Security Interview Questions1
Security Interview Questions
firewall troubleshooting scenarios
vpn troubleshooting scenarios
proxy server troubleshooting scenarios
router troubleshooting
switch troubleshooting
Proxy server
In computer networks, a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers.[1] A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server and the proxy server evaluates the request as a way to simplify and control its complexity. Proxies were invented to add structure and encapsulation to distributed systems.[2] Today, most proxies are web proxies, facilitating access to content on the World Wide Web and providing anonymity.
Types Proxy server
A proxy server may reside on the user's local computer, or at various points between the user's computer and destination servers on the Internet.
A proxy server that passes requests and responses unmodified is usually called a gateway or sometimes a tunneling proxy.
A forward proxy is an Internet-facing proxy used to retrieve from a wide range of sources (in most cases anywhere on the Internet).
A reverse proxy is usually an internal-facing proxy used as a front-end to control and protect access to a server on a private network. A reverse proxy commonly also performs tasks such as load-balancing, authentication, decryption or caching.
Open proxies[edit]
Diagram of proxy server connected to the Internet.
An open proxy forwarding requests from and to anywhere on the Internet.
Main article: Open proxy
An open proxy is a forwarding proxy server that is accessible by any Internet user. Gordon Lyon estimates there are "hundreds of thousands" of open proxies on the Internet.[3] An anonymous open proxy allows users to conceal their IP address while browsing the Web or using other Internet services. There are varying degrees of anonymity however, as well as a number of methods of 'tricking' the client into revealing itself regardless of the proxy being used.
Reverse proxies[edit]
A proxy server connecting the Internet to an internal network.
A reverse proxy taking requests from the Internet and forwarding them to servers in an internal network. Those making requests connect to the proxy and may not be aware of the internal network.
Main article: Reverse proxy
A reverse proxy (or surrogate) is a proxy server that appears to clients to be an ordinary server. Requests are forwarded to one or more proxy servers which handle the request. The response from the proxy server is returned as if it came directly from the original server, leaving the client no knowledge of the origin servers.[4] Reverse proxies are installed in the neighborhood of one or more web servers. All traffic coming from the Internet and with a destination of one of the neighborhood's web servers goes through the proxy server. The use of "reverse" originates in its counterpart "forward proxy" since the reverse proxy sits closer to the web server and serves only a restricted set of websites. There are several reasons for installing reverse proxy servers:
Encryption / SSL acceleration: when secure web sites are created, the Secure Sockets Layer (SSL) encryption is often not done by the web server itself, but by a reverse proxy that is equipped with SSL acceleration hardware. Furthermore, a host can provide a single "SSL proxy" to provide SSL encryption for an arbitrary number of hosts; removing the need for a separate SSL Server Certificate for each host, with the downside that all hosts behind the SSL proxy have to share a common DNS name or IP address for SSL connections. This problem can partly be overcome by using the SubjectAltName feature of X.509 certificates.
Load balancing: the reverse proxy can distribute the load to several web servers, each web server serving its own application area. In such a case, the reverse proxy may need to rewrite the URLs in each web page (translation from externally known URLs to the internal locations).
Serve/cache static content: A reverse proxy can offload the web servers by caching static content like pictures and other static graphical content.
Compression: the proxy server can optimize and compress the content to speed up the load time.
Spoon feeding: reduces resource usage caused by slow clients on the web servers by caching the content the web server sent and slowly "spoon feeding" it to the client. This especially benefits dynamically generated pages.
Security: the proxy server is an additional layer of defense and can protect against some OS and Web Server specific attacks. However, it does not provide any protection from attacks against the web application or service itself, which is generally considered the larger threat.
Extranet Publishing: a reverse proxy server facing the Internet can be used to communicate to a firewall server internal to an organization, providing extranet access to some functions while keeping the servers behind the firewalls. If used in this way, security measures should be considered to protect the rest of your infrastructure in case this server is compromised, as its web application is exposed to attack from the Internet.
Uses Proxy server
Monitoring and filtering
Content-control software
A content-filtering web proxy server provides administrative control over the content that may be relayed in one or both directions through the proxy. It is commonly used in both commercial and non-commercial organizations (especially schools) to ensure that Internet usage conforms to acceptable use policy.
A content filtering proxy will often support user authentication to control web access. It also usually produces logs, either to give detailed information about the URLs accessed by specific users, or to monitor bandwidth usage statistics. It may also communicate to daemon-based and/or ICAP-based antivirus software to provide security against virus and other malware by scanning incoming content in real time before it enters the network.
Many work places, schools and colleges restrict the web sites and online services that are accessible and available in their buildings. Governments also censor undesirable content. This is done either with a specialized proxy, called a content filter (both commercial and free products are available), or by using a cache-extension protocol such as ICAP, that allows plug-in extensions to an open caching architecture.
Proxy vs. NAT[edit]
Most of the time 'proxy' refers to a layer-7 application on the OSI reference model. However, another way of proxying is through layer-3 and is known as Network Address Translation (NAT). The difference between these two proxy technologies is the layer in which they operate, and the procedure to configuring the proxy clients and proxy servers.
In client configuration of layer-3 proxy (NAT), configuring the gateway is sufficient. However, for client configuration of a layer-7 proxy, the destination of the packets that the client generates must always be the proxy server (layer-7), then the proxy server reads each packet and finds out the true destination.
Because NAT operates at layer-3, it is less resource-intensive than the layer-7 proxy, but also less flexible. As we compare these two technologies, we might encounter a terminology known as 'transparent firewall'. Transparent firewall means that the layer-3 proxy uses the layer-7 proxy advantages without the knowledge of the client. The client presumes that the gateway is a NAT in layer-3, and it does not have any idea about the inside of the packet, but through this method the layer-3 packets are sent to the layer-7 proxy for investigation.
DNS proxy[edit]
A DNS proxy server takes DNS queries from a (usually local) network and forwards them to an Internet Domain Name Server. It may also cache DNS records.
1) What is data encapsulation?
Data Encapsulation is a process of hiding and protecting data from the outside users or interference. The sending and receiving of data from a source device to the destination device is possible with the help of networking protocols when data encapsulation is used. Protocol Data Units contain the control information attached to the data at each layer.
The information is attached to the data field’s header but can also be at the end of the data field or trailer.
PDUs are encapsulated by attaching them to the data at each OSI reference model layer.
Encapsulation Protocol and Network Layer Settings
Setting Description
Cisco (EtherType) Ethernet frame format used by many routers as their proprietary, default encapsulation protocol. It has similar capabilities to bridged Ethernet or Token Ring, but is more efficient.1
Ethernet (bridged) Ethernet frame format used by bridges and bridging routers. Can carry any network layer protocol supported by Ethernet.
Frame Relay (Auto) (Frame Relay only) Either RFC1490 or EtherType encapsulation protocol based on the frames themselves. This is the best choice to use with Frame Relay because it works with both of the most common encapsulation techniques.
None - IP only A network-layer protocol that directs the ASE to analyze data assuming it is IP protocol.2
None - SNA only A network-layer protocol that directs the ASE to analyze data assuming that it is SNA protocol.2
None - Vines only A network-layer protocol that directs the ASE to analyze data assuming that it is Banyan VINES protocol.2
None - DECnet IV only A network-layer protocol that directs the ASE to analyze data assuming it is DECnet IV protocol.2
Point-to-Point (PPP) The standard point-to-point protocol used mainly on point-to-point links analyzed by the HDLC ASE, but can be used by Frame Relay ASEs.
RFC 1490 (IETF) (Frame Relay only) Standard Frame Relay Multi protocol encapsulation. This is the most versatile and common encapsulation protocol used with Frame Relay.
Router (proprietary) (HDLC only) An encapsulation protocol that decodes proprietary framing used by routers on point-to-point links.
Token Ring (bridged) Token Ring frame format used by bridges and bridging routers. Can carry any network layer protocol supported by Token Ring networks.
Spanning Tree Protocol (STP) is a Layer 2 protocol that runs on bridges and switches. The specification for STP is IEEE 802.1D. The main purpose of STP is to ensure that you do not create loops when you have redundant paths in your network. Loops are deadly to a network
Multiple Spanning Tree Protocol. Multiple Spanning Tree Protocol (MSTP) was first specified in IEEE 802.1s and is standardized in IEEE 802.1Q. MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, reducing the number of spanning-tree instances needed to support a large number of VLANs.
http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24248-147.html
Amazon Virtual Private Cloud (VPC)
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
You can easily customize the network configuration for your Amazon Virtual Private Cloud. For example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.
Get Started with AWS for Free
Create a Free Account
Or Sign In to the Console
Receive twelve months of access to the AWS Free Tier and enjoy AWS Basic Support features including, 24x7x365 customer service, support forums, and more.
Please note that Amazon VPC is not currently available on the AWS Free Tier.
Introducing NAT Gateway
You can now use Network Address Translation (NAT) Gateway, a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an AWS VPC. Learn More >>
Features and Benefits
Multiple Connectivity Options
A variety of connectivity options exist for your Amazon Virtual Private Cloud. You can connect your VPC to the Internet, to your datacenter, or other VPC's, based on the AWS resources that you want to expose publicly and those that you want to keep private.
Connect directly to the Internet (public subnets)– You can launch instances into a publicly accessible subnet where they can send and receive traffic from the Internet.
Connect to the Internet using Network Address Translation (private subnets)– Private subnets can be used for instances that you do not want to be directly addressable from the Internet. Instances in a private subnet can access the Internet without exposing their private IP address by routing their traffic through a Network Address Translation (NAT) gateway in a public subnet.
Connect securely to your corporate datacenter– All traffic to and from instances in your VPC can be routed to your corporate datacenter over an industry standard, encrypted IPsec hardware VPN connection.
Connect privately to other VPCs- Peer VPCs together to share resources across multiple virtual networks owned by your or other AWS accounts.
Connect to Amazon S3 without using an internet gateway or NAT, and control what buckets, requests, users, or groups are allowed through a VPC Endpoint for S3.
Combine connectivity methods to match the needs of your application– You can connect your VPC to both the Internet and your corporate datacenter and configure Amazon VPC route tables to direct all traffic to its proper destination.
Secure
Amazon VPC provides advanced security features such as security groups and network access control lists to enable inbound and outbound filtering at the instance level and subnet level. In addition, you can store data in Amazon S3 and restrict access so that it’s only accessible from instances in your VPC. Optionally, you can also choose to launch Dedicated Instances which run on hardware dedicated to a single customer for additional isolation.
Symantec Endpoint Protection, developed by Symantec Corporation, is an antivirus and personal firewall software for centrally managed corporate environments providing security for both servers and workstations.
Endpoint security or Endpoint Protection is a technology that takes an upper hand to protect computer networks that are remotely bridged to users' devices. The use of laptops, tablets, mobile devices and other wireless gadgets connected with corporate networks creates vulnerability paths for security threats.[1][2] Endpoint security attempts to ensure that such devices follow a definite level of compliance and standards.[3]
There are many types of computer security threats in this world. Some are pretty harmful while some are totally harmless although annoying. There are also some which does not do any damage to your computer, but has the capability to empty the numbers in your bank account.
If you are really interested to find out these threats, I have 28 of them here and do get yourself a cup of coffee before you start.
The types of computer security threats
1. Trojan. Trojan is one of the most complicated threats among all. Most of the popular banking threats come from the Trojan family such as Zeus and SpyEye. It has the ability to hide itself from antivirus detection and steal important banking data to compromise your bank account. If the Trojan is really powerful, it can take over your entire security system as well. As a result, a Trojan can cause many types of damage starting from your own computer to your online account.
2. Virus. Looking at the technology 10 years back, Virus is something really popular. It is a malicious program where it replicates itself and aim to only destroy a computer. The ultimate goal of a virus is to ensure that the victim’s computer will never be able to operate properly or even at all. It is not so popular today because Malware today is designed to earn money over destruction. As a result, Virus is only available for people who want to use it for some sort of revenge purpose.
3. Worms. One of the most harmless threats where it is program designed only to spread. It does not alter your system to cause you to have a nightmare with your computer, but it can spread from one computer to another computer within a network or even the internet. The computer security risk here is, it will use up your computer hard disk space due to the replication and took up most of your bandwidth due to the spread.
4. Spyware. Is a Malware which is designed to spy on the victim’s computer. If you are infected with it, probably your daily activity or certain activity will be spied by the spyware and it will find itself a way to contact the host of this malware. Mostly, the use of this spyware is to know what your daily activity is so that the attacker can make use of your information. Such as if you browse on sex toys for a week every day, the attacker will try to come out with a sex toy scam to cheat on your money.
5. Scareware. Scareware is something that plant into your system and immediately inform you that you have hundreds of infections which you don’t have. The idea here is to trick you into purchasing a bogus anti-malware where it claims to remove those threats. It is all about cheating your money but the approach is a little different here because it scares you so that you will buy.
6. Keylogger. Something that keeps a record of every keystroke you made on your keyboard. Keylogger is a very powerful threat to steal people’s login credential such as username and password. It is also usually a sub-function of a powerful Trojan.
7. Adware. Is a form of threat where your computer will start popping out a lot of advertisement. It can be from non-adult materials to adult materials because any ads will make the host some money. It is not really harmful threat but can be pretty annoying.
8. Backdoor. Backdoor is not really a Malware, but it is a form of method where once a system is vulnerable to this method, attacker will be able to bypass all the regular authentication service. It is usually installed before any virus or Trojan infection because having a backdoor installed will ease the transfer effort of those threats.
9. Wabbits. Is another a self-replicating threat but it does not work like a Virus or Worms. It does not harm your system like a Virus and it does not replicate via your LAN network like a Worms. An example of Wabbit’s attack is the fork bomb, a form of DDoS attack.
10. Exploit. Exploit is a form of software which is programmed specifically to attack certain vulnerability. For instance if your web browser is vulnerable to some out-dated vulnerable flash plugin, an exploit will work only on your web browser and plugin. The way to avoid hitting into exploit is to always patch your stuff because software patches are there to fix vulnerabilities.
[How to remove virus]
11. Botnet. Botnet is something which is installed by a BotMaster to take control of all the computer bots via the Botnet infection. It mostly infects through drive-by downloads or even Trojan infection. The result of this threat is the victim’s computer, which is the bot will be used for a large scale attack like DDoS.
12. Dialer. This threat is no longer popular today but looking at the technology 10 years back or more where we still access the internet using a dial-up modem, it is quite a popular threat. What it does is it will make use of your internet modem to dial international numbers which are pretty costly. Today, this type of threat is more popular on Android because it can make use of the phone call to send SMS to premium numbers.
13. Dropper. Looking at the name, a Dropper is designed to drop into a computer and install something useful to the attacker such as Malware or Backdoor. There are two types of Dropper where one is to immediately drop and install to avoid Antivirus detection. Another type of Dropper is it will only drop a small file where this small file will auto trigger a download process to download the Malware.
14. Fake AV. Fake Antivirus threat is a very popular threat among Mac user about 10 months ago. Due to the reason that Mac user seldom faces a virus infection, scaring them with message which tells them that their computer is infected with virus is pretty useful where it results them into purchasing a bogus antivirus which does nothing.
15. Phishing. A fake website which is designed to look almost like the actual website is a form of phishing attack. The idea of this attack is to trick the user into entering their username and password into the fake login form which serves the purpose of stealing the identity of the victim. Every form sent out from the phishing site will not go to the actual server, but the attacker controlled server.
16. Cookies.Cookies is not really a Malware. It is just something used by most websites to store something into your computer. It is here because it has the ability to store things into your computer and track your activities within the site. If you really don’t like the existence of cookies, you can choose to reject using cookies for some of the sites which you do not know.
17. Bluesnarfing. Bluesnarfing is all about having an unauthorized access to a specific mobile phones, laptop, or PDA via Bluetooth connection. By having such unauthorized access, personal stuff such as photos, calender, contacts and SMS will all be revealed and probably even stolen.
18. Bluejacking. Bluejacking is also uses the Bluetooth technology but it is not as serious as Bluesnarfing. What it does is it will connect to your Bluetooth device and send some message to another Bluetooth device. It is not something damaging to your privacy or device system compared to the Bluesnarfing threat.
19. DDoS. One of the most famous thing done by Anonymous, which is to send millions of traffic to a single server to cause the system to down with certain security feature disable so that they can do their data stealing. This kind of trick which is to send a lot of traffic to a machine is known as Distributed Denial of Service, also known as DDoS.
[10 Symptoms of a Computer Infected with Malware]
20. Boot Sector Virus. It is a virus that places its own codes into computer DOS boot sector or also known as the Master Boot Record. It will only start if there it is injected during the boot up period where the damage is high but difficult to infect. All the victim need to do if they realize there is a boot sector virus is to remove all the bootable drive so that this particular virus will not be able to boot.
21. Browser Hijackers. A browser hijacker uses the Trojan Malware to take control of the victim’s web browsing session. It is extremely dangerous especially when the victim is trying to send some money via online banking because that is the best time for the hijacker to alter the destination of the bank account and even amount.
22. Chain Letters. When I was small, I got tricked with chain letters written by my friend. But chain letters does not stop at that era. It brings to adult life as well where people like to send chain letter such as Facebook account delete letter. It usually says if you don’t forward that particular message or email to 20 people or more, your account will be deleted and people really believe that.
23. Virus Document. Virus today can be spread through document file as well especially PDF documents. Last time, people will only advice you not to simply execute an EXE file but in today’s world with today’s technology, document file should also be avoided. It is best if you use an online virus scanner to scan first before opening any single file which you feel it is suspicious.
24. Mousetrapping. I am not too sure whether you had encountered a Mousetrapping Malware before where what it does is it will trap your web browser to a particular website only. If you try to type another website, it will automatically redirect you back. If you try clicking forward/backward of the navigation button, it will also redirect you back. If you try to close your browser and re-open it, it will set the homepage to that website and you can never get out of this threat unless you remove it.
25. Obfuscated Spam. To be really honest, obfuscated Spam is a spam mail. It is obfuscated in the way that it does not look like any spamming message so that it can trick the potential victim into clicking it. Spam mail today looks very genuine and if you are not careful, you might just fall for what they are offering.
26. Pharming. Pharming works more or less like phishing but it is a little tricky here. There are two types of pharming where one of it is DNS poisoning where your DNS is being compromised and all your traffic will be redirected to the attacker’s DNS. The other type of pharming is to edit your HOST file where even if you typed www.google.com on your web browser, it will still redirect you to another site. One thing similar is that both are equally dangerous.
27. Crimeware. Crimeware is a form of Malware where it takes control of your computer to commit a computer crime. Instead of the hacker himself committing the crime, it plants a Trojan or whatever the Malware is called to order you to commit a crime instead. This will make the hacker himself clean from whatever crime that he had done.
28. SQL Injection. SQL injection does not infect the end users directly. It is more towards infecting a website which is vulnerable to this attack. What it does is it will gain unauthorized access to the database and the attacker can retrieve all the valuable information stored in the database.
To know what can threat your data you should know what malicious programs (Malware) exist and how they function. Malware can be subdivided in the following types:
Viruses: programs that infect other programs by adding to them a virus code to get access at an infected file start-up. This simple definition discovers the main action of a virus – infection. The spreading speed of viruses is lower than that of worms.
Worms: this type of Malware uses network resources for spreading. This class was called worms because of its peculiar feature to “creep” from computer to computer using network, mail and other informational channels. Thanks to it spreading speed of worms is very high.
Worms intrude your computer, calculate network addresses of other computers and send to these addresses its copies. Besides network addresses, the data of the mail clients' address books is used as well. Representatives of this Malware type sometimes create working files on system discs, but may not deploy computer resources (except the operating memory).
Trojans: programs that execute on infected computers unauthorized by user actions; i.e. depending on the conditions delete information on discs, make the system freeze, steal personal information, etc. this Malware type is not a virus in traditional understanding (i.e. does not infect other programs or data): Trojans cannot intrude the PC by themselves and are spread by violators as “useful” and necessary software. And still harm caused by Trojans is higher than of traditional virus attack.
Spyware: software that allows to collect data about a specific user or organization, who are not aware of it. You may not even guess about having spyware on your computer. As a rule the aim of spyware is to:
Trace user's actions on computer
Collect information about hard drive contents; it often means scanning some folders and system registry to make a list of software installed on the computer.
Collect information about quality of connection, way of connecting, modem speed, etc.
Collecting information is not the main function of these programs, they also threat security. Minimum two known programs – Gator and eZula – allow violator not only collect information but also control the computer. Another example of spyware are programs embedded in the browser installed on the computer and retransfer traffic. You have definitely come across such programs, when inquiring one address of a web-site, another web-site was opened. One of the spyware is phishing- delivery.
Phishing is a mail delivery whose aim is to get from the user confidential financial information as a rule. Phishing is a form of a social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The messages contain link to a deliberately false site where user is suggested to enter number of his/her credit card and other confidential information.
Adware: program code embedded to the software without user being aware of it to show advertising. As a rule adware is embedded in the software that is distributed free. Advertisement is in the working interface. Adware often gathers and transfer to its distributor personal information of the user.
Riskware: this software is not a virus, but contains in itself potential threat. By some conditions presence of such riskware on your PC puts your data at risk. To this software refer utilities of remote administration, programs that use Dial Up-connection and some others to connect with pay-per-minute internet sites.
Jokes: software that does not harm your computer but displays messages that this harm has already been caused, or is going to be caused on some conditions. This software often warns user about not existing danger, e.g. display messages about hard disc formatting (though no formatting is really happening), detect viruses in not infected files and etc.
Rootkit: these are utilities used to conceal malicious activity. They disguise Malware, to prevent from being detected by the antivirus applications. Rootkits can also modify operating system on the computer and substitute its main functions to disguise its presence and actions that violator makes on the infected computer.
Other malware: different programs that have been developed to create other Malware, organizing DoS-attacks on remote servers, intruding other computers, etc. Hack Tools, virus constructors and other refer to such programs.
Spam: anonymous, mass undesirable mail correspondence. Spam is political and propaganda delivery, mails that ask to help somebody. Another category of spam are messages suggesting you to cash a great sum of money or inviting you to financial pyramids, and mails that steal passwords and credit card number, messages suggesting to send them to your friends (me
10 Strategies To Fight Anonymous DDoS Attacks
Preventing distributed denial of service attacks may be impossible. But with advance planning, they can be mitigated and stopped. Learn where to begin.
1. Know you're vulnerable.
One lesson from the use of DDoS by Anonymous--as well as its sister hacktivist group LulzSec--is that any site is at risk. That's not meant to sound alarmist, but rather simply to acknowledge that the hacktivist agenda can seem random, at best. Indeed, after Anonymous came along, "the financial sector, which had not really considered itself as a prime target, was hit and urgently forced to confront threatening situations," according to the Radware report. "Government sites had been targeted before, but 2011 saw a dramatic increase in frequency, and neutral governments that felt themselves exempt, like New Zealand, were attacked."
