Interview Question and Answers On Security Fundamentals

The document provides an overview of key concepts in information security, including the CIA triad (confidentiality, integrity, availability), encryption and decryption methods, types of malware, and distinctions between various cybersecurity terms. It also covers the roles of different types of hackers, the implications of data leakage, and the processes involved in SSL/TLS handshakes. Additionally, it explains the significance of CVE and CVSS in tracking and assessing vulnerabilities.

Uploaded by JUSTFRND GAMING
CIA Triad

The CIA triad is a widely recognized model for information security, consisting of three core principles:
confidentiality, integrity, and availability.

Confidentiality:
• Confidentiality ensures that only authorized individuals or systems can access sensitive information.
• Confidentiality is achieved through the use of access controls, encryption, and other security measures.

Integrity:
• Integrity ensures that information is not modified or tampered with in an unauthorized manner.
• Integrity is achieved through the use of checksums, digital signatures, and other security measures.

Availability:
• Availability ensures that information and systems are accessible and functional when required.
• Availability is achieved through redundancy, fault tolerance, and other resilience measures.
What is Encryption & Decryption? Types of it

Encryption: Encryption is the process of converting plaintext (unencrypted data) into ciphertext
(encrypted data) using an encryption key.
Decryption: Decryption is the process of converting ciphertext (encrypted data) back into plaintext
(unencrypted data) using a decryption key.

Types:
Symmetric encryption:
• In symmetric encryption, the same key is used to both encrypt and decrypt data.
• Examples of symmetric encryption algorithms include Advanced Encryption Standard (AES), Blowfish, and DES.

Asymmetric encryption:
• In asymmetric encryption, also known as public-key encryption, two keys are used:
a public key and a private key (secret key).
• The public key is used to encrypt the data, while the private key is used to decrypt it.
What is Hashing

Hashing:
• Converts plaintext data of any length into a fixed-length string of characters, called a hash value or message digest
• To ensure the integrity of data, the hash value of the data is calculated and compared to a known hash value. If the hash values match, it can
be assumed that the data has not been tampered with. If the hash values do not match, it indicates that the data has been modified, and the
integrity of the data has been compromised.
• Some common hashing algorithms include MD5, SHA-1, SHA-2 (for example SHA-256), and SHA-3.
Difference between Encoding, Encryption and Hashing

Encryption:
• Encryption is a security technique used to protect data confidentiality by converting plaintext (readable data) into ciphertext (unreadable data) using an encryption algorithm and a secret key.
• The primary goal of encryption is to ensure that only authorized parties can decrypt and access the original data.
• Appropriate keys are used in encryption.
• Encryption can be reversed back to its original form by using the appropriate keys.
• Example: AES algorithm, RSA algorithm, Diffie-Hellman.

Encoding:
• Encoding is a process used to convert data from one format to another for the purpose of data integrity and transmission.
• It is not primarily a security measure but rather a method to represent data in a different, more suitable format for storage or transmission (e.g., converting special characters to their HTML entities in web pages).
• No keys are used in encoding.
• Encoding can be reversed back to its original form.
• Example: Base64, Unicode, ASCII, URL encoding.

Hashing:
• Hashing is a one-way cryptographic technique used to generate a fixed-length string of characters (hash value or digest) from any input data of arbitrary size.
• The primary purpose of hashing is data integrity verification and fast data retrieval, such as in data indexing.
• No keys are used in hashing.
• A hash value cannot be reversed back to its original form.
• Example: MD5, SHA-256, SHA-3.
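To make the encoding and hashing rows concrete, here is an added Python example (not part of the original document): Base64 is reversible with no key at all, while a SHA-256 digest is fixed-length and can only be checked by recomputing it and comparing, which is the integrity check described above. The sample record is constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample record; any bytes would do.
RECORD = b"account=alice;balance=1200"


def encode_b64(data: bytes) -> str:
    """Encoding: no key, fully reversible, provides no secrecy at all."""
    return base64.b64encode(data).decode("ascii")


def decode_b64(text: str) -> bytes:
    """Anyone who sees the encoded text can recover the original."""
    return base64.b64decode(text)


def sha256_hex(data: bytes) -> str:
    """Hashing: no key, fixed 256-bit (64 hex character) digest, one-way.
    MD5 and SHA-1 are collision-broken; use SHA-256 or SHA-3 for new designs."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, known_digest: str) -> bool:
    """Integrity check from the page: recompute the hash and compare it to the
    known value. compare_digest runs in constant time, so response timing does
    not leak how many leading characters of the digest matched."""
    return hmac.compare_digest(sha256_hex(data), known_digest)


if __name__ == "__main__":
    encoded = encode_b64(RECORD)
    print("base64 :", encoded)                      # readable by anyone
    print("decoded:", decode_b64(encoded) == RECORD)
    digest = sha256_hex(RECORD)
    print("sha256 :", digest)                       # no way back to RECORD
    tampered = RECORD.replace(b"1200", b"9200")
    print("original verifies:", verify_integrity(RECORD, digest))
    print("tampered verifies:", verify_integrity(tampered, digest))
```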
Types of Hackers
1. White hat hackers: Also known as ethical hackers, they are hired by organizations to identify and fix security vulnerabilities in their systems.

2. Black hat hackers: They are hackers who exploit security vulnerabilities in systems for their own gain, usually for financial or personal reasons.

3. Grey hat hackers: They are hackers who use their skills to find vulnerabilities in systems but do not intend to cause any harm. They may notify
the system owner of the vulnerability, but they may also use it to gain unauthorized access.

4. Hacktivists: They are hackers who use their skills to promote a social or political cause. They often target organizations or government
agencies to raise awareness or to protest against their policies.

5. Script kiddies: They are individuals who use pre-packaged tools and scripts to launch attacks without necessarily understanding the
underlying technology.

6. State-sponsored hackers: They are hackers who work for or on behalf of a government or a state agency to carry out cyber espionage or
other malicious activities.
What is Malware and Types
Malware, short for "malicious software," refers to any software designed to cause harm or damage to a computer system or network.
Malware can be created for various purposes, including stealing sensitive data, gaining unauthorized access, and disrupting normal computer operations.

Here are some common types of malware:

1. Virus: A virus is a program that can replicate itself and spread from one computer to another by attaching itself to a host file.
2. Trojan: A Trojan is a program that appears to be legitimate but actually contains malicious code that can be used to steal data or gain unauthorized
access.
3. Worm: A worm is a self-replicating program that can spread through a network, often consuming large amounts of bandwidth and causing damage to
the network.
4. Ransomware: Ransomware is a type of malware that encrypts files on a system, making them unusable, and demands payment in exchange for the
decryption key.
5. Adware: Adware is a type of malware that displays unwanted advertisements on a user's computer, often in the form of pop-ups or browser redirects.
6. Spyware: Spyware is a type of malware that can track a user's online activity, steal sensitive data, and transmit it back to a third party.
7. Rootkit: A rootkit is a type of malware that can hide its presence on a system by modifying the operating system or other software components.
Difference Between Virus, Worm & Trojan

Virus:
• Behavior: A virus is a type of malware that attaches itself to a legitimate program or file and replicates by infecting other programs or files.
• Infection method: Viruses rely on users executing infected files or programs to spread. They can also spread through infected email attachments, removable media (e.g., USB drives), or infected downloads.
• Payload: Viruses often have a harmful payload that can damage or alter the infected system or files. Their primary goal is to replicate and spread.
• Example: The "ILOVEYOU" virus is a famous example of a computer virus that spread through email attachments and caused extensive damage.

Worm:
• Behavior: A worm is a self-replicating malware that spreads across networks and systems without needing human intervention.
• Infection method: Worms can spread rapidly through the internet or local networks without any human intervention.
• Payload: Worms may or may not have a destructive payload. Their primary objective is to spread and infect as many systems as possible.
• Example: The "Blaster" worm (also known as MSBlast or MS32.Blaster) targeted a Windows vulnerability and spread quickly through the internet in 2003.

Trojan Horse:
• Behavior: A Trojan is a type of malware that disguises itself as a legitimate program or file to deceive users. Once installed or executed, it may perform malicious actions on the victim's system without their knowledge.
• Infection method: Trojans typically do not self-replicate like viruses or worms. Instead, they rely on social engineering to trick users into installing them, often through fake software downloads or email attachments.
• Payload: Trojans can have a wide range of payloads, including stealing data, providing remote access to an attacker, and more. Their primary goal is to remain hidden while carrying out malicious activities.
• Example: The Zeus Trojan (Zbot) is a well-known example that targeted online banking users, capturing their login credentials and financial information.
What is Threat, Vulnerability and Risk
Threat: A potential danger or risk to a system or organization.
Example: malware.
Vulnerability: A weakness in a system that can be exploited by a threat actor.
Risk: A risk is the likelihood of a threat exploiting a vulnerability and causing harm or
damage to a system or organization.

What is a Zero-day Attack

Zero day: A vulnerability that is unknown to the software vendor or security community, and
for which no patch or mitigation strategy is available.

What is Exploit and Payload

Exploit: A piece of software or code that takes advantage of a vulnerability to gain
unauthorized access to a system or data.
Payload: A payload is software used by an attacker to reach the attack objectives. Depending
on the attack objectives, the payload contains malicious software that would allow the
attacker to access sensitive data or cause harm to the organization.
What is Event, Alert and Incident
Event: An event is any activity that takes place in a system, network, or application and that can be logged or detected by security monitoring tools.
Event example:
A user logs into a system with valid credentials. This is a normal and benign event that is logged for auditing purposes.
Event example:
A user attempts to log into a system with invalid credentials multiple times. This event may trigger an alert, as it could indicate a brute-force attack or a
credential-stuffing attack.

Alert: An alert is generated when an event appears to be suspicious or anomalous.

Alert example: A security monitoring tool detects a suspicious network connection from an IP address in a high-risk country.

Incident: An incident is a confirmed or suspected security breach or threat that has been identified and requires immediate response and remediation.
Example: A user's account is compromised, and sensitive data is stolen. This is a confirmed security breach that requires immediate response and remediation.
Example: A ransomware attack encrypts critical files on a company's network. This is a confirmed security incident that requires immediate response and
remediation.
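The second event example above (repeated failed logins turning into an alert) written as a detection rule, as an added Python example that is not from the original document: it parses constructed sshd-style log lines and raises one alert per source address that reaches a threshold of failed logins inside a sliding time window. The log format, threshold and window size are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[811]: Accepted password for alice from 192.0.2.10 port 50122
2024-05-01T10:00:05 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 40001
2024-05-01T10:00:09 sshd[813]: Failed password for invalid user admin from 203.0.113.5 port 40002
2024-05-01T10:00:12 sshd[814]: Failed password for root from 203.0.113.5 port 40003
2024-05-01T10:00:15 sshd[815]: Failed password for bob from 198.51.100.7 port 51000
2024-05-01T10:00:18 sshd[816]: Failed password for root from 203.0.113.5 port 40004
2024-05-01T10:00:21 sshd[817]: Failed password for root from 203.0.113.5 port 40005
2024-05-01T10:00:30 sshd[818]: Accepted password for bob from 198.51.100.7 port 51001
2024-05-01T10:03:00 sshd[819]: Failed password for root from 203.0.113.5 port 40006
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(log_text):
    """Yield (timestamp, result, user, src) for every line the regex recognises."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert the first time a source reaches `threshold` failed logins inside a
    sliding `window`. A single failure (bob mistyping once) never alerts; each
    source alerts at most once so a long attack does not flood the queue."""
    recent = defaultdict(deque)      # src -> timestamps of failures still in window
    alerted, alerts = set(), []
    for ts, result, user, src in parse(log_text):
        if result != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "failures": len(q), "first": q[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT possible brute force from {a['src']}: "
              f"{a['failures']} failures between {a['first']} and {a['last']}")
```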
What is TP, FP, TN and FN

True Positive (TP):
An alert or event is correctly identified as a security incident or threat.
For example, if an intrusion detection system alerts the SOC to an attempted breach, and the alert is confirmed as a genuine attack, this is a True Positive.

False Positive (FP):
An alert or event is triggered, but it is not actually a security incident or threat.
For example, if a security system identifies an authorized user as an attacker and generates an alert, this would be a False Positive.

True Negative (TN):
An event or activity is correctly identified as benign and not a security incident or threat.
For example, if a security system logs a legitimate user accessing a system with valid credentials, and no threat or attack is detected, this is a True Negative.

False Negative (FN):
A security incident or threat goes undetected or unreported.
For example, if an attacker successfully compromises a system or network, and the security system does not generate an alert or event, this would be a False
Negative.

Note: In summary, True Positives and True Negatives in a SOC indicate effective threat detection and response, while False Positives and False Negatives indicate
room for improvement in the security systems or processes.
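The four outcomes counted over a batch of triaged alerts, as an added Python example that is not from the original document: the triage results are constructed, and the block also derives precision, recall and false-positive rate, which are the numbers a SOC uses to measure the "room for improvement" the note refers to.

```python
from dataclasses import dataclass


@dataclass
class Outcome:
    """One monitored activity: did the system alert, and was it really malicious?"""
    event: str
    alerted: bool
    malicious: bool


# Constructed triage results for one week (not real data).
TRIAGE = [
    Outcome("IDS: exploit attempt against web server, confirmed", True, True),
    Outcome("EDR: credential-theft tool executed on workstation", True, True),
    Outcome("Proxy: beaconing to a known C2 domain", True, True),
    Outcome("Admin ran a port scan from the jump host in a change window", True, False),
    Outcome("Nightly backup job flagged as mass file encryption", True, False),
    Outcome("Normal user login with valid credentials", False, False),
    Outcome("Scheduled patching traffic", False, False),
    Outcome("Developer pushing to git over SSH", False, False),
    Outcome("Vulnerability scan run by the security team", False, False),
    Outcome("Phishing mail delivered and clicked, nothing fired", False, True),
]


def confusion_matrix(outcomes):
    """Count the four TP/FP/TN/FN cases defined above."""
    tp = sum(o.alerted and o.malicious for o in outcomes)
    fp = sum(o.alerted and not o.malicious for o in outcomes)
    tn = sum(not o.alerted and not o.malicious for o in outcomes)
    fn = sum(not o.alerted and o.malicious for o in outcomes)
    return {"TP": tp, "FP": fp, "TN": tn, "FN": fn}


def detection_metrics(cm):
    """Precision: share of alerts that were real. Recall: share of real attacks caught.
    FPR: share of benign activity that still paged the SOC. Guards against 0/0."""
    def ratio(num, den):
        return num / den if den else 0.0
    return {
        "precision": ratio(cm["TP"], cm["TP"] + cm["FP"]),
        "recall": ratio(cm["TP"], cm["TP"] + cm["FN"]),
        "false_positive_rate": ratio(cm["FP"], cm["FP"] + cm["TN"]),
    }


if __name__ == "__main__":
    cm = confusion_matrix(TRIAGE)
    print(cm)
    print({k: round(v, 2) for k, v in detection_metrics(cm).items()})
```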
What is IOC and IOA?
IOC:
IOC stands for "Indicators of Compromise."
IOCs are pieces of evidence that suggest a security breach has occurred or is currently ongoing.
IOCs can include IP addresses, domain names, file hashes, URLs, and other forensic artifacts that indicate malicious activity.

IOA:
IOA stands for "Indicators of Attack."
IOAs are patterns of activity that suggest an attacker is attempting to compromise a system or network.
Unlike IOCs, which are specific pieces of evidence, IOAs are more abstract and focus on identifying malicious behavior or actions.

Examples of an IOA:
Scanning for vulnerable web servers using tools like Nmap or Shodan.
Attempting to upload a web shell or other malicious code to the target system.
What is Data Leakage?

Data leakage means the unauthorized transmission of data from an organization to an external recipient.
This can occur through intentional or unintentional means, such as:
Accidental leakage: The authorized entity sends data to an unauthorized entity accidentally.
Malicious insiders: The authorized entity intentionally sends data to an unauthorized entity.
Electronic communication: Attackers make use of hacking tools to intrude into the system.
Social engineering: Attackers may use social engineering tactics, such as phishing or pretexting, to trick employees into revealing sensitive data or
granting access to systems or networks.

What is BOT and BOTNET?

BOT:
A bot (short for "robot") is a software program designed to perform automated tasks on the internet.
Bots can be used for legitimate purposes, such as web crawling and data analysis.
Bots can also be used for malicious activities such as DDoS attacks.

BOTNET:
A botnet is a network of compromised computers, also known as "zombies," that are under the control of a remote attacker.
An attacker can use a botnet to carry out a variety of malicious activities, including DDoS attacks, cryptocurrency mining, etc.
Please Explain the SSL/TLS Handshake

The user or client computer starts the handshake process by sending a "Hello" message.
This message contains the TLS version and cipher suites that the client supports. It also includes
a string of arbitrary bytes, called the "client random."

In its reply, the server sends its SSL certificate. The reply also contains the cipher
suite chosen for this session and a string of random bytes generated by the server, referred
to as the "server random."

The user's browser authenticates the SSL certificate provided by the server and the
certificate authority that issued it. This proves that the server is who it claims to be, and that
the client is interacting with the legitimate holder of the certificate.

The client sends another message (the premaster secret) encrypted with the SSL certificate's
public key, which can only be decrypted by the private key held by the server.

The server decrypts the message using its private key.

After this, a session key is created using the client random, the server random, and the premaster
secret.

Both server and client send a "finished" message, encrypted with the session key.
The SSL handshake is completed successfully, and both parties continue communicating
securely, using the session keys.
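The key-derivation step above ("a session key is created using the client random, the server random, and the premaster secret") for the RSA key exchange the page describes, as an added Python example that is not part of the original document: it implements the TLS 1.2 PRF of RFC 5246 with only the standard library. TLS 1.3 replaces this PRF with HKDF; the randoms, premaster secret and key-block length used here are constructed.

```python
import hashlib
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: the master secret is always 48 bytes and binds the
    premaster secret to both sides' randoms, so a replayed premaster secret
    yields different keys in a new handshake."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """Key expansion (RFC 5246 section 6.3); note the randoms are server-first here.
    The block is then sliced into the per-direction write keys and IVs."""
    return prf(master, b"key expansion", server_random + client_random, length)


if __name__ == "__main__":
    # Constructed values: an RSA key exchange delivers a 48-byte premaster secret
    # (2-byte protocol version + 46 random bytes); the randoms are 32 bytes each.
    pre_master = b"\x03\x03" + os.urandom(46)
    client_random, server_random = os.urandom(32), os.urandom(32)
    ms = master_secret(pre_master, client_random, server_random)
    # AES-128-GCM suites need 2 x 16-byte write keys + 2 x 4-byte implicit IVs = 40 bytes.
    keys = key_block(ms, client_random, server_random, 40)
    print("master secret   :", ms.hex())
    print("client_write_key:", keys[:16].hex())
    print("server_write_key:", keys[16:32].hex())
```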
What are the differences between SSL and TLS?

SSL (Secure Sockets Layer):
• SSL has now been replaced with TLS. SSL moved through versions 1.0, 2.0, and 3.0.
• Due to its vulnerabilities, many modern systems and browsers have deprecated support for SSL.
• SSL has known vulnerabilities, especially in its earlier versions (SSL 2.0 and SSL 3.0). Due to these weaknesses, it is no longer considered secure, and its usage is strongly discouraged.
• SSL uses a weak and vulnerable method called "fall-back" negotiation, which can be exploited.
• SSL has only two types of alert messages. Alert messages are unencrypted.
• An SSL handshake is complex and slow.

TLS (Transport Layer Security):
• TLS is the upgraded version of SSL. TLS has moved through versions 1.0, 1.1, 1.2, and 1.3.
• TLS versions 1.2 and 1.3 are actively used.
• TLS is the successor to SSL and incorporates security improvements. Newer versions of TLS continue to address vulnerabilities and enhance security. TLS 1.3 is the latest version at the time of writing.
• TLS uses a more secure mechanism called "explicit negotiation" for cipher suite selection. This helps prevent certain downgrade attacks.
• TLS alert messages are encrypted and more diverse.
• A TLS handshake has fewer steps and a faster connection.
What is File-Based Malware and Fileless Malware?

File-Based Malware:

• In a file-based attack, threat actors use specific file formats, often presenting themselves as documents with extensions
such as .DOCX and .PDF, to prompt users to open these files.
• Detection involves scanning files for known patterns

Fileless Malware:

• Fileless malware is a type of malicious activity that uses native, legitimate tools built into a system to execute a cyber
attack. Unlike traditional malware, fileless malware does not require an attacker to install any code on a target’s
system, making it hard to detect.
• This fileless technique of using native tools to conduct a malicious attack is sometimes referred to as living off the
land or LOLbins
Explain CVE and CVSS
• CVE: CVE, or Common Vulnerabilities and Exposures, is a system that uniquely identifies and tracks publicly
disclosed information security vulnerabilities. Each vulnerability is assigned a unique CVE ID.

• CVSS is a system that scores the severity of security vulnerabilities with a number.
