Security+

The flashcards below were created by user Whit1323 on FreezingBlue Flashcards.

  1. Cryptography
    Provides confidentiality by encrypting data
  2. Confidentiality
    Ensures that data is only viewable by authorized users.  If there is a risk of sensitive data falling into the wrong hands, it should be encrypted to make it unreadable.  Any data should be protected with access controls to enforce confidentiality.
  3. MAC (Message Authentication Code)
    Can be used instead of hash to verify integrity
  4. Integrity
    Integrity is used to verify data has not been modified.  Loss of integrity can occur through unauthorized or unintended changes.  Hashing algorithms such as MD5, HMAC, or SHA1 can calculate hashes to verify integrity.
  5. Hashing / Hash
    A hash is simply a number created by applying a hashing algorithm to a file or message; comparing hashes calculated at different times shows whether the data has changed.  Hashing algorithms such as MD5, HMAC, or SHA1 can calculate hashes to verify integrity.
  6. SPOF
    Single Points of Failure
  7. Availability
    Availability ensures that systems are up and operational when needed, and often addresses single points of failure (SPOF).  You can increase availability by adding fault tolerance and redundancies such as RAID, clustering, backups, and generators.  HVAC systems can also help.
  8. Non-repudiation
    Is used to prevent entities from denying they took an action.  Digitally signed emails prevent individuals from later denying they sent them.  An audit log provides non-repudiation because it records who performed an action, what the action was, where, and when.
  9. Defense in Depth
    Employs multiple layers of security to make it harder for attackers to exploit a system or network.  Security is never done!  Constantly monitor, update, add to, and improve.
  10. Implicit Deny
    Unless something is explicitly allowed, it is denied (e.g. Access Control Lists - ACLs - use this on routers/firewalls).
  11. Risk
    The likelihood that a threat will exploit a vulnerability.  Risk mitigation reduces the chances that a threat will exploit a vulnerability by implementing controls.
  12. Identification, Authentication
    Identification occurs when a user claims an identity.  Authentication occurs when the user proves the identity (e.g. password) and the credentials are verified.  Authorization is granted to resources based on a proven identity
  13. Identity Proofing
    is the process of verifying that people are who they claim to be.
  14. First factor of authentication: something you know
    The weakest factor (e.g. passwords).  Passwords should be strong, changed regularly, never shared, and stored in a safe place if written down.  Technical means should be used to ensure that users change their passwords regularly and don't reuse passwords.
  15. Strong password requirements, what is "key space"
    Use a mix of character types with a minimum length such as 8 or 10 characters.  The key space of a password is calculated as C^N where C indicates the # of possible characters and N is password length.
  16. Password history is combined with a minimum password age to prevent users from reusing old passwords
  17. Second factor of authentication: something you have
    e.g. smart card, key fob, proximity card.  Commonly combined with "something you know".  Smart cards have embedded certificates issued by a public key infrastructure (PKI).  Both smart cards and key fobs provide a significant level of secure authentication, especially when used with another factor of authentication (multifactor authentication).
  18. CACs, PIVs
    Common Access Cards and Personal Identity Verification cards are specialized smart cards that include photo identification.  They are used to gain access into secure locations, and can also be used to log onto computer systems.
  19. Third factor of authentication: "Something you are"
    e.g. biometrics.  Considered the strongest method of authentication since it is the most difficult for an attacker to falsify.  Physical biometrics (fingerprints) and behavioral biometrics (voice recognition) can be used to authenticate individuals.
  20. What is Kerberos?
    Kerberos is a network authentication protocol within a Microsoft Windows Active Directory domain or a UNIX realm.  It uses a database of objects such as Active Directory and a KDC (Key Distribution Center) to issue time-stamped tickets that expire after a certain period.  Kerberos requires internal time synchronization and uses port 88.
  21. What is LDAP?
    Lightweight Directory Access Protocol.  Specifies formats and methods to query directories.  It provides a single point of management for objects, such as users and computers, in an Active Directory domain.  A common usage of LDAP is to provide single sign-on.  Example: corporate e-mail directory.
  22. Single sign-on
    Enhances security by requiring users to use and remember only one set of credentials for authentication.  SSO can provide central authentication against a federated DB for different operating systems.
  23. Remote Access Authentication: MS-CHAPv2, TACACS+, RADIUS
    MS-CHAPv2 is used to authenticate Microsoft clients and includes mutual authentication.  TACACS+ is used by Cisco for authentication and can use Kerberos, allowing it to interact with a Microsoft environment.  TACACS+ uses TCP, encrypts the entire authentication process, and uses multiple challenges and responses.  RADIUS uses UDP and encrypts just the password.
  24. Define threat
    A threat is any circumstance or event that has the potential to compromise confidentiality, integrity, or availability.
  25. Define vulnerability
    A vulnerability is a weakness.  It can be in hardware, software, configuration, or users.
  26. Name a feature of self service password systems
    Automate password recovery
  27. How do tokens/key fobs work?
    They display numbers on a small LCD screen synchronized with a server.  These numbers provide rolling one-time passwords.
  28. Remote access authentication is used when a user accesses a private network from a remote location.  Give some info on PAP, CHAP, MS-CHAP, MS-CHAPv2, RADIUS, TACACS, XTACACS, and TACACS+
    PAP: Password authentication protocol, is rarely used because passwords are sent in clear text

    CHAP: Challenge Handshake Authentication Protocol, uses a challenge response authentication process

    MS-CHAP and MS-CHAPv2 are Microsoft's improvements over CHAP.  MS-CHAPv2 provides mutual authentication.

    RADIUS provides central authentication for multiple remote access services.  Uses UDP and only encrypts the password.  UDP is used instead of TCP when guaranteed delivery of each packet is not necessary.

    TACACS/XTACACS are two legacy protocols that are rarely used anymore.  TACACS is generic, defined by RFC 1492, and uses UDP port 49.  XTACACS is a Cisco systems proprietary improvement.

    TACACS+ uses TCP, encrypts the entire authentication process, and uses multiple challenges and responses.
  29. technical control
    A technical control is one that uses technology to reduce vulnerabilities.  The "principle of least privilege" is a technical control.
  30. Management controls
    Management controls are primarily administrative and include items such as risk and vulnerability assessments
  31. Operational controls
    Operational controls help ensure that day-to-day operations of an organization comply with their overall security plan.  Some examples include training, configuration management, and change management.
