CISSP Domain 5 - Flashcards

Question

IAAA - Authentication - Factors - Single Factor Authentication

Answer 1

Using one of the 3 factors

Answer 2

* aka Strong Authentication | * Requires at least 2 factors

Answer 3

* Balance needs to be reached - Stringent policies - Usability

Answer 4

* Definition: Having multiple systems update passwords at the same time * Goal: To avoid supporting multiple sets of credentials per user * Upside: If the password remains constant, the user is able to memorize a stronger password * Downside: By stealing one set of credentials, an attacker can have access multiple systems

Answer 5

* Goal: To avoid manual reset process which results in resource drain * 3-step process 1) The user provides an alternative means of authentication 2) An e-mail is sent with a link. The link contains a random globally-unique identifier (GUID) that is tied to the password reset request 3) The link is clicked. The system allows the user to enter a new password

Answer 6

1) The user interacts with a helpdesk person 2) The helpdesk agent enters the answers to the security questions into an application 3) A new password is generated known to both the helpdesk person and the user 4) When the user logs in the next time, the system requires a new valid password to be provided before access will be granted

Answer 7

* Keeps all passwords the same across multiple systems * Provides a single infrastructure to manage credentials that all system leverage * Thin clients: - Can take advantage of SSO - On boot up the device prompts the user for credentials, which are then authenticated using SSO to a central server or mainframe - This allows the thin client to use multiple services with a single authentication step visible to the user * Issues - Can be very expensive - Single point of failure - Possible bottleneck - An attacker can access multiple systems with a single set of credentials

Answer 8

* Process of creating, modifying and decommissioning user accounts on all appropriate systems * Automated process -Required to effectively manage this activity - Benefits - Reduces errors caused by manual data entry - Each step in the process is tracked and logged (accountability) - Ensures the appropriate amount of privileges are assigned - Eliminates orphaned user accounts when employees leave the company - Makes auditors happy - Downside - Very expensive to implement

Answer 9

* Definition: The act of creating user objects and attributes * User account: Includes other metadata * User: Simply represents the object * Profile: - Created to accompany a user account - Contains data as * Addresses * Phone numbers

Answer 10

Act of verifying an individual's identity based on physiological or behavioral attributes

Answer 11

* Physical attributes that are unique to the individual * What you are * Examples - Fingerprints - Voice print

Answer 12

* What you do * Examples - Handwriting signature - Height

Answer 13

* Type 1 error - Rejects an authorized individual - False Rejection Rate (FRR) * Type 2 error - Accepts an unauthorized individual - False Acceptance Rate (FAR) - Much more concerning * Crossover Error Rate (CER) - Measures the point at which the FRR equals the FAR - Is expressed as a percentage

Answer 14

* Fingerprints: A complete record of ridges and valley on a finger * Finger scan: Certain features of a fingerprint * Palm scan: Fingerprint and the creases, ridges and grooves of the palm * Hand geometry: The shape, length and width of hand and fingers * Retina scan: Blood-vessel patterns on the back of an eyeball. Most invasive * Iris scan: The colored portion surrounding the pupil. Most accurate * Signature Dynamics: The speed and movements produced when signing a name * Keystroke dynamics: The speed and pauses between each keypress as a password is typed * Voice print: - A number of words are recorded during enrollment - During authentication the words are jumbled - The user repeats them to prevent a recording from being played * Facial scan: Bone structure, nose ridge, eye widths, forehead size and chin shape * Hand topography: A side camera captures the contour of the palm and fingers; not unique enough to be sued alone but can often be used with hand geometry

Answer 15

* User acceptance * Enrollment timeframe: The enrollment phase may take a long time * Throughput: Acceptable elapsed time: 5 to 10 seconds * Accuracy over time

Answer 16

* Electronic monitoring * Password file * Brute-force attack * Dictionary attack * Rainbow table: Use all likely passwords in a table already hashed * Social engineering

Answer 17

* After login, for the prior successful login attempt show - Date/time - How many unsuccessful attempts were made - Location of the login * Set clipping level * Password aging: Limit the lifetime of a password * Password history: The last 5-10 passwords should be stored

