Section 3 - Security Engineering & Cryptography Flashcards

1
Q

What describes the suite of policies and technology tools designed to enable centralized management and control of mobile devices in a corporate setting?

A

Enterprise Mobility Management (EMM)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are the difference between Trust and User Specific Certificates

A

Trust are used to globally identify trusted devices within an organization using a single certificate pushed to multiple devices which is different then specific user based rolled out by a MDM to uniquely identify for granular control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is a firmware update delivered on a cellular data connection

A

Over the Air (OTA)

can be exploited - evil base station

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What encryption standard does WPA2 use and what does it replace

A

Advanced Encryption Standard with 128 bit keys

replaced WPA where replacing RC4 and Cipher Block Chaining Message Authentication Code Protocol (CCMP) replacing TKIP

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are the main features of WPA 3

A

Simultaneous Authentication of Equals (SAE) which was introduced to address vulnerabilities in the WPA-PSK method.
Enterprise authentication uses 192-bit AES while personal uses 128-bit

Updated Cryptographic Protocols - replaced AES CCMP with AES Galois Counter Mode Protocol (GCMP) - high performance mode of operation for symmetric encryption and provided a special characteristic called Authentication Encryption with associated data (AEAD)

Protection Frames to prvent against recovery ttacks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is WPA3 also called and and what standard is it

A

Wi-Fi 6 and 802.11ax

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is a standard for peer-to-peer (2-way) radio communications over a very short distance is

A

Near Field Communication and around 4”

most common application is for contactless payments

Not encrypted so vulnerable

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is a recent attack against Bluetooth

A

BlueBorne

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is the security control that enforces a virtual boundary based on real world geography

A

Geofencing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Is DNS communications secure?

A

No and DNS over HTTPS (DoH) was developed as a response to incidents.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is the terms for obtaining root privileges in both IOS and Android

A

Jailbreaking for IOS
Rooting for Android

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Is Android or IOS more secure?

A

IOS and Android allows sideloading to install and app without using an app store

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is the access control that is based on the idea of security clearance

A

Mandatory Access Control (MAC)
Labels objects and subjects and not changeable by user

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What is the process of determining what additional software may be needed installed on a client or server beyond its baseline and what OS is a good example of this

A

Execution Control
Using a Linux Security Module (LSM)
SELinux
AppArmor - used by Ubuntu
SUSE Linux

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Which version of Android is based on Security Enhanced LInux

A

SEAAndroid
Use MAC

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Describe the differences between BIOS (Basic Input/Output System) and UEFI (unified Extensible Firmware Interface)

A

Both are firmware designed to assist a computer/device boot an OS. BIOS uses a Master Boot Record whereas UEFI used a GUID Partition table. UEFI is more advanced and has more security features such as Secure boot or measure boot.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is an appliance for generating and storing cryptographic keys

A

Hardware Security Module (HSM)

FIPS 140-2 provided accreditation for cryptographically strong products

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

T or F Key management and key use can be incorporated into the same function and cloud location

A

False - should use a KMS that is being generated separately from cloud provider

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What is serverless computing billed on and does this paradigm have risks?

A

Execution time rather than hourly charges. This is commonly called Function as a Service (FaaS)

New Paradigm and use cases and best practices are not mature
Depends heavily on event-drive orchestration to facilitate operations

AWS Lambda
Google Cloud Functions
Azure Functions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What is the term for provisioning architecture in which deployment of resources is performed by scripted automation and orchestration

A

Infrastructure as a Code (IaC)

Used for Software Defined Networking

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What is an enterprise management system software designed to mediate access to cloud services by users across all types of devices

A

Cloud Access Security Broker (CASB)

Enable SSO
Scan for Malware, rogue and non-compliant devices
Monitor and audit user and resource activity
Mitigate data exfiltration

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What are the 3 implmentation methods of CASB

A

Forward Proxy - security appliance/host positioned at the client network edge that forwards traffic to the cloud network. users can evade and connect directly

Reverse Proxy - at network edge and can direct traffic in policy is in compliance and does not require configuration on user device but does require cloud application support

API - this is between the cloud service and cloud consumer. works best for post security incidents where inline interception is not possible/desirable. Not in real time such as the above proxy options

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What is the name of the practice of splitting encrypted data output into multiple parts which are subsequently stored in disparate locations

A

Bit or Cryptographic Splitting

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What are some examples of Microcontrollers that perform sequential operations from a dedicated instruction set

A

Application-specific integrated circuits (ASICs) - used for ethernet switching

Field Programmable Gate Array (FPGA) - a processor that can be programmed to perform a specific function by customer than at the time of manufacture

