Comptia Sec+ - MIS 379 - Lessons 6-10 (Exam 2)
Certificate Signing Request (CSR)
A Base64 ASCII file that a subject sends to a CA to get a certificate.
sinkhole
A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.
SYN flood attack
A DoS attack where the attacker sends numerous SYN requests to a target server, hoping to consume enough resources to prevent the transfer of legitimate traffic.
packet filtering
A Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept.
application-aware firewall
A Layer 7 firewall technology that inspects packets at the Application layer of the OSI model.
authenticators
A PNAC switch or router that activates EAPoL and passes a supplicant's authentication data to an authenticating server, such as a RADIUS server.
NT LAN Manager (NTLM)
A challenge-response authentication protocol created by Microsoft for use in its products.
Service Set Identifier (SSID)
A character string that identifies a particular wireless LAN (WLAN).
Key Distribution Center (KDC)
A component of the Kerberos system for authentication that manages the secure distribution of keys.
DHCP snooping
A configuration option that enables a switch to inspect DHCP traffic to prevent MAC spoofing.
Pinning
A deprecated method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.
wireless controllers
A device that provides wireless LAN management for multiple APs.
server certificate
A digital certificate that guarantees the identity of e-commerce sites and other websites that gather and store confidential information.
self-signed certificate
A digital certificate that has been signed by the entity that issued it, rather than by a CA.
Routing Information Protocol (RIP)
A distance vector-based routing protocol that uses a hop count to determine the distance to the destination network.
certificate policies
A document that defines the different types of certificates issued by a CA.
screened host
A dual-homed proxy/gateway server used to provide Internet access to other network nodes, while protecting them from external attack.
Wi-Fi Protected Setup (WPS)
A feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN.
caching engines
A feature of many proxy servers that enables the servers to retain a copy of frequently requested web pages.
Web Application Firewall (WAF)
A firewall specifically designed to protect a web application, such as a web server. A WAF inspects the contents of traffic to a web server and can detect malicious content, such as code used in a cross-scripting attack, and block it.
Man-in-the-middle (MITM) attack
A form of eavesdropping that intercepts all data between a client and a server, relaying that information back and forth.
Network Access Control (NAC)
A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.
regular expression (regex)
A group of characters that describe how to execute a specific search pattern on a given text.
Test Access Point (TAP)
A hardware device inserted into a cable to copy frames for analysis.
router firewall
A hardware device that has the primary function of a router, but also has firewall functionality embedded into the router firmware.
service account
A host or network account that is designed to run a background service, rather than to log on interactively.
Open Shortest Path First (OSPF)
A link-state routing protocol used on IP networks.
clustering
A load balancing technique where a group of servers are configured as a unit and work together to provide network services.
Pluggable Authentication Modules (PAM)
A mechanism used in Linux systems to integrate low-level authentication methods into an API.
Temporal Key Integrity Protocol (TKIP)
A mechanism used in the first version of WPA to improve the security of wireless encryption mechanisms, compared to the flawed WEP standard.
packet crafting
A method of manually generating packets (instead of modifying existing network traffic) to test the behavior of network devices, enabling a hacker to enumerate firewall or intrusion detection rules that are in place.
certificate chaining
A method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. Also referred to as chain of trust.
listener/collector
A network appliance that gathers or receives log and/or state data from other network systems.
behavioral-based detection
A network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences.
signature based detection
A network monitoring system that uses a predefined set of rules provided by a software vendor or security personnel to identify events that are unacceptable.
ARP poisoning
A network-based attack where an attacker with access to the target network redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and MitM.
amplification attack
A network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor.
one-time password
A password that is generated for use in one specific session and becomes invalid after the session ends.
Border Gateway Protocol (BGP)
A path vector routing protocol used by ISPs to establish routing between one another.
extranet
A private network that provides some access to outside parties, particularly vendors, partners, and select customers.
federation
A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.
session affinity
A scheduling approach used by load balancers to route traffic to devices that have already established connections with the client in question. Also known as source IP affinity.
Identity and Access Management (IAM)
A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.
proxy server
A server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance. Also known as forward proxy.
non-transparent proxy
A server that redirects requests and responses for clients configured with the proxy address and port.
transparent proxy
A server that redirects requests and responses without the client being explicitly configured to use it. Also referred to as a forced or intercepting proxy.
bastion hosts
A server typically found in a DMZ that is configured to provide a single service to reduce the possibility of compromise.
account policies
A set of rules governing user security information, such as password expiration and uniqueness, which can be set globally.
Intrusion Detection System (IDS)
A software and/ or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.
content filter
A software application or gateway that filters client requests for various types of internet content (web, FTP, IM, and so on).
host-based firewall
A software application running on a single host and designed to protect only that host. Also known as personal firewall.
