Security+ 7 Flashcards

1
Q

Connecting to a punch block or RJ11 jack with a butt set can be used to eavesdrop on communications. To protect against this, lock these devices up in a secure room.

Plugging in to an open port of a twisted-pair network : unused ports should be disabled, and central connecting devices should be locked in a server room accessible only to authorized personnel.

Splitting the wires of a twisted-pair connection : by cutting a twisted-pair cable and soldering a second twisted-pair cable to the right wires, a person could eavesdrop on all of the segment's communications. Cables should not be exposed and should be run above ceilings and inside walls; alerts can be sent from patch panels to junior admins for investigation if the cabling is tampered with.

A

info …

2
Q

Using a spectral analyzer to access data emanations : these devices can decode encrypted transmissions. A metal detector in the building should be used to detect them, and they should not be allowed inside the building, with the exception of authorized personnel.

Using a passive optical splitter for fiber-optic networks : requires access to the cable, disrupts communications for a time, and causes chromatic dispersion.

A

info …

3
Q

IDFs, usually 1 per floor, are where all cabling for that floor gets terminated. All IDFs connect somehow to the MDF, usually on the 1st floor or in the basement; the MDF is where circuits merge and connect out to external ISPs and other network providers. These rooms should be protected by a lock and biometric multifactor authentication, and by active video cameras.

Protected Distribution System (PDS) : secures the unencrypted flow of classified information. It protects cables, terminals, etc., including electrical, electromagnetic and acoustical concerns.

A

info …

4
Q

The Wireless Transport Layer Security (WTLS) protocol is part of the Wireless Application Protocol (WAP) stack used by mobile devices. It enables secure user sessions—for instance, banking transactions—using algorithms such as RSA, ECC, Triple DES, and MD5 or SHA.

VPN over Open Wireless is insecure and unencrypted.

Many WAPs come with a built-in firewall; if it is used, stateful packet inspection and NAT filtering should be enabled. MAC filtering, strong encryption, and NAC such as 802.1X and RADIUS can also be used.

A

info …

5
Q

AP isolation (also known as isolation mode) means that each client connected to the WAP will not be able to communicate with any other clients connected to the WAP. Each client can still access the Internet (or other network that the WAP is connected to), but every wireless user will be segmented from the other wireless users.

A WLAN controller acts as a switch for all WAPs, increasing data transfer speeds and centralizing management of security options. Thin access points have less functionality, while fat access points contain all functionality.

A

info …

6
Q

IV attack : a related-key attack in which the attacker observes the operation of a cipher using several different keys and finds a mathematical relationship between those 2 keys, allowing the attacker to decipher the data.

Geofence(ing) : a virtual fence defining the boundaries of a geographical area; it can allow or disallow a person's device based on physical location.

SATCOM : at risk if firmware is not updated, can be hacked remotely and physically.

A

info …

7
Q

Crossover error rate (CER) : this is also known as the equal error rate (EER) because the goal is to keep both the FAR and FRR errors at a common value, or as close as possible. The lower the CER, the better the biometric system in general.

Context-aware authentication : an adaptive way of authenticating users based on their usage of resources and the confidence the system has in the user. It can automatically increase or decrease the level of identification required and the access to resources based on constant analysis of the user.

SSO can be Kerberos-based, integrated Windows authentication, or token or smart card based.

FIM/FIdM : when a user's identity as well as the user's attributes are shared across multiple identity management systems.

SSO can be a main point of failure due to trust relationships between one sign-on organization and another.

A

info …

8
Q

802.1X encapsulates EAP over wired/wireless connections. EAP defines message formats; 802.1X is the authentication mechanism and defines how EAP is encapsulated within messages.

Supplicant : software client running on the workstation, known as the authentication agent.

Authenticator : WAP or switch.

Authentication Server : authentication database, most likely a RADIUS server.

A

RADIUS Etc …

9
Q

Kerberos : the client and server both verify each other's identity, known as mutual authentication. The server works with tickets to prove the identity of users. In Windows the domain controller is known as the KDC, which is made up of 2 logical parts : the authentication server and the ticket-granting server. A client PC attempts to authenticate to the authentication server part of the KDC; when successful, the client receives a ticket to get other tickets, known as the TGT. The client uses this first ticket to demonstrate its identity to the ticket-granting server to try to gain access to a service.

Kerberos relies on a centralized server such as a domain controller, so it can be a single point of failure. To solve this, 2nd and 3rd domain controllers can be installed that keep a copy of Active Directory, so no downtime occurs if one fails.

Kerberos is designed to protect against replay attacks and eavesdropping. Time is not always in sync; this can be solved by logging on to the affected client locally and syncing the client's time to the domain controller by using the net time command.

A

Kerberos

10
Q

CHAP uses PPP and a challenge-response mechanism with 1-way encryption using DES/MD5. Windows uses MS-CHAP/MS-CHAPv2 (v2 uses mutual authentication). PAP sends usernames and passwords in cleartext. CHAP authenticates a user or network host to things like Internet access providers, and periodically verifies the identity of the client by a 3-way handshake. Verification is based on a shared secret : after the link is established, the authenticator sends a challenge message to the peer, the encrypted results are compared, and the client is either authorized or denied access.

Always-on VPN functionality : a user can always have access via the VPN without the need to periodically disconnect and reconnect.

A

CHAP etc …
