Security+

Ace your homework & exams now with Quizwiz!

provides authentication before securely sending information to a Web server.

Digital certification

Fibre Channel over Ethernet

FCoE

is a Russian private key encryption standard that uses a 256-bit encryption key. GOST was developed as a counter to the Data Encryption Standard (DES).

GOST

is a hashing algorithm and not an encryption algorithm. It processes 1024-bit block sizes of information. HAVAL creates message digests of variable sizes rather than a fixed output value. HAVAL produces hashes in lengths of 128, 160, 192, 224, and 256 bits.

HAVAL

HTTP Secure (HTTPS) is used to encrypt an entire channel using private key encryption. It is used to encrypt all information between two computers.

HTTPS

is a block cipher that operates on 64-bit blocks of data, requires a 128-bit key, and performs eight rounds of computation. The Pretty Good Privacy (PGP) encryption software uses IDEA.

International Data Encryption Algorithm (IDEA)

hat are used to prevent intrusion before it occurs. While you can include preventative technical controls in your security plan, preventative controls can be technical, physical, or administrative. Preventative technical controls include access control lists (ACLs), routers, encryption, antivirus software, encryption, smart cards, and call-back systems.

Preventative Controls

are wireless access points that have been connected to your network without authorization. This decreases the security of your network. A site scan can be used to determine if you have rogue access points. For example, if your company is located in a building with three wireless networks, you have a rogue access point if a quarterly scan showed the following results: CorpPrivate - Connected Channel 1 - 70dbm CorpPublic - Connected Channel 5 - 80dbm CorpResearch - Connected Channel 3 - 75dbm CorpDev - Connected Channel 6 - 95dbm

Rogue access points

A protocol that allows files to be copied over a secure connection

SCP Secure Copy Protocol

version 3 is an e-mail security method that is defined in Request for Comments (RFC) 2632 and RFC 2634. S/MIME 3 provides non-repudiation, authentication, and integrity for e-mail messages.

Secure Multipurpose Internet Mail Extension (S/MIME)

implements the 802.11i standard completely. Therefore, it does not support the use of older wireless cards. Identification and WPA2 are considered the best combination for securing a wireless network.

WPA2

File Transfer Protocol Secure (FTPS) is a more secure version of FTP. FTPS uses the same commands as FTP. FTPS uses Secure Sockets Layer (SSL) for security. FTPS uses ports 989 and 990, by default.

FTPS File Transfer Protocol Secure

is an asymmetric encryption algorithm. It is not based on the Diffie-Hellman key agreement.

Knapsack

the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers. "many victims of vishing are people who are not tech-savvy"

vishing

are both chips that implement hardware-based encryption. The main difference between the two is that a TPM chip is usually mounted on the motherboard and HSM chips are PCI adapter cards.

Trusted Platform Module (TPM) and Hardware Security Module (HSM)

A computer virus hoax is a message warning the recipients of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipients to forward it to everyone they know.

Virus hoax

was created to fix core problems with WEP. WPA is designed to work with older wireless clients while implementing the 802.11i standard. WAP is the default protocol used by most wireless networks and devices. However, because WAP can access Web pages and scripts, there is great opportunity for malicious code to damage a system. WAP does not provide maximum security. It is considered the weakest wireless protocol.

WAP

is the security standard for wireless networks and devices that uses encryption to protect data. However, WEP does have weaknesses and is not as secure as WPA or WPA2.

WEP

snapshots

Which of the following will allow the live state of the virtual machine to be easily reverted after a failed upgrade?

A hub and a repeater are central network connection devices that are designed to transmit data between computers on the same subnet. Hubs and repeaters are not used to transmit data between subnets.

hub

to allow remote employees to connect to internal resources via a RADIUS server. Implementing 802.1x would allow a company to reduce the exposure of sensitive systems to unmanaged devices on internal networks. 802.1x can also be used on wired networks to segment traffic intended for the wireless access point. For example, if a company has several conference rooms with wired network jacks that are used by both employees needing access to internal resources and guests needing access to the Internet only, you should implement 802.1x and VLANs. 802.1x is an good solution if you need to make sure that only devices authorized to access the network would be permitted to log in and utilize resources.

802.1x

is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted.

A Certificate Revocation List (CRL)

This mode ensures that wireless clients can only communicate with the wireless access point and not with other wireless clients. This is also referred to as client isolation mode.

Isolation Points

can an organization use to add security restrictions and encryption to existing mobile applications?

B. Containerization D. Application wrapping

JavaScript is a programming language that allows access to resources on the system running the JavaScript. JavaScript scripts can be downloaded from a Web site and executed.

JavaScript

is a private key encryption standard that is used in Pretty Good Privacy (PGP). International Data Encryption Algorithm (IDEA) is a private key encryption standard that was developed in Switzerland. IDEA is used in PGP and uses 128-bit encryption keys. RC5 is a private key encryption standard that was developed at the Massachusetts Institute of Technology. RC5 supports variable length encryption keys.

CAST-128

The client sends the server a request for logon. The server sends the client a challenge message. The client creates a message digest from a hashing algorithm and includes the digest in a response message. The client sends the server a response. The server uses a hashing algorithm to create a message digest. The server compares the message digest in the response with the one the server created. The server sends either an authorize message or a fail message to the CHAP client.

