Security Flashcards

1
Q

What’s the purpose of an Access Control Vestibule/mantrap?

A

Provides high physical security by controlling the flow of people through a building.

Only allows authorised individuals into a secure area via biometric/badge/PIN authentication.

When one door opens all others lock.

May log access to record who was where at any given time.

2
Q

What is the purpose of bollards outside a building/secure data center?

A

To allow people through but prevent vehicles entering the area.

3
Q

What is a Magnetometer?

A

A metal detector/scanner like at an airport.

4
Q

What does BYOD stand for?

A

Bring Your Own Device

5
Q

What’s MDM?

A

Mobile Device Management - Centralised management of mobile devices, enforce security measures and control/monitor devices remotely.

6
Q

What is meant by the “least privilege principle”?

A

Setting the access, rights and permissions of user accounts to the bare minimum of what they need to do their job. Assigning anything beyond this increases security risks and potential problems for no reward/gain.

Least Privilege Principle - limits the scope of malicious intent (e.g. of disgruntled employees)

7
Q

What is an ACL?

A

Access Control List is a list of users that can or cannot access/join a particular network, (use a specific router) or view a particular file/data on a system.

ACLs evaluate users based on source IP address, destination IP address, port numbers and ICMP.

Used for NAT, QoS.

8
Q

Benefits of Email filtering?

A

Can scan and block malicious emails (like phishing attacks) before they reach users by stopping unsolicited emails at the gateway. Either on-site or cloud-based.

9
Q

Which version of WPA wireless encryption uses CCMP block cipher mode?

A

WPA2 uses CCMP block cipher mode to encrypt blocks of data before transmitting them across a wireless network.

This includes AES (Advanced Encryption Standard) encryption and Message Integrity Check (MIC) for data integrity.

10
Q

What is Message Integrity Check (MIC) used for?

A

To verify that received data over a wireless network is the same as what is sent.

Data integrity check.

11
Q

Which block cipher mode does WPA3 use?

A

GCMP block cipher mode - WPA3 uses:
AES
MIC + Galois Message Authentication Code (GMAC)

12
Q

In wireless security what is a PSK?

A

Pre-Shared Key (PSK) - a key/shared secret/password used to encrypt/decrypt messages sent via a secure connection between two parties. Both parties know the secret/password, which is used to authenticate/log in to the wireless network.

The PSK is hashed (garbled by an algorithm). But WPA2 PSK has a brute-force vulnerability/security issue in which the hashed (garbled) PSK is captured by someone listening in to the 4 step handshake. The hash can then be brute-forced/try every combo until the PSK is cracked.

13
Q

What is the vulnerability of WPA2?

A

WPA2 PSK has a brute-force hash vulnerability/security issue in which the PSK hashing algorithm is captured by someone listening in to the 4 step handshake. The hash can then be brute-forced/try every combo until the PSK is cracked.

14
Q

What versions of WPA use PSKs? What are the differences in the PSK authentication process between them and why?

A

WPA2 is the only version that uses the PSK authentication process - a hashed secret password/shared secret used to establish a secure connection between two wireless devices via a 4 step handshake.

Someone can listen in to the handshake (while data/etc is in transit/wireless transmission) and capture the hash (hashed password).

They can then brute force/crack the hash to reveal the password and connect to the wireless network with it and do all sorts of damage!

WPA3 uses a different authentication process SAE:
Doesn’t send/share the hashed PSK across the network
No four-way handshakes.
Each device has a different session key.

15
Q

How many steps are involved in the WPA2 authentication handshake?

A

WPA2 uses a 4 way authentication handshake that involves sharing a hashed PSK over the wireless network (can be captured by pirates and hashed to break into the network!).

16
Q

What is the role of an authentication server on a network?

A

To manage logins to all devices on the network.

E.g. if you want to log in to a password-protected printer on a network, the printer forwards your REQUEST (containing your username and password) to the centralised Authentication Server, which checks it against a list of stored usernames/passwords; if it matches, the server sends a message back to the printer telling it to let you access it, as you have passed the security check.

17
Q

What does AAA stand for in reference to network security?

A

Authentication
Authorisation
Accounting
E.g. an AAA protocol is any protocol that communicates with an Authentication Server

18
Q

What is the difference between TACACS and TACACS+ (Authentication Server communication protocol versions)?

A

TACACS is an older protocol that uses UDP and is largely obsolete - less secure.
TACACS+ is a newer version of TACACS that uses TCP and is widely used today.

Commonly associated with CISCO devices.

19
Q

What OS uses Kerberos for network authentication?

A

Windows uses Kerberos - it provides you with a ticket on successful login to the Kerberos system, which grants you automatic access to all other devices on the network without having to log in again (you are a trusted user/single sign-on/SSO).

20
Q

Which AAA protocol supports single sign-on/SSO (whereby once you are logged in to the system you don’t have to log in to other devices on the network - you are kept logged in)?

A

Kerberos - Windows - supports single/one-time sign-on, which lets you access/connect to all devices within a network whilst only needing to log in once.

21
Q

What is meant by MFA?

A

Multi-Factor Authentication is a security measure in which you provide multiple types of evidence (factors) to prove your identity.