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What is the system that practically integrates all components (CPU, RAM, Storage, etc.) into one
System on a Chip (SoC)
26
Name the components of an Industrial Control Systems
Human Machine Interfaces (HMI) - input/output controls on a PLC allowing users to configure and monitor Supervisory Contral and Data Acquisition - manages large scale, multi-site devices and equipment spreach over geographically large areas Programmable Logic Controller (PLC) - form of a digital computer and interact with a wide range of sensors HVAC
27
Name the common protocols used by ICS
Controller Area Network - serial network designed to allow communication between embedded PLC - cars are susceptible to attack due to this design using wireless or direct connection Modbus - component of an ICS and is described as an OT and its protocol It uses Common Industrial Protocol (CIP) and Distributed network Protocol (DNP3) Data Distribution Services (DDS) - enables interrogability for connected machines and facilitates scalability, performance, and QoS Safety Instrumented Systems (SIS) - comprised of sensors, logic solvres and final control elements - horns, flashing lights, and sirens.
28
What is the function that converts an arbitrary length string to a fixed string output called
Hashing 1. Output is of fixed length regardless of input size 2. Same input to a hashing algorithm will generate the same output every time is hashed 3. Output of the hashing function cannot be used to recreate the input in any way referred to as one-way function
29
Name some common hurdles in Hashing
Being certain that the hash value is properly represented. Older hash algorithms are susceptible to collisions where two different plaintext inputs produce the same ciphertext output
30
Name two popular hasing algorithms th
Message Digest Algorithm (MD5) - produces a 128 bit output and due to short outputs can be easily brute-forced Secure Hash Algorithm (SHA) - was created to address weaknesses in MD5 SHA-1 generates a 160-bit output while SHA-256 (widely used for bitcoin) Per NIST they developed SHA-3 to and SHA-1 should not longer be used.
31
What is RIPEMND
RACE Integrity Primitives Evaluation Message Digest - devleoped around the same time as SHA-1 to produce longer outputs than MD5 and is also the bitcoin standard
32
What is the method used to verify both the integrity and authenticity of a message by combining a cryptographic hash with a secret key
Hash-based message authentication code (HMAC) when a MAC is constructed through eh use of hashing then it is a HMAC HMAC-SHA
33
What is the MAC that is used on older iphone/ipad devices that do not include AES hardware
Poly1305
34
What is a "key" difference between hashing and encryption
Unlike hashing encryption algorithm can be used to regenerate the input so it is regarded as a two way function. Symmetrical Algorithms has one key to lock and unlock and do not provide message integrity or authentication
35
T or F Cypher is another term for an algorithm
True
36
Name the two types of Symmetric Encryption
Stream Cypher - stream of plaintext bits or bytes with pseudorandom stream initialized by a secret key. Best for encrypting communications where the total length is not known. Examples: RC4 - old and vulnerable Salsa20 - well regarded ChaCha - variant of salsa and adopted by Google and uses in devices lacking AES hardware acceleration Used Initialization Vector - technique used in cryptography to generate random numbers to be used along with a secret key to provide data encryption Block Cypher - encrypts one block at a time often in 64-bit block. More secure than steam but slower. Uses Output Feedbak (OFB) for the first round of encryption and combines the ouput of all previous rounds as input. 3DES - replaced by AES which is based on the Rijndael algorithm.
37
What are modes of operations that are used with symmetrical block cyphers
These are techniques or methods by which symmetrical encryption can be performed. Cipher Block Chaining (CBC) - very simple and susceptible to the padding-oracle attack Electronic Codebook (ECB) simple and also susceptible to attack Galois/Counter Mode (GCM) widely adopted.
38
In Asymmetric encryption what is known only to the holder and is linked to, but derivable from, a public key distributed to those with which the holder wants to communicate securely
Private Key Can be used to prove identity Does involve more overhead that symmetrical and not ideal for large amounts of data. used mainly for authentication and non-repudiation.
39
What is the differences in key agreements between symmetrical and asymmetrical
Symmetrical derives the key while asymmetrical is transmitted.
40
Name the two common Key Agreements
Diffie-Hellman (DH) - used complicated modulus math based on common secret Elliptic-Curve Diffie-Hellman (ECDH) - similar to DH but used math based on elliptical curves instead of discrete logs
41
What is the process when a user creates a digest of a message, using a pre-agreed hash algorithm such as SHA 256 and then encrypts the digest using a private key
Digital Signature Rivest, Shamir and Adleman (RSA) - asymmetrical algorithm that is based on factoring large prime numbers Digital Signature Algorithm - similar to RSA but uses logarithmic and modulus math. Faster at generating digital signatures but slower at verifying Elliptic-Curve Digital Signature Algorithm (EDCS) - similar but smaller keys
42
What was the protocol developed by Netscape in the 90's to protect traffic and what was it replaced by
Secure Sockets Layer (SSL) to protect traffic for HTTPS and version 2.0 and 3.0 should no longer be used Transport Layer Security (TLS) only version 1.2 or higher should be used This is applied at the OSI Application Layer
43
What is the algorithm supported by both the client and server to perform the different encryption and hashing operations by the protocol
Cipher Suites ECDHE - RSA - AES128 - GCM - SHA256 Key Exchange - Signature - Bulk Encryption - Message Authentication - Elliptic Curve
44