Answer 18

Tool that checks the strength of passwords

Answer 19

Tool that tries to crack passwords using one or more attack techniques

Answer 20

* Forces a person to enter information about a graphical image that is very difficult for computers to process * This proves that a real person is entering information instead of a computer- based automated process

Answer 21

* Good for a one-time use only * Types - Synchronous - Asynchronous * Formats - Physical - Smartphone app - Text message * Synchronous Token device - Hand-held password generator with small screen and sometimes a keyboard - Synchronized device: Both generate the same passwords simultaneously - Counter-Synchronized Device: Requires the user to push a button * Asynchronous Token device - Uses a challenge/response scheme - The authentication service sends a random value called a nonce to the user - The user enters the nonce into the token device, which encrypts the nonce with a secret key - The user then sends the encrypted nonce to the authentication service, which attempts to decrypt it with the shared secret key - If the original and encrypted nonce result in the same value, the user is authenticated

Answer 22

* Highly secure way to authenticate * Sequence 1) The authentication service provides a nonce 2) The user encrypts the nonce with their private key 3) The user sends the encrypted nonce and his digital certificate to the authentication service 4) The authentication service decrypts the nonce using the public key from the digital certificate

Answer 23

* Made up of multiple words - Reduced down via hashing or encryption into a simpler form - Longer than a password - Easier to remember

Answer 24

* Only stores data * Examples - Older ATM cards - Older credit cards * Risks: If the data contents of the memory card are not properly encrypted: Easy to read the PIN

Answer 25

* Memory Card with a tiny computer (chip) * Examples: - Credit cards containing on-board chips - ATM cards containing on-board chips

Answer 26

* PIN number: Can be required before data can be read * Chip: - Does the processing - Doesn't need an external system to perform validation * If tampering is detected: Some smartcards will erase its information

Answer 27

More expensive than memory cards

Answer 28

* Contact cards - The reader - Provides power to the cheap - Establishes a 2-way communication path - Contactless cards - Have an antenna running the entire perimeter - When the antenna comes very near an electromagnetic field, the field provides power and a communication path - It's an example of Radio Frequency Identification (RFID) - May or may not employ encryption - Combi cards: One chip that supports both methods - Hybrid cards: Two chips. One for each method

Answer 29

* Non-Invasive - Side-channel attacks - Differential power analysis: Watch the power emissions during processing - Electromagnetic analysis: Watch the frequencies emitted - Timing: Watch how long a process takes - Software attacks: Provide instructions that exploit a vulnerability * Invasive - Fault generation - Fault generation 1) Change the environment of the card - Voltage - Temperature - Clock rate 2) Watch for differences - Microprobing: Access the internal circuitry directly

Answer 30

* ISO 14443-1: Physical attributes * ISO 14443-2: Initialization and anti-collision * ISO 14443-3: Transmission protocol

Answer 31

Figuring if the authenticated subject is allowed to carry out the action he's requesting

Answer 32

* Role-Based: Based on the tasks a subject or group might need to perform * Physical Location Restriction: Restricting access to a device * Logical Location Restriction: Might be based on an IP address * Time of Day Restriction: Perhaps certain functions are accessible only during business hours or week days * Temporal Restriction: Allow access based on an absolute date or time * Transaction-Type Restriction: Limit access to features or data depending on the activity that the subject is engaged in

Answer 33

* All access control mechanisms should built upon it * Disadvantage: It will take more work to properly configure the system for the first time * Advantage: Significant drop in the number of accidental security holes * Need-to-Know: Focused on permissions and ability to access information * Least Privilege: Focused on privileges * Authorization Creep: - Tendency for an employee to gain more and more access over time as he changes positions - Even if the old levels of access are no longer needed - Typically, result of the lack of well-defined tasks and roles - Solution - As an employee changes roles, he should be removed from the current role/group and assigned to a new one that matches his new responsibilities - Sarbanes-Oxley (SOX): Law that requires review of this process yearly

Answer 34

* Need-to-Know: Focused on permissions and ability to access information * Least Privilege: Focused on privileges They help provide protection for valuable assets by limiting access to these assets

