Archive for the ‘InfoSec’ Category
Information Security Interview Questions
Posted: May 8, 2013 in InfoSecTags: interview question and answers, web application security
The number of Information Security related jobs are growing extensively…. There is a huge requirement for skilled InfoSec professionals across the globe.. the jobs positions are available for freshers, experienced guys and top management (typically CISO etc)… This post is my attempt to collect typical InfoSec interview question and answers to help those looking out opportunities in this field… I’ll keep on updating the questions regularly.. You can also share/contribute any questions you might have faced during your InfoSec interviews….
Category I: General Security Concepts / Network Security / OS Security
1) Is there any difference between Information Security and IT Security? If yes, please explain the difference.
Ans– Yes. Information Security and IT Security are both different terms often used interchangeably. IT Security focuses on purely technical controls (like implementing antivirus, firewall, hardening systems etc) while Information Security is more wider term which implies securing “information” as an asset be it in any form. (ex shredding of paper documents to prevent dumpster driving etc). So IT security can be considered as a subset of Information Security.
2) What is the difference between Encoding, Encryption and Hashing?
Ans– At a very high level, all these 3 terms might appear to be similar and people often confuse between them. But each of the technique is distinct and has different use case. The purpose of encoding is to transform data so that it can be properly (and safely) consumed by a different type of system, e.g. binary data being sent over email, or viewing special characters on a web page. The goal is not to keep information secret, but rather to ensure that it’s able to be properly consumed. It does not require a key as the only thing required to decode it is the algorithm that was used to encode it. Examples: ASCII, Unicode, URL Encoding, Base64. The purpose of encryption is to transform data in order to keep it secret from others. It uses a key, which is kept secret, in conjunction with the plaintext and the algorithm, in order to perform the encryption operation. Examples: AES, Blowfish, RSA. The purpose of hashing is to take arbitrary input and produce a fixed-length string that has the following attributes:
- The same input will always produce the same output.
- Multiple disparate inputs should not produce the same output.
- It should not be possible to go from the output to the input.
- Any modification of a given input should result in drastic change to the hash.
Examples- MD5, SHA1, SHA2 etc. Hashing is often used in computer forensics to verify integrity of the digital evidence.
3) What is the difference between proxy, firewall, IDS and IPS?
A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server and the proxy server evaluates the request as a way to simplify and control its complexity. Firewall is basically meant for network traffic control/filtering mainly at layer-3. It allows/denies packets and connections based on certain pre-defined rules. IDS- Intrusion Detection System is an application which tries to detect intrusion attempts based on attack signature database it has. IPS- Intrusion Prevention System detects the intrusion (like IDS) and goes one step ahead to prevent it as well. It simply drops the packet it thinks suspicious (based on rules)
Examples:
- proxy – Squid
- Firewall- IPTables, CISCO Pix, ZoneAlarm
- IDS- SNORT
- IPS- IBM Proventia
4) How does asymmetric encryption work?
5) How does SSL work? Are you aware about some of the latest vulnerabilities that were found in SSL implementation?
6) What is port scanning? What are the countermeasures to prevent it?
7) What is Man in Middle attack? Can it be prevented?
8) What is the difference between false positive and false negative?
9) Explain the term ‘Defense in depth’.
10) What do you mean by stateful inspection by a firewall?
11) What is DMZ? Which systems should be placed in DMZ? What are common security precautions for DMZ systems?
12) What is DLP? How does it work?
13) In what scenario, AD authentication should be used?
14) Is SSH completely secured? If not, can it be hardened more?
15) What is Virtualization? What are the security risks in it?
16) What do you mean by ‘BYOD’ ? Explain security concerns related with it.
17) What are the different layers of OSI model? Can you list 1 vulnerability corresponding to each of the OSI layer?
18) What are honeypots?
19) Tell about any of the major security incident that happened recently.
20) How do you keep yourself updated with latest trends in Information Security?
Ans: I refer to various security news sites , blogs etc (Like thehackernews, Rapid7 blog etc) Also I am subscribed to various online security magazines like Pentest magazine, HackInsight etc and I surf through the archives of various security conferences held worldwide.
21) Which OS do you feel is more secure? Linux or Windows?
Ans: No OS is secured unless and until its administrator is smart enough to secure it. Though Windows has more publicly found security issues, it can still be hardened appropriately. Its all about perception and having right sense of security. Linux definitely provides robust security, however a mis-configured Linux box could really pose a big threat to security.
