3.0 - Implementation Flashcards

1
Q

Define

SRTP

A
  • Secure Real-Time Transport Protocol
  • Adds security features to RTP
  • Integrity, replay protection, and AES encryption
  • Used for voice and video
2
Q

Define

NTPsec

A
  • Secure Network Time Protocol
  • Began development in 2015
  • Adds security to NTP and cleans up code base
  • (NTP has commonly been used as amplifiers in DDoS attacks)
3
Q

Define

S/MIME

A
  • Secure/Multipurpose Internet Mail Extensions
  • Public key encryption and digital signing of mail content
  • Requires PKI or similar organization of keys
4
Q

Define

IPsec

A
  • Internet Protocol Security
  • Allows sending of data over OSI layer 3 with authentication and encryption for every packet
  • Very standardized, common to use across multiple vendors
  • Its two primary protocols are AH and ESP
5
Q

Explain

AH

A
  • Application Header
  • One of the core protocols of IPsec
  • Adds a hash of the IP packet and a shared key
  • The hash adds integrity
  • The shared key authenticates the origin
  • Also includes sequence numbers, to prevent replay attacks
  • Does not encrypt data, only provides integrity
  • Can be used independently, but is most often used with ESP
6
Q

Define

ESP

A
  • Encapsulation Security Payload
  • One of the core protocols of IPsec
  • Adds encryption to IP packets
7
Q

Difference between FTPS and SFTP?

A
  • FTPS is “FTP over SSL”
  • SFTP is “SSH FTP”
8
Q

Define

LDAPS

A
  • LDAP Secure
  • A non-standard implementation of LDAP over SSL
9
Q

Define

SASL

A
  • Simple Authentication and Security Layer
  • Directory service to provide authentication using many different methods
  • Such as Kerberos or client certificate
  • Can be used by LDAP
10
Q

Define

DNSSEC

A
  • Domain Name System Security Extensions
  • Validates DNS responses to authenticate the origin and confirm the data integrity
  • Uses public key cryptography
11
Q

Define

SNMPv3

A
  • The secure version of SNMP
  • Adds authentication, integrity, and confidentiality through encryption
12
Q

How can security be added to DHCP?

A
  • It does not include any security functions in its original specification
  • Switches can be configured to only allow DHCP responses to come from specified trusted interfaces
  • In Active Directory, DHCP servers must be authorized
13
Q

Define

DHCP Snooping

A
  • The term used by Cisco for the feature of specifying what interfaces on a switch are allowed to send DHCP responses
  • Filters invalid IP and DHCP information
14
Q

Explain

EDR

A
  • Endpoint Detection and Response
  • A newer method of threat protection, rather than signature-based
  • Detects threats through behavior analysis, machine learning, process monitoring
  • Can run through a lightweight agent on an endpoint
  • Both investigates threats and can respond to them
  • Responses may include isolating the system, quarantining the threat, rolling back to a previous config
  • Can be automated and API-driven
15
Q

What are alternative terms for NGFW?

A
  • Application Layer Gateway
  • Stateful Multilayer Inspection
  • Deep Packet Inspection
16
Q

Define

NGFW

A
  • Next-Generation Firewall
  • Inspects the application layer, all data in every packet, rather than just looking at IP address and port number
  • Can allow or block application features
  • Identify attacks and malware
  • Examine encrypted data (if configured to manage the keys)
  • Prevent access to URLs or URL categories
17
Q

Define

HIDS and HIPS

A
  • Host-Based Intrusion Detection System and Host-Based Intrusion Prevention System
  • Runs directly on an endpoint/host, and looks through log files to identify intrusions
18
Q

Explain

TPM

A
  • Trusted Platform Module
  • Hardware installed to assist with cryptography and device security
  • Cryptographic processor and key generator
  • Comes with unique keys burned in during production
  • Can store keys, hardware configuration info, etc.
  • Password protected with anti-brute force features
19
Q

How does UEFI BIOS protect against malicious firmware updates?