Answer 35

* One of the most common implementations for SSO | * Developed in the 80's

Answer 36

* Key Distribution Center (KDC) * Authentication Server (AS): Authenticates a principal * Ticket Granting Service (TGS): Creates a ticket for a principal * Principals: Users, Applications, Network services * Realm - Set of principals - A KDC can be responsible for one or more realms * Tickets: Proof of identity passed from principal to principal * Authenticator: A packet of data containing: - A principal's information - The principal's IP address - A timestamp - A sequence number - Timestamp and seq number help protect against replay attacks

Answer 37

0) Bob wants to log in and send something to a printer 1) Bob logs into his workstation 2) Bob's desktop send his username to the KDC's AS. AS encrypts the password, generates a random session key and encrypts it with Bob's password and sends it back. This is an AS ticket 3) Bob's desktop will decrypt the session key using the password Bob entered. Now the KDC and Bob's desktop share a session key 4) Bob sends something to a printer 5) Bob's desktop sends the AS ticket obtained during login to the KDC's TGS and asks for a ticket allowing it to print to the printer 6) The KDC validates Bob's AS ticket 7) The KDC's TGS generates a new random session key and sends back two copies to Bob's Desktop and an authenticator and sends the print ticket to the printer - One encrypted with Bob's secret key - One encrypted with the printer's secret key 8) Bob's desktop receives this new print ticket, decrypts the session key using Bob's password, adds its own authenticator and sends the print ticket to the printer 9) The printer receives the ticket and decrypts the session key and the KDC's authenticator using its secret key. If the decryption succeeds, it knows the ticket came from the KDC. If the decrypted authenticator matches Bob's desktop authenticator, it knows Bob's machine sent the message 10) The printer prints

Answer 38

After the first system authenticates, it will use a ticket from then on to represent the user’s identity and authentication. As the user moves from system to system, all we have to do is to pass the ticket along, and the authentication session will move with it

Answer 39

* The KDC can be a SPOF: Solution: provide failover * The KDC can be a bottleneck: Solution: provide sufficient hardware * Both secret and shared keys are temporarily stored on machines acting on behalf of the principal and could be stolen. Solution: normal security precautions * Is susceptible to password guessing. Solution: OS * Data not in tickets are not encrypted. Solution: ensure network traffic is encrypted * Short keys can be susceptible to brute-force attacks. Solution: enforce long keys by policy and configuration * Kerberos requires all server and client clocks to be synchronized. Solution: normal network administration

Answer 40

* Definition: Logical groupings of resources that are managed by the same security policy and the same group who manages them (The same "security umbrella") * Usually segmented by the level of trust that subjects within that domain need * Often arranged hierarchically

Answer 41

* Federated Identity: Portable identity (along with any access rights) that can be used across organizational boundaries * Different than SSO, which is constrained to be used within an organization's own boundaries * Requires two organizations to enter into a partnership to share information in real-time * Web portal: - Made up of portlets: Browser-based plug-ins that are self-contained buckets of functionality usually served up by different organizations - For all of the portlets to work correctly, they must all share the identity of the authenticated user and there must be a high level of trust between all owners of the portlets

Answer 42

* Generalized Markup Language (GML): Back in the 80's * Standard Generalized Markup Language (SGML): Created from GML * Hypertext Markup Language (HTML): The standard on which all browsers operate * Extensible Markup Language (XML): Later gathered together all of the previous ones

Answer 43

* Service Provisioning Markup Language (SMPL): - Provides a vehicle for automated configuration of users and entitlements - 3 main entities * Requesting Authority (RA): Software sending a change request to a PSP * Provisioning Service Provider (PSP): Software that will validate and distribute the change request to one or more PSTs * Provisioning Service Target (PST): The system acting on the change request * Security Assertion Markup Language (SAML): If a user wants to authenticate with Party 1 using Party 2's credentials, SAML is used to carry out this request using the browser as the middle man * Extensible Access Control Markup Language (XACML): Standardized way of communicating access rights and security policies

