Security+ (SY0-301)


OSI Model

(Layer 7) The Application layer integrates network functionality into the host operating system and enables network services. The Application layer does not include the specific applications that provide services, but rather provides the capability for services to operate on the network.
(Layer 6) The Presentation layer formats or "presents" data into a compatible form for receipt by the Application layer or the destination system. Specifically, the Presentation layer ensures:
• Formatting and translation of data between systems.
• Negotiation of data transfer syntax between systems, through converting character sets to the correct format.
• Encapsulation of data into message envelopes by encryption and compression.
• Restoration of data by decryption and decompression.
(Layer 5) The Session layer's primary function is managing the sessions in which data is transferred. Functions at this layer include:
• Management of multiple sessions (each client connection is called a session). A server can concurrently maintain thousands of sessions.
• Assignment of a session ID number to each session to keep data streams separate.
• Setting up, maintaining, and tearing down communication sessions.
(Layer 4) The Transport layer provides a transition between the upper and lower layers of the OSI model, making the upper and lower layers transparent to each other. Two protocols associated with the Transport layer are:
• TCP ensures accurate and timely delivery of network communications between two hosts (connection-oriented). TCP provides the following services to ensure message delivery: sequencing of data packets, flow control, error checking.
• UDP is a connectionless protocol: fast, but does not guarantee delivery.
(Layer 3) The Network layer describes how data is routed across networks and on to the destination.
• Protocols associated with the Network layer include IP and IPX.
• The logical host address, in the form of the IP address, is defined at the Network layer.
• Routers operate at the Network layer by reading the IP address in the packet to make forwarding decisions.
(Layer 2) The Data Link layer defines the rules and procedures for hosts as they access the Physical layer.
• The physical device address, in the form of the MAC address used with Ethernet, is defined at the Data Link layer.
• Network interface cards (NICs) contain the MAC address and perform functions at the Data Link layer.
• Switches operate at the Data Link layer by reading the MAC address in a frame to make forwarding decisions.
(Layer 1) The Physical layer sets standards for sending and receiving electrical signals between devices (hubs).

(PII) Personally Identifiable Information

Type 2 Something you have authentication

(also called token-based authentication) is authentication based on something a user has in their possession. Examples of something-you-have authentication controls are:
• Swipe cards
• Photo IDs
• Smart cards

Cross-site Request Forgery (CSRF/XSRF)

(also known as a one-click attack or session riding) is a type of malicious exploit whereby unauthorized commands are transmitted from a user to a website which currently trusts the user (by way of authentication, cookies, etc.). This is almost the opposite of the XSS attack, except CSRF exploits the trust that a site has in a user's browser.

Zero day

(also known as a zero hour or day zero attack) is an attack that exploits computer application vulnerabilities before they are known and patched by the application's developer.

Directory traversal

(also known as path traversal) is an attack that uses specific characters to traverse to the parent directory in a file system. This attack exploits insufficient security validation/sanitization of user-supplied input file names.

IPv6 address

- 32 hexadecimal numbers (128-bit address) organized into 8 quartets, separated by colons, each quartet representing 16 bits of data using a hexadecimal number between 0 and FFFF
- The first 64 bits are known as the prefix (IDs the host)
- The last 64 bits are the interface ID
- The IPv6 local loopback address for the local host is 0:0:0:0:0:0:0:1 (::1 or ::1/128)
- An IPv6 anycast address is a single address that can be assigned to multiple interfaces.
- The implementation of IPSec is mandatory
- Common format for expression is 32 numbers, grouped using colons and hexadecimal numbers.

Asymmetric encryption

- Aka public key encryption; uses two keys that are mathematically related. Both keys together are called the key pair. Used for data encryption, digital signing, & key exchange.
- A digital signature is used to authenticate asymmetric keys.
- Common algorithms are Diffie-Hellman and RSA
- Used to distribute symmetric keys.

Digital certificates

- CRL (Certificate Revocation List) distributes info on invalid certs
- Contained in the cert: public key and validity period, CA info, approved uses, cert owner

CRL (Certificate Revocation List)

- Certs are added when committing a crime, invalid identity issues, or the private key gets compromised.
- If the cert expires, it is not added, but the date is on the cert.

DES & AES encryption methods

- DES - one of the first symmetric encryption methods; now obsolete (can be used to break the encryption) (3DES is the improved version) - weaker than AES
- AES - stronger than DES - stronger and faster than 3DES when implemented with a large key size (256 bits)

LANMAN

- Divides passwords larger than 7 characters into two separate hashes
- Passwords are protected using hashing called the LANMAN hash (uses DES and a proprietary algorithm)
- Limited to 14 characters and is very weak/easily broken.

SSL

- Encrypts the entire communication session between server and client
- Can be used for HTTP, telnet, FTP and email
- Developed by Netscape
- Keys employed at 40-bit, 56-bit, 128-bit and 256-bit lengths
- TLS is based on SSL
- Uses RSA or KEA for key exchange

NTLM & NTLMv2 (NT LAN Manager)

- NTLM is the replacement for LANMAN on Microsoft networks and uses a stronger hashing method than LANMAN
- NTLMv2 includes additional security enhancements and a stronger hashing method.

