Cyber Security Review
How exactly does traceroute/tracert work at the protocol level?
...
What makes a strong password?
...A strong password: Is at least eight characters long. Does not contain your user name, real name, or company name. Does not contain a complete word. Is significantly different from previous passwords. Contains characters from each of the following four categories:
How can I avoid computer viruses?
...Beware of unusual emails from companies you do business with. Install an anti-virus program Use a firewall.
What exactly is Cross Site Scripting?
...Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
What port does ping work over?
...No ports required for Ping as it uses icmp packets It needs to allow icmp 'echo-request' (type 8) packets out and icmp 'echo-reply' (type 0) packets in.
What is snmp
a network protocol that allows you to collect and exchange information between devices on a networ
What is a SQL injection attack?
...SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).[1] SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
What are the common defenses against XSS?
...Specifying a charset. First of all, ensure that your web page specifies the UTF-8 charset in the headers or in the very beginning of the head element HTML encode all inputs to prevent a UTF-7 attack in Internet Explorer (and older versions of Firefox) despite other efforts to prevent XSS. HTML escaping. Keep in mind that you need to HTML-escape all user input. This includes replacing < with <, > with >, & with & and " with ". If you will ever use single-quoted HTML attributes, you need to replace ' with ' as well. Typical server-side scripting languages such as PHP provide functions to do this, and I encourage you to expand on these by creating standard functions to insert HTML elements rather than inserting them in an ad-hoc manner. Other types of escaping. You still, however, need to be careful to never insert user input as an unquoted attribute or an attribute interpreted as JavaScript (e.g. onload or onmouseover). Obviously, this also applies to script elements unless the input is properly JavaScript-escaped, which is different from HTML escaping. Another special type of escaping is URL escaping for URL parameters (do it before the HTML escaping to properly include a parameter in a link). Validating URLs and CSS values. The same goes for URLs of links and images (without validating based on approved prefixes) because of the javascript: URL scheme, and also CSS stylesheet URLs and data within style attributes. (Internet Explorer allows inserting JavaScript expressions as CSS values, and Firefox is similarly problematic with its XBL support.) If you must include a CSS value from an untrusted source, you should safely and strictly validate or CSS escape it. Not allowing user-provided HTML. Do not allow user-provided HTML if you have the option. That is an easy way to end up with an XSS problem, and so is writing a "parser" for your own markup language based on simple regex substitutions. I would only allow formatted text if the HTML output were generated in an obviously safe manner by a real parser that escapes any text from the input using the standard escaping functions and individually builds the HTML elements. If you have no choice over the matter, use a validator/sanitizer such as AntiSamy. Preventing DOM-based XSS. Do not include user input in JavaScript-generated HTML code and insert it into the document. Instead, use the proper DOM methods to ensure that it is processed as text, not HTML.
What's the difference between a threat, vulnerability, and a risk?
...Threat - Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A threat is what we're trying to protect against. Vulnerability - Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. A vulnerability is a weakness or gap in our protection efforts. Risk - The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
What's the difference between HTTP and HTML?
...While they may be similar-sounding acronyms, HTTP and HTML actually fulfill very different roles in the workings of the Internet. Hypertext transfer protocol (HTTP) is the system that tells Web data how to go from one place to another, while hypertext markup language (HTML) is the language in which Web pages are written -- it tells your browser what to display and how to display it.
How do you disconnect from a TCP hand shake?
...that device sends a FIN message to tell the other device that it wants to end the connection, which is acknowledged. When the responding device is ready, it too sends a FIN that is acknowledged; after waiting a period of time for the ACK to be received, the session is closed.
NAme 8 TCP ports
443 HTTPS 143 Imap 80 HTTP 23 Telnet 25 SMTP 53 DNS 20 FTP Data 21 FTP Control 110 POP3
What is TCP three way handshake?
A TCP Handshake happens whenever a TCP connection is used. A TCP Handshake provides a small bit of security and is used to increase the reliability of IP communication.A client and server going through a TCP Handshake looks like this: Client: SYN Server: ACK/SYN Client: ACK
What is a Buffer Overflow?
A buffer overflow can take place when too much data is accepted as an input to an application of a operating system.
What is a switch
A switch is similar to a hub. Every user that is connected to a switch as full bandwidth. A switch can also be used to join network segments.
What is ARP?
Address Resolution Protocol. Defined in RFC 826, a protocol used on LANs so that an IP host can discover the MAC address of another device that is using a particular IP address.
What is a Router
An intelligent layer 3 connecting device that examines each packet of data it receives and then decides which way to send it onward toward its destination
In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?
You encrypt with the other person's public key, and you sign with your own private.
