Memorize-y stuff!

Question 1

STRIDE

Answer 1

Spoofing (authenticity), Tampering (integrity), Repudiation (accountability), Info Disclosure (confidentiality), escalation of privilege (authorization)

Question 2

ACL

Answer 2

Access Capability List: answers the question: “what SUBJECTS have access to a specific object” (think: VIP list)

Question 3

Capability

Answer 3

A row in Access control matrix. Answers the question: “What OBJECTS does a singular subject have access to” (think: what is in my backpack)

Question 4

What are the 3 reference monitor requirements?

Answer 4

1) Always-invoked
2) Tamper-proof
3) verifiable (simple design + easy to analyze)

Question 5

RC4

Answer 5

Ron’s Cipher 4. Created in 1987- INSECURE

Question 6

ChaCha20

Answer 6

Standard cipher algorithm used. SECURE

Question 7

HMAC-SHA2

Answer 7

Standard SECURE MAC function used

Question 8

AES-CBC-MAC

Answer 8

Somewhat standard MAC funciton used, but bug prone.

Question 9

AES (what are its 3 main modes)

Answer 9

Advanced Encryption Standard (a block-cipher). It has 3 modes: GCM= authenticated encyrption (gold standard). ECB= broken mode, CTR&CBC= not broken, but no integrity

Question 10

MD5

Answer 10

Very broken Hash function

Question 11

SHA-1

Answer 11

Another very broken hash function (not as broken as MD5)

Question 12

SHA2, SHA3

Answer 12

standard hash functions! SECURE

Question 13

RSA

Answer 13

Way to generate PK and SK (uses a lot of special math!)

Question 14

MAC Address

Answer 14

48 bits, permenantly installed in hardware, used to network on L2 (datalink layer), made for local networks to be addressable

Question 15

IP Address

Answer 15

32-bits, operates on layer3 (network layer). Prefix = network, suffix = host

Question 16

Private vs Public IP Address

Answer 16

Private is used for local network communication (starts with 192 or 176), can be duplicated if they are in different local networks. Public is for outside of local network. They cannot be duplicated

Question 17

CIDR

Answer 17

Classless InterDomain Routing: standard for IP address to have a custom prefix length for their network. Depending on how many hosts are using that network, it might be good to have a larger or smaller mask. Denoted with IPadd xx.xx/26 <- /number = network mask

Question 18

WEP

Answer 18

Broken form of Wi-Fi encryption (due to reusing nonces). Not used anymore

Question 19

WPA

Answer 19

Vulnerable form of wi-fi encryption. Not the standard anymore

Question 20

WPA2 or WPA3

Answer 20

Both secure forms of wifi encryption

Question 21

Hierarchy of IP Address allocation

Answer 21

Starts with ICANN -> regional internet registeries (like ARIN) -> Large institutions (ISPs, like Qwest) -> smaller institutions (like UChicago) -> individuals

Question 22

DHCP

Answer 22

Dynamic Host Configuration Protocol: THe way to connect to network to get an IP address

Question 23

What important components are contained in the IP header?

Answer 23

length in bytes, TTL, protocol, source address, destination address

Question 24

What is contained in the IP datagram?

Answer 24

IP header - TCP/UDP header - TCP/UDP payload

Question 25

AS

Answer 25

Autonomous System: A collection of IP prefixes that are under the control of a single entity (like Qwest, AT&T, etc)

Question 26

Intra-AS routing

Answer 26

All under the same AS domain- uses Link State protocol to take care of all routing

Question 27

Inter-AS routing

Answer 27

How we route across various AS’s- privacy between each AS. Uses BGP (a type of path vector/distance vector protocol) to route

Question 28

Link State Routing

Answer 28

Every single node knows the entire network topology of the network. Each node uses Dijkstra’s algorithm to compute the best path towards each node

Question 29

Distance Vector (Path vector/BDG)

Answer 29

Each node only knows its own neighbors’ closest distances. Sends these tables to their neighbors and updates their own table with information given from their neighbors.

Question 30

TCP

Answer 30

Transmission Control Protocol: The standard protocol for sending packets back and forth between networks

Question 31

What are some of the important components in the TCP header?

