Security Flashcards

1
Q

CIA triad

A

Applies to data; the three properties usually have to be balanced against each other:
_ confidentiality
_ integrity
_ availability

2
Q

InfoSec

A

_ information security

3
Q

SecOps

A

_ security operations

_ discipline within IT responsible for protecting assets by reducing the risk of attacks

4
Q

asset

A

_ person, device, location, or information that SecOps aims to protect from attack

5
Q

attack

A

_ action taken by a threat that exploits a vulnerability

6
Q

risk

A

_ potential of a threat to exploit a vulnerability via an attack

7
Q

threat

A

_ something or someone that can exploit a vulnerability

_ person, software, or natural disaster

8
Q

vulnerability

A

_ a weakness in software, hardware, facilities, or humans that a threat can exploit

9
Q

Advanced persistent threat (APT)

A

_ when malware remains undetected for a long time waiting for the right time to attack
_ by remaining idle, it infects backups too

10
Q

zero-day

A

_ when a vulnerability or exploit is not yet public

_ likely no patch for it

11
Q

Intrusion prevention system (IPS)

A

_ can look for suspicious patterns of code, block it immediately, and send it for analysis

12
Q

Blue, red, white, and purple teams

A

_ red team attempts to compromise security
_ blue team attempts to defend security
_ white team may observe and referee
_ “purple team” is when red and blue teams come together to debrief and cross-train

13
Q

White hat, black hat, gray hat hackers

A

_ white hat - perform attacks when authorized in order to find vulnerabilities
_ black hat - criminals
_ gray hat - no malicious intent, but may not have obtained permission, could be breaking law

14
Q

Script kiddie

A

_ copycat criminals
_ hack for curiosity or entertainment
_ unsophisticated
_ may not realize the consequences

15
Q

wiretapping

A

_ eavesdropping between communicating people or computers
_ might use a packet sniffer or attach to hardware
_ might use an EMF listener; a reason to use fiber optics
_ ethernet switches make this hard

16
Q

Vulnerability scanner

A

_ examines specific ports, so use a port scanner first

17
Q

NX-bit

A

_ no-execute bit
_ flags memory for either storage or execution
_ reduces the chance of buffer overflow vulnerabilities
_ only available in special CPUs

18
Q

spoofing

A

_ pretending to be something else in order to gain access
_ man-in-the-middle attack - pretending to be the client to the actual server and the server to the actual client
_ ARP poisoning - causes an Ethernet switch to flood all traffic to every port (including the attacker’s computer)

19
Q

DoS

A

_ Denial-of-Service
_ may use features of ICMP, such as ping
_ attacker can make the echo replies go to another computer rather than their computer, minimizing stress on attacker’s computer
_ ping-of-death = obsolete vulnerability whereby server would crash for a malformed ICMP packet
_ ping flood attack = overwhelms computer with pings having randomized source addresses
_ smurf attack = (1) a DDoS, thousands of computers bombard the victim; (2) the attacker sends a forged ICMP echo-request packet to the broadcast address of a large IP subnet so all of the computers on the subnet receive the message; (3) the attacker specifies the victim’s address as the source address
_ SSL attack = wastes computer resources setting up and tearing down SSL encryption sessions

20
Q

honeypot

A

_ server designed to look authentic
_ contains fictitious data
_ intended to draw hackers
_ can be used to collect data on the attacker
_ “tar pit” variation is designed to slow the attacker so that the intrusion detection system can do a trace

21
Q

Rootkit attack

A

_ software designed to give a user root or admin access and full control over the computer

22
Q

Backdoor attack

A

_ means of bypassing authentication or encryption

23
Q

Trojan horse

A

_ misleads users into installing

24
Q

confidentiality

A

_ part of the CIA triad
_ limits access to information (at odds with availability)
_ goal is to prevent an unauthorized user from accessing, copying, or transmitting information
_ need-to-know policy (aka least privilege policy)
_ reduce exposure by destroying unneeded copies

