Security+ (SY0-301)
OSI Model
(Layer 7) The Application layer integrates network functionality into the host operating system, and enables network services. The Application layer does not include specific applications that provide services, but rather provides the capability for services to operate on the network.
(Layer 6) The Presentation layer formats or "presents" data into a compatible form for receipt by the Application layer or the destination system. Specifically, the Presentation layer ensures:
• Formatting and translation of data between systems.
• Negotiation of data transfer syntax between systems, through converting character sets to the correct format.
• Encapsulation of data into message envelopes by encryption and compression.
• Restoration of data by decryption and decompression.
(Layer 5) The Session layer's primary function is managing the sessions in which data is transferred. Functions at this layer include:
• Management of multiple sessions (each client connection is called a session). A server can concurrently maintain thousands of sessions.
• Assignment of the session ID number to each session to keep data streams separate.
• Set up, maintain, and tear down communication sessions.
(Layer 4) The Transport layer provides a transition between the upper and lower layers of the OSI model, making the upper and lower layers transparent to each other. Two protocols associated with the Transport layer are:
• TCP ensures accurate and timely delivery of network communications between two hosts (connection-oriented). TCP provides the following services to ensure message delivery: sequencing of data packets, flow control, and error checking.
• UDP is a connectionless protocol: fast, but does not guarantee delivery.
(Layer 3) The Network layer describes how data is routed across networks and on to the destination.
• Protocols associated with the Network layer include IP and IPX.
• The logical host address, in the form of the IP address, is defined at the Network layer.
• Routers operate at the Network layer by reading the IP address in the packet to make forwarding decisions.
(Layer 2) The Data Link layer defines the rules and procedures for hosts as they access the Physical layer.
• The physical device address, in the form of the MAC address used with Ethernet, is defined at the Data Link layer.
• Network interface cards (NICs) contain the MAC address and perform functions at the Data Link layer.
• Switches operate at the Data Link layer by reading the MAC address in a frame to make forwarding decisions.
(Layer 1) The Physical layer sets standards for sending and receiving electrical signals between devices (hubs).
(PII) Personally Identifiable Information
Type 2 Something you have authentication
(also called token-based authentication) is authentication based on something a user has in their possession. Examples of something you have authentication controls are: • Swipe cards • Photo IDs • Smart cards
Cross-site Request Forgery (CSRF/XSRF)
(also known as a one-click attack or session riding) is a type of malicious exploit whereby unauthorized commands are transmitted from a user to a website which currently trusts the user (by way of authentication, cookies, etc.). This is almost the opposite of the XSS attack, except CSRF exploits the trust that a site has in a user's browser.
Zero day
(also known as a zero hour or day zero attack) is an attack that exploits computer application vulnerabilities before they are known and patched by the application's developer.
Directory traversal
(also known as path traversal) attack uses specific characters to traverse to a parent directory in a file system. This attack exploits insufficient security validation/sanitization of user-supplied input file names.
IPv6 address
- 32 hexadecimal digits (128-bit address) organized into 8 quartets separated by colons; each quartet represents 16 bits of data as a hexadecimal number between 0 and FFFF. - The first 64 bits are known as the prefix (ID's the host). - The last 64 bits are the interface ID. - The IPv6 local loopback address for the local host is 0:0:0:0:0:0:0:1 (::1 or ::1/128). - An IPv6 anycast address is a single address that can be assigned to multiple interfaces. - The implementation of IPSec is mandatory. - Common format for expression is 32 hexadecimal digits grouped using colons.
Asymmetric encryption
- AKA public key encryption; uses two keys that are mathematically related. Both keys together are called the key pair. Used for data encryption, digital signing, and key exchange. - A digital signature is used to authenticate asymmetric keys. - Common algorithms are Diffie-Hellman and RSA. - Used to distribute symmetric keys.
Digital certificates
- A CRL (Certificate Revocation List) distributes info on invalid certs. - A cert contains the public key, validity period, CA info, approved uses, and cert owner.
CRL (certificate Revocation list)
- Certs are added when the owner commits a crime, on invalid identity issues, or when the private key gets compromised. - If the cert expires, it is not added; the expiry date is on the cert.
DES & AES encryption methods
- DES: one of the first symmetric encryption methods; now obsolete (the encryption can be broken). 3DES is an improved version. Weaker than AES. - AES: stronger than DES; stronger and faster than 3DES when implemented with a large key size (256 bits).
LANMAN
- Divides passwords larger than 7 characters into two separate hashes. - Passwords are protected using a hash called the LANMAN hash (uses DES and a proprietary algorithm). - Limited to 14 characters and very weak/easily broken.
SSL
- Encrypts the entire communication session between server and client. - Can be used for HTTP, Telnet, FTP and email. - Developed by Netscape. - Keys employed at 40-bit, 56-bit, 128-bit and 256-bit lengths. - TLS is based on SSL. - Uses RSA or KEA for key exchange.
NTLM & NTLMv2 (NT LAN Manager)
- NTLM is the replacement for LANMAN on Microsoft networks and uses a stronger hashing method than LANMAN. - NTLMv2 includes additional security enhancements and a stronger hashing method.
Quantitative and Qualitative Analysis
- Quantitative analysis assigns a financial value or "real" numbers to an asset and the cost to recover from its loss. - Qualitative analysis seeks to identify costs that cannot be concretely defined using quantitative analysis.