  32. Preventative controls
    Preventative controls attempt to prevent an incident from occurring. Examples include change management plans, security guards, account disablement policies, and user training.
  33. Detective controls
    Detective controls can detect when a vulnerability has been exploited.  Examples include security audits, such as a periodic review of user rights, and a CCTV (closed circuit TV) system that can record and provide proof of a person's actions, such as theft of resources.
  34. Corrective controls
    Corrective controls attempt to reverse the impact of an incident or problem after it has occurred. Examples include active intrusion detection systems, backups, and system recovery plans.
  35. Role based access control (RBAC) model
    Uses roles (often implemented as groups) to grant access by placing users into roles based on their assigned jobs, functions, or tasks.  Roles/groups simplify administration.  RBAC supports the use of user templates to enforce least privilege.
  36. Rule based access control (RBAC)
    Based on a set of approved instructions, such as access control list rules in a firewall.
  37. Discretionary Access Control (DAC)
    Every object has an owner.  The owner has explicit access and establishes access for any other user.  Microsoft's NTFS uses the DAC model, with every object having a Discretionary Access Control List (DACL).  The DACL identifies who has access and what access they are granted.  A major flaw of the DAC model is its susceptibility to Trojan horses.
  38. Mandatory access control (MAC)
    Uses security or sensitivity labels to identify objects (what you'll secure) and subjects (users).  The administrator establishes access based on predefined security labels that are typically defined with a lattice to specify the upper and lower security boundaries.  When the labels match, permission is granted.  SELinux uses this model.
  39. Three examples of physical security for doors
    Cipher locks, proximity cards, security guards.  In the event of a fire, they should allow personnel to exit the building without authentication.  Datacenters and server rooms should have only a single entrance and exit.  Security guards are a preventative physical security control.
  40. Proximity card
    Electronically unlocks a door and helps prevent unauthorized personnel from entering a secure area.  It is "something you have".  If users swap cards, it results in authorization verification without authentication.
  41. Tailgating (piggybacking)
    Occurs when one user follows closely behind another user without using credentials.  A mantrap can prevent tailgating.  Security guards should be especially vigilant to watch for tailgating in high traffic areas.
  42. The most basic form of physical security
    Locks on doors and cabinets, can prevent theft of unused resources.  Cable locks secure mobile computers.
  43. What is the principle of least privilege?
    A technical control that uses access controls.  It specifies that individuals or processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more.
  44. What is "group policy"?
    Group policy manages users and computers in a domain, and it is implemented on a domain controller within a domain.  Administrators use it to create password policies, lock down the GUI, configure host-based firewalls, and much more.
  45. Password policies provide a technical means to ensure users employ secure password practices, some examples?
    Minimum password length

    Password history - remembers past passwords so users don't reuse them

    Minimum password age - used with password history to prevent users from repeatedly changing their password back to the original

    Maximum password age - forces users to change their password periodically
  46. Account Disablement Policy
    Ensures that inactive accounts are disabled.  Accounts for employees that either resign or are terminated should be disabled.  Temporary accounts should be set to automatically disable.
  47. Time restrictions
    Prevents users from logging in or accessing network resources during specific hours
  48. Account logon events
    include when a user logs on locally, or accesses a resource such as a server over the network.
  49. Change management strategy
    Can prevent outages by ensuring that configuration changes aren't made ad hoc as needed, but are examined prior to making the change.  This is a preventative control.
  50. What are cipher locks?
    Locks on doors that control access with a keypad
  51. Name some encryption protocols
    • SSH - Secure Shell
    • FTPS - File Transfer Protocol Secure
    • SFTP - Secure File Transfer Protocol
    • SCP - Secure Copy
    • IPsec - Internet Protocol Security
    • SSL - Secure Sockets Layer
    • TLS - Transport Layer Security
  52. IPsec
    Used to secure IP communications by authenticating and encrypting each IP packet. Includes ESP (Encapsulating Security Payload) and AH (Authentication Header). ESP provides payload encryption, AH provides authentication and integrity. IPsec is built into IPv6, but can also work with IPv4.

    AH guarantees connectionless integrity and data origin authentication of IP packets. Further, it can optionally protect against replay attacks by using the sliding window technique and discarding old packets.

    ESP provides origin authenticity, integrity, and confidentiality.
  53. FTP - File Transfer Protocol
    Used to upload and download files.  It can be secured with SFTP (uses SSH on port 22) or FTPS (uses SSL).  FTP uses port 20 for data and port 21 for control.  FTP uses TCP, while TFTP (Trivial File Transfer Protocol) uses UDP on port 69.
  54. What is SNMP?
    Simple Network Management Protocol is used to monitor and configure network devices and uses notification messages known as traps.  Uses port 161.
  55. What port does Telnet use?  When encrypted?
    Port 23.  When encrypted with SSH, port 22.
  56. What port does HTTP use?
    80
  57. What port does HTTPS use?
    443
  58. What ports does NetBIOS use?
    137-139
  59. What is SMTP and what port?
    Simple Mail Transfer Protocol is used to send e-mail, uses port 25
  60. What port does SQL Server use?
    Port 1433
  61. What port does remote desktop services (terminal services) use?
    3389
  62. What is IPv6?
    Internet Protocol version 6 is the latest revision of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. Uses 128 bit addresses and is displayed as eight groups of four hexadecimal characters. IPsec is a mandatory component for IPv6.
  63. What is a port scanner?
    Scans systems for open ports and attempts to discover what services and protocols are running.  They typically take further steps to verify the port is open.
  64. What is ICMP and why is it sometimes blocked?
    Internet Control Message Protocol, it is commonly used in DoS (Denial of Service) attacks.  Commonly blocked at firewalls and routers.  If ping fails, but other connectivity to server succeeds, ICMP is blocked.
  65. What is SSH?
    Secure Shell, an encryption protocol.  Encrypts a wide variety of traffic and uses port 22 in each implementation.  It encrypts FTP traffic (as SFTP) using port 22, encrypts Telnet traffic on port 22, and is used with SCP to copy encrypted files over a network.
  66. Give info on HTTP and HTTPS
    Use ports 80 and 443, and transmit data over the internet in unencrypted and encrypted formats, respectively.
