Messer - 4. Network Security Flashcards
1
Q
What is tamper detection?
A
A feature on devices such as computers and servers that notifies you if the case is opened. Should be enabled in BIOS settings. Allows systems to monitor themselves.
Foil asset tags are also available. If tag is removed, a message is left behind on the device.
2
Q
TACACS stands for _________.
A
Terminal Access Controller Access-Control System
pronounced “tack acks”
3
Q
What is TACACS?
A
A remote authentication protocol similar to RADIUS that uses the AAA framework (i.e. Authentication, Authorization, Accounting).
First used to control access to dial-up lines to ARPANET (ancient precursor to the Internet).
[See AAA and RADIUS in Infrastructure section]
4
Q
What is XTACACS?
A
Extended TACACS
A proprietary Cisco-created version TACACS that provides additional support for accounting and auditing.
5
Q
What is TACACS+?
A
Latest version of TACACS. (If you’re using TACACS today, this is probably what you’re using.) Often associated with Cisco, but available for many different OSes. Uses similar topology as RADIUS, but encrypts ALL information between client and server, whereas RADIUS only encrypts password.
6
Q
SSO stands for ________.
A
Single Sign-On
7
Q
What is Single Sign-On (SSO)?
A
An authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors.
(e.g. If you’re managing a group of switches and routers, you don’t have to log in to each separate device)
[See: Kerberos]
[Reminds me of PTSEM’s website. Had to log in separately for email, library, etc.]
8
Q
What is Kerberos?
A
A network authentication protocol that offers single sign-on (SSO) functionality, which enables a user to log in to a system and access multiple resources without needing to repeatedly reenter username and password. Not only is this easier and less time-consuming for users, but makes network more secure because eliminates need to constantly send security credentials over a network.
It works by issuing cryptographic tickets when someone properly signs in, which can then be shown to other resources on the network. Uses mutual authentication (i.e. with both client and server) to protect against man-in-the-middle or replay attacks.
Used by Microsoft since Windows 2000, and used in Active Directory. But non-proprietary and cross-platform. However, does not work with every device. i.e. if your switches aren’t Kerberos-friendly, you may need to use a different authentication method.
9
Q
What is Active Directory?
A
A Microsoft product used to centrally organize IT assets like users, computers, and printers. Allows IT admins to group people together and manage access to various devices, and provide single-on access to those devices (with the help of Kerberos). Integrates with most Microsoft Office and Server products. Uses Offers LDAP support to allow LDAP-based applications to work with an existing Active Directory environment.
10
Q
LDAP stands for ________.
A
Lightweight Directory Access Protocol
11
Q
What is Lightweight Directory Access Protocol (LDAP)?
A
A protocol for accessing and querying directory services systems. In the context of the N+, these directory services systems are most likely to be based on UNIX or Microsoft Active Directory. Although LDAP supports command-line queries executed directly against the directory database, most LDAP interactions are via utilities such as an authentication program (network logon) or locating a resource in the directory through a search utility.
12
Q
LDAP is a derivative of the ______ protocol, also known as _______. The main advantage of LDAP is that it’s _______.
A
X.500
DAP
lightweight (duh)
13
Q
What is local authentication? And what are its advantages and disadvantages?
A
Authentication done locally on a machine by an operating system using values / credentials stored within it. i.e. An alternative to using a centralized authentication server or service. Basically the opposite of technologies that use AAA Framework (e.g. Radius, TACACS, Kubernetes).
The advantage is that it works if there’s no Internet connectivity, or if the AAA server is unavailable. Functions as a backup that allows you to still access routers, switches, firewall, etc.
The downside, of course, is that by not using a centralized database, it’s difficult to scale. All changes must be made across individual devices.
14
Q
PKI stands for ______.
A
Public Key Infrastructure
15
Q
What is PKI?
A
A collection of software, standards, and policies combined to govern the issuance of digital certificates to protect sensitive data, provide unique digital identities for users, devices and applications and secure end-to-end communications. Uses a public and private cryptographic key pair obtained and shared through a trusted authority.
[Not sure how much we really need to know about PKI. It’s only listed in glossary of exam objectives. But I feel like it’s important to understand Certificates, which are definitely in objectives. Messer is pretty weak on this topic]
16
Q
Explain how PKI’s encryption works.
A
PKI uses asymmetrical encryption, which basically just means you have two mathematically / algorithmically related keys.
If we use a public key to encrypt something, only the private key can decrypt it. This is great for secret correspondence. Just hand out the public key, and people can send us communication that only we can decrypt
But if I understand properly, we can also use the private key to encrypt something. And anyone can use the public key to decrypt it. Because we’re the only ones who can encrypt a message that the public key can decrypt, we’re able to prove our identity. So this would be helpful for digitally signing a document.
