Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
331 Cards in this Set
- Front
- Back
|
What feature of a network switch allows the admin to capture traffic?
|
Port mirroring
|
|
|
How can hackers capture network traffic (name two)
|
ARP poisoning, MAC flooding
|
|
|
Web app runs slowly, what will fix?
|
Load balancing
|
|
|
What device limits the web sites users can visit?
|
Proxy server
|
|
|
Which TCP protocol is used to convert IP addresses to MAC addresses?
|
ARP
|
|
|
Which TCP protocol is used to convert IP addresses to MAC addresses?
|
Sends a copy of data destined for one or more ports to a monitored port.
|
|
|
What is ARP poisoning?
|
Poisons ARP cache on all systems, forcing them to send data to the hacker's system.
|
|
|
What is MAC flooding?
|
Hacker sends bogus MAC addresses to the switch, which causes the switch to not trust the MAC address table, so the switch starts flooding all frames (sends the frames to every port), where the hacker is connected and running sniffer software.
|
|
|
What is ARP and what does it do?
|
It's a TCP/IP protocol that converts IP addresses to MAC addresses.
|
|
|
ICMP type 8 is used for...?
|
Identifying echo request messages.
|
|
|
What are the stages of the three-way handshake?
|
SYN, ACK/SYN, ACK
|
|
|
Name 3 things to do on a switch to increase security
|
Disable unused ports, configure port security, enable console password.
|
|
|
What feature of a switch allows you to create communications boundaries between systems connected to the switch?
|
VLANs
|
|
|
What do VLANs do?
|
Allow you to create communications boundaries between systems connected to the switch
|
|
|
What's a layer 1 device?
|
Hub
|
|
|
What layer is a hub?
|
Layer 1
|
|
|
Two drawbacks of a hub
|
Sends data to all ports, so: uses bandwidth, and security issue because sends to systems other than the intended one
|
|
|
A switch works on what level
|
Layer 2
|
|
|
MAC address is what layer?
|
Layer 2
|
|
|
What's on layer 2? (name a device and an address type)
|
Switch, MAC address
|
|
|
MAC address is also known as...?
|
Hardware address
|
|
|
A switch works on what level
|
Filters traffic by the layer-2 address (MAC address)
|
|
|
Where does the switch store MAC addresses?
|
MAC address table
|
|
|
Besides filtering by MAC address, what else might a switch do?
|
Port mirroring, port security, disable ports, collision domains, VLANs
|
|
|
Router: what layer?
|
Layer 3
|
|
|
What device is at Layer 3?
|
Router
|
|
|
OSI stands for?
|
Open Systems Interconnection
|
|
|
What does a router do?
|
Create broadcast domains, also routing, or sending, data from one network to another
|
|
|
What does a router use to determine the networks that it knows how to send data to?
|
A routing table that resides in its memory
|
|
|
What is the purpose of a VLAN?
|
Create multiple networks within one network switch
|
|
|
What does creating VLANs do?
|
When a system is a member of one VLAN, it cannot communicate with systems in another VLAN, creates a communication boundary.
|
|
|
A firewall is...
|
...a network device that controls what traffic is allowed to enter or leave the network
|
|
|
A firewall filters traffic based on...
|
...rules you place on the firewall
|
|
|
When setting up a firewall, you typically start with what kind of rule?
|
Deny all
|
|
|
A proxy server is a type of what?
|
Firewall
|
|
|
As opposed to a firewall, what does a proxy server do?
|
Controls outbound communication
|
|
|
What does a proxy server usually do? Two things
|
Requires user login for Internet access, performs high level logging so the admin can see which sites are visited by users
|
|
|
What does creating VLANs do?
|
Coax and twisted pair
|
|
|
What are the two types of twisted pair cabling
|
Unshielded twisted pair (UTP) and shielded twisted pair
|
|
|
What are the two ways to connect UTP?
|
Crossover and straight through
|
|
|
What kind of connector is usually used for UTP?
|
RJ-45
|
|
|
What kind of cable is used with RJ-45 connectors?
|
UTP
|
|
|
What are the transfer rates for: Cat 5, Cat 5e, and Cat 6?
|
Firewall
|
|
|
Crossover cables are used to...
|
...directly connect two computers or two switches
|
|
|
What are two advantages of fiber, and two downsides?
|
Faster data transfer speeds and more secure, but more expensive and won't bend easily
|
|
|
Describe two types of connectors for fiber?
|
Straight tip (ST), looks like BNC. Subscriber connection (SC), similar to RJ-45
|
|
|
What is the max distance and transfer rate for fiber?