CHAP handshake authentication process:

act as safeguards for Internet transactions in which a user makes an online transaction with a Web server by providing services, such as non-repudiation, authentication, and encryption and decryption of data. When a certificate is created, the user's public key and the validity period are combined with the certificate issuer and the digital signature algorithm identifier before computing the digital signature.

Certificates

are organized in a trust hierarchy or trust mesh. In a hierarchy model, a root CA is at the top of a CA trust hierarchy and contains a root certificate, which is used to sign certificates for CAs in the level immediately below the root CA. The centralized model uses a CA to issue and revoke certificates. In a mesh model, CAs may certify other CAs, provided no naming constraints are applied

Certification authorities (CAs)

for a digital certificate only requires an e-mail address.

Class 1 assurance

is the use of video cameras to transmit a signal to a specific place, on a limited set of monitors. It differs from broadcast television in that the signal is not openly transmitted, though it may employ point to point (P2P), point to multipoint (P2MP),

Closed-Circuit Television (CCTV)

is an approach to computer security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement.

NAC

requires more than one individual to accomplish a critical task. Separation of duties ensures that no individual can compromise a system, and it is considered valuable in deterring fraud. Separation of duties can be either static or dynamic. Static separation of duties refers to the assignment of individuals to roles and the allocation of transactions to roles. In static separation of duties, an individual can be either an initiator of the transaction or the authorizer of the transaction. In dynamic separation of duties, an individual can initiate as well as authorize transactions.

Collusion

Virtualization that allows an operating system kernel to run multiple isolated instances of the guest is called:

Containers

Defined in RFC 5216, is an IETF open standard that uses the Transport Layer Security (TLS) protocol, and is well-supported among wireless vendors. EAP-TLS is the original, standard wireless LAN EAP authentication protocol.

EAP-TLS EAP Transport Layer Security

is a Microsoft Windows feature that supports file encryption on NTFS hard disk volumes.

Encrypting File System (EFS)

is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. In other words a Host Intrusion Prevention System (HIPS) aims to stop malware by monitoring the behavior of code. This makes it possible to help keep your system secure without depending on a specific threat to be added to a detection update. Historically HIPS and firewalls are closely related. Where a firewall regulates the traffic to and from your computer based on a rule set, HIPS do more or less the same, but for the major changes made on your computer.

Host Intrusion Prevention System (HIPS)

It has 340 undecillion avialable address. It uses 128- bit addresses

IPv6

occurs when you maintain a secured copy of a user's private to ensure that you can recover the lost key. In some cases, a third party may be selected to provide the key escrow service when the key is owned by one organization but is used by another. If a third party provides this service, it ensures that the organization that is using the key can still recover data if the organization that owns the key goes out of town. Key escrow is a primary concern in cryptography and in a public key infrastructure (PKI). Key escrow is required when implementing a PKI if data loss is unacceptable.

Key escrow

are designed to invalidate keys.

Key revocation systems

is used to digitally sign packets that are transmitted on Internet Protocol Security (IPSec) connections. The standard is also referred to as Keyed-Hash Message Authentication Code (KHMAC).

Keyed Hashing for Message Authentication Code (KHMAC)

is an authentication protocol used exclusively by Cisco. Cisco is slowly transitioning from using its proprietary LEAP protocol to using PEAP because LEAP is not as secure as PEAP.

LEAP Lightweight Extensible Authentication Protocol

router acts as the interface between a local area network and the Internet using one IP address.

Network Address Translation (NAT) router

Backup controls, software testing, and anti-virus management are components of operational software controls. Operational software controls check the software to find whether the software is compromising security or not. Trusted recovery procedures, audit trails, clipping levels, operational and life-cycle assurance, configuration management, and media and system controls are all examples of operational controls.

Operational Control

a type of network address translation. During PAT, each computer on LAN is translated to the same IP address, but with a different port number assignment. PAT is also referred to as overloading, port-level multiplexed NAT or single address NAT.

PAT Port Address Translation

models approach the problem of access control based on established roles in an organization. Enforcing SELinux on a server is locking down the server for everyone. This does not vary according to job role.

Role-Based Access Control (RBAC)

is used by numerous manufacturers of network equipment and software who are developing simplified means of handling certificates for large-scale implementation to everyday users, as well as being referenced in other industry standards.

SCEP Simple Certificate Enrollment Protocol

Secure File Transfer Protocol (SFTP) is the most secure version of FTP. This version is actually Secure Shell (SSH) with FTP capabilities. FTPS is more widely known than SFTP, but SFTP is more secure. SFTP uses port 22, by default.

