digital forensics to preserve evidence - essentially, they block writes
  • They are used to read from a disk for evidence analysis without writing to it thereby preserving the evidence.
  • They can be SW-based - e.g. installed on a forensics computer
  • Or HW-based - e.g. blockers on a chip/portable device through which the disk is connected to a computer. It traps and prevents writes.
9
Q

Per CSA - what are the two key techniques that underpin cloud computing?

A
  • Abstraction and Orchestration
  • Abstraction - resources are abstracted from the underlying physical hardware (this is what virtualization does).
  • Orchestration - coordinate carving out and delivering a set of resources from a pool to the consumer.
10
Q

Per CSA - what’s the difference between traditional virtualization and cloud computing?

A

Traditional virtualization abstracts the resources, but does not orchestrate to pool resources together. This often requires manual processes.

11
Q

What is utility computing?

A

Utility computing is the idea that computing resources can be consumed like water or electricity, paying only for what you use (metering).

12
Q

What capabilities do PaaS offer?

A
  • Databases, Messaging, Queuing and application development frameworks are some of the capabilities that PaaS offer.
  • In a PaaS, users only see the platform - e.g. DBs may expand/contract automatically without the user having to manage the underlying servers.
13
Q

Noteworthy

A
  1. Organizations can outsource cloud, but not the responsibility for governance.
  2. Moving to the cloud doesn’t change your risk tolerance. It just changes how risk is managed.
14
Q

What information does PCI-DSS prevent you from storing?

A

CVV - Card Verification Value

CVV can be used in a transaction but cannot be stored.

15
Q

What are merchant levels in PCI-DSS?

A

Merchants are classified into levels 1 through 4 based on the number of transactions annually.
Level 1 is the highest (unlike FIPS and CC/EAL). These levels determine risk and ascertain the appropriate level of security for their businesses.

Level 1 - over 6 million transactions annually
Level 4 - Less than 20,000 annually.

16
Q

How must cardholder data be protected in PCI-DSS?

A

Using either Tokenization or Encryption.

17
Q

What is XSS and how do you protect against it?

A

XSS = Cross Site Scripting

  • Attacker inserts code into a Web App through HTML using the Java Code tag.
  • Code eventually gets downloaded when a victim accesses the Web App and his/her browser executes the code in the background without the victim’s awareness.
  • A WAF is one method of protecting a web app against an XSS attack.
  • Use of modern browsers, which isolate untrusted HTML code segments and won’t run them.
18
Q

OWASP 2021 - Top 10 List

A

A01 - Broken Access Control
A02 - Cryptographic Failures (weak crypto keys, unprotected passwords/secrets)
A03 - Injection (SQL, XSS)
A04 - Insecure Design

19
Q

What is an insecure direct object reference?

A
  • IDOR is when an application exposes a reference to an internal implementation object - e.g. HR application revealing format of Employee ID (EMP-0001).
  • Allows an attacker to launch an enumeration attack to identify other resources (e.g. EMP-0001 to EMP-9999)
  • Can be combined with broken access control resulting in sensitive data leaks.
20
Q

What does data/information governance mean?

A

Use of Data/information complies with the organizational policies, standards and strategy including regulatory, contractual and business requirements and objectives.

21
Q

How does cloud use affect data/information governance?

A
  1. Multi-tenancy
  2. Jurisdictional issues
  3. Data Privacy
  4. Inclusion of a third party (CSP) in the governance framework
  5. Destruction/removal of data
  6. Shared responsibility: Ownership vs. Custodianship (data controller, processor).
22
Q

NIST Cybersecurity Framework vs Incident Response Comparison

A

NIST CSF: Identify -> Protect -> Detect -> Respond -> Recover

Incident Response: Prepare -> Detect&Analysis -> Containment/Eradicate/Recover -> Post-Mortem.

23
Q

In Cloud, what is the equivalent of “Striping” used in traditional RAID storage?

A

The equivalent of RAID in the cloud is data dispersion.

The terms chunking and sharding are used in the cloud.

Chunking is at a file level - e.g. a 100 KB file broken into five 20 KB chunks.

Sharding is at a DB level - e.g. a phone directory in a DB stored across 5 computers. A-to-E on computer 1, etc.

24
Q

What is Transparent Database Encryption?

A

TDE encrypts the entire database file.
This is encryption of data at rest that protects against theft of storage devices.
Does NOT protect data in transit or data in use.

TDE does page level encryption - i.e. before a page is written to disk it is encrypted. It is decrypted before loading into memory.

25
Q

What is static and dynamic masking?

A

Static masking involves modifying an entire data set all at once. Good for testing an application.

Dynamic masking is masking a particular record in a dataset when it is accessed - e.g. when a customer service rep accesses a particular account.

26
Q

What is algorithmic masking?

A

Using an algorithm to mask data in a dataset.

Risk: If algorithm is reverse engineered, an attacker could infer the original data from the masked data.

27
Q

What is Inference in cybersecurity?

A

Inference is a type of attack - e.g. reverse engineering real data from masked data by cracking the masking algorithm.

28
Q

What’s the difference between Data Dispersion and bit splitting?

A

Data dispersion - data is broken up into smaller chunks and stored across multiple storage - e.g. multiple clouds. Risk: If one cloud provider is unavailable, then whole data set is unavailable.