22) Explain in brief, Multi Factor authentication.
23) Explain in short how Kerberos works.
24) How to harden a Windows Machine?
25) How to harden a Linux Machine?
26) How can you prevent DOS/DDOS attack?
27) What is a 0-Day Vulnerability? Can it be prevented?
28) What is the biggest difference between Windows OS and Linux OS?
29) Can an IDS be used to prevent intrusions? (Ans is yes, ex- SNORT, one of the open source IDS if configured in in-line mode in conjunction with IPTables, it can act as IPS)
30) Explain any type of Wi-Fi Attack and how to prevent it.
31) What is SIEM? Why it is useful?
32) What is rainbow attack? Is there a way to prevent it?
33) Explain the difference between hub, switch and router.
34) What do you mean by reverse shell in Linux?
35) Explain file ACL’s (permissions) in Linux. What is the use of sticky bit?
36) What is NAT and PAT? Explain difference between them and how do they work.
37) Comment on security concerns in Cloud Computing.
38) What is the use of ‘salt’ in reference to passwords? Are there any limitations of using it?
39) What is single sign-on? What are security risks with it?
Category II: VA/PT
1) What is the difference between Vulnerability Assessment and Penetration Testing? Which one needs to be performed first?
2) What are the steps to perform VA/PT?
3) What precautions are required to be taken while performing VA/PT?
4) With whom would you share the findings of VA/PT and how would you convey the risk of the findings effectively so that mitigation can be initiated immediately?
5) What tools do you normally use for VA and PT? Which tool you find the best and why?
6) What all should be included in report of VA/PT assessment?
7) Is it possible to hack into a system without using any tool? If yes, how would you do it? (Manually?)
8) How can you identify whether a remote machine is a Windows Machine or Linux Machine?
9) What is the difference between active and passive information gathering? (give 1 example of each)
10) How does sniffing works? Explain how can you sniff into a network. Can sniffing attack be prevented and how?
11) What would you do if nmap port scans are blocked by network security administrator? How would you gather host information in such case?
12) What are the different components of metasploit? Explain client side exploits/attacks.
Category III: Web Application Security
1) Why is Web Application Security Important?
2) “Making the website HTTPS would make it secure” share your comments on this.
3) What are cookies? What security threat do they pose?
4) What is SQL Injection attack? What are its types?
5) What are the ways to prevent SQL Injection?
6) What is XSS attack? What are its types?
7) What are the ways to prevent XSS attacks?
8) What is CSRF? How to prevent it?
9) What are the top 5 Web Application Vulnerabilities you know?
10) Explain any case wherein you found some critical web application vulnerability and you also provided solution to fix the same.
11) How would you mitigate vulnerabilities in a legacy application where much of code change is not feasible?
12) What tools do you use for performing Web Application security testing?
13) What are common security threats in Web Services and how do you test them?
14) What is the difference between White Box Application Security testing and Blackbox Application Security testing?
15) Do you have hands on knowledge of source code review? Give any example of vulnerability/bug you found during source code review.
16) What standards do you refer for Web Application Security and related vulnerabilities?
17) What are the most important steps you would recommend to secure your new web server?
18) Will L-3 firewall be useful in protecting the web application against common attacks? If yes, then to what extent?
19) What is Directory Listing? What is its impact? How to prevent it?
20) Can you explain any 2 vulnerabilities occurring due to poor session management?
21) Where should be the Web Server and Database server placed in network for optimal security?
21) Is there any risk when conducting Application Security testing on production instance?
Ans: Ideally, Application Security testing should never be performed on production instance. Automated scanners can insert, modify or even delete data from the target application. This could be a big risk. So the testing should be carried out on test instance which should contain exact replica of the application code running on production instance. If at all you have to test on production instance, its owner must take responsibility (in writing) of any data loss that may occur after testing.
22) How would you investigate or trace any security incident which occurred due to exploitation of some vulnerability in your web application?
23) Please explain how would you test a mobile application for security vulnerabilities?
24) Explain about Database Security. What are common controls for securing Databases.
25) How would you convince the developer to fix the vulnerabilities you found in the Web Application?
