Must know Items

Question 1

Information Security - InfoSec

Answer 1

Information security (or infosec) refers to the protection of data resources from unauthorized access, attack, theft, or damage

Question 2

InfoSec Properties - CIA Triad & how it is enforced

Answer 2

Three main tenants of Information Security

Confidentiality

• info known to certain people
• enforced by permissions, authentication, encryption

Integrity

• Data is correct and transferred as intended
• enforced by hash/checksum

Availability

• accessible to authorized user to view and/or modify
• enforced by backups/redundancy

Question 3

non-repudiation

Answer 3

A fourth important tenant of InfoSec

non-repudiation

• A subject can not deny creating or modifying data
• enforced by signing electronically
• related to integrity

Question 4

Security Control Categories

Answer 4

Technical

• controls implemented as a system
• hw, sw, security appliances, firewalls

Operational

• controls that depend on a person for implementation
• security guard, training programs

Managerial

• controls that give oversight to the system
• NDA, risk identification, tools to evaluate and select other security controls

Question 5

Security Control Functional Types

Answer 5

Preventative
- before an attack happens and attempts to block it

Detective
- during an attack to identify it

Corrective
- after an attack to mitigate it

Physical
- alarms, gates, locks, fences, lighting, security cameras, guards

Deterrent
- psychologically discourages - signs, warnings of legal penalties

Compensating
- controls which serve as a substitute

Question 6

NIST Cyber Security Framework (CFS)

Answer 6

A list of activities/objectives taken to mitigate risks

Provides

• a statement of current capabilities
• a measure of progress
• verifiable for regulatory compliance reporting

Question 7

ISO 27001

Answer 7

International Standard relating to InfoSec rules and regulations

Question 8

ISO 27002

Answer 8

International Standard relating to InfoSec best practices

Question 9

ISO 27701

Answer 9

International Standard relating to personal data and privacy

Question 10

ISO 27017 and 27018

Answer 10

International Standard relating to cloud security

Question 11

ISO 31000

Answer 11

International Standard relating to enterprise risk management (ERM)

Question 12

Regs, Standards and Legislation

Answer 12

Sarbanes-Oxley (SOX)

• relates to due diligence, criminalizes negligence
• risk assessments, internal controls, and audit procedures

General Data Protection Regulation (GDPR)

• EU’s fairness and right to privacy regulation
• very common standard in use today

Grahm-Leach-Bliley Act (GLBA) - for financial industry
HIPPA - how to handle health data from a corporate view point
PCI DSS - how to handle credit card info

Question 13

Risk impact

Answer 13

Vulnerability + Threat = Risk

Vulnerability
- weakness which could cause a data breach

Threat
- someone or something which could exploit a vulnerability to cause a data breach

Risk

• likelihood and impact/consequence of threat actor exploiting a vulnerability
• assess by identifying a vulnerability and then evaluate the likelihood of it being exploited by a threat and the impact that a successful exploit would have.

Question 14

Attack Surface

Answer 14

points where an attacker can discover/exploit vulnerabilities in a network or application

Question 15

Attack Vector

Answer 15

How to access a system

• direct access
• removable media
• email
• remote and wireless
• supply chain
• web and social media
• cloud

Question 16

Threat Intelligence

Answer 16

Can learn from anywhere, just need to research and follow up

• Tools - Mitre ATT&CK, OWASP, CVE, CVSS
• honeypots/nets

Question 17

TTP and IoC

Answer 17

Tactics, Techniques and Procedures (TTP)

• how you know you are being attacked
• identify attackers

Indicators of Compromise

• knowing a system has been compromised
• evidence of TTP on the system

Question 18

SIEM

Answer 18

Security Information and Event Management

- a platform which uses cyber threat intelligence (CTI) data and AI to produce actionable intelligence on an attack

Question 19

SOAR

Answer 19

Security Orchestration, Automation, and Response

• a solution to the problem of an Analysts’ ability to respond to an overwhelming volume of alerts
• usually automates SIEM
• used to drive incident response and threat hunting

Question 20

Threat Data Feeds

Answer 20

STIIX - Structured Threat Information eXpression - syntax
TAXII - Trusted Automated eXchange - protocol/service
AIS - Automated Indicator of Sharing - service for sharing threat intel
Threat Maps - global attack maps
CVE - Common Vulnerabilities and Exposure - database by Mitre

Question 21

SCAP

Answer 21

Security Content Application Protocol

• used by many scanners to obtain feed updates
• defines ways to compare a systems actual configuration to a target secure baseline
• defines common identifiers