[Note: This is my own understanding based on looking at a few resources. Messer did not cover this at all]
17
Q
What are four important components of a PKI?
A
Certificates
Certificate Authorities (CAs)
Certificate Templates
Certificate Revocation List (CRL)
18
Q
What are certificates?
A
Electronic credentials that validate users, computers, or devices on the network. A digitally signed statement that associates the credentials of a public key to the identity of the person, device, or service that holds the corresponding private key.
ex. Certificates can be stored on laptop or thumb drive, then accessed during log-in process. They can also be on smart cards, which you can slide into a computer for access (along with PIN.)
19
Q
What are Certificate Authorities (CAs)?
A
Issuers and managers of certificates. They validate the identity of a network device or user requesting data. CAs can be either independent third parties, known as public CAs, or they can be organizations running their own certificate-issuing server software, known as private CAs.
20
Q
What are Certificate Templates?
A
Templates used to customize certificates issued by a certificate server. This customization includes a set of rules and settings created on the CA and used for incoming certificate requests.
[Don’t really get this one]
21
Q
What is a Certificate revocation list (CRL)?
A
A list of certificates that were revoked before they reached the certificate expiration date. Certificates are often revoked because of security concerns, such as a compromised certificate.
22
Q
What are the five possible factors in Multi-Factor Authentication? Give examples.
A
Something you know (e.g. password, pin, wipe pattern)
Something you have (e.g. smart card, dongle, USB token, phone)
Something you are (e.g. biometrics, fingerprint, voice, iris scan, gait)
Something you do (e.g. handwriting analysis, typing technique)
Geolocation (e.g. IP address, geolocation)
23
Q
NAC stands for _________.
A
Network Access Control
Cisco calls their flavor Network Admission Control
24
Q
What is Network Access Control (NAC)? Describe how it works.
A
A standardized approach for verifying that a node (i.e. device) meets certain minimum security criteria before it is allowed on a network. Certain advanced Cisco devices (e.g. switches and routers) use a feature called ‘posture assessment’ to do this. Includes checking for things like type and version of anti-malware, type and version of OS, level of QoS, presence of digital certificates, presence of keyloggers, whether machine is real or virtual, etc.
If everything checks out, host will be granted access to production network. Otherwise, host can be denied access, or quarantined on a non-production network.
The criteria to be assessed is gathered by a NAC agent, a piece of software that sits on the device being assessed.
25
What is 802.1X?
802. 1X is a port-based authentication network access control (PNAC) mechanism. Available for wired networks, VPNs, and wireless access points. [But mainly used for wireless??] It's a complete authentication standard designed to force devices to go through a full AAA process to get anywhere past the interface on a gateway system. Before 802.1X, a system on a wired network could always access another system’s port. Granted, an attacker wouldn’t be able to do much until he gave a user name/password or certificate, but he could still send packets to any computer on the network.
802. 1X worked hard to use already existing technologies. For wired connections, 802.1X commonly uses RADIUS as an authentication server. However, other AAA authentication servers can be used, such as LDAP and TACACS+.
802.1X combines RADIUS-style AAA with EAP (for password encryption, I assume). The folks who developed 802.1X saw it as
a total replacement for every other form of authentication (even Kerberos), but according to Meyers, only wireless networking broadly adopted 802.1X.
Allows for administratively disabling unused ports / interfaces. And for duplicate MAC address checking to prevent spoofers trying to get around NAC.
[Btw, Prof. Messer says a capital letter like 'X' in an IEEE standard indicates that it's a standalone standard, Lower-case letters identify amendments / supplements / revisions to existing standards. e.g. WiFi standards like 802.11g]
26
When using wired 802.1X, what is a supplicant, control, port and authenticator?
supplicant - The device (or a client on that device?) that is attempting to connect to a protected network and that requires authenticating
control port - The port that a supplicant is plugged into, and that ultimately controls access to the network
authenticator - the switch that is set up for 802.1x
[Messer says there's also usually an authentication / AAA server on the back-end.]
27
What is port security?
A form of access control that restricts specific MAC addresses OR a specific number of MAC addresses on a physical port. Commonly implemented by network admins to mitigate the threat of end users plugging in hub, switches, or wireless access ports (WAPs) to extend switching of a single port.
28
What is MAC filtering?
A form of access control that restricts or allows specific MAC addresses (i.e. the unique hardware address of every device) to be forwarded by a switch or wireless access point.
Zacker book says MAC filtering is a very effective method of security, because of the difficulty an attacker has identifying specific MAC addresses that are specifically allowed to be forward by a switch or WAP.
Messer disagrees. Says it's easy to find working MAC addresses through packet captures and that MAC addresses can be spoofed. Says anyone who knows a working MAC address can easily circumvent filter. Calls this security through obscurity.
