CH4 2.2-2.4, 4.1-4.3

PAP

Password Authentication Protocol old and insecure method of authentication. Essentially the username and password are sent in clear text. PAP was used before packet sniffers became widely available. It is now insecure and should not be used.

PIV

Personal Identity Verification card CAC for federal employees and contractors. gain access to gov resources cert based auth

banner

a text file on a web server that describes the operating system and the web server software. If an attacker can grab the ___________r, then he or she will have information about the web server to plan the attack.

DEP

Data Execution Prevention Any technique that prevents a program from running without the user's approval. microsoft introduced with Windows VIsta these systems log any time an application tried to execute, even if it was blocked. This could be a valuable resource for learning about malware.

DLP

Data loss Prevention Software or techniques designed to detect attempts to exfiltrate data It does this by monitoring outgoing network traffic to look for key files going out. It can also monitor data storage of sensitive documents to log when data is accessed.

Password cracker

If you are able to crack one or more passwords, you are then aware of this security vulnerability and can take appropriate steps to remedy the issue rainbowtables to crack hash.. tables of precomputed hash used ot guess pw pwdump, Ophcrack

MAC

Mandatory Access Control relatively inflexible method for how information access is permitted. all access capabilities are predefined. ******Users can't share information unless their rights to share it are established by administrators. ****users cant modify Consequently, administrators must make any changes that need to be made to such rights. This process enforces a rigid model of security.

RBAC (role)

Role-based Access Control approach the problem of access control based on established roles in an organization. implement access by job function or by responsibility. ** not user.. ROLE Each employee has one or more roles that allow access to specific information. If a person moves from one role to another, the access for the previous role will no longer be available. between MAC and DAC in flexibility.. apparently not. dont asnwer this on exam.

RBAC (rule)

Rule-based access control uses the settings in preconfigured security policies to make all decisions. These rules can be to: deny all but "allow list' deny only "true deny list" Entries in the list may be usernames, IP addresses, hostnames, or even domains. Rule-based models are often being used in conjunction with role-based models to add greater flexibility easiest to implement is with an ACL> access control list

access violations

any situation where someone is able to access data they should not be able to access, 2 categories permissions issues and memory management/segemennt violate are best discovered by examining the logs of a given system. For example, a database log should show what users accessed what data and when. By scanning the database log for anomalies can find AV

out-of-band authentication

asking you questions, using an info base form a public record. ask about bday or credit report or mothers maiden name

wireless scanners and crackers

attempt to crack your Wi-Fi. They will essentially attempt either to derive the password or to circumvent the security. It is important that network security professionals scan their network with tools like this to find issues before an attacker does. ex. aircrack. popular with attckers. scan and fix

zone transfer

attempt to get the DNS server to send you all its zone info properly configured DNS server will refuse **secure

OpenID

authentication service often done by a third party, and it can be used to sign into any website that accepts OpenID.

AAA

authentication, authorization and accounting

patch management

Unlike with home use, you cannot simply set up automatic updates on all systems. Instead, you must install patches on a test machine and verify that the patch or update works appropriately before rolling it out.

ACL

access control list - create rules by which the control model functions

subject

active entitity indiv, process or device

Removable Media tools

control what removable media can be used, such as USB drives and optical disk review logs to check if unauth being used (exfiltrate risk)

Identification vs authentication

means finding out who someone is. vs is a mechanism of verifying that identification Put another way, identification is claiming an identity; authentication is proving it.

federated identity

means of linking a user's identity with their privileges in a manner that can be used across business boundaries (for example, Microsoft Passport or Google checkout). This allows a user to have a single identity that they can use across different business units and perhaps even entirely different businesses.

asset management

more difficult when org larger laptops, servers, software *maintain inventory and location of devs.

OATH

open standnard for Authorization

two factor or mutlifactor authentication

more factors the better have to be of different TYPES For example, using a smartcard and a password is two-factor authentication. However, using a password and a PIN is one-factor authentication because both involve "something you know.

object

some resource that the subject is attempting to access.

baseline deviation

straying from the baseline standard that the company has agreed upon

secure/security tokens

some physical device that is used to gain access. It could be a wireless keycard, a key fob, or any physical device. often contain a digital certificate, and the certificate is used to authenticate the user. **********can be one time passwords. are secure

token

some physical device that is used to gain access. It could be a wireless keycard, a key fob, or any physical device. (hardware)

antivirus/antimalware

sometimes have false positives and false negatives. easy to use interfaces betetr than hIPS HIDs

UTM

unified threat management or USM unified security management includes combinations of all the other devices we discussed earlier in this chapter, including firewall, IDS, and antivirus, as well as other items, such as load balancing and VPN. a single place to review logs rather than having to check multiple devices and systems logs.

