Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
92 Cards in this Set
- Front
- Back
|
EAPOL
|
Extensible Authentication Protocol Over Lan
|
|
|
OFDM
|
Orthogonal Frequency-Division multiplexing - accomplishes communication by breaking the data into subsignals and transmitting them simultaneously. These transmissions occur on different frequencies or subbands.
|
|
|
DSSS
|
Direct Sequence Spread Spectrum - accomplishes communication by adding the data that is to be transmitted to a higher speed transmission. The higher speed transmission contains redundant information to ensure data accuracy. Each packet can then be reconstructed in the event of a disruption.
|
|
|
FHSS
|
Frequency Hopping Spread Spectrum - accomplishes communication by hopping the transmission over a range of predefined frequencies. The changing or hopping is synchronized between both ends and appears to be a single transmission channel to both ends.
|
|
|
Certificate System
|
A certificate being handed from the server to the client once authentication has been established. If you have a pass, you can wander throughout the network. BUT limited access is allowed.
|
|
|
Security Token System
|
If your token does not grant you access to certain information, that information will either not be displayed or your access will be denied. The authentication system creates a token every time a user or a session begins. At the completion of a session, the token is destroyed.
|
|
|
Kerberos System
|
The authentication process uses a Key Distribution Center (KDC) to orchestrate the entire process. The KDC authenticates the network. Principles can be users, programs, or systems. The KDC provides a ticket to the network. Once this ticket is issued, it can be used to authenticate against other principles. This occurs automatically when a request or service is performed by another network.
|
|
|
CHAP System
|
The initiator sends a logon request from the client to the server. The server sends a challenge back to the client. The challenge is encrypted and then sent back to the server.
The server compares the value from the client and if the information matches, the server grants authorization. If the response fails, the session fails and the request phase starts over. |
|
|
Circuit-Level Firewall
|
Firewall type that allows you to configure security devices with the rate of responses to requests to handle, and block any impending communications from suspicious hosts.
|
|
|
Packet-Filtering Firewall
|
Firewall that allows or blocks traffic based on the type of application. This type of firewall decides whether to pass traffic based on the packet's addressing information and can be based on IP addresses or ports.
|
|
|
Stateful Inspection Firewall
|
Firewall that monitors the state of all network connections, and tracks information on network connections.
|
|
|
Application-Level Firewall (Gateway)
|
Gateway that works as a proxy server between the inside network perimeter and an external server to monitor and control external communications.
|
|
|
Static NAT (Network Address Translation)
|
Maps an internal IP address to an external IP address on a one-to-one basis.
|
|
|
Dynamic NAT (Network Address Translation)
|
Maps a range of internal IP addresses to a range of external IP addresses.
|
|
|
Overloading NAT (Network Address Translation)
|
Also known as port address translation (PAT). This is a possibly the most poplar form of NAT because a single Internet address can provide Internet access to multiple private clients.
|
|
|
ISAKMP
|
Internet Security Association and Key Management Protocol
|
|
|
Mesh CA
|
Multiple peer CAs issue certificates to each other. To certify, they create certificates for each other.
|
|
|
Hierarchical CA
|
Top-level CA known as a root CA issues certificates to subordinate CAs. Those CAs can then issue certificates to other CAs, and so on. The CAs at each level can issue certificates to subordinate CAs or users.
|
|
|
Bridge CA
|
Connects mesh and hierarchical architectures together. This allows different companies to have their own trust architecture, and then have a single connection using a bridge CA.
|
|
|
CPS
|
Certificate Practice Statement - describes how
the CA plans to manage the certificates it issues. |
|
|
Network-based IDS
|
Detects attacks by capturing and analyzing network traffic. A single NIDS can protect multiple hosts by listening to traffic on one network segment. NIDS implementations often utilize sensors (hosts running IDS software) at various points on a network.
|
|
|
Host-based IDS
|
Installed on individual computers to protect those individual systems. HIDS's are much more reliable than NIDS's in detecting attacks on individual systems. HIDS typically utilize operating system audit trails and system logs.
|
|
|
Application-based IDS
|
Analyzes the events occurring within a specific software application using the application's transaction log files. An application-based IDS is able to detect suspicious behavior that might go unnoticed by other forms of IDS because application-based IDS can analyze interactions between the user, the data, and the application.
|
|
|
Dropper
|
A dropper is a virus carrier program or file. When the dropper is executed or opened, it creates a virus. Virus authors often use droppers to shield their programs from virus scanners. Droppers are also called injectors.
|
|
|
Hoax
|
A hoax is false virus warning that people believe is real. These hoaxes are typically spread through e-mail messages.
|
|
|
Joke
|
A joke is a nondestructive program that is propagated like malicious code. People usually consider this type of program annoying or funny.