Security Information and Event Management (SIEM)
A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.
appliance firewall
A standalone hardware device that performs only the function of a firewall, which is embedded into the appliance's firmware.
port-based network access control (PNAC)
A switch (or router) that performs some sort of authentication of the attached device before activating the port.
spanning tree protocol
A switching protocol that prevents network loops by dynamically disabling links as needed.
Network-based IDS (NIDS)
A system that uses passive hardware sensors to monitor traffic on a specific segment of the network.
failover
A technique that ensures a redundant component, device, or application can quickly and efficiently take over the functionality of an asset that has failed.
stateful inspection
A technique used in firewalls to analyze packets down to the application layer rather than filtering packets only by header information, enabling the firewall to enforce tighter and more security.
host-based IDS
A type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system's state
Stateless
A type of firewall that does not preserve information about the connection between two hosts. Often used to describe packet-filtering firewalls.
dictionary attack
A type of password attack that compares encrypted passwords against a predetermined list of possible password values.
brute-force attack
A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to try to crack encrypted passwords.
reverse proxy
A type of proxy server that protects servers from direct contact with client requests.
File Integrity Monitoring
A type of software that reviews system files to ensure that they have not been tampered with.
load balancer
A type of switch or router that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.
Jitter
A variation in the time it takes for a signal to reach the recipient. Jitter manifests itself as an inconsistent rate of packet delivery. If packet loss or delay is excessive, then noticeable audio or video problems (artifacts) are experienced by users.
MAC flooding
A variation of an ARP poisoning attack where a switch's cache table is inundated with frames from random source MAC addresses.
captive portal
A web page or website to which a client is redirected before being granted full network access.
evil twin
A wireless access point that deceives users into believing that it is a legitimate network access point.
IV attacks
A wireless attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone else except the user or network.
Discretionary Access Control (DAC)
Access control method in which access rights are configured at the discretion of accounts with authority over each resource, including the capability to extend administrative rights through the same mechanism.
Mandatory Access Control (MAC)
Access control model where resources are protected by inflexible, system defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).
Unified Threat Management (UTM)
All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.
Online Certificate Status Protocol (OCSP)
Allows clients to request the status of a digital certificate, to check whether it is revoked.
Terminal Access Controller Access-Control System Plus (TACACS+)
An AAA protocol developed by cisco that is often used to authenticate administrator accounts for network appliance management
EAP-Tunneled TLS (EAP-TTLS)
An EAP method that enables a client and server to establish a secure connection without mandating a client-side certificate.
EAP-TLS
An EAP method that requires server-side and client-side certificates for authentication using SSL/ TLS.
Intrusion Prevention System (IPS)
An IDS that can actively block attacks.
Simple Object Access Protocol (SOAP)
An XML-based web services protocol that is used to exchange messages.
Attribute-based access control (ABAC)
An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
HMAC-based one-time password (HOTP)
An algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message.
hardware security module
An appliance for generating and storing cryptographic keys that is less susceptible to tampering and insider threats than software-based storage
Secure Web Gateway (SWG)
An appliance or proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed.
MAC cloning
An attack in which an attacker falsifies the factory-assigned MAC address of a device's network interface
jamming
An attack in which radio waves disrupt 802.11 wireless signals.
hybrid password attack
An attack that utilizes multiple attack methods including dictionary, rainbow table, and brute force attack methodologies when trying to crack a password.
Open ID Connect (OIDC)
An authentication layer that sits on top of the OAuth 2.0 authorization protocol.
multifactor authentication
An authentication process that requires the client to provide two or more pieces of information, from something you know, something you have something you are, and somewhere you are. Specifying two factors is known as 2FA
single sign-on
An authentication technology that enables a user to authenticate once and receive authorizations for multiple services.
Time-based One-time Password Algorithm (TOTP)
An improvement on HOTP that forces one-time passwords to expire after a short period of time.
Initiative for Open Authentication (OATH)
An industry body comprising the main PKI providers, such as Verisign and Entrust, that was established with the aim of developing an open, strong authentication framework.
snort
An open source NIDS. A subscription ("oinkcode") is required to obtain up to date rulesets, which allows the detection engine to identify the very latest threats. Non-subscribers can obtain community-authored rulesets.
MAC filtering
Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.
network monitor
Auditing software that collects status and configuration information from network devices. Many products are based on the Simple Network Management Protocol (SNMP).
Challenge Handshake Authentication Protocol (CHAP)
Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks.
Privacy Enhanced Mail (PEM)
BAse64 encoding scheme used to store certificate and key data as ASCII text
False Acceptance Rate (FAR)
Biometric assessment metric that measures the number of unauthorized users who are mistakenly allowed access.
