Qns

Question 1

Explain what is a security assessment.

Answer 1

It is a joint collaboration between sech arch team, pentest and sadly team to identify security risks at the start of creating an application and verify if it complies with visa’s security standards

Question 2

As a security accessor, explain how you will approach a security assessment?
Si

Answer 2

Scoping - identify the scope of the change in the application
Ensure that the application aligns with visa security standards.

break down the change into diff parts, find out where the data is being stored. What kind of data i need to protect, PII PAN, how do i break it down into components, what part of the network is being exposed.

Question 3

What are the stages in a Cyber Security Incident Response.

Answer 3

identify protect prepare detect respond recover (+review)

Question 4

DLP

Answer 4

Data loss prevention - prevent unauthorised data loss or leakage - one is at host level, one is at network level - if you are sending anything out illegal on the network level

Question 5

WAF

Answer 5

Web application firewall (cloudflare)- monitor filter and block http traffic between web application and internet
- http payload inspection - tls stripping, get payload, contains private keys of visa to extract and read the payload
- whitelist IP

Question 6

IAM

Answer 6

Identity and access management - people who provision accounts and permissions

Question 7

Application Layer

Answer 7

7: Interfaces with the user and provides network services.
Eg: HTTP, FTP, SMTP, DNS

Controls: - Application firewalls- Input validation- Authentication mechanisms- Data encryption

Question 8

Presentation Layer

Answer 8

6: Translates data formats, encrypts/decrypts, and compresses data.
Eg: JPEG, SSL/TLS, ASCII

Controls: - Strong encryption protocols (e.g., TLS)- Data format validation- Secure coding practices

Question 9

Session Layer

Answer 9

5: Manages sessions and controls dialogs between systems.
NetBIOS, PPTP, RPC

Controls: - Session encryption- Secure session management (e.g., session timeouts)- Multi-factor authentication

Question 10

Transport Layer

Answer 10

4: Provides end-to-end communication and error recovery.
TCP, UDP

Controls: - Transport Layer Security (TLS)- Port filtering- Anti-DDoS measures

Question 11

network layer

Answer 11

3: Routes data packets between devices across different networks.
IP, ICMP, ARP, OSPF

Controls: - Firewall rules- Network segmentation- Intrusion Detection Systems (IDS)

Question 12

Data link layer

Answer 12

2: Handles data transfer between nodes and error detection.
Ethernet, PPP, MAC

Controls: - MAC address filtering- VLANs (Virtual LANs)- ARP inspection

Question 13

Physical layer

Answer 13

Concerned with physical hardware connections and signaling.
Cables, switches, NIC

Controls: - Physical security (locks, surveillance)- Secure hardware (e.g., tamper-proof devices)- Regular hardware audits

Question 14

MAC vs IP, which layer, description

Answer 14

Mac: layer 2 (data), identifying devices on the same network, (local)
on layer 2, devices use mac address to deliver frames to correct destination
48bit hexadecimal format
Ip: layer3 (network), identify devices across networks
Routes data packets across networks. Used for internet routing - global
IPv4 (32) / IPv6 (128)

Question 15

STRIDE S

Answer 15

Impersonation of a trusted entity, such as a user or system.

Unauthorized access to systems or data

• Use strong authentication (e.g., MFA). - Implement identity verification mechanisms. - Use secure protocols (e.g., HTTPS, TLS).

Question 16

STRIDE T

Answer 16

Unauthorized modification of data in transit or at rest.

Data corruption, loss of integrity

• Use cryptographic techniques like hashing and digital signatures. - Encrypt data in transit and at rest. - Implement checksums and audits.

Question 17

STRIDE R

Answer 17

Lack of evidence or logging to prove an action occurred, allowing denial of actions.

Fraud, accountability issues - Implement logging and auditing mechanisms.

• Use tamper-proof logs (e.g., immutable logs with cryptographic hashes). - Employ digital receipts.

Question 18

STRIDE I

Answer 18

Unauthorized access to or exposure of sensitive information.

Data leaks, privacy violations

• Use data encryption (e.g., AES). - Implement access controls and data masking. - Apply secure coding practices to prevent data exposure.

Question 19

STRIDE D

Answer 19

Disruption of service availability through resource exhaustion or targeted attacks.

Service downtime, loss of availability

• Use rate limiting and throttling. - Deploy DDoS protection (e.g., cloud-based services like AWS Shield). - Implement resource allocation limits.