Quantitative and Qualitative Analysis

- Quantitative analysis assigns a financial value or "real" numbers to an asset and the cost to recover from loss of it
- Qualitative analysis seeks to ID costs that cannot be concretely defined using quantitative analysis

Kerberos

- Requires a centralized database of users and passwords, and time sync
- Both authentication and authorization (default for AD)
- Grants tickets (also called a security token); uses SSO.
- Symmetric key cryptography.

Password Authentication Protocol (PAP)

Authentication protocol used between client and server
- Transmits credentials in clear text.

S/MIME

- Used to encrypt email (including file attachments)
- Uses RSA encryption
- Employs encryption for confidentiality
- Authenticates through digital signatures (X.509 v3 certs)
- Included in most browsers
- Minimal requirement: digital certificate.

Lightweight Directory Access Protocol (LDAP)

- Allows users and applications to read from and write to an LDAP-compliant directory service such as AD, eDirectory and OpenLDAP.
- Modes: Anonymous, Simple and SASL.
- Use SASL with Kerberos

Internet Protocol Security (IPSec)

- Authentication and encryption
- Can support any traffic supported by the IP protocol.
• Authentication Header (AH) provides authentication features. Use AH to enable authentication with IPSec.
• Encapsulating Security Payload (ESP) provides data encryption. Use ESP to encrypt data. Note: If you use only AH, data is not encrypted.
• Transport mode is used for end-to-end encryption of data. The packet data is protected, but the header is left intact, allowing intermediary devices (such as routers) to examine the packet header and use the information in routing packets.
• Tunnel mode is used for link-to-link communications. Both the packet contents and the header are encrypted.

stealth virus

- Can redirect the disk head to read another sector instead of the one in which it resides
- Can alter the reading of the infected file size shown in the directory listing.
- Can change a file's date and time.
- Since a stealth virus uses encryption techniques, it becomes totally hidden from antiviruses and operating systems (e.g. Frodo & Whale)

metamorphic virus

- Capable of rewriting its code upon each new file infection.
- In order to avoid pattern recognition, it changes the code, not the engine.
- Changes its code to an equivalent one, so it never has the same executable code in memory.

polymorphic virus

- Has the ability to change its own signature at the time of infection & is hard to detect.
- When the user runs the infected file on the disk, it loads the virus into RAM. The new virus starts making its own copies and infects other files of the operating system.
- The mutation engine of the polymorphic virus generates new encrypted code, thus changing the signature of the virus.
- Cannot be detected by signature-based antivirus.

multipartite virus

- Hybrid of boot sector and file viruses.
- Infects files, then works as a boot sector virus, and finally changes the MBR of the hard disk.
- Once the boot sector is infected, the virus loads into memory and begins to infect the uninfected program files. In this way, the process never ends.

trust model

- In the hierarchy, starts at the Root CA
- Defines how CA hierarchies trust each other and the certs they use.

Hub

- Physical star, logical bus topology.
- Hubs simply repeat incoming frames and send them to every host connected to the hub.
- All connected hosts share bandwidth

Cryptographic Service Provider (CSP)

- Resides on the client and generates the key pair.
- Asymmetric

The key distribution center (KDC) server

- Stores, distributes, and maintains cryptographic session keys.
- Kerberos uses a KDC to authenticate a principal.

trunk port

- Used to connect two switches together
- Member of all VLANs

The session keys employed by SSL are available in what bit lengths?

128 & 40 bit. They are also available in 56-bit & 256-bit lengths.

binary to decimal

128 = 10000000
64 = 01000000
32 = 00100000
16 = 00010000
8 = 00001000
4 = 00000100
2 = 00000010
1 = 00000001

Challenge Handshake Authentication Protocol (CHAP)

Authentication protocol used between client and server
- Uses a three-way handshake process for username/password.
- The password is hashed, then sent for authentication; forces periodic re-authentication.
- MS-CHAP v2 allows for mutual authentication (each party is verified by the other), where the server authenticates the client
- Used for dial-up

Ports

20 TCP / 21 TCP - File Transfer Protocol (FTP)
22 TCP and UDP - Secure Shell (SSH), SSH File Transfer Protocol (SFTP), Secure Copy (SCP)
23 TCP - Telnet
25 TCP - Simple Mail Transfer Protocol (SMTP)
49 TCP and UDP - Terminal Access Controller Access-Control System (TACACS)
50 - Encapsulating Security Payload (ESP) (used with IPSec)
51 - Authentication Header (AH) (used with IPSec)
53 TCP and UDP - Domain Name Server (DNS)
67 UDP / 68 UDP - Dynamic Host Configuration Protocol (DHCP)
69 UDP - Trivial File Transfer Protocol (TFTP)
80 TCP - HyperText Transfer Protocol (HTTP)
88 TCP - Kerberos
110 TCP - Post Office Protocol (POP3)
119 TCP - Network News Transport Protocol (NNTP)
123 UDP - Network Time Protocol (NTP)
135 TCP, 137 and 138 TCP and UDP, 139 TCP - Network Basic Input/Output System (NetBIOS)
143 TCP and UDP - Internet Message Access Protocol (IMAP4)
161 TCP and UDP / 162 TCP and UDP - Simple Network Management Protocol (SNMP)
389 TCP and UDP - Lightweight Directory Access Protocol (LDAP)
443 TCP and UDP - HTTP with Secure Sockets Layer (SSL/TLS) (HTTPS - stateful)
445 TCP - Windows 2000 CIFS/SMB (file access)
500 UDP - Internet Key Exchange (IKE) (used with IPSec)
636 TCP and UDP - Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
989 TCP and UDP / 990 TCP and UDP - FTP Secure (FTPS or FTP over SSL/TLS)
1701 UDP - Layer 2 Tunneling Protocol (L2TP)
1723 TCP and UDP - Point-to-Point Tunneling Protocol (PPTP)
1812 TCP and UDP / 1813 TCP and UDP - Remote Authentication Dial In User Service (RADIUS)
3389 TCP - Remote Desktop Protocol (RDP)