A
  • BIOS includes the manufacturer’s public key
  • When flashing a BIOS update, the firmware’s digital signature is checked against that key
  • BIOS will prevent unauthorized writes to the flash
20
Q

Define

Secure Boot

A
  • Part of the UEFI specification
  • When enabled, Secure Boot verifies the bootloader
  • Checks the bootloader’s digital signature
  • Bootloader must be signed with a trusted certificate, or else its signature must be manually approved
  • Confirms that no part of that bootloader has been changed
21
Q

Define

Trusted Boot

A
  • The bootloader verifies the digital signature of the OS kernel
  • The boot process will halt if a corrupted kernel is detected
  • The kernel then verifies all other startup components, including boot drivers and startup files
  • ELAM then runs prior to loading all remaining drivers.
22
Q

Define

ELAM

A
  • Early Launch Anti-Malware
  • A security feature of Windows that checks every driver to see if it is trusted prior to loading it
  • Runs early in the boot process
  • Checks digital signatures, and prevents untrusted drivers from loading.
23
Q

Explain

Measured Boot

A
  • UEFI stores a hash of firmware, boot drivers, and everything else loaded during Secure Boot and Trusted Boot processes
  • This hash is stored in the TPM and can be sent, encrypted and signed by the TPM, to a verification server
24
Q

Define

Remote Attestation / Boot Attestation

A
  • When the Measured Boot process completes, the TPM encrypts, signs, and sends an operational report to a verification server
  • The attestation server receives the boot report, and compares it to the known-trusted configuration of the system
  • If changes are found, they are identified and various actions can be taken
25
Q

What is this another name for?

Fuzzing

A
  • A colloquial term for Dynamic Analysis
  • May also be referred to as:
    ○ Fault-injecting
    ○ Robustness testing
    ○ Syntax testing
    ○ Negative testing
26
Q

Define

Dynamic Analysis

A
  • A type of attack on applications, where random input is sent
  • Attacker is looking for vulnerabilities, application crashes, buffer overflows, exceptions, etc.
  • “Fuzzers” are tools to perform this.
  • Very time and processor resource heavy, but often designed to perform high-probability tests first.
27
Q

Describe security concerns surrounding:

Cookies

A
  • Cookies are used for tracking, personalization, and session management
  • Generally should not be a security risk, unless someone gains access to them.
  • Secure Cookies have an attribute set that requires they will only be sent over HTTPS
  • Sensitive information ought never to be stored in a cookie
28
Q

Explain

HTTP Secure Headers

A
  • A way for the web server to restrict the capabilities of a browser from performing certain functions
  • Useful when an application is being used on your web server, but you aren’t certain of that application’s security
  • For example, can be used to:
    ○ enforce HTTPS
    ○ only allow scripts, stylesheets, or images from the local site (preventing XSS attacks)
    ○ prevent data from loading in an iframe
29
Q

Explain

Code Signing

A
  • Application code can be digitally signed by the developer, confirming that the code has not been modified
  • Asymmetric encryption:
    ○ A trusted CA signs the developer’s public key
    ○ And the developer signs the code with their private key
30
Q

How can applications be allowed or denied?

A
  • Allow lists and deny lists can be made to control what applications may run on a system
  • Lists may be based on, for example:
    ○ Application’s hash
    ○ A certificate, for digitally signed applications
    ○ The application’s path, allowing applications to only run in certain folders
    ○ The application’s network zone
31
Q

Explain

SAST

A
  • Static Application Security Testing
  • A tool to perform automated analysis on source code to identify security flaws
  • Findings and recommendations are reported, and would still need to be manually verified and applied
  • Not all flaws can be identified this way, such as authentication security issues and insecure cryptography
32
Q

Name a tool that can scan and verify what ports are open?

A
  • Nmap
33
Q

Define

SED

A
  • Self-Encrypting Drive
  • Hardware-based full disk encryption
  • No operating system software needed
  • Follows the “Opal storage specification”
34
Q

What functions may a Load Balancer perform? (six answers)

A
  • Primary function is to manage the load across multiple servers
  • May also perform any of the following:
    ○ TCP offload (handles some TCP traffic rather than the servers)
    ○ SSL offload (encryption/decryption, so that comm. between balancer and servers is in-the-clear)
    ○ Caching (keeps copy of common responses on balancer, so it can respond quickly on behalf of servers)
    ○ Prioritization / QoS
    ○ Content switching (application-centric balancing, directing different functions to different servers)
35
Q

