Security/Network Basics (Ch. 1,2)

Question 1

CIA triad

Answer 1

_ confidentiality
_ integrity
_ availability

Question 2

User identification

Answer 2

_ Claiming an identity prior to authentication

Question 3

Integrity

Answer 3

_ Ensures data has not changed.
_ Can uses hashes to verify integrity

Question 4

Redundancy

Answer 4

_ Provides fault tolerance

Question 5

SPOF

Answer 5

_ Single point of failure
_ If it fails, the entire system “can” fail

Question 6

Scalability vs. elasticity

Answer 6

Scalability:
_ long-term strategy for being able to scale
_ done manually
Elasticity:
_ ability to dynamically scale up or out as needed
_ scales back down when not needed

Question 7

TCO

Answer 7

_ total cost of ownership

Question 8

resiliency

Answer 8

_ ability to self-heal or recover from faults with minimal downtime
_ e.g. performing and testing backups
_ e.g. UPS or generators
_ e.g. NIC teaming
_ e.g. redundant disk subsystems
_ e.g. retrying failed processes

Question 9

Space needed for encryption

Answer 9

_ typically about a 40% increase

Question 10

risk

Answer 10

_ the possibility or likelihood of a threat exploiting a vulnerability and resulting in a loss

Question 11

threat

Answer 11

_ a circumstance or event that has the potential to compromise confidentiality, integrity, or availability
_ can be natural or man-made
_ can be intentional or accidental

Question 12

Risk mitigation

Answer 12

_ reducing the chances that a threat will exploit a vulnerability

Question 13

Categories of security controls

Answer 13

_ managerial controls
_ operational controls
_ technical controls
_ (classification alternative to “control types”)

Question 14

Managerial controls

Answer 14

_ administrative controls
_ document policy
_ regular reviews, such as risk assessments and vulnerability assessments

Question 15

Operational controls

Answer 15

_ ensure day-to-day ops comply with security plan
_ primarily implemented by people rather than systems
_ e.g. awareness and training
_ e.g. configuration management (such as secure baselines and change management)
_ e.g. media protection
_ e.g. physical and environmental protection

Question 16

Technical controls

Answer 16

_ technological controls, whether software or hardware

Question 17

Control types

Answer 17

_ preventative
_ detective
_ corrective
_ deterrent
_ compensating
_ physical
_ (classification alternative to “control categories”)

Question 18

Preventative controls

Answer 18

_ hardening (making more secure than default config, using defense-in-depth)
_ training
_ security guards
_ change management (a change process helps catch configuration problems before they occur)
_ account disablement policy
_ intrusion prevention system (IPS)
_ and others (not listed)

Question 19

SEM

Answer 19

_ security event management
_ real-time monitoring and analysis of security events

Question 20

SIM

Answer 20

_ security information management
_ long-term storage of security data
_ used for analyzing trends and creating reports

Question 21

SIEM

Answer 21

_ security information and event management system
_ collects, analyzes, manages data from multiple sources
_ detects trends
_ raises alerts
_ combines SEM and SIM functions

Question 22

IDS

Answer 22

_ intrusion detection system
_ monitors network and sends alerts
_ out-of-band with traffic (can’t block traffic)
_ may modify ACLs, terminate processes, or redirect traffic in response to detections

Question 23

Detective controls

Answer 23

_ post-exploit
_ log monitoring
_ SIEM systems
_ security audit of organization
_ video surveillance
_ motion dection
_ intrusion detection system (IDS)
_ and others (not listed)

Question 24

Corrective and recovery controls

Answer 24

_ backups and system recovery
_ incident handling process

Question 25

Deterrent controls

Answer 25

_ discourage hackers from attacking or employees from violating security policies _ often also preventative _ e.g. cable locks (for laptops) _ e.g. physical locks

Question 26

TOTP

Answer 26

_ time-based one-time password _ example of a compensating control

Question 27

Compensating controls

Answer 27

_ controls that are alternatives to the primary control _ usually for handling special situations _ e.g. TOTP access until user receives a security card