What type of attack tries to force the use of a weak cipher suite and SSL/TLS Version
Downgrade Attack recommended to disallow "export cipher suites"
45
What is the email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications
S/MIME
46
What two types of key pairs does SSH Use
Host Key Pair - revealed by server User Key pair for a client to login to an SSH Server. Sony Hack was based on SSH mismanaged key.
47
What is the framework for negotiating authentication mechanisms rather than the details of the mechanisms themselves?
Extensible Authentication Protocol EAP-TLS - one of the strongest and widely supported. requires PKI and more complex and costly to manage Protected EAP (PEAP) - encrypted tunnel is established between the supplicant and authentication server. Simpler than EAP with only server side certs. EAP-TTLS) - also only server side certs EAP-FAST - designed by Cisco and instead of using a certificate to setup tunnel it uses a Protected Access Credential - requires out of band delivery .
48
What is the network protocol used to secure through an authentication and encryption as data travels through the network
Internet Protocol Security (IPSec) Layer 3 - networking
49
What are the two core protocols for IPSec
Authentication Header - form of cryptographic hash on whole packet including IP header, plus a shared secret and does not support nat gateways so not often used. Does not provide confidentiality Encapsulation Security Payload (ESP) provides confidentiality, authentication, and integrity.
50
What is the modern successor to RSA
Elliptic Curve Cryptography (ECC) no known shortcuts for cracking P256 no longer recommended by NSA
51
How do you mitigate the risk of RSA Key Exchange
Perfect Forward Secrecy (PFS) - uses Diffie-Hellman to create ephemeral session keys without using servers private keys.
52
What is the form of encryption that in addition to confidentiality provides integrity and authenticity
Authenticated Encryption with Associated Data (AEAD)
53
What is the technique that strengthen potentially weak input for cryptographic key generation
Key Stretching for passwords created by people against brute force attacks Password-Based Key Derivation Function 2 (PBKDF2) widely used for WPA, IoS, Cisco, LastPass. Bcrypt - Adds additional variations to the key called a salt
54
What does Code Signing Provide
Proof of Origin
55
What mechanisms can be used to encrypt data while in use
Trusted Execution Environments such as Intel Software Guard Extensions
56
What is a public assertion of identify and who validates that
Digital Certificate and validate by Certificate Authority (CA)
57
What is the specialized card containing cryptographic information to achieve authentication
Smart Card Authentication has secure processing chip that stores users digital certificate, the private key, and a pin to activate the card.
58
What is the purpose of a bridge CA
allows for interoperability and shared trust between multiple, otherwise independent PKIs.
59
Who is the entity responsible for issuing and guaranteeing certificates
Certificate Authority (CA)
60
What is the method of validating a certificate by tracing each CA that signs the certificate up through the hierarchy to the root CA
Certificate Chaining or chain of trust even with a root CA that is offline most CA activities are handled by intermediate CA servers
61
What is a component of PKI when __________ is generated on the device that needs a certificate and contains information that the CA needs in order to create a the certificate
Certificate Signing Request (CSR) A Base64 ASCII file that is sent to CA Uses key fields Common Name (CN) - FQDN Subject Alternative Name (SAN) - multiple host names on same certificate - feature is called multi-domain certificates Origination (O) - legal name OU - division or dept City/Locality (L) State/County/Region (S) Country C) Public Key that will be included Information about key type and length
62
In the creation of Digital Certificates what are common methods of validation
General Purpose or Domain Validation (DV) - email or modifying a DNS text record. Extended Validation (EV) - maintained by CA/Browser forum. major drawback is that they cannot be issued for wildcard domain. Also use same process as standard ones and not necessarily better protection
63
A ___________ is a hash that is then encrypted using a private key
Digital Signature
64
What describes when a certificate is used to establish a trust relationship between two different CAs
Cross Certification for two organizations or migrations
65
What describes the set of root CAs that are trusted to validate identity
Trusted Providers Organizations that build their own PKI infrastructure their root CA must be added to the list of trusted providers
66
What do CAs need to maintain a list of certificates that were revoked before their expiration date?
Certification Revocation List (CRL) Coded based on reason such as: Unspecified, Key Compromise, CA Compromise, Superseded or Cessation of Operation, Revoked Certificates cannot be reinstated
67
What is a another means of providing up to date information on certificate status
Online Certificate Status Protocol (OCSP) Allows real time status request to check if there is revocation
68
Describe the differences between Certificate Pinning and Stapling during a transport protocol such as SSL/TLS
Pinning is the technique when a client inspects the certificate presented by a server or a code-signed application bypassing the CA hierarchy. Pinning has many vulnerabilities Stapling resolves these issues by having the SSL/TLS server periodically obtain time-stamped OCSP response from the CA.
69
What can be configured as a response header on a web server and notifies a browser to connect to the requested site as HTTPS
HTTPS Strict Transport Security (HSTS) Prevents downgrade attacks
70
What is another term to describe the requirement for both client and server devices to use certificates to verify identity
Mutual authentication
71
What would cause a website to display your connection is not private when accessing
The website is configured to use a weak signing algorithm
72