Answer 44

* Web Services: - Services only accessible over the web - Can be used by SAML and XACML - Primary technologies - Representative State Transfer (REST) * Very simple format * Low overhead * Low security - Simple Object Access Protocol (SOAP) * Heavy format * Considerable security built-in * Service Oriented Approach (SOA): Pattern for creating independent services across business domains that can work together

Answer 45

SAML is wrapped in SOAP/REST, which is transmitted over HTTP

Answer 46

* Similar communication method to SAML * 3 entities - End User - Resource Party - OpenID Provider * Example * Facebook based authentication to web sites - Facebook: OpenID Provider - You: The end user - The site: Resource Party

Answer 47

* OAuth - Works with OpenID - Provides OpenID Authorization mechanisms * OAuth2 - Replaces OpenID - Provides Authentication and Authorization

Answer 48

* Identity as a Service (IaaS) - Offers: SSO, Federated IdM, Password-management services Drawbacks: - The provider may not be able to meet all regulatory requirements. Some regulated industries may be non-compliant - IdM: Among the most sensitive data a company maintains. This model moves this info out of the company's control - Integration of legacy applications: Not always straightforward or possible * Objectives - Connectivity * All connection points must be encrypted and monitored via IDS/IPS * Only IdM traffic should pass through these connection points * Firewalls and PKI must be properly configured - Incremental Rollout * Implement a portion and test before continuing * This will uncover unforeseen issues and help isolate where a problem is occurring

Answer 49

Defines rules and how they are applied to subjects and objects

Answer 50

* You can adjust access at your own discretion * Allows each user to control access to anything that user owns * Rights can be given to either named users or groups * Very flexible and not very secure * Most common desktop OS's use it

Answer 51

* Foundational part of a DAC * An ACL for an object contains - A list of subjects who may access the object - The permissions available for that subject * Inheritance - An ACL for a parent is automatically applied to children as they are added - Can be overridden. It's commonly not, though

Answer 52

aka Nondiscretionary Access Control (NDAC) Users have absolutely no ability to change the level of access granted to other users Commonplace in government systems

Answer 53

* Security Label - Attached to every subject and object - Contains: * A single classification (clearance level) * One or more categories * Classifications - Hierarchical - The level above is more trusted than the level below * Multilevel Security System (MLS) - Allows a subject to access an object at a different classification - A subject can access an object if the subject’s security clearance dominates the object's classification * Examples - SELinux - Trusted Solaris

Answer 54

* Middle ground between DAC and MAC * Takes away ACLs * Only allows centrally managed groups * Role - Task within the organization - Users are assigned a role * Rights are assigned directly to a role

Answer 55

* Core RBAC - When a user logs in - Gathers all possible roles and permissions granted via those roles and make them available for access decisions * Hierarchical RBAC - Allows the administrator to model the roles based on the actual organizational structure - Benefit: Makes management even easier with inheritance - Flavors: * Limited hierarchies: Inheritance only once * General hierarchies: Inheritance is allowed for multiple levels simultaneously

Answer 56

* Important security tool to prevent fraud * Hierarchical RBAC can help - Static separation of duty (SSD): Constrains the combination of privileges - Dynamic separation of duty (DSD): Constrains the combination of privileges that can be active within the same session

Answer 57

* Non-RBAC - No roles - Users: Mapped directly to applications * Limited RBAC - Roles + No roles - Users: Mapped to multiple roles as well as being mapped to application that do not have role-based support * Hybrid RBAC - Pseudo Roles - Users: Mapped to roles for multiple applications with only selected rights assigned * Full RBAC - Enterprise roles - Users: Mapped to enterprise roles

Answer 58

* Built right on top of RBAC * Extends its capabilities to include if…then coding * Anti-spam and firewall filters operate using rule-based decisions every day

Answer 59

* The user interface that can limit a user's ability to access data or functionality * Primary methods - Menus: Limit the options the user can chose from - Shells: Limit the commands available on a shell - Database views: Limit the data that can be viewed by creating a virtual view of the data - Physical constraints: Limit the physical controls the user can access such as keys or touch-screen buttons