Wireless security

802.11i defines security for wireless networks (WPA, WPA2).
802.1x is an authentication protocol that can be used on wireless networks.
802.11a: provides wireless LAN bandwidth of up to 54 Mbps in the 5GHz frequency spectrum.
802.11b: provides bandwidth of up to 11 Mbps (with fallback rates of 5.5, 2, and 1 Mbps) in the 2.4GHz frequency spectrum.
802.11g: provides bandwidth of up to 54 Mbps in the 2.4GHz frequency spectrum.
802.11n: provides bandwidth of up to 300 Mbps in the 5GHz frequency spectrum (it can also communicate at 2.4GHz for compatibility).
Shared key is used with WEP.
WPA (uses TKIP), WPA2 (uses AES). WPA and WPA2 Enterprise use 802.1x for authentication.
WPA provides encryption and user authentication.

Fire extinguisher classes

A - Wood, paper, cloth, plastics
B - Petroleum, oil, solvent, alcohol
C - Electrical
D - Sodium & potassium

address class

A: 1-126, 255.0.0.0, /8
B: 128-191, 255.255.0.0, /16
C: 192-223, 255.255.255.0, /24
D: 224-239
E: 240-255

Digital Signatures

A combination of asymmetric encryption and hash values.
- Should be used for integrity validation and non-repudiation.
- Created using the sender's private key, and only the sender's public key can verify and open the data.
- Most likely to use RSA and ECC protocols

One-time pad (Algorithm)

A cryptography method in which the plaintext is converted to binary and combined with a string of randomly generated binary numbers (referred to as the pad). It is a form of substitution.

Trusted Platform Module (TPM)

A hardware chip on the motherboard that can generate and store cryptographic keys. Save the startup key to the TPM to avoid using a USB device to store the key.

Diffie-Hellman

A key exchange protocol used for generating and securely exchanging symmetric encryption keys (SSL, SSH, IPSec).
- Asymmetric

Hardware Security Modules (HSM)

A piece of hardware and associated software/firmware that is connected to a computer system to provide cryptographic functions such as encryption, decryption, key generation, and hashing.

Logic bomb

A program that performs a malicious activity at a specific time or after a triggering event.
- AKA asynchronous attack

ElGamal

A protocol used for encryption & based on Diffie-Hellman. Used in the free GNU Privacy Guard software and recent versions of PGP.
- Asymmetric
- Used primarily for secure key exchange

What two protocols is IPsec implemented through?

AH & ESP

Simple Authentication

Always use SSL

GNU Privacy Guard (GPG) and Pretty Good Privacy (PGP)

An encryption tool that encrypts emails, digitally signs emails, and encrypts documents.
- Compresses plain text before encrypting
- High resistance to cryptanalysis

Cramming

Application of charges to a phone bill for services which were not authorized or ordered by the consumer or disclosed.

Annualized Loss Expectancy (ALE)

Asset value (AV) x exposure factor (EF) x Annualized Rate of Occurrence (ARO)

A collection of zombie computers has been set up to collect personal information. What type of malware do the zombie computers represent?

Botnet

goals of cryptography

Confidentiality, authentication, integrity, and nonrepudiation are the goals of cryptography that are achieved by the symmetric key cryptosystem.

Cryptanalysis

Cryptanalysis is the method of recovering original data that has been encrypted without having access to the key used in the encryption process.

Which of the following is the employment of two separate key pairs in order to separate the security functions of confidentiality and integrity in a communication system?

Dual key pair

Which IPSec subprotocol provides data encryption?

ESP. Encapsulating Security Payload protocol provides data encryption for IPSec traffic.

You would like to implement BitLocker to encrypt data on a hard disk even if it is moved to another system. You want the system to boot automatically without providing a startup key on an external USB device. What should you do?

Enable TPM in the BIOS. The system startup key can be saved in the TPM.

Block Cipher

Encrypts by transposing plaintext to ciphertext in chunks (block-by-block)
- Symmetric encryption

Which of the following is a direct protection of integrity?

Digital Signature

What is the most obvious means of providing non-repudiation in a cryptography system?

Digital signatures

DriveLock

Encrypts the entire contents of a hard drive, protecting all files on disk. Special key allows system to decrypt the files on the hard drive.

Whole disk encryption (Bitlocker)

Encrypts the entire contents of the OS partition, including OS files, swap files, hibernation files, and all user files. It uses integrity checking early in the boot process to ensure the drive contents have not been altered and the drive is in the original computer. For hardware failure (assuming the startup key is stored on the TPM), use the recovery key to unlock the disk on another system.

Which of the following are denial of service attacks?

Fraggle & Smurf

Which of the following will enter random data to the inputs of an application?

