Implementation Flashcards

Question

What is this another name for? Fuzzing

Answer 1

* A colloquial term for Dynamic Analysis * May also be referred to as: * Fault-injecting * Robustness testing * Syntax testing * Negative testing

Answer 2

* A type of attack on applications, where random input is sent * Attacker is looking for vulnerabilities, application crashes, buffer overflows, exceptions, etc. * "Fuzzers" are tools to perform this. * Very time and processor resource heavy, but often designed to perform high-probability tests first.

Answer 3

* Cookies are used for tracking, personalization, and session management * Generally should not be a security risk, unless someone gains access to them. * Secure Cookies have an attribute set that requires they will only be sent over HTTPS * Sensitive information ought never to be stored in a cookie

Answer 4

* A way for the web server to restrict the capabilities of a browser from performing certain functions * Useful when an application is being used on your web server, but you aren't certain of that application’s security * For example, can be used to: ○ enforce HTTPS ○ only allow scripts, stylesheets, or images from the local site (preventing XSS attacks) ○ prevent data from loading in an iframe

Answer 5

* Application code can be digitally signed by the developer, confirming that the code has not been modified * Asymmetric encryption: ○ A trusted CA signs the developer's public key ○ And the developer signs the code with their private key

Answer 6

* Allow lists and deny lists can be made to control what applications may run on a system * Lists may be based on, for example: ○ Application's hash ○ A certificate, for digitally signed applications ○ The application's path, allowing applications to only run in certain folders ○ The application's network zone

Answer 7

* Static Application Security Testing * A tool to perform automated analysis on source code to identify security flaws * Findings and recommendations are reported, and would still need to be manually verified and applied * Not all flaws can be identified this way, such as authentication security issues and insecure cryptography

Answer 8

* Self-Encrypting Drive * Hardware-based full disk encryption * No operating system software needed * Follows the "Opal storage specification"

Answer 9

* Primary function it to manage the load across multiple servers * May also perform any of the following: ○ TCP offload (handles some TCP traffic rather than the servers) ○ SSL offload (encryption/decryption, so that comm. between balancer and servers is in-the-clear) ○ Caching (keeps copy of common responses on balancer, so it can respond quickly on behalf of servers) ○ Prioritization / QoS ○ Content switching (application-centric balancing, directing different functions to different servers)

Answer 10

* Scheduling is the method of determining which server a load balancer will direct traffic to * Example Active/Active methods: ○ Round-Robin (each server selected in turn) ○ Weighted Round-Robin (prioritizing some servers over others, rather than equal) ○ Dynamic Round-Robin (distribute traffic to server with lowest current load) • Active/Passive scheduling will only route traffic to "passive" servers if an active server fails (making the passive server become active)

Answer 11

* In Load Balancing, Affinity connects users to specific servers, so that whenever they reconnect, they will be directed to the same server as previously * Often based on IP address / port number or session ID * Used when an application requires communication to the same instance

Answer 12

* Similar in structure to a DMZ, but usually requires additional authentication to access, rather than allowing any public access * Often used for partners, vendors, suppliers, etc. to gain access to internal resources

Answer 13

* Traffic between devices in the same data center | * Includes traffic between separate customers within the same data center

Answer 14

* A term for a data center's Ingres/egress traffic to and from an outside device * Usually requires a stricter security posture than east-west traffic

Answer 15

* The device that performs encryption and decryption for a VPN connection * Often integrated into a firewall, but can also be a standalone device

Answer 16

* Uses the common SSL/TLS protocol (tcp 443) * Therefore, usually does not run into any firewall issues * can authenticate users * Doesn't require digital certificates or shared passwords * Can be run from within a browser or a light VPN client, but often doesn't require a VPN client

Answer 17

* HTML5 includes API support with web cryptography API | * Allows for the creation of a VPN tunnel in a browser without any VPN application

Answer 18

* Layer 2 Tunneling Protocol * Connecting sites over a layer 3 network as though they were connected at layer 2 * Does not inherently include encryption, but is commonly implemented with IPsec (L2TP for the tunnel, IPsec for the encryption) ○ (This is sometimes referred to as L2TP over IPsec or L2TP/IPsec

Answer 19

* IPsec modes of operation * in Transport mode, only the Data portion of the IP packet is encrypted * In Tunnel mode, both the IP Header and the Data are encrypted, and a new IP header is added, which directs the packet to the VPN concentrator on the other side of the tunnel.

