3.0 Implementation Flashcards
(237 cards)
1
Q
What is Remote Access ?
A
Remote access refers to the user’s device connecting over or through an intermediate network, usually a public Wide Area Network (WAN). It does not make a direct cabled or wireless connection to the network.
2
Q
What is Internet Protocol Security (IPSec)
A
Internet Protocol Security (IPSec) is a set of open, non-proprietary standards that you can use to secure data as it travels across the network or the Internet.
3
Q
What is does the Authentication Header (AH) protocol perform?
What else?
What is that called and where does add it? and where ? for what?
A
The Authentication Header (AH) protocol performs a cryptographic hash on the packet plus a shared secret key (known only to the communicating hosts) and adds this Hashed Message Authentication Code (HMAC) in its header as an Integrity Check Value (ICV)
4
Q
What is Tunnel mode?
A
The tunnel mode is used by IPsec to provide encrypted communication by encrypting the entire network packet. This method is used mostly in unsecured networks.
5
Q
What port does DNSSec use?
A
DNS traffic uses port 53. However, given that most DNSSEC packets can be larger than 512 bytes, which is the limit for UDP packets,
DNSSEC uses TCP port 53.
6
Q
What is TCP and UDP port 88 are used for?
A
TCP and UDP port 88 are used by Microsoft’s Kerberos. It is an authentication service that is based on a time-sensitive, ticket-granting system beneficial for single sign-on requirements.
7
Q
What is UDP port 389 is used for?
A
UDP port 389 is used by Lightweight Directory Access Protocol. It is a network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
8
Q
What is The transport mode?
A
Transport mode secures communications between hosts on a private network (an end-to-end implementation). AH and ESP running transport mode provides confidentiality, integrity, and authentication for internal secure communication.
The transport mode is used by IPsec to provide encrypted communication by only encrypting the payload. This method is used mostly in private networks.
9
Q
What is a cipher?
A
A cipher is the process (or algorithm) used to encrypt and decrypt a message. A cipher mode refers to the cryptographic product processes multiple blocks. ECB or Electronic Code Book is the simplest mode of cipher operation.
10
Q
What is a counter mode?
A
A counter mode is a type of cipher mode of operation.
11
Q
What is Secure Shell (SSH)?
What are 2 main uses for SSH?
What port does it use?
A
Secure Shell (SSH) is the principal means of obtaining secure remote access to a UNIX or Linux server. The main uses of SSH are for remote administration and Secure File Transfer (SFTP).
Supports VPNs by using port forwarding and runs on TCP port 22
12
Q
What is Telnet?
A
Telnet is terminal emulation software to support a remote connection to another computer. It does not support file transfer directly.
13
Q
What is Remote Desktop Protocol (RDP)?
A
Remote Desktop Protocol (RDP) is Microsoft’s protocol for operating remote connections to a Windows machine.
14
Q
What is a Virtual Private Network (VPN) is utilized for?
A
A Virtual Private Network (VPN) is utilized to connect to a network and the user needs to connect to a single host to complete the file transfer.
15
Q
What is Secure/Multipurpose Internet Mail Extensions (S/MIME)?
A
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a widely accepted method for sending digitally signed and encrypted messages. It allows the sender to encrypt the emails and digitally sign them
16
Q
What is a characteristic of The Session Initiation Protocol (SIP) ?
A
The Session Initiation Protocol (SIP) is one of the most widely used session control protocols.
17
Q
Security Actions to consider when deploying a new Web Server?
A
- The guest account must be secured so that it cannot be used to modify any data on the server.
- A secure means of uploading files and configuration changes needs to be used, such as Secure Shell (SSH).
- Web servers should be deployed using configuration templates where possible. This will assist the administrator with hardening the system.
- The location of the server should be carefully considered as a way to not expose the private network to attack from the public. This can be achieved by placing a firewall between the web server and the local network.
18
Q
How can Transport Layer Security (TLS) be used to provide encrypted communication of services?
A
File transfer services can use the Transport Layer Security (TLS) protocol to encrypt communication such as File Transfer Protocol Secure (FTPS). A TLS tunnel is negotiated before the exchange of any FTP commands.
Directory services can encrypt traffic, for example, using the Lightweight Directory Authentication Protocol Secure (LDAPS). Credentials are encrypted when in transit to a directory service like Windows Active Directory.
Web services use TLS to encrypt traffic between users and a bank’s web site, for example. The latest TLS version 1.3 is approved as of 2018
19
Q
What is Network Time Security (NTS)?
What does it secure?
How does it do it?
A
Network Time Security (NTS) is a long-developed solution to securing the Network Time Protocol (NTP). TLS can be used to provide an authenticated channel.
20
Q
What is Secure real-time transport protocol (SRTP)?
A
Secure real-time transport protocol (SRTP) encrypts actual real-time data, like voice and video. It provides confidentiality for the actual call data.
21
Q
What does the Session initiation protocol (SIP) do?
A
Session initiation protocol (SIP) provides session management features between SIP endpoints and/or gateways.
22
Q
What is Quality of service (QoS)?
A
Quality of service (QoS) provides information about the connection to a QoS system, which in turn ensures that voice or video communications are free from problems, such as dropped packets, delay, or jitter.
23
Q
What is The Encapsulation Security Payload (ESP) protocol?
A
The Encapsulation Security Payload (ESP) protocol provides confidentiality and/or authentication and integrity. It encrypts the data payload.
ESP is used with Internet Protocol Security (IPSec) over layer 3 of the Open Systems Interconnection (OSI) model.
24
Q
What does Simple Network Management Protocol (SNMP) v3 supports?
A
Simple Network Management Protocol (SNMP) v3 supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions.
25
What does SNMPv1 use?
SNMPv1 uses community names that are sent in plaintext and should not be transmitted over the network if there is any risk they could be intercepted.
26
What does SNMPv2c use?
SNMPv2c also uses community names that are sent in plaintext and should not be transmitted over the network, if there is any risk they could be intercepted. Like SNMPv1, this protocol does not support strong user-based authentication.
27
what is the Management Information Base (MIB)?
Where does it run?
Management Information Base (MIB) is the database that the SNMP agent uses. The agent is a process that runs on a switch, router, server, or SNMP compatible network device
28
What port does the Lightweight Directory Access Protocol Secure (LDAPS) use?
Lightweight Directory Access Protocol Secure (LDAPS) uses port 636 to set up a secure channel to a directory service using a digital certificate.
29
What port does the Hypertext Transfer Protocol Secure (HTTPS) use?