25
Q

integrity

A

_ helps determine the trustworthiness of information
_ includes verification
_ ensures accuracy of the data
_ where information came from
_ whether information was changed en route
_ encryption helps with integrity
_ digital signatures or one-way hashes (e.g. SHA-3) can provide integrity
_ version control can provide integrity
_ e.g. a man-in-the-middle attack violates integrity, intentional or accidental deletion or modification of data, equipment malfunctions, natural phenomena such as EMP

26
Q

availability

A

_ ensuring data is always accessible to authorized users
_ includes making server highly available
_ includes minimizing downtime
_ have a disaster recovery plan
_ back up data off site
_ e.g. DoS attacks, unplanned downtime, accidental changes to access controls incorrectly removing authorized users

27
Q

Packet filter

A

_ a firewall that operates at layers 3 and 4
_ checks the protocol and the source and destination IP addresses and ports
_ only concerned with the packet address label (header)
_ no filtering on payload

28
Q

Circuit-level gateway

A

_ a middleman firewall that helps conceal identity of client and server from each other
_ may change IP address and port numbers
_ uses Network Address Translation (NAT)
_ uses Port Address Translation (PAT)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Stateful inspection

A

_ state of the connection between two computers
_ can identify traffic as “conversational” and automatically create temporary firewall rules that permit two-way traffic for the duration of the connection
_ minimizes the number of rules otherwise needed by a packet filter

30
Q

Application-aware firewall

A

_ aka layer-7 firewall
_ a proxy server
_ acts as a middleman, reading packet application payloads

31
Q

Intrusion detection systems (IDS) and intrusion prevention systems (IPS)

A

_ based on a DB of known behaviors and payload signatures
_ IDS monitors to detect threats
_ IPS intercepts and blocks threats
_ both have a “tap mode”, where they only listen to a network, which suffices for IDS
_ “in line mode” = positioned to intercept and block traffic
_ IPS supports many network ports that operate as input/output pairs
_ some IPS devices block based on file type, such as to exclude .EXE files
_ either software or physical devices

32
Q

OSI layer 1 security

A

_ security varies by physical medium (e.g. CAT6 cabling can be monitored for EMF, but fiber optic cabling can’t)
_ includes locks on doors, equipment
_ radio jamming

33
Q

OSI layer 2 security

A

_ e.g. capturing a WAP encrypted password for decryption
_ e.g. ARP poisoning - attacker sends special Ethernet frames that overwhelm the switch’s “forwarding information base (FIB)” database, forcing the switch to send traffic to everyone, including someone’s packet sniffer
_ e.g. VLAN hopping attack, taking advantage of an Ethernet switch configured in trunk mode (aka tagging mode), allowing computers to send/receive traffic on any VLAN
_ e.g. spoofing that impersonates another computer’s MAC

34
Q

OSI layer 3 security

A

_ e.g. ping DoS attacks
_ e.g. pinging to find available computers
_ e.g. spoofing that impersonates another computer’s IP
_ intrusion prevention systems can prevent these attacks

35
Q

OSI layer 4 security

A

_ e.g. port scanner to find open ports

_ a packet filtering firewall can defend against attacks

36
Q

OSI layer 5 security

A

_ e.g. RPC attacks

37
Q

OSI layer 6 security

A

_ e.g. man-in-the-middle attacks where attacker fools victim into accepting a false security certificate
_ can be mitigated using an application-layer proxy or an IPS
_ important to train users about fake security certificates

38
Q

OSI layer 7 security

A

_ every app has its own vulnerabilities
_ e.g. injection attacks, buffer overrun attacks
_ vulnerability scanners can find known problems
_ a reverse proxy or IPS can scan packet payloads

39
Q

ciphertext

A

Encrypted data

40
Q

Symmetric key encryption

A

_ aka private key encryption
_ sender and receiver must have the same cipher key
_ exchange of key is point of greatest vulnerability
_ the German Enigma machine used a symmetric key cipher that took years to break
_ much faster to encrypt and decrypt than asymmetric ciphers

41
Q

Asymmetric key encryption

A

_ e.g. public key infrastructure (PKI)
_ anyone can use the public key to encrypt data
_ only the private key can decrypt the data
_ the public key can decrypt data encrypted with the private key to verify the source of the data, providing a digital signature
_ no need to share a private key first and risk exposure
_ lots of computation required for large blocks of data
_ the public key gets transferred in the form of a certificate issued by a certificate authority (CA)