SFTP Secure Transfer Protocol

SSH creates an encrypted remote terminal connection with a UNIX computer. Protocol that uses a secure channel to connect a server and a client

Secure Shell (SSH)

is a security protocol that uses both encryption and authentication to protect data sent in network communications. A protocol that secures messages between the Application and Transport layer

Secure Sockets Layer (SSL)

A load balancer has the ability to remember which server a particular client is using and always directs that client to the same server. This feature is called:

Session affinity

is a key management and distribution protocol used for secure IP communication, such as Internet Protocol Security (IPSec). SKIP uses hybrid encryption to convey session keys. These session keys are used to encrypt data in IP packets. SKIP uses a key exchange algorithm, such as the Diffie-Hellman algorithm, to generate a key-encrypting key that will be used between two parties. A session key is used with a symmetric algorithm to encrypt data. SKIP is not a key storage protocol. It is a key distribution and management protocol similar to Internet Key Exchange (IKE). SKIP works on a session-by-session basis, although it does not require prior communication for the establishment of sessions. SKIP employs encryption standards, such as Data Encryption Standard (DES) and Triple DES (3DES), to provide secure communication. SKIP does not deploy IKE for key distribution and management. IKE is a separate framework used to securely exchange keys to establish an IPSec session.

Simple Key management protocol for Internet Protocols (SKIP)

If a user signs a file with a digital signature before sending the file to another user, the recipient can then use the digital signature to ensure that the file was not changed during transmission.

a digital signature

defines how users are allowed to employ company hardware

acceptable use policy

You should use ad hoc, which is an 802.11b communications mode that enables wireless devices to communicate directly. The 802.11b wireless networking technology is sometimes referred to as WiFi. In infrastructure mode, 802.11b devices must communicate through wireless access points. Transport and tunnel modes are provided by Internet Protocol Security (IPSec) to transmit Internet Protocol (IP) packets securely.

ad hoc

ALE = ARO (Ammual Rate of Occurnce) X SLE Single Loss Expectancy

annualized loss expectancy (ALE)

is the creation of a strategy through the recognition of threats and risks facing a company, with an eye to ensure that personnel and assets are protected and able to function in the event of a disaster.

business continuity planning (BCP)

contains a list of serial numbers for digital certificates that have not expired, but that a certification authority (CA) has specified to be invalid. Typically, the serial number of a digital certificate is placed in a CRL because the digital certificate has been compromised in some way.

certificate revocation list (CRL)

n public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature). The most common format for CSRs is the PKCS #10 specification and another is the Signed Public Key and Challenge SPKAC format generated by some web browsers.

certificate signing request (also CSR

A large number of Christmas tree packets can also be used to conduct a DoS attack by exploiting the fact that Christmas tree packets require much more processing by routers and end-hosts than the "usual" packets do. Christmas tree packets can be easily detected by intrusion-detection systems or more advanced firewalls.

christmas xmas attack

Cloud service provider

cloud service provider (CSP)

is an agreement established between organizations that own and operate connected systems to document the technical requirements of the connection. An ISA can also be used to ensure both parties have a clear understanding of the controls needed to protect the data.

interconnection security agreement (ISA)

is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system.

intrusion detection systems (IDSs)

Input validation

is a defensive technique intended to mitigate against possible user input attacks, such asbuffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain

is a system used to monitor a network as well as protect the confidentiality, integrity, and availability of a network. Its main functions include protecting the network from threats, such as denial of service (DoS) and unauthorized usage. The NIPS monitors the network for malicious activity or suspicious traffic by analyzing the protocol activity. Once the NIPS is installed in a network, it is used to create physical security zones. This, in turn, makes the network intelligent and quickly discerns good traffic from bad traffic. In other words, the NIPS becomes like a prison for hostile traffic such as Trojans, worms, viruses, and polymorphic threats.

network intrusion protection system (NIPS)

configuring a new Linux web server where each user account is confined to a chroot jail. Which of the following describes this type of control? is a testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development including Web development and revision control.

sandbox

This type of network can be used to ensure that internal access to other parts of the network is controlled and restricted. A VLAN is usually created using a switch. VLAN segregation protects each individual segment by isolating the segments. VLAN segregation is best used to prevent ARP poisoning attacks across a network. VLANs provide a layer of protection against sniffers, and can decrease broadcast traffic. Creating a VLAN is much simpler than using firewalls or implementing a virtual private network (VPN). A VLAN is a good solution if you need to separate two departments into separate networks. VLAN management is implemented at the switch to configure the VLANs and the nodes that are allowed to participate in a particular VLAN. You can configure a switch to allow only traffic from computers based upon their physical (MAC) address.

virtual local area network (VLAN)

SSO allows a single authentication credential--user ID and password, smart card, one-time password token or a biometric device--to access multiple or different systems within a single organization. A federated identity management system provides single access to multiple systems across different enterprises. source.

Federate Authentication

is an agreement between two companies that ensures that both parties implement the appropriate security measures. This type of agreement is particularly important when the two partners exchange data that could harm the companies' reputations if the data was accessed by an attacker.

A business partners agreement (BPA)

is an encryption method designed to be used only once. An OTP is a random number that is used to encrypt only one document. The OTP must be used to decrypt a file that was encrypted with the OTP.

A one-time pad (OTP)

implies that two operators review and approve each other's work. A two-man control acts as a crosscheck and reduces chances of fraud, minimizing the risks associated with operations involving highly sensitive information.

A two main control

is a method of determining system vulnerabilities and their risk(s). Steps are then taken to reduce the risk.

A vulnerability assessment

is employee or customer usage of company resources that is allowed and defined in a contractually binding document, referred to as an acceptable use policy.

