Section 3 - Security Engineering & Cryptography

Question 1

What describes the suite of policies and technology tools designed to enable centralized management and control of mobile devices in a corporate setting?

Answer 1

Enterprise Mobility Management (EMM)

Question 2

What are the difference between Trust and User Specific Certificates

Answer 2

Trust are used to globally identify trusted devices within an organization using a single certificate pushed to multiple devices which is different then specific user based rolled out by a MDM to uniquely identify for granular control

Question 3

What is a firmware update delivered on a cellular data connection

Answer 3

Over the Air (OTA)

can be exploited - evil base station

Question 4

What encryption standard does WPA2 use and what does it replace

Answer 4

Advanced Encryption Standard with 128 bit keys

replaced WPA where replacing RC4 and Cipher Block Chaining Message Authentication Code Protocol (CCMP) replacing TKIP

Question 5

What are the main features of WPA 3

Answer 5

Simultaneous Authentication of Equals (SAE) which was introduced to address vulnerabilities in the WPA-PSK method.
Enterprise authentication uses 192-bit AES while personal uses 128-bit

Updated Cryptographic Protocols - replaced AES CCMP with AES Galois Counter Mode Protocol (GCMP) - high performance mode of operation for symmetric encryption and provided a special characteristic called Authentication Encryption with associated data (AEAD)

Protection Frames to prvent against recovery ttacks

Question 6

What is WPA3 also called and and what standard is it

Answer 6

Wi-Fi 6 and 802.11ax

Question 7

What is a standard for peer-to-peer (2-way) radio communications over a very short distance is

Answer 7

Near Field Communication and around 4”

most common application is for contactless payments

Not encrypted so vulnerable

Question 8

What is a recent attack against Bluetooth

Answer 8

BlueBorne

Question 9

What is the security control that enforces a virtual boundary based on real world geography

Answer 9

Geofencing

Question 10

Is DNS communications secure?

Answer 10

No and DNS over HTTPS (DoH) was developed as a response to incidents.

Question 11

What is the terms for obtaining root privileges in both IOS and Android

Answer 11

Jailbreaking for IOS
Rooting for Android

Question 12

Is Android or IOS more secure?

Answer 12

IOS and Android allows sideloading to install and app without using an app store

Question 13

What is the access control that is based on the idea of security clearance

Answer 13

Mandatory Access Control (MAC)
Labels objects and subjects and not changeable by user

Question 14

What is the process of determining what additional software may be needed installed on a client or server beyond its baseline and what OS is a good example of this

Answer 14

Execution Control
Using a Linux Security Module (LSM)
SELinux
AppArmor - used by Ubuntu
SUSE Linux

Question 15

Which version of Android is based on Security Enhanced LInux

Answer 15

SEAAndroid
Use MAC

Question 16

Describe the differences between BIOS (Basic Input/Output System) and UEFI (unified Extensible Firmware Interface)

Answer 16

Both are firmware designed to assist a computer/device boot an OS. BIOS uses a Master Boot Record whereas UEFI used a GUID Partition table. UEFI is more advanced and has more security features such as Secure boot or measure boot.

Question 17

What is an appliance for generating and storing cryptographic keys

Answer 17

Hardware Security Module (HSM)

FIPS 140-2 provided accreditation for cryptographically strong products

Question 18

T or F Key management and key use can be incorporated into the same function and cloud location

Answer 18

False - should use a KMS that is being generated separately from cloud provider

Question 19

What is serverless computing billed on and does this paradigm have risks?

Answer 19

Execution time rather than hourly charges. This is commonly called Function as a Service (FaaS)

New Paradigm and use cases and best practices are not mature
Depends heavily on event-drive orchestration to facilitate operations

AWS Lambda
Google Cloud Functions
Azure Functions

Question 20

What is the term for provisioning architecture in which deployment of resources is performed by scripted automation and orchestration

Answer 20

Infrastructure as a Code (IaC)

Used for Software Defined Networking

Question 21

What is an enterprise management system software designed to mediate access to cloud services by users across all types of devices

Answer 21

Cloud Access Security Broker (CASB)

Enable SSO
Scan for Malware, rogue and non-compliant devices
Monitor and audit user and resource activity
Mitigate data exfiltration

