81 Cards in this Set

  • Front
  • Back

Which statements about the OSI and DoD models are correct?



A. The DoD application layer performs the same functions as the OSI application layer.


B. The DoD network access layer and OSI session layer perform the same function.


C. The DoD Internet layer is the same as the OSI network model.


D. The DoD network access layer performs the same functions as the OSI data link and physical layer.

C.


D.

1. Operating on port 21, provides the uploading and downloading of data.


2. Operating on port 143, provides the retrieval of email messages.


3. Operating on port 22, provides a secure data exchange channel through encryption and authentication.


4. Operating on port 53 and using TCP or UDP, translates domain names into IP addresses.

1. FTP


2. IMAP


3. SSH


4. DNS

What are some features of TCP/IP?



A. TCP/IP is network independent


B. The network access layer is the lowest layer of TCP/IP


C. The link layer allows TCP/IP to communicate with routers


D. TCP/IP is an integrated addressing system


E. The transport layer is the highest layer of TCP/IP

A.


B.


D.

Application Layer

User/Software applications. Responsible for displaying and receiving data for the user.


- FTP, DHCP, DNS, HTTP, IMAP, LDAP, MGCP, NNTP, NTP, POP, ONC/RPC, RTP, RTSP, RIP, SIP, SMTP, SNMP, SSH, Telnet, TLS/SSL, XMPP


Presentation Layer

Translate data for application/transmission


- Encryption

Session layer

Manage connections


- Establish/terminate

Transport layer

Transfer and manage data between hosts


- includes reliability and error handling


- client server or peer to peer


- TCP, UDP, DCCP, SCTP, RSVP

Network layer

Transfer datagrams from one node to another


- Routers and layer 3 switches

Data link layer

Data packets encoded/decoded; link between nodes established/maintained


- ARP, NDP, OSPF, tunnels (L2TP, PPP), MAC (Ethernet, DSL, ISDN, FDDI)

Physical layer

Transmits data at the hardware level


- Data transmitted and received; electrical and physical specifications; electric impulses, light, or radio frequency

DoD:


- Application: App, pres, session


- Transport: transport


- Internet: network


- Network Access: Data link and physical

- Could be leveraged as the go-to model worldwide. AKA TCP/IP model


- Developed by the Department of Defense

Protocol Data Unit (PDU)



What is the PDU called at each level of the OSI model?

The process of packaging data as it passes through each layer of the OSI model aka encapsulation.



Application: Data


Presentation: Data


Session: Data


Transport: Segments


Network: Packets


Data Link: Frames


Physical: Bits

Upper layers

Application


Presentation


Session

Data flow layers

Transport


Network


Data Link


Physical

TCP/IP can be categorized as:

- An integrated addressing system


- A routing-friendly design


- Underlying networking independence


- Scalability


- Use of open standards and development

TCP/IP Model aka DoD Model

Application


Transport


Internet


Network Access

Internet Control Message Protocol (ICMP)

- Ping requests and Replies. Testing to see if connectivity is good between systems or networks or parts of networks.


- Could be used by unauthorized users.


- Can instruct routers that a subnet is no longer at a certain subnet.

IPv6

- 128 bytes


- 16 bits


- Many attacks are not possible


- DNS attacks are less likely because DNS accepting IPv6 should have the full DNSSec suite enabled.

Dual Stacking

- Running both IPv4 and IPv6 addresses at the same time.


- Can also enable tunneling by encapsulating IPv6 packets inside IPv4 packets.

IPv6 security Model

- IPSec, 802.1x, Router and FW ACLs, Authentication

TCP (Transmission Control Protocol)


UDP (User Datagram Protocol)

- TCP requires an established connection before sending PDU information and is reliable, whereas UDP sends PDUs at will, making it less reliable but faster. UDP is used for broadcast and multicast; TCP is used for unicast over an established connection.

Lossless


Lossy

- TCP


- UDP

Socket

- Is used for communication. TCP uses 2 sockets to send and receive. UDP can communicate with multiple devices through 1 socket.


- TCP socket: TCP, IP, Port


- UDP socket: UDP, IP, Port

UDP Header

- Source Port


- Destination Port


- UDP checksum - confirm validity and integrity of the data transmitted.