2. DDoS attacks are cheap to launch, tough to stop.
As the recent Anonymous retaliation for the Megaupload takedown shows, hacktivists can quickly crowdsource "5,600 DDoS zealots blasting at once," as Anonymous boasted on Twitter, to take down the websites of everyone from the FBI and the Justice Department to the Motion Picture Association of America and Recording Industry Association of America. "DDoS is to the Internet what the billy club is to gang warfare: simple, cheap, unsophisticated, and effective," said Rob Rachwald, director of security strategy of Imperva, via email.
3. Plan ahead.
Stopping DDoS attacks requires preparation. If attacked, "folks that don't take active measures to ensure the resilience of their networks are going to get knocked over," said Roland Dobbins, Asia-Pacific solutions architect for Arbor Networks, via phone. "They need to do everything they can to increase resiliency and availability." Accordingly, he recommends implementing "all of the industry best and current practices for their network infrastructure, as well as applications, critical supporting services, including DNS."
4. Secure potential bottlenecks.
Which parts of the corporate network can become a bottleneck or weak link in a DDoS attack? A survey by Radware of 135 people with information security expertise--including IT managers as well as CIOs and CISOs--found that the bottlenecks they'd experienced included the server under attack (for 30%), their Internet pipe (27%), a firewall (24%), an intrusion prevention or detection system (8%), a SQL server (5%), or a load balancer (4%). For example, Sergey Shekyan, a Web application vulnerability scanner developer at Qualys, reported that he was able to DDoS a Squid proxy server using the free slowhttptest tool with slow read DDoS attack support. That's because while the server was theoretically able to handle 60,000 concurrent connections per minute, it had been misconfigured to only allow 1,024 open file descriptors at a time.
5. Watch what's happening on the network.
If prevention--including securing infrastructure and making sure it can reasonably scale to handle sharp increases in packet traffic--is the first step, the second is actively monitoring the network. "If the enterprise doesn't have visibility into their network traffic so they can exert control over the traffic, then they have a problem," said Dobbins.
6. Look beyond large attacks.
Historically, the most popular type of DDoS attack--and the one most used by Anonymous--has been a packet flood. The concept is simple: direct so many packets at a website that its servers buckle under the pressure. But not all effective DDoS attacks unload untold numbers of packets. Notably, a study by Radware of 40 DDoS attacks from 2011 found that only 9% involved more than 10 Gbps of bandwidth, while 76% involved less than 1 Gbps.
7. Beware application-layer attacks.
Attacks that eschew packet quantity for taking out a switch or application can unfortunately be quite difficult to detect. According to Radware's report, "it is much easier to detect and block a network flood attack--which is about sending a large volume of irrelevant traffic such as UDP floods, SYN floods, and TCP floods, typically spoofed--rather than an application flood attack where the attackers are using real IP addresses from real machines and running complete application transactions."
8. Watch for blended attacks.
Detection can get even trickier when attackers start targeting more than one application at a time, perhaps together with a packet flood. "Attackers are often likely to combine both packet flooding attacks with application-layer DDoS, to increase their odds of success," according to the Radware report. "The majority of organizations, which are targeted by sub-1-Gbps attacks, are targeted with a mix of network and application flood attacks."
9. Make upstream friends.
Large attacks can overwhelm even the largest enterprise network. "Work very closely with [your] Internet service provider--or for multinationals, providers--to successfully deal with these attacks," said Arbor's Dobbins. Build relationships and lines of communication in advance. "At 4 a.m., if there is a DDoS attack, it's not the time you want to be scrambling around trying to reconfigure your infrastructure, and finding who call at your ISP," he said.
10. Consider countermeasures.
While the legality of certain types of attack countermeasures is an open question, Radware said that network gear may be able to automatically mitigate suspected DDoS attacks. For example, it can silently drop questionable packets, or send a TCP reply to the attacker that advertises "window size equals 0," which says that for the time being, no new data can be received. "Legitimate clients generally respect this and will suspend their communication for the time being," according to Radware's report. "It seems that some attackers also honor this message and suspend the attack until a new, larger window size is advertised, which of course the site being attacked has no intention of doing."
It's no longer a matter of if you get hacked, but when. In this special retrospective of news coverage, Monitoring Tools And Logs Make All The Difference, Dark Reading takes a look at ways to measure your security posture and the challenges that lie ahead with the emerging threat landscape. (Free registration required.)
Encryption Algorithms
Encryption Algorithms
Encryption algorithm, or cipher, is a mathematical function used in the encryption and decryption process - series of steps that mathematically transforms plaintext or other readable information into unintelligible ciphertext. A cryptographic algorithm works in combination with a key (a number, word, or phrase) to encrypt and decrypt data. To encrypt, the algorithm mathematically combines the information to be protected with a supplied key. The result of this combination is the encrypted data. To decrypt, the algorithm performs a calculation combining the encrypted data with a supplied key. The result of this combination is the decrypted data. If either the key or the data is modified, the algorithm produces a different result. The goal of every encryption algorithm is to make it as difficult as possible to decrypt the generated ciphertext without using the key.
Each algorithm uses a string of bits known as a "key" to perform the calculations. The larger the key (the more bits), the greater the number of potential patterns can be created, thus making it harder to break the code and descramble the contents. Most encryption algorithms use the block cipher method, which codes fixed blocks of input that are typically from 64 to 128 bits in length. Some use the stream method, which works with the continuous stream of input.
Some cryptographic methods rely on the secrecy of the encryption algorithms; such algorithms are only of historical interest and are not adequate for real-world needs. Instead of the secrecy of the method itself, all modern algorithms base their security on the usage of a key; a message can be decrypted only if the key used for decryption matches the key used for encryption.
Types of encryption algorithms
There are two kinds of key-based encryption algorithms, symmetric encryption algorithms (secret key algorithms) and asymmetric encryption algorithms (or public key algorithms). The difference is that symmetric encryption algorithms use the same key for encryption and decryption (or the decryption key is easily derived from the encryption key), whereas asymmetric encryption algorithms use a different key for encryption and decryption, and the decryption key cannot be derived from the encryption key.
Symmetric encryption algorithms
Symmetric encryption algorithms can be divided into stream ciphers and block ciphers. Stream ciphers encrypt a single bit of plaintext at a time, whereas block ciphers take a number of bits (typically 64 bits in modern ciphers), and encrypt them as a single unit.
Some examples of popular symmetric encryption algorithms:
AES/Rijndael
Blowfish
CAST5
DES
IDEA
RC2
RC4
RC6
Serpent
Triple DES
Twofish
AES encryption algorithm
AES stands for Advanced Encryption Standard. AES is a symmetric key encryption technique which will replace the commonly used Data Encryption Standard (DES). It was the result of a worldwide call for submissions of encryption algorithms issued by the US Government's National Institute of Standards and Technology (NIST) in 1997 and completed in 2000.
In response to the growing feasibility of attacks against DES, NIST launched a call for proposals for an official successor that meets 21st century security needs. This successor is called the Advanced Encryption Standard (AES).
Five algorithms were selected into the second round, from which Rijndael was selected to be the final standard. NIST gave as its reasons for selecting Rijndael that it performs very well in hardware and software across a wide range of environments in all possible modes. It has excellent key setup time and has low memory requirements, in addition its operations are easy to defend against power and timing attacks. NIST stated that all five finalists had adequate security and that there was nothing wrong with the other four ciphers.
The winning algorithm, Rijndael, was developed by two Belgian cryptologists, Vincent Rijmen and Joan Daemen.
AES provides strong encryption and was selected by NIST as a Federal Information Processing Standard in November 2001 (FIPS-197).
Rijndael follows the tradition of square ciphers. AES algorithm uses three key sizes: a 128-, 192-, or 256-bit encryption key. Each encryption key size causes the algorithm to behave slightly differently, so the increasing key sizes not only offer a larger number of bits with which you can scramble the data, but also increase the complexity of the cipher algorithm.
Blowfish encryption algorithm
Blowfish is a symmetric encryption algorithm designed in 1993 by Bruce Schneier as an alternative to existing encryption algorithms.
Blowfish has a 64-bit block size and a variable key length - from 32 bits to 448 bits. It is a 16-round Feistel cipher and uses large key-dependent S-boxes. While doing key scheduling, it generates large pseudo-random lookup tables by doing several encryptions. The tables depend on the user supplied key in a very complex way. This approach has been proven to be highly resistant against many attacks such as differential and linear cryptanalysis. Unfortunately, this also means that it is not the algorithm of choice for environments where a large memory space is not available. Blowfish is similar in structure to CAST-128, which uses fixed S-boxes.
Since then Blowfish has been analyzed considerably, and is gaining acceptance as a strong encryption algorithm.
Blowfish was designed in 1993 by Bruce Schneier as a fast, free alternative to existing encryption algorithms. Since then it has been analyzed considerably, and it is slowly gaining acceptance as a strong encryption algorithm. Blowfish is unpatented and license-free, and is available free for all uses.
The only known attacks against Blowfish are based on its weak key classes.
CAST
CAST stands for Carlisle Adams and Stafford Tavares, the inventors of CAST. CAST is a popular 64-bit block cipher which belongs to the class of encryption algorithms known as Feistel ciphers.
CAST-128 is a DES-like Substitution-Permutation Network (SPN) cryptosystem. It has the Feistel structure and utilizes eight fixed S-boxes. CAST-128 supports variable key lenghts between 40 and 128 bits.
CAST-128 is resistant to both linear and differential cryptanalysis. Currently, there is no known way of breaking CAST short of brute force. CAST is now the default cipher in PGP.
Data Encryption Standard (DES)
Digital Encryption Standard (DES) is a symmetric block cipher with 64-bit block size that uses using a 56-bit key.
In 1977 the Data Encryption Standard (DES), a symmetric algorithm, was adopted in the United States as a federal standard.
DES encrypts and decrypts data in 64-bit blocks, using a 56-bit key. It takes a 64-bit block of plaintext as input and outputs a 64-bit block of ciphertext. Since it always operates on blocks of equal size and it uses both permutations and substitutions in the algorithm. DES has 16 rounds, meaning the main algorithm is repeated 16 times to produce the ciphertext. It has been found that the number of rounds is exponentially proportional to the amount of time required to find a key using a brute-force attack. So as the number of rounds increases, the security of the algorithm increases exponentially.
For many years, DES-enciphered data were safe because few organizations possessed the computing power to crack it. But in July 1998 a team of cryptographers cracked a DES-enciphered message in 3 days, and in 1999 a network of 10,000 desktop PCs cracked a DES-enciphered message in less than a day. DES was clearly no longer invulnerable and since then Triple DES (3DES) has emerged as a stronger method.
Triple DES encrypts data three times and uses a different key for at least one of the three passes giving it a cumulative key size of 112-168 bits. That should produce an expected strength of something like 112 bits, which is more than enough to defeat brute force attacks. Triple DES is much stronger than (single) DES, however, it is rather slow compared to some new block ciphers. However, cryptographers have determined that triple DES is unsatisfactory as a long-term solution, and in 1997, the National Institute of Standards and Technology (NIST) solicited proposals for a cipher to replace DES entirely, the Advanced Encryption Standard (AES).
IDEA encryption algorithm
IDEA stands for International Data Encryption Algorithm. IDEA is a symmetric encryption algorithm that was developed by Dr. X. Lai and Prof. J. Massey to replace the DES standard. Unlike DES though it uses a 128 bit key. This key length makes it impossible to break by simply trying every key. It has been one of the best publicly known algorithms for some time. It has been around now for several years, and no practical attacks on it have been published despite of numerous attempts to analyze it.
IDEA is resistant to both linear and differential analysis.
RC2
RC2 is a variable-key-length cipher. It was invented by Ron Rivest for RSA Data Security, Inc. Its details have not been published.
RC4
RC4 was developed by Ron Rivest in 1987. It is a variable-key-size stream cipher. It is a cipher with a key size of up to 2048 bits (256 bytes). The algorithm is very fast. Its security is unknown, but breaking it does not seem trivial either. Because of its speed, it may have uses in certain applications. It accepts keys of arbitrary length. RC4 is essentially a pseudo random number generator, and the output of the generator is exclusive-ored with the data stream. For this reason, it is very important that the same RC4 key never be used to encrypt two different data streams.
RC6
RC6 is a symmetric key block cipher derived from RC5. It was designed by Ron Rivest, Matt Robshaw, Ray Sidney, and Yiqun Lisa Yin to meet the requirements of the Advanced Encryption Standard (AES) competition. RC6 encryption algorithm was selected among the other finalists to become the new federal Advanced Encryption Standard (AES).
SEED
SEED is a block cipher developed by the Korea Information Security Agency since 1998. Both the block and key size of SEED are 128 bits and it has a Feistel Network structure which is iterated 16 times. It has been designed to resist differential and linear cryptanalysis as well as related key attacks. SEED uses two 8x8 S-boxes and mixes the XOR operation with modular addition. SEED has been adopted as an ISO/IEC standard (ISO/IEC 18033-3), an IETF RFC, RFC 4269 as well as an industrial association standard of Korea (TTAS.KO-12.0004/0025).
Serpent
Serpent is a very fast and reasonably secure block cipher developed by Ross Anderson, Eli Biham and Lars Knudsen. Serpent can work with different combinations of key lengths. Serpent was also selected among other five finalists to become the new federal Advanced Encryption Standard (AES).
TEA
Tiny Encryption Algorithm is a very fast and moderately secure cipher produced by David Wheeler and Roger Needham of Cambridge Computer Laboratory. There is a known weakness in the key schedule, so it is not recommended if utmost security is required. TEA is provided in 16 and 32 round versions. The more rounds (iterations), the more secure, but slower.
Triple DES
Triple DES is a variation of Data Encryption Standard (DES). It uses a 64-bit key consisting of 56 effective key bits and 8 parity bits. The size of the block for Triple-DES is 8 bytes. Triple-DES encrypts the data in 8-byte chunks. The idea behind Triple DES is to improve the security of DES by applying DES encryption three times using three different keys. Triple DES algorithm is very secure (major banks use it to protect valuable transactions), but it is also very slow.
Twofish
Twofish is a symmetric block cipher. Twofish has a block size of 128 bits and accepts keys of any length up to 256 bits.Twofish has key dependent S-boxes like Blowfish.
Twofish encryption algorithm was designed by Bruce Schneier, John Kelsey, Chris Hall, Niels Ferguson, David Wagner and Doug Whiting. The National Institute of Standards and Technology (NIST) investigated Twofish as one of the candidates for the replacement of the DES encryption algorithm.
Asymmetric encryption algorithms
Asymmetric encryption algorithms (public key algorithms) use different keys for encryption and decryption, and the decryption key cannot (practically) be derived from the encryption key. Public key methods are important because they can be used for transmitting encryption keys or other data securely even when the parties have no opportunity to agree on a secret key in private.
Types of Asymmetric encryption algorithms (public key algorithms):
RSA encryption algorithm
Diffie-Hellman
Digital Signature Algorithm
ElGamal
ECDSA
XTR
RSA encryption algorithm
Rivest-Shamir-Adleman is the most commonly used public key encryption algorithm. It can be used both for encryption and for digital signatures. The security of RSA is generally considered equivalent to factoring, although this has not been proved.
RSA computation occurs with integers modulo n = p * q, for two large secret primes p, q. To encrypt a message m, it is exponentiated with a small public exponent e. For decryption, the recipient of the ciphertext c = me (mod n) computes the multiplicative reverse d = e-1 (mod (p-1)*(q-1)) (we require that e is selected suitably for it to exist) and obtains cd = m e * d = m (mod n). The private key consists of n, p, q, e, d (where p and q can be omitted); the public key contains only n and e. The problem for the attacker is that computing the reverse d of e is assumed to be no easier than factorizing n.
The key size should be greater than 1024 bits for a reasonable level of security. Keys of size, say, 2048 bits should allow security for decades.
There are actually multiple incarnations of this algorithm; RC5 is one of the most common in use, and RC6 was a finalist algorithm for AES.
Diffie-Hellman
Diffie-Hellman is the first public key encryption algorithm, invented in 1976, using discrete logarithms in a finite field. Allows two users to exchange a secret key over an insecure medium without any prior secrets.
Diffie-Hellman (DH) is a widely used key exchange algorithm. In many cryptographical protocols, two parties wish to begin communicating. However, let's assume they do not initially possess any common secret and thus cannot use secret key cryptosystems. The key exchange by Diffie-Hellman protocol remedies this situation by allowing the construction of a common secret key over an insecure communication channel. It is based on a problem related to discrete logarithms, namely the Diffie-Hellman problem. This problem is considered hard, and it is in some instances as hard as the discrete logarithm problem.
The Diffie-Hellman protocol is generally considered to be secure when an appropriate mathematical group is used. In particular, the generator element used in the exponentiations should have a large period (i.e. order). Usually, Diffie-Hellman is not implemented on hardware.
Digital Signature Algorithm
Digital Signature Algorithm (DSA) is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Algorithm (DSA), specified in FIPS 186 [1], adopted in 1993. A minor revision was issued in 1996 as FIPS 186-1 [2], and the standard was expanded further in 2000 as FIPS 186-2 [3]. Digital Signature Algorithm (DSA) is similar to the one used by ElGamal signature algorithm. It is fairly efficient though not as efficient as RSA for signature verification. The standard defines DSS to use the SHA-1 hash function exclusively to compute message digests.
The main problem with DSA is the fixed subgroup size (the order of the generator element), which limits the security to around only 80 bits. Hardware attacks can be menacing to some implementations of DSS. However, it is widely used and accepted as a good algorithm.
ElGamal
The ElGamal is a public key cipher - an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement. ElGamal is the predecessor of DSA.
ECDSA
Elliptic Curve DSA (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which operates on elliptic curve groups. As with Elliptic Curve Cryptography in general, the bit size of the public key believed to be needed for ECDSA is about twice the size of the security level, in bits.
XTR
XTR is an encryption algorithm for public-key encryption. XTR is a novel method that makes use of traces to represent and calculate powers of elements of a subgroup of a finite field. It is based on the primitive underlying the very first public key cryptosystem, the Diffie-Hellman key agreement protocol.
From a security point of view, XTR security relies on the difficulty of solving discrete logarithm related problems in the multiplicative group of a finite field. Some advantages of XTR are its fast key generation (much faster than RSA), small key sizes (much smaller than RSA, comparable with ECC for current security settings), and speed (overall comparable with ECC for current security settings).
Differences between symmetric and asymmetric encryption algorithms
Symmetric encryption algorithms encrypt and decrypt with the same key. Main advantages of symmetric encryption algorithms are its security and high speed. Asymmetric encryption algorithms encrypt and decrypt with different keys. Data is encrypted with a public key, and decrypted with a private key. Asymmetric encryption algorithms (also known as public-key algorithms) need at least a 3,000-bit key to achieve the same level of security of a 128-bit symmetric algorithm. Asymmetric algorithms are incredibly slow and it is impractical to use them to encrypt large amounts of data. Generally, symmetric encryption algorithms are much faster to execute on a computer than asymmetric ones. In practice they are often used together, so that a public-key algorithm is used to encrypt a randomly generated encryption key, and the random key is used to encrypt the actual message using a symmetric algorithm. This is sometimes called hybrid encryption.
Strength of Encryption Algorithms
Strong encryption algorithms should always be designed so that they are as difficult to break as possible. In theory, any encryption algorithm with a key can be broken by trying all possible keys in sequence. If using brute force to try all keys is the only option, the required computing power increases exponentially with the length of the key. A 32-bit key takes 232 (about 109) steps. This is something anyone can do on his/her home computer. An encryption algorithm with 56-bit keys, such as DES, requires a substantial effort, but using massive distributed systems requires only hours of computing. In 1999, a brute-force search using a specially designed supercomputer and a worldwide network of nearly 100,000 PCs on the Internet, found a DES key in 22 hours and 15 minutes. It is currently believed that keys with at least 128 bits (as in AES, for example) will be sufficient against brute-force attacks into the foreseeable future.
However, key length is not the only relevant issue. Many encryption algorithms can be broken without trying all possible keys. In general, it is very difficult to design ciphers that could not be broken more effectively using other methods.
The keys used in public-key encryption algorithms are usually much longer than those used in symmetric encryption algorithms. This is caused by the extra structure that is available to the cryptanalyst. There the problem is not that of guessing the right key, but deriving the matching private key from the public key. In the case of RSA encryption algorithm, this could be done by factoring a large integer that has two large prime factors. In the case of some other cryptosystems, it is equivalent to computing the discrete logarithm modulo a large integer (which is believed to be roughly comparable to factoring when the moduli is a large prime number).
This article describes the functions and properties of the various cryptographic key types used for securing digital communications. Recommended crypto-periods are also discussed.
Classification of cryptographic keys in accordance with functions & properties of various key types used for securing digital communications.
Categories and types of cryptographic keys
Just as there are different types of household keys for the car, front door of the house, garage door, etc., keys also serve different functions in the world of digital communications. One should get an understanding of these different key functions are before any meaningful work can be done with cryptographic key management.
In general, cryptographic keys are categorized according to their properties and usage. A key may have one of three properties: Symmetric, Public or Private. Keys can be grouped as Asymmetric key pairs, which consist of one private and one public key.
Difference between Asymmetric and Symmetric keys
Algorithms for symmetric keys use a single key for both encryption and decryption. Algorithms for asymmetric keys use different keys for encryption and decryption. Symmetric key algorithms have the advantage in that they are much faster than asymmetric algorithms, and can handle thousands of keys with very little computing overhead. The main disadvantage is that at least one key has to be transmitted to the receiving end, which means there is a possibility of it being intercepted and tampered with. This problem is solved by using asymmetric keys, as a message can be sent or received with a public key, while the other end (sender or receiver) uses a personal private key, depending on the key's purpose, such as assuring confidentiality, authentication, tamper detection, etc.
Using asymmetric keys for confidentiality
For example, to maintain confidentiality, a message can be encrypted with a public key as it is sent, which means that anyone can intercept it and analyze its contents. But only the intended receiver with a private key that corresponds to the public key can decode the message. While the public key can be sent back and forth among recipients, the private key is fixed to one location, and won’t be sent anywhere.
Using asymmetric keys for authentication
To maintain authentication, the sender encrypts his/her identity on a message with a personal private key as it is sent, which acts as a signature, to verify the source of the message. In this case, the receiving end uses a public key to check the message, and find out who sent it. Since the decryption is done with a public key, anyone can check who sent the message.
Cryptographic keys for long term or single usage
Keys can also have the property that they can be static (designed for long term usage) or ephemeral (designed to be used only for a single session or management transaction). This distinction is mainly applies to the Ephemeral Key Agreement Key (explained below) since the other key types are generally designed for long crypto-periods (usually 1 -2 years). Some key types that may need shorter crypto-periods (from a few days to a few weeks) are Symmetric authentication keys, Data Encryption keys, Key-Wrapping keys, Private Key-Transport keys, RNG keys, and Authorization keys.
