Security+ SY0-501 Exam Prep (Packt PDF)
Urgency
A social-engineering pressure tactic: the attacker creates a rush so the target doesn't stop to question the request. For example, someone may arrive at a new receptionist and demand to be let in quickly; the flustered receptionist complies. Another example is a fake "fireman" demanding access to the server room before the building burns down.
How can data at rest be secured?
BitLocker (full-disk encryption for Windows PCs) DLP (Data Loss Prevention; can help prevent data being copied out via USB) FDE (Full Disk Encryption; tablets and phones need this) USB and other removable drives also need full-disk encryption.
Penetration testing types
Black box (the pen testers are given no information about the target) Gray box (the pen testers are given some information about the target) White box (the pen testers know everything about the system, including source code and configuration)
Galois/Counter Mode (GCM)
Block cipher mode of operation that uses universal hashing over a binary Galois field to provide authenticated encryption. High speeds, low latency, low cost.
Blowfish/Twofish
Blowfish (64-bit block) Twofish (128-bit block). Both are symmetric block ciphers by Bruce Schneier; Blowfish was designed as a fast, free alternative to DES and is common in embedded and resource-constrained systems. Blowfish is faster because of its smaller block, but a 64-bit block size is a weakness when encrypting large volumes of data under one key.
What is "COPE"?
Corporate-Owned, Personally-Enabled. The company purchases the device and allows the employee to use it for personal purposes. Better than BYOD from a security standpoint, because the company keeps control of the device.
Generic Accounts
Default (generic) administrative accounts created automatically on devices. Their usernames and passwords are documented online, just like router default admin credentials. Change or disable these immediately.
Acceptable Use Policy (AUP)
Defines what is allowed to be done on company computers and BYOD devices
APIPA Address
169.254.X.X Addresses. Means DHCP cannot be contacted.
Site-to-site VPN
2 Locations with "VPN Concentrators" have an always on VPN tunnel between sites.
RAID 1
2 disks. One disk mirrors the other. Provides fault tolerance (either disk can fail). Writes are slightly slower because every write goes to both disks; reads can be faster. Usable capacity is half the raw capacity.
2.4GHz vs 5GHz
2.4 GHz uses 20 MHz channels. Travels further and penetrates walls better, but has fewer usable channels (only 1, 6 and 11 don't overlap) and slower speeds. 5 GHz supports 40 MHz (and wider) channels. Shorter range, more non-overlapping channels, much faster.
Minimum bits considered secure?
2048 (for RSA and Diffie-Hellman keys; 1024-bit keys are considered weak)
FTP Port
21
SCP Port (Secure copy to Unix/Linux)
22
SFTP Port (Secure FTP)
22
SSH Port
22
Telnet Port
23
SMTP Port
25
ROT 13 Cipher
26 letters in the alphabet; each letter is shifted 13 positions, so applying ROT13 twice returns the original text. It is obfuscation, not real encryption.
Rule of thumb for encrypted traffic
1/3 of the bandwidth is consumed by encryption?
RFC 1918 Private Addresses
10.0.0.0-10.255.255.255 (10.0.0.0/8) 172.16.0.0-172.31.255.255 (172.16.0.0/12) 192.168.0.0-192.168.255.255 (192.168.0.0/16)
POP3 Port
110
IMAP4 Port ( Pull mail from mail server)
143
Account Lockout
3-5 attempts locks out an account
RDP
3389
LDAP Port
389
SIP
5060 (UDP/TCP) and 5061 (SIP over TLS)
SRTP (Secure Real Time Protocol)
SRTP encrypts the RTP media stream; it rides on whatever RTP/RTCP ports were negotiated (dynamic UDP ports), not a fixed port. 5061 is SIP over TLS, which secures the signalling, not the media.
Botnet
A bot is a program that takes control of a computer. A botnet is a collection of bots that are being used in an attack, such as a DDoS.
What is a self-signed certificate?
A certificate signed by the entity that created it instead of by a CA. There is no CRL and no chain to a trusted root, so browsers and clients will not trust it unless it is explicitly installed as trusted. Acceptable for internal test systems, not for public services.
Collision attack
A collision attack on a cryptographic hash tries to find two inputs producing the same hash value, this is known as a hash collision.
What is a "Crypto Module"?
A combination of hardware and software that implements crypto functions such as digital signatures, encryption, random number generation, and decryption.
Worm
A program that replicates itself over the network to other computers without user action, exploiting security weaknesses. Worms don't use a fixed set of ports; they use whatever service they exploit. Example: Nimda (2001), which targeted Microsoft IIS servers and spread through several vectors at once (email, open network shares, IIS vulnerabilities and infected web pages), degrading the servers and networks it hit.
Shimming
A small library that transparently intercepts API calls and changes the arguments passed. This is a method of driver manipulation.
What is a "crypto service provider"?
A software library that implements cryptographic algorithms behind a standard API. For example, Microsoft uses CryptoAPI and has providers such as: Microsoft AES Cryptographic Provider (supports the AES algorithm) Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider (supports hashing and data signing with DSS and key exchange with DH)
What is a Snapshot?
A point-in-time checkpoint of a VM (disk and, optionally, memory state). Restoring it brings the VM back exactly as it was. Snapshots are not backups; delete them once they are no longer needed.
Coding: Static Code Analyzers
A tool that examines source code WITHOUT running it, looking for bugs and insecure patterns (as opposed to dynamic analysis, which runs the code).
Logic Bomb
Malicious code that is triggered when certain conditions are met, such as a specific date/time being reached or a file being opened.
Backdoor
A way into a system in the event that someone locks themselves out. Usually undocumented. Attackers can exploit these if they exist.
MAC Spoofing Attack
A way to fake MAC addresses to circumvent things such as MAC filtering
What is a "Wildcard"?
A wildcard certificate is a certificate that can be used for multiple servers in the same domain. For example, a wildcard certificate for *.moltr.com could be used for mail.moltr.com, web.moltr.com etc. It covers only one level of subdomain, and a compromise of its private key affects every host that uses it.
DoS Attack
Denial of Service attack. A victim's machine is flooded with a high volume of requests to cripple it. One way is a SYN flood: the attacker sends SYNs, the victim replies SYN-ACK and holds a half-open session waiting for the final ACK, which never comes, until its connection table fills up.
RFC 1542 compliant router
Device that connects different networks and subnets together. DHCP broadcast traffic will pass through an RFC 1542 compliant router if set up correctly (DHCP relay / IP helper). Routers that are not RFC 1542 compliant can be configured to forward UDP 67/68 (DHCP) as a workaround.
Every AD account has an SID (Secure Identifier) number linked. What is this for?
Differentiates between 2 accounts with the same name, and makes it so old accounts can't be re-created to get the same permissions they used to have. Every new account gets a unique serial that is never reused.
Dumpster Diving
Digging through trash hoping to find PII (personally identifiable information) to commit fraud later. Shred documents to prevent this.
DSA
Digital Signature Algorithm. Used for digital signatures. Key sizes originally ranged from 512 to 1024 bits; modern use requires 2048 or 3072. DSA signing is faster than RSA signing, though DSA signature verification is slower.
Digital Signatures
Digital signatures provide integrity (the content hasn't changed), authentication (it came from the holder of the private key) and non-repudiation. The sender signs a hash of the message with their private key; the recipient verifies it with the sender's public key.
Ensuring non-repudiation
Digitally signing an email with your private key proves that you (the private-key holder) sent it, since only you have that key. The same applies to digitally signing a contract, which can make it legally binding in many jurisdictions.
Certificate trust; What is Certificate Chaining?
Digital certificates are verified using a chain of trust in which the trust anchor is the root CA; each certificate is signed by the one above it (root CA, then intermediate CA, then the end-entity certificate).
Securing IT Systems
Disable Default accounts/passwords Disable unnecessary ports and services Secure Configurations (also audit every once and a while) Application whitelisting/blacklisting Patch Management
Policy Violations
Discipline or dismissal for policy violations
DDoS Attack
Distributed Denial of Service attack. When a botnet is used to run a DoS attack from many sources at once. Stateful firewalls and SYN cookies help against SYN floods; volumetric DDoS usually needs upstream/ISP or cloud scrubbing to absorb.
Initialization Vector (IV)
An Arbitrary number that can be used along with a secret key for data encryption. This number is only employed one time in any session. Its length is usually comparable to the length of the encryption key or block of the cipher in use. Sometimes known as a starter variable.
SCADA Explained Simply
An HMI (human-machine interface) is the operator's screen; it sends commands to the PLCs (programmable logic controllers), which control the physical machines. The SCADA server collects data from, and supervises, all of this.
What does FDE require to work?
Typically a TPM (to seal the disk key to the platform) or, on servers, an HSM. BitLocker can also work with a startup PIN or a USB key holding the key when no TPM is present.
Cloud benefits
Elasticity (resources grow and shrink with demand; pay only for what you use) Scalability (self explanatory) No capital expenditure (no hardware to maintain or upgrade over time) Location independent (if the office burns down, you can simply move and re-access the cloud from the new location) Regional storage of data No maintenance fees (no hidden costs) No disaster recovery site required (providers offer very high availability, e.g. 99.999%, so a separate DR site may not be needed)
SCADA System Uses
Electricity production and distribution Water supply and treatment Food production Oil and gas production and supply Chemical and pharmaceutical production Telecommunications Manufacturing of components and finished products Paper and pulp production
EMI
Electromagnetic Interference. Motors, fluorescent lights, radios, etc. can affect a system's performance and can cause jamming of wireless signals.
EMP
Electromagnetic Pulse. Strong burst of electromagnetic energy that can damage electronic systems. Surge protectors, UPSs, shielding and Faraday cages help mitigate it.
Embedded System
Electronic system that has software and is embedded in computer hardware. Some are programmable, some are not. Household items (Microwaves, Washing machines, fridge, printers, mp3 players, etc) IT Infrastructure (Telephone switches, routers, switches, HVAC, etc)
ECC
Elliptic Curve Cryptography. Asymmetric algorithm that gives equivalent security with much smaller keys (a 256-bit ECC key is comparable to a 3072-bit RSA key), so it is fast and suits small mobile and IoT devices.
Reasons to disable an account
Employee leaving (Disable account and change passwords or delete account) Extended absence period Guest account
User-Extended attributes
Employee-ID and email. These are extended attributes stored in directory services.
Best practice for ensuring integrity
Hash data stored, and digitally signing an email with your private key to prove to the recipient that it hasn't been tampered with in transit.
What are the 2 types of brute force attacks?
Online mode (When the attacker must use the same login interface as other users) Offline mode (When the attacker steals the password file first, then has unlimited attempts at guessing the password)
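To make the online/offline distinction concrete, here is an added example (not from the book) that runs the same wordlist both ways: online, through a login service that enforces the 3-5 attempt lockout from the Account Lockout card; offline, against a stolen unsalted hash, where the attacker can also use the hybrid trick of appending digits to each word. The account, password and wordlist are constructed demo data.

```python
import hashlib


# Constructed demo data (hypothetical account, hypothetical wordlist).
# The server stores an unsalted SHA-256 hash, which is what makes the
# offline attack cheap once the hash file has been stolen.
def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


USERS = {"alice": sha256_hex("pass1")}
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome", "pass"]
LOCKOUT_THRESHOLD = 5   # the 3-5 failed attempts rule of thumb


class LoginService:
    """The online login interface: the same one legitimate users go through."""

    def __init__(self, users, threshold=LOCKOUT_THRESHOLD):
        self.users = users
        self.threshold = threshold
        self.failures = {}
        self.locked = set()

    def login(self, user, password):
        if user in self.locked:
            return "locked"
        if user in self.users and self.users[user] == sha256_hex(password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)      # stays locked until IT unlocks it
            return "locked"
        return "denied"


def online_attack(service, user, candidates):
    """Online mode: every guess goes through the login interface, so the
    lockout policy stops the attack after a handful of tries."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        result = service.login(user, guess)
        if result in ("ok", "locked"):
            return (guess if result == "ok" else None), attempts
    return None, attempts


def hybrid_candidates(wordlist):
    """Hybrid attack: each dictionary word, then the word with a digit appended."""
    for word in wordlist:
        yield word
        for digit in range(10):
            yield f"{word}{digit}"


def offline_attack(stolen_hash, wordlist):
    """Offline mode: the attacker holds the hash, so there is no lockout and
    no rate limit; only CPU time bounds the number of guesses."""
    attempts = 0
    for guess in hybrid_candidates(wordlist):
        attempts += 1
        if sha256_hex(guess) == stolen_hash:
            return guess, attempts
    return None, attempts
```

The online run is stopped by the lockout on the fifth guess; the offline run against the stolen hash walks the whole hybrid list and recovers the password on the 58th guess. Salting and key stretching the stored hash is what makes the offline path expensive.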
What is an "Anti-spoofing filter" on a router?
Ingress/egress filtering: the router drops packets whose source address could not legitimately have arrived on that interface, e.g. packets from the Internet claiming an internal or RFC 1918 source address. This is not default router behaviour; it must be configured (ACLs or unicast reverse-path forwarding).
WAN
Wide Area Network. Links between sites, usually carried over the public Internet or a carrier. WAN links tend to be slower than LAN/DMZ links.
Shibboleth
Open source federation product that uses SAML authentication.
PAP vs CHAP
PAP (passwords sent in clear text) CHAP (pre-shared secret on both ends; a handshake has to take place for the connection to establish: the server sends a random challenge string, the client replies with a hash of the challenge plus the secret, so the secret never crosses the wire)
VPN/RAS Authentication Options
PAP or CHAP
PC Hostname Resolution Process
PC Checks DNS Cache, then hosts file, then to a DNS server (unless the PC IS the DNS server)
Command Line Tools
ICMP (block echo replies on firewalls) ping [-t] netstat (see established connections) tracert/traceroute (see each hop's IP and its DNS name if available; max 30 hops) nslookup (dig is the usual Linux equivalent) arp -a (shows the PC's ARP table) ipconfig /all (ifconfig or ip addr on Linux) ipconfig /displaydns ipconfig /flushdns ipconfig /release ipconfig /renew tcpdump (Linux packet capture, e.g. tcpdump -i eth0) nmap (free network scanner for audits) netcat/nc (reads and writes raw TCP/UDP connections: used to test ports, move data, or set up a listener; it does not list connections the way netstat does)
IDS vs IPS
An IDS detects and alerts on suspicious traffic (passive, out of band); an IPS sits inline and can actually block attacks.
Explain Wireless Authentication Protocols
IEEE 802.1X (port-based network access control; carries EAP, commonly with certificates, and authenticates against a RADIUS server) RADIUS Federation (federation service where access to the network is gained through WAPs using your home organisation's credentials) EAP (authentication framework originally for point-to-point connections) PEAP (Protected Extensible Authentication Protocol; EAP wrapped in a TLS tunnel so it can be used on WLANs, which improves security) EAP-FAST (EAP Flexible Authentication via Secure Tunneling; Cisco's EAP to replace LEAP. Provides session authentication) EAP-TLS (uses TLS public key certificates within EAP to provide mutual authentication; requires client certificates) EAP-TTLS (2 phases: sets up a secure session with a server certificate, then uses an inner method such as MSCHAP to authenticate the user. Designed to connect older legacy systems)
Network Layer
IP addressing and Routing. ICMP operates at this layer.
What is IPSec?
IPSec = IP Security. A suite of tools to secure IP traffic. Used to create a secure session between a client and server. Protects packets from being sniffed. Can be used by VPNs to protect traffic.
IPv6 vs IPv4
IPv4 addresses are 32 bit (4 octets with 8 bits each) IPv6 addresses are 128 bit. (8 "hextets" with 4 hex numbers each, and each hex number is 4 bits. 8 x 4 x 4 = 128)
Stored procedure
Pre-written SQL script stored in the database and run by name. Callers pass parameters but can't alter its logic, which makes it a defence against SQL injection when inputs are passed as parameters rather than concatenated into the query.
Mean Time to Failure (MTTF)
Predicted lifespan of a system.
6 steps to Incident Response
Preparation (Preventative measures) Identification (Identify incident) Containment Eradication Recovery Lessons Learned (prevent re-occurrence)
Preservation
Preserve data in its original state so it can be used as evidence in court.
Impersonation
Pretending to be someone else. Wearing fake clothes, fake IDs, etc.
PGP
Pretty Good Privacy. Used between two users to set up asymmetric encryption and digital signatures. For PGP to work, each user needs a private and public key pair. The first stage in using PGP is to exchange public keys. It uses asymmetric keys (RSA, or DSA/ElGamal) for key exchange and signatures, and a symmetric session key for the message data.
What are Preventative Controls?
Preventative Measures. Disable user accounts when someone leaves. Hardening an operating system.
Clean desk policy
Prevents reading of papers left out
Certificate Types
A certificate binds a public key to an identity; the two keys are: Private key (kept secret; decrypts data encrypted with the public key and creates signatures) Public key (contained in the certificate; sent to third parties to encrypt data or verify signatures)
What is a DRA?
Data Recovery Agent. If a user's private key is lost or corrupted and their encrypted data can't be read, the DRA can recover it. The DRA retrieves the private key from key escrow.
What are the 3 virtual switch options?
Private, Internal, External (PIE). External: bound to a physical NIC, VMs reach the outside network. Internal: VMs and the host can talk to each other only. Private: VMs only, isolated from the host.
Certificate Formats
PFX/P12 (.pfx/.p12): PKCS#12 container holding the certificate AND the private key, password protected. P7B (.p7b): PKCS#7 container holding certificates and the chain, no private key. PEM (.pem, also .cer/.crt): Base64-encoded DER between BEGIN/END lines. DER (.der, also .cer): binary encoding; PEM is simply the Base64 form of DER.
What is a CSR?
Certificate Signing Request: the process of requesting a new certificate. A key pair is generated; the public key plus identity details are sent to the CA in the CSR, and the CA returns the signed X.509 certificate. The private key never leaves the requester.
What is "Obfuscation"?
Making source code deliberately hard to read so that, if it is stolen or decompiled, it can't easily be understood.
Virus
Program embedded in another program that replicates itself to other files or hosts, with malicious intent. Unlike a worm, it needs a host file or user action to spread.
Coding: Encryption
Encrypting code or binaries protects them from theft; a key is needed to decrypt them.
Tools to assess security posture
Protocol Analyzer (Wireshark) Network Scanners (e.g. SolarWinds Orion; shows performance) Rogue System Detection (802.1X, or dedicated appliances) Network Mapping (Nmap; scans devices for IPs, ports, OS type, etc.) Wireless Scanners (tools that list nearby access points and clients, e.g. Kismet) Wireless Crackers (Fern WiFi Cracker is a tool that can crack and recover WEP/WPA and WPS keys) Password Crackers (tools that brute force, use rainbow tables, dictionary attacks, etc.) Vulnerability Scanner (2 types: credentialed and non-credentialed. Credentialed runs with admin permission and sees what's really installed; non-credentialed runs as an outsider would. Ex: Microsoft Baseline Security Analyzer) Configuration Compliance Scanner (checks security hardening via configuration settings) Exploitation frameworks (tools such as Metasploit that can develop and execute exploit code against a remote target) Data Sanitization tools (properly destroying data on old drives etc. Simply formatting isn't safe) Steganography tools (hiding data inside files) Honeypot (decoy system with deliberately lower security. Can be used as a distraction, or by security analysts to discover the attack methods being used)
Certificate trust; What is a trust model?
Proves the authenticity of the certificate. 2 models: Hierarchical model: uses a hierarchy from the root CA down through intermediate CAs to the end-entity certificate. This is the normal PKI model. Bridge trust model: when 2 separate PKI environments trust each other through cross-certification, so their certificate authorities trust each other.
User Certificate
Provides authenticity to a user for applications that they use
PRNG
Pseudo Random Number Generator. An algorithm that produces sequences of seemingly random numbers. These numbers can be used when generating data encryption keys; keys must come from a cryptographically secure PRNG (CSPRNG), not an ordinary one.
PKI
Public Key Infrastructure. The CAs, certificates, revocation mechanisms (CRL/OCSP) and policies used to issue, manage and validate certificates.
Wireless - Open System Authentication
Public Wifi, no password. Use at own risk.
Jamming
Purposeful wireless interference with a wireless jamming device
2 Types of Remote Access
RAS (Remote Access Server) Legacy, requires modem and dial-up networking. Discontinued. VPN (Client-to-site or site-to-site tunnel)
What is a "Private Cloud"?
Single tenant cloud. One tenant on the cloud systems, no resource/IP sharing. Typically you purchase and install your own equipment.
IP Spoofing
Sending packets with a false source IP to impersonate another host or to prevent tracing (common in DDoS attacks).
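The address checks behind the APIPA, RFC 1918, anti-spoofing filter and IP spoofing cards above, as an added example (not from the book). It classifies IPv4 sources and applies an ingress filter on an Internet-facing interface; the packets and the "own" public range 198.51.100.0/24 are constructed sample data from the documentation address blocks:

```python
import ipaddress

# Constructed sample (hypothetical addresses from the documentation ranges):
# packets arriving on a router's Internet-facing interface, as (src, dst).
SAMPLE_PACKETS = [
    ("203.0.113.7", "198.51.100.10"),    # ordinary Internet source
    ("10.20.30.40", "198.51.100.10"),    # RFC 1918 source: can't legitimately come from the Internet
    ("192.168.1.5", "198.51.100.10"),    # RFC 1918 source
    ("169.254.10.2", "198.51.100.10"),   # APIPA (link-local) source: never routable
    ("127.0.0.1", "198.51.100.10"),      # loopback source
    ("198.51.100.10", "203.0.113.7"),    # our own public address used as a source: spoofed
]

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
APIPA = ipaddress.ip_network("169.254.0.0/16")


def classify(ip_str):
    """Return which address class an IPv4 source falls into."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in APIPA:
        return "apipa"
    if ip.is_loopback:
        return "loopback"
    return "public"


def ingress_filter(packets, own_public_net):
    """Anti-spoofing (ingress) filter for the Internet-facing interface.

    Drop anything whose source is RFC 1918, APIPA or loopback, and anything
    claiming to come from our own public range (that range should only ever
    appear as a source on the inside interface). Everything else is allowed.
    """
    own = ipaddress.ip_network(own_public_net)
    allowed, dropped = [], []
    for src, dst in packets:
        kind = classify(src)
        if kind != "public":
            dropped.append((src, dst, kind))
        elif ipaddress.ip_address(src) in own:
            dropped.append((src, dst, "own-range"))
        else:
            allowed.append((src, dst))
    return allowed, dropped


if __name__ == "__main__":
    ok, bad = ingress_filter(SAMPLE_PACKETS, "198.51.100.0/24")
    for pkt in bad:
        print("DROP ", pkt)
    for pkt in ok:
        print("ALLOW", pkt)
```

Only the first packet survives the filter. The mirror-image rule (egress filtering) drops outbound packets whose source is not in the organisation's own range, which is what stops your hosts from being used in a spoofed DDoS.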
Coding: Data Exposure
Sensitive data should be encrypted to limit data access to the user using the application
What is SSO?
Single Sign-On. A user logs in once and receives a token or ticket that grants access to all the systems they need. Kerberos (the authentication protocol used by Microsoft Active Directory) or a federated protocol such as SAML provides this; LDAP supplies the directory behind it.
What is "Internet-based open source authentication"?
Some online application companies don't want to manage user accounts for their services, so they delegate authentication to an identity provider: for example, "Sign in with Google" (OpenID Connect / OAuth 2.0).
Intimidation
Someone pretending to be an authority who threatens to get them in trouble if they don't do what they say.
Anomaly-based detection
Builds a baseline of normal traffic or behaviour and flags deviations from it. Unlike signature-based detection, it can catch new or unknown variants, at the cost of more false positives.
Heuristic/behavioral-based
Examines what traffic or code actually does against a baseline or known-bad behaviours rather than matching exact signatures. Often grouped together with anomaly-based detection.
Interconnection Security Agreement (ISA)
States how two businesses should connect. VPN policies etc.
Application Layer
WAF (Web Application Firewall) Operates at the Application layer. Applications run at this layer.
Annual Loss Expectancy (ALE)
Total expected loss per year. Calculated as SLE x ARO. Example: SLE of 1,000 x ARO of 6 = ALE of 6,000.
Tracking Man Hours
Track man hours to realize costs incurred during incidents. This will help the company realize that they have to spend more money on resources to protect against incidents.
User training
Train users so that they know common security threats (phishing/social engineering, etc.)
Media Gateway
Translation device that can convert media streams. Example: Karaka: an XMPP Gateway that allows communication between Jabber and Skype.
DMZ Device placement
WAN --- Firewall --- SSL/TLS Decryptor --- NIPS (inline) --- NIDS (passive mode) --- DMZ --- Firewall --- LAN
Wireless Encryption Types
WEP (Wired Equivalent Privacy; 40- or 104-bit RC4 keys with a 24-bit IV, easily cracked) WPA (WiFi Protected Access; uses TKIP (Temporal Key Integrity Protocol), designed to be more secure than WEP. Backwards compatible with WEP hardware) WPA2-PSK (WPA2 pre-shared key; typical for home users who don't have an enterprise setup) WPA2-Enterprise (WPA2 where users authenticate through RADIUS with 802.1X, typically with certificates) WPA2-TKIP (backwards compatible with legacy systems, but TKIP was replaced by CCMP, which is more secure) WPA2-CCMP (strongest WPA2 mode; uses AES-CCMP for encryption and integrity)
What command line tool should be used and output recorded when an attack is happening for evidence?
netstat (shows all listening ports and active connections. Record its output before rebooting: a reboot clears these connections)
Voice VLAN
Voice specific VLAN. Do cisco voice VLANs auto-tag traffic with DSCP?
Cross-site scripting
When an attacker injects script into a web page so that it runs in other users' browsers. Example: injected code can change what a page says when loaded, or steal the victim's session cookie. Defence: validate input and encode output for the context it is inserted into.
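Both injection cards (the stored-procedure card above and this XSS card) come down to the same rule: keep user input as data. The added example below (not from the book) shows a login query built by string concatenation beside its parameterised form, and an HTML greeting with and without output encoding. It uses an in-memory SQLite table with two constructed demo users:

```python
import html
import sqlite3


def make_db():
    """Constructed demo database (hypothetical users), kept in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: attacker-controlled text becomes part of the SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn, username, password):
    """Bound parameters keep user input as data. A stored procedure called
    with parameters gives the same property: the SQL text is fixed and only
    the values vary."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password))
    return sorted(row[0] for row in rows)


def render_greeting_vulnerable(name):
    """Reflects user input straight into HTML: reflected XSS."""
    return "<p>Hello, %s</p>" % name


def render_greeting_escaped(name):
    """Output-encode before inserting into HTML, so <script> is shown as text."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)
```

With the classic payload `' OR '1'='1` as the password, the concatenated query becomes `... AND password = '' OR '1'='1'` and returns every user; the parameterised query returns nothing because the payload is compared literally. The same payload idea applies to the greeting: unescaped, `<script>` is rendered and executed by the browser; escaped, it becomes `&lt;script&gt;` and is merely displayed.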
What is a "VLAN on a SAN"?
When a virtual switch is created on the SAN, the VLAN is said to be created on a SAN. Always use an iSCSI connector when creating a VLAN on a SAN. ???
NAT (Network Address Translation)
When an IP is translated through a device. For example, a private IP is NAT translated to a useable public IP via PAT when crossing the edge router/firewall into the internet.
Coding: Null Pointer Exception
When an application dereferences a pointer or reference that doesn't point to anything (null), the program crashes or throws an exception. Always check for null before use; unchecked null dereferences are a common source of crashes and denial of service.
Certificates are obtained from a CA. If you are selling products or services to external entities, you need to obtain your X.509 certificates from a public CA; otherwise your internal certificate will not be accepted by their browsers.
~
Data Loss Prevention (DLP) Personally Identifiable Information (PII)
~
Don't enable the "account lockout duration" or "reset account lockout counter after" options. This way IT must unlock the account manually.
~
How to have redundant load balancers?
~
Identify common misconfigurations
~
In symmetric encryption the exam's preferred answer is a block cipher (AES); avoid weak stream ciphers such as RC4. (Stream ciphers are not inherently weak: ChaCha20 is a modern, secure one.)
~
KNOW how IPsec works. Know AH (Authentication Header: integrity and origin authentication, no encryption) and ESP (Encapsulating Security Payload: encryption plus integrity), and transport vs tunnel mode.
~
LEARN PKI BETTER.
~
Layer 2 switches are vulnerable to ARP attacks (ARP spoofing/poisoning); mitigate with Dynamic ARP Inspection and DHCP snooping.
~
Learn about EFS file encryption supported by windows.
~
Kerberos requires client and domain controller clocks to be within 5 minutes of each other; tickets with timestamps outside that window are rejected, which is part of its replay protection.
~
MDM allow IT to enforce policies on smartphones/tablets/and other endpoint devices.
~
Microsoft Active Directory uses LDAP (Lightweight Directory Access Protocol) to manage users and groups.
~
Single Factor Two Factor Multifactor (two factor is also multifactor)
~
The most common asymmetric algorithms include Diffie-Hellman, which lets two parties agree on a shared secret over an insecure channel; that secret then becomes the symmetric session key under which the data flows.
~
Witness Statements
~
netstat -an
~
Replay Attack
When an attacker captures data to play back at a later date. Attacker may try to replay packets that could contain login credentials to simulate a login. Kerberos has built-in protections against this with sequence numbers and timestamps.
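The two protections the replay card names, timestamps and sequence numbers (nonces), as an added example that is not from the book. A server-side guard accepts a request only if its HMAC-SHA256 tag is valid, its timestamp is within the 5-minute window Kerberos uses, and its nonce has not been seen inside that window. The shared key and the injectable clock are assumptions for the demo:

```python
import hashlib
import hmac
import os
import time

CLOCK_SKEW = 300  # seconds; Kerberos tolerates 5 minutes of clock difference


class ReplayGuard:
    """Server-side check: a message must carry a fresh timestamp and an unused
    nonce, both covered by an HMAC so an attacker can't simply edit them."""

    def __init__(self, key, skew=CLOCK_SKEW, now=time.time):
        self.key = key
        self.skew = skew
        self.now = now          # injectable clock so the behaviour can be tested
        self.seen = {}          # nonce -> timestamp, for nonces still inside the window

    def _tag(self, payload, ts, nonce):
        msg = f"{ts}|{nonce}|{payload}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def make_request(self, payload, ts=None):
        """Client side: stamp the message with the current time and a random nonce."""
        ts = int(self.now()) if ts is None else ts
        nonce = os.urandom(8).hex()
        return {"payload": payload, "ts": ts, "nonce": nonce,
                "tag": self._tag(payload, ts, nonce)}

    def verify(self, req):
        now = int(self.now())
        # Forget nonces that can no longer be replayed: their timestamp has expired,
        # so the stale check below catches them anyway. Keeps memory bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.skew}
        expected = self._tag(req["payload"], req["ts"], req["nonce"])
        if not hmac.compare_digest(expected, req["tag"]):
            return "bad-tag"        # tampered, or signed with the wrong key
        if abs(now - req["ts"]) > self.skew:
            return "stale"          # captured earlier and played back too late
        if req["nonce"] in self.seen:
            return "replay"         # same message, inside the window
        self.seen[req["nonce"]] = req["ts"]
        return "ok"
```

The timestamp alone is not enough (a packet captured and replayed within the window would pass), and the nonce alone is not enough (the server would have to remember every nonce forever); together they bound both the attack window and the server's memory. The HMAC is what stops the attacker from re-stamping a captured request with a fresh time.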
Collision Attack
Not a true collision attack (see the hash definition above): if two stored password hashes are identical and the hashes are unsalted, the two users share the same password, and cracking one cracks both. Per-user salts prevent this.
Clickjacking
When an attacker embeds a transparent frame over a link to trick someone into clicking something they didn't intend to.
Persistence attack
When an attacker gains access to a system and remains undetected for extended periods
Distributive Allocation
When using IaaS, you may install a virtual load balancer appliance.
(Stopping Attacks) File Integrity Checker
Ex: Microsoft SFC (System File Checker). This detects modified or corrupt system files and replaces them with a known-good copy from the Windows component store. To run it: sfc /scannow
Use Case
Example (case) of when something is used
Scarcity
Example: websites selling something that says "only one left" for everyone. Another example is when an attacker calls a company while a CEO is at a conference telling them that their domain name will expire in 30 minutes, and that they need to pay quickly or they'll lose it.
XOR Encryption
Exclusive OR. Two equal bits give 0; two different bits give 1. Example: data 01010100 XOR key 01101000 = 00111100. XOR is the basic building block inside AES and other symmetric ciphers, and it is the whole cipher in a one-time pad.
False positive vs False negative
False positive (Good traffic identified as bad) False negative (Bad traffic identified as good)
What 3 layers does the security+ focus on?
2, 3, and 7.
If the qualitative risk of losing a switch is 9, but the probability is a 3, what is the quantitative risk?
27 (9 x 3). Risk = impact x likelihood. Strictly this is a semi-quantitative score, not a currency value like ALE.
Compensating Controls
A way to satisfy a security measure that you can't implement immediately. (Ex: badges are required for access to PCs, a new employee came in is allowed to use a username and password until they get their badge.)
Corrective Controls
Actions taken to recover from an incident. (Ex: hard drive failure backup plan, or fire-suppression systems)
Business Partnership Agreement (BPA)
Agreement between businesses defining what each partner is supposed to contribute, who makes decisions, what happens if/when the partnership ends etc. Essentially, all the rules for a partnership between companies.
Name the 7 layers of the OSI model
Application Presentation Session Transport (segments/datagrams) Network (L3 switch/router; packets. IPsec operates here.) Data link (switch, VLAN, ARP, MAC addresses; frames) Physical (cable/hub; bits)
TCP/IP Model
Application (Application presentation, and session) Transport (Transport) Internet (Network) Network (Data link and physical)
Explain the 7 layers of the OSI model
Application (the protocols programs use, such as HTTP for web browsers or SMTP for email) Presentation (formats data into a representation both sides understand; can also encrypt data) Session (responsible for logging in and out and maintaining connections) Transport (breaking data into segments and reassembling it; TCP or UDP) Network (packet encapsulation of the transport segments; IP addressing and routing) Data link (frame encapsulation of the packets; MAC addressing) Physical (transmits raw bits over the physical medium, 1s and 0s)
What are Physical Controls?
Cable locks (Kensington locks) Laptop safe, Biometric locks, Fences/gates, Burglar alarms, Fire alarms/smoke detectors, Lighting, Security guards, Mantraps, Perimeter protection (fences/gates/lights) Internal protection (protected cabling in metal conduit, safes, screen filters) Faraday cage (metal mesh preventing wireless or cellular signals/EMPs) Key management (keys signed in and out to prevent copies being made) Proximity card (RFID badge) Tokens (small physical device that you touch to a reader, press a button on, or that displays a code which expires after a number of seconds) Environmental controls (heating, ventilation, HVAC) Air gap (physically isolating a computer or network from other networks) Motion detection Cameras Barricades (road blocks) Bollards (steel poles preventing car rammings)
Job rotation
Changing departments every 6 months for cross-training.
ISO/IEC 17789:2014 Specifies what?
Cloud Computing Reference Architecture (CCRA). This contains cloud best practices.
Threat Assessments 4 categories
Environmental Threat (nature) Man-made threat (malicious or accidental intent) Internal threat (disgruntled employee) External threat (Hacker)
HMAC Authentication
Hash-based Message Authentication Code: a specific type of Message Authentication Code (MAC) built from a cryptographic hash function and a secret key. We can have HMAC-MD5 or HMAC-SHA1 (HMAC-SHA256 is preferred today). Provides both data integrity and data authentication, since only someone with the key can produce a valid tag.
What is "Defense in depth"?
Having multiple layers of protection. Example: the data is stored on a server, with file permissions, encrypted, in a secure area of the building, with a security guard checking IDs, CCTV on the perimeter, and a high fence on the perimeter. 7 layers of security must be passed to get to the data.
Industry-specific frameworks
Industry specific regulations. Ex: International Financial Reporting Standards Foundation (IFRS)
What is "least privilege policy"
Only giving users (and services) access to what they need to do their job, and nothing more. Applies to accounts, processes and network segments (micro-segmentation).
What does OSI stand for?
Open Systems Interconnection model
Linux Permissions (Not SELinux)
Owner (first digit) Group (second digit) All other users (third digit). 4 = read, 2 = write, 1 = execute; add them up. For example, if a file has "764" access: owner can read/write/execute, group can read/write, all other users can read. To adjust file permissions: chmod 764 file
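An added example (not from the book) that turns the octal permission digits into the rwx form, flags the world-writable case a hardening scan looks for, and applies a mode to a scratch file with os.chmod (the equivalent of `chmod 764 file`) and reads it back the way `stat` would. It assumes a POSIX filesystem:

```python
import os
import stat
import tempfile

BITS = ((4, "r"), (2, "w"), (1, "x"))


def octal_to_rwx(mode):
    """'764' -> 'rwxrw-r--' (owner, group, others)."""
    out = []
    for digit in mode:
        d = int(digit)
        out.append("".join(ch if d & bit else "-" for bit, ch in BITS))
    return "".join(out)


def describe(mode):
    rwx = octal_to_rwx(mode)
    return {"owner": rwx[0:3], "group": rwx[3:6], "others": rwx[6:9]}


def is_world_writable(mode):
    """The check a hardening scan makes: can 'all other users' write to it?"""
    return bool(int(mode[2]) & 2)


def chmod_and_read_back(mode):
    """Apply the mode to a temporary file and read it back from the inode."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, int(mode, 8))                 # same as: chmod 764 file
        actual = stat.S_IMODE(os.stat(path).st_mode)  # strip file-type bits
        return "%03o" % actual                       # e.g. '764'
    finally:
        os.remove(path)


if __name__ == "__main__":
    for m in ("764", "640", "777"):
        print(m, octal_to_rwx(m), "world-writable" if is_world_writable(m) else "")
```

The third digit is the one to watch: anything with a 2, 3, 6 or 7 there lets every user on the box modify the file, which is how a world-writable script or config becomes a privilege-escalation path.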
What are Administrative Controls?
Policies written by administrators to prevent possible security threats. Internet use policies, security awareness training, risk assessments, vulnerability scans, Penetration testing, and change management are examples of these.
Rules of behavior
Proper professional conduct at work
Supply chain risk assessment
Suppliers relied upon for business. Example: laptop manufacturers may have a supplier for batteries. If they don't deliver, you can't sell laptops. This goes for redundant ISPs also.
What are the 3 main security controls?
Technical Administrative Physical (TAP)
What are Technical Controls?
Technical measures in place to prevent active security threats. Firewall rules (IP/Application/Protocol filtering), Antivirus software, Screen savers, Screen filters, IDS/IPS systems are examples of these.
Policies are written so that security administrators know what to configure, and end users know what part they play in keeping the company secure.
~
CYOD
Choose Your Own Device Company allows employees to pick from a range of devices, but then take the device back upon offboarding.
CASB
Cloud Access Security Broker Enforces policies between on-premises and cloud.
CSP
Cloud Service Provider Before choosing one, make sure you trust them 100%
Cloud-based email
Cloud provider hosted email services. Office 365 and G Suite are two examples.
What things does a vulnerability scanner passively test?
Code review (scans the source code of software) Attack surface (scans for unnecessary services, missing patches, and anything else that can be hit) Permissions (scans for permissions that may be set too high) Baselines (computer and traffic baselines can be analyzed for anomalies)
Coding: Code Signing
The code is hashed and the hash is signed with the publisher's private key, so users can verify that it hasn't been altered and who published it.
Coding: Dynamic Code Analysis
The code is run and its behaviour observed. Fuzzing is the variant that feeds random or malformed inputs to see what happens (crashes, exceptions, hangs).
Coding: Use of third party libraries
Code libraries that can be used for apps
HVAC for Data Centers Explained
Cold aisles and hot aisles are set up so that cool air is pushed through the front of the racks and hot air is extracted from the back, keeping servers cool.
Data acquisition
Collecting all evidence (USB drives, cameras, computers, paper files, letters, bank statements etc)
Hybrid attack
Combination of both a dictionary attack and a brute force attack
Weak password implementations
Common passwords, less than 7 characters, all letters or all numbers, default passwords
Reverse proxy example:
Company wants to set up Skype webinar. All conferencing requests will pass through the reverse proxy server so that they're authenticated and it redirects them to the relevant skype server.
Coding: Compiled versus runtime code
Compile-time errors are caught by the compiler; runtime errors appear only while the program is running. Both stages are used to find bugs.
Air Gaps
Completely separate networks/hardware for sensitive traffic. The DoD has separate networks called SIPRNet (classified) and NIPRNet (unclassified).
What is the "Agile" SDLC?
Concept (Conceptualize project) \/ Inception (Start project) \/ Construction (Build project) \/ Release (Test and deploy into production) \/ Production (Operate and support release) \/ Retirement (Remove from production)
Certificate trust; Web of trust
Concept used by PGP to establish the authenticity of the certificate being used. In PGP, 2 people are going to encrypt data between themselves; the first stage would be to give each other a public key so that they can encrypt the data being sent back and forth.
Certificate OIDs
Object Identifiers: dotted-number identifiers (for example, for extended key usage or certificate policies) that appear in the X.509 certificate's extensions. Not the same thing as the certificate's serial number.
What are the main tunneling protocols?
L2TP/IPsec (tunnelling protocol that can authenticate with certificates, Kerberos or a PSK; the exam treats it as the most secure traditional VPN option) SSL/TLS VPN (uses TLS certificates for authentication and runs over TCP 443, so it works through most firewalls; often browser-based)
Best practice for remote access while supporting confidentiality
L2TP/IPSec VPN tunnel using AES encryption.
LDAPS
LDAP, but secure: encrypted sessions over SSL/TLS, known as LDAP over SSL, on TCP 636. Plain LDAP (389) sends queries in clear text and is susceptible to LDAP injection attacks, where an attacker crafts input to extract information from the directory service.
RAID 10
RAID 1+0. Minimum 4 disks. Data is striped (RAID 0) across mirrored pairs (RAID 1). Survives one failed disk per mirror pair.
Substitution Cipher
A method of encryption and decryption in which each letter in the alphabet is replaced by another.
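The ROT13, XOR and substitution cards all describe the same family of classical operations. The added example below (not from the book) implements the general monoalphabetic substitution, derives ROT13 as the shift-13 instance, recovers an unknown shift by frequency analysis (which is why substitution ciphers are obsolete), and implements the XOR step from the XOR card, including its one secure use, the one-time pad. The sample message is constructed:

```python
import collections
import os
import string

ALPHABET = string.ascii_uppercase


def shift_key(shift):
    """Substitution key for a Caesar-style shift; shift 13 gives ROT13."""
    return ALPHABET[shift:] + ALPHABET[:shift]


def substitute(text, key, decrypt=False):
    """General monoalphabetic substitution: 'key' is any permutation of the
    26 letters. Case is preserved; non-letters pass through unchanged."""
    src, dst = (key, ALPHABET) if decrypt else (ALPHABET, key)
    table = str.maketrans(src + src.lower(), dst + dst.lower())
    return text.translate(table)


def rot13(text):
    """ROT13 is its own inverse: rot13(rot13(x)) == x."""
    return substitute(text, shift_key(13))


def recover_shift(ciphertext):
    """Frequency analysis: assume the most common ciphertext letter is E."""
    counts = collections.Counter(c for c in ciphertext.upper() if c in ALPHABET)
    top = counts.most_common(1)[0][0]
    return (ALPHABET.index(top) - ALPHABET.index("E")) % 26


def xor_bytes(data, key):
    """XOR data with a repeating key. Equal bits give 0, different bits give 1."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def one_time_pad(plaintext):
    """A random key as long as the message, used once: the only unbreakable
    use of XOR. Reusing the key collapses it to a trivially breakable cipher."""
    key = os.urandom(len(plaintext))
    return key, xor_bytes(plaintext, key)


if __name__ == "__main__":
    # Constructed sample message.
    msg = "WE MEET AT THE BRIDGE AT SEVEN WHERE THE RIVER BENDS"
    ct = substitute(msg, shift_key(7))
    print(ct, "-> shift", recover_shift(ct))
    print(rot13("Hello, World!"))
    print(xor_bytes(bytes([0b01010100]), bytes([0b01101000])) == bytes([0b00111100]))
```

Run on the sample, the shift-7 ciphertext gives itself away because its most frequent letter is L, seven places after E. The XOR call reproduces the card's worked bits (01010100 XOR 01101000 = 00111100).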
What type of encryption do IoT devices need to use due to their tiny processing power?
ECC
What is a "Unified Threat Management Firewall" (UTM)?
Multipurpose firewall, it does malware, content, and URL filtering. Cisco Firepower Firewalls (Next Gen Firewalls) are like this. All in one security appliance.
What is a Public Cloud?
Multitenant. Multiple tenants on same systems in VMs.
Non-credentialed vs Credentialed scans
Non-credentialed scans are scans done from an attackers perspective, credentialed scans are done from ITs perspective.
RAID
Redundant Array of Independent Disks
4 Types of frameworks
Regulatory Non-regulatory National vs international Industry-specific frameworks
RAT Trojan
Remote Access Trojan Program that allows attackers full control of a computer
RADIUS Acronym
Remote Authentication Dial-In User Service
Account monitoring
A SIEM (Security Information and Event Management system) will alert you when changes are made to accounts or the system.
Voice and Video Protocols and Components
SIP RTP SRTP VLAN Media Gateway
Memorandum of Agreement (MOA)
Similar to an MOU but as a legal document.
Key stretching
Similar to salting a password; inserting strings to prevent rainbow table and collision attacks. Bcrypt and PBKDF2 can be used for key stretching.
SMTP
Simple Mail Transport Protocol Used to transfer files between different mail servers, and for outbound emails
NETBIOS Port (NETBIOS to IP resolution)
UDP 137-139
SNMP Port
UDP 161
SNMPv3 Port
UDP 162
DNS Port
UDP 53
DHCP Port
UDP 67/68
TFTP Port
UDP 69
RADIUS Server Info
UDP Based, Port 1812 Authenticates things such as VPN servers, Remote Access Servers, and 802.1x authenticating switches or WLCs.
What are the 3 main functions of proxy servers?
URL Filter (Self explanatory) Content Filter (Monitors page content and will block it if needed) Web-page caching (Frequently visited websites can be cached to prevent network strain. Make sure this isn't done for sites that NEED real-time information, such as stocks. Otherwise, the cached page may not be up-to-date right away.)
Trojan
Viruses that create backdoors on your computer to allow malicious access to your computer. These often try to exploit system32.exe and then run a DLL file to attack the OS kernel, the management part of the OS. Trojans often try to find password information and set up an SMTP engine that uses a random port to send those details to an attacker. Trojans can involve RAT installations.
Asymmetric Algorithms
Use a PKI environment as they use 2 keys, one private and one public. Diffie Hellman, RSA, DSA, ECC, Ephemeral keys, PGP, GnuPG
Account Creation Naming Conventions
Use a naming convention for accounts. Ex: John.Smith, Jsmith, jhs142488, etc. Make sure all user accounts are unique so that each person is responsible for their account.
Credential Management
Use different credentials between sites. Clicking "Remember Password" will cache your password for next login. This can be a security risk.
Low Latency
Use symmetric ciphers (such as 3DES or AES) to encrypt large amounts of data since they use a block cipher encryption with a small key length. Asymmetric keys have a minimum of 1024 bits. The larger the key length is, the more processing and possible latency there can be.
Asymmetric Encryption
Uses two keys, one private and one public key (also known as a PKI, complete with its CA and intermediary authorities).
Logical separation
VLANs
Virtualization for segmentation
VLANs can be used to separate users on virtual networks.
What is a "Virtual Switch"?
VM "switches" to determine connectivity. You can assign VMs to virtual switches, and can bridge an adapter to virtual switches.
Screenshots
You can screenshot applications for evidence.
Public CA
(Known as a third party CA) A commercially accepted CA (EX: Comodo, Symantec, Go Daddy etc). Simply purchase the certificate from the provider, then install it. They maintain the CRL (Certificate Revocation List) where you can check if the certificate is still valid.
What is a reverse proxy?
(Load Balancer?) Internet traffic to internal network proxy. Placed in the DMZ. This performs authentication and decryption of a secure session so it can filter incoming traffic.
Legal Hold
(Sometimes called "litigation hold") Protecting documents that can be used as evidence from being altered or destroyed.
Class A-E IPs
Class A: 0.0.0.0-127.255.255.255; Class B: 128.0.0.0-191.255.255.255; Class C: 192.0.0.0-223.255.255.255; Class D: 224.0.0.0-239.255.255.255; Class E: 240.0.0.0-255.255.255.255. 128, 192, 224, 240 are the boundaries between each class.
LDAPS Port
636
HTTP Port
80
Name all wireless standards
802.11a (5GHz, 54Mbps) 802.11b (2.4GHz, 11Mbps) 802.11g (2.4GHz, 54Mbps) 802.11n (2.4GHz/5GHz, 150Mbps, MIMO)
Wireless Authentication Protocols
802.1X, RADIUS Federation, EAP, PEAP, EAP-FAST, EAP-TLS, EAP-TTLS
Switching use case
802.1X (Switch allows devices to authenticate via EAP to a RADIUS Server before being allowed to use the wired or wireless port.) Port Security (For Security+, this is when a port on a switch is switched off to prevent someone from plugging their laptop into a wall jack. In reality, it's a suite of tools Cisco offers to do a range of things on switches.) Flood Guard (Prevents MAC flooding attacks, which can result in DDoS and man-in-the-middle attacks when the switch broadcasts every frame to everyone since the MAC table is constantly being filled with bogus addresses.) VLAN, STP
Port-based authentication
802.1X on switches/WLCs.
Kerberos Port
88
FTPS (Secure FTP)
989/990
IMAP4 Port
993
Secure POP3 Port
995
DNS Records
A (IPv4 host) AAAA (IPv6 host) CNAME (Alias) MX (Mail Server) SRV Records (Finds services such as a domain controller)
Private CA
A CA that can only be used internally. Free, but the company must maintain the CA.
What is an SSL VPN?
A VPN that can be used with a web browser that uses an SSL certificate for encryption. This has been replaced by TLS (Transport Layer Security), which is a more modern version of SSL. For the Security+, know that the SSL VPN is normally used for legacy VPNs that don't support L2TP/IPSec.
Hostname Resolution
A database of hostnames to IP addresses that can be queried for resolution. PCs have a hosts file, and DNS servers have databases.
DHCP Relay Agent
A device that can forward DHCP requests and replies. Kind of like a DHCP proxy. Cisco switches can do this: they take DHCP broadcasts and send them as unicast to the DHCP server in another subnet if an ip helper-address is set.
SSL/TLS Decryptor
A device that decrypts data before it passes through a NIPS/NIDS/DLP filter. This way, the traffic can be analyzed for malicious behavior.
Load Balancer
A device that load balances traffic to multiple servers. The load balancer has a Virtual IP (VIP) that, when reached, forwards traffic to one of several servers based on factors you can set. One factor you can set is the least utilized host. The load balancer can be tied into the servers so that it knows the status of each for load balancing. Round-robin is another option. A user who has requested 3 web pages may be sent to multiple web servers; the load balancer keeps track of each session.
Main gateway
A device that scans emails going in and out. This can also filter spam.
Sensor/Collector
A device, tap, or firewall log set up to alert a NIDS of traffic pattern changes. It scans for weird behavior, and if found, alerts the IDS.
Industrial Control System (ICS)
A general term that encompasses several types of control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures.
Risk Register
A list of all the risks a company could face. Financial director and IT manager are the "risk owners", and are responsible for the risks.
What is DNS Round-robin?
A load balancer can use DNS round robin to pick the server to send traffic to. When a request comes in, the load balancer contacts the DNS server and rotates the request based on the lowest IP address first, then rotates around the servers.
ARP Poisoning
A local attack where an attacker sends spoofed ARP messages saying it's an IP that it's not. gARPs used?
Perfect Forward Secrecy
A property of a public key system in which a key derived from another key is not compromised even if the originating key is compromised in the future. (AKA: when there is no link between the session key and the server's private key. This way, if the VPN server has been compromised, the attacker cannot use the server's private key to decrypt the session.)
Implementing Secure Protocols
A protocol is the rules required for different applications for the exchange of data. Each application has a unique port number.
Rule-based Access Control (RBAC)
A restriction to permissions for a certain group. For example, contractors can be given access between 8am to 5pm for only certain buildings.
Secure Baseline/Integrity
A secure baseline is a list of applications, the application configurations, the patches, etc. FCIV (File Checksum Integrity Verifier) and SFC (System File Checker) can identify changes in the integrity of the application.
What is a proxy server?
A server that makes requests on behalf of the client.
ACL for files vs ACL for firewalls
ACL for files allow for rwx, ACL for network devices allow for you to filter IPs/Ports/Protocols.
Router ACLs
ACLs can filter based on Source/Destination IP/Port number.
Special Purpose Devices
AED, Defib, CPAP, other mobile medical devices.
Symmetric Encryption Algorithms
AES, DES, 3DES, RC4, Blowfish/Twofish, Diffie Hellman
What 3 policies are needed when allowing employees to BYOD?
AUP (Acceptable Use Policy) Onboarding Policy (Ensures devices entering are fully patched) Offboarding Policy (Covers things like handing back the company's data. May have to take people to court if they refuse to comply)
Keys that are not Ephemeral Keys (one-time use), what is the lifespan?
About 2 years for static keys (any other symmetric/asymmetric encryption keys)
Recovery Point Object (RPO)
Acceptable downtime. Time that a company can last without its data before it affects operations.
Intermediary Authority
Accepts incoming requests for certificates and issues them once the CA has signed them. The certificates issued are known as X509 certificates.
Attribute-based access control (ABAC)
Access determined by an attribute, such as an AD group.
HTTPS (Web Mail)
Accessing web mail via a secure browser. Microsoft Outlook Anywhere is an example.
Guest Account
Account designed to grant limited access to guests without the need to create a user account. No longer enabled in most cases, can be seen as a security risk.
Account lockout
Accounts being locked out after so many failed attempts. Stops dictionary and brute force attacks.
Account expiry
Accounts can be set to expire automatically on a certain date.
Privilege Account
Accounts with higher access, typically IT team members use these.
Adverse action
Actions that are unlawful if taken for certain reasons (such as discrimination)
What are the 5 types of caching?
Active caching, Caching, Transparent cache, Non-transparent cache, Application proxy
Active Logging
Actively log changes to patterns in log files. Installing a SIEM system can help collate all entries in the log files.
Salting passwords
Adding bits to a password before it's hashed so that a rainbow table can't find a matching hash value to decipher the password.
AES
Advanced Encryption Standard (AES) Either 128, 192 or 256 bits. Commonly used for L2TP/IPSec VPNs.
IPv4 Registries for areas (managing public IPs)
AFRINIC (Africa); APNIC (Asia); ARIN (US, Canada, Caribbean islands); LACNIC (Latin America); RIPE NCC (Europe, Middle East, Central Africa)
TGT (Ticket Granting Ticket)
After Kerberos authentication, the user gets a ticket that allows them into multiple things for 10 hours. The computer exchanges a service ticket for a session ticket.
What are the 5 SIEM functionalities?
Aggregation (SIEM system can move log files from everything to a common location) Event Correlation (SIEM system uses a correlation engine to correlate events from different systems. For example, if a single user tried to log in from 3 different devices, the SIEM system would alarm a potential attack. When the same event is duplicated and is logged by different devices, the SIEM system will use event de-duplication to ensure the event is only logged once.) WORM drive backup (WORM = Write Once Read Many. This means the events are backed up to a drive that events cannot be altered or deleted from.) Automated alerting and triggers (SIEM systems can install agents on several devices so the SIEM system is alerted when several events occur.) Time synchronization (SIEM system can sync with NTP so events can be ordered by when they happened.)
Wifi Direct/Ad hoc
Airdrop. No wireless AP device to device connection.
Firewall default settings
Allow nothing through
ACLs
Allow or deny packets based on IP, Port, Protocol etc. Deny all is default for matched traffic at the bottom of every ACL.
Containerization
Allows organizations to deploy and manage corporate content securely in an encrypted space on the device. All corporate resources (corporate emails, calendars etc) reside here.
USB On-The-Go (USB OTG)
Allows other USB devices to attach to the device (mouse/keyboard/cameras/flash drives) and be used. Apple does not allow this.
Time and Day restriction
Allows you to set time limits when an employee can access the network.
Refactoring
Altering software's internal functions without it being obvious to the user. This is a method of driver manipulation. Changing a computer program's internal structure without modifying its external functional behavior or existing functionality.
"Always On" vs "In-demand" VPNs
Always on VPNs (Site-to-site VPNs) are always up. On Demand VPNs (Client to site VPNs, such as Cisco Anyconnect to a firewall) are established only when needed then turned off.
Evil twin
An access point with no security that when a user connects to it, all of their traffic is monitored.
Service Account
An account that can manage software/run antivirus etc. Basically a lower-level administrative account.
Shared account
An account used by multiple people who share the same duties. Can cause issues with accounting; mischief can't easily be traced to a person to be held accountable.
Nonce
An arbitrary number that can be used just once. It's often a random number issued in an authentication protocol to ensure old communications can't be used in replay attacks.
What is a "Session Key"?
An encryption and decryption key that is randomly generated to ensure the security of a communications session between a user and a computer or between two computers. A RADIUS server could create a session key for a user being authenticated.
Online CA
An internal Online CA is always up and running so that people in the company can request a certificate any time day or night.
Coding: Pointer Dereference
An object in programming that stores the memory address of another value in memory.
Carrier unlocking
An unlocked device can be used with any carrier.
What is a "Stateful Firewall"?
Analyzes traffic to determine if it's allowed in. Similar to an IPS? Allows for content based filtering*
What is Role-based awareness training?
Annual training for employees, such as for security.
Supporting Authentication
Corporate environments must have 2 factor authentication. Smart card and pin, RADIUS server, etc.
OSI Model Layers and Example Protocols
Application (HTTP, SMTP) Presentation (Encryption/Formatting) Session (Logging On/Off) Transport (TCP/UDP) Network (IP, ICMP) Data Link (IPsec, VLAN, ARP) Physical (Cables)
What is a "Host-Based Firewall"?
Application firewall built into a host, such as windows.
Types of encryption (Used for tunnels and data protection)
Asymmetric (Certificate based, private and public key. Public key encrypts data and the private key decrypts data) Symmetric (Pre-shared key (PSK) based. Much faster, but less secure. A secure tunnel is created using an asymmetric technique called Diffie Hellman to create the tunnel before data is sent across the internet.) Key Length (Certificate keys are formed in units called "bits". The higher the bit count, the more secure. Stay above 4096 bits.)
Asymmetric Encryption Summary 1
Asymmetric is more secure, has 2 keys, and uses DH (an asymmetric technique for setting up a secure tunnel for symmetric data)
Risk Management 4 Components
Assets (What you own) Risk (Probability assets will be affected) Threat (Anything that wants to inflict loss on a company) Vulnerability (Weakness in a system that can be exploited)
Stratum 0
Atomic clock NTP server. Everything downstream is incremented by 1.
DNS poisoning
Attacker can spoof DNS servers or poison the hosts file or DNS cache.
Pass-the-hash attack
Attacker obtains hashes from a system using NTLM (NT LAN Manager), then uses a tool to put these hashes on a Local Security Authority Subsystem service. Windows-based authentication systems will believe the attacker is a legit user, and provide the required login credentials. Disable NTLM to prevent this.
Brute Force Attack
Attempting every possible combination of characters to break the password.
Phishing
Attempting to trick people into revealing sensitive information, such as passwords and credit card numbers, often by using emails or fake websites that look like they are from trusted organizations.
Kerberos
Authentication protocol. Only authentication protocol that uses tickets, Updated Sequence Numbers (USN) and is time stamped. The process of obtaining your service ticket is called a Ticket Granting Ticket (TGT) session. Make sure all time servers are synchronized within 5 minutes.
Kerberos
Authentication system used to log into AD and grants tickets for authentication. The user completes a session, called a TGT (Ticket Granting Ticket) session, and obtains a 10 hour service ticket. When the user tries to access email, their computer exchanges their service ticket for a session ticket
SIEM (Security Information and Event-Management) System
Automates the collection of log files from hosts/servers/network devices/firewalls etc in real-time.
Mean Time to Repair (MTTR)
Average time to repair a system.
Social media policies
Avoid personal data online. "Cognitive hacking" is social engineering with data found online. Don't post about your employer. Don't use the same password for multiple sites. Don't use company email for personal things.
Type 1 Hypervisor
Bare Metal Hypervisor. Each VM can access the hardware directly. The processor must support this (most do). No OS required for the VMs to hang off of. VMware ESX, Hyper-V, or Xen by Amazon Web Services are all examples of this.
Mandatory Access Control (MAC)
Based on classification level. Top secret (Grave damage); Secret (Serious damage); Confidential (Damage); Restricted (Undesirable effects). Roles: Custodian: Person who stores and manages classified data. Security Administrator: Person who grants access to data. Security Enhanced Linux: SELinux, stricter security measures, NSA published as open code.
BIOS
Basic Input Output System. Chip on the motherboard. ROM, determines how the computer boots up.
Key stretching algorithms
bcrypt, PBKDF2
Disaster Recovery
BIA (Business Impact Analysis, monetary loss if company is down); Recovery Sites (Hot site: already online site with data backups loaded every hour, Warm site: same as hot site but data loaded daily, Cold Site: Has power and water but no staff or equipment); Order of Restoration (self explanatory. Restore critical things first); Geographic Considerations (Distance, location selection, Off-site backups); Data sovereignty; Legal Implications; Continuity of operations planning; Disaster Recovery Exercises (Tabletop exercise is theory, Structured walkthrough is a drill); After-action reports (Review what happened to prevent re-occurrence); Failover (Active/Standby); Alternative processing sites (mobile site or cloud provider); Alternative Business Practices (Backup plan, such as outsourcing)
On-boarding policy
BYOD (Checking devices as they come in)
DMZ (Demilitarized Zone)
Boundary layer between the LAN and WAN that holds information that companies may want people from the internet to access. You may put your email server in the DMZ, but never a domain controller. The web server inside the DMZ is called the extranet, which needs a username and password to access the site.
BYOD
Bring Your Own Device
Data Destruction Methods
Burning; Shredding; Pulping (combining shredded material with water or acid); Pulverizing (smashing HDDs); Degaussing (using a magnet to clean a HDD); Purging Data (Removing unwanted data from a database, such as SQL); Wiping data (Process of removing data from a mobile device, most MDM systems can remote wipe data when stolen); Cluster tip wiping (Completely wipes clusters). Most companies hire third parties to destroy their data properly.
Off-boarding policy
Business data from BYOD devices needs to be removed upon departure.
Who handles change management?
Change Management Board (CMB)
WAP Security
Change default username and password, Disable the SSID (so it must be entered manually. Wireless sniffers can still see it), MAC filtering.
Cipher Block Chaining (CBC)
CBC adds XOR to each plaintext block from the ciphertext block that was previously produced. It applies XOR over and over again to the same code.
Capturing Video
CCTV traffic
Physical Layer
Cables, Coaxial, Wireless etc. 1s and 0s transmission.
Caching
Cache auto-fills, copies of pages are automatically put into a cache.
Camera Use
Cameras can be a risk, trade secrets can be captured. MDM policies may disable the camera.
What is a HSM?
Can be a piece of hardware attached to the server or a portable device that is attached to store the keys.
Subject Alternative Name (SAN) Certificate
Can be used for multiple domain names (EX: abc.com and xyz.com). 2 completely separate domain names can use the same certificate.
Geo-tracking
Can help you locate a lost or stolen device
Administrative Account
Can install software and manage configurations. Can manage user accounts. Recommended to have 2 administrative accounts, one for normal tasks and one for administrative duties. (Similar to dmp vs admindmp)
DLP Summary
Can prevent data from leaving via flash drive or email.
Network Traffic and Logs
Capture these before stopping the attack. This will help us identify the source of the attack.
Industry Standard Frameworks
Carrying out best practices. The best way operations should be set up and carried out.
Mobile Device Connection Methods
Cellular (3G, 4G, 5G. Cellular connections are encrypted) Wifi (Make sure connection is encrypted) Bluetooth (10 meter range) NFC (Near-Field Communication) (Wireless payment when the card must be within 4cm of the card reader?) Infrared (Line of sight, 1 meter range. Connections aren't encrypted, but you can see the attacker as they would have to be within 1 meter.) USB (USB tether. DLP is typically used to prevent data from being stolen by USBs) SATCOM (Secure Satellite Communications, US military use this. Fast and reliable.) ANT (Proprietary, open access, multicast wireless sensor network. Similar to Bluetooth Low Energy. Can provide secure access to wireless sensors.)
CA
Certificate Authority
CSR
Certificate Signing Request
Domain Validation (DV) Certificate
Certificate typically used for TLS (Transport Layer Security) where the domain name of the applicant has been validated by proving some control over a DNS domain
Extended Validation Certificates
Certificate with higher trust, this certificate identifies the entity using the certificate. Typically used for online finance. When the background of the URL turns green, it's using an EV certificate. Companies that apply for an EV certificate have to provide more detailed information about the company.
Data Handling
Confidential data (Legal data and R&D) Private data (Things like minimum sales price) Public data (Data available to anyone) Proprietary data (Trade secrets and R&D) Personally Identifiable Information (PII) (Personal information about a person) Protected Health Information (PHI) (Medical records) Privacy (Laws for data protection)
What does "CIA" stand for in security?
Confidentiality (Only those who should see it can. Encryption.) Integrity (Data is unchanged and untampered with. Hashing, either MD5 or SHA1 are common hashing algorithms) Availability (Ensures that data is always available to those who need it. Unplugging a computer has perfect security, but no availability.)
TCP
Connection oriented. 3 way handshake to establish connection before data is sent: SYN >, < SYN ACK, ACK >. SYN (Sender tells receiver a packet is coming) SYN ACK (Receiver tells sender what packet sequence number to send) ACK (Sender acknowledges this and sends data)
UDP
Connectionless. Send and forget. Faster, but less reliable.
AH
Consists of either SHA-1 (160 bits) or MD5 (128 bits) hashing protocols, which ensure data integrity.
Service Level Agreement (SLA)
Contract between service provider and a customer about the level of service expected. (Ex: speed of service, uptime of service, response time for solutions, etc)
Non-Disclosure Agreement (NDA)
Contract to agree not to disclose information. Usually for trade secrets.
Coding: Memory Management
Controlling how much memory an application can use. Memory leaks are when an application breaks this limit.
Network Access Control (NAC)
Controlling network access by ensuring devices are compliant (such as up to date)
Version Control and Change Management
Controlling the version, and documenting changes
Home Automation
Controls lighting, climate, etc
Encryption Defined
Converting plaintext into ciphertext to make it hard to read without the cipher.
LAB 2 Encrypting Data with EFS and stealing certificates
Create a folder called "test" with a text document called "data" inside. Right click the folder and under properties, go to General > Advanced, then check the box against "Encrypt contents to secure data". The data folder should turn green, meaning it is encrypted with EFS. Open MMC, add the Certificates snap-in, expand Certificates > Current User > Personal, then right click the EFS certificate and select All Tasks > Export. Follow the prompts to export it; it will be in P12 format. Select the password box and enter 123 twice, then name it "PrivKey" and export it to the desktop. Repeat these steps and export the public key as "PubKey". The public key has a .cer extension, and the private key has a .pfx extension. The public key looks like a certificate, and the private key looks like a letter in an envelope.
Provisioning and Deprovisioning
Creating vs Removing. You can provision users, network devices, etc.
DH Groups
DH Groups specify the strength of the key. Group 1: 768 bit; Group 2: 1024 bit; Group 5: 1536 bit; Group 14: 2048 bit; Group 19: 256 bit elliptic curve; Group 20: 384 bit elliptic curve
What are the 3 X500 object types?
DC (Domain) OU (Organizational Unit, helps divide users and computers in your domain into departments. Users and computers are subject to policies once grouped.) CN (Common Name, for everything that isn't a DC or OU. User, Computer, Printer, etc.) EX: If Ian is a user in IT within a domain called moltr.com: cn=Ian, ou=IT, dc=moltr, dc=com
Most companies have directory services that store objects (such as users and computers) as X500 objects. There are only 3 X500 values, what are they?
DC (domain), Organizational Unit (OU), CN (anything else)
Amplification Attack
DDoS attack where an attacker exploits vulnerabilities in DNS servers to turn small queries into large payloads to bring down servers
DDoS Mitigator
DDoS attacks are when large amounts of traffic/requests are directed to a server to overwhelm it. A DDoS mitigator is a device that can detect such attacks and prevent it.
LAN Device Placement
DMZ --- Stateful firewall --- NIPS --- NIDS --- LAN. 802.1X, storm control, LLDP, BPDU Guard, port security*, DHCP snooping, etc.
DNS process
DNS Server > . (Root server) > .com > Authoritative DNS Server (resolves any hostname)
IPv4 DHCP Process
DORA: Discover (Client boots, sends broadcast discover) Offer (All DHCP Servers that hear this will respond with an offer) Request (Client replies to the DHCP server it wants to get an address from) Acknowledgement (DHCP Server acknowledges client and sends details?)
DES
Data Encryption Standard 56 bits. Could be used for L2TP/IPSec VPNs, but weaker than AES.
(Stopping Attacks) DEP
Data Execution Prevention. Prevents malware from executing in restricted areas of the OS. To see if it's on, enter this in CMD: wmic OS Get DataExecutionPrevention_SupportPolicy The value will be 0, 1, 2 or 3. 2 means it's enabled.
(Stopping Attacks) DLP
Data Loss Prevention DLP templates can be set up to prevent PII data from being emailed out, removal of documents from a file server, and block files from being copied to USB
DRA
Data Recovery Agent
Data in transit
Data being transmitted across a network(s). HTTPS can be used to encrypt traffic, VPN tunnels, and TLS for email encryption between mail servers.
Data in use
Data in RAM on a device (or CPU cache) being used. Full memory encryption can be used to secure this.
Data at rest
Data not being used and is stored on a hard drive or external storage.
Application proxy
Deals with requests on behalf of another server. For example, a webpage can display data from another store's webpage.
Data Link Layer
Deals with transmission errors, regulates the flow of data, and provides a well defined interface to the network layer. MAC Addresses, ARP, IPsec (an encryption-tunneling protocol), switches, VLANs, etc.
Honeypot
Decoy server with lower security to monitor attack methods and stop attacks to real servers.
Rootkit
Designed to enable access to a computer or areas of its software that is not otherwise allowed. Deeply entrenched malware. Often targets C:\windows\system32 for Windows or /bin and /usr/bin for Linux. Not all are malware; some developers use these intentionally to override protections by a service provider on a device.
Data retention policy
Determines how long data must be kept. Financial data must be kept 6 years, while medical data may have to be kept 20-30 years.
What is the "Order of Volatility" of an attack?
Determining the most volatile evidence of where an attack came from. Make sure evidence of the attack that will quickly be lost (such as logs in a buffer) is stored.
What are Deterrent Controls?
Deterrence Measures. CCTV/Motion Sensors
DevOps vs Secure DevOps
DevOps (IT and developers work together on software development) Secure DevOps (IT, Developers, and Security together on software development.)
4 Phases of App Development
Development (Use secure programming language) Test (Ensures the application works) Staging (Pushing the application out to simulate a production environment) Production (Going live with the application)
Reference architecture
Document containing best practices for reference
Diffie Hellman
Does not encrypt data; its main purpose is to create a secure session so that symmetric data can travel down it. Diffie Hellman uses UDP port 500 to set up a secure session for the L2TP/IPSec VPN. Diffie Hellman creates the keys used in the IKE (Internet Key Exchange). Once the secure tunnel has been created, the symmetric encrypted data flows down the tunnel.
Separation of duties
Don't give a single person the power to complete a task. Less chance of bad behavior.
Device Management Pillars
Download manager (traffic limiter) Application Management (Controls what applications can be installed onto the mobile device) Content Management (Stores business data in encrypted formats) Remote Wipe (Lost or stolen devices need to be remote wiped)
Crypto-malware
Encrypts files and demands a ransom.
Passwords are one way to authenticate. Name a few options for password that can be enforced by group policy:
Enforce password history (remember last 24 passwords) Maximum password age (forced password changes) Minimum password age (limits how often a password can be changed) Password complexity requirements Store passwords using reversible encryption (bad idea, similar to Cisco service password encryption)
Account maintenance
Ensuring accounts follow a naming convention, are disabled when employees leave then deleted 30 days later.
Types of Wireless Attacks
Evil Twin (WAP that has no password with the same SSID to trick you into using it. Traffic is captured.) Rogue Access Point (Unauthorized AP used as Evil twin, or to bypass security through NAT etc. 802.1X switchports can prevent.) Packet sniffing
Define the following: FAR FRR CER
FAR (False Acceptance Rate, false negative letting in bad user. Type 2 error.) FRR (False Rejection Rate, false positive blocking legit user. Type 1 error.) CER (Crossover Error Rate, where FAR and FRR are equal.)
File Transfer - use case
FTP port 20 or 21, 21 is for "Passive FTP". FTP IS CLEAR TEXT. SFTP is FTP packaged with SSH. Secured file download. TFTP (Clear text and no authentication required usually) FTPS (Faster than SFTP, uses 2 ports. Secure file download)
Symptom of steganography
File size being larger or smaller than it should be
Business Impact Analysis (BIA)
Financial loss due to an incident
Exit Interview
Find out real reason they are leaving. Can help with employee retention.
Biometric Authentication Examples
Fingerprint scanner, Retina scanner, Iris scanner, Voice recognition, Facial recognition
Misconfigured Devices
Firewalls; Content Filters; Access Points (secure with WPA2-CCMP encryption coupled with disabling the SSID and enabling MAC filtering); Weak Security Configurations (no default credentials).
Firmware Over-The-Air Update (OTA)
Firmware is software that is installed on a small, read-only memory chip used to control the hardware running on the device. OTA is updates to that firmware pushed out by the vendor.
IPv6 Info
First 64 bits are used for the network, and last 64 are for the host. First 48 bits are for global network addresses, the following 16 are for subnet ID, and the last 64 bits are for the address of the device itself (this can be derived multiple ways, including EUI-64)
Digital Signatures Explained
First stage in digital signatures: exchange public keys. When an email or file is sent from the private key holder to the public key holder, the public key holder can use the public key to validate that nothing has been changed and guarantee it came from who it said it was from (non-repudiation).
Each time a certificate is used, it must be checked for validity. Name the steps taken.
First, the CRL is checked. If the X509 certificate is in the CRL, it is no longer valid and will not be accepted. If the CRL is slow, the OCSP (Online Certificate Status Protocol) comes into play. OCSP is much faster than the CRL and can take load from the CRL in a busy environment. OCSP Stapling (certificate stapling) is when a web server bypasses the CRL to use OCSP for a faster confirmation that its certificate is valid.
How to secure boot
First, upgrade the BIOS to UEFI, then upgrade to an OS that supports it (Windows 10). Next, enable Device Guard, which logs the settings of the OS and checks the integrity of the software and hardware; otherwise the boot fails.
Tailgating
Following someone through a door that requires badge access.
What happens with accounts when people move departments?
For Security+, a new account is created. In the real world, permissions are edited.
DLL injection attack
Forcing a process to load a DLL to make an application run differently than how it's designed. EX: a malicious DLL could be loaded into another process.
Memorandum of Understanding (MOU)
Formal agreement, but not legally binding.
Background checks
Obvious
Mandatory vacations
Fraudulent employees tend not to take many vacations to hide things
GnuPG
Free version of OpenPGP. Uses RSA keys.
FDE
Full Device Encryption. Example: Bitlocker. Protects data stored on mobile devices when they are data at rest. Devices require TPM (Trusted Platform Module) chip to store encryption keys.
FDE
Full Disk Encryption Uses X509 certificates to fully encrypt the disk, but needs a TPM chip on the motherboard to store the keys.
Backup types
Full backup (backup of ALL of your data); Incremental (backs up data since the last full backup or the last incremental backup. A full backup must be taken first before incremental backups can be used.); Differential (backs up the data that has changed since the last full backup. Sunday: full backup. Monday: back up all data that has changed since Sunday. Tuesday: back up all data that has changed since Sunday. Wednesday: back up all data that has changed since Sunday, etc. Eventually you will have to do another full backup, as differential backups accumulate in size each time.)
Ephemeral keys
One-time use keys, used to create a single session. 2 types of these: Diffie Hellman Ephemeral (DHE) and Elliptic Curve Diffie Hellman Ephemeral (ECDHE).
Device protection
Geofencing (alerts security when devices leave defined geographical boundaries); Geolocation (shows device location); Cable Locks (Kensington locks).
How are VMs scalable?
Given enough processor cores and RAM, if drive space runs out you can simply create a LUN on the SAN and give that server more space.
Least Privilege
Giving someone the least amount of access required for them to complete their job
Custom Firmware, Android Rooting
Giving yourself higher permissions on that device
(Stopping Attacks) Removable Media Control
Group policies can be set to prevent installation of removable devices
IPv6 Address Shortening Methods
Groups of zeros can become "::" once in the address, and 0000 can become :0: for sections not in the "::". Remove leading zeroes.
Sponsored guest account
Guest account created with defined permissions for an outside person, sponsored by someone with permission to do so. For example, someone from an external company requests access to corporate wifi for a presentation they are giving.
Guest
Guest wireless network. Internet access only.
What are VMs known as running on a hypervisor?
Guests.
(Stopping Attacks) HIDS/HIPS
HIDS detects attacks, HIPS can stop attacks.
What is a "Network Based Firewall"?
Hardware device to keep the network safe. Only open ports that are required.
HTTP vs HTTPS
HTTP (port 80) is used to request websites. HTTPS (port 443) is secure HTTP: encrypted requests and replies. Uses TLS/SSL. Certificate?
Every application has a different port number.
HTTP = 80, etc.
Heating, Ventilation, AC
HVAC; can be networked to control centrally.
Threat Actors
Hacktivist (hacker looking to deface your website or image for political or social reasons); Competitor (stealing trade secrets); Script Kiddie (low technical skill, runs scripts written by others); Advanced persistent threat (long-term sophisticated threat, such as a foreign government); Organized crime (criminals hacking for profit); Insider threat (disgruntled employee).
Familiarity and Trust
Hackers who gain the trust of companies/personnel. Build up access to things they shouldn't.
URL Hijacking
Hacking a search engine result to redirect elsewhere. Another form of this is typo-squatting.
Hashing is NOT Encryption
Hashing does not hide data, it only verifies integrity. Encryption hides data.
RIPEMD
Hashing function. 128, 160, 256, and 320 bit versions.
Group-based access control
Having groups to determine permissions. Easier than using individual permissions per-person.
(Stopping Attacks) DLP
Helps prevent against data loss via USB
DNS
Hierarchical naming system: . (root) > com/net/edu etc. > actual authoritative DNS server > hostname.
Cost/Benefit of cipher bits
Higher bits is more secure, but slower; lower bits is less secure, but faster.
Bluejacking
Hijacking a bluetooth device to make calls.
Bluesnarfing
Hijacking a bluetooth for contact info and any other sensitive information
What is the server running the VMs knows as?
Host
4 Components of NAC
Host Health Checks (fully patched devices); Compliant/noncompliant device (patched or not); Agents (installed on the computers to perform health checks and determine compliance); Remediation server (sits on the boundary or quarantine network; it's the bouncer that makes sure devices are compliant before it allows them to connect).
Cloud-hosting services network environment
Hosting is provided by virtual servers. Leased line or internet connection. Cloud provider has full responsibility for hardware and availability of the IT systems.
What are the 2 name resolutions?
Hostname resolution (most common) NETBIOS (Legacy name resolution)
Standard Operating Procedures (SOP)
How an activity will be carried out. (Ex: data backup procedure, daily, using X program)
Privacy Impact Assessment (PIA)
How personal info is handled.
Who developed the OSI model?
ISO
Cloud Service Models
IaaS, SaaS, PaaS, SECaaS
Access Controls
Identification (Username/badge etc) Authentication (Password) Authorization (Privileges)
What is Risk Management?
Identifying risks and determining how to minimize them to protect assets.
What is "Transitive Trust"?
If A trusts B, and B trusts C, then A trusts C. Basically, if a parent domain trusts two child domains then they trust each other permission wise.
Birthday
If passwords are stored as hashes, then attackers know a password is the same if the hash is the same. Two hashes being the same is a hash collision. The "Birthday" paradox says that in a random gathering of 23 people, there is a 50% chance that two people will have the same birthday.
Depending on the type of breach, what may you have to disclose to customers?
If things such as credit card info were stolen, customers must be notified by law.
WEP IV Attack
In WEP, if an attacker learns the plain text of one packet, they can reverse engineer the cipher used to encrypt it
International Standard Organization (ISO)
In networking, ISO makes the framework for communications.
High Resiliency
In an RSA encryption environment, we should use a key with at least 3072 bits. We should also look at implementing accelerator cards to reduce the amount of latency on encryption or decryption.
What documents should exist for incident response procedures?
Incident Types List; Category Definitions (unauthorized access, loss of computers or data, loss of availability, malware attacks, DDoS attacks, power failure, natural disasters such as floods, tornadoes, hurricanes, fires, and cyber security incidents).
Who does what during an incident?
Incident response manager (top level manager who takes charge); Security Analyst (technical support to the incident); IT Auditor (audits compliance); Risk analyst (risk evaluator); HR; Legal; Public relations.
Infrastructure
Infrastructure wireless networks are where devices connect to a wireless network through a WAP.
IaC
Infrastructure as Code. Managing systems with scripts.
IaaS
Infrastructure as a Service Virtual network infrastructure. You install and patch the virtual devices.
Penetration testing techniques
Initial Exploitation (Self explanatory, the pen tester takes what they know and tries to exploit vulnerabilities) Active Reconnaissance (Actively trying to gain information on the system. Port scans etc. When an action is taken to gain information) Passive Reconnaissance (Gaining knowledge passively, such as eavesdropping on a conversation)
What are the 2 modes of operations for NIPS and NIDS
Inline (In-band IPS, can analyze and block traffic) Passive (Out-of-band, can only detect traffic. Usually done through mirroring.)
Microsoft Baseline Security Analyzer Demo
Install, click Scan, see the "score".
Sideloading
Installing an app with the .apk package. Useful for developers who want to trial third-party apps
Sandboxing
Installing an application on a VM to patch/test it before placing it onto a production environment
System On a Chip (SoC)
Integrated circuit that integrates all components of a computer or other electronic system
Real Time Operating System (RTOS)
Intended to serve real-time applications; faster than a standard OS, with a much faster response time.
Non-transparent cache
Intercepts the request and verifies validity, ensuring the URL filter allows the site first. It is used to stop people from caching web pages that are restricted.
Transparent cache
Intercepts the request by the host and does not modify the search
What is a "Back to Back Firewall Configuration"?
Internal Network, Firewall, Boundary network (DMZ), Firewall, External network.
Auditing
Internal auditors ensure everything is up to policy. They inform management of anything outside of policy.
Administrative Controls
Internal audits and contracting penetration testing.
WLAN
Internal corporate wireless network that sits in your LAN. Normally, WPA2 Enterprise or WPA2 CCMP are used for encryption methods.
Who developed x500 objects?
International Telecommunication Union (ITU)
IMAP4
Internet Message Access Protocol. An email protocol where the client downloads the email and leaves a copy on the server. Port 143.
IoT
Internet-connected devices that control everything. These are a security nightmare due to the diversity of devices.
LAN
Intranet, internal only information. Keep secure, private information leaks can damage a company.
Detective Controls
Investigative things, allowing you to investigate an incident. CCTV records. Log Files.
What is a "Container"?
Isolated guest virtual machines.
Hiring can be risky. Name a few ways to expose untrustworthy staff members
Job rotation, Mandatory vacations, Separation of duties, Clean desk policy, Background checks, Exit interview, Acceptable User Policy (AUP), Rules of behavior, Adverse action, Policy violations
Account management
Keep accounts up-to-date. Tools can be used to query for users who haven't logged in for a certain time frame.
HMAC Authentication
Keyed-hash message authentication code. Specific type of MAC (Message Authentication Code) involving a cryptographic hash function and a secret cryptographic key. HMAC-MD5 or HMAC-SHA1. The exam looks at both data integrity and data authentication.
Single sign on
Kerberos provides single sign-on. Once a user has their service ticket, they can use this ticket for 10 hours. Users use their service ticket to get a "Session ticket" with the server they want to access resources on. Users can get SSO for things such as mail servers.
What is a "Secret Key"
Key used by Symmetric Encryption for encryption and decryption.
Cost/Benefit
Larger bit key? More secure but higher bandwidth and processing power required, and can cause latency if either are lacking.
Regulatory framework
Law and government regulations. Ex: General Data Protection Regulation (GDPR) is an EU law for data protection and privacy. Ex: Health Insurance Portability and Accountability Act (HIPAA) is US regulation for health data privacy.
Acceptable User Policy (AUP)
Lays out rules for BYOD devices and company internet usage.
Remote Access Services (RAS)
Legacy protocol before VPNs. Modems were used.
Data retention
Legal hold (litigation or police investigation); Data compliance (laws define how data must be retained).
Types of IPv6 Addresses
Link Local (similar to APIPA, limited to one subnet and starts with fe80. These are self-assigned; they do not require DHCP etc.); Unique Local ("site-local" addresses, not internet routable, but routable on the internal network. Similar to RFC 1918 addresses. These start with either fc00 or fd00, both /8. fc00 is for globally assigned addressing, and fd00 is for locally assigned addressing.); Global/Public Addresses (globally routable, starts with either 2001, 2002, or 2003. 2001 is most common.)
Certificate Chaining
Linking several certificates together to establish trust between all the certificates involved.
Rainbow tables
Lists of pre-computed passwords with a corresponding hash. You can obtain free rainbow tables from the internet; some of the larger ones are 460GB in size. These speed up the cracking of passwords that have been hashed.
Load Balancing vs Reverse Proxy
Load balancing is good for multiple servers, and allows for server redundancy (a load balancer won't send traffic to a dead server). Some load balancers have session persistence, meaning clients are always directed to the same server. This is NEEDED for things like website shopping carts to be saved. Reverse proxies are a website's "public face". This increases security, since the website hosts themselves (Linux/Windows boxes) aren't directly receiving traffic (and therefore aren't as easily susceptible to OS attacks). They can also provide DDoS attack prevention (by blacklisting clients and limiting how many connections each client gets). They also allow internal changes to be made much more easily, since clients only see the proxy's IP address, allowing you to change the configuration of your back-end infrastructure. They can also cache for internet users, do SSL termination to reduce CPU on the back-end servers, and compress responses to reduce bandwidth.
Single Loss Expectancy (SLE)
Loss of one item. Laptop worth $1,000 and you lose it, SLE is $1,000.
What is Microsoft's Vulnerability Scanning tool called?
MBSA (Microsoft Baseline Security Analyzer). This can only be used to detect KNOWN vulnerabilities. Will not work on zero-day exploits.
What is MSCHAP(v2)
MSCHAP is Microsoft's version of CHAP.
Coding: Proper Error Handling
Make errors vague enough so attackers don't get too much information, but detailed enough so IT knows what's causing a problem. (Errors to users should be generic, but for administrators should be full of details.)
Supporting Obfuscation
Make source code hard to interpret.
Supply Chain
Make sure to vet your supply chain. They may be installing systems that aren't secure into your environment.
Keylogger
Malware that logs keystrokes. Some keyloggers can run off USBs, others are remote viruses that attempt to send keylogs to an attacker.
Spyware
Malware that tracks what you're doing and sends information to a third party.
Padding Oracle On Downgraded Legacy Encryption (POODLE) Attack
Man in the middle attack that exploits SSL 3.0 on legacy systems. A downgrade attack is when you abandon a higher level of security for an older protocol that can be cracked.
What are the two main web server options?
Microsoft IIS (Internet Information Server) and Apache (both sources have guides to help protect web applications running on a web server).
(Stopping Attacks) Patch Management Tools
Microsoft has WSUS (Windows Server Update Service) which is an example of this. Manages patches.
NETBIOS
Microsoft legacy naming convention. Each computer name has 3 separate entries: PC1 <00> (Workstation service), PC1 <03> (Messenger service), PC1 <20> (Server service).
(Stopping Attacks) File Checksum Integrity Verifier (FCIV)
Microsoft utility that can generate MD5 or SHA-1 hash values for files to compare values against a known good value.
RAID 0
Minimum 2 disks, maximum 32 disks. Stripes data across disks for much faster speeds. No fault tolerance, if one disk fails all data is lost.
RAID 5
Minimum 3 disks. When RAID 5 is created, you only lose the equivalent of 1 drive of space across the RAID. This allows for RAID 0 speeds, while allowing for recovery if one drive fails. Each disk has a parity set reserved for recovery; the remaining disks can determine what the missing disk would have had through an equation.
RAID 6
Minimum 4 disks. Same thing as RAID 5, but one disk is reserved to hold a second copy of the parity from every disk (and nothing else). This allows for recovery if 2 drives fail.
Tap/port mirror
Mirroring traffic to another interface for analysis.
Hoax
Misdirection/fraud. One example is telling people a system file is malicious and telling them to delete it.
What is a Hybrid Cloud?
Mixture of on-premises and cloud services. Some companies function on-premises and burst into the cloud when needed.
What is MDM?
Mobile Device Management. Sets policies on the use of mobile devices on the network. This can prevent things such as camera use, or prevent things like the sending and receiving of texts.
NTP Use Case
Modern networks have the Domain Controller synced to a stratum 0 clock as a reference for the rest of the network. SIEM systems, Kerberos, and other devices with timestamps rely on time being accurate for logs and security.
What is "Diameter"
Modern version of RADIUS. Works on TCP. Diameter is the AAA server that uses EAP.
MFD
Multifunctional Devices, such as a printer/fax/copier combo.
Honeynet
Multiple Honeypots
Vendor Diversity
Multiple ISPs
Multifactor authentication
Multiple factors. Phone 2FA, smart card + pin + keys for blood irradiator closet.
Summary so far of mobile device management
Must be able to: Track device, Remote wipe the device, Encrypt data on the device, Push/Pull software to and from the device remotely, Prevent unauthorized apps from being installed
Near-Field Communication (NFC)
NFC is used to make wireless payments, but a credit/debit card needs to be within 4cm of the reader. Someone with a skimmer close to you can steal your information unless you have an aluminum wallet.
Name the 2 IDS types
NIDS (Network Intrusion Detection System) and HIDS (Host Intrusion Detection System).
Name the 2 IPS types
NIPS (Network Intrusion Prevention System) and HIPS (Host Intrusion Prevention System). NIPS goes on the perimeter of the network behind the firewall; HIPS operates on host machines.
NTLM
NT Lan Manager, legacy authentication protocol. Stores passwords as MD4 hash and is easy to crack. 1990s.
Discretionary Access Control
NTFS file permissions: Full Control, Modify, Read and Execute, List Folder Contents, Read, Write, Special Permissions. Data creator/owner.
National vs international
National frameworks are by country regulation.
OS Types
Network Devices (Linux variants); Servers (Windows Server 2016, or a Linux variant); Workstations (Windows 10 is the most secure: it supports Secure Boot and Bitlocker); Appliances; Kiosk; Trusted OS (a secure system normally used by the military. Multiple layers of security. Used to access classified data.); Mobile OS (Apple iOS or Android).
On-premises network environment
Network and all devices are on-site and IT managed.
User Account
No real access. Can't install software. There are two types of user accounts: those local to the machine and those in a domain.
Is SSL safe to use?
No, SSL is deprecated. However, SSL VPNs are the only VPNs that use an SSL certificate and work with legacy clients.
Non-regulatory framework
Not enforceable by law (optional). Ex: Information Technology Infrastructure Library (ITIL) Ex: COBIT
Push Notification
Notification that something like a text or email has arrived.
What is the account lockout threshold?
Number of password attempts before lockout
Annual Rate of Occurrence (ARO)
Number of times an item has been lost in a year. Laptop lost 6 times per year, the ARO would be 6.
Internet-based open source authentication options
OAuth 2.0 (enables third parties to obtain limited access to a web service); OpenID Connect (uses OAuth to allow users to authenticate with an external source, such as "sign in with Google").
Types of wireless antennas
Omnidirectional (360 degree transmission); Directional (one direction of transmission, panel antenna etc.); Yagi (very directional antenna, long distance. Can be used between 2 buildings.)
Setting on SAN Storage
On the SAN, you can allocate 100TB of space by giving it a LUN (Logical Unit Number). This LUN is an iSCSI target. A server can then connect to that storage space like a local drive using that LUN. The SAN server is kind of like a hypervisor: it can create a partition from its massive amount of storage space, then give that partition a LUN so that computers can connect to it as iSCSI initiators.
RTP
Once SIP establishes the connection, RTP transfers voice and video traffic.
Recovery
Once the incident is eradicated, we may have to recover the data from a backup
Aggregation Switches
One switch that multiple switches connect to
Data Roles
Owner (usually CEO); Custodian (handling and protecting data); Security Administrator (grants access to data as needed); Privacy Officer (ensures access to data is controlled).
What is a "Stateless Firewall"?
Packet filtering firewall, only looks at the packet fields to determine if it's allowed in.
Wireless Captive Portal
Portal before getting access to wireless. Splash page where you accept terms or pay fee to use internet etc.
Login errors
Password typos
BCRYPT
Password-hashing algorithm based on the Blowfish cipher. Used to salt passwords; a random string is inserted to increase the password length to help protect against rainbow-table attacks. It also has an adaptive function where the iteration count can be increased to make it slower, so it remains resistant to attacks even with increasing computation power.
Penetration testing vs Vulnerability scanning
Penetration testing is more intrusive; it tries to find and fully exploit anything that could damage IT systems. Vulnerability scans are non-intrusive; they just look for potential vulnerabilities. MBSA is an example of a vulnerability scanner.
2 types of environments with VDI?
Permanent (Settings saved to terminal server) Non-permanent (Settings and files don't save after logout)
Certificate Architect
Person who builds the CA, then the intermediary authority.
Transport Layer
Ports are either TCP or UDP. These protocols are what carry data around. This is where data is broken up into chunks for sending, with sequence numbers attached.
POP3
Post Office Protocol 3. An email protocol where the client downloads the email and the server deletes the copy it had. Not commonly used. Port 110.
NAC (Network Access Control)
Posturing. Remote clients may be forced to update before being able to VPN into the network. Until they meet the requirements, they will be stuck in a quarantine network. When the user is authenticated, the Health Authority (HAuth) checks the registry of the client to ensure it's up to standard.
EXPLAIN IPSec Phases of tunnel creation
Phase 1: A secure tunnel is created with IKE (Internet Key Exchange). Diffie Hellman is used to set up a secure tunnel before the data crosses. (Key exchange occurs using Diffie Hellman on UDP port 500 between endpoints.) Phase 2: Data is encrypted. Encryption can be done using DES, 3DES, or AES. AES is most secure, allowing up to 256-bit encryption.
Vishing
Phishing attacks committed using telephone calls or VoIP systems.
Whaling
Phishing attacks sent to people such as CEOs.
GPS tagging
Photos taken have GPS tracking attached in the metadata.
Hardware security module (HSM)
Physical device that stores X509 certificates used on the network. These are traditionally plug-in cards or an external device that attaches to a computer or server.
Certificate Pinning
Pinning prevents the compromise of the CA and issuing of fraudulent X509 certificates.
What is a "Web Application Firewall"?
Placed on a web server to protect web-based applications on that server.
Physical segmentation/separation
Placing a server in the DMZ
Group-based access
Placing people into groups to determine access
PaaS
Platform as a Service Ex: Microsoft Azure. Service to support development of applications. Provides the environment to do so.
Remote Access Policy
Policies for remote access VPN users.
Personnel Issues
Policy Violation (force employees to follow policies); Insider threat (hardest to stop. They could be using someone else's credentials); Social Engineering (tailgating and familiarity); Social Media (don't post company info); Personal Email (block personal email providers with UTM or a proxy. DLP templates can't prevent information from leaving the company through these means).
Types of port security you can put on a switch
Port Security (shut ports or port-security config); 802.1X (authentication for end-devices); Flood Guard; Loop Protection (STP, BPDUGuard).
SQL Injection attack
Querying a SQL database with modified commands to gain information
Two AAA Server types
RADIUS and TACACS+. Both provide Authentication, Authorization and Accounting.
RADIUS Terms
RADIUS Server (such as ISE) is what queries the credential database (like an AD or LDAP server). RADIUS Client is the network device that asks the RADIUS Server whether a device trying to connect to it should be allowed.
RADIUS vs TACACS+
RADIUS uses port 1812 and encrypts only the password in its traffic. TACACS+ uses port 49 and encrypts the entire packet. Cisco proprietary.
Time Normalization
Recording time offsets. When evidence is collected, make sure to take note of the time offset of any timestamps.
Electronic Code Book (ECB)
Replaces each block of clear text with a block of ciphertext. The same plaintext will result in the same ciphertext. The blocks are independent from the other blocks. Much less secure than CBC.
What is the "Waterfall" SDLC?
Requirement Gathering > System Design > Implementation > Testing > Maintenance
Type 2 Hypervisor
Requires an OS, then the hypervisor is installed like an application. Ex: Oracle VirtualBox, or Microsofts Virtual Machine.
Continuous Integration (CI)
Requires devs to copy code into a shared repo several times per day. Each check-in is verified by an automated build, allowing teams to detect problems early.
Recovery Time Objective (RTO)
Return to operational state. Time that the company has been returned to an operational state.
Risk Treatment
Risk acceptance (accepting risk, usually due to low probability); Risk transference (having a third party handle the risk); Risk avoidance (avoiding a task since the risk is too high); Risk mitigation (technical control).
Recording Microphones
Risk, trade secrets
RC4
Rivest Cipher 4. 40 bits. Used by WEP and is seen as a stream cipher.
RSA
Rivest, Shamir, and Adleman. 1024, 2046, 3072 or 4096 bits. Used for encryption and digital signatures.
Certificate trust; What is a trust anchor?
Root certificate, root CA, from which the whole chain of trust is derived
Jailbreaking
Rooting an Apple iOS device
Devices for OSI layers
Router (L3, packets); Switch (L2, frames); Hub (L1, bits); Transport layer (datagrams).
Hashing SHA vs MD5 bits
SHA-1: 160 bits. MD5: 128 bits. One-way function to ensure data integrity.
(Stopping Attacks) Application Whitelisting
Rules for which applications may run on a computer
Coding: Sandboxing
Running applications in a VM for testing
iSCSI Connector
Runs SCSI (Small Computer System Interface) commands over Ethernet. IN AN ETHERNET-ONLY ENVIRONMENT: basically, an iSCSI initiator (computer) can connect to an iSCSI target (remote storage server) and see that storage as a local drive. IN A SAN ENVIRONMENT WITH FIBER CHANNEL SWITCHES AND HBAS: the server connects to the LAN with a normal NIC. The server also has an HBA card to connect to the Fiber Channel switches, which then connect to storage. There is also a "CNA" (Converged Network Adapter) that servers can have installed, which is a card with 2 Ethernet or fiber ports, both capable of both NIC and HBA traffic. In order to use one of these on a server, the switch it connects to must support FCoE (Fiber Channel Over Ethernet); the switch must have Ethernet/FCoE switchports. Once set up, a single connection handles both HBA traffic and LAN traffic.
Hash Algorithms Examples
SHA1, MD5
Types of Email Protocols
SMTP, SMTPS, POP3, IMAP4, HTTPS (Web Mail), S/MIME (Secure/Multipurpose Internet Mail Extensions)
SMTPS
SMTP but Secure. Encrypts the mail being transferred.
SNMP use case
An SNMP server can be used to monitor everything on the network that supports it (almost everything does). Agents can be installed on clients to monitor them, and some devices natively support SNMP, such as Cisco devices. SNMPv3 is the secure version of SNMP. It authenticates and encrypts packets.
SSL Accelerators
SSL is used to encrypt data to protect it in transit, and can be hard on CPU. SSL Acceleration is outsourcing that encryption to another device (such as reverse proxy) to relieve the server of that processing.
What is a Community Cloud?
Same industry. Where companies in the same industry share a cloud for an application.
Active caching
Scheduling webpage caching at specific times (EX: google.com caches every day at 4am)
Ways of securing mobile devices
Screen Locks (timer auto-locks); Passwords/PINs; Biometrics; Context-aware authentication (multiple factors. Example: in order for someone to access, they have to be on a certain network during a certain time period. If any factor fails, authentication fails.)
DNSSEC
Secure DNS, encrypted DNS traffic designed to prevent the following: DNS spoofing attacks, DNS cache poisoning, DNS traffic capture. DNSSEC produces RRSIG records for each entry in the DNS database.
DNSSEC
Secure DNS. Each DNS record is digitally signed, creating an RRSIG record.
SD Card
Secure Data Card
SRTP
Secure RTP. TCP 5061
How to protect against someone stealing a device, reinstalling the OS then stealing data?
Secure the OS and encrypt the data with things like Bitlocker.
SAML
Security Assertion Mark-up Language. XML-based authentication.
SECaaS
Security as a Service. Where companies join a cloud and get the CSP to provide security services to them. Ex: Okta. IAM (Identity and Access Management) allows people to securely access applications anytime. Okta can provide secure web authentication into Google Apps.
What are "Security Controls"?
Security controls are things that can be done to mitigate attacks.
Third-party app stores
Security risk, could be phishing. No guarantee of quality.
Security Automation
Security tasks done via scripts/tasks. Ex: security scans every night.
Camera Systems
Segment and secure these
LAB 1 Build a Certificate Server on Windows Server 2016
Server Manager > (Add the "Active Directory Certificate Server" role) > Next a few times, then check the "CA" box > Next > Install. In Server Manager, go to the yellow triangle on the tool bar and click "Configure active directory certificate service". Select the "CA" box, select "Root CA", enter a name (EX: MyCA), etc. Server Manager > Tools > CA. Expand "MyCA" then "Issued Certificates" (which should be blank, as no certificates have been issued.)
LAB 3 Revoking the EFS certificate
Server Manager > Tools > Certificate Authority. Expand Issued Certificates and you should see an EFS certificate. Right-click the certificate and select "All Tasks" and revoke it.
Server side vs Client side
Server side (backend, input is sent to the server and then a response is sent back.) Client Side (frontend, no server required, running locally.) Client side is faster, but server side is more secure.
SIP
Session Initiation Protocol. Allows for VoIP/Video communications. Establishes the connection; allows features such as putting a caller on hold.
VPN Concentrator
Sets up the secure tunnel during the IKE phase. It needs to create a full IPSec tunnel. This is normally when you have a site-to-site VPN. Note: Firewalls at either side of a site-to-site VPN are known as VPN concentrators.
Baselining
Setting a standard configuration
What are the 3 modes of detection used by NIPS and NIDS?
Signature-based Anomaly-based Heuristic/behavioral-based
Control Diversity
Similar to the Defense in Depth model, have multiple controls in place so if one fails, another will stop the attack. Ex: Firewall AND IDS/IPS
HSM
Similar to a TPM chip, but it's removable.
Disassociation
Similar to a DDoS attack, every time you connect to an AP you are disconnected
Certificate Based Authentication
Smart Card (Credit card with a chip, this acts as a certificate) Common Access Card (CAC) (Government and military personnel card, similar to smart cards but has a picture and details on the card also) Personal Identity Verification (PIV) (Similar to CAC but is used by federal agencies instead of the military.)
Wearable technology
Smart watches, heart monitors, etc
Payment methods
Smartphones allow credit card info to be cached to make purchases easy. Careful when allowing this with BYOD, otherwise someone may keep the company credit card tied to a personal device. MDM may prevent this in the first place.
Ways to backup data
Snapshots (Virtual machines can take stateful snapshots to rollback to that state. Fastest method.) Network Location (Backups can be stored on a file share on a server in the network. Use RAID. Would likely be part of a SAN.) Backing up to tape (Magnetic tape to store data. Slowest method. Can be stored off-site.)
Coding: SDKs
Software Development Kits Set of development tools allowing for the creation of applications for a certain software package.
SDLC
Software Development Life Cycle Structure followed by software developers.
SaaS
Software as a Service Ex: Office 365, Goldmine, and Salesforce. You pay for cloud hosted software access. Applications that are hosted through a web server. (Salesforce shows sales forecasts over time, Goldmine is an SaaS package, and Office 365 is Office online)
Ransomware
Software that encrypts programs and data until a ransom is paid to remove it. Usually bitcoin is demanded. If you have to part with money, it's ransomware. Freeware that locks you out of your files unless you buy the full version is another subtle example of this.
(Stopping Attacks) Antivirus/advanced malware tools
Software that protects against malware
What is secure boot and attestation?
Some newer OSes (like Windows 10) can perform a secure boot at startup where the OS checks that all of the drivers have been signed. If not, the boot sequence fails. Attestation is where the integrity of the operation is also checked before booting up.
Authentication Options
Something you know (username/password/PIN/date of birth etc) Something you have (Key, key card, hardware token) Something you are (Biometric scanner; iris, fingerprint, palm, voice etc) Something you do (Swipe a card, signature etc) Somewhere you are (Location based policy)
SAN
Storage Area Network. Hardware device with a bunch of disks on its own network. Typically, normal servers connect to SAN FC (Fibre Channel) switches which then connect to SAN mass storage servers. Typically, SANs have Host Bus Adapters (HBAs)
PBKDF2
Stores passwords with a random salt and with the password hash using HMAC. It then iterates, which forces the regeneration of every password and prevents any rainbow attack.
What is the PC DNS cache?
Stores recently resolved names. If the cache is empty, it goes to the hosts file.
Coding: Stored Procedures
Storing code to execute manually when needed to prevent SQL injection attacks
Cipher modes
Stream Cipher (Encrypts plaintext by applying a cryptographic key and algorithm to each binary digit in a data stream. Easy to crack.) Block Cipher (Where a block of data is taken at a time and encrypted. For example, 128 bits of data may be encrypted at a time. Much faster than a stream cipher.)
SQL
Structured Query Language A language for accessing and manipulating databases. For example, you can have a website that displays data from a database. Use PHP or ASP since they are server-side scripting languages
Role-based access control
Subset of duties within a department. Not everyone in the department has the same permissions.
SCADA
Supervisory Control and Data Acquisition systems are automated control systems for industrial organizations
RFID
Susceptible to both physical and electronic attacks
Symmetric vs Asymmetric Encryption 1
Symmetric Encryption uses a block cipher, where blocks of data are encrypted at once. Asymmetric Encryption encrypts one bit at a time.
Symmetric Data Summary 1
Symmetric encryption only has one key, making encrypting large amounts of data faster. It needs DH, an asymmetric technique, to create a secure tunnel before it's used.
Symmetric Encryption Summary 1
Symmetric is much faster but less secure, as it uses a block cipher.
Immutable Systems
Systems composed of components that are always fully replaced, never upgraded.
2 token types
TOTP (Time-Based One-Time Password) Is like a token generator or authy, code changes periodically based on an algorithm. 2FA HOTP (HMAC-based One-Time Password) Is like the one time passwords given out to recover an account secured by google authenticator. One-time use password, but no time limit.
Spear Phishing
Targeted phishing. Carefully crafted to fool a specific person or organization.
What is Banner Grabbing?
Technique used to gain information about a server. Open ports can expose certain information.
Remote Access - use case
Telnet (Clear text) SSH (Secure SHell, secures commands sent) RDP (Windows remote desktop) RAS (Legacy remote modem access) VPN (Secure site-to-site or client-to-site communication)
TACACS Acronym
Terminal Access Controller Access-Control System Plus
What is Sandboxing?
Testing done in a VM before done in production.
Coding: Stress Testing
Testing how much load the application can take
SMS/MMS Short Message Service
Text messages. MMS (Multimedia Messaging Service) can be used to send messages with multimedia content
What is PKI?
The PKI provides the infrastructure for public and private keys. There is a certificate hierarchy, which is called the certificate authority (which manages, signs, issues, validates, and revokes certificates) A certificate is known as an X509 certificate.
Chain of custody
The documented and unbroken transfer of evidence
Key Escrow
The key escrow holds private keys for third parties and stores them in a HSM (Hardware Security Module)
What does it mean when a load balancer is set to "Affinity"?
The request is sent to the same web server based on the requester's IP address. One reason for this is maybe one region/country has limited bandwidth for other web servers in the server farm.
SAN Server Storage Explained
The servers that use SAN storage are diskless but use SAN storage as if they had disks installed. You need very fast connection speeds to prevent performance issues.
What is the Certificate Authority?
The ultimate certificate authority. It holds the master key (known as the root key), for signing all of the certificates that it gives the "Intermediary" which then in turn issues to the requester.
How does clustering work?
There is an active server and a passive (standby) server that poll each other. Clients send requests to the virtual IP, which the active server holds unless it goes down. The active server answers requests, and if the active goes down the passive server takes over. Just like HSRP, but with servers. Servers require a L2 connection to poll each other, just like HSRP. There is also clustering where both nodes are active in an active-active configuration. Both nodes need to have enough resources to act as a dual node should one fail. (This setup may be best with a load balancer)
Thin vs FAT Wireless Controllers
Thin controllers allow multiple WAPs to be controlled remotely by a single controller. Ideal in corporate environments where there are quite a few WAPs. A FAT controller is a standalone WAP that has its own DHCP pool, NAT etc. Similar to that used at home.
Tethering
This can be a security risk if done in the organization, may enable split tunneling. MDM can prevent.
DLP (Data Loss Prevention)
This can stop sensitive PII (Personally Identifiable Information) from inadvertently leaving the company. DLP can be configured on a server to prevent data from being copied to a USB. DLP can prevent data from being sent out in email format (using templates looking for regular expressions. Emails are scanned for a format (IE credit card numbers) and can be filtered accordingly).
RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
This is a hashing function. 128 up to 320 bit hashing function.
Session Layer
This is where you would create a session, such as logging in and out.
Presentation Layer
This layer formats data into character code such as unicode or ASCII. Encryption also takes place here.
Identifying mission-essential functions and critical systems
This must be done to determine what gets the most redundancy and attention.
Coding: Normalization
To reduce and eliminate data redundancy to make searching faster
What is Microsoft Baseline Security Analyzer (MBSA)?
Tool to determine vulnerabilities. Missing patches is something it would detect.
3DES
Triple DES 168 bits (56x3). The DES key is applied 3 times. Could be used for L2TP/IPSec VPNs, but weaker than AES.
TPM Chip
Trusted Platform Module A motherboard chip that stores encryption keys. When a system boots up, keys can be compared to make sure it hasn't been tampered with. If it has been tampered with, it locks itself up. The only way to access it is through the recovery keys (For example, if using Bitlocker it's a 48-character password)
Dictionary Attack
Trying every word in the dictionary as a password. Numbers/symbols thwart this.
What are the two types of IPsec modes?
Tunnel mode (IPsec session over the internet, as part of L2TP/IPsec tunnel) Transport mode (IPsec session over LAN, between client and server)
Counter Mode (CTR)
Turns a block cipher into a stream cipher. It generates the next key stream block by encrypting successive values of a counter rather than an IV.
Coding: Obfuscation/Camouflage
Turns lines of code into an obscure format so if stolen, it can't be understood.
Software Issues
Unauthorized Software (use application whitelists) Baseline Deviation (Make sure there is a baseline analyzer to detect when machines deviate) License Compliance violation (Make sure not to over-use licenses)
Common Security Issues
Unencrypted credentials and clear text Logs and event anomalies Permission Issues (too liberal) Access Violations Certificate Issues (When a new certificate is not working, make sure that the certificate is valid and then check that it's been added to the "Trusted Root Certification Authorities" folder so that the computers trust the certificate provider. Console Root > Certificates - Current User > Trusted Root Certification Authorities) Data Exfiltration (Steganography can be prevented with stateful firewalls) Asset Management (Theft. Get asset tags etc) Authentication Issues
UEFI
Unified Extensible Firmware Interface Modern BIOS, more secure. Needed for secure boot.
(Stopping Attacks) UTM
Unified Threat Management. A firewall that can also perform URL filtering, content filtering, and malware inspection.
Adware
Unwanted program that shows advertisements. Popup blockers can prevent in some cases.
What is a USN?
Updated Sequence Number. Every change made to AD increments a USN number, and is time stamped for when it happens. For example, change 23 made to AD would be USN 23, then change 24 would make it USN 24. Kerberos has each with a different update number and time stamp to prevent replay attacks.
TLS
Upgraded version of SSL used to encrypt communications. HTTPS is a common instance of it.
Offline CA
Used by military or secured environment where clearance and vetting must be completed before someone can be given a certificate. The CA is kept offline and locked up when not in use. It's only taken out to issue new certificates.
Software costs
Used to be buy once, large up-front sum, but now applications tend to be monthly subscription fees. Office 365 and Adobe Acrobat Pro are subscription costs.
Diffie Hellman
Used to create a secure tunnel before encrypted data can be transferred. DH is technically asymmetric as it uses public and private keys. It does not encrypt data, but its role is to create a secure session.
Code Signing Certificates
Used to digitally sign software so its authenticity is guaranteed
Computer/Machine Certificate
Used to identify a computer within a domain
Digital Signatures
Used to verify the integrity of an email so you know it hasn't been tampered with in transit. The private certificate used to sign the email creates a one-way hash function, and when it arrives at its destination, the recipient uses its public key to verify it hasn't been tampered with in transit
Digital Signature
Used to verify the integrity of an email. The email sent out is given a private certificate that the recipient has the public key for to be able to verify its integrity. (This is covered in depth later in the book)
Name the 8 account types (Important for the exam)
User Account Guest Account Sponsored Guest Account Privilege Account Administrative Account Service Account Shared Account Generic Accounts
TGT Session explained (for kerberos)
User sends credentials to AD, and AD returns a "Service Ticket" which lasts 10 hours. This ticket is encrypted.
S/MIME
Uses PKI (Public Key Infrastructure) to encrypt the email. Each user has to exchange their public key, so this option isn't very scalable.
ESP
Uses either: DES (64 bits), 3DES (168 bits), or AES (256 bits) for encryption, to assure confidentiality.
Symmetric Encryption
Uses one shared (private) key. The same key encrypts and decrypts the data. Dangerous if the key is stolen, an attacker gets the keys to the kingdom. Benefit of using symmetric encryption is that it's able to encrypt large amounts of data quickly.
Coding: Model Verification
Verify application has no bugs
What is hashing primarily for?
Verifying data integrity. Any change to the data affects the entire hash.
What is VDI?
Virtual Desktop Infrastructure When desktop environments are hosted on a central server that people then remote into for access. Terminal Servers being accessed by thin clients are an example of this.
Shoulder surfing
Watching someone use a computer to get sensitive information. Another example is watching someone use an ATM
Waterfall vs Agile
Waterfall required the previous step to be completed before you can move on. Agile is much more flexible and designed for faster development.
Cross-Site Request Forgery (CSRF or XSRF)
When a user clicks a link to a legitimate website where embedded programming is executed. Basically, when malware code gets into a legitimate website.
Rogue access point
When a user connects their own AP to a network unauthorized. This AP may not have strong security, and lets anyone on the line. 802.1X can prevent this.
(Stopping Attacks) WAF
Web Application Firewall Prevents attacks on web servers.
Order of Volatility attack examples
Web-based attack? Secure network captures. Computer attack? Secure CPU Cache, RAM, Swap/page file, and Hard Drive (in this order, more volatile)
Federation Services
When 2 companies want to authenticate between each other during a joint venture.
Asymmetric Encryption 2-way explained
When 2 parties want to communicate back and forth using asymmetric encryption, both sides have their own private key and share a public key with each other. That way the public key is used to encrypt data being sent over.
What is "Clustering"?
When 2 servers share the same storage; shared disk/database.
Active Directory and LDAP relationship
When Objects are created in AD with the GUI, LDAP stores those objects in a database in X500 format. If you need to find a user, perform a search and LDAP will find the entry in the database.
Diffie Hellman (DH)
When symmetric data is in transit, it is protected by Diffie Hellman, whose main purpose is to create a secure tunnel for symmetric data to pass through.
Split Tunneling
When a PC is allowed to simultaneously have a VPN tunnel session open while also using their home internet. Security risk.
Cloud Storage
When a cloud provider makes storage available to you. They take care of all backups etc. Ex: Google Drive, MediaFire, etc.
Steganography
When a file can be hidden inside another file. Ex: document can be embedded into an image file.
Taking Hashes
When a forensic copy of data is being analyzed, the data may be hashed at the beginning of the investigation. This way it's known if the data has been altered.
Change management
When a new technology is introduced and procedures and policies may change.
False Positive
When a non-threat is identified as a threat in error
Integer Overflow
When a number in code exceeds the maximum size of the integer type used to store it. This can lead to unexpected values being stored.
Buffer Overflow
When a program tries to store more data than it can hold in its allocated buffer (memory) allocation. This can cause the application to crash, data corruption, or allow malicious code to be executed.
Qualitative risk analysis
When a risk is evaluated as low medium or high risk.
False negative
When a threat is identified as a non-threat in error
Man-In-The-Browser Attack
When a trojan is used to intercept and manipulate communication between the browser and its security mechanism. Most common objective of this attack is to exploit online banking systems.
Escalation of privilege
When an attacker hacks for higher privileges
Domain Hijacking
When an attacker re-registers the domain of a well known company, copies the website and pretends to be them.
Typosquatting
When an attacker registers a website to a purposefully mistyped domain name. This can be used to catch others who accidentally mis-type the name.
Consensus
When an attacker uses social proof to get information. Example: an attacker may email someone asking for personal information saying they obtained it last week from another coworker and just need an update on it for them.
WPS attack
When an attacker uses the WPS button on a device to connect without a password
Privilege escalation
When an attacker wants to get more permissions than they're entitled to.
Pivot attack
When an attacker uses a computer inside a company to perform an attack
Account re-certification AND User account reviews
When an auditor reviews user accounts to determine if privileges are correct and inactive accounts removed. They report to management if any policies are violated.
Zero-day attack
When an exploit is just found and hasn't been fixed yet. Baselines of your computer are the only way to detect these.
Forensic copies
When analyzing data, make a copy of it first. That way, the data in its original state can be presented as evidence and is unaltered.
Watering Hole attack
When attackers target websites that people of a certain industry are likely to visit and infect them with a virus.
DNS Poisoning
When bad entries are put into a computer's DNS cache to take them to a fraudulent website. DNS Check Order: DNS cache, hosts file, DNS server.
Capturing System Images
When computers are being taken by police, a full image is kept of the system for analysis.
Hashing
When data inside a document is turned into a long text string (known as a hash value or message digest). SHA1 (Secure Hashing Algorithm version 1) and MD5 (Message Digest version 5) are hashing algorithms. If you have 2 files containing the same data, they will both produce the same hash value. The moment a file is edited, the hash value it would create is completely different. This is how hashing can be used to determine the integrity of a file- that it hasn't been tampered with. For the purpose of the exam, hashing is a one-way function and cannot be reversed. Note: Hashing is not encryption. It doesn't hide data, it only ensures that it hasn't been tampered with.
Coding: Race Condition
When data is accessed by different threads simultaneously. This should always be done sequentially.
Environment
When designing an application, a secure staging environment is needed for development/testing/staging before it's moved into production.
Christmas tree attack
When packets are sent with flags such as URG/PUSH/FIN to overload a network. These flags mean the packet should take priority over other packets.
Coding: Code reuse/dead code
When reusing code, make sure everything is being used. Otherwise unused code will pile up making larger than necessary executables etc.
Authority
When something like an email is sent out to employees from an authority telling them to do something. This is an attack, and they may be sending you to a phishing site to update information etc. People do it because nobody wants to defy the CEO.
Session Hijacking
When visiting websites, your browser stores your browsing information in a file called a cookie. If a hacker gets ahold of this, they can use that cookie. For example, websites where you don't have to login every time. If a hacker gets a hold of that cookie file, they can use it to get right in.
Hardware root of trust
When we use a certificate for FDE, they use a hardware root of trust that verifies that the keys match before the secure boot process takes place.
Diffusion
When you change one character of input which then changes multiple bits of the output.
Input validation
Where a program or webpage validates that the value you entered into a form is the correct format. Error is given if incorrect format detected. EX: zip code doesn't go where a phone number goes.
Strategic Intelligence/Counter intelligence gathering
Where different governments exchange data about cyber criminals so that they can work together to reduce threats
Hosts File
Where manual DNS entries can be inserted
PAT (Port Address Translation)
Where multiple internet requests are translated to the same public IP. The translating server keeps track of each session by assigning port numbers to the traffic.
Software Defined Network (SDN)
Where packets are routed through a controller rather than traditional routers, improving performance.
Man-In-The-Middle (MITM) Attack
Where the attacker gets between two hosts to intercept traffic. ARP poisoning, Gateway IP spoofing, Fake AP (evil twin), are all examples.
Quantitative risk analysis
Where you look at the high qualitative risks and give them a number value so you can associate them with a cost for the risk.
Hosted Services network environment
Where you pay a company to host the servers for you. Hosted services provider has full responsibility over your resources, including backup.
Wireless WPS
Wi-Fi Protected Setup. Press-button to access wireless, then simply connect a device without a password. Only supported by devices that support WPA Personal or WPA2 Personal.
(Stopping Attacks) Host-based firewall
Windows firewall
Ad hoc
Wireless connectivity between 2 devices without a WAP. Airdrop?
Peripherals Vulnerabilities
Wireless keyboard/mice (Not encrypted, can easily be intercepted by a wireless packet sniffer) Displays (Use display filters and do not have displays facing external windows) Wifi-enabled Micro-SD cards (Same vulnerabilities as wireless keyboards and mice) Printers/Multifunction Devices (MFDs, very vulnerable- data in the spooler or a scanned image may be stored on it that can be stolen) External Storage Device (Bitlocker-to-go can secure a drive, or use a self-encrypting device) Digital Cameras (Memory cards are easy to remove from the camera, they could have pictures of documents)
How accurate must computers time be to the domain controller?
Within 5 minutes
Coding: Proper Input Validation
Wizard or webpage controlled, verifies the input is in the correct format and rejects it if it's not.
Signature-based detection
Works on a database of known exploits. Update the exploit traffic pattern database often.
Directory Services hold accounts for users, groups, and objects such as printers in what format?
X500 Object format. (ITU, International Telecommunications Union formed this object format)
Is hashing a one-way function?
Yes (for this exam)
2 companies can exchange SAML so that an employee from company A can go to company B and log in with their email and password. Company B checks with Company A's domain controller to confirm correct credentials.
ACLs have an implicit deny rule.
How to change the group policy to prevent 12 previous passwords and have a limit of 5 password login attempts before lockout
gpedit.msc > Server Manager > Tools > Group Policy Management. Edit the Default Domain Policy. Computer Configuration > Windows Settings > Security Settings > Account Policy > Password Policy > Password History > (Set to 12) > OK > Minimum Password Age > (Set to 3 days) > OK > Press Password must meet complexity requirements > (Enable radio option) > OK > Go back to Account Lockout Policies > Account Lockout Threshold > (Set to 5) > OK.
Command to display DNS cache on a windows PC, then flush it
ipconfig /displaydns ipconfig /flushdns
Windows command to release IP address
ipconfig /release ipconfig /renew
Minimum number of characters
Salting and key stretching can help slow down brute force.