[NOTE: Wireless Access Points (WAPs) use an access control list (ACL) to whitelist or blacklist MAC address
29
What is a captive portal?
A method of redirecting users who connect to wireless or wired systems to a portal for login or agreement to the acceptable use policy (AUP). Using a captive portal is common for wireless system access. (e.g. hotels, airports, but also common for corporate access to an organization's wireless network)
30
ACL stands for _______.
Access Control List
31
What is an Access Control List (ACL)?
A list of rules either permitting or denying different pieces of traffic from entering (ingress) or leaving (egress) a network. The general idea is that a router, switch, or firewall receives a packet and then typically allows or denies the packet based on the source or destination IP address (IP filtering), or the source and destination port (port filtering). Can also be based on protocols being used (e.g. TCP, UDP, ICMP, IP).
32
What are the two main components of wireless network security?
Encryption
| Authentication
33
____ was an early WiFi network security technology that had major cryptographic weaknesses. In 2002, it was replaced by ______, which relied on _____ encryption. In 2004, that was replaced by _______, which used ______ encryption and is still used today.
```
WEP
WPA
TKIP-RC4
WPA2
CCMP-AES
```
34
EAP stands for _______.
Extensible Authentication Protocol
35
What is Extensible Authentication Protocol (EAP)?
An authentication framework commonly used for wireless networks.
36
Name the four types of EAP that WPA and WPA2 use for authentication.
EAP-FAST
EAP-TLS (EAP Transport Layer Security)
EAP-TTLS (EAP Tunneled Transport Layer Security)
PEAP (Protected EAP)
37
Describe EAP-FAST
EAP Flexible Authentication via Secure Tunneling
- Cisco's proposal to replace LEAP (Lightweight EAP), previously used with WEP.
- Lightweight and secure.
[Not doing a great job on the EAP flashcards. Pretty confusing. Just copying Messer's stuff]
38
Describe EAP-TLS.
EAP Transport Layer Security
- Gained wide adoption as wireless tech became more popular
- Same security we use for web servers. Now using for wireless authentication
- Strong security, wide adoption
- Support form most of the industry
39
Describe EAP-TTLS.
EAP Tunneled Transport Layer Security
- Some orgs needed additional options for authentication
- Supports other authentication protocols in a TLS tunnel
- Use any authentication you can support, maintains security with TLS
40
Describe PEAP.
Protected EAP
- Created by Cisco, Microsoft, and RSA Security
- Encapsulates EAP in a TLS tunnel, one certificate on the server
- Combined a secure channel and EAP
- Commonly implemented on Microsoft devices as PEAPv0/EAP-MSCHAPv2
- Authenticates to Microsoft's MS-CHAPv2 databases
41
Name the three wireless security / authentication modes.
```
Open
WPA2 Personal (WPA2-PSK)
WPA2 Enterprise (WPA2-802.1X)
```
42
What is open / shared authentication?
A configuration mode on a wireless access point / wireless router that allows access without a password. This was the default setting for older APs.
[It looks more complicated than this based on some things I was reading. But I'm going to hope Messer is pointing in the right direction on this]
[Do NOT confuse a shared (i.e. open) network with pre-shared keys, which is WPA2 protected]
43
What is WPA2 Personal mode?
WPA2-PSK - Requires pre-shared key
A configuration mode on a wireless access point / wireless router, often used in homes or small offices, that require a pre-shared key for access. Everyone uses the same 256-bit key. If you change the pre-shared key, you also have to change configuration of all devices connected to that network.
[You could see how this would be hugely inadequate for a business. Frankly, a business of almost any size. If one person leaves the office, you have to re-configure ALL devices. Even in our home, would be a huge pain to change the wireless password]
44
What is WPA2 Enterprise mode?
WPA2-802.1X
A configuration mode on a wireless access point / wireless router, often used for larger businesses, that authenticates users individually with an authentication server (e.g. AAA, RADIUS). When someone leaves an organization, all of their access can be disabled without impacting others. Individuals can also change their own password without affecting anyone else.
45
Describe MAC Filtering.
A configuration setting on some wireless and wired access points that allows an admin to only grant network access to a device if that device's MAC address has been whitelisted.
This is considered security through obscurity (i.e. not strong security). It's relatively easy to find MAC addresses through wireless LAN analysis. (You can use a wireless analyzer to find all MAC addresses on a network.) And then it's possible for someone to spoof a MAC address and gain access. Not quite as bad on wired networks, but still not considered good security.
46
What is geofencing?
When a wireless technology (usually GPS or RFID) is used to define a virtual fence around a geographic location within an application so that individuals can be tracked when entering or leaving that “virtual fenced” area.
When someone or something enters the geofenced area, an alert or text message can be generated to notify you. Or you can restrict or allow certain features when a device is in a particular area. For example, you can disable the camera on a phone when inside a sensitive building. Or perhaps you only allow logins when a device is located in a particular area.