What is UDP
CONNECTIONLESS. User Datagram Protocol. UDP is a host-to-host protocol like TCP. However, it does not include mechanisms for ensuring timely and accurate delivery. Because it has less overhead, it offers fast communications, but at the expense of possible errors or data loss.
Describe and name all the class Addresses
Class A addresses always have the first bit of their IP addresses set to "0". Since Class A networks have an 8-bit network mask, the use of a leading zero leaves only 7 bits for the network portion of the address, allowing for a maximum of 128 possible network numbers, ranging from 0.0.0.0 - 127.0.0.0. Number 127.x.x.x is reserved for loopback, used for internal testing on the local machine. Class B addresses always have the first bit set to "1" and their second bit set to "0". Since Class B addresses have a 16-bit network mask, the use of a leading "10" bit-pattern leaves 14 bits for the network portion of the address, allowing for a maximum of 16,384 networks, ranging from 128.0.0.0 - 181.255.0.0. Class C addresses have their first two bits set to "1" and their third bit set to "0". Since Class C addresses have a 24-bit network mask, this leaves 21 bits for the network portion of the address, allowing for a maximum of 2,097,152 network addresses, ranging from 192.0.0.0 - 223.255.255.0. Class D addresses are used for multicasting applications. Class D addresses have their first three bits set to "1" and their fourth bit set to "0". Class D addresses are 32-bit network addresses, meaning that all the values within the range of 224.0.0.0 - 239.255.255.255 are used to uniquely identify multicast groups. There are no host addresses within the Class D address space, since all the hosts within a group share the group's IP address for receiver purposes. Class E addresses are defined as experimental and are reserved for future testing purposes. They have never been documented or utilized in a standard way.
If you had to both encrypt and compress data during transmission, which would you do first, and why?
Compress first. Once you encrypt the file you will generate a stream of random data, which will be not be compressible. The compression process depends on finding compressible patterns in the data.
What is Cross-Site Request Forgery?
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser
NAme 5 UDP ports
DNS-53 for DNS queries DHCP-67&68 TFTP- 69 NetBios- 137 & 138 SNMP- 161
What is DNS?
Domain Name System. Helps translate domain names to IP addresses
What's the difference between encoding, encryption, and hashing?
Encoding is for maintaining data usability and can be reversed by employing the same algorithm that encoded the content, i.e. no key is used. Encryption is for maintaining data confidentiality and requires the use of a key (kept secret) in order to return to plaintext. Hashing is for validating the integrity of content by detecting all modification thereof via obvious changes to the hash output
How does the internet work?
Every computer connected to the web is assigned a unique Internet Protocol (IP) address. When using a computer, one can point-and-click on a website link, at which point the browser sends out a request that is addressed to the website that houses the desired content. Routers along the way read the data packet's address and relay it along the best route available. When the data packet arrives at the website, the server reads the request and sends the requested page back to the computer via a return address in the data packet: this is the computer's IP address. The data packet is routed back to the computer in several data packages, and the browser interprets the content and displays the page on the screen. In essence, the world wide web is akin to a highway filled with rushing data packets versus cars.
What is FTP, TFPT and SFtP
File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one host to another host over a TCP-based network, such as the Internet. .Explicit FTPS is an extension to the FTP standard that allows clients to request that the FTP session be encrypted. This is done by sending the "AUTH TLS" command. The server has the option of allowing or denying connections that do not request TLS. SFTP, the "SSH File Transfer Protocol", is not related to FTP except that it also transfers files and has a similar command set for users. SFTP, or secure FTP, is a program that uses Secure Shell (SSH) to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted openly over the network. It is functionally similar to FTP, but because it uses a different protocol, standard FTP clients cannot be used to talk to an SFTP server, nor can one connect to an FTP server with a client that supports only SFTP.
What are cookies?
Files deposited on your computer by Web sites to save preferences such as login information
If you were a site administrator looking for incoming CSRF attacks, what would you look for?
From A JS Injection On The Target Site From A Man-In-The-Middle Attack: From A Replay Attack:
What is Triple DES?
In cryptography, Triple DES is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. The original DES cipher's key size of 56 bits was generally sufficient when that algorithm was designed, but the availability of increasing computational power made brute-force attacks feasible. Triple DES provides a relatively simple method of increasing the key size of DES to protect against such attacks, without the need to design a completely new block cipher algorithm
What is ICMP
Internet Connection Messaging Protocol sends control and error messages throught the IP network
What is an IP Address
It is a unique number that identifies the computer connected to the internet.
What layer is TCP and UDP on?
Layer 4
What are the 7 layers of the OSI model?
