3.0 Implementation Flashcards
What is Remote Access ?
Remote access refers to the user’s device connecting over or through an intermediate network, usually a public Wide Area Network (WAN). It does not make a direct cabled or wireless connection to the network.
What is Internet Protocol Security (IPsec)?
Internet Protocol Security (IPsec) is a set of open, non-proprietary IETF standards for securing IP traffic as it travels across a network or the Internet. Because it works at layer 3, it protects any application protocol above it without changes to the application. It consists of two protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), plus the Internet Key Exchange (IKE) used to authenticate the peers and agree keys.
What does the Authentication Header (AH) protocol do, what value does it produce, and where does it put it?
The Authentication Header (AH) protocol computes a keyed hash (HMAC) over the packet, including the IP header, using a shared secret key known only to the communicating hosts, and places the result in the AH header as the Integrity Check Value (ICV). The receiver recomputes the HMAC and discards the packet if the value does not match, which gives integrity and origin authentication but no confidentiality. Header fields that legitimately change in transit (TTL, header checksum) are treated as zero when hashing; because the source and destination addresses are covered, AH does not survive NAT.
What is tunnel mode?
In tunnel mode IPsec protects the entire original IP packet (header and payload) and encapsulates it inside a new IP packet with a new outer header, so the original source and destination are hidden from anyone on the path. It is the mode used for site-to-site links between gateways and for remote-access VPNs across untrusted networks such as the Internet.
What port does DNSSEC use?
DNSSEC uses the same port 53 as ordinary DNS. Signed responses carry RRSIG and DNSKEY records and frequently exceed the classic 512-byte limit of a plain UDP DNS message, so resolvers advertise a larger UDP payload size with EDNS(0) and, when a response is still truncated, retry the query over TCP port 53. A firewall that only allows UDP 53 will therefore break DNSSEC validation; both UDP and TCP 53 must be permitted.
What are TCP and UDP port 88 used for?
TCP and UDP port 88 are used by Kerberos, the authentication protocol at the core of Microsoft Active Directory. It is a ticket-granting system: a client authenticates once to the Key Distribution Center and then presents time-limited tickets to services, which makes it well suited to single sign-on. Because tickets are time-sensitive, clocks must stay synchronized (Active Directory rejects tickets when skew exceeds five minutes).
What is port 389 used for?
Port 389 is used by the Lightweight Directory Access Protocol (LDAP), mainly over TCP (UDP 389 carries connectionless LDAP, which Active Directory clients use to locate domain controllers). LDAP is a network protocol used to query and update directory databases, which store information about authorized users and their privileges as well as other organizational information. Plain LDAP on 389 sends credentials in clear text unless StartTLS is negotiated; LDAPS on port 636 encrypts the whole session.
What is transport mode?
Transport mode protects only the payload of the original IP packet; the original IP header stays in place and is used for routing. It is an end-to-end implementation between hosts on a private network. AH in transport mode provides integrity and authentication, and ESP in transport mode provides confidentiality plus integrity and authentication, for internal secure communication. Because the original header is exposed, transport mode is mostly used inside private networks rather than across the Internet.
What is a cipher, and what is a cipher mode of operation?
A cipher is the algorithm used to encrypt and decrypt a message. A block cipher such as AES only transforms one fixed-size block at a time, so a cipher mode of operation describes how the cipher is applied to a message of many blocks. Electronic Code Book (ECB) is the simplest mode: each block is encrypted independently with the same key, which means identical plaintext blocks produce identical ciphertext blocks and patterns in the data leak through. ECB should not be used for anything longer than a single block.
What is counter mode?
Counter (CTR) mode is a cipher mode of operation that turns a block cipher into a stream cipher: the cipher encrypts a nonce concatenated with a block counter to produce a keystream, which is XORed with the plaintext. Blocks can be processed in parallel, no padding is needed, and identical plaintext blocks encrypt differently. The nonce must never be reused under the same key, or the keystreams repeat and the plaintexts can be recovered. Galois/Counter Mode (GCM) adds authentication on top of CTR and is the common choice in TLS and IPsec today.
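The following added example (written for this page, not code from the original flashcards) shows why the mode matters. It uses a toy 8-byte Feistel block cipher built from SHA-256 as a stand-in for AES (an assumption made so the example runs with the standard library only), and applies it in ECB and in CTR mode to a message made of four identical blocks. ECB reproduces the repetition in the ciphertext; CTR does not, and both modes decrypt correctly.

```python
import hashlib

BLOCK = 8     # toy block size in bytes (AES uses 16); each half is 4 bytes
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of one half, truncated to a half-block.
    # Stand-in block cipher for illustration only, NOT a real cipher such as AES.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    # Runs the rounds backwards; a Feistel network is invertible by construction.
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted independently with the same key, so equal
    # plaintext blocks always give equal ciphertext blocks.
    assert len(data) % BLOCK == 0, "ECB needs the message padded to whole blocks"
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(block_decrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR: encrypt (nonce || counter) to get a keystream block and XOR it with the data.
    # Encryption and decryption are the same operation and no padding is needed.
    # The nonce must never repeat under one key, or two messages share a keystream.
    assert len(nonce) == BLOCK // 2, "nonce fills the first half of the counter block"
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(4, "big"))
        chunk = data[i:i + BLOCK]
        out += _xor(chunk, keystream[: len(chunk)])
    return bytes(out)


def compare_modes(key: bytes = b"flashcard-key", nonce: bytes = b"\x00\x01\x02\x03") -> dict:
    # Constructed input: one 8-byte block repeated four times, as a record with
    # repeated fields or an image with a flat background would contain.
    plaintext = b"ATTACK!!" * 4
    ecb_ct = ecb_encrypt(key, plaintext)
    ctr_ct = ctr_crypt(key, nonce, plaintext)

    def distinct_blocks(ct: bytes) -> int:
        return len({ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)})

    return {
        "ecb_distinct_blocks": distinct_blocks(ecb_ct),   # 1: the repetition leaks through
        "ctr_distinct_blocks": distinct_blocks(ctr_ct),   # 4: every block looks different
        "ecb_roundtrip": ecb_decrypt(key, ecb_ct) == plaintext,
        "ctr_roundtrip": ctr_crypt(key, nonce, ctr_ct) == plaintext,
    }
```

Swap the toy cipher for AES from a real library in practice; the mode logic is unchanged, and the ECB leak is exactly what the well-known "ECB penguin" image demonstrates.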
What is Secure Shell (SSH)?
What are its two main uses?
What port does it use?
Secure Shell (SSH) is the principal means of obtaining secure remote access to a UNIX or Linux server (an SSH client and server also ship with current Windows versions). Its two main uses are remote command-line administration and secure file transfer (SFTP, and SCP). It runs on TCP port 22 and authenticates the server with a host key and the user with a password or, preferably, a key pair.
It can also provide VPN-like access by port forwarding (tunneling other protocols through the SSH connection).
What is Telnet?
Telnet (TCP port 23) is terminal emulation software that supports a remote command-line connection to another computer. It does not support file transfer directly, and it sends credentials and the whole session in plaintext, so it should be replaced by SSH wherever possible.
What is Remote Desktop Protocol (RDP)?
Remote Desktop Protocol (RDP) is Microsoft's protocol for operating remote graphical connections to a Windows machine. It listens on TCP port 3389 (newer versions also use UDP 3389). Exposing RDP directly to the Internet is a common cause of compromise; it should sit behind a VPN or remote desktop gateway and use network level authentication.
What is a Virtual Private Network (VPN) used for?
A Virtual Private Network (VPN) connects a remote user or site to a private network across an intermediate public network, making the remote device appear to be on the internal network. This is what a user needs when they must reach the network as a whole; when the user only needs to connect to a single host, for example to complete a file transfer, a single-host tool such as SSH/SFTP is sufficient and exposes less.
What is Secure/Multipurpose Internet Mail Extensions (S/MIME)?
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a widely accepted standard for sending digitally signed and encrypted email. The sender signs a message with their private key, proving origin and integrity, and encrypts it with the recipient's public key, so both parties need X.509 certificates.
What is a characteristic of the Session Initiation Protocol (SIP)?
The Session Initiation Protocol (SIP) is one of the most widely used session control protocols for voice and video over IP. It sets up, modifies and tears down calls (signaling); the media itself travels separately over RTP, or SRTP when encrypted.
Security actions to consider when deploying a new web server?
- The guest (anonymous) account must be restricted so that it cannot be used to modify any data on the server.
- A secure means of uploading files and configuration changes must be used, such as Secure Shell (SSH/SFTP), rather than FTP or Telnet.
- Web servers should be deployed from hardened configuration templates where possible. This helps the administrator harden the system consistently and avoid leaving default settings behind.
- The location of the server should be chosen so that the private network is not exposed to attack from the public. This is achieved by placing the server in a screened subnet (DMZ) with a firewall between the web server and the local network.
How can Transport Layer Security (TLS) be used to provide encrypted communication for services?
File transfer services can use the Transport Layer Security (TLS) protocol to encrypt communication, as in File Transfer Protocol Secure (FTPS), where a TLS tunnel is negotiated before any FTP commands are exchanged.
Directory services can encrypt traffic using Lightweight Directory Access Protocol Secure (LDAPS), so that credentials are encrypted in transit to a directory service such as Windows Active Directory.
Web services use TLS (HTTPS) to encrypt traffic between users and, for example, a bank's web site. The latest version, TLS 1.3, was approved in 2018 (RFC 8446); TLS 1.0 and 1.1 have since been deprecated and should be disabled.
What is Network Time Security (NTS)?
What does it secure?
How does it do it?
Network Time Security (NTS, RFC 8915) is the long-awaited solution for securing the Network Time Protocol (NTP). It protects NTP against forged or altered time responses, which matter because Kerberos, certificate validation and log correlation all depend on accurate time. The client first connects to the server over TLS (the NTS key establishment phase, on TCP port 4460) to authenticate it and obtain keys and cookies; subsequent NTP packets then carry authenticated extension fields so the client can verify that each response is genuine and untampered. NTS authenticates time data rather than hiding it.
What is Secure real-time transport protocol (SRTP)?
Secure real-time transport protocol (SRTP) encrypts actual real-time data, like voice and video. It provides confidentiality for the actual call data.
What does the Session initiation protocol (SIP) do?
Session initiation protocol (SIP) provides session management features between SIP endpoints and/or gateways.
What is Quality of service (QoS)?
Quality of service (QoS) provides information about the connection to a QoS system, which in turn ensures that voice or video communications are free from problems, such as dropped packets, delay, or jitter.
What is the Encapsulating Security Payload (ESP) protocol?
The Encapsulating Security Payload (ESP) protocol provides confidentiality and, optionally, integrity and authentication. It encrypts the data payload (in tunnel mode, the whole inner packet) and can append its own Integrity Check Value computed over the ESP header and ciphertext. Unlike AH it does not cover the outer IP header, which is why ESP works through NAT (using NAT traversal on UDP port 4500).
ESP is part of Internet Protocol Security (IPsec) and operates at layer 3 of the Open Systems Interconnection (OSI) model.
What does Simple Network Management Protocol (SNMP) v3 support?
Simple Network Management Protocol (SNMP) v3 supports encryption (privacy) and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames, their authentication and privacy keys, and access permissions; the authPriv security level should be used. SNMP agents listen on UDP port 161 and send traps to UDP port 162.
What does SNMPv1 use?
SNMPv1 uses community names that are sent in plaintext. They act as a shared password, so they should not be transmitted over the network if there is any risk they could be intercepted, and the defaults ("public" and "private") must be changed.
What does SNMPv2c use?
SNMPv2c also uses community names sent in plaintext and should not be transmitted over the network if there is any risk of interception. Like SNMPv1, it does not support strong user-based authentication or encryption; it only added bulk retrieval and better error handling.
what is the Management Information Base (MIB)?
Where does it run?
Management Information Base (MIB) is the database that the SNMP agent uses. The agent is a process that runs on a switch, router, server, or SNMP compatible network device
What port does the Lightweight Directory Access Protocol Secure (LDAPS) use?
Lightweight Directory Access Protocol Secure (LDAPS) uses port 636 to set up a secure channel to a directory service using a digital certificate.
What port does the Hypertext Transfer Protocol Secure (HTTPS) use?
Hypertext Transfer Protocol Secure (HTTPS) uses port 443 to connect clients to a web server or service, authenticating the server with a digital certificate. HTTPS is HTTP carried inside a Transport Layer Security (TLS, formerly SSL) tunnel.
What is fingerprinting?
Fingerprinting uses a port scanner such as Nmap to identify a device from how it responds, for example revealing the presence of a router and which dynamic routing and management protocols (and versions) it is running. The result tells an attacker which known weaknesses to try.
What is route injection?
Route injection is the insertion of false routes into a routing protocol by an attacker or a misconfigured device. Traffic is then misdirected to a monitoring port (sniffing), sent to a black hole (a non-existent address), or continuously looped around the network, causing a denial of service. Routing protocol authentication and filtering of route advertisements are the defenses.
What is Trivial File Transfer Protocol (TFTP)?
Trivial File Transfer Protocol (TFTP) is a connectionless protocol (UDP port 69) that provides simple file transfer services without guaranteed delivery, authentication or encryption. It is typically used to load configurations and boot images onto network devices and should only be reachable from a management network.
Explain Explicit FTP over SSL (FTPES).
What command does it use?
What does it do?
What is it preferred over?
What port does it use?
Explicit FTP over SSL (FTPES) uses the AUTH TLS command to upgrade an unsecured control connection established on port 21 to a secure one. The SSL/TLS tunnel is negotiated explicitly after the client connects, and this mode is preferred over implicit FTPS because it uses the standard FTP port and is what current clients and RFC 4217 support.
What is File Transfer Protocol over SSL (FTPS)? What port does it use?
File Transfer Protocol over SSL (FTPS) in implicit mode negotiates a Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel before any File Transfer Protocol (FTP) commands are exchanged. This mode uses the dedicated secure port 990 for the control connection (and 989 for data). In both modes the data connections must also be protected (the PROT P command), or file contents still travel in the clear.
What does Provisioning single sign on (SSO) access on a feed do?
Provisioning single sign on (SSO) access on the feed will provide access to logged in users as soon as the feed is configured on their email application or Intranet portal.
What is Configuring Really Simple Syndication (RSS) feeds?
Configuring Really Simple Syndication (RSS) feeds is the first step to starting a subscription. RSS feeds push updated articles or news items to the client or browser.
Name three IPsec building blocks that provide IP header integrity and an encrypted data payload.
- Authentication Header (AH): computes an HMAC over the whole packet, including the IP header, using the shared secret key, and carries it in the AH header as the Integrity Check Value (ICV). This gives header and payload integrity and origin authentication, but no encryption.
- Encapsulating Security Payload (ESP): encrypts the data payload and can add its own ICV, giving confidentiality plus integrity and authentication of the payload.
- Transport mode (versus tunnel mode): the way AH and ESP are applied. Transport mode secures communication end to end between hosts on a private network and keeps the original header; tunnel mode wraps the whole original packet in a new one. Running ESP together with AH, or ESP with its integrity option, provides confidentiality, integrity and authentication for internal secure communication.
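As an added illustration of the AH and ESP cards above (this is example code written for this page, not part of the IPsec standards or any real implementation): AH computes an HMAC over a sample IPv4 header and payload with the mutable fields zeroed, so a router decrementing the TTL does not break verification but a rewritten destination address or payload does; ESP encrypts the payload and authenticates only the ciphertext. The packet layout is a constructed minimal header, the AH header fields themselves are omitted, and an HMAC-SHA-256 counter keystream stands in for a real ESP cipher; all of these are assumptions for a self-contained example.

```python
import hashlib
import hmac
import struct


def ipv4_header(src: bytes, dst: bytes, ttl: int, payload_len: int, proto: int = 6) -> bytes:
    # Minimal RFC 791 header: ver/IHL, TOS, total length, ID, flags/frag, TTL, proto,
    # checksum, src, dst. Checksum stays 0 because AH treats it as zero anyway (constructed sample).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)


def zero_mutable_fields(header: bytes) -> bytes:
    # RFC 4302: fields that legitimately change in transit are treated as zero for the ICV:
    # DSCP/ECN (byte 1), flags + fragment offset (bytes 6-7), TTL (byte 8), checksum (bytes 10-11).
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    # HMAC-SHA-256-128 (RFC 4868): full HMAC over header + payload, truncated to 128 bits.
    # The AH header itself (SPI, sequence number, zeroed ICV field) is omitted for brevity.
    return hmac.new(key, zero_mutable_fields(header) + payload, hashlib.sha256).digest()[:16]


def ah_verify(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA-256 used as a PRF (stand-in for AES-CTR/GCM).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_protect(enc_key: bytes, auth_key: bytes, iv: bytes, payload: bytes):
    # ESP encrypts only the payload, then computes the ICV over IV + ciphertext
    # (encrypt-then-MAC). The outer IP header is not covered, so NAT may rewrite it.
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, iv, len(payload))))
    icv = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()[:16]
    return ct, icv


def esp_unprotect(enc_key: bytes, auth_key: bytes, iv: bytes, ct: bytes, icv: bytes):
    # Verify before decrypting, and return None rather than plaintext on a bad ICV.
    expected = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, icv):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, iv, len(ct))))


def ipsec_demo() -> dict:
    key = b"shared-secret-known-only-to-both-hosts"      # constructed
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"GET /status HTTP/1.0\r\n\r\n"
    hdr = ipv4_header(src, dst, ttl=64, payload_len=len(payload))
    icv = ah_icv(key, hdr, payload)

    hdr_after_hop = ipv4_header(src, dst, ttl=63, payload_len=len(payload))             # a router decremented TTL
    hdr_rerouted = ipv4_header(src, bytes([10, 0, 0, 9]), ttl=64, payload_len=len(payload))  # attacker changed dst
    tampered = payload.replace(b"status", b"secret")                                     # same length, new content

    iv = b"\x11" * 8
    enc_key, auth_key = key + b"-enc", key + b"-auth"
    ct, esp_icv = esp_protect(enc_key, auth_key, iv, payload)
    flipped = bytes([ct[0] ^ 0x01]) + ct[1:]                                             # one bit flipped in transit
    return {
        "ah_original": ah_verify(key, hdr, payload, icv),
        "ah_ttl_decremented": ah_verify(key, hdr_after_hop, payload, icv),
        "ah_dst_rewritten": ah_verify(key, hdr_rerouted, payload, icv),
        "ah_payload_tampered": ah_verify(key, hdr, tampered, icv),
        "esp_roundtrip": esp_unprotect(enc_key, auth_key, iv, ct, esp_icv) == payload,
        "esp_bit_flipped": esp_unprotect(enc_key, auth_key, iv, flipped, esp_icv),
        "esp_hides_payload": payload not in ct,
    }
```

The two verify paths use `hmac.compare_digest` so that a wrong ICV takes the same time to reject regardless of where the first differing byte is.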
What is the primary difference between TLS 1.1 and TLS 1.2?
Transport Layer Security (TLS) 1.2 added support for the Secure Hash Algorithm SHA-256 (a hash function, not a cipher), replacing the MD5/SHA-1 based pseudorandom function of TLS 1.1 and letting cipher suites specify stronger hashes. It also introduced authenticated encryption (AEAD) cipher suites such as AES-GCM. Those are the primary differences; both versions are now superseded by TLS 1.3, and TLS 1.1 is deprecated.
What does a whitelist (allow list) do?
Execution control to prevent the use of unauthorized software can be implemented as a whitelist, now usually called an allow list. Nothing can run unless it is on the approved list (identified by hash, signature or path), so unknown software is blocked by default. It is the stronger control but needs ongoing maintenance as software is updated.
What does a blacklist (deny list) do?
A blacklist, or deny list, is the other method of blocking applications. Anything not on the prohibited list is allowed to run, so it only stops software that is already known to be bad and is easily bypassed by renaming or recompiling.
What is application hardening?
Application hardening is the process of securing an application with settings like changing the default port of service or removing default administrative accounts.
What is a trusted, or measured, boot process?
A trusted, or measured, boot process uses the Trusted Platform Module (TPM) at each stage of the boot process: each component hashes (measures) the next one before handing over control and extends the result into the TPM's Platform Configuration Registers (PCRs). The final PCR values depend on every stage, so an attestation process can later compare them (or a TPM-signed quote of them) against known-good values to verify that the firmware, boot loader and kernel have not been tampered with.
What is a Host Intrusion Prevention System (HIPS)?
A Host Intrusion Prevention System (HIPS) is software installed on the host that detects threats based on signature values, heuristic behaviors and security policies, and actively responds to them rather than only alerting.
For example, if connections from an unknown IP range attempt to reach a server, the HIPS on that server can block the connections itself, without relying on a network device.
What are secure cookies?
Secure cookies help prevent the session hijacking and data exposure that unprotected cookies allow. The server sets them with a Set-Cookie header carrying the Secure attribute, so the browser only sends the cookie over HTTPS; in practice a session cookie should also carry HttpOnly (not readable by script, limiting the impact of XSS) and SameSite (not sent on cross-site requests, limiting CSRF).
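An added example for the secure-cookie card (written for this page; the cookie name, values and rules are assumptions, not taken from any application): one function builds a hardened Set-Cookie value with Python's standard `http.cookies` module, and an audit function parses Set-Cookie values seen in a response and lists the attributes a reviewer would flag as missing, including the browser-enforced rules for the `__Host-` prefix.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Optional


def session_cookie_header(name: str = "__Host-session", value: Optional[str] = None) -> str:
    # Build a Set-Cookie value with the attributes that harden a session cookie:
    # Secure (HTTPS only), HttpOnly (no document.cookie access), SameSite (limits CSRF),
    # Path=/ and no Domain (both required by the __Host- prefix, which browsers enforce).
    cookie = SimpleCookie()
    cookie[name] = value or secrets.token_urlsafe(32)     # random, unguessable session id
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "Strict"
    cookie[name]["path"] = "/"
    return cookie.output(header="").strip()


def parse_set_cookie(header_value: str) -> Dict[str, Optional[str]]:
    # Split "name=value; Attr; Attr=val" into a lower-cased attribute map;
    # the cookie name is kept under "__name__".
    parts = [p.strip() for p in header_value.split(";")]
    name_value, attrs = parts[0], parts[1:]
    result: Dict[str, Optional[str]] = {"__name__": name_value.split("=", 1)[0]}
    for attr in attrs:
        key, _, val = attr.partition("=")
        result[key.strip().lower()] = val.strip() if val else None
    return result


def audit_set_cookie(header_value: str) -> List[str]:
    # Return the findings a reviewer would raise for a session cookie.
    c = parse_set_cookie(header_value)
    findings = []
    if "secure" not in c:
        findings.append("missing Secure: cookie will also be sent over plain HTTP")
    if "httponly" not in c:
        findings.append("missing HttpOnly: readable by injected script (XSS)")
    if (c.get("samesite") or "").lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax: cookie rides along on cross-site requests (CSRF)")
    if c["__name__"].startswith("__Host-") and (
            "secure" not in c or c.get("path") != "/" or "domain" in c):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain; browsers reject it otherwise")
    return findings
```

Run `audit_set_cookie` over the Set-Cookie headers captured from a test login; a hardened cookie returns an empty list, and a legacy `session=...; Path=/` cookie returns three findings.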
What is an endpoint detection and response (EDR) product?
An endpoint detection and response (EDR) product provides real-time and historical visibility into the compromise, contains the malware, and facilitates remediation of the host to its original state.
What is Unified Extensible Firmware Interface (UEFI)? What does it do?
What is it a replacement for?
Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer’s firmware to its operating system. UEFI is the replacement for Basic Input/Output System (BIOS) and has many advancements to include provisions for secure booting.
What is The Basic Input/Output System (BIOS)
The Basic Input/Output System (BIOS) is firmware used to manipulate settings on a system. It provides basic instructions on how a system should start up. It does not support secure boot.
What is a hardware root of trust?
A hardware root of trust is a known-secure starting point for the boot and attestation process, provided by a component such as a TPM with a private key embedded in hardware at manufacture. The private key never leaves the chip; the corresponding public key (with its certificate) lets other parties verify what the chip signs, and every later measurement is trusted only because it chains back to this component.
What is attestation?
Attestation is the process of checking and validating the state of system files and components recorded during the boot process: the TPM signs the measured values (PCRs) together with a fresh nonce from the verifier, who compares them against known-good values. It is a platform integrity concept, not part of Secure DevOps.
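As an added example tying together the measured boot, hardware root of trust and attestation cards above (example code written for this page, not a TPM implementation): each boot stage is hashed and extended into a simulated PCR, a verifier replays the event log and checks a quote over the PCR value and a nonce, and a swapped boot loader is caught. The boot images are constructed byte strings, and an HMAC with a key shared with the verifier stands in for the TPM's asymmetric attestation key; both are assumptions made to keep the example self-contained.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)    # PCRs are all-zero after a platform reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM extend: PCR_new = SHA-256(PCR_old || measurement). A PCR can only be extended,
    # never written, so its final value depends on every stage and on their order.
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(stages):
    # Each stage measures (hashes) the next component before passing control to it,
    # extending the PCR and appending an entry to the event log.
    pcr = PCR_INIT
    event_log = []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        pcr = pcr_extend(pcr, digest)
        event_log.append((name, digest))
    return pcr, event_log


def replay_event_log(event_log) -> bytes:
    # The verifier recomputes the PCR from the log; the log is trusted only if the
    # result matches the value the TPM quoted.
    pcr = PCR_INIT
    for _name, digest in event_log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def tpm_quote(attestation_key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    # Attestation: the TPM signs the PCR value plus the verifier's fresh nonce (anti-replay).
    # Real TPMs sign with an asymmetric attestation key whose public half is certified;
    # an HMAC stands in here (assumption for a self-contained example).
    return hmac.new(attestation_key, pcr + nonce, hashlib.sha256).digest()


def verify_quote(attestation_key: bytes, expected_pcr: bytes, nonce: bytes, quote: bytes) -> bool:
    return hmac.compare_digest(tpm_quote(attestation_key, expected_pcr, nonce), quote)


def attestation_demo() -> dict:
    # Constructed boot chain; real components are firmware, boot loader and kernel images.
    golden = [("firmware", b"UEFI v2.8"), ("bootloader", b"shim+grub 2.06"), ("kernel", b"vmlinuz-6.1")]
    tampered = [("firmware", b"UEFI v2.8"), ("bootloader", b"bootkit"), ("kernel", b"vmlinuz-6.1")]
    ak = b"attestation-key"                             # constructed
    golden_pcr, golden_log = measured_boot(golden)      # recorded once on a known-good machine
    boot_pcr, boot_log = measured_boot(tampered)        # what the suspect machine reports
    nonce = b"verifier-nonce-1"
    return {
        "golden_matches_replay": replay_event_log(golden_log) == golden_pcr,
        "tampered_pcr_differs": boot_pcr != golden_pcr,
        "tampered_stage": next(n for (n, d), (_, g) in zip(boot_log, golden_log) if d != g),
        "quote_ok_for_golden": verify_quote(ak, golden_pcr, nonce, tpm_quote(ak, golden_pcr, nonce)),
        "quote_fails_for_tampered": verify_quote(ak, golden_pcr, nonce, tpm_quote(ak, boot_pcr, nonce)),
        "replayed_quote_fails": verify_quote(ak, golden_pcr, b"verifier-nonce-2", tpm_quote(ak, golden_pcr, nonce)),
    }
```

Because the event log is replayed and compared with the quoted PCR, the verifier can tell not just that something changed but which stage changed; the nonce check shows why a recorded "good" quote cannot simply be replayed later.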
How can a Data Loss Prevention (DLP) system allow the use of only certain USB drives?
Identifying information such as a vendor ID, product ID or device instance ID can be added to the "excluded drives" definition of the USB-blocking rule. Doing so blocks all removable drives except the ones with the specified USB IDs.
What does removing the rule that blocks USB drives do?
Removing the rule that blocks USB drives allows the use of all USB drives. The goal is to allow specific, approved USB drives, not to allow every USB drive, so removing the rule is the wrong approach.
What is a Host Intrusion Detection System (HIDS)?
A Host Intrusion Detection System (HIDS) is software installed on the host system. It can log intrusion attempts and notify administrators or users, but it takes no active response such as denying or blocking. It can detect attacks on the host, for example by monitoring logs and the integrity of critical files.
What is a Network Intrusion Detection System (NIDS)?
A Network Intrusion Detection System (NIDS) is an appliance or sensor at the network level that watches a copy of the traffic (from a mirror port or tap) and raises alerts. It is passive and non-intrusive: it cannot drop traffic, so its logs show attacks that may already have reached the target.
What is a Network Intrusion Prevention System (NIPS)?
A Network Intrusion Prevention System (NIPS) is like a NIDS but sits inline in the traffic path and uses intrusive means, such as dropping packets or resetting connections, to protect the network. Because it is inline, a false positive blocks legitimate traffic and a failure can take the link down.
What is a Hardware Security Module (HSM)? What does it do?
A Hardware Security Module (HSM) is a tamper-resistant device used to generate, store and use cryptographic keys so that the private keys never leave the hardware. It comes as a network appliance, a PCIe card or a USB token and can be added to an existing system.
As a network appliance an HSM can provide centralized key management for a PKI, holding the certificate authority's signing keys and acting as a key archive or escrow in case of loss or damage.
What is a Secure Sockets Layer (SSL) decryptor?
Where would it be placed?
A Secure Sockets Layer (SSL) decryptor (TLS inspection appliance) terminates encrypted connections, inspects the decrypted traffic for malicious content and data exfiltration, and re-encrypts it, providing protection from threats that would otherwise hide inside secure connections. Clients must trust the certificate it uses to re-sign sites.
It is placed inline at the network edge, typically in the demilitarized zone (screened subnet), where it can see traffic between the internal network and the Internet.
What is sandboxing?
What is the first step in system hardening?
Sandboxing is placing a system or application in an isolated environment where it can run, be tested or be developed without affecting production systems. Separately, the first line of security in hardening a system is disabling or changing default configurations, such as default usernames and passwords.
What is Code signing
Code signing verifies application code has not been modified by the use of digital signatures. The certificate provided with the signature identifies the author of the application and the code’s authenticity.
What is an immutable system?
An immutable system is one that is never modified in place after deployment. A secure image is built and tested in a controlled DevOps environment, and any change is made by building, testing and deploying a new image rather than patching the running system, which makes configuration drift and unauthorized changes easy to spot.
What does security automation do?
As new code is introduced to an application, security testing is important to check for bugs and vulnerabilities. Automating security testing (static analysis, dependency scanning, dynamic tests) in the DevOps pipeline runs those checks on every change, so defects are caught before they reach production systems.
What does tokenization mean?
What is stored with the token?
Where is it stored?
Tokenization means that all or part of the data in a field (such as a card number) is replaced with a randomly generated token. The token is stored together with the original value on a token server or token vault that is separate from the production database, so a breach of the production database yields only tokens; only the vault can map a token back to the original value.
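An added example for the tokenization card (example code written for this page, not any vendor's tokenization service): a small token vault that replaces a card number with a random token of the same length, keeping the last four digits, stores the mapping separately from the order record, and maps the token back on request. The in-memory dictionary standing in for the vault, the test card number 4111 1111 1111 1111 and the order record are constructed for the example; the Luhn check included at the end is what a scanner uses to spot raw card numbers that should have been tokenized.

```python
import re
import secrets
from typing import Dict, Optional


class TokenVault:
    # The vault holds token -> original value and runs as a separate, tightly controlled
    # service; the production database stores only the token.
    # Assumption for this example: an in-memory dict stands in for the vault's store.
    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if digits in self._by_value:        # same card -> same token, so records still join
            return self._by_value[digits]
        while True:
            # Random digits, keeping the last four so staff can still recognize the card.
            token = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4)) + digits[-4:]
            if token != digits and token not in self._by_token:
                break
        self._by_token[token] = digits
        self._by_value[digits] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        # Only the vault can reverse a token; callers must be authorized to reach it.
        return self._by_token.get(token)


def luhn_valid(number: str) -> bool:
    # Luhn checksum: real card numbers pass it, which is how DLP scanners find leaked PANs.
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def store_order(vault: TokenVault, pan: str, amount: int) -> dict:
    # What the production database actually keeps: the token, never the card number.
    return {"card_token": vault.tokenize(pan), "amount": amount}


def tokenization_demo() -> dict:
    vault = TokenVault()
    pan = "4111 1111 1111 1111"          # well-known test card number, not a real account
    order = store_order(vault, pan, 4200)
    token = order["card_token"]
    return {
        "pan_is_luhn_valid": luhn_valid("4111111111111111"),
        "token_differs": token != "4111111111111111",
        "token_length_preserved": len(token) == 16,
        "last_four_preserved": token.endswith("1111"),
        "pan_absent_from_record": "4111111111111111" not in str(order),
        "detokenize_roundtrip": vault.detokenize(token) == "4111111111111111",
        "same_pan_same_token": vault.tokenize(pan) == token,
        "unknown_token": vault.detokenize("not-a-token"),
    }
```

Unlike hashing, tokenization is reversible by design, but only through the vault; unlike encryption, the token carries no mathematical relationship to the original value, so there is no key that could decrypt it.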
What does hashing do?
Hashing produces a fixed-length string (the digest) from arbitrary-length data using an algorithm such as the Secure Hash Algorithm (SHA-256). It is one-way: the original data cannot be recovered from the digest, which makes it suitable for integrity checks, digital signatures and password storage (with a salt and a slow, purpose-built algorithm for passwords).
How does full disk encryption (FDE) work? What is an example of an FDE tool?
Full disk encryption (FDE) encrypts the entire volume, including the operating system, and commonly uses a trusted platform module (TPM) to store the key that decrypts or unlocks the disk, releasing it only when the measured boot state matches. Windows BitLocker is an example of an FDE tool; for protection while the machine is powered on, a PIN or password in addition to the TPM is recommended.
What is fuzzing?
Fuzzing is a dynamic analysis technique that tests code as it runs. A fuzzer feeds the program large volumes of random, malformed or unexpected input and watches for crashes, hangs or memory errors that reveal code vulnerabilities such as buffer overflows and unhandled exceptions.
What does a static code analyzer do?
A static code analyzer examines source code for quality problems and security defects without executing it. It can run continuously during development (for example in the build pipeline) for ongoing quality checks, or once the code reaches its finalization stages.
What is Stress testing?
Stress testing attempts to simulate a production environment and focuses on the objective and threshold that an application can handle while maintaining performance.
What is Dynamic analysis? What is a common technique?
Dynamic analysis inspects code as it is running for code quality and vulnerabilities. Fuzzing is a common technique used.
What is Model verification?
Model verification is the process of ensuring software meets its intended purpose and specifications.
What is a self-encrypting drive (SED)?
A self-encrypting drive (SED) includes both the hardware and the firmware to encrypt all data written to the drive, transparently and without load on the host CPU. The media encryption key is stored securely within the drive and is itself protected by a credential that must be entered before the drive will decrypt data.
What is Electromagnetic interference (EMI)? How Can it be avoided?
Electromagnetic interference (EMI) are radio frequencies emitted by external sources, such as power lines that disturb signals. EMI can be avoided by the use of shielding.
What is The Trusted Platform Module (TPM)?
The Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system and provides secure key storage for full disk encryption. A TPM keeps hard drives locked until proper authentication occurs.
What is Transport Layer Security (TLS)?
What is it used for?
Transport Layer Security (TLS) is a security protocol that provides confidentiality, integrity and server (optionally client) authentication for communications over a computer network. It is the successor to SSL and is used to protect application protocols such as HTTPS, FTPS, LDAPS, SMTP and many VPNs.
What is a Virtual Local Area Network (VLAN)?
A Virtual Local Area Network (VLAN) is a logical group of network devices on the same LAN, regardless of their physical location. It divides devices logically at the data link layer, for example grouping users by department, so that traffic between VLANs must pass through a router or firewall where it can be filtered.
What does a proxy do?
A proxy is a device that acts on behalf of another service. It examines the data and makes rule-based decisions about whether a request should be forwarded or refused, and can log and filter content in the process.
What does creating an airgap do?
Creating an airgap would physically isolate a system and its resources from other systems.
What is Signature-based (or pattern-matching) detection?
Signature-based (or pattern-matching) detection uses a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.
What is anomaly-based detection?
Anomaly-based detection uses an engine that looks for irregularities in the use of protocols. For example, the engine may check packet headers or the exchange of packets in a session against RFC standards and generate an alert, if they deviate from strict RFC compliance.
What is heuristic-based detection?
Heuristic-based detection learns from experience to detect deviations from a baseline. In this context it is treated as the same approach as behavioral-based detection, and it can catch previously unseen attacks at the cost of more false positives than signature matching.
What is Behavioral-based (statistical or profile-based) detection?
Behavioral-based (statistical or profile-based) detection uses an engine to recognize baseline “normal” traffic or events. Any deviation from the baseline (outside a defined level of tolerance) generates an incident.
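An added example for the four detection cards above (example code written for this page, not from any IDS product): three small engines run over constructed web-server access log lines of the form "client method path status". The signature engine matches known attack patterns, the anomaly engine flags requests that violate the HTTP specification, and the behavioral engine learns a per-client request-rate baseline and flags a client that exceeds it. The log lines, signatures and tolerance are all assumptions for the example.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Signature engine: known attack patterns (constructed, minimal set).
SIGNATURES = {
    "sqli_union": re.compile(r"union[\s+]+select", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}

# Anomaly engine: protocol compliance. RFC 9110 request methods; anything else is malformed.
RFC_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}


def make_lines(client: str, n: int, path: str = "/index.html") -> List[str]:
    # Constructed access-log lines: "client method path status".
    return [f"{client} GET {path} 200"] * n


BASELINE_LOG = (make_lines("10.0.0.11", 12) + make_lines("10.0.0.12", 9) + make_lines("10.0.0.13", 11)
                + make_lines("10.0.0.14", 10) + make_lines("10.0.0.15", 13))   # a known-good hour

WINDOW_LOG = (make_lines("10.0.0.11", 11) + make_lines("10.0.0.12", 10) + make_lines("10.0.0.13", 12)
              + make_lines("10.0.0.14", 9)
              + ["10.0.0.13 GET /search?q=1'+UNION+SELECT+password+FROM+users-- 500",
                 "10.0.0.14 GET /static/../../etc/passwd 404",
                 "10.0.0.15 GETT /index.html 400"]
              + make_lines("10.0.0.99", 90))                                   # one client hammering the server


def parse(line: str) -> Tuple[str, str, str, str]:
    client, method, path, status = line.split()
    return client, method, path, status


def signature_detect(lines: List[str]) -> List[Tuple[str, str]]:
    # Pattern matching against the signature database; misses anything not in the database.
    hits = []
    for line in lines:
        client, _method, path, _status = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((client, name))
    return hits


def anomaly_detect(lines: List[str]) -> List[Tuple[str, str]]:
    # No attack database: flag whatever breaks the protocol specification.
    hits = []
    for line in lines:
        client, method, path, _status = parse(line)
        if method not in RFC_METHODS:
            hits.append((client, f"non-RFC method {method}"))
        elif not path.startswith("/"):
            hits.append((client, "request-target is not an absolute path"))
    return hits


def behavioral_detect(baseline: List[str], window: List[str], tolerance: float = 3.0) -> List[str]:
    # Learn "normal" requests-per-client from the baseline, then flag clients in the
    # window whose count exceeds mean + tolerance * standard deviation.
    base_counts = list(Counter(parse(l)[0] for l in baseline).values())
    threshold = statistics.mean(base_counts) + tolerance * statistics.pstdev(base_counts)
    window_counts = Counter(parse(l)[0] for l in window)
    return sorted(client for client, n in window_counts.items() if n > threshold)


def detection_demo() -> Dict[str, object]:
    return {
        "signature": signature_detect(WINDOW_LOG),
        "anomaly": anomaly_detect(WINDOW_LOG),
        "behavioral": behavioral_detect(BASELINE_LOG, WINDOW_LOG),
    }
```

Note what each engine misses: the signature engine says nothing about the flood from 10.0.0.99, the behavioral engine says nothing about the single injection attempt, and only the anomaly engine notices the malformed method. Real sensors combine all three for that reason.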
What does a Hypertext Markup Language 5 (HTML5) Virtual Private Network (VPN) do ?
Hypertext Markup Language 5 (HTML5) Virtual Private Network (VPN) uses modern web browsers to access and manage a desktop with relatively little lag. This is also known as a clientless remote desktop gateway.
What is Layer 2 Tunneling Protocol (L2TP) used for?
Layer 2 Tunneling Protocol (L2TP) is used together with IP Security (IPsec) to provide a VPN tunnel: L2TP carries the tunneled frames and IPsec supplies the encryption and authentication, since L2TP has none of its own. It requires a VPN client configured on the endpoint (one is built into Windows, macOS and most mobile operating systems).
What is a common use of an access control list (ACL)?
An access control list (ACL) can be used to restrict communications between two network segments, or between two switches connected to a router, by filtering on source and destination addresses, protocol and port.
ACLs are also the rule base of a firewall. The list of rules defines the type of data packet and the action to take when it enters or exits a network or system; the actions are to permit (accept) or deny. Rules are evaluated in order and the first match wins, and every ACL ends with an implicit deny, so ordering mistakes are a common source of both outages and exposure.
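An added example for the ACL card (example code written for this page, not a vendor's ACL syntax): a first-match evaluator with an implicit deny, a constructed two-rule ACL that lets a user VLAN reach a web tier on 443 while keeping a database host unreachable, and a check that finds rules shadowed by an earlier, broader rule. The addresses, rules and the misordered variant are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None matches any destination port


def rule(action: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Rule:
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    # First matching rule wins. Every ACL ends with an implicit "deny any", so anything
    # not explicitly permitted is dropped.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if r.proto != "any" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


def shadowed_rules(acl: List[Rule]) -> List[int]:
    # A rule is shadowed when an earlier rule matches everything it would match,
    # so it can never fire: the classic symptom of a misordered ACL.
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("any", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(i)
                break
    return shadowed


# Constructed policy: the user VLAN 10.0.1.0/24 may reach the web tier 10.0.2.0/24 on
# TCP 443 only, and the database host 10.0.2.50 must stay unreachable from users.
CORRECT_ACL = [
    rule("deny", "any", "10.0.1.0/24", "10.0.2.50/32"),
    rule("permit", "tcp", "10.0.1.0/24", "10.0.2.0/24", 443),
]

# The same intent after an admin "fixed connectivity" by adding a broad permit at the top.
MISORDERED_ACL = [rule("permit", "any", "10.0.1.0/24", "10.0.2.0/24")] + CORRECT_ACL


def acl_demo() -> dict:
    return {
        "web_allowed": evaluate(CORRECT_ACL, "tcp", "10.0.1.7", "10.0.2.10", 443),
        "ssh_to_web_denied": evaluate(CORRECT_ACL, "tcp", "10.0.1.7", "10.0.2.10", 22),
        "db_denied": evaluate(CORRECT_ACL, "tcp", "10.0.1.7", "10.0.2.50", 443),
        "other_segment_denied": evaluate(CORRECT_ACL, "tcp", "10.0.3.7", "10.0.2.10", 443),
        "misordered_db_leaks": evaluate(MISORDERED_ACL, "tcp", "10.0.1.7", "10.0.2.50", 443),
        "shadowed_in_correct": shadowed_rules(CORRECT_ACL),
        "shadowed_in_misordered": shadowed_rules(MISORDERED_ACL),
    }
```

Running `shadowed_rules` over an exported rule base is a cheap review step: any index it returns is a rule that the device will never consult, and in the misordered case it is exactly the deny that was supposed to protect the database.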
What is a Virtual IP (VIP) address?
Each server node has its own IP address, but externally a load-balanced service is advertising a Virtual IP (VIP) address. Clients go to an IP address or FQDN (fully qualified domain name) and will be routed accordingly between the servers in the cluster.
What is Gateway Load Balancing Protocol (GLBP)?
Gateway Load Balancing Protocol (GLBP) is Cisco's proprietary protocol for providing a redundant, load-balanced default gateway behind a single virtual IP address: several routers share the VIP and each answers for a share of the clients. Being proprietary, it is the likely choice only when the infrastructure is Cisco-based.
What is the Common Address Redundancy Protocol (CARP)?
What is it comparable to?
Common Address Redundancy Protocol (CARP) is an open, non-proprietary protocol (originating in OpenBSD) that lets several hosts share a virtual IP address for redundancy and load sharing. It serves the same purpose as GLBP and the standard VRRP.
What is Spanning Tree Protocol (STP) is principally designed for?
Spanning Tree Protocol (STP) is principally designed to prevent broadcast storms.
These storms occur when a bridged network contains a loop and broadcast traffic is amplified by the other switches. This can disrupt the network services.
What is Dynamic Host Configuration Protocol (DHCP) snooping?
Dynamic Host Configuration Protocol (DHCP) snooping is a switch feature that inspects DHCP traffic on access ports. It drops DHCP server messages arriving on untrusted ports (stopping rogue DHCP servers) and builds a binding table of which MAC and IP address were leased on which port, which the switch and Dynamic ARP Inspection then use to detect a host trying to spoof its MAC or IP address.
What does Media Access Control (MAC) filtering (port security) protect against?
Media Access Control (MAC) filtering, implemented on switches as port security, guards against MAC flooding attacks. It limits the number of MAC addresses permitted on a port (or pins the port to specific addresses) and shuts the port down or drops frames when the limit is exceeded, so an attacker cannot overflow the switch's address table and force it to flood traffic to every port.
What does a Bridge Protocol Data Unit (BPDU) guard prevent?
Where is the setting applied?
What does it cause?
A Bridge Protocol Data Unit (BPDU) guard prevents devices on access ports from sending BPDUs and thereby influencing the spanning-tree topology. This protects against misconfiguration (someone plugging in a switch) and against a malicious attempt to become the root bridge and redirect traffic.
The BPDU guard setting is applied on switches, to the access ports where end devices connect.
It causes a PortFast-configured port that receives a BPDU to be placed in the error-disabled state, shutting it down until an administrator re-enables it or a recovery timer expires.
What is a split-tunnel VPN?
In a split-tunnel VPN, administrators decide which traffic is routed through the tunnel: only traffic destined for the private network goes over the VPN, while other traffic, such as general Internet browsing, leaves the client's local connection directly. This saves bandwidth on the VPN concentrator, but that direct traffic bypasses the corporate security controls, which a full tunnel would enforce.
What is an extranet?
An extranet is a zone created to allow authorized users access to company assets separate from the intranet.
What do Sensors do in Networking?
Where do Sensors send the data?
Sensors gather information to determine if the data being passed is malicious or not. The Internet facing sensor will see all traffic and determine its Intent. The sensor behind the firewall will only see filtered traffic. The sensors send findings to the NIDS console.
What is an aggregation switch?
An aggregation switch can connect multiple subnets to reduce the number of active ports. When aggregating subnets, the subnets are connected to the switch versus the router.
What is a correlation engine?
What uses it?
A correlation engine is part of a Security Information and Event Manager (SIEM). It captures and examines logged events to alert administrators of potential threats on a network.