Hypertext Transfer Protocol Secure (HTTPS) uses port 443 to connect clients to a web server or service using digital certificates. HTTPS is commonly secured using the transport layer security (TLS).
30
What is Fingerprinting?
Fingerprinting is when a port scanner uses a tool such as Nmap that can reveal the presence of a router and which dynamic routing and management protocols it is running.
31
What is a Route injection?
Route injection means that traffic is misdirected to a monitoring port (sniffing), sent to a blackhole (non-existent address), or continuously looped around the network, causing DoS.
32
What is Trivial File Transfer Protocol (TFTP)?
Trivial File Transfer Protocol (TFTP) is a connectionless protocol that provides file transfer services but does not provide guaranteed delivery.
33
Explain Explicit FTP over SSL (FTPES)?
What command does it use?
What does it do?
What is it preferred over?
What port does it use?
Explicit FTP over SSL (FTPES) uses the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This negotiates a SSL/TLS tunnel explicitly and is preferred over FTPS.
34
What is File Transfer Protocol over SSL (FTPS)? What port does it use?
File Transfer Protocol over SSL (FTPS) implicitly negotiates a Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel before the exchange of any File Transfer Protocol (FTP) commands. This mode uses the secure port 990 for the control connection.
35
What does Provisioning single sign on (SSO) access on a feed do?
Provisioning single sign on (SSO) access on the feed will provide access to logged in users as soon as the feed is configured on their email application or Intranet portal.
36
What is Configuring Really Simple Syndication (RSS) feeds?
Configuring Really Simple Syndication (RSS) feeds is the first step to starting a subscription. RSS feeds push updated articles or news items to the client or browser.
37
Name 3 protocols or ways to provide IP Header integrity and encrypted data payload?
The Authentication Header (AH) protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts) and adds this HMAC in its header as an Integrity Check Value (ICV).
Transport mode secures communications between hosts on a private network (an end-to-end implementation). AH and ESP running transport mode provides confidentiality, integrity, and authentication for internal secure communication.
The Encapsulation Security Payload (ESP) protocol provides confidentiality and/or authentication and integrity. It encrypts the data payload.
38
What is the primary difference between TLS 1.1 and TLS 1.2?
Transport Layer Security (TLS) 1.2 added support for the strong Secure Hash Algorithm (SHA)-256 cipher. That is the primary difference between TLS 1.1 and TLS 1.2.
39
What does a whitelist do ?
Execution control to prevent the use of unauthorized software can be implemented as a whitelist. This control means that nothing can run if it is not on the approved whitelist.
40
What does Blacklist do?
Blacklist is another method of blocking application. This control means that anything not on the prohibited blacklist can run.
41
What is application hardening?
Application hardening is the process of securing an application with settings like changing the default port of service or removing default administrative accounts.
42
What is a trusted, or measured, boot process?
A trusted, or measured, boot process uses the trusted platform module (TPM) at each stage in the boot process to check hashes of key system state data, which then uses an attestation process to verify if the system has not been tampered with.
43
What is Host intrusion prevention systems (HIPS)?
Host intrusion prevention systems (HIPS) provide threat detection and prevent those threats based on signature values, heuristic behaviors, and security policies.
Host Intrusion Prevention System (HIPS) is software located on the host system and has an active response to threats. In the example of an unknown IP range trying to gain access to a server, the HIPS at the server level will block the connection
44
What are Secure Cookies?
Secure cookies help to prevent the session hijacking and data exposure attack vector found in unsecure cookies. It uses a SetCookie header for increased security.
45
What is an endpoint detection and response (EDR) product?
An endpoint detection and response (EDR) product provides real-time and historical visibility into the compromise, contains the malware, and facilitates remediation of the host to its original state.
46
What is Unified Extensible Firmware Interface (UEFI)? What does it do?
What is it a replacement for?
Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer's firmware to its operating system. UEFI is the replacement for Basic Input/Output System (BIOS) and has many advancements to include provisions for secure booting.
47
What is The Basic Input/Output System (BIOS)
The Basic Input/Output System (BIOS) is firmware used to manipulate settings on a system. It provides basic instructions on how a system should start up. It does not support secure boot.
48
What is a hardware root of trust?
A hardware root of trust is a known secure starting point by embedding a private key in the system. The key remains private until the public key is matched.
49
What is Attestation?
Attestation is the process of checking and validating system files during a boot process.
It is not a part of Secure DevOps.
50
How can a Data Loss Prevention (DLP) allow the use of a certain kind of USBs?
Information, like a vendor ID, product ID, or device instance ID, can be added to the "excluded drives" definition. Doing so will prevent all drives, except the specified USB IDs.
51
What does Removing the rule that blocks USB drives do?
Removing the rule that blocks USB drives will allow the use of USB drives. The goal is to allow specific USB drives access, not to allow all USB drives.
52
What is Host Intrusion Detection System (HIDS)?
Host Intrusion Detection System (HIDS) is also software located on the host system. It can log and notify admins or users about intrusion attempts without an active response, like denying or blocking.
can detect attacks on a host and protect critical files.
53
What is Network Intrusion Detection System (NIDS) ?
Network Intrusion Detection System (NIDS) is an appliance at the network level. The logs revealed, in this case, came from a NIDS. This device is generally non-intrusive.
54
What are Network Intrusion Prevention System (NIPS)?
Network Intrusion Prevention System (NIPS) is like a NIDS but uses intrusive means to protect the network.
55
What is A Hardware Security Module (HSM)? What does it do?
A Hardware Security Module (HSM) is a device used to generate, maintain and store cryptographic keys. It is an external device and can easily be added to a system
A hardware security module (HSM) is a network appliance designed to perform centralized PKI management for a network of devices. This means that it can act as an archive or escrow for keys in case of loss or damage.
56
What is a Secure Sockets Layer (SSL) decryptor?
Where would it be placed?
A Secure Sockets Layer (SSL) decryptor provides protection from malicious threats over secure connections.
It would be placed in the demilitarized zone of a network.
57
What is Sandboxing?
What step is it in system hardening?
Sandboxing a system is the placement in an isolated area for test and development purposes. Disabling default configurations, such as usernames and passwords, is the first line of security in hardening a system.
58
What is Code signing
Code signing verifies application code has not been modified by the use of digital signatures. The certificate provided with the signature identifies the author of the application and the code's authenticity.
59
What is an immutable system?
An immutable system is the ability to create a secure image and test it in a controlled DevOps environment.
60
What does Security Automation to?
As new code is introduced to an application, security testing is important to check for bugs and vulnerabilities. Automating security testing in a DevOps environment ensures defects are not introduced in systems.