Explain Scheduling and list four possible methods

A
  • Scheduling is the method of determining which server a load balancer will direct traffic to
  • Example Active/Active methods:
    ○ Round-Robin (each server selected in turn)
    ○ Weighted Round-Robin (prioritizing some servers over others, rather than equal)
    ○ Dynamic Round-Robin (distribute traffic to server with lowest current load)
  • Active/Passive scheduling will only route traffic to “passive” servers if an active server fails (making the passive server become active)
36
Q

Define

Affinity

A
  • In Load Balancing, Affinity connects users to specific servers, so that whenever they reconnect, they will be directed to the same server as previously
  • Often based on IP address / port number or session ID
  • Used when an application requires communication to the same instance
37
Q

Explain

Extranet

A
  • Similar in structure to a DMZ, but usually requires additional authentication to access, rather than allowing any public access
  • Often used for partners, vendors, suppliers, etc. to gain access to internal resources
38
Q

Define

East-West Traffic

A
  • Traffic between devices in the same data center
  • Includes traffic between separate customers within the same data center
39
Q

Define

North-South Traffic

A
  • A term for a data center’s ingress/egress traffic to and from an outside device
  • Usually requires a stricter security posture than east-west traffic
40
Q

Define

Concentrator

A
  • The device that performs encryption and decryption for a VPN connection
  • Often integrated into a firewall, but can also be a standalone device
41
Q

Explain

SSL VPN

A
  • Uses the common SSL/TLS protocol (tcp 443)
  • Therefore, usually does not run into any firewall issues
  • Can authenticate users
  • Doesn’t require digital certificates or shared passwords
  • Can be run from within a browser or a light VPN client, but often doesn’t require a VPN client
42
Q

Explain

HTML5 VPN

A
  • HTML5 includes API support with web cryptography API
  • Allows for the creation of a VPN tunnel in a browser without any VPN application
43
Q

Explain

L2TP

A
  • Layer 2 Tunneling Protocol
  • Connecting sites over a layer 3 network as though they were connected at layer 2
  • Commonly implemented with IPsec (L2TP for the tunnel, IPsec for the encryption)
    ○ Sometimes referred to as L2TP over IPsec or L2TP/IPsec
44
Q

Explain

Transport Mode vs. Tunnel Mode

A
  • IPsec modes of operation
  • In Transport mode, only the Data portion of the IP packet is encrypted
  • In Tunnel mode, both the IP Header and the Data are encrypted, and a new IP header is added, which directs the packet to the VPN concentrator on the other side of the tunnel.
45
Q

Define

Broadcast Storm Control

A
  • A security feature for switches
  • Limits the number of broadcasts per second
  • Often also used to control multicast and unknown unicast traffic
  • Can be managed either by specific values, percentages, or deviations from baseline behavior
46
Q

Define

BPDU

A
  • Bridge Protocol Data Unit
  • The primary protocol used by Spanning Tree Protocol
47
Q

Define

BPDU Guard

A
  • If a BPDU frame is seen on a PortFast configured interface, the interface will shutdown
  • This is because PortFast interfaces are only supposed to connect to endpoints, which would never send BPDUs
48
Q

Define

PortFast

A
  • Cisco’s term for the feature of bypassing the STP listening and learning steps when a device is plugged in
  • Configured for ports that are known to only be needed to connect to endpoints, so STP is not needed since it won’t create a loop.
  • STP takes 20-30 seconds to determine how to handle a new connection, so bypassing it saves time
49
Q

Explain

MAC Filtering

A
  • Limiting access to the network based on MAC address Allow Lists
  • Security through obscurity
  • Not very secure since Allowed MACs on the network can be easily discovered and spoofed
50
Q

List some security implications of IPv6

four bullets

A
  • No need for NAT
  • Some attack types no longer apply (such as ARP spoofing, since there is no ARP)
  • But some new attack types apply, such as Neighbor Cache Exhaustion
  • It is not necessarily more or less secure than IPv4, it’s just different
51
Q

Define

Neighbor Cache Exhaustion

A
  • An IPv6 attack which fills up the neighbor cache on devices
  • Can make a system unable to communicate with other devices on the network
52
Q

Define

SPAN

A
  • Switched Port ANalyzer
  • Cisco’s name for port mirroring to a software-based tap
53
Q

Define

FIM

A
  • File Integrity Monitoring
  • Monitoring changes to files that should never change
  • Notifies when changes occur
54
Q

Two examples of FIM tools?

