Technologies and Tools


Port Security

A Cisco switch feature in which the switch watches Ethernet frames arriving on an interface (a port), tracks the source MAC addresses of those frames, and takes a security action (protect, restrict, or shut down the port) when the number of distinct source MAC addresses exceeds the configured maximum. It limits MAC flooding and stops unauthorized devices being chained onto an access port.
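
The learning and violation logic described above, modelled in a few dozen lines (an added example, not from the original card or from any vendor's code). Port names, MAC addresses and frames are constructed; the three violation modes mirror the protect/restrict/shutdown behaviour described above.

```python
"""Minimal model of switch port security (added example, constructed data).

Each port learns source MACs; a frame from a MAC that would push the port past
its configured maximum triggers the violation action:
  protect  - silently drop frames from unknown MACs
  restrict - drop and count the violation
  shutdown - drop and err-disable the port (every later frame is dropped)
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    max_macs: int = 1
    violation: str = "shutdown"          # protect | restrict | shutdown
    learned: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False


class Switch:
    def __init__(self, ports):
        self.ports = ports

    def receive(self, port_name, src_mac):
        """Return 'forward' or 'drop' for one frame, updating port state."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "drop"
        if src_mac in port.learned:
            return "forward"
        if len(port.learned) < port.max_macs:
            port.learned.add(src_mac)            # sticky-learn a new address
            return "forward"
        # Too many distinct source MACs on this port: apply the violation action.
        if port.violation == "shutdown":
            port.err_disabled = True
            port.violations += 1
        elif port.violation == "restrict":
            port.violations += 1
        return "drop"


def run_demo():
    sw = Switch({
        "Gi0/1": Port(max_macs=1, violation="shutdown"),
        "Gi0/2": Port(max_macs=2, violation="restrict"),
    })
    # Constructed frames: a second MAC appears on Gi0/1 (MAC flooding attempt);
    # a phone and a PC legitimately share Gi0/2, then a third MAC shows up.
    frames = [
        ("Gi0/1", "00:11:22:33:44:01"),
        ("Gi0/1", "de:ad:be:ef:00:01"),   # violation -> port err-disabled
        ("Gi0/1", "00:11:22:33:44:01"),   # legitimate host now also dropped
        ("Gi0/2", "00:11:22:33:44:02"),
        ("Gi0/2", "00:11:22:33:44:03"),
        ("Gi0/2", "de:ad:be:ef:00:02"),   # violation -> dropped and counted
        ("Gi0/2", "00:11:22:33:44:02"),   # legitimate host still forwarded
    ]
    return [sw.receive(p, m) for p, m in frames], sw


if __name__ == "__main__":
    decisions, switch = run_demo()
    print(decisions)
    for name, port in switch.ports.items():
        print(name, "err-disabled" if port.err_disabled else "up", port.violations, "violations")
```

The trade-off shows in the output: shutdown mode stops the attacker but also takes the legitimate host offline until the port is recovered, while restrict mode keeps the known hosts working and only counts the offender.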

IPSec (Internet Protocol Security)

A Layer 3 protocol suite that defines encryption, authentication, and key management for TCP/IP transmissions. IPSec is an enhancement to IPv4 and is native to IPv6. It is unusual among authentication methods in that it adds its security information (the AH and ESP headers) to the IP packets themselves rather than to an application-layer protocol, so any application's traffic can be protected without changing the application.

ifconfig

A TCP/IP configuration and management utility used on UNIX and Linux systems to display and set interface addresses. On modern Linux distributions it has largely been superseded by the ip command from iproute2.

netstat

A TCP/IP troubleshooting utility that displays protocol statistics and the state of current TCP/IP connections. It also lists listening ports, which shows whether services are bound to the expected ports and reveals unexpected listeners that may indicate malware or a misconfiguration.

full tunnel

A VPN technology in which all traffic is sent to the VPN concentrator and is protected.

fat vs thin Access point

A thin wireless access point is basically a radio and antenna controlled by a wireless switch or controller, which handles authentication, encryption, and policy centrally. A fat (thick) AP has sufficient program logic and processing power to enforce access and usage policies itself rather than working under the supervision of a centralized controller.

VPN concentrator

A device that aggregates hundreds or thousands of VPN connections.

Hardware Security Module (HSM)

A tamper-resistant device that generates, stores, and uses cryptographic keys so that private keys never leave the device in clear form. HSMs back servers (for example TLS termination and certificate authorities), protect keys used for data in transmission, and sign or encrypt log files and other records that must not be altered.

media gateway

A gateway capable of accepting connections from multiple devices (for example, IP telephones, traditional telephones, IP fax machines, traditional fax machines, and so on) and translating analog signals into packetized, digital signals, and vice versa.

Vulnerability Scanner

A generic term that refers to products that look for vulnerabilities in networks or systems.

affinity

A likeness or natural relationship. In load balancing, affinity (also called sticky sessions or session persistence) means a client is consistently directed to the same back-end server, usually keyed on source IP address or a cookie, so that session state held on that server is not lost.

Loop Prevention

A means to mitigate broadcast storms on switched networks using the IEEE 802.1D spanning-tree algorithm (STA), which blocks redundant links so that no Layer 2 loop exists. Loops are also a problem at Layer 3: a routing loop forms when an error in the routing algorithm or configuration leaves a group of routers forwarding packets for a destination around a circle, and the IP TTL field is what eventually discards such packets.

signal strength

A measurement of how well your wireless device is connecting to other devices.

Always-on VPN

A VPN configuration in which the client connection is established automatically whenever the device has network connectivity, so the user is always protected and never has to disconnect and reconnect manually. It commonly uses SSL/TLS (or IKEv2/IPSec) for the encrypted connection rather than the legacy PPTP or L2TP protocols.

MAC filtering

A method of controlling access to a wired or wireless network by denying access to any device whose MAC address does not match an entry on a pre-approved list. Because a MAC address can be changed in software, filtering deters casual users but not an attacker who has sniffed an approved address and spoofed it.

Antispoofing

Measures on routers and firewalls that protect against IP spoofing attacks. A common implementation is ingress filtering: rules that drop packets arriving on an external interface whose source address belongs to the internal network, to loopback, or to other ranges that could not legitimately originate there.

signature-based monitoring

A monitoring technique used by an IDS that examines network traffic to look for well-known patterns and compares the activities against a predefined signature.

Flood Guard

A network device feature that blocks flooding-type DoS/DDoS attacks (for example SYN floods or MAC floods) by limiting the rate of new connections or addresses from a source; frequently part of a firewall or IDS/IPS.

Wireless scanners

A scanner that sweeps the wireless frequency bands to discover networks and clients. Scanners help discover rogue APs and misconfigured networks; some tools also capture authentication handshakes in order to attempt cracking of the pre-shared keys used by wireless APs.

nmap

A network utility that scans hosts and ports to map a network and identify the services and operating systems running on it. With its scripting engine it is also frequently used for basic vulnerability detection, although it is not a full vulnerability scanner.

Netcat

A network utility program that reads from and writes to network connections.

password cracker

A program that takes a file of hashed passwords and attempts to recover the plaintexts offline by hashing candidate passwords (dictionary, rule-based, or brute-force) and comparing the results against the stored hashes.

Honeypot

A security tool used to lure attackers away from the actual network components. Also called a decoy or sacrificial lamb.

network scanner

A tool that enumerates your network and provides a map of the network.

protocol analyzer

A type of diagnostic software that can examine and display data packets that are being transmitted over a network. Also called a network analyzer.

NIPS (network-based intrusion prevention system)

A type of intrusion prevention that protects an entire network. It is placed inline at the edge of the network or in the network's DMZ so that it can block malicious traffic rather than only report it.

configuration compliance scanner

A type of vulnerability scanner that verifies systems are configured correctly. It will often use a file that identifies the proper configuration for systems.

site-to-site VPN

A virtual private network in which multiple sites can connect to other sites over the Internet.

Remote Access

Ability to connect to a computer, over a network, as though you were physically present at the keyboard.

dissolvable or permanent

Agents on clients can be either dissolvable or permanent. A permanent agent (sometimes called a persistent NAC agent) is installed on the client and stays on the client. ... A dissolvable agent is downloaded and run when the client connects, and some dissolvable NAC agents remove themselves immediately after they report back to the NAC system.

active and passive

An active/passive cluster consists of one active server and one passive standby server, with a load balancer or cluster manager determining when failover is required. To prevent performance degradation after the primary server fails, both servers should have identical hardware.

Inline vs passive IDS

An inline sensor is inserted into a network segment so that the traffic it monitors must pass through it, which is what lets it block traffic (IPS). A passive sensor monitors a copy of network traffic from a tap or mirror port; the actual traffic does not pass through the device, so it can only detect and alert (IDS).

SSL/TLS accelerators

Appliances that offload the processor-intensive public-key operations of Transport Layer Security (TLS) handshakes, and those of its predecessor Secure Sockets Layer (SSL), to dedicated hardware, freeing the web servers behind them to serve content.

Permission issues

Audits should be done regularly to verify that personnel have the correct access: no more than their role requires (least privilege), and no less than they need to do their work.

Access violations

Establish baselines of normal access so that violations can be identified as deviations from the norm. Occasional "wrong clicks" can be weeded out; what matters are patterns such as brute-force attempts, probes where an attacker tries to see what they can reach, and attempts to map the network.

Logs and events anomalies

Check logs for any suspicious activity, and verify beforehand that logging is enabled on the relevant devices and applications so that such activity is captured at all.

Band selection/width

Wireless APs can operate in the 2.4 GHz band, the 5 GHz band, or both, depending on which 802.11 standard is in use. Channel width (20, 40, 80 MHz and wider) trades throughput against interference; wide channels in the crowded 2.4 GHz band overlap neighbouring networks and degrade everyone's performance.

nslookup

Command-line program, available on Windows and on UNIX-like systems, used to query a DNS server and determine exactly what information it provides about a specific host name or record type.

SSL decryptors

Devices that terminate a client's TLS (or SSL) session and open a separate session to the server, so that other security devices can inspect the decrypted traffic sent to and from the Internet. Clients must trust the decryptor's CA certificate, or every intercepted site will raise certificate warnings.

Tunnel Mode (IPSec)

Encapsulates and protects the entire original IP packet, header and payload, inside a new IP packet with a new outer header. Used for site-to-site and remote-access VPNs between security gateways.

Unencrypted credentials/clear text

Ensure that usernames and passwords are never transmitted in clear text: protect them in transit with SSL/TLS, SSH, or a VPN wherever possible, and replace protocols such as Telnet and FTP that send credentials unencrypted.

aggregation

Event aggregation is a simple concept, but it is important to understand the nuances to operate the SIEM effectively. In short, aggregation allows a SIEM to reduce event volume by combining like events into a single summarized record with a count.

forward and reverse proxy

A forward proxy sits in front of clients and retrieves resources from the Internet on their behalf, hiding the clients and enforcing policy on outbound requests. A reverse proxy sits in front of one or more servers and retrieves resources from them on behalf of clients; the resources are returned to the client as if they originated from the proxy itself, which hides the back-end servers.

bridge

In telecommunication networks, a bridge is a product that connects a local area network (LAN) to another local area network that uses the same protocol (for example, Ethernet or token ring).

virtual IPs

An IP address that is not tied to a single physical host. Clients connect to the virtual IP (VIP) advertised by a load balancer or failover pair, and the VIP is forwarded or moved to whichever back-end server is currently active, so a failover does not change the address clients use.

NAC

Network Access Control. A system that checks a device's identity and security posture (patch level, antivirus, configuration) before granting it network access, often placing non-compliant devices in a quarantine VLAN until they are remediated.

Scheduling

Numerous scheduling algorithms, also called load-balancing methods (round robin, weighted round robin, least connections, source-IP hash), are used by load balancers to determine which back-end server to send a request to.

Encryption

Process of converting readable data into unreadable characters to prevent unauthorized access.

Mail Gateway DLP

Protects against sensitive information being sent out via email.

cloud-based

Refers to applications ( word processing, presentation, spreadsheet) and files made available to users on demand via the Internet.

Certificate issues

Self-signed certificates aren't trusted by browsers because they were generated by the server itself rather than issued by a certificate authority (CA) the browser trusts. A certificate is self-signed when its issuer field is identical to its subject field. Other common certificate issues are expiry, a hostname that does not match the subject or subject alternative names, and an incomplete certificate chain.

spam filter

Software that limits email traffic based on the email's content, attachments, or sender's address.

DLP (Data Loss Prevention)

System or set of rules designed to stop leakage of sensitive information. Usually applied to Internet appliances to monitor outgoing network traffic.

Backup Utilities

System software can automatically copy important business files somewhere else if the original files get deleted or corrupted.

TLS

Transport Layer Security. Used to encrypt traffic on the wire. TLS is the replacement for SSL and, like SSL, uses certificates issued by CAs. EAP-TLS and PEAP both use TLS to protect the authentication exchange on 802.1X networks; both require a CA-issued server certificate, and EAP-TLS additionally requires client certificates.

passive vs active

The Intrusion Detection System mentioned above is an example of a passive monitoring tool. ... Unlike the passive IDS, an IPS is active: authorized network traffic constantly flows into and out of the IPS, while unauthorized traffic is stopped from proceeding further.

Time synchronization

Devices should synchronize their clocks to a common time source (NTP) so that events from different systems can be ordered correctly. The SIEM normalizes timestamps to a common time zone, but it cannot correct for clocks that were wrong at the source, so unsynchronized devices make correlation unreliable.

Event Deduplication

The SIEM system can trim event logging so that the same event is not recorded over and over again, filling up the log space.

AH vs ESP VPN

The AH protocol provides a mechanism for authentication only: AH provides data integrity, data origin authentication, and an optional replay protection service, but no encryption. The ESP protocol provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). ESP can be used with confidentiality only, authentication only, or both confidentiality and authentication.

Layer 2 vs Layer 3 Switch

The main difference between a Layer 2 switch and a Layer 3 switch is the routing function. ... A Layer 3 switch has both a MAC address table and an IP routing table, and handles intra-VLAN communication as well as routing packets between different VLANs. A switch that adds only static routing is known as a Layer 2+ or Layer 3 Lite switch. (Layer 2 forwards on hardware/MAC addresses; Layer 3 forwards on IP addresses.)

Antenna Types and Placement

The most important rule of thumb in antenna placement is to keep line of sight between all your antennas and transmitters for optimal performance. The orientation (polarization) of your antennas should match, or be as close as possible to the same plane as, the transmitter's. For security, place APs toward the centre of the building and tune transmit power so that coverage does not spill far beyond the walls, where an attacker could reach it from the car park.

Implicit Deny

The principle that anything not explicitly allowed is denied; a firewall or router ACL ends with an implicit deny that drops any packet no earlier rule permitted. In file-system and directory permissions, an implicit deny occurs when a user or group is neither granted a specific permission on an object nor explicitly denied it; the result is still no access.

network mapping

The study of physical and logical connectivity of networks.

ipconfig

The utility used to display TCP/IP addressing and domain name information in the Windows client operating systems.

Correlation

The various appliances in your network should constantly generate event logs that are fed into your SIEM. A SIEM correlation rule tells the SIEM which sequences or combinations of events, across sources and within a time window, indicate an anomaly that may point to a security weakness or an attack in progress.

Automated alerting and triggers

Notifications sent out when events matching administrator-configured conditions appear in the collected logs, so that analysts do not have to watch the logs continuously.
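
The four SIEM functions on this page (aggregation, deduplication, correlation, and alerting) in one runnable pipeline. This is an added example, not code from the page or from any SIEM product: the log lines are constructed in an sshd-like format, and the field names, the failure threshold and the five-minute window are assumptions chosen for the illustration.

```python
"""SIEM-style deduplication, aggregation and correlation (added example).

Raw syslog-like lines (constructed) are parsed, exact duplicates are collapsed,
like events are aggregated into counts, and a correlation rule fires when one
source fails authentication `threshold` times and then succeeds within `window`:
the classic brute-force-then-success pattern that should trigger an alert.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
                  r"password for (?P<user>\S+) from (?P<src>\S+)$")

# Constructed sample log; the second line is an exact duplicate of the first.
RAW = """\
2024-05-01T10:00:01 bastion sshd: Failed password for admin from 198.51.100.23
2024-05-01T10:00:01 bastion sshd: Failed password for admin from 198.51.100.23
2024-05-01T10:00:03 bastion sshd: Failed password for admin from 198.51.100.23
2024-05-01T10:00:05 bastion sshd: Failed password for root from 198.51.100.23
2024-05-01T10:00:09 bastion sshd: Failed password for admin from 198.51.100.23
2024-05-01T10:00:12 bastion sshd: Failed password for admin from 198.51.100.23
2024-05-01T10:00:15 bastion sshd: Accepted password for admin from 198.51.100.23
2024-05-01T10:01:00 bastion sshd: Failed password for bob from 10.0.0.8
2024-05-01T10:01:30 bastion sshd: Accepted password for bob from 10.0.0.8
""".splitlines()


def parse(lines):
    """Normalize raw lines into dicts with a real datetime."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def deduplicate(events):
    """Drop exact repeats (same timestamp and fields) that only waste log space."""
    seen, out = set(), []
    for e in events:
        key = (e["ts"], e["host"], e["result"], e["user"], e["src"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def aggregate(events):
    """Collapse like events into (result, source) -> count."""
    return Counter((e["result"], e["src"]) for e in events)


def correlate(events, threshold=4, window=timedelta(minutes=5)):
    """Alert when a source has >= threshold failures followed by a success in window."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, e in enumerate(events):
        if e["result"] != "Accepted":
            continue
        fails = [f for f in events[:i]
                 if f["src"] == e["src"] and f["result"] == "Failed"
                 and e["ts"] - f["ts"] <= window]
        if len(fails) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"],
                           "failures": len(fails), "at": e["ts"].isoformat()})
    return alerts


def run_demo():
    events = deduplicate(parse(RAW))
    return events, aggregate(events), correlate(events)


if __name__ == "__main__":
    evts, counts, alerts = run_demo()
    print(len(evts), "events after dedup;", dict(counts))
    for a in alerts:
        print("ALERT brute-force-then-success:", a)
```

A single failed login from 10.0.0.8 is noise; five failures from 198.51.100.23 followed by a success is the pattern worth waking someone up for. Real SIEMs deduplicate within a time window and keep a repeat count rather than dropping the copies outright, so the number of repeats is itself available as evidence.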

Stateful vs Stateless Firewall

Stateless firewalls watch network traffic and restrict or block packets based on source and destination addresses, ports, or other static values in each packet. They are not aware of traffic patterns or data flows: their simple rule-sets cannot tell whether an inbound packet that looks like a reply was actually requested by an inside host, so an attacker can craft packets "pretending" to be something you asked for. Stateful firewalls track traffic streams from end to end. They know which stage a TCP connection is in (SYN sent, SYN-ACK received, established, closing) and admit an inbound packet only if it belongs to a connection that was legitimately opened. They can also notice anomalies such as a changed MTU or fragmented packets. Many stateful firewall appliances also terminate IPsec VPN tunnels, although that is a separate function from state tracking.
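
The two designs side by side, as an added example (not from the page or any firewall product): a stateless rule-set that approximates "reply traffic" with a static ACK rule, and a stateful filter that follows the TCP handshake. The addresses, ports and packets are constructed; the policy (inside may open connections out, outside may not open connections in) is an assumption for the illustration.

```python
"""Stateless packet filter beside a stateful one (added example, constructed data).

Packets are (src_ip, src_port, dst_ip, dst_port, tcp_flags). The stateless
filter has no memory, so its only way to admit replies is "inbound with ACK",
which an outsider satisfies just by setting the flag. The stateful filter keeps
a connection table and admits inbound packets only for connections the inside
actually opened.
"""
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/24")


def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


def stateless_filter(pkt):
    """Static rules only: decided per packet, no memory of earlier packets."""
    src, _sport, dst, _dport, flags = pkt
    if is_inside(src) and not is_inside(dst):
        return "allow"                          # outbound always allowed
    if not is_inside(src) and is_inside(dst) and "ACK" in flags:
        return "allow"                          # "has ACK, so it must be a reply"
    return "deny"


class StatefulFilter:
    """Connection table keyed by the inside host's 4-tuple, with handshake states."""

    def __init__(self):
        self.table = {}   # (in_ip, in_port, out_ip, out_port) -> state

    def _established(self, key, flags):
        if "FIN" in flags or "RST" in flags:
            self.table.pop(key, None)           # connection torn down, forget it
        return "allow"

    def filter(self, pkt):
        src, sport, dst, dport, flags = pkt
        if is_inside(src) and not is_inside(dst):            # outbound
            key = (src, sport, dst, dport)
            state = self.table.get(key)
            if flags == {"SYN"} and state is None:
                self.table[key] = "SYN_SENT"                  # inside opens a connection
                return "allow"
            if state == "SYN_ACK_SEEN" and "ACK" in flags:
                self.table[key] = "ESTABLISHED"               # handshake complete
                return "allow"
            if state == "ESTABLISHED":
                return self._established(key, flags)
            return "deny"
        if not is_inside(src) and is_inside(dst):            # inbound
            key = (dst, dport, src, sport)
            state = self.table.get(key)
            if state == "SYN_SENT" and flags == {"SYN", "ACK"}:
                self.table[key] = "SYN_ACK_SEEN"
                return "allow"
            if state == "ESTABLISHED":
                return self._established(key, flags)
            return "deny"                                    # no connection: not a reply
        return "deny"


def run_demo():
    sf = StatefulFilter()
    packets = [
        ("10.0.0.5", 51000, "93.184.216.34", 443, {"SYN"}),         # inside opens HTTPS
        ("93.184.216.34", 443, "10.0.0.5", 51000, {"SYN", "ACK"}),  # genuine reply
        ("10.0.0.5", 51000, "93.184.216.34", 443, {"ACK"}),         # handshake done
        ("93.184.216.34", 443, "10.0.0.5", 51000, {"ACK"}),         # server sends data
        ("198.51.100.9", 443, "10.0.0.5", 51000, {"ACK"}),          # forged "reply"
        ("198.51.100.9", 40000, "10.0.0.5", 22, {"SYN"}),           # inbound SSH scan
    ]
    return [(stateless_filter(p), sf.filter(p)) for p in packets]


if __name__ == "__main__":
    for (stateless, stateful) in run_demo():
        print(f"stateless={stateless:5}  stateful={stateful}")
```

Packet five is the whole argument: the stateless filter lets the forged ACK through because the flag matches its rule, while the stateful filter denies it because no inside host ever opened a connection to 198.51.100.9. Both filters stop the plain inbound SYN, so the difference only shows up with crafted traffic.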

In-Band vs Out-of-Band

This refers to the placement of the monitoring equipment relative to the traffic it watches: is the tool in the critical path of network data or not? If the tool is not in the main data path and works from copies of the packets (from a tap or mirror port), it is out-of-band. If it processes the original data as it passes through, it is in-band, also called inline.

NIDS (network-based intrusion detection system)

Examines all network traffic to and from the monitored systems. As software it is installed on servers or sensors positioned where they can see the traffic; as hardware it is connected to a switch mirror (SPAN) port or a network tap so that it receives a copy of the traffic.

Application/multipurpose proxy

An application proxy inspects many parts of a packet, including both the header and the data portion, so it can filter on source and destination IP addresses and ports as well as on application-layer content such as URLs, methods, and file types. A multipurpose proxy handles several protocols in one device.

Steganography tools

Tools that enable you to hide data within image, video, and sound files so that its presence is not apparent, and to extract it again. Steganography conceals data; it does not encrypt it, so the payload should be encrypted first if its confidentiality matters once the hiding is discovered.
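
The simplest technique such tools use, least-significant-bit embedding, as an added example (not from the page or any steganography tool). The "image" is a constructed bytearray of grayscale pixels rather than a real file, so the example runs offline; a real tool applies the same operation to the pixel data of a PNG or BMP.

```python
"""LSB steganography embed/extract on a raw grayscale image (added example).

Each payload bit replaces the least-significant bit of one pixel byte, preceded
by a 32-bit big-endian length header so the extractor knows where to stop.
Changing a pixel's LSB alters its value by at most 1, which is invisible to the
eye; that is why the method hides, but does not protect, the data.
"""
import struct


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, payload):
    """Return a copy of pixels with the payload hidden in the LSBs."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("payload too large for cover image")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(pixels):
    """Recover the hidden payload from the LSBs."""
    def read_bytes(start, n):
        val = bytearray()
        for b in range(n):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (pixels[start + b * 8 + k] & 1)
            val.append(byte)
        return bytes(val)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    return read_bytes(32, length)               # payload starts after the 32 header bits


def max_pixel_change(original, stego):
    """Visual-impact check: LSB embedding changes each pixel by at most 1."""
    return max(abs(a - b) for a, b in zip(original, stego))


def run_demo():
    # Constructed 64x64 grayscale cover image with a simple gradient.
    cover = bytes((x * 4 + y) % 256 for y in range(64) for x in range(64))
    secret = b"meet at 0900"
    stego = embed(cover, secret)
    return extract(stego) == secret, max_pixel_change(cover, stego), len(stego) == len(cover)


if __name__ == "__main__":
    recovered, delta, same_size = run_demo()
    print("payload recovered:", recovered, "| max pixel change:", delta, "| size unchanged:", same_size)
```

Detection tools work the other way round: they look at the statistics of the LSB plane, which in a natural image is noisy but not uniformly random, and flag images whose LSBs look like a length header followed by structured data.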

Data sanitization tools

Tools used to remove data so that it cannot be recovered, typically by overwriting the storage a configurable number of times with patterns or random data. Note that overwriting is unreliable on SSDs and flash media because of wear levelling; there, the drive's secure-erase command, cryptographic erasure of an encrypted volume, or physical destruction is needed.

exploitation frameworks

Tools that bundle exploit code for known vulnerabilities together with payloads and supporting modules (scanners, post-exploitation). They are often used by penetration testers (and attackers) to detect vulnerable software and exploit it; Metasploit is the best-known example.

DLP usb blocking

Endpoint DLP controls that block or restrict removable storage such as USB drives and CD/DVD media to prevent theft or leakage of documents and source code, typically with the ability to whitelist approved (often hardware-encrypted) devices while blocking everything else.

Rules of IDS

Understanding what kind of threat or vulnerability a rule detects helps you determine where the rule should be enabled and whether it is applicable to your environment; rules for software you do not run add false positives and processing cost without benefit.

false negative

When a system fails to flag a genuine attack or malicious action, incorrectly accepting it as benign. (The opposite error, flagging a benign action as malicious, is a false positive.)

Application-based vs. network-based

A network-based firewall filters traffic passing between the Internet and the secured LAN (and vice versa), while a host-based firewall is a software application or suite of applications installed on a single computer that protects that host alone.

tcpdump

tcpdump is a common packet analyzer that runs from the command line. It allows the user to display TCP/IP and other packets being transmitted or received on a network to which the computer is attached, and to write them to a capture file for later analysis. Distributed under the BSD license, tcpdump is free software.

IP

Internet Protocol: a set of rules governing the format and addressing of data sent over the Internet or another network.

SIEM

Security Information and Event Management. A system that collects, normalizes, and correlates security events from throughout the organization.

Round Robin

Round robin is the simplest load-balancing scheduling algorithm: requests are handed to the back-end servers in rotation, each server receiving one request in turn regardless of its current load. (The same name is used for the pre-emptive CPU scheduling algorithm in which each process is given a fixed time slice, called a quantum, before it is pre-empted and the next process runs.)
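
Round robin, affinity (sticky sessions) and a health check in one small load balancer model, as an added example for the "Scheduling", "affinity", "active and passive" and "Round Robin" cards on this page. It is not code from the page or from any load-balancer product; the back-end names and client address are constructed.

```python
"""Load-balancer scheduling with affinity and health checks (added example).

Round robin cycles through healthy back-ends in order. Source-IP affinity hashes
the client address so the same client keeps hitting the same back-end, which
matters when session state lives in server memory. A back-end that fails its
health check is skipped, and a pinned client is re-mapped only when its own
back-end is the one that is down.
"""
import hashlib
import itertools


class LoadBalancer:
    def __init__(self, backends):
        self.backends = list(backends)
        self.healthy = {b: True for b in backends}
        self._rr = itertools.cycle(self.backends)
        self.affinity = {}                    # client_ip -> backend

    def set_health(self, backend, ok):
        """Result of the periodic health check for one back-end."""
        self.healthy[backend] = ok

    def _healthy_backends(self):
        return [b for b in self.backends if self.healthy[b]]

    def round_robin(self):
        """Next healthy back-end in strict rotation."""
        for _ in range(len(self.backends)):
            b = next(self._rr)
            if self.healthy[b]:
                return b
        raise RuntimeError("no healthy back-ends")

    def source_ip_hash(self, client_ip):
        """Deterministic: same client -> same back-end while the pool is unchanged."""
        healthy = self._healthy_backends()
        if not healthy:
            raise RuntimeError("no healthy back-ends")
        digest = hashlib.sha256(client_ip.encode()).digest()
        return healthy[int.from_bytes(digest[:4], "big") % len(healthy)]

    def sticky(self, client_ip):
        """Affinity table: pin on first request, re-pin only on failover."""
        b = self.affinity.get(client_ip)
        if b is None or not self.healthy[b]:
            b = self.round_robin()
            self.affinity[client_ip] = b
        return b


def run_demo():
    lb = LoadBalancer(["web1", "web2", "web3"])
    out = {}
    out["round_robin"] = [lb.round_robin() for _ in range(4)]
    out["sticky_before"] = [lb.sticky("203.0.113.7") for _ in range(3)]
    out["hash_stable"] = len({lb.source_ip_hash("203.0.113.7") for _ in range(5)}) == 1
    lb.set_health("web2", False)              # health check fails on web2
    out["sticky_after_failover"] = [lb.sticky("203.0.113.7") for _ in range(2)]
    out["round_robin_degraded"] = [lb.round_robin() for _ in range(2)]
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:24} {value}")
```

Affinity is a security trade-off as well as a convenience: pinning by source IP puts every client behind one corporate NAT address on the same server, and cookie-based affinity must not expose back-end names or let a client choose its server.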

ARP

Address Resolution Protocol. Resolves IP addresses to MAC addresses. ARP poisoning attacks can redirect traffic through an attacker's system by sending false MAC address updates for the gateway or for other hosts. VLAN segmentation limits the scope of ARP poisoning attacks, since ARP does not cross VLAN boundaries.
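
What the poisoning described above looks like to a monitor, as an added example (not from the page or any product): a watcher that records the IP-to-MAC binding each ARP reply asserts and alerts on changes. The ARP replies are constructed tuples; a real monitor would take them from a packet capture.

```python
"""Detecting ARP poisoning from observed ARP replies (added example, constructed data).

A reply that changes the MAC for an IP already bound to another MAC is the
tell-tale of poisoning (or a legitimate NIC swap, hence alert rather than block).
A single MAC claiming the gateway's IP and other hosts' IPs at once is a second,
stronger signal of a man-in-the-middle.
"""


class ArpWatch:
    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.bindings = {}              # ip -> mac as last asserted on the wire
        self.alerts = []

    def observe(self, sender_ip, sender_mac):
        """Process one ARP reply ("sender_ip is-at sender_mac"); return new alerts."""
        new = []
        old = self.bindings.get(sender_ip)
        if old is not None and old != sender_mac:
            new.append(f"{sender_ip} changed {old} -> {sender_mac}")
            if sender_ip == self.gateway_ip:
                new.append(f"gateway {sender_ip} now claimed by {sender_mac}")
        self.bindings[sender_ip] = sender_mac
        claimed = [ip for ip, mac in self.bindings.items() if mac == sender_mac]
        if len(claimed) > 1 and self.gateway_ip in claimed:
            others = sorted(ip for ip in claimed if ip != self.gateway_ip)
            new.append(f"{sender_mac} claims gateway plus {others}")
        self.alerts.extend(new)
        return new


def run_demo():
    w = ArpWatch(gateway_ip="10.0.0.1")
    replies = [
        ("10.0.0.1", "aa:aa:aa:aa:aa:01"),   # real gateway announces itself
        ("10.0.0.10", "aa:aa:aa:aa:aa:10"),  # victim host
        ("10.0.0.66", "de:ad:be:ef:00:66"),  # attacker's own address, nothing wrong yet
        ("10.0.0.1", "de:ad:be:ef:00:66"),   # attacker claims the gateway
        ("10.0.0.10", "de:ad:be:ef:00:66"),  # attacker claims the victim too (MITM)
    ]
    for ip, mac in replies:
        w.observe(ip, mac)
    return w.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print("ARP alert:", alert)
```

The first three replies produce no alerts; the last two produce five. Switch-side dynamic ARP inspection does the same binding check against DHCP snooping data and drops the forged replies rather than just reporting them.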

transparent

Transparent proxies are intermediary systems that sit between a user and a content provider without requiring any configuration on the client. When a user makes a request to a web server, the transparent proxy intercepts the request to perform various actions including caching, redirection, and authentication.

Active-Active

Active-active high availability cluster. ... The main purpose of an active-active cluster is load balancing: workloads are distributed across all nodes so that no single node becomes overloaded, and if one node fails its share is absorbed by the others.

Logs/WORM

WORM stands for write once, read many. Storing logs on WORM media or in append-only storage means that an attacker who compromises a system cannot alter or delete the records of what they did.

Split Tunnel VPN

Split tunneling is a VPN configuration that lets a mobile user reach dissimilar security domains at the same time: traffic for the corporate network goes through the encrypted tunnel while traffic for the public Internet goes directly out the local connection. It saves bandwidth on the VPN concentrator, but Internet traffic then bypasses the corporate inspection that a full tunnel would apply.

Banner Grabbing

Banner grabbing is a technique for gathering information about a computer system and the services running on its open ports by reading the identification string a service sends when a client connects. Administrators use it to inventory the systems and services on their network; attackers use it to collect version numbers to match against known vulnerabilities.
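
The exchange behind banner grabbing (and behind the Netcat card above), as an added example that is not from the page or any tool: a throwaway TCP service on loopback greets with a constructed SSH-style banner, and a client reads the first line the way `nc host 22` or a scanner would. The banner string and port are constructed; point grab_banner() at a real host to inventory your own services.

```python
"""Banner grabbing against a local stand-in service (added example, constructed banner).

Many services (SSH, SMTP, FTP) speak first, so the client only needs to connect
and read. HTTP stays silent until probed, hence the optional `probe` argument.
"""
import socket
import threading

FAKE_BANNER = b"SSH-2.0-OpenSSH_9.6 constructed-example\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Bind an ephemeral loopback port, serve the banner once, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host, port, timeout=2.0, probe=None):
    """Connect, optionally send a probe, and return the first line the service sends."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)                      # e.g. b"HEAD / HTTP/1.0\r\n\r\n"
        try:
            while b"\n" not in buf and len(buf) < 1024:
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass                                  # silent service: return what we have
    lines = buf.splitlines()
    return lines[0].decode("ascii", "replace") if lines else ""


def parse_ssh_banner(banner):
    """Split 'SSH-protoversion-softwareversion comments' into inventory fields."""
    if not banner.startswith("SSH-"):
        return None
    ident, _, comment = banner.partition(" ")
    parts = ident.split("-", 2)                   # ["SSH", "2.0", "OpenSSH_9.6"]
    return {"protocol": parts[1],
            "software": parts[2] if len(parts) > 2 else "",
            "comment": comment}


def run_demo():
    port = start_fake_service()
    banner = grab_banner("127.0.0.1", port)
    return banner, parse_ssh_banner(banner)


if __name__ == "__main__":
    raw, info = run_demo()
    print("banner:", raw)
    print("parsed:", info)
```

The defensive lesson is the same as the offensive one: whatever version string the service volunteers is exactly what an attacker will search exploit databases for, so trim banners where the protocol allows it and, more importantly, keep what they advertise patched.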

controller based vs standalone AP

A controller-based (thin) AP hands functions such as authentication, encryption, and policy enforcement to a central wireless controller, which also pushes consistent configuration and firmware to every AP. A standalone (fat) AP performs these functions itself and must be configured and patched individually, so inconsistent settings and missed updates are more likely.

tracert

tracert (traceroute on UNIX-like systems) is a command that shows the path a packet takes from your computer to a destination you specify. It lists each router the packet passes through until it reaches its destination or the packet is discarded.

SSID

Service Set Identifier. Identifies the name of a wireless network. Disabling SSID broadcast can hide the network from casual users, but an attacker can easily discover it with a wireless sniffer because clients still send the SSID when they probe for and join the network. It is recommended to change the SSID from the default name.

Router ACL

A router ACL is an ordered set of rules that controls network traffic and mitigates network attacks. More precisely, its aim is to filter traffic on a router or switch interface according to criteria such as source and destination address, protocol, and port; rules are evaluated top to bottom, the first match wins, and anything unmatched falls to the implicit deny at the end.
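
ACL evaluation with first-match ordering, the implicit deny from the "Implicit Deny" card, and the ingress-filtering rule from the "Antispoofing" card, as an added example (not from the page or any vendor's configuration). The rule syntax is a simplified Cisco-like form chosen for the illustration, and the addresses and packets are constructed.

```python
"""Router ACL evaluation: ordered rules, first match, implicit deny (added example).

The inbound ACL on the Internet-facing interface starts with anti-spoofing
rules: a packet arriving from outside that claims an internal or loopback
source address is forged and must be dropped before any permit can match it.
Rule tuple: (action, protocol, source, destination, dest_port); "any" wildcards,
None means any port.
"""
import ipaddress

INBOUND_ACL = [
    ("deny",   "ip",  "10.0.0.0/8",  "any",          None),   # anti-spoofing
    ("deny",   "ip",  "127.0.0.0/8", "any",          None),   # anti-spoofing
    ("permit", "tcp", "any",         "10.0.1.10/32", 443),    # public web server
    ("permit", "tcp", "any",         "10.0.1.20/32", 25),     # mail relay
]

# The same rules with the anti-spoofing lines moved to the bottom: a common mistake.
MISORDERED_ACL = INBOUND_ACL[2:] + INBOUND_ACL[:2]


def _match_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(acl, pkt):
    """Return (action, rule_index); rule_index None means the implicit deny fired."""
    proto, src, dst, dport = pkt
    for i, (action, r_proto, r_src, r_dst, r_port) in enumerate(acl):
        if r_proto not in ("ip", proto):
            continue
        if not _match_net(src, r_src) or not _match_net(dst, r_dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, i                      # first match wins
    return "deny", None                       # implicit deny at the end of every ACL


def run_demo():
    packets = [
        ("tcp", "198.51.100.7", "10.0.1.10", 443),  # Internet client to web server
        ("tcp", "198.51.100.7", "10.0.1.10", 22),   # SSH to web server: nothing permits it
        ("tcp", "10.0.1.99", "10.0.1.20", 25),      # outsider forging an internal source
        ("udp", "198.51.100.7", "10.0.1.20", 25),   # right port, wrong protocol
        ("tcp", "10.0.1.99", "10.0.1.10", 443),     # forged source aimed at a permitted port
    ]
    correct = [evaluate(INBOUND_ACL, p) for p in packets]
    misordered = evaluate(MISORDERED_ACL, packets[4])
    return correct, misordered


if __name__ == "__main__":
    correct, misordered = run_demo()
    for (action, idx) in correct:
        print(action, "by rule" if idx is not None else "by implicit deny", idx if idx is not None else "")
    print("same spoofed packet against misordered ACL:", misordered)
```

The last line of output is the point about ordering: with the deny rules moved below the permits, the forged packet to port 443 matches the web-server permit first and is let through, even though the anti-spoofing rule is still "in" the ACL.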

Heuristic

a problem solving approach (algorithm) to find a satisfactory solution where finding an optimal or exact solution is impractical or impossible.

Transport mode

An IPSec mode in which only the IP payload is encrypted and the original IP header is left intact; used for host-to-host protection rather than for gateway tunnels.

e-mail

an electronic message used by individuals to communicate with one another

Access Control List (ACL)

In AWS terminology, a network ACL is an optional layer of security for your VPC that acts as a firewall controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups to add a further layer of defense; unlike security groups, network ACLs are stateless, so return traffic must be explicitly allowed.

host health checks

NAC posture checks that verify a connecting host runs up-to-date antivirus and anti-malware, has current patches, and meets configuration requirements before it is granted network access.

Rogue System Detection (RSD)

detects unauthorized devices on your network

anomaly

deviation from what is normal

ping

Sends an ICMP echo request from one computer to another to check whether it is reachable and active, reporting the round-trip time of the reply.

agent vs agentless

Agent-based scanning uses software installed on the client to scan the device; agentless scanning uses existing infrastructure such as Active Directory or remote management protocols to query the device, so nothing is installed on the user's system.

