Security Flashcards

(72 cards)

1
Q

CIA triad

A

Applies to data, usually requiring balancing tradeoffs:
_ confidentiality
_ integrity
_ availability

2
Q

InfoSec

A

_ information security

3
Q

SecOps

A

_ security operations

_ discipline within IT responsible for protecting assets by reducing the risk of attacks

4
Q

asset

A

_ person, device, location, or information that SecOps aims to protect from attack

5
Q

attack

A

_ action taken by a threat that exploits a vulnerability

6
Q

risk

A

_ potential of a threat to exploit a vulnerability via an attack

7
Q

threat

A

_ something or someone that can exploit a vulnerability

_ person, software, or natural disaster

8
Q

vulnerability

A

_ a weakness in software, hardware, facilities, or humans that a threat can exploit

9
Q

Advanced persistent threat (APT)

A

_ when malware remains undetected for a long time waiting for the right time to attack
_ by remaining idle, it infects backups too

10
Q

zero-day

A

_ when a vulnerability or exploit is not yet public

_ likely no patch for it

11
Q

Intrusion prevention system (IPS)

A

_ can look for suspicious patterns of code, block it immediately, and send it for analysis

12
Q

Blue, red, white, and purple teams

A

_ red team attempts to compromise security
_ blue team attempts to defend security
_ white team may observe and referee
_ “purple team” is when red and blue teams come together to debrief and cross-train

13
Q

White hat, black hat, gray hat hackers

A

_ white hat - perform attacks when authorized in order to find vulnerabilities
_ black hat - criminals
_ gray hat - no malicious intent, but may not have obtained permission, could be breaking law

14
Q

Script kiddie

A

_ copycat criminals
_ hack for curiosity or entertainment
_ unsophisticated
_ may not realize the consequences

15
Q

wiretapping

A

_ eavesdropping between communicating people or computers
_ might use a packet sniffer or attach to hardware
_ might use an EMF listener; a reason to use fiber optics
_ ethernet switches make this hard

16
Q

Vulnerability scanner

A

_ examines specific ports, so use a port scanner first

17
Q

NX-bit

A

_ no-execute bit
_ flags memory for either storage or execution
_ reduces the chance of buffer overflow vulnerabilities
_ only available in special CPUs

18
Q

spoofing

A

_ pretending to be something else in order to gain access
_ man-in-the-middle attack - pretending to be the client to the actual server and the server to the actual client
_ ARP poisoning - causes an Ethernet switch to flood all traffic to every port (including the attacker’s computer)

19
Q

DoS

A

_ Denial-of-Service
_ may use features of ICMP, such as ping
_ attacker can make the echo replies go to another computer rather than their computer, minimizing stress on attacker’s computer
_ ping-of-death = obsolete vulnerability whereby server would crash for a malformed ICMP packet
_ ping flood attack = overwhelms computer with pings having randomized source addresses
_ smurf attack = (1) a DDoS, thousands of computers bombard the victim; (2) the attacker sends a forged ICMP echo-request packet to the broadcast address of a large IP subnet so all of the computers on the subnet receive the message; (3) the attacker specifies the victim’s address as the source address
_ SSL attack = wastes computer resources setting up and tearing down SSL encryption sessions

20
Q

honeypot

A

_ server designed to look authentic
_ contains fictitious data
_ intended to draw hackers
_ can be used to collect data on the attacker
_ “tar pit” variation is designed to slow the attacker so that the intrusion detection system can do a trace

21
Q

Rootkit attack

A

_ software designed to give a user root or admin access and full control over the computer

22
Q

Backdoor attack

A

_ means of bypassing authentication or encryption

23
Q

Trojan horse

A

_ misleads users into installing

24
Q

confidentiality

A

_ part of the CIA triad
_ limits access to information (at odds with availability)
_ goal is to prevent an unauthorized user from accessing, copying, or transmitting information
_ need-to-know policy (aka least privilege policy)
_ reduce exposure by destroying unneeded copies