61
What does Tokenization means?
How are tokens stored with?
Where are they stored?
Tokenization means that all or part of the data in a field is replaced with a randomly generated token or number. The token is stored with the original value on a token server or token vault, separate to the production database.
62
What does Hashing do?
Hashing produces a fixed-length string from arbitrary-length plaintext data using an algorithm such as Secure Hash Algorithm (SHA).
63
How does Full disk encryption (FDE) work? What's an example of FDE tool?
Full disk encryption (FDE) uses a trusted platform module (TPM) to store keys that will be used to unencrypt or unlock an encrypted disk. Windows BitLocker is an example of an FDE tool.
64
What is Fuzzing?
Fuzzing is a dynamic analysis technique that checks code as it is running. When using fuzzing, the system is attacked with random data to check for code vulnerabilities.
65
what does A static code analyzer do?
A static code analyzer examines code quality and effectiveness without executing the code. An analyzer can be used in conjunction with development for continued code quality checks, or once the code is in its finalization stages.
66
What is Stress testing?
Stress testing attempts to simulate a production environment and focuses on the objective and threshold that an application can handle while maintaining performance.
67
What is Dynamic analysis? What is a common technique?
Dynamic analysis inspects code as it is running for code quality and vulnerabilities. Fuzzing is a common technique used.
68
What is Model verification?
Model verification is the process of ensuring software meets its intended purpose and specifications.
69
what is a A self-encrypting drive (SED) ?
A self-encrypting drive (SED) includes both the hardware and software to encrypt data on a drive. Keys are securely stored within for decryption. SED requires credentials to be entered for decryption.
70
What is Electromagnetic interference (EMI)? How Can it be avoided?
Electromagnetic interference (EMI) are radio frequencies emitted by external sources, such as power lines that disturb signals. EMI can be avoided by the use of shielding.
71
What is The Trusted Platform Module (TPM)?
The Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system and provides secure key storage for full disk encryption. A TPM keeps hard drives locked until proper authentication occurs.
72
What is Transport Layer Security (TLS)?
What is it used for?
Transport Layer Security (TLS) is a security protocol designed to provide communications security over a computer network.
73
What is a Virtual Local Area Network (VLAN)?
A Virtual Local Area Network (VLAN) is a logical group of network devices on the same LAN, despite their geographical distribution. It can divide the devices logically on the data link layer, and group users according to departments. A proxy is a device that acts on behalf of another service.
74
What does a proxy do?
A proxy examines the data and makes rule-based decisions about whether the request should be forwarded or refused.
75
What does creating an airgap do?
Creating an airgap would physically isolate a system and its resources from other systems.
76
What is Signature-based (or pattern-matching) detection?
Signature-based (or pattern-matching) detection uses a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.
77
What is anomaly-based detection?
Anomaly-based detection uses an engine that looks for irregularities in the use of protocols. For example, the engine may check packet headers or the exchange of packets in a session against RFC standards and generate an alert, if they deviate from strict RFC compliance.
78
What is Heuristic-based detection?
Heuristic-based detection learns from experience to detect differences from the baseline. This type of detection is the same as behavioral-based detection.
79
What is Behavioral-based (statistical or profile-based) detection?
Behavioral-based (statistical or profile-based) detection uses an engine to recognize baseline "normal" traffic or events. Any deviation from the baseline (outside a defined level of tolerance) generates an incident.
80
What does a Hypertext Markup Language 5 (HTML5) Virtual Private Network (VPN) do ?
Hypertext Markup Language 5 (HTML5) Virtual Private Network (VPN) uses modern web browsers to access and manage a desktop with relatively little lag. This is also known as a clientless remote desktop gateway.
81
What is Layer 2 Tunneling Protocol (L2TP) used for?
Layer 2 Tunneling Protocol (L2TP) is used with IP Security (IPSec) to provide a VPN tunnel. This will require installing a VPN agent at the client.
82
What's a common use of an access control list (ACL)?
An access control list (ACL) can be used to restrict communications between two network segments or two switches connected to a router.
is used by firewalls. The list of rules defines the type of data packet and the appropriate action to take when it exits or enters a network or system. The actions are to deny or accept.
83
Explainm
| What is a Virtual IP (VIP) address?
Each server node has its own IP address, but externally a load-balanced service is advertising a Virtual IP (VIP) address. Clients go to an IP address or FQDN (fully qualified domain name) and will be routed accordingly between the servers in the cluster.
84
What is Gateway Load Balancing Protocol (GLBP)?
Gateway Load Balancing Protocol (GLBP) is Cisco's proprietary service to providing a load-balanced service with a VIP. The infrastructure is Cisco-based, so this service will most likely be implemented.
85
What is the Common Address Redundancy Protocol (CARP)?
What is it comparable to?
Common Address Redundancy Protocol (CARP) is another commonly used network protocol that works in the same way as GLBP.
86
What is Spanning Tree Protocol (STP) is principally designed for?
Spanning Tree Protocol (STP) is principally designed to prevent broadcast storms.
These storms occur when a bridged network contains a loop and broadcast traffic is amplified by the other switches. This can disrupt the network services.
87
What is Dynamic Host Configuration Protocol (DHCP) snooping?
Dynamic Host Configuration Protocol (DHCP) snooping is a network setting that inspects traffic on access ports to ensure that a host is not trying to spoof its MAC address.
88
What does Media Access Control (MAC) filtering protect against?
Media Access Control (MAC) filtering guards against MAC flooding attacks. It sets a limit on permitted MAC addresses on a port and disables when the limit is reached.
89
What does a Bridge Protocol Data Unit (BPDU) guard prevents?
Where are the settings applied to?
What does it cause?
A Bridge Protocol Data Unit (BPDU) guard prevents BPDUs from communicating network topology information on access ports. This protects against misconfiguration or a possible malicious attack.
A Bridge Protocol Data Unit (BPDU) guard setting is applied to switches.
This causes a portfast-configured port that receives a BPDU to become disabled
90
What is a split-tunnel VPN?
In a split-tunnel VPN, administrators decide where traffic is routed. A split tunnel can decipher whether traffic goes to a private network or not.
91
What is an extranet?
An extranet is a zone created to allow authorized users access to company assets separate from the intranet.
92
What do Sensors do in Networking?
Where do Sensors send the data?
Sensors gather information to determine if the data being passed is malicious or not. The Internet facing sensor will see all traffic and determine its Intent. The sensor behind the firewall will only see filtered traffic. The sensors send findings to the NIDS console.