Answer 60

* Table of subjects and objects on opposite axis * The intersection of each row and column dictates the level of access a subject has to the object * Normally used with DAC systems * Matrix types - Capability Table * Specifies the rights a subject has to a specific object * A capability can take the form of a token, ticket or key * Used by Kerberos - ACL: For a given object, a list of all subjects and their corresponding rights

Answer 61

* Control access based on the content of an object * Drawback: The technique has no context on which to base decisions * Examples - E-mail filters - Web filters

Answer 62

* Is able to dig deeper to understand the context in which information is being used * Stateful firewalls use this technique to determine if a SYN attack is underway

Answer 63

Requires that a single individual or department controls all access to resources

Answer 64

* Well-established network protocol * Provides authentication and authorization services to remote clients * Normally used in conjunction with an access server that communicates directly with a client desiring remote connectivity

Answer 65

1) Remote client contacts the access server via PPP and provides credentials 2) The access server forwards the credentials to the RADUIS server using the RADIUS protocol 3) After the RADIUS server authenticates and authorizes the client, the access server an IP address to the client

Answer 66

* Uses UDP for communication: It must contain a considerable amount of overhead to ensure proper delivery of data over a connectionless protocol * Encryption: - RADIUS encrypts passwords between AS and server - All other data is sent in clear text: Invitation to replay attacks * Only the PPP protocol is supported * It's implemented in a client/server architecture: Only the client can initiate communication * Does not support a very large number of AVP'S (Attribute Value Pairs): It's not useful for very granular rights

Answer 67

Doesn't address the issues that RADIUS has

Answer 68

Separates authentication and authorization steps: Better than TACACS and RADIUS

Answer 69

* Not backwards compatible with TACACS or XTACACS * Advantages - Uses TCP instead of UDP - Encryption: Everything is encrypted, not just the password - Supports a very large number of AVP's: Very granular rights are possible - Supports not only PPP. Appletalk, NetBIOS, IPX... - Supports * 2-factor authorization * One-time (dynamic) passwords - Design limitations: Implemented in a client/server architecture. Same as TACACS and XTACACS

Answer 70

* Meant to replace RADIUS * Has all of the advantages of TACACS+ * Based on a peer-to-peer model * Provides upgrade path for RADIUS and TACACS+ * Adds error handling: Much better stability

Answer 71

* Base protocol - Secure communication between Diameter entities - Feature discovery - Version negotiation - Header formats - Security options - A list of commands - A large number of AVPs * Extensions - Authentication * PAP, CHAP, EAP * End-to-end encryption * Replay attack protection - Authorization * Supports redirects, secure proxies, relays, and brokers * Reauthorization on-demand * Unsolicited disconnects * State reconciliation - Auditing * Reporting, roaming operations (ROAMOPS) accounting, monitoring

Answer 72

* Technology that allows a mobile device to move from network to network without changing its IP address * Supported by assigning a quasi-permanent home IP address to the mobile device that all traffic can be sent to * The Mobile IP server tracks the current address of the mobile device, called the care-of address, and forwards all traffic sent to the home IP address to the care-of address in real-time

Answer 73

* Introduction - Data owners: Take care of managing access to data - I own some data, so shouldn't I know best who has need to access the data? * Advantage: Removes potential bottlenecks and bureaucracy * Disadvantages: For larger organizations, significantly increase the likelihood that employees will gain unneeded access

Answer 74

* Senior management - Responsible for providing the security goals - But delegates the actual implementation - Indicate the personnel controls that should be used - Specify how testing of the controls are to be carried out

Answer 75

* Existence of appropriate policies and procedures * Well-documented * Kept up-to-date

Answer 76

* Covers the hiring, promotion, move, suspension, and termination of employees * Addresses - How employees should interact with the various security mechanisms - What will happen if an employee does not follow the policies

Answer 77

* Ensures - Every employee has a supervisor - That the supervisor is responsible for the employee's actions

Answer 78

* People are the weakest link * So employees need to understand - The proper use of security controls - Why they exist - The consequences of bypassing them

Answer 79

* Defines how often periodic testing will be carried out * Examples - Drills - Physical disruptions - Pentesting - Quizzing employees to vet policy knowledge - Required review of procedures to ensure relevancy