Layer 7, Application: The Application layer provides services to the software through which the user requests network services. Layer 6, Presentation: This layer is concerned with data representation and code formatting. Layer 5, Session: The Session layer establishes, maintains, and manages the communication session between computers. Layer 4, Transport: The functions defined in this layer provide for the reliable transmission of data segments, as well as the disassembly and assembly of the data before and after transmission. Layer 3, Network: This is the layer on which routing takes place, and, as a result.The Network layer defines the processes used to route data across the network and the structure and use of logical addressing. Layer 2, Data Link: As its name suggests, this layer is concerned with the linkages and mechanisms used to move data about the network, including the topology, such as Ethernet or Token Ring, and deals with the ways in which data is reliably transmitted. Layer 1, Physical: The Physical layer's name says it all. This layer defines the electrical and physical specifications for the networking media that carry the data bits across a network.
What is LDAP
Lightweight Directory Access Protocol. Specifies formats and methods to query directories. It provides a single point of management for objects, such as users and computers, in an Active Directory domain
What are Linux's strengths and weaknesses vs. Windows?
Linux weaknesses New targets One of the biggest security disadvantages for Linux is that hasn't benefited from the years of attacks that Windows platforms have weathered.
What kind of attack is a standard Diffie-Hellman exchange vulnerable to?
Man in the middle attacks
What is Http and Https?
Most web addresses begin with "HTTP," which is an acronym for "Hyper Text Transfer Protocol." It's the protocol used to allow you to communicate with web sites. "HTTPS" stands for "Hyper Text Transfer Protocol Secure." It means that information exchanged between you and a web site is encrypted and cannot be hijacked by someone who might want to electronically eavesdrop when you type a credit card number, a password, a social security number, or any other person information.
What is Netbios?
NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network
How does one defend against CSRF?
Ok let's take that concept of changing the token, to changing it for every request. We can do that by using a random number generator to generate the token. Then we can store the token in the user's session data, and invalidate it when we see it next. This makes the token a nonce (a number used once). This protects us against replay attacks (since the number is only valid on the first submission), and it protects us against future attacks (compromising one nonce gives nothing for future nonces).
What are IDA and/or Olly?
OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries.
What's the difference between symmetric and public-key cryptography?
Public key uses 2 different keys - a public key for encryption and a private key for decryption. Using this encryption system, the public key can be distributed in a non-secure way. The private key is never transmitted and is only available at the recipient's side. As the keys are different, the decryption of the chipertext computationally is assumed to be not feasible without the private key. Symmetric key cryptography systems use the same key for both to encrypt the plaintext and to decrypt the ciphertext. Symmetric key systems have the advantage of being simple and fast. However, the important factor to be considered is that the parties involved must exchange the key in a secured way.
What's the difference between Diffie-Hellman and RSA?
RSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers, the factoring problem. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman Diffie-Hellman key exchange (D-H)[nb 1] is a specific method of exchanging cryptographic keys. It is one of the earliest practical examples of key exchange implemented within the field of cryptography. The Diffie-Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure
What is DNS Hijacking?
Rogue DNS server responds to legitimate request with IP addresses for malicious websites.
Describe STMP, POP3,IMAP?
SMTP SMTP stands for Simple Mail Transfer Protocol. SMTP is used when email is delivered from an email client, such as Outlook Express, to an email server or when email is delivered from one email server to another. SMTP uses port 25. POP3 POP3 stands for Post Office Protocol. POP3 allows an email client to download an email from an email server. The POP3 protocol is simple and does not offer many features except for download. Its design assumes that the email client downloads all available email from the server, deletes them from the server and then disconnects. POP3 normally uses port 110. IMAP IMAP stands for Internet Message Access Protocol. IMAP shares many similar features with POP3. It, too, is a protocol that an email client can use to download email from an email server. However, IMAP includes many more features than POP3. The IMAP protocol is designed to let users keep their email on the server. IMAP requires more disk space on the server and more CPU resources than POP3, as all emails are stored on the server. IMAP normally uses port 143. Here is more information about IMAP. Examples
What are SYN, ACK/SYN, ACK?
SYNchronize and ACKnowledge
What is WireShark?
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
What is a hub
The device used to link several computers together
What's the difference between stored and reflected XSS?
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. The non-persistent (or reflected) cross-site scripting vulnerability is by far the most common type.[10] These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request.[11]
What is TCP?
Transmission Control Protocol. Connection oriented. No packet left behind.
what is the difference of pen testing and vulnerability assessment?
Vulnerability Assessment Customer Maturity Level: Low to Medium. Usually requested by customers who already know they have issues, and need help getting started. Goal: Attain a prioritized list of vulnerabilities in the environment so that remediation can occur. Focus: Breadth over depth. Penetration Test Customer Maturity Level: High. The client believes their defenses to be strong, and wants to test that assertion. Goal: Determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal. Focus: Depth over breadth.
What are rainbow tables?
hashes of plain text passwords
Where do you get your security news from?
http://blog.malwarebytes.org/ http://www.net-security.org