ISO 27000 Series

The title first chosen for this post was: What areas do ISO 27001 and 27002 cover? It corresponds to question 100 of our 300 infosec interview questions. But while working on this subject, I realized that I could talk more about the ISO 27000 series, with more details for 27001 and 27002.

Also known as the ISMS Family of Standards, or ISO 27K for short, it is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); hence the joint name ISO/IEC 27000 Series. The ISO 27000 series of standard numbers has been specifically reserved by ISO for information security matters.

The series provides best-practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to the management systems for quality assurance (ISO 9000 series) and environmental protection (ISO 14000 series).

The series is populated by a range of individual standards and documents. A number of these have already been published; others are scheduled for publication.

The following already-published standards reflect the current known position of the major operational standards in the series.

  • ISO 27001: This is the specification for an information security management system (ISMS), which replaced the old BS7799-2 standard. The objective of the standard itself is to “provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)”. Regarding its adoption, this should be a strategic decision. Further, “The design and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization”.

    The 2005 version of the standard heavily employed the PDCA (Plan-Do-Check-Act) model to structure the processes, and reflected the principles set out in the OECD guidelines (see oecd.org). However, the latest, 2013 version places more emphasis on measuring and evaluating how well an organisation’s ISMS is performing. A section on outsourcing was also added with this release, and additional attention was paid to the organisational context of information security.

    The content sections of the standard are:

    • Context Of The Organization
    • Information Security Leadership
    • Planning An ISMS
    • Support
    • Operation
    • Performance Evaluation
    • Improvement
    • Annex A – List of controls and their objectives

  • ISO 27002: This is the 27000 series standard number of what was originally the ISO 17799 standard, itself formerly known as BS7799-1. The standard “established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization”. The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of “organizational security standards and effective security management practices and to help build confidence in inter-organizational activities”.

    The basis of the standard was originally a document published by the UK government, which became a standard ‘proper’ in 1995, when it was re-published by BSI as BS7799. In 2000 it was again re-published, this time by ISO, as ISO 17799. A new version of this appeared in 2005, along with a new publication, ISO 27001. These two documents are intended to be used together, with one complementing the other.

    In 2013 the current version was published. ISO 27002:2013 contains 114 controls, as opposed to the 133 documented within the 2005 version. However, for additional granularity, these are presented in fourteen sections, rather than the original eleven.

    Finally, it should be noted that over the years a number of industry-specific versions of ISO 27002 have been developed, or are under development (for example for the health sector, manufacturing, and so on).

    The content sections are:

    • Structure
    • Security Policy
    • Organization of Information Security
    • Human Resources Security
    • Asset Management
    • Access Control
    • Cryptography
    • Physical And Environmental Security
    • Operations security
    • Communications Security
    • Information Systems Acquisition, Development, Maintenance
    • Supplier Relationships
    • Information Security Incident management
    • Information Security Aspects of Business Continuity
    • Compliance

  • ISO 27003: This will be the official number of a new standard intended to offer guidance for the implementation of an ISMS (Information Security Management System).
  • ISO 27004: This standard covers information security management measurement and metrics, including suggested ISO 27002-aligned controls.
  • ISO 27005: This is the methodology-independent ISO standard for information security risk management.
  • ISO 27006: This standard provides guidelines for the accreditation of organizations offering ISMS certification.

Other published standards in the series:

  • ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on the management system)
  • ISO/IEC TR 27008 — Guidance for auditors on ISMS controls (focused on the information security controls)
  • ISO/IEC 27010 — Information security management for inter-sector and inter-organizational communications
  • ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
  • ISO/IEC 27013 — Guideline on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
  • ISO/IEC 27014 — Information security governance.  Mahncke assessed this standard in the context of Australian e-health.
  • ISO/IEC TR 27015 — Information security management guidelines for financial services
  • ISO/IEC 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • ISO/IEC 27031 — Guidelines for information and communication technology readiness for business continuity
  • ISO/IEC 27032 — Guideline for cybersecurity
  • ISO/IEC 27033-1 — Network security – Part 1: Overview and concepts
  • ISO/IEC 27033-2 — Network security – Part 2: Guidelines for the design and implementation of network security
  • ISO/IEC 27033-3 — Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues
  • ISO/IEC 27033-5 — Network security – Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
  • ISO/IEC 27034-1 — Application security – Part 1: Guideline for application security
  • ISO/IEC 27035 — Information security incident management
  • ISO/IEC 27036-3 — Information security for supplier relationships – Part 3: Guidelines for information and communication technology supply chain security
  • ISO/IEC 27037 — Guidelines for identification, collection, acquisition and preservation of digital evidence
  • ISO 27799 — Information security management in health using ISO/IEC 27002. The purpose of ISO 27799 is to provide guidance to health organizations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002.

Scheduled for publication:

  • ISO/IEC 27017 — Information security management for cloud systems
  • ISO/IEC 27019 — Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
  • ISO/IEC 27033 — IT network security, a multi-part standard based on ISO/IEC 18028:2006 (parts 1-3 are published already)
  • ISO/IEC 27036 — Guidelines for security in supplier relationships
  • ISO/IEC 27038 — Specification for redaction of digital documents
  • ISO/IEC 27039 — Intrusion detection and protection systems
  • ISO/IEC 27040 — Guideline on storage security
  • ISO/IEC 27041 — Assurance for digital evidence investigation methods
  • ISO/IEC 27042 — Analysis and interpretation of digital evidence
  • ISO/IEC 27043 — Digital evidence investigation principles and processes

src: http://www.27000.org

Question 93 : What’s the difference between stored and reflected XSS?

I have a question ...

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. For more details on the different types of XSS flaws, see: Types of Cross-Site Scripting.

XSS attacks can generally be categorized into two categories: stored and reflected. There is a third, much less well known type of XSS attack called DOM Based XSS that is discussed separately here.

Stored XSS Attacks

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.

Reflected XSS Attacks

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web site. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a “trusted” server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS.

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on “normal” pages returned to other users in the course of regular browsing, without proper HTML escaping.

The non-persistent (or reflected) cross-site scripting vulnerability is by far the most common type.[10] These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request.
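The distinction above comes down to where the unencoded input is copied into the page: straight from the request (reflected) or from a store every visitor reads (stored). The following is an added example, not code from OWASP or from this post's sources; it uses a hypothetical in-memory comment list and a constructed sample input to show the vulnerable rendering beside the hardened one, where output is HTML-encoded with `html.escape` at the moment it enters the page:

```python
import html
from typing import Dict, List

# Constructed sample input: the kind of value the text describes being
# reflected (a search term) or stored (a comment) without encoding.
SAMPLE_INPUT = '<script>alert("xss")</script>'


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: the request parameter is copied into the response unencoded."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Hardened: HTML-encode the parameter before it enters element content."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


# Hypothetical in-memory store standing in for the comment table of a forum.
_COMMENTS: List[Dict[str, str]] = []


def store_comment(author: str, body: str) -> None:
    """Storing raw input is not the flaw; the flaw is rendering it unencoded later."""
    _COMMENTS.append({"author": author, "body": body})


def render_comments_vulnerable() -> str:
    """Stored XSS: every later visitor receives the stored markup unencoded."""
    return "".join(f"<div>{c['author']}: {c['body']}</div>" for c in _COMMENTS)


def render_comments_safe() -> str:
    """Hardened: encode at output time, for every field that came from a user."""
    return "".join(
        f"<div>{html.escape(c['author'])}: {html.escape(c['body'])}</div>"
        for c in _COMMENTS
    )


def contains_script_tag(page: str) -> bool:
    """Crude check used here only to show whether a live <script> element survived."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(SAMPLE_INPUT))   # script tag survives
    print(render_search_safe(SAMPLE_INPUT))         # rendered as &lt;script&gt;...
    store_comment("visitor", SAMPLE_INPUT)
    print(render_comments_vulnerable())
    print(render_comments_safe())
```

The same encoding call fixes both variants because the defect is the same in both: user data reaching HTML output without being encoded for the context it lands in. Encoding for element content, as here, is not sufficient for data placed inside attributes, URLs or inline scripts, which each need their own context-specific encoding.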

Question 37 : What is DNS hijacking and how does it work?


DNS hijacking is a process in which an individual redirects queries to a domain name server (DNS). It may be accomplished through the use of malicious software or unauthorized modification of a server. Once the individual has control of the DNS, they can direct others who access it to a web page that looks the same, but contains extra content such as advertisements. They may also direct users to pages containing malware or a third-party search engine.

ISP hijacking

DNS hijacking is also done by some Internet service providers, such as Comcast, so that they can send users to their own search pages when they visit a web page that no longer exists. Many claim this is to improve the users’ experience; however, it can also be another great source of extra revenue, since the ISP controls the site and gets paid for any advertisement clicks. Currently, there are no laws against an ISP doing this to its users.

How does DNS hijacking work?

As mentioned before, DNS is responsible for mapping user-friendly domain names to their corresponding IP addresses. DNS servers are owned and maintained by your Internet service provider (ISP) and by many other private business organizations. By default, your computer is configured to use the DNS server of your ISP. In some cases, your computer may instead be using the DNS service of another reputable organization such as Google. In these cases you are said to be safe, and everything seems to work normally.

DNS Hijacking

But imagine a situation where a hacker or a malware program gains unauthorized access to your computer and changes the DNS settings, so that your computer now uses one of the rogue DNS servers owned and maintained by the hacker. When this happens, the rogue DNS server may translate the domain names of desirable websites (such as banks, search engines, social networking sites, etc.) to the IP addresses of malicious websites. As a result, when you type the URL of a website in the address bar, you may be taken to a fake website instead of the one you intended. Sometimes, this can put you in deep trouble!
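Since the hijack described above works by changing the resolver addresses a machine uses, the simplest check a defender can run is to compare the configured nameservers against the ones that are expected. The following is an added example, not code from the post's sources: it parses `resolv.conf`-style text (a constructed sample is embedded; the addresses are documentation ranges plus Google's public resolver, and the allowlist is an assumed value an organisation would maintain itself) and flags any nameserver not on the allowlist.

```python
import ipaddress
from typing import List, Set

# Constructed sample of /etc/resolv.conf on a machine whose DNS settings were
# altered: 192.0.2.53 stands in for the ISP/corporate resolver, 8.8.8.8 is
# Google's public resolver, and 203.0.113.7 (a documentation address) plays
# the unexpected entry. Not captured from a real system.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 192.0.2.53
nameserver 8.8.8.8   # kept as a fallback
nameserver 203.0.113.7
options timeout:2
"""

# Assumed allowlist: the resolvers this organisation expects to see configured.
EXPECTED_RESOLVERS: Set[str] = {"192.0.2.53", "8.8.8.8", "8.8.4.4"}


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers: List[str] = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                # Normalise through ipaddress so "8.8.8.8" and "08.8.8.8"-style
                # oddities cannot slip past a string comparison.
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue                         # malformed entry: skip, don't crash
    return servers


def unexpected_resolvers(resolv_conf: str, expected: Set[str]) -> List[str]:
    """Nameservers present in the configuration but absent from the allowlist."""
    return [s for s in parse_nameservers(resolv_conf) if s not in expected]


def resolver_config_ok(resolv_conf: str, expected: Set[str]) -> bool:
    """True only if at least one resolver is configured and all are expected."""
    servers = parse_nameservers(resolv_conf)
    return bool(servers) and not unexpected_resolvers(resolv_conf, expected)


if __name__ == "__main__":
    # On a real host you would read the file: open("/etc/resolv.conf").read()
    print("configured:", parse_nameservers(SAMPLE_RESOLV_CONF))
    print("unexpected:", unexpected_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS))
```

The check only covers the host's own resolver setting; a hijack at the router or at the ISP leaves this file untouched, which is why the result should be read alongside what the DHCP server and the upstream resolver actually answer.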

Src: gohacking, Computer Hope 

Question 132 : What’s the difference between Diffie-Hellman and RSA?

RSA encryption is an asymmetric cryptography algorithm, widely used in electronic commerce and more generally to exchange confidential data on the Internet. Ron Rivest, Adi Shamir and Leonard Adleman developed RSA, and it is named from the first letters of their last names (RSA). The algorithm was described in 1977 and was patented by the Massachusetts Institute of Technology (MIT) in 1983 in the United States. The patent expired on 21 September 2000. This description also answers the fifth question of our list of “300 InfoSec Questions”: Question 5, What does RSA stand for?

I do not know about you, but I thought in my head: are they still alive? when I saw Adi Shamir, Ronald Rivest and Whitfield Diffie in the Cryptographers’ Panel at the RSA Conference 2015. Not that I wish they were no longer of this world; it’s just that when you have learned about inventions and their scope from books, subconsciously you think the inventors are certainly no longer alive. I do not know why, but that is the impression we have. So I wish long life to these gents!

Going back to our definition: RSA is a cryptosystem for public-key encryption, and it is widely used on the Internet and elsewhere due to its strong security. Asymmetric encryption methods use RSA; for example, e-mail applications often use RSA to privately share a symmetric key between two systems. The application uses the recipient’s public key to encrypt a symmetric key, and the recipient’s private key decrypts it.

Diffie-Hellman (Whitfield Diffie and Martin Hellman) key exchange is based on the premise that two correspondents, Alice and Bob, wish to communicate a secret number, but must do so on an insecure channel. An unauthorized user, Eve, is trying to intercept the message over the unsafe channel. If Eve obtains the message containing the key, all integrity and confidentiality is lost. This issue is resolved by masking the key using modular arithmetic. Diffie-Hellman is used to generate a shared secret in public for later symmetric (“private-key”) encryption.

Remember this:

RSA is an asymmetric algorithm used to encrypt data and digitally sign transmissions. RSA is widely used to protect Internet traffic, including e-mail. RSA relies on the mathematical properties of prime numbers when creating public and private keys. These keys are commonly used with asymmetric encryption to privately share a symmetric key. Diffie-Hellman addresses key management and provides another method to privately share a symmetric key between two parties.

Dig Deeper  

(Those who know the Insanity Workout with Shaun T. know what “Dig deeper” means… so instead of digging deep into our body’s resources, we have to dig deep into our brain!!! 😉 )

RSA uses the mathematical properties of prime numbers to generate secure public and private keys. Specifically, RSA relies on the fact that the product of two large prime numbers can’t be easily factored. The strength of RSA depends on the difficulty of prime number factorization. For applications with high-level security, the number of bits in the decryption key should be greater than 512. The math is complex and intriguing to mathematicians, but you don’t have to understand the math to understand that RSA is secure.

For example, researchers published a paper in 2010 identifying how long it took to factor a 232-digit number (768 bits). They wrote that it took them about two and a half years using hundreds of systems. They estimated that if a single 2.2 GHz computer was used, it would take fifteen hundred years to complete. RSA is used on the Internet as one of the protections for credit card transactions. It’s safe to say that today’s credit card information won’t be of much value in fifteen hundred years.

RSA uses at least 1024-bit keys today. RSA Security (a company that frequently tests the security of RSA) recommends using key sizes of at least 2048 bits long, and 3072-bit keys are on the horizon.

RSA is used to come up with a public/private key pair for asymmetric (“public-key”) encryption:

RSA:

  • Used to perform “true” public-key cryptography
  • Key identity: (m^e)^d = m   (mod n)   (lets you recover the encrypted message)
  • Where:
    • n = prime1 × prime2    (n is publicly used for encryption)
    • φ = (prime1 – 1) × (prime2 – 1)   (Euler’s totient function)
    • e is such that 1 < e < φ, and (e, φ) are coprime    (e is publicly used for encryption)
    • d × e = 1   (mod φ)    (the modular inverse d is privately used for decryption)
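The identity above can be checked end to end with small numbers. The following is an added example, not code from the post or its sources; it uses the text's symbols (prime1, prime2, n, φ as `phi`, e, d) with textbook RSA on bare integers, i.e. no padding, which is enough to show the key identity but is not how RSA is used in a real protocol. The primes 61 and 53 are chosen only because the arithmetic is small enough to follow by hand.

```python
from math import gcd


def rsa_keygen(prime1: int, prime2: int, e: int = 17):
    """Derive the key pair from the text's symbols: n, phi (φ), e and d."""
    n = prime1 * prime2                      # public modulus
    phi = (prime1 - 1) * (prime2 - 1)        # Euler's totient of n
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) == 1")
    d = pow(e, -1, phi)                      # modular inverse: d * e = 1 (mod phi)
    return (n, e), (n, d)                    # (public key, private key)


def rsa_encrypt(m: int, public_key) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)                      # c = m^e mod n


def rsa_decrypt(c: int, private_key) -> int:
    n, d = private_key
    return pow(c, d, n)                      # m = c^d mod n, since (m^e)^d = m (mod n)


def rsa_sign(m: int, private_key) -> int:
    """Signing uses the same identity the other way round: s = m^d mod n."""
    n, d = private_key
    return pow(m, d, n)


def rsa_verify(m: int, s: int, public_key) -> bool:
    n, e = public_key
    return pow(s, e, n) == m                 # (m^d)^e = m (mod n)


def rsa_demo() -> dict:
    """Toy run with prime1 = 61, prime2 = 53 (n = 3233, phi = 3120, e = 17)."""
    public_key, private_key = rsa_keygen(61, 53)
    m = 65                                   # constructed sample message
    c = rsa_encrypt(m, public_key)
    return {
        "n": public_key[0],
        "d": private_key[1],
        "ciphertext": c,
        "recovered": rsa_decrypt(c, private_key),
        "signature_ok": rsa_verify(m, rsa_sign(m, private_key), public_key),
    }


if __name__ == "__main__":
    print(rsa_demo())
```

The only secret in the private key is d, and d is cheap to compute from φ; so the whole scheme rests on φ being unobtainable without factoring n, which is exactly the "product of two large primes can't be easily factored" claim in the text. With 61 and 53 anyone can factor n by hand, which is why real keys use primes of a thousand bits or more.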

Diffie-Hellman is a key exchange algorithm used to privately share a symmetric key between two parties. Once the two parties know the symmetric key, they use symmetric encryption to encrypt the data.

The Diffie–Hellman key exchange is based on the premise that two correspondents, Alice and Bob, wish to communicate a secret number, but must do so on an insecure channel. An unauthorized user, Eve, is trying to intercept the message over the unsafe channel. If Eve obtains the message containing the key, all integrity and confidentiality is lost. This issue is resolved by masking the key using modular arithmetic. Alice and Bob achieve secrecy by agreeing on a large prime number, p, and a base number, n. Alice will choose a personal, private value, a, which remains unknown to Bob. Bob will generate a secret value only known to himself, b. It is important that a and b are less than p. Alice and Bob’s respective secret keys should be relatively prime to n, meaning that neither shares common factors with n. Alice’s public value is n^a mod p and Bob’s is n^b mod p. The two correspondents exchange their public values, so that both parties now know both. Alice will compute n^(ab) = (n^b)^a mod p. Bob will compute n^(ba) = (n^a)^b mod p. Once both computations are done, each party will have the same number. Alice and Bob are now able to privately communicate on the insecure network.

Diffie-Hellman is used to generate a shared secret in public for later symmetric (“private-key”) encryption:

Diffie-Hellman:

  • Creates a shared secret between two (or more) parties, for subsequent symmetric encryption
  • Key identity: (gen^s1)^s2 = (gen^s2)^s1 = shared secret   (mod prime)
  • Where:
    • gen is an integer whose powers generate all integers in [1, prime)   (mod prime)
    • s1 and s2 are the individuals’ “secrets”, only used to generate the symmetric key
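The exchange described in the two passages above, written out with the symbols of this list (prime, gen, s1 for Alice, s2 for Bob), as an added example that is not code from the post or its sources. The parameters prime = 23 and gen = 5 are toy values chosen so every step can be verified by hand; the final function shows why they are toy values, by recovering a secret from its public value with a trial search that is only feasible because the prime is tiny.

```python
def is_generator(gen: int, prime: int) -> bool:
    """True if the powers of gen produce every integer in [1, prime) mod prime."""
    return len({pow(gen, k, prime) for k in range(1, prime)}) == prime - 1


def dh_public(gen: int, secret: int, prime: int) -> int:
    """Value sent over the insecure channel: gen^secret mod prime."""
    return pow(gen, secret, prime)


def dh_shared(peer_public: int, secret: int, prime: int) -> int:
    """Shared secret: (peer's public value)^(own secret) mod prime."""
    return pow(peer_public, secret, prime)


def diffie_hellman(prime: int = 23, gen: int = 5, s1: int = 6, s2: int = 15) -> dict:
    """Run the full exchange; return what each side computed and what Eve observed."""
    if not is_generator(gen, prime):
        raise ValueError("gen must generate the whole group mod prime")
    if not (0 < s1 < prime and 0 < s2 < prime):
        raise ValueError("secrets must be positive and less than prime")
    public_alice = dh_public(gen, s1, prime)            # Alice sends gen^s1
    public_bob = dh_public(gen, s2, prime)              # Bob sends gen^s2
    shared_alice = dh_shared(public_bob, s1, prime)     # (gen^s2)^s1
    shared_bob = dh_shared(public_alice, s2, prime)     # (gen^s1)^s2
    return {
        # Everything that crossed the channel; s1 and s2 never did.
        "eve_sees": (prime, gen, public_alice, public_bob),
        "shared_alice": shared_alice,
        "shared_bob": shared_bob,
    }


def discrete_log_bruteforce(gen: int, public: int, prime: int) -> int:
    """Recover the exponent by trying every candidate.

    This is the discrete logarithm problem; the loop finishes instantly for a
    5-bit prime and is infeasible for the 2048-bit primes used in practice,
    which is the whole security argument for Diffie-Hellman."""
    for k in range(1, prime):
        if pow(gen, k, prime) == public:
            return k
    raise ValueError("no exponent found")


if __name__ == "__main__":
    run = diffie_hellman()
    print(run)
    print("s1 recovered from toy parameters:",
          discrete_log_bruteforce(5, run["eve_sees"][2], 23))
```

Both sides arrive at the same number without either secret ever leaving its owner, which is the text's "masking the key using modular arithmetic". Note that the exchange gives Alice no assurance of who she is talking to; that is the separate concern Question 162 below points at.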

Remember this:

RSA is used to come up with a public/private key pair for asymmetric (“public-key”) encryption. Diffie-Hellman is used to generate a shared secret in public for later symmetric (“private-key”) encryption.

Src: Security+ Study Guide -Darril Gibson ;  Information Security Fundamentals – Peltier, Thomas R.

Question 71. What’s the difference between a threat, vulnerability, and a risk?

There’s a direct relationship between threats, vulnerabilities, and risks within the context of security. You can’t fully understand one without understanding the others.

1-Threat is a potential danger. It’s any circumstance or event that can compromise the confidentiality, integrity, or availability of data or a system.

Example of Threat

  • Malicious Insider Threat: a malicious insider is anyone who has legitimate access to an organization’s internal resources but exploits this access for personal gain or to damage the company. This person’s actions can compromise confidentiality, integrity, and availability. Because of this, most organizations implement basic controls to prevent potential problems. For example, the principle of least privilege ensures that employees have only the rights and permissions needed to perform their assigned tasks and functions, but no more. Other policies such as job rotation, separation of duties, and mandatory vacations, combined, help prevent damage from malicious insiders.

Some organizations implement

  • Threat Modelling: It’s a process that helps an organization identify and categorize threats. It attempts to predict the threats against a system or application, along with the likelihood and potential impact of those threats. Once the organization identifies and prioritizes threats, it identifies security controls to protect against the most serious ones. Organizations have limited resources, so it’s not possible to protect against all threats. However, threat modeling improves the security posture of any system or application by ensuring that resources aren’t squandered on low-priority threats.

2-Vulnerability  is a flaw or weakness in software or hardware, or a weakness in a process that could be exploited, resulting in a security breach. Just because a vulnerability exists doesn’t mean it will be exploited, only that it can be exploited.

Examples of vulnerabilities include:

  • Lack of updates. If systems aren’t kept up to date with patches, hotfixes, and service packs, they are vulnerable to bugs and flaws in the software.
  • Default configurations. If defaults aren’t changed in hardware and software configurations, they are susceptible to attacks. Similarly, default usernames and passwords are susceptible to attacks if they aren’t changed.
  • Lack of malware protection or updated definitions. If antivirus and anti-spyware protection isn’t used and kept up to date, systems are vulnerable to malware attacks.
  • No firewall. If personal and network firewalls aren’t enabled or configured properly, systems are more vulnerable to network and Internet-based attacks.
  • Lack of organizational policies. If job separation, mandatory vacations, and job rotation policies aren’t implemented, an organization may be more susceptible to fraud and collusion from employees.

Not all vulnerabilities are exploited. For example, a user may install a wireless router using the defaults. It is highly vulnerable to an attack, but that doesn’t mean that an attacker will discover it and attack. In other words, just because the wireless router has never been attacked, it doesn’t mean that it isn’t vulnerable.

3-Risk  is the likelihood that a threat will exploit a vulnerability. The result is a negative impact on the organization. Impact refers to the magnitude of harm that can be caused if a threat exercises a vulnerability.

For example, a system without up-to-date antivirus software is vulnerable to malware. Malware written by malicious attackers is the threat. The likelihood that the malware will reach a vulnerable system represents the risk. Depending on what the malware does, the impact may be an unbootable computer, loss of data, or a remote-controlled computer that has joined a botnet.

However, the likelihood of a risk occurring isn’t 100 percent. An isolated system without Internet access, network connectivity, or USB ports has a low likelihood of malware infection. The likelihood will significantly increase for an Internet-connected system, and it will increase even more if a user visits risky websites and downloads and installs unverified files.

An organization can avoid a risk by not providing a service or not participating in a risky activity. Insurance transfers the risk to another entity. You can mitigate risk by implementing controls. When the cost of the controls exceeds the cost of the risk, many organizations accept the risk.

Remember this : A Risk is the likelihood that a threat will exploit a vulnerability. A vulnerability is a weakness, not all vulnerabilities are exploited, and a threat is a potential danger. It’s not possible to eliminate risk, but you can take steps to manage it. 

src: Security+ Study Guide,Darril Gibson.

Question 253 : What’s the difference between encoding, encryption, and hashing?

1-Encoding is the process of converting data into a format required for a number of information processing needs, including:

  • Program compiling and execution
  • Data transmission, storage and compression/decompression
  • Application data processing, such as file conversion

In computer technology, encoding is the process of applying a specific code, such as letters, symbols and numbers, to data for conversion into an equivalent cipher.

For example, encoding is used to reduce the size of audio and video files. Each audio and video file format has a corresponding coder-decoder (codec) program that is used to code it into the appropriate format and then decode it for playback.

2-Encryption provides confidentiality and prevents unauthorized disclosure of data. Encrypted data is in a cipher text format that is unreadable. Attackers can’t read encrypted traffic sent over a network, or encrypted data stored on a system. In contrast, if data is sent in clear text, an attacker can capture and read the data using a protocol analyzer.

The two primary encryption methods are symmetric and asymmetric. Symmetric encryption (e.g. DES, 3DES, AES) encrypts and decrypts data with the same key. Asymmetric encryption (e.g. RSA) encrypts and decrypts data using a matched key pair of a public key and a private key.

These encryption methods include two elements:

  • Algorithm. The algorithm performs mathematical calculations on data. The algorithm is always the same.
  • Key. The key is a number that provides variability for the encryption. It is either kept private and/or changed frequently.

3-Hashing is an algorithm performed on data such as a file or message to produce a number called a hash (sometimes called a checksum). The hash is used to verify that data is not modified, tampered with, or corrupted. In other words, you can verify the data has maintained integrity.

A key point about a hash is that no matter how many times you execute the hashing algorithm against the data, the hash will always be the same as long as the data is the same.

Hashes are created at least twice so that they can be compared. For example, you can create a hash on a message at the source before sending it, and then again at the destination. If the hashes are the same, you know that the message has not lost integrity. Message Digest 5 (MD5) and the Secure Hash Algorithm (SHA) family are popular hashing algorithms.
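The three operations differ in what you need to reverse them: nothing (encoding), the key (encryption), or no way back at all (hashing), which is why only a hash is useful for the source/destination comparison just described. The following is an added example, not code from the Security+ guide or this post; it uses Python's standard library only, so the encryption step is a one-time pad (XOR with a random key as long as the message) standing in for the AES/DES ciphers named in the text, which would need a third-party library. The message is a constructed sample.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample message used by every function below.
MESSAGE = b"transfer 100 to account 42"


def encode_b64(data: bytes) -> str:
    """Encoding: a format change anyone can reverse; no key, no secrecy."""
    return base64.b64encode(data).decode("ascii")


def decode_b64(text: str) -> bytes:
    return base64.b64decode(text)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Symmetric encryption (one-time pad): algorithm fixed, variability from the key.

    Chosen for this example because it needs no third-party library; a real
    system would use AES. The key must be random, at least as long as the
    message, and never reused."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt   # symmetric: the same key and the same operation decrypt


def sha256_hex(data: bytes) -> str:
    """Hashing: fixed-size digest; identical data always yields the identical hash."""
    return hashlib.sha256(data).hexdigest()


def integrity_check(hash_at_source: str, received: bytes) -> bool:
    """Recompute the hash at the destination and compare, as the text describes."""
    return hmac.compare_digest(hash_at_source, sha256_hex(received))


def demo() -> dict:
    key = os.urandom(len(MESSAGE))               # fresh random key for this message
    ciphertext = otp_encrypt(MESSAGE, key)
    digest = sha256_hex(MESSAGE)                  # computed at the source
    return {
        "encoded": encode_b64(MESSAGE),
        "decoded_without_key": decode_b64(encode_b64(MESSAGE)) == MESSAGE,
        "decrypted": otp_decrypt(ciphertext, key),
        "hash_is_deterministic": sha256_hex(MESSAGE) == digest,
        "unmodified_passes": integrity_check(digest, MESSAGE),
        "tamper_detected": not integrity_check(digest, MESSAGE + b"0"),
    }


if __name__ == "__main__":
    print(demo())
```

One practical caveat the comparison hides: a plain hash only proves the data matches whatever the hash was computed over. If an attacker can replace both the message and its hash in transit, the destination check still passes, so the hash itself has to travel by a trusted path or be protected by a key (an HMAC or a signature).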

Remember this: Encoding involves the use of a code to change original data into a form that can be used by an external process, so it should not be confused with encryption, which hides content. Hashing is an algorithm used to verify data integrity.

src: Security+ Study Guide,Darril Gibson.

300 InfoSec Interview Questions

It’s amazing how one can be under pressure during an interview.

I recently had an interview for an infosec position. Although those in front of me were very friendly, I stammered when asked to describe the steps involved in Incident Response.

In fact, when they finished asking the question, I thought it was easy for me to answer, but as soon as I started to answer, it was like fog in my head. I was so surprised not to be able to answer the question clearly. Which was normal, because on my resume Incident Response appears as a key competence 😦.

So to save face, I started to explain the procedure informally, instead of clearly listing the steps as requested. What I said was not wrong, but I would have preferred a better answer.

The most frustrating part is when you walk out the door of the company after the interview; that’s when the answers suddenly come to you. Certainly because of the fresh air of the lake right in front 😉 😀

This experience made me think about the file 300 InfoSec Interview Questions, certainly known by some infosec professionals. I downloaded it a few months ago on piratebay. I amuse myself by giving some answers; some questions are basic and others more subtle.

Let’s Go !!!


Question 71. What’s the difference between a threat, vulnerability, and a risk?

Question 101. Cryptographically speaking, what is the main method of building a shared secret over a public medium?

Question 132. What’s the difference between Diffie-Hellman and RSA?

Question 162. What kind of attack is a standard Diffie-Hellman exchange vulnerable to?

Question 164. Take me through the process of pen testing a system.