General Flashcards

(129 cards)

1
Q

What is in the CIA triad

A

Confidentiality
Integrity
Availability

2
Q

List the 6 steps of incident response

A

Prepare
Detection and analysis
Containment
Eradication
Recovery
Post-incident activity or lessons learned

3
Q

What is triple A (AAA)

A

Stands for accounting, authentication, and authorization

4
Q

What is MITRE's model for post-attack techniques called

A

ATT&CK
Adversarial Tactics, Techniques, and Common Knowledge

5
Q

List the 7 steps of the attack kill chain

A

Recon
Weaponization
Delivery
Exploitation
Installation
Command and control
Actions on objectives

6
Q

What are the general 5 steps of hacking

A

Recon
Scanning
Gaining access
Maintaining access
Covering tracks

7
Q

What are the 5 steps of a pen test

A

Planning
Scanning
Gaining access
Maintaining access
Analysis & reporting

8
Q

List examples of substitution ciphers

A

ROT13, Caesar cipher, and keyword cipher

9
Q

What is a one-time pad

A

It's unbreakable if properly used. Each person would get a copy of the pad, which was the key, to encrypt the message

10
Q

What is symmetric crypto

A

Uses one key to both encrypt and decrypt

11
Q

Symmetric key crypto uses what two cipher types, and how do they encrypt

A

Block and stream
Block ciphers work on bytes while stream ciphers work one bit at a time

12
Q

List some symmetric key algorithms

A

DES, 3DES, and AES

13
Q

List popular stream ciphers

A

RC4, SEAL, and ORYX

14
Q

What two keys does asymmetric crypto use

A

Public and private

15
Q

List common asymmetric algorithms

A

RSA, ECC, ECDSA, DSS, ElGamal, and Diffie-Hellman

16
Q

List common hash algorithms

A

SHA, MD5, and RACE

17
Q

How is a digital signature made using PKI

A

The message is first hashed
The hash is encrypted using the private key
The receiver uses the public key to decrypt it

18
Q

OCSP versus CRL

A

A CRL is a list that is downloaded and checked,
while the Online Certificate Status Protocol checks the certificate online to see if it is valid

19
Q

What is OCSP stapling

A

Instead of the web browser reaching out to the CA, the web server caches the OCSP response and then staples that response to the certificate sent to the client

20
Q

What are the 5 threat intelligence lifecycle steps

A

Planning & requirements
Collection and processing
Analysis
Dissemination
Feedback

21
Q

What are PKCS

A

Public Key Cryptography Standards for different uses in PKI

22
Q

What is PKCS 7 used for

A

To sign or encrypt messages

23
Q

What is PKCS 10 used for

A

It's the standard used to request a certificate from a CA

24
Q

What is PKCS 12 or PFX

A

A file that stores the private key, certificate chain, and certificate; it can be protected by a password