47
DoS stands for ________.
Denial of Service
48
What is a Denial of Service (DoS)?
A type of attack that causes a system or its services to either crash or become unresponsive. As a result, the system cannot fulfill its purpose and provide those services.
Careful: Does not have to involve flooding of traffic. Could be as simple as turning off power to a building. Could involve seriously and/or permanently damaging a service (e.g. Stuxnet).
Messer: Could be a friendly, unintentional action (e.g. creating a layer 2 loop or breaking a pipe in a server room).
49
What are three common types of DoS attack?
Distributed (DDoS)
Amplified
Reflective
[I feel like these overlap. I could see a situation where the attack is distributed, amplified, AND reflective]
50
What is a Distributed DoS (DDoS)?
A DoS attack where a hacker uses multiple hosts or systems to attack a single target system. Very difficult to stop because attack is coming from many places at the same time.
One example would be using a botnet to create a huge traffic spike, using all the bandwidth or resources of a service. Another would be a smurf attack, in which hacker pings a number of computers but modifies source address of those packets so they appear to originate from victim's system. All those replies then flood the victim.
51
What is a reflective DoS?
A DoS attack in which the attacker sends requests containing the target server’s IP address to legitimate servers on the Internet, such as DNS servers, causing them to send a flood of responses that overwhelm the target. (The reflection helps disguise the identify of the attacker.)
52
What is an amplified DoS?
A DoS attack in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would.
Messer: Can involve abusing older protocols with little (if any) authentication (e.g. NTP, ICMP).
[Note: This is often a type of reflective attack, from what I understand]
53
What is social engineering?
A very low-tech form of attack where hacker attempts to trick a person into compromising security through social contact such as an e-mail or phone call. Can involve multiple people and multiple organizations.
[Note: Often, social engineering is not attempted against the ultimate target, but against third parties connected to the target. e.g. the Target's social media accounts, or domain registrar, or credit card, or Paypal]
54
Describe some of the principles / strategies used in social engineering
* Authority (e.g. "I'm calling from the help desk / office of the CEO / police")
* Intimidation (e.g. "Bad things will happen if you don't help")
* Consensus / social proof (e.g. Your co-worker Jill did this for me last week)
* Scarcity (e.g. ?)
* Urgency (e.g. We need to hurry because...) [often connected to scarcity]
* Familiarity / Liking (e.g. referring to acquaintances, common friends)
* Trust (e.g. I'm from IT, and I'm here to help)
[You see this stuff all the time in the movies. Or even old television shows. Think of all the stuff Face did on the A-Team. I feel like he used just about all of these]
55
What is an insider threat?
The potential for attacks or security breaches posed on by employees of an organization. Can include a disgruntled employee, an employee with criminal intent, or an employee participating in corporate espionage. [Or an activist / hacktivist / whistleblower like Edward Snowden?] Depending on how broad the definition, could also include innocent employees who were scammed or coerced, or careless employees (e.g. using a company laptop for personal use).
Insiders are especially dangerous because they tend to be more trusted than outsiders, and often have access to sensitive data. Messer shows some scary stats: 20% of attacks caused by insiders, often never publicized.
Can cause critical system disruption, loss of confidential or proprietary information, financial harm, harm to reputation. Can inject malware and initiate attacks.
Some ways to mitigate the threat: Logging and auditing. Assigning privileges only as needed (i.e. "least privilege). Physical security. Encryption. Policies and procedures. Best to use a layered approach to defense.
56
What is a logic bomb?
Malware that executes when a certain time or predefined event occurs, often left by someone with a grudge, and usually causing devastation (e.g. destruction of data).
Difficult to recognize, because each is unique (i.e. no predefined signature to match). Prevention methods include: processes and procedures (e.g. formal change control), electronic monitoring (e.g. alert admin if certain files change or intrusion detected), constant auditing, and of course, backups.
(e.g. a program that always makes sure an employee's name appears on the payroll roster; if it doesn’t, key files begin to be erased)
[Think "time bomb"]
57
What is a rogue access point?
An unauthorized access point that has been installed on an organization’s LAN. [Often for malicious purposes, but there are potentially innocent reasons, as well. Like an employee wanting Internet access in the cafeteria.] When a WAP is installed without properly implementing security, it opens the organization up to possible data loss or penetration by an attacker. Port security on the local switching equipment is used to mitigate the risk of a rogue access point.
Very easy to plug in a wireless AP, or enable wireless sharing in your OS.
