Security+ Chapter 4

WPA Enterprise Mode

More secure than personal or PSK mode; provides strong authentication when an 802.1x RADIUS server is deployed

Network Access Control Methods (host health)

- up-to-date antivirus software
- up-to-date OS, current patches/fixes
- FW enabled on the client
- health agents installed
- can restrict access of unhealthy clients to a remediation network
- can use NAC for VPN clients and for internal clients

Antenna Types

- Omnidirectional
- Directional
- can limit the range of an AP to a room or building by reducing the AP's power level
- will prevent unwanted connections by limiting ranges

Wireless Cryptographic Protocol Timeline

- WPA replaced WEP
- WEP used TKIP
- WPA has stronger AES
- WPA2 replaced WPA and supports much stronger CCMP

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)

- most secure EAP standards
- requires certs on the 802.1x RADIUS server and each of the wireless clients

Kerberos Benefits

- protects against replay attacks by timestamping keys involved.
- protects against MOM by requiring authentication every time a service is requested. The TGS has a password as does every user (mutual authentication)

Guest Network Architecture

- usually just email/website browsing. No network resource access.
- basically just another access point on the same router

SYN flood attack

A DoS attack that uses IP spoofing to send a large number of packets requesting connections to the victim computer. These appear to be legitimate but in fact reference a client system that is unable to respond. Initiating a TCP connection

Software Defined Networking (SDN)

A broad and developing concept addressing the management of the various network components. The objective is to provide a control plane (logic to identify path) to manage network traffic on a more abstract level than through direct management of network components.
- separate data plane as well (logic to block or allow)
- commonly used with ABAC

IDS (Intrusion Detection System)

A dedicated device or software running on a workstation, server, or switch, which might be managed from another computer on the network, and is used to monitor network traffic and create alerts when suspicious activity happens within the network.
- sends a notification via passive data collection; considered out-of-band

Bluejacking

A method used by attackers to send out unwanted Bluetooth signals from PDAs, mobile phones, and laptops to other Bluetooth-enabled devices.

MAC filtering

A method used to filter out which computers can access the wireless network; the WAP does this by consulting a list of MAC addresses that have been previously entered.
- Attacker can use a sniffer to discover allowed MAC addresses and circumvent the denial rule, which makes it easy to spoof a MAC address

ad hoc network

A network created when two wireless devices connect to each other directly and securely.

HIDS (host-based intrusion detection system)

A passive IDS used to monitor an individual server or workstation. Protects local resources on the host such as the operating system files.

VPN concentrator

A single device that incorporates advanced encryption and authentication methods in order to handle a large number of VPN tunnels.
- usually a hardware device

IEEE 802.1x

A standard that authenticates users on a per-switch port basis by permitting access to valid users but effectively disabling the port if authentication fails.
- prevents rogue devices from establishing a connection
- used for wireless connection to a LAN or WAN via an EAP tunnel

NIDS (network-based intrusion detection system)

A type of intrusion detection that protects an entire network and is situated at the edge of the network or in a network's protective perimeter, known as the DMZ (demilitarized zone). Here, it can detect many types of suspicious traffic patterns. Usually on network devices like firewalls and routers. Unable to decrypt encrypted traffic (can only monitor plaintext).

Signature-based detection

Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures, vulnerabilities, and anomalies.

NIPS (network-based intrusion prevention system)

An IPS that monitors the network. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. Placed on the edge of the protected network (DMZ) to provide internal network protection.

Encapsulating Security Payload (ESP)

An IPSec component that provides the same services as AH but also provides confidentiality, authentication, and integrity when sending data over a VPN. Uses protocol number 50 and port 500

thin access point

An access point with limited functionality. (It does not provide authentication or encryption.) Managed by a wireless controller, which configures the AP.

IPS (Intrusion Prevention System)

An active, inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it. Also called a Network Intrusion Prevention System (NIPS).
- considered in-line with traffic (traffic passes through it), aka in-band

IV attack

An attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone else except for the user or network.

mutual authentication

An authentication scheme in which both computers verify the credentials of each other and do so multiple times throughout the connected session. Used by MS-CHAPv2 and Kerberos authentication schemes.

PAP (Password Authentication Protocol)

An older authentication protocol where passwords are sent across the network in clear text. Rarely used today.

Challenge Handshake Authentication Protocol (CHAP)

An older three-way authentication handshake that is accomplished during the initial authentication and may be repeated anytime after the link has been established.
- protects against replay attacks
- sends messages through an authenticated session

rogue access point

An unauthorized AP that allows an attacker to bypass many of the network security configurations and opens the network and its users to attacks.

SSL decryptors

Appliances that can decrypt SSL traffic and inspect it on the fly.
- can be placed with a NIPS
- can decrypt encrypted malware

RFID attacks

Attacks against radio-frequency identification (RFID) systems. Some common RFID attacks are eavesdropping, replay, and DoS.

EAP-FAST

Cisco-designed replacement for LEAP, which Cisco also designed. EAP-FAST supports certs, but they are optional.

Attribute order in a X.500 directory

Common Name (CN) - Org. Unit (OU) - Org. (O) - Country (C) - Domain component (DC)

Wifi jamming Attack

DoS attack that overloads channel

HOTP

HMAC-based One-Time Password (HOTP). An open standard used for creating one-time passwords, similar to those used in tokens or key fobs. It combines a secret key and an incrementing counter, and then uses HMAC to create a hash of the result. HOTP passwords do not expire until they are used. Susceptible to device sync errors and interception

Fat Access Point

Intelligent wireless access point that provides everything needed to manage wireless clients. Need to be configured individually.

