Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
125 Cards in this Set
- Front
- Back
|
A network authentication protocol in a Microsoft Windows Active Directory domain or a Unix realm. It uses a database of objects such as Active Directory and a KDC (or TGT server) to issue timestamped tickets that expire after a certain time period. |
Kerberos (TCP/UDP 88) |
|
|
Based on an earlier version of X.500, Windows Active Directory domains and Unix realms use this to identify objects in query strings with codes such as CN=Users and DC=GetCertifiedGetAhead, The secure version uses SSL or TLS to encrypt transmission. |
Lightweight Directory Access Protocol (LDAP) Secure LDAP LDAPv2 uses SSL LDAPv3 uses TLS (TCP/UDP 389) |
|
|
Enhances security by requiring users to use and remember only one set of credentials for authentication. Once signed on, this one set of credentials is used throughout a users's entire session. This can provide central authentication against a federated database for different operating systems. |
Single Sign On (SSO) |
|
|
Users have to reenter their credentials each time they access another system. However, they use the same credentials. |
Same Sign-on (Not the same as SSO) |
|
|
An indirect trust relationship. In an LDAP-based network, domains use this for SSO. |
Transitive Trust |
|
|
Links a user's credentials from different networks or operating systems, but treats it as one identity. Provides central authentication in a non-homogeneous environment. |
Federated Identity Management System (Federation) |
|
|
An Extensible Markup Language (XML)-based standard used to exchange authentication and authorization information between different parties. Provides SSO for web-based applications. |
Security Assertion Markup Language (SAML) |
|
|
SAML defines 3 roles. What are they? |
-Principal; A typical user. -Identity Provider; creates, maintains, manages identity info for principals. -Service Provider; an entity that provides services to the principal. |
|
|
Provides access to an internal network from an outside source. |
Remote Access Service (RAS) |
|
|
This is a remote access authentication method that uses a password or a PIN. A significant weakness is that it sends the information across a network in cleartext, making it susceptible to sniffing attacks. It is used with Point-to-Point Protocol (PPP). |
Password Authentication Protocol (PAP) |
|
|
This is a remote access authentication method also uses PPP and authenticates users, but it is more secure than PAP. The goal of this is to allow the client to pass credentials over a public network without allowing attackers to intercept the data and later use it in an attack. Uses a shared secret in the authentication process; Uses hashing of a nonce (number used once). |
Challenge Handshake Authentication Protocol (CHAP) |
|
|
An improvement over CHAP with the ability to perform mutual authentication, where client authenticates to the server and the server authenticates to the client before data is transmitted. |
Microsoft CHAP (MS-CHAP, MS-CHAPv2) |
|
|
A centralized authentication service. Instead of each individual RAS server needing a separate database to identify who can authenticate, authentication requests are forwarded to a central server. Encrypts only the password. |
Remote Authentication Dial-In User Service (RADIUS) UDP 1812/1813 |
|
|
An extension of RADIUS and many organizations have switched to Diameter as a replacement for RADIUS due to its extra capabilities. Also supports EAP, which significantly enhances its security, and also uses TCP instead of UDP. |
Diameter |
|
|
An older Cisco proprietary authentication protocol that is rarely used today. Most organizations use either RADIUS, DIAMETER, or TACACS+. |
XTACACS |
|
|
The Cisco alternative to RADIUS, and is a recommended replacement for XTACACS. Can be used for authentication with routers and other network devices. The benefit over RADIUS is that it encrypts the entire authentication process. |
TACACS+ |
|
|
Provides authentication, authorization, and accounting. Authentication verifies a user's identification. Authorization determines if a user should have access. Accounting tracks users access with logs. RADIUS, TACACS+ are examples of this protocol. |
AAA Protocols |
|
|
A server that is left open or appears to have been sloppily locked down, allowing an attacker relative easy access. Then intent is divert the attacker from the live network and observe the attack and learn from the attacker's methodologies. |
Honeypot |
|
|
A group of virtual servers contained within a single physical server. It mimics the functionality of a live network. An attacker looking in will not be able to determine if the servers are physical or virtual. |
Honeynets |
|
|
The most commonly used wireless antenna on both WAPs and wireless devices. It transmits and receives signals in all directions at the same time. |