|
|
|
Logic Bomb
|
A logic bomb is a destructive program that goes off when a predetermined event takes place, such as the user typing a certain series of keystrokes, changing a file, or occurrence of a certain time and date. A logic bomb that is triggered at a certain date and time is also called a time bomb.
|
|
|
Multipartite Virus
|
A multipartite virus infects multiple locations on a system. These viruses typically infect memory first and then copy themselves to multiple other locations, such as the boot sector of each hard disk, files, and executables on the system.
|
|
|
Polymorphic Virus
|
A polymorphic virus, or mutating virus, changes or mutates as it copies itself to other files or programs. The goal is to make it difficult to detect and remove the virus.
|
|
|
Sparse Virus
|
A sparse virus doesn't immediately infect files. Instead, it waits a certain period of time (or for some other condition to be met) before it infects a program. For example, the sparse virus might wait until a file is accessed 50 times or until it reaches 500 MB in size. This makes the virus more difficult to detect. A sparse virus is also called a sparse infector.
|
|
|
Stealth Virus
|
A stealth virus attempts to hide itself from detection attempts by deceiving people or virus scanning software. When a person or virus scanner attempts to view the virus-infected file, the stealth virus intercepts the disk access request and feeds the person or virus scanner an uninfected version of the file. The virus might also report the uninfected file size of certain files, which prevents people and virus scanners from noticing that a file is too large. Of course, the virus must be resident in memory to perform this action, so a good virus scanner can detect a stealth virus. Stealth viruses are also called interrupt interceptors.
|
|
|
Trojan Horse
|
A Trojan horse is a seemingly useful (or harmless) program that performs malicious or illicit action when activated, such as destroying files.
|
|
|
Virus
|
A virus is malicious code that infects or attaches itself to other objects or programs. All viruses have some form of replication mechanism, which is how they propagate.
|
|
|
Wild
|
Wild is a descriptor for malicious code that exists outside of virus and antivirus labs. Malicious code is "in the wild" when it is infecting unsuspecting computer users. The opposite of malicious code in the wild is malicious code in the zoo.
|
|
|
Worm
|
A worm is malicious code that replicates by making copies of itself on the same computer or by sending copies of itself to another computer. Worms, unlike viruses, do not infect other program files on a computer. All worms have some form of replication mechanism, which is how they propagate.
|
|
|
Zoo
|
Zoo is a descriptor for malicious code that only exists inside a virus or antivirus lab. The opposite of malicious code in the zoo is malicious code in the wild.
|
|
|
Macro Virus
|
Macro viruses can infect all of the documents on your system and spread to other systems using mail or other methods. Macro viruses are the fastest growing exploitation today.
|
|
|
Companion Virus
|
This virus attaches itself to legitimate programs and then creates a program with a different file extension. This file may reside in the temporary directory of your system.
When the user types the name of the legitimate program, the companion virus executes instead of the real program. This effectively hides the virus from the user. Many of the viruses that are used to attack Windows systems make changes to program pointers in the Registry so that it points to the infected program. The infected program may perform its dirty deed and then start the real program. |
|
|
Phage Virus
|
This virus modifies and alters other programs and databases. The virus infects all of these files. The only way to remove this virus is to reinstall the programs that are infected. If you miss even a single incident of this virus on the victim system, the process will start again and infect the system.
|
|
|
Armored Virus
|
This virus is designed to make itself difficult to detect or analyze. These viruses will cover themselves with "protective code" that stops debuggers or disassemblers from examining critical elements of the virus. The virus may be written in such a way that some aspects of the programming act as a decoy to distract analysis while the actual code hides in other areas in the program.
|
|
|
Retro Virus
|
It attacks or bypasses the antivirus software installed on a computer. You can consider it as an anti-antivirus. It can directly attack your antivirus software and potentially destroy the virus definition file of your antivirus software. Destroying this information without your knowledge would leave you with a false sense of security.
|
|
|
Smurf Attack
|
A smurf attack uses IP spoofing and broadcasting to send a PING to a group of hosts in a network.
When a host is pinged, it sends back ICMP message traffic information indicating status to the originator. If a broadcast is sent to a network, all of the hosts will answer back to the ping. The result of this is an overload of the network and the target system. |
|
|
Dual Key Pair
|
Using distinct key pairs to separate confidentiality services from integrity services to support non-repudiation.
|
|
|
Key Escrow
|
When a company uses key escrow, they keep copies of their private key in two separate secured locations where only
authorized persons are allowed to access them.The keys are split up and one half is sent to the two different escrow companies (see Figure 10.11). Using two different escrow companies is a separation of duties, preventing one single escrow company from being able to compromise encrypted messages by using a clients key set. |
|
|
Rootkits
|
Set of software tools intended to conceal running processes, files or system data from the operating system; used by malware to help intruders maintain access to systems while avoiding detection. Rootkits exist for a variety of operating systems. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules.
