Domain 3 continued Flashcards
Network-based intrusion detection systems (NIDSs) are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact
A network-based intrusion prevention system (NIPS) has all the same characteristics as a NIDS but, unlike a NIDS, sits inline and can automatically respond to certain events (for example, by resetting a TCP connection or dropping the offending packets) without operator intervention
Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)
Which detection model works by matching signatures in the network traffic stream to defined patterns stored in the system?
The weakness of signature-based systems is that they rely on having accurate signature definitions beforehand, so an attack with no published signature passes undetected, and as the number of signatures grows, matching every packet against all of them becomes a scalability problem
Signature-based
The behavioral model relies on a collected set of “normal behavior”—what should happen on the network and is considered “normal” or “acceptable” traffic
This model can potentially detect zero-day or unpublished attacks but carries a high false-positive rate, because any new traffic pattern can be labeled as “suspect”
Heuristic/behavior
The IDS is first taught what “normal” traffic looks like and then looks for deviations from those “normal” patterns
An _____ is a deviation from an expected pattern or behavior
Anomaly
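The signature and anomaly cards above are easiest to compare side by side. The following is an added example, not code from the flashcards or from any NIDS product: a tiny signature engine and a baseline-driven anomaly detector run over the same constructed observation window. The traffic records, signatures, hosts and thresholds are all invented for illustration.

```python
"""Signature matching next to a behavioral baseline over constructed records.

Added example; the traffic, signatures and thresholds below are invented for
illustration and are not taken from any real NIDS or from the flashcards.
"""
import re
import statistics
from collections import Counter

# Constructed "training" traffic an analyst has vetted as normal:
# (source IP, destination port, payload excerpt).
NORMAL_TRAFFIC = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", 53, "A? example.com"),
    ("10.0.0.6", 80, "GET /about HTTP/1.1"),
    ("10.0.0.6", 443, "TLS ClientHello"),
    ("10.0.0.7", 80, "POST /login HTTP/1.1"),
    ("10.0.0.7", 53, "A? updates.example.com"),
]

# Constructed signature database. A signature engine can only flag what is
# already described here; anything new passes through.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
}


def signature_hits(window):
    """Return (record, [signature names]) for each record matching a signature."""
    hits = []
    for rec in window:
        names = [name for name, pat in SIGNATURES.items() if pat.search(rec[2])]
        if names:
            hits.append((rec, names))
    return hits


class AnomalyDetector:
    """Learns what 'normal' looks like, then reports deviations from it.

    Two deliberately simple features: the destination ports seen in training,
    and per-source request counts scored as a z-score against the training
    mean. Real systems use many more features, but the trade-off is the same.
    """

    def __init__(self, training, z_threshold=3.0):
        self.known_ports = {port for _, port, _ in training}
        per_source = list(Counter(src for src, _, _ in training).values())
        self.mean = statistics.mean(per_source)
        # A perfectly uniform baseline has zero spread; floor it so the
        # z-score stays finite.
        self.stdev = max(statistics.pstdev(per_source), 1.0)
        self.z_threshold = z_threshold

    def anomalies(self, window):
        """Return (source IP, reason) pairs for anomalous behavior in a window."""
        found = []
        counts = Counter(src for src, _, _ in window)
        for src, n in counts.items():
            z = (n - self.mean) / self.stdev
            if z > self.z_threshold:
                found.append((src, f"request rate z-score {z:.1f}"))
        for src, port, _ in window:
            if port not in self.known_ports:
                found.append((src, f"unseen destination port {port}"))
        return found


def demo():
    """Run both detectors over one constructed observation window."""
    window = [
        # Known attack pattern: only the signature engine names it.
        ("10.0.0.5", 80, "GET /../../etc/passwd HTTP/1.1"),
        # Unknown (zero-day-like) activity on a port never seen in training:
        # no signature exists, but the baseline flags it.
        ("10.0.0.9", 4444, "connect-back banner"),
        # A legitimate new service: the baseline flags it too (false positive).
        ("10.0.0.6", 22, "SSH-2.0-OpenSSH_9.6"),
    ] + [("10.0.0.8", 80, "GET /scan HTTP/1.1")] * 30   # burst from one host
    detector = AnomalyDetector(NORMAL_TRAFFIC)
    return {
        "signature_hits": signature_hits(window),
        "anomalies": detector.anomalies(window),
    }


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind)
        for item in items:
            print("  ", item)
```

The run shows the trade-off the cards describe: the signature engine names the traversal attempt precisely and says nothing about the port-4444 activity, while the baseline catches that activity and the request burst but also flags the new SSH service, which is exactly the false positive an analyst then has to tune away.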
In-band (inline) solutions work well for protecting network segments that have high-value systems and a limited number of traffic types: because the sensor sits in the traffic path it can block an attack, but it also adds latency and becomes a point of failure for that segment
An out-of-band system relies on a passive sensor, or set of passive sensors, fed by a SPAN port or tap; it has the advantage of greater flexibility in detection across a wider range of traffic types, but it can only alert (or send a TCP reset after the fact), not block
Inline vs. passive
A _____ is a device used to manage or store encryption keys. It can also perform cryptographic operations such as encryption, hashing, or the application of digital signatures, so that the keys never have to leave the module
A hardware security module (HSM)
_____ are devices that capture data and act upon it. There are multiple kinds and various placement scenarios
Each type of sensor is different, and no single type of sensor can sense everything
Sensors
_____ are sensors, or concentrators that combine multiple sensors, that collect data for processing by other systems
_____ are subject to the same placement rules and limitations as sensors
Collectors
An _________ is a device that takes multiple inputs and combines them into a single output
These traffic management devices are placed according to the network topology to avoid unnecessary router hops
Aggregator
The heart of a ________ is the set of security policies that it enforces
Management determines what is allowed in the form of network traffic between devices, and these policies are used to build rulesets for the firewall devices used to filter network traffic across the network
Firewalls
A _____ is a device that filters HTTP/HTTPS traffic according to rules that inspect the application-layer request and response content, not just addresses and ports
web application firewall (WAF)
_____ can keep track of the state associated with a communication and can filter based on behaviors that are not properly associated with that state
Next-generation firewalls (NGFW)
A ____ packet inspection firewall can act upon the state condition of a conversation
Stateful
The typical basic network firewall operates only on IP addresses and ports, in essence a stateless interaction with the traffic
The most basic firewalls simply shut off either ports or IP addresses, dropping those packets upon arrival; they cannot tell a reply to a connection an inside host opened from an unsolicited packet that merely looks like one
Stateless
_____ is a marketing term used to describe all-in-one devices employed in network security. UTM devices typically provide a wide range of services, including switching, firewall, IDS/IPS, anti-malware, anti-spam, content filtering, and traffic shaping
Unified threat management (UTM)
To compensate for the shortage of IPv4 address space, organizations use a _____, which translates private (nonroutable) IP addresses into public (routable) IP addresses
Network address translation (NAT) gateway
_______ firewalls are exemplified by iptables (and its successor nftables), built-in functionality in Linux systems
Open-source vs. proprietary
Firewalls can be dedicated hardware appliances or a set of software services running on a general-purpose system.
Hardware vs. software
Firewalls can be located on a host, either as a separate application or as part of the operating system itself. In software-defined networking (SDN) networks, firewalls can be instantiated as virtual network functions, providing all of the features in a virtual software solution
Appliance vs. host-based vs. virtual
Which lists tell a system what objects are permitted which actions? They can control who gets to change the network parameters via configurations, who gets to pass specific firewalls, and a host of other decisions
Access control list (ACL)
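The stateful/stateless firewall cards and the ACL card above describe the same mechanism from two sides: an ACL judges each packet on its own header fields, and a stateful firewall adds a connection table so replies are admitted by memory rather than by a rule. The following is an added example, not code from the flashcards or from any firewall product. The addresses, rules and packet sequence are constructed; the rule tuple format and the `Packet` class are my own.

```python
"""Stateless ACL filtering next to stateful connection tracking.

Added example; the addresses, rules and packets are constructed for
illustration and are not from the flashcards or from any firewall product.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a TCP SYN, i.e. a new connection attempt


def acl_decision(rules, pkt):
    """First-match-wins evaluation of (action, src_net, sport, dst_net, dport).

    A sport/dport of None means 'any'. This is all a stateless device can do:
    every packet is judged on its own header fields.
    """
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, src_net, sport, dst_net, dport in rules:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and sport in (None, pkt.sport)
                and dport in (None, pkt.dport)):
            return action
    return "deny"   # implicit deny at the end of every ACL


# Stateless ACL that tries to allow inside hosts (10.0.0.0/24, constructed)
# to browse the web. Because replies must be let back in without any memory
# of the request, the second rule admits *any* packet whose source port is 80.
STATELESS_ACL = [
    ("permit", "10.0.0.0/24", None, "0.0.0.0/0", 80),   # outbound web
    ("permit", "0.0.0.0/0", 80, "10.0.0.0/24", None),   # "replies" -- too broad
    ("deny", "0.0.0.0/0", None, "0.0.0.0/0", None),
]

# A stateful policy only describes which *new* connections may be opened;
# replies are admitted by the connection table, not by a rule.
STATEFUL_POLICY = [
    ("permit", "10.0.0.0/24", None, "0.0.0.0/0", 80),
    ("deny", "0.0.0.0/0", None, "0.0.0.0/0", None),
]


class StatefulFirewall:
    def __init__(self, policy):
        self.policy = policy
        self.table = set()   # tracked connections as (src, sport, dst, dport)

    def decide(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.table or reverse in self.table:
            return "permit"   # belongs to a conversation we saw being opened
        if pkt.syn and acl_decision(self.policy, pkt) == "permit":
            self.table.add(forward)   # remember the new connection
            return "permit"
        return "deny"   # unsolicited packet with no tracked state


def demo():
    """Return (stateless, stateful) verdicts for a constructed packet sequence."""
    web = "198.51.100.10"       # constructed external web server
    attacker = "203.0.113.9"    # constructed external attacker
    packets = [
        Packet("10.0.0.5", 51000, web, 80, syn=True),    # inside host opens web session
        Packet(web, 80, "10.0.0.5", 51000),              # server's reply
        Packet(attacker, 80, "10.0.0.5", 22, syn=True),  # crafted: sport 80 aimed at SSH
        Packet("10.0.0.5", 51001, web, 22, syn=True),    # inside host tries SSH out
    ]
    fw = StatefulFirewall(STATEFUL_POLICY)
    return [(acl_decision(STATELESS_ACL, p), fw.decide(p)) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third packet is the point of the exercise: the stateless ACL permits it because the attacker simply set the source port to 80, while the stateful firewall denies it because no inside host ever opened that conversation.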
Depending on where the source and destination are with respect to each other, the route a packet takes can be wide-ranging, from simple and short to complex and long; because routing protocols decide that path, unauthenticated routing updates let an attacker redirect traffic, so routers should authenticate their peers
Route security
_____ is the use of specific technologies on a network to guarantee its ability to manage traffic based on a variety of indicators
Quality of service (QoS)
____ has many implications for secure network designs, some good, some problematic. ____ includes IPsec in its protocol suite and enables end-to-end encryption, which is great for communication security; on the problematic side, most hosts bring up ____ connectivity by default, so a firewall that filters only IPv4 leaves a gap
Implications of IPv6
Which monitoring technique can have issues when traffic levels get heavy, because the aggregate mirrored traffic can exceed the throughput of the mirror port and packets are then silently dropped?
Port spanning/port mirroring
A test access point (TAP) is a passive signal-copying mechanism installed between two points on the network. The TAP can copy all packets it receives, rebuilding a copy of all messages, without the drop-under-load problem of a mirror port
Port taps
_____ (NSM) is the process of collecting and analyzing network data to detect unauthorized activity
NSM is not a way to prevent intrusions, but when deployed inside a network, it can detect where other defenses have failed
Monitoring services/Network security monitoring
_____ are a series of internal processes that can validate the integrity of OS and application files. There are OS utilities that can be automated to do this as well as applications to manage this critical task
File Integrity Monitors
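The core of a file integrity monitor is a stored baseline of cryptographic digests and a later rescan diffed against it. The following is an added example, not code from the flashcards or from a product such as AIDE or Tripwire; it builds a throwaway directory tree, takes a baseline, simulates tampering, and reports what changed. File names and contents are constructed. One caveat worth stating: the baseline must be kept where an attacker who can modify the monitored files cannot also rewrite it (signed, or stored off-host), or the monitor proves nothing.

```python
"""File integrity monitoring: hash baseline, then diff against a rescan.

Added example, not from the flashcards or from any FIM product such as AIDE
or Tripwire. It builds a throwaway directory tree so it runs stand-alone.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path (relative to root, POSIX style) to its digest.

    A production FIM also records owner, mode and mtime from os.stat(), since
    a permission change with unchanged content is still a finding.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Classify differences between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in set(baseline) & set(current) if baseline[p] != current[p]
        ),
    }


def demo():
    """Build a tree, take a baseline, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        # Constructed file contents; nothing here is read from the real system.
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (Path(root) / "old.bin").write_bytes(b"\x7fELF")
        baseline = snapshot(root)

        # Simulated tampering: a new account appended, a file removed, one added.
        with open(etc / "passwd", "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.remove(Path(root, "old.bin"))
        (Path(root) / "new.conf").write_text("PermitRootLogin yes\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```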
_____ uses the Advanced Encryption Standard (AES) as its encryption algorithm
_____ uses the AES block cipher, a significant improvement over WEP and WPA’s use of the RC4 stream cipher
WiFi Protected Access 2 (WPA2)
_____ improves authentication security by using Simultaneous Authentication of Equals (SAE) in place of the PSK handshake used in prior WPA versions
Forward secrecy is provided only by _____. WPA2-Personal derives session keys directly from the pre-shared key, so an attacker who captures the four-way handshake and later learns the passphrase can decrypt past sessions; _____ negotiates keys with SAE, so the passphrase alone does not reveal them
WiFi Protected Access 3 (WPA3)
_____ is a data encapsulation encryption mechanism designed for wireless use
_____ is the mode in which the AES cipher is used to provide both confidentiality (counter mode) and message integrity (CBC-MAC)
Counter-mode/CBC-MAC Protocol (CCMP)
_____ is a password-based key exchange method originally developed for mesh networks
As a peer-to-peer protocol, it does not rely on other parties, so it is an alternative to using certificates or a centralized authority for authentication; because every password guess requires a live exchange with the peer, it also resists offline dictionary attacks against a captured handshake
Simultaneous Authentication of Equals (SAE)
_____ is a protocol for wireless networks that expands on the authentication methods used by the Point-to-Point Protocol (PPP)
EAP can support multiple authentication mechanisms, including tokens, smart cards, certificates, one-time passwords, and public key encryption authentication
Extensible Authentication Protocol (EAP)
Which EAP variant was developed to protect EAP communication by encapsulating it in a Transport Layer Security (TLS) tunnel, and is widely supported by vendors for use over wireless networks?
Protected Extensible Authentication Protocol (PEAP)
_____ is a lightweight tunneling protocol used to enable authentication
Its distinguishing characteristic is the passing of a Protected Access Credential (PAC) that is used to establish a TLS tunnel through which client credentials are verified
EAP-FAST
Which EAP method provides mutual authentication and requires both client and server certificates?
This is still considered one of the most secure implementations, primarily because common implementations employ client-side certificates
EAP-TLS
_____ is a variant of the EAP-TLS protocol. The authentication process is protected by the tunnel from man-in-the-middle attacks, and it is easier to deploy than EAP-TLS because clients do not need certificates
EAP-TTLS (which stands for EAP–Tunneled TLS)
________ is an authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router, switch, or wireless access point (the authenticator)
________ is commonly used on wireless access points as a port-based authentication service prior to admission to the wireless network
IEEE 802.1X
Which arrangement allows users to use their normal credentials across trusted networks?
This allows users in one organization to authenticate and access resources on another trusted organization’s network using one set of credentials
Federation
Which protocol carries a user's credentials from a network access device (such as a wireless access point or VPN concentrator) to a central authentication server, and is the usual back end for 802.1X and federated wireless logins?
Remote Authentication Dial-in User Service (RADIUS)
A ________ is a secret shared in advance between the users of a network and the access point
A ___ is typically entered as a passphrase of 8 to 63 characters and must be securely distributed to every user, which is why it scales poorly and is hard to revoke when one user leaves
Pre-shared key (PSK)
In ________ mode, the devices use IEEE 802.1X and a RADIUS authentication server to enable a connection
This method allows the use of usernames and passwords
Enterprise
____ uses an eight-digit PIN to configure wireless devices
____ consists of a series of EAP messages and has been shown to be susceptible to a brute force attack; it should be disabled on any access point that supports it
WiFi Protected Setup (WPS)
A _____ _____ refers to a specific technique of using an HTTP client to handle authentication on a wireless network. Frequently employed in public hotspots, a ______ ______ opens a web browser to an authentication page
Captive portal
Wireless networks are dependent on radio signals to function. Antenna type, placement, and site surveys are used to ensure proper coverage of a site, including areas affected by walls, interfering signals, and echoes
Installation considerations
A _____ involves several steps: mapping the floor plan, testing for RF interference, testing for RF coverage, and analyzing the results with software
Site surveys
A Wi-Fi _____ map is a map of wireless signal coverage and strength. Typically, a ______ map shows a layout of a room, floor, or facility overlaid by a graphical representation of the wireless signal
Heat maps
_____ can determine if the Wi-Fi signal strength is sufficient and whether there are competing devices on a particular channel
This enables an engineer to allocate signals both in strength and channel to improve Wi-Fi performance
WiFi analyzers
Wi-Fi radio signals exist at specific frequencies: 2.4 GHz and 5 GHz (and, with Wi-Fi 6E, 6 GHz). Each band is broken into a series of channels, and the actual data transmissions occur across these channels
In the 2.4-GHz band the channel centers are only 5 MHz apart but each transmission occupies roughly 20 to 22 MHz, so neighboring channels overlap and interfere with each other; only channels 1, 6, and 11 are mutually non-overlapping in that band
Channel overlaps
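The overlap rule is simple arithmetic on channel center frequencies, and it is worth being able to check a planned access-point layout against it. The following is an added example, not code from the flashcards or from any Wi-Fi analyzer. The channel centers follow the 802.11 2.4 GHz plan (2412 MHz for channel 1, 5 MHz steps, 2484 MHz for channel 14) and the 22 MHz width is the classic 802.11b occupied bandwidth behind the 1/6/11 rule of thumb; the four-AP floor plan is constructed.

```python
"""2.4 GHz channel geometry: why adjacent channels interfere.

Added example, not from the flashcards. Channel centers follow the IEEE
802.11 2.4 GHz plan (2412 MHz for channel 1, 5 MHz steps, 2484 MHz for
channel 14); the 22 MHz width is the classic 802.11b mask that the 1/6/11
rule of thumb is based on. The access-point layout is constructed.
"""
from itertools import combinations


def center_mhz(channel):
    """Center frequency in MHz of a 2.4 GHz channel (1-14)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no 2.4 GHz channel {channel}")


def overlaps(a, b, width_mhz=22):
    """True if two channels' occupied bands share any spectrum."""
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz


def non_overlapping(channels, width_mhz=22):
    """Greedy pick of channels from the list that do not overlap each other."""
    chosen = []
    for ch in sorted(channels):
        if all(not overlaps(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def overlapping_pairs(assignment, width_mhz=22):
    """Pairs of access points whose channel assignments interfere.

    assignment maps an AP name to its channel. Whether two APs really
    interfere also depends on distance and walls; this checks spectrum only.
    """
    return [
        (x, y) for x, y in combinations(sorted(assignment), 2)
        if overlaps(assignment[x], assignment[y], width_mhz)
    ]


def demo():
    """Audit a constructed four-AP floor plan for channel conflicts."""
    plan = {"ap-north": 1, "ap-east": 3, "ap-south": 6, "ap-west": 11}
    return {
        "usable_set": non_overlapping(range(1, 14)),
        "conflicts": overlapping_pairs(plan),
    }


if __name__ == "__main__":
    print(demo())
```

In the constructed plan the access point on channel 3 collides with both of its neighbors on 1 and 6, which is the kind of conflict a Wi-Fi analyzer or heat-map survey is meant to surface before deployment.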
For security reasons, you should be aware that Wi-Fi signals go through walls, so placing access points where they produce large areas of coverage outside a facility may lead to outsiders accessing your system
Protecting the access point from physical access is also important
Wireless access point (WAP) placement
Proper provisions for _____ include both physical and logical security precautions. The physical devices and network connections should be placed in a location that is not readily accessible to an attacker
Controller and access point security
_____ refers to the radio communication methods developed under the _____ Alliance
These systems exist on the 2.4- and 5-GHz frequency spectrums, and networks are constructed both by the enterprise you are associated with and by third parties
Wifi
_____ is a short-to-medium range, low-power wireless protocol that transmits in the 2.4-GHz band, which is the same band used for 802.11
Bluetooth
_____ is a set of wireless technologies that enables smartphones and other devices to establish radio communication when they are within close proximity to each other, typically a distance of 10 cm (3.9 in) or less
Near field communication (NFC)
_____ (IR) is a band of electromagnetic energy just beyond the red end of the visible color spectrum
IR cannot penetrate walls but instead bounces off them
Nor can it penetrate other solid objects
Infrared
_____ has become the ubiquitous standard for connecting devices with cables
Mobile phones can transfer data and charge their battery via USB, which is why an untrusted charging port can also be a data connection
Laptops, desktops, even servers have USB ports for a variety of data connection needs
Universal Serial Bus (USB)
Which communications are defined as having one endpoint on each end, a single transmitter talking to a single receiver?
A communications channel between two entities in isolation is referred to as ______ to ______
Point-to-point
Which communications have multiple receivers for a transmitted signal? When a message is sent in broadcast mode, it has multiple receivers and is called a _______ to _______ communication
Point-to-multipoint
_____ is a series of satellites that provide nearly global coverage of highly precise time signals that, when multiple signals are combined, can produce precise positional data in all three dimensions
Global Positioning System (GPS)
Which tags are used in a wide range of use cases?
From tracking devices to tracking keys, the unique serialization of these remotely readable devices has made them useful in a wide range of applications
Radio frequency identification (RFID)
_____ (MDM) is a marketing term for a collective set of commonly employed protection elements associated with mobile devices. In enterprise environments, _____ allows device enrollment, provisioning, updating, tracking, policy enforcement, and app management capabilities
Mobile device management (MDM)
The installing, updating, and managing of applications on mobile devices is done through a system referred to as _____ software
Application management
_____ is the set of actions used to control content issues, including what content is available and to which apps, on mobile devices
Most organizations have a data ownership policy that clearly establishes their ownership rights over data, regardless of whether the data is stored on a device owned by the organization or a device owned by the employee
Content management
Which mobile device feature removes the data stored on the device and resets the device to factory settings?
Remote wipe
_____ is the use of the Global Positioning System (GPS) and/or radio frequency identification (RFID) technology to create a virtual fence around a particular location and detect when mobile devices cross the fence
Geofencing
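A geofence reduces to two pieces: a distance test against the fence boundary, and a state machine that turns a sequence of position fixes into enter and exit events. The following is an added example, not code from the flashcards or from any MDM product; the fence, radius and device track are constructed, and the great-circle distance uses the haversine formula with a 6371 km mean Earth radius. Keep in mind that a device can report a spoofed position, so a geofence is a policy signal, not proof of location.

```python
"""Geofence evaluation: distance from a fence center and enter/exit events.

Added example, not from the flashcards or from any MDM product. The fence,
radius and device track are constructed; the great-circle distance uses the
haversine formula with a 6371 km mean Earth radius.
"""
import math

EARTH_RADIUS_M = 6_371_000


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def inside(fence, lat, lon):
    """True if (lat, lon) lies within the fence's radius of its center."""
    c_lat, c_lon, radius_m = fence
    return haversine_m(c_lat, c_lon, lat, lon) <= radius_m


def fence_events(fence, track):
    """Turn a sequence of device fixes into (index, 'enter'|'exit') events.

    The device is assumed to start outside the fence, so a first fix inside
    yields an 'enter' event. Real MDM agents also apply hysteresis and the
    fix's accuracy radius so GPS jitter near the boundary does not cause churn.
    """
    events, was_inside = [], False
    for i, (lat, lon) in enumerate(track):
        now_inside = inside(fence, lat, lon)
        if now_inside != was_inside:
            events.append((i, "enter" if now_inside else "exit"))
        was_inside = now_inside
    return events


def demo():
    """Constructed office fence (500 m radius) and a short device track."""
    office = (37.4220, -122.0841, 500)
    track = [
        (37.4220, -122.0841),   # at the center
        (37.4230, -122.0841),   # about 110 m north, still inside
        (37.4300, -122.0841),   # about 890 m north, outside
        (37.4225, -122.0841),   # back inside
    ]
    return fence_events(office, track)


if __name__ == "__main__":
    print(demo())   # [(0, 'enter'), (2, 'exit'), (3, 'enter')]
```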
Most phones have GPS built in; this enables apps and the phone to track its geographic location
Geolocation
_____ are used to keep data on phones safe, especially if a phone is lost or stolen; they are often engaged automatically after a period of inactivity, such as 5 minutes
These are a key security option you should use across all phones
Screen locks
__________ is the use of contextual information (who the user is, what resource they are requesting, what machine they are using, how they are connected, and so on) to make the authentication decision as to whether to permit the user access to the requested resource
Context-aware authentication
_____ on mobile devices refers to dividing the device into a series of containers, one container holding work-related materials and the other personal
Containerization
_______ segmentation is like containerization, but it focuses strictly on keeping the _______ used for corporate data separate from that used for personal data
Containerization and ________ segmentation are technologies to keep personal data separate from corporate data on devices
Storage segmentation
_____ is the encryption of the entire disk. In such scenarios, you are required to unlock the encryption upon reboot, typically with a passcode or passphrase
Full device encryption
A __________ is a hardware security module in a MicroSD form factor
This device allows you a portable means of secure storage for a wide range of cryptographic keys
MicroSD hardware security module (HSM)
MDM software is an application that runs on a mobile device and, when activated, can manage aspects of the device, including connectivity and functions
_____ is an enterprise-level endpoint management solution that can cover all endpoints, from PCs to laptops, from phones to other mobile devices, tablets, and even some wearables
MDM/Unified endpoint management (UEM)
The deployment, updating, and configuration of applications on devices requires an enterprise solution that is scalable and provides for the installation, updating, and management of in-house applications across a set of mobile devices
Mobile application management (MAM)
_____ is the Android implementation of Security Enhanced Linux (SELinux), a kernel security mechanism that enforces mandatory access control (MAC) over all processes, even processes running with root/superuser privileges
Security Enhanced Android (SEAndroid)
Many mobile devices have manufacturer-associated app stores from which apps can be downloaded to their respective devices. These app stores are considered by an enterprise to be ____________ stores, as the contents they offer come from neither the user nor the enterprise
Third-party application stores
_________ is used to bypass OS controls on Android, and __________ is used to escalate privileges and do the same on iOS devices
Both processes remove the OS controls that inhibit user behaviors, and with them the platform's protections, which is why MDM solutions commonly detect such devices and deny them access
Rooting/jailbreaking
_____________ is the process of adding apps to a mobile device without using the authorized store associated with the device
_____________ is an alternative means of instantiating an app on the device without having to have it hosted on the requisite app store, which also bypasses the store's vetting of the app
Sideloading
________ is firmware for a device that has been altered from the original factory settings
This firmware can bring added functionality, but it can also result in security holes
Custom firmware
_______ __________ is the process of programming the device to sever itself from the carrier
This is usually done through the inputting of a special key sequence that unlocks the device
Carrier unlocking
_____ updates let the device connect to the manufacturer's update service and update its firmware over the cellular or Wi-Fi network. All major device manufacturers support this model because it is the only really workable solution
Firmware over-the-air (OTA)
Many mobile devices include on-board cameras, and the photos/videos they take can divulge information. This information can be associated with anything the camera can image, such as whiteboards and documents, and even the location of the device when the photo/video was taken via geo-tagging
Camera use
_____ are standard protocols used to send messages, including multimedia content in the case of MMS, to and from mobile devices over a cellular network. Rich Communication Services (RCS) is a protocol that is currently used alongside SMS and MMS
SMS/Multimedia Messaging Service (MMS)/Rich Communication Services (RCS)