|
2 km, 1+ Gbps
|
|
|
What is the max distance and transfer rate for Thinnet?
|
185 meters, 10 Mbps
|
|
|
What is the max distance and transfer rate for Thicknet?
|
500 meters, 10 Mbps
|
|
|
What is the max distance and transfer rate for Cat 3?
|
100m, 10 Mbps
|
|
|
In a subnet mask, octets with 255 indicate...
|
...network ID
|
|
|
In a subnet mask octects with 0 indicate...
|
...host ID
|
|
|
When a system wants to send data to a system on another network, it must pass the data to the....
|
...router
|
|
|
Crossover cables are used to...
|
Between 1 and 126, 255.0.0.0
|
|
|
Class B addresses: what are the values for the first octet, and what is the default subnet mask?
|
Between 128 and 191, 255.255.0.0
|
|
|
An IP address is how long?
|
32 bits
|
|
|
Class C addresses: what are the values for the first octet, and what is the default subnet mask?
|
Between 192 and 223, 255.0.0.0
|
|
|
What are Class D addresses used for?
|
Multicasting applications
|
|
|
What value is not allowed in the first octet, and why?
|
185 meters, 10 Mbps
|
|
|
What is the usual value of the loopback address?
|
127.0.0.1
|
|
|
What is a private address?
|
An address that can be assigned to a system, but which cannot be used for any kind of Internet connectivity
|
|
|
What is the first range of private addresses?
|
10.0.0.0 to 10.255.255.255
|
|
|
What is the second range of private addresses?
|
172.16.0.0 to 172.31.255.255
|
|
|
What is the third range of private addresses?
|
192.168.0.0 to 192.168.255.255
|
|
|
What does a NAT server do?
|
Translates private IP addresses to public IP addresses
|
|
|
What does APIPA stand for, and what does it do?
|
Automatic Private IP Addressing. When a Windows system cannot obtain an IP address from a DHCP server, Windows assigns the system an IP address like: 169.254.x.y
|
|
|
What are the four types of illegal IP addresses, and what is each one for?
|
127.x.x.x.............loopback
all host bits set to 0..............network ID all host bits set to 1..............broadcast address duplicate |
|
|
TCP: connection-oriented or connectionless?
|
Connection-oriented
|
|
|
Main diff between TCP and UDP
|
TCP is connection-oriented and UDP is connectionless
|
|
|
Class C addresses: what are the values for the first octet, and what is the default subnet mask?
|
Connection-oriented communication involves first establishing a connection, then ensuring data sent, reaches the destination. Connectionless is not concerned with data reaching destination.
|
|
|
UDP: connection-oriented or connectionless?
|
Connectionless
|
|
|
What does TCP use to establish a connection?
|
Three-way handshake
|
|
|
With TCP, what is the sequence number?
|
A number assigned to each piece of data that is sent
|
|
|
With TCP, what is the name of the number that is assigned to each piece of data that is sent?
|
The sequence number
|
|
|
What are the polite and impolite processes for terminating a TCP connection?
|
An address that can be assigned to a system, but which cannot be used for any kind of Internet connectivity
|
|
|
When applications want to use TCP or UDP to communicate, they use a unique number or address assigned to the application. What is this number called?
|
Port
|
|
|
With TCP and UDP, what is a port?
|
A unique number or address assigned to the application
|
|
|
FTP: what port(s)?
TCP or UDP? Secure? |
20 data
21 control TCP Not secure |
|
|
Telnet: what port(s)?
TCP or UDP? Function? |
port 23
TCP Remote connection not secure |
|
|
SMTP: what port(s)?
TCP or UDP? Function? Secure? |
25
TCP send email |
|
|
DNS: what port(s)?
TCP or UDP? Function? Secure? |
53
TCP DNS zone transfers |
|
|
HTTP: what port(s)?
TCP or UDP? Function? Secure? |
80
TCP web not secure |
|
|
POP3: what port(s)?
TCP or UDP? Function? Secure? |
110
TCP read email |
|
|
IMAP: what port(s)?
TCP or UDP? Function? Secure? |
143
TCP read email (newer) |
|
|
HTTPS: what port(s)?
TCP or UDP? Function? Secure? |
443
TCP web secure |
|
|
What is meant by connection-oriented and connectionless?
|
6:
SYN, ACK, PSH, URG, FIN, RST |
|
|
UDP stands for...
|
User Datagram Protocol
|
|
|
DNS: what port(s)?
