# Security Engineering Fundamentals Knowledge Map

### 🔐 **Encryption, Authentication & Access**

**1. What is a three-way handshake?**\
A process (SYN → SYN-ACK → ACK) used by TCP to establish a reliable connection between two devices before data transfer.

**2. How do cookies work?**\
Cookies are small pieces of data stored in your browser to remember information like login sessions or preferences.

**3. How do sessions work?**\
Sessions temporarily store user data on the server to maintain state across multiple requests (e.g., staying logged in).

**4. Explain how OAuth works.**\
OAuth allows a user to grant limited access to their resources on one site to another app — without sharing passwords.

**5. Explain how JWT works.**\
JWT (JSON Web Token) is a compact, signed token used to securely transmit identity information between systems.

**6. What is a PKI flow?**\
Public Key Infrastructure manages digital certificates and keys for secure communication — using a Certificate Authority (CA) to verify identities.

**7. Synchronous vs Asynchronous encryption?**

* **Symmetric (synchronous):** Same key for encryption and decryption.
* **Asymmetric (asynchronous):** Uses public and private key pairs.

**8. Describe the SSL handshake.**\
It’s the process where a client and server exchange certificates and keys to establish an encrypted HTTPS connection.

**9. How does HMAC work?**\
It combines a secret key with a message and hashes them to verify data integrity and authenticity.

**10. Why is HMAC designed that way?**\
To ensure messages are authentic and haven’t been tampered with, even if the attacker sees the message.

**11. Authentication vs Authorization?**

* **Authentication:** Verifies who you are.
* **Authorization:** Determines what you can access.

**12. Diffie-Hellman vs RSA?**

* **Diffie-Hellman:** Used for key exchange.
* **RSA:** Used for both encryption and digital signatures.

**13. How does Kerberos work?**\
Uses a trusted third party (KDC) to issue time-limited tickets, allowing secure authentication without repeatedly sending passwords.

**14. Compress then encrypt or encrypt then compress?**\
Always compress first, then encrypt. Encryption randomizes data, making compression ineffective afterward.

**15. How do I authenticate you and know you sent the message?**\
Through digital signatures or message authentication codes (MAC/HMAC).

**16. Should you encrypt all data at rest?**\
Yes — especially sensitive or regulated data — to prevent unauthorized access.

**17. What is Perfect Forward Secrecy (PFS)?**\
A property ensuring that past encrypted sessions remain secure even if long-term keys are later compromised.

### 🌐 **Network Security, Protocols & Logging**

**18. Common security-related ports and risks:**

* 22 (SSH) – brute-force attacks → use key pairs
* 80 (HTTP) – unencrypted → use HTTPS
* 443 (HTTPS) – encrypted web traffic
* 53 (DNS) – spoofing → use DNSSEC

**19. Which port is used for DNS?**\
Port 53 (UDP/TCP).

**20. Describe HTTPS.**\
It’s HTTP over TLS/SSL — providing encrypted communication between browser and server.

**21. Difference between HTTPS and SSL?**\
SSL/TLS is the encryption protocol; HTTPS is HTTP that uses it for secure communication.

**22. How does threat modeling work?**\
Identifies possible threats, attack paths, and mitigations for a system before deployment.

**23. What is a subnet and why is it useful?**\
A subnet divides a large network into smaller segments for better security and performance.

**24. What is a subnet mask?**\
Defines which portion of an IP address identifies the network vs the host.

**25. What is traceroute?**\
A diagnostic tool showing the path packets take to reach a destination and where delays occur.

**26. Network troubleshooting scenario:**\
Visualize routers, switches, and firewalls, then use ping/traceroute/logs to identify where communication fails.

**27. Cisco ASA firewall config:**\
ACLs (Access Control Lists) define which IPs and ports are allowed, denied, or logged.

**28. Explain TCP/IP concepts.**\
TCP ensures reliable delivery; IP handles addressing and routing between hosts.

**29. What is the OSI model?**\
A 7-layer conceptual model explaining how data moves (Physical → Application layer).

**30. Router vs Switch?**

* **Router:** Connects multiple networks.
* **Switch:** Connects devices within one network.

**31. Risk Management Framework (RMF):**\
A structured process to categorize, assess, authorize, and monitor system risks.

**32. How does a packet travel on the same network?**\
Through ARP (Address Resolution Protocol): the sender finds the MAC address and sends the data directly.

**33. TCP vs UDP — which is more secure?**\
TCP, as it establishes a connection and ensures delivery. UDP is faster but unreliable.

**34. TCP three-way handshake:**\
SYN → SYN-ACK → ACK — ensures both parties are ready before data exchange.

### 🧠 **System, Application & Cloud Security**

**35. DNS poisoning:**\
Corrupting DNS cache so users are redirected to malicious sites.

**36. ARP spoofing:**\
Attacker sends fake ARP messages to intercept network traffic.

**37. Man-in-the-middle attack:**\
Intercepting and possibly altering communication between two systems.

**38. IDS vs IPS:**

* **IDS:** Detects suspicious traffic.
* **IPS:** Detects and blocks it.

