Opsec Mistakes

16 cards — 🟢 4 easy | 🟡 7 medium | 🔴 5 hard

🟢 Easy (4)

1. Why is deleting a file containing a secret in the next git commit insufficient?

Answer: Git stores full history. The secret remains accessible via git log -p or by checking out older commits. The secret must be rotated immediately, and history rewritten with git filter-repo if needed.

2. Why are shared credentials an operational security problem?

Answer: Shared credentials eliminate individual accountability (who made the change?), cannot be revoked for one person without rotating for everyone, and get weaker as they spread. Compliance frameworks require individual identities.

3. What is the risk of leaving default configurations in production?

Answer: Default passwords (e.g., admin/admin), services bound to 0.0.0.0, and unauthenticated data stores are the first things attackers check. Defaults are publicly documented and trivially exploitable.

4. What tools can prevent secrets from being committed to a git repository?

Answer: Pre-commit hooks using tools like git-secrets, detect-secrets, or truffleHog scan staged changes for high-entropy strings, known key patterns (AWS keys, private keys), and custom regex rules. Install as a pre-commit hook so every commit is checked before it reaches the repo.

🟡 Medium (7)

1. What is the Principle of Least Privilege, and what is a common violation?

Answer: Grant only the minimum permissions needed for the task, for the shortest duration. A common violation is IAM policies with Action: * and Resource: * or Kubernetes ClusterRoleBindings granting cluster-admin to developer groups.

2. Why are unpatched systems the number one entry point for attackers?

Answer: Known CVEs have public exploits within days of disclosure. Unpatched systems present known vulnerabilities with tested attack paths. A patching SLA (critical within 48h, high within 1 week) is essential.

3. What is wrong with running containers as root, and how do you fix it?

Answer: Root inside a container maps to root on the host in many configurations, enabling container escape. Fix by adding a USER directive in the Dockerfile to run as a non-root user (e.g., USER appuser).

4. What is the security risk of a security group rule allowing inbound traffic from 0.0.0.0/0 on all ports?

Answer: It exposes every port on the instance to the entire internet, allowing any attacker to probe and exploit any running service. Rules should restrict to specific ports and source CIDR blocks.

5. What is a software supply chain attack, and how do you defend against it?

Answer: An attacker compromises a dependency (library, container base image, CI plugin) to inject malicious code into your build. Defend with: dependency scanning (Dependabot, Snyk, Trivy), pinning versions with checksums, reviewing dependency updates, using signed images, and auditing CI pipeline plugins.

6. Why are environment variables a poor choice for storing secrets in production?

Answer: Environment variables are visible via /proc/<pid>/environ, docker inspect, ps eww, and crash dumps. They leak into child processes, logging, and debug output. Use a secrets manager (Vault, AWS Secrets Manager, SOPS) that injects secrets at runtime via mounted files or direct API calls with short-lived tokens.

7. What are CIS Benchmarks, and how do you use them to harden systems?

Answer: CIS Benchmarks are prescriptive security configuration guides for OSes, cloud providers, databases, and containers. Use automated scanners (CIS-CAT, Lunar, kube-bench for Kubernetes) to audit systems against the benchmark, then remediate failures. Run scans on every new AMI/image build and periodically in production.

🔴 Hard (5)

1. What are the correct remediation steps when a secret is accidentally committed to git?

Answer: 1) Rotate the secret immediately (assume compromised). 2) Rewrite git history with git filter-repo (only after rotation). 3) Force-push the cleaned branch. 4) Invalidate cached copies in CI caches, container images, and artifacts.

2. What are the minimum security events you should monitor and alert on?

Answer: Authentication successes and failures, privilege escalation events, configuration changes on critical systems, network connection anomalies, and file integrity changes on sensitive paths (e.g., /etc/passwd, /etc/shadow).

3. What container security anti-patterns beyond running as root should you avoid?

Answer: Using the :latest tag (no reproducibility), running privileged containers, not scanning images for CVEs, mounting the Docker socket into containers (gives full host control), and storing secrets in environment variables visible via docker inspect.

4. What is a secret rotation SLA, and what are reasonable targets?

Answer: A secret rotation SLA defines the maximum time a credential can live before mandatory rotation. Reasonable targets: API keys and tokens — 90 days, database passwords — 90 days, service account keys — 180 days, emergency/break-glass credentials — after every use. Automate rotation or enforce via expiry policies.

5. How do you detect credential exfiltration from a compromised host?

Answer: Monitor for: unusual outbound DNS queries (data tunneling), unexpected API calls from the host's identity, access from new IP ranges or geolocations, credential use outside normal hours, and secrets accessed that the service does not normally use. Tools: CloudTrail anomaly detection, SIEM correlation rules, canary tokens (honeypot credentials that alert on use).