TCP or UDP? Function? Secure? |
53
UDP domain name queries N/A, since UDP |
|
|
DHCP: what port(s)?
TCP or UDP? Function? Secure? |
67, 68
UDP assigning IP addresses, 67 for service, 68 for requests N/A, since UDP |
|
|
TFTP: what port(s)?
TCP or UDP? Function? Secure? stands for? |
69
UDP downloading files w/o auth N/A, since UDP Trivial File Transfer Protocol |
|
|
NetBIOS: what port(s)?
TCP or UDP? Function? Secure? Stands for? |
The sequence number
|
|
|
SNMP: what port(s)?
TCP or UDP? Function? Secure? Stands for? |
161
UDP ? N/A, since UDP Simple Network Management Protocol |
|
|
OSI model mnemonic, physical up to application
|
Please Do Not Throw Sausage Pizza Away
|
|
|
OSI model mnemonic, application down to physical
|
All People Seem To Need Data Processing
|
|
|
What are the layers of the OSI model?
|
Application
Presentation Session Transport Network Datalink Physical |
|
|
TCP and UDP are at what OSI layer?
|
Transport (4)
|
|
|
The IP protocol is at what OSI layer?
|
Layer 3, Network
|
|
|
IP provides...
|
...packet delivery for protocols higher in the model
|
|
|
Does IP guarantee delivery of packets?
|
No, that is the job of the transport protocols. IP makes a best-effort attempt to deliver the packets to the correct destination.
|
|
|
What is responsible for decrementing the TTL of a packet?
|
The IP protocol on the router
|
|
|
ICMP stands for...
|
...Internet Control Message Protocol
|
|
|
POP3: what port(s)?
TCP or UDP? Function? Secure? |
ICMP
|
|
|
What is ICMP responsible for?
|
Error and status reporting
|
|
|
Which programs use ICMP?
|
Ping and tracert
|
|
|
What protocol uses types and codes instead of ports?
|
ICMP
|
|
|
What does ICMP use instead of ports?
|
Types and codes
|
|
|
What does Ping do?
|
used to send ICMP echo requests to an IP address, and wait for ICMP echo responses
|
|
|
What ICMP code is used for the message type Echo Reply?
|
0
|
|
|
What ICMP code is used for the message type Echo Request?
|
8
|
|
|
What ICMP message type corresponds with message code 0?
|
Echo reply
|
|
|
What ICMP message type corresponds with message code 8?
|
Echo request
|
|
|
ARP stands for...
|
...Address Resolution Protocol
|
|
|
HTTP and HTTPS protocols are at what layer?
|
Application
|
|
|
DNS is at what layer?
|
Application
|
|
|
What does DNS do?
|
Converts FQDNs to IP addresses
|
|
|
Name some application layer protocols
|
HTTP, HTTPS, DNS, NNTP, SMTP, POP3, IMAP4, SNMP, FTP, TFTP, SFTP, Telnet, SSH, SCP, NTP, LDAP, LPD, LPR, NetBIOS
|
|
|
HTTPS: what port(s)?
TCP or UDP? Function? Secure? |
443
TCP web secure |
|
|
TCP and UDP are at what OSI layer?
|
22
TCP create shell or session with remote device secure Secure Shell |
|
|
IPv4 vs IPv6: length
|
IPv4 = 32 bits
IPv6 = 128 bits |
|
|
IPv6 loopback address
|
0:0:0:0:0:0:0:1 or ::1
|
|
|
Basic security steps for devices
|
Physical security, do not use hubs, configure passwords on devices, disable unused ports, use port security, use VLANs,
|
|
|
What is the most secure type of cable?
|
Fiber optic
|
|
|
Use what instead of Telnet, FTP, HTTP?
|
The IP protocol on the router
|
|
|
Use what instead of hubs?
|
Switches
|
|
|
TCP/IP is a...
|
...suite of protocols
|
|
|
What are the four main goals of information security?