Answer 31

Source port, desintation port, SEQ #, ACK #, flags

Question 32

FIN, SYN, RST, ACK

Answer 32

Flags sent in the TCP header. Finish (done sending data), SYN (synchronize), ACK (acknowledge), RST (reset - terminates port connection)

Question 33

What are the corresponding TCP default port #s for these: SSH, DNS, HTTP, HTTPS

Answer 33

22, 52, 80, 443

Question 34

3-way handshake (and what happens afterwards)

Answer 34

1) Client sends SYN with c-seq = x
2) Server sends SYN-ACK with s-seq = y, ack = x + 1
3) Client sends ACK with ack = y + 1, seq = x + 1

After, data is sent between them with the seq# being the number of len of bytes sent over

Question 35

DNS

Answer 35

Domain Name System:How we map from IP addr -> real name

Question 36

nslookup

Answer 36

A command in the terminal to see the IP address of a domain

Question 37

ICANN

Answer 37

Internet Corperation for Assigned Names and Numbers: A non-profit org that controls + gives the assignments of IP addresses and domain names

Question 38

Resource Records (3 main types)

Answer 38

A = Address (IP address)
NS = Name Server (a DNS server)
MX = Mail exchanger (names of mail servers)

Question 39

Ping of Death

Answer 39

An attack on availability. (in the past) you could send a huge ping larger than the max size to cause a buffer overflow to the server. (server is supposed to respond with a PONG) but instead crashes the server

Question 40

traceroute

Answer 40

A terminal command to find scan the route that packets would take between your IP address and the target domain. Sends repeated ICMP requests with increasing TTL

Question 41

Nmap

Answer 41

Not necessarily an attack? but it is a terminal command to discover the various devices/services running on a network.

Question 42

SYN scan

Answer 42

Attack adjacent: send a SYN and figure out some stuff based on a response:

SYN-ACK = port is open
RST = port is closed
— (nothing) = filtered (ex: firewall)

Question 43

Side Channels (2 main ones)

Answer 43

Under TLS you can still patch together information about packets sent over network. These are namely the size of packets (# bytes sent over) and research has been done to show that timing is also a somewhat feasible side channel

Question 44

Blind Spoofing

Answer 44

Attack: Sending a SYN with a spoofed src IP address. Server will respond with a SYN-ACK to this separate IP address and in order to open up the forged connection, you have to guess the server’s SEQ number in return to send an appropriate ACK number in response.

Question 45

RST Hijacking

Answer 45

Attack: Spoofing a src IP address and sending a RST flag at a certain port to close the connection at the port. Used for censorship

Question 46

BGP Prefix Hijacking (2 main goals from this)

Answer 46

Attack: Falsely advertising a BGP network route as “more desireable” to purposefully direct traffic through that route.

1- route the traffic through a specific route with networks that you control to snoop on the traffic
2- an attack on availability (DoS) by sending a ton of traffic to a specific person

Question 47

S-BGP or BGPsec

Answer 47

Defense: A way to defend against BGP prefix hijacking by including digital signatures on the BGP prefixes. Not widly adopted because it’s costly

Question 48

DNS Cache Posioning

Answer 48

Attack: An attacker can give a local DNS server a falsely mapped IP address to map a user to a malicious site

Question 49

QID

Answer 49

Query ID: A QID is sent in the DNS packet header. This QID must match when the DNS server returns an IP address. Randomizing the QIDs is a way to defend against DNS cache poisoning, but you can also brute force try to guess the QID (it is 16 bits)

Question 50

Kaminsky Attack (2008)

Answer 50

You can spoof an entire xxx.domain.com zone by making a ton of DNS queries to the subdomains and trying to guess the QIDs. If any one of these QIDs is correctly guessed, you poison the DNS cache for the entire .bank.com domain.

Question 51

DNSSEC

Answer 51

Defense: A defense for trying to get DNS responses signed. Hard to adpot (costly and slow)

Question 52

DDoS

Answer 52

Distributed Denial of Service (attack): Many botnets or volunteers create a DoS attack by overloading one specific server.

Question 53

SYN Flood

Answer 53

Attack: DDoS attack that sends a ton of SYN packets. Whenever a server recieves a SYN, it needs to open a corresponding TCB (tranmission control block) on the kernel memory. If you flood the victim with SYN packets, you will crash the OS by exhausting kernel memry.

