What is NAT and how does it work?
The abbreviation for NAT is Network Address Translator. Private IP addresses are not globally recognized and should never be used on the internet and they are intended for the internal use in isolated networks, such as LANS, without internet access.
However, private addresses can be used in networks with Internet access, provided that they undergo an address translation before reaching the Internet. With address translation, private IP source addresses are removed from outgoing data packets by a device called a Network Address Translator(NAT) before the packets leave the network and are replaced with a global Internet IP address.
The NAT is generally a router that isolates transmissions on the private network from the Internet. Conversely, destination global addresses in data packets received from the Internet are converted to private addresses before being replaced on the local network. The NAT that performs the address translation is sometimes called a proxy server.
What is a SID (Security ID)?
In Windows NT and 2000 operating systems, the security identifier (SID) is a unique alphanumeric character string that identifies each operating system and each user in a network of NT/2000 systems.
What are some common attacks, and how can I protect my system against them?
Each site is a little different from every other in terms of what attacks are likely to be used against it. Some recurring themes do arise, though.
1. SMTP Server Hijacking (Unauthorized Relaying)
This is where a spammer will take many thousands of copies of a message and send it to a huge list of email addresses. Because these lists are often so bad, and in order to increase the speed of operation for the spammer, many have resorted to simply sending all of their mail to an SMTP server that will take care of actually delivering the mail.
Of course, all of the bounces, spam complaints, hate mail, and bad PR come for the site that was used as a relay. There is a very real cost associated with this, mostly in paying people to clean up the mess afterward.
The Mail Abuse Prevention System
1) Transport Security Initiative
2) Maintains a complete description of the problem, and how to configure about every mailer on the planet to protect against this attack.
2. Exploiting Bugs in Applications
Various versions of web servers, mail servers, and other Internet service software contain bugs that allow remote (Internet) users to do things ranging from gain control of the machine to making that application crash and just about everything in between.
The exposure to this risk can be reduced by running only necessary services, keeping up to date on patches, and using products that have been around a while.
3. Bugs in Operating Systems
Again, these are typically initiated by users remotely. Operating systems that are relatively new to IP networking tend to be more problematic, as more mature operating systems have had time to find and eliminate their bugs. An attacker can often make the target equipment continuously reboot, crash, lose the ability to talk to the network, or replace files on the machine.
Here, running as few operating system services as possible can help. Also, having a packet filter in front of the operating system can reduce the exposure to a large number of these types of attacks. And, of course, chosing a stable operating system will help here as well. When selecting an OS, don’t be fooled into believing that ”the pricier, the better”. Free operating systems are often much more robust than their commercial counterparts.
How do I know which application uses what port?
There are several lists outlining the “reserved” and “well known” ports, as well as “commonly used” ports, and the best one is: ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers. For those of you still reading RFC 1700 to find out what port number does what, STOP DOING IT. semantic database . It is horribly out of date, and it won’t be less so tomorrow.
Note: THERE IS NO WAY OF RELIABLY DETERMINING WHAT PORT DOES WHAT SIMPLY BY LOOKING IN A LIST.
What is an access token?
Each process has an associated access token which is used by the system to verify whether the process should be granted access to a particular object or not. The access token consists of a user SID, a list of group SIDs representing the groups the user belongs to, and a list of user rights (privileges) the user is blessed with.
What port does ping work over?
A trick question, to be sure, but an important one. Hint: ICMP is a layer 3 protocol (it doesn’t work over a port) A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.
What’s the difference between Diffie-Hellman and RSA?
Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol. If they get that far, make sure they can elaborate on the actual difference, which is that one requires you to have key material beforehand (RSA), while the other does not (DH). Blank stares are undesirable.
What kind of attack is a standard Diffie-Hellman exchange vulnerable to?
Man-in-the-middle, as neither side is authenticated.
What exactly is Cross Site Scripting?
What’s the difference between stored and reflected XSS?
Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim’s browser when the results are returned from the site.
If you had to both encrypt and compress data during transmission, which would you do first, and why?
If they don’t know the answer immediately it;s ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn’t know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: Compress then encrypt. If you encrypt first you’ll have nothing but random data to work with, which will destroy any potential benefit from compression.
How exactly does traceroute/tracert work at the protocol level?
This is a fairly technical question but it’s an important concept to understand. It’s not natively a “security” question really, but it shows you whether or not they like to understand how things work, which is crucial for an Infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions.
The key point people usually miss is that each packet that’s sent out doesn’t go to a different place. Many people think that it first sends a packet to the first hop, gets a time. Then it sends a packet to the second hop, gets a time, and keeps going until it gets done. That’s incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that’s used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.
What is the difference between a threat, vulnerability, and a risk?
A threat is an event, natural or man-made, that can cause damage to your system. Threats include people trying to break into your network to steal information, fires, tornados, floods, social engineering, malicious employees, etc. Anything that can cause damage to your systems is basically a threat to those systems. Also remember that threat is usually rated as a probability, or a chance, of that threat coming to bear. An example would be the threat of exploit code being used against a particular vulnerability. If there is no known exploit code in the wild the threat is fairly low. But the second working exploit code hits the major mailing lists, your threat (chance) raises significantly.
A vulnerability is a weakness in a system. This one is pretty straight forward because vulnerabilities are commonly labeled as such in advisories and even in the media. Examples include the LSASS issue that let attackers take over systems, etc. When you apply a security patch to a system, you’re doing so to address a vulnerability.
Risk is perhaps the most important of all these definitions since the main mission of information security officers is to manage it. The simplest explanation is that risk is the chance of something bad happening.
Note: Stay tuned for more updates on Advance topics.