Sec Flashcards

1
Q

Symmetric encryption

A
  • Same key to encrypt and decrypt.
  • Faster than asymmetric.
  • AES, DES, Blowfish, RC4,5,6
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Protocols / OSI model

A

1) Physical - Cables etc (Base10T, Base100T, Full Duplex)
2) Data Link - (IEEE such as ethernet and wifi, PPP, ARP, MAC, TAP)
3) Network - IP, IPSec, ICMP, TUN, Wireguard
4) Transport - TCP, UDP, TLS/SSL
5) Session - sockets, connections
6) Presentation -
7) Application

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Block ciphers vs stream ciphers

A
  • Block ciphers encrypt data using blocks (usually 128 bits, such as in AES).
  • Stream ciphers encrypt data by bit or byte(mostly).
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Asymmetric encryption

A
  • Uses two keys do encrypted data transfer
  • One key to encrypt (public key)
  • One key to decrypt (private key)
  • DH, ECC, RSA
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

HMAC

A
  • hash-based message authentication code
  • used to ensure data integrity and authenticity (as some ciphers lack that such as AES)
  • in ciphers you can modify send data which will result in corrupted data mostly
  • uses any hash, but mostly SHA-2 or SHA-3
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Symmetric encryption modes

A
  • ECB - electronic codebook (outdated)
  • CBC - Cipher Block Chaining
  • ECB, CBC, OFB, CFB, CTR, and XTS provide confidentiality but not protect against modification/tampering (need to use HMAC)
  • this led to new encryption algorithms “Authenticated encryption” which provide data integrity as well
  • GCM does the GMAC with Galois Counter
  • GCM is stream cipher
  • GCM - uses nonce to initialize the counter -> counter gets encrypted -> output xored with plaintext -> output encrypted and sent
  • CBC - uses nonce to xor it with first block-> output is encrypted and sent -> next block xors with the previous one etc…

https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Initialization Vector / Cryptographic nonce

A
  • used to randomize the encryption, so that the same data encrypted with the same key would not be similar.
  • should be random/pseudorandom in CBC/GCM modes
  • Cryptographic nonce is used only once to initiate the
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

RSA

A
  • public key cryptosystem
  • part of PKI used for SSL certificates, digital signatures etc
  • used in TLS/SSL, OpenVPN
  • public/private keys
  • quite slow as it is asymetric
  • does not provide Perfect Forward secrecy, but can be extended with ECDHE
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

DH

A
  • Diffie-Hellman
  • one of the first public key protocols
  • derives a secret key for further use in symmetric ciphers
    Alice Bob
    Orange Orange
    Blue Green
    Mix1 Mix2
    Mix2 Mix1
    +Blue + Green
    Mix3 Mix3
  • best way to deploy PFS with ECDHE and DHE
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

AEAD

A
  • authenticated encryption with additional data
  • uses counters for authentication
  • older encryption standarts doesn’t authenticate the data, and need to use additional MAC (message authentication code)
  • GCM
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Perfect Forward Secrecy

A
  • feature that session keys won’t be compromised even if long term secrets are revealed
  • new key for each session
  • keys are not kept on server
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

On which port goes ping?

A

It’s ICMP! none of them, but in some rare cases it may go to UDP 7 or TCP 7

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Encoding, Encryption and Hashing?

A

Encoding may be reversed with the same algorithm used to encode it. It is used to represent the data in suitable way.
Encryption used to protect data’s confidentiality and in some cases (GCM) it’s authenticity and integrity
Hashing is not reversible in theory(hello rainbow tables) and is used to map data of arbitrary size to fixed-size values.
Hash use cases:
- data authenticity and integrity in ciphers
- checksum
- hash tables in programming
- check digits (like in credit card)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

CIA triangle

A

Confidentiality
Integrity
Availability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

PKI

A

Public Key Ifrastructure
A public key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates which are used to verify that a particular public key belongs to a certain entity. The PKI creates digital certificates which map public keys to entities, securely stores these certificates in a central repository and revokes them if needed.[6][7][8]

A PKI consists of:[7][9][10]

A certificate authority (CA) that stores, issues and signs the digital certificates;
A registration authority (RA) which verifies the identity of entities requesting their digital certificates to be stored at the CA;
A central directory—i.e., a secure location in which keys are stored and indexed;
A certificate management system managing things like the access to stored certificates or the delivery of the certificates to be issued;
A certificate policy stating the PKI’s requirements concerning its procedures. Its purpose is to allow outsiders to analyze the PKI’s trustworthiness.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

cpb

A

Cycles per byte. Number of clock cycles a microprocessor will perform per byte of data processed