Acceptable use

You should not use ActiveX. ActiveX customizes controls, icons, and other Web-enabled systems to increase their usability. ActiveX components and controls are downloaded to the client. is very vulnerable to attacks because users can configure their computer to automatically access an ActiveX component or control.

ActiveX

include policies and procedures, personnel controls, supervisory structure, security training, and testing.

Administrative Controls

is a newer encryption standard that uses the Rijndael algorithm with 128-bit, 192-bit, or 256-bit keys. AES256 is stronger than DES, 3DES, SHA, or RC4. Blowfish is a private key encryption algorithm that was developed for optimal performance on 32-bit central processing units (CPUs). Blowfish supports keys up to 448 bits in length. Data Encryption Standard (DES) is an older private key encryption algorithm that was developed by IBM in the 1970s. DES uses 56-bit encryption keys on 64-bit data blocks.

Advanced Encryption Standard (AES)

provides confidentiality because encryption protects the contents of a file from being viewed by unauthorized users.

Asymmetric Encryption

CHAP is typically used for authentication on dial-up connections. A challenge/response mechanism, sometimes referred to as a three-way handshake, uses a secret password that verifies the identity of a user or node without revealing the password. CHAP uses only encrypted passwords during the authentication process.

Challenge Handshake Authentication Protocol (CHAP) uses a challenge/response mechanism.

Distinguish between your system types. Document your change process. Develop your changes based on the current configuration. Always test your changes. Do NOT make more than one change at a time. Document your fallback plan. Assign a person who is responsible for change management. Regularly report on the status of change management.

Change Management

for a digital certificate verifies a user's name, address, social security number, and other information against a credit bureau database.

Class 2 assurance

Regulatory compliance - Consider how the cloud provider will comply with the federal, state, and local regulations that apply to your organization. Data location - Consider where your data will be physically stored. Data recovery - Consider what happens to your data is case of disaster. Investigate support - Consider how security breaches will be investigated. Long-term viability - Consider if the cloud provider would ever close or sell to a larger entity. Data segregation - Consider that your organization's data can reside in the same physical space as a competitor. Privileged user access - Consider who from the provider has access to your data.

Cloud Computing Risks

is a network system that monitors data on computers to ensure the data is not deleted or removed. If your organization implements a DLP system, you can prevent users from transmitting confidential data to individuals outside the company.

DLP Data Loss Prevention

is a private key encryption standard that is used in IPSec to ensure that data packets are confidentially transmitted. Diffie-Hellman facilitates encryption key sharing. Internet Security Association and Key Management Protocol (ISAKMP) supports the establishment of security associations (SAs), which are sets of parameters that define the methods used by computers to communicate securely. (DES) is a block cipher encryption standard that uses a single 56-bit encryption key to encrypt 64-bit blocks of data. It is a symmetric or private key encryption algorithm.

Data Encryption Standard (DES)

Detective controls are controls that are used to detect intrusion when it occurs. While you can include detective technical controls in your security plan, detective controls can be technical, physical, or administrative. Detective technical controls include audit logs and intrusion detection systems (IDSs).

Detective Controls

is a method used to implement public-key (asymmetric) cryptography. ECC serves as an alternative to the RSA algorithm and provides similar functionalities. The functions of ECC are as digital signature generation, secure key distribution, and encryption and decryption of data. The advantage of Elliptic Curve Cryptography (ECC) over the Rivest, Shamir, and Adleman (RSA) algorithm is its improved efficiency and requirement of fewer resources than RSA. ECC has a higher strength per bit than an RSA.

ECC Eliptic Curve Cryptography

is an asymmetric public key encryption algorithm based on the Diffie-Hellman key agreement. It is used for digital signatures, encryption of data, and key exchange. The mathematical functions in the ElGamal algorithm calculate discrete logarithms in a finite field. Diffie-Hellman is one of the first implementations of a public/private key system.

ElGamal

File Transfer Protocol (FTP) is considered more secure than TFTP because it can provide authentication and encryption mechanisms. FTP uses ports 20 and 21, by default. is used to transfer files on a TCP/IP network. FTP transmits data in clear text. Secure Copy (SCP) enables users to transfer files over a secure connection. Telnet is a protocol that enables a user to establish terminal connections with UNIX computers. Telnet transmits data in clear text.

FTP File Transfer Protocol

provides the highest level of security.

HTTPS

include MD2, MD4, MD5, HAVAL, and all of the Secure Hash Algorithm (SHA) variants. Hashing is the best way to protect confidentiality of sensitive data entered in a database table.

Hashing algorithms

is the preferred authentication protocol for Windows 2000 Server, Windows Server 2003, and Windows Server 2008. It uses DES for encryption.

Kerberos

is the oldest authentication protocol listed. LANMan uses a hash and two Digital Encryption Standard (DES) keys. LANMan is seen as non-secure based on its ability to only store seven uppercase characters of data, making it susceptible to brute force attacks.

LAN Manager (LANMan)

is an enhancement of PPTP and can also be used to create a VPN. L2TP is a combination of PPTP and Cisco's Layer 2 Forwarding (L2F) tunneling protocols and operates at the Data Link layer (Layer 2) of the Open Systems Interconnection (OSI) model. L2TP uses User Datagram Protocol (UDP) for sending packets as well as for maintaining the connection. Internet Protocol Security (IPSec) is used in conjunction with L2TP for encryption of the data. L2TP can be combined with Internet Protocol Security (IPSec) to provide enhanced security. Both PPTP and L2TP create a single point-to-point, client-to-server communication link.