Question 22

What are the 3 implmentation methods of CASB

Answer 22

Forward Proxy - security appliance/host positioned at the client network edge that forwards traffic to the cloud network. users can evade and connect directly

Reverse Proxy - at network edge and can direct traffic in policy is in compliance and does not require configuration on user device but does require cloud application support

API - this is between the cloud service and cloud consumer. works best for post security incidents where inline interception is not possible/desirable. Not in real time such as the above proxy options

Question 23

What is the name of the practice of splitting encrypted data output into multiple parts which are subsequently stored in disparate locations

Answer 23

Bit or Cryptographic Splitting

Question 24

What are some examples of Microcontrollers that perform sequential operations from a dedicated instruction set

Answer 24

Application-specific integrated circuits (ASICs) - used for ethernet switching

Field Programmable Gate Array (FPGA) - a processor that can be programmed to perform a specific function by customer than at the time of manufacture

Question 25

What is the system that practically integrates all components (CPU, RAM, Storage, etc.) into one

Answer 25

System on a Chip (SoC)

Question 26

Name the components of an Industrial Control Systems

Answer 26

Human Machine Interfaces (HMI) - input/output controls on a PLC allowing users to configure and monitor

Supervisory Contral and Data Acquisition - manages large scale, multi-site devices and equipment spreach over geographically large areas

Programmable Logic Controller (PLC) - form of a digital computer and interact with a wide range of sensors

HVAC

Question 27

Name the common protocols used by ICS

Answer 27

Controller Area Network - serial network designed to allow communication between embedded PLC - cars are susceptible to attack due to this design using wireless or direct connection

Modbus - component of an ICS and is described as an OT and its protocol
It uses Common Industrial Protocol (CIP) and Distributed network Protocol (DNP3)

Data Distribution Services (DDS) - enables interrogability for connected machines and facilitates scalability, performance, and QoS

Safety Instrumented Systems (SIS) - comprised of sensors, logic solvres and final control elements - horns, flashing lights, and sirens.

Question 28

What is the function that converts an arbitrary length string to a fixed string output called

Answer 28

Hashing
1. Output is of fixed length regardless of input size

2. Same input to a hashing algorithm will generate the same output every time is hashed
3. Output of the hashing function cannot be used to recreate the input in any way referred to as one-way function

Question 29

Name some common hurdles in Hashing

Answer 29

Being certain that the hash value is properly represented.

Older hash algorithms are susceptible to collisions where two different plaintext inputs produce the same ciphertext output

Question 30

Name two popular hasing algorithms th

Answer 30

Message Digest Algorithm (MD5) - produces a 128 bit output and due to short outputs can be easily brute-forced

Secure Hash Algorithm (SHA) - was created to address weaknesses in MD5
SHA-1 generates a 160-bit output while SHA-256 (widely used for bitcoin)
Per NIST they developed SHA-3 to and SHA-1 should not longer be used.

Question 31

What is RIPEMND

Answer 31

RACE Integrity Primitives Evaluation Message Digest - devleoped around the same time as SHA-1 to produce longer outputs than MD5 and is also the bitcoin standard

Question 32

What is the method used to verify both the integrity and authenticity of a message by combining a cryptographic hash with a secret key

Answer 32

Hash-based message authentication code (HMAC)

when a MAC is constructed through eh use of hashing then it is a HMAC

HMAC-SHA

Question 33

What is the MAC that is used on older iphone/ipad devices that do not include AES hardware

Answer 33

Poly1305

Question 34

What is a “key” difference between hashing and encryption

Answer 34

Unlike hashing encryption algorithm can be used to regenerate the input so it is regarded as a two way function.

Symmetrical Algorithms has one key to lock and unlock and do not provide message integrity or authentication

Question 35

T or F Cypher is another term for an algorithm

Answer 35

True

Question 36

Name the two types of Symmetric Encryption

Answer 36

Stream Cypher - stream of plaintext bits or bytes with pseudorandom stream initialized by a secret key. Best for encrypting communications where the total length is not known.
Examples: RC4 - old and vulnerable
Salsa20 - well regarded
ChaCha - variant of salsa and adopted by Google and uses in devices lacking AES hardware acceleration

Used Initialization Vector - technique used in cryptography to generate random numbers to be used along with a secret key to provide data encryption

Block Cypher - encrypts one block at a time often in 64-bit block. More secure than steam but slower. Uses Output Feedbak (OFB) for the first round of encryption and combines the ouput of all previous rounds as input.