False Rejection Rate (FRR)
Biometric assessment metric that measures the number of valid subjects who are denied access.
Crossover Error Rate (CER)
Biometric evaluation factor expressing the point at which FAR and FRR meet, with a low value indicating better performance.
password spraying
Brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
hashcat
Command-line tool used to perform brute force and dictionary attacks against password hashes.
SPAN (switched port analyzer)/mirror port
Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch.
east-west traffic
Design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out (north-south).
sentiment analysis
Devising an AI/ML algorithm that can describe or classify the intention expressed in natural language statements.
Protected Extensible Authentication Protocol (PEAP)
EAP implementation that uses a server-side certificate to create a secure tunnel for user authentication, referred to as the inner method
Subject Alternative Name (SAN)
Field in a digital certificate allowing a host to be identified by multiple host names/subdomains.
Extensible Authentication Protocol (EAP)
Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.
Enhanced Interior Gateway Routing Protocol (EIGRP)
IGRP is a distance vector-based routing protocol using a metric composed of several administrator weighted elements including reliability, bandwidth, delay, and load. E(nhanced)IGRP, the version now in use, supports classless addressing and more efficient route selection.
supplicant
In EAP architecture, the device requesting access to the network.
Ticket-Granting Ticket (TGT)
In Kerberos, a token issued to an authenticated account to allow access to authorized application servers.
offline CA
In PKI, a CA (typically the root CA) that has been disconnected from the network to protect it from compromise.
online CA
In PKI, a CA that is available to accept and process certificate signing requests, publish certificate revocation lists, and perform other certificate management tasks.
root certificate
In PKI, a CA that issues certificates to intermediate CAs in a hierarchical structure.
recovery agent
In PKI, an account or combination of accounts that can copy a cryptographic key from backup or escrow and restore it to a subject host or user.
heat map
In a Wi-Fi site survey, a diagram showing signal strength at different locations.
state table
Information about sessions between hosts that is gathered by a stateful firewall.
Port Address Translation (PAT)
Maps private host IP addresses onto a single public IP address. Each host is tracked by assigning it a random high TCP port for communications.
stapling
Mechanism used to mitigate performance and privacy issues when requesting certificate status from an OCSP responder.
AES Galois Counter Mode Protocol (GCMP)
Mode of operation for AES that ensures authenticated encryption.
Destination NAT or port forwarding
NAT service where private internal addresses are mapped to one or more more public addresses to facilitate Internet connectivity for hosts on a local network via a router
Password Authentication Protocol (PAP)
Obsolete authentication mechanism used with PPP. PAP transfers the password in plaintext and so is vulnerable to eavesdropping.
Pre-Shared Key (PSK)
Passphrase-based mechanism to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.
password crackers
Password guessing software can attempt to crack captured hashes of user credentials by running through all possible combinations (brute force). This can be made less computationally intensive by using a dictionary of standard words or phrases.
biometric authentication
Physical characteristics stored as a digital data template can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition.
tokens
Physical or virtual objects that store authentication information.
port security
Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.
code of conduct
Professional behavior depends on basic ethical standards, such as honesty and fairness. Some professions may have developed codes of ethics to cover difficult situations; some businesses may also have a code of ethics to communicate the values it expects its employees to practice. Also known as ethics.
zero trust
Security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed.
Public Key Cryptography Standards (PKCS)
Series of standards defining the use of certificate authorities and digital certificates.
application firewall
Software designed to run on a server to protect a particular application such as a web server or SQL server.
network operating system firewall
Software-based firewall running under a network server OS, such as Windows or Linux. Functions as a gateway or proxy for a network segment.
deauthentication
Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.
Wi-Fi Protected Access (WPA)
Standards for authenticating and encrypting access to Wi-Fi networks.
Quality of Service (QoS)
Systems that differentiate data passing over the network that can reserve bandwidth for particular applications. A system that cannot guarantee a level of available bandwidth is often described as Class of Service (CoS).
Network Time Protocol (NTP)
TCP/IP application protocol allowing machines to synchronize to the same time clock that runs over UDP port 123.
DiffServ
The Differentiated Services Code Point (DSCP) field is used to indicate a priority value for a layer 3 (IP) packet to facilitate Quality of Service (QoS) or Class of Service (CoS) scheduling.
Distinguished Encoding Rules (DER)
The binary format used to structure the information in a digital certificate.
code signing
The method of using a digital signature to ensure the source and integrity of programming code.
geofencing
The practice of creating a virtual boundary based on real-world geography.
posture assessment
The process for verifying compliance with a health policy by using host health checks.
authorization
The process of determining what rights and privileges a particular entity has.