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Wireguard

A
  • ChaCha20 for symmetric encryption, authenticated with Poly1305
  • Curve25519 for ECDH (one of the fastest, provides 128 bit security)
  • BLAKE2s for hashing and keyed hashing (hashing algorithm)
  • SipHash24 for hashtable keys
  • HKDF for key derivation,
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Security level (cryptography)

A

Measure of the strength that a cryptographic primitive achieves : n-bit security means that the attacker would have to perform 2n operations to break it. For symmetric ciphers equals to key size. (AES-128bit key is 128 bit security) For asymmetric: depends on best known alogrithm. For 128 bit sec needs: RSA 3072, or ECDHA around 256 bits (Curve25519 for example)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Hash functions

A

Hash use cases:

  • data authenticity and integrity in ciphers
  • checksum
  • hash tables in programming
  • check digits (like in credit card)

Most used: SHA-1, 2, 3 , Blake2, MD5

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

(H)KDF

A

Key derivation function - is a cryptographic hash function that derives one or more secret keys from a secret value such as a main key
Hash Key derivation function - a simple KDF based on HMAC

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

SLA

A

5 nines - 99,999% - 5 minutes
4 nines - 99,99% - 50 minutes
3,5 nines - 99,95% - 250 minutes
3 nines - 99,9% - 9 hours

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

PGP

A

Pretty Good Privacy
is an encryption program that provides cryptographic privacy and authentication for data communication.
Public key asymetric encryption used to share teh symmetric key.
PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.
PGP fingerprint - can derive public key from short text

PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address. The first version of this system was generally known as a web of trust to contrast with the X.509 system, which uses a hierarchical approach based on certificate authority and which was added to PGP implementations later. Current versions of PGP encryption include both options through an automated key management server.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Digital Signature

A
  • provide authenticity and integrity
  • have legal significance
  • asymmetric cryptography
  • uses RSA, DSA, SHA etc
  • makes a hash, signs with private key - that can be decrypted only with public key
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

non-repudiation

A

a situation where a statement’s author cannot successfully dispute its authorship or the validity of an associated contract.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

EFAIL

A

security hole in email systems with which content can be transmitted in encrypted form. This gap allows attackers to access the decrypted content of an email if it contains active content like HTML or JavaScript, or if loading of external content has been enabled in the client. Affected email clients include Gmail, Apple Mail, and Microsoft Outlook.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Heartbleed

A
  • present since 2012
  • discovered in 2014
  • It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension.
  • Buffer over-read (program, while reading data from a buffer, overruns the buffer’s boundary and reads (or tries to read) adjacent memory.)

-Heartbeat Request message, consisting of a payload, typically a text string, along with the payload’s length as a 16-bit integer. The receiving computer then must send exactly the same payload back to the sender.

OpenSSL allocate a memory buffer for the message to be returned based on the length field in the requesting message, without regard to the actual size of that message’s payload. Because of this failure to do proper bounds checking, the message returned consists of the payload, possibly followed by whatever else happened to be in the allocated memory buffer.[

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Poodle

A

2014 TLS/SSL downgrade MITM attack

  • downgrades the connection to SSL3.0 which can be cracked as it uses RC4 (insecure)
  • attacker interferes in TLS version exchange and downgrades the version to SSL3.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Shellshock/Bashdoor

A

2014 Bash passes env variables and exported functions to the called scripts. Exported functions are being encoded in certain way (start with “()”) to be decoded on the fly. You can encode malicious function as a variable so it decodes as a function in some bash versions.

env x=’() { :;}; echo Vuln’ bash -c “echo Test run”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Spectre/Meltdown

A
  • 2017 hardware vulnerability affecting Intel x86, IBM POWER and some ARM-based
  • speculative execution
  • It allows a rogue process to read all memory, even when it is not authorized to do so
  • software workaround slowing computers between 5 and 30 percent in certain workloads
  • exploits a race condition
  • occurs between memory access and privilege checking during instruction processing
  • allows an unauthorized process to read data from any address that is mapped to the current process’s memory space
  • data from an unauthorized address will almost always be temporarily loaded into the CPU’s cache
  • undetectable
30
Q

Eternal Blue

A

Vulnerability

31
Q

BlueKeep

A

Vulnerability

32
Q

XSS

A

Cross Site Scripting: Attacket i

33
Q

XSRF

A

Cross Site Request Forgery

34
Q

Least Privilege

A

Give a minimum access which is barely enough to perform entities tasks.

35
Q

Threat, Asset, Vulnerability, Risk

A

Vulnerabilites - weakness (known bug, no protection)
Threat - a danger of someone taking advantage of vulnerability
Risk - probability: how likely of the threat to exploit vulnerability and what is the impact

36
Q

Risk analysis

A

Quantitative - evidence based.
- ALE - annual loss expectancy
- SLE - single loss expectancy
- EF - Exposure Factor : Asset Value * EF = SLE
- ARO - annual rate of ocurrence (how often) : ALE = ARO * SLE
Qualitative - expert running through scenarios. Opionion based.