Fuzzing

Which of the following are characteristics of a rootkit

Hides itself from detection, requires administrator-level privileges for installation, resides below regular antivirus software detection, might not be malicious, often replaces operating system files with alternative versions that allow hidden access

Which of the following can be used to encrypt Web, e-mail, telnet, file transfer, and SNMP traffic?

IPSec (Internet Protocol Security). It supports any traffic supported by the IP protocol.

Man-in-the-middle

IPSec is a good countermeasure (VPN)

Types of threat agent: Hacker

In general, a hacker is any threat agent who uses their technical knowledge to bypass security mechanisms to exploit a vulnerability to access information. Hacker subcategories include the following:
• Script kiddies download and run attacks available on the Internet, but generally are not technically savvy enough to create their own attacking code or script.
• Cybercriminals usually seek to exploit security vulnerabilities for some kind of financial reward or revenge.
• Cyber terrorists generally use the Internet to carry out terrorist activities, such as disrupting network-dependent institutions.

CryptoHeaven

It provides secure Internet connections, secure instant messaging, secure mail, secure file sharing, secure online storage, etc.
- 2048 to 4096-bit asymmetric and 256-bit symmetric key encryption with no third-party key holder.

Which of the following is NOT true concerning symmetric key cryptography?

Key management is easy when implemented on a large scale.

When a sender encrypts a message using their own private key, what security service is being provided to the recipient?

Non-repudiation

Service Set Identifiers (SSIDs)

On a wireless network, case-sensitive text strings that have a maximum length of 32 characters.

Key Management solution

Only a centralized key management solution provides a key escrow service that allows key recovery to occur

Non-repudiation

Proves that the sender sent a message

IPsec

Provides authentication and encryption services for IP-based network traffic.
- Uses IKE for key exchange.

Authentication Header (AH)

Provides message integrity through authentication, verifying that data are received unaltered from the trusted destination. AH provides no privacy and is often combined with ESP to achieve integrity and confidentiality.

RAID 3 (disk striping with a parity disk)

RAID 3 arrays implement fault tolerance by using striping (RAID 0) in conjunction with a separate disk that stores parity information.

Which of the following protocols are most likely used with digital signatures? (Select two)

RSA & ECC. Digital signatures use asymmetric encryption; RSA and ECC are asymmetric.

Replication

Replication is the process of copying changes to Active Directory between the domain controllers.

802.1x

Requires an authentication server for validating user credentials (typically RADIUS). Used on LANs for port authentication on switches and for authentication to wireless access points.

Strong

Requires two or more methods, but they can be of the same type.

Common symmetric encryption methods

Rivest Cipher (RC), International Data Encryption Algorithm (IDEA), Carlisle Adams Stafford Tavares (CAST), Twofish, Blowfish, Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES)

Spanning tree protocol

Runs to prevent switching loops; ensures only a single active path between any two switches.

What are two hashing protocols

SHA1 & MD5

Protocols that are used with Asymmetric Encryption

SSL/TLS, IPSEC, VPNs (PPTP, L2TP, SSTP), S/MIME and PGP for email security, SSH tunnels

Fraggle

Same as Smurf but uses UDP packets directed to port 7 (echo) and port 19 (character generation).

Digital envelope

Secure data transmission that uses asymmetric encryption to protect the message from hackers.

A receiver wants to verify the integrity of a message received from a sender. A hashing value is contained within the digital signature of the sender. What must the receiver use to access the hashing value to verify the integrity of the transmission?

Sender's public key

Salami

Small amounts of info, data, or valuables are taken over time. The result is to construct or obtain data or property of great value.

Smurf

Spoofs the source address in ICMP packets and sends the ICMP packets to a bounce site. The bounce site then responds to thousands of messages the victim site didn't send.

Subnets

Subnets divide an IP network address into multiple network addresses.
- Cannot be used to combine networks of different media types on the same subnet.

Dynamic Trunking Protocol (DTP)

Switches have the ability to automatically detect ports that are trunk ports, and to negotiate the trunking protocol used between devices.

What are two commonly used protocols for encrypting data?

TKIP (used with WPA wireless) & AES (used with WPA2 wireless)

Cryptosystem

The associated items of cryptography that are used as a unit to provide a single means of encryption and decryption

Key Space

The range of possible values that can be used to construct a key. Generally, the longer the space, the stronger the encryption.

MD5

The weakest hashing algorithm. It produces a message digest of 128 bits. The larger the message digest, the more secure the hash. SHA-1 produces 160 bits.

The aspect of certificates that makes them a reliable and useful mechanism for proving the identity of a person, system, or service on the internet

Trusted third-party

Stream Cipher

Uses a sequence of bits known as a keystream, which is the key used for encryption. The encryption is performed on each bit within the stream in real time.
- Symmetric encryption

Online Certificate Status Protocol (OCSP)

Used by PKI to immediately verify whether a certificate is valid.

Elliptic Curve Cryptography (ECC)

Uses a finite set of values within an elliptic curve (algebraic set of numbers). Considered a more efficient method of encryption.
- Asymmetric
- Can be used in key exchange.

Which of the following tools can you use on a Windows network to automatically distribute and install software and operating system patches on workstations?

WSUS & Group Policy

Windows Software Update Service

WSUS is a patch management tool that allows clients on a network to download software updates from an internal WSUS server in their organization.

