Module 12 Protection Mechanisms

private key encryption / symmetric encryption

A cryptographic method in which the same algorithm and secret key are used both to encipher and decipher the message.

asymmetric encryption / public key encryption

A cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message. Either key can be used to encrypt a message, but then the other key is required to decrypt it.

XOR cipher conversion

A cryptographic operation in which a bit stream is subjected to a Boolean XOR function against some other data stream, typically a key stream. The XOR function compares bits from each stream and replaces similar pairs with a "0" and dissimilar pairs with a "1."

transposition cipher / permutation cipher

A cryptographic operation that involves simply rearranging the values within a block based on an established pattern. Also known as a permutation cipher.

Bluetooth's

A de facto industry standard for short-range wireless communications between wireless telephones and headsets, between PDAs and desktop computers, and between laptops.

application layer proxy firewall

A device capable of functioning both as a firewall and an application layer proxy server.

bastion host / sacrificial host

A device placed between an external, untrusted network and an internal, trusted network. Also known as a sacrificial host, as it serves as the sole target for attack and should therefore be thoroughly secured.

proxy firewall

A device that provides both firewall and proxy services.

wireless access points (WAPs)

A device used to connect wireless networking users and their devices to the rest of the organization's network(s). Also known as a Wi-Fi router.

screened-host architecture

A firewall architectural model that combines the packet filtering router with a second, dedicated device such as a proxy server or proxy firewall.

screened-subnet architecture

A firewall architectural model that consists of one or more internal bastion hosts located behind a packet filtering router on a dedicated network segment, with each host performing a role in protecting the trusted network.

single bastion host architecture

A firewall architecture in which a single device performing firewall duties, such as packet filtering, serves as the only perimeter device providing protection between an organization's networks and the external network. This architecture can be implemented as a packet filtering router or as a firewall behind a non-filtering router.

deep packet inspection (DPI)

A firewall function that involves examining multiple protocol headers and even content of network traffic, all the way through the TCP/IP layers and including encrypted, compressed, or encoded data.

dynamic packet filtering firewalls

A firewall type that can react to network traffic and create or modify configuration rules to adapt.

stateful packet inspection (SPI) firewalls

A firewall type that keeps track of each network connection between internal and external systems using a state table, and that expedites the filtering of those communications. Also known as a stateful inspection firewall.

total cost of ownership

A measurement of the true cost of a device or application, which includes not only the purchase price, but annual maintenance or service agreements, the cost to train personnel to manage the device or application, the cost of systems administrators, and the cost to protect it.

honey nets

A monitored network or network segment that contains multiple honey pot systems.

ports

A network channel or connection point in a data communications system.

dual-homed host

A network configuration in which a device contains two network interfaces: one that is connected to the external network and one that is connected to the internal network. All traffic must go through the device to move between the internal and external networks.

packet filtering firewalls

A networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules.

passphrase

A plain-language phrase, typically longer than a password, from which a virtual password is derived.

clipping level

A predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to write the event to a log file and/or notify an administrator.

virtual private network (VPN)

A private, secure network operated over a public and insecure network. A VPN keeps the contents of the network messages hidden from observers who may have access to public traffic.

cache server

A proxy server or application-level firewall that stores the most recently accessed information in its internal caches, minimizing the demand on internal servers.

password

A secret word or combination of characters that only the user should know; used to authenticate the user.

proxy server

A server that exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server, thus protecting and minimizing the demand on internal servers. Some proxy servers are also cache servers.

Wired Equivalent Privacy (WEP)

A set of protocols designed to provide a basic level of security protection to wireless networks and to prevent unauthorized access or eavesdropping. WEP is part of the IEEE 802.11 wireless networking standard.

Wi-Fi Protected Access (WPA)

A set of protocols used to secure wireless networks; created by the Wi-Fi Alliance. Includes WPA and WPA2.

content filter

A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network—for example, restricting user access to Web sites with material that is not related to business, such as pornography or entertainment.

monoalphabetic substitution

A substitution cipher that incorporates only a single alphabet in the encryption process.

polyalphabetic substitutions

A substitution cipher that incorporates two or more alphabets in the encryption process

state table

A tabular record of the state and context of each packet in a conversation between an internal and external user or system. A state table is used to expedite traffic filtering.

port-address translation (PAT)

A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-many basis; that is, one external valid address is mapped dynamically to a range of internal addresses by adding a unique port number to the address when traffic leaves the private network and is placed on the public network.

network-address translation (NAT)

A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-one basis; that is, one external valid address directly maps to one assigned internal address.

certificate authority (CA)

A third party that manages users' digital certificates and certifies their authenticity.

crossover error rate (CER)

Also called the equal error rate, the point at which the rate of false rejections equals the rate of false acceptances.

application layer firewall

Also known as a layer seven firewall, a device capable of examining the application layer of network traffic (for example, HTTP, SMTP, FTP) and filtering based upon its header content rather than the traffic IP headers.

anomaly-based IDPS / behavior-based IDPS

An IDPS that compares current data and traffic patterns to an established baseline of normalcy, looking for variance out of parameters. Also known as a behavior-based IDPS.

signature-based IDPS / knowledge-based IDPS

An IDPS that examines systems or network data in search of patterns that match known attack signatures. Also known as a knowledge-based IDPS.

network-based IDPSs (NIDPSs)

An IDPS that resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.

host-based IDPS (HIDPS)

An IDPS that resides on a particular computer or server, known as the host, and monitors activity only on that system. Also known as a system integrity verifier.

honey pots

An application that entices individuals who are illegally perusing the internal areas of a network by providing simulated rich content areas while the software notifies the administrator of the intrusion.