3DES - replaced by AES which is based on the Rijndael algorithm.

Question 37

What are modes of operations that are used with symmetrical block cyphers

Answer 37

These are techniques or methods by which symmetrical encryption can be performed.

Cipher Block Chaining (CBC) - very simple and susceptible to the padding-oracle attack

Electronic Codebook (ECB) simple and also susceptible to attack

Galois/Counter Mode (GCM) widely adopted.

Question 38

In Asymmetric encryption what is known only to the holder and is linked to, but derivable from, a public key distributed to those with which the holder wants to communicate securely

Answer 38

Private Key

Can be used to prove identity
Does involve more overhead that symmetrical and not ideal for large amounts of data.

used mainly for authentication and non-repudiation.

Question 39

What is the differences in key agreements between symmetrical and asymmetrical

Answer 39

Symmetrical derives the key while asymmetrical is transmitted.

Question 40

Name the two common Key Agreements

Answer 40

Diffie-Hellman (DH) - used complicated modulus math based on common secret

Elliptic-Curve Diffie-Hellman (ECDH) - similar to DH but used math based on elliptical curves instead of discrete logs

Question 41

What is the process when a user creates a digest of a message, using a pre-agreed hash algorithm such as SHA 256 and then encrypts the digest using a private key

Answer 41

Digital Signature

Rivest, Shamir and Adleman (RSA) - asymmetrical algorithm that is based on factoring large prime numbers

Digital Signature Algorithm - similar to RSA but uses logarithmic and modulus math. Faster at generating digital signatures but slower at verifying

Elliptic-Curve Digital Signature Algorithm (EDCS) - similar but smaller keys

Question 42

What was the protocol developed by Netscape in the 90’s to protect traffic and what was it replaced by

Answer 42

Secure Sockets Layer (SSL) to protect traffic for HTTPS and version 2.0 and 3.0 should no longer be used

Transport Layer Security (TLS) only version 1.2 or higher should be used

This is applied at the OSI Application Layer

Question 43

What is the algorithm supported by both the client and server to perform the different encryption and hashing operations by the protocol

Answer 43

Cipher Suites

ECDHE - RSA - AES128 - GCM - SHA256
Key Exchange - Signature - Bulk Encryption - Message Authentication - Elliptic Curve

Question 44

What type of attack tries to force the use of a weak cipher suite and SSL/TLS Version

Answer 44

Downgrade Attack

recommended to disallow “export cipher suites”

Question 45

What is the email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications

Answer 45

S/MIME

Question 46

What two types of key pairs does SSH Use

Answer 46

Host Key Pair - revealed by server
User Key pair for a client to login to an SSH Server.

Sony Hack was based on SSH mismanaged key.

Question 47

What is the framework for negotiating authentication mechanisms rather than the details of the mechanisms themselves?

Answer 47

Extensible Authentication Protocol

EAP-TLS - one of the strongest and widely supported. requires PKI and more complex and costly to manage

Protected EAP (PEAP) - encrypted tunnel is established between the supplicant and authentication server. Simpler than EAP with only server side certs.

EAP-TTLS) - also only server side certs

EAP-FAST - designed by Cisco and instead of using a certificate to setup tunnel it uses a Protected Access Credential - requires out of band delivery .

Question 48

What is the network protocol used to secure through an authentication and encryption as data travels through the network

Answer 48

Internet Protocol Security (IPSec)

Layer 3 - networking

Question 49

What are the two core protocols for IPSec

Answer 49

Authentication Header - form of cryptographic hash on whole packet including IP header, plus a shared secret and does not support nat gateways so not often used. Does not provide confidentiality

Encapsulation Security Payload (ESP) provides confidentiality, authentication, and integrity.

Question 50

What is the modern successor to RSA

Answer 50

Elliptic Curve Cryptography (ECC)

no known shortcuts for cracking
P256 no longer recommended by NSA

Question 51

How do you mitigate the risk of RSA Key Exchange

Answer 51

Perfect Forward Secrecy (PFS) - uses Diffie-Hellman to create ephemeral session keys without using servers private keys.