Description of the 10 basic types of cryptographic keys
Cryptographic keys can be classified in 10 different categories, as outlined below. Each key is designed for one specific purpose, and shouldn’t be mistaken for other key types. The cryptographic algorithms for each key type are described according to their properties (Symmetric, Public or Private):
Authentication Key (Symmetric, Public or Private)
Symmetric authentication keys are used with symmetric key algorithms to provide assurance of the integrity and source of messages, communication sessions, documents, or stored data.
A private (or public) authentication key is the private (or public) key of an asymmetric key pair that is used with a public-key algorithm to provide assurance as to the integrity and source of information and the identity of the originating entity when executing an authentication mechanism or when establishing an authenticated communication session.
Authorization Key (Symmetric, Public or Private)
Symmetric authorization keys are used to provide privileges to an entity using a symmetric cryptographic method. The same authorization key is used by the entity responsible for monitoring and granting access privileges for authorized entities and by the entity seeking access to resources.
A private authorization key is the private key of an asymmetric key pair that is used to provide privileges to an entity.
A public authorization key is the public key of an asymmetric key pair that is used to verify privileges for an entity that knows the associated private authorization key.
RNG Key (Symmetric, Public or Private)
RNG stands for “Random Number Generation”, and these keys are keys used to generate random numbers.
Static Key Agreement Key (Symmetric, Public or Private)
Symmetric Key Agreement Keys are used to establish other keys (e.g., Key-Wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., Initialization Vectors) using a symmetric key-Agreement algorithm.
Private (public) static key agreement keys are the private (public) keys of asymmetric key pairs that are used to establish other keys (e.g., key wrapping keys, data encryption keys, or MAC keys) and, optionally, other keying material (e.g., Initialization Vectors).
Ephemeral Key Agreement Key (Public or Private)
Private (or public) ephemeral Key-Agreement keys are the private (or public) keys of asymmetric key pairs that are used only once in a transaction to establish one or more keys (e.g., key-Wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., Initialization Vectors).
Signature Key (Public or Private)
A public Signature-Verification key is the public key of an asymmetric key pair that is used by a public-Key algorithm to verify digital signatures that are intended to provide source authentication, integrity protection of data, and non-repudiation of messages, documents or stored data.
Private signature keys are the private keys of asymmetric (public) key pairs that are used by public-Key algorithms to generate digital signatures with possible long-term implications. When properly handled, private signature keys can be used to provide source authentication, integrity protection and non-repudiation of messages, documents or stored data
Key Transport Keys (Public or Private)
Private Key-Transport keys are the private keys of asymmetric key pairs that are used to decrypt keys that have been encrypted with the associated public key using a public-Key algorithm.
Public Key-transport keys are the public keys of asymmetric key pairs that are used to encrypt keys using a Public-key algorithm.
Key Transport keys are usually used to establish other keys (e.g., key-Wrapping keys, data-encryption keys or MAC keys) and, optionally, other keying material (e.g., Initialization Vectors).
The symmetric form of a Transport Key is KEK (Key encrypting key) for Wrapping Keys.
Data Encryption/Decryption Key (Symmetric)
A symmetric data encryption/decryption keys are used to protect stored data, messages or communications sessions. These keys are primarily used with symmetric key algorithms to apply confidentiality protection to information.
Key Wrapping Key (Symmetric)
Symmetric Key-wrapping keys are used to encrypt other keys using symmetric-key algorithms. Key-wrapping keys are also known as key-encrypting keys.
Master Key (Symmetric)
A symmetric master key is used to derive other symmetric keys (e.g., data encryption keys, key wrapping keys, or authentication keys) using symmetric cryptographic methods.
In summary
One should be cautious that each cryptographic key is used for the particular purpose it is designed for. If the same key is used for other purposes (which often occurs), much damage or loss of security may result. Although there are instances when one key can be used for multiple services. For example, one digital signature can provide assurance of the identity of the originating entity, non-repudiation, source authentication, and integrity protection.
In a key management system, each cryptographic key should be labeled with one of the listed categories (or types).
CRYPTO KEY MANAGEMENT SYSTEM
Across all industries the requirements for managing cryptographic keys are becoming ever-more complex. Ensuring that the right key is in the right place at the right time is mandated by many organisations, i.e. major card payment scheme providers. This is a complicated requirement as most businesses need to manage an ever-increasing number of keys, while reducing the risk of internal and external fraud, as well as keeping costs at a minimum.
The Crypto Key Management System (CKMS) streamlines administration and reduces costs associated with traditional key management. Through its flexible and automated protocols, CKMS gives users the flexibility to manage a very large number of keys - throughout their entire life cycle - without drowning in work. Using Cryptomathic CKMS, administrators can uniformly and centrally manage the life cycle of all cryptographic keys across a range of encryption platforms.
Key Management Functions of Cryptomathic CKMS
Generation / back up / restore / update
Distribution - automated or in key shares
Import or export in key shares
Enforce security controls
Encryption using Key Encryption Keys (KEKs) / Zone Master Keys (ZMKs)
Certification (e.g. using X.509 or EMV certificates)
Key Life Cycle
CKMS manages all aspects of cryptographic keys during their life cycle
Keys can be securely generated and pushed to any key distribution target as and when required, and key custodians can use asynchronous log-on to projects for adding components securely - reducing the need for manual key ceremonies, while vastly improving workflows.
Based on industry standards, CKMS ensures compliance and simplifies internal and external audits.
CKMS Features
At your desk key ceremonies
Automated key distribution and updating
Centralised life cycle key manage
PKI is short for Public key Infrastructure and is basically a scheme for establishing and using trust for mass communication. PKI consists of a variety of components from a certification authority over policies to users credentials.
PKI is based on solid standards, predominantly x.509, PKIX and others, which ensure that interfacing back-end systems cause little or no hassle.
PKI is actually simple
Many PKI vendors make PKI sound complicated and quite a few potential customers believe that to be the case. PKI is in fact rather simple, especially if there is a clearly defined business case. The business case should fit with a need for secure mass communication benefitting from cost efficiency and user transparency.
The are a variety of business areas where PKI is highly applicable, which include:
Identification, e.g. ePassport
Content protection, e.g. DRM (Digital Rights Management)
Payment, e.g. EMV payment cards
Trusted devices, e.g. mobiles or chips, e.g. Trust Platform Modules
Cryptomathic's PKI product range includes all the applications needed to set up and maintain a 'trusted community' based on PKI. Our PKI products can be used as stand alone or in conjunction with other PKI products (from Cryptomathic or third parties) and include key functionality, such as:
Certification Authority (CA), including registration and validation authorities
Time stamping
Online Certificate Status Protocol (OCSP)
Key generation (when self signed certificates are not practical)
Cryptomathic PKI customers range from small to medium enterprises issuing certificates in the thousands to large technology organisations issuing billions of certificates every year.
2) What is VPN?
A virtual private network (VPN) is a technology that offers secure, reliable connectivity over a shared public network infrastructure such as the Internet. VPNs maintain the same security and management policies as a private network. They are the most cost effective method of establishing a virtual point-to-point connection between remote users and an enterprise customer's network.
3) Briefly describe NAT.
Network Address Translation (NAT) is designed for IP address conservation. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses, before packets are forwarded to another network. Also, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security by effectively hiding the entire internal network behind that address. NAT offers the dual functions of security and address conservation and is typically implemented in remote-access environments.
4) What is the job of the Network Layer under the OSI reference model?
Network layer is third layer in the OSI Model, it handle routing and prepare data for transmission. Primary functions are communication with the Transport/ data link layer ; Encapsulation of Transport data into Network layer Protocol Data Unit; Management of connectivity and routing between hosts or networks.
5) What are proxy servers and how do they protect computer networks?
Proxy server is a server may be a computer system or an application that acts as an intermediary for requests from clients seeking resources from other servers and client connects to the proxy server, requesting some service, such as a file, connection, web page or other resource available from a different server and the proxy server evaluates the request as a way to simplify and control its complexity. A proxy can keep the internal network structure of a company secret by using network address translation, which can help the security of the internal network and this makes requests from machines and users on the local network anonymous
6) What is the function of the OSI Session Layer?
In OSI model, the session layer is the fifth layer, which controls the connections between multiple computers. The session layer tracks the dialogs between computers, which are also called sessions. This layer establishes, controls and ends the sessions between local and remote applications. session layer software products are more sets of tools than specific protocols. These session-layer tools are normally provided to higher layer protocols through command sets often called application program interfaces or APIs. Common APIs include NetBIOS, TCP/IP Sockets and Remote Procedure Calls (RPCs). They allow an application to accomplish certain high-level communications over the network easily, by using a standardized set of services. Most of these session-layer tools are of primary interest to the developers of application software. The programmers use the APIs to write software that is able to communicate using TCP/IP without having to know the implementation details of how TCP/IP works.
7) What is DoS?
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses. Sometimes the attacker can inject and execute arbitrary code while performing a DoS attack in order to access critical information or execute commands on the server. Denial-of-service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.
8) What is OSI and what role does it play in computer networks?
The OSI (Open Systems Interconnection) serves as a reference model for data communication. It is made up of 7 layers, with each layer defining a particular aspect on how network devices connect and communicate with one another. Upper layers of the OSI model represent software that implements network services like encryption and connection management. Lower layers of the OSI model implement more hardware-oriented functions like routing, addressing, and flow control.
9) What is the main purpose of OSPF?
The OSPF (Open Shortest Path First) protocol The OSPF protocol is a link-state routing protocol which means that the routers exchange topology information with their nearest neighbours. The topology information is flooded throughout the Autonomous System, so that every router within the Autonomous System has a complete picture of the topology of the Autonomous System. This is then used to calculate end-to-end paths through the Autonomous System, normally using a variant of the Dijkstra algorithm. Therefore, in a link-state routing protocol, the next hop address to which data is forwarded is determined by choosing the best end-to-end path to the eventual destination.
10) What is the main job of the ARP?
Address Resolution Protocol (ARP) feature to translate physical addresses to internet protocol (IP) addresses. A physical address can be the MAC (Media Access Control) address of a network card inside of a computer. The information about which hardware address is associated with which IP address is usually stored in a table on each computer, the so-called ARP table.
Network Security: 30 Questions Every Manager/Executive Must Answer in Order to Track and Validate the Security of Their Organization
1. What does your network/security architecture diagram look like? The first thing you need to know to protect your network and systems is what you are protecting. You must know: • The physical topologies • Logical topologies (Ethernet, ATM, 802.11, VoIP, etc.) • Types of operating systems • Perimeter protection measures (firewall and IDS placement, etc.) • Types of devices used (routers, switches, etc.) • Location of DMZs • IP address ranges and subnets • Use of NAT In addition, you must know where the diagram is stored and that it is regularly updated as changes are made.
2. 2. What resources are located on your DMZ? Only systems that are semi-public should be kept on the DMZ. This includes external web servers, external mail servers, and external DNS. A split-architecture may be used where internal web, mail, and D
3. NS are also located on the internal network. 3. What resources are located on your internal network? In addition to internal web, mail, and DNS servers, your internal network could also include databases, application servers, and test and development servers.
4. Where is your organization’s security policy posted and what is in it? There should be an overall policy that establishes the direction of the organization and its security mission as well as roles and responsibilities. There can also be system-specific policies to address for individual systems. Most importantly, the policies should address the appropriate use of computing resources. In addition, policies can address a number of security controls from passwords and backups to proprietary information. There should be clear procedures and processes to follow for each policy. These policies should be included in the employee handbook and posted on a readily accessible intranet site.
5. What is your organization’s password policy? A password policy should require that a password: • Be at least 8 characters long • Contain both alphanumeric and special characters • Change every 60 days • Cannot be reused after every five cycles • Is locked out after 3 failed attempts In addition, you should be performing regular password auditing to check the strength of passwords; this should also be documented in the password policy.
6. What applications and services are specifically denied by your organization’s security policy? Your organization’s security policy should specify applications, services, and activities that are prohibited. These can include, among others: • Viewing inappropriate material • Spam • Peer-to-peer file sharing • Instant messaging • Unauthorized wireless devices • Use of unencrypted remote connections such as Telnet and FTP
7. What types of IDSs does your organization use? To provide the best level of detection, an organization should use a combination of both signature-based and anomaly-based intrusion detection systems. This allows both known and unknown attacks to be detected. The IDSs should be distributed throughout the network, including areas such as the Internet connection, the DMZ, and internal networks.
8. Besides default rulesets, what activities are actively monitored by your IDS? IDSs come with default rulesets to look for common attacks. These rulesets must also be customized and augmented to look for traffic and activities specific to your organization’s security policy. For example, if your organization’s security policy prohibits peer-to-peer communications, then a rule should be created to watch for that type of activity. In addition, outbound traffic should be watched for potential Trojans and backdoors.
9. What type of remote access is allowed? Remote access should be tightly controlled, monitored, and audited. It should only be provided over a secure communication channel that uses encryption and strong authentication, such as an IPSEC VPN. Desktop modems (including applications such as PCAnywhere), unsecured wireless access points, and other vulnerable methods of remote access should be prohibited.
10. What is your wireless infrastructure? Part of knowing your network architecture includes knowing the location of wireless networks since they create another possible entry point for an attacker. You must also confirm whether they are being used for sensitive data and are they secured as best as possible.
11. How is your wireless infrastructure secured? Wireless access must at least use WEP with 128-bit encryption. Although this provides some security, it is not very robust, which is why your wireless network should not be used for sensitive data. Consider moving to the 802.11i standard with AES encryption when it is finalized.
12. What desktop protections are used? Desktops should have a combination of anti-virus software, personal firewall, and host-based intrusion detection. Each of these software packages must be regularly updated as new signatures are deployed. They must also be centrally managed and controlled.
13. Where, when, and what type of encryption is used? VPNs should be used for remote access and other sensitive communication. IPSEC is a great choice for this purpose. Strong encryption protocols such as 3DES and AES should be used whenever possible. Web access to sensitive or proprietary information should be protected with 128-bit SSL. Remote system administration should use SSH. Sometimes file system encryption is also used to protect stored data.
14. What is your backup policy? A good backup policy includes weekly full backups with incremental backups performed daily. This includes all critical systems. In addition, the backups should be stored at an offsite location. Since backups include very valuable, easily accessible information, only trusted individuals should be performing them and have access to them. An organization should also encourage users to perform local backups as well.
Hard copies of sensitive information should be destroyed by pulping, shredding, or incinerating. Sensitive information on hard drives and disks should be completely erased using special software, or the disks destroyed. Simply deleting a file is not sufficient to prevent attackers from undeleting the file later. If you are disposing of a computer system, be sure to erase all sensitive files from the hard drive by using a wipeout utility.
16. What is included in your disaster recovery plan? Your disaster recovery plan (DRP) should include recovery of data centers and recovery of business operations. It should also include recovery of the accrual physical business location and recovery of the business processes necessary to resume normal operations. In addition, the DRP should address alternate operating sites.
17. How often is your disaster recovery plan tested? The plan is no good unless it is tested at least once a year. These tests will iron out problems in the plan and make it more efficient and successful if/when it is needed. Testing can include walkthroughs, simulation, or a full out implementation. 18. What types of attacks are you seeing? Typically an organization sees a constant stream of port scan attacks. These are a regular occurrence on the Internet as a result of attackers and worms. An organization should not be seeing many substantial attacks such as compromises, backdoors, or exploits on systems. This would indicate that the security defenses are weak, patching may not be occurring, or other vulnerabilities exist.
19. How often are logs reviewed? Logs should be reviewed every day. This includes IDS logs, system logs, management station logs, etc. Not reviewing the logs is one of the biggest mistakes an organization can make. Events of interest should be investigated daily. It can be a very tedious task for a single person to do this job as their only assignment (unless they really enjoy it). It is better to have a log review rotation system amongst the security team.
20. How often are you performing vulnerability scanning? An organization should be performing vulnerability scanning as often as possible, depending on the size of the network. The scanning should be scheduled to allow adequate time to review the reports, discover anything that has changed, and mitigate the vulnerability.
21. What physical security controls are in place in your organization? Physical security is a large area that must be addressed by an organization. Examples of physical controls includes physical access controls (signs, locks, security guards, badges/PINs, bag search/scanning, metal detectors), CCTV, motion detectors, smoke and water detectors, and backup power generators.
22. What are your critical business systems and processes? Identifying your critical business systems and processes is the first step an organization should take in order to implement the appropriate security protections. Knowing what to protect helps determine the necessary security controls. Knowing the critical systems and processes helps determine the business continuity plan and disaster recovery plan process. Critical business systems and processes may include an e commerce site, customer database information, employee database information, the ability to answer phone calls, the ability to respond to Internet queries, etc.
23. What are the specific threats to your organization? In addition to identifying the critical business systems and processes, it is important to identify the possible threats to those systems as well as the organization as a whole. You should consider both external and internal threats and attacks using various entry points (wireless, malicious code, subverting the firewall, etc.). Once again, this will assist in implementing the appropriate security protections and creating business continuity and disaster recovery plans.
24. What are the tolerable levels of impact your systems can have? An organization must understand how an outage could impact the ability to continue operations. For example, you must determine how long systems can be down, the impact on cash flow, the impact on service level agreements, and the key resources that must be kept running.
25. Are you performing content level inspections? In addition to the content level inspection performed by the IDS, specific content inspections should also be performed on web server traffic and other application traffic. Some attacks evade detection by containing themselves in the payload of packets, or by altering the packet in some way, such as fragmentation. Content level inspection at the web server or application server will protect against attacks such as those that are tunneled in legitimate communications, attacks with malicious data, and unauthorized application usage.
26. How often are your systems patched? Systems should be patched every time a new patch is released. Many organizations don’t patch regularly and tend to not patch critical systems because they don’t want to risk downtime. However, critical systems are the most important to patch. You must schedule regular maintenance downtime to patch systems. As vulnerabilities are discovered, attackers often release exploits even before system patches are available. Therefore, it is imperative to patch systems as soon as possible.
27. How are you protecting against social engineering and phishing attacks? The best way to protect against social engineering and phishing attacks is to educate the users. Employees should attend security awareness training that explains these types of attacks, what to expect, and how to respond. There should also be a publicly posted incidents email address to report suspicious activity.
28. What security measures are in place for in-house developed applications? Any development that is taking place in house should include security from the beginning of the development process. Security needs to be a part of standard requirements and testing procedures. Code reviews should be conducted by a test team to look for vulnerabilities such as buffer overflows and backdoors. For security reasons, it is not a good idea to subcontract development work to third parties.
29. What type of traffic are you denying at the firewall? There should be a default deny rule on all firewalls to disallow anything that is not explicitly permitted. This is more secure than explicitly denying certain traffic because that can create holes and oversights on some potentially malicious traffic.
30. How are you monitoring for Trojans and backdoors? In addition to periodic vulnerability scanning, outgoing traffic should be inspected before it leaves the network, looking for potentially compromised systems. Organizations often focus on traffic and attacks coming into the network and forget about monitoring outgoing traffic. Not only will this detect compromised systems with Trojans and backdoors, but it will also detect potentially malicious or inappropriate insider activity.
Information Security Interview Questions
Home » Study » Information Security Interview Questions
infosec
Before You Start
General Questions
Network Security
Application Security
Corporate/Risk
The Onion Model
The Role-playing Model
Innovation Questions
[ For overall InfoSec career advice, be sure to check out my new article titled: How to Build a Successful Information Security Career ]
What follows is a list of questions for use in vetting candidates for positions in Information Security. Many of the questions are designed to get the candidate to think, and to articulate that thought process in a scenario where preparation was not possible. Observing these types of responses is often as important as the actual answers.
I’ve mixed technical questions with those that are more theory and opinion-based, and they are also mixed in terms of difficulty. They are also generally separated into categories, and a number of trick questions are included. The goal of such questions is to expose glaring technical weakness that will manifest later in the workplace, not to be cute. I also include with each question a few words on expected/common responses.
Before You Start
It’s been shown fairly conclusively, by Google and others, that fancy technical questions—especially those of the “how many jellybeans fit in a car” type—do not predict employee success.
Read that part again.
They don’t predict success. Google showed this by going back over years of interview data and mapping it to how those employees ended up doing on the job. The result? People who aced those types of questions didn’t do any better than those who did poorly on them.
In sum, these types of pet questions tend to make interviewers feel smart, and little else. I rely on the data more than my anecdotes, but as someone who’s given many, many technical interviews, I can tell you that this is consistent with my experience.
We have people who are absolute rockstars that effectively failed at these questions, and we have people who crushed them and floundered on the job. The lesson here is not to avoid any sort of especially technical questions: It’s that you need to be cautious of the tendency to fetishize certain questions or certain types of questions. It will only hurt you.
Now, onto the questions.
General
Are open-source projects more or less secure than proprietary ones?
The answer to this question is often very telling about a given candidate. It shows 1) whether or not they know what they’re talking about in terms of development, and 2) it really illustrates the maturity of the individual (a common theme among my questions). My main goal here is to get them to show me pros and cons for each. If I just get the “many eyes” regurgitation then I’ll know he’s read Slashdot and not much else. And if I just get the “people in China can put anything in the kernel” routine then I’ll know he’s not so good at looking at the complete picture.
The ideal answer involves the size of the project, how many developers are working on it (and what their backgrounds are), and most importantly — quality control. In short, there’s no way to tell the quality of a project simply by knowing that it’s either open-source or proprietary. There are many examples of horribly insecure applications that came from both camps.
How do you change your DNS settings in Linux/Windows?
Here you’re looking for a quick comeback for any position that will involve system administration (see system security). If they don’t know how to change their DNS server in the two most popular operating systems in the world, then you’re likely working with someone very junior or otherwise highly abstracted from the real world.
What’s the difference between encoding, encryption, and hashing?
Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn’t primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.
What’s more secure, SSL or HTTPS?
Trick question: these are not mutually exclusive. Look for a smile like they caught you in the cookie jar. If they’re confused, then this should be for an extremely junior position.
Can you describe rainbow tables?
Look for a thorough answer regarding overall password attacks and how rainbow tables make them faster.
What is salting, and why is it used?
You purposely want to give the question without context. If they know what salting is just by name, they’ve either studied well or have actually been exposed to this stuff for a while.
Who do you look up to within the field of Information Security? Why?
A standard question type. All we’re looking for here is to see if they pay attention to the industry leaders, and to possibly glean some more insight into how they approach security. If they name a bunch of hackers/criminals that’ll tell you one thing, and if they name a few of the pioneers that’ll say another. If they don’t know anyone in Security, we’ll consider closely what position you’re hiring them for. Hopefully it isn’t a junior position.
Where do you get your security news from?
Here I’m looking to see how in tune they are with the security community. Answers I’m looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don’t really matter. What does matter is that he doesn’t respond with, “I go to the CNET website.”, or, “I wait until someone tells me about events.”. It’s these types of answers that will tell you he’s likely not on top of things.
