
How do you change your DNS settings in Linux/Windows?

Windows:
netsh interface ip set dns name="Local Area Connection" source=static addr=none
netsh interface ip add dns name="Local Area Connection" addr=8.8.4.4 index=1
Linux: add the line "nameserver {IP-OF-THE-DNS-1}" to /etc/resolv.conf

What's the difference between encoding, encryption, and hashing?

Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn't primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.

What's more secure, SSL or HTTPS?

TLS is the new name for SSL. Namely, the SSL protocol got to version 3.0; TLS 1.0 is "SSL 3.1". TLS versions currently defined include TLS 1.1 and 1.2. Each new version adds a few features and modifies some internal details. We sometimes say "SSL/TLS".
HTTPS is HTTP-within-SSL/TLS. SSL (TLS) establishes a secured, bidirectional tunnel for arbitrary binary data between two hosts. HTTP is a protocol for sending requests and receiving answers, each request and answer consisting of detailed headers and (possibly) some content. HTTP is meant to run over a bidirectional tunnel for arbitrary binary data; when that tunnel is an SSL/TLS connection, then the whole is called "HTTPS".
To explain the acronyms:
"SSL" means "Secure Sockets Layer". This was coined by the inventors of the first versions of the protocol, Netscape (the company was later bought by AOL).
"TLS" means "Transport Layer Security". The name was changed to avoid any legal issues with Netscape so that the protocol could be "open and free" (and published as an RFC). It also hints at the idea that the protocol works over any bidirectional stream of bytes, not just Internet-based sockets.
"HTTPS" is supposed to mean "HyperText Transfer Protocol Secure", which is grammatically unsound. Nobody, except the terminally bored pedantic, ever uses the translation; "HTTPS" is better thought of as "HTTP with an S that means SSL". Other protocol acronyms have been built the same way, e.g. SMTPS, IMAPS, FTPS... all of them being a bare protocol that "got secured" by running it within some SSL/TLS.

Can you describe rainbow tables?

The algorithm is:
Look for the hash in the list of final hashes; if it is there, break out of the loop.
If it isn't there, reduce the hash into another plaintext, and hash the new plaintext.
Go back to the start.
If the hash matches one of the final hashes, the chain for which the hash matches the final hash contains the original hash.
A chain in a rainbow table starts with an arbitrary plaintext, hashes it, reduces the hash to another plaintext, hashes the new plaintext, and so on. The table only stores the starting plaintext and the final hash you choose to end with, and so a chain "containing" millions of hashes can be represented with only a single starting plaintext and a single finishing hash.
A rainbow table is a large list of pre-computed hashes for commonly used passwords. For a password file without salts, an attacker can go through each entry and look up the hashed password in the rainbow table.

What is salting, and why is it used?

Then we get to salting. Salting means adding some fairly long random piece of text, called the salt, to the user-provided password. The salt usually isn't a closely guarded secret. Sure, it's not in plain sight on the website or anything, but it is assumed that the attacker will have the salt if they manage to get the passwords too. And the salt is commonly stored without any kind of encryption in the same database as the password hashes. What the salt does is effectively make the password much longer. The user doesn't need to know about the salt; it just silently gets added to the password they give on the server. Making rainbow tables becomes infeasible as the table would have to be incredibly huge to cover all the possible salts.
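The chain construction and lookup loop described in the rainbow-table section, together with the effect of a salt from this section, as an added Python example that is not part of the original notes. The password space (three lowercase letters), the chain length, the reduction function and the salt value are all constructed for the demo; the hash is MD5 from hashlib, and the table keeps only each chain's start plaintext and final hash, as the text describes.

```python
import hashlib
import string

# Constructed toy parameters: three-letter lowercase passwords and short chains,
# small enough to run instantly while keeping the real table structure.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
CHAIN_LEN = 50
SPACE = len(ALPHABET) ** PW_LEN


def h(plaintext):
    """The hash the table is built for (MD5 here; any unsalted hash works the same way)."""
    return hashlib.md5(plaintext.encode()).hexdigest()


def reduce_to_plaintext(digest, position):
    """Map a digest back into the password space. Mixing in the column position
    gives every column its own reduction, which is what makes the table 'rainbow'."""
    n = (int(digest, 16) + position) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def build_chain(start):
    """Start plaintext -> hash -> reduce -> hash -> ... Returns every plaintext
    visited and the final hash; only the two ends are ever stored."""
    plaintexts = [start]
    digest = h(start)
    for position in range(CHAIN_LEN - 1):
        nxt = reduce_to_plaintext(digest, position)
        plaintexts.append(nxt)
        digest = h(nxt)
    return plaintexts, digest


def build_table(starts):
    """final hash -> list of starting plaintexts (a list, so merged chains are not lost)."""
    table = {}
    for start in starts:
        _, final = build_chain(start)
        table.setdefault(final, []).append(start)
    return table


def lookup(table, target):
    """The algorithm from the text: if the target is a stored final hash, done;
    otherwise reduce it to a plaintext, hash that, and repeat. Trying every
    possible starting column covers a target anywhere inside a chain."""
    for start_col in range(CHAIN_LEN - 1, -1, -1):
        digest = target
        for position in range(start_col, CHAIN_LEN - 1):
            digest = h(reduce_to_plaintext(digest, position))
        for start in table.get(digest, []):
            # Re-walk the chain and confirm, since endpoint matches can be false alarms.
            for candidate in build_chain(start)[0]:
                if h(candidate) == target:
                    return candidate
    return None


def salted_hash(password, salt):
    """Salting as the text describes: the salt is simply prepended before hashing."""
    return h(salt + password)


if __name__ == "__main__":
    table = build_table(["abc", "xyz", "qwe"])      # 3 chains stand in for 150 hashes
    victim = build_chain("abc")[0][7]               # a password somewhere inside a chain
    print("unsalted:", lookup(table, h(victim)))    # recovered
    print("salted:  ", lookup(table, salted_hash(victim, "s4lt")))  # None
```

Any password that appears in a chain is recovered from its bare hash, but the same password hashed with a salt is not, because the table would have to contain a chain built over the salted string for every possible salt.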

If you had to both encrypt and compress data during transmission, which would you do first, and why?

Compress, then encrypt. If you encrypt first you'll have nothing but random data to work with, which will destroy any potential benefit from compression.

What's the difference between symmetric and public-key cryptography?

Symmetric key encryption involves using a single key to encrypt and decrypt data. For example, suppose that you took a document and placed it in a file cabinet and then locked the cabinet with a key. For you or anyone else to access the document, you'd need the key to the file cabinet. Generally speaking, symmetric key encryption is fast and secure. On the other hand, while symmetric key encryption works well locally, it doesn't work very well across networks. In order for the receiver of the encrypted packets to be able to decrypt the packets, they must use the key. Needless to say, this means that you must send them that key along with the message. The other problem is that the physical medium you're sending the packets across is insecure. If it were secure, there would be no reason to encrypt the message in the first place. Anyone who might be monitoring the network could steal the encrypted packets and the key necessary for decrypting them.
Public key encryption on the other hand uses a pair of keys: a public key that's sent along with the message and a private key which is always in the possession of the recipient. The private key is based on a derivative of the public key and only the two keys working together can decrypt the packets. Because the private key is never sent across the network, it remains secure. The downside of public key encryption is that it tends to be very slow and resource intensive. This makes it difficult to send large amounts of data using public key encryption.

In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?

You encrypt with the other person's public key, and you sign with your own private key.

What are the advantages offered by bug bounty programs over normal testing practices?

A bug bounty program is a program that is open to the public to find vulnerabilities within the network.
Bug bounty programs, however, aren't easy programs to run: skilled staff members need to be available to examine all the bug reports that are submitted, validate the bugs and decide how critical they are. There is also an administrative burden in setting up the program and arranging the payment of bounties.
Whitfield says that the problem with traditional penetration tests is that they are carried out by a small number of people, so the company is reliant on their individual skills. "We have found that different penetration testers find different problems, sometimes problems that have been there for several years and missed in previous tests," he says. "With the bug bounty program we got a hundred and twenty pairs of eyeballs on our system for a week instead of just one or two pairs for a week."
After the company's most recent program, almost forty new bugs were discovered, he says. Compared to the last penetration test, only twelve were discovered, he says.
There's little doubt that penetration testing and code auditing will continue to be an important part of many companies' security efforts, even if only for regulatory compliance purposes. But thanks to bug bounty-as-a-service offerings, companies like POLi Payments and Bigcommerce can also subject their systems to attack from a large number of hackers in a relatively controlled manner.
"This is definitely now my preferred method of security testing," says POLi Payments' McAlister.
You should hear coverage of many testers vs. one, incentivization, focus on rare bugs, etc.

What are your first three steps when securing a Linux server?

- installation of the system in expert mode, only the packages that I need
- hand-written firewall with default policy on the iptables INPUT chain set to DROP, permitting access to SSH, HTTP or whatever else the given server is running
- Fail2Ban for SSH [and sometimes FTP / HTTP / other, depending on context]
- disable root logins, force using a normal user and sudo
- custom kernel [just old habit]
- scheduled system upgrade
Depending on level of paranoia, additionally:
- DROP policy on OUTPUT except a couple of allowed destinations / ports
- integrity checking of whether some parts of the file system were modified [with checksums kept outside of the machine], for example Tripwire
- scheduled scan of the system from the outside, at least with nmap
- automated log checking for unknown patterns [but that's mostly to detect hardware malfunction or some minor crashes]
- scheduled run of chkrootkit
- immutable attribute on /etc/passwd so adding new users is slightly more difficult
- /tmp mounted with noexec
- port knocker or other non-standard way of opening SSH ports [e.g. visiting a secret web page on the web server allows incoming SSH connections for a limited period of time from the IP address that viewed the page. Once you get connected, -m state --state ESTABLISHED takes care of allowing packet flow as long as you use a single SSH session]

Three steps for a Windows server

Step 1. Patches and Updates
Update your server with the latest service packs and patches. You must update and patch all of the Web server components including Windows 2000 or Windows Server 2003 (and IIS), the .NET Framework, and Microsoft Data Access Components (MDAC).
During this step, you:
- Detect and install the required patches and updates.
- Update the .NET Framework.
Detect and Install Patches and Updates
Use the Microsoft Baseline Security Analyzer (MBSA) to detect the patches and updates that may be missing from your current installation. MBSA compares your installation to a list of currently available updates maintained in an XML file. MBSA can download the XML file when it scans your server, or you can manually download the file to the server or make it available on a network server.
Step 2. IISLockdown
The IISLockdown tool helps you to automate certain security steps. IISLockdown greatly reduces the vulnerability of a Windows 2000 Web server. It allows you to pick a specific type of server role, and then use custom templates to improve security for that particular server. The templates either disable or secure various features. In addition, IISLockdown installs the URLScan ISAPI filter. URLScan allows Web site administrators to restrict the kind of HTTP requests that the server can process, based on a set of rules that the administrator controls. By blocking specific HTTP requests, the URLScan filter prevents potentially harmful requests from reaching the server and causing damage.
Note: By default, IIS 6.0 has security-related configuration settings similar to those made by the IIS Lockdown Tool. Therefore you do not need to run the IIS Lockdown Tool on Web servers running IIS 6.0. However, if you are upgrading from a previous version of IIS (5.0 or lower) to IIS 6.0, it is recommended that you run the IIS Lockdown Tool to enhance the security of your Web server.
During this step, you:
- Install and run IISLockdown.
- Install and configure URLScan.
Step 3. Services
Services that do not authenticate clients, services that use insecure protocols, or services that run with too much privilege are risks. If you do not need them, do not run them. By disabling unnecessary services you quickly and easily reduce the attack surface. You also reduce your overhead in terms of maintenance (patches, service accounts, and so on).
If you run a service, make sure that it is secure and maintained. To do so, run the service using a least privilege account, and keep the service current by applying patches.
During this step, you:
- Disable unnecessary services.
- Disable FTP, SMTP, and NNTP unless you require them.
- Disable the ASP.NET State service unless you require it.
Disable Unnecessary Services
Windows services are vulnerable to attackers who can exploit the service's privileges and capabilities and gain access to local and remote system resources. As a defensive measure, disable Windows services that your systems and applications do not require. You can disable Windows services by using the Services MMC snap-in located in the Administrative Tools programs group.

Why is DNS monitoring important?

If they're familiar with infosec shops of any size, they'll know that DNS requests are a treasure when it comes to malware indicators.
Criminals will exploit any Internet service or protocol when given the opportunity, and this includes the DNS. They register disposable domain names for spam campaigns and botnet administration, and they use compromised domains to host phishing or malware downloads. They inject malicious queries to exploit name servers or disrupt name resolution. They inject crafty responses to poison resolver caches or amplify denial of service attacks. They even use DNS as a covert channel for data exfiltration or malware updates.
Malformed DNS queries may be symptomatic of a vulnerability exploitation attack against the name server or resolver identified by the destination IP address. They may also indicate that you have incorrectly operating devices on your network. The causes for problems of these kinds may be malware or unsuccessful attempts to remove malware.
DNS queries that request name resolution of known malicious domains or names with characteristics common to domain generation algorithms (DGA) associated with criminal botnets, and queries to resolvers that you did not authorize for use, in many cases are dead giveaway indicators of infected hosts on your networks.
DNS responses also offer signs that suspicious or malicious data are being delivered to hosts on your networks. For example, length or composition characteristics of DNS responses can reveal malicious or criminal intent: the response messages are abnormally large (amplification attack) or the Answer or Additional Sections of the response message are suspicious (cache poisoning, covert channel).
DNS responses for your own portfolio of domains that are resolving to IP addresses that are different from what you published in your authoritative zones, responses from name servers that you did not authorize to host your zone, and positive responses to names in your zones that should resolve to name error (NXDOMAIN) may indicate a domain name or registration account hijacking or DNS response modification.
DNS responses from suspicious IP addresses, e.g., addresses from IP blocks allocated to broadband access networks, DNS traffic appearing on a non-standard port, an unusually high number of response messages that resolve domains with short Times to Live (TTL), or an unusually high number of responses containing "name error" (NXDOMAIN) are often indicators of botnet-controlled, infected hosts running malware.
You may not be able to keep pace with every new DNS exploitation but you can be proactive by using firewalls, network IDS, or name resolvers to report certain indicators of suspicious DNS activity.
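Several of the indicators listed above, run over a handful of constructed resolver log lines, as an added Python example that is not part of the original notes. The log format (client, resolver:port, name, type, rcode, TTL), the set of authorized resolvers, the threat-intel entry and the thresholds are all assumptions made for the demo; the DGA heuristic (long second-level label with almost no vowels) is a deliberately simple stand-in for a real classifier.

```python
from collections import defaultdict

# Constructed policy for the demo network.
AUTHORIZED_RESOLVERS = {"10.0.0.53"}
KNOWN_BAD_DOMAINS = {"evil-c2.example.com"}      # placeholder threat-intel entry
NXDOMAIN_BURST = 3                                # NXDOMAINs per client before flagging
SHORT_TTL = 60                                    # seconds

# Constructed log lines: client resolver:port qname qtype rcode ttl
SAMPLE_LOG = """\
10.0.0.5 10.0.0.53:53 mail.example.com A NOERROR 300
10.0.0.7 8.8.8.8:53 www.example.org A NOERROR 3600
10.0.0.9 10.0.0.53:53 xkq7v2mzpd9qw.com A NXDOMAIN 0
10.0.0.9 10.0.0.53:53 pqzrtwxkmnbvcs.net A NXDOMAIN 0
10.0.0.9 10.0.0.53:53 hjklmnpqrstvwx.org A NXDOMAIN 0
10.0.0.11 203.0.113.9:5353 update.example.net A NOERROR 30
10.0.0.5 10.0.0.53:53 evil-c2.example.com A NOERROR 300
""".splitlines()


def looks_dga(qname):
    """Crude DGA heuristic: a long second-level label with almost no vowels."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < 12:
        return False
    vowels = sum(ch in "aeiou" for ch in sld)
    return vowels / len(sld) <= 0.25


def parse(line):
    client, resolver, qname, qtype, rcode, ttl = line.split()
    host, port = resolver.rsplit(":", 1)
    return {"client": client, "resolver": host, "port": int(port),
            "qname": qname, "qtype": qtype, "rcode": rcode, "ttl": int(ttl)}


def analyze(lines):
    """Return {client ip: sorted list of indicator names} for the given log lines."""
    findings = defaultdict(set)
    nxdomain_count = defaultdict(int)
    for line in lines:
        r = parse(line)
        c = r["client"]
        if r["resolver"] not in AUTHORIZED_RESOLVERS:
            findings[c].add("unauthorized-resolver")
        if r["port"] != 53:
            findings[c].add("non-standard-port")
        if r["qname"].lower() in KNOWN_BAD_DOMAINS:
            findings[c].add("known-malicious-domain")
        if looks_dga(r["qname"]):
            findings[c].add("dga-like-name")
        if r["rcode"] == "NXDOMAIN":
            nxdomain_count[c] += 1
            if nxdomain_count[c] >= NXDOMAIN_BURST:
                findings[c].add("nxdomain-burst")
        elif r["rcode"] == "NOERROR" and r["ttl"] < SHORT_TTL:
            findings[c].add("short-ttl")
    return {c: sorted(f) for c, f in findings.items()}


if __name__ == "__main__":
    for client, hits in analyze(SAMPLE_LOG).items():
        print(client, ", ".join(hits))
```

Each indicator on its own is weak (plenty of CDNs use short TTLs, and typos produce NXDOMAINs), which is why the result is a per-client list for an analyst to weigh rather than a verdict.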

What port does ping work over?

A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn't work over a port). A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.
Do you prefer filtered ports or closed ports on your firewall?
Closed Port:
- If you send a SYN to a closed port, it will respond back with a RST.
Open Port:
- If you send a SYN to an open port, you should receive a SYN/ACK.
Filtered Port:
- The packet is simply dropped and you receive no response (not even a RST).
From a security standpoint, to most hackers, when they see closed they don't think of a firewall, they think the service is just not running. When I see filtered, and it's a port I want to get to, I instantly think, oh, ok, is there some backdoor I can punch through the firewall? Can I DoS the firewall? Can I remotely administer the firewall?
Showing a closed port doesn't really alert an attacker to anything; however, there is the advantage that by filtering, you just totally ignore the traffic, whereas with a closed port, you actually have to go through sending out a RST... I would imagine that this could be leveraged in a DoS attack.

How exactly does traceroute/tracert work at the protocol level?

This is a fairly technical question but it's an important concept to understand. It's not natively a security question really, but it shows you whether or not they like to understand how things work, which is crucial for an Infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions.
The key point people usually miss is that each packet that's sent out doesn't go to a different place. Many people think that it first sends a packet to the first hop, gets a time. Then it sends a packet to the second hop, gets a time, and keeps going until it gets done. That's incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that's used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.
Traceroute is a Linux/Unix-based command used for tracing a network/host. For Windows, you should use tracert.
Traceroute gives you details about how many routers (it says hops) you need to cross to reach that specific host/network.
The most important thing I want to mention is: traceroute and tracert do not work in the same way, but their objective is the same.
Traceroute is Linux/Unix (or other OS) based. Traceroute uses specific ports for its operation: UDP ports 33434 to 33534. Tracert uses ICMP echo requests (Type 8).
For Windows you can use another command, "pathping", that will also show all the hops with detailed information.

Windows / MS-DOS
c:\> tracert login.oscar.aol.com
Binky, running tracert on a Windows computer, creates 3 ICMP echo (ICMP type 8) messages with the time to live in the IP header set to 1 and the packets addressed to the destination computer's IP address (we'll call the destination computer clown).
Binky starts a timer.
Binky sends the three messages destined for clown out to the network.
Binky waits for a response. This response will be one of:
- An ICMP Time Exceeded message - this means the host responding is not the destination.
- An ICMP Destination Unreachable - this means the host responding doesn't know how to get to the destination IP address in the traceroute packets.
The computer on which the messages die because the time to live expired (somewhere between Binky and clown) sends back ICMP Time Exceeded (ICMP Type 11) responses. These messages indicate to Binky that the traceroute messages have not yet reached the destination clown.
Binky receives those Time Exceeded messages, notes the time they arrived, compares that to the time the ICMP Echo Request was sent and shows the results of that round trip on the screen.
Binky increments the TTL in the IP header by one, then repeats the previous six steps (creates 3 packets, sets the Time to Live to the next highest number, starts a timer, transmits the packets, waits for a response). This process is repeated until the packets reach the destination computer (clown) which Binky is tracing the route to.
When the destination computer (clown) receives the packets, it sends back an ICMP Echo Reply (ICMP type 0) and the traceroute program stops.

UNIX, Linux, Cisco and BSD
traceroute
The *NIX process is a bit different because it uses the Van Jacobson modification of using a UDP port number and relying on port unreachable errors to signify the end of the traceroute.
Only the outbound packets are sent to UDP ports starting with 33434. The returning packets are ICMP, and the UDP port number on the outbound packet usually increments upwards from UDP 33434 to match the TTL set in the IP header. This is why some firewalls block UNIX/Linux/BSD traceroute but let Windows traceroute through.
Traceroute creates a UDP packet from the source to the destination with a TTL (Time-to-live) = 1.
The UDP packet reaches the first router, where the router decrements the value of TTL by 1, thus making our UDP packet's TTL = 0, and hence the packet gets dropped.
Noticing that the packet got dropped, the router sends an ICMP message (Time exceeded) back to the source.
Traceroute makes a note of the router's address and the time taken for the round trip.
It sends two more packets in the same way to get an average value of the round-trip time. Usually, the first round trip takes longer than the other two due to the delay in ARP finding the physical address; the address stays in the ARP cache during the second and the third time and hence the process speeds up.
The steps that have occurred until now occur again and again until the destination has been reached. The only change that happens is that the TTL is incremented by 1 when the UDP packet is to be sent to the next router/host.
Once the destination is reached, a Time exceeded ICMP message is NOT sent back this time because the destination has already been reached.
But the UDP packet used by traceroute specifies a destination port number that is not usually used for UDP. Hence, when the destination computer verifies the headers of the UDP packet, the packet gets dropped due to the improper port being used and an ICMP message (this time Destination Unreachable) is sent back to the source.
When traceroute encounters this message, it understands that the destination has been reached. Even the destination is reached 3 times to get the average of the round-trip time.
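The exchange described above for both the Windows (ICMP echo) and *NIX (UDP high port) variants, modelled as an added Python example that is not part of the original notes. Real traceroute needs raw sockets and a live network, so this simulates the path instead: the host names, the three-router path and the port numbering per probe are constructed, but the rule each hop applies (decrement TTL, answer Time Exceeded when it hits 0, otherwise forward) and the two end-of-trace replies are the ones the text describes. Every probe is addressed to the destination; only the TTL changes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    from_host: str
    icmp_type: int   # 11 = Time Exceeded, 3 = Destination Unreachable, 0 = Echo Reply
    note: str


# Constructed path: three routers between the probing host ("Binky") and "clown".
PATH = ["router1", "router2", "router3", "clown"]
BASE_UDP_PORT = 33434


def forward(path, ttl, probe):
    """What the network does with one probe addressed to path[-1]: every router
    decrements TTL, and the one that reaches 0 answers ICMP Time Exceeded.
    A probe that survives to the destination is answered according to its type."""
    for hop in path[:-1]:
        ttl -= 1
        if ttl == 0:
            return Reply(hop, 11, "time exceeded in transit")
    dest = path[-1]
    if probe["kind"] == "icmp-echo":
        # tracert: the echo request is answered normally once it arrives.
        return Reply(dest, 0, "echo reply")
    # traceroute: nothing listens on the high UDP port, so the host says so.
    return Reply(dest, 3, "port %d unreachable" % probe["dst_port"])


def trace(path, mode="udp", max_ttl=30, probes_per_hop=3):
    """Return [(ttl, responding host, icmp type)], one entry per hop, stopping
    at the first reply that is not Time Exceeded."""
    hops = []
    probe_no = 0
    for ttl in range(1, max_ttl + 1):
        replies = []
        for _ in range(probes_per_hop):
            if mode == "udp":
                # Classic traceroute bumps the destination port for every probe.
                probe = {"kind": "udp", "dst_port": BASE_UDP_PORT + probe_no}
            else:
                probe = {"kind": "icmp-echo", "dst_port": None}
            probe_no += 1
            replies.append(forward(path, ttl, probe))
        first = replies[0]
        hops.append((ttl, first.from_host, first.icmp_type))
        if first.icmp_type != 11:
            break
    return hops


if __name__ == "__main__":
    for mode in ("udp", "icmp"):
        print(mode)
        for ttl, host, icmp_type in trace(PATH, mode):
            print("  ttl=%d  %-8s icmp type %d" % (ttl, host, icmp_type))
```

Both variants print the same three routers; they differ only in how the destination announces itself (type 3 for the UDP probes, type 0 for the echo requests), which is exactly the difference a firewall rule that drops inbound high UDP ports will expose.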
What are Linux's strengths and weaknesses vs. Windows?
Windows weaknesses
Virii and Malware
Despite some valiant efforts, virii and malware plague the lives of Windows users who dare to use the Internet.
From the end-user standpoint it's hard to argue with the fact that Windows users are more impacted by malicious software than users of other operating systems, which is supported by the fact that Kaspersky Labs found that more than 99% of malware threats in the first half of 2008 targeted Windows platforms.
Linux strengths
Architecture
One of the biggest advantages Linux has over Windows when it comes to security is its architecture.
The inherently multi-user architecture of Linux systems promotes a segregated hierarchy of trust that is fundamentally more secure than the single-user design of Windows systems past.
User Account Control (UAC) in Windows Vista, which means among other things that user programs run with restricted permissions and require the privileges of a super-user to perform sensitive actions, is a good step forward.
The poor security architecture of past versions of Windows continues to haunt current users in the form of legacy software that fails to install or even run, in many circumstances, without the elevated privileges that UAC seeks to enforce.
Windows 7 takes a step backwards by relaxing the restrictions enforced by UAC to make installing and running legacy programs easier, but at the cost of security.
Many Eyes Theory
The many eyes theory proposes that because anyone can access open source code, developers will find and fix more bugs than in traditional closed code bases.
Projects like the Department of Homeland Security's project to identify and remediate vulnerabilities in open source software and Fortify Software's Fortify Open Review have demonstrated that community vulnerability identification efforts can effectively identify security bugs in open source.
However, our research suggests that widely-used open source projects are woefully lacking when it comes to providing their users with access to security expertise, implementing secure development lifecycles, and leveraging static analysis to identify widespread security vulnerabilities.
Linux weaknesses
New targets
One of the biggest security disadvantages for Linux is that it hasn't benefited from the years of attacks that Windows platforms have weathered.
Although their exploits are no fun for Windows users, the hordes of malware authors have served as de facto security auditors and have led to the remediation of piles of security bugs in Windows.
If Linux gains widespread adoption, there's no reason to think the crosshairs of malware authors might not increasingly follow. The question will then be whether the eyes of the many developers that have contributed to Linux will stand the test of the highly motivated hackers poised to pull the trigger.

Cryptographically speaking, what is the main method of building a shared secret over a public medium?

Diffie-Hellman
What's the difference between Diffie-Hellman and RSA?
Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol. If they get that far, make sure they can elaborate on the actual difference, which is that one requires you to have key material beforehand (RSA), while the other does not (DH). Blank stares are undesirable.
DH is used to generate a shared secret in public for later symmetric ("private-key") encryption:
Diffie-Hellman:
Creates a shared secret between two (or more) parties, for subsequent symmetric encryption
Key identity: (gen^s1)^s2 = (gen^s2)^s1 = shared secret (mod prime)
Where:
gen is an integer whose powers generate all integers in [1, prime) (mod prime)
s1 and s2 are the individuals' "secrets", only used to generate the symmetric key

RSA is used to come up with a public/private key pair for asymmetric ("public-key") encryption:
RSA:
Used to perform "true" public-key cryptography
Key identity: (m^e)^d = m (mod n) (lets you recover the encrypted message)
Where:
n = prime1 * prime2
(n is publicly used for encryption)
φ = (prime1 - 1) * (prime2 - 1) (Euler's totient function)
e is such that 1 < e < φ, and e and φ are coprime
(e is publicly used for encryption)
d * e = 1 (mod φ)
(the modular inverse d is privately used for decryption)
It just so happens that -- in practice -- RSA's results are subsequently used to generate a symmetric key.
Furthermore, it also happens that you can also modify DH to be used for public-key encryption.
But they are fundamentally different, even though both of them have "public" and "private" components.
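The two key identities above carried through in small numbers, plus the "which key for which function" rule from the earlier question (encrypt with the recipient's public key, sign with your own private key), as an added Python example that is not part of the original notes. The textbook-sized parameters (prime 23 with generator 5 for DH; primes 61 and 53 with e = 17 for RSA) are chosen so the arithmetic can be checked by hand; they illustrate the algebra only and are nowhere near real key sizes, and the messages are plain integers with no padding.

```python
import math


# ---- Diffie-Hellman: no key material beforehand, a shared secret afterwards ----

def dh_public(gen, secret, prime):
    """Each side publishes gen^secret (mod prime); the secret itself never leaves the host."""
    return pow(gen, secret, prime)


def dh_shared(their_public, my_secret, prime):
    """(gen^s1)^s2 = (gen^s2)^s1 (mod prime): both sides land on the same value."""
    return pow(their_public, my_secret, prime)


def dh_exchange(gen, prime, s1, s2):
    """Run both sides and return (public1, public2, shared secret)."""
    p1 = dh_public(gen, s1, prime)
    p2 = dh_public(gen, s2, prime)
    k1 = dh_shared(p2, s1, prime)
    k2 = dh_shared(p1, s2, prime)
    if k1 != k2:
        raise AssertionError("DH identity violated")
    return p1, p2, k1


# ---- RSA: a key pair generated up front, then encryption and signing ----

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """The d with d*a = 1 (mod m); exists only when gcd(a, m) == 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def rsa_keygen(prime1, prime2, e):
    """Returns ((n, e) public, (n, d) private) following the identities in the text."""
    n = prime1 * prime2
    phi = (prime1 - 1) * (prime2 - 1)          # Euler's totient of n
    if not (1 < e < phi) or math.gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi and be coprime to phi")
    d = modinv(e, phi)
    return (n, e), (n, d)


def rsa_encrypt(m, public):           # anyone, with the recipient's public key
    n, e = public
    return pow(m, e, n)


def rsa_decrypt(c, private):          # recipient only, with the private key
    n, d = private
    return pow(c, d, n)


def rsa_sign(m, private):             # signer only, with their own private key
    n, d = private
    return pow(m, d, n)


def rsa_verify(m, sig, public):       # anyone, with the signer's public key
    n, e = public
    return pow(sig, e, n) == m


if __name__ == "__main__":
    print("DH  :", dh_exchange(5, 23, 6, 15))          # (8, 19, 2)
    pub, priv = rsa_keygen(61, 53, 17)
    print("RSA :", pub, priv)                           # (3233, 17) (3233, 2753)
    c = rsa_encrypt(65, pub)
    print("enc :", c, "-> dec:", rsa_decrypt(c, priv))  # 2790 -> 65
    print("sig ok:", rsa_verify(65, rsa_sign(65, priv), pub))
```

Note what each side needs before the first message: the DH parties start with nothing but the public (gen, prime) and end with a shared value, whereas RSA requires the recipient to have generated and distributed a public key before anyone can encrypt to them.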

What kind of attack is a standard Diffie-Hellman exchange vulnerable to?

Man-in-the-middle, as neither side is authenticated.
Describe the last program or script that you wrote. What problem did it solve?

FizzBuzz script, JS

for (var i = 1; i <= 20; i++) {
    if (i % 15 == 0)
        console.log("FizzBuzz");
    else if (i % 3 == 0)
        console.log("Fizz");
    else if (i % 5 == 0)
        console.log("Buzz");
    else
        console.log(i);
}

Bash

#!/bin/bash
for i in {1..100}
do
    v=""
    if [ $(( i % 3 )) -eq 0 ]; then v="${v}fizz"; fi
    if [ $(( i % 5 )) -eq 0 ]; then v="${v}buzz"; fi
    if [ "$v" == "" ]; then echo "$i"; else echo "$v"; fi
done
How would you implement a secure login field on a high traffic website where performance is a consideration?
We're looking for a basic understanding of the issue of wanting to serve the front page in HTTP, while needing to present the login form via HTTPS, and how they'd recommend doing that. A key piece of the answer should center around avoidance of the MiTM threat posed by pure HTTP. Blank stares here mean that they've never seen or heard of this problem, which means they're not likely to be anything near pro level.
Whilst Fiddler is good for demonstration purposes, clearly an actual weaponised attack would work differently but the principle is the same: when unencrypted traffic passes through a node on the network (NIC, ethernet cable, router, proxy, ISP, etc.) it may be observed or manipulated by an attacker. This isn't theoretical; there are many precedents such as the Tunisian government harvesting Facebook credentials en masse.
This is all a bit odd really, I mean these sites have gone to the effort of implementing some SSL but then blown it by loading those login forms over HTTP. As we saw with Woolworths, posting over a secure connection is completely useless if there's no integrity in the login form itself; an attacker may already have the credentials by then if the connection is compromised, which is the very risk they all implemented SSL to protect from in the first place!
What are the various ways to handle account brute forcing?
Look for discussion of account lockouts, IP restrictions, fail2ban, etc.
Fail2ban bans IPs that have too many password failures, seeking exploits, etc.
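The two controls named above, an account lockout and a per-IP restriction of the kind fail2ban applies, as an added Python example that is not part of the original notes. The class below is my own design: it keeps failed attempts per account and per source address in a sliding window and answers "allow", "account-locked" or "ip-throttled" before the password is checked. The thresholds, the window and lockout lengths, and the addresses and timestamps used in the demo are constructed.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Sliding-window failure tracking per account and per source IP.
    Times are plain seconds so the behaviour is deterministic in a demo."""

    def __init__(self, max_per_account=5, max_per_ip=20, window=300, lockout=900):
        self.max_per_account = max_per_account   # failures before the account locks
        self.max_per_ip = max_per_ip             # failures before the address is throttled
        self.window = window                     # seconds a failure stays counted
        self.lockout = lockout                   # seconds an account stays locked
        self.account_failures = defaultdict(deque)
        self.ip_failures = defaultdict(deque)
        self.locked_until = {}

    def _prune(self, q, now):
        """Drop failures older than the window; the deque is kept in time order."""
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def check(self, account, ip, now):
        """Decide before verifying the password, so a locked account's hash is never
        even compared. The caller should return the same generic error in every case."""
        if now < self.locked_until.get(account, 0):
            return "account-locked"
        if len(self._prune(self.ip_failures[ip], now)) >= self.max_per_ip:
            return "ip-throttled"
        return "allow"

    def record_failure(self, account, ip, now):
        q = self._prune(self.account_failures[account], now)
        q.append(now)
        self._prune(self.ip_failures[ip], now).append(now)
        if len(q) >= self.max_per_account:
            self.locked_until[account] = now + self.lockout
            q.clear()   # the lockout itself now carries the state

    def record_success(self, account, now):
        """A real login clears the account's counter; IP history is kept on purpose,
        since one good login from a guessing host proves nothing about the rest."""
        self.account_failures[account].clear()
        self.locked_until.pop(account, None)


if __name__ == "__main__":
    guard = LoginGuard()
    src = "198.51.100.7"                       # constructed source address
    for t in range(5):
        guard.record_failure("alice", src, t)
    print("alice @5s  :", guard.check("alice", src, 5))     # account-locked
    print("bob   @5s  :", guard.check("bob", src, 5))       # allow
    for t in range(6, 21):
        guard.record_failure("user%d" % t, src, t)         # spraying many accounts
    print("carol @21s :", guard.check("carol", src, 21))    # ip-throttled
    print("alice @905s:", guard.check("alice", src, 905))   # allow (lockout expired)
```

The two counters catch different attacks: the per-account limit stops a dictionary run against one user, while the per-IP limit catches password spraying that stays under the per-account threshold by rotating usernames.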
What is Cross-Site Request Forgery?

Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim's browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).
How does one defend against CSRF?
Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we're looking for recognition and basic understanding here, not a full, expert-level dissertation on the subject. Adjust expectations according to the position you're hiring for.

If you were a site administrator looking for incoming CSRF attacks, what would you look for?

This is a fun one, as it requires them to set some ground rules. Desired answers are things like, "Did we already implement nonces?", or, "That depends on whether we already have controls in place." Undesired answers are things like checking referrer headers, or wild panic.
In security engineering, a nonce is an arbitrary number used only once in a cryptographic communication. It is similar in spirit to a nonce word, hence the name. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. For instance, nonces are used in HTTP digest access authentication to calculate an MD5 digest of the password. The nonces are different each time the 401 authentication challenge response code is presented, thus making replay attacks virtually impossible.
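The nonce defence from the two CSRF questions above, applied to the /logout example from the CSRF definition, as an added Python example that is not part of the original notes. It shows two common shapes of the control: a session-bound token (HMAC of the session id under a server key, so it can be verified statelessly) and a strict per-request nonce that is accepted exactly once. The server key, session ids and handler are constructed for the demo; `hmac.compare_digest` is the standard library's constant-time comparison.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the demo; a real deployment loads it from configuration.
SERVER_KEY = b"demo-only-csrf-key"


def csrf_token(session_id, key=SERVER_KEY):
    """Token bound to the session: HMAC(key, session id). A page on another origin
    can make the browser send the cookie, but it cannot read or compute this value."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, token, key=SERVER_KEY):
    if not token:
        return False
    return hmac.compare_digest(csrf_token(session_id, key), token)


class NonceStore:
    """Strict per-request nonces: each one is issued once and accepted once."""

    def __init__(self):
        self._live = set()

    def issue(self):
        nonce = secrets.token_urlsafe(16)
        self._live.add(nonce)
        return nonce

    def consume(self, nonce):
        """True only the first time a live nonce is presented; a replay gets False."""
        if nonce in self._live:
            self._live.discard(nonce)
            return True
        return False


def handle_logout(session_id, form, nonces):
    """Simulated POST /logout. The session cookie arrives automatically with any
    request the browser makes, so the state change also demands a valid token
    and a fresh nonce that only a page served to this user could contain."""
    if not verify_csrf(session_id, form.get("csrf_token", "")):
        return 403
    if not nonces.consume(form.get("nonce", "")):
        return 403
    return 200   # logout performed


if __name__ == "__main__":
    nonces = NonceStore()
    session = "sess-abc123"                       # constructed session id
    form = {"csrf_token": csrf_token(session), "nonce": nonces.issue()}
    print("legitimate form:", handle_logout(session, form, nonces))   # 200
    print("replayed form:  ", handle_logout(session, form, nonces))   # 403
    print("IMG-tag request:", handle_logout(session, {}, nonces))     # 403
```

The IMG-tag request in the text carries the cookie but no form body, which is why it fails the first check; the replay fails the second, which is the property the nonce adds on top of a per-session token.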

What's the difference between HTTP and HTML?

Obviously the answer is that one is the networking/application protocol and the other is the markup language, but again, the main thing you're looking for is for him not to panic.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$How does HTTP handle state?
It doesn't, of course. Not natively. Good answers are things like cookies, but the best answer is that cookies are a hack to make up for the fact that HTTP doesn't do it itself.
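What the "cookie hack" has to get right, shown as an added example rather than anything from the page: since HTTP carries no state, the server hands the client a cookie and the client sends it back on every request, which means any state stored in it must be integrity-protected or the client can rewrite it. The functions, the demo key and the `forge_attempt` tamper check below are constructed for this illustration; the Set-Cookie attributes (`HttpOnly`, `Secure`, `SameSite`) are real ones.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from a secret store and rotates it.
SECRET_KEY = b"demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(state: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize per-user state and append an HMAC-SHA256 tag.

    The client can read this state (it is not encrypted) but cannot alter it
    without the key, which is what lets a stateless protocol carry state safely.
    """
    payload = _b64(json.dumps(state, sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def load_session(cookie: str, key: bytes = SECRET_KEY):
    """Return the state dict if the tag verifies, otherwise None."""
    if cookie.count(".") != 1:
        return None
    payload, tag = cookie.split(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    try:
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def set_cookie_header(value: str) -> str:
    """Response header: HttpOnly keeps page script away from the cookie, Secure keeps
    it off plain HTTP, SameSite=Lax stops most cross-site requests from carrying it."""
    return f"Set-Cookie: session={value}; HttpOnly; Secure; SameSite=Lax; Path=/"


def forge_attempt(cookie: str) -> str:
    """Constructed tamper check: keep the original tag, swap in a privileged payload."""
    _payload, tag = cookie.split(".")
    forged = _b64(json.dumps({"role": "admin", "user": "alice"}, sort_keys=True).encode())
    return f"{forged}.{tag}"


if __name__ == "__main__":
    cookie = sign_session({"user": "alice", "role": "user"})
    print(set_cookie_header(cookie))
    print(load_session(cookie))                  # {'role': 'user', 'user': 'alice'}
    print(load_session(forge_attempt(cookie)))   # None: tag no longer matches
```

A server-side session store (cookie holds only an opaque random id) avoids the signing step entirely and is the other common answer; the signed cookie is shown because it makes the integrity requirement visible.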

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$What exactly is Cross Site Scripting?
You'd be amazed at how many security people don't know even the basics of this immensely important topic. We're looking for them to say anything regarding an attacker getting a victim to run script content (usually JavaScript) within their browser.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$What's the difference between stored and reflected XSS?
Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim's browser when the results are returned from the site.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$What are the common defenses against XSS?
Input Validation/Output Sanitization, with focus on the latter.
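Stored and reflected XSS, and the output-encoding defense the answer favors, side by side as an added example (not code from the page): each rendering function is shown in its vulnerable form and its encoded form, and `safe_href` adds the input-validation step for the one context where encoding alone is not enough, an attribute holding a URL. The functions and the `SAMPLE_PAYLOAD` string are constructed for this illustration; `html.escape` and `urllib.parse.urlsplit` are standard-library calls.

```python
import html
from urllib.parse import urlsplit

# Constructed sample of the kind of text that arrives via a comment field
# (stored) or a search parameter (reflected). Not taken from the original page.
SAMPLE_PAYLOAD = '<script>alert(1)</script>'


def render_comment_vulnerable(comment: str) -> str:
    """Stored XSS: text pulled from the database is concatenated raw into the page."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Same page with output encoding: the browser displays the text, never parses it."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: the request parameter is echoed straight back in the response."""
    return f'<h1>Results for {query}</h1>'


def render_search_safe(query: str) -> str:
    """Encoded on output, so a crafted link only ever shows the attacker's text."""
    return f'<h1>Results for {html.escape(query, quote=True)}</h1>'


def safe_href(url: str) -> str:
    """Attribute context needs validation as well as encoding.

    Entity encoding cannot stop a javascript: URL from executing when clicked,
    so the scheme is allow-listed first (input validation) and the value is then
    encoded for the attribute (output encoding). Anything else becomes a dead link.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link_safe(text: str, url: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(text, quote=True)}</a>'


if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_PAYLOAD))   # script tag survives intact
    print(render_comment_safe(SAMPLE_PAYLOAD))         # &lt;script&gt; ... rendered as text
    print(render_search_safe(SAMPLE_PAYLOAD))
    print(render_link_safe("docs", "https://example.test/?a=1&b=2"))
```

Note that the escaping is chosen per context: the HTML-body and attribute cases are covered by `html.escape`, but a value dropped inside a `<script>` block or a CSS property would need that context's own encoding, which is why templating engines that auto-escape by context are the practical answer.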

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$What is the primary reason most companies haven't fixed their vulnerabilities?
This is a bit of a pet question for me, and I look for people to realize that companies don't actually care as much about security as they claim to; otherwise we'd have a very good remediation percentage. Instead we have a ton of unfixed things and more tests being performed.
Look for people who get this, and are ok with the challenge.
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$What's the goal of information security within an organization?
This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. "To control access to information as much as possible, sir!" While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I'm looking for. A much better answer in my view is something along the lines of, "To help the organization succeed."
This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding, a realization that security is there for the company and not the other way around.
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$What's the difference between a threat, vulnerability, and a risk?
Asset: People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items.
An asset is what we're trying to protect.
Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
A threat is what we're trying to protect against.
Vulnerability: Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.
A vulnerability is a weakness or gap in our protection efforts.
Risk: The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
Risk is the intersection of assets, threats, and vulnerabilities.
Why is it important to understand the difference between these terms? If you don't understand the difference, you'll never understand the true risk to assets. You see, when conducting a risk assessment, the formula used to determine risk is:
A + T + V = R
That is, Asset + Threat + Vulnerability = Risk.
Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk.
Accurately assessing threats and identifying vulnerabilities is critical to understanding the risk to assets. Understanding the difference between threats, vulnerabilities, and risk is the first step.

$$$$$$$$$$$$$$$$$$$$$$$$$$$If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? [Imagine you start on day one with no knowledge of the environment]
We don't need a list here; we're looking for the basics. Where is the important data? Who interacts with it? Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability assessments. What's being logged and audited? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation.
$$$$$$$$$$$$$$$$$$$$$$$$$$$$If I'm on my laptop, here inside my company, and I have just plugged in my network cable, how many packets must leave my NIC in order to complete a traceroute to twitter.com?
The key here is that they need to factor in all layers: Ethernet, IP, DNS, ICMP/UDP, etc. And they need to consider round-trip times. What you're looking for is a realization that this is the way to approach it, and an attempt to knock it out. A bad answer is the look of WTF on the face of the interviewee.
This could be asked as a final phase of a multi-step protocol question that perhaps starts with the famous, "What happens when I go to Google.com?"
