Sec

Question 1

Symmetric encryption

Answer 1

• Same key to encrypt and decrypt.
• Faster than asymmetric.
• AES, DES, Blowfish, RC4,5,6

Question 2

Protocols / OSI model

Answer 2

1) Physical - Cables etc (Base10T, Base100T, Full Duplex)
2) Data Link - (IEEE such as ethernet and wifi, PPP, ARP, MAC, TAP)
3) Network - IP, IPSec, ICMP, TUN, Wireguard
4) Transport - TCP, UDP, TLS/SSL
5) Session - sockets, connections
6) Presentation -
7) Application

Question 3

Block ciphers vs stream ciphers

Answer 3

• Block ciphers encrypt data using blocks (usually 128 bits, such as in AES).
• Stream ciphers encrypt data by bit or byte(mostly).

Question 4

Asymmetric encryption

Answer 4

• Uses two keys do encrypted data transfer
• One key to encrypt (public key)
• One key to decrypt (private key)
• DH, ECC, RSA

Question 5

HMAC

Answer 5

• hash-based message authentication code
• used to ensure data integrity and authenticity (as some ciphers lack that such as AES)
• in ciphers you can modify send data which will result in corrupted data mostly
• uses any hash, but mostly SHA-2 or SHA-3

Question 6

Symmetric encryption modes

Answer 6

• ECB - electronic codebook (outdated)
• CBC - Cipher Block Chaining
• ECB, CBC, OFB, CFB, CTR, and XTS provide confidentiality but not protect against modification/tampering (need to use HMAC)
• this led to new encryption algorithms “Authenticated encryption” which provide data integrity as well
• GCM does the GMAC with Galois Counter
• GCM is stream cipher
• GCM - uses nonce to initialize the counter -> counter gets encrypted -> output xored with plaintext -> output encrypted and sent
• CBC - uses nonce to xor it with first block-> output is encrypted and sent -> next block xors with the previous one etc…

https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

Question 7

Initialization Vector / Cryptographic nonce

Answer 7

• used to randomize the encryption, so that the same data encrypted with the same key would not be similar.
• should be random/pseudorandom in CBC/GCM modes
• Cryptographic nonce is used only once to initiate the

Question 8

RSA

Answer 8

• public key cryptosystem
• part of PKI used for SSL certificates, digital signatures etc
• used in TLS/SSL, OpenVPN
• public/private keys
• quite slow as it is asymetric
• does not provide Perfect Forward secrecy, but can be extended with ECDHE

Question 9

DH

Answer 9

• Diffie-Hellman
• one of the first public key protocols
• derives a secret key for further use in symmetric ciphers
  Alice Bob
  Orange Orange
  Blue Green
  Mix1 Mix2
  Mix2 Mix1
  +Blue + Green
  Mix3 Mix3
• best way to deploy PFS with ECDHE and DHE

Question 10

AEAD

Answer 10

• authenticated encryption with additional data
• uses counters for authentication
• older encryption standarts doesn’t authenticate the data, and need to use additional MAC (message authentication code)
• GCM

Question 11

Perfect Forward Secrecy

Answer 11

• feature that session keys won’t be compromised even if long term secrets are revealed
• new key for each session
• keys are not kept on server

Question 12

On which port goes ping?

Answer 12

It’s ICMP! none of them, but in some rare cases it may go to UDP 7 or TCP 7

Question 13

Encoding, Encryption and Hashing?