Question 22

OSINT

Answer 22

Open Source Intelligence

-an open source threat intelligence service

Question 23

Network Reconnaissance and Discovery

Footprinting

Answer 23

Basic command line tools:
ipconfig - win - shows assigned network interfaces (MAC to IP, default gateway)
ifconfig - linux form of ipconfig

ping - probe a host on a particular IP or hostname using ICMP
- ICMP - Internet Control Message Protocol

arp - display the local machines Address Resolution Protocol (ARP) cache

• useful for showing recent MACs associated with each IP
• can show a Man in the middle attack (gateway MAC IP is not real routers MAC address)

Question 24

Network Reconnaissance and Discovery

Routes/Routing

Answer 24

Tools to test routing configurations and connectivity with remote hosts and networks
route - view/config the hosts local routing table
- usually shows the gateway router and any subnets, additional host entries are suspicious

tracert - win - using ICMP, reports round trip time (RTT) for hops between host and remote host
traceroute - linux form of tracert, but uses UDP

pathping - win - provides latency stats and packet loss along a route over a longer measuring period
mar - linux form of pathping
- high latency times to gateway indicate Man in the Middle attack
- high latency times on other hops indicate DoS or could be network congestion

Question 25

Network Reconnaissance and Discovery

Nmap

Answer 25

Nmap is an open source IP Scanner
Basic use for port scanning and port identification:
nmap

Service discovery - which hosts are operating and which applications it is using
nmap can scan protocols (TCP SYN -s S, UDP -s U, port ranges -p)

Fingerprinting - detailed analysis of services on a particular host
nmap can scan more intently using -s V or -A
- provides protocol, app name and version, os type and version, device type

Question 26

Network Reconnaissance and Discovery

netstat and nslookup

Answer 26

netstat used for state of TCP/UDP ports on the local machine

nslookup used for IP resolution uses DNS

Question 27

Network Reconnaissance and Discovery

other tools

Answer 27

theHarvester - gathers OSINT
dnsenum - hosting info, name records, and ip ranges in use
scanless - scans for open ports that should not be open
curl - client tool for performing data transfers over many types of protocols
nc, ncat - connection tool to test connections
Nessus - network scanner to show vulnerabilities

Question 28

Network Reconnaissance and Discovery

Packet Capture and Analysis tools

Answer 28

tcpdump - lin - cmd line tool to capture packet traffic

wireshark - performs a pcap ( packet capture) and analysis of traffic

Question 29

Network Reconnaissance and Discovery

Packet Injection and Replay tools

Answer 29

Tools to allow for spoofing/forged data on network traffic
hping - can test host/prot detection and firewall testing, traceroute testing, and DoS testing

tcpreplay - can replay captured traffic (.pcap files) through a network interface

Question 30

RAT

Answer 30

Remote Access Trojan - gives an attacker a means of remote access to the system

Question 31

Scanning Intrusive vs non-Intrusive

Answer 31

Non-Intrusive is not using network bandwidth to perform the scan, like looking at types of traffic generated by a device

Intrusive uses network bandwidth or network connections

Question 32

Pen testing

Answer 32

Black Box/Hat - unknown environment - non credentialed testing

White Box/Hat - known environment - credentialed testing

Grey Box/Hat - partially known environment

Question 33

Attack Exercises Teams

Answer 33

Red team - attack unknown environment
Blue team - defensive role
White team - knows the rules, arbitrator
Purple team - red and blue team meet for regular debriefs during the exercise

Question 34

Pen test attack life cycle

Answer 34

persistence
- able to reconnect to attack sys

privilege escalation
- higher perm for actions

lateral movement
- move to another host

pivoting
- ability to bypass network boundary

actions/objectives
- exfiltrate (steal) data

cleanup
- remove evidence of attack

Question 35

Kill Chain Reconnaissance tools

and if Passive or Active technique

Answer 35

OSINT - passive
Social Engineering - passive and active
Footprinting -nmap and packet sniffing - active
War driving - mapping the location and type of wireless networks target is operating
Drones/UAV

Question 36

Worm

Answer 36

an in memory-resident malware that can run without user intervention and replicate over network resources

a worm gets into a system from exploiting a vulnerability in a process when the user browses a website, runs a vulnerable server application, or is connected to an infected file share

Question 37

Virus

Answer 37

malware designed to replicated and spread from computer to computer usually infecting executable applications or program code

is only execute when the user performs an action such as downloading and running an infected process

multiparite a virus using multiple vectors

polymorphic a virus which changes dynamically or obfuscate their code to evade detection

Question 38

Logic bomb

Answer 38

malware which has a trigger before exposing itself

a trigger could be pre-configured time or date, user event

a mine is when a script is left as a trap

Question 39

Malware Indicators

Answer 39

Browser changes or over ransomware notification

Anti-virus notification

Sandbox execution
- Cuckoo tool

Resource utilization/consumption
- taskmanager or top cmd

File system changes

• Registry
• Temp files

Question 40

Process Analysis

Answer 40

Requires a baseline of ‘normal’ by taking benchmarks of the system in order to be able to spot abnormalities