Layer Two Tunneling Protocol (L2TP)

To increase the security of this wireless network, you should configure Media Access Control (MAC) filtering. With this filtering, the MAC address of each network interface card (NIC) that attempts to connect to the network is checked. Only MAC addresses that are specifically allowed connection are granted connection.When configuring MAC filtering, you should set up an access control list (ACL). Some access points also allow you to configure MAC filtering for those addresses that should be denied access. But always keep in mind that the MAC addresses will need to be entered manually. MAC filtering is easily vulnerable to spoofing because MAC address information is sent unencrypted. An attacker then discovers the address and impersonates an approved device. If a user is able to connect to a wireless network using one mobile device but not another, the most likely cause is that MAC filtering is enabled. MAC filtering can be used to both allow access and deny access. The following examples are both types of entries on a router: PERMIT 0A:1:FA:B1:03:37 and DENY 01:33:7F:AB:10:AB.

MAC Filtering

is a one-way hashing algorithm. One-way hashing refers to inserting a string of variable length into a hashing algorithm and producing a hash value of fixed length. This hash value is appended to the end of the message being sent. This hash value is recomputed at the receivers end in the same fashion in which it was created by using the same computational logic. If the recomputed hash value is the same as the generated hash value, the message was not altered during the course of transmission. algorithm produces 128-bit checksums to verify integrity of data from a remote user. When you are given the MD5 hash for a file, you can verify that the file has not been tampered with. MD5 derives the hashing function for the challenge response of the Challenge Handshake Authentication Protocol (CHAP). MD5 is a symmetric encryption scheme. If the MD5 hash values of a file do not match, the file has been compromised. You should discard the compromised file. When two completely different files produce the same hash values, this is referred to as a collision. When using Secure Sockets Layer (SSL) to download a file for which you have the MD5 hash, you cannot verify the MD5 hash until after the file is downloaded

MD5

is the estimated amount of time that a piece of equipment should remain operational before failure. The MTBF is usually supplied by the hardware vendor or a third party. MTBF can also be referred to as mean time to failure (MTTF).

MTBF Mean time between Failures

is the amount of time that it will take to repair a piece of equipment when failure occurs.

MTTR Mean Time To Repair

replaced LANMan and use the MD4/MD5 hashing algorithm. NTLM is backwards compatible with LANMan.

NT LAN Manager version 1 (NTLMv1) and NTLMv2

Layer 7: Application - FTP, TFTP, DNS, SMTP, SFTP, SNMP, HTTP, Telnet, DHCP, Secure Copy Protocol (SCP) Layer 6: Presentation - MPEG, JPEG, TIFF Layer 5: Session - NetBIOS, PPTP, RTP, NFS, Session Control Protocol (SCP) Layer 4: Transport - TCP, UDP Layer 3: Network - IP, ICMP, IPSec, IGMP, AppleTalk, OSPF, RIP, ARP, RARP Layer 2: Data Link - SLIP, PPP, MTU, L2TP, Frame Relay, SDLC Layer 1: Physical - IEEE 802, USB, Bluetooth, RS-232, DSL Routers operate at the Network layer (Layer 3) of the OSI networking model. They use source and destination addresses, which are located at the Network layer, to route packets. Switches use MAC addresses, which are located at the Data Link layer, to forward frames. The Data Link layer is Layer 2. The Session layer (Layer 5) starts, maintains, and stops sessions between applications on different network devices. The Physical layer (Layer 1) provides the functions to establish and maintain the physical link between network devices. Repeaters work at the Physical layer. The Transport layer (Layer 4) of the OSI model segments and reassembles data into a data stream and provides reliable and unreliable end-to-end data transmission. Bridges work at the Data Link layer (Layer 2).

OSI Model lay

is a secure password-based authentication protocol created to simplify secure authentication.

PEAP Protected Extensible Authentication Protocol

is a protocol used to establish dial-up network connections.

PPP

include network segregation, perimeter security, computer controls, work area separation, backups, and cabling.

Physical Control

was created by Microsoft to work with the Point-to-Point Protocol (PPP) to create a virtual Internet connection so that networks can use the Internet as their WAN link. This connectivity method creates a virtual private network (VPN), allowing for private network security. In effect, PPTP creates a secure WAN connection using dial-up access. is known as a tunneling protocol because the PPTP protocol dials through the PPP connection, which results in a secure connection between client and server.

Point-to-Point Tunneling Protocol (PPTP

1702

Port? VPN UDP Lay 2 Tunnelling

is the current de facto e-mail security standard. uses a web of trust to validate public key pairs. In a web of trust model, users sign their own key pairs. If a user wants to receive a file encrypted with PGP, the user must first supply the public key. Every user has a collection of signed public keys stored in a file known as a key ring. A level of trust and validity are associated with each key in that list. For example, if A trusts B more than C, there will be a higher level of trust for B compared to C. PGP is a public key encryption standard that is used to protect e-mail and files that are transmitted over the network. PGP encrypts data using symmetric encryption. PGP provides the following functionalities: confidentiality through the International Data Encryption Algorithm (IDEA) integrity through the Message Digest 5 (MD5) hashing algorithm authentication through public key certificates non-repudiation through encrypted signed messages

Pretty Good Privacy (PGP)

are older proposals for e-mail security standards that have not been adopted.