93
What is an aggregation switch?
An aggregation switch can connect multiple subnets to reduce the number of active ports. When aggregating subnets, the subnets are connected to the switch versus the router.
94
What is a correlation engine?
What uses it?
A correlation engine is part of a Security Information and Event Manager (SIEM). It captures and examines logged events to alert administrators of potential threats on a network.
95
Whats does an active/active cluster do?
An active/active cluster provides Enterprise services to clients from both virtual servers. All services will transparently transfer to the other server if one virtual host goes offline.
96
What is an active/passive cluster?
An active/passive cluster provides Enterprise services to clients from only one virtual server. The other server comes online only when the currently active server goes offline.
97
What scenario uses is a "session affinity setting"
What is it known as?
What else is it?
A session affinity setting is used in load balancing scenarios. This is also known as source IP and is a layer 4 approach to handling user sessions.
98
How is round-robin setting is used in load balancing scenarios?
A round-robin setting is used in load balancing scenarios. New client sessions are established with the next server in the group. Round robin and affinity provide stateless fault tolerance.
99
What is The Unified Threat Management (UTM)?
The Unified Threat Management (UTM) is an all-in-one security appliance that combines the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, Data Loss Prevention, content filtering, and many more.
100
What is An Intrusion Detection System (IDS)?
An Intrusion Detection System (IDS) by itself out-of-the-box will be able to notice a user visiting a bad website, and may do passive or non-intrusive notification, but nothing active will occur.
101
What is a firewall?
A firewall is a software or hardware device that protects a system or network by blocking unwanted network traffic. It is not designed to scan for malware.
102
What is a collector in network security?
Who does it do it for?
A collector combines multiple sensors to collect internet traffic for processing by an Intrusion Detection Systems (IDS) and other systems. Depending on where the collector is placed determines the type of traffic analyzed.
103
what is Network Addressing Protocol (NAT)?
Network Addressing Protocol (NAT) translates public IP addresses to private and vice versa. By using the NAT protocol on the firewall, a company can hide assets from the public internet.
104
What does a Reverse proxies do?
Reverse proxies can publish specific applications from the corporate network to the Internet by listening for specific client requests. This will ensure other intranet services are not exposed.
105
What is East-west traffic?
East-west traffic describes the network and platform configurations that support cloud and other Internet services where most traffic is actually between servers within the data center.
106
What is Zero trust?
Zero trust uses systems such as continuous authentication and conditional access to mitigate privilege escalation and account compromise. It can use micro-segmentation to apply security policies to single node like it was in its own zone.
107
What is scheduling in load balancing?
The scheduling algorithm is the code and metrics that determine which node is selected for processing each incoming request. The simplest scheduling is round robin; this just means picking the next node.
108
What are Always on Virtual Private Networks (VPNs)?
Always on Virtual Private Networks (VPNs) allow for a continued connection between the geographically separated servers and the employee.
109
What is a VPN concentrator?
A VPN concentrator incorporates the most advanced encryption and authentication techniques and includes all of the items necessary to create a VPN.
110
What is a site-to-site Virtual Private Network (VPN)?
A site-to-site Virtual Private Network (VPN) connects multiple networks versus one. Remote users can access both locations as if they were onsite without noticing the location separation.
111
what is a Remote access VPN?
Remote access VPNs allow an authorized user to connect to an internal network from a remote location. Tunneling protocols encapsulate and encrypt traffic for data protection and integrity.
112
What is a jump server?
A jump server runs only necessary administrative applications to securely access a web server, for example, in the DMZ. This minimizes any inherit risks when connecting to the DMZ from a secure zone.
113
What is a forward proxy?
A forward proxy provides protocol-specific outbound traffic. For example, you might deploy a web proxy that enables clients from the LAN to connect to websites on the Internet.
114
What does "Inline" mean (NIDS)?
Network intrusion detection systems are "inline" with the network meaning that all traffic passes through them. Passive detection systems do not have an IP Address and use packet sniffers to capture data packets.
115
What support agentless health or posture assessment?
What's a disadvantage?
An agentless health or posture assessment supports a wide range of devices, such as smartphones and tablets, but less detailed information about the client is available.
116
What is a non-persistent or dissolvable agent?
A non-persistent or dissolvable agent is loaded into memory and never installed on the system. This option still requires an agent that may not be compatible with mobile devices.
117
What is a quarantine network?
A quarantine network is a restricted network that uncompliant devices are redirected to, only after it has been assessed. A policy for mobile devices must be in place for proper remediation to take place.
118
What is the 802.1p header used for?
Switches that support quality of service uses the 802.1p header to prioritize frames. This will improve video conferences and make efficient use of the overall network bandwidth.
119
What is a A web application firewall (WAF) designed to protect?
from what ?
A web application firewall (WAF) is designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.
120
What is Out-of-band (OOB) management?
Out-of-band (OOB) management is a means of remote management of a system; a term commonly used when managing network devices. For example, a console connection to a router.
121
What is a wireless controller?
Enterprise wireless solutions implement wireless controllers for:
centralized management and monitoring.
A controller can be a hardware appliance or a software application run on a server.
122
What is Remote Authentication Dial-In User Service (RADIUS)?
Remote Authentication Dial-In User Service (RADIUS) provides authentication, authorization, and accounting services for wireless clients.
Users can use their personal accounts to gain wireless network access.
Think Enterprise Access Points.
123
What can you say about WPA2-Enterprise?
Wi-Fi Protected Access (WPA)-Personal setting is a security setting that does not use enterprise methods for authentication with a RADIUS server, for example. WPA2-Enterprise should be used instead.
124
What does the Institute of Electrical and Electronics Engineers (IEEE) 802.1X wireless security standard define?
802. 1X defines the use of Extensible Authentication Protocol over Wireless (EAPoW) to allow an access point to forward authentication data without allowing any other type of network access. Same as EAP ?
802. 1x is configured by selecting the Wi-Fi Protected Access (WPA) setting for WPA2-Enterprise or WPA3-Enterprise as the security method on the access depending on the wireless router model type.
802. 1x does not define the security standard for using a service set identifier (SSID) on a wireless router.
125
What is a Federation ? Radius Federation?
Remote Authentication Dial-in User Service (RADIUS) federation means that multiple organizations allow access to one another's users by joining their RADIUS servers into a RADIUS hierarchy or mesh.
126
What is Terminal Access Controller Access-Control System Plus (TACACS+)?
What is it used for?
Who would use it?
It's an authentication protocol. TACACS+ are usually implemented to manage switches and routers.