Ans: It is a normal human mentality not to accept our mistakes. Same applies in this case. No developer would easily accept that code written by him has serious security bugs. So, you have to demonstrate him the vulnerability you discovered with proper PoC. And explain him the severity and impact if the vulnerability gets exploited. You have to be polite while explaining and not get into arguments.
26) How does HTTP handles state?
Ans: HTTP is a stateless protocol.
27) How do you identify that an application is vulnerable to blind SQL Injection attack?
28) What is clickjacking and how do you prevent it?
29) What are the top 5 Mobile Application security threats?
30) At which stage of SDLC should the security controls be applied?
Category IV: Risk Management/ Compliance/ Security Frameworks
1) What is Risk Assessment and Risk Management? Are they same?
2) What are the standards available for Risk Management?
3) What are the types of Risks?
4) What are the possible ways to treat the risk?
5) What is the difference between threat, vulnerability , exploit and risk?
5) What is residual risk? Can it be eliminated?
6) What is ISO 27001? Why an organization should adopt it?
7) What is the difference between ISO 27001 and ISO 27002?
8) What is PCI-DSS? Is there any similarity between PCI-DSS and ISO27001?
9) What type of organizations are required to be compliant with PCI-DSS?
10) What is the difference between a standard, policy, procedure?
11) What would you do to make security program / initiative successful in the organization?
12) How would you convince the senior management to invest in certain security initiative?
13) How much would you ideally spend on securing a Windows Server? (This is a very generic question, but would really test whether the candidate is clear with the basics like asset value, impact analysis etc)
14) What is the difference between technical controls and procedural controls? (give 1 example of each)
15) Explain high level steps for initiating and implementing ISO27001.
Category V: Strategic / Scenario Based Questions
1) Please comment: Which one would be more securely built? Open Source software or Commercial/Proprietary software?
2) Whom do you get inspired from in the field of Information Security?
3) How many packets would travel from a laptop if a user initiates a traceroute to facebook.com?
4) Consider a scenario, the network has become extremely slow, there are many escalations coming to service desk, what would you do a as security professional? Do you see a possibility of any security threat in this? How would you face this situation?
5) Suppose business team wants to launch an application or urgent basis, but you know its vulnerable to some critical attacks, what would you do in such case? Should business requirement be given priority or security should be the priority?
6) What are the latest trends in Information Security?
7) Is Internet Banking really safe and secure? What are your views on this?
8) Where do you see yourself (in which role/position) after 3-4 years?
9) Should social networking websites (like facebook) be allowed or blocked? Justify with proper reason.
10) Anonymous hackers are hacking into some critical infrastructure around the world. Can you comment on how would they be doing this?
11) Have you heard about stuxnet? Explain your views on it and how could it have been prevented?
Category VI: Computer Forensics/Laws
1) What do you mean by checksum? What are the popular algorithms for calculating checksums? What is its significance in computer forensics?
2) Describe steganography, its types and how to detect it?
3) What do you mean by file carving?
4) What is meant by bit stream image? Why it is important in forensics?
5) What is swap space? What is its relevance in forensics? What is page file?
6) Explain high level steps for seizing a live computer system.
7) What are the main challenges in computer forensics?
8) What is file shredding?
Ans: File Shredding is a technique used to securely erase/wipe or destroy the file (logical or physical) in such a way that it cannot be re-constructed to derive its original meaning.
9) Can data be recovered after shredding is performed?
10) What are the famous tools used in computer forensics?
11) What hardware is necessary for performing computer forensics?
12) What care should be taken while packaging the seized evidence?
13) What is slack space?
14) List few situations wherein lost data cannot be recovered.
Ans: If the data is stored on magnetic media, and that media comes in contact with very strong magnetic field then it may result in permanent loss of data. If data is on the disk is over-written more then 30 times, it may get in unrecoverable state. If the media is physically destroyed like completely burnt or turned into fine powder then it won’t be possible to recover the data.
15) How would you traced a spoofed email sent from spoofed IP address?
Enough has already been said and written over security but it really doesn’t matter unless an untill there is sufficient individual awareness…. Its all about developing the thought process and aligning it with the security goals.. Well its really not that complicated 🙂
I just thought I would share some of the mis-conceptions about security that I observed at times…..
1) I have a Firewall , my network is secured!