Kerberos
- Requires a centralized database of users and passwords, and time sync. - Provides both authentication and authorization (default for AD). - Grants tickets (also called a security token); uses SSO. - Symmetric key cryptography.
Password Authentication Protocol (PAP)
Authentication protocol used between client and server - Transmits credentials in clear text.
S/MIME
- Used to encrypt email (including file attachments). - Uses RSA encryption. - Employs encryption for confidentiality. - Authenticates through digital signatures (X.509 v3 certs). - Included in most browsers. - Minimal requirement: a digital certificate.
Lightweight Directory Access Protocol (LDAP)
- Allows users and applications to read from and write to an LDAP-compliant directory service such as AD, eDirectory and OpenLDAP. - Modes: Anonymous, Simple and SASL. - Use SASL with Kerberos.
Internet Protocol Security (IPSec)
- Provides authentication and encryption. - Can secure any traffic carried by the IP protocol.
• Authentication Header (AH) provides authentication features. Use AH to enable authentication with IPSec.
• Encapsulating Security Payload (ESP) provides data encryption. Use ESP to encrypt data. Note: If you use only AH, data is not encrypted.
• Transport mode is used for end-to-end encryption of data. The packet data is protected, but the header is left intact, allowing intermediary devices (such as routers) to examine the packet header and use the information in routing packets.
• Tunnel mode is used for link-to-link communications. Both the packet contents and the header are encrypted.
stealth virus
- Can redirect the disk head to read another sector instead of the one in which it resides. - Can alter the infected file size shown in the directory listing. - Can change a file's date and time. - Since a stealth virus uses encryption techniques, it becomes totally hidden from antiviruses and operating systems (e.g. Frodo & Whale).
metamorphic virus
- Capable of rewriting its code upon each new file infection. - To avoid pattern recognition, it changes the code, not the engine. - Changes its code to an equivalent one, so it never has the same executable code in memory.
polymorphic virus
- Has the ability to change its own signature at the time of infection and is hard to detect. - When the user runs the infected file on the disk, it loads the virus into RAM. The new virus starts making its own copies and infects other files of the operating system. - The mutation engine of the polymorphic virus generates new encrypted code, thus changing the signature of the virus. - Cannot be detected by signature-based antivirus.
multipartite virus
- hybrid of boot sector and file viruses. - infects files, and then works as a boot sector virus, and finally it changes the MBR of the hard disk. - Once the boot sector is infected, the virus loads into the memory and begins to infect the uninfected program files. In this way, the process never ends.
trust model
- In the hierarchy, trust starts at the Root CA. - Defines how CA hierarchies trust each other and the certs they use.
Hub
- Physical star, logical bus topology. - Hubs simply repeat incoming frames and send them to every host connected to the hub. - All connected hosts share bandwidth.
Cryptographic Service Provider (CSP)
- resides on the client and generates the key pair. - Asymmetric
The key distribution center (KDC) server
- The server stores, distributes, and maintains cryptographic session keys. - Kerberos uses a KDC to authenticate a principal.
trunk port
- used to connect two switches together - Member of all VLANs
The session keys employed by SSL are available in what bit lengths?
128 & 40 bit. They are also available in 56-bit & 256-bit lengths.
binary to decimal
128 = 10000000, 64 = 01000000, 32 = 00100000, 16 = 00010000, 8 = 00001000, 4 = 00000100, 2 = 00000010, 1 = 00000001
Challenge Handshake Authentication Protocol (CHAP)
Authentication protocol used between client and server. - Uses a three-way handshake process for username/password. - The password is hashed and then sent for authentication; forces periodic re-authentication. - MS-CHAP v2 allows for mutual authentication (each party is verified by the other), where the server also authenticates the client. - Used for dialup.
Ports
20 TCP / 21 TCP - File Transfer Protocol (FTP)
22 TCP and UDP - Secure Shell (SSH), SSH File Transfer Protocol (SFTP), Secure Copy (SCP)
23 TCP - Telnet
25 TCP - Simple Mail Transfer Protocol (SMTP)
49 TCP and UDP - Terminal Access Controller Access-Control System (TACACS)
50 - Encapsulating Security Payload (ESP) (used with IPSec)
51 - Authentication Header (AH) (used with IPSec)
53 TCP and UDP - Domain Name Server (DNS)
67 UDP / 68 UDP - Dynamic Host Configuration Protocol (DHCP)
69 UDP - Trivial File Transfer Protocol (TFTP)
80 TCP - HyperText Transfer Protocol (HTTP)
88 TCP - Kerberos
110 TCP - Post Office Protocol (POP3)
119 TCP - Network News Transport Protocol (NNTP)
123 UDP - Network Time Protocol (NTP)
135 TCP, 137 and 138 TCP and UDP, 139 TCP - Network Basic Input/Output System (NetBIOS)
143 TCP and UDP - Internet Message Access Protocol (IMAP4)
161 TCP and UDP / 162 TCP and UDP - Simple Network Management Protocol (SNMP)
389 TCP and UDP - Lightweight Directory Access Protocol (LDAP)
443 TCP and UDP - HTTP with Secure Sockets Layer (SSL/TLS) (HTTPS - stateful)
445 TCP - Windows 2000 CIFS/SMB (file access)
500 UDP - Internet Key Exchange (IKE) (used with IPSec)
636 TCP and UDP - Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
989 TCP and UDP / 990 TCP and UDP - FTP Secure (FTPS or FTP over SSL/TLS)
1701 UDP - Layer 2 Tunneling Protocol (L2TP)
1723 TCP and UDP - Point-to-Point Tunneling Protocol (PPTP)
1812 TCP and UDP / 1813 TCP and UDP - Remote Authentication Dial In User Service (RADIUS)
3389 TCP - Remote Desktop Protocol (RDP)
Wireless security
802.11i defines security for wireless networks (WPA, WPA2). 802.1x is an authentication protocol that can be used on wireless networks.