Question 28

Response controls

Answer 28

_ aka incident response controls _ prepare for security incidents _ respond to security incidents

Question 29

Network discovery

Answer 29

_ devices on a network discovering other devices on the same network

Question 30

Network reconnaissance

Answer 30

_ acquiring details about a network and its devices

Question 31

ICMP

Answer 31

_ Internet Control Message Protocol _ often used in DoS attacks _ used by ping

Question 32

ping (e.g count)

Answer 32

_ sends an ICMP echo request packet _ can limit counts on Linux with “-c count” _ can loop pings on Windows with “-t” _ firewall may block

Question 33

hping

Answer 33

_ only on Linux _ sends pings to TCP, UDP, and ICMP

Question 34

NIC

Answer 34

_ network interface card _ wired or wireless

Question 35

ifconfig

Answer 35

Often first step in troubleshooting network problems. Can show: _ IP address _ subnet mask _ default gateway _ MAC address _ DNS address _ config info for NICs _ deprecated but still useful _ ipconfig on Windows

Question 36

Use ifconfig to get basic network info

Answer 36

_ ifconfig

Question 37

Use ifconfig to show TCP/IP config for each NIC

Answer 37

_ ifconfig -a

Question 38

Show local DNS cache

Answer 38

_ displaydns

Question 39

Flush the local DNS cache

Answer 39

_ flushdns

Question 40

Ip command

Answer 40

_ recommended over ifconfig, but not as functional _ show details on interfaces: ip link show _ enable a network interface: ip link set eth0 up _ show stats on network interface: ip -s link

Question 41

netstat

Answer 41

_ shows TPC/IP stats _ shows active TCP/IP connections _ switches can be combined

Question 42

Display list of all open connections

Answer 42

_ netstat

Question 43

Display list of all TCP and UDP ports being listened to, plus display all open connections

Answer 43

_ netstat -a

Question 44

Display network statistics details, including bytes sent/received

Answer 44

_ netstat -e

Question 45

traceroute

Answer 45

_ lists all routers between two systems (each is a hop) _ provides IP, hostname, and round-trip times (RTTs) _ useful for identifying faulty routers (e.g. where traffic stops) _ often used after ping fails to reach an IP _ can find an unauthorized router monitoring packets _ on windows: tracert

Question 46

ARP

Answer 46

_ Address Resolution Protocol _ resolves IPv4 addresses to MAC addresses _ caches resolved mappings _ required when packet reaches destination subnet

Question 47

arp

Answer 47

_ command to show/manipulate the ARP cache _ can be used to find MAC addresses of other systems on local network (after getting their IPs)

Question 48

Show the entire ARP cache

Answer 48

_ arp

Question 49

Show the ARP cache for a single IP address

Answer 49

_ arp -a 192.168.1.1

Question 50

logger command

Answer 50

_ adds a log entry to “/var/log/syslog”

Question 51

Linux permission groups

Answer 51

_ 1st: owner _ 2nd: owner’s group _ 3rd: everyone else

Question 52

Give owner’s group only write permission to a file

Answer 52

_ chmod g=w filename

Question 53

Remove owner’s execute permission from file

Answer 53

_ chmod u-x filename

Question 54

Add read permission to file for everyone

Answer 54

_ chmod o+r filename

Question 55

Windows logs

Answer 55

_ security log (audit and access) _ system log _ app log

Question 56

Network logs

Answer 56

_ found on a variety of devices

Question 57

UBA

Answer 57

_ user behavior analysis

Question 58

NTP

Answer 58

_ network time protocol _ for syncing time across a network

Question 59

SIEM capabilities

Answer 59

_ log collection - keeps logs in a searchable DB _ log aggregation - storing varying log data in same format _ correlation - looks for patterns, raises alerts _ reporting _ packet capture _ user behavior analysis (UBA) _ sentiment analysis - detects unwanted behavior _ security monitoring - predefined alerts _ automated triggers - actions to perform after detecting a predetermined number of repeated events _ time sync across servers providing source data using NTP (or converting time to a common format) _ event deduplication - same data only stored once _ WORM logs - write-once read-many log archiving