Answer 13

Encoding may be reversed with the same algorithm used to encode it. It is used to represent the data in suitable way.
Encryption used to protect data’s confidentiality and in some cases (GCM) it’s authenticity and integrity
Hashing is not reversible in theory(hello rainbow tables) and is used to map data of arbitrary size to fixed-size values.
Hash use cases:
- data authenticity and integrity in ciphers
- checksum
- hash tables in programming
- check digits (like in credit card)

Question 14

CIA triangle

Answer 14

Confidentiality
Integrity
Availability

Question 15

PKI

Answer 15

Public Key Ifrastructure
A public key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates which are used to verify that a particular public key belongs to a certain entity. The PKI creates digital certificates which map public keys to entities, securely stores these certificates in a central repository and revokes them if needed.[6][7][8]

A PKI consists of:[7][9][10]

A certificate authority (CA) that stores, issues and signs the digital certificates;
A registration authority (RA) which verifies the identity of entities requesting their digital certificates to be stored at the CA;
A central directory—i.e., a secure location in which keys are stored and indexed;
A certificate management system managing things like the access to stored certificates or the delivery of the certificates to be issued;
A certificate policy stating the PKI’s requirements concerning its procedures. Its purpose is to allow outsiders to analyze the PKI’s trustworthiness.

Question 16

cpb

Answer 16

Cycles per byte. Number of clock cycles a microprocessor will perform per byte of data processed

Question 17

Wireguard

Answer 17

• ChaCha20 for symmetric encryption, authenticated with Poly1305
• Curve25519 for ECDH (one of the fastest, provides 128 bit security)
• BLAKE2s for hashing and keyed hashing (hashing algorithm)
• SipHash24 for hashtable keys
• HKDF for key derivation,

Question 18

Security level (cryptography)

Answer 18

Measure of the strength that a cryptographic primitive achieves : n-bit security means that the attacker would have to perform 2n operations to break it. For symmetric ciphers equals to key size. (AES-128bit key is 128 bit security) For asymmetric: depends on best known alogrithm. For 128 bit sec needs: RSA 3072, or ECDHA around 256 bits (Curve25519 for example)

Question 19

Hash functions

Answer 19

Hash use cases:

• data authenticity and integrity in ciphers
• checksum
• hash tables in programming
• check digits (like in credit card)

Most used: SHA-1, 2, 3 , Blake2, MD5

Question 20

(H)KDF

Answer 20

Key derivation function - is a cryptographic hash function that derives one or more secret keys from a secret value such as a main key
Hash Key derivation function - a simple KDF based on HMAC

Question 21

SLA

Answer 21

5 nines - 99,999% - 5 minutes
4 nines - 99,99% - 50 minutes
3,5 nines - 99,95% - 250 minutes
3 nines - 99,9% - 9 hours

Question 22

PGP

Answer 22

Pretty Good Privacy
is an encryption program that provides cryptographic privacy and authentication for data communication.
Public key asymetric encryption used to share teh symmetric key.
PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.
PGP fingerprint - can derive public key from short text

PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address. The first version of this system was generally known as a web of trust to contrast with the X.509 system, which uses a hierarchical approach based on certificate authority and which was added to PGP implementations later. Current versions of PGP encryption include both options through an automated key management server.

Question 23

Digital Signature

Answer 23

• provide authenticity and integrity
• have legal significance
• asymmetric cryptography
• uses RSA, DSA, SHA etc
• makes a hash, signs with private key - that can be decrypted only with public key

Question 24

non-repudiation

Answer 24

a situation where a statement’s author cannot successfully dispute its authorship or the validity of an associated contract.

Question 25

EFAIL

Answer 25

security hole in email systems with which content can be transmitted in encrypted form. This gap allows attackers to access the decrypted content of an email if it contains active content like HTML or JavaScript, or if loading of external content has been enabled in the client. Affected email clients include Gmail, Apple Mail, and Microsoft Outlook.

Question 26

Heartbleed

Answer 26

• present since 2012
• discovered in 2014
• It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension.
• Buffer over-read (program, while reading data from a buffer, overruns the buffer’s boundary and reads (or tries to read) adjacent memory.)

-Heartbeat Request message, consisting of a payload, typically a text string, along with the payload’s length as a 16-bit integer. The receiving computer then must send exactly the same payload back to the sender.