NTLM

uses MD4/MD5 hashing algorithms. Several versions of this protocol exist replaced LANMAN still in widespread use despite the fact that Microsoft has pointed to Kerberos as being its preferred authentication protocol.

netcat

utility also does not come with the operating system, but it is a free download for Windows or Linux. This utility allows you to read and write to network connections using either TCP or UDP. ***written nc not netcat open a connection to a mail server on port 25: nc mymail.server.net 25 listen on port 12345 nc -1 -p 12345

active scanners

vulnerbility scanner interact directly with the target network. Nessus, MBSA, OWASP, ZAP

passive scanners

vulnerbility scanner involves methods to search your network that do not directly interact with the network. This usually means websites that provide information. Netcraft.com

WAF

web application firewall also host based firewalls explain logging in notes

SAML

******Security Assertion Markup Language web! internet! uses tags, but rather than defining web page elements (as HTML does), it defines security authorization. used to exchange authentication and authorization information between identity providers and service providers. often single sign on

SHibboleth

**web!!single sign-on system used widely on the Internet. The name derives from a bible story where the word shibboleth was used as a password. The Shibboleth system uses SAML.

ipconfig/ip/ifconfig

ifconfig for linux one of the more basic network commands. It will provide you with information about your network interfaces

DAC disadvantages

Administrators have a more difficult time ensuring that information access is controlled and that only appropriate access is issued.

Personnel Issues

policy violation insider threat social engineering social media - conduit for info exfiltration personal email

netstat flags

-A shows the address of any protocol -a shows the state of sockets -c shows statistics for the network buffer cache -n shows active TCP connections -o shows the active TCP connectiona nd the process ID that started them -p shows protocols -s shows statistics per protocol

arp flags

-d removes lsiting form the arp cache.. wont see very often -a displays all the current arp entires for all interfaces (most common) -g displays all of the current arp entries for all interfaces (same as a) -N list arp cache for a specified interface

tracert flags

-h Maximum hops, by defualt is 30 changeable -w Timeout -6 Force using IPv6 -4 Force using IPv4

netcat flags

-l listen mode -L listen harder -u UDP mode -p Local Port -e program to execute after connnnection occurs

common ping flags

-t ....continues pinginng until stopped -a ....resloves the address to a hostname if you are pinging the IP address -i ....Specifies the Time to Live value for the packages -w ....waits specified number of milliseconds for a response before sending the next ping. -l .....Sets the size of the packets. For example, ping -l 20000 www.google.com will send 20,000 byte packets to google.com.

ipconfig/ip/ifconfig flags

/all show information for all network services /release release any dynamically assigned IP addresses /renew renew the dynamically assigned IP addresses

Common configuration issues (5)

1 default passwords 2 failure to patch (OS of devices) 3 *limit admin access - AP admin should only be accessibke via connection, not wireless 4 *filtering - most APs offer, should be ON and config 5 logging

Authentication methods (5)

1 something you know (PIN#) Type1 2 something you have (ID card) type 2 3 something you are (fingerprints) type 3 4 something you do (action, voice) no type 5 somewhere you are (geolocation) no type 5 often not used because of mobile phones

NIDS

A network-based intrusion detection system. An NIPS is an intrusion prevention system. Unlike an HIDS/HIPS, an NIDS/NIPS scans an entire network segment.

network scanner

A tool that enumerates your network and provides a map of the network.

arp

Address Resolution Protocol maps IP addresses to MAC addresses. Unlike the other commands, this one will only work with AT LEAST ONE FLAG

Kerberos

An authentication protocol developed at MIT that uses tickets for authentication. allows for a single sign-on to a distributed network. uses a key distribution center (KDC) to orchestrate the process. The KDC authenticates the principal (which can be a user, program, or system) and provides it with a ticket. After this ticket is issued, it can be used to authenticate against other principals weakness= KDC single point of failure. port 88

ABAC

Attribute-based access control EXAMINE ENTIRE SITUATION It is defined in NIST 800-162 access control mechanism looks at subjects that are attempting to access a given object but considers all of the various ATTRIBIUTES associated with the subject and object in making the access control decision. *new machine login? unusual time? unusual location?