|
|
|
Fork Bomb
|
fork bomb is a form of denial of service attack against a computer system that uses the fork function. It relies on the assumption that the number of programs and processes which may be simultaneously executed on a computer has a limit. It works by creating a large number of processes very quickly in order to saturate the available space in the list of processes kept by the computer's operating system.
|
|
|
Bell La-Padula access control model
|
Formal state transition model of computer security policy that describes a set of access control rules. The four elements are: subjects, objects, access modes and security levels.
|
|
|
3 basic ways of hardening systems for security are:
|
Operation System hardening, Network hardening, and Application hardening.
|
|
|
Operation System Hardening
|
Changing default administrator account names, and passwords; using file access and user access permissions; applying any OS hot fixes as and when they are available.
|
|
|
Network Hardening
|
Restricting access to network shares; disabling/removing protocols and services that are not required; applying Firewalls such as CheckPoint FireWall or NAT (Network Address Translation); restricting wireless access where it may lead to vulnerability.
|
|
|
Application Hardening
|
Applying latest patches and hotfixes; installing anti-virus software where applicable, such as mail server; changing the default user names and passwords that the applications use.
|
|
|
3 basic ways of hardening systems for security are:
|
Operation System hardening, Network hardening, and Application hardening.
|
|
|
Operation System Hardening
|
Changing default administrator account names, and passwords; using file access and user access permissions; applying any OS hot fixes as and when they are available.
|
|
|
Network Hardening
|
Restricting access to network shares; disabling/removing protocols and services that are not required; applying Firewalls such as CheckPoint FireWall or NAT (Network Address Translation); restricting wireless access where it may lead to vulnerability.
|
|
|
Application Hardening
|
Applying latest patches and hotfixes; installing anti-virus software where applicable, such as mail server; changing the default user names and passwords that the applications use.
|
|
|
3 basic ways of hardening systems for security are:
|
Operation System hardening, Network hardening, and Application hardening.
|
|
|
Operation System Hardening
|
Changing default administrator account names, and passwords; using file access and user access permissions; applying any OS hot fixes as and when they are available.
|
|
|
Network Hardening
|
Restricting access to network shares; disabling/removing protocols and services that are not required; applying Firewalls such as CheckPoint FireWall or NAT (Network Address Translation); restricting wireless access where it may lead to vulnerability.
|
|
|
Application Hardening
|
Applying latest patches and hotfixes; installing anti-virus software where applicable, such as mail server; changing the default user names and passwords that the applications use.
|
|
|
3 basic ways of security hardening
|
Operating system hardening; Network hardening; Application hardening
|
|
|
Operating system hardening
|
Changing default administrator account names and passwords; Using file access and user access permissions; Applying any OS hot fixes as/when they’re available.
|
|
|
Network hardening
|
Restricting access to network shares; Disabling/removing protocols and services that aren’t required; Applying firewalls or NAT (Network Address Translation); Restricting wireless access where it may load to vulnerability.
|
|
|
Application hardening (DNS Servers, Mail Servers, File & Print Servers)
|
Applying the latest patches and hot fixes; Installing anti-virus software where applicable (mail server); Changing the default user names and passwords that applications use.
|
|
|
Firewall OSI Layers
|
Circuit-level Firewall (Data Link Layer), Packet Filtering Firewall (Network Layer), and Proxy Server (Application Layer)
|
|
|
Circuit-level Firewall Pros
|
Pros: Excellent performance characteristics since they only relay packets between computers with little evaluation; use NAT, which allows these gateways to hide internal network Internet Protocol (IP) addresses from other computers on the Internet; flexible – automatically supports new services.
|
|
|
Circuit-level Firewall Cons
|
Cons: Software running on the user's computer must often be recompiled and/or relinked with a special software library; no way of inspecting the application level packets it is relaying between the user's computer and the Internet - easy subversion of the firewall by configuration mistakes or by the efforts of a malicious Internet hacker.
|
|
|
Packet Filtering Firewall Pros
|
Good performance, using both Network Address Translation (NAT) as well as Port-Level Address Translation to hide internal Internet Protocol (IP) addresses from other Internet computers; don’t require modifications to the applications on the user's computer; Dynamic Packet Filtering closes communications ports when not in use; Stateful Packet Inspection provides even tighter security by analyzing packet contents and securing stateless protocols.
|
|
|
Packet Filtering Firewall Cons
|
They have little or no audit or event alerting capabilities; it can be difficult to implement changes to rule sets; cannot accommodate new services easily due to it's extremely rigid rules and must be updated by either the vendor of the packet filtering firewall or by an experienced administrator.
