Qns

Question 1

Explain what is a security assessment.

Answer 1

It is a joint collaboration between sech arch team, pentest and sadly team to identify security risks at the start of creating an application and verify if it complies with visa’s security standards

Question 2

As a security accessor, explain how you will approach a security assessment?
Si

Answer 2

Scoping - identify the scope of the change in the application
Ensure that the application aligns with visa security standards.

break down the change into diff parts, find out where the data is being stored. What kind of data i need to protect, PII PAN, how do i break it down into components, what part of the network is being exposed.

Question 3

What are the stages in a Cyber Security Incident Response.

Answer 3

identify protect prepare detect respond recover (+review)

Question 4

DLP

Answer 4

Data loss prevention - prevent unauthorised data loss or leakage - one is at host level, one is at network level - if you are sending anything out illegal on the network level

Question 5

WAF

Answer 5

Web application firewall (cloudflare)- monitor filter and block http traffic between web application and internet
- http payload inspection - tls stripping, get payload, contains private keys of visa to extract and read the payload
- whitelist IP

Question 6

IAM

Answer 6

Identity and access management - people who provision accounts and permissions

Question 7

Application Layer

Answer 7

7: Interfaces with the user and provides network services.
Eg: HTTP, FTP, SMTP, DNS

Controls: - Application firewalls- Input validation- Authentication mechanisms- Data encryption

Question 8

Presentation Layer

Answer 8

6: Translates data formats, encrypts/decrypts, and compresses data.
Eg: JPEG, SSL/TLS, ASCII

Controls: - Strong encryption protocols (e.g., TLS)- Data format validation- Secure coding practices

Question 9

Session Layer

Answer 9

5: Manages sessions and controls dialogs between systems.
NetBIOS, PPTP, RPC

Controls: - Session encryption- Secure session management (e.g., session timeouts)- Multi-factor authentication

Question 10

Transport Layer

Answer 10

4: Provides end-to-end communication and error recovery.
TCP, UDP

Controls: - Transport Layer Security (TLS)- Port filtering- Anti-DDoS measures

Question 11

network layer

Answer 11

3: Routes data packets between devices across different networks.
IP, ICMP, ARP, OSPF

Controls: - Firewall rules- Network segmentation- Intrusion Detection Systems (IDS)

Question 12

Data link layer

Answer 12

2: Handles data transfer between nodes and error detection.
Ethernet, PPP, MAC

Controls: - MAC address filtering- VLANs (Virtual LANs)- ARP inspection

Question 13

Physical layer

Answer 13

Concerned with physical hardware connections and signaling.
Cables, switches, NIC

Controls: - Physical security (locks, surveillance)- Secure hardware (e.g., tamper-proof devices)- Regular hardware audits

Question 14

MAC vs IP, which layer, description

Answer 14

Mac: layer 2 (data), identifying devices on the same network, (local)
on layer 2, devices use mac address to deliver frames to correct destination
48bit hexadecimal format
Ip: layer3 (network), identify devices across networks
Routes data packets across networks. Used for internet routing - global
IPv4 (32) / IPv6 (128)

Question 15

STRIDE S

Answer 15

Impersonation of a trusted entity, such as a user or system.

Unauthorized access to systems or data

• Use strong authentication (e.g., MFA). - Implement identity verification mechanisms. - Use secure protocols (e.g., HTTPS, TLS).

Question 16

STRIDE T

Answer 16

Unauthorized modification of data in transit or at rest.

Data corruption, loss of integrity

• Use cryptographic techniques like hashing and digital signatures. - Encrypt data in transit and at rest. - Implement checksums and audits.

Question 17

STRIDE R

Answer 17

Lack of evidence or logging to prove an action occurred, allowing denial of actions.

Fraud, accountability issues - Implement logging and auditing mechanisms.

• Use tamper-proof logs (e.g., immutable logs with cryptographic hashes). - Employ digital receipts.

Question 18

STRIDE I

Answer 18

Unauthorized access to or exposure of sensitive information.

Data leaks, privacy violations

• Use data encryption (e.g., AES). - Implement access controls and data masking. - Apply secure coding practices to prevent data exposure.

