SEC-250
Describe AAA
Authentication is how you identity yourself with something you know(a password), something you have(a key card or smart card) or something you are(your fingerprint or retina). Authorization is making sure that only the people that need to have and see certain information are authorized to do so whereas people who shouldn't have access to it, can't. Accounting is keeping of logs and records of things like smart card swipes.
List stages of attack and what is done in each stage
Enumeration - At this stage, you gain all the knowledge you can about the target you are attacking and you build a profile on them. One common questions you might answer during this stage is what kind of antivirus software are they running. Attack the System - This step is when you gain access to they system and do things like run arbitrary code. Maintain Access - To maintain access you can plant a rootkit or trojans for a backdoor so you can get back into the system. You could also create a user account to get back into the system at a later time. Cover Tracks - In order to cover your tracks, you can delete log files, alter log files or delete certain entries from the log files
Describe firewall gateways
Firewall runs set of proxy programs Proxies filter incoming, outgoing packets All incoming traffic directed to firewall All outgoing traffic appears to come from firewall Policy embedded in proxy programs Application-level gateways/proxies ▪Tailored to http, ftp, smtp, etc.
Name reasons to attack a system
Fun Disgruntled employees Steal data or information Financial gain Test the security of an application or system Hacktivism (political or social cause) Cyberwarfare (Nation State)
How does "fuzzing" during the development process help create more secure web applications?
Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. If vulnerabilities are discovered before a program is released, developers can prevent their software from being exploited in the wild.
What is google hacking?
Google hacking refers to google searches that sometimes reveal sensitive information. For example, if a Web Server is not configured properly, you may be able to find files containing usernames and passwords that are in plaintext or passwords in hashes.
Application level filtering
Has full access to protocol user requests service from proxy proxy validates request as legal then actions request and returns result to user Need separate proxies for each service E.g., SMTP (E-Mail) DNS (Domain Name System) NTP (Network Time Protocol) custom services generally need specific support
Why is it a big deal if a Certificate Authority has their private key stolen?
If a private key is stolen, the person/people who stole the private key can use the public and private key to access everything that is encrypted by the person who lost the private key.
"I'm sure they (the IT team) knows what they're doing"
Is there a written security plan, and policies? • If half the IT team were replaced tomorrow, would it be possible to effectively hand over essential information, usernames, passwords, etc? • Are the policies actually being followed? (IT staff included)
Firewalls aren't perfect
Useless against attacks from the inside Evildoer exists on inside Malicious code is executed on an internal machine, creates connection to external site Organizations with greater insider threat Banks and Military Cannot protect against transfer of all virus infected programs or files because of huge range of O/S & file types
Describe AES
Uses Rijndael cipher Block cipher Current widely used key size: AES-256Bit
What does it mean to say that a Certificate Authority "signs" another party's digital certificate?
When a certificate authority signs another party's digital certificate, they are saying that they trust that party, therefore creating a web of trust. The CA performs a mathematical function involving their private key to generate a public key for the applicant
Which wireless 2.4Ghz Channels are used in North America?
Wireless channels 1-11 are used in North America. Channels 1, 6 and 11 don't overlap
What is a Cross Site Scripting attack?
XSS attacks web Bad code. If the text inputted by the user is reflected back and has not been data validated (or sanitized) the browser will interpret the inputted script as part of the mark up and execute the code accordingly. An XSS attack consists of an attacker taking advantage of this.
"I thought <Fill in the blank Vendor name>'s technology would update itself."
You can't believe everything someone tells you including a sales person and you should check automated processes to make sure they are still doing their job.
Name three sources you can use to find more information about known vulnerabilities:
NVD, CVE, Microsoft Security Advisories
What does non-repudiation mean? How are digital signatures used in repudiation disputes?
Non-repudiation is 'an authentication that can be asserted to be genuine with high assurance', meaning we can believe beyond a reasonable doubt that an individual did something and they are unable to deny it. By digitally signing a document, others can use our public key to verify beyond a reasonable doubt that we created the document.
How do we defend against ARP spoofing?
On individual hosts, disable gratuitous ARP In Windows, use built-in Firewall (or configure via Group Policy) Monitoring software (installed on Server, or run on an IPS) Like any other security practice, a balance is struck between convenience and prudence If you are truly paranoid, employ static ARP tables on all hosts
Describe the different types of viruses
Polymorphic Virus - Changes to avoid signature detection Resident Virus - Lives in RAM, executes some function after certain action is performed (infect certain filetypes, execute arbitrary code, log action) Boot sector Virus - lives in Boot Sector File infector - bury malicious code in carrier file (.exe, .vbs, .pdf) Macro virus - Exploits macro functionality. Affects office docs, etc
What does the term "port scanning" refer to?
Port Scanning scans specific ports to see if they are open. You can use this to test for security and hackers can use it to see what services are running on a host.
What is address spoofing?
Altering packet header information to provide a forged source address
Define an Advanced Persistent Threat.
An Advanced Persistent Threat is a threat from a group of people, like the government who can persistently have a reason to threaten another group of people or person.
Describe a SQL injection attack
An SQL injection attack is when a hacker tries to get information from a database by using a web form. You can run SQL commands to get certain information.
How does one typically transport data between an air gap network and another network?
An air gap network is a network that is physically separated from all other networks. Any data that is transported to an air gap network from another network has to be carefully examined before it can enter.
How does a DNS amplification attack work?
An attacker sends a small request to a public DNS server soliciting a large amount of data in response. The attacker supplies a sources address of its victim so that the size-amplified reply packets are sent to the victim, possibly creating a Denial of Service condition.