Question 54

Smurf Attack

Answer 54

DDos Attack: attacker sends many ping requests with spoofed victim IP address. PONG gets sent back to this victim many times over

Question 55

Smurf Attack Amp Factor

Answer 55

Defined as the total response size/request size. The larger response size compared to the request size the attacker needs to send will increase attack’s strength

Question 56

DNS Reflection Attack

Answer 56

A type of DDos attack: Spoof DNS requests to a ton of DNS resolvers. Will overwhelm the victim IP address with responses of DNS.

Question 57

CDNs

Answer 57

Content Delivery Networks: these are sort of intermediate servers that are connected to the root server. Is a nice defence against DDoS because now each large domain will have multiple servers without access to the master server.

Question 58

BotNets

Answer 58

These are specific attack machines that are used/created specifically by attackers. They have unique IP addresses. They are even monotized.

Question 59

DOM

Answer 59

Document Object Model: How a webpage is defined. Built up of various HTML components.

Question 60

HTTP

Answer 60

Hypertext Transfer Protocol: Message sent by a client to a server asking for a specific resource or action.

Question 61

HTTPS

Answer 61

HTTP request but sent over TLS (request and response are encrypted)

Question 62

Same-Origin Policy (SOP)

Answer 62

Web defense: prevents malicious DOM access. Only the origin who loaded the script can access the DOM. (not where the script comes from , but where it LOADS from)

Question 63

Iframes

Answer 63

Inline frames: allow you to embed a webpage inside another webpage.

Question 64

CORS

Answer 64

Cross Origin Resource Sharing: relaxes SOP- basically a set of rules you can put in the header that will specify when other origins can violate SOP on your origin. Include crossorigin=”” in the script header

Question 65

CSRF

Answer 65

Attack- Cross-Site Request Forgery: When a user is validly logged on, trick them into doing something (like sending a request).

Question 66

CRSF Token

Answer 66

Defense against CRSF: A random input value “token” is known to the main website (not to the attacker). It is inserted into a hidden field in any forms that get sent. In order for any HTTP request to be valid, the CRSF token must be sent over.

Question 67

XSS

Answer 67

Attack: Cross-Site Scripting: You can inject javascript into another page to make them run something without their knowing

Question 68

Reflected XSS

Answer 68

A type of XSS where the javascript is only there temporarily- the user gets tricked into clicking the link or navigating to the script

Question 69

Stored XSS

Answer 69

A type of XSS where the Javascript is there for everyone all the time (like the comments section of a page)

Question 70

CSP

Answer 70

Content Security Policies: A defense against XSS attack. It specifies where certain content is allowed to be loaded from

Question 71

Prepared Statements

Answer 71

A defense against SQL injection. It separates the data from the SQL query itself.

Question 72

CMS

Answer 72

Content Management System: Softwares used to create/publish websites without too much technical knowledge (ex: wordpress, drupal, etc)

Question 73

First-Party Tracking

Answer 73

Tracking via the site you currently on (on search engines or shopping sites). Can use cookies, javascript or URL parameters to do the tracking. Examples: website analytics, session data

Question 74

Third-party tracking

Answer 74

As a result of your visiting a certain page, other sites (origins) are contacted as a result. (Ex: 3rd party ads that show up)

Question 75

Browser Fingerprinting

Answer 75

A way to track users without using cookies. Identifies features of the browswer that are unique to the user’s machine (fonts, user-agent string- NOT IP address)

Question 76

FLoC

Answer 76

Federated Learning of Cohorts: A privacy focused proposal from Google. It tried to replace third-party cookies by instead using a sort of browser-fingerprinting (but via clusters of cohorts)

Question 77

Topics API

Answer 77

An alternative by Google from their FLoC initiative to try and walk away from third-party cookies. Addresses criticisms of FLoC

Question 78

“Enterprise”

Answer 78

A company/organization/instituation. (Ex: Google, Microsoft, American Red Cross, University of Chicago)

Question 79

“Enterprise Security”

Answer 79

Large scale security systems to protect enterprises. Specifically- corporate machines/devices, money/trade secrets, specific datasets

Question 80

Enterprise Network

Answer 80

Set of all devices + assets under an enterprise (devices, cloud services, datasets, etc)

Question 81

Border Firewalls

Answer 81

Any connections that are from external IP (not inside of enterprise network) must go through firewall- sort of like a filter.