37
Q

RBAC

A

Role Based Access Control

38
Q

DDoS attack types

A

HTTP, TCP, UDP, (Syn, ACK) QUIC
https://www.cloudflare.com/en-gb/learning/ddos/what-is-a-quic-flood/
Memcached, NTP, DNS amplifications

39
Q

Binary Search

A

Sorted array as an input, we take the element in the middle and compare to the target. then decide in which part solution is left or right and continue in this part.

40
Q

SQL(MySQL) vs NoSQL(MongoDB)

A

SQL:

  • Tables
  • Strict schema
  • Relations
  • Difficult horizontal scaling
  • Limitations on big amount of reads

NoSQL:

  • Collections -> Documents
  • NO Schema
  • No /few relations
  • Faster queries, but duplicate data > storage needed
  • Collections are easily splittable for horizontal scaling
41
Q

K8S Security

A

CLUSTER -> Node -> Pod -> Container

  • protect API !!! Network rules, RBAC and least privilege
  • protect kubelet (Node Agent, takes yaml spec of pods to run and ensure that they are running)
  • pod/container sec:
    • don’t run as a root
    • read only file system if possible
  • -disallow privilege escalation (exact option)
Seccomp -> AppArmor-> SELinux
- seccomp - kernel filter which allows only a certain system calls for a container (default one is OK)
- apparmor - Linux kernel security module that you can use to restrict the capabilities of processes running on the host operating system
- SELinux - Security-Enhanced Linux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).
MAC -  operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target.
  • OS hardening
  • Least privilige
  • Network isolation
  • KMS (Key management system) Google/Hashicorp vault
  • DEK ( Data encruption key)
  • KEK ( Key Encryption Key) - can invalidate multiple DEKs with corresponding data at the same time
  • Secure API server
  • SSH access?
  • Shell in container?
  • Access to secrets?
  • Check the binding of master
  • run kubectl to enumerate things
  • explore unauthenticated services redis, etcd, dashboards
  • log outside of the cluster
  • check default settings/permissions
  • use updated images
  • use tools /CIS benchmark
  • deny all, explicit allow
  • each pod has a service account with certain privileges to run against k8s API

Useful commands:
kubectl - control
kubectl clusterrolebinding - give role to a certain account
kubectl exec $pod $command - execute command in given pod
/var/run/secrets/kubernetes.io/serviceaccount/token - where the account token is stored

https: //www.youtube.com/watch?v=vTgQLzeBfRU&ab_channel=CNCF%5BCloudNativeComputingFoundation%5D
https: //www.youtube.com/watch?v=v6a37uzFrCw&ab_channel=ContainerCamp

42
Q

etcd

A
  • Key value store widely used in kubernetes
  • Watch - is the main function that notifies the watcher of value change
  • Raft - is the type of value consenusus - master node pushes value to secondary nodes and only updates itself once they are all updated
  • Lead elect - if master is not avaialble follower nodes elect a new leader
  • Reliable due to replication
  • In case of K8S needs to be properly secured and moved away from cluster itself
  • better to use with KMS (hashicorp etc)
  • if multiregional cluster - latency will increase as leader waits for the value propagation on majority of systems
43
Q

Jenkins

A

Free and open source automation server widely used in CI/CD workflow (building, testing, and deploying, facilitating continuous integration and continuous delivery. )

44
Q

REST(ful)

A

Representational state transfer (REST) is a software architectural style that defines a set of constraints to be used for creating Web services. Web services that conform to the REST architectural style, called RESTful Web services, provide interoperability between computer systems on the internet. RESTful Web services allow the requesting systems to access and manipulate textual representations of Web resources by using a uniform and predefined set of stateless operations. Other kinds of Web services, such as SOAP Web services, expose their own arbitrary sets of operations.[1]

45
Q

Horizontal/ vertical scalability

A
  • Horizontal - more smaller nodes

- Vertical - pump up the main node perf

46
Q

Statelessness

A

The constraint of storing application state on the client rather than on the server makes the communication stateless.

47
Q

ACID

A

Atomicity, consistency, isolation, durability

48
Q

Kafka (topics)

A

pubsub apache opensource. You subscribe to topic

49
Q

IDE

A

Integrated development environment

50
Q

AuthN vs AuthZ

A

Authentication / Authorization

51
Q

Authentification architecture

A

Latency is the key!!! should be < 0.2 ms

  • portability is key (libs in all languages)
  • IOR (Identity, Operation, Resource)
  • Aggregator / passes data to ->
  • Distributor / is used by
  • Authorization agent

OPA - open policy agent / dev in GO/ resource agnostic / unit testing

https://www.youtube.com/watch?v=R6tUNpRpdnY&ab_channel=CNCF%5BCloudNativeComputingFoundation%5D

52
Q

SPLUNK

A

and analyzing machine-generated big data via a Web-style interface.