  67. What is Telnet used for?
    To connect to network devices, such as routers, to make configuration changes.  It uses port 23 and sends data in clear text.  You can encrypt Telnet traffic with SSH on port 22.
  68. What port does IPsec use for VPN connections?
    500
  69. What is the only part of the authentication process that RADIUS encrypts?
    password
  70. How do you identify the subnet of IP addresses?
    Convert the subnet mask and the IP addresses to binary.  Add leading zeros so each octet is 8 bits.  Look at the bit positions where the subnet mask has "1"s.  Take the IP address bits in those positions; if they are the same for different IPs, the IPs are on the same subnet.

    For instance, if the subnet mask is 255.255.255.192, the binary for 192 is "1100 0000", so only the first 2 bits of the last octet matter.  For this example, convert only the last octet of each IP to binary; if the first 2 bits are the same, the IPs are on the same subnet.
  71. Ports are commonly used to allow or block traffic on routers and firewalls.  By blocking a port at a network firewall, it blocks all traffic into the network using this port.  There are 1024 well known ports
  72. What is the FTP data port?
    20
  73. What is the FTP control port?
    21
  74. SFTP port (using SSH)
    22
  75. SSH, SCP port
    22
  76. Telnet port
    23
  77. SMTP port
    25
  78. TACACS/TACACS+ port
    49
  79. DNS port
    53
  80. TFTP port
    69
  81. HTTP port
    80
  82. Kerberos port
    88
  83. POP3 port
    110
  84. NetBIOS ports
    137-139
  85. IMAP4 port
    143
  86. SNMP port
    161
  87. HTTPS port
    443
  88. LDAP port
    389
  89. IPsec port (for VPN with IKE)
    500
  90. LDAP/TLS port
    636
  91. LDAP/SSL port
    636
  92. L2TP port
    1701
  93. PPTP port
    1723
  94. Terminal Services/Remote Desktop port
    3389
  95. What are switches used for?
    Used for network connectivity; they map MAC addresses to ports.
  96. What is "loop protection" used for?
    Protects against switching loop problems, such as when a user connects two switch ports together with a cable.  STP (Spanning Tree Protocol) and RSTP (Rapid STP) are commonly enabled on switches to protect against switching loops
  97. What are some common things to do to increase port security?
    Limiting the number of MAC addresses per port and disabling unused ports.  You can also manually map each port to a specific MAC address or group of addresses.
  98. What is a VLAN?
    A Virtual Local Area Network can logically separate computers or logically group computers regardless of physical location.
  99. host based vs network based firewall
    Host based protects a single system from intrusions, while a network based controls traffic going in and out of an entire network.
  100. How does a firewall or router control traffic?
    Controls traffic between networks using rules within an ACL (Access Control List).  The ACL can block traffic based on ports, IP addresses, subnets, and some protocols
  101. Implicit deny (for a firewall)
    All traffic not explicitly allowed is blocked.  This can be implemented with a "deny all" or "deny any any" rule at the end of the ACL.
  102. Purpose of a web security gateway (or all-in-one security appliance)
    Perform content filtering, including filtering for malicious attachments, malicious code, blocked URLs, and more.  These provide a unified security solution.
  103. Load balancer
    Optimize and distribute data loads across multiple computers
  104. DMZ
    A DMZ is a buffer zone between the internet and an internal network.  It allows access to services while segmenting access to the internal network.  In other words, Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the internal network
  105. NAT (Network Address Translation)
    Translates public IP addresses to private IP addresses, and private IP addresses back to public.  It also hides addresses on the internal network.
  106. Proxy server
    A proxy server forwards requests for services from a client.  It provides caching to improve performance and reduce Internet bandwidth usage.  Proxy servers can filter content based on URLs and can log sites visited by any users.
  107. TCP
    Transmission Control Protocol provides connection-oriented traffic with guaranteed delivery.  Core protocol in the IP suite.  Uses a 3-way handshake.  (A SYN Flood attack completes only 2 parts of the handshake, which leaves several half-open connections - a DoS attack.)
  108. UDP
    User Datagram Protocol provides connectionless sessions.  Used when less reliability is needed.  All TCP/IP traffic is either connection oriented TCP or connectionless UDP.
  109. IP
    the Internet Protocol identifies hosts in a TCP/IP network and delivers traffic from one host to another using IP addresses.
  110. ARP
    Address Resolution Protocol resolves IP addresses to media access control (MAC) addresses.  MACs are also called physical/hardware addresses.  TCP/IP uses the IP address to get a packet to a destination network, but once it arrives, it uses the MAC address to get it to the correct host.
  111. ICMP
    Internet Control Message Protocol is used for testing basic connectivity and includes tools such as ping, pathping, and tracert.  Many DoS attacks use ICMP, so it has become common to block ICMP at firewalls and routers.
  112. SSH
    Secure Shell can be used to encrypt a wide variety of traffic, such as Telnet, Secure Copy (SCP), and Secure File Transfer Protocol (SFTP).  Unix and Linux admins often use SSH to remotely administer these systems.
  113. SCP
    Secure Copy is based on SSH.  Users can use SCP to copy encrypted files over a network. Uses port 22.
  114. SSL
    Secure Sockets Layer protocol secures HTTP traffic as HTTPS.  Can also encrypt other types of traffic, such as LDAP.  Uses port 443 when encrypting HTTP and port 636 when encrypting LDAP/SSL (LDAPS).
  115. TLS
    Transport Layer Security protocol is the designated replacement for SSL.  You can use TLS instead of SSL in just about any application.  Encrypts HTTP on port 443 and LDAPS on port 636.
  116. IPsec
    Internet Protocol security is used to encrypt IP traffic.  It is native to IPv6 but also works with IPv4.  IPsec encapsulates and encrypts IP packet payloads and uses tunnel mode to protect virtual private network (VPN) traffic.  IPsec includes 2 components: Authentication header (AH) provides integrity and authentication, identified by protocol ID #51 and Encapsulating Security Payload (ESP) provides confidentiality, integrity, and authentication, identified by protocol ID #50.
  117. HTTP
    Hypertext Transfer Protocol is used for web traffic.  Web servers use HTTP to transmit web pages to client's web browsers.  Uses port 80.
  118. HTTPS
    HTTPS secures web traffic by transmitting it in an encrypted format.  HTTPS is encrypted with either SSL or TLS and uses port 443.