MAC address table
The table on a switch keeping track of MAC addresses associated with each port. As the switch uses a type of memory called Content Addressable Memory (CAM), this is sometimes called the CAM table.
rainbow table
Tool for speeding up attacks against Windows passwords by precomputing possible hashes.
broadcast storms
Traffic that is recirculated and amplified by loops in a switching topology, causing network slowdowns and crashing switches.
operational technology
a communication network designed to implement an industrial control system rather than datra networking
smart-card authentication
a device similar to a credit card that can store authentication information, such as a user's private key, on an embedded microchip.
spectrum analyzer
a device that can assess the quality of the wireless signal - helps with identifying where interference is greatest
access points
a device that provides a connection between wireless devices and can connect to wired networks
digital certificate
a guarantee that a public key it has issued to an organization to encrypt messages sent to it genuinely belongs to that organization.
wires equivalent privacy
a legacy mechanism for encrypting data sent over a wireless connection
application interface api
a library of programming utilities used ,for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system
M of N
a means of limiting access to critical encryption keys such as the private key of a root CA. At least M of the total number N of authorized individuals must be present to access the key
authentication
a method of validating a particular entity's or individual's unique credentials
heuristics
a method that uses feature comparisons and likeness rather than specific signature matching to identify whether the target of observation is malicious
routers
a network device that links dissimilar networks and can support multiple alternate paths between location-based parameters such as speed, traffic loads, and price
switches
a networking device that receives incoming data, reviews the destination MAC address against an internal address table, and sends the data out through the port that contains the destination MAC address
Acceptable Use Policy
a policy that governs employee's use of company equipment and internet services. ISPs may also apply AUPs to their customers
segment
a portion of a network where all attached hosts can communicate freely with one another
Intranet
a private network that is only accessible by the organization's own personnel
network address translation
a routing mechanism that conceals internal addressing schemes from the public Internet by translating between a single public address on the external side of a router and private, non-routable addresses internally
authentication, authorization, and accounting
a security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail
Demilitarized Zone (DMZ)
a segment isolated from the rest of a private network by one or more firewalls that accapts connections from the internet over designated ports
Certificate Authority (CA)
a server that guarantees subject identities by issuing signed digital certificate wrappers for their public keys.
kerberos
a single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system
segregation
a situation where hosts on one network segment are prevented from or restricted in communicating with hosts on other segments
Remote Authentication Dial-In User Service (RADIUS)
a standard protocol used to manage remote and wireless authentication infrastructures
EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)
an EAP method that is expected to address the shortcomings of LEAP
common name
an X500 attribute expressing a host or user name, also used as the subject identifier for a digital certificate
security assertions markup language
an XML based data format used to exchange authentication information between a client and a service
Distributed Denial of Service (DDoS)
an attack that uses multiple compromised hosts (a botnet) to overwhelm a service with request or response traffic
Security Identifier (SID)
an entry in windows access control that is a unique number issued to the user for security
Denial of Service (DoS)
any type of physical, application, or network attack that affects the availability of a managed resource
Public Key Infrastructure (PKI)
framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
next generation firewall
host or network firewall capable of parsing application layer protocol headers and data so that sophisticated, content-sensitive ACLs can be developed
MS-CHAPv2 (Microsoft Challenge Authentication Protocol, version 2)
implementation of CHAP created created by Microsoft for use in its products.
Registration Authority (RA)
in PKI, an authority that accepts requests for digital certificates and authenticates the entities making those requests
identity provider
in a federal network, the service that holds the user account and performs authentication
persistence
in load balancing, the configuration option that enables a client to maintain a connection with a load-balanced server over the duration of the session. Also referred to as sticky sessions
zone
in networking infrastructure, an area of network where the security configuration is the same for all hosts within it. in physical security, an area separated by barriers that control entry and exit points
group policy objects
on a windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on
simultaneous exchange of equals
personal authentication mechanism for Wi-Fi networks introduced with WPA3 to address vulnerabilities in the WPA-PSK method
privileged access management
policies, procedures, and support software for managing accounts and credentials with administrative permissions
Open Authentication (OATH)
standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider
BPDU Guard
switch port security feature that disables the port if it receives BPDU notifications related to spanning tree. This is configured on access ports where there any BPDU frames are likely to be malicious
identification
the process by which a user account (and its credentials) is issued to the correct person. (Also referred to as enrollment)
Escrow
the storage of a backup key with a third party
latency
the time it takes for a signal to reach the recipient. A video application can support a latency of about 80 ms, while typical latency on the internet can reach 1000 ms at peak times. Latency is a particular problem for 2-way applications, such as VoIP (telephone) and online conferencing.
accounting
tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted
remotely triggered black hole
using a trigger device to send a BGP route update that instructs routers to drop traffic that is suspected of attempting DDos