802.11a: The 802.11a standard provides wireless LAN bandwidth of up to 54 Mbps in the 5GHz frequency spectrum.
802.11b: The 802.11b standard provides bandwidth of up to 11 Mbps (with fallback rates of 5.5, 2, and 1 Mbps) in the 2.4GHz frequency spectrum.
802.11g: The 802.11g standard provides bandwidth of up to 54 Mbps in the 2.4GHz frequency spectrum.
802.11n: The 802.11n standard provides bandwidth of up to 300 Mbps in the 5GHz frequency spectrum (it can also communicate at 2.4GHz for compatibility).
Shared key is used with WEP. WPA (uses TKIP), WPA2 (uses AES). WPA and WPA2 Enterprise use 802.1x for authentication. WPA provides encryption and user authentication.
Fire extinguisher
A - Wood, paper, cloth, plastics; B - Petroleum, oil, solvent, alcohol; C - Electrical; D - Sodium & potassium
address class
A: 1-126, 255.0.0.0, /8
B: 128-191, 255.255.0.0, /16
C: 192-223, 255.255.255.0, /24
D: 224-239
E: 240-255
Digital Signatures
A combination of asymmetric encryption and hashing values. - Should be used for integrity validation and non-repudiation. - Created using the sender's private key, and only the sender's public key can verify and open the data. - Most likely to use the RSA and ECC protocols.
One-time pad (Algorithm)
A cryptography method in which the plaintext is converted to binary and combined with a string of randomly generated binary numbers (referred to as the pad). It is a form of substitution.
Trusted Platform Module (TPM)
A hardware chip on the motherboard that can generate and store cryptographic keys. Save the start-up key to the TPM to avoid using a USB device to store the key.
Diffie-Hellman
A key exchange protocol used for generating and securely exchanging symmetric encryption keys(SSL,SSH, IPSec). - Asymmetric
Hardware Security Modules (HSM)
A piece of hardware and associated software/firmware that is connected to a computer system to provide cryptographic functions such as encryption, decryption, key generation, and hashing.
Logic bomb
A program that performs a malicious activity at a specific time or after a triggering event. - AKA asynchronous attack.
ElGamal
A protocol used for encryption, based on Diffie-Hellman. Used in the free GNU Privacy Guard software and recent versions of PGP. - Asymmetric. - Used primarily for secure key exchange.
What two protocols is IPsec implemented through?
AH & ESP
Simple Authentication
Always use SSL
GNU Privacy Guard (GPG) and Pretty Good Privacy (PGP)
An encryption tool that encrypts emails, digitally signs emails, and encrypts documents. - Compresses plain text before encrypting - High resistance to cryptanalysis
Cramming
Application of charges to a phone bill for services that were not authorized or ordered by the consumer, or not disclosed.
Annualized Loss Expectancy (ALE)
Asset value (AV) x exposure factor (EF) x Annualized Rate of Occurrence (ARO)
A collection of zombie computers have been setup to collect personal information. What type of malware do the zombie computers represent?
Botnet
goals of cryptography
Confidentiality, authentication, integrity, and nonrepudiation are the goals of cryptography that are achieved by the symmetric key cryptosystem.
Cryptanalysis
Cryptanalysis is the method of recovering original data that has been encrypted without having access to the key used in the encryption process.
Which of the following is the employment of two separate key pairs in order to separate the security functions of confidentiality and integrity in a communication system?
Dual key pair
Which IPSec subprotocol provides data encryption?
ESP. Encapsulating Security Payload protocol provides data encryption for IPSec traffic.
You would like to implement BitLocker to encrypt data on a hard disk even if it is moved to another system. You want the system to boot automatically without providing a startup key on an external USB device. What should you do?
Enable TPM in the BIOS. The system startup key can be saved in the TPM.
Block Cipher
Encrypts by transposing plaintext to ciphertext in chunks (block-by-block). - Symmetric encryption.
Which of the following is a direct protection of integrity?
Digital Signature
What is the most obvious means of providing non-repudiation in a cryptography system?
Digital signatures
DriveLock
Encrypts the entire contents of a hard drive, protecting all files on disk. Special key allows system to decrypt the files on the hard drive.
Whole disk encryption (Bitlocker)
Encrypts the entire contents of the OS partition, including OS files, swap files, hibernation files, and all user files. It uses integrity checking early in the boot process to ensure the drive contents have not been altered and that the drive is in the original computer. For hardware failure (assuming the startup key is stored on the TPM), use the recovery key to unlock the disk on another system.
Which of the following are denial of service attacks?
Fraggle & Smurf
Which of the following will enter random data to the inputs of an application?