25
Q

integrity

A

_ helps determine the trustworthiness of information
_ includes verification
_ ensures accuracy of the data
_ where information came from
_ whether information was changed en route
_ encryption helps with integrity
_ digital signatures or one-way hashes (e.g. SHA-3) can provide integrity
_ version control can provide integrity
_ e.g. a man-in-the-middle attack violates integrity, as do intentional or accidental deletion or modification of data, equipment malfunctions, and natural phenomena such as EMP

26
Q

availability

A

_ ensuring data is always accessible to authorized users
_ includes making servers highly available
_ includes minimizing downtime
_ have a disaster recovery plan
_ back up data off site
_ e.g. DoS attacks, unplanned downtime, accidental changes to access controls incorrectly removing authorized users

27
Q

Packet filter

A

_ a firewall that operates at layers 3 and 4
_ checks the protocol and the source and destination IP addresses and ports
_ only concerned with the packet address label (header)
_ no filtering on payload

28
Q

Circuit-level gateway

A

_ a middleman firewall that helps conceal the identity of client and server from each other
_ may change IP addresses and port numbers
_ uses Network Address Translation (NAT)
_ uses Port Address Translation (PAT)

29
Q

Stateful inspection

A

_ tracks the state of the connection between two computers
_ can identify traffic as “conversational” and automatically create temporary firewall rules that permit two-way traffic for the duration of the connection
_ minimizes the number of rules otherwise needed by a packet filter

30
Q

Application-aware firewall

A

_ aka layer-7 firewall
_ a proxy server
_ acts as a middleman reading packet application payloads

31
Q

Intrusion detection systems (IDS) and intrusion prevention systems (IPS)

A

_ based on a DB of known behaviors and payload signatures
_ IDS monitors to detect threats
_ IPS intercepts and blocks threats
_ both have a “tap mode”, where they only listen to a network, which suffices for IDS
_ “in-line mode” = positioned to intercept and block traffic
_ IPS supports many network ports that operate as input/output pairs
_ some IPS devices block based on file type, such as to exclude .EXE files
_ either software or physical devices

32
Q

OSI layer 1 security

A

_ security varies by physical medium (e.g. CAT6 cabling can be monitored for EMF, but fiber optic cabling can’t)
_ includes locks on doors and equipment
_ radio jamming

33
Q

OSI layer 2 security

A

_ e.g. capturing a WAP encrypted password for decryption
_ e.g. ARP poisoning - attacker sends special Ethernet frames that overwhelm the switch’s “forwarding information base (FIB)” database, forcing the switch to send traffic to everyone, including someone’s packet sniffer
_ e.g. VLAN hopping attack, taking advantage of an Ethernet switch configured in trunk mode (aka tagging mode), allowing computers to send/receive traffic on any VLAN
_ e.g. spoofing that impersonates another computer’s MAC

34
Q

OSI layer 3 security

A

_ e.g. ping DoS attacks
_ e.g. pinging to find available computers
_ e.g. spoofing that impersonates another computer’s IP
_ intrusion prevention systems can prevent these attacks

35
Q

OSI layer 4 security

A

_ e.g. port scanner to find open ports
_ a packet filtering firewall can defend against attacks

36
Q

OSI layer 5 security

A

_ e.g. RPC attacks

37
Q

OSI layer 6 security

A

_ e.g. man-in-the-middle attacks where the attacker fools the victim into accepting a false security certificate
_ can be mitigated using an application-layer proxy or an IPS
_ important to train users about fake security certificates

38
Q

OSI layer 7 security

A

_ every app has its own vulnerabilities
_ e.g. injection attacks, buffer overrun attacks
_ vulnerability scanners can find known problems
_ a reverse proxy or IPS can scan packet payloads

39
Q

ciphertext

A

_ encrypted data

40
Q

Symmetric key encryption

A

_ aka private key encryption
_ sender and receiver must have the same cipher key
_ exchange of the key is the point of greatest vulnerability
_ the German Enigma machine used a symmetric key cipher that took years to break
_ much faster to encrypt and decrypt than asymmetric ciphers

41
Q

Asymmetric key encryption

A

_ e.g. public key infrastructure (PKI)
_ anyone can use the public key to encrypt data
_ only the private key can decrypt the data
_ the public key can decrypt data encrypted with the private key to verify the source of the data, providing a digital signature
_ no need to share a private key first and risk exposure
_ lots of computation required for large blocks of data
_ the public key gets transferred in the form of a certificate issued by a certificate authority (CA)