OpenSSL allocate a memory buffer for the message to be returned based on the length field in the requesting message, without regard to the actual size of that message’s payload. Because of this failure to do proper bounds checking, the message returned consists of the payload, possibly followed by whatever else happened to be in the allocated memory buffer.[

Question 27

Poodle

Answer 27

2014 TLS/SSL downgrade MITM attack

• downgrades the connection to SSL3.0 which can be cracked as it uses RC4 (insecure)
• attacker interferes in TLS version exchange and downgrades the version to SSL3.

Question 28

Shellshock/Bashdoor

Answer 28

2014 Bash passes env variables and exported functions to the called scripts. Exported functions are being encoded in certain way (start with “()”) to be decoded on the fly. You can encode malicious function as a variable so it decodes as a function in some bash versions.

env x=’() { :;}; echo Vuln’ bash -c “echo Test run”

Question 29

Spectre/Meltdown

Answer 29

• 2017 hardware vulnerability affecting Intel x86, IBM POWER and some ARM-based
• speculative execution
• It allows a rogue process to read all memory, even when it is not authorized to do so
• software workaround slowing computers between 5 and 30 percent in certain workloads
• exploits a race condition
• occurs between memory access and privilege checking during instruction processing
• allows an unauthorized process to read data from any address that is mapped to the current process’s memory space
• data from an unauthorized address will almost always be temporarily loaded into the CPU’s cache
• undetectable

Question 30

Eternal Blue

Answer 30

Vulnerability

Question 31

BlueKeep

Answer 31

Vulnerability

Question 32

XSS

Answer 32

Cross Site Scripting: Attacket i

Question 33

XSRF

Answer 33

Cross Site Request Forgery

Question 34

Least Privilege

Answer 34

Give a minimum access which is barely enough to perform entities tasks.

Question 35

Threat, Asset, Vulnerability, Risk

Answer 35

Vulnerabilites - weakness (known bug, no protection)
Threat - a danger of someone taking advantage of vulnerability
Risk - probability: how likely of the threat to exploit vulnerability and what is the impact

Question 36

Risk analysis

Answer 36

Quantitative - evidence based.
- ALE - annual loss expectancy
- SLE - single loss expectancy
- EF - Exposure Factor : Asset Value * EF = SLE
- ARO - annual rate of ocurrence (how often) : ALE = ARO * SLE
Qualitative - expert running through scenarios. Opionion based.

Question 37

RBAC

Answer 37

Role Based Access Control

Question 38

DDoS attack types

Answer 38

HTTP, TCP, UDP, (Syn, ACK) QUIC
https://www.cloudflare.com/en-gb/learning/ddos/what-is-a-quic-flood/
Memcached, NTP, DNS amplifications

Question 39

Binary Search

Answer 39

Sorted array as an input, we take the element in the middle and compare to the target. then decide in which part solution is left or right and continue in this part.

Question 40

SQL(MySQL) vs NoSQL(MongoDB)

Answer 40

SQL:

• Tables
• Strict schema
• Relations
• Difficult horizontal scaling
• Limitations on big amount of reads

NoSQL:

• Collections -> Documents
• NO Schema
• No /few relations
• Faster queries, but duplicate data > storage needed
• Collections are easily splittable for horizontal scaling

Question 41

K8S Security

Answer 41

CLUSTER -> Node -> Pod -> Container

• protect API !!! Network rules, RBAC and least privilege
• protect kubelet (Node Agent, takes yaml spec of pods to run and ensure that they are running)
• pod/container sec:
• • don’t run as a root
• • read only file system if possible
• -disallow privilege escalation (exact option)

Seccomp -> AppArmor-> SELinux
- seccomp - kernel filter which allows only a certain system calls for a container (default one is OK)
- apparmor - Linux kernel security module that you can use to restrict the capabilities of processes running on the host operating system
- SELinux - Security-Enhanced Linux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).
MAC -  operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target.