Fuzzing
Which of the following are characteristics of a rootkit
Hides itself from detection, requires administrator-level privileges for installation, resides below regular antivirus software detection, might not be malicious, often replaces operating system files with alternative versions that allow hidden access
Which of the following can be used to encrypt Web, e-mail, Telnet, file transfer, and SNMP traffic?
IPSec (Internet Protocol Security). It supports any traffic supported by the IP protocol.
Man-in-the-middle
IPSec is a good countermeasure (VPN).
Types of threat agent: Hacker
In general, a hacker is any threat agent who uses their technical knowledge to bypass security mechanisms to exploit a vulnerability to access information. Hacker subcategories include the following: • Script kiddies download and run attacks available on the Internet, but generally are not technically savvy enough to create their own attacking code or script. • Cybercriminals usually seek to exploit security vulnerabilities for some kind of financial reward or revenge. • Cyber terrorists generally use the Internet to carry out terrorist activities, such as disrupting network-dependent institutions.
CryptoHeaven
It provides secure Internet connections, secure instant messaging, secure mail, secure file sharing, secure online storage, etc. - 2048- to 4096-bit asymmetric and 256-bit symmetric key encryption with no third-party key holder.
Which of the following is NOT true concerning symmetric key cryptography?
Key management is easy when implemented on a large scale.
When a sender encrypts a message using their own private key, what security service is being provided to the recipient?
Non-repudiation
Service Set Identifiers (SSIDs)
On a wireless network, case-sensitive text strings that have a maximum length of 32 characters.
Key Management solution
Only a centralized key management solution provides a key escrow service that allows key recovery to occur
Non-repudiation
Proves that the sender sent a message.
IPsec
Provides authentication and encryption services for IP-based network traffic. - Uses IKE for key exchange.
Authentication Header (AH)
Provides message integrity through authentication, verifying that data are received unaltered from the trusted destination. AH provides no privacy and is often combined with ESP to achieve integrity and confidentiality.
RAID 3 (disk striping with a parity disk)
RAID 3 arrays implement fault tolerance by using striping (RAID 0) in conjunction with a separate disk that stores parity information.
Which of the following protocols are most likely used with digital signatures? (Select two)
RSA & ECC. Digital signatures use asymmetric encryption; RSA and ECC are asymmetric.
Replication
Replication is the process of copying changes to Active Directory between the domain controllers.
802.1x
Requires an authentication server for validating user credentials (typically RADIUS). Used on a LAN for port authentication on switches and for authentication to wireless access points.
Strong
Requires two or more methods, but they can be of the same type.
Common symmetric encryption methods
Rivest Cipher (RC), International Data Encryption Algorithm (IDEA), Carlisle Adams Stafford Tavares (CAST), Twofish, Blowfish, Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES)
Spanning tree protocol
Run to prevent switching loops; ensures only a single active path between any two switches.
What are two hashing protocols
SHA1 & MD5
Protocols that are used with Asymmetric Encryption
SSL/TLS, IPSEC, VPNs (PPTP, L2TP, SSTP), S/MIME and PGP for email security, SSH tunnels
Fraggle
Same as smurf but uses UDP packets directed to port 7 echo and port 19 character generation.
Digital envelope
Secure data transmission that uses asymmetric encryption to protect the message from hackers.
A receiver wants to verify the integrity of a message received from a sender. A hashing value is contained within the digital signature of the sender. What must the receiver use to access the hashing value to verify the integrity of the transmission?
Sender's public key
Salami
Small amounts of info, data, or valuables are taken over time. The result is to construct or obtain data or property of great value.
Smurf
Spoofs the source address in ICMP packets and sends the ICMP packets to a bounce site. The bounce site then responds to thousands of messages the victim site didn't send.
Subnets
Subnets divide an IP network address into multiple network addresses. - Cannot be used to combine networks of different media types on the same subnet.
Dynamic Trunking Protocol (DTP)
Switches have the ability to automatically detect ports that are trunk ports, and to negotiate the trunking protocol used between devices.
What are two commonly used protocols for encrypting data?
TKIP( used with WPA wireless) & AES( used with WPA2 wireless)
Cryptosystem
The associated items of cryptography that are used as a unit to provide a single means of encryption and decryption
Key Space
The range of possible values that can be used to construct a key. Generally, the larger the key space, the stronger the encryption.
MD5
The weakest hashing algorithm. It produces a message digest of 128 bits. The larger the message digest, the more secure the hash. SHA-1 produces 160 bits.
The aspect of certificates that makes them a reliable and useful mechanism for proving the identity of a person, system, or service on the internet
Trusted third-party
Stream Cipher
Uses a sequence of bits known as a keystream, which is the key used for encryption. The encryption is performed on each bit within the stream in real time. - Symmetric encryption.
Online Certificate Status Protocol (OCSP)
Used by PKI to immediately verify whether a certificate is valid.
Elliptic Curve Cryptography (ECC)
Uses a finite set of values within an elliptic curve (algebraic set of numbers). Considered a more efficient method of encryption. - Asymmetric. - Can be used in key exchange.
Which of the following tools can you use on a Windows network to automatically distribute and install software and operating system patches on workstations?
WSUS & Group Policy
Windows Software Update Service
WSUS is a patch management tool that allows clients on a network to download software updates from an internal WSUS server within their organization.