What's the acronym? |
Confidentiality
Integrity Availability Accountability CIA or CIAA |
|
|
What are two ways to help ensure information confidentiality?
|
Permissions, encryption
|
|
|
Two techniques to help ensure availability
|
RAID, clustering
|
|
|
Name four popular methods to implement accountability
|
Log files, audit files, firewalls and proxy servers, application logging
|
|
|
Identification...
|
...happens before authentication, and is the process of having users identify themselves to the system
|
|
|
Four popular methods used for identification?
|
Username, smartcard, token, biometrics
|
|
|
Four examples of authentication
|
Permissios, router ACLs, proxy servers, facility
|
|
|
Data integrity means...
|
...data does has no unwanted changes in transit or at rest
|
|
|
What ICMP code is used for the message type Echo Request?
|
username
password file permissions |
|
|
Four main types of security
|
Physical (facility)
Communication (man-in-the-middle, encryption) Computer (just the box, not the network) Network (switch security, firewalls, intrusion detection) |
|
|
Name three principles of security
|
Least privilege
Separation of duties Rotation of duties Need to know Layered security Diversity of defense Due care Due diligence |
|
|
What's the diff between due care and due diligence?
|
Due care: doing the right thing. implementing correct security controls
Due diligence: identifying risk. performing regular assessments and analyzing assessments |
|
|
Name four security roles
|
System or data owner (management)
Custodian (IT staff) User Security Officer (liaison between management and IT staff) |
|
|
Before implementing a security policy, get...
|
Application
|
|
|
Three types of security policy are...
|
Standard (must be followed)
Guideline (just recommendation) Procedure (step by step) |
|
|
PII, what does it stand for, and two examples
|
Personally Identifiable Information
SSN, DL# |
|
|
What is a security control, and give three examples
|
Any mechanism used to protect and asset
firewalls, A/V, access control lists |
|
|
AUP stands for...
|
Acceptable Use Policy
|
|
|
Two types of security policy that apply to users
|
Acceptable use policy
Password policy |
|
|
Two types of security policy that affect administrators
|
Change management policy
Secure disposal of computers |
|
|
Diff between data classification labels and security clearance levels
|
Labels for data, clearance levels for people
|
|
|
A security policy is...
|
...a large document made up of different policies
|
|
|
Main types of attacks
|
Social Engineering
Network Password Application |
|
|
Types of social engineering attacks
|
Impersonation (of admin, user, or mgmt)
Phishing (also whaling, vishing) Shoulder surfing Dumpster diving Tailgating Hoaxes |
|
|
What is the most secure type of cable?
|
DoS, DDoS, spoofing, sniffing, replay, MiTM, DNS poisoning, ARP poisoning, spam, privilege escalation, port scanning attacks,
|
|
|
Who is impersonated in impersonation attack?
|
Admin, user, or mgmt
|
|
|
The only way to prevent social engineering is...
|
...security training and awareness
|
|
|
Three types of spoofing
|
IP, MAC, email
|
|
|
Popular sniffing app
|
Wireshark
|
|
|
Two types of poisoning
|
ARP
DNS |
|
|
Two ways a hacker could lead you to the wrong website, collectively known as...?
|
DNS poisoning, modifying the hosts file
Pharming |
|
|
What is modified in an ARP attack?
|
The ARP cache
|
|
|
Three types of password attacks
|
Brute-force
Dictionary Hybrid |
|
|
Countermeasures for dictionary and brute-force attacks
|
Password complexity
Lockout policy |
|
|
Two password hacking tools
|
Cain & Abel
John the Ripper |
|
|
Four types of application attacks
|
SQL injection
Buffer overflow Cross-site scripting Directory traversal / command injection |
|
|
How to protect against injection attacks?
|
Validate input
|
|
|
What is a smurf attack?
|
DDoS where ping is sent with source spoofed, so replies go "back" to and overwhelm the target
|
|
|
List four physical security threats
|
Snooping
Theft and loss of assets Human error Sabotage |
|
|
Safeguards against compromise of data from a lost or stolen device
|
Remote wipe
Safeguards on the device, such as PIN or password Encryption |
|
|
Four main types of security
|
Able to reproduce without user activation
|
|
|
Three ways a worm can spread
|
Network protocols / ports
Flash drives |
|
|
A trojan typically modifies the system by...
|
...opening a TCP/IP port, which allows the hacker to connect and take control
|
|
|
Two techniques to avoid spam
|
Filters on email servers
Not posting email addresses on the internet |
|
|
Five actions to protect against malicious software
|
A/V s/w
Keep A/V defs up to date Keep a close eye on listening ports Keep a close eye on running processes Train users to use good surfing habits |
|
|
Define
Bluesnarfing Bluejacking Bluebugging |
...buyin from management
|
|
|
Four ways to increase physical threats to systems
|
Shred docs
Clean desk policy Encrypt data Passwords on devices |
|
|
OS commands to help t/s infected computers
|
netstat
tasklist taskkill |
|
|
Three things to help prevent threats against hardware
|
Configure BIOS to disallow booting from CD-ROM
Disable USB ports Limit use of removable media |
|
|
What should be hardened?