Good to perform periodic surveys (e.g. walk around building / campus). Use third-party to identify where wireless communication is coming from (e.g. WiFi Pineapple). You should perform regular wireless scans with software such as NetStumbler or Kismet to locate any rogue wireless access points. Also note that enterprise networks using wireless controller–based systems using Lightweight Access Point Protocol (LWAPP) will have rogue detection builtinto the system. Consider using 802.1X (network access control) to require authentication, regardless of connection type.
58
What is an evil twin?
A rogue wireless access point that poses as a legitimate wireless device on the network to intercept transmitted data.
Messer says you can buy a wireless access point, configure it exactly the same as an existing network device (e.g. same SSID, security settings, maybe even password). The signal could overpower existing access points so users connect to your evil twin. [He says might not even require same physical location. Huh?] Public WiFi hotspots that are open and not using 802.1x, like in hotels and coffee shops, are particularly easy to fool.
Best way to mitigate this on personal level is to use HTTPS and VPN. Even if your data streams are stolen, will be encrypted.
59
What is war driving?
When someone drives around with a mobile device and tries to locate wireless networks that they can connect to and/or scan for vulnerabilities. A huge amount of intel can be quickly gathered with free tools (e.g. Kismet, inSSIDer, wigle.net).
There are a number of alternatives, including warflying with drones and warbiking. Sometimes war-drives will mark an open or vulnerable location with chalk markings (called war-chalking).
Security measures: Place wireless access points in the middle of the
building and control power levels so signal cannot be reached from outside. Implement security features such as WPA2 encryption, MAC filtering, changing the SSID, and disabling SSID broadcasting. [Changing the SSID?]
60
What is phishing?
A common type of social engineering attack (with a touch of spoofing). A phishing attack is when the hacker creates a fake replica of a popular website, such as a bank or eBay. Then sends an email (or text message, IM, etc.) trying to trick a user into clicking a link that leads to the fake site. When the user attempts to log on with their account info, the hacker records the user name and password and tries that info on the real site.
Security measures: Check URLs. Don't click links, but enter them directly into browser instead. Look for things that don't look quite right (e.g. spelling errors, strange fonts, missing graphics.)
61
What is vishing?
Voice phishing done over the phone (e.g. fake security checks or bank updates)
62
What is spear phishing?
Phishing directed at specific individuals or groups within an organization. Often involves phishing with customized, inside information to make the attack look more believable. Called "whaling" if targeting CEO or other high-value target.
[ex. Ten years of John Podesta's emails ending up on WikiLeaks]
[Really does make me start to appreciate the policy of deleting old emails]
63
What is ransomware?
Malicious software that takes control of your system and does not give control back until you pay a fee. A common scenario today is that the ransomware encrypts your drive, and if you pay a fee you can get the encryption key. Sometimes it can be a fake-out (i.e. not really locked).
Security measures: Offline backups. OS patches. Antivirus / antimalware updated.
64
What is DNS poisoning?
A hacker alters (or poisons) your DNS server's data in order to redirect clients to the wrong system. [Remember, DNS converts name into an IP address.]
Modifying a device's host file is similar. Host file actually takes precedence over DNS queries. But tough to do this across a lot of individual machines.
Another common attack against DNS is when a hacker tries to do a zone transfer (copy your DNS data) in order to map out your network.
65
What is ARP poisoning?
An attack in which an attacker sends a forged ARP reply to a client to redirect traffic to the attacker’s host. The forged ARP reply will contain the MAC address of the attacker’s host. The attacker can then use their host as a relay and eavesdrop on the conversation.
In other words: A hacker can insert himself in the middle of
communication by altering the Address Resolution Protocol (ARP) cache on a victim’s system and causing all communication to pass through the hacker’s system so he or she can capture all traffic. This is a common method to perform a man-in-the-middle attack.
Messer says easy to do if attacker is sitting on the same IP subnet as the two victimized devices because ARP has no security.
66
What is spoofing, and what are some different types?
When a device pretends to be something it's not in order to bypass access control systems and gain access to protected resources on a network. Often occurs in man-in-the-middle attacks and DoS attacks.
Ex of things that can be spoofed:
- Web server
- DNS server
- Email address
- Caller ID (e.g. fake local area code)
- ARP poisoning
- MAC address (very difficult to detect)
- IP address (can be legit. e.g. load balancing and testing)
67
What is deauthentication?
[How is it used by Hackers? Why does the vulnerability exist? And how is that vulnerability exploited?]
aka disassociation
An attack that allows a hacker to disconnect, or deauthenticate, a client from a wireless network. Can be done repeatedly to keep someone off a wireless network indefinitely, essentially creating a significant DoS attack. (And not much you can do about it, except plug in.)
Also, by forcing a client to reauthenticate with the wireless network, it gives hacker an opportunity to capture reauthentication traffic. The authentication packets can be replayed in hopes of cracking the wireless encryption.