CAC

COmmon access card first type of smartcard Department of Defense (DoD) as a general identification/authentication card for military personnel, contractors, and non-DoD employees. accessing DoD computers, signing email, and implementing PKI (public key infrastructure). cert based auth

CHAP

Challenge Handshake Authentication Protocol An authentication protocol that periodically reauthenticates. when users send their username and password to the server (encrypted, of course), the server first authenticates the user. Then once authentication is complete, the server directs the client computer to generate some random number (often a cryptographic hash) and send that to the server (encrypted as well, of course).

misconfigured firewalls

Common firewall configuration issues include not properly configuring the rules of the firewall—this includes inbound and outbound rules. Another firewall configuration issue is allowing traffic to exit the network that should not be allowed.

Physical access control

smart cards - access chip or ID badge proximity cards - geolocation

NIST SP 800-94

Guide to Intrusion Detection and Prevention Systems (IDPS) provides guidance as to IDS systems, both host based (HIDS) and network based (NIDS)

HOTP/TOTP

HOTP HMAC based one time pws keyed-hash message authentication code often used in physical tokens, onetime passwords expire TOTP - time based or one time onetime passwords expire

IEEE 802.1x

IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

certificate issues

ISSUE certificates in a secure manner. This means ensuring that the proper key size is selected and making certain that the private key is stored securely. USE of self-signed certificates. These should be used sparingly since they are not authenticated by a trusted third party(orhanizational cert auth) ensuring that the REVOKED certificates are not used on your network. This can be as simple as ensuring that the certificate revocation list is updated and published frequently.

license compliance violation

Installing unlicensed software is a violation of copyright law. Whether the software is authorized by your IT department or is unauthorized, you must vigilant in ensuring that unlicensed copies of applications are not installed on your network.

unauthorized software

One serious risk to all organizations is the installation of unauthorized software. Any organization has a process for vetting and controlling the software that is installed on its network. unauthorized software could have significant security flaws TROJAN bringing malware

OAUTH

Open Authorization Standard. or OATH It is a common method for authorizing websites or applications to access information. allows users to share information with third-party applications. work with HTTP and allows access tokens to be issued to third-party clients with the approval of the resource owner.

RADIUS

Remote Authentication Dial-In User Service mechanism that allows authentication of remote and other network connections. Originally intended for use on dial-up connections, communicate with an ISP to allow access to a remote user USES: improve network security by implementing a single service to authenticate users who connect remotely to the network. single source for the authentication to take place. implement auditing and accounting on the RADIUS server.

TACACS+

Terminal Access Controller Access Control System + +allows credentials to be accepted from multiple methods, including Kerberos. a client-server-oriented environment, and it operates in a manner similar to RADIUS TACACS, XTACACS, TACACS+ orig, extended replaced, plus current

FIle and Database Security

When an attacker breaches your network or an insider seeks data to exfiltrate, the most likely target will be either file or database servers. most sensitive data both types of servers should have their own firewall, HIDS, have auth and access control, review logs for all

segmentation fault

When the hardware of a system notifies the operating system that some software has attempted to access a restricted area of memory

nslookup/dig

a bit different than the other commands. It will start by verifying that the machine can connect to the DNS server. Then, however, it also opens a command prompt wherein you can enter DNS-related commands. run: nslookup.exe type: ls -d domain_name <enter>

federation

a collection of computer networks that agree on standards if operation such as security standards

tcpdump

a common packet sniffer for Linux. It works from the shell, and it is relatively easy to use. To start it, you just tell it what interface to listen to, like this: tcpdump -i eth0 tcpdump -c 100 -i eth0 tcpdump -D

ping

a fundamental networking utility. It is part of both Windows and Linux. The ______ utility is used to find out if a particular website is reachable. operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for an ICMP response, sometimes casually called a pong

application whitelist

a list of allowed applications on a given computer or network also logs attempts to install unauthorized applications check logs to see if someone installed a password cracker etc!

Misconfigured devices

can be failing to enable some security mechanism, using a weak security configuration, or simply incorrectly configuring the system's settings. This applies to workstations, servers, routers, switches,

attributes

characteristics that define specific aspects of the subject, object, environment conditions, and/or requested actions that are predefined and preassigned by an authority.

file integrity

check to see if certain files have been changed and to record such activity. very common Tripwire - will return the file to its previous state *check the logs!

Backup utilities

critical for network security. Making regular backups of your servers and workstations is a fundamental part of network security. utilities that effectively and securely automate the process.