RC5
a block cipher algorithm with a variable block size (32, 64, or 128 bits), key size (0 to 2040 bits), and number of rounds (0 to 255). 12-round RC5 (with 64-bit blocks) can be easily cracked by using a differential attack with 2^44 chosen plaintexts. Hence, 18-20 rounds of RC5 are suggested as sufficient protection.
Symmetric key encryption
a form of cryptography that provides confidentiality with a weak form of authentication or integrity (one key to encrypt/decrypt data). - Best suited for bulk encryption because it is fast. - Use when encryption is needed to protect the contents of a message. - Key management is difficult on a large scale.
Cipher text
a message in a form that makes it unreadable to all but those for whom the message was intended
3DES
an acceptable form of DES; applies encryption three times.
Rule-Based Access
access control uses characteristics of objects or subjects, along with rules, to restrict access. AKA label-based management
Bluebugging
access to all mobile phone commands that use Bluetooth technology, such as initiating phone calls, sending and receiving messages, eavesdropping, and reading and writing phone book contacts.
Phreaking
act of attacking phone systems.
Bluejacking
act of sending unsolicited messages over Bluetooth wireless links to other devices such as advertising, and spam.
Role-Based Access Control (RBAC)
allows access based on a role (job) in an organization, not on individual users. • MAC (Mandatory Access Control) uses classifications (AKA sensitivity labels or clearance levels), used with "need to know". • TBAC (Task-Based Access Control) uses work tasks.
Static NAT
allows external hosts to contact internal hosts.
Internet Control Message Protocol (ICMP)
allows hosts to exchange messages to indicate the status of a packet as it travels through the network.
Dynamic NAT
allows internal (private) hosts to contact external (public) hosts, but not vice versa.
crossover error rate
also called the equal error rate, is the point where the number of false positives matches the number of false negatives in a biometric system. A lower crossover error rate is better.
Blowfish & Twofish
alternatives to DES, but AES is the designated replacement to DES
member servers
are servers in the domain which do not have the Active Directory database.
Discretionary Access Control (DAC)
assigns access directly to subjects based on the discretion (or decision) of the owner.
distributed denial-of-service (DDoS)
attack aims a number of compromised hosts at a single target.
Command injection
attack injects and executes unwanted commands on the application. The commands are executed with the same privileges and environment as granted to the application.
A repudiation attack
attack on open SMTP relays in which the attacker accesses your e-mail server and sends spoofed e-mails to others making them appear as if they came from you.
Cross-site scripting (XSS)
attack that injects scripts into Web pages. When the user views the Web page, the malicious scripts run allowing the attacker to capture information or perform other actions.
drive-by download
attack where software or malware is downloaded and installed without explicit consent from the user, usually through social engineering or by exploiting a browser or operating system bug.
LAND attack
attacker floods the victim's system with packets that have forged headers. • The packets have the same source and destination address (the victim's). • As the victim's system continues to hold more and more packets in RAM, it is unable to process legitimate requests
AAA
authentication, authorization, and accounting
DNS reverse lookup
can be used to verify that a source email address exists before a message is transmitted.
local registration authority (LRA)
can establish an applicant's identity and verify that the applicant for a certificate is valid. The LRA sends verification to the CA that issues the certificate.
Mysqlimport
a client program of the MySQL distribution. It is used to load data files into tables.
Service pack
collection of patches, hotfixes and other system enhancements that have been tested by the manufacturer for wide deployment
All-in-one security appliances
combine many security functions into a single device. Security functions include: • Spam filter • URL filter • Web content filter • Malware inspection • Intrusion detection system
Hybrid Cryptography
combines symmetric and asymmetric systems (symmetric processes large amounts of data fast; asymmetric can securely distribute keys).
RAID 1+0
combines disk mirroring (1) and disk striping (0). Multiple disks are configured into two mirrored arrays, which are then striped across the other set.
• Provide fault tolerance.
• Data is available if one or more disks in a single set fails.
• Data is available even if two disks in different sets fail.
• Provide an increase in performance.
• Require an even number of disks, with a minimum of four disks.
• Have a 50% overhead.
• Are the fastest, most fault tolerant, and most expensive arrays.
RAID 1+0 performs better and provides more fault tolerance than RAID 0+1 arrays.
Christmas (Xmas) Tree
conducts reconnaissance by scanning for open ports, and it also conducts a DoS attack if sent in large amounts.
CIA
confidentiality, integrity, and availability
Network Access Control (NAC)
controls access to the network by not allowing computers to access network resources unless they meet certain predefined security requirements.
• A client that is determined by the NAC agent to be healthy is given access to the network. Predefined requirements include:
- Anti-virus software with up-to-date definition files.
- An active personal firewall.
- Specific operating system critical updates and patches.
Port spanning (AKA port mirroring)
copies the traffic from all ports to a single port and disallows bidirectional traffic on that port.
Switch
creates security segments on a LAN. A VLAN and a client connected to these switch ports can communicate with other designated VLANs. The primary tool to improve network efficiency.
Voice over IP (VoIP)
digital solution using an Internet connection to make phone calls. - voice data is digitized, converted into packets, and sent over an IP packet-switched network provided by the Internet Service Provider (ISP). - Uses (QoS)Quality of Service measures to ensure timely delivery of voice traffic.
Trojan horse
disguised as legitimate or desirable software • Cannot replicate itself • Does not need to be attached to a host file
RAID 0+1
disk striping (0) and disk mirroring (1). Multiple disks are striped, creating a single volume.
