2) Security Part 1 Flashcards

1
Q

Mantrap

A

Physical Security:
One at a time, controlled groups
Small area with two doors, both cannot be open at once
May process while inside (ID)

All doors normally unlocked
Opening one door causes others to lock

Or all doors normally locked
Unlocking one door prevents others from being unlocked

2
Q

Badge Reader

A

RFID Badge, Magnetic Swipe Card

3
Q

Smart Card

A

Integrates with devices & ID Cards
May require a PIN
Creates a digital certificate
Used with multifactor authentication

Types:
PIV Card (Personal Identity Verification)
CAC Card (Common Access Card)

IEEE 802.1X
Gain access to network using a certificate
On-device storage or separate physical device

4
Q

Door Access Controls (Door Locks)

A

Conventional: Lock & Key or Deadbolt

Electronic: Keyless, PIN

Token-Based: RFID badge, magnetic swipe card, key fob

Biometric: Hand, fingers, retina, voiceprint
Usually a mathematical representation
Difficult to change

Often combined (multifactor)

5
Q

Hardware/Software Tokens

A

Hardware Tokens
Generate pseudo-random auth codes

Software Tokens
In the form of a mobile app (ex: Google Authenticator)
or SMS code sent to phone

6
Q

Cable Locks

A

Physical/Temporary Security
Connects your hardware to something solid
Works almost anywhere
Reinforced notch

Thin, can be cut, not for long-term

7
Q

Server Locks

A

Locking Cabinets
Data center hardware is often managed by different groups
Racks usually installed together
Keeps everything close, but protected
Maintains airflow

8
Q

USB Locks/Tokens

A

USB Lock
Prevents access to USB port
Secondary option after disabling interface in BIOS
(Defense in depth)

USB Token
Certificate/token is on USB Drive
Insert to gain access

9
Q

Privacy Screen

A

Privacy Screen/Filter
Extremely narrow angle of view
Prevents others from seeing screen

10
Q

Entry Control Roster

A

A roster used to record identities of those who access secured hardware.

Could be inside mantrap, or with security guard
(or both)

11
Q

Active Directory: Login Script

A

A script that can be run when a user logs in.

Can map a network drive, run software, check anti-virus, verify application updates, etc

12
Q

Active Directory: Group Policy/Updates

A

Defines specific policies

Ex: password complexity, login restrictions

13
Q

Active Directory: OUs

A

Organizational Units
AD Structure Units
Can be based on the company (departments, locations)

14
Q

Active Directory: Home Folder

A

Assign a network share as the user’s home

\\server1\users\kevin

15
Q

Active Directory: Folder Redirection

A

Instead of a local folder, redirects to server
Ex: Store Documents folder on \\server1
Access these files from anywhere

16
Q

MDM Policies

A

Mobile Device Management
Manage company-owned & user-owned mobile devices
BYOD (Bring Your Own Device)

Centralized management of mobile devices
Manage access control
Set policies on apps/data/camera/etc
Can control entire device, or a partition

17
Q

Port Security

A

Prevent unauthorized users from connecting to a switch interface (alert/disable the port)
Based on source MAC address

Each port has its own config
Can configure max MAC addresses on interface

18
Q

MAC Address Filtering

A

Whitelists/Blacklists MAC addresses allowed on network
Requires additional administration

Easy to circumvent; MAC addresses can be spoofed
“Overriding hardware MAC, spoofing existing MAC”

Security through obscurity

19
Q

Anti-Virus/Anti-Malware

A

Must keep signatures updated all the time, updates are essential. (Can be a scaling issue)

A centralized server can be very useful for this.
Large organizations require enterprise management.
Updates are tracked, pushed, confirmed, & managed

Mobile devices will require additional management

20
Q

Firewalls

A

Host-Based/Personal Firewall (Software-Based)
Many devices come equipped with their own firewall
Included in many OSs
Stops unauthorized network access (stateful)
Blocks traffic by application

