Areas of Struggle Flashcards
These are the areas that you tended to struggle with understanding the most. Make sure you get these down-pat (71 cards)
1
Q
What is TLS?
A
TLS is a cryptographic protocol designed to provide secure communication over a computer network.
2
Q
What fundamental areas of Security does TLS ensure, and how?
A
Confidentiality - Via Encryption
Integrity - Via Message authentication codes (MACs)
Authentication - Typically through certificates
3
Q
What two phases/layers does TLS consist of?
A
- Handshake Phase/Layer
- Record Phase/Layer
4
Q
How does the Handshake Layer/Phase function in TLS?
A
- Client sends a message to the server, indicating supported cipher suites and a random number
- Server responds with chosen cipher suite, a certificate and its own random number.
- Performs key exchange using chosen cipher suite
- Client verifies server’s certificate
- Both parties compute a master secret from exchanged values and derive symmetric keys
- Both sides send a hash of previous messages encrypted with the session key to confirm integrity
5
Q
How does the Record Phase/Layer work in TLS?
A
- Using the symmetric keys, all further communication is encrypted and authenticated
- Data is then split into records and secured using AEAD (Authenticated Encryption with Associated Data)
6
Q
What are some advantages of using TLS?
A
- Confidentiality, Authentication and Integrity are integrated into the solution
- Forward Secrecy: If a server’s private key is compromised in later sessions, past sessions are still secure
7
Q
What are some limitations of TLS?
A
- If a user trust a certificate from a CA, then all other certificates they’ve issues are also trusted. If it’s compromised, then there will be future problems
- Revocation problems: Certificates can be revoked, but clients don’t tend to check this reliably (OCSP inconsistencies)
- TLS is only as strong as its implementation. If implemented wrong, it could cause large issues
8
Q
What are some vulnerabilities of TLS?
A
- TLS is vulnerable to Man-in-the-middle attacks
- Protocol downgrade attacks can be a concern if servers allow weak cipher suites to be used
9
Q
What is PKI?
A
Public Key Infrastructure - Framework that enables secure exchange of information using public key cryptography.
10
Q
How does PKI work?
A
- An entity generates a public-private key pair
- Entity submits a Certificate Signing Request (CSR) to a Certificate Authority (CA), including public key and identity information
- CA verifies the identity
- If verification passes, then the CA digitally signs the certificate using its private key
- Entity installs the certificate on its server, and clients accessing the sever retrieve this certificate
- Client checks the validity period, and verifies the CA’s signature using the CA’s public key, and ensures the certificate chains back to a trusted Root CA
11
Q
What are the advantages of PKI?
A
- Includes Confidentiality and Integrity through encryption and authenticity of message/s
- Non-repudiation - Digital signatures can be used to verify the origin of messages
12
Q
What are the limitations of PKI?
A
- If a CA is compromised or makes a mistake, the whole trust model is endangered
- Mechanisms like Certificate Revocation lists are not always checked or enforced
- Each platform has its own list of trusted root CAs, which can vary.
13
Q
How do clients verify the digital signature on a certificate?
A
Clients use the public key of the CA to verify the digital signature on the certificate
14
Q
What alternatives are there to PKI CAs?
A
- Public CAs
- Self-signed
- Private CA
15
Q
What do Internet Threat Models assume?
A
Internet Threat Models assume:
- Attacker has no control over the victim’s OS or machine
- Attacks occur via web content, URLs or browser features
16
Q
What 4 types of cookies are there, and how are they different from each other?
A
Session - Deleted on browser close
Persistent - Expire at a set time
- Secure - Sent only over HTTPS
HttpOnly - Inaccessible via JavaScript, mitigating some attacks
17
Q
What are third-party cookies?
A
They are set by domains other than the one the user is visiting, and are commonly used by advertisers to track user behaviour across sites
18
Q
What are the two vulnerabilities in regards to cookies?
A
Cookie stealing/hijacking - Intercepting or accessing session identifiers to impersonate a user
Cookie Poisoning - Modifying cookies to inject malicious code or data
19
Q
How does Cross-Site Scripting (XSS) work?
A
Injection attack, similar to SQL injection
Uses HTML structures and injects them into the content of a website, where the browser will execute them.
