Cryptography and Mitigation (Ch. 10,11)

Question 1

PKI

Answer 1

_ public key infrastructure

Question 2

Symmetric vs asymmetric encryption

Answer 2

_ same key to encrypt and decrypt vs different keys
_ asymmetric requires PKI for certificates
_ asymmetric is much more resource intensive (so mainly only used to exchange symmetric keys)

Question 3

Stream cipher

Answer 3

_ encrypts one bit or one byte at a time
_ more efficient with unknown or variable length data

Question 4

Block cipher

Answer 4

_ encrypts data in blocks
_ more efficient with known-length data

Question 5

ECC

Answer 5

_ elliptic curve cryptography
_ minimal overhead
_ useful in mobile devices

Question 6

steganography

Answer 6

_ hides data within other files
_ e.g. embed data within whitespace of an image

Question 7

Digital signature for email

Answer 7

_ has of email encrypted with private key

Question 8

Benefits of a digital signature

Answer 8

_ authentication
_ non-repudiation
_ integrity

Question 9

MD5

Answer 9

_ message digest 5
_ hashing algorithm producing 128-bit hash
_ has vulnerabilities, so now used as a checksum
_ susceptible to has collisions, making it unsuitable as a cryptographic hash (e.g. for hashing passwords)

Question 10

SHA

Answer 10

_ secure hashing algorithm
_ can be used to verify integrity

Question 11

SHA-2

Answer 11

_ created by NSA
_ SHA-256 creates 256-bit hashes
_ SHA-512 creates 512-bit hashes
_ SHA-224 truncates SHA-256
_ SHA-384 truncates SHA-512

Question 12

SHA-3

Answer 12

_ created in a non-Nsa public competition
_ alternative to SHA-2 (making same sizes available)

Question 13

HMAC

Answer 13

_ hash-based message authentication code
_ fixed-length string requiring a shared secret to create and validate
_ encrypts MD5 hash
_ provides both integrity and authenticity
_ used in IPsec and TLS
_ (if hash is transmitted with message, attacker could revise hash for a revised message, but not with HMAC)

Question 14

sha256sum

Answer 14

_ calculates SHA-256 of a file

Question 15

Password spraying attack

Answer 15

_ a kind of brute force attack
_ loops over many accounts for each attempted password
_ increases time between attempts on any given account, helping to avoid password lockout

Question 16

Pass the hash attack

Answer 16

_ attacker first somehow acquires a hash for a password
_ attacker then uses that hash in authentication

Question 17

Birthday attack

Answer 17

_ named for the mathematical “birthday paradox”
_ in any group of 23 people, there is a 50% chance 2 of them were born on the same day of their birth year
_ attack guesses the hash (which has collisions)

Question 18

Rainbow table attack

Answer 18

_ attempts to discover a password from a hash
_ rainbow table is a DB of hashes for passwords (e.g. hashes for every possible 9-digit password)
_ hashes are time-consuming to produce, but rainbow tables can be so huge that they save time

Question 19

Key stretching

Answer 19

_ applies cryptographic stretching to a salted password to make the effort of guessing hashes much more time consuming
_ Bcrypt, PBKDF2, and Argon2 also key stretch

Question 20

Bcrypt

Answer 20

_ salts password prior to encrypting
_ repeats process up to 60 times to make computationally expensive
_ 60-character string

Question 21

pepper

Answer 21

_ a second random salt number

Question 22

PBKDF2

Answer 22

_ 64+ bit salt with HMAC
_ can (but need not) repeat process many times to make computationally expensive

Question 23

AES

Answer 23

_ advanced encryption standard
_ symmetric key algorithm
_ encrypts into 128-bit blocks
_ key sizes 128, 192, or 256 bits
_ fast, efficient, strong

Question 24

3DES

Answer 24

_ “triple DES” (Data Encryption Standard)
_ improves on DES
_ encrypts in 3 passes with 3 different keys
_ more resource intensive than AES
_ used when hardware doesn’t support AES