RC5

A block cipher algorithm with a variable block size (32, 64, or 128 bits), key size (0 to 2040 bits), and number of rounds (0 to 255). 12-round RC5 (with 64-bit blocks) can be cracked by using a differential attack with 2^44 chosen plaintexts. Hence, 18-20 rounds of RC5 are suggested as sufficient protection.

Symmetric key encryption

A form of cryptography that provides confidentiality with a weak form of authentication or integrity (one key to encrypt/decrypt data)
- Best suited for bulk encryption because it is fast
- Use when encryption is needed to protect the contents of a message.
- Key management is difficult on a large scale.

Cipher text

a message in a form that makes it unreadable to all but those for whom the message was intended

3DES

acceptable form of DES, applies encryption 3 times

Rule-Based Access

Access control that uses characteristics of objects or subjects, along with rules, to restrict access. AKA label-based management

Bluebugging

access to all mobile phone commands that use Bluetooth technology, such as initiating phone calls, sending and receiving messages, eavesdropping, and reading and writing phone book contacts.

Phreaking

act of attacking phone systems.

Bluejacking

act of sending unsolicited messages over Bluetooth wireless links to other devices such as advertising, and spam.

Role-Based Access Control (RBAC)

Allows access based on a role (job) in an organization, not individual users.
• MAC (Mandatory Access Control) uses classifications (AKA sensitivity labels or clearance levels); used with "need to know"
• TBAC (Task-Based Access Control) uses work tasks

Static NAT

allows external hosts to contact internal hosts.

Internet Control Message Protocol (ICMP)

allows hosts to exchange messages to indicate the status of a packet as it travels through the network.

Dynamic NAT

allows internal (private) hosts to contact external (public) hosts, but not vice versa.

crossover error rate

Also called the equal error rate; the point where the number of false positives matches the number of false negatives in a biometric system. A lower crossover error rate is better.

Blowfish & Twofish

alternatives to DES, but AES is the designated replacement to DES

member servers

are servers in the domain which do not have the Active Directory database.

Discretionary Access Control (DAC)

assigns access directly to subjects based on the discretion (or decision) of the owner.

distributed denial-of-service (DDoS)

attack aims a number of compromised hosts at a single target.

Command injection

attack injects and executes unwanted commands on the application. The commands are executed with the same privileges and environment as granted to the application.

A repudiation attack

attack on open SMTP relays in which the attacker accesses your e-mail server and sends spoofed e-mails to others making them appear as if they came from you.

Cross-site scripting (XSS)

attack that injects scripts into Web pages. When the user views the Web page, the malicious scripts run allowing the attacker to capture information or perform other actions.

drive-by download

Attack where software or malware is downloaded and installed without explicit consent from the user, usually through social engineering or by exploiting a browser or operating system bug.

LAND attack

The attacker floods the victim's system with packets that have forged headers.
• The packets have the same source and destination address (the victim's).
• As the victim's system continues to hold more and more packets in RAM, it is unable to process legitimate requests

AAA

authentication, authorization, and accounting

DNS reverse lookup

can be used to verify that a source email address exists before a message is transmitted.

local registration authority (LRA)

can establish an applicant's identity and verify that the applicant for a certificate is valid. The LRA sends verification to the CA that issues the certificate.

Mysqlimport

client program of the MySQL distribution. It is used to load data files into the tables.

Service pack

collection of patches, hotfixes and other system enhancements that have been tested by the manufacturer for wide deployment

All-in-one security appliances

Combine many security functions into a single device. Security functions include:
• Spam filter
• URL filter
• Web content filter
• Malware inspection
• Intrusion detection system

Hybrid Cryptography

Combines symmetric and asymmetric systems (symmetric processes large amounts of data fast, and asymmetric can securely distribute keys)

RAID 1+0

Combines disk mirroring (1) and disk striping (0). Multiple disks are configured into two mirrored arrays, which are then striped across the other set.
• Provides fault tolerance.
• Data is available if one or more disks in a single set fails.
• Data is available even if two disks in different sets fail.
• Provides an increase in performance.
• Requires an even number of disks, with a minimum of four disks.
• Has a 50% overhead.
• Is the fastest, most fault tolerant, and most expensive array. RAID 1+0 performs better and provides more fault tolerance than RAID 0+1 arrays.

Christmas (Xmas) Tree

conducts reconnaissance by scanning for open ports, and it also conducts a DoS attack if sent in large amounts.

CIA

confidentiality, integrity, and availability

Network Access Control (NAC)

Controls access to the network by not allowing computers to access network resources unless they meet certain predefined security requirements.
• A client that is determined by the NAC agent to be healthy is given access to the network. Health requirements:
- Anti-virus software with up-to-date definition files.
- An active personal firewall.
- Specific operating system critical updates and patches.

Port spanning (AKA port mirroring)

copies the traffic from all ports to a single port and disallows bidirectional traffic on that port.

Switch

Creates security segments on a LAN (a VLAN); a client connected to these switch ports can communicate with other designated VLANs. Primary tool to improve network efficiency.

Voice over IP (VoIP)

Digital solution using an Internet connection to make phone calls.
- Voice data is digitized, converted into packets, and sent over an IP packet-switched network provided by the Internet Service Provider (ISP).
- Uses Quality of Service (QoS) measures to ensure timely delivery of voice traffic.