Terminal Access Controller Access-Control System Plus (TACACS+) is specifically designed for network administration of routers. TACACS+ data packets are encrypted and make it easier for network admins to work with multiple routers simultaneously.
127
What are the benefits of using Wi-Fi heat maps for wireless networks? (Select all that apply.)
Determine where to place access points.
Determine which channels overlap.
Find location of strong signals.
Survey a site for signal strength.
128
How does Wi-Fi protected access (WPS) work?
Wi-Fi protected access (WPS) works with applicable devices that compatible. WPS is dependent on the type of wireless interface card (NIC) on the printer or laptop.
Use can connect to the wireless router without WPS using a passphrase or PIN that is printed on the router device. User selects the wireless router in the laptop’s desktop, and enters the passphrase or PIN when prompted.
WPS is for consumers, not enterprises.
129
Which authentication protocol requires both a server and client-side public certificate?
Extensible Authentication Protocol with Transport Layer Security (EAP-TLS)
requires a server and client-side public key certificate. An encrypted TLS tunnel is established between the supplicant and authentication server using this method.
130
What is Simultaneous Authentication of Equals (SAE)?
What is it used by?
What does it replace?
What does it replace it with?
Simultaneous Authentication of Equals (SAE) is a secure password-based authentication and key agreement method used in Wireless Protected Access version 3 (WPAv3).
Simultaneous Authentication of Equals (SAE) is a feature of WPA3 that replaces WPA's 4-way handshake authentication and association mechanism with a protocol based on the Diffie-Hellman key agreement.
131
What is a Protected Extensible Authentication Protocol (PEAP)?
What kind of key certificate does it require?
What does it work with?
Protected Extensible Authentication Protocol (PEAP) only requires a server-side public certificate public key certificate.
Protected Extensible Authentication Protocol (PEAP) enables a client and server to establish a secure connection without mandating a client-side certificate. The user authentication method (also referred to as the "inner" method) works with the Microsoft Challenge Handshake Protocol (MS-CHAP).
132
What does EAP with Flexible Authentication via Secure Tunneling (EAP-FAST ) use for authentication? What does it not use?
EAP with Flexible Authentication via Secure Tunneling (EAP-FAST) does not use certificates but a Protected Access Credential (PAC), which is generated for each user from the authentication server's master key.
133
What is Lightweight Extensible Authentication Protocol (LEAP) ? What is it vulnerable to?
Lightweight Extensible Authentication Protocol (LEAP) is Cisco Systems' proprietary EAP implementation. It is vulnerable to password cracking attacks.
134
What is a Protected Access Credential (PAC)?
What was it supposed to replace?
Protected Access Credential (PAC) is utilized by Cisco's EAP Flexible Authentication via Secure Tunneling (EAP-FAST). It was created to replace LEAP, but PEAP is the industry standard.
135
How much MHz do Channel Space have how much does Wifi Require?
Channels have ~5 MHz spacing, but Wi-Fi requires 20 MHz of channel space. Providing adequate spacing ensures maximum network bandwidth and minimum interference.
136
What can you say about Wi-Fi Protected Access version 3 (WPA3) Enterprise?
Wi-Fi Protected Access version 3 (WPA3) with enterprise security allows users to log in to a wireless access point using their own credentials.
This passes authentication to a RADIUS server, for example, before allowing the user access.
WPA3 uses an updated cryptographical protocol called Advanced Encryption Standard (AES) Galois Counter Mode Protocol (GCMP) mode of operation.
Enterprise authentication methods must use 192-bit AES.
137
Describe a Wireless heat map
A heat map shows where a signal is strong (red) or weak (green/blue) and which channels are used and which channels are overlapping. Place wireless access points (WAPs) in the red areas.
138
What is Extensible Authentication Protocol with Transport Layer Security (EAP-TLS) ?
What does it do?
What kind of certificate(s) does it require?
Extensible Authentication Protocol with Transport Layer Security (EAP-TLS) requires a server and client-side public key certificate.
An encrypted TLS tunnel is established between the supplicant and authentication server using this method.
139
What is a Pre-shared Key (PSK)? What's an example?
Pre-shared Key (PSK) is the password needed to gain access to a WAP (Wireless Access Point).
An example is a WPA2 enabled PSK. Using a personal password will not work.
Pre-Shared key can be described as passphrase. is supported in WPA and WPA2
140
what is a Wi-Fi analyzer?
A Wi-Fi analyzer is a software tool that can scan for wireless signals in the area. With a wireless device, like a smartphone, the surveyor can move to catch rogue access point signals in range.
141
What is a site survey?
A site survey is an architectural map of the site, with marked features like solid walls, reflective surfaces, motors, and microwave ovens that could interfere with an access point signal.
142
How is a heatmap generated?
A heat map is generated with data from a site survey and Wi-Fi analyzer to show where a signal is strong (red) or weak (green/blue), which channels are used, and which channels are overlapping.
143
Where is Advanced Encryption Standard-Counter Mode with Cipher Block Chaining Message Authentication Code Protocol used (AES-CCMP)?
Advanced Encryption Standard-Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP) is a standard encryption algorithm compatible with WPA2.
144
What is Enhanced open? Regarding WPA
Which WPA uses it?
Enhanced open is a feature of WPA version 3 that enables encryption for the open authentication method.
145
What encryption standard does WPA3 uses?
WPA3 uses an updated cryptographical protocol called Advanced Encryption Standard (AES) Galois Counter Mode Protocol (GCMP) mode of operation.
Enterprise authentication methods must use 192-bit AES.
146
What uses RC4 Stream Cipher?
What does it add?
The first version of Wi-Fi Protected Access (WPA) uses the RC4 stream cipher but adds Temporal Key Integrity Protocol (TKIP) to make it stronger.
147
What is Extensible authentication protocol (EAP)?
802.1x, which is the Port-based Network Access Control framework, establishes several ways for devices and users to be securely authenticated before they are permitted full network access.
Extensible authentication protocol (EAP) is the actual authentication mechanism.
148
What is Rivest-Shamir-Adleman (RSA)?
What is it used for?
Rivest-Shamir-Adleman (RSA) is a public key cryptography that is widely deployed as a solution for creating digital signatures and key exchange. RSA can also be used to encrypt only short messages.
149
What is Advanced Encryption Standard (AES)?
Where is it used?
Advanced Encryption Standard (AES) is a symmetric 128, 192, or 256-bit block cipher. Wi-Fi Protected Access 2 (WPA2) uses AES to provide higher security encryption for wireless network access than WPA.