Well known ports


Ephemeral ports

- 0 to 1023


- 1024 to 65,535

SSL Steps

1. User accessing secure site


2. Check DNS records for IP address to find web-site host


3. Web site records found. Going to the host web server.


4. Requesting secure SSL connection from web site host


5. Host responds with valid SSL cert


6. Secure connection is now established. Transferred data is encrypted.

TLS/SSL encrypt data between

- at a lower level in the TCP/IP Application layer

FTP secure


SFTP


SCP

- Uses port 990 for control communication between client and server, and port 989 to send and receive data.


- SFTP uses port 22


- SCP uses port 22

Email:


SMTP


POP3


IMAP

- port 25


- Port 110; can be used with or without SMTP


- Port 143

HTTP


HTTPs

- Port 80 - stateless protocol


- Port 443 - uses authentication and encryption

NetBIOS (Network Basic Input/Output System):


Name service


Datagram distribution services


Session Services

- Applications must register their own names, 16 bytes and the last 2 are reserved to define the network.


- NBT protocol


- Usually sessions run over TCP port 139, used to transfer larger amounts of data


- Name and datagram services run over UDP ports 137 and 138.

BootP


TFTP


NTP


SNMP

- Uses UDP 67; available on DHCP servers; can be used to boot a workstation without a disk drive and to locate its IP address


- UDP 69; sends small amounts of data; used to boot computers, X terminals, and diskless workstations


- UDP 123; network clock server


- UDP 161; enables network devices to exchange network information, stores info in MIBs, requests are in the form of PDUs.

IPSec Protocol

- Designed to encrypt all traffic no matter the app


- Transport mode only encrypts the data portion (payload)


- Tunnel mode encrypts both the data and the header information


- AH


- ESP


iSCSI (Internet Small Computer System Interface)

- Transfers between data store facilities and the Internet

Fibre Channel

- High-speed data transfer technology


- Fibre Channel over Ethernet: Fibre Channel frames encapsulated on Ethernet networks.

RDP aka Terminal Services

- Port 3389


- The software must be running on the remote server.

Identify correct statements about the OSI and DoD models.



A. The OSI network access layer is responsible for data transmission at the hardware level.


B. The OSI session layer controls reliability and error handling


C. The OSI presentation layer translates data for transmission


D. The DoD Internet layer transfers datagrams from one node to another


E. The DoD application layer is responsible for encryption and decryption.

C.


D.


E.

Which statement(s) about IPv4 and IPv6 are correct?



A. IPv4 addresses use 32 bit or 4 bytes for addressing.


B. IPv6 addresses use eight 16 bit segments


C. IPv6 is less vulnerable to DNS spoofing


D. In IPv4 addressing, a double colon replaces zeros


E. IPv6 is impervious to DoS attacks

A.


B.


C.

What are some functions of TCP and UDP?



A. UDP doesn't use specific ports


B. UDP is less reliable than TCP


C. TCP is slower than UDP


D. UDP cannot broadcast data


E. TCP sequences and retransmits messages

B.


C.


E.

1. A hacker uses a spoofed IP to ping network hosts.


2. Installed malware gains the same level of control as a legitimate application.


3. A hacker intrudes upon a conversation between hosts.


4. A botnet controls multiple systems that flood another system with network traffic.

1. Smurf Attack


2. Privilege escalation


3. Man in the middle


4. DDoS

How are assessment tools used to secure networks?



A. Vulnerability scanners are used to map network devices.


B. OVAL is used to compare results with a standardized network map


C. Port scanners are used to ping all active servers on a network


D. Protocol analyzers are used to analyze a data packet's destination and flags


E. Vulnerability scanners are used to identify trojans and botnet malware.

A.


C.


D.

You are a network administrator. Which actions should you take to secure your network?



A. Implement a DMZ outside the network firewall.


B. Use a system to check the status of all computers in a network and log the findings.


C. Maintain unused employee accounts on a separate server.


D. Implement a policy for regular software updates and patches


E. Connect a device that uses EAP requests to a network switch.

C.


D.


E.

DoS & DDoS Attacks

- Targeting software vulnerabilities


- Create a diversion for other attacks


- Incapacitating a server totally


- Physical attacks as well



- Use ICMP, TCP, or UDP to carry out their deeds

Smurf Attack

- Spoof a server's IP, then send a ping request to a router that then broadcasts the request to the rest of the systems on that network.