Trojan horse

Disguised as legitimate or desirable software
• Cannot replicate itself
• Does not need to be attached to a host file

RAID 0+1

Disk striping (0) and disk mirroring (1). Multiple disks are striped, creating a single volume.
• Provides fault tolerance.
• Data is available if one or more disks in a single set fails.
• Data is lost if two disks in different mirrored sets fail.
• Provides an increase in performance.
• Requires an even number of disks, with a minimum of four disks.

Objects

Each resource is identified as an object. Common objects include:
• Users
• Groups
• Computers
• Printers
• Shared folders
Each object contains additional information about the shared resource that can be used for locating and securing resources. The schema identifies the object classes (the types of objects) that exist in the tree and the attributes (properties) of the object.

Hashed Keyed Message Authentication Code (HMAC)

Embeds a symmetric key into a message before the message is hashed. When received, the recipient's symmetric key is added back into the message before hashing the message.

Encrypting file system (EFS)

Encrypts files and folders stored on NTFS partitions (asymmetric encryption)

Information security

explicitly focuses on protecting data resources from malware attacks or simple mistakes by people within an organization by the use of Data Loss Prevention (DLP) techniques.

Client-side attack

exploits vulnerabilities in client applications that interact with a malicious server. A typical example of a client-side attack is a malicious web page targeting a specific browser vulnerability that would give the malicious server complete control of the client system. JavaScript is an example of client-side scripting.

Extensible Authentication Protocol (EAP)

Used for remote access.
- Allows various authentication methods, including smart cards, biometrics and digital certificates.

MySQL Federated storage engine

storage engine for the MySQL relational database management system that allows a user to create a table that is a local representation of a foreign (remote) table.

host-based firewall

inspects traffic received by a host. Uses filtering rules, sometimes called access control lists (ACLs), to identify allowed and blocked traffic.

birthday attack

is a brute force attack in which the attacker hashes messages until one with the same hash is found.

forest

is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS namespaces.

Certificate Practice Statement (CPS)

is a declaration of the security that the organization is implementing for all certificates issued by the CA holding the CPS.

tree

is a group of related domains that share the same contiguous DNS namespace.

Hotfix

is a quick fix for a problem, and normally not installed unless you have the specific problem it is intended to fix

domain controller

is a server that holds a copy of the Active Directory database that can be written to.

Group Policy(policy)

is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values. GPOs apply to objects when they are linked to containers and configured with specific settings.
• GPOs can be linked to Active Directory domains or organizational units (OUs). Built-in containers (such as the Computers container) cannot have GPOs linked to them.
• A GPO only affects the users and computers beneath the object to which the GPO is linked.
• A local GPO is stored on a local machine. It can be used to define settings even if the computer is not connected to a network.
• A specific setting in a GPO can be:
  • Undefined, meaning that the GPO has no value for that setting and does not change the current setting.
  • Defined, meaning that the GPO identifies a new value to enforce.
• GPOs are applied in the following order:
  1. The Local Group Policy on the computer
  2. GPOs linked to the domain that contains the User or Computer object
  3. GPOs linked to the organizational unit(s) that contain(s) the User or Computer object (from the highest-level OU to the lowest-level OU).
• Individual settings within all GPOs are combined to form the effective Group Policy setting as follows:
  • If a setting is defined in one GPO and undefined in another, the setting will be enforced (regardless of the position of the GPO in the application order).
  • If a setting is configured in two GPOs, the setting in the last-applied GPO will be used.

Public-Key Cryptography Standards (PKCS)

is a set of voluntary standards for public-key cryptography. This set of standards is coordinated by RSA.

Phishing

is an e-mail pretending to be from a trusted organization, asking to verify personal information or send money.

security principal

is an object that can be assigned permissions to another object. - Users, groups, and computers. Each security principal is given a unique identification number called a SID (security ID). • When a security principal logs on, an access token is generated. The access token is used for controlling access to resources and contains the user or computer, its groups, and its rights.

Organizational Unit (OU)

is like a folder that subdivides and organizes network resources within a domain. An organizational unit: • Is a container object • Can hold other organizational units • Can hold objects such as users and computers • Can be used to logically organize network resources • Simplifies security administration

Collision

is the term used to describe a situation in which two different messages produce the same hash value. This is an indication that a stronger hashing algorithm should be used.

Magic Lantern

keystroke logging in order to capture encryption keys and other information useful for deciphering transmissions - can be delivered through e-mail to the victim's computer.

Spoofing

makes a transmission appear to have come from an authentic source by forging the IP address, email address, caller ID, etc.

circuit-level proxy or gateway (stateful inspection firewall)

makes decisions about which traffic to allow based on virtual circuits or sessions. • Operates at the Session layer. • The firewall is considered stateful because it keeps track of the state of a session. • Keeps track of known connections and sessions in a session table (also referred to as a state table). • A stateful inspection firewall can be faster after the initial session table has been created.

application level firewall (application level gateway or proxy server)

makes security decisions based on information contained within the data portion of a packet. • Examines the entire content (not just individual packets). • Can filter based on user, group, and data such as URLs within an HTTP request.

Simple Network Management Protocol (SNMP)

managing complex networks (castle rock from TDC). SNMPv3 adds: authentication for agents and managers, encryption, and message integrity to ensure messages are not altered in transit.

