CompTIA Security+
TEMPEST
Refers to the investigation and control of compromising emanations (conducted and radiated signals from electrical and electronic equipment) that could leak an organization's information to an eavesdropper
- LDAP (Lightweight Directory Access Protocol) - Port 389
- A protocol used during authentication to query (and modify) entries in another system's directory, such as Active Directory. It is a structured query language that lets a computer reach into someone else's directory and look things up. - What port does it use? (LDAP over TLS, LDAPS, uses 636)
- Null sessions - Transitive Access and Client-Side Attacks
- A type of attack on Windows-based servers in which weaknesses in the NetBIOS/SMB networking protocols are exploited to create an unauthenticated (null) connection to the Windows interprocess communication share, IPC$, and enumerate users, shares and policies - These attacks take advantage of transitive or federated trust established between systems or networks
- Buffer Overflow - Integer Overflow - Memory Leak - Land Attack
- An attack that occurs when a process stores data beyond the boundaries of a fixed-length buffer in memory, overwriting adjacent data; it can affect heaps and stacks. - An attack where an arithmetic operation produces a value too large to be represented in the fixed-width integer type, so the value wraps around (for example, a length check that passes because the size became negative or tiny) - When a program allocates memory but does not free it properly after the process using it has completed, so available memory shrinks over time - This attack sends a spoofed TCP SYN packet whose source IP address and port are identical to the target's own IP address and an open port; the system freezes or crashes because it keeps replying to itself.
- msinfo32.exe - "systeminfo" in the command prompt - "winver" in the command prompt
- Before updating or applying patches, what are three ways to find out the version number, build number, and the patch level in Windows?
- Sideloading - by direct Internet connection (usually disabled by default); by connecting to a second mobile device via USB OTG (USB On-The-Go) or Bluetooth; by copying apps directly from a microSD card; or via tethering to a PC or Mac
- Downloading an app from an unofficial third-party website. - What are several ways this can be done?
- ext4 - NTFS - FAT32
- The current default Linux file system; it supports POSIX ownership and permissions and journaling, which is why it is regarded as the best of the three for security - The current Windows file system, which supports access control lists (ACLs), auditing and file encryption (EFS) - The less secure file system commonly used on USB thumb drives; it has no file-level permissions at all
1. Centralized: keys are generated at a central server and are transmitted to hosts. 2. Decentralized: keys are generated and stored on a local computer system for use by that system.
- What are two methods for creating key pairs in a PKI?
Measured Boot
A Windows feature, built on UEFI firmware and the TPM, that records (measures) a hash of each component loaded during startup into a log. Antimalware software can analyze this log to determine whether malware is on the computer or whether the boot components were tampered with.
PAC (Proxy Auto Configuration)
A file in web browsers which automatically chooses an appropriate proxy server
NAC (Network Access Control)
A group of technologies used to inspect network clients prior to granting network access.
Air Gap
A method of isolating an entity, effectively separating it from everything else—the entity could be a CPU, a system, or an entire network.
MSSP (Managed Security Service Providers)
A company that provides security management services (monitoring, managed firewalls, incident response) to subscribing clients; a type of SECaaS (Security as a Service)
Disaster Recovery Plan
DRP
WAF (Web Application Firewall)
A specialized firewall (host-based or a network appliance) that inspects HTTP/HTTPS traffic at the application layer to prevent attacks against web applications such as SQL injection or XSS.
Failover
The process of switching over to a standby system (or reconstructing the failed one) when a failure is detected; in effect, putting your contingency/business continuity plan into action.
Exposure Factor (EF); if you have $5,000.00 tied up in a router and it is destroyed, your EF is 1 (100%). If the asset is only partly destroyed, your EF is less than 1.
The proportion of an asset's value that is likely to be destroyed by a particular risk (expressed as a percentage).
- Plan - Create - Verify - Package - Release - Configure - Monitor
What are the seven steps in DevOps?
1. Full Control: do anything you want 2. Modify: read, write, and delete files & subfolders 3. Read/Execute: see contents and run programs 4. List Folder Contents: see contents of folders & subfolders 5. Read: View contents and open (but not edit) data files 6. Write: Write to files & create new files & folders
What are the six types of Windows Permissions?
- "inner join" - "select from" - "insert into"
What are three SQL commands that you may see on the exam as clues that a SQL injection is taking place?
1. HOTP (HMAC-based One-Time Password): a counter-based code, typically used with hardware tokens; each code stays valid until it is used and the counter advances. 2. TOTP (Time-based One-Time Password): the counter is derived from the current time, so each code is valid only for a short window (commonly 30 seconds) before automatically expiring.
What are two types of one-time passwords?
Wifi Analyzer
What is a great tool to use for checking things like channel congestion when doing a site survey?
The serial numbers of revoked certificates (with the revocation date and, optionally, a reason code), digitally signed by the issuing CA. A CRL never contains keys; a client compares the serial number of a presented certificate against the list.
What is stored in a CRL?
PBKDF2 and bcrypt (both apply a per-password salt and a tunable work factor so that every guess costs the attacker the same number of rounds)
What are two examples of key stretching algorithms?
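An added example (not from the flashcards) of key stretching with PBKDF2-HMAC-SHA256 from Python's standard library: the derived key is stored together with its salt and iteration count, verification uses a constant-time compare, and a timing helper shows what the work factor costs per guess. The record format `pbkdf2_sha256$iterations$salt$key` and the iteration counts are assumptions for the example.

```python
import hashlib
import hmac
import os
import time


def stretch(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256. The iteration count is the work factor: every
    password guess must repeat the same number of HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def make_record(password: str, iterations: int = 600_000) -> str:
    """Store algorithm, iteration count, salt and derived key together (assumed
    format), so the cost can be raised for new records without breaking old ones."""
    salt = os.urandom(16)            # per-user random salt defeats precomputed tables
    dk = stretch(password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def check_record(password: str, record: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = stretch(password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def seconds_per_guess(iterations: int) -> float:
    """Rough cost of one guess at a given work factor: what an attacker pays
    per candidate password, and what the login path pays per attempt."""
    start = time.perf_counter()
    stretch(b"candidate", b"0123456789abcdef", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    rec = make_record("correct horse battery staple", iterations=100_000)
    print(rec)
    print(check_record("correct horse battery staple", rec), check_record("Tr0ub4dor&3", rec))
    for n in (1_000, 100_000):
        print(f"{n:>8} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess")
```

The same password produces a different record every time because of the random salt, which is exactly what stops a rainbow table built for one salt from cracking anyone else's entry.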
CAM table (Content Addressable Memory)
Holds all the MAC-addresses-to-port mappings on a switch. May be referred to as a MAC Address Table.
RSA (Rivest-Shamir-Adleman) Encryption
The most common asymmetric encryption and digital signature system on the Internet. Key generation multiplies two large prime numbers to produce the modulus n; the public key (n, e) is used to encrypt data and to verify signatures, and the private key (n, d) is used to decrypt data and to create signatures. Its security rests on the difficulty of factoring n back into its two primes.
1. Categorize your information systems: understand your workflows, processes, vendors, data sensitivity, etc. 2. Select your security controls 3. Implement security controls: how will you enact all the controls you have selected? 4. Assess security controls: before everything goes online, verify that the controls work properly 5. Authorize the system: the authorizing official accepts the residual risk and says yes, let's do this 6. Monitor the controls
Six Steps in NIST Risk Management
1. Identify Assets 2. Identify Vulnerabilities 3. Identify Threats 4. Identify Likelihood of Threats 5. Identify Impact of Threats 6. Risk Response (accept, mitigate, transfer or avoid each risk based on its likelihood and impact)
Six Steps of Risk Assessment
RedPill, Scooby Doo, and LDT checks
What are three techniques that specifically target virtual machines? (They are VM-detection techniques: each inspects where instructions such as SIDT and SLDT report the interrupt or local descriptor table, which differs under a hypervisor, so malware can tell it is running in a VM or sandbox and change its behaviour.)
- Passive Discovery is when you aren't sending any packets from your attacking computer to the target. Things like doing a "whois" lookup or making phone calls. - Semi-Passive Discovery is sending some packets to the target, but nothing that would raise alarms or set off intrusion detection. For example, browsing the target's website like a normal visitor. - Active Discovery is putting packets downrange on the target: running scanners, Nmap, and similar tools that could alert an intrusion detection system or firewall.
What are three ways you can discover vulnerabilities while pen testing?
- "ping -t" which will make ping run continuously. In Linux, you don't need the "-t" switch to make ping keep running.
What command line tool and switch might you use when checking intermittent connection issues?
- TACACS+
What is a proprietary Cisco protocol used for AAA (over TCP port 49, encrypting the whole packet body) that is primarily used to remotely manage network devices such as routers and switches?
- Ettercap
What is a tool that comes with Kali Linux that allows you carry out many types of MITM attacks?
Disk Duplexing
What is it called when each disk in a RAID array is connected to a separate controller?
RC4: a stream cipher with a 2064-bit internal state (a 256-byte permutation plus two 8-bit indices) and key sizes from 40 to 2048 bits. It is now considered broken because of biases in its keystream and is prohibited in TLS by RFC 7465.
What is the best-known stream cipher and what are its properties?
Redundancy is applying the same type of security measure in multiple layers, like having lots of WWI trenches. Diversity is having lots of different types of security measures, such as adding barbed wires & mines to the trenches
What is the difference between Redundancy and Diversity?
- A Procedure is a step-by-step set of instructions on how you do something - Guidelines can also help but are considered optional. Everything else is required
What is the difference between a Procedure and a Guideline?
A stateless packet filter (pure packet filtering) decides on each packet from its header fields alone and keeps no memory of the packets that have passed through the firewall; because of this it can be fooled by IP spoofing, since a forged packet that merely looks like a reply to an established session is let through. A firewall doing stateful packet inspection (SPI) keeps a table of active connections, checks the header of each packet against that table, and can therefore distinguish legitimate replies from forged ones. Both work on network-layer (and transport-layer) header fields of the OSI model.
What is the difference between stateful (SPI) and stateless packet filtering on a firewall?
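An added example (not from the flashcards) simulating the two firewall types over constructed packets: the stateless filter implements the classic "let inbound TCP in if ACK is set" rule and therefore admits a forged packet, while the stateful filter only admits inbound packets that reverse a flow it saw opened from inside. The 10.0.0.0/8 internal range, the addresses and the packet fields are assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE


def stateless_allow(pkt: Packet) -> bool:
    """Pure packet filter: decides from this packet's header alone.
    Rule 1: anything from inside may go out.
    Rule 2: inbound TCP is allowed only if ACK is set, the old approximation
    of 'replies to established sessions'. An attacker simply sets ACK."""
    if is_internal(pkt.src):
        return True
    return pkt.ack


class StatefulFilter:
    """Stateful packet inspection: remembers flows opened from inside and
    admits inbound packets only when they match one of them."""

    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport) of outbound connections

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            if pkt.syn and not pkt.ack:          # new outbound connection
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: must be the reverse of a tracked flow, whatever flags it carries.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def demo() -> dict:
    """Returns (stateless decision, stateful decision) for a genuine reply and
    for a spoofed 'reply' the inside host never asked for (constructed packets)."""
    fw = StatefulFilter()
    outbound = Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True)
    real_reply = Packet("203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True)
    forged = Packet("198.51.100.7", 443, "10.0.0.5", 22, ack=True)
    stateless_allow(outbound)
    fw.allow(outbound)
    return {
        "real_reply": (stateless_allow(real_reply), fw.allow(real_reply)),
        "forged": (stateless_allow(forged), fw.allow(forged)),
    }


if __name__ == "__main__":
    print(demo())   # real_reply: (True, True), forged: (True, False)
```

A production implementation also ages entries out of the flow table and tracks the TCP handshake state, but the decisive difference is already visible: the stateful filter drops the forged packet because no inside host opened a connection to 198.51.100.7.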
Based on AES encryption (AES-CBC, and XTS-AES on current Windows versions) and can use 128-bit or 256-bit keys
What standard does Bitlocker use and what key sizes?
A Reverse Proxy Server acts as the representative of the server instead of the client. It has very specific jobs. First, it shields the servers from hostile clients on the Internet and can absorb or filter DoS traffic. It also does load balancing: with multiple servers, the proxy sends each request to the server with the lightest workload. It can cache content just like a forward proxy, and it can offload TLS (encryption acceleration) so the back-end servers do not have to.
What type of proxy acts as a representative for the server?
UAC (User Account Control)
Windows security feature that keeps every user (besides the actual Administrator account) in standard user mode instead of as an administrator—even if the person is a member of the administrators group. Enables standard accounts to do common tasks and provides a permissions dialog box when standard and administrator accounts do certain things that could potentially harm the computer (such as attempt to install a program).
- DNS Sinkhole - DNS Blackhole; remote is RTBH - DNS Blackhole List (DNSBL)
- A DNS server configured to hand out false answers to bots: it detects and blocks malicious traffic by resolving known-bad domains to nonroutable addresses. The same technique can be used maliciously to redirect unwary users to unwanted IP addresses and domains. - Similar to the above; it is used to identify domains used by spammers, domains that host malware, and so on, and to drop traffic to those domains. It can also be remotely triggered (RTBH, remotely triggered black hole) by a router advertising a route to the null interface. - A published list of IP addresses, queried through DNS, of computers and networks involved in spamming and other malicious activity such as DDoS attacks initiated by botnets. The list can be downloaded and used on an organization's DNS or mail server to help block zombie computers and botnets.
- SFC (System File Checker) - "sfc /scannow"
- A Windows command line utility that verifies and, if necessary, refreshes a Windows system file, replacing it with one kept in a cache of current system files. - How would you type it in the command line?
- Wildcard Certificate - User Certificates - SAN (Subject Alternative Name) field
- A certificate that can be used for multiple domains with the same root domain. It starts with an asterisk. For example: "*.davidlprowse.com" - These certificates are assigned to individual users who must provide their assigned certificate for authentication prior to accessing certain resources such as web sites, hosts, and any authentication mechanism. - Altering this field in a multidomain PKI certificate allows smaller organizations to specify additional hostnames, domain names, IP addresses, and so on that are associated with a certificate; multiple hostnames are protected by a single certificate. For example, you could also cover "davidprowsetraining.com"
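An added example (not from the flashcards) showing how a client decides whether a wildcard certificate or a SAN list actually covers a hostname, using the RFC 6125 rules browsers apply: the wildcard must be the entire left-most label, matches exactly one label, and a SAN extension takes precedence over the CN. The certificate dicts are constructed stand-ins for parsed X.509 fields, and the "*.com" check is a simplified stand-in for public-suffix handling.

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one presented DNS name (CN or SAN entry) against a hostname.
    Comparison is case-insensitive; a wildcard is allowed only as the whole
    left-most label, stands for exactly one label, and may not sit directly
    under a root such as '*.com' (simplified public-suffix rule)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3:      # rejects "w*.example.com" and "*.com"
        return False
    if len(plabels) != len(hlabels):               # no bare domain, no extra sub-label
        return False
    return plabels[1:] == hlabels[1:]


def certificate_covers(cert: dict, hostname: str) -> bool:
    """`cert` is a constructed dict {"cn": "...", "san": [...]} standing in for
    parsed certificate fields. When a SAN extension with DNS names is present
    the CN is ignored, which is what current browsers do."""
    names = cert.get("san") or [cert["cn"]]
    return any(hostname_matches(name, hostname) for name in names)


if __name__ == "__main__":
    cert = {
        "cn": "*.davidlprowse.com",
        "san": ["*.davidlprowse.com", "davidlprowse.com", "davidprowsetraining.com"],
    }
    for host in ("www.davidlprowse.com", "davidlprowse.com",
                 "a.b.davidlprowse.com", "davidprowsetraining.com"):
        print(host, certificate_covers(cert, host))
```

The two failure cases worth remembering from the output: "*.davidlprowse.com" alone does not cover the bare "davidlprowse.com" (it has to be listed separately in the SAN), and it never covers a host two labels deep.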
- Server Cluster 1. Failover clusters: otherwise known as high-availability clusters, these are designed so that a secondary server can take over if the primary one fails, with limited or no downtime. A failover cluster removes the server as a single point of failure, regardless of what failed on it (hard disk, CPU, memory, and so on). An example would be two Microsoft domain controllers. 2. Load-balancing clusters: multiple computers connected together to share resources such as CPU, RAM and hard disks, spreading the workload across all the servers so no single one is overloaded.
- A combination of two or more servers that are interconnected to appear as one. - What are two types of ways to break this process down?
- Key Escrow - KRA (Key Recovery Agent)
- A control procedure whereby a trusted third party is given a copy of a user's private key in case the key is lost - Software used to archive or recover lost or damaged private keys
- Ping of Death (POD) Attack - Teardrop Attack - Permanent DoS Attack (Phlashing, or PDoS) - Fork Bomb
- A crafted ICMP packet larger than the maximum 65,535 bytes; causes the recipient system to crash or freeze. - A type of DoS that sends mangled IP fragments with overlapping and oversized payloads to the target machine. This can crash and reboot various operating systems due to a bug in their TCP/IP fragmentation reassembly code. - Consists of an attacker exploiting security flaws in routers and other networking hardware by flashing the firmware of the device and replacing it with a modified image. - An attack that works by creating a large number of processes quickly to saturate the available processing space in the computer's operating system. It is a type of "wabbit" or "bacteria".
- SLE (Single Loss Expectancy); for example, if you have $5,000.00 tied up in a router and a flood destroys it, $5,000.00 is your SLE - ARO (Annualized Rate of Occurrence) - ARO is calculated by dividing the number of failures by the number of years over which they occur. For example: 1 failure every 5 years (1/5 = 0.20), or 20% - ALE (Annualized Loss Expectancy); SLE x ARO = ALE. For the router above, ALE would be $5,000.00 x 0.20 = $1,000.00
- A monetary value that represents how much you expect to lose at any one time (asset value x exposure factor) - In a given year, what is the percentage chance of a particular incident taking place? - How is this calculated? - What lets you express, in real dollars, how much you are expected to lose annually based on the percentage chance of a certain risk happening and how is it calculated?
- DLL injection - Shimming - Pass the Hash
- A technique in which malware runs code inside the address space of another process by forcing that process to load a Dynamic Link Library and execute it - This is when malware inserts itself as a shim (a DLL, for example) between an application and the real system library the application is trying to call, intercepting the calls - This is when an attacker takes a captured password hash (for example an NTLM hash read from memory or the SAM) and uses it directly to authenticate to a service as that user, without ever needing the plaintext password
- Nonce - Pharming
- A random number issued by an authentication protocol that can only be used once, so a captured exchange cannot be replayed. - An attack that redirects users to a fake site by corrupting DNS resolution or the local hosts file, so even a correctly typed URL lands on the attacker's server.
- Fuzz Testing (fuzzing) - Static Code Analysis
- A software testing technique that deliberately provides invalid, unexpected, or random data as inputs to a computer program in an attempt to find vulnerabilities. - A method of debugging that is carried out by examining the code without executing a program. Also ensures memory allocation commands have corresponding deallocation commands
- Change Management - Due Diligence - Due Care - Due Process
- A structured way of changing the state of a computer system, network, or IT procedure. The idea behind this is that change is necessary, but that an organization should adapt with change, and be knowledgeable of it. - Ensuring that IT infrastructure risks are known and managed. - The mitigation action that an organization takes to defend against the risks that have been uncovered during the above process - The principle that an organization must respect and safeguard personnel's rights.
- Black Box Testing (expensive & slow) - White Box Testing (cheapest and fastest model) - Gray Box Testing (somewhere between the first two)
- A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code internals. The goal is to see whether the tester can break or crash the system from the outside. - Similar testing to the above, but done with full internal knowledge of the system and its source code - A combination of the two methods above, with partial knowledge such as documentation or credentials
- DHCP starvation attack - ARP Spoofing/Poisoning
- This attack spoofs many MAC addresses to exhaust the pool of valid IP addresses in the DHCP scope. The attacker can then run a rogue DHCP server and hand out bogus default gateway and DNS addresses to set himself up as man-in-the-middle - This is when an attacker sends forged ARP replies so that the attacker's MAC address is associated with another host's IP address (such as the default gateway) in victims' ARP caches, making the attacker appear to be the destination host sought by the sender, with obvious repercussions: traffic can be intercepted or altered.
- XSS (Cross Site Scripting) - XSRF (cross-site request forgery)
- A type of application attack that exploits the trust a user's browser has in a website. It can be delivered through web forms, crafted URLs or email and usually uses JavaScript. The attacker takes advantage of scripting and input validation vulnerabilities in an interactive website to attack its legitimate users. - The inverse of the above, aka session riding: an attack that exploits the trust a website has in a user's browser (its cookies and session). It causes users to perform actions on websites without their knowledge. In some cases, attackers use header manipulation to steal cookies and harvest passwords.
- S/MIME (Secure/Multipurpose Internet Mail Extensions) - SSL (older) and TLS (current) - SSH (Secure Shell)
- An IETF standard that provides cryptographic security for electronic messaging such as e-mail. It is used for authentication, message integrity, and non-repudiation of origin. Most e-mail clients use this. - These are cryptographic protocols that provide secure Internet communications such as web browsing, instant messaging, e-mail, and VoIP. These protocols rely on a PKI for the obtaining and validating of certificates. - This is a protocol that can create a secure channel between two computers or network devices, enabling one computer or device to remotely control the other. Designed as a replacement for Telnet
- Smurf Attack - Fraggle Attack - Xmas Attack
- An attack that broadcasts an ICMP echo request (ping) to many computers but spoofs the source address so that all the replies are sent to the victim. A combination of IP spoofing and saturation of a network with ICMP messages - A variant of the above attack which instead sends UDP echo traffic to IP broadcast addresses - A network-based attack (also used as a scan) in which the TCP FIN, PSH and URG flags are all set, "lighting up" the header like a Christmas tree; many hosts are not built to handle that combination, and it may cause a denial of service on the host.
- Data Emanation - Spectral analyzer - Use of a Faraday Cage to block all EM signals
- An electromagnetic (EM) field that is generated by a network cable or network device, which can be manipulated to eavesdrop on conversations or to steal data. - What type of device can see these fields? - What is a good way to guard against this?
- SQL injection attack 1. LDAP Injection: uses a web form to gain access to directory information & attacks weak LDAP lookup configurations 2. XML injections: compromise the logic of Extensible Markup Language and can be used to create new users and possibly obtain administrative access.
- Attacks against a web site that take advantage of vulnerabilities in poorly coded database back-ends in order to introduce malicious program code into a company's systems and networks. Attackers enter a database query statement into a form in which they are supposed to enter a name or other data and can inject malicious code or gain access to resources & information - What are two more attacks similar to this?
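An added example (not from the flashcards) contrasting a login query built by string concatenation with a parameterized one, run against a constructed in-memory SQLite database. The injected input uses the same clues the exam card lists (a quote, OR, a comment), and a crude screening function shows how those clues can be logged; the user table and credentials are invented for the demonstration.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample database (in memory) with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, password, is_admin) VALUES (?, ?, ?)",
        [("alice", "hunter2", 1), ("bob", "letmein", 0)],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """Builds the statement by string concatenation: form input becomes SQL.
    Input  ' OR '1'='1' --  turns the WHERE clause into 'always true'."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, name: str, password: str):
    """Parameterized query: the driver sends values separately from the SQL,
    so quotes, comments and UNION in the input are just characters to compare."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


SUSPICIOUS_FRAGMENTS = ("' or ", "union select", "select from", "insert into", "inner join", "--", "/*")


def looks_like_injection(value: str) -> bool:
    """Crude screen for the exam-style clues (SELECT FROM, INSERT INTO, INNER JOIN,
    comments). Useful for an alert or a WAF log line, never as the only defence:
    the fix is the parameterized query above."""
    v = value.lower()
    return any(fragment in v for fragment in SUSPICIOUS_FRAGMENTS)


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR '1'='1' --"
    print("vulnerable:", login_vulnerable(conn, payload, "anything"))   # alice
    print("safe:      ", login_safe(conn, payload, "anything"))         # None
    print("flagged:   ", looks_like_injection(payload))                 # True
```

The vulnerable function returns the first row (the admin) for a password it never checked; the safe function returns nothing because it looks for a user literally named `' OR '1'='1' --`.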
- Rainbow Tables - Dictionary attack
- Cryptanalysis attack using a bunch of pre-calculated hashes - This attack uses a text file with a bunch of well-known words and spelling variations to try and brute force passwords
- GLB - HAVA (Help America Vote Act) - SB 1386
- Gramm-Leach-Bliley Act: enables commercial banks, investment banks, securities firms, and insurance companies to consolidate. Enacted in 1999. Protects against pretexting: individuals need proper authority to gain access to nonpublic information such as Social Security numbers. - Goal is to replace physical (punch-card and lever) voting systems with digital ones - Requires California businesses that store computerized personal information to promptly disclose breaches of security to the affected individuals.
- Windows Active Directory - SAML
- For the exam, what SSO method would be referenced for a LAN or smaller environment? - What about something spread out over a large area with a lot of different devices and web applications?
- Computer Management, command is "compmgmt.msc" - "openfiles"
- How can you monitor any files and shares being accessed by remote computers in Windows? - What command will let you see files that have been opened locally as well as by any remote computers?
- In dBi (decibels relative to an isotropic radiator); a higher number means more gain. 1. Omnidirectional antennas radiate in every possible direction, like a huge sphere. Useful for public places such as a stadium. 2. Dipole antennas look like one antenna but are actually two. They produce a shape like a flattened bagel (a doughnut). Useful for covering a single office floor, a flat outdoor area, or the deck of a ship. 3. Directional antennas send out a long, narrow beam. A "Yagi" is one type and looks like the old rooftop TV antennas. "Parabolic" antennas look like satellite dishes and are usually more powerful than Yagis. 4. A patch antenna is like half of an omni: take the sphere and cut it in half. Good for mounting on a wall where you don't need to broadcast behind the wall.
- How is wireless signal strength measured? - What are four types of antennas used in wireless networks?
- SEH - Structured Exception Handler - Runtime errors - Compile-time errors
- A module within an application that handles errors or exceptions. It prevents the application from crashing or responding to events in ways that attackers can exploit. - These types of errors happen while users are running the program and include things like running out of memory, buffer overflows and invalid parameter values; they surface as software exceptions. - These types of errors include syntax errors and type-checking errors in the code. A programmer can catch them without actually "running" the program, because the compiler reports them when it converts the source into machine code.
- LANMAN (Local Area Network Manager) - NTLM (NT LAN Manager)
- Older authentication protocol used to provide backward compatibility to Windows 9x clients. Easily cracked due to how they are stored and should be disabled. - What is an improved version of this?
- Caesar Cipher; shifts (rotates) the alphabet by a fixed amount, aka a "ROT" system - Vigenère Cipher; uses a lookup table of all possible ROT alphabets and picks the shift for each letter from the letters of a keyword, so the same plaintext letter does not always map to the same ciphertext letter
- One of the oldest known encryption methods - What is an improvement on this method and how does it work?
- Directory Traversal aka "../" (Dot Dot Slash) attack - Zero Day Attack
- This attack is a method of accessing unauthorized parent (or worse, root) directories. It is often used on web servers that have PHP files and are Linux or UNIX-based, but it can also be perpetrated on Microsoft operating systems. It is designed to get access to files such as ones that contain passwords. -This is basically a brand new attack no one has ever seen before
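An added example (not from the flashcards) of the "../" attack against a web server's document root and the check that stops it: the vulnerable resolver simply joins the request path onto the root, while the safe one URL-decodes (repeatedly, to catch double encoding), rejects NUL bytes, normalizes the path and refuses anything that ends up outside the root. The document root `/var/www/html` is an assumed value, and the check is string-level only so it runs without a filesystem.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for the example


def resolve_vulnerable(user_path: str) -> str:
    """Joins the request path onto the root and trusts the result: each '..'
    component walks one directory further out of the document root."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


def resolve_safe(user_path: str, root: str = WEB_ROOT) -> str:
    """Decode, normalize, then confirm the result is still inside `root`.
    Decoding repeats so '%252e%252e/' (double-encoded '../') is caught too."""
    decoded = user_path
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"path escapes document root: {candidate}")
    # A real server would also os.path.realpath() the candidate before opening
    # it, so a symlink inside the root cannot point back out; omitted here so
    # the check needs no filesystem.
    return candidate


def is_allowed(user_path: str) -> bool:
    """Boolean wrapper around resolve_safe for logging or tests."""
    try:
        resolve_safe(user_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for req in ("index.html", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "%252e%252e/%252e%252e/%252e%252e/etc/passwd", "static/../index.html"):
        print(f"{req:45} vulnerable -> {resolve_vulnerable(unquote(unquote(req))):20} "
              f"safe -> {'allowed' if is_allowed(req) else 'BLOCKED'}")
```

The prefix check uses `root + "/"` deliberately: comparing against the bare root string would let `/var/www/html2/secret` through, since it also starts with `/var/www/html`.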
- SIEM (Security Information and Event Management) - Aggregation: collecting log and event data from many different sources into one place. Correlation: linking related events across sources and reporting on them in a meaningful way. Normalization: converting records from different vendors' formats into a common schema so they can be compared and reported on efficiently. 1. Time synchronization: devices on the network must be set to the same time (via NTP) for accurate correlation, such as one device noticing an intrusion and a second device noticing the failure of a web server soon after. 2. Event deduplication: avoid having a bunch of devices all reporting the exact same event and glutting up the logs 3. Alerts: some type of notification when something goes bad 4. Triggers: what sets off the alerts, such as a value exceeding a certain threshold.
- Software that collects and analyzes security alerts, logs and other real time and historical data from security devices on the network - What are three huge benefits it provides? - What are four big things that must be monitored for this process to work well?
- VLAN hopping 1. Switch Spoofing: A malicious host uses DTP to masquerade as a switch, with the goal of negotiating a trunk link and gaining access to additional VLANs. 2. Double-Tagging Attack: an attacking host attaches two VLAN tags to the frames it transmits. The first, proper header is stripped off by the first switch the frame encounters, and the frame is then forwarded. The second, false header is then visible to the second switch that the frame encounters.
- The act of gaining access to traffic on other VLANs that would not normally be accessible. - What are two types of this attack?
- RAS (Remote Access Service) - RRAS (Routing and Remote Access Service)
- The dial-up networking software provided with Microsoft Windows 95, 98, NT, and 2000 client operating systems. It requires software installed on both the client and server, a server configured to accept incoming clients, and a client with sufficient privileges (including username and password) on the server to access its resources. - What has this been incorporated into In more recent versions of Windows?
- Session Hijacking - Session Theft - TCP/IP Hijacking - Blind Hijacking
- The exploitation of a computer session in an attempt to gain unauthorized access to data, services, or other resources on a computer. - This attack can be accomplished by making use of packet header manipulation or by stealing a cookie from the client computer, which authenticates the client computer to a server. - An attack in which the attacker commandeers a TCP session from a legitimate user after the legitimate user has achieved authentication, thereby removing the need for the attacker to authenticate himself. - When an attacker blindly injects data into a data stream without being able to see whether the injection was successful. The attacker could be attempting to create a new administrator account or gain access to one.
- MTTR - MTTF - MTBF
- Mean time to repair: the average length of time it takes to repair something and resume operations after a failure - Mean time to failure: the average length of time from when a system is (back) up until it fails - Mean time between failures: the average length of time from one failure to the next, including the time it took to repair the first one
- MTD (Maximum Tolerable Downtime). Each business process can have its own MTD. - RTO (Recovery Time Objective) - WRT (Work Recovery Time). For example, if a computer goes down due to a power surge the WRT would be time to fix the system - RPO (Recovery Point Objective). For example, if you get hit by ransomware and want to restore from a previous restore point, how far back in time can you tolerate the data loss? You are focused on how long you can be without your data.
- The maximum period of time that a business process can be down before the survival of the organization is at risk. - The length of time it takes after an event to resume normal business operations. - The length of time in addition to the above metric of individual systems to perform reintegration and testing of a restored or upgraded system following an event - The longest period of time an organization can tolerate lost data being unrecoverable
- Threat Vector - Attack Vector
- The method a threat uses to gain access to a target. - Collectively, the means by which an attacker gains access to a computer in order to deliver malicious software
- Security Posture - SPA (Security Posture Assessments) - Performance Monitor in Windows. Type "perfmon.exe" to run - Wireshark
- The risk level to which a system is exposed - Assessments that use baseline reporting and other analyses to discover vulnerabilities and weaknesses in systems and networks. - What is a Windows tool for creating baselines and what command will run it? - What is a very popular, free protocol analyzer?
- Wet Pipe Sprinkler System - Pre-Action Sprinkler System
- The type of fire-suppression system in which the pipes are always full of water and the glass bulbs on the sprinkler heads break when they get too hot, releasing it. - Similar to the above, except the pipes stay dry until a separate detector (such as smoke) trips; only then do they fill, and the head must still open before water flows. Typically used in places like a server room so that no one can accidentally set off water and destroy servers and equipment unless there is actually a fire.
- Certificates - X.509 1. DV (Domain Validation) Certs: where the certificate authority checks the rights of the applicant to use a specific domain name. 2. OV (Organizational Validation) Certs: these also conduct some vetting of the organization involved, the result of which is displayed to customers. 3. EV (Extended Validation) Certs: The most thorough type which conducts a complete vetting of the organization.
- These are digitally signed electronic documents that bind a public key with a user identity; common and low cost. - What standard are they commonly based on? - What are three types of these documents?
- "netcat"
- This command line tool (standard on Linux and available elsewhere) is a Swiss Army knife that does a lot. For exam purposes, it can open a listening port on a device, and it can act as a client to just about any port you want. Very helpful for pen testing and vulnerability assessments; because it can probe and connect aggressively, it is great for system reconnaissance. Listening on a privileged port (below 1024) requires root, so it is often run with "sudo".
- "net stop [service name]" and "net start [service name]" - "sc" - "service [service name] stop" (or replace "stop" with "start" or "restart")
- These Windows command line utilities will let you stop and start services - What is another Windows command that can do this (for example "sc stop [service name]" or "sc config [service name] start= disabled")? - What about in Linux (on systemd distributions, "systemctl stop|start|restart [service name]")?
- Public Key Pinning - OCSP Stapling
- This let an HTTPS website resist impersonation attacks by presenting hashes of its trusted public keys to the browser in an HTTP response header (HPKP); the browser then rejected certificates chaining to any other key. Browsers have since removed support, because a mistaken or expired pin locks users out of the site. - This lets the certificate holder (the web server) fetch a signed OCSP response from the CA's OCSP responder at regular intervals and include ("staple") it in the SSL/TLS handshake, so the client does not have to contact the responder itself.
- "nslookup" - "dig"; it prints the full DNS response (flags, TTLs, answer and authority sections) and is easier to script, and it can query any record type, such as MX (Mail Exchange) or SOA (Start of Authority)
- This command line tool helps with DNS problems. It shows which DNS server you are using, lets you query another server to see whether it works, and can look up specific record types. It is available on Windows, Linux and macOS, though on Linux its use is generally discouraged in favor of dig because its output is less detailed. - What is the Linux tool for this and what does it give you that the Windows command does not?
- "ipconfig /all" - "ip" is the current Linux command and "ifconfig" is the deprecated command - "ip addr"
- This command line tool is a quick way to give you a ton of information about your own system, including IP address and MAC address - What is the Linux way to do this and a deprecated Linux command? - What is a switch for the Linux command which shows a lot of additional info?
- "netstat" - "netstat -n" (remember "n" is for "numeric": it shows IP addresses and port numbers instead of resolving them to names) - "netstat -a" (remember "a" is for "all": it also shows listening ports that have no current connection)
- This command line tool shows the network connections a host has open at any particular moment. Great for scenarios where you want to know who you are talking to and who out there is trying to talk to you. - What switch shows connected IP addresses and port numbers numerically? - What switch shows all sockets, including listening ports with no current connection?
- "tracert" - If it fails on the first or second line, it's probably one of your internet devices at fault
- This command line tool shows all the hops on the way to a destination. - Using this, what's a good way to tell if you have a problem in your own internal network?
- "ARP" (address resolution protocol) - "arp -a" shows the ARP cache
- This command line tool will translate an IP address into a MAC address. Useful if you think someone is doing something bad inside the world of your switches - What is a switch that shows your whole cache?
- Certificate mapping 1. One-to-one mapping: an individual certificate is mapped to one recipient 2. Many-to-one mapping: multiple certificates are mapped to a recipient - RA (Registration Authority)
- This defines how many certificates are associated with a particular recipient. - What are two different types of this? - This is a subordinate entity designed to handle specific CA tasks such as processing certificate requests and authenticating users.
- XOR (Exclusive OR) - Everything gets converted into binary and changes are based on the binary key. If both digits of key & plaintext are 0, the 0 is carried. If there is a 1 and the other digit is a 0, the 1 is carried. If both digits are a 1, then they are changed to zero. When you take the resulting ciphertext and then run it back against your key, the answer will revert back to the original plaintext.
- This function is very important for cryptographic algorithms b/c it is reversible - How does it work?
- RADIUS - A RADIUS server, a supplicant (user), and RADIUS client which is the gateway for the supplicant to connect with the server
- This is a AAA service originally designed for dial-up networking but frequently used with wireless networks - What three parts are required for it?
- PIV (Personal Identity Verification) Card - CAC (Common Access Card)
- This is a certificate-based smart card issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. - This is similar but used for military personnel and DOD contractors.
- PKCS-7 - PKCS-12 - X.509 - OID (Object Identifiers)
- This is a way to store digital certificates as individual files. - This is a way to store certificates and private keys as a package - This is the old standard many certificates are still based on - These are extensions which assist with identifying objects such as street addresses of certificate owners
- OAuth - OpenID Connect - Shibboleth
- This is an SSO service that grants an application limited access to a user's account on a third-party site, such as Facebook or Twitter. Grants the application access to a friend's list or gives the application the ability to post on the user's behalf. - This provides authentication of the user for the above and stores the information in a token, but is not actually a service itself - This is a single sign-on (SSO) system that uses SAML but does not allow the usage of Facebook or Twitter credentials. It is a standards-based, open-source software package for single sign-on across or within organizational boundaries on the web. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
- FIM (Federated Identity Management) - MFA (Multi-factor Authentication)
- This is another way to refer to what SSO is - What is the term for having several different authentication requirements?
- SAML (Security Assertion Markup Language) - XML (Extensible Markup Language) - First you log on to an Identity Provider (IdP) which gives you access to the various Service Providers (SP), which are the web apps for the various things you are logging into. For example, if you had to manage software for multiple devices spread out on an oil pipeline, SAML allows you to log on once and jump between devices rather than log on to each individual device.
- This is commonly used with SSO options and is used exclusively for web applications, especially letting people log in and out of web apps. - What language does it use for communication? - What is the way this works?
- SNMP 1. Agent: this is software built into the device from the manufacturer which lets it do SNMP. 2. Managed Device: what the device becomes once you have connected with an agent. 3. NMS (Network Management System) or SNMP Manager: this is the device you choose to manage the devices, usually a PC. It will have to be running some sort of application for SNMP management. 4. MIB (Management Information Base): this is built into devices and it's what lets proper communication take place with the NMS. For example, so that a printer will receive information it can understand versus a switch or different device also connected via SNMP. It's really a database we query.
- This is the de facto standard of network management protocols & is a tool which allows us to administer & manage network devices from a single source. - What four things are required for it to function?
- Windows Active Directory - Federated System or trust situation
- This is the gold standard for SSO tools for LANs. Requires Windows Server and administrator must connect each host to a domain. - What is created once this process has been done?
- FM-200 / Argon / Dry Chemicals; this is a type of Special Hazard Protection or Clean Agent System - Class C - The corrosive powder in a Class C can destroy electrical equipment
- This is the gold standard in fire suppression for server rooms - This type of extinguisher is for electrical equipment fires - Why is the first method better than the extinguisher?
- Single-sided certificate - Dual-sided certificate 1. A CSR (Certificate Signing Request) which is used when a new, or renewed, certificate is required for a web server. It is submitted to the company that sells the SSL certificates (such as VeriSign). 2. Proof of user's identity 3. The public key which is matched to the CA's private key.
- This is used in most communication sessions where only the server is validating itself to the user; is less resource intensive - This is used when an organization requires the server AND user validate their identities; can cause a strain on the CA if a lot of computers are involved. - What three items does a user need to obtain a digital identity certificate from a CA?
- DCL (Data Control Language) - DML (Data Manipulation Language)
- This language implements security through access control and granular restrictions. - This language, provided with a DBMS, allows users to access and modify the data, to make queries, and to generate reports.
- Ephemeral key/Session key - Perfect forward secrecy; knowledge of a key from a previous session will not help you crack encryption of subsequent sessions.
- This type of key is a big help with symmetric encryption; used only once then discarded - What does this help to provide?
- Protocol analyzer - Wireshark 1. Sniffer: some type of software that grabs the data going in and out of a particular interface. This includes ethernet info, IP info, application info, etc. Once it grabs the info, the sniffer will either save it into a file or make a live feed directly into the protocol analyzer. 2. Analyzer: looks over the captured data and presents it in a way that we can read it. - Wireshark tends to miss packets when sniffing. In Linux, you can use tcpdump to sniff instead and it is a much more robust sniffer.
- This type of tool is what we use to look at traffic going in and out of a specific computer - What is the most popular type of this tool? - What two parts will a tool of this type have? - What is a downside to the popular tool above and what is a workaround for that?
- Network scanners - Nmap - Zenmap
- This type of tool would be used for checking out the network around us. Very useful if we are needing to look for open ports during vulnerability assessment or device hardening, doing network inventory to see what devices are connected, and also when finding rogue devices connected without authorization. - What is a popular command line tool of this type used with both Linux and Windows? - What is a GUI interface for it?
- AS (Authentication Service) Exchange - TGS (Ticket Granting Service) Exchange - Client-Server (CS) Exchange
- What Kerberos protocol authenticates users and provides users with a ticket-granting ticket? - What protocol uses a TGT to create a session key for the client requesting service and the server providing service? - What protocol is used to enable a client and a server to authenticate one another?
- chown - passwd - "pwd" which only shows the "present working directory" - sudo (super user or admin)
- What Linux command lets you change ownership of a file or directory? - What command lets you change the password for a user? - What command is sometimes confused with this? - What command is often required to be used with these?
- chmod 1. "chmod a= [file name]" will switch off all permissions, or "chmod g=rx [file name]" would give read and execute but not write permissions to the group 2. "chmod 777" would give full permissions to everyone; each number represents a value for "rwx" for each one of the three groups. The value for "r" is 4, the value for "w" is 2, and "x" is 1. So "chmod 751" permissions would turn out "rwxr-x--x"
- What Linux command lets you change permissions? - What are two ways you can use it?
- Security: show things like unauthorized or failed logins - Application: deals with events concerning applications within the operating system and some third-party applications - System: deals with drivers, system files, and so on - DNS: related to domain name system
- What are four types of log files?
1. Adversarial: someone is intentionally doing bad things to you 2. Accidental is like someone inadvertently formatting an important hard drive 3. Structural is like the power supply on your router dies or equipment failure 4. Environmental is like fires, earthquakes, etc
- What are four types of threats?
1. COBO or Corporate Owned, Business Only. The company owns the device and decides everything for it. 2. COPE (Corporate Owned, Personally Enabled) is another form. When everybody has the exact same device, it may have a steep learning curve 3. CYOD (Choose your own device) is when employees can select a device from a pre-approved list. 4. BYOD (Bring your own device) is when you bring your own device to use for work. Requires very heavy MDM and app management
- What are the four types of mobile device deployment?
- It will either be a "d" or a "-". If a "d", it's a directory, and a "-" signifies a file - They are three groups of three; the first is for the Owner of the file/directory, the second set is for the Group, the third set is for "other" aka everyone else besides the Owner & Group. Will be a combination of "rwx" or a "-". - "r" means read, "w" means write, "x" means execute a file or, for a directory, "cd" into it (change the present working directory)
- What are the options for the very first character with Linux permissions? - What are the nine values after that? - What do these values stand for?
1. Planning and analysis. Goals are determined, needs are assessed, and high-level planning is accomplished. 2. Software/systems design. The design of the system or application is defined and diagrammed in detail. 3. Implementation. The code for the project is written. 4. Testing. The system or application is checked thoroughly in a testing environment. 5. Integration. If multiple systems are involved, the application should be tested in conjunction with those systems. 6. Deployment. The system or application is put into production and is now available to end users. 7. Maintenance. Software is monitored and updated throughout the rest of its life cycle. If there are many versions and configurations, version control is implemented to keep everything organized. - Agile or DevOps
- What are the seven steps in the waterfall SDLC? - What method has recently become more popular than the waterfall?
- NIDS are passive and set up out of band or "off to the side" of the network. They are simply watching the data and reporting if something triggers them. Should be set to promiscuous mode so it captures all data it sees in the network. - NIPS are active and in-band, set up directly in the network path so all traffic must flow directly through them. You should implement a fail-close (failure=all network transmissions stop) or fail-open (failure=all network traffic is allowed) policy with them. 1. Network Tap: a little sensor box you plug into your network. 2. Port Mirroring: grabs all of the data from one port and copies it all. 3. Collectors: computers whose job is to take all the data coming from the different sensors & they store it in a database. We can then examine the database to see if we have any problems. 4. Correlation Engine: the tool that does the actual data checks, such as checking against signatures, anomalies, heuristics, etc. It is the actual device that will set off the alarms & let us know or deal with things itself.
- What are the two big differences between NIDS and NIPS? - What are four things used with these types of systems?
1. Non-Network Events: things which happen on a host even if it is not connected to a network. A generic log of this type would typically have a date, time, process/source, user account, event number, and event description. These would include OS Events (host starting, shutting down, rebooting, services starting & stopping or failing, OS updates), Application Events (app installation, start, stop, or fail), and Security Events (local user logon successes & failures) 2. Network Event: any event which takes place between a host and something going on in the network. A big clue is if you see IP addresses and port numbers. Two types are OS or System Level (remote logins) and Application Level (shared apps or resources or activity on web server or firewall) - Generic log file would typically have a date, time, process/source, user account, event number, and event description
- What are the two main categories that log files can be broken down into? - What would a generic log file be made up of?
1. IP Proxy: secures the network and hides individual host IPs using NAT. 2. Caching proxy: Attempts to serve client requests without actually contacting the remote server. These could be FTP or SMTP proxies, but the most common types are HTTP or Web proxies. They cache internet content from frequently visited web pages so that content does not have to be loaded each time by individual users, thus saving time and bandwidth.
- What are the two main types of proxy servers?
- Type 1 or Native: runs directly on host computer's hardware aka "Bare Metal" - Type 2 or Hosted: runs on top of host computer's OS
- What are the two types of Hypervisors?
1. Statistical anomaly: It establishes a performance baseline based on normal network traffic evaluations, and then compares current network traffic activity with the baseline to detect whether it is within baseline parameters. If the sampled traffic is outside baseline parameters, an alarm is triggered and sent to the administrator. 2. Signature-based: Network traffic is analyzed for predetermined attack patterns, which are known as signatures. These signatures are stored in a database that must be updated regularly to have effect. 3. Behavior-based (aka Statistical Anomaly-based): looks at the previous behavior of applications, executables, and/or the operating system and compares that to current activity on the system. 1. False positive: The IDS identifies legitimate activity as something malicious. 2. False negative: The IDS identifies an attack as legitimate activity. For example, if the IDS does not have a particular attack's signature in its database, the IDS will most likely not detect the attack, believing it to be legitimate.
- What are three main types of monitoring that an IDS performs? - What are two types of mis-identification?
- Rule-based and Lattice-based. Lattice-based access control is used for more complex determinations of object access by subjects; this is done with advanced mathematics that creates sets of objects and subjects and defines how the two interact. 1. Bell-LaPadula is a state machine model used for enforcing access control in government applications. It is a less-common, multilevel security derivative of mandatory access control. This model focuses on data confidentiality and controlled access to classified information. 2. The Biba Integrity Model describes rules for the protection of data integrity. 3. Clark-Wilson is another integrity model that provides a foundation for specifying and analyzing an integrity policy for a computing system.
- What are two common implementations of Mandatory Access Control (MAC)? - What are three other access control models?
- Remote Access: when a remote user is trying to phone home - Site-to-Site: two offices directly connected through a VPN, typically with endpoints being routers or VPN concentrators 1. Full Tunneling: all traffic has to go through the VPN tunnel, back to the gateway at the head office; that gateway processes the request and gets the info, then sends it back through the tunnel to the user. 2. Split Tunneling: faster option. The VPN endpoint on the laptop itself recognizes the types of traffic going out. If the traffic is going to the office network you are connected to, it goes through the tunnel. Different types of traffic going to different IP addresses will not bother going through the VPN tunnel. The downside is that it may bypass upper-layer security in the company infrastructure.
- What are two types of VPNs? - What are the two types of VPN tunneling and which is faster?
1. FAR (False Acceptance Rate): someone is allowed who shouldn't be allowed 2. FRR (False Rejection Rate): someone is rejected who should be approved - CER (Crossover Error Rate) or EER (Equal Error Rate): the goal is to keep both the FAR and FRR errors at a common value, or as close as possible. The lower the CER, the better the biometric system in general.
- What are two types of errors common with biometric security systems? - What calculation is used to see if a biometric system is operating within acceptable parameters?
1. Decentralized: each device is keeping its own logs. This is more for small organizations that don't have a lot of devices. 2. Centralized Logging: when logs are consolidated in one location. - Centralized Logging is used in enterprise with SNMP which allows it to go out to the devices to gather information as opposed to having every device constantly sending logs in and eating up network traffic. - MaaS (Monitoring as a Service)
- What are two ways to keep track of logs? - Which is more popular for enterprise environments and what is often used to accomplish it? - What term describes when a third party is hired to do logging for an organization?
- Receiver's public key - Receiver's private key - Sender's private key - Sender's public key
- Which key do you need to send an encrypted message? - Decrypt an encrypted message? - Send an encrypted signature? - Decrypt an encrypted signature or verify a certificate?
- 802.1x (EAP over Ethernet/Wireless) - EAP-FAST; uses a protected access credential instead of a certificate to achieve mutual authentication. 1. LEAP, from Cisco; basically EAP with a password inside a TLS tunnel 2. PEAP, from Microsoft; also EAP inside a TLS tunnel but passwords were too easy to crack
- What authentication standard is used with RADIUS? - What is a Cisco standard used for wireless security? - What are two outdated standards that were similar to these?
1. Certificates 2. Key repository 3. Method to revoke certificates 4. Method to evaluate certificate chain - Issuer - Principal - Verifier - Subject
- What four things does a PKI generally consist of? - In PKI, what is the entity that signs a certificate? - What is any entity that possesses a public key? - What is an entity that verifies a public key chain? - What is an entity that seeks to have a certificate validated?
- EAP (Extensible Authentication Protocol) is a framework designed to run inside transport layer protocols and it is king right now. It is only handling the authentication stuff, that's it. Was originally created as an extension to PPP and that's it. 1. EAP-MD5 is the most basic. Basically just MS-CHAP and it takes the passwords and hashes them with MD5. Only provides one-way authentication, not mutual. 2. EAP-PSK (Pre-shared Key) uses predetermined symmetric keys. No key exchange is required. Similar to WPA and WPA2. 3. EAP-TLS requires both a server certificate and client certificate; both must have certificates to work. This does not work well in enterprise scenarios because certificates must be configured or managed on the client side and server side. 4. EAP-TTLS uses the TLS exchange method but it is done through an encrypted channel and only the server has the certificate. 5. EAP-FAST; Cisco standard, uses a protected access credential instead of a certificate to achieve mutual authentication. 6. PEAP, from Microsoft; uses MSCHAPv2; also EAP inside a TLS tunnel but passwords were too easy to crack
- What is EAP? - What are the six methods of EAP?
- SA (Security Association) 1. AH (Authentication Header): this is only for providing integrity. An integrity check is done on the packet and then an AH (authentication header) is inserted into it. This is an HMAC (Hash-based Message Authentication Code). 2. ESP (Encapsulating Security Payload) is more popular b/c it encrypts the packet and then puts an AH on it. Works at Layer 3 IP address 1. Transport Mode: when you keep the original IP address. Doesn't work very well in the real world b/c of NAT and other things. 2. Tunnel Mode: more popular option and is generally used with ESP. The original packet has been encrypted and authenticated with ESP, so we just add a new IP address on top of that packet. This will get it through the various hops it needs to go through while protecting the original, core packet.
- What is IPsec's establishment of secure connections and shared security information, using either certificates or cryptographic keys? - What are the two ways IPsec runs? - What are two ways IPsec moves data?
- Metasploit - Armitage 1. Banner Grabbing: when someone connects to a target web server and attempts to gather information, literally grabbing the web service's "banner." This is often done by telnetting into the web server. It can also be done with netcat, using an HTTP request. Usually intercepts a text file sent by a server or a host. The text file includes OS information. 2. Pivot: uses an initial exploit as a launching point to attack other systems. For example, gaining root access to a system and using that to expand your attack. 3. Persistence: we keep doing something for a while. Good pen testing doesn't happen overnight or over a few days, but may go on for weeks just like real attacks. 4. Privilege Escalation: when an attacker has used a design flaw in an application to obtain unauthorized access to the application
- What is a famous framework in Kali Linux used for exploiting vulnerabilities? - What is a graphical front end for it? - What are four ways you can exploit vulnerabilities?
- A transparent proxy doesn't modify requests of the user systems and may not provide anonymity. It is more efficient, but there is less security. It usually has to literally be in-line between you and the internet. Everyone has to go through the proxy due to how the network is connected. - A forward proxy hides the clients while a reverse proxy hides the servers.
- What is a transparent proxy? - What is the general difference between a forward & reverse proxy?
- Static Hosts 1. ICS (Industrial Control Systems) can fall under this. Usually some type of machine in an industrial environment controlling machines designed to do a specific thing. Most famous example of this is HVAC systems which regulate environmental conditions. 2. SCADA (Supervisory Control and Data Acquisition) is similar to SAML in that it is used for industrial-type settings where devices are spread out over long distances, like an oil pipeline. Usually require a cellular WAN connection or something to stay connected.
- What is another name for IoT devices or appliances that have embedded operating systems and are designed for a specific task or process? - What are two types of these that are usually found in an industrial setting?
- BSSID (basic service set identifier) - ESSID (extended SSID) - In large environments, it allows clients to move from WAP to WAP as they seamlessly authenticate and handoff the client to each other so their connection is not interrupted. - Associated list
- What is it called when you have only one WAP broadcasting (usually refers to its MAC address)? - What is it called when you have a group of WAPs broadcasting and they are all connected to the same broadcast domain? - What is the big advantage of this second type? - What is the name for the group of connected clients a WAP keeps via their MAC addresses?
- ISAKMP: a negotiation protocol which creates an SA (Security Association) between two hosts, and that is its only job. If two hosts want to start using IPsec, ISAKMP is the first step. It does initial authentication with certificates or preshared keys. Also handles key exchange and HMAC. - KHMAC (Keyed Hashing for Message Authentication Code)
- What is the "cornerstone" of what gets IPsec going and the first step of the IPsec process? Provides a framework for authentication & key exchange - What is used to digitally sign packets that are transmitted on IPSec connections?
- In-band management - Out-of-band management - When working with devices that do not have a direct network connection, such as UPSs, PBX systems, and environmental controls, or if the main LAN fails, out-of-band management is used as a backup method.
- When the admin connects locally through the main company network for SNMP monitoring - When the admin has to connect remotely or through some other means - What types of situations might call for the second type?
- The root CA (Certificate Authority) 1. BER (Basic Encoding Rules): This is the original ruleset governing the encoding of ASN.1 data structures. Any data created is encoded with a type identifier, a length description, and the content's value. BER can use one of several encoding methods. 2. CER (Canonical Encoding Rules): This is a restricted version of BER in that it only allows the use of one encoding type; all others are restricted. 3. DER (Distinguished Encoding Rules): Another restricted variant of BER, this only allows for one type of encoding, and has restrictive rules for length, character strings, and how elements are sorted. - DER is widely used for X.509 certificates. For example, certificate enrollment in Windows Servers uses DER exclusively.
- What is the anchor for the certificate chain of trust? - What are three types of ITU-T X.690 encoding formats? - Which of these is a default file extension for Windows certificate exports and is most widely used with X.509?
- TACACS+ is very good with authorization, which RADIUS can't really do - Authentication and Auditing
- What is the big difference between RADIUS and TACACS+? - What are they both good at?
- X.500 - DIT (Directory Information Tree) - LDIF (LDAP Data Interchange Format) 1. DN (Distinguished Name) is everything; the entire listing 2. CN (Common Name) is the basic name itself; remember that this could be a device name or people. 3. OU (Organizational Unit) are like groups and helps to define where the person or device is within the organization. 4. DC (Domain Components) list which domain the person or device belongs to. - "DN:cn=John_Smith, ou=Accounting, ou=Dallas, ou=People, dc=totalsem, dc=com" This example shows someone named John Smith who is a person in the accounting group located in Dallas and the domain is totalsem.com
- What protocol is LDAP based on? - What contains LDAP entries? - What enables LDAP servers to exchange directory information? - What are the four components of an LDAP listing? - What is an example of what an LDAP listing might look like?
- SSL (Secure Sockets Layer) - TLS (Transport Layer Security)
- What protocol was first created to help secure websites? - What has supplanted that?
- Salt - The salt is intermixed with the message that is to be hashed - It can complicate dictionary and rainbow table attacks
- What term refers to random bits that are used as one of the inputs to a hash? - How does this work? - Why is this useful?
- A protocol to set up the tunnel and another protocol to handle authentication and encryption of the traffic. 1. PPTP (Point-to-Point Tunneling Protocol) is the oldest VPN protocol. Uses PPP as the tunnel and has no serious authentication, just password and very basic encryption. Uses TCP port 1723. Not used much anymore b/c of security concerns. 2. L2TP (Layer 2 Tunneling Protocol) is proprietary Cisco. Similar to PPTP except the tunnel is not encrypted; uses an L2TP tunnel and IPSec for encryption, which is very fast. Uses UDP ports 500 and 4500. 3. Pure IPsec uses IPsec for the tunnel and the authentication & encryption. Also uses ports 500 & 4500. Great for IPv6 networks. 4. SSL/TLS: the same stuff used on secure webpages. Uses TCP port 443 and will work with a web browser. Uses a TUN/TAP virtual network driver tunnel. Uses TLS for encryption. 5. OpenVPN is a program with its own type of unique tunnel & encryption based on the SSL/TLS protocol. Uses TCP port 1194 but this can be changed easily.
- What two types of protocols are required to set up a VPN? - What are five types of protocols used with VPNs?
- PEM (Privacy Enhanced Mail) certificate and it is converted via SSL - PFX certificate
- What type of certificate is primarily used with web servers in a Linux environment, and what is used to convert it from a DER file extension? - What type of certificate is used by Microsoft, is fully encoded, and supports storage of both the private & public keys?
- Dual-homed firewall - Bastion Host - Screened Host: The router acts as a screening device, and the firewall is the screened host. - Screened subnet
- What type of firewall has two network interfaces? - What is a computer that resides on a network that is locked down to provide maximum security and resides on the front line in a company's network security systems? An example would be a server that resides in a DMZ. - What is a firewall that resides between the router that connects a network to the Internet and the private network? - What is another term for DMZ?
- DNSSEC - It only provides authentication, not encryption. A DNSSEC-capable server generates a key pair and has upstream DNS servers sign them which creates new DNS records for each zone. Has become quite popular on public DNS servers.
- What was created in the late '90s as a tool to improve on the unsecure DNS protocol? - What does it provide and how?
- Diversion Theft - Hoax - Baiting - Pretexting - Spim
- When a thief attempts to take responsibility for a shipment by diverting the delivery to a nearby location. - An attempt to make people believe something that is false - Leaving a USB or similar device, loaded with malware, somewhere in plain view with the hopes that a user will connect it to their system to check the contents, thus infecting their system - When a person invents a scenario or masquerades in the hopes of getting someone to divulge information - A type of spam that manifests in IM pop-up advertisements
- Clickjacking - MITM (Man in the middle) - MITB (Man in the browser) - Watering Hole Attack (aka Pivot Attack)
- When a user browsing the web is tricked into clicking something different than what the user thought he or she was clicking. - These attacks intercept all data between a client and a server. It is a type of active interception. If successful, all communications now go through the attacking computer. - Similar to above, this attack makes use of a Trojan (from a proxy location) that infects a vulnerable web browser and modifies web pages and online transactions, in an attempt to ultimately steal money or data. - When an attacker profiles the websites that the intended victim accesses. The attacker then scans those websites for possible vulnerabilities. If the attacker locates a website that can be compromised, the website is then injected with a JavaScript or other similar code injection that is designed to redirect the user when the user returns to that site. Often designed to profile users of specific organizations
- RCE (Remote Code Execution) - Pointer Dereferencing
- When an attacker acquires control of a remote computer through a code vulnerability by injecting "shellcode". Also known as arbitrary code execution. Attackers often use a web browser's URL field or a tool such as Netcat to accomplish this. Can be used to turn a computer into a zombie. - This changes the target memory location of a pointer. As a result, the calling application receives an incorrect, unexpected, or critical value. For example, in a computerized blood bank, this attack can cause a blood type to be categorized incorrectly.
TPM (Trusted Platform Module)
A chip on a motherboard that holds an encryption key required at startup to access encrypted data on the hard drive. Windows BitLocker Encryption can use this
STARTTLS
A command (not an acronym) used to upgrade an unencrypted connection to an encrypted connection on the same port. For example, can create an encrypted tunnel for insecure IMAP/POP3 email exchange.
Diffie-Hellman
A cryptographic asymmetric algorithm that allows two users to share a secret key securely over a public network.
CVE (Common Vulnerabilities and Exposures)
A dictionary of publicly known security vulnerabilities and exposures. These are regularly put out by various companies as vulnerabilities are found and patches are released.
MDM (mobile device management)
A formalized structure that enables an organization to account for all the different types of mobile devices used to process, store, transmit, and receive organizational data.
SED (Self Encrypting Drive)
A hard drive with a circuit built into the disk drive controller chip that encrypts all data to the magnetic media and decrypts all the data from the media automatically.
Syslog
A log management service that uses special servers and programs to collect logs from various devices and make them easier to read as opposed to logging onto each individual device and using its interface.
SCP (Secure Copy Protocol)
A protocol that uses SSH to securely copy files between a local and a remote host, or between two remote hosts. Uses port 22 since it is SSH.
CAN (Controller Area Network)
A serial network designed to allow comms between embedded programmable logic controllers in something like an automobile
HSM (Hardware Security Module)
A stand-alone piece of software or an appliance used to enhance security and commonly used with PKI systems. Commonly used for encryption during secure login/authentication processes, during digital signings of data, and for payment security systems. Typically comes in adapter card/USB form
APT (Advanced Persistent Threat)
A sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments
OVAL (Open Vulnerability and Assessment Language)
A standard and a programming language designed to standardize the transfer of secure public information across networks and the Internet utilizing any security tools and services available. Uses XML as a framework for the language.
PDS (Protected Distribution System)
A system of cable conduits that is used to protect classified information being transmitted between two secure areas. These approved circuits use many techniques to secure the unencrypted transmission of classified information. It is all-encompassing: cables, terminals, and other equipment, including safeguards for electrical, electromagnetic, and acoustical concerns.
Federated or Transitive Trust
A system where one organization will tell another organization: if you trust a network, I will also trust it without checking it. An example is when computers are added to a domain by an administrator.
GRE (Generic Routing Encapsulation)
A tunneling protocol developed by Cisco that is used to transmit PPP data frames through a VPN tunnel. It encapsulates PPP frames to make them take on the temporary identity of IP packets at Layer 3. To the WAN, messages look like inconsequential IP traffic.
TCSEC (Trusted Computer System Evaluation Criteria)
Also known as the Orange Book; an evaluation model developed by the U.S. Department of Defense that sets basic requirements for assessing the effectiveness of computer security access policies.
OCSP (Online Certificate Status Protocol)
An HTTP-based alternative to a CRL (certificate revocation list) that checks the status of certificates. Starting to replace CRLs b/c it is faster & updated more frequently
ECC (Elliptic Curve Cryptography)
An asymmetric algorithm that uses elliptic curves instead of prime numbers to compute keys. Used primarily with smaller devices as it is faster and uses fewer resources than RSA
A DNS amplification attack
An attack that initiates a DNS attack with a spoofed address. It floods an unsuspecting victim by redirecting valid responses to it.
Context-aware Authentication
An authentication method using multiple elements to authenticate a user and a mobile device. It can include identity, geolocation, the device type, usage of resources, and more.
LSO (locally shared object) or "flash cookies"
Data stored on a user's computer after visiting a website that uses Adobe Flash Player. These can be used to track a user's activity.
Group Policy Object (GPO)
Enables network administrators to define multiple rights and permissions for entire sets of users/computers all at one time. Requires Windows Server and Active Directory
- If copying or moving an object from one disk drive to another, the object will take on the destination permissions - If copying an object within the same drive, it takes on the destination permissions. If MOVING an object within the same drive, it will keep its source permissions
How does inheritance work with NTFS permissions?
ASLR (Address Space Layout Randomization)
Involves randomly arranging the positions of key data areas of a program, including the base of the executable and the positions of the stack, heap, and libraries in a process's memory address space. This can aid in protecting mobile devices (and other systems) from exploits caused by memory-management problems.
Active interception
Normally refers to placing a computer between the sender and the receiver in an effort to capture and possibly modify information; this is the category of attack a man-in-the-middle attack falls under
An assessment that determines the impact on the privacy of the individuals whose data is being stored, and ensures that the organization has sufficient security controls applied to be within compliance of applicable laws or standards.
PIA (Privacy Impact Assessment)
49 (TCP)
Port for TACACS+
MDM (mobile device management)
Software suites designed to manage use of smartphones and tablets within an enterprise.
UTM (Unified Threat Management)
The evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single system: network firewalling, network intrusion prevention and gateway antivirus (AV), gateway anti-spam, VPN, content filtering, load balancing, data loss prevention and on-appliance reporting.
Application Whitelisting
The practice of allowing approved programs to run on a computer, computer network, or mobile device.
Implicit Deny
The principle that establishes that everything that is not explicitly allowed is denied.
Input validation
The process of inspecting data given to a program by the user and determining if it is valid. It is an important security defense because it: A. rejects bad or malformed data. B. enables verbose error reporting. C. protects mis-configured web servers. D. prevents denial of service attacks and SQL Injections.
DSA (Digital Signature Algorithm)
The standard for digital signatures of the US government, this asymmetric encryption algorithm is based on discrete logarithms and is used only for authentication.
Race Condition
This is a difficult exploit to perform because it takes advantage of the small window of time between when a service is used and its corresponding security control is executed in an application or OS, or when temporary files are created. It is associated with multithreaded applications. Improper handling of a variable that is accessed by several threads of an application can lead to unexpected values associated with the variable in question. For example, if you remove all permissions in a file and apply new permissions, the short period of time between the actions would be the vulnerable window.
SKIP (Simple Key Management for Internet Protocols)
This is a key management and distribution protocol used for secure IP communication. It uses hybrid encryption to convey session keys. These session keys are used to encrypt data in IP packets. It uses a key exchange algorithm, such as the Diffie-Hellman algorithm, to generate a key-encrypting key that will be used between two parties. A session key is used with a symmetric algorithm to encrypt data. This is not a key storage protocol. It is a key distribution and management protocol similar to Internet Key Exchange (IKE). It works on a session-by-session basis
HSTS (HTTP Strict Transport Security)
This is a protocol where a server can require web browsers to use HTTPS. Prevents downgrade attacks.
Virus
This is code that runs on a computer without the user's knowledge; it infects the computer when the code is accessed and executed. Must be executed by a user to propagate and spread copies of itself throughout the computer and infect other systems by infecting shared files they access. Needs some sort of carrier to get to where it wants to go and needs explicit instructions to be executed.
OSINT (Open Source Intelligence)
This is the application of intelligence tradecraft to open sources of information, specifically involving the collection, processing (to include foreign language translation), and exploitation/analysis of multiple, independent open sources of information. An example would be collecting information on social media
Fingerprinting
This is used to find out information about a system. It can be done passively by sniffing packets between hosts, or actively by sending special packets to a target and analyzing the responses. It can be done by scanning ports, or by using commands in a browser's URL bar as is the case in this scenario. By adding syntax to the end of a domain, you can "test" the web server and ascertain information about it based on the results.
Alt+F4
This keyboard shortcut will close the active window. Useful for closing internet popups without worrying about accidentally clicking on something malicious.
Tokenization
This method is used to replace all or part of a data field with a randomly generated number used to reference the original value stored in another vault or database
WORM (write-once read-many)
This type of media indicates that a disc can be written to only once. Discs designated with R (such as DVD-R) can be written to once. It assures that data written to it will not be deleted or overwritten.
1. Boot sector: Initially loads into the first sector of the hard drive; when the computer boots, the virus then loads into memory. 2. Macro: Usually placed in documents and e-mailed to users in the hopes that the users will open the document, thus executing the virus. 3. Program: Infects executable files. 4. Encrypted: Uses a simple cipher to encrypt itself. The virus consists of an encrypted copy of the virus code (to help avoid detection) and a small decryption module. Different encrypting keys can be used for each file to be infected, but usually there is only one decrypting code. 5. Polymorphic: Builds on the concept of an encrypted virus, but the decrypting module is modified with each infection. So, it can change every time it is executed in an attempt to avoid antivirus detection. 6. Metamorphic: Similar to polymorphic but rewrites itself completely each time it is going to infect a new file in a further attempt to avoid detection. 7. Stealth: Uses various techniques to go unnoticed by antivirus programs. 8. Armored: Protects itself from antivirus programs by tricking the program into thinking that it is located in a different place from where it actually resides. Essentially, it has a layer of protection that it can use against the person who tries to analyze it; it will thwart attempts by analysts to examine its code. 9. Multipart: A hybrid of boot and program viruses that attacks the boot sector or system files first and then attacks the other files on the system. 10. Page: modifies other programs & databases. The only way to remove it is to reinstall the infected programs.
What are 10 types of viruses?
A Security Control is a verb, an action. It will help to protect the IT infrastructure or remediate a problem we already have. There are several different types: 1. Administrative Controls (or Management Controls), or "what people do", control the actions people take towards IT security. They include Laws, Policies, Guidelines, and Best Practices 2. Technical Controls are actions IT systems take towards IT, or computer stuff. Includes Firewalls, Passwords, Authentication, Encryption 3. Physical Controls are actions which take place in the real world, not digital. Includes Gates, Guards, Keys, Man traps
What are Security Controls and what are three types?
1. Cleaning Data Remnants: cleaning out old drives. When removing a VM, take the time to also wipe all the data associated with that VM. 2. Make Good Policies: also important and should not be overlooked. Let people know what they can and cannot do when it comes to virtualization. 3. Define User Privileges: many hypervisors have built-in controls for this. 4. Patch Everything: not just the VMs or apps running on them, but also remember to patch the hypervisors themselves. 5. CASB (Cloud Access Security Brokers) is a type of Security As A Service (SECaaS) and can be used: they act as an intermediary between your infrastructure and the cloud. It could be some type of device running locally but usually shows up as some sort of service running on the cloud itself. The CASB makes sure policies are controlled, protects against malware, etc.
What are five methods of virtualization hardening?
- Determine Mission Processes - Identify Critical Systems - Single Point of Failure - Identify resource requirements - Identify recovery priorities
What are five steps in Business Impact Analysis?
1. ECB (Electronic Code Book): oldest and insecure b/c it uses the same key repeatedly and patterns start to appear 2. CBC (Cipher Block Chaining) adds an Initialization Vector (IV) which takes the first block and XORs it before encrypting. The result is copied and used to help encrypt the next block so each encryption will be slightly different from the previous one. 3. CFB (Cipher Feedback) is similar except the IV is encrypted and XORed with the first block. 4. OFB (Output Feedback) takes one IV, encrypts that, the output is XORed with the first block, and the same IV keeps getting used. Can turn a block cipher into a stream cipher. 5. Counter Mode (CTR) uses a nonce value and a counter value which continues to increase in binary. The nonce & counter are combined and encrypted. The next time it's used, it's the same except the counter is incremented. Can turn a block cipher into a stream cipher.
What are five types of Block Cipher Modes?
- Deterrent: deters the threat actor from even attempting the threat - Preventative: deters the actor from performing the threat - Detective: recognizes an actor's threat and may or may not do something about it. - Corrective: mitigates the impact of a manifested threat - Compensating: provides alternative fixes to any of the above functions
What are five types of security control functions?
- Mandatory Vacation; used to see if bad things stop happening when certain people are out of the office - Job Rotation; switching people to work different positions. - Multi-Person Control; more than one person required to do a task, like launching missiles - SoD (Separation of Duties); single individuals should not perform multiple duties across the board. Sales should not do purchasing, etc - Principle of least privilege; yeah, you know what that is
What are five types of special security controls?
- Public; no restrictions - Confidential; limited to authorized viewing as agreed upon by two parties; may require NDA - Private; for an individual, like SSN, aka PII (Personally Identifiable Information) - Proprietary; like private data, but for a corporation, like the formula for Coke - Protected Health Information (PHI); covered by HIPAA
What are five ways data can be organized?
- "Get" is the standard query we use with SNMP. Consists of the NMS sending a query to a managed device and that device responds. Asking a printer how many pages it has printed and getting an answer is an example of this. - "Set": An SNMP set message sets a variable in a managed device or triggers an action on a managed device. - "Trap" is something we set up on the devices themselves. There are some things where we don't want to wait for a query, we would want to know right away. For example, if a switch suddenly has half its ports overloaded with data. We set it up on a managed device and it is sent to the NMS when the trigger value is reached. - "Walk" or SNMPWalk is like a batch process of "Gets". There are times when you want to ask a bunch of stuff of a managed device.
What are four big commands used with SNMP?
- PAP (Password Authentication Protocol). The oldest authentication method. It sends user names & passwords in the clear, no encryption. Do not use this. - CHAP (Challenge-Handshake Authentication Protocol) is also old and was first used in the PC world. The client and server each have a key. The client will ask the server for permission to authenticate and the server sends a challenge message by creating a hash. Since the client has the key, it can also generate the hash and sends it back to the server. No passwords are being exchanged, it is just hash comparison. - NTLM (NT Lan Manager) is also old. Isn't used in more advanced authentication methods but still used when we have two Windows systems in a workgroup that are logging into each other. Very similar to CHAP except each side, client and server, creates challenge messages for the other. Sort of like a double CHAP. - Kerberos is only used for authenticating to Windows domain controllers. Would have a client, domain controller or KDC (Key Distribution Center), and then something like a file server. The domain controller has two main functions: the authentication service and the ticket granting service. The domain controller gives a TGT (Ticket Granting Ticket) or SID (Security Identifier) to the client which provides authentication but not authorization. The client can use the TGT to get a session key which allows the client to access one particular set of resources.
What are four big methods of authentication?
1. Planning 2. Testing 3. Implementing 4. Auditing
What are four common steps in patch management?
- 1645 - 1646 - 1812 - 1813
What are four possible ports that RADIUS can use?
1. DES: oldest and no longer secure, 56 bit key, 64 bit blocks, 16 rounds, Feistel 2. 3DES: 168 bit key, 64 bit blocks, 16 rounds, Feistel 3. Blowfish: 32-448 bit key, 64 bit blocks, 16 rounds, Feistel 4. AES: 128, 192, 256 bit key, 128 bit blocks, 10, 12, 14 rounds, substitution-permutation, Rijndael cipher
What are four symmetric algorithms and their properties?
1. Packet filtering: Inspects each packet passing through the firewall and accepts or rejects it based on rules, can be Stateful or Stateless 2. NAT filtering: Also known as NAT endpoint filtering, filters traffic according to ports (TCP or UDP). Matches incoming traffic to the corresponding outbound IP address connection 3. ALG (Application Level Gateway): Applies security mechanisms to specific applications, such as FTP or BitTorrent. It supports address and port translation and checks whether the type of application traffic is allowed. Downside is that ALG is resource intensive. 4. Circuit-level gateway: Works at the session layer of the OSI model, and applies security mechanisms when a TCP or UDP connection is established; it acts as a go-between for the transport and application layers in TCP/IP. After the connection has been made, packets can flow between the hosts without further checking. Circuit-level gateways hide information about the private network, but they do not filter individual packets.
What are four types of firewall methodologies?
- Mitigation is like prevention measures such as creating a DMZ - Transference is offloading risk onto a third party like using cloud services - Acceptance is when the cost of preventing the risk outweighs the likelihood and/or impact - Avoidance is when a particular risk has such a high likelihood and/or impact that you simply cannot deal with it so you may choose not to offer particular services
What are four types of Risk Response?
- Users; assigned standard permissions to perform tasks, monitor & report any breaches - Privileged Users; has increased access & control relative to a user - Executive User; makes strategic decisions & sets policies, Read Only access - System Administrator; has complete control, in charge of day to day administration, implements security controls
What are four types of User Roles?
- MD5: oldest, not used anymore b/c of issues of generating collisions; 128-bit - SHA-1: 160-bit, but can still generate collisions - SHA-2: called SHA-256 or SHA-512, etc, based on bit size; no known collisions yet - RIPEMD: open standard, 128, 160, 256, or 320 bit
What are four types of hashes and their sizes?
- Application Logs will have individual problems with applications - Security Logs have to do with individual events that are related to security - Setup Logs have to do with things that have been installed or updated - System Logs are the equivalent of what the exam calls "general logs"
What are four types of logs generated by Event Viewer?
- Vishing uses the telephone system to get private information, usually a robocall - Whaling is a type of Spear Phishing that targets high-level executives and managers. They will work hard to look like something important such as a subpoena, not just a random email asking for a password. - Hoax is pretending something bad is happening when it actually isn't - Watering Hole Attack tries to infect or exploit a website that a group of end users frequent, usually to gain access to their information or network.
What are four types of social engineering attacks that have not been covered on the previous exams?
- BPA (Business Partnership Agreement) is very generic. Will include the primary entities, some form of time frame, financial issues like how much investment each party puts in and management. Very common in private sector - SLA I think you know this one - ISA (Interconnection Security Agreement) comes from NIST 800-47; quantifies how two entities (usually gov't) can make data connections in a safe & secure way. Will have a statement of requirements, system security considerations, topological drawing, and a signature authority - MOU (Memorandum of Understanding/Agreement) is not a contract, but close. Will have purpose of interconnection, relevant authorities, specification of responsibilities, and define terms of agreement, and also conditions for termination
What are four types of third party agreements?
- ARP Poisoning is when you use Ettercap to lie to the other systems on the network so they think a particular IP address they are going to has one MAC address when in reality they are connecting to the attacker's system. - DHCP Spoofing is when the attacker's machine pretends to be the DHCP server - DNS poisoning is when a computer thinks an attacker's system is its DNS server. When the user types in a domain name, if the system doesn't already know the IP address, the fake DNS server will direct them to a malicious site instead. - Replay Attack is directed at secure communications. This would be when you intercept a username and a hash, for example. You may be able to "replay" that information and log in to a server pretending to be a legitimate user. - Downgrade Attack is useful for things like webpages. It's when you get a system to tell a webpage something like they want a secure connection but can only do SSL. That "downgrades" the security from something stronger like TLS. - Session Hijacking is when two people are already talking and the attacker injects bad information into the middle. It is a very difficult attack to pull off b/c it is on a real-time conversation taking place. - Firesheep is a simplified version of session hijacking. It's used on unsecure wireless connections.
What are seven types of MITM attacks?
1. Ransomware: encrypts files and demands a ransom be paid by the user. Often propagated via a trojan 2. Rootkit: designed to gain administrator-level control over a computer system without being detected. Can target the UEFI/BIOS, boot loader, and kernel. 3. Spam: The abuse of electronic messaging systems such as e-mail, broadcast media, and instant messaging. 4. Spyware: Malicious software either downloaded unwittingly from a website or installed along with some other third-party software. 5. Trojan horse: Appears to perform desired functions but actually is performing malicious functions behind the scenes. RAT (Remote access Trojan) is common type 6. Virus: Code that runs on a computer without the user's knowledge; it infects the computer when the code is accessed and executed. 7. Worm: Similar to viruses except that it self-replicates, whereas a virus does not.
What are seven types of malware?
- AUP (Acceptable Use Policy) you know what this is - Data Sensitivity & Classification Policies mean you have to classify how important certain types of data are, such as Confidential, Top Secret, etc - Access Control Policies define how people get access to our data. - Password Policy covers more than length & complexity - Care & Use of Equipment policy covers how you maintain equipment, what to do if it's broken, etc - Privacy Policy means there is no privacy on company time or covers non-privacy when you're using stuff like Facebook - Personnel Policies have to deal with the people who are dealing with our data. Would cover stuff like background checks
What are seven types of security policies on the exam?
1. Surges: A surge in electrical power means that there is an unexpected increase in the amount of voltage provided. This can be a small increase, or a larger increase known as a spike. 2. Spikes: A spike is a short transient in voltage that can be due to a short circuit, tripped circuit breaker, power outage, or lightning strike. 3. Sags: A sag is an unexpected decrease in the amount of voltage provided. Typically, sags are limited in time and in the decrease in voltage. However, when voltage reduces further, a brownout could ensue. 4. Brownouts: A brownout is when the voltage drops to such an extent that it typically causes the lights to dim and causes computers to shut off. 5. Blackouts: A blackout is when total loss of power for a prolonged period occurs. Another problem associated with blackouts is the spike that can occur when power is restored. In the New York area, it is common to have an increased amount of tech support calls during July; this is attributed to lightning storms! Often, damage to systems is due to improper protection. 6. Power supply failure: Power supplies are like hard drives in two ways: One, they will fail. It's not a matter of if; it's a matter of when. Two, they can cause intermittent issues when they begin to fail, issues that are hard to troubleshoot. If you suspect a power supply failure, then you should replace the supply. Also consider using a redundant power supply.
What are six possible power supply issues to be aware of and plan for?
- Script Kiddies have very low knowledge & sophistication, use premade scripts & tools - Hacktivist has some sort of motivation - Organized Crime happens a lot with ransomware, goal is usually to make money - APT (Advanced Persistent Threat)/Nation States like China, China, and uh, China - Insiders is someone inside the company, doesn't always have to be an employee just anyone inside the infrastructure. Could be cleaning crew, contractor, etc - Competitors are professional rivals
What are six types of threat actors?
1. Preparation is coming up with the big plan. Who is doing what when an incident takes place? Organize types of incidents that might happen. - Practice Scenarios are basically a part of preparation. You should rehearse your incident plans. - Reporting is knowing what reports go to whom when an incident takes place. Escalation: under what circumstances does it take place? 2. Identification: need to be able to recognize what incident has occurred. Have to watch reports from users, monitoring tools we have set up, watching alerts & logs. Also have to assess the impact of the incident and define who is involved. 3. Containment: mitigating the damage and stopping the attack. Segregate the network, shut down the system, turn off a service, etc. 4. Eradication: cleaning up the mess. Remove the malware, close off vulnerabilities that caused this, add new controls. 5. Recovery: get back to normal. Restore from backups, pull snapshots, hire replacement personnel, monitor for a while to ensure good operations & that the threat has been removed. 6. Lessons Learned/Documentation: Document the incident, what happened, what failed, what worked, and generate a final report.
What are the Six Phases of Incident Response?
- RADIUS uses UDP while TACACS uses TCP for transport protocol - RADIUS combines authentication & authorization functions when dealing with users; TACACS separates them which provides more security - RADIUS only encrypts the password but not the username; TACACS+ encrypts the entire body of the access-request packet - TACACS+ provides for more types of authentication requests than RADIUS.
What are the big differences between RADIUS and TACACS?
- WEP uses RC4; easily cracked, don't use - WPA uses TKIP; better than WEP but should still not be used as it was just a placeholder until technology could be developed to be 802.11i compliant - WPA2 uses AES and is the current best standard as it is fully 802.11i compliant
What are the different types of wireless encryption and what do they use?
1. Fire Class A: Denoted by a green triangle, this class defines use for ordinary fires consuming solid combustibles such as wood. Think A for "ash" to help remember this type. Water-based extinguishers are suitable for Class A fires only and should not be used in a server room. 2. Fire Class B: Represented by a red square, this type defines use for flammable liquid and gas fires. I like to remember this by associating B with "butane" because butane is a highly flammable gas. 3. Fire Class C: Indicated with a blue circle, this type defines use for electrical fires—for example, when an outlet is overloaded. Think C for "copper" as in copper electrical wiring to aid in memorizing this type. 4. Fire Class D: Designated with a yellow decagon, this type defines use for combustible metal fires such as magnesium, titanium, and lithium. A Class D extinguisher is effective in case a laptop's batteries spontaneously ignite. 5. Fire Class K: Symbolized as a black hexagon, this type is for cooking oil fires. This is one type of extinguisher that should be in any kitchen. This is important if your organization has a cafeteria with cooking equipment. Think K for "kitchen" when remembering this type.
What are the five different Fire Extinguisher Classes?
1. Define the desired state of security: An organization might have written policies defining the desired state of security, or you as the security administrator might have to create those policies. 2. Create baselines: After the desired state of security is defined, baselines should be taken to assess the current security state of computers, servers, network devices, and the network in general. These baselines are known as vulnerability assessments. 3. Prioritize vulnerabilities: create a list of items that need to be mitigated in order. 4. Mitigate vulnerabilities: Go through the prioritized list and mitigate as many of the vulnerabilities as possible. This depends on the level of acceptable risk your organization allows. 5. Monitor the environment: When you finish mitigation, monitor the environment and compare the results to the original baseline. Use the new results as the post-mitigation baseline to be compared against future analyses.
What are the five steps of vulnerability management?
- Encryption - Key Exchange - Authentication - HMAC (Hash-based Message Authentication Code)
What are the four main aspects to a secure connection?
1. RSA: 1024-4096 bit variable key size, very popular, digital signatures 2. ECC: starting to replace RSA b/c it is faster & uses less resources 3. El Gamal: used in recent versions of PGP, extension of Diffie-Hellman 4. Diffie-Hellman: no authentication, vulnerable to MITM attacks, used for key exchange
What are the four main asymmetric algorithms?
1. Memory: not merely RAM but things like caches, routing tables, ARP tables. 2. Data on Disk: not just hard drives but also optical & thumb drives. There may be data on the disk that will disappear when the system shuts down, like cache, swap files, or temp files. There are tons of programs designed to capture this info, and they are designed to work on what we call a Write Blocker, which is something where, in a court of law, you could say it is impossible for me to have written to this system b/c this only grabs data; it is not capable of writing back to the data. 3. Remotely Logged Data: could be logs on a remote web site or remote file server. 4. Backups: can be a great tool if looking for trends, like things a suspect has done in the past. Backups have the lowest volatility but can take the longest to gather the data.
What are the four steps in the OOV (Order of Volatility)?
- MAC (Mandatory Access Control): a group labels the resources and your access level determines if you can access it (like Secret, Top Secret, etc) - DAC (Discretionary Access Control): the owner of the resources decides who can access - RBAC (Role-Based Access Control): most common today. Apply access to resources based on your role. In Windows, that's determined by what group you are assigned to - ABAC (Attribute-Based Access Control): access model that is dynamic and context-aware. Access rights are granted to users through the use of multiple policies that can combine various user, group, and resource attributes together such as time of day, location of logons, etc. It makes use of IF-THEN statements based on the user and requested resource.
What are the four types of Authorization Models?
- System Owner: person who is legally responsible for the data, usually a corporation; management level, maintains security of the system, defines a system admin. The owner works with all data owners to ensure data security - Data Owner: defines the sensitivity & protection of the data, works with system owner to protect the data. They also define access to the data - Steward/Custodian: group who has to protect the accuracy & integrity of the data - Privacy Officer: in charge of ensuring we are dealing with good data
What are the four types of Role-Based Data Controls?
- Private Cloud is just for your own organization, usually a bunch of VMs like at work. - Public Cloud is the opposite. It is like AWS; they are public companies open for business and anyone with a credit card can join up. - Hybrid Cloud is a mixture of both of the above methods. There is one big cloud, but some of it is segregated as private and some is offered up as public, usually due to excess capacity. - Community Cloud is a joint venture with several different entities. They join up as a community in order to chip in and mitigate the costs of setting up a cloud. It is like a members-only club.
What are the four types of cloud models?
- Authority is impersonating someone higher up - Intimidation is trying to bully or frighten someone - Consensus is like peer pressure, e.g. "Bob does this for me all the time." - Scarcity is to describe a lack of something, "These aren't available anywhere else" - Familiarity is to imply a close relationship when there is none - Trust is to build assurance so the target relies on the attacker - Urgency is to call for immediate action
What are the seven principles of Social Engineering?
1. Identify malware symptoms. 2. Quarantine infected systems. 3. Disable System Restore (in Windows). 4. Remediate infected systems: Update anti-malware software. Use scan and removal techniques (for example, Safe Mode and preinstallation environments). 5. Schedule scans and run updates. 6. Enable System Restore and create a restore point (in Windows). 7. Educate end users.
What are the seven steps of malware removal?
- RAID 0 or STRIPING is designed to increase the speed at which you get your data & requires a minimum of 2 drives. It works by storing pieces of files on multiple drives. Advantage is speed since you aren't waiting for one hard drive, but downside is no data security b/c if one drive dies, you lose everything. Provides no integrity - RAID 1 or MIRRORING requires minimum of 2 drives, always an even number of drives, and offers integrity & redundancy where multiple copies of files are saved, but actually slows things down since the system has to do everything twice. - RAID 5 took parity to the next level b/c instead of making one drive do nothing but parity, it distributes the parity evenly across all three drives. This was the most popular form of RAID for a long time. The downside to it is that you can only lose one drive, regardless of how many drives you have in the array. - RAID 6 requires a minimum of 4 drives; generates two parities distributed on separate drives and has become more popular than RAID 5 b/c you can lose up to 2 drives before you lose any data - RAID also has hybrid levels. RAID 0+1 or RAID 01 mirrors the stripes; 4 drives and striped drives are paired and each pair is mirrored. You can lose one complete mirrored pair and be OK, but if you lose one drive inside of each pair you will lose data - RAID 10 or RAID 1+0 uses STRIPING MIRRORS and needs 4 drives; uses mirrored pairs. Data will be striped and mirrored across the drives. You can lose one drive on each mirrored pair, but no more
What are the six levels of RAID?
1. Define the Evidence: what are we collecting and what does it look like? Hard drive image, thumb drive, video? Etc. 2. Document Collection Method: people will challenge us that we've changed data. This can be solved by using hashing 3. Date/Time Collected: obviously important 4. People handling the evidence: need their names & contact info showing exactly who has handled the evidence. 5. Function of the person handling the evidence: shows that the person who handled evidence is authorized and qualified to do so. 6. Locations of the evidence: it may move over time from initial collection to storage room to courtroom, etc. All of these movement steps must be documented.
What are the six steps in the Chain of Custody process?
1. Clearing: using some internal command within a mass storage device to make the data go away. You can still use the storage device after this. Example is an erase or delete command. This is not secure b/c some data can be recovered. Another example is Wiping Programs: they start at the beginning of a drive and write all zeroes, all ones, or some random, garbage mix and go all the way to the end of a drive. 2. Purge: means to do something to the device externally to make the data go away. You will not be able to use the device any more for future storage. Good example is a Degaussing Machine. When it comes out, all the data is destroyed. Another purge example would be a Crypto erase which is destroying the keys for an encrypted hard drive. 3. Destroy: you ruin the media in some way that it is no longer functional. Remember this is not simply hard drives but can also be paper media, tapes, floppy discs, optical discs, etc. Burning is a great method for destruction. So is Pulping, which is taking your paper, getting it wet, turning it into mush. Shredding can be done to paper and hard drives. Pulverizing grinds a hard drive down into little teeny tiny pieces.
What are the three levels of Destruction/Media Sanitation and some examples of each?
1. Full Backup: backs up everything and resets the archive bit. 2. Differential backup: fewer backup sets required, but they are bigger. Backs up all changes since the last full backup. If you did a full backup on Monday and a differential backup every day after that: Tuesday's would only have changes since Monday's backup, Wednesday's backup would have all of Tuesday's and Wed's changes, and so on. If Friday's backup gets corrupted, the differential backup from Thursday would have all changes done since Monday's full backup. To restore the system, you would only need Monday's full backup and Thursday's differential backup. Does not reset the archive bit. 3. Incremental Backup: more backup sets required, but they are smaller. Only backs up changes from the last backup of ANY TYPE. An incremental backup done each day would only document changes done on those days. Tuesday only has Tuesday's changes, Wed only has Wed's changes, etc. So if Friday's backup failed again, to restore the system you would need Monday's full backup, plus each day's backup from Tues, Wed, and Thurs to restore the system. It resets the archive bit
What are the three types of data backups?
1. Stateless Firewall (Packet Filter): will filter and block stuff no matter the situation based on rules. For example, setting it up to always block port 197 so traffic is blocked no matter what, that is a stateless firewall. Any such blocking rule is a stateless configuration and is stored in an ACL. Takes actions based on rules you set up and the ACL. Cannot stop something like a SYN flood. 2. Stateful Firewalls (SPI; Stateful Packet Inspection): don't really have an ACL; it is based on network behavior more than rules. It looks at what is going on and then makes a decision about what it will do. For example, if a lot of pings start coming into a system, a stateful firewall may decide to start blocking pings. 3. Application-Based Firewall: Controls traffic associated with specific applications, which a network firewall cannot do. Designed to protect an application such as a web application. You could set one up in front of a web server that is only protecting just the web server itself, or a WAF (Web Application Firewall).
What are the three types of firewalls and how are they different?
1. MAC Flood: sending numerous packets to the switch, each of which has a different source MAC address, in an attempt to use up the memory on the switch. If this is successful, the switch changes state to what is known as fail-open mode. At this point, the switch broadcasts data on all ports the way a hub does. This reduces bandwidth and allows eavesdroppers to capture network data. 2. MAC Spoofing: when an attacker masks the MAC address of their computer's network adapter with another number. This can allow a user to disguise their computer as another system on, or off, the network, thus fooling a switch and possibly gaining access. 3. Physical tampering: someone accesses the management port on the switch or intentionally causes looping by plugging cables into wrong ports.
What are three attacks that can be done against network switches?
1. FDE (Full Disk Encryption) is the best option for mass storage disk security. 2. SDE (System Data Encryption) is the method of encryption that ties key files to specific hardware & OS 3. SED (Self Encrypting Drive) is a hard disk that, when you first install it, will ask for a password. Once the password is generated, every time the drive is accessed it will require the password. The drive automatically performs full encryption on its own, constantly. Don't ever lose the password as there will be no other way to recover the data.
What are three methods of disk encryption?
1. Endpoint DLP systems: These systems run on an individual computer and are usually software-based. They monitor data in use, such as e-mail communications, and can control what information flows between various users. These systems can also be used to inspect the content of USB-based mass-storage devices or block those devices from being accessed altogether by creating rules within the software. 2. Network DLP systems: These can be software- or hardware-based solutions and are often installed on the perimeter of the network. They inspect data that is in motion. 3. Storage DLP systems: These are typically installed in data centers or server rooms as software that inspects data at rest.
What are three types of DLP systems?
1. Portable gas-engine generator: The least expensive, and run on gasoline or possibly solar power. They are noisy, high maintenance, must be started manually, and usually require extension cords. They are a carbon monoxide risk and are only adequate for small operations and in mobile scenarios. 2. Permanently installed generator: Much more expensive, with a complex installation. These almost always run on either natural gas or propane. They are quieter and can be connected directly to the organization's electrical panel. Usually, these are standby generators and, as such, require little user interaction. 3. Battery-inverter generator: These are based on lead-acid batteries, are quiet, and require little user interaction aside from an uncommon restart and change of batteries. They are well matched to environments that require a low amount of wattage or are the victims of short power outages only. A UPS falls under this category
What are three types of backup power generators?
1. 10 Tape Rotation: This method is simple and provides easy access to data that has been backed up. It can be accomplished during a two-week backup period; each tape is used once per day for two weeks. Then the entire set is recycled. 2. Grandfather-father-son: This backup rotation scheme is probably the most common backup method used. When attempting to use this scheme, three sets of backup tapes must be defined—usually they are daily, weekly, and monthly, which correspond to son, father, and grandfather. Backups are rotated on a daily basis; normally the last one of the week will be graduated to father status. Weekly (father) backups are rotated on a weekly basis, with the last one of the month being graduated to grandfather status. 3. Towers of Hanoi: based on a math puzzle. This also uses three backup sets, but they are rotated differently. Without getting into the mathematics behind it, the basic idea is that the first tape is used every second day, the second tape is used every fourth day, and the third tape is used every eighth day.
What are three types of data backup schemes?
- Scalability is how well you can handle increases in traffic. Good scalability would be if your site receives a big increase in traffic, you can easily add servers to handle the increased demand. - Elasticity is bringing up extra capabilities during a specific event or season, then taking it back down. Handles short term increases in traffic. - Redundancy is having more than one of the exact same thing. For example, adding a second or third domain controller in case the main one goes out. Distributive Allocation is related to this, so for example if you had three different locations with a main server at one, a redundant server at another location could take over in case the main one went down.
What are three types of system resiliency?
- Snapshot is taking the current state of something at a binary level and keeping a copy of it. Most commonly used with VMs. It allows you to revert a system to a previous state or configuration. - Known State is slightly different. Snapshot tends to refer to an entire machine. Known State would be one small aspect of a machine. Usually in reference to going into Windows Update and rolling back one particular update to get back to a previously known working state. - Rollback usually refers to drivers. If you update and a device begins malfunctioning, you may want to rollback the driver update.
What are three ways to do non-persistence?
- An SSL Accelerator Card helps a system with asymmetric encryption. Its only job is to encrypt & decrypt on the fly, since asymmetric encryption can be burdensome on a CPU. Can be very useful to help secure something like a public-facing server in a DMZ. - An SSL Accelerator can also be an appliance, not just a card. This is useful for very large enterprise organizations that may have tons of public-facing servers where installing a card on each individual machine may be too onerous. - A Load Balancer is a device you put between the internet and your servers. It is essentially a proxy server and can distribute requests based on the current workload of each machine. - A DDoS Mitigator is a box that can detect when a DDoS attack is occurring. It basically calls for help to a company like Cloudflare, who then have servers all over the internet which act as proxies for a website.
What are three ways to protect public-facing servers in a DMZ?
- VM Sprawl: when people start creating too many virtual machines inside the network, not properly documenting or securing them, etc. - VM Escape: when attackers figure out ways to break out of the VM sandbox and infiltrate the network.
What are two potential problems with virtualization?
- Bluejacking is making a connection to take advantage of a resource or the sending of unsolicited messages to Bluetooth-enabled devices such as mobile phones. - Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection. Generally, bluesnarfing is the theft of data (calendar information, phonebook contacts, and so on).
What are two types of Bluetooth attacks?
- A Thick Client is a standalone WAP and usually has a bunch of antennas sticking out. It is a device we have to configure by itself. - Thin Clients are smaller, more common in enterprise environments, may look like round discs, and usually don't have visible antennas. You don't go into them and manually configure them. They have to be handled through a controller. They are often more convenient since a lot of times many of the settings will be the same across your office. Multiple thin clients can be configured all at once. Many thin clients are also set up to be able to connect to an external antenna if the internal antennas they come with aren't powerful enough.
What are two types of WAPs?
- VDE (Virtual Desktop Environment) is also like old-school remote desktop. This does not involve VMs but rather some type of terminal which allows a client to take control of a physical machine. Can even be done via another PC, laptop, or even a smartphone app. - VDI (Virtual Desktop Integration) is like what you have at work. There is some sort of bare-bones thin client which hooks into a VM somewhere remotely, not linking up with a physical machine. You can deploy complete operating systems without needing a zillion copies of it.
What are two types of machine deployment associated with cloud integration?
1. Vertical privilege escalation: When a lower privileged user accesses functions reserved for higher privileged users; for example, if a standard user can access functions of an administrator. This is also known as privilege elevation and is the most common description. To protect against this, update the network device firmware. 2. Horizontal privilege escalation: When a normal user accesses functions or content reserved for other normal users; for example, if one user reads another's e-mail. This can be done through hacking or by a person walking over to other people's computers and simply reading their e-mail!
What are two types of privilege escalation?
Certificate Pinning
What is a way to help to detect and block many types of MITM (man-in-the-middle) attacks by adding an extra step beyond normal X.509 certificate validation?
A firewall filters, an IDS notifies, and an IPS acts to stop
What is the difference between a firewall, IDS, and IPS?
Forward Proxy Servers are when the client is aware of the proxy. The client speaks to the proxy, then the proxy handles the request and "forwards" it to the server as a representative of the client. They have been around for a long time. A traditional forward proxy would be a dedicated box or piece of software running inside an organization. A very common example is school networks. They provide caching and content filtering, can take ads out, block certain parts of websites, and act like a firewall by blocking based on rules.
What type of proxy has the client aware of the proxy?
NOP (No Operation instructions or no-op instructions): a large number of these can be used to overflow a buffer, which could allow unwanted code to be executed or result in a denial of service (DoS). Large numbers of NOP instructions can be used to perform a NOP slide (or NO-OP sled).
What would you most likely find in a buffer overflow attack?
AP isolation
When each client connected to a WAP will not be able to communicate with or see each other, but they can each still access the Internet.
IaC (Infrastructure as Code): uses definition and configuration files to provision and manage data centers. Automating this process through scripts can ensure that there is more control and less opportunity for error when deploying servers, as compared with manual configuration. IaC is the foundation for secure DevOps. Security Development Operations (DevOps) means that security is built into all your development operations.
Which process allows you to deploy, configure, and manage data centers through scripts?
ANT+
Wireless protocol that is responsible for sending information wirelessly from one device to another device, in a robust and flexible manner. Used a lot with things like heart rate monitors, exercise equipment, etc
- Always follow the order of volatility: 1. Cache 2. RAM 3. Running Processes 4. Hard Drives 5. Backup Media
With digital forensics, in what order should you collect & preserve the five most important parts of a system?