|
All systems including users' computers, network devices such as switches, and servers
|
|
|
What is hardening?
|
Removal of unnecessary software and disabling of unnecessary services
|
|
|
Three steps to harden a computer
|
Remove unnecessary accounts
Rename default account such as administrator Patch the system on a regular basis |
|
|
Three steps to harden a switch
|
Update firmware
Disable unused ports Configure port security |
|
|
802.1x standard is...and does...
|
Port access control standard
Controls who has access to wired or wireless network by using a central authentication server such as RADIUS |
|
|
Two software tools to help with system hardening (and a brief definition)
|
Security templates (help create security baseline)
Group policies (apply restrictions to the system) |
|
|
Application hardening: one task for devs and two for admins
|
Dev: validate inpu
Admins: remove unnecessary features, create application security baseline |
|
|
Main types of attacks
|
...to reduce the attack surface
|
|
|
Two parts of patch management
|
Patch systems on a regular basis
Test patches before deploying |
|
|
What devices should be hardened first, and what is the first step of that hardening?
|
Network devices such as routers and switches
Update firmware |
|
|
Diff between firewalls: packet-filtering, stateful, and application layer
|
Filters based on:
Layer 3 and layer 4 headers Same as a above, but also based on what packets are expected during certain phases of the conversation Same as both above, plus payload data |
|
|
Linux firewall feature
|
IPTables
|
|
|
3 firewall topologies and short descriptions
|
Dual-homed host: one computer with two NICs, plus firewall or proxy s/w running
Screened-host: screening router between dual-homed host and internet Screened-subnet: two screening routers, one on either side of the dual-homed firewall |
|
|
Name security zones and defs
|
Private LAN
DMZ (between two firewalls) Public zone (internet) |
|
|
What goes in DMZ?
|
DNS, FTP, SMTP
|
|
|
A web proxy does...
|
...caching and filtering
|
|
|
IDS analysis methods and defs
|
Signature based: compares activity against signature file, few false positives
Anomaly based: understands normal (baseline), learns based on users' activity Heuristic: goal is to detect new based on past experience, runs files in sandbox |
|
|
Downfall of NIDS
|
Can't analyze encrypted traffic
|
|
|
Classes of IDSs and definitions
|
Passive, just notifies, detective
Active or IPS, notifies and takes action |
|
|
What is Snort?
|
A popular network-based IDS
|
|
|
Common mistake configuring honeypot
|
Making it too easy to break into
|
|
|
3 ways to break up or divide a network
|
Subnetting (subnet mask and IP addresses0
Segmentation VLANs |
|
|
Define and describe NAC
|
Network access control
Places health requirements on computers requesting to connect to the network, may include A/V software and current defs, personal firewall installed, patch status Common scenarios: with wireless requires ack TOS, with switch requires auth by RADIUS or other auth server |
|
|
ACL define and name where applied
|
Access Control List
folders and files, routers and firewalls |
|
|
Implicit ____________?
|
Deny
|
|
|
802.11a
frequency transfer rate range compatibility |
5
54 150 a |
|
|
802.11b
frequency transfer rate range compatibility |
2.4
11 300 b, g, n |
|
|
802.11g
frequency transfer rate range compatibility |
2.4
54 300 b, g, n |
|
|
802.11n
frequency transfer rate range compatibility |
5 or 2.4
up to 600 300 a, b, g |
|
|
Wireless protocols, bad good best
|
WEP (bad)
WPA (good) WPA2 (best) |
|
|
Wireless protocols, encryption details
|
WEP: RC4, static keys 64 or 128 (24 plus either 40 or 104)
WPA: dynamic 128 TKIP WPA2: CCMP with AES |
|
|
Home wireless best practices
|
use HTTPS to admin the router
change admin password change SSID (network name) disable SSID broadcasting MAC address filtering place access point away from exterior walls lower power levels to minimum required use VPN |
|
|
SSID stands for?
|
Service Set Identifier
|
|
|
Two tools to do a wireless survey to get list of nearby networks
|
NetStumbler
Kismet |
|
|
Bluetooth: transfer rate
|
1Mbs
|
|
|
Authentication factors and examples
|
Something they know (password)
Something they have (card, token) Something they are (biometrics) |
|
|
What's an access token used for, and what does it contain?