**39. WAF (Web Application Firewall):**\
Filters and monitors web traffic to protect against attacks like SQL injection and XSS.

**40. SQL injection:**\
Injecting malicious SQL commands into input fields to access or modify databases.

**41. XSS (Cross-Site Scripting):**\
Injecting malicious scripts into web pages that run in users’ browsers.

**42. CSRF (Cross-Site Request Forgery):**\
Tricking users into performing unintended actions (e.g., changing password) while authenticated.

**43. Input validation:**\
Ensuring user inputs are correct and safe before processing.

**44. Vulnerability vs Exploit vs Payload:**

* **Vulnerability:** A weakness.
* **Exploit:** The method to take advantage of it.
* **Payload:** The malicious code executed after exploitation.

**45. Patch management:**\
Regularly updating software to fix vulnerabilities.

**46. Least privilege:**\
Users or systems get only the minimum access necessary.

**47. Defense in depth:**\
Multiple security layers — if one fails, others protect the system.

**48. Network segmentation:**\
Dividing networks into zones to reduce the impact of breaches.

**49. Honeypot:**\
A decoy system used to detect or distract attackers.

**50. Zero Trust:**\
No implicit trust; verify every user, device, and connection continuously.

**51. MFA (Multi-Factor Authentication):**\
Requires two or more verification methods (password + token).

**52. SSO (Single Sign-On):**\
One login grants access to multiple systems securely.

**53. IAM (Identity and Access Management):**\
Framework for managing digital identities and their access rights.

**54. Separation of duties:**\
Split responsibilities so no one person can misuse power alone.

**55. Logging and monitoring:**\
Recording and reviewing system activities to detect suspicious events.

**56. SIEM:**\
Security Information and Event Management — aggregates and analyzes logs across systems.

**57. DDoS attack:**\
Flooding a server with traffic to make it unavailable.

**58. DDoS prevention:**\
Rate limiting, load balancers, CDNs, and firewall filtering.

**59. Vulnerability scan vs Pen test:**

* **Scan:** Finds weaknesses automatically.
* **Pen test:** Actively exploits them like a hacker would.

**60. System hardening:**\
Reducing attack surface by disabling unused services and applying security settings.

**61. Security baseline:**\
The minimum set of configurations required to secure systems.

**62. Encryption in transit vs at rest:**

* **Transit:** Protects data while moving.
* **At rest:** Protects stored data.

**63. Cloud shared responsibility model:**\
Cloud providers secure infrastructure; customers secure their data and configurations.

**64. Container security:**\
Protecting applications running inside containers through image scanning and isolation.

**65. Kubernetes:**\
Orchestrates and manages multiple containers for scaling and resilience.

**66. Cloud misconfiguration:**\
Incorrect settings (like open S3 buckets) that expose data publicly.

**67. IAM role vs policy:**

* **Role:** Identity with permissions.
* **Policy:** Set of rules defining what actions are allowed.

**68. EDR/XDR:**

* **EDR:** Endpoint detection and response.
* **XDR:** Extended detection across endpoints, network, and cloud.

**69. DLP (Data Loss Prevention):**\
Prevents sensitive data from being leaked or sent outside the organization.

**70. Ransomware:**\
Malware that encrypts data and demands payment to unlock it.

**71. Phishing:**\
Deceptive messages tricking users into revealing sensitive information.

**72. Social engineering:**\
Manipulating people into giving access or information.

**73. Insider threat:**\
An internal user misusing access intentionally or accidentally.

**74. Supply chain attack:**\
Compromising a trusted vendor or software dependency to target victims.

**75. Sandboxing:**\
Running code in an isolated environment to safely test or observe it.

**76. Malware vs Virus vs Worm:**

* **Malware:** Any malicious software.
* **Virus:** Spreads by attaching to files.
* **Worm:** Self-replicates over networks.

**77. Hashing:**\
Converting data into a fixed-size string (hash) — used for integrity checks.

**78. Salt in hashing:**\
Random value added to hashes to make them unique and resistant to precomputed attacks.

**79. Digital signature:**\
Proves authenticity and integrity using cryptographic signing.

**80. Certificate pinning:**\
Forcing an application to trust only a specific server certificate.

**81. Lateral movement:**\
When attackers move within a network after gaining initial access.

**82. Privilege escalation:**\
Gaining higher permissions than originally allowed.

**83. Incident response:**\
Steps taken to detect, contain, and recover from a cyber incident.

**84. Incident response phases:**\
Preparation → Detection → Containment → Eradication → Recovery → Lessons learned.

**85. DFIR:**\
Digital Forensics and Incident Response — investigates, analyzes, and responds to breaches.

**86. Log correlation:**\
Linking related log events from multiple systems to identify incidents.

**87. SOC (Security Operations Center):**\
A team and facility monitoring and managing security incidents.

**88. Threat hunting:**\
Proactively searching for hidden or emerging threats.

**89. MITRE ATT&CK framework:**\
A knowledge base of adversary tactics and techniques used for threat analysis and defense planning.

**90. Kill chain:**\
A model describing the stages of a cyberattack — from reconnaissance to data exfiltration.