Network-Based Firewalls
Filters traffic by port number
Modern firewalls can identify applications
Can encrypt inbound/outbound traffic (VPN Firewall)

Can proxy traffic (user sends request, firewall makes request, receives response, validates, sends to user)

Most firewalls can be layer 3 devices (routers)
Can provide routing & NAT for inside/outside of network

21
Q

User Authentication/Strong Passwords

A

Unique Identifier
Windows: SID (Security Identifier)
Credentials: Password/Authentication data
Profile: Info stored about user

Strong Passwords
Weak passwords are difficult to protect against
Prone to brute force
Passwords need complexity & constant refresh

22
Q

Multifactor Authentication

A

More than one factor
Something you are/have/know/do
Somewhere you are

23
Q

Directory Permissions

A

NTFS Permissions
Supports encryption, file permissions
Prevent accidental modification/deletion

24
Q

VPN

A

Virtual Private Network
Encrypts inbound/outbound data

Concentrator - Encryption/decryption access device
Hardware/software based

Common to use 3rd party apps

25
Q

DLP

A

Data Loss Prevention
Limitation of what kind of information is transferred across a network.
SSNs, Credit Cards, Medical Records
Protects against “data leakage”

26
Q

ACLs

A

Access Control Lists
Used to allow/deny traffic
Also used for NAT, QoS, etc
Switches, Routers, Firewalls

Criteria: Source/Destination IP, TCP/UDP Port, or particular protocol (ex: ICMP)

27
Q

Email Filtering

A

Identifies & stops any malicious/unsolicited emails.
Much filtering occurs in cloud nowadays.

Scan & block malicious software
EXEs, known vulnerabilities, phishing attempts

28
Q

Trusted/Untrusted Software Sources

A

CONSIDER THE SOURCE
Important to know where software is coming from

Trusted Sources
Internal apps, well-known publishers, digitally signed apps

Untrusted Sources
Apps from 3rd party sites, links from email, pop-up downloads

29
Q

Principle of Least Privilege

A

Rights & permissions should be set to bare minimum
You only get exactly what’s needed to complete your objective/task

All user accounts must be limited

Don’t allow users to run with admin privileges
Limits scope of malicious behavior

30
Q

WEP

A

Wired Equivalent Privacy
Significant vulnerabilities (never use)
IV (Initialization Vector) - Relatively small

31
Q

WPA

A

Wi-Fi Protected Access (2002)
A short-term bridge between WEP & successor
Ran on existing WEP hardware, but with better security

RC4 & TKIP (Temporal Key Integrity Protocol)
IV is larger & has encrypted hash
Every packet gets 128-bit encryption key

32
Q

WPA2

A

Wi-Fi Protected Access 2 (2004)
AES Encryption standard (replaced RC4)
Authentication & Access Control

CCMP (Counter Mode w/Cipher Block Chaining Message Authentication Code Protocol)
Replaced TKIP

Block cipher mode
Takes 128-bit key & 128-bit block size
Uses AES for data confidentiality

WPA2-Personal (WPA2-PSK)
Pre-Shared Key

WPA2-Enterprise (WPA2-802.1X)
Authenticates users individually
RADIUS/TACACS+

33
Q

TKIP

A

Temporal Key Integrity Protocol
Combines the secret root key with the IV

Adds sequence counter (prevents replay attacks)

Implements 64-bit message integrity check
Protects against tampering

Has its own set of vulnerabilities
Deprecated in 2012

34
Q

Authentication: RADIUS

A

Remote Authentication Dial-In User Service

One of the more common AAA protocols
Supports a wide variety of platforms/devices
Not just for dial-in

Centralized authentication for users
Routers/Switches/Firewalls
Server authentication
Remote VPN Access
802.1X Access

On most server OSs

35
Q

Authentication: TACACS+

A

Terminal Access Controller Access-Control System
Remote authentication protocol
Created to control access to dial-up lines to ARPANET

TACACS+ (Latest version)
More authentication requests & response codes