Answer 20

* A security feature for switches * Limits the number of broadcasts per second * Often also used to control multicast and unknown unicast traffic * Can be managed either by specific values, percentages, or deviations baseline behavior

Answer 21

* Bridge Protocol Data Unit | * The primary protocol used by Spanning Tree Protocol

Answer 22

* If a BPDU frame is seen on a PortFast configured interface, the interface will shutdown * This is because PortFast interfaces are only supposed to connect to endpoints, which would never send BPDUs

Answer 23

* Cisco's term for the feature of bypassing the STP listening and learning steps when a device is plugged in * Configured for ports that are known to only be needed to connect to endpoints, so STP is not needed since it won't create a loop. * STP takes 20-30 seconds to determine how to handle a new connection, so bypassing it saves time

Answer 24

* Limiting access to the network based on MAC address Allow Lists * Security through obscurity * Not very secure since Allowed MACs on the network can be easily discovered and spoofed

Answer 25

* No need for NAT * Some attack types no longer apply (such as ARP spoofing, since there is no ARP) * But some new attack types apply, such as Neighbor Cache Exhaustion * It is not necessarily more or less secure than IPv4, it's just different

Answer 26

* An IPv6 attack which fills up the neighbor cache on devices * Can make a system unable to communicate with other devices on the network

Answer 27

* Switched Port ANalyzer | * Cisco's name for port mirroring to a software-based tap

Answer 28

* File Integrity Monitoring * Monitoring changes to files that should never change * Notifies when changes occur

Answer 29

* Tripwire: Real-time FIM tool for Linux | * SFC (System File Checker) - On-demand FIM for Windows

Answer 30

* Older style of firewall that does not keep track of traffic flows * Packets coming into the network will need access rules to get in, even if it is in response to requests originating from the firewall's internal network * Access rules are required for both directions of a session's traffic * Security concerns since rules require that external traffic will gain entry even if it is unsolicited

Answer 31

* Unified Threat Management * An all-in-one security appliance * Firewall, Content filter, anti-malware, spam filter, IDS/IPS, VPN endpoint, etc. * A precursor to NGWF

Answer 32

* Web Application Firewall * Applies rules to HTTP/HTTPS conversations * Instead of looking at ports and IPs, it allows or denies based on expected input.

Answer 33

• Implicit denies are not logged. Creating a rule means an attempted access will generate a log.

Answer 34

• Since it runs on your local machine, it can view traffic from an encrypted communication (HTTPS, etc.), since it is decrypted locally.

Answer 35

* Used for Network Access Control * For running health checks and posture assessment on devices on / connecting to the network * No installation required * Runs during the assessment, and terminates when no longer required

Answer 36

* Used for Network Access Control * For running health checks and posture assessment on devices on / connecting to the network * Integrated with Active Directory * Checks are made during login and logoff * Only runs at those times; cannot be scheduled

Answer 37

* Keeping a local cache of information * Access Control * URL Filtering * Content Scanning * A Reverse Proxy, which examines incoming requests from the Internet before sending them to a web server

Answer 38

• A proxy server on a network, where endpoints don't need to be explicitly configured to use it, and aren't aware of it.