|
Determines whether the user will be allowed to access particular files and perform particular tasks
SID Group security identifiers Primary group security identifer (POSIX only) Access rights |
|
|
Windows authentication methods and descriptions
|
Anonymous
Basic (u/n and p/w sent in clear to the server) Integrated Windows authentication Kerberos |
|
|
Talk about Kerberos
|
Popular mutual authentication protocol
Used by default in AD environments Uses KDC server, responsible for issuing tickets First the Authentication Server (AS) gives a ticket-granting ticket (TGT), which is used to request a ticket from the ticket-granting service (TGS) to access server |
|
|
KDC?
|
Key Distribution Center
|
|
|
RAS and VPN use these protocols
|
PAP
CHAP MS-CHAP MS-CHAPv2 EAP |
|
|
PAP stands for...? And brief description
|
Password Authentication Protocol, credentials sent in plain. unsecure
|
|
|
CHAP stands for...? And brief description
|
Challenge Handshake Authentication Protocol
server sends challenge/key, client combines it with password and hashes and sends, server hashes existing password and compares hashes. password was not sent. |
|
|
MS-CHAP stands for...? And brief description
|
Microsoft Challenge Handshake Authentication Protocol
uses MD4 instead of MD5 for hashing |
|
|
MS-CHAPv2 stands for...? And brief description
|
Microsoft Challenge Handshake Authentication Protocol v2
uses stronger encryption than CHAP and MS-CHAP authenticates both client and server |
|
|
EAP stands for...? And brief description
|
Extensible Authentication Protocol
used with smartcards, certs, Kerberos, PKI, and RADIUS |
|
|
Name the components of authentication services, and a brief description of each
|
Authentication, validating user credentials
Authorization, access granted Accounting, logging |
|
|
What is AAA?
|
Components of authentication services:
Authentication, Authorization, Accounting |
|
|
Name some authentication services
|
RADIUS
DIAMETER TACACS and XTACACS TACACS+ |
|
|
Diff betw identification and authentication
|
Identification is presenting identifying information such as a username
Authentication is proving you are that person, for example by knowing the password |
|
|
Username is used to ____________the user, and password is used to ___________ the user.
|
Identify, authenticate
|
|
|
The accounting feature of AAA is for...
|
...tracking logged in time for billing purposes
|
|
|
What is the most secure form of biometrics?
|
Iris scan
|
|
|
What defines a smartcard?
|
Contains a microprocessor
|
|
|
Authorization is implemented by using....
|
....access control methods
|
|
|
An access control system....?
|
...determines who has access to the environment, and what level of access
|
|
|
Types of security controls
|
Administrative
Logical Physical Operational |
|
|
Description and examples of an administrative control
|
Written policy, procedure, or guideline
Password policy, mandatory vacations, security awareness training |
|
|
Description and examples of a logical control
|
AKA technical control
controls access to a resource firewalls, encryption, passwords, IDSs |
|
|
Description and examples of a physical control
|
controls access to the physical facility
doors, locks, fences, guards, lockdown cables, video surveillance |
|
|
Description and examples of an logical control
|
day to day actvities
example: backups |
|
|
Access control models
|
Discretionary: access based on DACL (users and groups)
Mandatory: people (subjects) assigned clearances, resources assigned (classification or sensitivity) labels Role-based: privileges based on roles Rule-based: rules on network gear about traffic or computers |
|
|
What's a "trusted OS" and what's the new standard?
|
evaluated for strict security practices
common criteria |
|
|
Methods to implement access control
|
Security groups
Rights and privileges Securing files and printers Access Control Lists (ACLs) Group Policies |
|
|
What's the r'ship between users, groups, and permissions
|
User goes into group
Group is assigned permissons |
|
|
Diff betw permission and right
|
Perm is level of access to a resource
Right is privilege to perform a specific task |
|
|
NTFS and Linux permissions
|
Read, Modify, Full Control
Read, Write, Execute |
|
|
Define symmetric encryption
Name some algorithms |
uses the same key for encryption and decryption
DES, 3DES, RC4, AES |
|
|
3DES, how many bits?
|
168
|
|
|
AES, how many bits?
|
128, 192, or 256
|
|
|
Name asymmetric algorithms
|
RSA, Diffie-Hellman, and elliptic curve
|
|
|
Name hashing algorithms
|
MD Message Digest
SHA Secure Hash Algorithm SHA-256 and SHA-512 LANMAN NT LAN Manager (NTLM) RIPEMD RACE Integrity Primitive Evaluation Message Digest HMAC Hash-based Message Authentication Code |
|
|
Hash length of MD5?
|
128
|
|
|
Hash length of SHA-1
|
160
|
|
|
Secure communication protocols
|
HTTPS
SSL/TLS (Transport Layer Security) S/Mime IPSec (Internet Protocol Security) SSH (Secure Shell) SFTP SCP (Secure Copy Protocol) |
|
|
Instead of Telnet, use...
