General Security Concepts part 2

Question 1

Change management

Answer 1

Making sure changes to software or applications are completed properly.

• Upgrade software
  -Patch an application
  -Change firewall configuration
  -Modify switch ports

Question 2

Change approval process

Answer 2

• Complete the request forms
  -Determine the purpose of the change
  -Identify the scope of the change.
  -Schedule a date and time of the change
  -Determine affected systems and the impact
  -Analyse the risk associated with the change
  -Get approval from the change control board
  -Get end-user acceptance after the change is complete

Question 3

What is the role of an owner in the change control process.

Answer 3

Own the process
Don’t perform the change
Process updates are provided to the owner as they oversee/manage the process.
IT team handles the change

Question 4

Importance of Stakeholders in the chance control process

Answer 4

Who will be impacted by the change
Might not be so obvious

Question 5

Change control Impact Analysis

Answer 5

Determine a risk value
Fixes can potentially break something else
Operating system failures
Data corruptions
Risk of NOT making the change (Security vulnerability)

Question 6

How can you rest the results of a change

Answer 6

Test before implementing change.
Sandbox testing environment (Technological safe space)
Sandbox we can load a duplicate of the software and try the upgrade, apply the patch, test and confirm before deployment.

Question 7

Back out plan

Answer 7

Ability to revert your changes back to a configuration which was proven to have worked in the past.

Some changes are difficult to revert. Need good backups and ideas of how to revert back to original configuration.

Question 8

Maintenance window (change control)

Answer 8

When is the change happening?
Potential downtime would affect a large part of production
Challenging for 24-hour productions schedules.

Question 9

Technical Change management examples:

Answer 9

Change to allow/deny list
Allow list (Nothing runs unless it has been approved - very restrictive)
Deny list (Nothing on the deny list can be executed (Anti-virus, Anti-malware)

Question 10

Downtime

Answer 10

Services will eventually be unavailable
-The change process can be disruptive
-Usually scheduled during non-production hours
-If Possible, prevent any downtime

Question 11

Restarts

Answer 11

Some changes require physical restarts
Services - stop and restart the service
Application - close the application completely. Launch a new application instance.

Question 12

Legacy Application (old)

Answer 12

Legacy applications run for very long time. No longer supported by the developer. Hard to make changes to to these systems.
Become the expert in this system as may not be as complicated as you may think

Question 13

Dependancies

Answer 13

A service will not start without other active services.
Modifying one component may require changing or restarting other components
Dependencies may occur across systems.

Question 14

Documentation

Answer 14

it can be challenging to keep up with changes. Documents required with the change management process
Updating diagrams (Modification to network configurations,

Question 15

Version control

Answer 15

Track changes to a file or configuration date over time

Question 16

Public Key Infrastructure

Answer 16

Policies, procedures, hardware, software responsible for creating distributing, managing, storing and revoking digital certificates.

Question 17

Symmetric encryption

Answer 17

A single, shared key which is used for encryption and decryption. (A shared secret)

This does not scale very well.

Very fast to use, has less overhead than asymmetric encryption. Often combined with asymmetric encryption

Question 18

Asymmetric Encryption

Answer 18

Two keys are mathematically related. One is the private key and one is the public key.

The private key is the only key that can decrypt data encrypted with the public key.

You cannot derive the publc key from the private key and vise versa. (Cannot reverse engineer)

Question 19

Examples of stored data

Answer 19

-SSD, Hard drive, USB drive, Cloud storage.
-Full-disk volume encryption - BitLocker, FileVault
-File level encryption - Third party utilities

Question 20

Database Encryption

Answer 20

• Transparent encryption, Encrypt all database information with a symmetric key
  -Record-level encryption, use symmetric keys for each column on a table for example. Some is displayed in plain text but sensitive information is encrypted

Question 21

Transport Encryption

Answer 21

Protect data traversing the network.
HTTP: Example of encrypting data in the application
VPN (Virtual Private Network)
-Encrypts all data transmitted over the network, regardless of the application. Creates encrypted tunnel.
-Client based VPNs encrypted via SSL/TLS
-Site to site VPN is encrypted using Ipsec

Question 22

Encryption Algorithms

Answer 22

The formula used to encrypt and decrypt data. Both sides to decide on the algorithm before encrypting the data.
There are advantages and disadvantages between algorithms. Security level, speed, complexity of implementation

Question 23

What are the two types of encryption algorithms

Answer 23

DES Encryption Algorithm (More complex)
AES Encryption Algorithm

Question 24

Key Stretching

Answer 24

Creating a hash of a password and then making a hash of that hash, then making a hash of that hash

Question 25

Key Exchange - How to do this successfully?