Privacy Enhanced Mail (PEM) and MIME Object Security

does not assign monetary values. It is simply a subjective report that is compiled by the risk analysis team that describes the threats, countermeasures, and likelihood an event will occur.

Qualitative risk Analysis

attempts to predict the likelihood a threat will occur and assigns a monetary value in the event a loss occurs.

Quantitative risk analysis

is a stream cipher. Wired Equivalent Privacy (WEP) is considered unsecure because of its improper use of RC4. RC4 would be a great algorithm to use for encrypting streaming video because it is a stream-based cipher. RC4 provides 56-bit encryption. Stream and block ciphers are the two main types of symmetric algorithms. Block ciphers process one block of bits, and stream ciphers process one bit at a time. RC4, RC5, and RC6 do not provide one-way hashing.

RC4

are block ciphers. Stream and block ciphers are the two main types of symmetric algorithms. Block ciphers process one block of bits, and stream ciphers process one bit at a time.

RC5 and RC6

Rives Shamir and Adleman. is an example of asymmetric cryptography with authentication. RSA is used as the worldwide de facto standard for digital signatures. RSA is a public key algorithm that provides both encryption and authentication. It relies on the hacker's inability to factor large prime numbers. RSA does not deal with discrete logarithms. The security that RSA provides is based on the use of large prime numbers for encryption and decryption. It is difficult to factor large prime numbers. Therefore, it is difficult to break the encryption. RSA can prevent man-in-the-middle attacks by providing authentication before the exchange of public and private keys. The key is securely passed to the receiving machine. Therefore, public key cryptography is preferably used to secure fax messages. RSA requires higher processing power due to the factorability of its numbers, but provides efficient key management.

RSA

is a service provided by the network operating system that allows remote access to the network via a dial-up connection.

Remote Access Service (RAS)

is the process of identifying information assets and their associated threats, vulnerabilities, and potential risks, and justifying the cost of countermeasures deployed to mitigate the loss. Risk analysis presents a cost-benefit analysis of deploying countermeasures. Risk analysis is part of the disaster recovery plan. Risk analysis also measures the amount of loss that an organization can potentially incur if an asset is exposed to loss. It is important to note that risk analysis is focused on a cost-benefit analysis of countermeasures, and not on the selection of countermeasures. he following are the four major objectives of a risk analysis, in order of execution: To identify all existing assets and estimate their monetary value To identify vulnerabilities and threats to information assets. Vulnerability is a weakness in the system, software, hardware, or procedure. A threat agent, leading to a risk of loss potential, can exploit this weakness. A virus is an example of a threat agent, and the possibility of a virus infecting a system is an example of a threat To quantify the possibility of threats and measure their impact on business operations. To provide a balance between the cost of impact of a threat and the cost of implementing the safeguard measures to mitigate the impact of threats.

Risk Analysis

implies the ability of an employee to carry out tasks of another employee within the organization. In an environment using job rotation, an individual can perform the tasks of more than one role in the organization. This maintains a check on other employees' activities, provides a backup resource, and acts as a deterrent for possible fraud.

Rotation of duties or job rotation

You should use Secure HTTP (S-HTTP) to encrypt a single document from your Web server. This will allow the two computers to negotiate an encryption connection if this document needs to be transmitted.

S-HTTP Secure HTTP

is an agreement between a company and a vendor in which the vendor agrees to provide certain functions for a specified period.

SLA Service level agreement

broadcast actually decreases security in a wireless network. If the SSID is broadcast, any wireless NICs in the proximity can locate the network. If you disable SSID broadcast, you increase the security of your network, and users will have to type the SSID to connect. However, it does not prevent invalid devices from connecting to the network. is a wireless network's name.

SSID Service Identifier

version 1 produces 160-bit checksums. SHA-256, also referred to as SHA-2, is a newer version of SHA and uses 256-bit checksums. SHA-256 should be used with a disk image to protect the image's integrity so that image can be retained for forensic purposes. (SHA)-1 is a hashing algorithm that creates a message digest, which can be used to determine whether a file has been changed since the message digest was created. An unchanged message should create the same message digest on multiple passes through a hashing algorithm. SHA-1 Has lowest Collusion Rates

Secure Hashing Algorithm (SHA

is employed when user accounts are created by one employee and user permissions are configured be another employee. An administrator who is responsible for creating a user account should not have the authorization to configure the permissions associated with the account. Therefore, duties should be separated. Also requires more than one individual to accomplish a critical task. Separation of duties ensures that no individual can compromise a system, and it is considered valuable in deterring fraud. Separation of duties can be either static or dynamic. Static separation of duties refers to the assignment of individuals to roles and the allocation of transactions to roles. In static separation of duties, an individual can be either an initiator of the transaction or the authorizer of the transaction. In dynamic separation of duties, an individual can initiate as well as authorize transactions.