  119. FTP
    File Transfer Protocol uploads and downloads files to and from an FTP server.  By default it transmits in clear text, making it easy for an attacker to capture and read FTP data with a sniffer or protocol analyzer.  FTP active mode uses port 20 for data and 21 for control signals.  FTP passive mode uses port 21 for control signals, and a random port for data.  FTP uses TCP.
  120. SFTP
    Secure FTP uses SSH to transmit files in an encrypted format.  Uses port 22.
  121. FTPS
    FTP Secure is an extension of FTP and uses SSL/TLS to encrypt FTP traffic.  Uses ports 989 and 990.
  122. TFTP
    Trivial File Transfer Protocol uses UDP and is used to transfer smaller amounts of data, such as when communicating with network devices.  TFTP uses UDP port 69.
  123. Telnet
    Telnet is frequently used to connect to remote systems or network devices over a network.   Has a command line interface, and many administrators use Telnet to connect to routers and make configuration changes.  Clear text, but can encrypt with SSH.  Uses port 23, 22 when encrypted.
  124. SNMP
    Simple Network Management Protocol is used to monitor and manage network devices such as routers or switches.  This includes using SNMP to modify the configuration of the devices or have network devices report status back to a central network management system.  SNMP agents installed on devices send info to SNMP manager via notifications known as traps.  Uses port 161.
  125. DNS
    Domain Name System is a service that resolves host names to IP addresses on the Internet.  DNS servers host the DNS service and respond to DNS queries.  DNS uses port 53.
  126. NetBIOS
    Network Basic Input/Output System is a name resolution service for NetBIOS names on internal networks.  In contrast, DNS resolves host names on the Internet AND internal networks.  NetBIOS includes TCP and UDP communication and uses ports 137-139.
  127. LDAP
    Lightweight Directory Access Protocol is the language to communicate with directories such as Microsoft's Active Directory or Novell's Netware Directory Services (NDS).  LDAP provides a single location for object management and uses port 389.  Can be encrypted with TLS or SSL, which uses port 636.
  128. Kerberos
    authentication protocol used in Windows domains and some UNIX environments.  Uses port 88
  129. Microsoft SQL Server
    Hosts databases, uses port 1433
  130. Remote Admin / Terminal Services / Desktop Services
    port 3389
  131. SMTP
    Simple Mail Transport Protocol transfers email between clients and SMTP servers.  Uses port 25
  132. POP3
    Post Office Protocol v3 transfers emails from servers down to clients.  Uses port 110
  133. IMAP4
    Internet Message Access Protocol is used to store e-mail on an e-mail server.  Allows user to organize and manage e-mail in folders on the server.  Uses port 143
  134. PPP
    Point-to-Point Protocol is used to create dial-up connections between a dial-up client and a remote access server/ISP.
  135. Can IPsec be used to encrypt traffic? How?
    Can be used as a remote access tunneling protocol to encrypt traffic.  Uses Internet Key Exchange (IKE) over port 500
  136. PPTP
    Point-to-Point Tunneling Protocol is a tunneling protocol used with VPNs that has some known vulnerabilities.  Uses TCP port 1723
  137. L2TP
    Layer 2 Tunneling Protocol combines the strengths of Layer 2 Forwarding (L2F) and PPTP
  138. RADIUS
    Remote Authentication Dial-In User Service provides central authentication to remote access clients.  Only encrypts passwords
  139. TACACS (generic) and XTACACS (Cisco)
    older network authentication protocols.  Use UDP port 49
  140. TACACS+
    Used as an alternative to RADIUS.  Encrypts the entire authentication process.  Uses multiple challenges and responses.  Uses TCP.
  141. Content Filter
    Feature of proxy server that filters internet traffic based on content (URLs)
  142. IDS
    an Intrusion Detection System is a detective control that attempts to detect attacks after they occur.  In contrast, a firewall is a preventative control that attempts to prevent the attacks before they occur.
  143. IPS
    an Intrusion Prevention System is a preventative control that will stop an attack in progress.  It is placed in line with traffic (so they can immediately block detected intrusions), and can actively monitor data streams and detect malicious content.
  144. HIDS
    a host-based IDS is additional software on a workstation or server.  It can detect attacks on the local system.  The HIDS protects local resources on the host such as the operating system files.
  145. NIDS
    A network-based IDS is installed on network devices, such as routers or firewalls, to monitor network traffic.  It can detect network-based attacks such as smurf attacks.  A NIDS cannot monitor encrypted traffic and cannot monitor traffic on individual hosts.
  146. Signature-based IDS (or definition based)
    Use a database of predefined traffic patterns.  IDS vendors regularly release signature file updates as they learn about and document new attack patterns.  A signature based IDS is the most basic form of detection and the easiest to implement.
  147. Anomaly-based IDS (or behavior based)
    Start with a performance baseline of normal behavior.  The IDS compares network traffic against the baseline, and when traffic differs significantly from the expected boundaries, the IDS will give an alert.  If the network environment is updated or changed, the IDS requires a new baseline to identify the new normal.
  148. What is a honeypot used for?
    A honeypot is used to divert an attacker from a live network and/or allow IT administrators an opportunity to observe methodologies used in an attack.  Honeypots can be useful to observe zero day exploits (previously unknown attacks)
  149. What does increasing the power level of a WAP (Wireless Access Point) do?
    Increases the wireless coverage.
  150. WEP
    Wired Equivalent Privacy is a weak security algorithm for wireless networks, and should not be used.  It has several problems including the misuse of encryption keys with the otherwise secure RC4 symmetric encryption protocol.  In an IV (initialization vector) attack, the attacker uses packet injection, increasing the number of packets to analyze, and discovers the encryption key.
  151. WPA
    Wi-Fi Protected Access is a wireless security algorithm that provided an immediate replacement for WEP, without requiring the replacement of hardware.
  152. WPA2
    WPA2 is a permanent replacement of WEP and is recommended for use instead of WEP or WPA.  WPA2 supports CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) which is based on AES (Advanced Encryption Standard).  CCMP is much stronger than the older WEP protocol and TKIP (Temporary Key Integrity Protocol) used by WPA.