Question 20

STRIDE E

Answer 20

Exploiting vulnerabilities to gain unauthorized privileges or permissions.

Unauthorized actions, full system compromise

• Enforce least privilege principles. - Regularly patch vulnerabilities. - Use privilege separation and role-based access controls (RBAC).

Question 21

Dmz

Answer 21

physical and logical subnet that seperates local area network (LAN) and other untrusted networks. Provides network segmentation to protect corporate network
Attackers need to pass through firewall before getting into dmz, > dmz > internal firewall. And these actions shd have set off alarms to prevent attacks from happening

Question 22

How to identify threats early in the DMZ

Answer 22

Network Traffic Monitoring: Analyze traffic to and from the DMZ for abnormal patterns (e.g., high traffic volumes, unauthorized access attempts).

Intrusion Detection Systems (IDS) Deploy IDS tools in the DMZ to detect suspicious activities like scanning, brute force attempts, or unusual traffic patterns.

Vulnerability Scanning Regularly scan DMZ systems for unpatched vulnerabilities or misconfigurations.

Question 23

TLS Process

Answer 23

Client verify server
1. Client Hello
2. Server hello - send out cert to prove identity
3. Cert validation - client check if valid CA (asymmetric)
4. Key Exchange - shared session key using either RSA or Diffie Hellman methods
5. Secure communication using shared session key (symmetric key to encrypt data)

Question 24

How would you secure an API

Answer 24

1. Access to API
   1. VPVP / VDP are of API Gateway
   2. Authentiation —> API Key + Shared Secret, mTLS OR LDAP
   3. Authorization —> AD Groups (LDAP), Client ID
2. JWT Token / API Token (Keberos)
   1. First you authenticate
   2. You recieve 15min timeout, you can use token to gain access to in scope systems
   3. When you present the token, they will validate the token and then check if its still applicable.
   4. JWT MUST BE SIGNED

Question 25

What is mTLS

Answer 25

1. TLS —> Client verifying the Server 2. mTLS —> Client Verifying Server, Server verifying clients 3. MTLS is exchanging certificates. 4. Provides TLS and Authentication of both sides

Question 26

What is OAuth

Answer 26

OAuth (Open Authorization) is a token based authentication tool that allows for Third party applications to authenticate users without exposing user credentials OAuth provides secure, token-based authentication and authorization.

Question 27

Explain the difference between a public and private key?

Answer 27

1. What are the private algorithms and strength (just say AES-GCM-256 or AES-CBC-256) GCM for CI and CBC for C only 2. What are the public key algorithms: 1. Most common ECC, RSA (Prime Number Factorization) or PGP (EMAIL) 2. And Diffie Hellman (Logarithmic challenge for co-primes) for Key Exchange

Question 28

Hash vs hmac vs password stretching

Answer 28

HASH (One way irreversible algorithm - no secret and provide integrity), HMAC (Hash with a Secret Key - integrity + authenticity + some include timestamps, SHA256 ) and Pasword Stretching algorithms like PBKDF or bcrypt(PROVIDES CONFIDENTIALITY - Password storing algorithm - use to store a user password in hash form. Salted —> Adding a random string before hashing. Password Stretching Algorithm, A cryptographic function is applied to the password multiple times This process is repeated thousands or millions of times

Question 29

Burp suite

Answer 29

Burp Suite is a widely used tool for web application penetration testing. It acts as an intercepting proxy that allows testers to capture, analyze, and manipulate HTTP and HTTPS traffic between the client and server. Its primary use is to identify and exploit vulnerabilities in web applications. Key uses include: 1. Intercepting Traffic: Capturing and modifying requests and responses to test for vulnerabilities. 2. Automated Scanning: Identifying issues like SQL injection, XSS, and CSRF using its scanner (in the Professional Edition). 3. Manual Testing: Tools like Repeater and Intruder allow custom payload testing and parameter manipulation. 4. Crawling Applications: Mapping the structure of an application using the Spider. 5. Token Analysis: Assessing session randomness and security through the Sequencer. 6. Extensibility: Using extensions to enhance functionality and integrate with other tools. In short, Burp Suite is an essential tool for finding security flaws and ensuring the overall security of web applications.”