Using any 2+ of the following types of evidence to login is called MFA:
Something you Are
Something you Have
Something you Know
Something you Do
Somewhere you Are

22
Q

What’s the main difference between 2FA and MFA?

A

2FA is limited to 2 factors specifically.

23
Q

What’s a worm?

A

Malicious software (Malware) that clones itself and spreads to other systems, generally across a network by exploiting network vulnerabilities.

Doesn’t need to attach to a host program.

24
Q

What’s a Trojan Horse?

A

Malware that appears as something it’s not. E.g. as a free game. This allows it to bypass a lot of security as you are willingly trying to install it!

25
Q

What’s a rootkit?

A

Very deep-rooted/embedded malware that modifies the core system files/kernel. As such it’s invisible to the OS/Antivirus software and therefore very hard to remove!

If you can identify the specific rootkit (via spotting unusual things happening/running) then you may be able to remove (uproot) it by using a specific removal tool designed for that rootkit.

26
Q

What type of malware would running UEFI BIOS Secure Boot most likely remove?

A

Rootkits and Boot Sector Viruses. Secure Boot verifies all core kernel/system files of your OS thereby highlighting and removing any malicious core files like a rootkit.

27
Q

What’s the difference between a virus and a worm?

A

A virus is program-based code that requires the user to run/execute it to spread/work - it is attached to a host file.

A worm doesn’t need to be run or be attached to a host file!

Both can replicate and spread between systems.

28
Q

What type of malware is a keylogger?

A

Spyware.
Keyloggers are a type of spyware that is often installed as a Trojan horse (disguised as another program that the user wants).

29
Q

What do keyloggers do?

A

Track/clone your keystrokes and input such as passwords, bank details and send them to attackers.

30
Q

All files have been encrypted on your system and a demand for money to decrypt them has been sent to your email. What type of malware has your system been infected by?

A

Malware. Ransomware.

31
Q

What is crypto mining malware?

A

Malicious code that uses your CPU resources to mine for cryptocurrency and send the profits (proof of work) to the attacker.

32
Q

What’s the last resort to remove malware from a Windows system?

A

Windows Recovery Environment (Command Line Interface/CLI) - full control (edit/remove) of OS files BEFORE the system starts/OS boots.

Enable/disable service/device start-up
Repair the file system boot sector or MBR (Master Boot Record)

Shift + Click restart to open it on reboot or Settings/Update and Security/Recovery/Advanced Startup

33
Q

What’s the difference between anti-malware and anti-virus software?

A

Anti-virus is focused only on detecting and removing viruses (one type of Malware that requires execution by a User before it can replicate and spread).

Anti-malware is designed to detect and remove ALL types of malware (trojans, worms, viruses, spyware (e.g. keyloggers)).

34
Q

What’s a software firewall?

A

A firewall that blocks/allows network traffic both inbound and outbound of the system based on preconfigured security rules.

Microsoft Defender Firewall is an example of a software firewall.

35
Q

What’s the only way to be sure all malware has been removed from a system?

A

By deleting EVERYTHING and performing a clean/full reinstallation of the OS.

36
Q

What is Social Engineering?

A

Psychologically manipulating people into giving out passwords or other sensitive information, or into installing malicious programs by misrepresenting them as safe.

37
Q

What’s shoulder surfing?

A

Looking over people’s shoulder to see information on their display. E.g. on a flight, at an office, webcam monitoring, etc. Industrial espionage.

37
Q

What’s phishing?

A

Pretending to be a legitimate source sending you emails with dangerous links and getting you to divulge sensitive information like passwords.

Vishing is just phishing done over the phone. May use fake caller ID to appear like a trusted source.

38
Q

How to prevent shoulder surfing?

A

Be aware of your surroundings.
Add privacy filters to your device/s.
Keep your monitor away from overlooking windows etc.

39
Q

What is meant by Spear Phishing?

A

A targeted phishing attack on an individual who has a certain level of access or information.

E.g. getting the passwords of users that definitely have the information the attackers want.

40
Q

What’s the difference between Spear Phishing and Whaling?

A

Whaling targets only the absolute top-level access users of a company (CFO, CEO), whereas Spear Phishing is a more generalised attack on employees (anyone with the info).

41
Q

What are tailgating and piggybacking and what’s the difference?

A

They both refer to someone following an authorised person into a restricted access area either by tailgating them (walking right behind them) or catching a locking door before it’s fully shut.

Tailgating is where the authorised person is unaware of the attacker following them in.

Piggybacking is where the authorised person intentionally breaks protocol by letting them through, e.g. the attacker saying “my hands are full, can you hold the door?” when they aren’t cleared for access.

Access Control Vestibules/Airlocks prevent these from happening by only allowing one person through at a time.

42
Q

What is Dumpster Diving?

A

Going through corporate physical bins for useful information. Can use the information to impersonate someone in the company and gain more information.

43
Q

What’s impersonation?

A

Pretending to be someone you’re not.

E.g. pretending to be a branch manager to pressure an employee into giving you confidential information.

44
Q

What’s a Wireless Evil Twin?