SYN Attacks:


SYN flood attack


Distributed reflection DDoS attack



- Sending SYN packets from multiple computers simultaneously.


- Sends a SYN packet and doesn't respond to the SYN ACK packet from the remote server so the remote server continues to send the SYN ACK.


- Spoofs an IP address then attempts to open a request with multiple servers. Then those servers send a response back to the actual server.

Fraggle Attack

- similar to the smurf attack


- Attacker tries to find uncommon open ports, then overwhelm them.

ARP poisoning

- The attacker broadcasts an unsolicited ARP request appearing to come from Alice, and Bob's computer trusts this request. All traffic Bob then tries to send to Alice is routed through the attacker first.

Replay Attack

Traffic is captured by the attacker then used by the attacker to impersonate the user. Generally login credentials.

Privilege Escalation:


Transitive attacks


Client side attacks


Christmas Tree attacks

- captures the credentials used to log into a network share


- Attack the client directly, through a vulnerability in a browser for example, instead of the server


- All flags turned on SYN, ACK, PUSH, etc

Water Hole

- Research the site


- Infect the site


- Users become infected

Typo Squatting

- Mistyping or misspelling a site name takes you to another site owned by an attacker.

Password Attacks:


Birthday Attack


Rainbow Table

- Hoping that two users will use the same password and end up with exactly the same resulting hash


- Precomputed lists of tables made to reverse hashing functions

Port Authentication

Ensures only authenticated users have access to the network, using IEEE 802.1x

*EAP

- EAP request is sent

NAC

Can be used to control who can access a network. These are predefined policies. Can be complicated and requires much planning. Must gather information from different devices across the network. Create a system that does this.



Authenticator, NAC policy server, RADIUS AAA (Authorization, Authentication, Accounting) server, DHCP server.

NAC: Frameworks:

- Cisco Network Admission Control - Uses IEEE 802.1x


- Microsoft Network Access Protection - in win server.


- Trusted Network Connect - a TPM chip records hashes of the machine state. Open source.

NAC: Attacks

- An attacker could run two VMs, one that meets requirements and one that doesn't. After authenticating to the network, the attacker switches to the machine that does not meet requirements.

NAC: Post and Pre admission

- Pre - tests that the device meets standards before it gets on the network.


- Post - checks the device after it has authenticated to the network to make sure that it continues to meet security measures.

Initialization phase: Supplicant plugs into an authenticator, the authenticator then sends an EAP request, the supplicant then sends an EAP response that says it wants to get on the network.

NA

Network Hardening Topics

Patches


OS patches


Password policies and strong passwords


Account and password expiration


Close unused ports


MAC limiting/filtering


Defunct account removal


Remove unused services


Review user privileges


Wi-Fi/BYOD policies

Vulnerability scanners

Map ports

OVAL

Standardizes the main activities of a vulnerability check in three steps.


1. It creates a representation of the benchmark state of a computer system.


2. It analyzes a system state against the benchmarked state


3. The application produces a report of the state of the system that was analyzed.

Port Scanners

- Most common


- Which ports are open


- Vulnerabilities on these ports


- Netstat and Nmap

Total number of ports?


What are the port ranges?

65535


- 0 to 1023 common ports


- 1024 to 49151 registered ports


- 49152 to 65535 Dynamic ports

FIN, PUSH, URG packets

This is a Christmas tree attack

Port scans require a 3-way handshake

SYN, SYN-ACK, ACK

Stealth Scans

Take advantage of vulnerabilities. The receiver responds without a connection being made. For example, an error message may be sent back, or if the service is running the attacker may get no response at all.

Protocol Analyzers have two functions

- Traffic Analysis and Packet capture, analysis, and transmission.


- how: Plug into an existing device, or network tap.


- inline with the network


- tcpdump, Wireshark, dsniff, SkyGrabber, Cain and Abel, Kismet, and Microsoft Network Analyzer

Protect against protocol analyzers

- Encryption; this can get expensive, so you should choose which data to encrypt.


Banner grabbing

Must perform a port scan to find open ports, then, start to banner grab. Look at software versions, types of software, etc.