|
....SSH
|
|
|
VPN protocols, which is better, and why?
|
L2TP (Layer 2 Tunneling Protocol) is better than PPTP, because it uses IPSec
|
|
|
More secure than SSL
|
TLS
|
|
|
A certificate (PKI) is...
|
...an electronic file that is used to store the public key (and sometimes the private key), and associates the public key with an entity such as a person or company. The certificate binds the entity to the public key.
|
|
|
A certificate (PKI) is signed by...
|
...the CA
|
|
|
CA stands for...
|
...Certificate Authority
|
|
|
Two types of CAs
|
Public CA
Private CA |
|
|
Who signs the root CA?
|
It is self-signed
|
|
|
RA: stands for? describe
|
Registration Authority
accepts cert requests and validates requesting entity |
|
|
Repository (CA)
|
database that stores certs and public keys
|
|
|
CRL: stands for? and describe
|
certificate revocation list
list of certs that have been revoked, published by CA regularly |
|
|
What is M of N control
|
for key recovery, for example may require 2 of 3 authorized persons
|
|
|
RA: stands for? and describe
|
Recovery Agent
person or group who can decrypt in case person with key leaves org |
|
|
Two good practices for key recovery
|
Key archiving
Key recovery policy |
|
|
What is trust (PKI)
|
Two CAs trust each other's certs
|
|
|
Three main issues with certs
|
Renewals
Trusted CAs Name assigned to the cert matching address of application or server using the cert |
|
|
(PKI) The cert is digitally signed by ___________, so that _____________
|
the CA that creates the cert
applications can validate the origin of the cert |
|
|
The RA ___________, and then the CA _________________
|
validates a request for a cert
creates the cert |
|
|
Cert is good during ______________
|
validation period
|
|
|
To avoid having to get a new cert.....
|
....renew before validation period is expired
|
|
|
With SSL, the client ...
|
...generates random symmetric key to encrypt comm, but uses public key of server to encrypt the symmetric key, so it can send the symmetric key to the server
|
|
|
How does digitally signing a message work?
|
Sender hashes message into a digest
Encrypts digest with private key Sends encrypted message and digest Receiver decrypts message digest using sender's public key Receiver hashes message into digest, compares digests |
|
|
Recommended fence
|
8 ft
bobwire facing out at 45 degrees |
|
|
Fail save v fail secure
|
Fail safe: when it fails, it won't cause harm
Fail secure: when it fails, it won't be unsecure |
|
|
Classes of fire, combustibles, suppression method
|
A: wood, paper, cloth, plastic. water or soda-acic
B: liquid. CO2 or FM-200 C: electrical. Halon (recommended) or CO2 or nonconductive D: combustible metals. dry chemicals. |
|
|
Risk analysis is....
|
...process of id'ing threats against assets, and managing those threats
|
|
|
Typical steps of risk analyis
|
ID'ing assets
spotting threats prioritizing threats (based on probability and impact) ID'ing mitigation assessing residual risks |
|
|
Two main types of risk analysis
|
Qualitative and quantitative
|
|
|
What's the diff betw quantitative and qualitative risk analysis?
|
Qual: uses values assigned to probability and impact
Quant: uses formulas to calclate ALE (annual loss expectancy) |
|
|
Calculate ALE
|
SLE (single loss expectancy) = value * EF (exposure factor)
ALE = SLE * ARO (annual rate of occurence) |
|
|
3 methods of managing risk
|
mitigate by implementing a security control
transfer (insurance) accept (do nothing) |
|
|
How to mitigate risk?
|
security audits
security controls ensure that policies and procedures are followed |
|
|
BCP
|
business continuity plan
|
|
|
BIA
|
business impact assessment, the risk assessment phase of building a BCP
|
|
|
Five types of testing the BCP
|
checklist, for each dept.
structured walkthrough, BCP committee meets and reviews BCP simulation test, small parallel test, try alternate site full disruption, shutting down orig site and ensure that can operate solely from alternate site |
|
|
diff betw hot and cold spares of equipment
|
hot: powered on, fails over
cold: not powered, on shelf, increases downtime |
|
|
diff betw hot, warm, and cold alt sites
|
hot: data up to date, site ready 24/7
warm: networking h/w and backup devices, but have to restore data cold: space, but not networking hardware |
|
|
two major types of alternate sites (not hot and cold)
|
exclusive
time-shared |
|
|
succession planning is...