  153. Personal Mode (WPA-PSK or WPA2-PSK)
    Uses a preshared key and does not provide individual authentication.  WPA/WPA2 Enterprise mode is more secure than personal mode, and provides strong authentication.  Enterprise mode uses an 802.1X server (implemented as RADIUS server) to add authentication.
  154. Wireless access points and wireless routers have default administrator accounts and default passwords.  The default password should be changed as soon as the device is placed in service.
  155. What is "MAC filtering"?
    It can restrict access to a wireless network to specific clients.  However, an attacker can use a sniffer to discover allowed MAC addresses and circumvent this form of network access control.  It's relatively simple for an attacker to spoof a MAC address.
  156. SSID
    The service set identifier (SSID) identifies the name of the wireless network.  You should change the SSID from the default name.  Disabling SSID broadcast can hide the network from casual users, but an attacker can easily discover it with a wireless sniffer.
  157. What is "war driving"?
    The practice of driving around looking for wireless networks.
  158. What things should you do during a wireless audit?
    War driving, check wireless signal footprint, power levels, antenna placement, and encryption of wireless traffic.  Wireless audits using war driving can detect rogue access points and identify unauthorized users.
  159. What is an "evil twin"?
    A rogue access point using the same SSID as a legitimate access point.  A secure WAP will block unauthorized users, but a rogue access point provides access to them.
  160. Why is the "isolation mode" feature of access points used?
    To prevent clients from connecting to each other.  Public networks sometimes use this to protect wireless clients.
  161. What is "bluesnarfing"?
    the unauthorized access to or theft of information from a Bluetooth device
  162. What is "bluejacking"?
    the unauthorized sending of text messages from a Bluetooth device
  163. What are some examples of smartphone security?
    device encryption to protect data, password protection, remote wipe capabilities.
  164. What is a VPN concentrator?
    A VPN concentrator is a hardware device that encrypts/decrypts data.  VPN concentrators provide strong security and support large numbers of VPN clients.
  165. Name some tunneling protocols, and associated ports
    • IPsec using port 500 for IKE
    • PPTP (point-to-point tunneling protocol) on port 1723
    • L2TP (layer 2 tunneling protocol) on port 1701
    • SSTP (secure socket tunneling protocol) on port 443
  166. Network access control (NAC)
    Includes methods, such as health agents, to inspect clients for health.  NAC can restrict access of unhealthy clients to a remediation network.  You can use NAC for VPN clients and for internal clients.  MAC filtering is a form of NAC
  167. Disabling unused services is a key step in protecting systems from attacks such as zero day attacks, malware, or risks associated with open ports.  This is an important step for both operating system hardening and application hardening.
  168. How to standardize system configuration and security settings?
    Group Policy and security templates - these methods allow you to enforce strict company guidelines when deploying computers and reapply security settings to multiple computers.
  169. What is a configuration baseline?
    Records system configuration and should be updated when the system is updated.  This includes after installing new software, deploying service packs, or modifying any system configuration settings.
  170. What is baseline reporting? What is it used for?
    It records normal system performance.  Administrators can compare current performance against a baseline to determine abnormal activity.
  171. What are some benefits of standardized images?
    They can include mandatory security configurations, ensuring the system starts in a secure state, and they reduce overall cost.  There is no difference in the security requirements for images deployed to physical computers vs. virtual systems.
  172. What are some benefits of virtualization?
    Reduces the footprint of an organization's server room or datacenter, and helps eliminate wasted resources.  It also helps reduce the amount of physical equipment, reducing overall physical security requirements.
  173. How could a security professional do research on threats?
    Set up an isolated virtual environment, which prevents the risk of contamination to the production environment.
  174. What is "VM escape"?
    An attack that allows an attacker to access the host system from within the virtual system.  If successful, it allows the attacker to control the physical host server and all other virtual servers on the physical server.  Keeping both virtual and physical systems up to date with current patches protects them against known vulnerabilities, including VM escape.
  175. Why is "patch management" important?
    It is one of the most efficient methods of reducing known operating system and application vulnerabilities.  It includes testing, deploying, and verifying changes made by patches.
  176. How would you test a patch?
    In a test environment that mirrors the production environment.  You would also use regression testing to verify that a patch has not introduced new errors.
  177. What is included in "change management"?
    It defines the process and accounting structure for handling modifications and upgrades.  The goals are to reduce unintended outages and provide documentation for all changes.
  178. How to protect individual folders or files?
    You can encrypt them.  This is useful to protect data against users with elevated permissions and to protect individual sensitive files.
  179. Advantages of hardware encryption vs software encryption
    Hardware encryption is much quicker than software encryption.  However, hardware-based drive encryption is slower to deploy due to a lack of management software.
  180. Name two common methods of hardware encryption
    Trusted Platform Module (TPM) and Hardware Security Module (HSM).  Both store RSA keys used with asymmetric encryption.
  181. What is TPM?
    Trusted Platform Module is a hardware chip on the motherboard included on many newer laptops.  A TPM includes a unique RSA asymmetric key, and it can generate and store other keys used for encryption, decryption, and authentication.  TPM provides full disk encryption.  ** No additional hardware!
  182. What is HSM?
    A Hardware Security Module is a removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption.  High-volume e-commerce sites use HSMs to increase the performance of SSL sessions.  High-availability clusters needing encryption services use clustered HSMs.
  183. What does a network-based Data Loss Prevention (DLP) system do?
    Examines and analyzes network traffic.  It can detect if confidential company data or any PII data is included in email and reduce the risk of internal users e-mailing sensitive data outside the organization.
  184. What is cloud computing most useful for?
    It's very useful for heavily utilized systems and networks.
  185. What is SaaS, IaaS, PaaS?
    Software as a Service is used for web-based applications.  Infrastructure as a Service is also known as Hardware as a Service.  Platform as a Service provides easy-to-configure operating systems.
  186. Example of SaaS?
    Applications such as web-based email provided over the internet.  Internet users access SaaS applications with a web browser.  One security concern is that data hosted in the cloud is outside the organization's physical control.
  187. Why use IaaS?
    Organizations can limit their hardware footprint and personnel costs by renting access to hardware such as servers.  The IaaS provider maintains the server.
  188. Why use PaaS?
    Provides cloud computing customers with an easy-to-configure operating system, combined with on-demand computing.
  189. What is a worm?
    A standalone malware program that replicates itself in order to spread to other computers.  Worms can travel through a network without user interaction.  In comparison, viruses must be executed.
