
1.

List The Component Used In SSL?

Answer»

The Secure Sockets Layer protocol, or SSL, is used to make a secure connection between client and computers.

Below are the components used in SSL:

  • SSL Record protocol
  • Handshake protocol
  • Change Cipher Spec
  • Encryption algorithms

2.

What Are The Three Classes Of Intruders?

Answer»

Following are the three classes of intruders:

  1. Masquerader: It can be defined as an individual who is not authorized on the computer but hacks the system’s access control and gets access to an authenticated user’s account.
  2. Misfeasor: In this case the user is authenticated to use the system resources but misuses his access on the system.
  3. Clandestine user: It can be defined as an individual who hacks the control system of the system and bypasses the system’s security system.

3.

Explain “URL Manipulation”?

Answer»

URL manipulation is a type of attack in which hackers manipulate the website URL to get critical information. The information is passed in the parameters of the query string via the HTTP GET method between client and server. Hackers can alter the information in these parameters, get authentication on the servers and steal the critical data.

In order to avoid this kind of attack, security testing of URL manipulation should be done. Testers themselves can try to manipulate the URL and check for possible attacks, and if any are found they can prevent these kinds of attacks.

4.

List Down The Principal Categories Of SET Participants?

Answer»

Following are the participants:

5.

List The Benefits That Can Be Provided By An Intrusion Detection System?

Answer»

There are three benefits of an intrusion detection system.

  1. NIDS or Network Intrusion Detection
  2. NNIDS or Network Node Intrusion Detection System
  3. HIDS or Host Intrusion Detection System

6.

What Is File Enumeration?

Answer»

This kind of attack uses forceful browsing together with the URL manipulation attack. Hackers can manipulate the parameters in the URL string and can get critical data which is generally not open to the public, such as archived data, old versions or data which is under development.

7.

List The Parameters That Define An SSL Session Connection?

Answer»

The parameters that define an SSL session connection are:

  • Server and client random
  • Server write MAC secret
  • Client write MAC secret
  • Server write key
  • Client write key
  • Initialization vectors
  • Sequence numbers

8.

List Down The Seven Main Types Of Security Testing As Per Open Source Security Testing Methodology Manual?

Answer»

The seven main types of security testing as per the Open Source Security Testing Methodology Manual are:

Vulnerability Scanning: Automated software scans a system against known vulnerabilities.

Security Scanning: Manual or automated technique to identify network and system weaknesses.

Penetration Testing: Penetration testing is a type of security testing which helps in identifying vulnerabilities in a system.

Risk Assessment: It involves analysis of possible risks in the system. Risks are classified as Low, Medium and High.

Security Auditing: Complete inspection of systems and applications to detect vulnerabilities.

Ethical Hacking: Hacking done on a system to detect flaws in it rather than for personal benefit.

Posture Assessment: This combines Security Scanning, Ethical Hacking and Risk Assessments to show the overall security posture of an organization.

9.

List The Various Methodologies In Security Testing?

Answer»

Methodologies in security testing are:

White Box - All the information is provided to the testers.

Black Box - No information is provided to the testers and they can test the system in a real-world scenario.

Grey Box - Partial information is with the testers and for the rest they have to test on their own.

10.

List Down Some Factors That Can Cause Vulnerabilities?

Answer»

Factors causing vulnerabilities are:

  1. Design flaws – If there are loopholes in the system, they can allow hackers to attack the system easily.
  2. Passwords – If passwords are known to hackers, they can get the information very easily. Password policy should be followed rigorously to minimize the risk of password theft.
  3. Complexity – Complex software can open the door to vulnerabilities.
  4. Human Error – Human error is a significant source of security vulnerabilities.
  5. Management – Poor management of the data can lead to vulnerabilities in the system.

11.

List The Full Names Of Abbreviations Related To Software Security?

Answer»

Abbreviations related to software security are:

  1. IPsec – Internet Protocol Security is a suite of protocols for securing Internet
  2. OSI – Open Systems Interconnection
  3. ISDN – Integrated Services Digital Network
  4. GOSIP – Government Open Systems Interconnection Profile
  5. FTP – File Transfer Protocol
  6. DBA – Dynamic Bandwidth Allocation
  7. DDS – Digital Data System
  8. DES – Data Encryption Standard
  9. CHAP – Challenge Handshake Authentication Protocol
  10. BONDING – Bandwidth On Demand Interoperability Group
  11. SSH – The Secure Shell
  12. COPS – Common Open Policy Service
  13. ISAKMP – Internet Security Association and Key Management Protocol
  14. USM – User-based Security Model
  15. TLS – The Transport Layer Security

12.

Why “Penetration Testing” Is Important?

Answer»

Penetration testing is important because:

Security breaches and loopholes in systems can be very costly, as the threat of attack is always possible and hackers can steal important data or even crash the system.

It is impossible to protect all the information all the time. Hackers always come up with new techniques to steal important data, and it is necessary for testers as well to perform testing periodically to detect possible attacks.

Penetration testing identifies and protects a system from the above-mentioned attacks and helps organizations keep their data safe.

13.

What Is “Penetration Testing”?

Answer»

Penetration testing is a type of security testing which helps in identifying vulnerabilities in a system. A penetration test is an attempt to evaluate the security of a system by manual or automated techniques, and if any vulnerability is found, testers use that vulnerability to get deeper access to the system and find more vulnerabilities. The main purpose of this testing is to protect a system from any possible attacks.

Penetration testing can be done in two ways: white box testing and black box testing.

In white box testing all the information is available to the testers, whereas in black box testing testers don’t have any information and they test the system in a real-world scenario to find the vulnerabilities.

14.

What Is XSS Or Cross Site Scripting?

Answer»

XSS or cross site scripting is a type of vulnerability that hackers use to attack web applications.

It allows hackers to inject HTML or JavaScript code into a web page, which can steal confidential information from the cookies and return it to the hackers. It is one of the most critical and common techniques, and it needs to be prevented.

15.

List The Attributes Of Security Testing?

Answer»

There are following seven attributes of Security Testing:

16.

What Is “SQL Injection”?

Answer»

SQL Injection is one of the common attacking techniques used by hackers to get the critical data.

Hackers check for any loophole in the system through which they can pass SQL queries that bypass the security checks and return the critical data. This is known as SQL injection. It can allow hackers to steal the critical data or even crash a system.

SQL injections are very critical and need to be avoided. Periodic security testing can prevent these kinds of attacks. SQL database security needs to be defined correctly, and input boxes and special characters should be handled properly.

17.

What Is The Intrusion Detection?

Answer»

Intrusion detection is a system which helps in determining possible attacks and dealing with them. Intrusion detection includes collecting information from many systems and sources, analyzing the information and finding out the possible ways of attack on the system.

Intrusion detection checks the following:

  • Possible attacks
  • Any abnormal activity
  • Auditing the system data
  • Analysis of different collected data etc.

18.

What Is “Vulnerability”?

Answer»

A vulnerability can be defined as a weakness of any system through which intruders or bugs can attack the system.

If security testing has not been performed rigorously on the system, then the chances of vulnerabilities increase. From time to time, patches or fixes are required to protect a system from the vulnerabilities.