De-authentication might also motivate the victim to choose another AP. e.g. a rogue AP or one at a venue that asks guests to pay for "premium" service rather than using free WiFi. A number of hotels were sued by the FTC for launching attacks of this type and generating revenue by requiring their guests to pay for “premium” services rather than being able to use their own free hotspots. [Wow.]
Basically, the reason this vulnerability exists is because the 802.11 wireless protocol didn't originally include a way to encrypt / validate / authenticate management frames, which are used to find access points, manage QoS, associate / disassociate with an access point, etc. IEEE addressed the problem in 2014 with 802.11w, which encrypts some important management frames. But not all frames are encrypted; some need to remain in the clear. 802.11w is required for 802.11ac compliance, and will roll out moving forward.
Tools for mounting a WiFi deauthentication attack include: Aircrack-ng suite, MDK3, Void11, Scapy, and Zulu software. Aireplay-ng, an aircrack-ng suite tool, can run a deauthentication attack by executing a one-line command. So can Pineapple WiFi, a rogue access point.
[I find this really interesting, for some reason]
68
What are the three types of password attacks?
dictionary attack
brute-force attack
hybrid attack
69
What is a dictionary attack?
An password-cracking attack that uses a dictionary as a list of potential passwords to attempt.
70
What is a brute-force attack?
A password-cracking attack that attempts every possible combination of characters.
Usually a last-ditch effort after a dictionary attack has failed, since brute force requires a lot of computational resources.
Also usually performed offline, when a hacker has obtained a list of users and hashes. Difficult to attempt online via repeated login attempts because very slow and most accounts will lock out.
71
What is a hybrid password attack?
An attack that is part dictionary and part brute-force. Uses a word list file, but also places numbers and other combinations of characters at the end of the dictionary words. e.g. Unlike a dictionary attack, a hybrid would attempt "pass1"
72
What is VLAN hopping, and how is it done?
An attack in which someone switches the VLAN to which they are
currently assigned to gain access to a system on another VLAN. Allows the attacker to bypass access controls to the protected resource.
Two methods allow this:
1) Switch spoofing. Some switches support an automatic configuration mode (i.e. trunk negotiation). Attacker can pretend to be a switch by using specialized software, and gain a trunk link to a switch, which allows them to send and receive from any configured VLAN.
Solution: Manually define which interfaces are for a trunk, and which for access device.
2) Double-tagging. Normally, when a frame is sent across a trunk connection, a tag is added to that frame. And on other side, that tag is evaluated and removed. And frame sent to correct VLAN. Attacker can get around this by crafting a packet that includes two VLAN tags. The first native VLAN tag is removed from the first switch, making the second "fake" tag now visible to the second switch. Packet is forwarded to target on a one-way trip. No way to get responses back, but good for DoS.
Solution: Don't put devices on native VLAN, change native VLAN ID, and force tagging of native VLAN.
73
What is Man-in-the-middle (MITM)?
An attack in which a hacker inserts himself in the middle of two systems that are communicating. He then passes the info back and forth between the two parties, with neither knowing that all the
communication is passing through the hacker’s system. The hacker can view and manipulate any sensitive data sent between the two systems.
Messer mentions Man-in-the-browser attack, which doesn't require that the attacker be on your local subnet. Instead, simply creates a proxy, sending all your info in and out of it. They can see everything, including encrypted traffic, because they're on your local machine. And everything looks normal to victim. Can wait for you to login to your bank, then steal your credentials. Requires attacker to first install malware on your machine.
74
What is a vulnerability and an exploit, and what's the difference.
A vulnerability is a weakness in a system; an exploit is when that weakness has been nefariously used. Analogy: An unlocked window is a vulnerability. A thief climbing in through it is the exploit.
Vulnerability could be in an OS, application, or process. Some are never discovered, or only discovered after years of use. Could involve a broken authentication process, a security misconfiguration, etc.
75
What is a zero-day attack?
An attack that exploits a vulnerability that has yet to
be detected or published. Researchers around the world are working hard to find vulnerabilities in OSes and applications, but sometimes the bad guys get there first.
76
What is network hardening? List some methods for implementing it.
Improving the security of a network. Can be accomplished by:
- Changing default credentials (of network devices)
- Avoiding common passwords
- Upgrading device firmware
- Patching and updating OSes and other software
- Hashing our files
- Disabling unnecessary services
- Using secure protocols
- Generating new keys
- Disabling unused ports (e.g. IP ports and physical / virtual device ports)
77
Explain the importance of changing default credentials.
Most devices have default usernames and passwords, often well-known and available on sites like RouterPasswords.com. Those credentials may provide full, administrator access. Not ideal for network security.
78
Explain the importance of avoiding common passwords.
When hackers are trying to crack passwords, they start with low-hanging fruit. That is, passwords that can be found in dictionaries, other word lists, and lists of previously cracked passwords. The brute forcers also start with the easier passwords first.