Answer 39

• Network-based Intrusion Detection System

Answer 40

• Network-based Intrusion Prevention System

Answer 41

* When a passive IPS (not in-line with traffic) identifies malicious traffic and sends an TCP RST (reset) frame to prevent further traffic * It does not prevent the original packet from going through, but disrupts the traffic flow and prevents further communication * The reset frame is part of the TCP protocol; this response does not work with UDP traffic

Answer 42

* Signature-based: Must match exactly * Anomaly-based: Create a baseline of what's normal to detect unusual activity * Behavior-based: Programmed to know what certain malicious activities might look like * Heuristics: use artificial intelligence and big data

Answer 43

* A system that you connect to in order to access other internal systems * Must be highly-secured, hardened, and monitored

Answer 44

* Hardware Security Module * A dedicated server for handling cryptographic functions, storing keys, certificates, etc. * Used in very large environments with many devices that need cryptographic keys * Usually installed in clusters with lots of redundancy * Built with specialized hardware designed for cryptography * Can act as a proxy to offload encrypted communication for webservers, and forward the traffic to the webservers in the clear

Answer 45

• Message Integrity Check

Answer 46

* Stands for: Counter/CBC-MAC Protocol * A block cipher mode * The type of encryption used with WPA2 * Uses AES for confidentiality * Uses CBC-MAC for MIC

Answer 47

* Cipher Block Chaining Message Authentication Code Protocol | * A form of MIC (Message Integrity Check)

Answer 48

* Galois/Counter Mode Protocol * A block cipher mode * The type of encryption used in WPA3 * Uses AES for confidentiality * Uses GMAC for MIC

Answer 49

* Galois Message Authentication Code | * A form of MIC

Answer 50

* WPA2 is susceptible to brute force attacks. Once the passphrase is known, an attacker can read all communication of all devices * WAP3 uses: ○ mutual authentication ○ creates a shared session key without sending that key across the network ○ perfect forward secrecy ○ SAE

Answer 51

* A session key is created for each session, and disposed of when the session is over * New sessions would create a new key * Used, among other places, in WPA3

Answer 52

* Simultaneous Authentication of Equals * A Diffie-Hellman derived key exchange (same process), but adds an authentication component * An IEEE standard * sometimes called the dragonfly handshake * Used, among other places, in WPA3

Answer 53

* Best practice is to disable it * If it does not have brute-force protection built in, it is extremely easy to brute force * Only 11,000 possible combinations need to be tried to gain access * Brute-force lockouts are now the norm, but most devices out there don't have it.

Answer 54

* a PIN (which is easily brute-forced) * A physical button to push on the WAP * NFC

Answer 55

• 802.1X

Answer 56

* A type of network access control that requires authentication to access the network, whether wired or wireless * Typically uses a central authentication database such as RADIUS, LDAP, TACACS+, etc. * The authenticator (the device that provides network access) communicates to an authentication server on behalf of the supplicant (client)

Answer 57

* Port-based Network Access Control | * A name for 802.1X

Answer 58

* Extensible Authentication Protocol * The authentication protocol used by 802.1X, as well as many other types of authentication for wireless networks * Supports multiple types of authentication * Manufacturers can build their own EAP methods

Answer 59

* EAP Flexible Authentication via Secure Tunneling * Ensures that the authentication server and supplicant can communicate with each other over a secure tunnel. * The server provides a protected access credential (PAC), i.e. a shared secret, to the supplicant, they mutually authenticate and negotiate a TLS tunnel, and user authentication occurs over the TLS tunnel.

Answer 60

* Protected Access Credential | * A shared secret, used in EAP-FAST

Answer 61

• The acronym used for the Authentication Server in EAP

Answer 62

* Protected EAP (Extensible Authentication Protocol) * Created by Cisco, Microsoft, and RSA Security * Similar to EAP-FAST, but instead of a PAC (Private Access Credential), the AS uses a digital certificate. * (As with a web server, the client does not need its own certificate, only the server) * User can authenticate using MSCHAPv2 for Microsoft services, or GTC

Answer 63

• Microsoft Challenge Handshake Authentication Protocol version 2

Answer 64

• Generic Token Card

Answer 65

* EAP with TLS * Similar to PEAP, but requires a digital certificate on the client as well as the AS, so they can mutually authenticate * Once devices have authenticated to each other, the TLS tunnel is built for the user authentication process * Complex implementation as it requires all network devices to have certificates * May not be suitable, as not all devices can support the use of digital certificates,

Answer 66

* EAP Tunneled TLS * Similar to PEAP, builds a TLS tunnel using the digital certificate of the AS * (Does not require the supplicant to have a certificate) * Can use any authentication method inside the TLS tunnel, including other EAPs, MSCHAPv2, or anything else.