25
What are 2 use cases of PKCS 7
Storing certificates or CRLs
26
What does Windows event logon type 2 mean
It was an interactive login
27
What does Windows event logon type 3 mean
It was a network login, such as a connection to a shared drive
28
What does Windows event logon type 10 mean?
Remote interactive, such as RDP or terminal services
29
What trust model does full disk encryption use
Hardware root of trust
30
What are standard operating procedures
Step-by-step instructions on how to carry out a task
31
What are the ISO 27000 standards
A series of standards that provide a framework for info sec management practices
32
What is ISO 27001
A framework and standards for information security management systems
33
What is operational technology?
Systems that are used to monitor and manage manufacturing or industrial process assets
34
What are ICS and SCADA systems
Industrial control systems; supervisory control and data acquisition systems
35
What vulnerabilities do legacy industrial systems like Modbus possess
They don't always support authentication, confidentiality, or replay protection
36
What are the 7 logging facility levels in syslog
1 Alert, 2 Critical, 3 Error, 4 Warning, 5 Notice, 6 Informational, 7 Debug
37
What is NTP and what port does it use?
Network Time Protocol; it uses UDP port 123
38
What is log normalization
Converting log data into a particular data representation and categorizing it consistently
39
Why should logs use UTC time
It's universal and can easily be converted to whatever time zone the analyst is working in
40
What are the 4 areas in the diamond model
Adversary, Capabilities, Infrastructure, Victim
41
What are 2 examples of hardware root of trust devices
TPM and HSM (hardware security module)
42
What do physical controls do?
Mitigate risks to physical security and also include technical controls
43
What do administrative/managerial controls do?
Mitigate risks by implementing certain processes and procedures
44
What do technical controls do?
Manage risk using technical measures such as antivirus or a firewall
45
What are key and compensating controls
Key controls are the primary ones and can affect an entire process if they fail; compensating controls replace impracticable or unfeasible key controls
46
What is NIST SP 800-53
Security and privacy controls for info systems
47
What 2 frameworks are common for cyber security
ISO 27000 series and NIST SP 800-37 risk management and SP 800-35 security and privacy controls
48
What is IaaS, PaaS, and SaaS
IaaS is cloud infrastructure like a VPS; PaaS is a platform with some control, like Azure; and SaaS is little to no control, like Office 365
49
What else are countermeasures called in risk management?
Security controls
50
What is user acceptance testing
Where users test the software, like beta testing
51
What is regression testing?
Re-running functional and non-functional tests to ensure that previously developed and tested software still performs as expected after a change
52
What can regression testing help with in security?
Making sure any new changes don't introduce new security vulnerabilities
53
What is machine code
The compiled form, like a PE file
54
What is assembly code
A low-level programming language with a very strong correspondence between the instructions in the language and the architecture's machine code instructions
55
What is high-level code
Code at a human-readable level
56
What is a disassembler
Converts compiled code to assembly
57
What is a decompiler
Converts compiled code back into human-readable output
58
Do debuggers do dynamic or static analysis
Dynamic
59
What are the 5 stages of threat intelligence
Planning & requirements, Collection & processing, Analysis, Dissemination, Feedback
60
What are the 4 categories in threat intel
Strategic, Tactical, Operational, Technical
61
What is in the strategic threat intel category
High-level, for non-technical audiences
62
What is in the tactical threat intel category
Details of tactics, techniques, and procedures (TTPs)
63
What is in the operational intel category
Actionable info about incoming attacks
64
What is in the technical intel category
Technical threat indicators like a hash or C2 IP address
65
What are the 3 ways to assess threat intel sources
Timeliness, Relevancy, Accuracy
66
What is an ISAC
Information Sharing and Analysis Center
67
Why are ISACs good to use?
They tend to be focused on certain industries, like healthcare
68
What are the two benefits of PAM?
Higher-level privileges are temporarily given; auditing is done to monitor what is done
69
What is IAM versus PAM
Identity access management is the 5 Ws of access to resources, plus management of passwords and the user lifecycle. Privileged access management is a subset of IAM: it identifies accounts needing privileged access and specifies the policies that apply to them
70
What is Microsoft's PIM
Provides time-based and approval-based privileged access. Some vendors include this in the PAM product they sell
71
What is JIT PAM
Just-in-time, which refers to giving privileged access only for a certain time period to do the jobs or tasks that require it
72
What is an SLA
Service level agreement between a provider and client about metrics, responsiveness, and responsibilities
73
What is an SLO
Service level objective: an agreement about a specific metric or response time
74
What is an SLI
Service level indicator: used to measure compliance with an SLO and SLA
75
What are operational controls
Controls executed by company personnel during day-to-day operations
76
3 examples of operational security controls
Change management, Security awareness training, Business continuity plan
77
What are deterrent controls
Includes some preventative controls like a guard dog. Meant to deter someone, like CCTV or a warning sign
78
What are detective controls
Used to investigate an incident; examples are log files and CCTV
79
What are corrective/responsive controls
Actions you take to recover from an incident, like restoring from a backup tape, or a fire suppression system
80
What are preventative controls