  190. What is a Trojan (horse)?
    It appears to be something useful but instead is something malicious.  Users may download pirated software, rogueware, or games that include a Trojan and infect their system.  Trojans also infect systems via USB drives.
  191. What is a logic bomb?
    A piece of code that executes in response to an event, such as when a specific application is executed or a specific time arrives.  Malicious insiders often plant logic bombs.
  192. What is a rootkit?
    Rootkits have system level or kernel access and can modify system files and system access. Rootkits hide their running processes to avoid detection with hooking techniques.  A file integrity checker can detect files modified by a rootkit and an inspection of RAM can discover hooked processes.
  193. What does a spam filter do?
    Blocks unsolicited e-mails.  Network-based spam filters reduce spam entering a network, and end-user spam filters further restrict spam.  Traveling employees benefit from spam filters on mobile systems in addition to antivirus software and host-based firewalls.
  194. What is spyware?
    Software that can access a user's private data and result in a loss of confidentiality.  Spyware often results in a system running slower.  Dedicated anti-spyware software is available, and some antivirus software protects against spyware.
  195. Antivirus software detects and removes malware such as viruses, Trojans, and worms. What are the two kinds?
    Signature-based detects known malware based on signature definitions.  Heuristic-based software detects previously unknown malware based on behavior.
  196. Name an operating system that can prevent malicious code from executing on a computer
    SELinux is a Linux kernel security module that provides the mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls (MAC).
  197. What is rogueware/scareware?
    It uses social engineering tactics to trick users into installing Trojan horse malware onto their systems.
  198. What is phishing?
    The practice of sending e-mail to users with the purpose of tricking them into revealing sensitive or personal information or clicking on a link.  Links within e-mail can also lead unsuspecting users to install malware.
  199. What is spear phishing?
    Attempts to target specific groups of users, or even a single user.  It could target employees within a company or customers of a company.  Whaling targets high-level executives.
  200. What is vishing?
    Vishing is a form of phishing that uses the phone system or VoIP.  The user is encouraged to call a number and an automated recording prompts the user to provide personal and financial information.
  201. What are "dumpster divers"?
    They search through trash looking for information.  Shredding papers instead of throwing them away mitigates this threat.
  202. What is "shoulder surfing"?
    A person gathering unauthorized information just by looking over someone's shoulder.  You can mitigate shoulder surfing with privacy screens and password masking.
  203. What is a DoS attack?
    A denial-of-service attack comes from a single source and attempts to disrupt the services provided by another system.  Examples include SYN flood, smurf, and some buffer overflow attacks.
  204. What is a "SYN flood" attack?
    It disrupts the TCP initiation process by withholding the third packet of the TCP three-way handshake.  Flood guards protect against SYN flood attacks.
  205. What is a DDoS attack?
    A distributed denial-of-service attack includes multiple computers attacking a single target.  DDoS attacks typically include sustained, abnormally high network traffic.  A performance baseline helps administrators detect a DDoS.
  206. What is a botnet?
    A botnet is a group of computers called zombies controlled through a command and control server.  Attackers use malware to join computers to botnets.  Zombies regularly check in with the command and control server and can launch DDoS attacks against other victims.  Botnet activity often includes hundreds of outbound connections.  Some botnets use Internet Relay Chat (IRC) channels.
  207. What is a man-in-the-middle attack?
    It is a form of active interception allowing an attacker to intercept traffic and insert malicious code sent to other clients.  Kerberos provides mutual authentication and helps prevent man-in-the-middle attacks.
  208. What does an attacker need for a session hijacking attack?
    The user's session ID.
  209. What can an attacker do using cross-site scripting attacks?
    Read cookies.
  210. What is a "header manipulation" attack?
    Header manipulation attacks modify flags and other data within packets.
  211. How does a session hijacking attack work?
    It uses header manipulation to insert session IDs into a packet and impersonate a user.
  212. How do cross-site scripting attacks (or cross-site request forgery - XSRF) work?
    They use header manipulation to steal cookies.
  213. What is ARP poisoning?
    Address Resolution Protocol poisoning can redirect traffic through an attacker's system by sending false MAC address updates.  VLAN segregation helps limit the scope of ARP poisoning attacks within a network.
  214. What is domain name kiting?
    It is a tactic used to reserve domain names without paying for them.  Attackers sometimes use several small companies to repeatedly reserve domain names without paying for them.
  215. What is application hardening?
    Includes hardening the server hosting the application, using standard hardening practices such as disabling unnecessary services, disabling default accounts, and changing passwords.  Vendor documentation is often the best source for steps to harden an application.
  216. What is the most effective method of testing software?
    Third-party black box testing.
  217. How often should "secure code reviews" be done in software development?
    At multiple stages of development.
  218. What is "input validation"?
    Verifies the validity of input data before using it.  It uses error-handling routines to prevent improper input from crashing an application and providing information to attackers.  The lack of input validation is one of the most common security issues in web-based applications.  When input validation is not used, web applications are more susceptible to buffer overflow, SQL injection, and cross-site scripting attacks.
  219. What is buffer overflow?
    It occurs when an application receives unexpected data, exposing system memory.  A buffer overflow attack often writes a large number of NOOP (no operation) instructions as a NOOP sled into memory, followed with malicious code.  Attacks can be from data manually entered into an application or from a script, such as JavaScript.  Using input validation and keeping a system up to date are two primary prevention methods against buffer overflow attacks.
  220. What is SQL injection?
    An attack performed against unprotected web pages to access databases.  Injected SQL queries provide the attacker with information about the database and allow the attacker to read and modify the data.  Input validation and stored procedures reduce the risk of SQL injection attacks.
  221. What is cross-site scripting?
    It allows an attacker to redirect users to malicious websites and steal cookies.  E-mail can include an embedded HTML image object or a JavaScript image tag as part of a malicious cross-site scripting attack.  Websites prevent cross-site scripting attacks with input validation to detect and block input that includes HTML and JavaScript tags.  Many sites prevent the use of ">" and "<" to block cross-site scripting.
  222. What is cross-site request forgery?
    Causes users to perform actions on websites without their knowledge.  In some cases it allows an attacker to steal cookies and harvest passwords.