Question 30

HSM

Answer 30

“An HSM (Hardware Security Module) securely store and manage cryptographic keys and perform sensitive operations like encryption, decryption, and digital signing. All cryptographic operations are done within the HSM to ensure the keys never leave the device in plaintext, providing maximum security. HSMs are used in applications like payment systems, PKI, digital signatures, and database encryption. They meet regulatory standards (e.g., FIPS 140-2) and are essential for secure and compliant cryptographic key management.”

Question 31

Explain Key Vault on Cloud systems

Answer 31

“A Key Vault in cloud systems is a managed service that securely stores and manages cryptographic keys, secrets (like API keys, passwords), and certificates. It provides centralized control, enabling encryption operations, key rotation, and access management through role-based access control (RBAC) and audit logging. Keys never leave the vault unencrypted, ensuring data security and compliance with standards. Examples include Azure Key Vault, AWS KMS, and Google Cloud KMS.”

Question 32

IDS and IPS

Answer 32

“IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are security tools for monitoring network traffic. IDS detects and alerts on suspicious activity, while IPS actively blocks malicious traffic in real time. IDS is passive, focusing on alerting, whereas IPS is proactive, preventing threats. “IDS and IPS operate at the Network Layer (Layer 3) and Transport Layer (Layer 4) for analyzing IP packets and protocols (e.g., TCP/UDP).

Question 33

OWASP TOP 10

Answer 33

broken access control cryptographic failures - insufficient injection insecure design security misconfig vulnerable and outdated components Identification and Authentication Failures Software and Data Integrity Failures Security Logging and Monitoring Failures Server-Side Request Forgery (SSRF)

Question 34

RSA Algo

Answer 34

public key is embedded in private key and therefore public private key cannot be interchanged

Question 35

Integrity

Answer 35

before you send it and after you receive it package is exactly the same - no one has modified it without my knowledge

Question 36

non repudiation

Answer 36

someone cannot claim that they did not make that change

Question 37

authenticity

Answer 37

you are who you are

Question 38

Digital cert

Answer 38

authenticity is ensured Ensures secure communication, integrity and authentication Core componnets of PKI - public key infra Electronic credential issued by a trusted entity (certificate authority CA) Binds public key to entity Used to establish trust in secure communication like https

Question 39

Components of digital cert

Answer 39

Public key Subject info (entity cert is issued to) - eg domain name Issuer info - CA Validity period - start n expiry Signature - digital signature of CA - authenticity

Question 40

Digital signatures

Answer 40

Intergrity, authentication, non repudiation

Question 41

Ocsp (pnline certificate statue protocol)

Answer 41

- managing certs Check the revocation status of digital certs Real time Client sends request to Ocsp responder that is managed by CA with cert details Replies with good, revoked or unknown Allows for real time verification Caused reliance om availability of ocsp server

Question 42

Stapling

Answer 42

Query ocsp responder for cert status Done during TLS handshake Response from ocsp is stapled to TLS handshake Client verifies OCSP without contactive the server

Question 43

How to secure API

Answer 43

C - SSL/TLS I - A - rate limiting

Question 44

RAG

Answer 44

retrieveal augemnted generation - retrieve a chunk of data that u know is very similar then u use it to generate a response embedding the data and question, getting similarity score, get highest similarity takes data, ask question, replies in chatgpt: everything is represented in vectors / embedding - numerical representation of the message similarity comparison between vectors find the top 3 passages that are the most similar to the questions chatting functionality is the prompt engineering portion and

Question 45

langchain

Answer 45

if chatgpt needs context of everything from a previous scope, they need to send in the summary of the previous conversation along with the added on data from the current query

Question 46

A01: Broken Access Control

Answer 46

Unauthorized actions due to poor access checks. Enforce least privilege and RBAC, server-side checks, and access audits.

Question 47

A02: Cryptographic Failures

Answer 47

Sensitive data exposure via weak encryption. Use strong encryption (e.g., AES-256) and HTTPS; secure key management.

Question 48

A03: Injection

Answer 48

Exploiting input flaws (e.g., SQL Injection). Use parameterized queries and validate inputs.

Question 49

A04: Insecure Design

Answer 49

Poor architecture enabling vulnerabilities. Apply secure design patterns and threat modeling. And do security reviews during development

Question 50

A05: Security Misconfiguration

Answer 50

Weak or misconfigured systems or components. Automate configurations, enable security headers, and apply updates.