53
Q

Server hardening

A
  • cis benchmarks
  • nmap + nmap vulners repo
  • pen test
  • least privileges for users
  • up to date packages
  • only used services
  • only used ports
  • proper remote control authentification
  • proper firewall rules
  • logging and audits (where it streams logs, what triggers log audit)

In the different context we can look at it from organizational point of view

  • there should be well described policies concerning this server
  • its assets should be registered
54
Q

ECDSA

A

Elliptic Curve DSA

Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures, bas

55
Q

JWE

A

Json Web encryption

56
Q

JWT token

A

“JAT”
JSON Web Token - is an Internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims.

Header.
Payload.
Signature

57
Q

Authentication recommendations

A
  • Zero trust everywhere
  • TLS for data in-transit
  • do not build own - delegate
  • mandate 2-fa!
  • ensure correct token validation
  • sign message on message queues
  • ensure strong cryptographic algo (ECDSA)
    Possible bypass: change “alg” to HMAC for symmetric key and use public key ;)
58
Q

SAML

A

Security Assertion Markup Language (XML based)

Single Sign on protocol

Three actors:
User Agent
Identity Provider
Service Provider

SAML is possible only on one security domain and cross domain interactions are troubling.
Therefore OpenID was created.

59
Q

Delegated authorization

A

when third party authorizes you

60
Q

OAuth 2.0

+ OpenID

A
  • Front channel (less secure) e.g. between browser and and authorization server
  • Back channel (highly secure) e.g. between code and backend servers
  • Authorization code: received through front channel (in callback)
  • Access token: received through back channel using Authorization code
  • OAuth wasn’t build for AuthN, it’s more for delegated AuthZ
  • OpenID was implemented for AuthN
    • ID token
    • Userinfo endpoint for extra info on the user
    • to use openid “scope” is changed to openid, response type “id_token”
Token types:
By reference:
- contains only a unique reference and the values are not exposes
By value:
- contains the values
Token translation:
reference token -> value token

Refresh token:
sent to Oauth AS to extend access token expiration

61
Q

Questions SNAP sec?

A

Where do you see your team in 3-5 years?
How stuffed you are right now?
What are the current challenges?
Which of them can I overcome? What are the expectations?
What is the day look like?
How frequent do you have incidents required unusual handling?

62
Q

ISTIO/ Service Mesh / envoy proxy

A

Service Mesh:

  • is a way to control how different parts of an application share data with one another.
  • is a way to comprise a large number of discrete services into a functional application.
  • a dedicated infrastructure layer built right into an app
  • individual proxies that make up a service mesh are sometimes called “sidecars,” since they run alongside each service, rather than within them.
  • ISTIO features:
  • load balancing
  • fine grain control
  • access control
  • visibility (logging/graphing)
  • mutually encrypted traffic
  • telemetry
  • envoy proxy: is a modern, high performance, small footprint edge and service proxy. Developed by lyft.
    • runs in the same pod as a microservice
      https: //www.redhat.com/en/topics/microservices/what-is-a-service-mesh
      https: //www.youtube.com/watch?v=6zDrLvpfCK4&ab_channel=IBMCloud
63
Q

OKTA

A
  • doesn’t have GCP provisionning
64
Q

Bubble sort

A

compares two elements and swaps them. Fills the right part of an array with the biggest values with each cycle.

65
Q

insertion sort

A

Moving from left to right sorting the elements on the left side (swaping them)

66
Q

selection sort

A

run through array to find a minimum and swap it to the left element. Take the next element and repeat.

67
Q

Golang advantages

A
  • native parallel computing (for multiple core processing) - Multithreading And Concurrency
  • ease of programming
  • simpler code -> more secure
  • compiled language (not interpreted)
  • created by titans
  • highest growing
  • efficient compilation
  • efficient execution

good for web services/ crypto/ image processing

68
Q

Data minimization

A

have as little data as possible. Only the required data.

69
Q

CRUD

A

Create -> HTTP POST
Read -> HTTP GET
Update -> HTTP PUT
Delete -> HTTP DELETE

70
Q

Positive Security / Negative security

A

A “positive security” model is one that allows only known behavior and identities, while rejecting everything else. “negative security” allows everything except for requests coming from problematic IPs, ASNs, countries or requests with problematic signatures (SQL injection attempts, etc.).

71
Q

BLOB

A

Binary Large Object

72
Q

SDLC

A

Software Development Lifecycle

1) Plan
2) Analyse
3) Design
4) Implement
5) Test & integration
6) Maintenance