  223. What is "command injection"?
    Attacks that attempt to run operating system commands from within an application.  Directory traversal is a specific type of command injection attack that attempts to access files on a system.
  224. What is fuzzing?
    Sends random strings of data to applications looking for vulnerabilities.  Attackers use fuzz testing to detect strings of data that can be used in a buffer overflow attack.
  225. What is DNS poisoning?
    Attacks that attempt to corrupt cached DNS data, including both forward and reverse lookup results.  A pharming attack redirects a website's traffic to another website.
  226. What does a quantitative risk assessment do?
    Uses specific monetary amounts to identify cost and asset values.
  227. What does a qualitative risk assessment do?
    Uses judgment to categorize risks based on probability and impact.
  228. What is an Xmas attack, and what tools can be used to accomplish it?
    A specific type of port scan that analyzes the returned packets to determine the operating system and other details about the scanned system.  Vulnerability tools such as Nmap, Netcat, and Nessus can do this.
  229. Risk assessments help an organization evaluate threats and vulnerabilities against new and existing systems.  Risk assessment results should be protected and only accessible to management and security professionals.
  230. What is privilege escalation?
    Privilege escalation gives attackers elevated rights and permissions to access data.  It often leads to a data exfiltration attack.
  231. What is a vulnerability scan used for?
    A tool to identify systems that are susceptible to attack.  It passively tests security controls to identify vulnerabilities, a lack of security controls, and common misconfigurations.  It does not attempt to exploit vulnerabilities.
  232. What is a penetration test?
    Active test that can assess deployed security controls, identify the ability of employees to respond, and determine the impact of a threat.  It starts with a vulnerability scan and then tries to exploit vulnerabilities by actually attacking or simulating an attack.
  233. What is a black box tester vs a white box tester?
    Black box testers have zero prior knowledge of the system prior to a penetration test.  White box testers have full knowledge, and gray box testers have some knowledge.  Black box testers often use fuzzing.
  234. What should you do before a penetration test?
    Get the consent of the system owner, because the test could cause system instability.  Also, create a rules of engagement document that identifies the limits of the test.
  235. What does a protocol analyzer do?
    Captures, displays, and analyzes packets sent over a network.  You can view unencrypted network traffic, such as passwords sent in clear text, and examine IP headers.
  236. Routine audits help an organization ensure they are following their policies.  A user rights and permissions review ensures that inactive accounts are either disabled or deleted.  It also ensures that users have only the access they need and no more.
  237. How do attackers crack weak passwords?
    Rainbow tables.
  238. What can you use to check the security of a password-protected file?
    Password-cracking tools.
  239. What do Windows logs do?
    They continuously record information that can be useful in troubleshooting and gaining information on attacks.  The security log records auditable events such as when a user logs on or off, or when a user accesses a resource.  The system log includes system events such as when services start and stop.  Logs stored in a central location provide protection against attacks.
  240. What is a SPOF?  And what can prevent it?
    A single point of failure is any component whose failure results in the failure of an entire system.  RAID, failover clustering, UPS, and generators remove many single points of failure.  Single points of failure are often overlooked until a disaster occurs.
  241. What do RAID subsystems do?  RAID-1 and RAID-5?
    Provide increased availability.  RAID-1 uses two disks as a mirror.  RAID-5 uses three or more disks using striping with parity.
  242. What is a failover cluster?
    A cluster is a set of independent computers that work together to increase the availability of services and applications.  The clustered servers (called nodes) are connected by physical cables and by software.  If one of the nodes fails, another node begins to provide service through a process known as failover.  Clusters increase availability and can remove a server as a SPOF.
  243. What is a UPS?
    An uninterruptible power supply provides fault tolerance for power and can protect against power fluctuations.  UPS provides short-term power.  Generators provide long-term power in extended outages.
  244. What backup strategy provides the fastest recovery time?  What if time or resources are limited?
    Full backup.  Full/differential and full/incremental strategies reduce the amount of time and resources needed.
  245. What is the best way to test the integrity of a company's backup data?
    Test restores.  It verifies that a backup can be recovered in its entirety by performing a full restore as a test.  You can verify that individual files can be restored by restoring just the target files.
  246. What are some best practices for backups?
    Storing a copy off-site, labeling the media, performing test restores, and destroying the media when it is no longer usable.
  247. What is a BIA?
    A Business Impact Analysis identifies critical business or mission requirements.  The BIA includes elements such as Recovery Time Objectives and Recovery Point Objectives, but it doesn't identify solutions.  Information in the BIA helps an organization develop the BCP (Business Continuity Plan) and drives decisions to create redundancies such as failover clusters or alternate sites.
  248. What is a recovery time objective?
    The maximum amount of time it can take to restore a system after an outage.  It should be in the BIA.
  249. What is a recovery point objective?
    The point in time up to which data loss is acceptable.  It should be in the BIA.
  250. What is a COOP site?
    A Continuity of Operations Plan site provides an alternate location for operations after a critical outage.  The most common sites are hot, cold, and warm.
  251. What is the difference between hot, warm, and cold sites?
    A hot site includes personnel, equipment, software, and communications capabilities with all the data up to date.  It can take over for a failed primary site within an hour, and is the most effective and most expensive recovery solution.  A cold site will have power and connectivity, but little else.  A warm site is a compromise between the two.
  252. What is a DRP?
    A disaster recovery plan includes a hierarchical list of critical systems and often prioritizes services to restore after an outage.  Testing validates the plan.  Recovered systems are tested before returning them to operation, and this can include a comparison to baselines.  The final phase of disaster recovery includes a review to identify any lessons learned and an update of the plan.
  253. You can validate business continuity plans and disaster recovery plans through testing.  Plans are tested regularly, such as once a year or quarter.  A disaster recovery exercise can check the steps to restore a server, activate an alternate site, or any other element of the plan.
  254. How can HVAC systems increase availability?
    They regulate airflow within datacenters and server rooms.  Hot and cold aisles are a method used to regulate the cooling.  Temperature control systems use thermostats to ensure a relatively constant temperature.  Humidity controls reduce the potential for static discharges, and damage from condensation.  HVAC systems should be integrated with the fire alarm and either have dampers or the ability to be turned off in the event of a fire.
  255. If availability is more important than security, what state should the system fail in?
    Open.
  256. What is EMI shielding?
    A way to prevent someone from capturing network traffic.  It prevents outside sources from corrupting data and prevents data from emanating outside the cable.