Bit splitting - The data is first encrypted, then separated into pieces, and the pieces are distributed across several storage areas. Processing is intensive. Not great if data is constantly changing as the erasure codes have to be constantly recreated.

29
Q

In IAM, what’s the difference between Authorization, Access Control and Entitlement?

A
  • Authorization is permission to do something (e.g. access a file). Cloud provider enforces this.
  • Access control is allowing or denying the expression of that authorization - for example, only allowing a user to perform the task allowed if he/she is authenticated. Cloud provider enforces this.
  • Entitlement - maps identities to authorizations (e.g. user x can access resource y). Cloud user is responsible for defining this.
30
Q

In SW Development what is Utility and Warranty?

A

Utility = functionality of a product and service to meet a specific need; what the service does

Warranty = assurance that the product/service will meet the agreed-upon requirements (SLA)

Utility + Warranty = Value in the mind of the customer

31
Q

In virtualization, what is limit vs reservation vs share?

A

Concepts used in allocating CPU to tenants.

Limit = the max ceiling for resource allocation
Reservation = guaranteed minimum for each tenant
Shares = after reservations are met, how the rest of the resources are prioritized between guests.
32
Q

What is Brewer-Nash or Chinese Wall Model?

A

Information Security Access Controls - designed to prevent conflicts of interest in a managed service environment where a company provides services to other companies which may compete with each other.

E.g. law firm advising companies A and B who may be competitors.

33
Q

What is ISO 27034?

A

The standard for Application Security. Key concepts are:

a) Application Security Control (ASC) - a control to prevent a security weakness within an application. e.g. an ASC to mask credit card numbers on screen
b) Application level of trust - not all applications need the same level of security controls Level 0 (low) to Level 2 (high)
c) Organization Normative Framework (ONF) - company-wide repository of ASCs. Stored in a central repository
d) Application Normative Framework (ANF) - ASCs that apply to specific applications.

34
Q

How does TLS preserve integrity?

A

Uses an HMAC (Hashed Message Authentication Code)

35
Q

What is the difference between SAML and SOAP?

A
  • SAML is an XML based language - it describes formats; SOAP is a protocol.
  • SAML is carried over SOAP
  • SOAP itself is carried over HTTP/S.
36
Q

What is OAuth?

A
  • Authorization protocol defined by IETF
  • Uses HTTP
  • Delegates authorizations between services
37
Q

What is OIDC?

A

OIDC = Open ID Connect - Standard for federated authentication
Uses REST and JSON (not XML like SAML).
Extends OAuth2.0
Uses Java Web Tokens (JWT).

38
Q

What’s the difference between SAML and OIDC?

https://www.onelogin.com/blog/real-difference-saml-oidc

A

Both are identity protocols. SAML is older. OIDC is easier and becoming more popular.
SAML - used in enterprise settings v/s OIDC - used in mobile gaming, social media integration
SAML based on XML vs. OIDC on REST/JSON

39
Q

What is due care vs due diligence?

A

Due care - minimal level of effort necessary to perform your duty to others; lack of due care is negligence. Developing security policies/standards/controls.

Due diligence - understanding current threats and implementing counter measures. Activities undertaken in support or furtherance of due care.

40
Q

What is the difference between liability and risk?

A

Liability is a measure of responsibility for providing due care.
While an organization can share risk, it cannot share liability.

41
Q

What is risk?

A

The probability of a threat materializing.

Risk = Asset * Threat * Vulnerability.

If there is no threat, there is no vulnerability
If there is no vulnerability, there is no risk
If the asset value is zero, there is no risk.

42
Q

In Data Center Management what is Hot and Cold Aisle?

A

Hot/Cold Aisle have to do with air flow management.
Objective is to lower energy costs
Cold air intake is on one side, while hot air exhaust is on the other side.

43
Q

What do HVACs do?

A

Heat exchange with the outside world.
Thus the ambient temperature determines how much energy is actually used.
If outside is hot, more energy is needed to cool the air.

44
Q

What is an underfloor plenum?

A

Data center floors are raised by 2 feet (18-24”).
Underneath the floor is a plenum or duct
Used for cold air circulation and optionally cabling.
If cabling is used, then gaskets are important to prevent cold air leakage.

45
Q

What are the four components of risk management?

A
  1. Risk Framing - characterizing the risk environment.
  2. Risk Assessment - identify, estimate, prioritize information security risk. Likelihood and impact are key factors. Assets, Threats and Vulnerabilities are considered. Qualitative and quantitative risk assessments
  3. Responding to Risk -
  4. Monitoring for Risk.
46
Q

Why would you use SOAP?

A
  • SOAP can be carried over multiple transports - e.g. HTTP, HTTPS, FTP etc.
  • In SOAP, data is put inside an envelope which can be encrypted. This is why bank applications use them.
  • This gives an additional layer of protection without having to rely on transport layer protection.
47
Q

What is SLE, ALE, AV, ARO and EF?

A
  • AV = Asset Value - the value of your asset in $$$
  • EF = Exposure Factor = what portion of your asset is actually at risk for a particular threat
  • SLE = Single Loss Expectancy - how much you can expect to lose from a single attack (AV * EF).
  • ARO = Annual rate of occurrence - number of times a year you can expect an attack to occur
  • ALE=Annual Loss Expectancy = your loss each year = (SLE * ARO).