If you had to both encrypt and compress data during transmission, which would you do first, and why?
If they don’t know the answer immediately it’s ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn’t know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: “Compress then encrypt. If you encrypt first you’ll have nothing but random data to work with, which will destroy any potential benefit from compression.
What’s the difference between symmetric and public-key cryptography
Standard stuff here: single key vs. two keys, etc, etc.
In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?
You encrypt with the other person’s public key, and you sign with your own private. If they confuse the two, don’t put them in charge of your PKI project.
What kind of network do you have at home?
Good answers here are anything that shows you he’s a computer/technology/security enthusiast and not just someone looking for a paycheck. So if he’s got multiple systems running multiple operating systems you’re probably in good shape. What you don’t want to hear is, “I get enough computers when I’m at work…” I’ve yet to meet a serious security guy who doesn’t have a considerable home network–or at least access to one, even if it’s not at home.
What are the advantages offered by bug bounty programs over normal testing practices?
You should hear coverage of many testers vs. one, incentivization, focus on rare bugs, etc.
What are your first three steps when securing a Linux server?
Their list isn’t key here (unless it’s bad); the key is to not get panic.
What are your first three steps when securing a Windows server?
Their list isn’t key here (unless it’s bad); the key is to not get panic.
Who’s more dangerous to an organization, insiders or outsiders?
Ideally you’ll hear inquiry into what’s meant by “dangerous”. Does that mean more likely to attack you, or more dangerous when they do?
Why is DNS monitoring important?
If they’re familiar with infosec shops of any size, they’ll know that DNS requests are a treasure when it comes to malware indicators.
Network Security
What port does ping work over?
A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn’t work over a port) A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.
Do you prefer filtered ports or closed ports on your firewall?
Look for a discussion of security by obscurity and the pros and cons of being visible vs. not. There can be many signs of maturity or immaturity in this answer.
How exactly does traceroute/tracert work at the protocol level?
This is a fairly technical question but it’s an important concept to understand. It’s not natively a “security” question really, but it shows you whether or not they like to understand how things work, which is crucial for an Infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions.
The key point people usually miss is that each packet that’s sent out doesn’t go to a different place. Many people think that it first sends a packet to the first hop, gets a time. Then it sends a packet to the second hop, gets a time, and keeps going until it gets done. That’s incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that’s used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.
What are Linux’s strengths and weaknesses vs. Windows?
Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux with a passion? If so just thank him for his time and show him out. Linux is everywhere in the security world.
Cryptographically speaking, what is the main method of building a shared secret over a public medium?
Diffie-Hellman. And if they get that right you can follow-up with the next one.
What’s the difference between Diffie-Hellman and RSA?
Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol. If they get that far, make sure they can elaborate on the actual difference, which is that one requires you to have key material beforehand (RSA), while the other does not (DH). Blank stares are undesirable.
What kind of attack is a standard Diffie-Hellman exchange vulnerable to?
Man-in-the-middle, as neither side is authenticated.
Application Security
Describe the last program or script that you wrote. What problem did it solve?
All we want to see here is if the color drains from the guy’s face. If he panics then we not only know he’s not a programmer (not necessarily bad), but that he’s afraid of programming (bad). I know it’s controversial, but I think that any high-level security guy needs some programming skills. They don’t need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.
How would you implement a secure login field on a high traffic website where performance is a consideration?
We’re looking for a basic understanding of the issue of wanting to serve the front page in HTTP, while needing to present the login form via HTTPs, and how they’d recommend doing that. A key piece of the answer should center around avoidance of the MiTM threat posed by pure HTTP. Blank stares here mean that they’ve never seen or heard of this problem, which means they’re not likely to be anything near pro level.
What are the various ways to handle account brute forcing?
Look for discussion of account lockouts, IP restrictions, fail2ban, etc.
What is Cross-Site Request Forgery?
Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim’s browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).
How does one defend against CSRF?
Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we’re looking for recognition and basic understanding here–not a full, expert level dissertation on the subject. Adjust expectations according to the position you’re hiring for.
If you were a site administrator looking for incoming CSRF attacks, what would you look for?
This is a fun one, as it requires them to set some ground rules. Desired answers are things like, “Did we already implement nonces?”, or, “That depends on whether we already have controls in place…” Undesired answers are things like checking referrer headers, or wild panic.
What’s the difference between HTTP and HTML?
Obviously the answer is that one is the networking/application protocol and the other is the markup language, but again, the main thing you’re looking for is for him not to panic.
How does HTTP handle state?
It doesn’t, of course. Not natively. Good answers are things like “cookies”, but the best answer is that cookies are a hack to make up for the fact that HTTP doesn’t do it itself.
What exactly is Cross Site Scripting?
You’d be amazed at how many security people don’t know even the basics of this immensely important topic. We’re looking for them to say anything regarding an attacker getting a victim to run script content (usually JavaScript) within their browser.
What’s the difference between stored and reflected XSS?
Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim’s browser when the results are returned from the site.
What are the common defenses against XSS?
Input Validation/Output Sanitization, with focus on the latter.
Corporate/Risk
What is the primary reason most companies haven’t fixed their vulnerabilities?
This is a bit of a pet question for me, and I look for people to realize that companies don’t actually care as much about security as they claim to–otherwise we’d have a very good remediation percentage. Instead we have a ton of unfixed things and more tests being performed.
Look for people who get this, and are ok with the challenge.
What’s the goal of information security within an organization?
This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. “To control access to information as much as possible, sir!” While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I’m looking for. A much better answer in my view is something along the lines of, “To help the organization succeed.”
This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding—-a realization that security is there for the company and not the other way around.
What’s the difference between a threat, vulnerability, and a risk?
As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you’d like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent.
If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? [Imagine you start on day one with no knowledge of the environment]
We don’t need a list here; we’re looking for the basics. Where is the important data? Who interacts with it? Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability assessments. What’s being logged an audited? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation.
As a corporate Information Security professional, what’s more important to focus on: threats or vulnerabilities?
This one is opinion-based, and we all have opinions. Focus on the quality of the argument put forth rather than whether or not they they chose the same as you, necessarily. My answer to this is that vulnerabilities should usually be the main focus since we in the corporate world usually have little control over the threats.
Another way to take that, however, is to say that the threats (in terms of vectors) will always remain the same, and that the vulnerabilities we are fixing are only the known ones. Therefore we should be applying defense-in-depth based on threat modeling in addition to just keeping ourselves up to date.
Both are true, of course; the key is to hear what they have to say on the matter.
The Onion Model
The questions above are fairly straightforward. They are, generally, negative filters, i.e. they’re designed to excluded candidates for having glaring weaknesses. If you are dealing with a more advanced candidate then one approach I recommend taking is that of the onion model.
The Onion Model of interviewing starts at the surface level and then dives deeper and deeper—often to a point that the candidate cannot go. This is terrifically revealing, as it shows not only where a candidate’s knowledge stops, but also how they deal with not knowing something.
One component of this cannot be overstated: Using this method allows you to dive into the onion in different ways, so even candidates who have read this list, for example, will not have perfect answers even if you ask the same question.
An example of this would be starting with:
How does traceroute work?
They get this right, so you go to the next level.
What protocol does it use?
This is a trick question, as it can use lots of options, depending on the tool. Then you move on.
Describe a Unix traceroute hitting google.com at all seven layers of the OSI model.
Etc. It’s deeper and deeper exploration of a single question. Here’s a similar option for the end-phase of such a question.
If I’m on my laptop, here inside my company, and I have just plugged in my network cable. How many packets must leave my NIC in order to complete a traceroute to twitter.com?
The key here is that they need to factor in all layers: Ethernet, IP, DNS, ICMP/UDP, etc. And they need to consider round-trip times. What you’re looking for is a realization that this is the way to approach it, and an attempt to knock it out. A bad answer is the look of WTF on the fact of the interviewee.
This could be asked as a final phase of a multi-step protocol question that perhaps starts with the famous, “What happens when I go to Google.com?”
How would you build the ultimate botnet?
Answers here can vary widely; you want to see them cover the basics: encryption, DNS rotation, the use of common protocols, obscuring the heartbeat, the mechanism for providing updates, etc. Again, poor answers are things like, “I don’t make them; I stop them.”
Role-Playing as an Alternative to the Onion Model
Another option for going to increasing depth, is to role-play with the candidate. You present them a problem, and they have to troubleshoot. I had one of these during an interview and it was quite valuable.
You would tell them, for example, that they’ve been called in to help a client who’s received a call from their ISP stating that one or more computers on their network have been compromised. And it’s their job to fix it. They are now at the client site and are free to talk to you as the client (interviewing them), or to ask you as the controller of the environment, e.g. “I sniff the external connection using tcpdump on port 80. Do I see any connections to IP 8.8.8.8.” And you can then say yes or no, etc.
From there they continue to troubleshooting/investigating until they solve the problem or you discontinue the exercise due to frustration or pity.
Innovation Questions
At the top tier of technical security roles you may want someone who is capable of designing as well as understanding. In these cases you can also ask questions about design flaws, how they would improve a given protocol, etc.
These questions separate good technical people from top technical people, and I imagine less than 1% of those in infosec would even attempt to answer any of these.
Here are a few examples:
What are the primary design flaws in HTTP, and how would you improve it?
If you could re-design TCP, what would you fix?
What is the one feature you would add to DNS to improve it the most?
What is likely to be the primary protocol used for the Internet of Things in 10 years?
If you had to get rid of a layer of the OSI model, which would it be?
[ NOTE: You can ask infinite variations of these, of course. Asking for three options instead of one, or asking them to rank the results, etc. ]
It’s important to note with these questions that you could have a superstar analyst who knows nothing about these matters while someone who is at this level would make a poor forensic expert. It’s all about matching skills to roles.
Conclusion
For more on hiring overall, I recommend doing a good amount of research. Most important to learn, as I talked about above, is the limitations of interviews. Use other data available to you whenever possible, and above everything else: Be extremely cautious of anyone who thinks they can spot “the one” because they’re good at it..
Bias is a major problem in interviewing, and it’s likely that someone with a steadfast belief in his or her interview brilliance is doing harm to your organization by introducing bad candidates. When possible, do what Google did: Explore the data. Look at how candidates did in interviews relative to how they did on the job. Wherever you have mismatches you have a problem with your process.
Feel free to contact me if you have any comments on the questions, or if you have an ideas for additions.
[ Updated: June 2014 ]
Notes
Here is an article about Google revealing the ineffectiveness of their brainteaser questions.
As a hiring organization, be cautious of any interviewer that has an ego or attitude. The odds of you getting any good data from them is low. The name of the game is reducing bias, and that type has a lot of it.
Always try to combine any interview with a work sample, and/or great reference data.
I have had these questions asked to me on numerous interviews. It’s quite humorous when they find out they’re reading from my website.
What is an Exploit?
•The security functionality triangle
•The attacker's process
•Passive reconnaissance
•Active reconnaissance
•Types of attacks
•Categories of exploits
Footprinting
•What is Footprinting
•Steps for gathering information
Enumeration
•What is Enumeration
•NetBios Null Sessions
•Null Session Countermeasures
•NetBIOS Enumeration
System Hacking
•Administrator Password Guessing
•Performing Automated Password Guessing
Trojans and Backdoors
•What is a Trojan Horse?
Sniffers
•What is a Sniffer?
•Passive Sniffing
•Active Sniffing
•Hacking Tool: EtherFlood
•How ARP Works?
Denial of Service
•What is Denial of Service Attack?
•Types of DoS Attacks
•How DoS Work?
•What is DDoS?
Social Engineering
•What is Social Engineering?
•Art of Manipulation
Session Hijacking
•What is Session Hijacking?
•Session Hijacking Steps
Hacking Web Servers
•Apache Vulnerability
•Attacks against IIS
Web Application Vulnerabilities
•Documenting the Application Structure
•Manually Inspecting Applications
Web Based Password Cracking Techniques
•Basic Authentication
•Message Digest Authentication
SQL Injection
•What is SQL Injection Vulnerability?
•SQL Insertion Discovery
Hacking Wireless Networks
•802.11 Standards
Virus and Worms
Novell Hacking
•Common accounts and passwords
•Accessing password files
Linux Hacking
•Why Linux ?
•Linux Basics
IDS, Firewalls and Honeypots
•Intrusion Detection System
•System Integrity Verifiers
•How are Intrusions Detected?
•What is a Buffer Overflow?
Cryptography
•What is PKI?
•Digital Certificates
1) Explain what is the role of information security analyst?
From small to large companies role of information security analyst includes
Implementing security measures to protect computer systems, data and networks
Keep himself up-to-date with on the latest intelligence which includes hackers techniques as well
Preventing data loss and service interruptions
Testing of data processing system and performing risk assessments
Installing various security software like firewalls, data encryption and other security measures
Recommending security enhancements and purchases
Planning, testing and implementing network disaster plans
Staff training on information and network security procedures
2) Mention what is data leakage? What are the factors that can cause data leakage?
The separation or departing of IP from its intended place of storage is known as data leakage. The factors that are responsible for data leakage can be
Copy of the IP to a less secure system or their personal computer
Human error
Technology mishaps
System misconfiguration
A system breach from a hacker
A home-grown application developed to interface to the public
Inadequate security control for shared documents or drives
Corrupt hard-drive
Back up are stored in an insecure place
3) List out the steps to successful data loss prevention controls?
Create an information risk profile
Create an impact severity and response chart
Based on severity and channel determine incident response
Create an incident workflow diagram
Assign roles and responsibilities to the technical administrator, incident analyst, auditor and forensic investigator
Develop the technical framework
Expand the coverage of DLP controls
Append the DLP controls into the rest of the organization
Monitor the results of risk reduction
4) Explain what is the 80/20 rule of networking?
80/20 is a thumb rule used for describing IP networks, in which 80% of all traffic should remain local while 20% is routed towards a remote network.
5) Mention what are personal traits you should consider protecting data?
Install anti-virus on your system
Ensure that your operating system receives an automatic update
By downloading latest security updates and cover vulnerabilities
Share the password only to the staff to do their job
Encrypt any personal data held electronically that would cause damage if it were stolen or lost
On a regular interval take back-ups of the information on your computer and store them in a separate place
Before disposing off old computers, remove or save all personal information to a secure drive
Install anti-spyware tool
SecurityAnalyst1
6) Mention what is WEP cracking? What are the types of WEP cracking?
WEP cracking is the method of exploiting security vulnerabilities in wireless networks and gaining unauthorized access. There are basically two types of cracks
Active cracking: Until the WEP security has been cracked this type of cracking has no effect on the network traffic.
Passive cracking: It is easy to detect compared to passive cracking. This type of attack has increased load effect on the network traffic.
7) List out various WEP cracking tools?
Various tools used for WEP cracking are
Aircrack
WEPCrack
Kismet
WebDecrypt
8) Explain what is phishing? How it can be prevented?
Phishing is a technique that deceit people to obtain data from users. The social engineer tries to impersonate genuine website webpage like yahoo or face-book and will ask the user to enter their password and account ID.
It can be prevented by
Having a guard against spam
Communicating personal information through secure websites only
Download files or attachments in emails from unknown senders
Never e-mail financial information
Beware of links in e-mails that ask for personal information
Ignore entering personal information in a pop-up screen
9) Mention what are web server vulnerabilities?
The common weakness or vulnerabilities that the web server can take an advantage of are
Default settings
Misconfiguration
Bugs in operating system and web servers
10) List out the techniques used to prevent web server attacks?
Patch Management
Secure installation and configuration of the O.S
Safe installation and configuration of the web server software
Scanning system vulnerability
Anti-virus and firewalls
Remote administration disabling
Removing of unused and default account
Changing of default ports and settings to customs port and settings
11) For security analyst what are the useful certification?
Useful certification for security analyst are
Security Essentials (GSEC): It declares that candidate is expert in handling basic security issues- it is the basic certification in security
Certified Security Leadership: It declares the certification of management abilities and the skills that is required to lead the security team
Certified Forensic Analyst: It certifies the ability of an individual to conduct formal incident investigation and manage advanced incident handling scenarios including external and internal data breach intrusions
Certified Firewall Analyst: It declares that the individual has proficiency in skills and abilities to design, monitor and configure routers, firewalls and perimeter defense systems
12) How can an institute or a company can safeguard himself from SQL injection?
An organization can rely on following methods to guard themselves against SQL injection
Sanitize user input: User input should be never trusted it must be sanitized before it is used
Stored procedures: These can encapsulate the SQL statements and treat all input as parameters
Regular expressions: Detecting and dumping harmful code before executing SQL statements
Database connection user access rights: Only necessary and limited access right should be given to accounts used to connect to the database
Error messages: Error message should not be specific telling where exactly the error occurred it should be more generalized.
101 IT Security Interview Questions
posted by John Spacey, January 11, 2013
The following IT security interview questions are at the architectural level. They may be of use for interviewing:
☑ Security Architects
☑ Security Specialists (e.g. Network Security Administrators)
☑ IT Executives
☑ Enterprise Architects
☑ IT Managers
☑ Solution Architects
The questions range greatly in difficulty and should be tailored to each role.
Basic Concepts
1. What is information security and how is it achieved?
2. What are the core principles of information security?
3. What is non-repudiation (as it applies to IT security)?
4. What is the relationship between information security and data availability?
5. What is a security policy and why do we need one?
6. What is the difference between logical and physical security? Can you give an example of both?
7. Is there an acceptable level of risk?
8. How do you measure risk? Can you give an example of a specific metric that measures information security risk?
9. Can you give me an example of risk trade-offs (e.g. risk vs cost)?
10. What are the most common types of attack that threaten enterprise data security?
11. What is the difference between a threat and a vulnerability?
12. Can you give me an example of common security vulnerabilities?
13. Are you familiar with any security management frameworks such as ISO/IEC 27002?
14. Can you briefly discuss the role of information security in each phase of the software development lifecycle?
15. Can you describe the role of security operations in the enterprise?
16. What is incident management?
17. What is business continuity management? How does it relate to security?
18. What is a security control?
19. What are the different types of security control?
20. Can you describe the information lifecycle? How do you ensure information security at each phase?
21. What is Information Security Governance?
22. What are your professional values? Why are professional ethics important in the information security field?
Security Audits and Testing
23. What is an IT security audit?
24. How do you test information security?
25. What is the difference between black box and white box penetration testing?
26. What is a vulnerability scan?
27. What is captured in a security assessment plan (security test plan)?
Access Control
28. What is the difference between authentication and authorization?
29. What types of information can be used for authentication?
30. What is role-based access control?
31. What is meant by the term "least privilege"?
32. What is two-factor authentication? Does it require special hardware?
Security Architecture
33. Why are open standards important to security solutions?
34. How do you balance demands from different stakeholders who have conflicting requirements?
35. What is layered security architecture? Is it a good approach? Why?
36. Have you designed security measures that span overlapping information domains? Can you give me a brief overview of the solution?
37. How do you ensure that a design anticipates human error?
38. How do you ensure that a design achieves regulatory compliance?
39. What is capability-based security? Have you incorporated this pattern into your designs? How?
40. Can you give me a few examples of security architecture requirements?
41. Who typically owns security architecture requirements and what stakeholders contribute?
42. What special security challenges does SOA present?
43. What security challenges do unified communications present?
44. Do you take a different approach to security architecture for a COTS vs a custom solution?
45. Have you architected a security solution that involved SaaS components? What challenges did you face?
46. Have you worked on a project in which stakeholders choose to accept identified security risks that worried you? How did you handle the situation?
Network
47. What is a firewall?
48. Besides firewalls, what other devices are used to enforce network boundaries?
49. What is the role of network boundaries in information security?
50. What does a intrusion detection system do? How does it do it?
51. What is a honeypot? What type of attack does it defend against?
52. What technologies and approaches are used to secure information and services deployed on cloud computing infrastructure?
53. What information security challenges are faced in a cloud computing environment?
54. How does packet filtering work?
55. Can you give me an overview of IP multicast?
56. Can you explain the difference between a packet filtering firewall and a application layer firewall?
57. What are the layers of the OSI model?
Security Leadership
58. How do you ensure that solution architects develop secure solutions?
59. What training do solution architects need to have in regards to IT security? What about developers?
60. How do you sell the value of IT security initiatives to executive management?
61. How do you ensure that a solution continues to be resilient in the face of evolving threats?
62. How do you avoid implementing overly complex or unnecessary security mechanisms?
63. Have you been involved with the governance of information security? What was your role? What did you accomplish?
64. Can you describe the laws and regulations that have a significant impact to information security at our organization?
65. What is the relationship between information security and privacy laws?
66. What is security level management?
67. How do you ensure that security management is transparent and measurable?
68. Can you outline the typical responsibilities of a Chief Security Officer (CSO)?
69. Can you give me an example of some emerging trends in information security that you're keeping an eye on?
Experience
70. Have you developed an incident response plan?
71. Have you been involved in supporting incident investigations? What was your role? What was the outcome?
72. Have you performed a risk analysis and evaluation? How did you go about it? What stakeholders did you involve?
73. Have you performed a threat assessment? What factors did you consider?
74. Have you performed a vulnerability assessment? What types of vulnerabilities are most difficult to identify?
75. In the context of a vulnerability assessment, how do you calculate the probability that a vulnerability will be exploited?
76. Can you give me an example of a time you identified and implemented controls to mitigate a risk? How did you evaluate the controls?
77. How do you stay up-to-date with technology? For example, how do you keep up with new information security threats?
Cryptography
78. How does the SSL Protocol work?
79. What is the difference between symmetric-key cryptography and public-key cryptography?
80. Can you give me an overview of how public-key cryptography works?
81. What is the difference between the encryption standards AES and DES?
82. What is the role of digital certificates in encryption?
83. What encryption mechanisms would you recommend to an organization that wants to encrypt its outgoing emails?
84. Can you give me an overview of IPsec? What is its purpose?
85. Does IPsec replace the need for SSL?
Security Incident Management
86. What are the components of ITIL incident management?
87. If our organization experienced a major security incident, what steps should we take to manage the incident?
88. Can you describe the responsibilities of an incident manager?
Threats
89. In your opinion, what are the top five information security threats facing an organization such as ours?
90. What is a man-in-the-middle attack?
91. Can you give me an example of cross-site scripting?
92. What is SQL injection? How is it prevented?
93. What is a buffer overflow?
94. What is clickjacking?
Vulnerabilities
95. What is a insecure direct object reference? Why is it a problem?
96. Why is it important to validate redirects and forwards?
97. What are some common security vulnerabilities at the information storage level?
98. What are some common security vulnerabilities at the transport level?
99. How can improper error handling expose security vulnerabilities? How?
Physical Security Integration
100. Can you give me a few examples of physical security integration?
101. What is social engineering? How common is it?
102. How would you secure an office environment? What about a data center?
firewall troubleshooting scenarios
vpn troubleshooting scenarios
proxy server troubleshooting scenarios
router troubleshooting
switch troubleshooting
Proxy server
In computer networks, a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers.[1] A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server and the proxy server evaluates the request as a way to simplify and control its complexity. Proxies were invented to add structure and encapsulation to distributed systems.[2] Today, most proxies are web proxies, facilitating access to content on the World Wide Web and providing anonymity.