Answer 67

* A centralized management device for wireless access points | * Allows management of system configuration, performance, updates, etc.

Answer 68

* Mobile Content Management * Controls for securing access to data and protecting it from outsiders * Managed from the mobile device manager (MDM) * May include controls for file sharing and viewing, as well as DLP and encryption requirements

Answer 69

* An emerging technology * Looks at multiple contexts to determine whether a login attempt is likely to be authentic * Contexts may include: ○ Device IP address ○ GPS information ○ Devices connected / Bluetooth paired to the device ○ more

Answer 70

* The separation of enterprise mobile apps and data from personal apps and data * Storage on a mobile device is segmented to keep business data in a contained area with restricted sharing * Makes offboarding much easier. Business data can be wiped without removing personal data.

Answer 71

* A small Hardware Security Module, in microSD card form * Provides security services to mobile devices, such as: ○ encryption ○ key generation ○ digital signatures ○ authentication

Answer 72

* Unified Endpoint Management * Similar to MDM, but also manages non-mobile devices * Allows users to change between devices, such as phone and laptop, and still have same security and access

Answer 73

* Mobile Application Management * Provision, update, and remove apps from your own enterprise app catalog * Monitor application use * Fine-grained control of wiping data

Answer 74

* Security Enhancements for Android * Puts SELinux functions into Android OS * Supports additional access control security policies * Enabled by default since Android version 4.3 in July 2013 * Developed by NSA

Answer 75

* Protects privileged access to Android system daemons * Changed Discretionary Access Control (DAC) to Mandatory Access Control (MAC) * Isolate and sandboxes Android apps * Centralized policy configuration

Answer 76

* Over the Air * A type of firmware update for mobile devices * Delivered wirelessly without needing to connect to any device

Answer 77

* Control firmware updates * Use an allow list or block list of approved / blocked apps * Control microphone/camera use to disable/enable either always or only in certainly locations * Control SMS/MMS usage by timeframe or location

Answer 78

* USB On-the-Go * A USB 2.0 Standard that allows supported devices to connect directly together * A mobile device can act as both a host and a device, acting as storage

Answer 79

* aka GPS Tagging * Adds location to file metadata * Can cause security concern, since investigating these files can create a path of a user * Can be disabled

Answer 80

* Corporate-Owned, Personally-Enabled * A mobile deployment model * Similar to BYOD, but the company buys the device and allows it to also be used for personal use * Company keeps full control of device

Answer 81

* Choose Your Own Device | * Similar to COPE, but with the user's choice of device

Answer 82

* Virtual Mobile Infrastructure * Like thin clients, mobile phones can also connect to a cloud service where apps and data are stored * If the device is lost, no data is lost, no security concern * Allows for centralized app development, since you only need to write for a single VMI platform * No need to update all individual devices

Answer 83

* Availability Zone * Isolated locations with a cloud region (geographic location) * Each AZ is completely independent

Answer 84

High Availability Across (Availability) Zones • Highly Available applications can be aware of Availability Zones, and recognize an outage in a particular zone to adjust accordingly

Answer 85

* Identity and Access Management * Cloud resource security control to determine who gets access, and what they get access to * Maps job functions to roles * Granular policies control access by user group, IP, date and time, geolocation, etc.

Answer 86

* Virtual Private Cloud Endpoint * Allows private cloud subnets to communicate to other cloud services, even without an internet connection. * Facilitates connectivity between VPCs and cloud services such as storage.