Question 25

Key exchange

Answer 25

_ asymmetric keys are used to secretly exchange a symmetric key _ the symmetric key is then used for encryption and decryption because it’s much more efficient

Question 26

Digital certificate

Answer 26

_ means by which public keys are shared _ includes a public key _ describes owner of the certificate _ serial number _ certificate authority issuer _ validity dates _ valid usage (encryption, authentication, etc.) _ CN _ sent to clients in response to an HTTPS request

Question 27

CA

Answer 27

_ certificate authority _ issues and manages digital certificates _ provides trust in certificates

Question 28

Ephemeral key

Answer 28

_ lasts only the duration of a session

Question 29

RSA key lengths

Answer 29

_ 1024, 2048, 4096 bits _ 1024 no longer considered secure

Question 30

tokenization

Answer 30

_ obfuscation technique that replaces sensitive data with non-sensitive placeholders (i.e. tokens) _ tokens have to be looked up within a database to retrieve what they represent _ reduces exposure when one of the datasets is compromised

Question 31

masking

Answer 31

_ showing asterisks instead of a typed value

Question 32

Encryption with private key

Answer 32

_ for making digital signatures _ not used to encrypt web traffic; that’s done with an ephemeral symmetric key

Question 33

DSA

Answer 33

_ digital signature algorithm _ encrypted hash of a message, using sender’s private key _ authenticates the sender _ sender can’t repudiate that they sent the message _ ensures message integrity, as the hash was included _ encrypting the message would do the same but take far more resources

Question 34

S/MIME

Answer 34

_ secure/multipurpose internet mail extensions _ used for digitally signing and encrypting/decrypting email

Question 35

HTTPS TLS handshake

Answer 35

_ client requests an HTTPS session (but TLS is not restricted to HTTP) _ server responds with certificate containing its public key _ client creates a symmetric key _ client encrypts symmetric key with server’s public key _ client sends encrypted symmetric key to server _ server decrypts symmetric key with server’s private key _ data is thereafter encrypted with the symmetric key

Question 36

Downgrade attack

Answer 36

_ forces system to downgrade its security _ attacker then exploits the lesser security _ e.g. if SSL is enabled and client says it doesn’t support TLS, server might allow SSL _ e.g. if server supports a weak cipher suite, client might force it to downgrade to that

Question 37

blockchain

Answer 37

_ distributed, decentralized public ledger

Question 38

Blockchain block

Answer 38

Contains: _ info about the transaction _ info about the parties involved (digital signatures rather than names) _ a hash that uniquely identifies the block

Question 39

Blockchain block creation process

Answer 39

_ transaction occurs _ networked computers verify transaction _ transaction is recorded in a block _ block is assigned a hash _ block is added to the blockchain (referencing the prior block’s hash)

Question 40

entropy

Answer 40

_ randomness of a cryptographic algorithm _ greater randomness provides greater security

Question 41

Plaintext attack

Answer 41

_ attacker has plaintext and its associated ciphertext _ can then determine the encryption method _ can then decrypt any ciphertext

Question 42

Chosen-plaintext attack

Answer 42

_ attacker has part of the text associated with some ciphertext _ can be used to find the encryption method

Question 43

Root certificate

Answer 43

_ certificate that identifies the CA _ goes in Os or browser’s root certificate store _ browsers often ship with root certificates _ can be used to sign certificates of other CAs to convey trust to those CAs, making CAs hierarchical _ leaf node CAS of this hierarchy are used in apps and services _ may be kept offline to prevent compromise, enabling it to re-issue certs for compromised certs

Question 44

Certificate chain/path

Answer 44

_ chain of all certs from root to any given cert

Question 45

CSR

Answer 45

_ certificate signing request _ includes purpose of certificate, a public key, and info about the owner of the public key _ CA receives CSR, validates owner’s identity, and issues a certificate containing the public key _ validation process depends on declared purpose

Question 46

RA

Answer 46

_ registration authority _ assists with registration process _ doesn’t issue certificates _ used by large organizations