Omnidirectional Antenna |
|
|
This type of antenna transmits in a single direction and receives signals back form the same direction. Has greater gain than an omni antenna because the power is focused in a single direction, and can transmit and receive signals over greater distances. |
Directional Antenna |
|
|
A theoretical concept where an antenna has a perfect three-dimensional radiation pattern of 360 degrees vertically and horizontally. Other antennas attempt to mimic this antenna. |
Isotropic Antenna |
|
|
Is an actual antenna. Assuming the antenna is standing vertically, it has a radiation pattern of 360 degrees horizontally, and about 75 degrees vertically. Most omnidirectional antennas used in wireless networks are a type of this antenna. |
Dipole Antenna |
|
|
A common type of directional antenna. This antenna typically uses a dipole, folded dipole, or half-wave dipole combined with additional elements such as a reflector or director element. Focus antenna in a single direction while also increasing the gain and reducing the radiation pattern. |
Yagi Antenna |
|
|
Was the original security protocol used to secure wireless networks. The goal was to provide the same level of privacy and security as wired network. Due to the widely published vulnerabilities, IEEE deprecated the use of this in 2004. |
Wired Equivalent Privacy (WEP) |
|
|
An interim replacement for WEP and originally used TKIP and RC4, which was compatible with older hardware. |
Wi-Fi Protected Access (WPA) |
|
|
The permanent replacement for WEP and WPA. Also known as 802.11i, uses stronger cryptography than both WEP and WPA with the use of CCMP (based on AES), which is much stronger than the older TKIP protocol. |
Wi-Fi Protected Access II (WPA2) |
|
|
A wireless security protocol introduced to address the problems with WEP. It was used with WPA but has been deprecated. WPA2 with CCMP is recommended instead. |
Temporal Key Integrity Protocol (TKIP) |
|
|
An encryption protocol based on AES and used with WPA2 for wireless security. It is more secure than TKIP, which was used with the original release of WPA. |
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) |
|
|
Server integrated with a database of accounts and it provides port-based authentication by requiring users and devices to authenticate before granting them access to a network. Prevents roque devices from being able to access the network. |
IEEE 802.1X |
|
|
When used with WPA and WPA2 in personal mode, this allows users access to the wireless network anonymously with a preshared key (PSK). |
IEEE 802.1X |
|
|
When used with WPA and WPA2 in Enterprise mode, it forces users to authenticate with unique credentials before granting them access to the wireless network. |
IEEE 802.1X |
|
|
An authentication framework that provides general guidance for authentication methods. Provides two systems to create a secure encryption key, also known as a Pairwise Master Key (PMK). Systems then use this key to encrypt all data transmitted between the devices. Both TKIP and CCMP use this key. |
Extensible Authentication Protocol (EAS) |
|
|
Provides an extra layer of protection for EAP. Encapsulates and encrypts the EAP conversation in a TLS tunnel. Requires certificates on a server, but not the clients. A common implementation is with MS-CHAPv2. |
Protected EAP (PEAP) |
|
|
An extension of PEAP, allowing systems to use some older authentication methods such as PAP within a TLS tunnel. It requires a certificate on the 802.1X server but not the clients. |
EAP-Tunneled TLS (EAP-TTLS) |
|
|
One of the most secure EAP standards and is widely implemented. The primary difference from PEAP is that it requires certificates on the 802.1x server and on each of the wireless clients. |
EAP-TLS |
|
|
Cisco created this using a modified version of CHAP and does not require a digital certificate. Most wireless devices support this, but it is susceptible to a known attack. Cisco recommends using stronger protocols. |
Lightweight EAP (LEAP) |
|
|
Used to encrypt traffic for smaller wireless devices. |
Wireless Transport Layer Security (WTLS) |
|
|
A technical solution that forces clients using web browsers to complete a specific process before it allows them access to the network. |
Captive Portal |
|
|
The practice of looking for a wireless network. Attackers use this to discover wireless networks that they can exploit and often use directional antennas (cantennas) to detect wireless networks with weak signals. |
War Driving |
|
|
Attackers use packet injection techniques to add additional packets into the data stream. The WAP responds with more packets, increasing the probability that it will reuse a key. This also decreases the time it takes to crack a WEP to a very short time, sometimes less than a minute. |
Initialization Vector (IV) Attack |
|
|