Question 52

What is the form of encryption that in addition to confidentiality provides integrity and authenticity

Answer 52

Authenticated Encryption with Associated Data (AEAD)

Question 53

What is the technique that strengthen potentially weak input for cryptographic key generation

Answer 53

Key Stretching
for passwords created by people against brute force attacks

Password-Based Key Derivation Function 2 (PBKDF2) widely used for WPA, IoS, Cisco, LastPass.

Bcrypt - Adds additional variations to the key called a salt

Question 54

What does Code Signing Provide

Answer 54

Proof of Origin

Question 55

What mechanisms can be used to encrypt data while in use

Answer 55

Trusted Execution Environments such as Intel Software Guard Extensions

Question 56

What is a public assertion of identify and who validates that

Answer 56

Digital Certificate and validate by Certificate Authority (CA)

Question 57

What is the specialized card containing cryptographic information to achieve authentication

Answer 57

Smart Card Authentication

has secure processing chip that stores users digital certificate, the private key, and a pin to activate the card.

Question 58

What is the purpose of a bridge CA

Answer 58

allows for interoperability and shared trust between multiple, otherwise independent PKIs.

Question 59

Who is the entity responsible for issuing and guaranteeing certificates

Answer 59

Certificate Authority (CA)

Question 60

What is the method of validating a certificate by tracing each CA that signs the certificate up through the hierarchy to the root CA

Answer 60

Certificate Chaining or chain of trust
even with a root CA that is offline most CA activities are handled by intermediate CA servers

Question 61

What is a component of PKI when __________ is generated on the device that needs a certificate and contains information that the CA needs in order to create a the certificate

Answer 61

Certificate Signing Request (CSR)

A Base64 ASCII file that is sent to CA

Uses key fields
Common Name (CN) - FQDN
Subject Alternative Name (SAN) - multiple host names on same certificate - feature is called multi-domain certificates

Origination (O) - legal name
OU - division or dept
City/Locality (L)
State/County/Region (S)
Country C)

Public Key that will be included
Information about key type and length

Question 62

In the creation of Digital Certificates what are common methods of validation

Answer 62

General Purpose or Domain Validation (DV) - email or modifying a DNS text record.

Extended Validation (EV) - maintained by CA/Browser forum. major drawback is that they cannot be issued for wildcard domain. Also use same process as standard ones and not necessarily better protection

Question 63

A ___________ is a hash that is then encrypted using a private key

Answer 63

Digital Signature

Question 64

What describes when a certificate is used to establish a trust relationship between two different CAs

Answer 64

Cross Certification
for two organizations or migrations

Question 65

What describes the set of root CAs that are trusted to validate identity

Answer 65

Trusted Providers

Organizations that build their own PKI infrastructure their root CA must be added to the list of trusted providers

Question 66

What do CAs need to maintain a list of certificates that were revoked before their expiration date?

Answer 66

Certification Revocation List (CRL)

Coded based on reason such as:
Unspecified, Key Compromise, CA Compromise, Superseded or Cessation of Operation,

Revoked Certificates cannot be reinstated

Question 67

What is a another means of providing up to date information on certificate status

Answer 67

Online Certificate Status Protocol (OCSP)

Allows real time status request to check if there is revocation

Question 68

Describe the differences between Certificate Pinning and Stapling during a transport protocol such as SSL/TLS

Answer 68

Pinning is the technique when a client inspects the certificate presented by a server or a code-signed application bypassing the CA hierarchy. Pinning has many vulnerabilities

Stapling resolves these issues by having the SSL/TLS server periodically obtain time-stamped OCSP response from the CA.

Question 69

What can be configured as a response header on a web server and notifies a browser to connect to the requested site as HTTPS

Answer 69

HTTPS Strict Transport Security (HSTS)

Prevents downgrade attacks

Question 70

What is another term to describe the requirement for both client and server devices to use certificates to verify identity

Answer 70

Mutual authentication

Question 71

What would cause a website to display your connection is not private when accessing

Answer 71

The website is configured to use a weak signing algorithm