79
Explain the importance of upgrading firmware.
Many network devices do not use a traditional OS. Instead, all updates are made to firmware. The potential exists for security vulnerabilities (contrary to what one idiot author said in his N+ practice exam).
80
Explain the importance of file hashing.
A file hash is a (relatively) short string of text created by running an algorithm (such as MD5 or SHA) against a data source (such as a file). If anything is changed in our original data, either intentionally or through corruption, this hash or digital fingerprint or "message digest" will also change, allowing us to verify the integrity of our downloaded or saved file.
81
Explain the importance of disabling unnecessary services.
One way to avoid vulnerabilities associated with particular services is to disable them. Every service has the potential for trouble, and some of the worst vulnerabilities are unknown (i.e. zero day).
Unfortunately, there are a growing number of services on modern OSes (over 240 on Windows 10), and it isn't always obvious what's necessary. May require a lot of research, different sources, trial and error, etc.
82
Explain the importance of using secure protocols.
There's a wealth of information in our network packets, which are particularly vulnerable to being intercepted on a wireless network. So whenever possible, it's best to use secure protocols over insecure ones. (e.g. SSH instead of Telnet, SFTP instead of FTP, HTTPS instead of HTTP, SNMPv3 instead of older versions, etc.) Also good to use VPNs (e.g. TLS/SSL or IPSec)
83
Explain the importance of generating new keys.
When we communicate to network devices over encrypted channels (e.g. HTTPS, SSH), we're usually using encryption keys. Sometimes devices ship with a default key [similar to default username / password on routers]. Important to change these. And to have a formal policy and set of procedures to ensure this.
But what Messer doesn't mention is that key pairs may have expiry time. It's directly related to length in bits of the encryption key pair (this length is called the modulus). At some point, a network's operating system will require generation of new keys. Can be done automatically by the OS, or manual intervention may be required.
Also important to regenerate key pairs if they have been compromised.
84
Explain the importance of disabling unused TCP and UDP ports.
The more ports we have open on a network system, the greater the surface area for a remote attack. Therefore, after a system has been installed, it is best practice to disable any TCP/IP port that is not being used for the primary purpose of the network system. This is achieved via a firewall. [Messer says either a host-based / personal / software firewall or a network-based firewall. Another guy says this requires host-based firewall. Tend to think Messer's right on this one.]
85
Explain the importance of disabling unused device interfaces.
Physical ports are susceptible to exploit. e.g. If a network device has a serial port, also known as a console port, an attacker could plug in and manipulate the system. Any unused ports on network devices should be either disabled or password protected. Virtual ports are also susceptible to attacks. Many virtual machine technologies allow
for serial ports to be extended to a remote workstation over TCP/IP. These ports generally are just as exploitable as their physical counterparts. If virtual console ports are not required, they should be disabled. Messer says particularly important to disable physical interfaces in easily accessible common areas like a conference or break room. He suggests 802.1X Network access control (NAC), which will require a user to be authenticated before gaining access to a switch interface.
86
Explain the purpose of changing native VLANs as a mitigation technique.
The native VLAN receives all untagged frames from untagged ports. By default, this is the same as the default VLAN. [i.e. VLAN 1] However, this configuration poses a security risk when untagged traffic is allowed to travel in a VLAN-managed network. To protect the network from unauthorized traffic, the native VLAN should be changed to an unused VLAN so that untagged traffic essentially runs into a dead-end.
[I believe this prevents the "double-tagging" vulnerability]
87
What are the two mechanisms used to protect switches from malicious spanning tree protocol (STP) traffic?
BPDU Guard
| Root Guard
88
What is BPDU Guard?
Prevents host from injecting bridge protocol data units (BPDUs) into a network using Spanning Tree Protocol (STP).
i.e. Causes a port configured with PortFast that receives a BPDU to become disabled. BPDUs are not expected on access ports, so this protects against misconfigurations and attacks. (PortFast is a configuration on Cisco switches that minimizes effect of unicast flooding by ensuring that access ports are excluded from topology change notifications. Or as Messer puts it, PortFast allows you to bypass listening and learning states.)
[Note: Messer says you should only enable BPDU guard on interfaces that you know will be used by end station devices]
[Also something called BPDU filter that does something similar. But instead of disabling port, causes port to drop all BPDUs. Can lead to loops if used improperly]
89
What is Root Guard?
Prevents devices from attempting to become root bridge on a Spanning Tree Protocol (STP) network. So even if a switch appears with a low MAC address and a priority set to 0, still won't be able to become root bridge.
[Note: This is root bridge, not root port. Root port is a port that forwards data up to the root bridge]
90
What is Flood Guard?