This involves three steps; Use a wireless sniffer or protocol analyzer to capture a wireless packet, wait for a wireless client to authenticate, use a brute force attack. The key here is that the attacker must capture the four-way handshake. |
WPA Cracking Attack |
|
|
An attacker keeps trying different PINs until it succeeds. Reaver, an open source tool, allows attackers to discover the PIN within 10 hours, and often much quicker. Once the PIN is discovered, it can discover the passphrase in both WPA and WPA2 wireless networks. |
WPS Brute Force Attack |
|
|
A WAP placed within a network by someone with some type of attack in mind. Sometimes called counterfeit access points. May be connected to a network device in wireless closets that lack adequate physical security. |
Rogue Access Points |
|
|
An access point with the same SSID as a legitimate access point. An attacker can set up a WAP using the same SSID as the public Wi-Fi as a service and many users will unsuspectingly connect to it. |
Evil Twin |
|
|
Attackers can transmit noise or another radio signal on the same frequency used by a wireless network. This interferes with the wireless transmissions and can seriously degrade performance. A type of denial-of-service attack can prevent users from connecting to a wireless network. |
Jamming or Interference |
|
|
A group of standards used on mobile devices that allow them to communicate with other mobile devices when they are close to them. This includes Bluetooth Wireless system. |
Near Field Communication (NFC) |
|
|
The practice of sending unsolicited messages to nearby Bluetooth devices (images or sounds). Although relatively harmless, it can cause some confusion when users start receiving messages. |
Bluejacking |
|
|
Any unauthorized access to or theft of information from a Bluetooth connection. Can access information, such as email, contact lists, calendars, and text messages. Attackers use tools such as hcitool and obexftp. |
Bluesnarfing |
|
|
Allows an attacker to take over a mobile phone and can listen in on phone conversations, enables call forwarding, send messages, and more. |
Bluebugging |
|
|
What is the single best protection against attacks on Bluetooth devices? |
Turn off discovery mode |
|
|
An extension of telephony, allows users to make phone calls using a network connection with access to the internet, rather than traditional phone systems. |
Voice over Internet Protocol (VoIP) |
|
|
Uses telephone technologies including phones and modems. Both the client and server need access to phone lines, and each must have a modem. Allows the client to have access to a remote network over traditional phone wires. |
Dial-Up Remote Access Service (RAS) |
|
|
Which IPSec mode encrypts the entire IP packets, and is the mode used with VPNs. |
Tunnel Mode |
|
|
Which IPSec mode encrypts the payload within the IP packets and is used within private networks. |
Transport Mode |
|
|
Is a secure encryption protocol used with VPNs by providing security in two ways; authentication and encryption. |
Internet Protocol Security (IPSec) |
|
|
IPSec includes this to allow each of the hosts in the IPSec conversation to authenticate with each other before exchanging data. Provides authentication and integrity. Uses protocol ID number 51. |
Authentication Header (AH) |
|
|
IPSec includes this to encrypt data and provide confidentiality. Includes AH so it provides CIA. Uses protocol ID number 50. |
Encapsulating Security Payload (ESP) |
|
|
Cisco and Microsoft joined forces to create this. It doesn't include any encryption, so it does not provide confidentiality of data. You can combine IPSec with L2TP (L2TP/IPSec) to provide security for the VPN tunnel. |
Layer 2 Tunneling Protocol (L2TP) |
|
|
When do you use SSL or TLS to secure the VPN channel? As an example, Secure Socket Tunneling Protocol (SSTP) encrypts VPN traffic using SSL over port 443. |
When the VPN tunnel must go through a device using NAT, and IPSec is not feasible. |
|
|
Includes two VPN servers that act as gateways for two networks separated geographically. Connects both networks without requiring additional steps on the part of the user. |
Site-to-site VPN |
|
|
What includes methods (such as health agents) to inspect clients for health, such as having up-do-date antivirus software. Can restrict access of unhealthy clients to a remediation network. You can use this for clients and for internal clients. |
Network Access Control (NAC) |
|
|
Uses one or more techniques to make it difficult to reverse engineer. Common techniques include using complex code, using encryption, or hiding the location. |
Armored Virus |
|
|
What has the ability to morph or mutate when it replicates itself, or when it executes. The goal is to create a virus or other malware with enough variations that AV software cannot detect it as the same malware. Over time, a single malware file could have thousands of variants. |