A
  • Tripwire: Real-time FIM tool for Linux
  • SFC (System File Checker): On-demand FIM for Windows
55
Q

Define

Stateless Firewall

A
  • Older style of firewall that does not keep track of traffic flows
  • Packets coming into the network will need access rules to get in, even if it is in response to requests originating from the firewall’s internal network
  • Access rules are required for both directions of a session’s traffic
  • Security concerns since rules require that external traffic will gain entry even if it is unsolicited
56
Q

Explain

UTM

A
  • Unified Threat Management
  • An all-in-one security appliance
  • Firewall, Content filter, anti-malware, spam filter, IDS/IPS, VPN endpoint, etc.
  • A precursor to NGFW
57
Q

Explain

WAF

A
  • Web Application Firewall
  • Applies rules to HTTP/HTTPS conversations
  • Instead of looking at ports and IPs, it allows or denies based on expected input.
58
Q

If a firewall has an implicit deny, why might an admin create an explicit deny for a specific service?

A
  • Implicit denies are not logged. Creating a rule means an attempted access will generate a log.
59
Q

What is an advantage of host-based firewalls?

A
  • Since it runs on your local machine, it can view traffic from an encrypted communication (HTTPS, etc.), since it is decrypted locally.
60
Q

Define

Dissolvable Agent

A
  • Used for Network Access Control
  • For running health checks and posture assessment on devices on / connecting to the network
  • No installation required
  • Runs during the assessment, and terminates when no longer required
61
Q

Define

Agentless NAC

A
  • Used for Network Access Control
  • For running health checks and posture assessment on devices on / connecting to the network
  • Integrated with Active Directory
  • Checks are made during login and logoff
  • Only runs at those times; cannot be scheduled
62
Q

What functions may a Proxy Server perform? (list 5)

A
  • Keeping a local cache of information
  • Access Control
  • URL Filtering
  • Content Scanning
  • A Reverse Proxy, which examines incoming requests from the Internet before sending them to a web server
63
Q

Define

Transparent Proxy Server

A
  • A proxy server on a network, where endpoints don’t need to be explicitly configured to use it, and aren’t aware of it.
64
Q

What does this stand for?

NIDS

A
  • Network-based Intrusion Detection System
65
Q

What does this stand for?

NIPS

A
  • Network-based Intrusion Prevention System
66
Q

What is an out-of-band response?

A
  • When a passive IPS (not in-line with traffic) identifies malicious traffic and sends a TCP RST (reset) frame to prevent further traffic
  • It does not prevent the original packet from going through, but disrupts the traffic flow and prevents further communication
  • The reset frame is part of the TCP protocol; this response does not work with UDP traffic
67
Q

What methods can be used by an IPS to identify malicious activity? (Four answers)

A
  • Signature-based: Must match exactly
  • Anomaly-based: Create a baseline of what’s normal to detect unusual activity
  • Behavior-based: Programmed to know what certain malicious activities might look like
  • Heuristics: use artificial intelligence and big data
68
Q

Define

Jump Server

A
  • A system that you connect to in order to access other internal systems
  • Must be highly-secured, hardened, and monitored
69
Q

Define

HSM

A
  • Hardware Security Module
  • A dedicated server for handling cryptographic functions, storing keys, certificates, etc.
  • Used in very large environments with many devices that need cryptographic keys
  • Usually installed in clusters with lots of redundancy
  • Built with specialized hardware designed for cryptography
  • Can act as a proxy to offload encrypted communication for webservers, and forward the traffic to the webservers in the clear
70
Q

What does this stand for?

MIC

A
  • Message Integrity Check
71
Q

Define:

CCMP

A
  • Stands for: Counter/CBC-MAC Protocol
  • A block cipher mode
  • The type of encryption used with WPA2
  • Uses AES for confidentiality
  • Uses CBC-MAC for MIC
72
Q

Define:

CBC-MAC

A
  • Cipher Block Chaining Message Authentication Code Protocol
  • A form of MIC (Message Integrity Check)
73
Q

Define:

GCMP

A
  • Galois/Counter Mode Protocol
  • A block cipher mode
  • The type of encryption used in WPA3
  • Uses AES for confidentiality
  • Uses GMAC for MIC
74
Q

Define:

GMAC

A
  • Galois Message Authentication Code
  • A form of MIC
75
Q

What security advantages does WPA3 have over WPA2?