Question 82

Conti Ransomeware Attack on Ireland HSE

Answer 82

In 2021 there was a major 700 GB data breach ransomware attack (locked out the victim/encrypted their data and then demanded ransom for restored access) Steps:

1) Attacker was able to download malware on an employee’s machine via a suspiscious email attachment
2) Attacker got SSH key added to verified key, created SSH connection outside of the enterprise network

Question 83

Command and Control (C2)

Answer 83

Attacker needs to establish a C&C base inside of the enterprise network to allow the outside attacker from communicating inside. Attacker cannot communicate outisde in, the C2 base needs to innitiate communcation inside-out. Also, attacks take a long time- cannot just have a single network session open for a super long time.

Question 84

Beaconing

Answer 84

A C2 protocol where the infected machine conitnuously contacts the outside attacker for new instructions (since the outside attacker cannot initiate instructions on its own)

Question 85

Internal (local, active directory) Reconnaissance (reconn) + network scanning

Answer 85

In an enterprise attack, process of identifying other machines in the enterpriss.

Local: looking through the infected machine itself (browser/shell/app history etc)
Active Directory: queries to the central authentication + directory databases
Network scanning: probing IP addresses to ifnd machines + vulnerable services

Question 86

Cyber “Killchain” (4 steps)

Answer 86

A typical enterprise attack structure
1. Initial Reconn to find vulnerabilities
2. Initial access + foothold (access to C2 base inside)
3. Internal expansion (gain extra privileges, more reconn)
4. Complete mission (data encryption/stealing, launch ransomware… etc)

Question 87

Network Segmentation & Bastion hosts

Answer 87

A defense for enterprise security: Further internal firewalling to strengthen isolation. Certain similar machines are grouped together and protected with an aditional firewall

Question 88

Zero Trust Model

Answer 88

Enterprise security defense: requires every piece of data to be authetnicated. Minimum permissions needed. (2FA, time of request checks, checking network properties + requesting device, checking if the device has been recently anti-virus scan etc)

Question 89

Network Intrusion Detection (NIDS)

Answer 89

Enterprise security defese: A combination of software + hardware (in between firewall and enterprise network) to detect + terminate bad traffic

PROS

Question 90

HIDS/EDR (Host-Based Intrustion Detection)

Answer 90

Individual software installed on each enterprise machine to detect + terminate malicious seeming activity (basically Anti Virus, rebranded to be Endpoint Detection & Response)

Question 91

SIEM

Answer 91

Security Information and Event Management System: aggragate logs from NIDS and HIDS to analyze data to detect any trends etc (security purposes)

Question 92

Signature-based Detection

Answer 92

A way of determining if an activity is an attack by writing specfic rules about what is and is not attack

Question 93

Specification-Based Detection

Answer 93

Ways to determine if something is an attack via writing only rules on legitimate behavior. Anything else = attack

Question 94

Supervised Detection

Answer 94

Form of ML based detection: learn the characteristics of attacks + train model based on prior attacks

Question 95

Anomaly Detection

Answer 95

ML-Based Detection- training the model on BENIGN behavior. Everything else = attack

Question 96

Explicit Authentication

Answer 96

Either single-factor or multi-factor authentication (explicitly Y or N)

Question 97

Implicit Authentication

Answer 97

Continuously determining authentication based on behavior of the user.

Question 98

Risk-based Authentication

Answer 98

When you vary the authenticaiton requirments based on the estimated risk

Question 99

Phishing attack

Answer 99

Password-based attack: tricking the user into giving up their credentials, thinks that you are a legitimate, trusted system. Spear phishing is a subset of this where a specific user or target is pinpointed- these attacks are much more personalized

Question 100

Shoulder Surfing

Answer 100

An attack against passwords: simply physically observing someone entering their credentials

Question 101

bycrypt and scrypt

Answer 101

the best password hashing algorithms! takes forever to unhash them

Question 102

Salting

Answer 102

A defense against password attacks: passwords are hashed with a “salt” string to make it more difficult to unhash. These are stored alongside the password. Defends against rainbow tables. The more accounts in the database, the more difficult it becomes to crack the passwords with salting

Question 103

Pepper

Answer 103

A form of password salting where the salt is stored secretly and is the same for every single password. Not commonly seen

Question 104

Online Password Attack

Answer 104

An attacker will try to enter multiple passwords online. Rate-limited, not very effective

Question 105

Offline Password Attacks

Answer 105

Attacker obtains the password database of hashed passwords (maybe via SQL injection) + username combos and tries to crack them

Question 106

Shannon Entropy + a-guesswork

Answer 106

A statistical approach to measure passwords. Shannon entropy uses entropy of password- this does not consider real, human tendencies when creating passwords. Also requires a large sample in order for it to be accurate

Question 107

Parametaized Guessability

Answer 107

A way of analyzing password strength: given a particular cracking algorithm, how many guesses would it take to crack it?