Passive and Active security

- Both should be used in security


- P: vulnerability anticipation


- A: Vulnerability detection such as banner grabbing and port scanning.

As the network security specialist for your organization, you're developing a network topology map so you can assess the network, analyze potential risks, and build a network defense strategy.

Questions to follow:

Match the OSI layers to their corresponding DoD layers. You may use each layer more than once.



1. Physical layer


2. Session layer


3. Presentation layer


4. Data link layer


5. Network layer

1. Network access layer


2. Application layer


3. Application layer


4. Network access layer


5. Internet layer

Which statements about the TCP/IP protocol suite are correct?



A. DNSSEC makes IPv6 more vulnerable to certain types of DoS attacks


B. UNIX and the Winsock API communicate exclusively on the Transport layer


C. Examples of ICMP control messages are Ping Requests and Ping Reply


D. The highest layer in the TCP/IP protocol suite is the Application layer


E. The binary form of IPv6 is 128 bits long

C.


D.


E.

Security professionals need to recognize network protocols in order to secure networks and maintain smooth network operation.




Match each network protocol to its description.



A. UDP


B. TCP


C. NetBIOS


D. SSL


E. IMAP

E. Retrieves email messages and operates on port 143.


C. Working on UDP port 137, used by LANs to allow software on different hosts to communicate.


B. Sequences messages, retransmits messages lost in transit, and uses data flow and congestion control.


A. Fast and provides multicasting, but doesn't provide security, data integrity, or reliability.


D. Uses secure tunneling encryption with protocols like HTTP and FTP to ensure network traffic is safe during transit.

There are multiple types of network attacks used by hackers to infiltrate or interfere with network systems. Being able to recognize the different types of attacks is the first step toward establishing defenses against them.




Match each network attack type with its corresponding description.



A. MITM


B. Spoofing


C. Christmas Tree attack


D. SYN flood


E. Smurf attack


F. DDoS attack

B. A hacker fakes his MAC address to gain access to a secure network.


D. An attacker disrupts the TCP handshake process of a network and intercepts the response packet from the target server.


F. A hacker utilizes a C&C server to instruct zombie computers to flood a web site with traffic.


A. A hacker intercepts traffic on an existing connection between two different hosts.


E. An attacker mimics the victim's IP address and sends Ping Requests to multiple hosts.


C. An attacker uses a TCP packet with the URG, PUSH, and FIN flags turned on and sends it to a router.


Which statements about port security are correct?



A. Attackers can simply plug into a network connection and gain access if ports aren't secured.


B. Port authentication involves using IEEE 802.x protocols to secure logical ports.


C. Mobile devices don't represent a security threat because they don't have access to network ports.


D. One method of increasing port security is to disable unused, open ports.


E. Certain network switches can detect duplicate MAC addresses.

A.


D.


E.


Which descriptions of security and assessment tools are correct?



A. To protect network integrity and safety, vulnerability scanners are designed so they do not exploit network resources.


B. Port scanners detect running services on open ports.


C. OVAL is an open, interoperable language which can be used to detect network vulnerabilities, work with different applications, and share results with others.


D. Sniffing is not a legitimate process and should never be employed by administrators.

B.


C.

Label each description of a network attack according to its attack type.



A. Watering hole attack


B. Replay attack


C. Typo squatting


D. Brute force attack

A. A hacker infects a web site that an organization knows and trusts with malware.


C. A hacker tricks a user into navigating to a web site that has a similar name to a legitimate site.


D. An attacker gains user passwords by using a computer(s) to run through all the possible combinations.


B. A hacker uses information taken while spying on a session to gain unauthorized access.

Which statements describe how security and assessment tools are used?



A. Packet sniffers analyze the flow of traffic between hosts.


B. Netstat is used to analyze data packets for set flags.


C. OVAL is used to create a benchmark of a system's state.


D. Port scanning is initialized by using a two-way TCP/IP handshake.


E. Sniffing is performed by connecting to network devices or taps.

A.


C.


E.

Which actions are examples of network security best practices?



A. Creating a document that lists which devices meet the minimum security requirements


B. Running scanning software to detect running services on ports


C. Enforcing a strong password policy


D. Creating a NAC policy for a small business network


E. Giving all wireless devices special access so they can access ports not used by PCs

A.


B.


C.