Question 19

STRIDE D

Answer 19

Disruption of service availability through resource exhaustion or targeted attacks.

Service downtime, loss of availability

• Use rate limiting and throttling. - Deploy DDoS protection (e.g., cloud-based services like AWS Shield). - Implement resource allocation limits.

Question 20

STRIDE E

Answer 20

Exploiting vulnerabilities to gain unauthorized privileges or permissions.

Unauthorized actions, full system compromise

• Enforce least privilege principles. - Regularly patch vulnerabilities. - Use privilege separation and role-based access controls (RBAC).

Question 21

Dmz

Answer 21

physical and logical subnet that seperates local area network (LAN) and other untrusted networks. Provides network segmentation to protect corporate network
Attackers need to pass through firewall before getting into dmz, > dmz > internal firewall. And these actions shd have set off alarms to prevent attacks from happening

Question 22

How to identify threats early in the DMZ

Answer 22

Network Traffic Monitoring: Analyze traffic to and from the DMZ for abnormal patterns (e.g., high traffic volumes, unauthorized access attempts).

Intrusion Detection Systems (IDS) Deploy IDS tools in the DMZ to detect suspicious activities like scanning, brute force attempts, or unusual traffic patterns.

Vulnerability Scanning Regularly scan DMZ systems for unpatched vulnerabilities or misconfigurations.

Question 23

TLS Process

Answer 23

Client verify server
1. Client Hello
2. Server hello - send out cert to prove identity
3. Cert validation - client check if valid CA (asymmetric)
4. Key Exchange - shared session key using either RSA or Diffie Hellman methods
5. Secure communication using shared session key (symmetric key to encrypt data)

Question 24

How would you secure an API

Answer 24

1. Access to API
   1. VPVP / VDP are of API Gateway
   2. Authentiation —> API Key + Shared Secret, mTLS OR LDAP
   3. Authorization —> AD Groups (LDAP), Client ID
2. JWT Token / API Token (Keberos)
   1. First you authenticate
   2. You recieve 15min timeout, you can use token to gain access to in scope systems
   3. When you present the token, they will validate the token and then check if its still applicable.
   4. JWT MUST BE SIGNED

Question 25

What is mTLS

Answer 25

1. TLS —> Client verifying the Server
   2. mTLS —> Client Verifying Server, Server verifying clients
   3. MTLS is exchanging certificates.
   4. Provides TLS and Authentication of both sides

Question 26

What is OAuth

Answer 26

OAuth (Open Authorization) is a token based authentication tool that allows for

Third party applications to authenticate users without exposing user credentials

OAuth provides secure, token-based authentication and authorization.

Question 27

Explain the difference between a public and private key?

Answer 27

1. What are the private algorithms and strength (just say AES-GCM-256 or AES-CBC-256) GCM for CI and CBC for C only
   2. What are the public key algorithms:
      
      1. Most common ECC, RSA (Prime Number Factorization) or PGP (EMAIL)
      2. And Diffie Hellman (Logarithmic challenge for co-primes) for Key Exchange

Question 28

Hash vs hmac vs password stretching

Answer 28

HASH (One way irreversible algorithm - no secret and provide integrity), HMAC (Hash with a Secret Key - integrity + authenticity + some include timestamps, SHA256 ) and Pasword Stretching algorithms like PBKDF or bcrypt(PROVIDES CONFIDENTIALITY - Password storing algorithm - use to store a user password in hash form. Salted —> Adding a random string before hashing. Password Stretching Algorithm, makes it difficult to reverse the hash)? Explain how each work.

Question 29

Burp suite

Answer 29

Burp Suite is a widely used tool for web application penetration testing. It acts as an intercepting proxy that allows testers to capture, analyze, and manipulate HTTP and HTTPS traffic between the client and server. Its primary use is to identify and exploit vulnerabilities in web applications.