Seperation of Duties

You should periodically complete a site survey to ensure that no unauthorized wireless access points are established. Site surveys generally produce information on the types of systems in use, the protocols in use, and other critical information. You need to ensure that hackers cannot use site surveys to obtain this information. To protect against unauthorized site surveys, you should change the default Service Set Identifier (SSID) and disable SSID broadcasts. Immediately upon discovering a wireless access point using a site survey, you should physically locate the device and disconnect it. Site surveys are also used to analyze antenna placement. There are three main types of site surveys: Passive - a site survey application passively listens to wireless traffic to detect access points and measure signal strength and noise level. However, the wireless adapter being used for a survey is not associated with any WLANs. For system design purposes, one or more temporary access points are deployed to identify and quantify access point locations. Active - the wireless adapter is associated with one or several access points to measure round-trip time, throughput rates, packet loss, and retransmissions. Active surveys are used to troubleshoot wireless networks or to verify performance post-deployment. Predictive - a model of the RF environment, including location and RF characteristics of barriers like walls or large objects, is created using simulation tools. Therefore, temporary access points or signal sources can be used to gather information on propagation in the environment. The value of a predictive survey as a design tool versus a passive survey done with only a few access points is that modeled interference can be taken into account in the design.

Site Survey

is a private key encryption standard that was developed by the U.S. government for the Clipper Chip. Skipjack uses an 80-bit key, which might soon be vulnerable to decryption by hackers.

Skipjack

is faster than asymmetric cryptography. Symmetric cryptography is approximately 1,000 to 10,000 times faster than asymmetric cryptography. is faster than asymmetric cryptography. Symmetric cryptography is approximately 1,000 to 10,000 times faster than asymmetric cryptography. Symmetric keys do not ensure security and scalability for key management because the same key is used for encryption and decryption. Therefore, symmetric cryptography requires a secure mechanism to deliver keys among the communicating hosts. Symmetric cryptography may be less secure than asymmetric cryptography because of the same keys being used for encryption and decryption.

Symmetric Cryptography

The Trivial File Transfer Protocol (TFTP) provides the least amount of security. TFTP provides no authentication or encryption mechanism. TFTP uses port 69, by default.

TFTP Trivial File Transfer Protocol

Technical controls are used to restrict data access and operating system components, security applications, network devices, protocols, and encryption techniques. include all authentication mechanisms, including password, two-factor, Kerberos, and RADIUS authentication. Network segmentation is accomplished by using logical controls.

Technical Controls/Logical controls

is a type of qualitative risk analysis in which each member of the risk analysis team gives anonymous opinions. The anonymous opinions ensure that members are not pressured into agreeing with other parties.

The Delphi technique

is currently developing a version of PGP known as Open-PGP.

The Internet Engineering Task Force (IETF)

preventative - A preventative control prevents security breaches. detective - A detective control detects security breaches as they occur. corrective - A corrective control attempts to correct any damage that has been inflicted during a security breach and restores control. deterrent - A deterrent control deters potentials violations. recovery - A recovery control restores resources. compensative - A compensative control provides an alternative control if another control may be too expensive. All controls are generally considered compensative. directive - A directive control provides mandatory controls based on regulations or environmental requirements.

The three access control categories provide seven different functionalities or types:

In low encryption mode, Wireless Equivalent Privacy (WEP) provides 64-bit encryption. WEP provides security for data transmissions for devices communicating on wireless 802.11b networks, which are sometimes referred to as WiFi networks. In high encryption mode, WEP provides 128-bit encryption for devices transmitting data on a WiFi network. WEP is sometimes ineffective due to interoperability problems among WiFi devices from different vendors. Most organizations use WPA and WPA2 instead of WEP because of security concerns. A network administrator would like to implement a wireless solution that uses a very high performance stream cipher encryption protocol.

WEP Wireless Equivalent Privacy

is a technique used to discover wireless networks. Once intruders locate your wireless network, they attempt to hack into your system.

War Driving

is a digital certificate standard that defines the certificate formats and fields for public keys. X.509 defines the manner in which a certification authority creates a digital certificate. X.509 defines the various fields, such as distinguished names of the subject, user's public key, serial number, version number, lifetime dates, and digital signature identifier, and the signature of the issuing authority, present in digital certificates. It does not contain any private keys. There are several versions of X.509 since its inception. The current version is X.509v4. The X.509 standard is used in many security protocols, such as secure socket layer (SSL) protocol.

X.509

Keys are generated by key generation systems. Data Encryption Standard (DES), for example, provides a key generation system that produces 56-bit encryption keys. A receiver of a key can certify the identity of the sender of the key by using a key certification system. Encryption systems typically provide password protection to protect private keys.

generation systems

is a mutual agreement between two parties to perform a common action or relationship. If well-defined legal elements are included, the MOU is considered binding. MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities.