Switch port protection features that prevent an attached host from using spoofed MAC addresses and ARP traffic to engineer a situation where switch starts flooding all unicast traffic. (i.e. MAC flooding where someone tries to flood network with numerous MAC addresses)
With Flood Guard, you configure a max number of source MAC addresses on a switch. And you can also configure specific MAC addresses. If max number is exceeded, port security is activated. By default, that usually disables interface.
91
What is DHCP snooping?
A switch port protection setting that inspects DHCP traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address. Can also be used to prevent rogue DHCP servers from handing out erroneous IP addresses on a network. With DHCP snooping enabled, only DHCP offers from ports configured as trusted are allowed.
[Careful: Because DHCP involves IP address, it would be easy to confuse this for a Layer 3 process. But remember that this is switch security operating at Layer 2. It prevents erroneous IP addresses at a layer deeper than IP by preventing devices with spoofed MAC addresses.]
92
What is network segmentation, why is it a useful, and what are the two main ways of implementing it?
Involves diving a network into smaller subnetworks, and controlling how those subnetworks are accessible to each other.
Useful as a security mitigation technique because it confines an attack to a particular part of a network. Which is connected to compliance. (e.g. If you handle credit card and health info, segmentation may be mandatory.) Also useful for optimizing performance by reducing broadcast traffic, isolating heavy load systems or certain protocols, for example.
Two main ways of segmenting a network:
* Physical - Devices are physical separated (e.g. Web servers in one rack, database servers in another. Application A servers in one rack, Application B in another. Customer A on one Switch, Customer B on another.) Tends to be inefficient / wasteful, because not maximizing your equipment.
* Logical - Employs VLANs, VPNs, or host virtualization to segment a network
[A very stringent, highly secure method of network segmentation is requiring complete physical separation from any other network. Referred to as an air gap. Creates a lot of management issues]
93
Networks are segmented by switches at Layer 2, but describe how security between segments is handled at Layer 3.
The main unit of a logically segmented network is a zone. A zone is an area of the network where the security configuration is the same for all hosts within it. Network traffic between zones should be strictly controlled using a security device—typically a firewall using ACLs. (Routers can also use addressing schemes with NAT and port forwarding to control communication between zones.)
Firewalls can be used to segment a network by implementing a system of security zones. A DMZ is an Internet-facing area of the
network outside the firewall protecting the LAN.
[Not sure how great I did with this stuff]
94
What are privileged user accounts and role separation? Explain their relevance as common mitigation techniques.
A privileged user account has complete administrator / root access to a system, which is often necessary to manage hardware, drivers, and software installation.
As a security best practice, you should have role separation with different access rights, so that normal user accounts have limited control. (e.g. basic privileges that allow reading or modifying documents, or adjusting superficial OS / desktop properties).
This kind of role separation makes it harder for an insider threat or a breached account to compromise an entire system. This goes hand-in-hand with another principle known as 'least privilege,' which states that a user should only be granted minimum sufficient permissions, and no more.
Role separation, more broadly, can also refer to duties within an organization. Responsibilities within an organization should be divided among individuals to prevent ethical conflicts or abuses of power (e.g. You'd want a system developer to be different than the auditor.
95
FIM stands for _________?
File Integrity Monitoring
96
What is File Integrity Monitoring (FIM)? Give examples.
A type of software that audits important system and application files to ensure they have not been tampered with. Uses a security checksum or hashsum to do this.
Examples:
- Windows File Protection service (runs automatically)
- Windows - System File Checker (SFC) (downloadable)
- Multi-platform - Tripwire and OSSEC
- Many host-based IPS / IDS options
97
Describe the difference between a honeypot and a honeynet.
A honeypot is a computer system set up to attract attackers, with the intention of analyzing attack strategies and tools, to provide early warning of attack attempts, or possibly as a decoy to divert attention from actual computer systems. Another use is to detect internal fraud, snooping, and malpractice.
A honeynet is an entire decoy network. This may be set up as an actual network or simulated using an emulator.
98
What is penetration testing?
(aka pen testing)
A white hat hacking technique to discover and exploit weaknesses in a network's security.
99
What is the difference between penetration testing and vulnerability scanning?
Pen testing is a more comprehensive assessment. Actually tries to exploit the vulnerabilities that are found. Because even though the potential for an exploit exists, in practice, the permissions on the server might prevent an attacker from using it. This fact would not be identified by a vulnerability scan, but should be proven or not
proven to be the case by penetration testing.)
Penetration tests are often contracted to third parties, following the assumption that it is better to have an independent test of the system security design than to rely on the designer. (Third parting testing might also be a compliance mandate.) Alternatively, a large organization may split its security personnel into a "blue" defense team and a "red" attack team.
For a good overview, Messer recommends:
Technical Guide to Info Security Testing and Assessment
http://professormesser.link/800115 (PDF download)