Need for advanced attacks

Question 41

Social Engineering Principles

Reasons for Effectiveness

Answer 41

Familiarity/liking
- establishes trust with victim

Consensus/social proof
- exploit polite behaviors

Authority and intimidation

• make victim afraid to refuse
• exploit lack of knowledge or awareness

Scarcity and urgency
- rush victim into a decision

Question 42

Pretexting

Answer 42

Using a scenario with convincing details

Question 43

tailgating

Answer 43

unknown
access premises covertly
follow someone through a door

Question 44

Piggybacking

Answer 44

Known
access premises without authorization but with knowledge of employee
getting employee to hold a door

Question 45

Symmetrical Encryption

Answer 45

sender and receiver must use the same key

Fast therefore good for bulk encryption

Difficult to pass the key between the two parties w/out compromise

asymmetrical better for key sharing

Question 46

Asymmetrical Encryption

Answer 46

Utilizes key pairs - a private and a public key
each key can encrypt and decrypt but the key used to encrypt can not then decrypt
private key encrypts, then the public key decrypts and vice versa

Typical process of sending encrypted message between two parties:
1 two parties exchange the public keys
2 each can then encrypt the message being sent with their private key
3 send the encrypted message to the reciever
4 the receiver then decrypts the encrypted message with the senders public key

Question 47

Signing with Public keys

Answer 47

Signatures are asymmetrical encryption in reverse

to Sign - Sender who is signing uses their private key
to Verify - Receiver then uses the senders public key to decrypt the signing message

Question 48

Digital Certificate

Answer 48

A wrapper for a public key associated with a digital identity

Identity assertion is validated by a Cert Authority (CA) (a 3rd party) by signing the certificate

Both parties must trust the CA

This is known as Public Key Infrastructure (PKI) standard is X.509

Question 49

Access Controls

Answer 49

Subjects
- user or sw that requests access

Objects
- resources networks, servers, data

Identification
- associating a subject with computer/network account

Authentication

• Challenge the subject to supply credentials to gain access to the account
• passwords, pin, biometrics

Authorization

• rights/permissions/privileges assigned to the account
• What we are allowed to access

Accounting

• auditing use of the account
• who did what on the system

Question 50

Authentication Factors

Answer 50

Something you know

• knowledge factor
• password, PIN, challenge questions, date of birth

Something you have

• Ownership factor
• Hardware token, FOB, smart card, birth certificate

Something you are/do

• biometric factor
• fingerprint, iris

Question 51

Authentication Attributes

Answer 51

somewhere you are

• geolocation
• IP location
• switch port, VLAN, wireless network

something you can do
-perform an action uniquely

something you exhibit
-behavior or trait unique to you

someone you know
-web of trust

Question 52

Kerberos

Answer 52

Kerberos players: Supplicant(client), the KDC svr, and the app svr

Client needs to use the app svr

Kerberos Authentication

• client requests ticket to app svr
• KDC verifies user and produces a session ticket to be used on specified app svr
• client has now been authenticated and has the session key to use with app svr

Kerberos Authorization

• client requests session ticket to app svr
• KDC provides a session ticket key and a TGT for the app svr to the client
• client sends the session key and TGT to the app svr plus an authenticator
• app svr verifies the TGT and session key, send the client an authenticator
• client verifies the authenticator
• now have mutual authentication
• client and app svr can now do business

Question 53

EAP and 802.1

Answer 53

See diagram, think RADIUS and TACACS+, AAA servers

Know process of authentication it uses

Question 54

Biometric Authentication

Answer 54

FRR - False Rejection Rate
FAR - False Acceptance Rate
CER - Cross-over Error Rate, the sweet spot

Question 55

Role Based Access Control (RBAC)

Answer 55

• Non-discretionary and more centralized control
• Based on defining roles then allocating users to roles
• Users should only inherit role permissions to perform particular tasks
Similar to group based permission management

Question 56

Discretionary Access Control (DAC)

Answer 56

• Based on resource ownership
• Access Control Lists (ACLs)
• Vulnerable to compromised privileged user accounts

Question 57

Mandatory Access Control

Answer 57

Uses sensitivity labels for objects
Uses security clearance labels for subjects
Centralized point of management:
Rules are set and can not be changed by any subject account and are therefore no-discretionary
Subjects can not change object labels nor their own label
system defined, very rigid
Used by trusted OS, like SE Linux

Question 58

Attribute Based Access Control (ABAC)

Answer 58

Limits access based off of any attribute tied to a file.