No Firewall in world alone can secure your network completely… firewall works mechanically as per the pre-defined rules…. so if your network gets attacked inspite of using firewall, don’t blame the firewall… blame your firewall administrator! The firewall administrator must be smart enough to place the firewall in right position and configure the rules correctly…. Also a typical firewall will just work at L3 and won’t be able to prevent L7 (application) attacks…
2) I have Anti Virus, my PC is secured!
No way this statement holds true…. Just installing any antivirus just for sake of peace of mind is not going to save u against those nasty bugs…. Choice of anti virus if of utmost important… I have seen some enterprise level AV’s not detecting simple viruses (ridiculous!!!) So u need to do some research before u spend ur bugs to fight against the e-bugs…. And again its not all over here… u have to make sure that ur AV gets updated frequently. An updated good AV will certainly protect u against common viral infections but no AV can guarantee 100% protection for sure….
3) I have a nice strong password, No can steal and hack it!
Wrong again….. Its not just about password being complicated there are lot other things which count in keeping your passwords safe… May your password be long complex alpha numeric but just imagine you keyed in your password from a cyber cafe wherein some keylogger was installed… what’s the use of the strong password then? all in vain!!! Or what if you got a phishing mail and u submitted your long password to fake website? So the point is being alert from security perspective all the time might help u keep your passwords and keys safe…its all dependent on human behavior how humans would react to different situations specially created by hackers and crackers all around….So beware while using ur password…and yes a simple technique of using on-screen keyboard would certainly reduce the risks of passwords getting compromised by keyloggers!! Good Luck 🙂
4) I have 1XXXXX $ Budget for IT security, Now my network and assets would be 100% safe!!
Its not about how much u spend on security, spending on correct security controls is important…. And “Human Link is the weakest link in security” so spending only on technical controls won’t help unless people using the technology are aware of the risks associated with it. Remember will always behave and perform the way it has been configured but same cannot be assured about a person…people can always be manipulated ….for eye opening live case studies on how people can be manipulated to break the security please go through “Art of Intrusion” by Kevin Metnick. So if people are well aware of technology, risks and there mitigating controls it would really be much easier to defend against many of the cyber attacks!!!
5) My Web Site is HTTPS enabled and my Server is in DMZ so no one can hack into my Web Site!!
This is very common perception for many of the IT architects and application developers. Both of these things have very less to do with actual core security of your website. Enabling HTTPS facilitates encrypting the data at transport layer and but if some one sniffs data at application layer, HTTPS is of no use!!! And DMZ is used so that the application can be accessed over internet… well for those who don’t know, DMZ stands for de-militarized zone which is transitional area between local intranet and internet. It has nothing to do with application level vulnerabilities. So there is no way you could prevent cross site scripting or SQL injection just by enabling HTTPS and placing the server in DMZ…. A security strategy designed for all layers would certainly help but its better to stay away from such mis-conceptions!!!
GateOne Beta – Terminal emulator for HTML5 web browsers
Posted: February 8, 2012 in InfoSecTags: authentication technologies, ssh tunnel
The software makes use of WebSockets to connect a server backend written in Python and a frontend written for modern browsers in JavaScript, HTML5 and CSS. The frontend doesn’t require any browser plug-ins to be installed.Gate One also supports HTTP over SSL (https) secure connections from the browser to the server and authentication technologies such as Kerberos. It has its own internal plug-in system (plug-ins can be written in Python, JavaScript and CSS); currently available plug-ins for Gate One include SSH client connections, session recording and playback, and a bookmark manager for storing terminal sessions.
Top features:
* No browser plugins required!
* Supports multiple simultaneous terminal sessions. As many as your hardware can handle.
* Users can re-connect to their running terminals whenever they like from anywhere.
* Can be embedded into other applications. Add a terminal–running whatever application(s) you want–to your web app! Would be vastly superior to say, a Java-based serial console applet (hint hint).
* Includes powerful plugin system that supports plugins written in Python, JavaScript, and even CSS (yes, you can write a CSS-only plugin).
* The Gate One server can be stopped & started without users losing their running terminal applications (even SSH sessions stay connected!). In essence, worry-free upgrades!
* The SSH plugin allows users to duplicate sessions without having to re-enter their username and password (it re-uses the existing SSH tunnel).
* Provides users with the ability to play back and save/share their terminal sessions via a self-contained HTML playback file.
* Similarly, supports server-side logging, recording, and video-like playback of user sessions. It can even log to syslog to support whatever centralized logging system you want.