Polymorphic Malware |
|
|
A string of code embedded into an application or script that will execute in response to an event. The event may be a specific date or time, when a user launches a specific program, or any event the programmer decides on. |
Logic Bombs |
|
|
Provides another way of accessing a system. Many types of malware create this, allowing attackers to access systems from remote locations. Employees have also created backdoors in applications and systems. |
Backdoor |
|
|
Appears to be something useful but includes a malicious component, such as installing a backdoor o a user's system. Many are delivered via drive-by downloads. They can also infect systems with rogueware, pirated software, games, or infected USB drives. |
Trojans |
|
|
Includes multiple computers that act as software robots and function together in a network (such as the Internet), often for malicious purposes. Computers in this are called zombies and they do the bidding of whoever is in control of this network. |
Botnets |
|
|
A specific type of Trojan attack where attackers take control of the user's computer and then demand the user pay a ransom to get the control back. |
Ransomware |
|
|
A type of Ransomware virus, accuses users of being involved in illegal activities and demands they pay a fine. Often displays a notification from a law enforcement agency such as the US FBI. |
The Police Virus |
|
|
Doesn't try to trick the user, but instead uses basic kidnapping and ransom tactics by taking control of valuable user files. Encrypts valuable user files, such as photos, videos, and text documents, then demands the user pay a ransom. |
CryptoLocker |
|
|
A group of programs that hides the fact that the system has been infected or compromised by malicious code. System-level or kernel-level access and can modify system files and system access. Hide their running processes to avoid detection with hooking techniques. |
Rootkits |
|
|
A link included in the email that links to an image stored on an Internet server. The link includes unique code that identifies the receiver's email address. |
Beacon |
|
|
A targeted form of phishing. Instead of sending the email out to everyone indiscriminately, the attacker attempts to target specific groups of users, or even a single user. |
Spear Phishing |
|
|
A form of span using instant messaging (IM) and targets IM users. Sometimes trying to impersonate a user's friend and encourages the victim to click on a link. |
Spim |
|
|
Attacks use the phone system to trick users into giving up personal and financial information. Often using VoIP technologies to trick the user similar to phishing attacks. Attackers can spoof caller ID when using VoIP, making it appear that the call came from a real company. |
Vishing |
|
|
What is the most effective protection against unwanted adware in web browsers? |
Pop-up Blockers |
|
|
What is a vulnerability or bug that is unknown to trusted sources, such as operating systems and antivirus vendors? Operating system vendors write and release patches once they know about them, but until the vendors know about them, the vulnerability remains. |
Zero-Day |
|
|
What are all the different types of spoofing? |
IP, MAC, and Email |
|
|
An attack from two or more computers against a single target. These attacks often include sustained, abnormally high network traffic on the network interface card of the attacked computer. The goal is to prevent legitimate users from accessing services on the target computer. |
Distributed Denial-of-Service (DOS) Attack |
|
|
This attack spoofs the source address of a directed broadcast ping packet to a flood a victim with ping replies. The attacker sends a directed broadcast ping through a router into another network, spoofing the source IP address with the victim's address instead. |
Smurf Attack |
|
|
A common attack used against servers on the internet. They are easy for attackers to launch, difficult to stop, and can cause significant problems by disrupting the TCP handshake process and can prevent legitimate clients from connecting. The attacker sends a barrage of SYN packets, leaving the server with multiple half-open connections. |
SYN Flood Attack |
|
|
Many firewalls and intrusion detection systems include these, which are simply techniques to limit the success of a SYN flood attacks. They can block all traffic from the attacking IP, but attackers can still spoof the source IP address and launch attacks from multiple systems at the same time making it difficult to identify legitimate traffic. |
Flood Guards |
|
|
A type of port scan used to identify underlying details of an operating system. It has several bits set in the packet header and is reminiscent of lights. This attack sets specific flags within the TCP packet header. Different op systems respond in different ways, attackers analyze the response to determine the op system, sometimes they can even determine the version. |