• Provide fault tolerance.
• Data is available if one or more disks in a single set fails.
• Data is lost if two disks in different mirrored sets fail.
• Provide an increase in performance.
• Require an even number of disks, with a minimum of four disks.
Objects
each resource is identified as an object. Common objects include:
• Users
• Groups
• Computers
• Printers
• Shared folders
Each object contains additional information about the shared resource that can be used for locating and securing resources. The schema identifies the object classes (the types of objects) that exist in the tree and the attributes (properties) of the object.
Hashed Keyed Message Authentication Code (HMAC)
embeds a symmetric key into a message before the message is hashed. When received, the recipient's symmetric key is added back into the message before hashing the message.
Encrypting file system (EFS)
encrypts files and folders stored on NTFS partitions (asymmetric encryption )
Information security
explicitly focuses on protecting data resources from malware attacks or simple mistakes by people within an organization by the use of Data Loss Prevention (DLP) techniques.
Client-side attack
exploits vulnerabilities in client applications that interact with a malicious server. A typical example of a client-side attack is a malicious web page targeting a specific browser vulnerability that would give the malicious server complete control of the client system. JavaScript is an example of client-side scripting.
Extensible Authentication Protocol (EAP)
for remote access. - Allows various authentication methods, including smart cards, biometrics and digital certificates.
MySQL Federated storage engine
a storage engine for the MySQL relational database management system which allows a user to create a table that is a local representation of a foreign (remote) table.
host-based firewall
inspects traffic received by a host. Uses filtering rules, sometimes called access control lists (ACLs), to identify allowed and blocked traffic.
birthday attack
is a brute force attack in which the attacker hashes messages until one with the same hash is found.
forest
is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS namespaces.
Certificate Practice Statement (CPS)
is a declaration of the security that the organization is implementing for all certificates issued by the CA holding the CPS.
tree
is a group of related domains that share the same contiguous DNS namespace.
Hotfix
is a quick fix for a problem, and normally not installed unless you have the specific problem it is intended to fix.
domain controller
is a server that holds a copy of the Active Directory database that can be written to.
Group Policy(policy)
is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values. • GPOs apply to objects when they are linked to containers and configured with specific settings. • GPOs can be linked to Active Directory domains or organizational units (OUs). Built-in containers (such as the Computers container) cannot have GPOs linked to them. • A GPO only affects the users and computers beneath the object to which the GPO is linked. • A local GPO is stored on a local machine. It can be used to define settings even if the computer is not connected to a network. • A specific setting in a GPO can be: • Undefined, meaning that the GPO has no value for that setting and does not change the current setting. • Defined, meaning that the GPO identifies a new value to enforce. • GPOs are applied in the following order: 1. The Local Group Policy on the computer 2. GPOs linked to the domain that contains the User or Computer object 3. GPOs linked to the organizational unit(s) that contain(s) the User or Computer object (from the highest-level OU to the lowest-level OU). • Individual settings within all GPOs are combined to form the effective Group Policy setting as follows: • If a setting is defined in one GPO and undefined in another, the setting will be enforced (regardless of the position of the GPO in the application order). • If a setting is configured in two GPOs, the setting in the last-applied GPO will be used.
Public-Key Cryptography Standards (PKCS)
is a set of voluntary standards for public-key cryptography. This set of standards is coordinated by RSA.
Phishing
is an e-mail pretending to be from a trusted organization, asking to verify personal information or send money.
security principal
is an object that can be given permissions to an object: users, groups, and computers. Each security principal is given a unique identification number called a SID (security ID). • When a security principal logs on, an access token is generated. The access token is used for controlling access to resources and contains the user or computer, its groups, and its rights.
Organizational Unit (OU)
is like a folder that subdivides and organizes network resources within a domain. An organizational unit: • Is a container object • Can hold other organizational units • Can hold objects such as users and computers • Can be used to logically organize network resources • Simplifies security administration
Collision
is the term used to describe a situation in which two different messages produce the same hash value. This is an indication that a stronger hashing algorithm should be used.
Magic Lantern
keystroke logging software used to capture encryption keys and other information useful for deciphering transmissions. It can be delivered through e-mail to the victim's computer.
Spoofing
makes a transmission appear to have come from an authentic source by forging the IP address, email address, caller ID, etc.
circuit-level proxy or gateway (stateful inspection firewall)
makes decisions about which traffic to allow based on virtual circuits or sessions. • Operates at the Session layer. • The firewall is considered stateful because it keeps track of the state of a session. • Keeps track of known connections and sessions in a session table (also referred to as a state table). • A stateful inspection firewall can be faster after the initial session table has been created.
application level firewall (application level gateway or proxy server)
makes security decisions based on information contained within the data portion of a packet. • Examines the entire content (not just individual packets). • Can filter based on user, group, and data such as URLs within an HTTP request.
Simple Network Management Protocol (SNMP)
used for managing complex networks (castle rock from TDC). SNMPv3 adds: authentication for agents and managers, encryption, and message integrity to ensure messages are not altered in transit.
Teardrop attack
manipulates the UDP fragment number and location. • When the victim system rebuilds the packets, an invalid UDP packet is created, causing the system to crash or reboot.
cross-certification or bridge model
model is used when one organization with a CA structure needs to trust certificates from another organization that has its own CA structure. • A root-to-root configuration allows clients in one organization to trust any certificate issued by the other organization's CAs, and vice versa. • A mesh configuration provides trust paths that can be configured for more restrictive certificate validation.
