✔✔B9) Linux vs Windows RPC - ✔✔1) ONC/RPC (Open Network Computing RPC) is
primarily used in Linux/Unix vs DCE/RPC (Distributed Computing Environment RPC), which is
primarily used in Windows. 2) The Unix portmapper (rpcbind) listens on TCP/111 and UDP/111 vs
the Windows RPC endpoint mapper, which listens on TCP/135 (the NetBIOS services sit alongside it on 137-139).
✔✔B10) What is the point of filtering and firewalling? - ✔✔Without it you could connect
to any address on any port. Filtering limits IP traffic (usually at Layers 3 and 4).
✔✔B10) How does IP filtering work? - ✔✔Filtering limits IP traffic (usually at Layers 3 and
4): by source and destination IP address (Network Layer), by source or destination port
(Transport Layer), and by protocol, i.e. the IP protocol number such as TCP, UDP or ICMP (Network Layer).
✔✔B10) Host based firewall? (3) - ✔✔1) A host-based firewall is where the host protects
itself only. It is useful as a second line of defence behind the network firewall. Windows Firewall is an
example of a host-based firewall. 2) Most simple host filters are static (stateless). 3) Windows' older
'TCP/IP Filtering' setting is static (the modern Windows Firewall is stateful). Linux uses iptables/nftables,
which are dynamic (stateful) through connection tracking.
✔✔B10) IPsec? (3) - ✔✔1) Internet Protocol Security is a secure network protocol suite
that authenticates and encrypts IP packets to provide secure communication between two
hosts over an IP network. It is used in virtual private networks. 2) IPsec policies include IP
filtering: each filter action can block traffic, permit it in the clear, or require (negotiate)
protected traffic. 3) IPsec uses a policy database (the SPD). This gives finer control than the
basic Windows IP filtering.
✔✔B10) Stateful packet inspection? - ✔✔Also known as dynamic packet filtering. It
tracks the active connections on a network: each connection is recorded in a state table and every
packet is checked against it to see whether it belongs to a valid connection, which is why it offers
better protection than static packet filtering. Static filtering only checks each packet's headers in
isolation to decide whether it passes the firewall. A stateful firewall can instead open a temporary
return rule (e.g. for a UDP reply, expiring after about 60 seconds) rather than leaving a permanent hole.
✔✔B10) Static filtering syntax (2) - ✔✔1) For TCP, format: ALLOW tcp <src> <dest> <port>.
ALLOW tcp ANY 192.193.194.195 eq 25 lets any host reach the mail server on port 25; a static filter
cannot tell a new SYN from an established flow, so it allows all traffic to that port in. 'eq' means equal
to. 2) For UDP: ALLOW udp 192.193.194.0 ANY eq 53 lets internal hosts query any DNS server. ALLOW udp ANY
192.193.194.0 gt 1023 lets the replies back. Problem: the DNS server sends its reply to the client's
source port, which is above 1023, so the rule has to allow any UDP port above 1023 in, which is a wide
hole that only a stateful firewall avoids.
✔✔B10) TCP Wrapper - ✔✔1) TCP Wrapper is a host-based networking ACL system,
used to filter network access to Internet services, seen only on Unix/Linux. It is implemented at
the application layer (libwrap/tcpd), not in the kernel. 2) It controls access to network services started
via inetd: the inetd entry runs tcpd followed by the service name. 3) Access is controlled by 2 files,
/etc/hosts.allow and /etc/hosts.deny, checked in that order; if neither file matches, access is allowed.
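The evaluation order is the part people get wrong, so here is the check as tcpd performs it, as an added example (not from the original notes, not the libwrap source). The hosts.allow and hosts.deny contents are constructed; the matcher covers ALL, exact IPs, the "192.168.1." prefix form, net/netmask and EXCEPT, which is enough to show the default-allow trap when hosts.deny is empty:

```python
"""hosts.allow / hosts.deny evaluation in the order tcpd uses (added example)."""
import ipaddress

# Constructed sample files: not taken from any real host.
HOSTS_ALLOW = """
sshd: 10.0.0.0/255.255.255.0 EXCEPT 10.0.0.99
sshd: 192.168.1.
ALL: 127.0.0.1
"""
HOSTS_DENY = """
ALL: ALL
"""

def _client_matches(pattern, client_ip):
    """One client pattern: ALL, exact IP, 'net.' prefix or net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # 192.168.1.  -> prefix match
        return client_ip.startswith(pattern)
    if "/" in pattern:                             # 10.0.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    return pattern == client_ip

def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon

def _list_matches(field, value, matcher):
    """'a b EXCEPT c d' semantics: in the first list and not in the second."""
    words = field.split()
    if "EXCEPT" in words:
        i = words.index("EXCEPT")
        return (_list_matches(" ".join(words[:i]), value, matcher)
                and not _list_matches(" ".join(words[i + 1:]), value, matcher))
    return any(matcher(w, value) for w in words)

def _file_matches(text, daemon, client_ip):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        daemons, clients = parts[0], parts[1]      # a third field (shell command) is ignored here
        if (_list_matches(daemons, daemon, _daemon_matches)
                and _list_matches(clients, client_ip, _client_matches)):
            return True
    return False

def hosts_access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow first (match -> allow), then hosts.deny (match -> deny), else ALLOW."""
    if _file_matches(allow, daemon, client_ip):
        return True
    if _file_matches(deny, daemon, client_ip):
        return False
    return True   # no explicit 'ALL: ALL' in hosts.deny means everything else is let in

if __name__ == "__main__":
    for d, ip in [("sshd", "10.0.0.5"), ("sshd", "10.0.0.99"), ("sshd", "192.168.1.7"),
                  ("sshd", "203.0.113.9"), ("ftpd", "127.0.0.1"), ("ftpd", "10.0.0.5")]:
        print(f"{d:5} from {ip:12} -> {'allow' if hosts_access(d, ip) else 'deny'}")
    print("ftpd from 10.0.0.5 with an empty hosts.deny ->",
          "allow" if hosts_access("ftpd", "10.0.0.5", deny="") else "deny")
```

The last line is the practitioner's check: without the `ALL: ALL` line in hosts.deny, every service not mentioned in hosts.allow is reachable from everywhere.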
✔✔B10) Clean up rule - ✔✔Rule 20 shows the cleanup rule. Usually this is the last rule,
a catch-all for anything not covered by the rulebase. There should always be an explicit
cleanup rule because the default action of each firewall when nothing matches is unpredictable,
and an implicit drop is usually not logged:
20 ANY ANY ANY DROP YES (columns: No, SRC, DST, SERVICE, ACTION, LOG)
✔✔B10) Firewall/NAC logging best practices (3) - ✔✔1) Everything should be logged
(see rule 9), except for 'noisy' protocols that broadcast every second, which would fill the log
quickly (see rule 10). 2) Every ACCEPT must be logged. DENY should be logged too, i.e. the
cleanup rule (see rule 20). 3) If traffic is not logged there is no audit trail. The firewall log is
the one log that can be trusted: for example, an HTTP server's log can be modified once the server
is compromised, whereas the firewall's log cannot be altered from that host.
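The static filter rules, the stateful alternative, the cleanup rule and the logging points above can all be exercised in one small simulator. This is an added example, not code from the original notes or from any firewall product; the rulebase, addresses and packets are constructed to mirror the flashcard (internal network 192.193.194.0/24, mail server 192.193.194.195), and "192.193.194.0" is read as a /24 in the flashcard's shorthand:

```python
"""Static vs stateful packet filtering over the flashcard's rule syntax (added example)."""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    no: int
    action: str            # ALLOW / DROP
    proto: str             # tcp, udp or ANY
    src: str               # ANY, host, or x.y.z.0 meaning the /24 (flashcard shorthand)
    dst: str
    op: str = "ANY"        # eq / gt / ANY, applied to the destination port
    port: int = 0
    log: bool = False

def _addr_match(pattern, ip):
    if pattern == "ANY":
        return True
    if pattern.endswith(".0"):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern + "/24")
    return pattern == ip

def _rule_match(rule, p):
    if rule.proto != "ANY" and rule.proto != p.proto:
        return False
    if not _addr_match(rule.src, p.src) or not _addr_match(rule.dst, p.dst):
        return False
    if rule.op == "eq":
        return p.dport == rule.port
    if rule.op == "gt":
        return p.dport > rule.port
    return True

# Constructed rulebase; rule numbers follow the flashcard (20 is the cleanup rule).
RULES = [
    Rule(1, "ALLOW", "tcp", "ANY", "192.193.194.195", "eq", 25, log=True),   # inbound SMTP
    Rule(2, "ALLOW", "udp", "192.193.194.0", "ANY", "eq", 53, log=True),     # DNS queries out
    Rule(3, "ALLOW", "udp", "ANY", "192.193.194.0", "gt", 1023, log=True),   # DNS replies back: the static hole
    Rule(20, "DROP", "ANY", "ANY", "ANY", log=True),                         # cleanup rule, logged
]

class StaticFilter:
    """First matching rule wins; no memory of earlier packets."""
    def __init__(self, rules):
        self.rules, self.log = rules, []
    def decide(self, p):
        for r in self.rules:
            if _rule_match(r, p):
                if r.log:
                    self.log.append(f"rule {r.no} {r.action} {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport}")
                return r.action
        return "DROP"   # implicit default, never logged: the reason for an explicit cleanup rule

class StatefulFilter(StaticFilter):
    """Same rules minus rule 3: an allowed outbound UDP query opens a reply entry for 60 s."""
    TIMEOUT = 60
    def __init__(self, rules):
        super().__init__([r for r in rules if r.no != 3])
        self.state = {}   # (proto, client, cport, server, sport) -> expiry time
    def decide(self, p, now=0):
        reply_key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reply_key in self.state:
            if now <= self.state[reply_key]:
                self.log.append(f"state {p.proto} reply {p.src}:{p.sport}->{p.dst}:{p.dport}")
                return "ALLOW"
            del self.state[reply_key]             # expired: fall through to the static rules
        action = super().decide(p)
        if action == "ALLOW" and p.proto == "udp":
            self.state[(p.proto, p.src, p.sport, p.dst, p.dport)] = now + self.TIMEOUT
        return action

def demo():
    query = Packet("udp", "192.193.194.10", 34567, "8.8.8.8", 53)
    reply = Packet("udp", "8.8.8.8", 53, "192.193.194.10", 34567)
    rogue = Packet("udp", "203.0.113.5", 4444, "192.193.194.10", 5000)      # unsolicited, port > 1023
    web = Packet("tcp", "203.0.113.5", 40000, "192.193.194.195", 80)        # matches nothing
    static, stateful = StaticFilter(RULES), StatefulFilter(RULES)
    no_cleanup = StaticFilter([r for r in RULES if r.no != 20])
    return {
        "static":   [static.decide(query), static.decide(reply), static.decide(rogue)],
        "stateful": [stateful.decide(query, now=0), stateful.decide(reply, now=5),
                     stateful.decide(rogue, now=5), stateful.decide(reply, now=120)],
        "static_log": static.log, "stateful_log": stateful.log,
        "implicit": (no_cleanup.decide(web), no_cleanup.log),   # dropped, but no audit trail
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The static filter lets the rogue packet in because rule 3 has to accept any UDP port above 1023; the stateful filter only accepts the reply it saw the query for, and rejects the same reply once the 60 s entry has expired. The `implicit` entry shows the cleanup-rule argument: without rule 20 the web packet is still dropped, but nothing is written to the log.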
✔✔B11) Encryption vs Encoding - ✔✔1) Encoding is not encryption: it converts data by
use of a public, keyless scheme (e.g. Base64) that anyone can reverse. Encryption is the process of
changing plaintext into ciphertext using a cryptographic algorithm and a key. Ciphertext should be
indistinguishable from random data.
✔✔B11) Symmetric vs Asymmetric Encryption - ✔✔Symmetric = secret key (the same key is
used to encrypt and decrypt) vs Asymmetric = private/public key pair (encrypt with one,
decrypt with the other). Typical key length for symmetric ciphers is 56-256 bits vs 512-4096 bits
for asymmetric (RSA); 512-bit RSA has long been factorable, so 2048 bits is the practical minimum today.
✔✔B11) Symmetric vs Asymmetric Example Ciphers - ✔✔Symmetric = DES, 3DES,
AES, RC4 vs Asymmetric = RSA (also Diffie-Hellman and the elliptic-curve schemes).
✔✔B11) What is a cipher? - ✔✔A cipher is the encryption algorithm; its output is the ciphertext.
P ---E---> C {encryption}. C ---D---> P {decryption}. Without the key for D, it should be infeasible
to work out P from C. Stream cipher e.g. RC4.
✔✔B11) Stream Cipher vs Block Cipher - ✔✔The main difference is that a block cipher
converts plaintext into ciphertext one fixed-size block at a time (64 bits for DES, 128 bits for
AES), while a stream cipher generates a keystream from the key and combines it (XOR) with the
plaintext one byte (or bit) at a time.
✔✔B11) Windows Password Hashes (2) - ✔✔1) LANMAN (LM) hash. Used in older versions
of Windows. The password is uppercased, padded to 14 characters and split into two 7-character
halves that are hashed independently (each half is a DES key used to encrypt a fixed constant), so
it is really two 7-character UPPERCASE-only passwords. 2) NT hash (NTLM). An unsalted MD4 hash of
the UTF-16LE password; it is case sensitive and is not split into groups of 7 characters.
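What "unsalted MD4" costs an attacker is easiest to see by computing the NT hash and looking it up in a precomputed table. The following is an added example, not code from the original notes: MD4 is implemented in pure Python (per RFC 1320) because the OpenSSL behind `hashlib` often ships without the legacy md4 provider, the wordlist is constructed, and the LM helper stops after the uppercase/split step because DES is not in the standard library:

```python
"""NT hash = unsalted MD4(UTF-16LE(password)); LM preprocessing (added example)."""
import struct

_MASK = 0xFFFFFFFF

def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. No salt, no iterations: the whole weakness of the NT hash."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """Exactly what is stored in the SAM / NTDS for the NT hash: MD4 over UTF-16LE, no salt."""
    return md4(password.encode("utf-16-le")).hex()

def lm_halves(password: str):
    """LM preprocessing: uppercase, truncate/pad to 14 bytes, split into two 7-byte halves.
    Each half would then be used as a DES key to encrypt a fixed constant (DES step omitted:
    not in the standard library). Two independent 7-character uppercase searches replace
    one 14-character search, which is why LM falls in hours."""
    p = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return p[:7], p[7:]

# Constructed wordlist; a real cracker precomputes exactly this table once and reuses it
# for every user on every domain, because there is no salt to make each hash unique.
WORDLIST = ["123456", "password", "letmein", "Password1"]
LOOKUP = {nt_hash(w): w for w in WORDLIST}

def crack(nt_hex: str):
    return LOOKUP.get(nt_hex.lower())

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    print("NT hash of '':        ", nt_hash(""))        # the well-known empty-password hash
    print("lookup:", crack(nt_hash("password")))
    print("LM halves of 'Password123':", lm_halves("Password123"))
```

Two users with the same password get byte-identical NT hashes, and the empty password always hashes to the same well-known value; both are direct consequences of the missing salt.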
✔✔B11) What is Cisco Type 7 - ✔✔Cisco Type 7 (what 'service password-encryption' produces) is a
weak, fixed-key scheme: the password is XORed with a fixed, publicly known key string, starting at an
offset given by the first two digits of the stored value. It is trivially reversible. It is a Vigenère-style
cipher, strong in the 16th century but not today; use 'enable secret' (a real hash) instead.
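Reversing Type 7 needs nothing but the fixed key string, as this added example shows (it is not code from the original notes; the sample value is constructed from the algorithm and decodes to the password "cisco"):

```python
"""Cisco Type 7 'encryption': XOR against a fixed, public key string (added example)."""
_T7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # the well-known constant

def type7_decrypt(stored: str) -> str:
    """First two digits are the seed (start offset into the key); the rest is hex ciphertext."""
    seed = int(stored[:2])
    body = bytes.fromhex(stored[2:])
    return bytes(b ^ _T7_KEY[(seed + i) % len(_T7_KEY)] for i, b in enumerate(body)).decode()

def type7_encrypt(plain: str, seed: int = 6) -> str:
    """Same operation in reverse; the seed is merely a starting offset, not a secret."""
    body = bytes(c ^ _T7_KEY[(seed + i) % len(_T7_KEY)] for i, c in enumerate(plain.encode()))
    return f"{seed:02d}" + body.hex().upper()

if __name__ == "__main__":
    print(type7_decrypt("060506324F41"))            # -> cisco
    print(type7_encrypt("cisco", seed=12))          # a different seed, same password, no secret
```

The decoder is the reason a `show running-config` with Type 7 strings is as good as a cleartext password list.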
✔✔B11) HMAC? - ✔✔Hash-based Message Authentication Code. Designed to detect tampering
with messages in transit. Normally appended to every message: a keyed hash of the message,
computed with a secret key shared by sender and receiver, so that anyone without the key cannot
produce a valid tag for a modified message (a plain hash would not help, since the attacker could recompute it).
✔✔B12) Uses of cryptography? (3) - ✔✔1) Authentication: one-time passwords and
certificates. 2) Encryption (confidentiality): ciphertext unreadable to those without the key. 3) Integrity
checking: protects against noise and malicious tampering, using hashes and Message
Authentication Codes (MACs).
✔✔B12) SSL/TLS version flaws - ✔✔SSLv2 was Netscape's proprietary version, designed in 1994
and released in 1995. SSLv2 has known security vulnerabilities (weak MAC, unprotected handshake) and must be
disabled; SSLv3 is also broken (POODLE), so TLS 1.2 or later should be used.
✔✔B12) SSL server vs client auth? - ✔✔SSL/TLS always performs server authentication but
rarely performs client authentication. It is done using a certificate. C ——>[S]: the
server has to prove to the client that it is who it says it is, so the server must have a certificate
(and the matching private key). Client authentication needs a client certificate too.
✔✔B12) Weak ciphersuites - ✔✔RC2, DES, NULL (no encryption at all); export-grade and anonymous (no authentication) suites are likewise weak.
✔✔B12) SecurID - ✔✔6-digit value that changes every 60 seconds, based on clock
synchronisation between token and server. It is two-factor authentication: a 4-digit PIN (something
you know) is entered, followed by the key fob value (something you have). The server holds the serial
number/seed of the client's token. Hence it requires a PIN, the token value and the server-side record of
that client. It doesn't eliminate MitM: an attacker who relays the one-time value within its window can still log in once.
✔✔B12) What is IPSec? - ✔✔A suite of protocols. Internet Key Exchange (IKE) runs
over UDP/500 (UDP/4500 when NAT traversal is used). Encapsulating Security Payload (ESP) is IP protocol 50.
Authentication Header (AH) is IP protocol 51 (these are protocol numbers, not ports). IPsec is a network
layer (layer 3) protocol, so it sits below TCP. App: SMTP, Tra: TCP, Net: IPsec/IP, DL: Ethernet, Phy: cable.
✔✔B12) PGP - ✔✔PGP (Pretty Good Privacy) is a data encryption and decryption program that
provides cryptographic privacy and authentication. PGP is often used for signing,
encrypting and decrypting text, e-mails, files, directories and whole disk partitions, mainly to
secure e-mail communications.
✔✔B12) Wireless Encryption Importance - ✔✔Wireless should always be encrypted. It is very
easy to sniff over the air, and the signal has a range that reaches beyond the building. The wireless standard is IEEE 802.11.
✔✔B12) WEP - ✔✔Wired Equivalent Privacy (WEP), introduced in 1997. For encryption it uses
RC4 (stream cipher), with a 24-bit IV prepended to the shared key. An RC4 keystream must never be
reused: XORing two ciphertexts produced with the same key and IV cancels the keystream and leaves
the XOR of the two plaintexts, and the small IV guarantees reuse on a busy network. WEP has two
methods of authentication, 'Open System' and 'Shared Key': 'Open System' does not authenticate
at all (the key is still needed to encrypt data frames, so a wrong key just means no traffic). 'Shared
Key' uses the configured WEP key to encrypt a challenge sent by the access point, which actually
hands an eavesdropper a known plaintext/ciphertext pair. At least WEP is better than no encryption,
but it is broken and should not be used.
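The three stream-cipher points in these notes (RC4 as a byte-at-a-time XOR of a keystream, WEP's keystream reuse, and why an HMAC is needed on top of encryption) fit in one runnable demonstration. This is an added example, not code from the original notes or from any WEP implementation: RC4 is written out because the notes use it, the "WEP-like" function only models the IV || key construction, and the keys, IV and messages are constructed:

```python
"""RC4 keystream reuse (WEP's failure), bit-flip malleability, and HMAC (added example)."""
import hmac
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 = KSA + PRGA; encryption and decryption are the same XOR with the keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                                      # keystream generation, one byte at a time
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_like_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Constructed model of WEP: RC4 keyed with IV || key, no per-packet key mixing."""
    return rc4(iv + key, plaintext)

def keystream_reuse_attack(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Same key and IV twice: c1 ^ c2 == p1 ^ p2, so a guessable p1 reveals p2 without the key."""
    return xor(xor(c1, c2), known_p1)

def bit_flip(data: bytes, offset: int, mask: int) -> bytes:
    """Stream ciphers are malleable: flipping ciphertext bits flips the same plaintext bits."""
    d = bytearray(data)
    d[offset] ^= mask
    return bytes(d)

def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC-SHA256 over the ciphertext with a separate secret key."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def open_sealed(mac_key: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None                                        # tampered: reject before decrypting
    return ct

def demo():
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"     # constructed 40-bit key, 24-bit IV
    p1 = b"GET /index.html HTTP/1.0"                       # something an attacker can guess
    p2 = b"PASS hunter2 secret!!!!!"                       # the frame they actually want
    c1, c2 = wep_like_encrypt(key, iv, p1), wep_like_encrypt(key, iv, p2)
    recovered = keystream_reuse_attack(c1, c2, p1)

    amount = b"PAY 0100 TO BOB"
    ct = rc4(key, amount)
    forged = rc4(key, bit_flip(ct, 4, ord("0") ^ ord("9")))   # "0100" -> "9100" with no key
    mac_key = b"separate-mac-key"
    sealed = seal(mac_key, ct)
    tampered = bit_flip(sealed, 4, ord("0") ^ ord("9"))
    return {"recovered": recovered, "forged": forged,
            "mac_ok": open_sealed(mac_key, sealed) == ct,
            "mac_tampered_rejected": open_sealed(mac_key, tampered) is None}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The forged payment shows why a stream cipher alone gives no integrity at all; the HMAC check rejects the same modification because the attacker cannot recompute the tag without the MAC key. Real WEP added a CRC-32 "ICV" instead of a MAC, which is linear and therefore does not stop this.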
✔✔B12) TKIP - ✔✔Temporal Key Integrity Protocol (TKIP). TKIP still uses RC4 (128-bit key) but
adds per-packet key mixing, a larger IV and a message integrity check (Michael) so that it could run on
existing WEP hardware; it was a stop-gap and is now deprecated.
✔✔B12) WPA - ✔✔Wi-Fi Protected Access (WPA). WPA-TKIP has a weakness that
allows attackers to recover a keystream and decrypt or inject short packets (the Beck-Tews attack);
WPA2 with AES-CCMP replaced it.
✔✔B13) What is the Unix security model? - ✔✔Everything is a file, e.g. regular files, devices,
etc. File protection is therefore the key security point. /dev holds device files. /proc is a virtual
filesystem exposing kernel and process information. There are 2 classes of users: 'users' and the 'superuser'.
Every user has a numeric ID, the 'uid'. 'Users' have uid != 0. The superuser has uid = 0. 'root' is the
default superuser name and the convention. 'root' can be renamed but this causes problems. 'root'
has control of most of the OS, which is why attackers aim to 'root' a system, i.e. obtain uid 0.
✔✔B13) Unix File Protection - ✔✔Every file has metadata associated with it (ownership and
permissions). A file has an 'OWNER', a 'GROUP' and a 'MODE'. The mode holds three permission triplets
(owner, group, other); within each, bit 0 (value 1) is 'execute', bit 1 (value 2) is 'write' and bit 2
(value 4) is 'read'. A fourth triplet holds the special permissions: bit 0 (octal 1000) is the 'sticky
bit', bit 1 (2000) is 'SGID' and bit 2 (4000) is 'SUID'. SUID/SGID make a program run with the file
owner's UID / the file group's GID instead of the caller's.
✔✔B13) File vs Directory UNIX perms - ✔✔File = R | read data, W | write data, X |
execute program. Directory = R | list contents (ls), W | add, delete, rename files in the
directory (together with X), X | traverse the directory, i.e. access entries by name.
✔✔B13) Normal UNIX permissions for files, programs and directories? - ✔✔Text files
usually have permissions of 640 (rw-r-----). Programs usually have permissions of 750 (rwxr-x---). Directories
usually have permissions of 755 (rwxr-xr-x).
✔✔B13) CRON - ✔✔cron runs scheduled tasks. The cron daemon wakes up every
minute and checks its tables. The schedules are stored in crontabs (per-user tables, plus /etc/crontab and /etc/cron.d).
✔✔B13) Linux Priv Esc (3) - ✔✔1. Writable SUID executables (e.g. owned by root with mode 4777):
replace the contents with your own code. Note: writing to the file drops the setuid bit on most OSes. 2. Writable
files that are executed or processed by root (e.g. a crontab or a script cron runs as root). 3. Files in a
writable directory that are executed by root (the file itself need not be writable: you can rename or replace it in the directory).
✔✔B13) Privileges when creating files - ✔✔1) Programs request the permissions for the files they
create, typically 0666 for data files and 0777 for executables; the umask is then applied. 2) umask can be
set at system login and in the user's profile. Unix uses umask as a mask of the bits to remove from the
requested mode (final mode = requested & ~umask). Windows uses inheritance instead. A umask of 0002
removes world-write access from new files; 0022 removes group-write too. 3) umask 000 => no restriction
(data files stay world-writable); umask 777 => no permissions at all.
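The mode bits, umask arithmetic and the three privilege-escalation checks from the B13 cards can be put into one small audit routine. This is an added example, not code from the original notes: it parses `ls -l`-style mode strings rather than calling `os.stat`, so the sample listing (constructed, with made-up paths) runs anywhere, and a file is flagged only when it is world-writable or sits in a world-writable directory without the sticky bit:

```python
"""Mode bits, umask and the three priv-esc checks from the notes (added example)."""
import stat
from dataclasses import dataclass

def parse_ls_mode(s: str) -> int:
    """'-rwsr-xr-x' -> 0o4755. Lowercase s/t also carry the x bit; uppercase S/T do not."""
    perm = s[1:10]
    mode = 0
    for i, ch in enumerate(perm):
        if ch in "rwxst":
            mode |= 1 << (8 - i)          # rwxrwxrwx, owner triplet first
    if perm[2] in "sS":
        mode |= stat.S_ISUID
    if perm[5] in "sS":
        mode |= stat.S_ISGID
    if perm[8] in "tT":
        mode |= stat.S_ISVTX
    return mode

def apply_umask(requested: int, umask: int) -> int:
    """Unix: final mode = requested & ~umask. The umask only ever removes bits."""
    return requested & ~umask & 0o7777

def default_modes(umask: int):
    """What a 0666 data file and a 0777 program/directory end up as under this umask."""
    return apply_umask(0o666, umask), apply_umask(0o777, umask)

@dataclass
class Entry:
    path: str
    mode: str                      # ls -l style mode string
    owner: str
    run_by_root: bool = False      # known to be executed or parsed by root (cron, init, ...)
    parent_mode: str = "drwxr-xr-x"

def audit(e: Entry):
    """Return the flashcard findings (1-3) that apply to this entry."""
    m, pm = parse_ls_mode(e.mode), parse_ls_mode(e.parent_mode)
    world_writable = bool(m & stat.S_IWOTH)
    findings = []
    if (m & stat.S_ISUID) and e.owner == "root" and world_writable:
        findings.append("1: world-writable SUID-root executable")
    if e.run_by_root and world_writable:
        findings.append("2: world-writable file executed/processed by root")
    if e.run_by_root and (pm & stat.S_IWOTH) and not (pm & stat.S_ISVTX):
        findings.append("3: in a world-writable directory without sticky bit (replaceable)")
    return findings

# Constructed listing: paths and modes invented to exercise each rule.
SAMPLE = [
    Entry("/usr/local/bin/backup", "-rwsrwxrwx", "root"),
    Entry("/etc/cron.d/nightly", "-rw-rw-rw-", "root", run_by_root=True),
    Entry("/opt/scripts/clean.sh", "-rwxr-xr-x", "root", run_by_root=True, parent_mode="drwxrwxrwx"),
    Entry("/usr/bin/passwd", "-rwsr-xr-x", "root"),                                   # normal SUID, fine
    Entry("/tmp/job.sh", "-rwxr-xr-x", "root", run_by_root=True, parent_mode="drwxrwxrwt"),  # sticky /tmp
]

def audit_all(entries=SAMPLE):
    return {e.path: audit(e) for e in entries}

if __name__ == "__main__":
    for path, f in audit_all().items():
        print(f"{path:24} {f or 'ok'}")
    for u in (0o022, 0o002, 0o000, 0o777):
        f, d = default_modes(u)
        print(f"umask {u:04o}: file {f:04o} dir {d:04o}")
```

Group-writable files are not flagged here; they matter only when the attacker is in that group, which is a separate check against `/etc/group`.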
✔✔B14) Listing processes on Unix (4) - ✔✔1) ps lists processes: PID is the process ID (a number),
PPID the parent's PID. The TTY column shows the controlling terminal, which can be any device ('?' if none).
2) "pstree" lists processes as a tree. 3) "top" shows live CPU and memory usage per process. 4) "lsof" lists
open files, including network sockets.
✔✔B14) What does netstat do? - ✔✔Displays network sockets (listening and active). netstat
works on Linux, Solaris and Windows (on modern Linux distributions ss has replaced it). Of interest are
TCP sockets and UDP sockets. UNIX domain sockets are also displayed.