|
|
|
Application Level Firewall Pros
|
Proxy Servers, application-level firewalls allow no direct connection between the user's computer and the Internet. Proxy servers only allow packets through that comply with known protocols such as HTTP, FTP, SMTP, POP3; use NAT; implement features such as HTTP web page and image caching, ad and/or website URL filtering, and even user authentication. Application-level firewalls are also very good at generating audit trail logs, and sometimes even feature real-time pop-up alerts if conditions warrant.
|
|
|
Application Level Firewall Cons
|
They are typically much slower than packet filtering or circuit-level firewalls. Each packet must be "de-encapsulated", processed, and "re-encapsulated" each time before reaching it's final destination; susceptible to operating system and software application bugs.
|
|
|
Initialization Vector (IV)
|
A block of bits used to augment the shared secret key and produce a different RC4 key for each packet. Since it has a small key-space, the potential reuse of the same IV packet will allow a hacker to use an XOR function to mathematically link 2 packets of a session that have been processed with the same IV, so that the key can be computed. Used in WEP.
|
|
|
OCSP – Online Certificate Status Protocol
|
Defined to help PKI certificate revocation bypass the limitations of CRL schemes; returns information relating only to certain certificates that have been revoked - no need for the large files used in a CRL to be transmitted; One of the most glaring weaknesses of OCSP is that it can only return information on a single certificate, and does not attempt to validate the certificate for the CA that issued it.
|
|
|
Common methods of spoofing URLs
|
Anything on the left side of an @ sign in a URL is ignored; the % sign is
ignored; URLs do not have to be in the familiar format of a DNS name (such as www.syngress.com); they are also recognized when entered as an IP address in decimal format (such as 216.238.8.44), hexadecimal format (such as D8.EE.8.2C), or in Unicode; a spoofer can send an e-mailed link such as www.paypal.com@%77%77%77.%61%7A.%72%75/%70%70%64,” which appears to be a link to the PayPal Web site. However, it is really a link (an IP address in hex format) to the spoofer’s own server. |
|
|
Well-known Ports
|
0 - 1023
|
|
|
Registered Ports
|
1024 - 49151
|
|
|
Dynamic / Private Ports
|
49152 - 65535
|
|
|
2 Modes of IPSec
|
Tunnel Mode (both header and data are encrypted) and Transport Mode (only data is encrpyted).
|
|
|
PGP - Pretty Good Privacy
|
Encryption software used to encrypt e-mail messages and
files (freeware and commercial versions are available). PGP uses public and private keys to encrypt and decrypt email. |
|
|
Most commond sizes of symmetric and asymmetric algorithm keys
|
Symmetric: 128-bit; Asymmetric: 1024-bit and 2048-bit.
|
|
|
Network layer firewall example
|
IPtables
|
|
|
Application layer firewall example
|
TCP Wrappers
|
|
|
Stateful firewall
|
Firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.
|
|
|
Stateless firewall
|
Firewall that treats each network frame (or packet) in isolation. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet.
|
|
|
TKIP
|
Temporary Key Integrity Protocol - guarantees that every WEP client gets a different WEP key every 10,000 packets. TKIP also provides per-packet key mixing and message integrity.
|
|
|
One-way hash function
|
Also known as a message digest (MD), it's a mathematical function which takes a variable-length input string and converts it into a fixed-length binary sequence - very hard to reverse. Commonly used for creating digital signitures.
|
|
|
Avalanche Effect
|
Slight change in an input string that causes a hash value to change drastically. Even if 1 bit is flipped in the input string, at least half of the bits in the hash value will flip as a result.
|
|
|
X.509 Certificate Structure
|
Version, Serial Number, Signature Algorithm, Issuer Name, Period of Validity (from / to), Subject Name, Subject's Public Key / Algorithm, and CA Signature.
|
|
|
SecurID
|
RSA SecurID® two-factor authentication is based on something you know (a password or PIN) and something you have (an authenticator)-providing a much more reliable level of user authentication than reusable passwords. RSA Security offers enterprises a wide range of user authentication options to help positively identify users before they interact with mission-critical data and applications.
|
|
|
LAND Attack
|
A LAND attack is a DoS (Denial of Service) attack that consists of sending a special poison spoofed packet to a computer, causing it to lock up. The reason a LAND attack works is because it causes the machine to reply to itself continuously (It involves IP packets where the source and destination address are set to address the same device.
|
|
|
What 2 parts can network policy be divided into?
|
High-level policy (deals with application usage) and low-level policy (deals with how to place administrative controls on the network to lock down firewalls.
|
|
|
Service Policy
|
Deals with communication between the internal network and external networks.
|
|
|
Firewall Solutions
|
Deals with excluding the internal use of unauthorized external services and excluding the unauthorized external use of internal services.
|