Question 47

Reasons to revoke a cert

Answer 47

_ private key compromise _ CA compromise _ change of affiliation _ superseded by another cert _ cease of operation _ certificate hold _ certificate holder’s request

Question 48

CRL

Answer 48

_ certificate revocation list _ publicly available _ often downloaded and cached, so it might not be up-to-date

Question 49

OCSP

Answer 49

_ online certificate status protocol _ API for determining whether a cert has been revoked _ signs the response (+ timestamp) so that response can be reused by others with trust (aka “stapling”)

Question 50

Validating a cert

Answer 50

_ check whether expired _ check whether issued by a trusted CA (i.e. whether it’s in the certificate authorities store) _ check whether revoked (requiring that the client request the CRL from the CA or use OCSP) _ if the site provides a “stapled” OCSP response, the client can verify this response and need not perform the above checks, reducing traffic to the OCSP and CA

Question 51

Certificate pinning

Answer 51

_ HTTPS response includes a header listing hashes derived from public keys that the site uses _ each hash also has a max-age telling the client when to expire the hash _ when clients reconnect to a website, they recalculate the hashes and compare with the returned values _ matching hashes indicate a return to an already-verified website

Question 52

Key escrow

Answer 52

_ process of placing coy of a key in a safe environment for recovery purposes

Question 53

KMS

Answer 53

_ key management system _ manages entire life cycle of cryptographic keys (generation, storage, distro, rotation, retirement/revocation/destruction)

Question 54

Common cert types

Answer 54

_ machine/computer - identifies the device within a domain _ user - for encryption or authentication _ email - encryption and signing _ code signing - signing software and scripts _ self-signed - privately used certs, not CA-backed _ root - root cert of a CA _ wildcard - starts with an asterisk, applying to all subdomains of a given domain _ subject alternative name (SAN) - applies to different domains owned by the same org _ domain validation - asserts an org owns a domain

Question 55

Cert filename extensions

Answer 55

_ there are many cert file formats _ e.g. .crt, .cer, .pem, .p7b, .p7c, .p7s, .pfx, .p12 _ file may have a format different from that indicated by its extension

Question 56

CER

Answer 56

_ ASCII format cert

Question 57

DER

Answer 57

_ binary format cert

Question 58

PEM

Answer 58

_ privacy-enhanced email (cert format) _ certs can be used for purposes other than email _ very common format

Question 59

P7B

Answer 59

_ cert format often used to share public keys

Question 60

P12 and PFX

Answer 60

_ cert formats used to hold private keys

Question 61

Perfect forward secrecy

Answer 61

_ generates a new random public key for each session _ generates key non-deterministically (given same input, generates a different public key) _ keys therefore are not reused _ past compromised keys can’t be used in a later attack

Question 62

Backout plan

Answer 62

_ steps to follow if a change goes wrong _ restores system to a previous operational state ASAP

Question 63

wiping

Answer 63

_ erases data from disks by overwriting various patterns multiple times _ does not apply to SSDs, which require a special erase process; SSDs are usually therefore destroyed

Question 64

degaussing

Answer 64

_ a powerful magnet renders data on tapes and disk drives unreadable _ not effective on SSDs

Question 65

COD

Answer 65

_ certification of (device or drive) destruction

Question 66

Incident response plan

Answer 66

_ formal plan of how to respond to an incident _ defines incident types (distinguishing events from incidents) _ response team _ roles and responsibilities _ communication plan

Question 67

Incident communication plan

Answer 67

_ first responders should know who to contact under what conditions _ further internal communication plans with others _ reporting requirements with external entities _ constraints on external communication _ plan for communicating with the customer

Question 68

SOC

Answer 68

_ security operations center

Question 69

Incident response process

Answer 69

_ preparation before an incident, including establishing procedure to prevent incidents _ detection processes and operations _ analysis to determine whether an event is an incident _ containment of incident (e.g. isolating or unplugging system) _ eradication of the components of the attack (and forensic analysis) _ recovery, returning systems to normal _ lessons learned