Vulnerability scanners

An application that examines systems connected to networks and their network traffic to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers.

War driving

An attacker technique of moving through a geographic area or building while actively scanning for open or unsecured wireless access points.

dumb card

An authentication card that contains digital user data, such as a personal identification number (PIN), against which user input is compared.

Synchronous tokens

An authentication component in the form of a token-a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token must be calibrated with the corresponding software on the central authentication server.

Asynchronous tokens

An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token does not require calibration of the central authentication server; instead, it uses a challenge/response system.

smart card

An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a PIN.

Kerberos

An authentication system that uses symmetric key encryption to validate an individual user's access to various network resources by keeping a database containing the private keys of clients and servers that are in the authentication domain it supervises.

substitution cipher

An encryption method in which one value is substituted for another.

public key infrastructure (PKI)

An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates.

demilitarized zone

An intermediate area between a trusted network and an untrusted network that restricts access to internal systems.

Trap and trace applications

Applications that combine the function of honey pots or honey nets with the capability to track the attacker back through the network.

Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area?

Authentication

log files / logs

Collections of data stored by a system and used by administrators to audit system performance and use both by authorized and unauthorized users.

Which of the following is a commonly used criteria used to compare and evaluate biometric technologies?

Crossover error rate

Digital signatures

Encrypted message components that can be mathematically proven to be authentic.

Which of the following biometric authentication systems is considered to be truly unique, suitable for use, and currently cost-effective?

Fingerprint recognition

transport mode

In IPSec, an encryption method in which only a packet's IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses.

tunnel mode

In IPSec, an encryption method in which the entire IP packet is encrypted and inserted as the payload in another IP packet. This requires other systems at the beginning and end of the tunnel to act as proxies to send and receive the encrypted packets and then transmit the packets to their ultimate destination.

agent / sensor

In an IDPS, a piece of software that resides on a system and reports back to a management server. Also referred to as a sensor.

firewall

In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside network and the inside network.

footprint

In wireless networking, the geographic area in which there is sufficient signal strength to make a network connection.

Comparing hash values can be used to assure that files retain _________ when they are moved from place to place and have not been altered or corrupted.

Integrity

Which of the following is true about symmetric encryption?

It uses a secret key to encrypt and decrypt.

security event information management (SEIM) systems

Log management systems specifically tasked to collect log data from a number of servers or other network devices for the purpose of interpreting, filtering, correlating, analyzing, storing, and reporting the data.

Unified Threat Management (UTM)

Networking devices categorized by their ability to perform the work of multiple devices, such as a stateful packet inspection firewall, network intrusion detection and prevention system, content filter, spam filter, and malware scanner and filter.

What tool would you use if you want to collect information as it is being transmitted on the network and analyze the contents for the purpose of solving network problems?

Packet sniffer

In which cipher method are values rearranged within a block to create the ciphertext?

Permutation

Which tool can best identify active computers on a network?

Port scanner

Which technology employs sockets to map internal private network addresses to a public address using a one-to-many mapping?

Port-address translation

Which of the following is not a use of a hash function?

Program execution optimization to make computers run faster

digital certificate

Public key container files that allow PKI system components and end users to validate a public key and identify its owner.

Which of the following is not among the three types of authentication mechanisms?

Something a person sees

Which type of firewall keeps track of each network connection established between internal and external systems?

Stateful packet inspection

virtual password

The derivative of a passphrase. See passphrase.

cryptology

The field of science that encompasses cryptography and cryptanalysis.

Intrusion detection and prevention systems (IDPSs)

The general term for a system with the capability both to detect and modify its configuration and environment to prevent intrusions. An IDPS encompasses the functions of both intrusion detection systems and intrusion prevention technology.

Diffie-Hellman key exchange method

The hybrid cryptosystem that pioneered the technology.

footprinting

The organized research and investigation of Internet addresses owned or controlled by a target organization.

IP Security (IPSec)

The primary and now dominant cryptographic authentication and encryption product of the IETF's IP Protocol Security Working Group. A framework for security development within the TCP/IP family of protocol standards, IPSec provides application support for all uses within TCP/IP, including VPNs.

cryptography

The process of making and using codes to secure information.

cryptanalysis

The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption.

nonrepudiation

The process of reversing public key encryption to verify that a message was sent by a specific sender and thus cannot be refuted.

false reject rate

The rate at which authentic users are denied or prevented access to authorized areas as a result of a failure in the biometric device. This failure is also known as a Type I error or a false negative.

false accept rate

The rate at which fraudulent users or nonusers are allowed access to systems or areas as a result of a failure in the biometric device. This failure is also known as a Type II error or a false positive.

trusted network

The system of networks inside the organization that contains its information assets and is under the organization's control.

untrusted network

The system of networks outside the organization over which it has no control. The Internet is an example of an untrusted network.

fingerprinting

The systematic survey of a targeted organization's Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range.

hybrid encryption system

The use of asymmetric encryption to exchange symmetric keys so that two (or more) organizations can conduct quick, efficient, secure communications based on symmetric encryption.

Port scanners

Tools used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information.