42
Q

non-repudiation

A

_ inability to deny the source of data

43
Q

Elliptic curve cryptography (ECC)

A

_ uses algebraic elliptic curves to create keys that are smaller than traditional keys but more difficult to crack

44
Q

End-to-end encryption

A

_ when data is encrypted both in transit and at rest

_ data is never stored or transmitted in the clear

45
Q

SSL/TLS handshake

A

_ client encrypts a token with the server’s public key
_ server decrypts the token using its private key
_ the token is then used as the private key in a symmetric key cipher for data exchange

46
Q

IPSec

A

_ internet protocol security
_ a way to encrypt IP traffic at layer 3
_ common in VPN tunnels (PPTP - point-to-point tunneling)
_ tunneling = “encapsulation” within an untrusted network
_ also used in site-to-site encryption such as between devices such as firewalls or routers
_ devices can offload the encryption processing from computers
_ uses the Authentication Header (AH) protocol for data integrity, the Encapsulating Security Payload (ESP) for encryption, and Security Associations (SA) for key exchange
_ often used with internet key exchange (IKE and IKEv2)
_ can be used with pre-shared symmetric keys

47
Q

Advanced Encryption Standard (AES)

A

_ the current most secure algorithm for storing and encrypting data at rest
_ symmetric key cipher
_ uses different key and block sizes
_ up to 14 transformations on data
_ AES-128, AES-192, AES-256 (latter used in banking) – different key lengths
_ most devices use AES-256 today

48
Q

AES-NI

A

_ AES new instructions
_ hardware acceleration supporting AES encryption
_ up to 10 GB/sec
_ particularly useful on wireless devices

49
Q

Retention policy

A

_ policy on how long a piece of data should be available, whether accessible or archived
_ regulations may dictate
_ regulations may also indicate the governmental district in which the data must reside

50
Q

DEK

A

_ data encryption key

_ key used to encrypt and decrypt data at rest

51
Q

Protecting DEKs

A

_ rotate/change DEKs regularly to limit time available for an attacker to use a stolen key
_ use a method that does not require disclosing the key: encrypt the DEK using a KEK and only temporarily decrypt the DEK

52
Q

KEK

A

_ Key encryption key
_ asymmetric key
_ used to protect DEKs
_ stored in a KMS

53
Q

KMS

A

_ key management system
_ stores DEKs encrypted with KEKs
_ grants access to keys based on the provided KEK
_ app decrypts DEKs for temporary use, but does not store decrypted DEKs
_ the system itself does the encryption and decryption, so the keys are never revealed
_ controlled by a master key, which must be protected
_ protect the master key by encrypting it, and then protect that encrypted key by encrypting it again; each encryption requires effort to break, so little need for more than 3 or 4 key encryptions

54
Q

Federated identity management

A

_ allows internet users to authenticate to your app via federated identity servers at Google, Facebook, Twitter
_ a federated identity server creates a token that is unique to the user for your app so the app can base identity on this token, without disclosing private information
_ your app therefore does not need a unique username and password for the user

55
Q

IAM

A

_ identity and access management

_ provides identity and access control services

56
Q

Multifactor identification

A

_ aka “MFA” or “2-factor” or “2FA”
_ use of multiple authentication requirements
_ second could be providing information only you know, using your biometrics, or using a physical device you have (e.g. cell phone)
_ text and email are NOT considered strong MFA
_ virtual MFA apps (to generate a code) or physical tokens are better

57
Q

Service account authentication

A

_ typically does not use username and password

_ uses API keys

58
Q

Wireless encryption standards, weakest to strongest

A

_ WEP
_ WPA
_ WPA2
_ WPA3

59
Q

3DES

A

_ “triple DES”
_ symmetric algorithm that uses obsolete DES algorithm 3 times to encrypt data
_ uses 3 keys
_ 56-bit encryption
_ modern hardware can crack it by brute force in less than a day
_ most organizations have phased it out