A
  • WPA2 is susceptible to brute force attacks. Once the passphrase is known, an attacker can read all communication of all devices
  • WPA3 uses:
    ○ mutual authentication
    ○ creates a shared session key without sending that key across the network
    ○ perfect forward secrecy
    ○ SAE
76
Q

Explain:

Perfect Forward Secrecy

A
  • A session key is created for each session, and disposed of when the session is over
  • New sessions would create a new key
  • Used, among other places, in WPA3
77
Q

Explain:

SAE

A
  • Simultaneous Authentication of Equals
  • A Diffie-Hellman derived key exchange (same process), but adds an authentication component
  • An IEEE standard
  • sometimes called the dragonfly handshake
  • Used, among other places, in WPA3
78
Q

Describe WPS from a security standpoint.

A
  • Best practice is to disable it
  • If it does not have brute-force protection built in, it is extremely easy to brute force
  • Only 11,000 possible combinations need to be tried to gain access
  • Brute-force lockouts are now the norm, but most devices out there don’t have it.
79
Q

How can WPS authenticate a device?

A
  • a PIN (which is easily brute-forced)
  • A physical button to push on the WAP
  • NFC
80
Q

What type of authentication does WPA2-Enterprise use?

A
  • 802.1X
81
Q

Explain

802.1X

A
  • A type of network access control that requires authentication to access the network, whether wired or wireless
  • Typically uses a central authentication database such as RADIUS, LDAP, TACACS+, etc.
  • The authenticator (the device that provides network access) communicates to an authentication server on behalf of the supplicant (client)
82
Q

Define

NAC

A
  • Port-based Network Access Control
  • A name for 802.1X
83
Q

Define:

EAP

A
  • Extensible Authentication Protocol
  • The authentication protocol used by 802.1X, as well as many other types of authentication for wireless networks
  • Supports multiple types of authentication
  • Manufacturers can build their own EAP methods
84
Q

Explain:

EAP-FAST

A
  • EAP Flexible Authentication via Secure Tunneling
  • Ensures that the authentication server and supplicant can communicate with each other over a secure tunnel.
  • The server provides a protected access credential (PAC), i.e. a shared secret, to the supplicant, they mutually authenticate and negotiate a TLS tunnel, and user authentication occurs over the TLS tunnel.
85
Q

Define:

PAC

A
  • Protected Access Credential
  • A shared secret, used in EAP-FAST
86
Q

Define:

AS

A
  • The acronym used for the Authentication Server in EAP
87
Q

Define

PEAP

A
  • Protected EAP (Extensible Authentication Protocol)
  • Created by Cisco, Microsoft, and RSA Security
  • Similar to EAP-FAST, but instead of a PAC (Private Access Credential), the AS uses a digital certificate.
  • (As with a web server, the client does not need its own certificate, only the server)
  • User can authenticate using MSCHAPv2 for Microsoft services, or GTC
88
Q

What does this stand for?

MSCHAPv2

A
  • Microsoft Challenge Handshake Authentication Protocol version 2
89
Q

What does this stand for?

GTC

A
  • Generic Token Card
90
Q

Explain:

EAP-TLS

A
  • EAP with TLS
  • Similar to PEAP, but requires a digital certificate on the client as well as the AS, so they can mutually authenticate
  • Once devices have authenticated to each other, the TLS tunnel is built for the user authentication process
  • Complex implementation as it requires all network devices to have certificates
  • May not be suitable, as not all devices can support the use of digital certificates.
91
Q

Explain:

EAP-TTLS

A
  • EAP Tunneled TLS
  • Similar to PEAP, builds a TLS tunnel using the digital certificate of the AS
  • (Does not require the supplicant to have a certificate)
  • Can use any authentication method inside the TLS tunnel, including other EAPs, MSCHAPv2, or anything else.
92
Q

Define

Wireless Controller

A
  • A centralized management device for wireless access points
  • Allows management of system configuration, performance, updates, etc.
93
Q