Types Proxy server
A proxy server may reside on the user's local computer, or at various points between the user's computer and destination servers on the Internet.
A proxy server that passes requests and responses unmodified is usually called a gateway or sometimes a tunneling proxy.
A forward proxy is an Internet-facing proxy used to retrieve from a wide range of sources (in most cases anywhere on the Internet).
A reverse proxy is usually an internal-facing proxy used as a front-end to control and protect access to a server on a private network. A reverse proxy commonly also performs tasks such as load-balancing, authentication, decryption or caching.
Open proxies[edit]
Diagram of proxy server connected to the Internet.
An open proxy forwarding requests from and to anywhere on the Internet.
Main article: Open proxy
An open proxy is a forwarding proxy server that is accessible by any Internet user. Gordon Lyon estimates there are "hundreds of thousands" of open proxies on the Internet.[3] An anonymous open proxy allows users to conceal their IP address while browsing the Web or using other Internet services. There are varying degrees of anonymity however, as well as a number of methods of 'tricking' the client into revealing itself regardless of the proxy being used.
Reverse proxies[edit]
A proxy server connecting the Internet to an internal network.
A reverse proxy taking requests from the Internet and forwarding them to servers in an internal network. Those making requests connect to the proxy and may not be aware of the internal network.
Main article: Reverse proxy
A reverse proxy (or surrogate) is a proxy server that appears to clients to be an ordinary server. Requests are forwarded to one or more proxy servers which handle the request. The response from the proxy server is returned as if it came directly from the original server, leaving the client no knowledge of the origin servers.[4] Reverse proxies are installed in the neighborhood of one or more web servers. All traffic coming from the Internet and with a destination of one of the neighborhood's web servers goes through the proxy server. The use of "reverse" originates in its counterpart "forward proxy" since the reverse proxy sits closer to the web server and serves only a restricted set of websites. There are several reasons for installing reverse proxy servers:
Encryption / SSL acceleration: when secure web sites are created, the Secure Sockets Layer (SSL) encryption is often not done by the web server itself, but by a reverse proxy that is equipped with SSL acceleration hardware. Furthermore, a host can provide a single "SSL proxy" to provide SSL encryption for an arbitrary number of hosts; removing the need for a separate SSL Server Certificate for each host, with the downside that all hosts behind the SSL proxy have to share a common DNS name or IP address for SSL connections. This problem can partly be overcome by using the SubjectAltName feature of X.509 certificates.
Load balancing: the reverse proxy can distribute the load to several web servers, each web server serving its own application area. In such a case, the reverse proxy may need to rewrite the URLs in each web page (translation from externally known URLs to the internal locations).
Serve/cache static content: A reverse proxy can offload the web servers by caching static content like pictures and other static graphical content.
Compression: the proxy server can optimize and compress the content to speed up the load time.
Spoon feeding: reduces resource usage caused by slow clients on the web servers by caching the content the web server sent and slowly "spoon feeding" it to the client. This especially benefits dynamically generated pages.
Security: the proxy server is an additional layer of defense and can protect against some OS and Web Server specific attacks. However, it does not provide any protection from attacks against the web application or service itself, which is generally considered the larger threat.
Extranet Publishing: a reverse proxy server facing the Internet can be used to communicate to a firewall server internal to an organization, providing extranet access to some functions while keeping the servers behind the firewalls. If used in this way, security measures should be considered to protect the rest of your infrastructure in case this server is compromised, as its web application is exposed to attack from the Internet.
Uses Proxy server
Monitoring and filtering
Content-control software
A content-filtering web proxy server provides administrative control over the content that may be relayed in one or both directions through the proxy. It is commonly used in both commercial and non-commercial organizations (especially schools) to ensure that Internet usage conforms to acceptable use policy.
A content filtering proxy will often support user authentication to control web access. It also usually produces logs, either to give detailed information about the URLs accessed by specific users, or to monitor bandwidth usage statistics. It may also communicate to daemon-based and/or ICAP-based antivirus software to provide security against virus and other malware by scanning incoming content in real time before it enters the network.
Many work places, schools and colleges restrict the web sites and online services that are accessible and available in their buildings. Governments also censor undesirable content. This is done either with a specialized proxy, called a content filter (both commercial and free products are available), or by using a cache-extension protocol such as ICAP, that allows plug-in extensions to an open caching architecture.
Proxy vs. NAT[edit]
Most of the time 'proxy' refers to a layer-7 application on the OSI reference model. However, another way of proxying is through layer-3 and is known as Network Address Translation (NAT). The difference between these two proxy technologies is the layer in which they operate, and the procedure to configuring the proxy clients and proxy servers.
In client configuration of layer-3 proxy (NAT), configuring the gateway is sufficient. However, for client configuration of a layer-7 proxy, the destination of the packets that the client generates must always be the proxy server (layer-7), then the proxy server reads each packet and finds out the true destination.
Because NAT operates at layer-3, it is less resource-intensive than the layer-7 proxy, but also less flexible. As we compare these two technologies, we might encounter a terminology known as 'transparent firewall'. Transparent firewall means that the layer-3 proxy uses the layer-7 proxy advantages without the knowledge of the client. The client presumes that the gateway is a NAT in layer-3, and it does not have any idea about the inside of the packet, but through this method the layer-3 packets are sent to the layer-7 proxy for investigation.
DNS proxy[edit]
A DNS proxy server takes DNS queries from a (usually local) network and forwards them to an Internet Domain Name Server. It may also cache DNS records.
1) What is data encapsulation?
Data Encapsulation is a process of hiding and protecting data from the outside users or interference. The sending and receiving of data from a source device to the destination device is possible with the help of networking protocols when data encapsulation is used. Protocol Data Units contain the control information attached to the data at each layer.
The information is attached to the data field’s header but can also be at the end of the data field or trailer.
PDUs are encapsulated by attaching them to the data at each OSI reference model layer.
Encapsulation Protocol and Network Layer Settings
Setting Description
Cisco (EtherType) Ethernet frame format used by many routers as their proprietary, default encapsulation protocol. It has similar capabilities to bridged Ethernet or Token Ring, but is more efficient.1
Ethernet (bridged) Ethernet frame format used by bridges and bridging routers. Can carry any network layer protocol supported by Ethernet.
Frame Relay (Auto) (Frame Relay only) Either RFC1490 or EtherType encapsulation protocol based on the frames themselves. This is the best choice to use with Frame Relay because it works with both of the most common encapsulation techniques.
None - IP only A network-layer protocol that directs the ASE to analyze data assuming it is IP protocol.2
None - SNA only A network-layer protocol that directs the ASE to analyze data assuming that it is SNA protocol.2
None - Vines only A network-layer protocol that directs the ASE to analyze data assuming that it is Banyan VINES protocol.2
None - DECnet IV only A network-layer protocol that directs the ASE to analyze data assuming it is DECnet IV protocol.2
Point-to-Point (PPP) The standard point-to-point protocol used mainly on point-to-point links analyzed by the HDLC ASE, but can be used by Frame Relay ASEs.
RFC 1490 (IETF) (Frame Relay only) Standard Frame Relay Multi protocol encapsulation. This is the most versatile and common encapsulation protocol used with Frame Relay.
Router (proprietary) (HDLC only) An encapsulation protocol that decodes proprietary framing used by routers on point-to-point links.
Token Ring (bridged) Token Ring frame format used by bridges and bridging routers. Can carry any network layer protocol supported by Token Ring networks.
Spanning Tree Protocol (STP) is a Layer 2 protocol that runs on bridges and switches. The specification for STP is IEEE 802.1D. The main purpose of STP is to ensure that you do not create loops when you have redundant paths in your network. Loops are deadly to a network
Multiple Spanning Tree Protocol. Multiple Spanning Tree Protocol (MSTP) was first specified in IEEE 802.1s and is standardized in IEEE 802.1Q. MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, reducing the number of spanning-tree instances needed to support a large number of VLANs.
http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24248-147.html
Amazon Virtual Private Cloud (VPC)
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
You can easily customize the network configuration for your Amazon Virtual Private Cloud. For example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.
Get Started with AWS for Free
Create a Free Account
Or Sign In to the Console
Receive twelve months of access to the AWS Free Tier and enjoy AWS Basic Support features including, 24x7x365 customer service, support forums, and more.
Please note that Amazon VPC is not currently available on the AWS Free Tier.
Introducing NAT Gateway
You can now use Network Address Translation (NAT) Gateway, a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an AWS VPC. Learn More >>
Features and Benefits
Multiple Connectivity Options
A variety of connectivity options exist for your Amazon Virtual Private Cloud. You can connect your VPC to the Internet, to your datacenter, or other VPC's, based on the AWS resources that you want to expose publicly and those that you want to keep private.
Connect directly to the Internet (public subnets)– You can launch instances into a publicly accessible subnet where they can send and receive traffic from the Internet.
Connect to the Internet using Network Address Translation (private subnets)– Private subnets can be used for instances that you do not want to be directly addressable from the Internet. Instances in a private subnet can access the Internet without exposing their private IP address by routing their traffic through a Network Address Translation (NAT) gateway in a public subnet.
Connect securely to your corporate datacenter– All traffic to and from instances in your VPC can be routed to your corporate datacenter over an industry standard, encrypted IPsec hardware VPN connection.
Connect privately to other VPCs- Peer VPCs together to share resources across multiple virtual networks owned by your or other AWS accounts.
Connect to Amazon S3 without using an internet gateway or NAT, and control what buckets, requests, users, or groups are allowed through a VPC Endpoint for S3.
Combine connectivity methods to match the needs of your application– You can connect your VPC to both the Internet and your corporate datacenter and configure Amazon VPC route tables to direct all traffic to its proper destination.
Secure
Amazon VPC provides advanced security features such as security groups and network access control lists to enable inbound and outbound filtering at the instance level and subnet level. In addition, you can store data in Amazon S3 and restrict access so that it’s only accessible from instances in your VPC. Optionally, you can also choose to launch Dedicated Instances which run on hardware dedicated to a single customer for additional isolation.
Symantec Endpoint Protection, developed by Symantec Corporation, is an antivirus and personal firewall software for centrally managed corporate environments providing security for both servers and workstations.
Endpoint security or Endpoint Protection is a technology that takes an upper hand to protect computer networks that are remotely bridged to users' devices. The use of laptops, tablets, mobile devices and other wireless gadgets connected with corporate networks creates vulnerability paths for security threats.[1][2] Endpoint security attempts to ensure that such devices follow a definite level of compliance and standards.[3]
There are many types of computer security threats in this world. Some are pretty harmful while some are totally harmless although annoying. There are also some which does not do any damage to your computer, but has the capability to empty the numbers in your bank account.
If you are really interested to find out these threats, I have 28 of them here and do get yourself a cup of coffee before you start.
The types of computer security threats
1. Trojan. Trojan is one of the most complicated threats among all. Most of the popular banking threats come from the Trojan family such as Zeus and SpyEye. It has the ability to hide itself from antivirus detection and steal important banking data to compromise your bank account. If the Trojan is really powerful, it can take over your entire security system as well. As a result, a Trojan can cause many types of damage starting from your own computer to your online account.
2. Virus. Looking at the technology 10 years back, Virus is something really popular. It is a malicious program where it replicates itself and aim to only destroy a computer. The ultimate goal of a virus is to ensure that the victim’s computer will never be able to operate properly or even at all. It is not so popular today because Malware today is designed to earn money over destruction. As a result, Virus is only available for people who want to use it for some sort of revenge purpose.
3. Worms. One of the most harmless threats where it is program designed only to spread. It does not alter your system to cause you to have a nightmare with your computer, but it can spread from one computer to another computer within a network or even the internet. The computer security risk here is, it will use up your computer hard disk space due to the replication and took up most of your bandwidth due to the spread.
4. Spyware. Is a Malware which is designed to spy on the victim’s computer. If you are infected with it, probably your daily activity or certain activity will be spied by the spyware and it will find itself a way to contact the host of this malware. Mostly, the use of this spyware is to know what your daily activity is so that the attacker can make use of your information. Such as if you browse on sex toys for a week every day, the attacker will try to come out with a sex toy scam to cheat on your money.
5. Scareware. Scareware is something that plant into your system and immediately inform you that you have hundreds of infections which you don’t have. The idea here is to trick you into purchasing a bogus anti-malware where it claims to remove those threats. It is all about cheating your money but the approach is a little different here because it scares you so that you will buy.
6. Keylogger. Something that keeps a record of every keystroke you made on your keyboard. Keylogger is a very powerful threat to steal people’s login credential such as username and password. It is also usually a sub-function of a powerful Trojan.
7. Adware. Is a form of threat where your computer will start popping out a lot of advertisement. It can be from non-adult materials to adult materials because any ads will make the host some money. It is not really harmful threat but can be pretty annoying.
8. Backdoor. Backdoor is not really a Malware, but it is a form of method where once a system is vulnerable to this method, attacker will be able to bypass all the regular authentication service. It is usually installed before any virus or Trojan infection because having a backdoor installed will ease the transfer effort of those threats.
9. Wabbits. Is another a self-replicating threat but it does not work like a Virus or Worms. It does not harm your system like a Virus and it does not replicate via your LAN network like a Worms. An example of Wabbit’s attack is the fork bomb, a form of DDoS attack.
10. Exploit. Exploit is a form of software which is programmed specifically to attack certain vulnerability. For instance if your web browser is vulnerable to some out-dated vulnerable flash plugin, an exploit will work only on your web browser and plugin. The way to avoid hitting into exploit is to always patch your stuff because software patches are there to fix vulnerabilities.
[How to remove virus]
11. Botnet. Botnet is something which is installed by a BotMaster to take control of all the computer bots via the Botnet infection. It mostly infects through drive-by downloads or even Trojan infection. The result of this threat is the victim’s computer, which is the bot will be used for a large scale attack like DDoS.
12. Dialer. This threat is no longer popular today but looking at the technology 10 years back or more where we still access the internet using a dial-up modem, it is quite a popular threat. What it does is it will make use of your internet modem to dial international numbers which are pretty costly. Today, this type of threat is more popular on Android because it can make use of the phone call to send SMS to premium numbers.
13. Dropper. Looking at the name, a Dropper is designed to drop into a computer and install something useful to the attacker such as Malware or Backdoor. There are two types of Dropper where one is to immediately drop and install to avoid Antivirus detection. Another type of Dropper is it will only drop a small file where this small file will auto trigger a download process to download the Malware.
14. Fake AV. Fake Antivirus threat is a very popular threat among Mac user about 10 months ago. Due to the reason that Mac user seldom faces a virus infection, scaring them with message which tells them that their computer is infected with virus is pretty useful where it results them into purchasing a bogus antivirus which does nothing.
15. Phishing. A fake website which is designed to look almost like the actual website is a form of phishing attack. The idea of this attack is to trick the user into entering their username and password into the fake login form which serves the purpose of stealing the identity of the victim. Every form sent out from the phishing site will not go to the actual server, but the attacker controlled server.
16. Cookies.Cookies is not really a Malware. It is just something used by most websites to store something into your computer. It is here because it has the ability to store things into your computer and track your activities within the site. If you really don’t like the existence of cookies, you can choose to reject using cookies for some of the sites which you do not know.
17. Bluesnarfing. Bluesnarfing is all about having an unauthorized access to a specific mobile phones, laptop, or PDA via Bluetooth connection. By having such unauthorized access, personal stuff such as photos, calender, contacts and SMS will all be revealed and probably even stolen.
18. Bluejacking. Bluejacking is also uses the Bluetooth technology but it is not as serious as Bluesnarfing. What it does is it will connect to your Bluetooth device and send some message to another Bluetooth device. It is not something damaging to your privacy or device system compared to the Bluesnarfing threat.
19. DDoS. One of the most famous thing done by Anonymous, which is to send millions of traffic to a single server to cause the system to down with certain security feature disable so that they can do their data stealing. This kind of trick which is to send a lot of traffic to a machine is known as Distributed Denial of Service, also known as DDoS.
[10 Symptoms of a Computer Infected with Malware]
20. Boot Sector Virus. It is a virus that places its own codes into computer DOS boot sector or also known as the Master Boot Record. It will only start if there it is injected during the boot up period where the damage is high but difficult to infect. All the victim need to do if they realize there is a boot sector virus is to remove all the bootable drive so that this particular virus will not be able to boot.
21. Browser Hijackers. A browser hijacker uses the Trojan Malware to take control of the victim’s web browsing session. It is extremely dangerous especially when the victim is trying to send some money via online banking because that is the best time for the hijacker to alter the destination of the bank account and even amount.
22. Chain Letters. When I was small, I got tricked with chain letters written by my friend. But chain letters does not stop at that era. It brings to adult life as well where people like to send chain letter such as Facebook account delete letter. It usually says if you don’t forward that particular message or email to 20 people or more, your account will be deleted and people really believe that.
23. Virus Document. Virus today can be spread through document file as well especially PDF documents. Last time, people will only advice you not to simply execute an EXE file but in today’s world with today’s technology, document file should also be avoided. It is best if you use an online virus scanner to scan first before opening any single file which you feel it is suspicious.
24. Mousetrapping. I am not too sure whether you had encountered a Mousetrapping Malware before where what it does is it will trap your web browser to a particular website only. If you try to type another website, it will automatically redirect you back. If you try clicking forward/backward of the navigation button, it will also redirect you back. If you try to close your browser and re-open it, it will set the homepage to that website and you can never get out of this threat unless you remove it.
25. Obfuscated Spam. To be really honest, obfuscated Spam is a spam mail. It is obfuscated in the way that it does not look like any spamming message so that it can trick the potential victim into clicking it. Spam mail today looks very genuine and if you are not careful, you might just fall for what they are offering.
26. Pharming. Pharming works more or less like phishing but it is a little tricky here. There are two types of pharming where one of it is DNS poisoning where your DNS is being compromised and all your traffic will be redirected to the attacker’s DNS. The other type of pharming is to edit your HOST file where even if you typed www.google.com on your web browser, it will still redirect you to another site. One thing similar is that both are equally dangerous.
27. Crimeware. Crimeware is a form of Malware where it takes control of your computer to commit a computer crime. Instead of the hacker himself committing the crime, it plants a Trojan or whatever the Malware is called to order you to commit a crime instead. This will make the hacker himself clean from whatever crime that he had done.
28. SQL Injection. SQL injection does not infect the end users directly. It is more towards infecting a website which is vulnerable to this attack. What it does is it will gain unauthorized access to the database and the attacker can retrieve all the valuable information stored in the database.
To know what can threat your data you should know what malicious programs (Malware) exist and how they function. Malware can be subdivided in the following types:
Viruses: programs that infect other programs by adding to them a virus code to get access at an infected file start-up. This simple definition discovers the main action of a virus – infection. The spreading speed of viruses is lower than that of worms.
Worms: this type of Malware uses network resources for spreading. This class was called worms because of its peculiar feature to “creep” from computer to computer using network, mail and other informational channels. Thanks to it spreading speed of worms is very high.
Worms intrude your computer, calculate network addresses of other computers and send to these addresses its copies. Besides network addresses, the data of the mail clients' address books is used as well. Representatives of this Malware type sometimes create working files on system discs, but may not deploy computer resources (except the operating memory).
Trojans: programs that execute on infected computers unauthorized by user actions; i.e. depending on the conditions delete information on discs, make the system freeze, steal personal information, etc. this Malware type is not a virus in traditional understanding (i.e. does not infect other programs or data): Trojans cannot intrude the PC by themselves and are spread by violators as “useful” and necessary software. And still harm caused by Trojans is higher than of traditional virus attack.
Spyware: software that allows to collect data about a specific user or organization, who are not aware of it. You may not even guess about having spyware on your computer. As a rule the aim of spyware is to:
Trace user's actions on computer
Collect information about hard drive contents; it often means scanning some folders and system registry to make a list of software installed on the computer.
Collect information about quality of connection, way of connecting, modem speed, etc.
Collecting information is not the main function of these programs, they also threat security. Minimum two known programs – Gator and eZula – allow violator not only collect information but also control the computer. Another example of spyware are programs embedded in the browser installed on the computer and retransfer traffic. You have definitely come across such programs, when inquiring one address of a web-site, another web-site was opened. One of the spyware is phishing- delivery.
Phishing is a mail delivery whose aim is to get from the user confidential financial information as a rule. Phishing is a form of a social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The messages contain link to a deliberately false site where user is suggested to enter number of his/her credit card and other confidential information.
Adware: program code embedded to the software without user being aware of it to show advertising. As a rule adware is embedded in the software that is distributed free. Advertisement is in the working interface. Adware often gathers and transfer to its distributor personal information of the user.
Riskware: this software is not a virus, but contains in itself potential threat. By some conditions presence of such riskware on your PC puts your data at risk. To this software refer utilities of remote administration, programs that use Dial Up-connection and some others to connect with pay-per-minute internet sites.
Jokes: software that does not harm your computer but displays messages that this harm has already been caused, or is going to be caused on some conditions. This software often warns user about not existing danger, e.g. display messages about hard disc formatting (though no formatting is really happening), detect viruses in not infected files and etc.
Rootkit: these are utilities used to conceal malicious activity. They disguise Malware, to prevent from being detected by the antivirus applications. Rootkits can also modify operating system on the computer and substitute its main functions to disguise its presence and actions that violator makes on the infected computer.
Other malware: different programs that have been developed to create other Malware, organizing DoS-attacks on remote servers, intruding other computers, etc. Hack Tools, virus constructors and other refer to such programs.
Spam: anonymous, mass undesirable mail correspondence. Spam is political and propaganda delivery, mails that ask to help somebody. Another category of spam are messages suggesting you to cash a great sum of money or inviting you to financial pyramids, and mails that steal passwords and credit card number, messages suggesting to send them to your friends (me
10 Strategies To Fight Anonymous DDoS Attacks
Preventing distributed denial of service attacks may be impossible. But with advance planning, they can be mitigated and stopped. Learn where to begin.
1. Know you're vulnerable.
One lesson from the use of DDoS by Anonymous--as well as its sister hacktivist group LulzSec--is that any site is at risk. That's not meant to sound alarmist, but rather simply to acknowledge that the hacktivist agenda can seem random, at best. Indeed, after Anonymous came along, "the financial sector, which had not really considered itself as a prime target, was hit and urgently forced to confront threatening situations," according to the Radware report. "Government sites had been targeted before, but 2011 saw a dramatic increase in frequency, and neutral governments that felt themselves exempt, like New Zealand, were attacked."