60
Q

WAP

A

_ wireless access point

61
Q

WEP

A

_ Wired Equivalent Privacy
_ one of the first wireless standards, by IEEE in 1997
_ key either 10 or 26 hex digits (40 bits or 104 bits)
_ modern computers can crack in under a day
_ deprecated in 2004, replaced by WPA

62
Q

WPA

A

_ Wi-Fi protected access
_ defined jointly by the Wi-Fi Alliance and the IEEE
_ created as short-term solution, awaiting the more secure 802.11i standard
_ based on the draft 802.11i standard at the time
_ uses variable-length alphanumeric passphrase, 8-63 characters
_ uses TKIP, which generates a new 128-bit encryption key for each packet sent
_ but had security vulnerabilities

63
Q

WPA2

A

_ aka IEEE 802.11i
_ published in 2004 by Wi-Fi Alliance and IEEE
_ the wireless standard for 15 years
_ mandatory support for CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol), which is part of AES, providing confidentiality, authentication, and access control to the network
_ still had weaknesses

64
Q

WPA3

A

_ released in January 2018
_ minimum key strength is 192 bits for enterprise connections
_ also has a personal mode with lower key strength
_ no more passphrase: now uses SAE (simultaneous authentication of equals) to exchange the network key (part of the 802.11-2016 standard); eliminates the need to tell other people of the passphrase in personal mode
_ implements PFS (perfect forward secrecy), ensuring that no more than one session can ever be compromised at a time
_ uses encryption management frames of 802.11w

65
Q

Ad-hoc mode

A

_ wireless communication mode
_ peer-to-peer
_ does not use WAP
_ mainly used for initially setting up devices instead of requiring connection with a physical cable
_ also sometimes for transferring files between devices, such as a camera and a laptop
_ does not require a wireless router or access point

66
Q

Wireless infrastructure

A

_ devices connect via a wireless router, which is a combined WAP and router
_ router acts like an Ethernet switch

67
Q

802.1x

A

_ also 802.11x
_ works wired or wireless
_ clients (“supplicants”) connect to an “authenticator” to request access to the network; the authenticator may be a wireless device
_ the authenticator delegates the decision to an authentication server, which indicates what ports the user can access; this server runs RADIUS (remote authentication dial-in user service) or EAP (extensible authentication protocol)
_ authentication is either by username/password or by PKI certificates
_ grants the user access only to authorized ports
_ 802.1x clients can also check the versions of antivirus scanners to make sure they conform to corporate requirements

68
Q

Deauth attack

A

_ deauthentication attack on a wireless network
_ a DoS attack that can force any or all clients off the network
_ the attacker doesn’t even need to be on the network
_ users can simply reconnect, but the attacker may continue the attack, force users to reconnect through a false access point, or capture the 4-way handshake to gain info on the network
_ WPA3 prevents this attack
_ WPA2 makes it difficult for the attacker to read encrypted data

69
Q

Fake access point

A

_ attack on a wireless network
_ attacker sets up a wireless network having no security
_ attacker watches all data in the clear
_ can redirect an unwitting user to a different location
_ can modify data
_ if you must use an unsecured network, create a VPN tunnel
_ avoid using unsecured Wi-Fi hotspots

70
Q

AAA

A

_ authentication - verifying identity
_ authorization - what user may access
_ accounting (auditing) - verifies restrictions, providing a forensic trail; audit records should be stored write-only, in a different location from the data being audited, to make it harder for an attacker to cover their tracks

71
Q

Device hardening

A

The process of:
_ reviewing security settings
_ updating device software
_ testing security such as by attempting to breach defenses

72
Q

How to harden devices

A

_ change the default passwords
_ remove unnecessary logins after periodic review
_ have a strong password policy (enforce it technically where possible)
_ require users to change passwords frequently
_ implement MFA
_ remove unnecessary services
_ keep patches up to date on all devices (manufacturers often patch 90 days before public disclosure of the vulnerability)
_ limit physical access to the device
_ only allow changes from a trusted network – none from the public side; disallow changes to a WAP from other wireless devices
_ require encryption on wireless networks (WPA2 or WPA3)
_ audit all access (e.g. using Syslog); get alerts too
_ back up and store a copy remotely