Answer 87

* Use OSs that are designed specifically for containers | * Group containers of similar type onto the same host, to limit the scope of any intrusion

Answer 88

* In the context of Cloud Computing: * Security Groups provide Layer 4 firewall services for all resources within a VPC (Virtual Private Cloud) * Not to be confused with Security Groups in Active Directory * Not sure why they're not just called "VPC Firewalls" or something.

Answer 89

* Discretionary Access Control / Mandatory Access Control * In DAC model, users have control over access to their own data or local computer resources * In MAC model, access permissions are set by administrators. Resources objects (such as files) are given security labels which assign a classification and category, which matches it to users' classifications and categories to determine access.

Answer 90

* Cloud Access Security Broker * May be installed as client software, run as a local network appliance, or a cloud service * Four functions: ○ Visibility into what apps are in use, what data is being transferred, etc. ○ Enforce compliance regulations ○ Prevent threats / disallowed blocked items ○ Data Security: Enforce DLP, Encryption, etc.

Answer 91

* Next-Gen Secure Web Gateway * Protects users and devices regardless of location and activity * Goes beyond just examing Layer 4 (TCP/UDP), URLs, and GET requests * Examines JSON strings and API requests, to allow or disallow very specific activities

Answer 92

* Identity Provider * A third-party providing identity control for another service. * Essentially "Authentication as a Service" * Commonly used by SSO applications

Answer 93

* The use of public/private cryptographic keys to authenticate in SSH instead of a username and password * Especially used for automation and scripts, since you won't be there to enter a password when the script is running * Key management is crticial, to centralize, control, and audit key use * Both open source and commercial SSH key managers are available

Answer 94

• ssh-keygen ○ the command in Linux or MacOS ○ Creates a public/private key pair for authentication • Copy the public key to the SSH server: ○ ssh-copy-id user@host * Copy the private key to any system that will need to login * You can now login with the following command, no password required: ○ ssh user@host

Answer 95

* Knowledge-Based Authenication * A form of "Something you know" * Static KBA: Pre-configured security questions, often used with account recovery. ○ Ex., what was your first car? • Dynamic KBA: Not pre-configured, but pulled from some other source, often an identity verification service. ○ Ex., Which of the following addresses did you live at in 1999?

Answer 96

* Password Authentication Protocol * An old, basic authentication method. * Rare today. Used only in legacy systems. * No encryption, designed for analog dialup connections. * When used today, the application may provide encryption, encapsulated within PAP, so it's not sent in the clear.

Answer 97

* Challenge-Handshake Authentication Protocol * Encrypted challenge sent over the network * A step up from PAP * Server sends a challenge based on the password, which verifies both sides have that password, without sending the password itself. * This challenge-response may continue to occur periodically during the connection, invisible to the user

Answer 98

* Microsoft's implementation of CHAP * MS-CHAP v2 is the most recent version * Both v1 and v2 are insecure and should not be used, because they use DES * DES is susceptible to brute force decryption of the hash

Answer 99

* Terminal Access Controller Access-Control System * A remote authentication protocol * Originally built when using analog dial-up lines * Created for access ARPANET

Answer 100

* Extended TACACS * Cisco proprietary version of TACACS * Has additional support for accounting and auditing

Answer 101

* The latest version of TACACS. released in 1993 * If using TACACS today, it is probably this version * Adds more authentication requests and response codes

Answer 102

* a Network authentication protocol * Authenticates once, then you are trusted by the system and don't need to re-authenticate to access resources * Server provides a "ticket" that your system uses to authenticate to other systems without entering password again * Mutual authentication, which protects against on-path or replay attacks * Standard since 1980s, Microsoft began using it in Windows 2000

Answer 103

* Can work with a variety, including: * RADIUS * LDAP * TACACS+

Answer 104

* Security Assertion Markup Language * An open standard for authentication and authorization * Authenticate through a third-party to gain access * Not designed to support mobile apps, so is likely to decline in usage as time goes on

Answer 105

* Client accesses resource server * Resource server sends signed/encrypted SAML request to client, and directs them to the authorization server * Client signs into the Authorization Server * Authorization Server provides SAML token * Client sends SAML token to resource server and gain access

Answer 106

Open Authorization * An authorization framework with significant industry support * Determines what resources a user can access * Does not authenticate, only authorizes * Often used to provide authorization between applications * Ex. "Datto wants permissions to your Microsoft 365 account for the following. Do you want to allow this?"