Define

MCM

A
  • Mobile Content Management
  • Controls for securing access to data and protecting it from outsiders
  • Managed from the mobile device manager (MDM)
  • May include controls for file sharing and viewing, as well as DLP and encryption requirements
94
Q

Explain

Context-Aware Authentication

A
  • An emerging technology
  • Looks at multiple contexts to determine whether a login attempt is likely to be authentic
  • Contexts may include:
    ○ Device IP address
    ○ GPS information
    ○ Devices connected / Bluetooth paired to the device
    ○ more
95
Q

In the context of BYOD, define:

Containerization

A
  • The separation of enterprise mobile apps and data from personal apps and data
  • Storage on a mobile device is segmented to keep business data in a contained area with restricted sharing
  • Makes offboarding much easier. Business data can be wiped without removing personal data.
96
Q

Define

MicroSD HSM

A
  • A small Hardware Security Module, in microSD card form
  • Provides security services to mobile devices, such as:
    ○ encryption
    ○ key generation
    ○ digital signatures
    ○ authentication
97
Q

Explain

UEM

A
  • Unified Endpoint Management
  • Similar to MDM, but also manages non-mobile devices
  • Allows users to change between devices, such as phone and laptop, and still have same security and access
98
Q

Explain

MAM

A
  • Mobile Application Management
  • Provision, update, and remove apps from your own enterprise app catalog
  • Monitor application use
  • Fine-grained control of wiping data
99
Q

Explain

SEAndroid

A
  • Security Enhancements for Android
  • Puts SELinux functions into Android OS
  • Supports additional access control security policies
  • Enabled by default since Android version 4.3 in July 2013
  • Developed by NSA
100
Q

List some security features added by SEAndroid (four answers)

A
  • Protects privileged access to Android system daemons
  • Changed Discretionary Access Control (DAC) to Mandatory Access Control (MAC)
  • Isolates and sandboxes Android apps
  • Centralized policy configuration
101
Q

Define:

OTA

A
  • Over the Air
  • A type of firmware update for mobile devices
  • Delivered wirelessly without needing to connect to any device
102
Q

List some capabilities of MDM

A
  • Control firmware updates
  • Use an allow list or block list of approved / blocked apps
  • Control microphone/camera use to disable/enable either always or only in certain locations
  • Control SMS/MMS usage by timeframe or location
103
Q

Define

USB OTG

A
  • USB On-the-Go
  • A USB 2.0 Standard that allows supported devices to connect directly together
  • A mobile device can act as both a host and a device, acting as storage
104
Q

Define

Geotagging

A
  • aka GPS Tagging
  • Adds location to file metadata
  • Can cause security concern, since investigating these files can create a path of a user
  • Can be disabled
105
Q

Define

COPE

A
  • Corporate-Owned, Personally-Enabled
  • A mobile deployment model
  • Similar to BYOD, but the company buys the device and allows it to also be used for personal use
  • Company keeps full control of device
106
Q

Define

CYOD

A
  • Choose Your Own Device
  • Similar to COPE, but with the user’s choice of device
107
Q

Explain

VMI

A
  • Virtual Mobile Infrastructure
  • Like thin clients, mobile phones can also connect to a cloud service where apps and data are stored
  • If the device is lost, no data is lost, no security concern
  • Allows for centralized app development, since you only need to write for a single VMI platform
  • No need to update all individual devices
108
Q

Define

AZ

A
  • Availability Zone
  • Isolated locations within a cloud region (geographic location)
  • Each AZ is completely independent
109
Q

Define

HA Across Zones

A
  • High Availability Across (Availability) Zones
  • Highly Available applications can be aware of Availability Zones, and recognize an outage in a particular zone to adjust accordingly
110
Q

Define

IAM

A
  • Identity and Access Management
  • Cloud resource security control to determine who gets access, and what they get access to
  • Maps job functions to roles
  • Granular policies control access by user group, IP, date and time, geolocation, etc.
111
Q

Define

VPC Endpoint

A
  • Virtual Private Cloud Endpoint
  • Allows private cloud subnets to communicate to other cloud services, even without an internet connection.
  • Facilitates connectivity between VPCs and cloud services such as storage.
112
Q

What are some tips for container security?