150
What is Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling (EAP-FAST)
Flexible Authentication via Secure Tunneling (EAP-FAST) is Cisco's replacement for LEAP. It addresses LEAP vulnerabilities using Transport Layer Security (TLS) with Protected Access Credential (PAC) instead of certificates.
151
What is EAP-MD5?
is a secure hash of a password sent to the authenticating server. By itself, this does not provide mutual authentication from the client to the supplicant.
152
What can an infrared (IR) signal do and a cellphone do?
An infrared (IR) signal such as an IR blaster on a capable smartphone can interact with the IR receiver on a television set to manipulate the current channel viewing.
153
What is An ad hoc network used for?
An ad hoc network is commonly used to connect two wireless clients (e.g., two laptops) establishing a temporary peer-to-peer connection.
154
Whats the use of Custom firmware on a mobile device?
Custom firmware on a mobile device is essentially deploying a new image (or rooting). This can be used to enhance its features or compromise a target's device.
155
Benefits of Airwatch
Full drive encryption
Containerization
Application management
No remote Wipe
156
Name NFC Vulnerabilities
Radio Frequecy (RF) Evesdrop from a distance
Skim information with a NFC Reader
Corrupt Data through Dos Attack with RF Signal Flooding.
(No Credit Card data is passed, but rather a token)
157
Features of MDM
Enable / Disable Camera
Enable / Diable Microphone.
prevents transfer or corporate data to personal apps.
158
What is MAM?
MAM is a solution that configures an enterprise-managed container or workspace on the mobile device.
159
What does Jailbreaking do?
This gives users the ability to obtain root privileges, sideload apps, change or add carriers, and customize the interface.
It is accomplished by booting the device with a patched kernel and can be done when the device is attached to a computer when it boots.
160
What is Rooting?
Rooting is a term associated with Android devices.
One method of rooting is to exploit a vulnerability.
Another is to use a custom firmware.
161
What is The difference between Choose Your Own Device (CYOD) and company-issued, personally-enabled (COPE)?
The difference between Choose Your Own Device (CYOD) and company-issued, personally-enabled (COPE) is that CYOD allows the employee to select a device from a list provided by the company.
162
Define COPE? company-issued, personally-enabled (COPE)
COPE refers to a device that is chosen and supplied by the company and remains its property. The employee may use it to access personal email, social media accounts, and personal web browsing (subject to the company's acceptable use policies).
163
What is Geofencing?
Geofencing is the practice of creating a virtual boundary based on real-world geography. An organization may use geofencing to create a perimeter around its office property.
164
Name a few BLuetooth Vulnerabilities
Device Discovery
Authentication and authorization
Authentication and authorization occur when devices authenticate using a simple passkey configured on both devices.
Malware
Malware occurs when there is proof-of-concept Bluetooth worms and application exploits, which can compromise any active and unpatched system, regardless of whether discovery is enabled and without requiring any user intervention.
165
Features of a cellular network?
A cellular network enables long-distance communication over the same system that supports mobile and smartphones. This is also called baseband radio.
166
Define Radio Frequency ID (RFID)?
Radio Frequency ID (RFID) is a means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else.
167
What is Point-to-point (P2P) connection
Point-to-point (P2P) is a microwave that uses high gain antennas to link two sites. High gain means that the antenna is highly directional.
168
What is Point-to-Multipoint (P2M) connection?
Point-to-Multipoint (P2M) is a microwave that uses smaller sectoral antennas, each covering a separate quadrant. P2M links multiple sites or subscriber nodes to a single hub.
169
What is a Personal Area Network (PAN)?
Wi-Fi can be used to establish a Personal Area Network (PAN). These PANs are commonly created in an ad hoc configuration (peer-to-peer).
fairly secure.
170
Considerations to be taken about a Native cloud application-aware firewall?
Native cloud application-aware firewalls incur transaction costs, calculated on time deployed and traffic volume. The cost does not correlate with security findings if there are any.
171
What is Regional replication (also called zone-redundant storage)?
Regional replication (also called zone-redundant storage) replicates your data across multiple data centers within one or two regions.
172
What is Geo-redundant storage (GRS)?
Geo-redundant storage (GRS) replicates your data to a secondary region that is distant from the primary region. This safeguards data in the event of a regional outage or a disaster.
173
What is Next-generation secure web gateway (SWG)?
Next-generation secure web gateway (SWG) is a modern implementation of content filters that also performs threat analysis and other integrated services like data loss prevention (DLP).
174
What does using a wildcard or asterix Json Cloud storage policy mean?
Cloud resource policies configure read and write access to resources. Using a wildcard that allows all users to read/write, in this case, breaks the principle of least privilege and opens it up to a high risk of exploitation.
175
As a cloud administrator, what strong policies can you enforce to mitigate these risks associated with cloud services
Assigning secret keys is a part of proper cloud secrets management techniques.
Assigning secret keys to service accounts for use with programmatic access is ideal when working with application programming interfaces (APIs).
A third-party password manager can store account secrets keys, along with their regular account credentials so they are safe and rotated (or changed) on a regular basis.
176
What is Identity and Access Management (IAM)?
Identity and Access Management (IAM) is a common cloud interface to manage accounts and permissions to cloud services. Service accounts can be given explicit permissions from IAM
177
What does running Multiple virtual private clouds (VPCs) do?
Multiple virtual private clouds (VPCs) on the Amazon Web Services (AWS) platform, for example, allows for a greater degree of segmentation between instances rather than using subnets.
178
What is Cold storage?
Describe its limitations
Cold storage is a cheap class of cloud resource; however, it has limitations when retrieving data immediate restores. Backup data is readily available when stored on a standard or "hot" class of storage.
179
What is a Cloud Access Security Broker (CASB)?
What does it do?
What is it used by?
A Cloud Access Security Broker (CASB) is a part of security as a service that monitors network traffic between a company's network and cloud provider, enforcing security policies.
Used by Next-generation secure web gateway (NSWG)
180
What is Secrets management?
Secrets management is a term used to manage the keys, codes, or passwords for secure authentication and authorization of cloud application programming interfaces (API).
181
What is a virtual private cloud (VPC) endpoint?
A virtual private cloud (VPC) endpoint is a means of publishing a service that is accessible by instances in other VPCs using the AWS internal network and private IP addresses. An interface endpoint makes use of AWS's PrivateLink feature to allow private access.
182
What is a shared account?
A shared account is usually a privileged account that is shared for access to production servers or services.
A Linux root account can be stored in a vault and shared by other admins if no other means of access to the server is possible.