• File extension
• time
• size
• content

Centralized point of management

Very flexible but can become complex

Question 59

PAM - Privileged Access Management

Answer 59

Refers to policies, procedures, and technical controls to prevent malicious abuse of privileged accounts
Attempts to mitigate risks from weak configuration control over privileges

Question 60

SAML

Answer 60

Security Assertions Markup Language

• open standard for implementing identity and service provider communications
• attestations/assertions
  
  • xml format
  • signed using XML signature
• communication protocols
  
  • HTTPS
  • SOAP (Simple Object Access Protocol)

-tied to OAUTH and OpenId

Question 61

Network Appliances and the OSI Model

All People Seem To Need Data Processing

Please Do Not Throw Sausage Pizza Away

Answer 61

See diagram for details of each layer

1 Physical - moves bits - wires, fiber, etc
2 Datalink - Switch, Bridge, WAP local networks, connects nodes inside a LAN
arp (address resolution protocol)
3 Network - Router (IP) - global networking LAN to LAN connections
firewall
4 Transport - end to end connections TCP, UDP
DNS
5 Session - host to host (process to process)
6 Presentation - Syntax layer, encryption and formatting
7 Application - End user layer, creates to send, open received

Question 62

Private IP addresses found on a host

Answer 62

These are non-routable over the internet

10. x.x.x (Class A private)
11. 16-31.x.x (Class B private)
12. 168.x.x (Class C private)

Question 63

Compare and contrast Network based solution vs Host based solution

Answer 63

Network based solution:
Pro:
- wide overarching picture of network
- offloads processing from individual hosts
Con:
- not detailed

Host based solution:
Pro:
- fine picture of individual host
- Can be cheaper: cost of solution, cost of implementation
Con:
- No overarching network context

Question 64

Know common ports and protocols

Answer 64

Which of these ports can be used to not alter SFTP? 20/21
SFTP - FTP via SSH - port 22
FTPS - FTP via TLS - port 21

unsecure: SMTP (25), POP3 (110), IMAP (143)
secure: STMPS (587 STARTTLS, 465 IMPLICIT TLS), POP3S (995), IMAPS (993)

udp - DNS (53) for for queries, TFTP (69), NTP (123), SNMP (161,162) RADIUS (1812,1813)

either - TACACS(49), Kerberous (88), SMB(server Msg Block 137-139), LDAP (389), LDAPS (636)

Question 65

CASB

Answer 65

Cloud Access Security Broker

Enterprise management SW used to mediate (broker) access to cloud services by users across all types of devices

Functions provided:

• enable single sign-on authentication, access controls, and authorizations
• scan for malware and rogue access points (APs)
• monitor and audit user and resource activity
• mitigate data exfiltration through prevention of access to unauthorized could services
• prevent unauthorized application and plugin updates

implemented using

• forward proxy at the CLIENT net edge
• reverse proxy at the CLOUD net edge without modifying a user’s system
• application programming interface (API) using connections between the cloud service and cloud consumer

Question 66

As a Service items - SaaS

Answer 66

SW as a Service

• client brings data
• CSP provides Apps, OS, HW

Example: Web Mail

Question 67

As a Service items - PaaS

Answer 67

Platform as a Service:

• client provides Data and App
• CSP provides OS and HW and multi-tier DB

Example: Azure Development platform

Question 68

As a Service items - IaaS

Answer 68

Infrastructure as a Service

• client provides Data, App, and OS
• CSP provode HW

Example: Amazon Web Services (AWS)

Question 69

Cross Site Scripting (XSS)

Know for test

Answer 69

Run a script on your system
can do anything permissions allow
automates malicious actions
Know for TEST:
Two Flavors:
Non-Persistent/reflected
- coded in a link
Persistent/stored
- injected into Database
Client side
- Document Object Model (DOM)
- infects the browser

Question 70

SQLi

Answer 70

SQL injections
will always have a totality in the query, like A=A or 1=1

recognize as SQL query

Question 71

Incident Response Cycle
PICERL
-will be on test, usually describes scenario and asks what is next step

Answer 71

Note: Can have overlaps in steps

Prep
- have tools and training up to date and ready for use

Identify

• Detection and Analysis (it happened and what happened)
• we have a virus and which virus

Containment
-isolation

Eradication
-Removal and destruction

Recovery

• Recover data, bring systems back online
• Go back to Identify, may have not fully recovered

Post-Incident

• lessons learned, documentation
• improve Prep stage, go back to prep stage

Question 72

Cyber Kill Chain Attack Framework
or
Steps of Attack / Framework
will be on test

Answer 72

Steps of Attack / Framework
Reconnaissance / Research
Weaponization / Build your attack
Delivery / get into; Component Access
Exploitation / Breach Security or Activation 
Installation / Persistence - how to stay
Cmd & Control / Reach back to Attacker
Actions on Objectives / The Attack