Key uses include:
1. Intercepting Traffic: Capturing and modifying requests and responses to test for vulnerabilities.
2. Automated Scanning: Identifying issues like SQL injection, XSS, and CSRF using its scanner (in the Professional Edition).
3. Manual Testing: Tools like Repeater and Intruder allow custom payload testing and parameter manipulation.
4. Crawling Applications: Mapping the structure of an application using the Spider.
5. Token Analysis: Assessing session randomness and security through the Sequencer.
6. Extensibility: Using extensions to enhance functionality and integrate with other tools.

In short, Burp Suite is an essential tool for finding security flaws and ensuring the overall security of web applications.”

Question 30

HSM

Answer 30

“An HSM (Hardware Security Module) securely store and manage cryptographic keys and perform sensitive operations like encryption, decryption, and digital signing.

All cryptographic operations are done within the HSM to ensure the keys never leave the device in plaintext, providing maximum security.

HSMs are used in applications like payment systems, PKI, digital signatures, and database encryption. They meet regulatory standards (e.g., FIPS 140-2) and are essential for secure and compliant cryptographic key management.”

Question 31

Explain Key Vault on Cloud systems

Answer 31

“A Key Vault in cloud systems is a managed service that securely stores and manages cryptographic keys, secrets (like API keys, passwords), and certificates.

It provides centralized control, enabling encryption operations, key rotation, and access management through role-based access control (RBAC) and audit logging.

Keys never leave the vault unencrypted, ensuring data security and compliance with standards. Examples include Azure Key Vault, AWS KMS, and Google Cloud KMS.”

Question 32

IDS and IPS

Answer 32

“IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are security tools for monitoring network traffic. IDS detects and alerts on suspicious activity, while IPS actively blocks malicious traffic in real time. IDS is passive, focusing on alerting, whereas IPS is proactive, preventing threats.

“IDS and IPS operate at the Network Layer (Layer 3) and Transport Layer (Layer 4) for analyzing IP packets and protocols (e.g., TCP/UDP).

Question 33

OWASP TOP 10

Answer 33

broken access control
cryptographic failures - insufficient
injection
insecure design
security misconfig
vulnerable and outdated components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery (SSRF)

Question 34

RSA Algo

Answer 34

public key is embedded in private key and therefore public private key cannot be interchanged

Question 35

Integrity

Answer 35

before you send it and after you receive it package is exactly the same - no one has modified it without my knowledge

Question 36

non repudiation

Answer 36

someone cannot claim that they did not make that change

Question 37

authenticity

Answer 37

you are who you are

Question 38

Digital cert

Answer 38

authenticity is ensured

Core componnets of PKI - public key infra
Ensures secure communication, integrity and authentication
Electronic credential issued by a trusted entity (certificate authority CA)
Binds public key to entity
Used to establish trust in secure communication like https

Question 39

Components of digital cert

Answer 39

Public key
Subject info (entity cert is issued to) - eg domain name
Issuer info - CA
Validity period - start n expiry
Signature - digital signature of CA - authenticity

Question 40

Digital signatures

Answer 40

Intergrity, authentication, non repudiation

Question 41

Ocsp (pnline certificate statue protocol)

Answer 41

• managing certs
  Check the revocation status of digital certs
  Real time
  Client sends request to Ocsp responder that is managed by CA with cert details
  Replies with good, revoked or unknown
  Allows for real time verification
  Caused reliance om availability of ocsp server

Question 42

Stapling

Answer 42

Query ocsp responder for cert status
Done during TLS handshake
Response from ocsp is stapled to TLS handshake
Client verifies OCSP without contactive the server

Question 43

API

Answer 43

C - SSL/TLS
I -
A - rate limiting

Question 44

RAG

Answer 44

retrieveal augemnted generation
- retrieve a chunk of data that u know is very similar then u use it to generate a response
embedding the data and question, getting similarity score, get highest similarity

takes data, ask question, replies

in chatgpt:
everything is represented in vectors / embedding - numerical representation of the message
similarity comparison between vectors
find the top 3 passages that are the most similar to the questions

chatting functionality is the prompt engineering portion and

Question 45

langchain

Answer 45

if chatgpt needs context of everything from a previous scope, they need to send in the summary of the previous conversation along with the added on data from the current query