Question 108

Wordlist

Answer 108

Password cracking technique to simply hash a set of predetermined words to try and find matches

Question 109

Mangled Wordlist Attack

Answer 109

Password Cracking attack: Take a simple wordlist, then modify it using a rulelist (ex: replace a->4) for every combination

Question 110

John the Ripper

Answer 110

A password cracking software. Iterates each rule over the entire wordlist until the rules are exhausted

Question 111

Hashcat

Answer 111

A password cracking software: iterates each word over each rule until the words are exhausted

Question 112

Mask attack

Answer 112

A brute force password cracking attack that finds every single combination of characters that satisfy the mask.

Question 113

Markov Model

Answer 113

A password cracking model that predicts the next character of a password based on the probability it had from the entire password base

Question 114

Probabilistic Context Free Grammar

Answer 114

PCFG: a type of slow password cracking that uses grammatical rules to crack passwords

Question 115

Password Composition Rules

Answer 115

A method to get users to make better passwords: defines certain rules their passwords must comply to (ex: needs to have a number). In practice, this is pretty predictable though

Question 116

Single Sign-On: Shibboleth

Answer 116

A way to allow access to many types of domains when you are already signed in

Question 117

FIDO2

Answer 117

A passwordless authentication mechanism that uses public-key cyrpto.

Question 118

Passkeys

Answer 118

A FIDO2 / web Authn method that syncs your private key across your devices

Question 119

Out-of-order exectuion

Answer 119

The CPU will execute code instructions out of order compared to the code. This speeds up the process if you’re waiting on a certain value to be computed but can still sort of “multitask” with other instructions

Question 120

Speculative (predictive/eager) Execution

Answer 120

When at a conditional branch, instead of waiting to figure out which branch to take, just take it. Either: predictive (guess which one) or eager: taking both branches

Question 121

Spectre Attack

Answer 121

An attack that takes advantage of the CPU speculative exectuion. If an instruction was mistakenly, speculatively executed, it will be cached in the CPU no matter what. The most common way: reading data that is not typically allowed to be accessed. With speculative execution, a conditional branch might end up reading data from an array offset that is not typcially permitted, but the CPU will cache this data no matter what. You can measure the time it takes to input data into the cache (cannot actually read it) and slowly read memory byte by byte. Time-based attack. Can leak browser cache, session key, sensitive information.

Question 122

Meltdown Attack

Answer 122

You can attempt to access memory that is not allowed at a conditional branch. Due to speculative execution, the CPU will access this memory anyway and cache it. They can figure out what this memory is via a timing side channel- they will read each page of memory, and almost all of them will be slow. If one is slightly faster, it means it was cached!

Question 123

KAISER/KTPI

Answer 123

Kernel Page Table Isolation: A way to mitigate against meltdown attacks. It separates the kernal page tables from other parts of memory. This does impact performance though

Question 124

Heartbleed

Answer 124

A bug found in the OpenSSL code. Mainly a result of no code review/underfunded non profit projects

Question 125

Zoom Crypto Bug

From reading

Answer 125

It was found that zoom used AES-ECB which is a widly known AES method that has been deprecated because it is insecure. The cipher text reveals information about the plaintext in this mode

Question 126

Terrapin Attack

From reading

Answer 126

A MiTM attack on SSH channel that uses prefix truncation to intercept the very beginning of the SSH handshake

Question 127

Let’s Encrypt ACME Protocol

From the reading (also mentioned in slides though)

Answer 127

ACME protocol automates the process of obtaining a valid certificate. When a domain requests a certificate, Let’s Encrypt sends back a “challenge” request for the domain to prove themselves. Ie- this can be either in the form of a special DNS query or putting a certain piece of data on their server