memorandum of understanding (MOU)

are arranged in a hierarchy and sign public key pairs. Many older Ethernet networks used a bus model for their physical architecture. In a bus network, all computers on a network are connected to a central bus cable. A ring model is used to wire computers in token ring networks. In a ring network, all computers are connected to a physical ring of cable. , an issuer is the entity that signs a certificate. Signing a certificate verifies that the name and key in the certificate are valid. PKI is a system designed to securely distribute public keys. A PKI typically consists of the following components: certificates, a key repository, a method for revoking certificates, and a method to evaluate a certificate chain, which security professionals can use to follow the possession of keys. Chain of custody might be used in proving legal cases against hackers. When using a PKI, keep the following points in mind: When encrypting a message with the public key, only the private key can decrypt it. When encrypting a message with the private key, only the public key can decrypt it.

public key infrastructure (PKI)

Platform as a Service (PaaS) - Allows organizations to deploy Web servers, databases, and development tools in a cloud Software as a Service (SaaS) - Allows organizations to run applications in a cloud Infrastructure as a Service (IaaS) - Allows organizations to deploy virtual machines, servers, and storage in a cloud

(PaaS),(SaaS), (IaaS)

is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard (AES) now receives more attention. Schneier designed Blowfish as a general-purpose algorithm, intended as an alternative to the aging DES and free of the problems and constraints associated with other algorithms. At the time Blowfish was released, many other designs were proprietary, encumbered by patents or were commercial or government secrets. Schneier has stated that, "Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone

Blowfish

is the normal care that a reasonable entity would exercise over that entity's property. As part of due care, an organization is responsible for implementing policies and procedures to prevent data loss or theft.

Due care

is the technology of indoor and vehicular environmental comfort. Its goal is to provide thermal comfort and acceptable indoor air quality. HVAC system design is a subdiscipline of mechanical engineering, based on the principles of thermodynamics, fluid mechanics, and heat transfer.

Heating, ventilation, and air conditioning (HVAC)

A protocol used to test and report on path information between network devices A security administrator is troubleshooting a network connectivity issue. The administrator believes that a router's ACL may be blocking network traffic to a remote network. Which of the following, if enabled, would confirm the administrator's theory by providing helpful feedback?

ICMP Internet Control Message Protocol

is a security standard commonly implemented to create virtual private networks (VPNs). IPSec allows packets to be securely exchanged over the Internet Protocol (IP) at the Network layer (Layer 3) rather than at the Application layer (Layer 7) of the Open Systems in tunnel mode with the Authentication Header (AH) protocol produces an encapsulated packet that is digitally signed. AH digitally signs a packet for authentication purposes. Tunnel mode encapsulates a packet within another packet. supports two encryption modes: transport and tunnel. Transport mode encrypts only the data portion of each packet, but not the header information. Tunnel mode encrypts both the header and the data. For IPSec to work, the sending and receiving devices must share a public key.

Internet Protocol Security (IPSec)

is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.[1] Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.[2] As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

Lightweight Directory Access Protocol (LDAP

is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.[1] It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI).[2] Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

Online Certificate Status Protocol

PBKDF2, standardised in RFC 2898 and PKCS#5, is a function for creating a cryptographic key from a password. It is the only such function currently appearing in NIST standards, hence it has seen widespread use. The aim of the function is to create a key in such a way that dictionary attacks (where the attacker just tries a range of possible passwords) are unfeasible. To do this, PBKDF2 applies a pseudorandom function (PRF) to the password many times. This means that an attacker making a guess at the password will also have to apply the function many times to his guess.

PBKDF2

is a relatively new method of encryption. Quantum cryptography is different from proven technologies in that it relies more on physics, rather than mathematics, as a key aspect of its security model. While most organizations use proven technologies, quantum cryptography usage will increase because it is more secure.

Quantum cryptography

is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a masquerade attack by IP packet substitution.

Replay Attack

A router is a device that is designed to transmit all data that is not specifically denied between networks, and to do so in the most efficient manner possible. A router enables connectivity between two or more networks and can connect multiple network segments into one network.

Router

uses the settings in preconfigured security policies to make all decisions. Enforcing SELinux on a server is locking down the server for everyone. With SELinux, all access capabilities are predefined (in this case, restricted). This is an example of Mandatory Access Control.

Rule-Based Access Control (RBAC)

is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).

SAML Security Assertion Markup Language

is the science of hiding messages within another medium. A common use of steganography involves hiding a message within an otherwise normal-looking picture or graphic.

Steganography

The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.

Smurff attack

A network administrator wants to implement a solution that will allow authorized traffic, deny unauthorized traffic and ensure that appropriate ports are being used for a number of TCP and UDP protocols. Which of the following network controls would meet these requirements?

Stateful firewall

is an older authentication protocol common to UNIX networks that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system.

TACACS+ (Terminal Access Controller Access Control System)

are cryptographic protocols that provide communications security over a computer network.[1] Several versions of the protocols find widespread use in applications such as web browsing, email, Internet faxing, instant messaging, and voice-over-IP (VoIP). Websites are able to use TLS to secure all communications between their servers and web browsers.

Transport Layer Security (TLS)

over a public network, such as the Internet.

VPN is a private network that is implemented

make less severe, serious, or painful.

metigate


Related study sets

Wk 3 - Practice: Ch. 13, Skills for Developing Others

View Set

Chapter 17- travel planning, loading, towing and driving special vehicles

View Set

Project Management Chapter 3 Questions

View Set

Chapter 1 Lesson 3: Health Risks and Your Behavior

View Set

Sudden Infant Death Syndrome (SID)

View Set