Answer 25

Out of band key exchange. Telephone, courier, in person

In-band Key change.
-Protect the key with additional encryption. Often you could use asymmetric encryption to deliver a symmetric key.

Question 26

Key Exchange algorithm

Answer 26

two separate pairs of a public key and private key are combined to create a symmetric key which can be used to decrypt data.

Question 27

Trusted platform module

Answer 27

Hardware designed to provide cryptographic functions for that computer.

Question 28

Features of TPM

Answer 28

Cryptographic Processor - Random Number generator, key generators
Persistent Memory
Versatile Memory
-Storage keys, Hardware configuration information
- Securely store BitLocker Keys
-Password protected (No way to use brute force).

Question 29

Hardware Security Module

Answer 29

Used in Large environments
-Used in large environments, clusters, redundant power,
-Securely store thousands of cryptographic keys.

High end cryptographic hardware. Plug-in Card or separate hardware device.

Key Backup. Secure in hardware

Cryptographic accelerators - Offload that CPU overhead from other devices.

Question 30

Key Management System

Answer 30

Manage all keys from a centralised manager.

Question 31

Keeping data private. How?

Answer 31

Secure Enclave - Implemented as a hardware processor, Isolated from the main processor,

Provides extensive security features
Has its own boot ROM
Monitor the system boot process
True random number generator.
Real time memory encryption
Root Cryptographic Keys
Perform AES encryption in hardware.

Question 32

Obfuscation

Answer 32

The process of making something unclear - making something much more difficult to understand.

Hide information within an image - Steganograhy

Question 33

Common Steganography techniques

Answer 33

• Network based (Embed messages in TCP packets)

-Use an image - Embed the message in the image itself

-Invisible watermarks - Yellow dots on printers

-Video Staganograhy

• Tokenisation - Replace sensitive data with a non sensitive placeholder

Question 34

Data Masking

Answer 34

Hiding part of the data with **

Question 35

Hashing

Answer 35

Represent data as a short string of text

Question 36

Blockchain

Answer 36

A distributed ledger
A ledger which is is available for everyone to see and keeps track of transactions.
Records and replicates to anyone and everyone.

Question 37

Practical Applications of the blockchain

Answer 37

• Payment processing
  -Digital Identification
  -Supply chain monitoring
  -Digital voting

Question 38

What does a digital certificate include

Answer 38

• A digital signature
• A public key

Question 39

How does a digital signature add trust?

Answer 39

PKI uses certificate authorities for additional trust.
Web of trust adds other users for additional trust

Question 39

Is a certificate authority required?

Answer 39

No. Certificates can be built into the Operating System. Part of the windows domain services.

Many 3rd Party options for certificate creation.

Question 40

Whats in a digital certificate and what is the standard format ?

Answer 40

X.509 - Formate
Certificate details:
Serial Number
Version
Signature algorithm
Issuer
Name of the cert holder
Public key
Extensions

Question 41

Certificate signing request.

Answer 41

• Create a digital certificate using the public key with the applicant identifying information to create a certificate signing request. (CSR)

-CSR sent to the Certificate authority who validates the request.

-CA signs the digital certificate with their private key and returns the digitally signed certificate back to the applicant.

Question 42

Wildcard Certificates

Answer 42

Allows you to put the name of the domain and the device name associated with it.

Can make a single certificate to be distributed across all devices.

Question 43

Certificate Revocation list

Answer 43

List of all of the certificates which have been revoked. Maintained by the certificate authority.

Question 44

OCSP Stapling ?

Answer 44

OCSP Status is stapled into the SSL/TSL handshake. Digitally signed by the CA.