A
  • Use OSs that are designed specifically for containers
  • Group containers of similar type onto the same host, to limit the scope of any intrusion
113
Q

Define

Security Group

A
  • In the context of Cloud Computing:
  • Security Groups provide Layer 4 firewall services for all resources within a VPC (Virtual Private Cloud)
  • Not to be confused with Security Groups in Active Directory
  • Not sure why they’re not just called “VPC Firewalls” or something.
114
Q

Define

DAC vs. MAC

A
  • Discretionary Access Control / Mandatory Access Control
  • In DAC model, users have control over access to their own data or local computer resources
  • In MAC model, access permissions are set by administrators. Resource objects (such as files) are given security labels which assign a classification and category, which are matched to users’ classifications and categories to determine access.
115
Q

Explain

CASB

A
  • Cloud Access Security Broker
  • May be installed as client software, run as a local network appliance, or a cloud service
  • Four functions:
    ○ Visibility into what apps are in use, what data is being transferred, etc.
    ○ Enforce compliance regulations
    ○ Prevent threats / disallowed blocked items
    ○ Data Security: Enforce DLP, Encryption, etc.
116
Q

Explain

SWG

A
  • Next-Gen Secure Web Gateway
  • Protects users and devices regardless of location and activity
  • Goes beyond just examining Layer 4 (TCP/UDP), URLs, and GET requests
  • Examines JSON strings and API requests, to allow or disallow very specific activities
117
Q

Explain

IdP

A
  • Identity Provider
  • A third-party providing identity control for another service.
  • Essentially “Authentication as a Service”
  • Commonly used by SSO applications
118
Q

Explain

SSH Keys

A
  • The use of public/private cryptographic keys to authenticate in SSH instead of a username and password
  • Especially used for automation and scripts, since you won’t be there to enter a password when the script is running
  • Key management is critical, to centralize, control, and audit key use
  • Both open source and commercial SSH key managers are available
119
Q

How to generate and login with an SSH key?

A
  • ssh-keygen
   ○ The command in Linux or MacOS
   ○ Creates a public/private key pair for authentication
  • Copy the public key to the SSH server:
   ○ ssh-copy-id user@host
  • Copy the private key to any system that will need to login
  • You can now login with the following command, no password required:
   ○ ssh user@host
120
Q

Explain

KBA

A
  • Knowledge-Based Authentication
  • A form of “Something you know”
  • Static KBA: Pre-configured security questions, often used with account recovery.
   ○ Ex., what was your first car?
  • Dynamic KBA: Not pre-configured, but pulled from some other source, often an identity verification service.
   ○ Ex., Which of the following addresses did you live at in 1999?
121
Q

Explain

PAP

A
  • Password Authentication Protocol
  • An old, basic authentication method.
  • Rare today. Used only in legacy systems.
  • No encryption, designed for analog dialup connections.
  • When used today, the application may provide encryption, encapsulated within PAP, so it’s not sent in the clear.
122
Q

Explain

CHAP

A
  • Challenge-Handshake Authentication Protocol
  • Encrypted challenge sent over the network
  • A step up from PAP
  • Server sends a challenge based on the password, which verifies both sides have that password, without sending the password itself.
  • This challenge-response may continue to occur periodically during the connection, invisible to the user
123
Q

Explain

MS-CHAP

A
  • Microsoft’s implementation of CHAP
  • MS-CHAP v2 is the most recent version
  • Both v1 and v2 are insecure and should not be used, because they use DES
  • DES is susceptible to brute force decryption of the hash
124
Q

Explain

TACACS

A
  • Terminal Access Controller Access-Control System
  • A remote authentication protocol
  • Originally built when using analog dial-up lines
  • Created for access to ARPANET
125
Q

Explain

XTACACS

A
  • Extended TACACS
  • Cisco proprietary version of TACACS
  • Has additional support for accounting and auditing
126
Q

Explain

TACACS+

A
  • The latest version of TACACS, released in 1993
  • If using TACACS today, it is probably this version
  • Adds more authentication requests and response codes
127
Q

Explain

Kerberos

A
  • A network authentication protocol
  • Authenticates once, then you are trusted by the system and don’t need to re-authenticate to access resources
  • Server provides a “ticket” that your system uses to authenticate to other systems without entering password again
  • Mutual authentication, which protects against on-path or replay attacks
  • Standard since 1980s, Microsoft began using it in Windows 2000
128
Q

What databases may be used on the backend of IEEE 802.1X?