What does an attacker do when they commit "ARP poisoning"?
An attacker will send a gratuitous ARP message with false information about MAC to IP address mappings.
Why would an organization use an application-level filter to inspect all outgoing mail as well as incoming?
An organization might want to look for incoming spam phishing attempts, scan incoming mail for viruses, or monitor outgoing mail to detect an infected mail server.
"Compliance means you are secure"
• Achieve and maintain compliance by implementing continuous monitoring • Compliance means you are meeting standards/abiding by policies
"The <Insert Application Name> was developed with 'security in mind'"
• All applications should, but this is just a phrase • "It uses SSL" • SSL itself is very difficult to break, but there are other ways • Keyloggers, Man-in-the-middle attacks
"I use Anti-virus and a Firewall, so I'm OK."
• Anti-virus is only as good as the definition files provided by the company • Zero-day attacks will still succeed against most systems • A firewall can block incoming connections, but malware (from another channel, like email) can still create outbound connections • Firewalls themselves can be compromised (Firmware update, software-specific malware)
"Since we paid <Insert Monetary Investment Value>, it should be secure."
• Even the giants have flaws • A well-known name- sometimes ubiquity makes for a better target
Describe NMAP
• Normal "Ping Sweep" sends echo request and TCP ACK to individual host or IP range • Designed to detect 'alive' hosts Think like an attacker- predict their methods, see what they might see • Defend against port scans- change firewall rules or reconfigure software to make attack surface as small as possible • Periodically port-scanning friendly systems can detect an infection • Checking for known vulnerabilities- if nmap reveals a vulnerable version of software on a public-facing server, other (nefarious) people probably know this too
"Since it's a government site, it can be trusted"
• Perhaps not such a common misconception anymore • Any site can still be vulnerable to Operating System- specific vulnerability • Being a government site increases exposure
Commonly a hacker's goal is to reach the point where they can execute 'arbitrary code' on a remote system. What exactly does 'arbitrary code' mean?
'Arbitrary code' refers to an attacker's ability to run any command they choose. This implies that they have root or administrator level access.
What makes DDoS attacks so difficult to mitigate?
A DDoS attack is a Distributed Denial of Service attack. It is an attack that comes from many computers at one time to try and stop legitimate use. They are so hard to mitigate because you don't know when they are coming and when they do come, they prevent use. They are also hard to track down who did it. An IPS might be able to detect and stop this kind of attack.
In regard to Web Server security, what is a Honey Pot?
A Honey Pot is a website that has information and is purposefully insecure in hopes that someone who has a new virus will use the virus on this website. That way, we can learn more about the virus before it attacks an actual website with real information.
What is a MITM attack
A Man-in-the-middle attack is an attack where data is intercepted that is meant for an external host. You can do this by misinforming the target that you are the gateway and by misinforming the destination that you are the target.
Describe the behavior/purpose of a trojan and a rootkit
A Trojan is a backdoor that is normally part of a larger attack and is done through remote access. A root kit hides malware and a file integrity check can be used to combat root kits.
What is a buffer overflow attack
A buffer overflow attack writes data in adjacent memory when it overflows
What is a logic bomb?
A logic bomb is any code that is set to execute when a certain condition or event transpires in the future. They are often employed by criminals to hide their tracks in the case that they're caught.
Describe the difference between a stateless and a stateful packet filter:
A stateless packet filter looks at incoming and outgoing packets and accepts or denies packets based on criteria like source and destination IP address, Protocol, or Port number. It does not compare packets to any previous packets that have traversed the firewall. A stateful packet filter can monitor a session between an internal host and an external server. It can allow response packets from external servers based on an pre-established session.
What is the difference between a virus and a worm?
A virus requires some sort of user interaction whereas a worm can self replicate and doesn't require user interaction.
How does a wireless deauth attack work?
A wireless deauth attack or deauthentication attack is an attack that sends disassociated packets to a client/s which are associated with an access point.
In reference to Wireless Networking, what is a BSSID? What is an ESSID?
BSSID stands for Basic Service Set Identifier which is a wireless access point that supports the connection within a limited area. And ESSID or Extended Service Set is a group of multiple BSSIDs that are connected through a Distribution System(DS).
Block vs Stream Cipher
Block cipher - Break text into relatively large chunks and encode each block separately. Stream cipher - partition the text into small blocks and let the encoding of each block depend on many previous blocks.
Why do web servers present an increased level of exposure?
By design web servers are always on, are always connected to the internet, must always have adequate available resources to serve clients, and must accept connections from any (unknown) client. This makes them a common target.
Give examples of Asymmetric Encryption
RSA Elgamal
Describe a firewall
Simplest of components, Uses transport-layer information only Example - DNS uses port 53
How is a MITM attack possible?
The client doesn't verify a Certificate against a list of Trusted CAs The Client trusts and untrustworthy CA (the company is not legit, or their key is stolen) An attacker has installed a forged CA into store of trusted root CAs The Server's private key has been stolen
What is the purpose of using TLS/SSL
The purpose of TLS/SSL is to ensure that the website you are on is secure and that any information you give to that site will be secure when being transmitted.
What is the purpose of a Certificate Authority?
The purpose of a Certificate Authority is to provide certificates and sign off on other certificates creating a web of trust. An example of a certificate authority is Go Daddy.
"I don't have anything anyone would want"
This is a common misconception because most cybercrimes are opportunistic and malware attacks may not be directly targeted at you.
Give examples of Symmetric Encryption
Twofish, Blowfish, Serpent, AES, IDEA, RC4, CAST