3.0 - Implementation Flashcards

(149 cards)

1
Q

Define

SRTP

A

• Secure Real-Time Transport Protocol

• Adds security features to RTP

• Integrity, replay protection, and AES encryption

• Used for voice and video

2
Q

Define

NTPsec

A

• A hardened, security-focused implementation (fork) of the reference NTP daemon

• Began development in 2015

• Adds security to NTP and cleans up the code base (large amounts of legacy code removed)

• (NTP servers have commonly been abused as amplifiers in DDoS attacks, e.g. via the monlist command)

3
Q

Define

S/MIME

A

• Secure/Multipurpose Internet Mail Extensions

• Public key encryption and digital signing of mail content

• Requires PKI or similar organization of keys

4
Q

Define

IPsec

A

• Internet Protocol Security

• Allows sending of data over OSI layer 3 with authentication and encryption for every packet

• Very standardized, common to use across multiple vendors

• Its two primary protocols are AH and ESP

5
Q

Explain

AH

A

• Authentication Header

• One of the core protocols of IPsec

• Adds an Integrity Check Value: a keyed hash (HMAC) computed over the packet using a key shared by both ends

• The hash adds integrity

• The shared key authenticates the origin

• Also includes sequence numbers, which let the receiver reject replayed packets

• Does not encrypt data, only provides integrity and origin authentication

• Can be used independently, but is most often used with ESP

6
Q

Define

ESP

A

• Encapsulating Security Payload

• One of the core protocols of IPsec

• Adds encryption (confidentiality) to IP packets

• Can also provide integrity, origin authentication, and anti-replay (sequence numbers), so ESP is usually deployed on its own without AH
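The integrity and anti-replay machinery that AH and ESP share, as an added Python example (not part of these flashcards): the sender stamps each packet with a sequence number and an HMAC-SHA-256 integrity check value, and the receiver verifies the ICV and runs the sequence number through a sliding anti-replay window of the kind RFC 4302/4303 describe. The key, window size and bare packet layout (sequence number, payload, ICV) are simplifying assumptions for illustration; real IPsec negotiates keys with IKE and carries full AH/ESP headers.

```python
import hashlib
import hmac
import struct

# Constructed key for the example; real IPsec negotiates SA keys with IKE.
KEY = b"example-sa-key-not-for-production"
ICV_LEN = 16     # HMAC-SHA-256-128: the 256-bit HMAC truncated to 128 bits, as RFC 4868 does
WINDOW = 64      # anti-replay window; RFC 4302/4303 require at least 32 and suggest 64


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: prepend the sequence number and append the keyed hash over everything."""
    header = struct.pack(">I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class InboundSA:
    """Receiver state for one security association: key plus anti-replay window."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0   # highest sequence number authenticated so far (right edge of window)
        self.bitmap = 0    # bit i set => sequence number (highest - i) already received

    def _window_check(self, seq: int) -> bool:
        if seq == 0:
            return False                        # 0 is never a valid sequence number
        if seq > self.highest:
            return True                         # ahead of the window: new packet
        diff = self.highest - seq
        if diff >= WINDOW:
            return False                        # behind the window: too old
        return not (self.bitmap >> diff) & 1    # inside the window: reject if already seen

    def _window_update(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) if shift < WINDOW else 0
            self.bitmap = (self.bitmap | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        """Return (accepted, payload_or_reason). Window check first, then ICV, then update."""
        if len(packet) < 4 + ICV_LEN:
            return False, "truncated"
        header, body, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        seq = struct.unpack(">I", header)[0]
        if not self._window_check(seq):          # cheap check before spending an HMAC on it
            return False, "replay or outside window"
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False, "bad ICV"              # forged or modified in transit
        self._window_update(seq)                 # only authenticated packets move the window
        return True, body


def demo():
    """Walk one SA through normal, reordered, replayed, forged, tampered and stale packets."""
    sa = InboundSA(KEY)
    p1, p2, p3 = (protect(KEY, s, b"data-%d" % s) for s in (1, 2, 3))
    results = [
        sa.receive(p1)[0],   # True: first packet
        sa.receive(p3)[0],   # True: a gap is fine (packet 2 may just be late)
        sa.receive(p2)[0],   # True: late but still inside the window
        sa.receive(p2)[0],   # False: replay of sequence number 2
    ]
    forged = protect(KEY, 4, b"data-4")[:-ICV_LEN] + bytes(ICV_LEN)
    results.append(sa.receive(forged)[0])                   # False: bad ICV (no key)
    tampered = protect(KEY, 4, b"data-4")
    tampered = tampered[:4] + b"evil-4" + tampered[10:]     # payload changed, ICV not recomputed
    results.append(sa.receive(tampered)[0])                 # False: bad ICV (modified)
    results.append(sa.receive(protect(KEY, 200, b"x"))[0])  # True: window slides to 200
    results.append(sa.receive(protect(KEY, 100, b"y"))[0])  # False: 100 is beyond the 64-packet window
    return results
```

Note the order in `receive`: the window check runs before the HMAC so an attacker cannot make the receiver burn CPU on obvious replays, but the window is only updated after the ICV verifies, so forged packets cannot push the window forward and lock out legitimate traffic.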

7
Q

Difference between FTPS and SFTP?

A

• FTPS is FTP over SSL/TLS: the classic F​TP protocol with a TLS layer added (implicit on tcp/990, or explicit via AUTH TLS on tcp/21)

• SFTP is the SSH File Transfer Protocol: a different protocol that runs over an SSH connection (tcp/22), not FTP at all

8
Q

Define

LDAPS

A

• LDAP Secure

• LDAP wrapped in SSL/TLS on tcp/636; never formally standardized (the standardized alternative is StartTLS on the normal LDAP port, tcp/389)

9
Q

Define

SASL

A

• Simple Authentication and Security Layer

• A framework that lets a protocol plug in different authentication methods, rather than hard-coding one

• Methods include Kerberos (GSSAPI) or client certificates (EXTERNAL)

• Used by LDAP, among other protocols

10
Q

Define

DNSSEC

A

• Domain Name System Security Extensions

• Validates DNS responses: signatures let a resolver authenticate the origin and confirm the data integrity

• Uses public key cryptography (zone data is signed, with a chain of trust from the root down)

• Provides authentication and integrity only, not confidentiality: queries and answers are still visible on the wire

11
Q

Define

SNMPv3

A

• The secure version of SNMP

• Adds authentication, integrity, and confidentiality through encryption

12
Q

How can security be added to DHCP?

A

• It does not include any security functions in its original specification

• Switches can be configured to only allow DHCP responses to come from specified trusted interfaces

• In Active Directory, DHCP servers must be authorized

13
Q

Define

DHCP Snooping

A

• The term used by Cisco for the feature of specifying what interfaces on a switch are allowed to send DHCP responses

• Filters invalid IP and DHCP information

14
Q

Explain

EDR

A

• Endpoint Detection and Response

• A newer method of threat protection, rather than signature-based

• Detects threats through behavior analysis, machine learning, process monitoring

• Can run through a lightweight agent on an endpoint

• Both investigates threats and can respond to them

• Responses may include isolating the system from the network, quarantining the threat, rolling back to a previous configuration

• Can be automated and API-driven

15
Q

What are alternative terms for NGFW?

A

• Application Layer Gateway

• Stateful Multilayer Inspection

• Deep Packet Inspection

16
Q

Define

NGFW

A

• Next-Generation Firewall

• Inspects the application layer, all data in every packet, rather than just looking at IP address and port number

• Can allow or block application features

• Identify attacks and malware

• Examine encrypted data (if configured to manage the keys)

• Prevent access to URLs or URL categories

17
Q

Define

HIDS and HIPS

A

• Host-Based Intrusion Detection System

and

• Host-Based Intrusion Prevention System

• Runs directly on an endpoint/host; examines log files, file integrity, and process activity to identify intrusions, and (in the HIPS case) can block them

18
Q

Explain

TPM

A

• Trusted Platform Module

• Hardware installed to assist with cryptography and device security

• Cryptographic processor and key generator

• Comes with unique keys burned in during production

• Can store keys, hardware configuration info, etc.

• Stored keys can require an authorization value (password), and the TPM has built-in dictionary-attack lockout so the value cannot be brute-forced

19
Q

How does UEFI BIOS protect against malicious firmware updates?

A

• BIOS includes the manufacturer’s public key

• When flashing a BIOS update, the firmware’s digital signature is checked against that key

• BIOS will prevent unauthorized writes to the flash

20
Q

Define

Secure Boot

A

• Part of the UEFI specification

• When enabled, Secure Boot verifies the bootloader

• Checks the bootloader’s digital signature

• Bootloader must be signed by a key present in the firmware's signature database (db) and not revoked in the forbidden database (dbx); anything else requires an administrator to enroll the key or hash manually

• Confirms that no part of that bootloader has been changed

21
Q

Define

Trusted Boot

A

• Windows' term for the stage after Secure Boot: the bootloader verifies the digital signature of the OS kernel

• The boot process will halt if a corrupted kernel is detected

• The kernel then verifies all other startup components, including boot drivers and startup files

• ELAM then runs prior to loading all remaining drivers.

22
Q

Define

ELAM

A

• Early Launch Anti-Malware

• A security feature of Windows that checks every driver to see if it is trusted prior to loading it

• Runs early in the boot process

• Checks digital signatures, and prevents untrusted drivers from loading.

23
Q

Explain

Measured Boot

A

• The firmware, and then the OS, hash ("measure") each component loaded during the Secure Boot and Trusted Boot processes (firmware, bootloader, boot drivers, etc.) and extend those hashes into the TPM's Platform Configuration Registers (PCRs)

• A PCR can only be extended, never set directly, so its final value reflects everything that ran and in what order; the TPM can sign those values (a "quote") for a verification server

24
Q

Define

Remote Attestation / Boot Attestation

A

• When the Measured Boot process completes, the system sends a boot report (the TPM-signed PCR values plus the boot event log) to a verification server; the signature proves the report came from that TPM and was not altered in transit

• The attestation server checks the signature and compares the reported values to the known-trusted configuration of the system

• If changes are found, they are identified and various actions can be taken (deny network access, alert, quarantine)
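How measurement and attestation fit together, as an added Python example (not part of these flashcards): each boot component is hashed and extended into a simulated PCR, and a verifier compares the result and event log to a golden value. The boot chain contents are constructed, and the TPM's signature over the reported PCR (the quote) is assumed to have been verified before attest() is called.

```python
import hashlib

# Constructed boot chain: (component, bytes standing in for the image the firmware loads).
BOOT_CHAIN = [
    ("uefi-firmware", b"firmware-image-2.1"),
    ("bootloader", b"bootmgfw.efi build 1001"),
    ("kernel", b"ntoskrnl.exe build 1001"),
    ("elam-driver", b"elam.sys build 1001"),
]


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new_value = SHA-256(old_value || measurement).

    There is no 'set' operation, so a value can only be reached by replaying
    exactly the same measurements in exactly the same order."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain):
    """Measure each component in boot order into one PCR.

    Returns (final_pcr, event_log); the log lists what was measured so the
    verifier can explain why a PCR differs, not just that it does."""
    pcr = bytes(32)   # PCRs are all-zero at platform reset
    event_log = []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        event_log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr, event_log


def attest(reported_pcr: bytes, event_log, golden_pcr: bytes, golden_log):
    """Attestation-server side: compare the reported value to the known-good one.

    Signature verification of the TPM quote is assumed to have happened already."""
    if reported_pcr == golden_pcr:
        return True, []
    # Replay the log to find which components changed; this is how a verifier
    # turns 'PCR mismatch' into 'the bootloader hash changed'.
    changed = [name for (name, h), (_, gh) in zip(event_log, golden_log) if h != gh]
    if len(event_log) != len(golden_log):
        changed.append("number of measured components differs")
    return False, changed


GOLDEN_PCR, GOLDEN_LOG = measured_boot(BOOT_CHAIN)


def clean_boot_passes() -> bool:
    pcr, log = measured_boot(BOOT_CHAIN)
    return attest(pcr, log, GOLDEN_PCR, GOLDEN_LOG)[0]


def bootkit_is_detected() -> list:
    """A modified bootloader changes its hash, and every PCR value after it."""
    chain = list(BOOT_CHAIN)
    chain[1] = ("bootloader", b"bootmgfw.efi build 1001 + bootkit")
    pcr, log = measured_boot(chain)
    return attest(pcr, log, GOLDEN_PCR, GOLDEN_LOG)[1]


def reordering_is_detected() -> bool:
    """Same components in a different order: same set of hashes, different PCR."""
    chain = [BOOT_CHAIN[0], BOOT_CHAIN[2], BOOT_CHAIN[1], BOOT_CHAIN[3]]
    pcr, _ = measured_boot(chain)
    return pcr != GOLDEN_PCR
```

The event log matters in practice: the PCR alone says only "something differed", while the log replayed against the golden log names the component, and because the PCR is recomputed from the log the log cannot be edited to hide a change without the PCR no longer matching.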

25
Q

What is this another name for? Fuzzing

A

• A form of Dynamic Analysis
• May also be referred to as:
  ○ Fault injection
  ○ Robustness testing
  ○ Syntax testing
  ○ Negative testing

26
Q

Define Dynamic Analysis

A

• Testing an application while it is running, by feeding it input and watching how it behaves (as opposed to static analysis of the source); fuzzing is the variant that sends random or malformed input
• Used by attackers and testers alike, looking for vulnerabilities, application crashes, buffer overflows, unhandled exceptions, etc.
• "Fuzzers" are tools to perform this
• Very time and processor resource heavy, but often designed to perform high-probability tests first

27
Q

Describe security concerns surrounding: Cookies

A

• Cookies are used for tracking, personalization, and session management
• Generally not a security risk in themselves, unless someone else gains access to them (a stolen session cookie is a stolen session)
• Secure cookies have the Secure attribute set, so the browser will only send them over HTTPS
• Related attributes: HttpOnly (script on the page cannot read the cookie) and SameSite (limits sending the cookie on cross-site requests, which helps against CSRF)
• Sensitive information ought never to be stored in a cookie

28
Q

Explain HTTP Secure Headers

A

• Response headers with which the web server tells the browser to restrict what it will do with the content (a way of limiting the browser's capabilities)
• Useful when an application is being served from your web server but you aren't certain of that application's security
• For example, can be used to:
  ○ enforce HTTPS (Strict-Transport-Security)
  ○ only allow scripts, stylesheets, or images from the local site (Content-Security-Policy, which limits what an XSS payload can do)
  ○ prevent the page from loading in an iframe (X-Frame-Options, or the CSP frame-ancestors directive)

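A response-header and cookie audit, as an added Python example (not part of these flashcards) covering cards 27 and 28: it parses a raw HTTP response and reports which of the protections above are missing. The two sample responses are constructed; the checks reflect common hardening guidance and are not a complete scanner.

```python
import re

# What each missing header leaves the browser free to do, used in the findings text.
EXPECTED = {
    "strict-transport-security": "browser may fall back to plain HTTP",
    "content-security-policy": "no limit on where scripts, styles and images load from",
    "x-content-type-options": "browser may MIME-sniff responses into scripts",
}
ONE_YEAR = 31536000


def parse_response(raw: str):
    """Split a raw HTTP response into (status_line, [(header_name_lowercase, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_findings(set_cookie: str):
    """Check one Set-Cookie value for the Secure, HttpOnly and SameSite attributes."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {a.strip().lower().split("=")[0] for a in set_cookie.split(";")[1:]}
    out = []
    if "secure" not in attrs:
        out.append(f"cookie {name}: missing Secure, will be sent over plain HTTP")
    if "httponly" not in attrs:
        out.append(f"cookie {name}: missing HttpOnly, readable by injected script")
    if "samesite" not in attrs:
        out.append(f"cookie {name}: missing SameSite, sent on cross-site requests (CSRF)")
    return out


def audit(raw_response: str):
    """Return a list of findings; an empty list means the response passed every check."""
    _, headers = parse_response(raw_response)
    single = {n: v for n, v in headers if n != "set-cookie"}   # Set-Cookie may repeat
    findings = [f"missing {n}: {why}" for n, why in EXPECTED.items() if n not in single]
    m = re.search(r"max-age=(\d+)", single.get("strict-transport-security", ""))
    if m and int(m.group(1)) < ONE_YEAR:
        findings.append("strict-transport-security: max-age shorter than one year")
    csp = single.get("content-security-policy", "")
    if "frame-ancestors" not in csp and "x-frame-options" not in single:
        findings.append("no framing restriction: add X-Frame-Options or CSP frame-ancestors")
    if "unsafe-inline" in csp:
        findings.append("content-security-policy: 'unsafe-inline' lets injected inline scripts run")
    for n, v in headers:
        if n == "set-cookie":
            findings.extend(cookie_findings(v))
    return findings


# Constructed responses: the same page served without and with hardening.
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n<html>..."
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n<html>..."
)
```

Running `audit(WEAK)` yields seven findings (three missing headers, no framing restriction, three cookie attributes), while `audit(HARDENED)` yields none. Set-Cookie is handled separately from the other headers because it legitimately appears more than once per response.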
29
Q

Explain Code Signing

A

• Application code can be digitally signed by the developer, so whoever runs it can confirm who published it and that it has not been modified since
• Asymmetric cryptography:
  ○ A trusted CA issues the developer a code-signing certificate, which binds the developer's identity to their public key
  ○ The developer signs (a hash of) the code with their private key
  ○ The user's system checks the signature with the public key from the certificate, and the certificate against the CA

30
Q

How can applications be allowed or denied?

A

• Allow lists and deny lists can be made to control what applications may run on a system
• Lists may be based on, for example:
  ○ The application's hash
  ○ A certificate, for digitally signed applications
  ○ The application's path, allowing applications to run only from certain folders
  ○ The application's network zone

31
Q

Explain SAST

A

• Static Application Security Testing
• A tool that performs automated analysis of source code to identify security flaws, without running the program
• Findings and recommendations are reported, and still need to be manually verified and applied (expect false positives)
• Not all flaws can be identified this way, such as authentication/authorization logic errors and insecure use of cryptography

32
Q

Name a tool that can scan and verify what ports are open

A

• Nmap

33
Q

Define SED

A

• Self-Encrypting Drive
• Hardware-based full disk encryption, performed by the drive's own controller
• No operating system software needed
• Follows the TCG "Opal" storage specification

34
Q

What functions may a Load Balancer perform? (six answers)

A

• Primary function is to distribute the load across multiple servers
• May also perform any of the following:
  ○ TCP offload (the balancer terminates TCP connections, rather than the servers)
  ○ SSL offload (encryption/decryption, so that communication between balancer and servers is in the clear; note that this leaves the internal leg unencrypted)
  ○ Caching (keeps a copy of common responses on the balancer, so it can respond quickly on behalf of the servers)
  ○ Prioritization / QoS
  ○ Content switching (application-centric balancing, directing different functions to different servers)

35
Q

Explain Scheduling and list four possible methods

A

• Scheduling is the method of determining which server a load balancer will direct a request to
• Example Active/Active methods:
  ○ Round-Robin (each server selected in turn)
  ○ Weighted Round-Robin (some servers get a larger share of requests than others, rather than equal)
  ○ Dynamic Round-Robin (distribute traffic to the server with the lowest current load)
• Active/Passive scheduling only routes traffic to a "passive" server if an active server fails (the passive server then becomes active)

36
Q

Define Affinity

A

• In load balancing, affinity ("sticky sessions") ties a user to a specific server, so that whenever they reconnect they are directed to the same server as before
• Often based on source IP address / port number or a session ID
• Used when an application keeps per-session state on the server and requires communication with the same instance

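The scheduling methods of card 35 and the affinity of card 36, as an added Python example (not part of these flashcards): a small balancer that applies sticky sessions first, then round-robin, weighted round-robin, dynamic (least-load) or active/passive selection. Backend names, weights and loads are constructed.

```python
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    weight: int = 1        # share of traffic under weighted round-robin
    load: int = 0          # current connections, consulted by dynamic round-robin
    healthy: bool = True   # health-check result; unhealthy servers are skipped


class LoadBalancer:
    """Picks a backend per client; session affinity is applied before any scheduling method."""

    def __init__(self, backends, method="round_robin"):
        self.backends = backends
        self.method = method
        self.counter = 0       # position in the round-robin rotation
        self.affinity = {}     # client key (here the source IP) -> Backend

    def pick(self, client_ip: str) -> Backend:
        sticky = self.affinity.get(client_ip)
        if sticky is not None and sticky.healthy:
            return sticky                          # returning client goes back to the same server
        healthy = [b for b in self.backends if b.healthy]
        if not healthy:
            raise RuntimeError("no healthy backends")
        if self.method == "round_robin":
            choice = healthy[self.counter % len(healthy)]
            self.counter += 1
        elif self.method == "weighted_round_robin":
            rotation = [b for b in healthy for _ in range(b.weight)]   # weight 3 => 3 slots
            choice = rotation[self.counter % len(rotation)]
            self.counter += 1
        elif self.method == "dynamic_round_robin":
            choice = min(healthy, key=lambda b: b.load)                # least-loaded wins
        elif self.method == "active_passive":
            choice = healthy[0]   # backends listed in priority order; passive used only after active fails
        else:
            raise ValueError(f"unknown method {self.method}")
        self.affinity[client_ip] = choice
        choice.load += 1
        return choice


def simulate(method: str, clients, backends=None):
    """Run a sequence of client IPs through a balancer and return the chosen server names."""
    if backends is None:
        backends = [Backend("web1", weight=3), Backend("web2"), Backend("web3")]
    lb = LoadBalancer(backends, method)
    return [lb.pick(ip).name for ip in clients]


def failover_demo():
    """Active/passive: traffic moves to the standby only once the active server fails its health check."""
    primary, standby = Backend("primary"), Backend("standby")
    lb = LoadBalancer([primary, standby], "active_passive")
    before = lb.pick("10.0.0.1").name
    primary.healthy = False
    after = lb.pick("10.0.0.1").name      # sticky target is down, so affinity is overridden
    return before, after
```

Affinity is checked before scheduling and is dropped only when the sticky server fails its health check; that is the behaviour that makes sticky sessions safe to combine with any of the active/active methods.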
37
Q

Explain Extranet

A

• Similar in structure to a DMZ, but usually requires additional authentication to access, rather than allowing any public access
• Often used for partners, vendors, suppliers, etc. to gain access to internal resources

38
Q

Define East-West Traffic

A

• Traffic between devices in the same data center
• Includes traffic between separate customers within the same data center, which is why it also needs segmentation and inspection

39
Q

Define North-South Traffic

A

• A term for a data center's ingress/egress traffic to and from an outside device
• Usually requires a stricter security posture than east-west traffic

40
Q

Define Concentrator

A

• The device that terminates VPN tunnels, performing the encryption and decryption for each connection
• Often integrated into a firewall, but can also be a standalone device

41
Q

Explain SSL VPN

A

• Uses the common SSL/TLS protocol (tcp/443)
• Therefore usually does not run into any firewall issues
• Can authenticate users
• The client doesn't require digital certificates or shared secrets; only the VPN server presents a certificate, as with any HTTPS site
• Can be run from within a browser or a light VPN client; often doesn't require a full VPN client

42
Q

Explain HTML5 VPN

A

• HTML5 includes API support for cryptography in the browser (the Web Cryptography API)
• Allows for the creation of a VPN tunnel in a browser without any VPN application

43
Q

Explain L2TP

A

• Layer 2 Tunneling Protocol
• Connects sites over a layer 3 network as though they were connected at layer 2
• Provides no encryption of its own, so it is commonly implemented with IPsec (L2TP for the tunnel, IPsec for the encryption)
  ○ Referred to as L2TP over IPsec or L2TP/IPsec

44
Q

Explain Transport Mode vs. Tunnel Mode

A

• IPsec modes of operation
• In transport mode, only the payload of the IP packet is protected; the original IP header stays visible, so the endpoints of the traffic are exposed (typically host-to-host)
• In tunnel mode, the whole original packet (IP header and payload) is encrypted, and a new IP header is added that directs the packet to the VPN concentrator on the other side of the tunnel (typically site-to-site)

45
Q

Define Broadcast Storm Control

A

• A security feature of switches
• Limits the number of broadcasts per second
• Often also used to control multicast and unknown-unicast traffic
• Can be managed either by specific values, percentages, or deviation from baseline behavior

46
Q

Define BPDU

A

• Bridge Protocol Data Unit
• The frames that switches exchange to run Spanning Tree Protocol (STP)

47
Q

Define BPDU Guard

A

• If a BPDU frame is seen on a PortFast-configured interface, the interface will shut down (err-disabled)
• This is because PortFast interfaces are only supposed to connect to endpoints, which would never send BPDUs; a BPDU means a rogue or misplaced switch

48
Q

Define PortFast

A

• Cisco's term for the feature of bypassing the STP listening and learning states when a device is plugged in
• Configured for ports that are known to connect only to endpoints, so STP is not needed since an endpoint won't create a loop
• STP takes 20-30 seconds to decide how to handle a new connection, so bypassing it saves time

49
Q

Explain MAC Filtering

A

• Limiting access to the network based on an allow list of MAC addresses
• Security through obscurity
• Not very secure, since allowed MACs on the network can be easily discovered (they are sent in the clear in every frame) and spoofed

50
Q

List some security implications of IPv6 (four bullets)

A

• No need for NAT
• Some attack types no longer apply (such as ARP spoofing, since IPv6 has no ARP; it uses Neighbor Discovery instead)
• But some new attack types apply, such as Neighbor Cache Exhaustion
• It is not necessarily more or less secure than IPv4, it's just different

51
Q

Define Neighbor Cache Exhaustion

A

• An IPv6 attack which fills up the neighbor cache on devices (for example by sending traffic to many unused addresses in a /64, forcing a Neighbor Discovery entry for each)
• Can make a system unable to communicate with other devices on the network

52
Q

Define SPAN

A

• Switched Port ANalyzer
• Cisco's name for port mirroring: the switch copies traffic from selected ports or VLANs to a monitoring port, where a capture or IDS system listens
• A software alternative to a physical network tap

53
Q

Define FIM

A

• File Integrity Monitoring
• Monitoring changes to files that should never change (system binaries, configuration files)
• Works by recording a baseline of each file's hash and attributes, then comparing against it
• Notifies when changes occur

54
Q

Two examples of FIM tools?

A

• Tripwire: real-time FIM tool for Linux
• SFC (System File Checker): on-demand FIM for Windows

55
Q

Define Stateless Firewall

A

• Older style of firewall that does not keep track of traffic flows (sessions)
• Each packet is judged on its own against the access rules, so return traffic for a request that originated on the firewall's internal network still needs its own inbound rule
• Access rules are therefore required for both directions of a session's traffic
• Security concern: those inbound rules (e.g. "allow anything from source port 443") also admit unsolicited external traffic that merely looks like a reply

56
Q

Explain UTM

A

• Unified Threat Management
• An all-in-one security appliance
• Firewall, content filter, anti-malware, spam filter, IDS/IPS, VPN endpoint, etc.
• A precursor to the NGFW

57
Q

Explain WAF

A

• Web Application Firewall
• Applies rules to HTTP/HTTPS conversations
• Instead of looking at ports and IPs, it allows or denies based on the expected input to the application (e.g. blocking SQL injection patterns in a form field)

58
Q

If a firewall has an implicit deny, why might an admin create an explicit deny for a specific service?

A

• Implicit denies are not logged. Creating an explicit rule means an attempted access will generate a log entry, which is what you want for a service attackers are known to probe

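Stateless versus stateful filtering (card 55) and the logging point of card 58, as an added Python example (not part of these flashcards): the same packets go through a rule list with connection tracking on and off. Rules, addresses and packets are constructed; the point is that the stateless rule needed to let replies in also admits unsolicited traffic, and that only an explicit deny produces a log entry.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (arriving from the Internet) or "out" (leaving the inside network)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # TCP SYN without ACK: a brand-new connection attempt


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    direction: str
    proto: str
    dport: Optional[int] = None
    sport: Optional[int] = None
    log: bool = False           # explicit rules can log; the implicit deny at the end never does

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and (self.dport is None or self.dport == p.dport)
                and (self.sport is None or self.sport == p.sport))


class Firewall:
    def __init__(self, rules, stateful: bool):
        self.rules = rules
        self.stateful = stateful
        self.sessions = set()   # flows opened from inside; only consulted when stateful
        self.log = []

    @staticmethod
    def _flow(p: Packet):
        """Normalize to (proto, inside_ip, inside_port, outside_ip, outside_port) so a reply
        maps to the same key as the outbound request that created the session."""
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        if self.stateful and p.direction == "in" and not p.syn_only and self._flow(p) in self.sessions:
            return "allow (established)"          # reply to a session we opened: no rule needed
        for r in self.rules:
            if r.matches(p):
                if r.log:
                    self.log.append(f"{r.action} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
                if r.action == "allow" and p.direction == "out" and self.stateful:
                    self.sessions.add(self._flow(p))   # remember the flow so its replies get in
                return r.action
        return "deny (implicit, not logged)"      # fell off the end of the rule list


BASE_RULES = [
    Rule("allow", "out", "tcp"),                      # inside hosts may connect out
    Rule("allow", "in", "tcp", dport=443),            # the published web server
    Rule("deny", "in", "tcp", dport=23, log=True),    # explicit deny so telnet attempts are logged
]
# A stateless firewall has no session table, so replies need their own inbound rule:
STATELESS_RULES = BASE_RULES + [Rule("allow", "in", "tcp", sport=443)]


def demo(stateful: bool):
    """Same traffic through both firewall types; returns (decisions, log entries)."""
    fw = Firewall(BASE_RULES if stateful else STATELESS_RULES, stateful)
    traffic = [
        Packet("out", "tcp", "10.0.0.5", 50000, "203.0.113.10", 443, syn_only=True),  # inside -> web
        Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.5", 50000),                   # legitimate reply
        Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 445, syn_only=True),      # unsolicited, dressed as a reply
        Packet("in", "tcp", "198.51.100.7", 40000, "10.0.0.5", 23, syn_only=True),     # telnet probe
        Packet("in", "tcp", "198.51.100.7", 40001, "10.0.0.5", 445, syn_only=True),    # SMB probe
    ]
    return [fw.process(p) for p in traffic], fw.log
```

With `stateful=True` the third packet (a SYN from source port 443 to the inside SMB port) hits the implicit deny; with `stateful=False` the "allow from source port 443" rule that replies depend on lets it straight through. In both cases only the telnet probe appears in the log, because only its rule is an explicit, logged deny.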
59
Q

What is an advantage of host-based firewalls?

A

• Since it runs on your local machine, it can see traffic from an encrypted communication (HTTPS, etc.) after it is decrypted locally, and it knows which process is sending or receiving

60
Q

Define Dissolvable Agent

A

• Used for Network Access Control
• For running health checks and posture assessment on devices on, or connecting to, the network
• No installation required
• Runs during the assessment, and terminates when no longer required

61
Q

Define Agentless NAC

A

• Used for Network Access Control
• For running health checks and posture assessment on devices on, or connecting to, the network
• Integrated with Active Directory
• Checks are made during login and logoff
• Only runs at those times; cannot be scheduled

62
Q

What functions may a Proxy Server perform? (list 5)

A

• Keeping a local cache of information
• Access control
• URL filtering
• Content scanning
• A reverse proxy examines incoming requests from the Internet before sending them to a web server

63
Q

Define Transparent Proxy Server

A

• A proxy server on a network where endpoints don't need to be explicitly configured to use it, and aren't aware of it (traffic is redirected to the proxy by the network)

64
Q

What does this stand for? NIDS

A

• Network-based Intrusion Detection System

65
Q

What does this stand for? NIPS

A

• Network-based Intrusion Prevention System

66
Q

What is an out-of-band response?

A

• When a passive IPS (not in-line with traffic, e.g. fed from a SPAN port) identifies malicious traffic and sends a TCP RST (reset) to one or both ends to tear the connection down
• It does not prevent the original packet from getting through, but disrupts the traffic flow and prevents further communication
• The reset is part of the TCP protocol; this response does not work with UDP traffic

67
Q

What methods can be used by an IPS to identify malicious activity? (Four answers)

A

• Signature-based: must match a known pattern exactly
• Anomaly-based: create a baseline of what's normal to detect unusual activity
• Behavior-based: programmed to know what certain malicious activities look like
• Heuristics: use artificial intelligence and big data

68
Q

Define Jump Server

A

• A system that you connect to in order to access other internal systems
• Must be highly secured, hardened, and monitored, since compromising it exposes everything behind it

69
Q

Define HSM

A

• Hardware Security Module
• A dedicated, tamper-resistant hardware device (appliance or plug-in card) for performing cryptographic functions and storing keys, certificates, etc.; private keys never leave the device in the clear
• Used in very large environments with many devices that need cryptographic keys
• Usually installed in clusters with lots of redundancy
• Built with specialized hardware designed for cryptography
• Can act as a proxy to offload encrypted communication for web servers, forwarding the traffic to the web servers in the clear

70
Q

What does this stand for? MIC

A

• Message Integrity Check

71
Q

Define: CCMP

A

• Stands for: Counter Mode with CBC-MAC Protocol
• Built on the CCM block cipher mode
• The type of encryption used with WPA2
• Uses AES (counter mode) for confidentiality
• Uses CBC-MAC for the MIC

72
Q

Define: CBC-MAC

A

• Cipher Block Chaining Message Authentication Code
• A form of MIC (Message Integrity Check)

73
Q

Define: GCMP

A

• Galois/Counter Mode Protocol
• Built on the GCM block cipher mode
• The type of encryption used in WPA3
• Uses AES for confidentiality
• Uses GMAC for the MIC

74
Q

Define: GMAC

A

• Galois Message Authentication Code
• A form of MIC

75
Q

What security advantages does WPA3 have over WPA2?

A

• WPA2-Personal is susceptible to offline brute-force/dictionary attacks: an attacker captures the four-way handshake and guesses the passphrase offline. Once the passphrase is known, an attacker can read the communication of all devices
• WPA3 uses:
  ○ mutual authentication
  ○ SAE, which creates a shared session key without sending that key (or the passphrase) across the network, so a captured handshake cannot be attacked offline
  ○ perfect forward secrecy

76
Q

Explain: Perfect Forward Secrecy

A

• A fresh session key is created for each session, and disposed of when the session is over
• New sessions create a new key, so compromising one session's key (or a long-term key later on) does not expose past sessions
• Used, among other places, in WPA3

77
Q

Explain: SAE

A

• Simultaneous Authentication of Equals
• A Diffie-Hellman derived key exchange (same process), but with an authentication component added (the password is folded into the exchange)
• Defined in the IEEE 802.11 standard
• Sometimes called the Dragonfly handshake
• Used, among other places, in WPA3

78
Q

Describe WPS from a security standpoint.

A

• Best practice is to disable it
• If the access point does not have brute-force protection built in, the PIN is extremely easy to brute force
• The PIN is 8 digits, but the last digit is a checksum of the first seven, and the access point confirms the first four digits separately from the remaining three, so only 10^4 + 10^3 = 11,000 guesses are needed in the worst case (rather than 10^8)
• Brute-force lockouts are now the norm in new firmware, but many devices out there still don't have them

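Why the number is 11,000, as an added Python example (not part of these flashcards): the checksum function is the one the WPS specification defines (as implemented in hostapd/wpa_supplicant), and the AccessPoint class is a constructed stand-in that, like a real registrar, reveals whether each half of the PIN is correct separately. With no lockout the attack finishes in at most 11,000 tries; with one it stalls.

```python
from typing import Optional


def wps_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit WPS PIN body (the algorithm hostapd/wpa_supplicant use)."""
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class LockedOut(Exception):
    pass


class AccessPoint:
    """Constructed stand-in for a WPS registrar. Like the real protocol, it answers the first
    four digits (M4 stage) separately from the next three (M6 stage), which is the whole problem."""

    def __init__(self, pin: str, max_failures: Optional[int] = None):
        assert wps_pin_valid(pin)
        self.pin = pin
        self.max_failures = max_failures   # None models firmware with no brute-force lockout
        self.attempts = 0
        self.failures = 0

    def _attempt(self, ok: bool) -> bool:
        if self.max_failures is not None and self.failures >= self.max_failures:
            raise LockedOut
        self.attempts += 1
        if not ok:
            self.failures += 1
        return ok

    def first_half_ok(self, half: str) -> bool:
        return self._attempt(half == self.pin[:4])

    def second_half_ok(self, first: str, second: str) -> bool:
        return self._attempt(first == self.pin[:4] and second == self.pin[4:7])


def brute_force(ap: AccessPoint):
    """Online attack: at most 10^4 tries for the first half, then 10^3 for the second.
    Returns (recovered_pin or None, attempts made)."""
    try:
        first = next(h for h in (f"{i:04d}" for i in range(10_000)) if ap.first_half_ok(h))
        second = next(h for h in (f"{i:03d}" for i in range(1_000)) if ap.second_half_ok(first, h))
    except LockedOut:
        return None, ap.attempts
    body = first + second
    return body + str(wps_checksum(int(body))), ap.attempts
```

The worst case, PIN 99999995, costs exactly 10,000 + 1,000 attempts; an 8-digit PIN verified as a whole would have needed up to 10^7 even with the checksum known. A lockout after a handful of failures ends the attack almost immediately, which is why the card recommends it as the fallback when WPS cannot simply be disabled.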
79
Q

How can WPS authenticate a device?

A

• A PIN (which is easily brute-forced)
• A physical button to push on the WAP
• NFC

80
Q

What type of authentication does WPA2-Enterprise use?

A

• 802.1X

81
Q

Explain 802.1X

A

• A type of network access control that requires authentication before a device may use the network, whether wired or wireless
• Typically uses a central authentication database such as RADIUS, LDAP, TACACS+, etc.
• The authenticator (the switch or access point that provides network access) relays the exchange between the supplicant (client) and the authentication server

82
Q

Define NAC

A

• Network Access Control
• 802.1X is the IEEE standard for port-based NAC: the port stays closed until the attached device authenticates
• NAC in general may also include posture assessment (health checks) before access is granted

83
Q

Define: EAP

A

• Extensible Authentication Protocol
• The authentication framework used by 802.1X, as well as many other types of authentication for wireless networks
• Supports multiple types of authentication ("EAP methods")
• Manufacturers can build their own EAP methods

84
Q

Explain: EAP-FAST

A

• EAP Flexible Authentication via Secure Tunneling
• Ensures that the authentication server and supplicant can communicate with each other over a secure tunnel
• The server provides a protected access credential (PAC), i.e. a shared secret, to the supplicant; they mutually authenticate and negotiate a TLS tunnel, and user authentication occurs inside the TLS tunnel

85
Q

Define: PAC

A

• Protected Access Credential
• A shared secret, used in EAP-FAST

86
Q

Define: AS

A

• The acronym used for the Authentication Server in EAP

87
Q

Define PEAP

A

• Protected EAP (Extensible Authentication Protocol)
• Created by Cisco, Microsoft, and RSA Security
• Similar to EAP-FAST, but instead of a PAC (Protected Access Credential), the AS uses a digital certificate to set up the TLS tunnel
• (As with a web server, the client does not need its own certificate, only the server does)
• The user then authenticates inside the tunnel, using MSCHAPv2 for Microsoft environments, or GTC

88
Q

What does this stand for? MSCHAPv2

A

• Microsoft Challenge Handshake Authentication Protocol version 2

89
Q

What does this stand for? GTC

A

• Generic Token Card

90
Q

Explain: EAP-TLS

A

• EAP with TLS
• Similar to PEAP, but requires a digital certificate on the client as well as the AS, so they can mutually authenticate
• Once the devices have authenticated each other, the TLS tunnel is built for the user authentication process
• Complex implementation, as it requires every client device to have a certificate (and therefore a PKI to issue and revoke them)
• May not be suitable, as not all devices can support the use of digital certificates

91
Q

Explain: EAP-TTLS

A

• EAP Tunneled TLS
• Similar to PEAP: builds a TLS tunnel using the digital certificate of the AS
• (Does not require the supplicant to have a certificate)
• Can use any authentication method inside the TLS tunnel, including other EAP methods, MSCHAPv2, or legacy methods such as PAP

92
Q

Define Wireless Controller

A

• A centralized management device for wireless access points
• Allows management of system configuration, performance, updates, etc.

93
Q

Define MCM

A

• Mobile Content Management
• Controls for securing access to data and protecting it from outsiders
• Managed from the mobile device manager (MDM)
• May include controls for file sharing and viewing, as well as DLP and encryption requirements

94
Q

Explain Context-Aware Authentication

A

• An emerging technology
• Looks at multiple contexts to determine whether a login attempt is likely to be authentic
• Contexts may include:
  ○ Device IP address
  ○ GPS information
  ○ Devices connected / Bluetooth-paired to the device
  ○ more

95
Q

In the context of BYOD, define: Containerization

A

• The separation of enterprise mobile apps and data from personal apps and data
• Storage on a mobile device is segmented to keep business data in a contained area with restricted sharing
• Makes offboarding much easier: business data can be wiped without removing personal data

96
Q

Define MicroSD HSM

A

• A small Hardware Security Module, in microSD card form
• Provides security services to mobile devices, such as:
  ○ encryption
  ○ key generation
  ○ digital signatures
  ○ authentication

97
Q

Explain UEM

A

• Unified Endpoint Management
• Similar to MDM, but also manages non-mobile devices
• Allows users to change between devices, such as phone and laptop, and still have the same security and access

98
Q

Explain MAM

A

• Mobile Application Management
• Provision, update, and remove apps from your own enterprise app catalog
• Monitor application use
• Fine-grained control of wiping data

99
Q

Explain SEAndroid

A

• Security Enhancements for Android
• Puts SELinux functions into the Android OS
• Supports additional access control security policies
• Included since Android 4.3 (July 2013), initially in permissive (log-only) mode; enforcing by default from Android 5.0
• Originally developed by the NSA

100
Q

List some security features added by SEAndroid (four answers)

A

• Protects privileged access to Android system daemons
• Adds Mandatory Access Control (MAC) on top of the existing Discretionary Access Control (DAC), so even a process running as root is confined by policy
• Isolates and sandboxes Android apps
• Centralized policy configuration

101
Q

Define: OTA

A

• Over the Air
• A type of firmware update for mobile devices
• Delivered wirelessly without needing to connect to any other device

102
Q

List some capabilities of MDM

A

• Control firmware updates
• Use an allow list or block list of approved / blocked apps
• Control microphone/camera use: disable/enable either always or only in certain locations
• Control SMS/MMS usage by timeframe or location

103
Q

Define USB OTG

A

• USB On-the-Go
• A USB 2.0 standard that allows supported devices to connect directly together
• A mobile device can act as both a host and a device (e.g. acting as storage)
• A security concern, since the phone can read from, or be read by, whatever is plugged into it

104
Q

Define Geotagging

A

• aka GPS tagging
• Adds location to file metadata (photos, for example)
• Can cause a security concern, since someone going through these files can reconstruct a user's movements
• Can be disabled

105
Q

Define COPE

A

• Corporate-Owned, Personally-Enabled
• A mobile deployment model
• Similar to BYOD, but the company buys the device and allows it to also be used for personal use
• Company keeps full control of the device

106
Q

Define CYOD

A

• Choose Your Own Device
• Similar to COPE, but with the user's choice of device

107
Q

Explain VMI

A

• Virtual Mobile Infrastructure
• Like thin clients, mobile phones can connect to a cloud service where the apps and data actually live
• If the device is lost, no data is lost and there is no security concern, since nothing was stored on it
• Allows for centralized app development, since you only need to write for a single VMI platform
• No need to update all individual devices

108
Q

Define AZ

A

• Availability Zone
• Isolated locations within a cloud region (geographic location)
• Each AZ is completely independent (own power, cooling, and networking), so one failing should not take the others down

109
Q

Define HA Across Zones

A

• High Availability across (Availability) Zones
• Highly available applications can be aware of Availability Zones, recognize an outage in a particular zone, and adjust accordingly

110
Q

Define IAM

A

• Identity and Access Management
• Cloud resource security control to determine who gets access, and what they get access to
• Maps job functions to roles
• Granular policies control access by user group, IP, date and time, geolocation, etc.

111
Q

Define VPC Endpoint

A

• Virtual Private Cloud Endpoint
• Allows private cloud subnets to communicate with other cloud services, even without an internet connection
• Facilitates connectivity between VPCs and cloud services such as storage, keeping that traffic off the public Internet

112
Q

What are some tips for container security?

A

• Use OSs that are designed specifically for containers (minimal attack surface)
• Group containers of similar type and sensitivity onto the same host, to limit the scope of any intrusion

113
Q

Define Security Group

A

• In the context of cloud computing:
• Security Groups provide stateful Layer 3/4 firewall rules (protocol, port, source/destination) attached to resources within a VPC (Virtual Private Cloud)
• Not to be confused with Security Groups in Active Directory
• Not sure why they're not just called "VPC Firewalls" or something.

114
Q

Define DAC vs. MAC

A

• Discretionary Access Control / Mandatory Access Control
• In the DAC model, users have control over access to their own data or local computer resources
• In the MAC model, access permissions are set by administrators. Resource objects (such as files) are given security labels assigning a classification and category, which are matched against users' clearances and categories to determine access

115
Q

Explain CASB

A

• Cloud Access Security Broker
• May be installed as client software, run as a local network appliance, or a cloud service
• Four functions:
  ○ Visibility into what apps are in use, what data is being transferred, etc.
  ○ Enforce compliance regulations
  ○ Prevent threats / disallowed or blocked items
  ○ Data security: enforce DLP, encryption, etc.

116
Q

Explain SWG

A

• Next-Gen Secure Web Gateway
• Protects users and devices regardless of location and activity
• Goes beyond just examining Layer 4 (TCP/UDP), URLs, and GET requests
• Examines JSON strings and API requests, to allow or disallow very specific activities

117
Q

Explain IdP

A

• Identity Provider
• A third party providing identity control for another service
• Essentially "Authentication as a Service"
• Commonly used by SSO applications

118
Q

Explain SSH Keys

A

• The use of public/private cryptographic keys to authenticate in SSH instead of a username and password
• Especially used for automation and scripts, since you won't be there to enter a password when the script is running
• Key management is critical: centralize, control, and audit key use (keys don't expire on their own, so orphaned keys accumulate)
• Both open source and commercial SSH key managers are available

119
Q

How to generate and login with an SSH key?

A

• ssh-keygen
  ○ the command in Linux or macOS
  ○ Creates a public/private key pair for authentication (set a passphrase on the private key when prompted)
• Copy the public key to the SSH server (it goes into ~/.ssh/authorized_keys):
  ○ ssh-copy-id user@host
• The private key stays on the client that will be logging in. It is never sent to the server, and copying it to more machines than necessary widens the blast radius if one of them is compromised
• You can now log in with the following command, no password required:
  ○ ssh user@host

120
Q

Explain KBA

A

• Knowledge-Based Authentication
• A form of "something you know"
• Static KBA: pre-configured security questions, often used for account recovery
  ○ Ex., what was your first car?
• Dynamic KBA: not pre-configured, but pulled from some other source, often an identity verification service
  ○ Ex., which of the following addresses did you live at in 1999?

121
Q

Explain PAP

A

• Password Authentication Protocol
• An old, basic authentication method
• Rare today; used only in legacy systems
• No encryption: the username and password travel in the clear; designed for analog dial-up connections
• When used today, PAP is typically carried inside an encrypted tunnel that the surrounding protocol provides (for example inside EAP-TTLS), so the credentials are not exposed on the wire

122
Q

Explain CHAP

A

• Challenge-Handshake Authentication Protocol
• A step up from PAP: the password itself is never sent over the network
• The server sends a random challenge (plus an identifier); the client replies with a hash (MD5 in the original RFC) of the identifier, the shared password, and the challenge
• The server computes the same hash from its own copy of the password and compares, which verifies both sides hold the password without sending it
• This challenge-response may be repeated periodically during the connection, invisible to the user
• A captured challenge/response pair can still be attacked offline by guessing passwords, so the strength depends on the password

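The CHAP exchange of card 122 end to end, as an added Python example (not part of these flashcards), with the PAP contrast of card 121 in mind: both sides compute MD5(identifier || secret || challenge) as RFC 1994 specifies, a replayed response is rejected, and an eavesdropper's offline guessing of the captured exchange succeeds against a weak secret. Secrets, names and the wordlist are constructed.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || Challenge). The secret never goes on the wire."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues challenges and verifies responses against its copy of each secret."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # name -> shared secret (held by the NAS or its RADIUS server)
        self.ident = 0
        self.pending = {}           # name -> (ident, challenge) currently outstanding

    def challenge(self, name: str):
        self.ident = (self.ident + 1) & 0xFF                  # 8-bit identifier, incremented per challenge
        chal = os.urandom(16)                                 # fresh, unpredictable challenge
        self.pending[name] = (self.ident, chal)
        return self.ident, chal

    def verify(self, name: str, ident: int, response: bytes) -> bool:
        expected_ident, chal = self.pending.pop(name, (None, None))
        if chal is None or ident != expected_ident or name not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[name], chal)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Client side: holds the secret and answers challenges."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes):
        return ident, chap_response(ident, self.secret, challenge)


def offline_guess(ident: int, challenge: bytes, response: bytes, wordlist):
    """What an eavesdropper can do with one captured exchange: guess secrets offline."""
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


def demo():
    """Returns (genuine login ok, replayed response ok, wrong secret ok, offline-cracked secret)."""
    secret = b"Summer2024"                                    # constructed weak secret
    server = ChapAuthenticator({"alice": secret})
    alice = ChapPeer("alice", secret)

    ident, chal = server.challenge("alice")
    captured = alice.respond(ident, chal)                     # an eavesdropper records this
    genuine_ok = server.verify("alice", *captured)

    server.challenge("alice")                                 # new session, new challenge
    replay_ok = server.verify("alice", *captured)             # old response no longer matches

    ident3, chal3 = server.challenge("alice")
    wrong_ok = server.verify("alice", *ChapPeer("alice", b"wrong").respond(ident3, chal3))

    cracked = offline_guess(ident, chal, captured[1], [b"password", b"Winter2023", b"Summer2024"])
    return genuine_ok, replay_ok, wrong_ok, cracked
```

Compared with PAP, nothing an eavesdropper sees is directly reusable: the response is tied to a one-time challenge. The last return value shows the remaining weakness that card 122 notes and that MS-CHAP (next card) shares: one captured exchange is enough material for an offline guessing attack, so the secret's strength is the whole defence.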
123
Q

Explain MS-CHAP

A

• Microsoft's implementation of CHAP
• MS-CHAP v2 is the most recent version
• Both v1 and v2 are insecure and should not be used on their own: the response is computed with DES keys derived from the password hash
• 56-bit DES is brute-forceable, so a captured exchange can be cracked offline to recover the hash

124
Q

Explain TACACS

A

• Terminal Access Controller Access-Control System
• A remote authentication protocol
• Originally built for analog dial-up lines
• Created for access to ARPANET

125
Q

Explain XTACACS

A

• Extended TACACS
• Cisco's proprietary version of TACACS
• Has additional support for accounting and auditing

126
Q

Explain TACACS+

A

• The latest version of TACACS, released by Cisco in 1993
• If using TACACS today, it is probably this version
• Separates authentication, authorization, and accounting, and encrypts the whole packet body
• Adds more authentication request and response types

127
Q

Explain Kerberos

A

• A network authentication protocol
• Authenticate once, then you are trusted by the system and don't need to re-authenticate to access resources
• A server (the KDC) provides a "ticket" that your system uses to authenticate to other systems without entering the password again
• Mutual authentication (client and service both prove their identity), with timestamps in tickets to limit replay and protect against on-path attacks
• A standard since the 1980s (MIT); Microsoft began using it in Windows 2000

128
What databased may be used on the backend of IEEE 802.1X?
• Can work with a variety, including: • RADIUS • LDAP • TACACS+
129
Define SAML
• Security Assertion Markup Language • An open standard for authentication and authorization • Authenticate through a third-party to gain access • Not designed to support mobile apps, so is likely to decline in usage as time goes on
130
What is the flow of SAML?
• Client accesses resource server • Resource server sends signed/encrypted SAML request to client, and directs them to the authorization server • Client signs into the authorization server • Authorization server provides SAML token • Client sends SAML token to resource server and gains access
131
Explain OAuth
• Open Authorization • An authorization framework with significant industry support • Determines what resources a user can access • Does not authenticate, only authorizes • Often used to provide authorization between applications • Ex. "Datto wants permissions to your Microsoft 365 account for the following. Do you want to allow this?"
132
Explain ABAC
• Attribute-Based Access Control • Next-gen authorization model, aware of context • Combines and evaluates multiple parameters to determine access • Ex. IP address, time of day, desired action, etc.
133
Explain PAM
• Privileged Access Management • Centralized management of administrative / superuser accounts • When an admin needs to perform an administrative task or gain access, they make a request from the vault, and the privileged access they need is granted only temporarily ("checked out") • Enables automation • Manages access for each user • Extensive tracking and auditing
134
Explain CRL
• Certificate Revocation List • Maintained by the CA • Contains many revocations in a large file which changes all the time.
135
Explain OCSP
• Online Certificate Status Protocol • Allows a web browser to check the revocation status of a single certificate • Requests are usually sent to an OCSP responder, managed by the CA, via HTTP • More efficient than downloading an entire CRL just to check one certificate • Most modern browsers support OCSP, but some older browsers and apps do not.
136
Define: DV
• Domain Validation Certificate • SSL certificate that shows the owner of the certificate is in control of the DNS domain • This is the most common certificate used by websites
137
Define EV
• Extended Validation Certificate • Like a DV, but additional checks have verified the certificate owner's identity • Browsers will show a name in the address bar next to the padlock icon that indicates the SSL connection • Not common anymore; since SSL has become standard, there's not much point in promoting your use of it.
138
Explain X.509
• The standard structure for digital certificates
139
Explain DER
• Distinguished Encoding Rules • A type of binary encoding format • Common and used across many platforms • Perfect for an X.509 certificate
140
Explain PEM
• Stands for "Privacy-Enhanced Mail" • An encoded X.509 certificate in ASCII format • Makes it easier to read and e-mail, rather than the binary form of DER • The most common format provided by CAs
141
Define PKCS #12
• Public Key Cryptography Standards #12 • A container format for many certificates • Store multiple X.509 certs in a single .p12 or .pfx file • Often used to transfer a private and public key pair • The container can be password protected
142
Define CER
• An X.509 file extension used primarily by Windows • Can be encoded either as binary DER or as ASCII PEM format • Usually only contains a public key; private keys would be transferred in the .pfx file format
143
Define PKCS #7
• Public Key Cryptography Standards #7 • Contains certificates and chain certificates; but does not include private keys • .p7b file extension • ASCII format • Wide support across multiple OSs and platforms
144
Explain OCSP Stapling
• Instead of the CA needing to respond to all OCSP requests, the certificate holder can verify their own status • Status information is stored on the certificate holder's server • OCSP status is "stapled" into the SSL/TLS handshake, digitally signed by the CA
145
Explain Pinning
• To ensure that you're really communicating with the legitimate server, you can "pin" the expected certificate or public key to an application. • You then compare that pinned certificate to what you see when actually communicating with the server. • The cert must be compiled into the app, or added at first run. • If the expected cert doesn't match the certificate the server presents, the application can either shut down, show a message, etc.
146
List 5 types of PKI trust relationships.
• Single CA • Hierarchical (Single root CA with intermediate and leaf CAs) • Mesh (CAs that all certify each other; does not scale well) • Web-of-trust (alternative to traditional PKI) • Mutual Authentication (Server and client both authenticate to each other)
147
Explain Key Escrow
• When your private keys (decryption keys) are kept and controlled by a 3rd party • Ex., A business might store employee information in encrypted form, and only be able to access that private info if the request is validated by the 3rd party • Requires trust of the 3rd party and very specific and clear processes and procedures for validation
148
What does this stand for? FDE
• Full Disk Encryption
149
What does this stand for? HIDS
• Host-based Intrusion Detection System