* Keberos-based Single Sign-on support is included. It even works with Active Directory. Other authentication options are available as well.Demo:
Application Security With Apache Shiro : Java security framework
Posted: February 8, 2012 in InfoSec
- Authentication – proving user identity, often called user ‘login’.
- Authorization – access control
- Cryptography – protecting or hiding data from prying eyes
- Session Management – per-user time-sensitive state
- Easy To Use – Ease of use is the project’s ultimate goal. Application security can be extremely confusing and frustrating and thought of as a ‘necessary evil’. If you make it so easy to use that novice programmers can start using it, it doesn’t have to be painful anymore.
- Comprehensive – There is no other security framework with the breadth of scope that Apache Shiro claims, so it can likely be your ‘one stop shop’ for your security needs.
- Flexible – Apache Shiro can work in any application environment. While it works in web, EJB, and IoC environments it does not require them. Nor does Shiro mandate any specification or even have many dependencies.
- Web Capable – Apache Shiro has fantastic web application support, allowing you to create flexible security policies based on application URLs and web protocols (e.g. REST), while also providing a set of JSP libraries to control page output.
- Pluggable – Shiro’s clean API and design patterns make it easy to integrate with many other frameworks and applications. You’ll see Shiro integrated seamlessly with frameworks like Spring, Grails, Wicket, Tapestry, Mule, Apache Camel, Vaadin, and many others.
- Supported – Apache Shiro is part of the Apache Software Foundation, an organization proven to act in the best interest of its community. The project development and user groups have friendly citizens ready to help.
Following the success of his debut documentary feature, Land of Confusion, award winning Pittsburgh filmmaker Jeremy Zerechak is already garnering early accolades for his newest project, CODE 2600. The film—a no-holds-barred look at the ramifications of the Information Technology era—has been selected from to have its world premiere at the 2012 CINEQUEST FILM FESTIVAL (February 28th – March 11th) in San Jose, CA. Appropriately located in the heart of silicon valley, CINEQUEST is one of the country’s top film festivals—a 13-day event of 200 international films with over 600+ film artists, technologists, and professionals from 44 countries in attendance.
$ cd glances-1.3.7
$ ./configure
$ make
$ sudo make install
Security Enhanced (SE) Android Released by National Security Agency (NSA)
Posted: January 25, 2012 in InfoSec
- Confine privileged daemons.
- Protect them from misuse.
- Limit the damage that can be done via them.
- Sandbox and isolate apps.
- Strongly separate apps from each other and from the system.
- Prevent privilege escalation by apps.
- Provide centralized, analyzable policy.
Distinctive features SE Android:
- Per-file security labeling support for yaffs2,
- Filesystem images (yaffs2 and ext4) labeled at build time,
- Kernel permission checks controlling Binder IPC,
- Labeling of service sockets and socket files created by init,
- Labeling of device nodes created by ueventd,
- Flexible, configurable labeling of apps and app data directories,
- Userspace permission checks controlling use of the Zygote socket commands,
- Minimal port of SELinux userspace,
- SELinux support for the Android toolbox,
- Small TE policy written from scratch for Android,
- Confined domains for system services and apps,
- Use of MLS categories to isolate apps.
What will happens if these threats are installed in your mobile devices?
It will attempts to send text messages containing the string “798657” to premium-rate numbers using the infected device’s current default SMS Center (SMSC) by exploiting the Permissions function (android.permission.SEND_SMS), Capable of sending an affected user’s GPS location via HTTP POST, Opens several ports and connects to specific URLs to receive and execute commands from a remote user, Gathers information like International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers from infected systems, which is then sent to a specific site and Secretly forwards all incoming text messages to a remote user.
- ANDROIDOS_DROIDSMS.A: Came disguised as Windows Media Player.
- ANDROIDOS_DROISNAKE.A: Came in the form of a game known as Tap Snake.
- ANDROIDOS_GEINIMI.A: Came in the form of Trojanized apps hosted in certain third-party app stores in China.
- ANDROIDOS_ADRD.A: Comes in the form of a Trojanized wallpaper app.
- ANDROIDOS_LOTOOR.A: Trend Micro’s detection for Trojanized versions of legitimate apps like “Falling Down”.
- ANDROIDOS_BGSERV.A: Trojanized version of Android Market Security Tool, which was released to address the modifications done by AndroidOS_LOTOOR.A.