20
Q
What are the two types of XSS attack?
A
- Reflected XSS
- Persistent XSS
21
Q
How does Reflected XSS work?
A
The attack vector is in the URL or query string e.g. a malicious script in a URL echoed by a 404 page
22
Q
How does Persistent XSS work?
A
The malicious script is stored on the server through the use of areas with user input e.g. blog comments
This script is then automatically executed when users visit the affected page
23
Q
How do you prevent XSS attacks?
A
Websites must aggressively escape HTML characters from any user input/output, by locating all positions in which a website handles untrusted data.
24
Q
How does Cross-Site Request Forgery (CSRF) work?
A
If a user logged into a site and then visits a malicious site afterwards, then the latter site can send a POST request to the previous site using the user’s existing session cookie.
25
How do you prevent Cross-Site Request Forgery (CSRF) attacks?
- Use synchroniser tokens, which are random one-time-use tokens embedded in forms that match what the server expects
- Mitigate other forms of XSS which can help prevent this type of attack
26
What are Packet Filters?
Packet filters are a type of firewall which specifies which packets should be allowed or dropped. They evaluate headers of each packet, which specify IP address, ports and protocols.
27
What are the two types of rules that could be implemented in Packet Filters?
Stateless: Each packet is checked in isolation
Stateful: Connection state is tracked, allows related responses to pass through
28
What are Packet Filters not able to do?
- Prevent attacks that employ application-specific vulnerabilities
- Do not support higher-level authentication schemes
29
What are Connection Tables?
Connection Tables map source/destination IPs and ports with the session status. They ensure only valid responses to existing connections are allowed
30
What are Application-Level Gateways?
Application-Gateways filter traffic based on application-layer protocols like HTTP or FTP. They allow more sophisticated rules compared to packet filters.
31
What are Proxy Servers?
Proxy Servers act on a client's behalf to fetch data.
32
What are Proxy servers capable of?
They can filter content, cache responses and inspect traffic
33
What are some issues with Proxy Servers?
- High overhead per connection
- More expensive than packet filtering
- Configuration is complex
- A separate server is required for each service
34
What is NAT, and what does it do?
Network Address Translation - Allows many devices to share one public IP
35
How does NAT work?
It translates internal IPs to a public-facing IP, and hides the internal structure by dropping unsolicited external requests unless they are explicitly forwarded.
36
What are some issues with firewalls?
- Cannot block application-specific exploits
- Do not authenticate users or handle application-layer security
- Can't stop malware in transferred files
- Bypassing techniques include tunnelling or insider threats
37
What are some common threats to WiFi Security?
- Packet sniffing/eavesdropping
- Rogue Access Point
- Password Cracking on older WPA versions
- KRACK
38
What are some additional measures you can employ for increased WiFi Security?
- Turn off WiFi Protected Setup (WPS)
- Enable MAC filtering
- Segment IoT devices into separate VLANs
39
How do you protect DNS resolvers from becoming part of a DoS Amplification Attack?
Use an authorised list of requesters
Egress Filtering
40
What are the two types of IPSec protocols?
- Authentication Header (AH): Handles Authentication only
- Encapsulation Security Payload (ESP): Handles Authentication + Encryption
41
What are the two types of modes for Encapsulation Security Payload?
- Transport Mode
- Tunnel Mode
42
What primary features does Transport Mode have in ESP?
- Encrypts payload only, doesn't prevent manipulation of the header
- Original IP header remains visible
- Used for host-to-host encryption
43
What primary features does Tunnel mode have in ESP?
- Encrypts entire packet, including the original IP header
- Offers better privacy and hides metadata
- Completely protects manipulation of the payload in a packet
44
How does ARP Cache Poisoning work?
Attacker sends unsolicited ARP replies to a machine in order to alter MAC-IP mapping in another host's cache
45
How do you defend against ARP Cache Poisoning attacks?
- Ignore unsolicited replies
- Monitor MAC-IP mappings
- Use IDS (Intrusion Detection System)
46
What is DNS Spoofing?
Attacker poisons a DNS cache to redirect users to malicious IPs
47
How is a DNS Spoofing attack carried out?