Question 60

Elements of a SIEM dashboard

Answer 60

_ sensor logs _ alerts _ sensitivity levels _ correlation _ trends

Question 61

Syslog protocol

Answer 61

_ specifies a general entry format _ specifies a protocol for transporting log entries _ can collect log entries from many devices (like SIEM) _ syslogd collects syslog messages on Linux _ log format in /etc/syslog.conf _ logs in /var/syslog _ formerly used UDP, now uses TCP

Question 62

Linux logs

Answer 62

_ in /var/log/ _ /var/log/auth.log - user login attempts (debian/ubuntu) _ /var/log/secure - user login attempts (red hat/centos) _ /var/log/syslog/ - general system messages (debian/ubuntu) _ /var/log/messages/ - general system messages (red hat/centos)

Question 63

U.S. DHS password recommendations

Answer 63

_ hash all passwords _ require MFA _ don’t require mandatory password resets _ requires passwords to be 8+ chars _ prevent use of common passwords _ tell users not to share passwords across sites _ allow all special chars but don’t require any

Question 64

Password history

Answer 64

_ prevents users from reusing old passwords

Question 65

Four security factors

Answer 65

_ Something you know _ Something you have (other than biometrics) _ Something you are (including biometrics) _ Somewhere you are

Question 66

KBA

Answer 66

_ knowledge-based authentication _ static KBA _ dynamic KBA

Question 67

Static KBA

Answer 67

_ static knowledge-based authentication _ authentication information that doesn’t change _ e.g. personal security questions

Question 68

Dynamic KBA

Answer 68

_ authenticates individuals not already having an account _ retrieves from other sources information that only the individual should know, verifies that _ time limit answering questions to reduce risk of someone looking them up on the Internet

Question 69

Smart card

Answer 69

_ card with microchip and certificated _ embedded cert holds user’s private key _ requires PKI (public key infrastructure)

Question 70

Hard token

Answer 70

_ aka hardware token _ device with a one-time password (OTP) _ password (usually a number) changes over time

Question 71

Soft token

Answer 71

_ aka software token _ app running on smartphone generating the OTP _ e.g. Google Authenticator

Question 72

HOTP

Answer 72

_ HMAC-based One-Time-Password _ token and server apply an algorithm to a shared secret key _ each time token is used, both advance to the next token _ device usually has a button for displaying the token

Question 73

TOTP

Answer 73

_ Time-based One-Time Password _ select token as a function of the time

Question 74

Retina vs iris scanners

Answer 74

_ Retinal scanners ID the pattern of blood vessels at the back of the eye - requires physical contact _ Iris canners use IR to capture the unique patterns of the iris around the pupil - no physical contact required

Question 75

Strongest authentication factor

Answer 75

_ biometrics (“something you are”) _ aka “third factor” _ retina and iris scans are strongest

Question 76

Four biometric acceptance possibilities

Answer 76

_ false acceptance (incorrectly identifies unknown user as known) _ false rejection (incorrectly rejects a known user) _ true acceptance _ true rejection

Question 77

FAR and FRR

Answer 77

_ false acceptance rate _ false rejection rate

Question 78

CER

Answer 78

_ crossover error rate _ point at which FAR crosses with FRR on a graph as system increases with sensitivity _ low CER indicates greater accuracy

Question 79

2FA combos

Answer 79

_ something you have and something you know _ something you know and something you are _ (excludes something you have and something you are) _ (can’t both use the same class of factor) _ (“something you have” often verified by push notification to smartphone)

Question 80

Account types and their credential policies

Answer 80

_ personnel or end-user accounts _ admin and root accounts _ service accounts (user account under which a server runs – credentials don’t expire) _ device accounts _ third-party accounts (used by external entities) _ guest accounts _ shared and generic account/credentials (when user varies)