Clark-Wilson model
data must be accessed through applications that have predefined capabilities. Prevents modification, fraud and errors, but not spam.
DNS poisoning
occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses.
DLL injection
occurs when a program is forced to load a dynamic-link library (DLL). This DLL then executes under the security context of the running application, and executes malicious code included with the injected DLL.
SQL injection
occurs when an attacker includes database commands within user data input fields on a form, and those commands subsequently execute on the server. The injection attack succeeds if the server does not properly validate the input to restrict entry of characters that could end and begin a database command.
buffer overflow
occurs when the operating system or an application does not properly enforce boundaries for how much and what type of data can be input. Hackers submit data beyond the size reserved for the data in the memory buffer, and the extra data overwrites adjacent memory locations. The extra data sent by the attacker could include executable code that might then be able to execute in privileged mode.
Serial Line Interface Protocol (SLIP)
older remote access standard commonly used by UNIX remote access servers.
TrueCrypt
open source disk encryption tool. Encryption: AES-256, Serpent, Twofish.
working with a suspect drive
copying with the operating system is not forensically valid (it will not capture deleted or hidden files, and still-running processes could compromise data). An offline bit-stream copy is required.
ARP spoofing/poisoning
poisoning associates the attacker's MAC address with the IP address of victim devices. • The source device sends frames to the attacker's MAC address instead of the correct device.
Steganography
process of hiding one message in various forms of data (electronic watermarking)
Header manipulation
process of including unvalidated data in an HTTP response header. Header manipulation is the method used by threat agents to conduct additional exploits.
The Wireless Transaction Protocol (WTP)
provides services similar to TCP and UDP for WAP
Patch
quick fix, but generally more tested by the manufacturer and designed for a wider deployment.
Masquerading
refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access.
Point-to-Point Protocol (PPP)
remote access protocol commonly used to connect to the Internet. It supports compression and encryption and can be used to connect to a variety of networks. It can connect to a network running on the IPX, TCP/IP, or NetBEUI protocol. It supports multi-protocol and dynamic IP assignments. It is the default protocol for the Microsoft Dial-Up adapter.
virus
requires a replication mechanism which is a file that it uses as a host. • The virus only replicates when an activation mechanism is triggered.
Type 1 Something you know authentication
requires you to provide a password or some other data that you know. This is the weakest type of authentication. Examples are: • Passwords, codes, or IDs • PINs • Pass phrases (long, sentence-length passwords) • Cognitive information such as questions that only the user can answer. Note: Usernames are not a form of Type 1 authentication.
Certificate Revocation List (CRL)
resides at the CA and consists of a list of certificates that have been previously revoked. This list can be accessed by the client to verify the validity of a digital certificate.
Network Address Translation (NAT) (private)
a router translates multiple private IP addresses into one registered IP address. Private ranges: • 10.0.0.0 to 10.255.255.255 • 172.16.0.0 to 172.31.255.255 • 192.168.0.0 to 192.168.255.255
rootkit
set of programs that allows attackers to maintain permanent, administrator-level, hidden access to a computer. • Is almost invisible software. • Resides below regular antivirus software detection.
Private Branch Exchange (PBX)
telephone exchange that serves a private organization and connects the organization to the PSTN. Threats include the 2600 club, which refers to emitting a 2066 kHz frequency that authorizes long-distance calls without payment.
X.509
the official standard that identifies the format for public key certificates and certification path validation.
Hypervisor
thin layer of software that resides between the guest operating system(s) and the hardware. A hypervisor allows virtual machines to interact with the hardware without going through the host operating system.
PGP (Pretty Good Privacy)
to encrypt internet phone calls
Bluesnarfing
unauthorized access to view the calendar, e-mails, text messages, and contact lists.
System Access List (SACL)
used by Microsoft for auditing to identify past actions performed by users on an object.
Hashing algorithms
used to create a message digest (hash then send; the receiver hashes and compares) to ensure that data integrity is maintained.
generic containers
used to organize Active Directory objects. Generic container objects: • Are created by default • Cannot be moved, renamed, or deleted • Have very few properties you can edit You cannot create generic containers. Use OUs instead.
Internet Key Exchange (IKE)
used with IPsec to create a security association between communicating partners.
Access Control List (ACL)
lists users with specific security assignments to an object. Used in most client-server environments. Filters traffic based on the IP header info, protocol, or socket numbers.
TLS
uses Diffie-Hellman or RSA to exchange session keys
LDAP injection
uses LDAP statements with arbitrary commands to exploit web-based applications with access to a directory service
SFTP
uses SSH for security
FTPS
uses SSL/TLS for security (requires a server certificate)
Type 3 Something you are authentication
uses a biometric system. This is the most expensive and least accepted, but is generally considered to be the most secure form of authentication. Authentication must meet the following criteria: • Universality • Uniqueness • Permanence • Collectability • Performance • Circumvention (substitutes) Most biometric systems require implementation of a PKI system.
Quantum Cryptography
uses a series of photons to encrypt and send messages. If the receiver knows the sequence and polarity of the photons, the message can be decoded.
XML injection
uses malicious content and/or structures in an XML message to alter the intended logic of the application.
