Security+ 9 Flashcards

1
Q

A birthday attack is an attack on a hashing system that attempts to send two different messages with the same hash function, causing a collision. To protect against a birthday attack, use a secure transmission medium, such as SSH, or encrypt the entire message that has been hashed.

A key stretching technique will take a weak key, process it, and output an enhanced and more powerful key. Often, this process will increase the size of the key to 128 bits, making attacks such as brute-force attacks much more difficult, if not impossible. Examples of key stretching software include PBKDF2 and bcrypt.

PKI : used to create, distribute, manage, store and revoke digital certificates.

A

info …

2
Q

Most certificates are based on the X.509 standard, which is often used for SSO. X.509 certificates include : owner (user) info including their public key, CA info with name, digital signature, serial number, issue and expiration dates, and version.

DV certificates : the CA checks the rights of the applicant to use a specific domain name. OV certificates : go beyond this by also conducting some vetting of the organization involved, the result of which is displayed to customers. EV certificates : go further by conducting thorough vetting of the organization.

Wildcard certificates : used to connect to a secure website that uses sub-domains.

Single-sided certificates : the server validates itself to receivers of the certificate and users don’t need to validate their own identity. Dual-sided certificates : server and user both validate their identities.

A

info …

3
Q

PEM uses .pem/.crt/.cer/.key file extensions and uses DER encoding method. P12/PFX : binary format based on PKCS#12, typically used to import/export certificates and private keys, uses .pfx/.p12 extensions. A .pfx file can be used to combine a private key with a PKCS #7 .p7b file, for use with Windows IIS or with S/MIME and SSO.

CA : issues certificates to users. In a PKI that uses a CA, the CA is the trusted third party. The CA is also responsible for verifying the identity of the receiver of the certificate.

If an individual certificate is mapped to a recipient, it is known as a one-to-one mapping. If multiple certificates are mapped to a recipient, it is known as many-to-one mapping.

A

info …

4
Q

Key escrow : when a secure copy of a user’s private key is held in case the key is lost.

Remember that if a root CA is compromised, all of its certificates are then also compromised, which could affect an entire organization and beyond. The entire certificate chain of trust can be affected. One way to add a layer of security to avoid root CA compromise is to set up an offline root CA. Because it is offline, it will not be able to communicate over the network with the subordinate CAs, or any other computers for that matter. Certificates are transported to the subordinate CAs physically using USB flash drives or other removable media. Use secure policies and DLP etc …

A

info …

5
Q

S/MIME relies on PKI and the obtaining and validating of certificates from a CA, namely X.509v3 certificates. It also relies on digital signatures when attempting to establish non-repudiation. S/MIME enables users to send both encrypted and digitally signed e-mail messages.

A

info …

6
Q

TLS and SSL work in much the same manner. Two types of keys are required when any two computers attempt to communicate with the SSL or TLS protocols: a public key and a session key. Asymmetric encryption is used to encrypt and share session keys, and symmetric encryption is used to encrypt the session data. Session keys used by protocols such as TLS are used only once: a separate session key is utilized for every connection. A recovery key will be necessary if any data is lost in an SSL/TLS session.

A

info …

7
Q

PPTP (VPNs) : encapsulates PPP packets to send encrypted traffic. Can be used with CHAP-based authentication protocols, but these are deemed vulnerable; it is often used with EAP-TLS, but L2TP with IPsec etc. are good.

L2TP : tunneling protocol used to connect VPNs. It is unencrypted on its own, but combined with IPsec it is encrypted and very good. Security must be configured on both the client and server side; valid certificates need to be downloaded to clients before a VPN connection can be made to the server.

IPsec : operates at the network layer; authenticates and encrypts IP packets. Made up of -> SA : establishment of secure connections and shared security info using certificates or cryptographic keys, usually set up with IKE or Kerberized Internet Negotiation of Keys. AH : offers integrity and authentication; it is a keyed hash based on all bytes in the packet, can be used with ESP, and can protect against replay attacks. ESP : provides integrity, confidentiality and authenticity; protected data is encapsulated and encrypted.

IPsec (Transport Mode) : payload of the IP packet is encrypted but header info is not; AH is still hashed so it has secure data transfer. Tunnel Mode : entire IP packet is encrypted; takes a regular IP packet and encapsulates it inside a new IP packet with a separate header.

A

info …

8
Q

Fail-open means that if a portion of a system fails, the rest of the system will still be available or “open.” Fail-closed means that if a portion of a system fails, the entire system will become inaccessible or simply shut down.

Surges : unexpected increase in the amount of voltage provided. Spikes : short in voltage due to short circuit, tripped circuit breaker, power outage, or lightning strike. Sags : unexpected decrease in the amount of voltage provided. Brownouts : voltage drops significantly so that lights dim and PCs shut off. Blackouts : total loss of power for a long period of time.

A

info …

9
Q

RAID 0 : striping, data is striped across multiple disks to increase performance, no of disks = 2, not fault tolerant.

RAID 1 : mirroring, data is copied to 2 identical disks, if 1 disk fails other continues to operate, fault tolerant, no of disks = 2.

RAID 5 : striping w/parity, data striped across multiple disks, if 2 disks fail the array can reconstruct the data from parity info, fault tolerant, no of disks = 3.

RAID 6 : striping w/double parity, data striped across multiple disks but has 2 stripes of parity info, system can operate w/2 failed drives, fault tolerant, no of disks = 4.

RAID 0+1 : system contains 2 RAID 0 striped sets, those 2 sets are mirrored, fault tolerant, no of disks = 4.

RAID 10 : system contains at least 2 RAID 1 mirrors that are striped, fault tolerant, no of disks = 4.

Failure-resistant disk systems: Protect against data loss due to disk failure. An example of this would be RAID 1 mirroring.

Failure-tolerant disk systems: Protect against data loss due to any single component failure. An example of this would be RAID 1 mirroring with duplexing.

Disaster-tolerant disk systems: Protect data by the creation of two independent zones, each of which provides access to stored data. An example of this would be RAID 0+1.

A

info …

10
Q

Use multiple network adapters for SPOF. Redundant ISP :

Two or more servers that work with each other are a cluster.

Full backup : backs up all contents of a folder.

Incremental Back-Up : backs up only contents of folder that have changed since last full backup or last incremental backup.

Differential Back-Up : backs up only contents of folder that have changed since last full backup.

Tapes should be stored in a cool, dry area, away from sunlight, power lines, and other power sources.

A

info …