Question 81

PAM

Answer 81

_ privileged access management _ can be just-in-time permissions (given as needed, usually auto-revoked after a period of time) _ can be temporal accounts (temporary grants) _ often used for admin or root accounts _ prevents exposure of a root password

Question 82

PAM capabilities

Answer 82

_ allow users access to privileged account without giving them the password _ automatically change privileged account passwords periodically _ limit time users can use the privileged account _ allow users to check out credentials _ log all access of credentials

Question 83

deprovisioning

Answer 83

_ process of disabling a user account

Question 84

attestation

Answer 84

_ formal process of reviewing user permissions

Question 85

SSO

Answer 85

_ single-sign on _ login once to access multiple systems _ increases security because user need only remember one password, reducing likelihood they write it down _ may generate a unique secure token per sign-in _ often provided by LDAP

Question 86

Federated system

Answer 86

_ aka federated identity management system _ provides central authentication in a non-homogeneous environment _ associates varied credentials with a single identity _ single sign-on across disparate servers

Question 87

SAML

Answer 87

_ security assertion markup language _ provides federated identity management across different websites _ e.g. a frontend provides auth before redirecting user to a backend system without requiring re-auth _ does not provide authorization, but may support transfer of authorization info between systems

Question 88

SAML roles

Answer 88

_ principal - typical user _ identity provider (IdP) - maintains the auth system _ service provider - provides services to the user

Question 89

OAuth

Answer 89

_ open standard for authorization (not authentication)

Question 90

Authorization models

Answer 90

_ role-based access control _ rule-based access control _ discretionary access control (DAC) _ mandatory access control (MAC) _ attribute-based access control (ABAC)

Question 91

Role-BAC

Answer 91

_ role-based access control _ aka group-based access control _ can be hierarchy based, mimicking heirarching of org _ can be job/task/function-based _ assigns permissions to groups (windows calls roles “security groups”)

Question 92

Rule-BAC

Answer 92

_ rule-based access control _ usually in routers and firewalls in ACLs, defining what traffic is allowed into the network _ intrusion detection systems can use dynamic rules to detect and block attacks _ some rules trigger in response to an event

Question 93

DAC

Answer 93

_ discretionary access control _ owners of objects have full control over permissions to object and establish access to the objects _ Windows (e.g. NTFS) and most Unix-based systems use DAC (with DAC lists – DACLs)

Question 94

ACE

Answer 94

_ access control entry in an ACL

Question 95

NTFS

Answer 95

_ Microsoft’s New Technology File System _ permissions: write, read, read/execute, modify, full-control

Question 96

SID

Answer 96

_ security identifier on Windows _ used in DACLs

Question 97

MAC (authorization)

Answer 97

_ mandatory access control _ assigns labels to both subjects and objects _ objects are organized into compartments _ labels define security levels and designate compartments _ subjects have access to the objects for which the subject’s labels are >= the object’s label and the subject also has the label for the compartment _ also enforces need-to-know _ government classification access

Question 98

SELinux

Answer 98

_ security-enhanced Linux _ uses MAC

Question 99

MAC (networks)

Answer 99

_ media access control _ assigns physical/hardware addresses to NICs

Question 100

MAC (authentication)

Answer 100

_ message authentication code _ provides integrity akin to a hash

Question 101

SDN

Answer 101

_ software defined network _ network in which software routes traffic rather than hardware controllers and switches

Question 102

ABAC

Answer 102

_ attribute-based access control _ bases access on attributes of the user, the resource, or the environment _ rules for access control are called “policies” _ policies state subject, object, action (what user wants to do), and environment (context of request) _ commonly used in SDNs _ can enforce DAC or MAC schemes

Question 103

What to look for when reviewing authentication logs

Answer 103

_ account lockouts _ concurrent session usage _ impossible travel time _ blocked content (due to validation) _ resource consumption (indicating attack) _ resource inaccessibility _ log anomalies (e.g. unusual numbers of logs, logs at unusual times, or missing log entries)