RSA
uses multiplication of large prime numbers. Asymmetric.
Stunnel
wrapper that allows a network administrator to encrypt an arbitrary TCP connection inside the Secure Socket Layer (SSL) protocol
PKI hierarchy
• A root CA is the first CA in the hierarchy and the first CA you set up. The root CA has a self-signed certificate, and is often offline to protect the CA from compromise. • A subordinate CA is a CA authorized by the root CA to issue certificates to other CAs, users, or computers. • PKI depends on asymmetric cryptography. • Public keys are found in a browser's trusted root, while the private key is used to encrypt.
Backup - Daily
• Backs up all files modified that day regardless of the archive bit status. • Resets the Archive Bit? No
Backup - Full
• Backs up all files regardless of the archive bit and will reset the archive bit. • Requires large tapes for each backup. • Takes a long time to perform each backup. • To restore, restore only the last backup. This is the fastest restore method.
Backup - Copy
• Backs up all files regardless of the archive bit status and will not reset the archive bit.
Backup - Incremental
• Backs up files on which the archive bit is set. This will back up only the data changed since the last full or incremental backup and will reset the archive bit. • To restore, restore the full backup and every subsequent incremental backup.
Backup - Differential
• Backs up files on which the archive bit is set. This will back up only the data changed since the last full backup and will not reset the archive bit. • To restore, restore the last full backup and the last differential backup. • Next to a full backup, this is the fastest restore method.
RADIUS
• Combines authentication and authorization using policies to grant access. • Centralized remote access authentication protocol. • Uses UDP. • When configuring, configure a single server as a RADIUS server and all remote access servers as RADIUS clients. • RADIUS encrypts only the password.
Mandatory Access Control (MAC)
• Controls based on rules rather than identity. • Uses labels for both subjects (i.e., users who need access) and objects (i.e., resources with controlled access, such as data, applications, systems, networks, and physical space).
RAID 0 (striping)
• Does not provide fault tolerance. A failure of one disk in the set means all data is lost. • Requires a minimum of two disks. • Fastest of all RAID types.
Layer 2 Forwarding (L2F)
• Operates at the Data Link layer (layer 2). • Offers mutual authentication. • Does NOT encrypt data. • Merged with PPTP to create L2TP
RAID 1 (mirroring)
• Provide fault tolerance. • Do not increase performance. • Require two disks. • Have a 50% overhead. Data is written twice, meaning that half of the disk space is used to store the second copy of the data. • RAID 1 is the most expensive fault tolerant system.
RAID 5 (striping with distributed parity)
• Provide fault tolerance. • Provide an increase in performance. • Do not provide fault tolerance if two or more disks fail. • Require a minimum of three disks.
Clustering
• Several grouped computers that increase the availability of applications and services. • Clustered by a shared IP (clients are directed to the shared IP). • Periodic heartbeat signals maintain contact. • Convergence: cluster members are aware of all other members.
Grandfather Father Son (GFS)
• Son (daily). Son backups are rotated daily. • Father (weekly). Father backups are rotated weekly. One daily backup each week becomes a Father backup. • Grandfather (monthly). One weekly backup each month becomes a Grandfather backup.
Backup - Image
• Takes a bit-level copy of a disk or partition. Individual files are not examined, so all data is copied regardless of the archive bit. • Resets the Archive Bit? No
SYN flood
• The attacker floods a victim site with SYN packets. • The victim responds to each SYN packet with a SYN ACK packet. • The attacker does not respond with the last portion of the handshake (an ACK packet), leaving the victim waiting for a response.
Ping of death (long ICMP attack)
• The attacker sends one very large ICMP packet (larger than 65,536 bytes) directly to the victim.
dual key pairs
• The private key used for digital signatures is kept completely private. Only the user has access to this key and the key is never archived. • The private key used for encryption is archived so that encrypted documents can be recovered if the private key is lost.
Layer Two Tunneling Protocol (L2TP)
• Used for connecting LANs (VPN). • Operates at the Data Link layer (layer 2). • Supports multiple protocols (not just IP). • Uses IPSec for encryption. Combining L2TP with IPSec (called L2TP/IPSec) provides: per-packet data origin authentication (non-repudiation), replay protection, and data confidentiality. • Is not supported by older operating systems.
Point-to-Point Tunneling Protocol (PPTP)
• Uses standard authentication protocols, such as Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP). • Supports TCP/IP only. • Encapsulates other LAN protocols and carries the data securely over an IP network. • Uses Microsoft's MPPE for data encryption.
packet filtering firewall
• Makes decisions about which network traffic to allow by examining information in the IP packet header such as source and destination addresses, ports, and service protocols. • Uses access control lists (ACLs) or filter rules to control traffic. • Considered a stateless firewall because it examines each packet and uses rules to accept or reject each packet without considering whether the packet is part of a valid and active session.
TACACS+
• Provides three protocols, one each for authentication, authorization, and accounting. This allows each service to be provided by a different server. • Centralized remote access authentication protocol. • Uses TCP. • Encrypts the entire packet contents, not just authentication packets. • Supports more protocol suites than RADIUS.
Round Robin
• Round robin uses a full backup on one day with incremental/differential backups on subsequent days. • When all the tapes have been used for backup, you start over with the tape with the oldest data. Round robin is probably the simplest of backup rotation schemes.