Xmas Attack (Christmas Tree) |
|
|
A form of active interception or active eavesdropping. It uses a separate computer that accepts traffic from each party in a conversation and forwards traffic between the two. The two computers are unaware of the attacking computer, and it can interrupt the traffic at will or insert malicious code. |
Man-in-the-Middle Attacks |
|
|
This attack captures data in a session with the intent of later impersonating one of the parties in the session. Can occur on both wired and wireless networks. Timestamps and sequence numbers are effective countermeasures against this attack. |
Replay attacks |
|
|
This attack attempts to discover passwords from an online system. An attacker trying to log on to an account by trying to guess the user's password. |
Online Password Attack |
|
|
This attack attempts to discover passwords from a captured database or captured packet scan. |
Offline Password Attack |
|
|
This attack attempts to guess all possible character combinations. One of the best protections against this attack is to use complex passwords with sufficient length, and to use account lockout policies. |
Brute Force Attack |
|
|
This attack uses a dictionary of words and just attempts to use every word in the dictionary to see if it works. Easily thwarted by complex passwords. |
Dictionary Attack |
|
|
Attacks the hash of a password instead of passwords. |
Hash attack |
|
|
An attacker is able to create a password that produces the same hash as the actual user's password. Named after a mathematical paradox. This attack can be thwarted by increasing the number of bits used in the hash to increase the number of possible hashes. |
Birthday Attack |
|
|
This occurs when the hashing algorithm creates the same hash from different passwords. |
Hash Collision |
|
|
This is a type of attack that attempts to discover the password from the hash. They use a special table, huge databases storing pre-calculated passwords and their hashes. They include hashes for every possible combination. |
Rainbow Table Attack |
|
|
Attacks that use a combination of two or more attacks to crack a password. |
Hybrid Attack |
|
|
Attempts to modify or corrupt DNS results by modifying the IP address associated with a website and replacing it with the IP address of a malicious web site. Many current servers use Domain Name System Security Extensions (DNSSEC) to protect the DNS records and prevent these attacks. |
DNS Poisoning |
|
|
Another attack type of attack that manipulates the DNS name resolution process. It either tries corrupt the DNS server or the DNS client. They redirect the user to a different website. They do so by modifying the client's host file used on Windows Systems. |
Pharming Attacks |
|
|
An attack that misleads computers or switches about the actual MAC address of a system. These attacks can easily create ARP reply packets with spoofed or bogus MAC addresses, and poison the ARP cache on systems in the network. |
ARP Poisoning Attacks |
|
|
Can redirect network traffic, and in some cases insert malicious code. Instead of traffic going through the switch directly to the router, it is redirected to the attacker after poisoning the ARP cache of the victim. |
ARP Man-in-the-Middle Attack |
|
|
An attacker sends an ARP reply with a bogus MAC address for the default gateway. The default gateway is the IP address of a router connection that provides a path out of the network. If all of the computers cache a bogus MAC address for the default gateway, none of them can reach it, and it stops all traffic coming out of the network. |
ARP DoS Attack |
|
|
This occurs when someone buys a domain name that is close to a legitimate domain name, often for malicious purposes. |
Typo Squatting/URL Hijacking |
|
|
Attempts to discover which web sites employees are likely to visit and then infects those web sites with malware that can infect the visitors. |
Watering Hole Attacks |
|
|
A text file stored on a user's computer and used for multiple purposes, including tracking a user's activity. Places advertisements based on previous searches or purchases. Some web developers store sensitive data, such as usernames or passwords. |
Cookies |
|
|
The attacker learns the user's session ID and uses it to impersonate the user. This is possible when users only close the browser without logging off, because cookies stored on the user's system remain active until the user logs off. |
Session Hijacking Attacks |
|
|
A cookie created by Adobe and is different from a traditional cookie. They are also known as LSOs or locally shared objects. If cookies are deleted, this recreates them without the user's knowledge or consent. |
Flash Cookies or Locally Shared Objects (LSOs) |
|
|