  257. What is hashing?  Why is it used?
    Hashing provides integrity for data such as e-mail, downloaded files, and files stored on a disk.  A hash is a number created with a hashing algorithm.  Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) family are popular hashing algorithms.
  258. Hashing algorithms always produce a fixed-size bit string regardless of the size of the hashed data.  By comparing hashes taken at two different times, you can verify the integrity of the data.
  259. What is the purpose of the LANMAN (LAN Manager) protocol?
    It stores passwords using an LM hash of the password.  It first divides the password into two seven character blocks, and then converts all the lower case letters to upper case.
  260. What are the two basic components of encryption?
    Algorithms and keys.
  261. What is symmetric encryption?
    Symmetric encryption uses the same key to encrypt and decrypt data.  For example, when transmitting encrypted data, symmetric encryption algorithms use the same key to encrypt and decrypt data at both ends of the transmission media.  Symmetric encryption is much more efficient at encrypting large amounts of data than asymmetric encryption.
  262. What is AES?  What is DES?
    Advanced Encryption Standard is a strong symmetric algorithm that uses 128-bit, 192-bit, or 256-bit keys.  Data Encryption Standard uses only 56-bit keys and should NOT be used today.
  263. What is 3DES?
    Symmetric encryption that was originally designed as a replacement for DES.  It uses multiple keys and multiple passes, and is not as efficient as AES.  However, 3DES is still used in some applications, such as when hardware doesn't support AES.
  264. What is a "one time pad"?
    Hardcopy printouts of keys in a pad of paper.  Keys are distributed in these printed pads and keys are destroyed after a single use.
  265. What is public key cryptography or asymmetric cryptography?
    Uses two separate keys: a private and public key.  Only a private key can decrypt information encrypted with a matching public key.  Only a public key can decrypt information encrypted with a matching private key.
  266. What is the certificate's role in asymmetric encryption?
    Certificates include public keys along with details on the owner of the certificate and the CA (certificate authority) that issued the certificate.  Certificate owners share their public key by sharing a copy of their certificate.
  267. What is RSA?
    A widely used asymmetric encryption technique.  It is used to protect internet traffic, including e-mail.  It relies on the mathematical properties of prime numbers when creating public and private keys.  These keys are commonly used with asymmetric encryption to privately share a symmetric key.
  268. What is Diffie-Hellman?
    It addresses key management, and provides another method to privately share a symmetric key between two parties.
  269. What is elliptic curve cryptography?
    Uses smaller key sizes and requires less processing power than many other encryption methods.  Commonly used with small wireless devices.
  270. What is steganography?
    The practice of hiding data within data, such as hiding data within a file or reducing the size of a font so that the data looks like a dot or dash.  Security professionals use hashing to detect changes in files that may indicate the use of steganography.
  271. How do TLS and SSL use certificates?
    Both require certificates issued by certificate authorities (CAs).  PEAP-TLS (Protected Extensible Authentication Protocol) uses TLS to encrypt the authentication process and requires a CA to issue certificates.  HTTPS uses a combination of symmetric and asymmetric encryption to encrypt HTTPS sessions.
  272. If a private key is encrypting, what is it being used for?
    A digital signature.
  273. What is a digital signature?
    An encrypted hash of a message.  The sender's private key encrypts the hash of the message to create the digital signature.  The recipient decrypts the hash with the sender's public key, and, if successful, it provides authentication, non-repudiation, and integrity.  Authentication identifies the sender. Integrity verifies the message has not been modified.  Non-repudiation is used with online transactions and prevents the sender from later denying they sent the email.
  274. How does the encryption of email work?  Whose key encrypts? Private or public?
    The recipient's public key encrypts e-mail messages.  The recipient uses the recipient's private key to decrypt an encrypted email message.  In most cases the public key doesn't actually encrypt the message, but instead encrypts a symmetric key used to encrypt the email.  The recipient then uses the private key to decrypt the symmetric key, and then uses the symmetric key to decrypt the email.
  275. What do S/MIME and PGP do? How?
    They secure email with encryption and keys.  "Secure/Multipurpose Internet Mail Extensions" and "Pretty Good Privacy" both use the RSA algorithm, and use public and private keys for encryption and decryption.  They depend on a Public Key Infrastructure (PKI) for certificates.  They can digitally sign and encrypt email, including the encryption of email at rest (stored on a drive) or in transit (sent over a network).
  276. When encrypting website traffic with SSL or TLS, what keys are used?
    • Website's public key encrypts a symmetric key
    • Website's private key decrypts the symmetric key
    • Symmetric key encrypts data in the session
  277. What are PKI's used for?
    A PKI includes all the components required for certificates.  It allows two entities to privately share symmetric keys without any prior communication.
  278. What does a CA (certificate authority) do?
    A CA issues, manages, validates, and revokes certificates.  Root certificates of trusted CAs are stored in the trusted root certification authority store.  All certificates issued by trusted CAs are trusted.  Web browsers display errors when a site uses an untrusted certificate.
  279. When do CAs revoke certificates?
    When the key is compromised or the CA is compromised.  The certificate revocation list (CRL) includes a list of revoked certificates and is publicly available.
  280. What does a key escrow do?
    Maintains a copy of a private key for recovery in the event the original is lost.  An organization often uses key escrow if loss of encrypted data is unacceptable.  Even if users lose access to their original private key, the organization will still be able to access the encrypted data using a key from key escrow.
  281. What are some examples of PII?
    Full name, birthdate, biometric data, and identifying numbers such as SSN.
  282. What is one common method of hard drive sanitation?
    Bit-level erasure, overwriting the drive with a series of ones and zeroes multiple times.
  283. What does a chain of custody do?
    Assures evidence has been controlled and handled properly after collection.  It documents who handled the evidence and when.
  284. What is the sequence of events when a user attempts to go to a website with SSL/TLS?
    When a client connects to a secure HTTPS site, the web server sends a certificate to the web browser to establish its identity.  If the browser accepts the certificate and finds no validation issues with it, SSL is activated between the server and client.  No other communication can occur between the server and client until the certificate is validated and accepted.
  285. In what order would experts collect evidence?
    In the order of volatility.
Author
ID: 246512
Card Set: Security+
Description: Flashcards used for studying for Sec+ test