Answer 80

Require all hardware to be placed in a restricted areas behind secured doors, normally requiring access cards

Answer 81

* Protects - Individuals - Facilities - Components inside the facilities * Requiring - Identification badges - CCTV - Fences - Deterrent lighting - Motion detectors - Window and door sensors - Alarms - Indirect deterrent location and appearance of a building

Answer 82

* Protects computer hardware * Providing cover locks * Removal of USB and optical drives to prevent unauthorized copying * Dampening of electrical emissions to prevent wireless eavesdropping

Answer 83

Restricting physical access to a walled-off area to only a few authorized people

Answer 84

Providing a secure method for the transfer and storage of data backups

Answer 85

* Properly shielded: To prevent emissions and crosstalk | * Conceal: To prevent tampering and physical damage

Answer 86

Division of the physical facility into security zones with applicable access controls

Answer 87

* May have a hardware component * Always have a software component * Ensure CIA

Answer 88

* Access control models * Username/password mechanisms * Kerberos implementations * Biometrics devices * PKI * RADIUS/TACACS/Diameter servers

Answer 89

* Logically separating network components by using - Subnets - VLANs - DMZ's * Implementing IDS/IPS

Answer 90

* Methods implemented in - Routers - Switches - Firewalls - Gateways

Answer 91

* Preserve - Confidentiality - Integrity * Enforces specific paths for communication

Answer 92

* Tracking activity within - Network - Network device - Computer * Used to point out weaknesses to be fixed

Answer 93

Result of implementing audit tracking

Answer 94

* Detect intrusions * Track unauthorized activities back to the user * Reconstruct events and system conditions * Create problem reports * Provide material for legal actions

Answer 95

* User Actions - Logon attempts - Security violations - Resources and services used - Commands executed * Application Events - Error messages - Files modified - Security violations * System Activities - Performance - Logon attempts (ID, date/time) - Lockouts if users and terminals - Use of utilities - Files altered - Peripherals accessed

Answer 96

* Monitor the health of a system or application | * Reconstruct events that lead to a system crash

Answer 97

* Alert the administrator to suspicious activities to be investigated at a later time * After an attack has occurred - How long/far an attack went on - What damage may have been done

Answer 98

* What we are protecting against: Log scrubbing - Last step of carrying out an intrusion - The attacker will try and remove any information from log files that will alert an administrator to his presence or activity * Store on a remote host * No one should be able to view, modify or delete log files except for an administrator * Integrity must be ensured by using digital signatures, hashing and implementing proper access controls * Loss of the data must be prevented by secure storage and committing to write-once media (such as CD-ROM) * Any unauthorized attempt to access logs should be captured and reported * A chain of custody should be securely stored to prove who had access to audit logs and when for legal reasons * Implement simplex communication: Severing the "receive" pairs in an Ethernet cable to force one-way communication only to prevent retrieval of log information by the source who is writing the data * Replicate log files to ensure a backup in case of deletion of the primary copy * Implement cryptographic hash chaining: Each log entry contains the hash of the previous entry, allowing the removal or modification of previous entries to become detectable

Answer 99

* Applying the proper level of filtering, such that only important details are logged * Reduces the impact of logging on system/application performance * Keeps log file sizes down

Answer 100

* Event Oriented: Results from a disruption or security breach * Audit Trails: Periodic reviews to detect unusual behavior from users, applications or systems * Real-Time Analysis: An automated system correlates logs from various systems * Audit-Reduction Tool: - Discards irrelevant data to make reviews easier - Security Information and Event Management (SIEM): To automate the sifting and correlation of all logs - Situational awareness * Ability to make sense of the current state in spite of a large number of data points and complex relationships * Result of correct usage of a SIEM

Answer 101

* Captures each keystroke and records the resulting characters in a file * Unusual * Done in case an employee is suspected of wrong-doing * Usually done with care: It can constitute a violation of an employee's privacy if it has not been clearly spelled out in some type of employee training or an on-screen banner that monitoring of this type may take place * Attackers use this technique to capture credentials: Usually through a trojan horse