Challenge Handshake Authentication Protocol (CHAP)

Like PAP, CHAP performs one-way authentication. However, authentication is performed through a three-way handshake (challenge, response, and acceptance messages) between a server and a client. The three-way handshake allows a client to be authenticated without sending credential information across a network.

Honeypots/honeynets

Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy malicious or unauthorized intruders, as a means of delaying their attempts to access production data/assets. A number of machines of this kind, linked together as a network or subnet, are referred to as a "honeynet."
- often placed in the DMZ

IPSec tunnel mode

One of two modes for IPSec. Encrypts the entire IP packet used in the internal network and is the mode used with VPNs over the Internet.
- an intercepted packet will reveal the source IP and destination address of the VPN server, but the internal IP address remains hidden

Something you know

Password or PIN - saying a passphrase

PEAP (protected EAP)

Protected Extensible Authentication Protocol. PEAP provides an extra layer of protection for EAP. PEAP-TLS uses TLS to encrypt the authentication process by encapsulating and encrypting the EAP conversation in a Transport Layer Security (TLS) tunnel. Since TLS requires a certificate on the server but not clients, PEAP-TLS requires a certification authority (CA) to issue certificates.

Diameter

RADIUS extension and improvement with additional capabilities, including securing transmissions with EAP

WPS attack (wifi protected setup)

Security exploit in which a WPS PIN is discovered by means of a brute force attack, giving the attacker access to the network's WPA2 key. The PIN feature in WPS should be disabled if possible.

Bluebugging

Taking control of a phone to make calls, send text messages, listen to calls, or read text messages.

Crossover Error Rate (CER)

The point at which FRR equals FAR. Expressed as a percentage, this is the most important metric.

Bluesnarfing

The unauthorized access of information from a wireless device through a Bluetooth connection.

Service Set Identifier (SSID)

The user-supplied network name of a WLAN; it can generally be alphanumeric from 2 to 32 characters. Best practice is to change the name from the default. Disabling can hide the network from casual users, but an attacker can easily discover it with a sniffer.

What Protocols prevent wireless replay attacks?

WPA2 and CCMP

LM (LAN Manager) hash

a legacy format for storing Windows passwords that is considered very weak. Replaced by NTLM and NTLMv2

Permanent agent

are installed on devices/clients for host health purposes

Dissolvable agent (agentless)

are not installed on clients and are downloaded. Some remove themselves immediately after they report back to the NAC or after the session ends.
- often used to inspect employee-owned mobile devices

false negative

attack is occurring but system does not detect it

OAuth2.0

Authorization, not authentication. Facilitates a transfer of info of functionality between websites. Authorization is delegated to the OAuth provider, not the consumer or user.

WPA-open mode

doesn't use any security, no password

Wireless Access Point

enables devices to connect to a wireless network to communicate with each other like a router.
- all wireless routers are APs but not all APs are wireless

Full Tunneling

encrypts all traffic after a user has connected to a VPN

TLS/SSL Accelerator

hardware that provides TLS encryption for common protocols like HTTPS
- frees up resources like CPU and RAM
- place close to related devices

false positive

incorrectly indicating an attack is occurring when an attack is not occurring.

IPSec transport mode

only encrypts the payload and is commonly used in private networks, but not with VPNs

split tunneling

only encrypts traffic destined for the VPN private network, which is configured by an admin. Website search behind a split tunnel configuration: the traffic will not go through the encrypted tunnel and goes straight to the internet

TACACS+

proprietary Cisco alternative to RADIUS
- can interact with Kerberos and MSAD

VPN (Virtual Private Network)

provides an encrypted network connection to a private network via the internet (public network)

RADIUS (Remote Authentication Dial-In User Service)

provides centralized auth for wireless remote access servers.
- encrypts password packets, but not the entire auth process
- uses UDP

OpenIDC

provides federation for applications

EAP (Extensible Authentication Protocol)

Provides a way for two systems to create a secure encryption key, the Pairwise Master Key (good for the entire session). Systems use the key to encrypt all data transmitted. Both TKIP and AES-based CCMP use this.
- CCMP is much stronger

Disassociation Attack

removes wireless client from a wireless network, forcing it to reauthenticate

TOTP (Time-Based One-Time Password)

similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP expire after 30 seconds. Susceptible to device sync errors and interception

Behavioral-Based Detection

Start with a performance baseline of normal behavior and then compare network traffic against this baseline. When traffic differs, the IDS sends an alert.

MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2)

stronger than MS-CHAP due to mutual authentication. Client challenges before data is transmitted. Server challenges client.
- helps make sure data goes to the right server/destination

Evil Twin Attack

The attacker is in the vicinity with a Wi-Fi-enabled computer and a separate connection to the Internet. Using a hotspotter, a device that detects wireless networks and provides information on them, the attacker simulates a wireless access point with the same wireless network name, or SSID, as the one that authorized users expect. If the signal is strong enough, users will connect to the attacker's system instead of the real access point.

WPA-PSK mode

Uses a pre-shared key and is designed for home and small office networks; doesn't require an authentication server. Another name for a Wi-Fi password