Teardrop attack

manipulates the UDP fragment number and location. • When the victim system rebuilds the packets, an invalid UDP packet is created, causing the system to crash or reboot.

cross-certification or bridge model

model is used when one organization with a CA structure needs to trust certificates from another organization that has its own CA structure. • A root-to-root configuration allows clients in one organization to trust any certificate issued by the other organization's CAs and vice versa. • A mesh configuration provides trust paths that can be configured for more restrictive certificate validation.

Clark-Wilson model

data must be accessed through applications that have predefined capabilities. Prevents modification, fraud, and errors, BUT not spam.

DNS poisoning

occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses

DLL injection

occurs when a program is forced to load a dynamic-link library (DLL). This DLL then executes under the security context of the running application, and executes malicious code included with the injected DLL.

SQL injection

occurs when an attacker includes database commands within user data input fields on a form, and those commands subsequently execute on the server. The injection attack succeeds if the server does not properly validate the input to restrict entry of characters that could end and begin a database command.

buffer overflow

occurs when the operating system or an application does not properly enforce boundaries for how much and what type of data can be inputted. Hackers submit data beyond the size reserved for the data in the memory buffer, and the extra data overwrites adjacent memory locations. The extra data sent by the attacker could include executable code that might then be able to execute in privileged mode.

Serial Line Interface Protocol (SLIP)

older remote access standard commonly used by UNIX remote access servers.

TrueCrypt

open source disk encryption tool. - Encryption: AES-256, Serpent, Twofish.

working with a suspect drive

copying with the operating system is not forensically valid (it won't capture deleted or hidden files, and still-running processes could compromise data). An offline bit stream copy is required.

ARP spoofing/poisoning

poisoning associates the attacker's MAC address with the IP address of victim devices. • The source device sends frames to the attacker's MAC address instead of the correct device.

Steganography

process of hiding one message in various forms of data (electronic watermarking).

Header manipulation

process of including unvalidated data in an HTTP response header. Header manipulation is the method used by threat agents to conduct additional exploits.

The Wireless Transaction Protocol (WTP)

provides services similar to TCP and UDP for WAP

Patch

quick fix, but generally more tested by the manufacturer and designed for a wider deployment.

Masquerading

refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access.

Point-to-Point Protocol (PPP)

remote access protocol commonly used to connect to the Internet. It supports compression and encryption and can be used to connect to a variety of networks. It can connect to a network running on the IPX, TCP/IP, or NetBEUI protocol. It supports multi-protocol and dynamic IP assignments. It is the default protocol for the Microsoft Dial-Up adapter.

virus

requires a replication mechanism which is a file that it uses as a host. • The virus only replicates when an activation mechanism is triggered.

Type 1 Something you know authentication

requires you to provide a password or some other data that you know. This is the weakest type of authentication. Examples are: • Passwords, codes, or IDs • PINs • Pass phrases (long, sentence-length passwords) • Cognitive information such as questions that only the user can answer. Note: Usernames are not a form of Type 1 authentication.

Certificate Revocation List (CRL)

resides at the CA and consists of a list of certificates that have been previously revoked. This list can be accessed by the client to verify the validity of a digital certificate.

Network Address Translation (NAT) (private)

router translates multiple private IP addresses into one registered IP address. Private ranges: • 10.0.0.0 to 10.255.255.255 • 172.16.0.0 to 172.31.255.255 • 192.168.0.0 to 192.168.255.255

rootkit

set of programs that allows attackers to maintain permanent, administrator-level, hidden access to a computer • Is almost invisible software. • Resides below regular antivirus software detection.

Private Branch Exchange (PBX)

telephone exchange that serves a private organization and connects the organization to the PSTN. - Threats include the 2600 club, which refers to emitting a 2066KHz frequency that authorizes long-distance calls without payment.

X.509

the official standard that identifies the format for public key certificates and certification path validation.

Hypervisor

thin layer of software that resides between the guest operating system(s) and the hardware. A hypervisor allows virtual machines to interact with the hardware without going through the host operating system.

PGP (Pretty Good Privacy)

to encrypt internet phone calls

Bluesnarfing

unauthorized access to a Bluetooth device to view the calendar, e-mails, text messages, and contact lists.

System Access List (SACL)

used by Microsoft for auditing to identify past actions performed by users on an object.

Hashing algorithms

used to create a message digest (hash, then send; the receiver hashes and compares) to ensure that data integrity is maintained.

generic containers

used to organize Active Directory objects. Generic container objects: • Are created by default • Cannot be moved, renamed, or deleted • Have very few properties you can edit You cannot create generic containers. Use OUs instead.

Internet Key Exchange (IKE)

used with IPsec to create a security association between communicating partners.

Access Control List (ACL)

users with specific security assignments to an object. - Most client-server environments. - Filters traffic based on the IP header info, protocol, or socket numbers.

TLS

uses Diffie-Hellman or RSA to exchange session keys

LDAP injection

uses LDAP statements with arbitrary commands to exploit web-based applications with access to a directory service

SFTP

uses SSH for security

FTPS

uses SSL/TLS for security (requires a server certificate)

Type 3 Something you are authentication

uses a biometric system. This is the most expensive and least accepted, but is generally considered to be the most secure form of authentication. Authentication must meet the following criteria: • Universality • Uniqueness • Permanence • Collectability • Performance • Circumvention (substitutes) Most biometric systems require implementation of a PKI system.

Quantum Cryptography

uses a series of photons to encrypt and send messages. If the receiver knows the sequence and polarity of the photons, the message can be decoded.