Answer 107

* Attribute-Based Access Control * Next-gen authorization model, aware of context * Combines and evalutes multiple parameters to determine access * Ex. IP address, time of day, desired action, etc.

Answer 108

* Privileged Access Management * Centralized management of administrative / superuser accounts * When an admin needs to perform administrative task or gain access, they make a request from the vault, and the privileged access they need is granted only temporarily. "Checked out." * Enables automation * manages access for each user * extensive tracking and auditing

Answer 109

* Certificate Revocation List * Maintained by the CA * Contains many revocations in a large file which changes all the time.

Answer 110

* Online Certificate Status Protocol * Allows a web browser to check revocation status of a single certificate * Requests are usually sent to an OCSP responder, managed by the CA, via HTTP * More efficient than downloading an entire CRL just to check one certificate * Most modern browsers support OSCP, but some older browsers and apps do not.

Answer 111

* Domain Validation Certificate * SSL Certificate that shows the owner of the certificate is control over the DNS domain * This is the most common certificate used by websites

Answer 112

* Extended Validation Certificate * Like a DV, but additional checks have verified the certificate owner's identity * Browsers will show a name in the address bar next to the padlock icon that indicates the SSL connection * Not common anymore, since SSL has become standard, there's not much point in promoting your use of it.

Answer 113

• The standard structure for digital certificates

Answer 114

* Distinguished Encoding Rules * A type of binary encoding format * Common and used across many platforms * perfect for an X.509 certificate

Answer 115

* Stands for "Privacy-Enhanced Mail" * An encoded X.509 certificate in ASCII format * Makes it easier to read and e-mail, rather than the binary form of DER * The most common format provided by CAs

Answer 116

* Public Key Cryptography Standards #12 * A container format for many certificates * Store multiple X.509 certs in a single .p12 or .pfx file * Often used to transfer a private and public key pair * The container can be password protected

Answer 117

* An X.509 file extension used primarily by Windows * Can be encoded either as binary DER or as ASCII PEM format * Usually only contains a public key; private keys would be transferred in the .pfx file format

Answer 118

* Public Key Cryptography Standards #7 * Contains certificates and chain certificates; but does not include private keys * .p7b file extension * ASCII format * Wide support across multiple OSs and platforms

Answer 119

* Instead of the CA needing to respond to all OCSP requests, the certificate holder can verify their own status * Status information is stored on the certificate holder's server * OCSP status is "stapled" into the SSL/TLS handshake, digitally signed by the CA

Answer 120

* To ensure that you're really communicating to the legitimate server, you can "pin" the expected certificate or public key to an application. * You then compare that pined certificate to what you see when actually communicating with the server. * The cert must be compiled into the app, or added at first run. * If the expected cert doesn't match the certificate the server presents, the application can either shut down, or show a message, or etc.

Answer 121

* Single CA * Hierachical (Single root CA with intermediate and leaf CAs) * Mesh (CAs that all certify each other; does not scale well) * Web-of-trust (alternative to traditional PKI) * Mutual Authentication (Server and client both authenticate to each other)

Answer 122

* When your private keys (decryption keys) are kept and controlled by a 3rd-party * Ex., A business might store employee information in encrypted form, and only be able to access that private info if it is validated by the 3rd party * Requires trust of the 3rd party and very specific and clear process and procedures for validating

Answer 123

• Full Disk Encryption

Answer 124

• Host-based Intrusion Detection System