Answer 102

* Ensure that access criteria is well-defined and strict * Enforce need-to-know and least-privilege patterns * Reduce and monitor any type of unlimited access * Look for and remove redundant access rules, user accounts and roles * Audit user, application and system logs on a recurring basis * Protect audit logs properly * Only known and non-anonymous accounts should be given access * Limit and monitor usage by highly-privileged accounts * Enforce lockouts after unsuccessful login attempts * Never leave default passwords * Make sure that passwords are required to be changed periodically, only strong passwords are allowed, are not shared and are always encrypted both in-transit and at-rest * Ensure accounts are removed that are no longer after an employee leaves * Suspend inactive accounts after 30 to 60 days * Disable ports, feature and services that are not absolutely required

Answer 103

* Social engineering * Covert channels * Malicious code * Sniffing (wired, wireless) * Object reuse (not properly erasing previous contents) * Capturing electromagnetic emissions

Answer 104

* Standard created by DoD to combat the capturing of electromagnetic emissions * Limits electrical emissions by wrapping the product in a metal shield called a Faraday cage * Very expensive process

Answer 105

* White Noise - Random electrical signals are created across the entire communication band - An attacker is unable to distinguish valid signals from the background noise * Control Zones: Housing rooms or even buildings in a Faraday cage

Answer 106

* Detects intrusion attempts, which are the unauthorized use of, or attack upon, a network or devices attached to the network * Passive component that does not take any action other than generating alerts * It looks for passing traffic that is suspicious, or monitors logs in real-time, and any anomalous behavior can trigger an alarm

Answer 107

* Sensor: Collects information and sends it to the analyzer * Analyzer: Looks for suspicious activity and send alerts to the administration interface * Administration Interface: Processes alerts, which can result in - E-mail - Visual message - Text message - Phone call - SNMP alert

Answer 108

* Highlight vulnerabilities in a network * Expose techniques used by an attacker * Produce evidence for subsequent legal action

Answer 109

Watches network traffic

Answer 110

* Can be: Hardware devices or software in a server * Has to have a NIC that is in promiscuous mode * Sniffs packets as they pass by * Uses a protocol analyzer: To examine each packet based on the protocol the packet is using * Switching problem: - Most networks are switched, so not all traffic can be seen - To overcome this: Connect to a spanning port in the switch

Answer 111

* Sometimes: NIDS can be self-contained within a firewall or other dedicated device * Normally: Distributed solution with various sensors scattered across the network at strategic points * Good practices - A sensor in the DMZ - A sensor inside of the intranet - Sensors in sensitive entry points, such as a wireless AP connection - Resources requirements - Depends on how deep a sensor digs into each passing packet - Good idea: * Place multiple sensors in each location * Each sensor analyzing packets for a subset of signatures or patterns

Answer 112

* Definition: Can see anything that goes on inside of an operating system running on a "host" computer * High cost: Normally only installed in servers

Answer 113

* Have very intimate knowledge of the inner-workings of a given application * Are useful if the application uses encryption that would hide activity from NIDS or HIDS

Answer 114

* aka Knowledge-Based or Pattern-Matching * Most popular detection type * Requires that its "signatures" be constantly updated in order to remain effective * Cannot detect "zero-day" attacks * Compares traffic patterns in real-time to a list of patterns known to represent an attack * If a match is found it will generate an alert

Answer 115

* Upside: Very low false-positive rate | * Downside: High false-negative rate

Answer 116

* Land attack: Source and destination IP addresses are the same * Xmas attack: Sets all TCP header flags to 1

Answer 117

* Monitors the contents of memory on a host * Take continuous snapshots, called a state, of the contents of volatile and non-volatile memory within a host and compare it with the last captured state * The difference between the two states is then compared to a database and if the changes match a pattern, an alert is generated

Answer 118

* When an anomaly-based IDS is first installed, it is put into a learning mode for a while, where it watches all traffic passing by and assumes the traffic is "normal" * It then creates a database of these normal traffic patterns, and when it is taken out of learning mode, it will alert if the network traffic deviates from this baseline