XML injection

uses malicious content and/or structures in an XML message to alter the intended logic of the application.

RSA

uses multiplication of large prime numbers. - Asymmetric

Stunnel

wrapper that allows a network administrator to encrypt an arbitrary TCP connection inside the Secure Socket Layer (SSL) protocol

PKI hierarchy

• A root CA is the first CA in the hierarchy and the first CA you set up. The root CA has a self-signed certificate, and is often offline to protect the CA from compromise. • A subordinate CA is a CA authorized by the root CA to issue certificates to other CAs or users or computers. • PKI depends on asymmetric cryptography. • Public keys are found in a browser's trusted root store, while the private key is used to encrypt.

Backup - Daily

• Backs up all files modified that day regardless of the archive bit status. • Resets the Archive Bit? No

Backup - Full

• Backs up all files regardless of the archive bit and will reset the archive bit. • Requires large tapes for each backup. • Takes a long time to perform each backup. • To restore, restore only the last backup. This is the fastest restore method.

Backup - Copy

• Backs up all files regardless of the archive bit status and will not reset the archive bit.

Backup - Incremental

• Backs up files on which the archive bit is set. This will back up only the data changed since the last full or incremental backup and will reset the archive bit. • To restore, restore the full backup and every subsequent incremental backup.

Backup - Differential

• Backs up files on which the archive bit is set. This will back up only the data changed since the last full backup and will not reset the archive bit. • To restore, restore the last full backup and the last differential backup. • Next to a full backup, this is the fastest restore method.

RADIUS

• Combines authentication and authorization using policies to grant access. • Centralized remote access authentication protocol. • Uses UDP. • When configuring, configure a single server as a RADIUS server and all remote access servers as RADIUS clients. • RADIUS encrypts only the password.

Mandatory Access Control (MAC)

• Controls based on rules rather than identity. • Uses labels for both subjects (i.e., users who need access) and objects (i.e., resources with controlled access, such as data, applications, systems, networks, and physical space).

RAID 0 (striping)

• Does not provide fault tolerance. A failure of one disk in the set means all data is lost. • Requires a minimum of two disks. • fastest of all RAID types

Layer 2 Forwarding (L2F)

• Operates at the Data Link layer (layer 2). • Offers mutual authentication. • Does NOT encrypt data. • Merged with PPTP to create L2TP

RAID 1 (mirroring)

• Provide fault tolerance. • Do not increase performance. • Require two disks. • Have a 50% overhead. Data is written twice, meaning that half of the disk space is used to store the second copy of the data. • RAID 1 is the most expensive fault tolerant system.

RAID 5 (striping with distributed parity)

• Provide fault tolerance. • Provide an increase in performance. • Do not provide fault tolerance if two or more disks fail. • Require a minimum of three disks.

Clustering

• Several grouped computers to increase the availability to applications and services. • Clustered by a shared IP(clients directed to shared IP) • periodic heartbeat signals to maintain contact • Convergence - cluster members are aware of all other members

Grandfather Father Son (GFS)

• Son (daily). Son backups are rotated daily. • Father (weekly). Father backups are rotated weekly. One daily backup each week becomes a Father backup. • Grandfather (monthly). One weekly backup each month becomes a Grandfather backup.

Backup - Image

• Takes a bit-level copy of a disk or partition. Individual files are not examined, so all data is copied regardless of the archive bit. • Resets the Archive Bit? No

SYN flood

• The attacker floods a victim site with SYN packets • The victim responds to each SYN packet with a SYN ACK packet. • The attacker does not respond with the last portion of the handshake (an ACK packet), leaving the victim waiting for a response.

Ping of death (long ICMP attack)

• The attacker sends one very large ICMP packet (larger than 65,536 bytes) directly to the victim.

dual key pairs

• The private key used for digital signatures is kept completely private. Only the user has access to this key and the key is never archived. • The private key used for encryption is archived so that encrypted documents can be recovered if the private key is lost.

Layer Two Tunneling Protocol (L2TP)

• Used for connecting LANs (via VPN). • Operates at the Data Link layer (layer 2). • Supports multiple protocols (not just IP). • Uses IPSec for encryption. Combining L2TP with IPSec (called L2TP/IPSec) provides: per-packet data origin authentication (non-repudiation), replay protection, and data confidentiality. • Is not supported by older operating systems.

Point-to-Point Tunneling Protocol (PPTP)

• Uses standard authentication protocols, such as Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP). • Supports TCP/IP only. • Encapsulates other LAN protocols and carries the data securely over an IP network. • Uses Microsoft's MPPE for data encryption.

packet filtering firewall

• makes decisions about which network traffic to allow by examining information in the IP packet header such as source and destination addresses, ports, and service protocols. • Uses access control lists (ACLs) or filter rules to control traffic. • considered a stateless firewall because it examines each packet and uses rules to accept or reject each packet without considering whether the packet is part of a valid and active session.

TACACS+

• Provides three protocols, one each for authentication, authorization, and accounting. This allows each service to be provided by a different server. • Centralized remote access authentication protocol. • Uses TCP. • Encrypts the entire packet contents, not just authentication packets. • Supports more protocol suites than RADIUS.

Round Robin

• Round robin uses a full backup on one day with incremental/differential backups on subsequent days. • When all the tapes have been used for backup, you start over with the tape with the oldest data. Round robin is probably the simplest of backup rotation schemes.