183
What are Service accounts?
Service accounts are used by scheduled processes and application server software, such as databases. A service account follows the appropriate authentication mechanism of the application it is servicing.
184
What is a user account is defined by?
A user account is defined by a unique security identifier (SID), a name, and a credential. The account follows the standard authentication process of a network.
185
How does Smart-card authentication works?
What kind of authentication does it use?
Smart-card authentication means programming cryptographic information onto a card equipped with a secure processing chip. Smart-card logon works with Kerberos authentication.
186
What is Mandatory access control (MAC) ?
Mandatory access control (MAC) is based on the idea of security clearance levels. This is ideal for a "need to know” classification. Each object in this control system is labeled with a clearance level, and a user must possess the requisite clearance to access objects in this system.
187
What is Attribute-Based Access Control (ABAC)?
Attribute-Based Access Control (ABAC) is fine-grained, with the system making access decisions based on a number of attributes of both the user and the object.
188
What is Discretionary access control (DAC)?
What is it vulnerable to?
Discretionary access control (DAC) is based on the primacy of the resource owner. The owner is granted full control and can modify its access control list (ACL) to grant rights to others.
It's vulnerable to insider attacks and task heavy for the content creator.
189
What are Role-Based Access Control (RBAC) ?
Role-Based Access Control (RBAC) assigns users to roles and roles to permissions.
190
What is 802.1X Port-based Network Access Control (NAC) protocol?
802.1X Port-based Network Access Control (NAC) protocol provides the means of using an Extensible Authentication Protocol (EAP) method when a device connects to a switch port, wireless access point, or VPN gateway.
191
What is The Password Authentication Protocol (PAP)?
The Password Authentication Protocol (PAP) is an unsophisticated authentication method used as the basic authentication mechanism in HTTP. It relies on clear-text password exchange.
192
What 2 type of attacks do Kerberos authentication protect against?
Kerberos protects against replay attacks by timestamping the keys involved. (Replay is a low tier Man in the middle)
Kerberos protects against man-in-the-middle attacks by performing mutual authentication between the principal and the Application Server (AS).
193
What is Kerberos vulnerable to?
Kerberos is vulnerable to pass-the-hash attacks with credential dumping. The secret keys used to secure active directory Kerberos tickets are derived from NT hashes (from passwords), rather than using a random number generator. It is important to restrict the number of workstations that accept domain administrative privileges.
.
194
How does forcing a system application to run in sandbox mode overcome the weakness of Discretionary Access Control (DAC)?
Sandbox mode is an example of a rule-based access control measure, designed to protect computer and network systems founded on discretionary access from misconfigurations that can result from DAC. Running in "sandbox" mode prevents malicious scripts on a website from circumventing the security system by using the privileges of a logged-on user. The key is to restrict access based on a rule for privileges, rather than allocating permissions based on the user's identity.
Sandbox mode does not actively enforce the access control list or sift through the names of users; remember, it is based on the rule, not user identity.
195
What are Security Association Markup Language (SAML) authorizations or tokens ?
What type of signature do they use? What do they not use?
Security Association Markup Language (SAML) authorizations or tokens are written and signed with the eXtensible Markup Language (XML) signature specification; this digital signature allows the service provider to trust the identity provider.
Not using PKI !!!!encryption ...
XML !!!!
196
What are OpenID and OpenID Connect (OIDC)?
OpenID and OpenID Connect (OIDC) are examples of user-centric identity management protocols, whereas SAML implementations are controlled by the system, or enterprise controlled. These use JavaScript Object Notation (JSON) and JSON Web Tokens (JWT) rather than eXtensible Markup Language (XML).
197
What do SAML and OpenID have in common?
Do they Work together?
are both federated authentication standards, but they do not operate cooperatively.
198
What is OAuth and how is it different from OpenID Connect (OIDC)?
The "auth" in OAuth stands for "authorization," not authentication.
OAuth facilitates the transfer of information between sites with authentication delegated to the OAuth provider, not the OAuth consumer.
OIDC authenticates federated applications.
OAuth is an authorization mechanism that facilitates authentication but does not directly authenticate users, while OIDC provides authentication for federated applications.
199
What does Mutual authentication do?
For what?
Mutual authentication assures that the client and the server are authenticated to one another, and an attacker cannot intercept the communications exchanged between the two.
200
What is a Service Request in authentication?
A service request is the first part of the Kerberos authentication process.
this alone is insufficient to protect against such an attack until the principal and application server are authenticated to one another.
201
What are Privilege access management solutions?
Privilege access management solutions provide a platform for storing high-risk, role-based credentials (that are often shared) and auditing elevated privileges in general.
202
What is a trusted platform module (TPM)?
A trusted platform module (TPM) is a secure cryptoprocessor enclave implemented on a PC, laptop, smartphone, or network appliance. It is commonly used to store the keys to unlock an encrypted hard drive or solid-state drive.
203
What is a password key?
A password key is a USB token for connecting to PCs and smartphones. Some can use near field communications (NFC) or Bluetooth as well as physical connectivity.
204
What is Password Authentication Protocol (PAP)?
Password Authentication Protocol (PAP) is a weak, obsolete protocol. It is designed for use with dial-up connections and transfers password information in cleartext rather than over a secure connection.
205
What is Challenge Handshake Authentication Protocol (CHAP)?
What is it stronger than?
What was it designed to do?
What does it rely on to authenticate users?
Challenge Handshake Authentication Protocol (CHAP) is stronger than Password Authentication Protocol (PAP), as
CHAP was designed for authenticating remotely linked users.
CHAP relies on a three-way handshake method of challenge, response, and verification to authenticate users.
206
What is Kerberos?
What does it ustilize? (3 things)
What is it stronger than?
Kerberos is a strong authentication protocol, which utilizes service tickets, symmetric encryption, and mutual authentication. It is much stronger than Password Authentication Protocol (PAP).
207
Name Policies that can help prevent external threats from using stolen employee credentials.
Risky Login Policy
| Smart Card Policy
208
What is a Wildcard Certificate?
A wildcard certificate is issued to the parent domain and will be accepted as valid for all subdomains since all are listed in one. These will reduce management overhead.
209
What is a Self Signed certificate?
Self-signed certificates are generated by the user or computer itself. Self-signed certificates will be marked as untrusted by the client web browser, such as when a user tries to access a website.
210
What is a machine certificate?
Who is it normally issued to?
A machine certificate is generated by a certificate authority specifically for a specific machine. Machine certificates can be issued to domain controllers, member servers, or client workstations.