Question 51

A06: Vulnerable Components

Answer 51

Use of outdated/unsafe software dependencies. Patch regularly, track dependencies, and scan for vulnerabilities.

Question 52

A07: ID & Auth Failures

Answer 52

Weak authentication or session handling. Use MFA, strong password policies, and secure session management.

Question 53

A08: software and data Integrity Failures

Answer 53

Failure to validate software integrity: trusting unsigned code or unverified updates Use digital signatures to verify integrity and secure CI/CD pipelines.

Question 54

A09: Logging Failures

Answer 54

Lack of monitoring and logging to detect and respond to security incidents. Enable logging, centralized monitoring, and automated alerts.

Question 55

A10: Server-Side Request Forgery (SSRF)

Answer 55

Exploiting server requests to access resources. Validate inputs and restrict outbound network access.

Question 56

XSS

Answer 56

a type of web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. These scripts can execute in the victim's browser, enabling various malicious activities such as stealing cookies, session hijacking, or redirecting users to malicious websites.

Question 57

XSS Mitigation Strategy

Answer 57

Input Validation and Sanitization: whitelist of allowed characters. Content Security Policy (CSP): restrict the execution of scripts to trusted sources: script-src 'self'; HTTP-Only Cookies: prevent access via JavaScript: HttpOnly; Secure

Question 58

Cross-Site Request Forgery (CSRF)

Answer 58

1. The victim is logged into a legitimate website (e.g., a bank). 2. The attacker sends the victim a malicious link or embeds a request in a page (e.g., via an image tag or a hidden form). 3. If the victim clicks the link or visits the page, their browser sends a request to the legitimate website, including the session cookies. 4. The server processes the request, believing it’s from the authenticated user.

Question 59

CSRF Mitigation

Answer 59

1. CSRF Token: Generate a unique token for each session and validate it on the server for sensitive actions. 2. SameSite Cookies: SameSite=Strict; 3. User Authentication Verification, Avoid GET Requests for Sensitive Actions:Content Security Policy (CSP):Logout and Session Expiry:

Question 60

Dictionary Attacks

Answer 60

Password-Based Attacks: Systematic attempts using common words to crack passwords

Question 61

Rainbow Table Attacks

Answer 61

Using precomputed hash tables to reverse engineer password hashes

Question 62

Credential Stuffing

Answer 62

Reusing stolen credentials across multiple services

Question 63

Password Spraying

Answer 63

Testing common passwords against many accounts

Question 64

Viruses and Worms

Answer 64

Self-replicating malicious programs

Question 65

Ransomware

Answer 65

Encrypts files and demands payment for decryption

Question 66

Keyloggers

Answer 66

Records keystrokes to steal sensitive information

Question 67

Scareware

Answer 67

Tricks users into downloading fake security software

Question 68

Denial-of-Service (DoS)

Answer 68

Overwhelms systems to make them unavailable

Question 69

DNS Tunneling

Answer 69

Exploits DNS protocols to bypass security measure

Question 70

Botnet Attacks

Answer 70

Uses networks of compromised computers

Question 70

Phishing

Answer 70

Social engineering attacks to steal credentials

Question 71

Social Engineering

Answer 71

Manipulates users to reveal sensitive information

Question 72

Insider Threats

Answer 72

Malicious actions from within organizations

Question 73

Supply Chain Attacks

Answer 73

Targets vulnerabilities in third-party services

Question 74

Drive-by Download Attacks

Answer 74

Installs malware through compromised websites

Question 75

IDOR

Answer 75

Insecure Direct Object Reference When attacker manipulate object references (user ID) to access unauthorised data Proper auth checks, using UUID, rate limiting to prevent bruteforce

Question 77

How would you securely store and manage cryptographic keys in a distributed system?

Answer 77

Use Hardware Security Modules (HSMs) – To generate and store keys securely. • Implement Key Rotation Policies – Regularly update and retire keys to limit exposure. • Enforce Least Privilege Access – Only authorized services can access specific keys.

Question 78

What is an HSM (Hardware Security Module), and why is it important?

Answer 78

An HSM is a physical device that securely generates, stores, and manages cryptographic keys. It is important because: • Tamper-Resistant – Designed to resist physical and logical attacks. • Performance-Optimized – Handles encryption operations efficiently. • Regulatory Compliance – Meets standards like FIPS 140-2 and PCI-DSS.