A

A malicious WiFi network that mirrors an existing one, tricking users to connect to the twin (same SSID and settings) with their real network usernames and passwords.

Or letting them connect and then copying all the data they enter etc.

45
Q

What is a DDoS attack?

A

A Distributed Denial of Service (DDoS) attack is where a distributed/geographically spread out group of devices target a specific service to overload it and deny service to its clients, or at least massively slow it down.

This allows competing services to obtain a lot more clients thus costing the company a lot of money!

A botnet of PCs unknowingly infected with malware is often used by attackers to conduct a coordinated attack.

46
Q

What’s a common type of on-path/man in the middle attack?

A

ARP (Address Resolution Protocol) Poisoning/Spoofing is a common type of on-path attack where an attacker

ARP cache - a list of IP addresses mapped to MAC addresses that populates as devices on the network connect to the router and vice versa (the router connects to them and links MAC address to IP).

An attacker connected to the network/on the same subnet can pretend/spoof to be the IP address of another device on the network when there is an ARP broadcast, and thereby have traffic redirected to them with neither the device nor the router knowing. The attacker can also do this to the router so it thinks it’s sending data to an authorised client on the network. Thereby the attacker sits in the middle of the network path intercepting both sent and received packets.

Man-in-the-browser attacks work the same, but the attacker doesn’t need to already be on the subnet to spoof an IP because they have infected the user’s device with a trojan/malware and can then sit between the user and browser, viewing all the information the user sends and receives to/from the browser. This also means that the traffic they intercept isn’t encrypted!

47
Q

What is man-in-the-browser attack?

A

Man-in-the-browser attacks work the same as ARP spoofing, but the attacker doesn’t need to already be on the subnet to spoof an IP because they have infected the user’s device with a trojan/malware and can then sit between the user and browser, viewing all the information the user sends and receives to/from the browser. This also means that the traffic they intercept isn’t encrypted!

48
Q

What is a hashed password?

A

Hashing is the process of using an algorithm/hashing function to transform a password into a fixed-length hash value/code/text string (no matter the password length, the hash length is always the same).

Hashing can’t be reversed like encryption can be to reveal the original password.

49
Q

What is a brute force hashing attack?

A

Trying every single character combination to find a password.

Most auth services will automatically lock you out after X failed password attempts.

Hackers circumvent this by taking captured hashes offline and running them through their own software until it is cracked.

50
Q

What is the basis of dictionary attacks?

A

Using words from a dictionary/custom word list to crack user passwords quicker via brute force. This works because most users use words or word combinations as their passwords, and it’s a lot quicker to try all word combinations than purely random characters via brute force.

51
Q

What is SQL injection?

A

SQL - Structured Query Language - code injection into a website/application.

This is an exploitable vulnerability found in poorly written code.

Always triple check and pen-test code where possible!

52
Q

If a password has low entropy, is it harder or easier to crack via brute force?

A

Easier - entropy is a measure of the unpredictability/randomness of a password, i.e. its complexity.

High entropy - hard to crack.
Low entropy - easy to crack/predictable.

53
Q

What is PII in security?

A

Personally Identifiable Information (PII) - is user information that could be used to help gain access in the wrong hands. Such as name, address, mother’s maiden name, town of birth, etc.

Must always keep PII secure where possible!

54
Q

What’s the point of screen privacy filters?

A

To reduce the viewing angle of your screen to prevent shoulder surfing/people seeing your screen content.

55
Q

IoT devices are often insecure and pose a high threat to the security of your network. What should you do to negate this?

A

Segregate all IoT devices onto an isolated subnet/VLAN.

56
Q

What’s degaussing?

A

Using a powerful magnetic field generated by a Degausser to scramble the data stored on a magnetic drive/magnetic storage media. Thus making it unreadable/unrecoverable.

A form of Physical Data Destruction.

57
Q

What are some methods of physical data destruction?

A

Degaussing (exposure to powerful magnetic field)
Drilling/hammering the drive
Incineration

58
Q

Is a DMZ/Screened Subnet behind the LAN firewall?

A

Yes, Screened Subnets are behind your firewall but are kept separate/isolated from the rest of your network.

59
Q

What’s port forwarding?

A

Automatically forwarding traffic received from an external facing port to another device inside your network via IP address with whatever specified port you configure.

Port Mapping is the same as Port Forwarding.

60
Q

What’s the only way to be 100% sure that malware is removed?

A

By deleting everything on a system and performing a Clean OS install.

61
Q

Very Quick Ducks Run Silently Every Evening?

A
  1. Verify virus symptoms - slow performance, app crashes, security alerts
  2. Quarantine the infected system from the network - take offline and remove and quarantine any media devices like USB drives
  3. Disable system restore points
  4. Remediate/remedy - run virus scans and removal tools, safe mode if needed
  5. Schedule scans and updates to OS, Apps, Antivirus automatically
  6. Enable the system protection and restore points again
  7. Educate the end users - one on one, put posters up of best practices, document findings.
62
Q

What are the 7 steps of Malware removal?

A

Verify. Quarantine. Disable. Remediate. Schedule scans. Enable. Educate.