Machine certificates may be issued to network appliances, such as routers, switches, and firewalls.
211
How does Email Certificate sign and encrypt messages? who cannot use it?
An email certificate typically uses a Secure/Multipurpose Internet Mail Extensions (S/MIME) or Pretty Good Privacy (PGP) to sign and encrypt email messages. It cannot be used by actual machines or servers.
212
What is the The common name (CN) attribute?
The common name (CN) attribute was used to identify the fully qualified domain name (FQDN) of which the server is accessed, such as www.comptia.org. This has been deprecated as a method of validating subject identity.
213
What is the subject alternate name (SAN) extension field used on?
What does it use? for what?
What is structured for?
Subject Alternative Name (SAN) is an extension field on a web server certificate using multiple subdomain labels to support the identification of the server.
The subject alternate name (SAN) extension field is structured to represent different types of identifiers, including domain names.
214
What is a certificate signing request (CSR)?
A certificate signing request (CSR) is a common practice of gathering information about a device to present to a certificate authority (CA) to request a signed certificate.
215
What is Certificate expiration?
Certificate expiration is part of a normal certificate lifecycle. Root certificates might have long expiration dates (10+ years), whereas web server and user certificates might be issued for 1 year only.
216
What is a Certificate Revocation List (CRL)?
A Certificate Revocation List (CRL) is a list of certificates revoked by the CA and are no longer valid nor trusted.
217
What is Online Certificate Status Protocol (OCSP)?
What does it respond to? What does it not?
What happens when you check the status of the untrusted certificate?
Online Certificate Status Protocol (OCSP) runs on a server to respond to queries of individual certificates rather than a whole Certificate Revocation List (CRL). Checking the status of the untrusted certificate will not produce results.
218
A root Certificate Authority (CA) and intermediate CAs are fully deployed. The system administrator turns off the root CA server. Why is the root CA powered-down?
A root Certificate Authority (CA) that is trusted by all other CAs and leaf certificates is a high-risk target. Powering off the root CA is a common security configuration for a hierarchy. This ensures the hierarchy is not entirely compromised if only one part of the hierarchy chain is compromised.
An offline CA cannot process anything. CRLs are processed by online CAs
219
What is Certificate pinning?
What is it not dependant on?
What does it prevent?
Certificate pinning refers to validating a website's certificate by checking public keys of previously known certificates in the chain. It is not dependent on an offline CA.
Can prevent Man in the middle attacks.
220
Describe The three-level Certificate Authority (CA) hierarchy.
The three-level Certificate Authority (CA) hierarchy can be described with a root server at the top-level, an intermediate or subordinate CA in the middle, and issuing CAs at the bottom that issue certificates.
221
What is A code signing certificate?
What does the publisher sign?
A code signing certificate is issued to a software publisher, following an identity check and validation process by the CA. The publisher then signs the executables or DLLs that make up the program to guarantee the validity of a software application or browser plug-in.
222
What are Self-signed certificates?
Self-signed certificates will be marked as untrusted by the operating system or browser, but an administrative user can choose to override this.
223
What are User certificates used for?
User certificates involve wide needs, such as standard users, administrators, smart card login/users, recovery agent users, and Exchange mail users (with separate templates for signature and encryption).
224
What is root certificate?
The root certificate identifies the CA itself.
225
What is a certification path?
The certification path, also known as "certificate chaining" or a "chain of trust," is a verifiable path of the leaf certificate to the root Certificate Authority (CA). Both web certificates must show the same path.
226
What do Public root certificates do?
Public root certificates allow users to trust a website using the chain of trust to the root authority. Private organizations must load employee web browsers with internal root certificates to verify internal websites.
227
What is the purpose of a Certificate Signing Request (CSR)?
A subject must complete a Certificate Signing Request (CSR) and submit it to the Certificate Authority (CA) to obtain a certificate. It is a Base64 ASCII file containing information about the requester including its public key.
The Certificate Signing Request's (CSR) purpose is to request a certificate not to issue one. Only a CA can issue a certificate
The Certificate Signing Request (CSR) does not create a public key, but it must be included with a CSR. The public key is created by an asymmetric algorithm like RS
When creating a key pair (private/public) with an asymmetric algorithm like RSA, the private key stays with the requester, while the public key is shared along with the Certificate Signing Request (CSR) to a Certificate Authority (CA).
228
What is Domain Validation (DV)?
Domain Validation (DV) is proving the ownership of a domain, which may be proved by responding to an email to the authorized point of contact. This process is highly vulnerable to compromise.
provides quick turn around time!
229
What are .pem files?
What can they be represented as?
What kind of encoding would it use?
What expwnsions do they support?
A DER-encoded binary file can be represented as ASCII characters using Base64 Privacy-enhanced Electronic Mail (PEM) encoding. PEM files support other extensions like .key, .cer, and .cert.
230
What are Distinguished Encoding Rules (DER)? .der files.
What encoding does it not use?
It's an encoding scheme used by All certificates to create a binary representation of the information in the certificate.
It does not use a Base64 encoding.
All certificates use an encoding scheme called Distinguished Encoding Rules (DER) to create a binary representation of the information in the certificate. It does not use a Base64 encoding.
231
What is a .pfx file?
The .pfx format allows the export of a certificate along with its private key. This would be used to archive or transport a private key.
232
What is a The .p12 file?
The .p12 file is also like the .pfx file. It is a password-protected container format that possibly contains private/public key pairs.
233
There are various formats for encoding a certificate as a digital file for exchange between different systems.
One difference is storing both public and private keys versus only storing a public key.
Which file type stores both public and private keys?
.PFX
.P12
This means they can be exported!
234
What is Key Escrow
Key escrow refers to the archiving of a key (or keys) with a third party. This is a useful solution for organizations that do not have the capability to store keys securely but are able to fully trust the third party.
235
What is Trust Model?
The trust model is a concept of the Public Key Infrastructure (PKI) to show how users and different Certificate Authorities (CA) can trust one another. This is detailed in a certificate's certification path leading back to the root CA.
236
What is HTTP Public Key Pinning (HPKP)?
What does it minimize?
How does it work?
HTTP Public Key Pinning (HPKP) is a method of trusting digital certificates to bypass the CA hierarchy and chain of trust and minimize MitM attacks.
The client stores a public key that belongs (or is pinned) to a web server. If visiting again and the key does not exist in the certificate chain, a warning is presented.
237
What is Online Certificate Status Protocol (OCSP)?
Instead of what?
Online Certificate Status Protocol (OCSP) checks the status of an individual certificate rather than the whole CRL.