Question 70

Order of volatility

Answer 70

Order in which to collect evidence. Most to least volatile: _ cache _ RAM _ swap file or pagefile _ disk _ attached devices (e.g. USB drives) _ network

Question 71

dd

Answer 71

_ data duplicator command _ good for taking snapshots for forensic examination

Question 72

Legal hold

Answer 72

_ legal obligation to maintain different types of data as evidence

Question 73

eDiscovery

Answer 73

_ identification and collection of electronically stored data (for legal purposes)

Question 74

Chain of custody

Answer 74

_ process that assures that evidence has been properly controlled and handled _ in security, this is form that gets filled out indicating every person who was in possession of the asset _ control is the effort to ensure that the written chain of custody remains valid

Question 75

TTP

Answer 75

_ tactics, techniques, and procedures of an attack

Question 76

SOAR

Answer 76

_ security orchestration, automation, and response _ tools that respond to low-level security events automatically _ e.g. responding to phishing emails _ e.g. opening attachments in a sandbox to observe behavior _ uses playbooks and runbooks

Question 77

playbook

Answer 77

_ general guidelines _ e.g. what to check to detect a phishing email

Question 78

runbook

Answer 78

_ technical details for implementing playbook _ uses the tools of the organization _ either auto-handles the event or tasks an admin

Question 79

Security governance

Answer 79

_ responsibilities and processes established by an organization to manage its security efforts _ provides framework for making decisions _ sets strategic direction and goals _ indicates how to manage risk

Question 80

AUP

Answer 80

_ acceptable use policy _ of computer system or network

Question 81

Information security policy

Answer 81

_ protects data and information systems _ rules for managing, protecting, distributing information _ e.g. password complexity, handling of sensitive data

Question 82

Security guidelines

Answer 82

_ best practices (optional) _ unlike policies, standards, and procedures, which are mandatory

Question 83

Data governance

Answer 83

_ processes an organization uses to manage, process, and protect data _ helps ensure or improve quality of data

Question 84

Data roles

Answer 84

_ data owner - responsible for the data, including classifying it _ data steward - entity to whom owner delegates management of the data _ data custodian - does routine daily tasks like backup _ data controller - org that collects info from employees for payroll processing _ data processor - third-party org that works with data on behalf of the data controller

Question 85

EOSL

Answer 85

_ end of service life _ end of vendor support

Question 86

Right-to-audit clause

Answer 86

_ clause in cloud contracts giving customers right to hire an auditor to review cloud provider’s records and systems

Question 87

SLA

Answer 87

_ service level agreement _ stipulates performance expectation _ e.g. uptime/downtime levels _ may include a monetary penalty for failure to meet

Question 88

MOU

Answer 88

_ memorandum of understanding _ aka memorandum of agreement (MOA) _ expresses understanding between parties to work together toward a goal _ less formal than an SLA and no monetary penalties

Question 89

BPA

Answer 89

_ business partners agreement _ written agreement detailing relationship between business partners and obligations

Question 90

MSA

Answer 90

_ master services agreement _ structured agreement for vendors used repeatedly _ agreement applies across projects _ a work order (WO) or statement of work (SOW) is written per project

Question 91

Rules of engagement

Answer 91

_ what one is and is not allowed to do in security testing

Question 92

GLBA

Answer 92

_ Gramma-Leach Bliley Act _ aka Financial Services Modernization Act _ requires financial institutions to provide consumers with privacy notices

Question 93

GDPR

Answer 93

_ general data projection regulation _ an EU directive mandating privacy for EU individuals _ applies globally

Question 94

PCI DSS

Answer 94

_ payment card industry data security standard _ contractual relationship between banks that issue credit cards and merchants _ provides strict requirements for handling cardholder data

Question 95

Due diligence

Answer 95

_ actions taken to ensure organization is aware of all legal requirements

Question 96

Due care

Answer 96

_ continuous effort to ensure organization adhere to legal requirements and identifies non-compliance in a timely manner

Question 97

CBT

Answer 97

_ computer based training