42
Q

non-repudiation

A

_ inability to deny the source of data

43
Q

Elliptic curve cryptography (ECC)

A

_ uses algebraic elliptic curves to create keys that are smaller than traditional keys but more difficult to crack

44
Q

End-to-end encryption

A

_ when data is encrypted both in transit and at rest
_ data is never stored or transmitted in the clear

45
Q

SSL/TLS handshake

A

_ client encrypts a token with the server’s public key
_ server decrypts the token using its private key
_ the token is then used as the private key in a symmetric key cipher for data exchange

46
Q

IPSec

A

_ Internet Protocol Security
_ a way to encrypt IP traffic at layer 3
_ common in VPN tunnels (PPTP - point-to-point tunneling)
_ tunneling = “encapsulation” within an untrusted network
_ also used in site-to-site encryption, such as between devices like firewalls or routers
_ devices can offload the encryption processing from computers
_ uses the Authentication Header (AH) protocol for data integrity, the Encapsulating Security Payload (ESP) for encryption, and security associations (SA) for key exchange
_ often used with Internet Key Exchange (IKE and IKEv2)
_ can be used with pre-shared symmetric keys

47
Q

Advanced Encryption Standard (AES)

A

_ the current most secure algorithm for storing and encrypting data at rest
_ symmetric key cipher
_ uses different key and block sizes
_ up to 14 transformations on data
_ AES-128, AES-192, AES-256 (the latter used in banking) -- different key lengths
_ most devices use AES-256 today

48
Q

AES-NI

A

_ AES New Instructions
_ hardware acceleration supporting AES encryption
_ up to 10 GB/sec
_ particularly useful on wireless devices

49
Q

Retention policy

A

_ policy on how long a piece of data should be available, whether accessible or archived
_ regulations may dictate
_ regulations may also indicate the governmental district in which the data must reside

50
Q

DEK

A

_ data encryption key
_ key used to encrypt and decrypt data at rest

51
Q

Protecting DEKs

A

_ rotate/change DEKs regularly to limit the time available for an attacker to use a stolen key
_ use a method that does not require disclosing the key: encrypt the DEK using a KEK and only temporarily decrypt the DEK

52
Q

KEK

A

_ key encryption key
_ asymmetric key
_ used to protect DEKs
_ stored in a KMS

53
Q

KMS

A

_ key management system
_ stores DEKs encrypted with KEKs
_ grants access to keys based on the provided KEK
_ app decrypts DEKs for temporary use, but does not store decrypted DEKs
_ the system itself does the encryption and decryption, so the keys are never revealed
_ controlled by a master key, which must be protected
_ protect the master key by encrypting it, and then protect that encrypted key by encrypting it again; each encryption requires effort to break, so there is little need for more than 3 or 4 key encryptions

54
Q

Federated identity management

A

_ allows internet users to authenticate to your app via federated identity servers at Google, Facebook, Twitter
_ a federated identity server creates a token that is unique to the user for your app, so the app can base identity on this token without disclosing private information
_ your app therefore does not need a unique username and password for the user

55
Q

IAM

A

_ identity and access management
_ provides identity and access control services

56
Q

Multifactor identification

A

_ aka “MFA” or “2-factor” or “2FA”
_ use of multiple authentication requirements
_ the second could be providing information only you know, using your biometrics, or using a physical device you have (e.g. cell phone)
_ text and email are NOT considered strong MFA
_ virtual MFA apps (to generate a code) or physical tokens are better

57
Q

Service account authentication

A

_ typically does not use username and password
_ uses API keys

58
Q

Wireless encryption standards, weakest to strongest

A

_ WEP
_ WPA
_ WPA2
_ WPA3

59
Q

3DES

A

_ “triple DES”
_ symmetric algorithm that uses the obsolete DES algorithm 3 times to encrypt data
_ uses 3 keys
_ 56-bit encryption
_ modern hardware can crack it by brute force in less than a day
_ most organizations have phased it out