|
...have people ready to fill leadership roles
|
|
|
IT contingency plan...
|
...plan for when IT goes down
|
|
|
MTTR
|
mean time to restore
average time for a system or device to recover from failure |
|
|
MTBF
|
mean time between failures
(failures of a device or system) |
|
|
RTO
|
recovery time objective
BCP term for the amount of time allowable before a business function must be restored after failure |
|
|
types of data backup
|
full: e
very file (changed or not), slowest to backup, uses lots of space, easiest to restore incremental: only backs up files that have changed, resets archive bit to restore you need the last full plus all incrementals since differential: backs up files that have changed, but does not reset archive bit thus, restore needs only the last full and the most recent differential |
|
|
RAID
|
zero: striping, just multiple disks each with part of the data, no duplication of data, only performance benefit
1: mirroring, two HDDs, data is duplicated 5: striping with parity, splits data across multiple disks and parity data on another disk. if one disk fails, can calculate the missing data |
|
|
fault tolerance
|
if one part of the solution fails, another will pick up the workload, and it'll continue to function
|
|
|
high availability is
|
ensuring that clients can always gain access to the services that they need
|
|
|
to have high availability...
|
find all single points of failure
create redundancy in those areas |
|
|
Does fault tolerance give you high availability?
|
no, but it helps
for high availability, eliminate all single points of failure |
|
|
clustering vs. load balancing
|
clustering: high availability (servers, etc.)
load balancing: improves performance |
|
|
DRP
|
disaster recovery plan
part of the BCP |
|
|
chain of custody is...
|
...a document that records where the evidence is at all times
|
|
|
evidence should be...
|
documented
stored in a secure location with limited personnel having access |
|
|
imaging: why, how
|
why: preserves state, including deleted files
how: make multiple images in case of corruption, work only on image not original |
|
|
collect evidence in order of _______________, so in this order: ______________
|
decreasing volatility:
RAM, swap file, HDD, optical discs |
|
|
use this to block any signal to/from a mobile device
|
Faraday bag
|
|
|
the first responder should...
|
...assess and contain the security incident so it does not become a bigger problem, disconnect any affected devices from the network
|
|
|
live acquisition, advantage and downside
|
advantage: can acquire memory
disadvantage: modifies the system |
|
|
two things to remember when gathering evidence
|
securely wipe and target HDDs
document every step |
|
|
general formula for calculating risk
|
R = P * L
risk = probability * potential loss |
|
|
vulnerability assessments, passive or active?
|
passive, because you are not actively trying to bypass security controls
|
|
|
before performing any kind of penetration test...
|
...make sure you have a legal document signed by upper-level management
|
|
|
diff betw black box test and white box
|
black box: you have been given no details
white box: you have been given all the details |
|
|
penetration test: active or passive?
|
active, b/c you are actually trying to bypass security controls
|
|
|
when penetration testing, what might you cause unintentionally?
|
DoS
|
|
|
define attack surface
|
software and services running on system
|
|
|
____________ are a great way to become aware of zero-day exploits
|
honeypots
|
|
|
if security policy says you can't use live attacks or active testing....
|
....look to vulnerability scanning
|
|
|
four types of assessment
|
threat assessment
configuration assessment vulnerability scan penetration test |
|
|
a vulnerability assessment is...
|
...a passive test that simply identifies security issues with the configuration of the system
|
|
|
3 tools to perform penetration test
|
BackTrack
Metasploit Cain & Abel |
|
|
3 diff techniques to determine security issues, with descriptions
|
code review on homegrown app
design review on homegrown solution to see if meets requirements architecture review to ensure system is a secure environment |
|
|
4 tools to perform an assessment
|
port scanner
network sniffer vulnerability scanner honeypot |
|
|
Where are many log files stored in Windows?
|
C:\windows\system32\logfiles
|
|
|
which logs are used for monitoring inbound communication, and for a user's Internet activity?
|
firewall log
proxy server log |
|
|
use ________ for logging one computer, and ____________ for logging multiple
|
local security policies
group policies |
|
|
tool used to monitor health of a computer
|
Performance Monitor
|
|
|
examples of packet sniffers
|
Network Monitor
Wireshark |
|
|
what is Network Monitor and Performance Monitor
|
packet sniffer on network
health of a single computer |
|
|
what is Wireshark?
|
a packet sniffer
|
|
|
WSUS
|
Windows Server Update Service
a service that allows you to download, review, approve, and deploy patches to groups of systems on the network. |
|
|
CIRT
|
Computer Incident Response Team
|