2. DDoS attacks are cheap to launch, tough to stop.
As the recent Anonymous retaliation for the Megaupload takedown shows, hacktivists can quickly crowdsource "5,600 DDoS zealots blasting at once," as Anonymous boasted on Twitter, to take down the websites of everyone from the FBI and the Justice Department to the Motion Picture Association of America and Recording Industry Association of America. "DDoS is to the Internet what the billy club is to gang warfare: simple, cheap, unsophisticated, and effective," said Rob Rachwald, director of security strategy of Imperva, via email.
3. Plan ahead.
Stopping DDoS attacks requires preparation. If attacked, "folks that don't take active measures to ensure the resilience of their networks are going to get knocked over," said Roland Dobbins, Asia-Pacific solutions architect for Arbor Networks, via phone. "They need to do everything they can to increase resiliency and availability." Accordingly, he recommends implementing "all of the industry best and current practices for their network infrastructure, as well as applications, critical supporting services, including DNS."
4. Secure potential bottlenecks.
Which parts of the corporate network can become a bottleneck or weak link in a DDoS attack? A survey by Radware of 135 people with information security expertise--including IT managers as well as CIOs and CISOs--found that the bottlenecks they'd experienced included the server under attack (for 30%), their Internet pipe (27%), a firewall (24%), an intrusion prevention or detection system (8%), a SQL server (5%), or a load balancer (4%). For example, Sergey Shekyan, a Web application vulnerability scanner developer at Qualys, reported that he was able to DDoS a Squid proxy server using the free slowhttptest tool with slow read DDoS attack support. That's because while the server was theoretically able to handle 60,000 concurrent connections per minute, it had been misconfigured to only allow 1,024 open file descriptors at a time.
5. Watch what's happening on the network.
If prevention--including securing infrastructure and making sure it can reasonably scale to handle sharp increases in packet traffic--is the first step, the second is actively monitoring the network. "If the enterprise doesn't have visibility into their network traffic so they can exert control over the traffic, then they have a problem," said Dobbins.
6. Look beyond large attacks.
Historically, the most popular type of DDoS attack--and the one most used by Anonymous--has been a packet flood. The concept is simple: direct so many packets at a website that its servers buckle under the pressure. But not all effective DDoS attacks unload untold numbers of packets. Notably, a study by Radware of 40 DDoS attacks from 2011 found that only 9% involved more than 10 Gbps of bandwidth, while 76% involved less than 1 Gbps.
7. Beware application-layer attacks.
Attacks that eschew packet quantity for taking out a switch or application can unfortunately be quite difficult to detect. According to Radware's report, "it is much easier to detect and block a network flood attack--which is about sending a large volume of irrelevant traffic such as UDP floods, SYN floods, and TCP floods, typically spoofed--rather than an application flood attack where the attackers are using real IP addresses from real machines and running complete application transactions."
8. Watch for blended attacks.
Detection can get even trickier when attackers start targeting more than one application at a time, perhaps together with a packet flood. "Attackers are often likely to combine both packet flooding attacks with application-layer DDoS, to increase their odds of success," according to the Radware report. "The majority of organizations, which are targeted by sub-1-Gbps attacks, are targeted with a mix of network and application flood attacks."
9. Make upstream friends.
Large attacks can overwhelm even the largest enterprise network. "Work very closely with [your] Internet service provider--or for multinationals, providers--to successfully deal with these attacks," said Arbor's Dobbins. Build relationships and lines of communication in advance. "At 4 a.m., if there is a DDoS attack, it's not the time you want to be scrambling around trying to reconfigure your infrastructure, and finding who call at your ISP," he said.
10. Consider countermeasures.
While the legality of certain types of attack countermeasures is an open question, Radware said that network gear may be able to automatically mitigate suspected DDoS attacks. For example, it can silently drop questionable packets, or send a TCP reply to the attacker that advertises "window size equals 0," which says that for the time being, no new data can be received. "Legitimate clients generally respect this and will suspend their communication for the time being," according to Radware's report. "It seems that some attackers also honor this message and suspend the attack until a new, larger window size is advertised, which of course the site being attacked has no intention of doing."
It's no longer a matter of if you get hacked, but when. In this special retrospective of news coverage, Monitoring Tools And Logs Make All The Difference, Dark Reading takes a look at ways to measure your security posture and the challenges that lie ahead with the emerging threat landscape. (Free registration required.)
Encryption Algorithms
Encryption Algorithms
Encryption algorithm, or cipher, is a mathematical function used in the encryption and decryption process - series of steps that mathematically transforms plaintext or other readable information into unintelligible ciphertext. A cryptographic algorithm works in combination with a key (a number, word, or phrase) to encrypt and decrypt data. To encrypt, the algorithm mathematically combines the information to be protected with a supplied key. The result of this combination is the encrypted data. To decrypt, the algorithm performs a calculation combining the encrypted data with a supplied key. The result of this combination is the decrypted data. If either the key or the data is modified, the algorithm produces a different result. The goal of every encryption algorithm is to make it as difficult as possible to decrypt the generated ciphertext without using the key.
Each algorithm uses a string of bits known as a "key" to perform the calculations. The larger the key (the more bits), the greater the number of potential patterns can be created, thus making it harder to break the code and descramble the contents. Most encryption algorithms use the block cipher method, which codes fixed blocks of input that are typically from 64 to 128 bits in length. Some use the stream method, which works with the continuous stream of input.
Some cryptographic methods rely on the secrecy of the encryption algorithms; such algorithms are only of historical interest and are not adequate for real-world needs. Instead of the secrecy of the method itself, all modern algorithms base their security on the usage of a key; a message can be decrypted only if the key used for decryption matches the key used for encryption.
Types of encryption algorithms
There are two kinds of key-based encryption algorithms, symmetric encryption algorithms (secret key algorithms) and asymmetric encryption algorithms (or public key algorithms). The difference is that symmetric encryption algorithms use the same key for encryption and decryption (or the decryption key is easily derived from the encryption key), whereas asymmetric encryption algorithms use a different key for encryption and decryption, and the decryption key cannot be derived from the encryption key.
Symmetric encryption algorithms
Symmetric encryption algorithms can be divided into stream ciphers and block ciphers. Stream ciphers encrypt a single bit of plaintext at a time, whereas block ciphers take a number of bits (typically 64 bits in modern ciphers), and encrypt them as a single unit.
Some examples of popular symmetric encryption algorithms:
AES/Rijndael
Blowfish
CAST5
DES
IDEA
RC2
RC4
RC6
Serpent
Triple DES
Twofish
AES encryption algorithm
AES stands for Advanced Encryption Standard. AES is a symmetric key encryption technique which will replace the commonly used Data Encryption Standard (DES). It was the result of a worldwide call for submissions of encryption algorithms issued by the US Government's National Institute of Standards and Technology (NIST) in 1997 and completed in 2000.
In response to the growing feasibility of attacks against DES, NIST launched a call for proposals for an official successor that meets 21st century security needs. This successor is called the Advanced Encryption Standard (AES).
Five algorithms were selected into the second round, from which Rijndael was selected to be the final standard. NIST gave as its reasons for selecting Rijndael that it performs very well in hardware and software across a wide range of environments in all possible modes. It has excellent key setup time and has low memory requirements, in addition its operations are easy to defend against power and timing attacks. NIST stated that all five finalists had adequate security and that there was nothing wrong with the other four ciphers.
The winning algorithm, Rijndael, was developed by two Belgian cryptologists, Vincent Rijmen and Joan Daemen.
AES provides strong encryption and was selected by NIST as a Federal Information Processing Standard in November 2001 (FIPS-197).
Rijndael follows the tradition of square ciphers. AES algorithm uses three key sizes: a 128-, 192-, or 256-bit encryption key. Each encryption key size causes the algorithm to behave slightly differently, so the increasing key sizes not only offer a larger number of bits with which you can scramble the data, but also increase the complexity of the cipher algorithm.
Blowfish encryption algorithm
Blowfish is a symmetric encryption algorithm designed in 1993 by Bruce Schneier as an alternative to existing encryption algorithms.
Blowfish has a 64-bit block size and a variable key length - from 32 bits to 448 bits. It is a 16-round Feistel cipher and uses large key-dependent S-boxes. While doing key scheduling, it generates large pseudo-random lookup tables by doing several encryptions. The tables depend on the user supplied key in a very complex way. This approach has been proven to be highly resistant against many attacks such as differential and linear cryptanalysis. Unfortunately, this also means that it is not the algorithm of choice for environments where a large memory space is not available. Blowfish is similar in structure to CAST-128, which uses fixed S-boxes.
Since then Blowfish has been analyzed considerably, and is gaining acceptance as a strong encryption algorithm.
Blowfish was designed in 1993 by Bruce Schneier as a fast, free alternative to existing encryption algorithms. Since then it has been analyzed considerably, and it is slowly gaining acceptance as a strong encryption algorithm. Blowfish is unpatented and license-free, and is available free for all uses.
The only known attacks against Blowfish are based on its weak key classes.
CAST
CAST stands for Carlisle Adams and Stafford Tavares, the inventors of CAST. CAST is a popular 64-bit block cipher which belongs to the class of encryption algorithms known as Feistel ciphers.
CAST-128 is a DES-like Substitution-Permutation Network (SPN) cryptosystem. It has the Feistel structure and utilizes eight fixed S-boxes. CAST-128 supports variable key lenghts between 40 and 128 bits.
CAST-128 is resistant to both linear and differential cryptanalysis. Currently, there is no known way of breaking CAST short of brute force. CAST is now the default cipher in PGP.
Data Encryption Standard (DES)
Digital Encryption Standard (DES) is a symmetric block cipher with 64-bit block size that uses using a 56-bit key.
In 1977 the Data Encryption Standard (DES), a symmetric algorithm, was adopted in the United States as a federal standard.
DES encrypts and decrypts data in 64-bit blocks, using a 56-bit key. It takes a 64-bit block of plaintext as input and outputs a 64-bit block of ciphertext. Since it always operates on blocks of equal size and it uses both permutations and substitutions in the algorithm. DES has 16 rounds, meaning the main algorithm is repeated 16 times to produce the ciphertext. It has been found that the number of rounds is exponentially proportional to the amount of time required to find a key using a brute-force attack. So as the number of rounds increases, the security of the algorithm increases exponentially.
For many years, DES-enciphered data were safe because few organizations possessed the computing power to crack it. But in July 1998 a team of cryptographers cracked a DES-enciphered message in 3 days, and in 1999 a network of 10,000 desktop PCs cracked a DES-enciphered message in less than a day. DES was clearly no longer invulnerable and since then Triple DES (3DES) has emerged as a stronger method.
Triple DES encrypts data three times and uses a different key for at least one of the three passes giving it a cumulative key size of 112-168 bits. That should produce an expected strength of something like 112 bits, which is more than enough to defeat brute force attacks. Triple DES is much stronger than (single) DES, however, it is rather slow compared to some new block ciphers. However, cryptographers have determined that triple DES is unsatisfactory as a long-term solution, and in 1997, the National Institute of Standards and Technology (NIST) solicited proposals for a cipher to replace DES entirely, the Advanced Encryption Standard (AES).
IDEA encryption algorithm
IDEA stands for International Data Encryption Algorithm. IDEA is a symmetric encryption algorithm that was developed by Dr. X. Lai and Prof. J. Massey to replace the DES standard. Unlike DES though it uses a 128 bit key. This key length makes it impossible to break by simply trying every key. It has been one of the best publicly known algorithms for some time. It has been around now for several years, and no practical attacks on it have been published despite of numerous attempts to analyze it.
IDEA is resistant to both linear and differential analysis.
RC2
RC2 is a variable-key-length cipher. It was invented by Ron Rivest for RSA Data Security, Inc. Its details have not been published.
RC4
RC4 was developed by Ron Rivest in 1987. It is a variable-key-size stream cipher. It is a cipher with a key size of up to 2048 bits (256 bytes). The algorithm is very fast. Its security is unknown, but breaking it does not seem trivial either. Because of its speed, it may have uses in certain applications. It accepts keys of arbitrary length. RC4 is essentially a pseudo random number generator, and the output of the generator is exclusive-ored with the data stream. For this reason, it is very important that the same RC4 key never be used to encrypt two different data streams.
RC6
RC6 is a symmetric key block cipher derived from RC5. It was designed by Ron Rivest, Matt Robshaw, Ray Sidney, and Yiqun Lisa Yin to meet the requirements of the Advanced Encryption Standard (AES) competition. RC6 encryption algorithm was selected among the other finalists to become the new federal Advanced Encryption Standard (AES).
SEED
SEED is a block cipher developed by the Korea Information Security Agency since 1998. Both the block and key size of SEED are 128 bits and it has a Feistel Network structure which is iterated 16 times. It has been designed to resist differential and linear cryptanalysis as well as related key attacks. SEED uses two 8x8 S-boxes and mixes the XOR operation with modular addition. SEED has been adopted as an ISO/IEC standard (ISO/IEC 18033-3), an IETF RFC, RFC 4269 as well as an industrial association standard of Korea (TTAS.KO-12.0004/0025).
Serpent
Serpent is a very fast and reasonably secure block cipher developed by Ross Anderson, Eli Biham and Lars Knudsen. Serpent can work with different combinations of key lengths. Serpent was also selected among other five finalists to become the new federal Advanced Encryption Standard (AES).
TEA
Tiny Encryption Algorithm is a very fast and moderately secure cipher produced by David Wheeler and Roger Needham of Cambridge Computer Laboratory. There is a known weakness in the key schedule, so it is not recommended if utmost security is required. TEA is provided in 16 and 32 round versions. The more rounds (iterations), the more secure, but slower.
Triple DES
Triple DES is a variation of Data Encryption Standard (DES). It uses a 64-bit key consisting of 56 effective key bits and 8 parity bits. The size of the block for Triple-DES is 8 bytes. Triple-DES encrypts the data in 8-byte chunks. The idea behind Triple DES is to improve the security of DES by applying DES encryption three times using three different keys. Triple DES algorithm is very secure (major banks use it to protect valuable transactions), but it is also very slow.
Twofish
Twofish is a symmetric block cipher. Twofish has a block size of 128 bits and accepts keys of any length up to 256 bits.Twofish has key dependent S-boxes like Blowfish.
Twofish encryption algorithm was designed by Bruce Schneier, John Kelsey, Chris Hall, Niels Ferguson, David Wagner and Doug Whiting. The National Institute of Standards and Technology (NIST) investigated Twofish as one of the candidates for the replacement of the DES encryption algorithm.
Asymmetric encryption algorithms
Asymmetric encryption algorithms (public key algorithms) use different keys for encryption and decryption, and the decryption key cannot (practically) be derived from the encryption key. Public key methods are important because they can be used for transmitting encryption keys or other data securely even when the parties have no opportunity to agree on a secret key in private.
Types of Asymmetric encryption algorithms (public key algorithms):
RSA encryption algorithm
Diffie-Hellman
Digital Signature Algorithm
ElGamal
ECDSA
XTR
RSA encryption algorithm
Rivest-Shamir-Adleman is the most commonly used public key encryption algorithm. It can be used both for encryption and for digital signatures. The security of RSA is generally considered equivalent to factoring, although this has not been proved.
RSA computation occurs with integers modulo n = p * q, for two large secret primes p, q. To encrypt a message m, it is exponentiated with a small public exponent e. For decryption, the recipient of the ciphertext c = me (mod n) computes the multiplicative reverse d = e-1 (mod (p-1)*(q-1)) (we require that e is selected suitably for it to exist) and obtains cd = m e * d = m (mod n). The private key consists of n, p, q, e, d (where p and q can be omitted); the public key contains only n and e. The problem for the attacker is that computing the reverse d of e is assumed to be no easier than factorizing n.
The key size should be greater than 1024 bits for a reasonable level of security. Keys of size, say, 2048 bits should allow security for decades.
There are actually multiple incarnations of this algorithm; RC5 is one of the most common in use, and RC6 was a finalist algorithm for AES.
Diffie-Hellman
Diffie-Hellman is the first public key encryption algorithm, invented in 1976, using discrete logarithms in a finite field. Allows two users to exchange a secret key over an insecure medium without any prior secrets.
Diffie-Hellman (DH) is a widely used key exchange algorithm. In many cryptographical protocols, two parties wish to begin communicating. However, let's assume they do not initially possess any common secret and thus cannot use secret key cryptosystems. The key exchange by Diffie-Hellman protocol remedies this situation by allowing the construction of a common secret key over an insecure communication channel. It is based on a problem related to discrete logarithms, namely the Diffie-Hellman problem. This problem is considered hard, and it is in some instances as hard as the discrete logarithm problem.
The Diffie-Hellman protocol is generally considered to be secure when an appropriate mathematical group is used. In particular, the generator element used in the exponentiations should have a large period (i.e. order). Usually, Diffie-Hellman is not implemented on hardware.
Digital Signature Algorithm
Digital Signature Algorithm (DSA) is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Algorithm (DSA), specified in FIPS 186 [1], adopted in 1993. A minor revision was issued in 1996 as FIPS 186-1 [2], and the standard was expanded further in 2000 as FIPS 186-2 [3]. Digital Signature Algorithm (DSA) is similar to the one used by ElGamal signature algorithm. It is fairly efficient though not as efficient as RSA for signature verification. The standard defines DSS to use the SHA-1 hash function exclusively to compute message digests.
The main problem with DSA is the fixed subgroup size (the order of the generator element), which limits the security to around only 80 bits. Hardware attacks can be menacing to some implementations of DSS. However, it is widely used and accepted as a good algorithm.
ElGamal
The ElGamal is a public key cipher - an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement. ElGamal is the predecessor of DSA.
ECDSA
Elliptic Curve DSA (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which operates on elliptic curve groups. As with Elliptic Curve Cryptography in general, the bit size of the public key believed to be needed for ECDSA is about twice the size of the security level, in bits.
XTR
XTR is an encryption algorithm for public-key encryption. XTR is a novel method that makes use of traces to represent and calculate powers of elements of a subgroup of a finite field. It is based on the primitive underlying the very first public key cryptosystem, the Diffie-Hellman key agreement protocol.
From a security point of view, XTR security relies on the difficulty of solving discrete logarithm related problems in the multiplicative group of a finite field. Some advantages of XTR are its fast key generation (much faster than RSA), small key sizes (much smaller than RSA, comparable with ECC for current security settings), and speed (overall comparable with ECC for current security settings).
Differences between symmetric and asymmetric encryption algorithms
Symmetric encryption algorithms encrypt and decrypt with the same key. Main advantages of symmetric encryption algorithms are its security and high speed. Asymmetric encryption algorithms encrypt and decrypt with different keys. Data is encrypted with a public key, and decrypted with a private key. Asymmetric encryption algorithms (also known as public-key algorithms) need at least a 3,000-bit key to achieve the same level of security of a 128-bit symmetric algorithm. Asymmetric algorithms are incredibly slow and it is impractical to use them to encrypt large amounts of data. Generally, symmetric encryption algorithms are much faster to execute on a computer than asymmetric ones. In practice they are often used together, so that a public-key algorithm is used to encrypt a randomly generated encryption key, and the random key is used to encrypt the actual message using a symmetric algorithm. This is sometimes called hybrid encryption.
Strength of Encryption Algorithms
Strong encryption algorithms should always be designed so that they are as difficult to break as possible. In theory, any encryption algorithm with a key can be broken by trying all possible keys in sequence. If using brute force to try all keys is the only option, the required computing power increases exponentially with the length of the key. A 32-bit key takes 232 (about 109) steps. This is something anyone can do on his/her home computer. An encryption algorithm with 56-bit keys, such as DES, requires a substantial effort, but using massive distributed systems requires only hours of computing. In 1999, a brute-force search using a specially designed supercomputer and a worldwide network of nearly 100,000 PCs on the Internet, found a DES key in 22 hours and 15 minutes. It is currently believed that keys with at least 128 bits (as in AES, for example) will be sufficient against brute-force attacks into the foreseeable future.
However, key length is not the only relevant issue. Many encryption algorithms can be broken without trying all possible keys. In general, it is very difficult to design ciphers that could not be broken more effectively using other methods.
The keys used in public-key encryption algorithms are usually much longer than those used in symmetric encryption algorithms. This is caused by the extra structure that is available to the cryptanalyst. There the problem is not that of guessing the right key, but deriving the matching private key from the public key. In the case of RSA encryption algorithm, this could be done by factoring a large integer that has two large prime factors. In the case of some other cryptosystems, it is equivalent to computing the discrete logarithm modulo a large integer (which is believed to be roughly comparable to factoring when the moduli is a large prime number).
This article describes the functions and properties of the various cryptographic key types used for securing digital communications. Recommended crypto-periods are also discussed.
Classification of cryptographic keys in accordance with functions & properties of various key types used for securing digital communications.
Categories and types of cryptographic keys
Just as there are different types of household keys for the car, front door of the house, garage door, etc., keys also serve different functions in the world of digital communications. One should get an understanding of these different key functions are before any meaningful work can be done with cryptographic key management.
In general, cryptographic keys are categorized according to their properties and usage. A key may have one of three properties: Symmetric, Public or Private. Keys can be grouped as Asymmetric key pairs, which consist of one private and one public key.
Difference between Asymmetric and Symmetric keys
Algorithms for symmetric keys use a single key for both encryption and decryption. Algorithms for asymmetric keys use different keys for encryption and decryption. Symmetric key algorithms have the advantage in that they are much faster than asymmetric algorithms, and can handle thousands of keys with very little computing overhead. The main disadvantage is that at least one key has to be transmitted to the receiving end, which means there is a possibility of it being intercepted and tampered with. This problem is solved by using asymmetric keys, as a message can be sent or received with a public key, while the other end (sender or receiver) uses a personal private key, depending on the key's purpose, such as assuring confidentiality, authentication, tamper detection, etc.
Using asymmetric keys for confidentiality
For example, to maintain confidentiality, a message can be encrypted with a public key as it is sent, which means that anyone can intercept it and analyze its contents. But only the intended receiver with a private key that corresponds to the public key can decode the message. While the public key can be sent back and forth among recipients, the private key is fixed to one location, and won’t be sent anywhere.
Using asymmetric keys for authentication
To maintain authentication, the sender encrypts his/her identity on a message with a personal private key as it is sent, which acts as a signature, to verify the source of the message. In this case, the receiving end uses a public key to check the message, and find out who sent it. Since the decryption is done with a public key, anyone can check who sent the message.
Cryptographic keys for long term or single usage
Keys can also have the property that they can be static (designed for long term usage) or ephemeral (designed to be used only for a single session or management transaction). This distinction is mainly applies to the Ephemeral Key Agreement Key (explained below) since the other key types are generally designed for long crypto-periods (usually 1 -2 years). Some key types that may need shorter crypto-periods (from a few days to a few weeks) are Symmetric authentication keys, Data Encryption keys, Key-Wrapping keys, Private Key-Transport keys, RNG keys, and Authorization keys.