60
Q

WAP

A

_ wireless access port

61
Q

WEP

A

_ Wired Equivalent Privacy
_ one of the first wireless standards, by IEEE in 1997
_ key either 10 or 26 hex digits (40 bits or 104 bits)
_ modern computers can crack it in under a day
_ deprecated in 2004, replaced by WPA

62
Q

WPA

A

_ Wi-Fi Protected Access
_ defined jointly by the Wi-Fi Alliance and the IEEE
_ created as a short-term solution, awaiting the more secure 802.11i standard
_ based on the draft 802.11i standard at the time
_ uses a variable-length alphanumeric passphrase, 8-63 characters
_ uses TKIP, which generates a new 128-bit encryption key for each packet sent
_ but had security vulnerabilities

63
Q

WPA2

A

_ aka IEEE 802.11i
_ published in 2004 by the Wi-Fi Alliance and IEEE
_ the wireless standard for 15 years
_ mandatory support for CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol), which is part of AES, providing confidentiality, authentication, and access control to the network
_ still had weaknesses

64
Q

WPA3

A

_ released in January 2018
_ minimum key strength is 192 bits for enterprise connections
_ also has a personal mode with lower key strength
_ no more passphrase: now uses SAE (simultaneous authentication of equals) to exchange the network key (part of the 802.11-2016 standard); eliminates the need to tell other people the passphrase in personal mode
_ implements PFS (perfect forward secrecy), ensuring that no more than one session can ever be compromised at a time
_ uses the encrypted management frames of 802.11w

65
Q

Ad-hoc mode

A

_ wireless communication mode
_ peer-to-peer
_ does not use a WAP
_ mainly used for initially setting up devices instead of requiring connection with a physical cable
_ also sometimes for transferring files between devices, such as a camera and a laptop
_ does not require a wireless router or access point

66
Q

Wireless infrastructure

A

_ devices connect via a wireless router, which is a combined WAP and router
_ router acts like an Ethernet switch

67
Q

802.1x

A

_ also 802.11x
_ works wired or wireless
_ clients (“supplicants”) connect to an “authenticator” to request access to the network; the authenticator may be a wireless device
_ the authenticator delegates the decision to an authentication server, which indicates what ports the user can access; this server runs RADIUS (remote authentication dial-in user service) or EAP (extensible authentication protocol)
_ authentication is either by username/password or by PKI certificates
_ grants the user access only to authorized ports
_ 802.1x clients can also check the versions of antivirus scanners to make sure they conform to corporate requirements

68
Q

Deauth attack

A

_ deauthentication attack on a wireless network
_ a DoS attack that can force any or all clients off the network
_ the attacker doesn’t even need to be on the network
_ users can simply reconnect, but the attacker may continue the attack, force users to reconnect through a false access point, or capture the 4-way handshake to gain info on the network
_ WPA3 prevents this attack
_ WPA2 makes it difficult for the attacker to read encrypted data

69
Q

Fake access point

A

_ attack on a wireless network
_ attacker sets up a wireless network having no security
_ attacker watches all data in the clear
_ can redirect an unwitting user to a different location
_ can modify data
_ if you must use an unsecured network, create a VPN tunnel
_ avoid using unsecured Wi-Fi hotspots

70
Q

AAA

A

_ authentication - verifying identity
_ authorization - what the user may access
_ accounting (auditing) - verifies restrictions, providing a forensic trail; should be stored write-only in a different location from the data being audited, to make it harder for the attacker to cover his tracks

71
Q

Device hardening

A

The process of:
_ reviewing security settings
_ updating device software
_ testing security, such as by attempting to breach defenses

72
Q

How to harden devices

A

_ change the default passwords
_ remove unnecessary logins after periodic review
_ enforce a strong password policy (enforce if possible)
_ require users to change passwords frequently
_ implement MFA
_ remove unnecessary services
_ keep patches up to date on all devices (manufacturers often patch 90 days before public disclosure of the vulnerability)
_ limit physical access to the device
_ only allow changes from a trusted network -- none from the public side; disallow changes to a WAP from other wireless devices
_ require encryption on wireless networks (WPA2 or WPA3)
_ audit all access (e.g. using Syslog); get alerts too
_ back up and store a copy remotely