What is the function of the 802.1x security standard?
- Port-based network access control that provides the highest degree of port security by implementing port-based authentication.
- This protocol authenticates users on a per-switch port basis by permitting access to valid users but effectively disabling the port if authentication fails.
- This prevents an unauthenticated device from receiving any network traffic until its identity can be verified.
- It also strictly limits access to the device that provides the authentication to prevent attackers from reaching it.
What are the three main types of cryptography?
Symmetric, Asymmetric and Hash Functions
______ is a vulnerability where an application takes input from a user and doesn't validate that the user's input doesn't contain additional ____.
SQL Injection- an attack that consists of the insertion or "injection" of a SQL query via the input data sent from the client to the application.
Ex:
<?php
$username = $_GET['username']; // e.g. kchung (attacker-controlled input)
// The raw parameter is concatenated straight into the query with no validation
// or parameterization, so a crafted username changes the SQL that runs.
$result = mysql_query("SELECT * FROM users WHERE username='$username'");
?>
Creating this bit-by-bit replica of a storage device (e.g., a hard drive or USB stick) ensures an exact, unaltered copy for analysis—even though the process can be time-consuming on large-capacity media.
Disk imaging- a snapshot of a storage device's structure and data, typically stored in one or more computer files on another storage device.
Traditionally, disk images were bit-by-bit copies of every sector on a hard disk, often created for digital forensics. However, it is now common to copy only allocated data to reduce storage space.
This widely used open-source network utility is celebrated for its ability to discover hosts and services, detect operating system versions, and run scripts to probe for vulnerabilities, and it often serves as the first step in network reconnaissance.
Nmap- "network mapper" is an open-source network exploration tool that is often used for auditing and scanning networks.
Name at least three technical security controls.
- Firewall rules, ACLs, Cloud FW, RADIUS server, IPS, Encryption and disaster recovery software.
- All enforce CIA in the digital space.
What is the difference between a block cipher and a stream cipher?
A stream cipher encrypts data one bit or byte at a time, while a block cipher encrypts data in fixed-size blocks, meaning it processes a group of bits simultaneously; essentially, a stream cipher operates on a continuous stream of data, whereas a block cipher works on discrete chunks of data.
This is an attack on an authenticated user which abuses the user's existing session state in order to perform state-changing actions such as a purchase, a transfer of funds, or a change of email address.
Cross Site Request Forgery or CSRF Attack, pronounced see surf.
This attack forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.
By tweaking the least significant bits (LSBs) of an image or audio file so that the changes remain imperceptible, a hidden message can be embedded and transmitted undetected, illustrating this covert data-hiding technique.
Steganography is the practice of hiding data in plain sight. Steganography is often embedded in images or audio.
This open-source password recovery utility supports numerous cryptographic hash formats and advanced attack modes (e.g., dictionary, mask, and rule-based), leveraging both CPUs and GPUs to rapidly crack credentials.
Hashcat- password cracking tool that supports many hashing modes.
What are the three layers that comprise Software Defined Networking?
Infrastructure Layer (Data Plane)- Forwarding, tracking, encrypting, NAT
Control Layer (Control Plane)- Routing tables, session tables, NAT tables.
Application Layer (Management Plane)- SSH, browser, API
What is considered the most secure symmetric encryption?
Advanced Encryption Standard with a 256-bit key. (AES-256)
A classic example of this vulnerability occurs when a web application concatenates user-controlled input into a file path—such as "/var/www/html/" . $_GET['page']—allowing an attacker to submit ../../etc/passwd and read sensitive system files.
Directory Traversal- a vulnerability where an application takes in user input and uses it in a directory path.
Any kind of path controlled by user input that isn't properly sanitized or properly sandboxed could be vulnerable to directory traversal.
This powerful tool is often used to analyze raw memory dumps. It can identify a system’s OS version, list processes, dump their memory, and even reveal hidden or suspicious activity.
Volatility tool- analyzes the runtime state of a system using the data found in volatile storage (RAM).
Developed by the NSA, this open-source software suite offers advanced disassembly, decompilation, and collaborative features—enabling security researchers to reverse engineer various architectures efficiently and extend capabilities via plug-ins.
Ghidra- is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra extension components and/or scripts using Java or Python.
A technique used in enterprise networks, this system checks a client’s security posture (patch level, AV signatures, etc.) before granting or denying network access.
- Network Access Control (NAC)- uses rules, protocols, and processes to control access to network resources, including: Network routers, PCs, IoT devices, Virtual and software-defined resources, and Data transmitted through the network.
What symmetric encryption algorithms are considered weak or outdated?
Data Encryption Standard (DES)
Triple DES w/ short keys (3DES)
RC2 & RC4
Any encryption algorithm with insufficient key length (less than 128 bits).
In this XSS variant, an attacker’s malicious script is saved on the server—often inside a user-generated post or comment—and then served to every visitor who views that content, making it harder for browsers to detect or block.
Stored XSS
Stored XSS is different from reflected XSS in one key way. In reflected XSS, the exploit is provided through a GET parameter. But in stored XSS, the exploit is provided from the website itself.
Imagine a website that allows users to post comments. If a user can submit an XSS payload as a comment, and then have others view that malicious comment, it would be an example of stored XSS.
This is because the website itself serves the XSS payload to other users. That makes it very difficult to detect from the browser's perspective, and no browser is capable of generically preventing stored XSS from exploiting a user.
Reproducibility
Nicknamed the “Swiss Army Knife” for security and forensics, this user-friendly, web-based platform offers a drag-and-drop interface for encoding, decoding, encrypting, decrypting, and performing many other transformations on data—all in one place.
CyberChef- Web application
https://gchq.github.io/CyberChef/
Which of the following are often identified as the three main goals of security?
CIA Triad- Confidentiality, Integrity and Availability
To address the privacy and performance drawbacks of traditional certificate revocation checks, this technique allows a server to embed a time-stamped status response signed by the Certificate Authority directly into the TLS handshake, thus eliminating the need for a separate, real-time client query.
OCSP stapling
CRL (Certificate Revocation List)
OCSP (Online Certificate Status Protocol)
Balancing Real-Time Verification & Traffic
OCSP Stapling
By exploiting this vulnerability, an attacker can force a web application’s server to send crafted requests (e.g., to 127.0.0.1), potentially gaining access to internal services or performing unauthorized port scans—all while originating traffic from the server’s IP address instead of the attacker’s.
Server-Side Request Forgery (SSRF) attack- the attacker abuses functionality on the server to read or update internal resources. The attacker supplies or modifies a URL from which the code running on the server will read, or to which it will submit data; by carefully selecting URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases, or perform POST requests towards internal services that are not intended to be exposed.
This specialized file system commonly used in digital forensics prevents any writes to the evidence drive by intercepting write commands at the kernel level.
A write blocker (or forensics write blocker)- allows investigators to examine media while preventing data writes from occurring on the subject media.
This popular browser extension identifies a website’s underlying technologies—ranging from CMS platforms and web frameworks to analytics services—thus providing quick insight into an organization’s tech stack.
Wappalyzer- "Find out what websites are built with."