Description of the 10 basic types of cryptographic keys
Cryptographic keys can be classified in 10 different categories, as outlined below. Each key is designed for one specific purpose, and shouldn’t be mistaken for other key types. The cryptographic algorithms for each key type are described according to their properties (Symmetric, Public or Private):
Authentication Key (Symmetric, Public or Private)
Symmetric authentication keys are used with symmetric key algorithms to provide assurance of the integrity and source of messages, communication sessions, documents, or stored data.
A private (or public) authentication key is the private (or public) key of an asymmetric key pair that is used with a public-key algorithm to provide assurance as to the integrity and source of information and the identity of the originating entity when executing an authentication mechanism or when establishing an authenticated communication session.
Authorization Key (Symmetric, Public or Private)
Symmetric authorization keys are used to provide privileges to an entity using a symmetric cryptographic method. The same authorization key is used by the entity responsible for monitoring and granting access privileges for authorized entities and by the entity seeking access to resources.
A private authorization key is the private key of an asymmetric key pair that is used to provide privileges to an entity.
A public authorization key is the public key of an asymmetric key pair that is used to verify privileges for an entity that knows the associated private authorization key.
RNG Key (Symmetric, Public or Private)
RNG stands for “Random Number Generation”, and these keys are keys used to generate random numbers.
Static Key Agreement Key (Symmetric, Public or Private)
Symmetric Key Agreement Keys are used to establish other keys (e.g., Key-Wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., Initialization Vectors) using a symmetric key-Agreement algorithm.
Private (public) static key agreement keys are the private (public) keys of asymmetric key pairs that are used to establish other keys (e.g., key wrapping keys, data encryption keys, or MAC keys) and, optionally, other keying material (e.g., Initialization Vectors).
Ephemeral Key Agreement Key (Public or Private)
Private (or public) ephemeral Key-Agreement keys are the private (or public) keys of asymmetric key pairs that are used only once in a transaction to establish one or more keys (e.g., key-Wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., Initialization Vectors).
Signature Key (Public or Private)
A public Signature-Verification key is the public key of an asymmetric key pair that is used by a public-Key algorithm to verify digital signatures that are intended to provide source authentication, integrity protection of data, and non-repudiation of messages, documents or stored data.
Private signature keys are the private keys of asymmetric (public) key pairs that are used by public-Key algorithms to generate digital signatures with possible long-term implications. When properly handled, private signature keys can be used to provide source authentication, integrity protection and non-repudiation of messages, documents or stored data
Key Transport Keys (Public or Private)
Private Key-Transport keys are the private keys of asymmetric key pairs that are used to decrypt keys that have been encrypted with the associated public key using a public-Key algorithm.
Public Key-transport keys are the public keys of asymmetric key pairs that are used to encrypt keys using a Public-key algorithm.
Key Transport keys are usually used to establish other keys (e.g., key-Wrapping keys, data-encryption keys or MAC keys) and, optionally, other keying material (e.g., Initialization Vectors).
The symmetric form of a Transport Key is KEK (Key encrypting key) for Wrapping Keys.
Data Encryption/Decryption Key (Symmetric)
A symmetric data encryption/decryption keys are used to protect stored data, messages or communications sessions. These keys are primarily used with symmetric key algorithms to apply confidentiality protection to information.
Key Wrapping Key (Symmetric)
Symmetric Key-wrapping keys are used to encrypt other keys using symmetric-key algorithms. Key-wrapping keys are also known as key-encrypting keys.
Master Key (Symmetric)
A symmetric master key is used to derive other symmetric keys (e.g., data encryption keys, key wrapping keys, or authentication keys) using symmetric cryptographic methods.
In summary
One should be cautious that each cryptographic key is used for the particular purpose it is designed for. If the same key is used for other purposes (which often occurs), much damage or loss of security may result. Although there are instances when one key can be used for multiple services. For example, one digital signature can provide assurance of the identity of the originating entity, non-repudiation, source authentication, and integrity protection.
In a key management system, each cryptographic key should be labeled with one of the listed categories (or types).
CRYPTO KEY MANAGEMENT SYSTEM
Across all industries the requirements for managing cryptographic keys are becoming ever-more complex. Ensuring that the right key is in the right place at the right time is mandated by many organisations, i.e. major card payment scheme providers. This is a complicated requirement as most businesses need to manage an ever-increasing number of keys, while reducing the risk of internal and external fraud, as well as keeping costs at a minimum.
The Crypto Key Management System (CKMS) streamlines administration and reduces costs associated with traditional key management. Through its flexible and automated protocols, CKMS gives users the flexibility to manage a very large number of keys - throughout their entire life cycle - without drowning in work. Using Cryptomathic CKMS, administrators can uniformly and centrally manage the life cycle of all cryptographic keys across a range of encryption platforms.
Key Management Functions of Cryptomathic CKMS
Generation / back up / restore / update
Distribution - automated or in key shares
Import or export in key shares
Enforce security controls
Encryption using Key Encryption Keys (KEKs) / Zone Master Keys (ZMKs)
Certification (e.g. using X.509 or EMV certificates)
Key Life Cycle
CKMS manages all aspects of cryptographic keys during their life cycle
Keys can be securely generated and pushed to any key distribution target as and when required, and key custodians can use asynchronous log-on to projects for adding components securely - reducing the need for manual key ceremonies, while vastly improving workflows.
Based on industry standards, CKMS ensures compliance and simplifies internal and external audits.
CKMS Features
At your desk key ceremonies
Automated key distribution and updating
Centralised life cycle key manage
PKI is short for Public key Infrastructure and is basically a scheme for establishing and using trust for mass communication. PKI consists of a variety of components from a certification authority over policies to users credentials.
PKI is based on solid standards, predominantly x.509, PKIX and others, which ensure that interfacing back-end systems cause little or no hassle.
PKI is actually simple
Many PKI vendors make PKI sound complicated and quite a few potential customers believe that to be the case. PKI is in fact rather simple, especially if there is a clearly defined business case. The business case should fit with a need for secure mass communication benefitting from cost efficiency and user transparency.
The are a variety of business areas where PKI is highly applicable, which include:
Identification, e.g. ePassport
Content protection, e.g. DRM (Digital Rights Management)
Payment, e.g. EMV payment cards
Trusted devices, e.g. mobiles or chips, e.g. Trust Platform Modules
Cryptomathic's PKI product range includes all the applications needed to set up and maintain a 'trusted community' based on PKI. Our PKI products can be used as stand alone or in conjunction with other PKI products (from Cryptomathic or third parties) and include key functionality, such as:
Certification Authority (CA), including registration and validation authorities
Time stamping
Online Certificate Status Protocol (OCSP)
Key generation (when self signed certificates are not practical)
Cryptomathic PKI customers range from small to medium enterprises issuing certificates in the thousands to large technology organisations issuing billions of certificates every year.
2) What is VPN?
A virtual private network (VPN) is a technology that offers secure, reliable connectivity over a shared public network infrastructure such as the Internet. VPNs maintain the same security and management policies as a private network. They are the most cost effective method of establishing a virtual point-to-point connection between remote users and an enterprise customer's network.
3) Briefly describe NAT.
Network Address Translation (NAT) is designed for IP address conservation. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses, before packets are forwarded to another network. Also, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security by effectively hiding the entire internal network behind that address. NAT offers the dual functions of security and address conservation and is typically implemented in remote-access environments.
4) What is the job of the Network Layer under the OSI reference model?
Network layer is third layer in the OSI Model, it handle routing and prepare data for transmission. Primary functions are communication with the Transport/ data link layer ; Encapsulation of Transport data into Network layer Protocol Data Unit; Management of connectivity and routing between hosts or networks.
5) What are proxy servers and how do they protect computer networks?
Proxy server is a server may be a computer system or an application that acts as an intermediary for requests from clients seeking resources from other servers and client connects to the proxy server, requesting some service, such as a file, connection, web page or other resource available from a different server and the proxy server evaluates the request as a way to simplify and control its complexity. A proxy can keep the internal network structure of a company secret by using network address translation, which can help the security of the internal network and this makes requests from machines and users on the local network anonymous
6) What is the function of the OSI Session Layer?
In OSI model, the session layer is the fifth layer, which controls the connections between multiple computers. The session layer tracks the dialogs between computers, which are also called sessions. This layer establishes, controls and ends the sessions between local and remote applications. session layer software products are more sets of tools than specific protocols. These session-layer tools are normally provided to higher layer protocols through command sets often called application program interfaces or APIs. Common APIs include NetBIOS, TCP/IP Sockets and Remote Procedure Calls (RPCs). They allow an application to accomplish certain high-level communications over the network easily, by using a standardized set of services. Most of these session-layer tools are of primary interest to the developers of application software. The programmers use the APIs to write software that is able to communicate using TCP/IP without having to know the implementation details of how TCP/IP works.
7) What is DoS?
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses. Sometimes the attacker can inject and execute arbitrary code while performing a DoS attack in order to access critical information or execute commands on the server. Denial-of-service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.
8) What is OSI and what role does it play in computer networks?
The OSI (Open Systems Interconnection) serves as a reference model for data communication. It is made up of 7 layers, with each layer defining a particular aspect on how network devices connect and communicate with one another. Upper layers of the OSI model represent software that implements network services like encryption and connection management. Lower layers of the OSI model implement more hardware-oriented functions like routing, addressing, and flow control.
9) What is the main purpose of OSPF?
The OSPF (Open Shortest Path First) protocol The OSPF protocol is a link-state routing protocol which means that the routers exchange topology information with their nearest neighbours. The topology information is flooded throughout the Autonomous System, so that every router within the Autonomous System has a complete picture of the topology of the Autonomous System. This is then used to calculate end-to-end paths through the Autonomous System, normally using a variant of the Dijkstra algorithm. Therefore, in a link-state routing protocol, the next hop address to which data is forwarded is determined by choosing the best end-to-end path to the eventual destination.
10) What is the main job of the ARP?
Address Resolution Protocol (ARP) feature to translate physical addresses to internet protocol (IP) addresses. A physical address can be the MAC (Media Access Control) address of a network card inside of a computer. The information about which hardware address is associated with which IP address is usually stored in a table on each computer, the so-called ARP table.
Network Security: 30 Questions Every Manager/Executive Must Answer in Order to Track and Validate the Security of Their Organization
1. What does your network/security architecture diagram look like? The first thing you need to know to protect your network and systems is what you are protecting. You must know: • The physical topologies • Logical topologies (Ethernet, ATM, 802.11, VoIP, etc.) • Types of operating systems • Perimeter protection measures (firewall and IDS placement, etc.) • Types of devices used (routers, switches, etc.) • Location of DMZs • IP address ranges and subnets • Use of NAT In addition, you must know where the diagram is stored and that it is regularly updated as changes are made.
2. 2. What resources are located on your DMZ? Only systems that are semi-public should be kept on the DMZ. This includes external web servers, external mail servers, and external DNS. A split-architecture may be used where internal web, mail, and D
3. NS are also located on the internal network. 3. What resources are located on your internal network? In addition to internal web, mail, and DNS servers, your internal network could also include databases, application servers, and test and development servers.
4. Where is your organization’s security policy posted and what is in it? There should be an overall policy that establishes the direction of the organization and its security mission as well as roles and responsibilities. There can also be system-specific policies to address for individual systems. Most importantly, the policies should address the appropriate use of computing resources. In addition, policies can address a number of security controls from passwords and backups to proprietary information. There should be clear procedures and processes to follow for each policy. These policies should be included in the employee handbook and posted on a readily accessible intranet site.
5. What is your organization’s password policy? A password policy should require that a password: • Be at least 8 characters long • Contain both alphanumeric and special characters • Change every 60 days • Cannot be reused after every five cycles • Is locked out after 3 failed attempts In addition, you should be performing regular password auditing to check the strength of passwords; this should also be documented in the password policy.
6. What applications and services are specifically denied by your organization’s security policy? Your organization’s security policy should specify applications, services, and activities that are prohibited. These can include, among others: • Viewing inappropriate material • Spam • Peer-to-peer file sharing • Instant messaging • Unauthorized wireless devices • Use of unencrypted remote connections such as Telnet and FTP
7. What types of IDSs does your organization use? To provide the best level of detection, an organization should use a combination of both signature-based and anomaly-based intrusion detection systems. This allows both known and unknown attacks to be detected. The IDSs should be distributed throughout the network, including areas such as the Internet connection, the DMZ, and internal networks.
8. Besides default rulesets, what activities are actively monitored by your IDS? IDSs come with default rulesets to look for common attacks. These rulesets must also be customized and augmented to look for traffic and activities specific to your organization’s security policy. For example, if your organization’s security policy prohibits peer-to-peer communications, then a rule should be created to watch for that type of activity. In addition, outbound traffic should be watched for potential Trojans and backdoors.
9. What type of remote access is allowed? Remote access should be tightly controlled, monitored, and audited. It should only be provided over a secure communication channel that uses encryption and strong authentication, such as an IPSEC VPN. Desktop modems (including applications such as PCAnywhere), unsecured wireless access points, and other vulnerable methods of remote access should be prohibited.
10. What is your wireless infrastructure? Part of knowing your network architecture includes knowing the location of wireless networks since they create another possible entry point for an attacker. You must also confirm whether they are being used for sensitive data and are they secured as best as possible.
11. How is your wireless infrastructure secured? Wireless access must at least use WEP with 128-bit encryption. Although this provides some security, it is not very robust, which is why your wireless network should not be used for sensitive data. Consider moving to the 802.11i standard with AES encryption when it is finalized.
12. What desktop protections are used? Desktops should have a combination of anti-virus software, personal firewall, and host-based intrusion detection. Each of these software packages must be regularly updated as new signatures are deployed. They must also be centrally managed and controlled.
13. Where, when, and what type of encryption is used? VPNs should be used for remote access and other sensitive communication. IPSEC is a great choice for this purpose. Strong encryption protocols such as 3DES and AES should be used whenever possible. Web access to sensitive or proprietary information should be protected with 128-bit SSL. Remote system administration should use SSH. Sometimes file system encryption is also used to protect stored data.
14. What is your backup policy? A good backup policy includes weekly full backups with incremental backups performed daily. This includes all critical systems. In addition, the backups should be stored at an offsite location. Since backups include very valuable, easily accessible information, only trusted individuals should be performing them and have access to them. An organization should also encourage users to perform local backups as well.
Hard copies of sensitive information should be destroyed by pulping, shredding, or incinerating. Sensitive information on hard drives and disks should be completely erased using special software, or the disks destroyed. Simply deleting a file is not sufficient to prevent attackers from undeleting the file later. If you are disposing of a computer system, be sure to erase all sensitive files from the hard drive by using a wipeout utility.
16. What is included in your disaster recovery plan? Your disaster recovery plan (DRP) should include recovery of data centers and recovery of business operations. It should also include recovery of the accrual physical business location and recovery of the business processes necessary to resume normal operations. In addition, the DRP should address alternate operating sites.
17. How often is your disaster recovery plan tested? The plan is no good unless it is tested at least once a year. These tests will iron out problems in the plan and make it more efficient and successful if/when it is needed. Testing can include walkthroughs, simulation, or a full out implementation. 18. What types of attacks are you seeing? Typically an organization sees a constant stream of port scan attacks. These are a regular occurrence on the Internet as a result of attackers and worms. An organization should not be seeing many substantial attacks such as compromises, backdoors, or exploits on systems. This would indicate that the security defenses are weak, patching may not be occurring, or other vulnerabilities exist.
19. How often are logs reviewed? Logs should be reviewed every day. This includes IDS logs, system logs, management station logs, etc. Not reviewing the logs is one of the biggest mistakes an organization can make. Events of interest should be investigated daily. It can be a very tedious task for a single person to do this job as their only assignment (unless they really enjoy it). It is better to have a log review rotation system amongst the security team.
20. How often are you performing vulnerability scanning? An organization should be performing vulnerability scanning as often as possible, depending on the size of the network. The scanning should be scheduled to allow adequate time to review the reports, discover anything that has changed, and mitigate the vulnerability.
21. What physical security controls are in place in your organization? Physical security is a large area that must be addressed by an organization. Examples of physical controls includes physical access controls (signs, locks, security guards, badges/PINs, bag search/scanning, metal detectors), CCTV, motion detectors, smoke and water detectors, and backup power generators.
22. What are your critical business systems and processes? Identifying your critical business systems and processes is the first step an organization should take in order to implement the appropriate security protections. Knowing what to protect helps determine the necessary security controls. Knowing the critical systems and processes helps determine the business continuity plan and disaster recovery plan process. Critical business systems and processes may include an e commerce site, customer database information, employee database information, the ability to answer phone calls, the ability to respond to Internet queries, etc.
23. What are the specific threats to your organization? In addition to identifying the critical business systems and processes, it is important to identify the possible threats to those systems as well as the organization as a whole. You should consider both external and internal threats and attacks using various entry points (wireless, malicious code, subverting the firewall, etc.). Once again, this will assist in implementing the appropriate security protections and creating business continuity and disaster recovery plans.
24. What are the tolerable levels of impact your systems can have? An organization must understand how an outage could impact the ability to continue operations. For example, you must determine how long systems can be down, the impact on cash flow, the impact on service level agreements, and the key resources that must be kept running.
25. Are you performing content level inspections? In addition to the content level inspection performed by the IDS, specific content inspections should also be performed on web server traffic and other application traffic. Some attacks evade detection by containing themselves in the payload of packets, or by altering the packet in some way, such as fragmentation. Content level inspection at the web server or application server will protect against attacks such as those that are tunneled in legitimate communications, attacks with malicious data, and unauthorized application usage.
26. How often are your systems patched? Systems should be patched every time a new patch is released. Many organizations don’t patch regularly and tend to not patch critical systems because they don’t want to risk downtime. However, critical systems are the most important to patch. You must schedule regular maintenance downtime to patch systems. As vulnerabilities are discovered, attackers often release exploits even before system patches are available. Therefore, it is imperative to patch systems as soon as possible.
27. How are you protecting against social engineering and phishing attacks? The best way to protect against social engineering and phishing attacks is to educate the users. Employees should attend security awareness training that explains these types of attacks, what to expect, and how to respond. There should also be a publicly posted incidents email address to report suspicious activity.
28. What security measures are in place for in-house developed applications? Any development that is taking place in house should include security from the beginning of the development process. Security needs to be a part of standard requirements and testing procedures. Code reviews should be conducted by a test team to look for vulnerabilities such as buffer overflows and backdoors. For security reasons, it is not a good idea to subcontract development work to third parties.
29. What type of traffic are you denying at the firewall? There should be a default deny rule on all firewalls to disallow anything that is not explicitly permitted. This is more secure than explicitly denying certain traffic because that can create holes and oversights on some potentially malicious traffic.
30. How are you monitoring for Trojans and backdoors? In addition to periodic vulnerability scanning, outgoing traffic should be inspected before it leaves the network, looking for potentially compromised systems. Organizations often focus on traffic and attacks coming into the network and forget about monitoring outgoing traffic. Not only will this detect compromised systems with Trojans and backdoors, but it will also detect potentially malicious or inappropriate insider activity.
Information Security Interview Questions
Home » Study » Information Security Interview Questions
infosec
Before You Start
General Questions
Network Security
Application Security
Corporate/Risk
The Onion Model
The Role-playing Model
Innovation Questions
[ For overall InfoSec career advice, be sure to check out my new article titled: How to Build a Successful Information Security Career ]
What follows is a list of questions for use in vetting candidates for positions in Information Security. Many of the questions are designed to get the candidate to think, and to articulate that thought process in a scenario where preparation was not possible. Observing these types of responses is often as important as the actual answers.
I’ve mixed technical questions with those that are more theory and opinion-based, and they are also mixed in terms of difficulty. They are also generally separated into categories, and a number of trick questions are included. The goal of such questions is to expose glaring technical weakness that will manifest later in the workplace, not to be cute. I also include with each question a few words on expected/common responses.
Before You Start
It’s been shown fairly conclusively, by Google and others, that fancy technical questions—especially those of the “how many jellybeans fit in a car” type—do not predict employee success.
Read that part again.
They don’t predict success. Google showed this by going back over years of interview data and mapping it to how those employees ended up doing on the job. The result? People who aced those types of questions didn’t do any better than those who did poorly on them.
In sum, these types of pet questions tend to make interviewers feel smart, and little else. I rely on the data more than my anecdotes, but as someone who’s given many, many technical interviews, I can tell you that this is consistent with my experience.
We have people who are absolute rockstars that effectively failed at these questions, and we have people who crushed them and floundered on the job. The lesson here is not to avoid any sort of especially technical questions: It’s that you need to be cautious of the tendency to fetishize certain questions or certain types of questions. It will only hurt you.
Now, onto the questions.
General
Are open-source projects more or less secure than proprietary ones?
The answer to this question is often very telling about a given candidate. It shows 1) whether or not they know what they’re talking about in terms of development, and 2) it really illustrates the maturity of the individual (a common theme among my questions). My main goal here is to get them to show me pros and cons for each. If I just get the “many eyes” regurgitation then I’ll know he’s read Slashdot and not much else. And if I just get the “people in China can put anything in the kernel” routine then I’ll know he’s not so good at looking at the complete picture.
The ideal answer involves the size of the project, how many developers are working on it (and what their backgrounds are), and most importantly — quality control. In short, there’s no way to tell the quality of a project simply by knowing that it’s either open-source or proprietary. There are many examples of horribly insecure applications that came from both camps.
How do you change your DNS settings in Linux/Windows?
Here you’re looking for a quick comeback for any position that will involve system administration (see system security). If they don’t know how to change their DNS server in the two most popular operating systems in the world, then you’re likely working with someone very junior or otherwise highly abstracted from the real world.
What’s the difference between encoding, encryption, and hashing?
Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn’t primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.
What’s more secure, SSL or HTTPS?
Trick question: these are not mutually exclusive. Look for a smile like they caught you in the cookie jar. If they’re confused, then this should be for an extremely junior position.
Can you describe rainbow tables?
Look for a thorough answer regarding overall password attacks and how rainbow tables make them faster.
What is salting, and why is it used?
You purposely want to give the question without context. If they know what salting is just by name, they’ve either studied well or have actually been exposed to this stuff for a while.
Who do you look up to within the field of Information Security? Why?
A standard question type. All we’re looking for here is to see if they pay attention to the industry leaders, and to possibly glean some more insight into how they approach security. If they name a bunch of hackers/criminals that’ll tell you one thing, and if they name a few of the pioneers that’ll say another. If they don’t know anyone in Security, we’ll consider closely what position you’re hiring them for. Hopefully it isn’t a junior position.
Where do you get your security news from?
Here I’m looking to see how in tune they are with the security community. Answers I’m looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don’t really matter. What does matter is that he doesn’t respond with, “I go to the CNET website.”, or, “I wait until someone tells me about events.”. It’s these types of answers that will tell you he’s likely not on top of things.