In place to deter an attack, like a security guard with a dog, disabling user accounts, and OS hardening
81
What is DAC
Discretionary access control, based on the user and permissions to objects such as NTFS full control
82
What is mandatory access control?
Based on the classification level of the data, such as top secret, secret, and confidential
83
In Linux permissions, what are these areas: -r-srwxr-x
The left part is the type, such as d for a folder, l for a link, and - for a normal file. The next 3 parts are permissions, from left: owner, group, and all others. s means setuid has been set and a regular user will execute it with the privileges of the owner
84
What is useful about the sticky bit in Linux
Having t set means anyone can write but only the owner can delete files
85
What is time offset
The regional time of where the data was collected
86
What is time synchronization?
Evidence from multiple time zones is put into one time, such as UTC. Also a protocol like NTP is used so all devices have the correct time
87
What port does NTP use
Port 123
88
What is STIX
It's a standard for sharing information about cyber threats and cyber threat intel. Version 2 is JSON
89
What is a STIX domain object?
SDOs allow you to categorize each piece of info with specific attributes
90
What is a STIX relationship object?
A way to link data; there are 2 kinds: relationship and sighting
91
What is TAXII
A protocol to share threat intelligence data
92
What is the diamond model usually used for?
Uses threads to show how an attacker behaves during an attack. Can be mapped to the kill chain
93
What is threat modeling?
A proactive way to uncover threats and how they are carried out
94
What is the Open Source Security Testing Methodology Manual (OSSTMM)?
Provides a guide on performing a security test or audit
95
What is the OWASP testing guide?
Provides a guide to testing web applications
96
5 steps of a risk assessment
Gather info about what assets, applications, and IT systems are there; define and classify assets; explore potential vulnerabilities; explore potential threats; create mitigation strategies
97
What is passive scanning
Using sources such as OSINT and traffic captures. No direct interaction with the host
98
What is active scanning
Provides more details, like updates installed on the machine. Port scanning is another example
99
What is device fingerprinting
Uniquely identifies assets on a device, such as what OS they are running
100
What is a map scan?
A wide scan that shows all assets on a network, such as a LAN
101
Why is credentialed scanning better than non-credentialed
It provides more detail; non-credentialed may not have all permissions
102
Agent versus non-agent vulnerability scanning?
Agent: credentialed by default, doesn't use as much bandwidth, increased management overhead. Agentless: less overhead, can be credentialed or not, won't always provide all information without configuration changes
103
What is a CPE in vulnerability scanning?
A way to show info about the OS, hardware, and software, such as which OS is running
104
What is the point of a CVSS score?
A metric for comparing and prioritizing vulnerabilities
105
What is a true positive
A legitimate attack detected
106
What is a false positive
An alert when there was no attack
107
False negative
No alarm raised but an attack happened
108
True negative
No alert given when legitimate activity occurred
109
What are the CVE score levels
0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7-8.9 High, 9-10 Critical
110
What is the attack vector metric in CVSS
Reflects the context by which the vulnerability is exploitable
111
What are the 3 metrics in a CVSS score
Base, Required, Temporal
112
What are the 4 attack vectors?
Network, adjacent, local, and physical
113
In a CVSS score, what is attack complexity?
Measures conditions beyond the attacker's control; there are two levels, low and high
114
In a CVSS score, what is privileges required
Describes the privileges an attacker must have: none, low, and high
115
In a CVSS score, what is user interaction
Metric that measures whether another user is required to participate in a successful compromise: none or required, like a phishing link
116
What does dynamic ARP inspection do?
It checks a database, such as the DHCP snooping database, to prevent ARP spoofing.
117
What does DHCP snooping do?
Builds a database of MAC addresses and DHCP leases, which helps DAI against ARP spoofing. Also prevents rogue DHCP servers and DHCP starvation attacks
118
What is a Kerberoasting attack?
119
What is an XXE web attack and what is the typical field used?
An attack that allows one to interfere with an application's processing of XML data. Typically the external entities field is used, which loads content from outside the XML file
120
What are the 4 types of XXE attacks?
Exploiting XXE to retrieve files; using it to perform SSRF; blind XXE to exfiltrate data out of band; blind XXE to retrieve data via error messages
121
What is a local file inclusion web vulnerability?
An attacker tricks the website into running or exposing files
122
What is a remote file inclusion web vulnerability?
An attacker forces the web server to include and run code from a remote URL.
123
What is cross-site scripting (XSS)?
Allows an attacker to manipulate the web server to run malicious code for other users
124
What is a reflected XSS attack?
The malicious script comes from the HTTP request
125
What is a stored XSS attack and what is one example?
When an app receives data from an untrusted source and includes it in later HTTP responses. An example is a comment on a web server page that will run malicious code
126
What is DOM-based cross-site scripting
An app contains client-side JavaScript that processes data from an untrusted source in an unsafe way
127
What is a cross-site request forgery (CSRF) web attack?
An attacker exploits the web app to make users do an action they didn't intend to do
128
How do you prevent cross-site request forgery attacks?
Use SameSite cookies and/or a unique CSRF token
129
What is a server-side request forgery?
A web app is attacked to make the vulnerable backend server run malicious code