• OS hardening
• Least privilige
• Network isolation
• KMS (Key management system) Google/Hashicorp vault
• DEK ( Data encruption key)
• KEK ( Key Encryption Key) - can invalidate multiple DEKs with corresponding data at the same time
• Secure API server
• SSH access?
• Shell in container?
• Access to secrets?
• Check the binding of master
• run kubectl to enumerate things
• explore unauthenticated services redis, etcd, dashboards
• log outside of the cluster
• check default settings/permissions
• use updated images
• use tools /CIS benchmark
• deny all, explicit allow
• each pod has a service account with certain privileges to run against k8s API

Useful commands:
kubectl - control
kubectl clusterrolebinding - give role to a certain account
kubectl exec $pod $command - execute command in given pod
/var/run/secrets/kubernetes.io/serviceaccount/token - where the account token is stored

https: //www.youtube.com/watch?v=vTgQLzeBfRU&ab_channel=CNCF%5BCloudNativeComputingFoundation%5D
https: //www.youtube.com/watch?v=v6a37uzFrCw&ab_channel=ContainerCamp

Question 42

etcd

Answer 42

• Key value store widely used in kubernetes
• Watch - is the main function that notifies the watcher of value change
• Raft - is the type of value consenusus - master node pushes value to secondary nodes and only updates itself once they are all updated
• Lead elect - if master is not avaialble follower nodes elect a new leader
• Reliable due to replication
• In case of K8S needs to be properly secured and moved away from cluster itself
• better to use with KMS (hashicorp etc)
• if multiregional cluster - latency will increase as leader waits for the value propagation on majority of systems

Question 43

Jenkins

Answer 43

Free and open source automation server widely used in CI/CD workflow (building, testing, and deploying, facilitating continuous integration and continuous delivery. )

Question 44

REST(ful)

Answer 44

Representational state transfer (REST) is a software architectural style that defines a set of constraints to be used for creating Web services. Web services that conform to the REST architectural style, called RESTful Web services, provide interoperability between computer systems on the internet. RESTful Web services allow the requesting systems to access and manipulate textual representations of Web resources by using a uniform and predefined set of stateless operations. Other kinds of Web services, such as SOAP Web services, expose their own arbitrary sets of operations.[1]

Question 45

Horizontal/ vertical scalability

Answer 45

• Horizontal - more smaller nodes

- Vertical - pump up the main node perf

Question 46

Statelessness

Answer 46

The constraint of storing application state on the client rather than on the server makes the communication stateless.

Question 47

ACID

Answer 47

Atomicity, consistency, isolation, durability

Question 48

Kafka (topics)

Answer 48

pubsub apache opensource. You subscribe to topic

Question 49

IDE

Answer 49

Integrated development environment

Question 50

AuthN vs AuthZ

Answer 50

Authentication / Authorization

Question 51

Authentification architecture

Answer 51

Latency is the key!!! should be < 0.2 ms

• portability is key (libs in all languages)
• IOR (Identity, Operation, Resource)
• Aggregator / passes data to ->
• Distributor / is used by
• Authorization agent

OPA - open policy agent / dev in GO/ resource agnostic / unit testing

https://www.youtube.com/watch?v=R6tUNpRpdnY&ab_channel=CNCF%5BCloudNativeComputingFoundation%5D

Question 52

SPLUNK

Answer 52

and analyzing machine-generated big data via a Web-style interface.

Question 53

Server hardening

Answer 53

• cis benchmarks
• nmap + nmap vulners repo
• pen test
• least privileges for users
• up to date packages
• only used services
• only used ports
• proper remote control authentification
• proper firewall rules
• logging and audits (where it streams logs, what triggers log audit)

In the different context we can look at it from organizational point of view

• there should be well described policies concerning this server
• its assets should be registered

Question 54

ECDSA

Answer 54

Elliptic Curve DSA

Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures, bas

Question 55

JWE

Answer 55

Json Web encryption

Question 56

JWT token

Answer 56

“JAT”
JSON Web Token - is an Internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims.