Answer 119

Advantage: It can detect new attacks Disadvantage: Any alert requires a very skilled engineer to analyze the data to determine if the anomaly is indeed an attack

Answer 120

* When the IDS detects patterns outside of the norm - It will assign a degree of irregularity to the pattern and continue to monitor it - If the pattern continues the assigned degree increases to the point at which it passes a given threshold, resulting in an alert * Because of this algorithm, anomaly-based IDSs can detect attacks that are designed to fly under the radar to avoid attention

Answer 121

* High number of false positives * Low number of false-negatives * Fine tuning the threshold is important to achieve a reliable ratio

Answer 122

* Understands the various protocols passing by: Allowing it to dig a little deeper and add some context to patterns * This is a very useful filter because most attacks happen at the protocol level * Attacks it can detect - ARP poisoning: * Data Link Layer attack * A rogue client pretends to own an IP it does not - Loki attacks * Network Layer attack * ICMP packets are used to hide data * Session Hijacking * Transport Layer attack * An attacker uses sequence numbers to jump in and take over a socket connection

Answer 123

* Watch for changes in relative patterns: Looks for acceptable patterns that do match the normal frequency or time range * Examples - Notices login activity in the middle of the night and generates an alert that would be ignored in the middle of a week day - Notices a significant increase in traffic that is considered to be normal, but decide that a DoS attack is underway

Answer 124

* aka Heuristic-Based IDS * It's an expert system * Components: - Facts: Data that comes in from a sensor or system that is being monitored - Knowledge Base: If...then rules that analyze facts and take action - Inference Engine: Uses artificial intelligence to infer relationships - Advantage: Improved levels of false-positives and false-negatives - Disadvantages: * Cannot detect new attacks * If the rules are overly complex: Excessive resource consumption

Answer 125

* Identify which IDS is in use and adapt to avoid discovery | * Flood the network with bogus data to distract the IDS

Answer 126

* Vendors allow malicious software to execute on a host and then gather the changes that were made to the system * Antimalware systems then can use this behavior to detect malicious activity

Answer 127

It's an IDS with a reactive behavior

Answer 128

* Introduction - A server that has purposefully been left vulnerable - Contains no data or services that is of value to the company - Not connected to any other systems except for the ability to let a network administrator know that it is being attacked * Reasons to use it - It distracts the attacker so that our real systems are left alone - It allows us to study the attack in real-time so that we can harden other areas on-the-fly based on the activities - It gives us time to discover the identity of the attacker - We can collect evidence from the attack for subsequent legal action * Entrapment - Tricking an attacker to encourage him to make the attack - It's illegal * Enticement - Redirecting the attacker's efforts that he has already determined to carry out - It's OK

Answer 129

* Definition - Carried out by a program that is fed a list of commonly used words or combinations of characters - The program will iterate through all possible combinations and attempt to guess the password * Countermeasures - Perform dictionary attacks to find weak passwords, and force the user to change it - Require strong passwords - Require passwords to be changed frequently - For attacks against a user interface * Use lockout thresholds * Use one-time password tokens * Use an IDS to detect this type of activity - For attacks directly against a file * Never store passwords in clear text * Protect password files

Answer 130

* Definition - aka Exhaustive attack - Iterates through every possible character until a match is found - Guaranteed to be 100% successful (With time) - Countermeasures: Same as Dictionary

Answer 131

* Automatically dialing through a list of phone numbers until a modem answers * Countermeasures - Perform brute-force attacks against all company phone number ranges to find hanging modems - Make sure only necessary phone numbers are public

Answer 132

* Combination of dictionary and brute-force attacks * Dictionary attack is used to discover at least a part of the password * Then a brute-force attack is used to discover the remaining portion

Answer 133

* Can be Dictionary or brute force * The hashes for all relevant values are pre-computed into a "rainbow table" * Only useful against files * User interface will be the limiting factor

Answer 134

* Requires a malicious program to be installed on a workstation or server * User attempts to login, the malicious program will prompt for credentials instead of the OS logon screen * The malicious program claims that credentials were invalid and immediately hands control over to OS * End result: The user never realizes that credentials were just stolen