Either through the use of ARP Cache Poisoning, or Forged DNS Replies
48
How do you defend against DNS Spoofing attacks?
DNSSEC - Authenticate the name server and provide integrity for the messages
Randomisation of query numbers and source port also help
49
How does TCP Session Hijacking work?
An attacker guesses the sequence number of a TCP stream to inject or hijack a session
50
How do you defend against TCP Session Hijacking?
- Randomise sequence numbers
- Encrypt communications
- Update firewall configurations
51
What are the main components of IDS?
- Sensors/Agents: Collect and collate data from multiple viewpoints on a network
- Analysers: See if an intrusion has taken place
- Reporting: Notify administrators via alerts on a console or graphical interface
52
Why use Views in Database Security?
- Flexible way of creating policies closer to the application requirements
- Simplify complex queries by restricting direct access to tables
- Data can be easily reclassified
53
Why wouldn't you use Views in Database Security?
- INSERT/UPDATE actions depend on the CHECK option, else might be blind inserts
- Completeness and consistency are not achieved automatically
- Can quickly become inefficient
54
What are further defence measures that could be used to prevent data inference on statistical queries in database security?
- Data swapping
- Noise Addition
- Table Splitting
- User Tracking
55
What is an SQL Injection Attack?
An attacker interferes with the queries an application makes to its database. It occurs when untrusted input is concatenated directly into SQL statements without proper sanitisation
56
How do you defend against an SQL Injection attack?
- Use of prepared statements: SQL commands are defined separately from input data
- Input validation and escaping: Ensure input conforms to expected formats
- Least Privileged Database Accounts: Application should only use accounts with the least permissions
57
What is the difference between a Blind SQL Injection attack, and an SQL Injection attack?
A Blind SQL Injection attack won't print any information to the screen, whereas a normal SQL Injection attack will
58
What is a Second Order SQL Injection Attack?
On the first pass, the exploit is stored. In the second pass, that exploit is then executed.
59
What is a Canary?
A canary is a small, known value placed on the stack, specifically just before the return address in a function's stack frame. It's purpose is to detect whether a buffer overflow has occurred before the function returns.
60
What are Access Control Matrices (ACMs)?
Access Control Matrix conceptually maps subjects to objects and permissions
61
What is an Access Control List?
It is a column of the Access Control Matrix, which defines what permissions each user has for that specific file.
62
What are Access Tokens?
An Access Token is issued upon successful logon and includes the user's SID, group memberships, user privileges and default settings for object creation.
63
What is User Account Control (UAC)?
It is the concept of two access tokens per user, one of which is heavily restricted and is mainly used for administrative purposes. The other token is a general use token with restricted privileges.
64
What is a Reference Monitor?
It is an abstract security concept that:
- Mediates all access from subjects to objects
- Enforces access control policies
65
What are some key properties of Reference Monitors?
Tamper-resistant - Must not be alterable by unauthorised users
Always-invoked - Must mediate every access attempt
Must be simple enough to be proven correct
66
What impact does Reference Monitor placement have on security and performance?
The lower the level of placement, the more secure and less attackable it is, but it is less context-aware
Higher-level monitors are easier to update, but are more easily bypassed.
67
What is Controlled Invocation?
It is the process of safely allowing user-mode programs to execute privileged operations such as memory management.
68
How does Controlled Invocation work?
- User application needs a privileged service
- It makes a system call, which causes the mode to switch from user-mode to kernel-mode (Ring 3 - Ring 0)
- Kernel executes the privileged operation
- Control is then returned to user mode after execution
69
What is Privilege Escalation?
Privilege Escalation occurs when a user or process gains higher access rights than intended, often by exploiting flaws in controlled invocation
70
How does Privilege Escalation occur?
- Exploiting a buffer overflow
- Taking advantage of incorrect permissions on executables or configuration files
- Exploiting kernel bugs to write or execute arbitrary code
71
How do you defend against Privilege Escalation?
- Enforce strict privilege boundaries via hardware and software
- Use secure system call interfaces with parameter checks
- Implement security modules like SELinux or AppArmor to add policy-based controls
- Apply patches regularly to close vulnerabilities