Refers to the ability of an attacker to execute commands or run programs on a target machine. |
Arbitrary Code Execution |
|
|
Refers to the ability of an attacker to execute code from a remote system. |
Remote Code Execution |
|
|
This attack can manipulate the flags within the headers to modify behavior, in some cases, the attacker modifies data within the packet, such as the session ID. If the web browser uses the session ID to log the user on automatically, it gives the attacker access to the user's account. |
Header Manipulation Attack |
|
|
This protects against many attacks, such as buffer overflow, SQL injection, and cross-site scripting attacks by verifying the validity of inputted data before using it, and server-side validation is more secure than client-side validation. |
Input Validation |
|
|
This is when two or more modules of an application, or two or more applications, attempt to access a resource at the same time, it can cause a conflict. |
Race Condition |
|
|
This helps protect the integrity of the operating system and controls the errors shown to users. They ensure that an application can handle an error gracefully. When the application doesn't catch an error, it can cause the application to fail. |
Error and Exception Handling |
|
|
This occurs when an application receives more input, or different input, than it expects. This result is an error that exposes system memory that would otherwise be protected and inaccessible. |
Buffer Overflow |
|
|
This attack often includes no operation (NOP) instructions followed by malicious code. When successful, the attack causes the system to execute malicious code to cause a buffer overflow to crash the system or disrupt its services, it is a DoS Attack. Input validation helps prevent these attacks. |
Buffer Overflow Attacks |
|
|
This attack attempts to create a numeric value that is too big for an application to handle. In some situations, the application expects a positive number, but receives a negative instead. This is a problem if the application doesn't have proper error-handling and exception-handling routines. |
Integer Overflow |
|
|
This is used to communicate with databases. Many web sites use its statements to interact with a database providing the users with dynamic content. |
Structured Query Language (SQL) |
|
|
This attack starts by sending improperly formatted statements to the system to generate errors and pass queries to back-end databases through web servers. Many attacks use the phrase ' or '1'='1' to trick the database server in to providing information. Input validation and stored proper procedures reduce the risk of these attacks. |
SQL Injection |
|
|
If an application accepts XML data without input validation and without stored procedures, it is susceptible to an XML injection attack similar to a SQL injection. Additional data creates XPath statements to retrieve or modify data. |
XML Injection |
|
|
These typically hold one or more of the following types of data: documents, key value pairs, or graphs. This give developers much more flexibility in how they can store and query data. They are still susceptible to SQL Injection Attacks if input validation techniques are not implemented. |
NoSQL Databases |
|
|
Attackers embed malicious HTML or JavaScript code into an email or web site error message. If a user responds to the email or error message, it executes the code. They can redirect users to other websites and steal the user's cookies, passwords from their cache. The primary protection against this attack is to block the use of HTML tags and JavaScript tags. |
Cross-Site Scripting (XSS) |
|
|
An attack where an attacker tricks a user into performing an action on a web site such as making purchases without their knowledge. The attacker creates a specially crafted HTML link the user follows. Dual authentication and forcing the user to manually enter credentials is one way to stop these attacks or expire the cookie after a short period of time. |
Cross-Site Request Forgery (XSRF) |
|
|
Attackers are able to inject operating system commands into an application using web page forms or text boxes. Any web page that accepts input from users is a potential threat. This attack attempts to access a file by including the full directory path, or traversing the directory structure. Input validation can prevent these attacks. |
Directory Traversal/Command Injection |
|
|
This attack queries and modifies account data in Active Directory services |
LDAP Injection |
|
|
This attack uses an application on the client computer, such as a web browser. |
Client-Side Attack |
|
|
This attack attempts to access a back-end server through another server. |
Transitive Access Attack |
|
|
This sends random strings of data to applications looking for vulnerabilities. Administrators use this to test applications and attackers use this to detect attack methods. |
Fuzzing |