If you had to both encrypt and compress data during transmission, which would you do first, and why?
If they don’t know the answer immediately it’s ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn’t know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: “Compress then encrypt. If you encrypt first you’ll have nothing but random data to work with, which will destroy any potential benefit from compression.
What’s the difference between symmetric and public-key cryptography
Standard stuff here: single key vs. two keys, etc, etc.
In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?
You encrypt with the other person’s public key, and you sign with your own private. If they confuse the two, don’t put them in charge of your PKI project.
What kind of network do you have at home?
Good answers here are anything that shows you he’s a computer/technology/security enthusiast and not just someone looking for a paycheck. So if he’s got multiple systems running multiple operating systems you’re probably in good shape. What you don’t want to hear is, “I get enough computers when I’m at work…” I’ve yet to meet a serious security guy who doesn’t have a considerable home network–or at least access to one, even if it’s not at home.
What are the advantages offered by bug bounty programs over normal testing practices?
You should hear coverage of many testers vs. one, incentivization, focus on rare bugs, etc.
What are your first three steps when securing a Linux server?
Their list isn’t key here (unless it’s bad); the key is to not get panic.
What are your first three steps when securing a Windows server?
Their list isn’t key here (unless it’s bad); the key is to not get panic.
Who’s more dangerous to an organization, insiders or outsiders?
Ideally you’ll hear inquiry into what’s meant by “dangerous”. Does that mean more likely to attack you, or more dangerous when they do?
Why is DNS monitoring important?
If they’re familiar with infosec shops of any size, they’ll know that DNS requests are a treasure when it comes to malware indicators.
Network Security
What port does ping work over?
A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn’t work over a port) A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.
Do you prefer filtered ports or closed ports on your firewall?
Look for a discussion of security by obscurity and the pros and cons of being visible vs. not. There can be many signs of maturity or immaturity in this answer.
How exactly does traceroute/tracert work at the protocol level?
This is a fairly technical question but it’s an important concept to understand. It’s not natively a “security” question really, but it shows you whether or not they like to understand how things work, which is crucial for an Infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions.
The key point people usually miss is that each packet that’s sent out doesn’t go to a different place. Many people think that it first sends a packet to the first hop, gets a time. Then it sends a packet to the second hop, gets a time, and keeps going until it gets done. That’s incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that’s used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.
What are Linux’s strengths and weaknesses vs. Windows?
Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux with a passion? If so just thank him for his time and show him out. Linux is everywhere in the security world.
Cryptographically speaking, what is the main method of building a shared secret over a public medium?
Diffie-Hellman. And if they get that right you can follow-up with the next one.
What’s the difference between Diffie-Hellman and RSA?
Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol. If they get that far, make sure they can elaborate on the actual difference, which is that one requires you to have key material beforehand (RSA), while the other does not (DH). Blank stares are undesirable.
What kind of attack is a standard Diffie-Hellman exchange vulnerable to?
Man-in-the-middle, as neither side is authenticated.
Application Security
Describe the last program or script that you wrote. What problem did it solve?
All we want to see here is if the color drains from the guy’s face. If he panics then we not only know he’s not a programmer (not necessarily bad), but that he’s afraid of programming (bad). I know it’s controversial, but I think that any high-level security guy needs some programming skills. They don’t need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.
How would you implement a secure login field on a high traffic website where performance is a consideration?
We’re looking for a basic understanding of the issue of wanting to serve the front page in HTTP, while needing to present the login form via HTTPs, and how they’d recommend doing that. A key piece of the answer should center around avoidance of the MiTM threat posed by pure HTTP. Blank stares here mean that they’ve never seen or heard of this problem, which means they’re not likely to be anything near pro level.
What are the various ways to handle account brute forcing?
Look for discussion of account lockouts, IP restrictions, fail2ban, etc.
What is Cross-Site Request Forgery?
Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim’s browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).
How does one defend against CSRF?
Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we’re looking for recognition and basic understanding here–not a full, expert level dissertation on the subject. Adjust expectations according to the position you’re hiring for.
If you were a site administrator looking for incoming CSRF attacks, what would you look for?
This is a fun one, as it requires them to set some ground rules. Desired answers are things like, “Did we already implement nonces?”, or, “That depends on whether we already have controls in place…” Undesired answers are things like checking referrer headers, or wild panic.
What’s the difference between HTTP and HTML?
Obviously the answer is that one is the networking/application protocol and the other is the markup language, but again, the main thing you’re looking for is for him not to panic.
How does HTTP handle state?
It doesn’t, of course. Not natively. Good answers are things like “cookies”, but the best answer is that cookies are a hack to make up for the fact that HTTP doesn’t do it itself.
What exactly is Cross Site Scripting?
You’d be amazed at how many security people don’t know even the basics of this immensely important topic. We’re looking for them to say anything regarding an attacker getting a victim to run script content (usually JavaScript) within their browser.
What’s the difference between stored and reflected XSS?
Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim’s browser when the results are returned from the site.
What are the common defenses against XSS?
Input Validation/Output Sanitization, with focus on the latter.
Corporate/Risk
What is the primary reason most companies haven’t fixed their vulnerabilities?
This is a bit of a pet question for me, and I look for people to realize that companies don’t actually care as much about security as they claim to–otherwise we’d have a very good remediation percentage. Instead we have a ton of unfixed things and more tests being performed.
Look for people who get this, and are ok with the challenge.
What’s the goal of information security within an organization?
This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. “To control access to information as much as possible, sir!” While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I’m looking for. A much better answer in my view is something along the lines of, “To help the organization succeed.”
This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding—-a realization that security is there for the company and not the other way around.
What’s the difference between a threat, vulnerability, and a risk?
As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you’d like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent.
If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? [Imagine you start on day one with no knowledge of the environment]
We don’t need a list here; we’re looking for the basics. Where is the important data? Who interacts with it? Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability assessments. What’s being logged an audited? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation.
As a corporate Information Security professional, what’s more important to focus on: threats or vulnerabilities?
This one is opinion-based, and we all have opinions. Focus on the quality of the argument put forth rather than whether or not they they chose the same as you, necessarily. My answer to this is that vulnerabilities should usually be the main focus since we in the corporate world usually have little control over the threats.
Another way to take that, however, is to say that the threats (in terms of vectors) will always remain the same, and that the vulnerabilities we are fixing are only the known ones. Therefore we should be applying defense-in-depth based on threat modeling in addition to just keeping ourselves up to date.
Both are true, of course; the key is to hear what they have to say on the matter.
The Onion Model
The questions above are fairly straightforward. They are, generally, negative filters, i.e. they’re designed to excluded candidates for having glaring weaknesses. If you are dealing with a more advanced candidate then one approach I recommend taking is that of the onion model.
The Onion Model of interviewing starts at the surface level and then dives deeper and deeper—often to a point that the candidate cannot go. This is terrifically revealing, as it shows not only where a candidate’s knowledge stops, but also how they deal with not knowing something.
One component of this cannot be overstated: Using this method allows you to dive into the onion in different ways, so even candidates who have read this list, for example, will not have perfect answers even if you ask the same question.
An example of this would be starting with:
How does traceroute work?
They get this right, so you go to the next level.
What protocol does it use?
This is a trick question, as it can use lots of options, depending on the tool. Then you move on.
Describe a Unix traceroute hitting google.com at all seven layers of the OSI model.
Etc. It’s deeper and deeper exploration of a single question. Here’s a similar option for the end-phase of such a question.
If I’m on my laptop, here inside my company, and I have just plugged in my network cable. How many packets must leave my NIC in order to complete a traceroute to twitter.com?
The key here is that they need to factor in all layers: Ethernet, IP, DNS, ICMP/UDP, etc. And they need to consider round-trip times. What you’re looking for is a realization that this is the way to approach it, and an attempt to knock it out. A bad answer is the look of WTF on the fact of the interviewee.
This could be asked as a final phase of a multi-step protocol question that perhaps starts with the famous, “What happens when I go to Google.com?”
How would you build the ultimate botnet?
Answers here can vary widely; you want to see them cover the basics: encryption, DNS rotation, the use of common protocols, obscuring the heartbeat, the mechanism for providing updates, etc. Again, poor answers are things like, “I don’t make them; I stop them.”
Role-Playing as an Alternative to the Onion Model
Another option for going to increasing depth, is to role-play with the candidate. You present them a problem, and they have to troubleshoot. I had one of these during an interview and it was quite valuable.
You would tell them, for example, that they’ve been called in to help a client who’s received a call from their ISP stating that one or more computers on their network have been compromised. And it’s their job to fix it. They are now at the client site and are free to talk to you as the client (interviewing them), or to ask you as the controller of the environment, e.g. “I sniff the external connection using tcpdump on port 80. Do I see any connections to IP 8.8.8.8.” And you can then say yes or no, etc.
From there they continue to troubleshooting/investigating until they solve the problem or you discontinue the exercise due to frustration or pity.
Innovation Questions
At the top tier of technical security roles you may want someone who is capable of designing as well as understanding. In these cases you can also ask questions about design flaws, how they would improve a given protocol, etc.
These questions separate good technical people from top technical people, and I imagine less than 1% of those in infosec would even attempt to answer any of these.
Here are a few examples:
What are the primary design flaws in HTTP, and how would you improve it?
If you could re-design TCP, what would you fix?
What is the one feature you would add to DNS to improve it the most?
What is likely to be the primary protocol used for the Internet of Things in 10 years?
If you had to get rid of a layer of the OSI model, which would it be?
[ NOTE: You can ask infinite variations of these, of course. Asking for three options instead of one, or asking them to rank the results, etc. ]
It’s important to note with these questions that you could have a superstar analyst who knows nothing about these matters while someone who is at this level would make a poor forensic expert. It’s all about matching skills to roles.
Conclusion
For more on hiring overall, I recommend doing a good amount of research. Most important to learn, as I talked about above, is the limitations of interviews. Use other data available to you whenever possible, and above everything else: Be extremely cautious of anyone who thinks they can spot “the one” because they’re good at it..
Bias is a major problem in interviewing, and it’s likely that someone with a steadfast belief in his or her interview brilliance is doing harm to your organization by introducing bad candidates. When possible, do what Google did: Explore the data. Look at how candidates did in interviews relative to how they did on the job. Wherever you have mismatches you have a problem with your process.
Feel free to contact me if you have any comments on the questions, or if you have an ideas for additions.
[ Updated: June 2014 ]
Notes
Here is an article about Google revealing the ineffectiveness of their brainteaser questions.
As a hiring organization, be cautious of any interviewer that has an ego or attitude. The odds of you getting any good data from them is low. The name of the game is reducing bias, and that type has a lot of it.
Always try to combine any interview with a work sample, and/or great reference data.
I have had these questions asked to me on numerous interviews. It’s quite humorous when they find out they’re reading from my website.
What is an Exploit?
•The security functionality triangle
•The attacker's process
•Passive reconnaissance
•Active reconnaissance
•Types of attacks
•Categories of exploits
Footprinting
•What is Footprinting
•Steps for gathering information
Enumeration
•What is Enumeration
•NetBios Null Sessions
•Null Session Countermeasures
•NetBIOS Enumeration
System Hacking
•Administrator Password Guessing
•Performing Automated Password Guessing
Trojans and Backdoors
•What is a Trojan Horse?
Sniffers
•What is a Sniffer?
•Passive Sniffing
•Active Sniffing
•Hacking Tool: EtherFlood
•How ARP Works?
Denial of Service
•What is Denial of Service Attack?
•Types of DoS Attacks
•How DoS Work?
•What is DDoS?
Social Engineering
•What is Social Engineering?
•Art of Manipulation
Session Hijacking
•What is Session Hijacking?
•Session Hijacking Steps
Hacking Web Servers
•Apache Vulnerability
•Attacks against IIS
Web Application Vulnerabilities
•Documenting the Application Structure
•Manually Inspecting Applications
Web Based Password Cracking Techniques
•Basic Authentication
•Message Digest Authentication
SQL Injection
•What is SQL Injection Vulnerability?
•SQL Insertion Discovery
Hacking Wireless Networks
•802.11 Standards
Virus and Worms
Novell Hacking
•Common accounts and passwords
•Accessing password files
Linux Hacking
•Why Linux ?
•Linux Basics
IDS, Firewalls and Honeypots
•Intrusion Detection System
•System Integrity Verifiers
•How are Intrusions Detected?
•What is a Buffer Overflow?
Cryptography
•What is PKI?
•Digital Certificates
1) Explain what is the role of information security analyst?
From small to large companies role of information security analyst includes
Implementing security measures to protect computer systems, data and networks
Keep himself up-to-date with on the latest intelligence which includes hackers techniques as well
Preventing data loss and service interruptions
Testing of data processing system and performing risk assessments
Installing various security software like firewalls, data encryption and other security measures
Recommending security enhancements and purchases
Planning, testing and implementing network disaster plans
Staff training on information and network security procedures
2) Mention what is data leakage? What are the factors that can cause data leakage?
The separation or departing of IP from its intended place of storage is known as data leakage. The factors that are responsible for data leakage can be
Copy of the IP to a less secure system or their personal computer
Human error
Technology mishaps
System misconfiguration
A system breach from a hacker
A home-grown application developed to interface to the public
Inadequate security control for shared documents or drives
Corrupt hard-drive
Back up are stored in an insecure place
3) List out the steps to successful data loss prevention controls?
Create an information risk profile
Create an impact severity and response chart
Based on severity and channel determine incident response
Create an incident workflow diagram
Assign roles and responsibilities to the technical administrator, incident analyst, auditor and forensic investigator
Develop the technical framework
Expand the coverage of DLP controls
Append the DLP controls into the rest of the organization
Monitor the results of risk reduction
4) Explain what is the 80/20 rule of networking?
80/20 is a thumb rule used for describing IP networks, in which 80% of all traffic should remain local while 20% is routed towards a remote network.
5) Mention what are personal traits you should consider protecting data?
Install anti-virus on your system
Ensure that your operating system receives an automatic update
By downloading latest security updates and cover vulnerabilities
Share the password only to the staff to do their job
Encrypt any personal data held electronically that would cause damage if it were stolen or lost
On a regular interval take back-ups of the information on your computer and store them in a separate place
Before disposing off old computers, remove or save all personal information to a secure drive
Install anti-spyware tool
SecurityAnalyst1
6) Mention what is WEP cracking? What are the types of WEP cracking?
WEP cracking is the method of exploiting security vulnerabilities in wireless networks and gaining unauthorized access. There are basically two types of cracks
Active cracking: Until the WEP security has been cracked this type of cracking has no effect on the network traffic.
Passive cracking: It is easy to detect compared to passive cracking. This type of attack has increased load effect on the network traffic.
7) List out various WEP cracking tools?
Various tools used for WEP cracking are
Aircrack
WEPCrack
Kismet
WebDecrypt
8) Explain what is phishing? How it can be prevented?
Phishing is a technique that deceit people to obtain data from users. The social engineer tries to impersonate genuine website webpage like yahoo or face-book and will ask the user to enter their password and account ID.
It can be prevented by
Having a guard against spam
Communicating personal information through secure websites only
Download files or attachments in emails from unknown senders
Never e-mail financial information
Beware of links in e-mails that ask for personal information
Ignore entering personal information in a pop-up screen
9) Mention what are web server vulnerabilities?
The common weakness or vulnerabilities that the web server can take an advantage of are
Default settings
Misconfiguration
Bugs in operating system and web servers
10) List out the techniques used to prevent web server attacks?
Patch Management
Secure installation and configuration of the O.S
Safe installation and configuration of the web server software
Scanning system vulnerability
Anti-virus and firewalls
Remote administration disabling
Removing of unused and default account
Changing of default ports and settings to customs port and settings
11) For security analyst what are the useful certification?
Useful certification for security analyst are
Security Essentials (GSEC): It declares that candidate is expert in handling basic security issues- it is the basic certification in security
Certified Security Leadership: It declares the certification of management abilities and the skills that is required to lead the security team
Certified Forensic Analyst: It certifies the ability of an individual to conduct formal incident investigation and manage advanced incident handling scenarios including external and internal data breach intrusions
Certified Firewall Analyst: It declares that the individual has proficiency in skills and abilities to design, monitor and configure routers, firewalls and perimeter defense systems
12) How can an institute or a company can safeguard himself from SQL injection?
An organization can rely on following methods to guard themselves against SQL injection
Sanitize user input: User input should be never trusted it must be sanitized before it is used
Stored procedures: These can encapsulate the SQL statements and treat all input as parameters
Regular expressions: Detecting and dumping harmful code before executing SQL statements
Database connection user access rights: Only necessary and limited access right should be given to accounts used to connect to the database
Error messages: Error message should not be specific telling where exactly the error occurred it should be more generalized.
101 IT Security Interview Questions
posted by John Spacey, January 11, 2013
The following IT security interview questions are at the architectural level. They may be of use for interviewing:
☑ Security Architects
☑ Security Specialists (e.g. Network Security Administrators)
☑ IT Executives
☑ Enterprise Architects
☑ IT Managers
☑ Solution Architects
The questions range greatly in difficulty and should be tailored to each role.
Basic Concepts
1. What is information security and how is it achieved?
2. What are the core principles of information security?
3. What is non-repudiation (as it applies to IT security)?
4. What is the relationship between information security and data availability?
5. What is a security policy and why do we need one?
6. What is the difference between logical and physical security? Can you give an example of both?
7. Is there an acceptable level of risk?
8. How do you measure risk? Can you give an example of a specific metric that measures information security risk?
9. Can you give me an example of risk trade-offs (e.g. risk vs cost)?
10. What are the most common types of attack that threaten enterprise data security?
11. What is the difference between a threat and a vulnerability?
12. Can you give me an example of common security vulnerabilities?
13. Are you familiar with any security management frameworks such as ISO/IEC 27002?
14. Can you briefly discuss the role of information security in each phase of the software development lifecycle?
15. Can you describe the role of security operations in the enterprise?
16. What is incident management?
17. What is business continuity management? How does it relate to security?
18. What is a security control?
19. What are the different types of security control?
20. Can you describe the information lifecycle? How do you ensure information security at each phase?
21. What is Information Security Governance?
22. What are your professional values? Why are professional ethics important in the information security field?
Security Audits and Testing
23. What is an IT security audit?
24. How do you test information security?
25. What is the difference between black box and white box penetration testing?
26. What is a vulnerability scan?
27. What is captured in a security assessment plan (security test plan)?
Access Control
28. What is the difference between authentication and authorization?
29. What types of information can be used for authentication?
30. What is role-based access control?
31. What is meant by the term "least privilege"?
32. What is two-factor authentication? Does it require special hardware?
Security Architecture
33. Why are open standards important to security solutions?
34. How do you balance demands from different stakeholders who have conflicting requirements?
35. What is layered security architecture? Is it a good approach? Why?
36. Have you designed security measures that span overlapping information domains? Can you give me a brief overview of the solution?
37. How do you ensure that a design anticipates human error?
38. How do you ensure that a design achieves regulatory compliance?
39. What is capability-based security? Have you incorporated this pattern into your designs? How?
40. Can you give me a few examples of security architecture requirements?
41. Who typically owns security architecture requirements and what stakeholders contribute?
42. What special security challenges does SOA present?
43. What security challenges do unified communications present?
44. Do you take a different approach to security architecture for a COTS vs a custom solution?
45. Have you architected a security solution that involved SaaS components? What challenges did you face?
46. Have you worked on a project in which stakeholders choose to accept identified security risks that worried you? How did you handle the situation?
Network
47. What is a firewall?
48. Besides firewalls, what other devices are used to enforce network boundaries?
49. What is the role of network boundaries in information security?
50. What does a intrusion detection system do? How does it do it?
51. What is a honeypot? What type of attack does it defend against?
52. What technologies and approaches are used to secure information and services deployed on cloud computing infrastructure?
53. What information security challenges are faced in a cloud computing environment?
54. How does packet filtering work?
55. Can you give me an overview of IP multicast?
56. Can you explain the difference between a packet filtering firewall and a application layer firewall?
57. What are the layers of the OSI model?
Security Leadership
58. How do you ensure that solution architects develop secure solutions?
59. What training do solution architects need to have in regards to IT security? What about developers?
60. How do you sell the value of IT security initiatives to executive management?
61. How do you ensure that a solution continues to be resilient in the face of evolving threats?
62. How do you avoid implementing overly complex or unnecessary security mechanisms?
63. Have you been involved with the governance of information security? What was your role? What did you accomplish?
64. Can you describe the laws and regulations that have a significant impact to information security at our organization?
65. What is the relationship between information security and privacy laws?
66. What is security level management?
67. How do you ensure that security management is transparent and measurable?
68. Can you outline the typical responsibilities of a Chief Security Officer (CSO)?
69. Can you give me an example of some emerging trends in information security that you're keeping an eye on?
Experience
70. Have you developed an incident response plan?
71. Have you been involved in supporting incident investigations? What was your role? What was the outcome?
72. Have you performed a risk analysis and evaluation? How did you go about it? What stakeholders did you involve?
73. Have you performed a threat assessment? What factors did you consider?
74. Have you performed a vulnerability assessment? What types of vulnerabilities are most difficult to identify?
75. In the context of a vulnerability assessment, how do you calculate the probability that a vulnerability will be exploited?
76. Can you give me an example of a time you identified and implemented controls to mitigate a risk? How did you evaluate the controls?
77. How do you stay up-to-date with technology? For example, how do you keep up with new information security threats?
Cryptography
78. How does the SSL Protocol work?
79. What is the difference between symmetric-key cryptography and public-key cryptography?
80. Can you give me an overview of how public-key cryptography works?
81. What is the difference between the encryption standards AES and DES?
82. What is the role of digital certificates in encryption?
83. What encryption mechanisms would you recommend to an organization that wants to encrypt its outgoing emails?
84. Can you give me an overview of IPsec? What is its purpose?
85. Does IPsec replace the need for SSL?
Security Incident Management
86. What are the components of ITIL incident management?
87. If our organization experienced a major security incident, what steps should we take to manage the incident?
88. Can you describe the responsibilities of an incident manager?
Threats
89. In your opinion, what are the top five information security threats facing an organization such as ours?
90. What is a man-in-the-middle attack?
91. Can you give me an example of cross-site scripting?
92. What is SQL injection? How is it prevented?
93. What is a buffer overflow?
94. What is clickjacking?
Vulnerabilities
95. What is a insecure direct object reference? Why is it a problem?
96. Why is it important to validate redirects and forwards?
97. What are some common security vulnerabilities at the information storage level?
98. What are some common security vulnerabilities at the transport level?
99. How can improper error handling expose security vulnerabilities? How?
Physical Security Integration
100. Can you give me a few examples of physical security integration?
101. What is social engineering? How common is it?
102. How would you secure an office environment? What about a data center?
0 Response to "Security Interview Questions1"
Post a Comment