Header.
Payload.
Signature

Question 57

Authentication recommendations

Answer 57

• Zero trust everywhere
• TLS for data in-transit
• do not build own - delegate
• mandate 2-fa!
• ensure correct token validation
• sign message on message queues
• ensure strong cryptographic algo (ECDSA)
  Possible bypass: change “alg” to HMAC for symmetric key and use public key ;)

Question 58

SAML

Answer 58

Security Assertion Markup Language (XML based)

Single Sign on protocol

Three actors:
User Agent
Identity Provider
Service Provider

SAML is possible only on one security domain and cross domain interactions are troubling.
Therefore OpenID was created.

Question 59

Delegated authorization

Answer 59

when third party authorizes you

Question 60

OAuth 2.0

+ OpenID

Answer 60

• Front channel (less secure) e.g. between browser and and authorization server
• Back channel (highly secure) e.g. between code and backend servers
• Authorization code: received through front channel (in callback)
• Access token: received through back channel using Authorization code
• OAuth wasn’t build for AuthN, it’s more for delegated AuthZ
• OpenID was implemented for AuthN
• • ID token
• • Userinfo endpoint for extra info on the user
• • to use openid “scope” is changed to openid, response type “id_token”

Token types:
By reference:
- contains only a unique reference and the values are not exposes
By value:
- contains the values
Token translation:
reference token -> value token

Refresh token:
sent to Oauth AS to extend access token expiration

Question 61

Questions SNAP sec?

Answer 61

Where do you see your team in 3-5 years?
How stuffed you are right now?
What are the current challenges?
Which of them can I overcome? What are the expectations?
What is the day look like?
How frequent do you have incidents required unusual handling?

Question 62

ISTIO/ Service Mesh / envoy proxy

Answer 62

Service Mesh:

• is a way to control how different parts of an application share data with one another.
• is a way to comprise a large number of discrete services into a functional application.
• a dedicated infrastructure layer built right into an app
• individual proxies that make up a service mesh are sometimes called “sidecars,” since they run alongside each service, rather than within them.
• ISTIO features:
• load balancing
• fine grain control
• access control
• visibility (logging/graphing)
• mutually encrypted traffic
• telemetry
• envoy proxy: is a modern, high performance, small footprint edge and service proxy. Developed by lyft.
• • runs in the same pod as a microservice
    https: //www.redhat.com/en/topics/microservices/what-is-a-service-mesh
    https: //www.youtube.com/watch?v=6zDrLvpfCK4&ab_channel=IBMCloud

Question 63

OKTA

Answer 63

• doesn’t have GCP provisionning

Question 64

Bubble sort

Answer 64

compares two elements and swaps them. Fills the right part of an array with the biggest values with each cycle.

Question 65

insertion sort

Answer 65

Moving from left to right sorting the elements on the left side (swaping them)

Question 66

selection sort

Answer 66

run through array to find a minimum and swap it to the left element. Take the next element and repeat.

Question 67

Golang advantages

Answer 67

• native parallel computing (for multiple core processing) - Multithreading And Concurrency
• ease of programming
• simpler code -> more secure
• compiled language (not interpreted)
• created by titans
• highest growing
• efficient compilation
• efficient execution

good for web services/ crypto/ image processing

Question 68

Data minimization

Answer 68

have as little data as possible. Only the required data.

Question 69

CRUD

Answer 69

Create -> HTTP POST
Read -> HTTP GET
Update -> HTTP PUT
Delete -> HTTP DELETE

Question 70

Positive Security / Negative security

Answer 70

A “positive security” model is one that allows only known behavior and identities, while rejecting everything else. “negative security” allows everything except for requests coming from problematic IPs, ASNs, countries or requests with problematic signatures (SQL injection attempts, etc.).

Question 71

BLOB

Answer 71

Binary Large Object

Question 72

SDLC

Answer 72

Software Development Lifecycle

1) Plan
2) Analyse
3) Design
4) Implement
5) Test & integration
6) Maintenance