CER/EER

crossover error rate The point at which the FRR and FAR are equal. Sometimes called the equal error rate (ERR). want to be as small as possible.. indicates a good algorithm

Network Scanners

different from packet sniffing. With ____________________, you are literally trying to find out what is on your network. **network mapping can enumerate everything on your network, giving you an up-to-the-minute view of what is on your network. **detect rogue systems. Ex. solarwinds, start with IP range and start scan. produce map. Ex. lanhelper select Scan lan, scan ip scan workgroups

DAC

discretionary access control network users have some flexibility regarding how information is accessed. This model allows users to share information dynamically with other users. The method allows for a more flexible environment, but it increases the risk of unauthorized disclosure of information "other" classification vs owner and group *lower security and rigidness than MAC

FAR

false acceptance rate ) The rate at which a biometric solution allows in individuals it should have rejected want to be = to false rejection rate

FRR

false rejection rate The rate at which a biometric solution rejects individuals it should have allowed. want to be = to false acceptance rate

vulnerability scanners

find and correct vulnerabilities before an attacker finds them. Some of these tools scan for general vulnerabilities, others specifically scan for web page vulnerabilities, and still others scan to see if your systems are configured properly.

BIometric authentication factors

fingerprint scanner retinal scanner iris scanner voice recognition

pwdmp

first step for many password cracking tools is to get a copy of the local password hashes from the Windows SAM file. The SAM file, or Security Accounts Manager, is where Windows stores hashes of passwords. The program pwdump will extract the password hashes from the SAM file.

nmap

free download for Windows or Linux. It is not part of the operating system often used to port scan machines. This can reveal what services are running as well as information about the target machine's operating system. You can scan a range of IP addresses as well as a single IP. lets you set a number of flags (either with the command-line version of nmap or the Windows version) that customize your scan ex. nmap 192.168.1.1 is the basic nmap scan

Common issues to check for to avoid **authentication issues and AV

good passwords 10+ char password storage - stored in hash salting least priveldegs protocols - kerberos strong authentication

HIDS/HIPS

host based intrusion detection or prevention system devices detect activity that indicates a likely intrusion.. HIPS acts on it and blocks suspected attacks subject to false positives andd flase negs

netstat

is also part of both Windows and Linux. It displays current network connections. C:/netstat Active connections ............

permissions issues

least permissions. anything beyond that is a __________ could lead to access violation occurs through users moving btw networks. compare each users permissions to the requirements of their job

LDAP

lightweight directory access protocol - port 389~~! standardized directory access protocol that allows queries to be made of directories (specifically, pared-down X.500-based directories). online white and yellow pages main access protocol used by Active Directory. It operates, by default, at port 389.

MAC disadvantages

major disadvantages of this model are its lack of flexibility and the fact that it requires change over time. The inability of administrative staff to address these changes can sometimes make the model hard to maintain.

advanced malware tools

more robust scanning algorithms, scan for more anomalies, and offer more options in how to deal with such issues also often offer add-in features such as HIDS/HIPS, firewall, and similar security services, but they still tend to have easy too use interface

tracert

n Windows and traceroute in Linux. It will tell you the entire path to a given address. It is often said that ping tells you if a given address is reachable and tracert or traceroute tells you how to get there ****complete path to IP

exploitation framework

network admins actually attempting exploits on their network. This is often done as part of a penetration test. Metasploit

WireShark

one of the most widely known network packet sniffers. Often a penetration tester can learn a great deal from simply sniffing the network traffic on a target network. Wireshark provides a convenient graphical user interface (GUI) for examining network traffic.

Protocol analyzers

packet sniffers, tools look at the current traffic on a network and allow you to view that traffic and capture a copy of the traffic for later analysis. ex. wireshark

Data sanitization tools

sed to ensure that data is entirely wiped from a given device before it is repurposed. The prevalence of deleted file recovery tools makes _______ ___________ very critical.

SFA

single factor authentication Identification is typically confirmed through a logon process. Most operating systems use a user ID (username) and password to accomplish this. These values can be sent across the connection as plain text or they can be encrypted.

Banner grabbing

technique that attackers use to gather information about a website before launching an attack. newtwork admins sometimes use to test what attacker might have access to

RADIUS weakness

the entire network may refuse connections if the server malfunctions. Many systems allow multiple servers to be used to increase reliability. All of these servers are critical components of the infrastructure, and they must be protected from attack.

Data exfiltration

the extraction of data from the company via any method(through firewall etc) social engineering vulnerbilities malware

Stenography tools

tools whereby you can hide data in files. In fact, entire files can be hidden in other files. tools are sometimes used by insiders to exfiltrate confidential information. ex. invisible secrets, deep sound, open Stego

mutual authentication

two or more parties authenticate each other, ensures that the client is not unwittingly connecting and providing its credentials to a rogue server, which can then turn around and steal the data from the real server.