A
  • Can work with a variety, including:
   ○ RADIUS
   ○ LDAP
   ○ TACACS+
129
Q

Define

SAML

A
  • Security Assertion Markup Language
  • An open standard for authentication and authorization
  • Authenticate through a third-party to gain access
  • Not designed to support mobile apps, so is likely to decline in usage as time goes on
130
Q

What is the flow of SAML?

A
  • Client accesses resource server
  • Resource server sends signed/encrypted SAML request to client, and directs them to the authorization server
  • Client signs into the Authorization Server
  • Authorization Server provides SAML token
  • Client sends SAML token to resource server and gains access
131
Q

Explain

OAuth

A
  • Open Authorization
  • An authorization framework with significant industry support
  • Determines what resources a user can access
  • Does not authenticate, only authorizes
  • Often used to provide authorization between applications
  • Ex. “Datto wants permissions to your Microsoft 365 account for the following. Do you want to allow this?”
132
Q

Explain

ABAC

A
  • Attribute-Based Access Control
  • Next-gen authorization model, aware of context
  • Combines and evaluates multiple parameters to determine access
  • Ex. IP address, time of day, desired action, etc.
133
Q

Explain

PAM

A
  • Privileged Access Management
  • Centralized management of administrative / superuser accounts
  • When an admin needs to perform administrative task or gain access, they make a request from the vault, and the privileged access they need is granted only temporarily. “Checked out.”
  • Enables automation
  • Manages access for each user
  • Extensive tracking and auditing
134
Q

Explain

CRL

A
  • Certificate Revocation List
  • Maintained by the CA
  • Contains many revocations in a large file which changes all the time.
135
Q

Explain

OCSP

A
  • Online Certificate Status Protocol
  • Allows a web browser to check revocation status of a single certificate
  • Requests are usually sent to an OCSP responder, managed by the CA, via HTTP
  • More efficient than downloading an entire CRL just to check one certificate
  • Most modern browsers support OCSP, but some older browsers and apps do not.
136
Q

Define:

DV

A
  • Domain Validation Certificate
  • SSL Certificate that shows the owner of the certificate is in control of the DNS domain
  • This is the most common certificate used by websites
137
Q

Define

EV

A
  • Extended Validation Certificate
  • Like a DV, but additional checks have verified the certificate owner’s identity
  • Browsers will show a name in the address bar next to the padlock icon that indicates the SSL connection
  • Not common anymore; since SSL has become standard, there’s not much point in promoting your use of it.
138
Q

Explain

X.509

A
  • The standard structure for digital certificates
139
Q

Explain

DER

A
  • Distinguished Encoding Rules
  • A type of binary encoding format
  • Common and used across many platforms
  • perfect for an X.509 certificate
140
Q

Explain

PEM

A
  • Stands for “Privacy-Enhanced Mail”
  • An encoded X.509 certificate in ASCII format
  • Makes it easier to read and e-mail, rather than the binary form of DER
  • The most common format provided by CAs
141
Q

Define

PKCS #12

A
  • Public Key Cryptography Standards #12
  • A container format for many certificates
  • Store multiple X.509 certs in a single .p12 or .pfx file
  • Often used to transfer a private and public key pair
  • The container can be password protected
142
Q

Define

CER

A
  • An X.509 file extension used primarily by Windows
  • Can be encoded either as binary DER or as ASCII PEM format
  • Usually only contains a public key; private keys would be transferred in the .pfx file format
143
Q

Define

PKCS #7

A
  • Public Key Cryptography Standards #7
  • Contains certificates and chain certificates; but does not include private keys
  • .p7b file extension
  • ASCII format
  • Wide support across multiple OSs and platforms
144
Q

Explain

OCSP Stapling

A
  • Instead of the CA needing to respond to all OCSP requests, the certificate holder can verify their own status
  • Status information is stored on the certificate holder’s server
  • OCSP status is “stapled” into the SSL/TLS handshake, digitally signed by the CA
145
Q

Explain

Pinning

A
  • To ensure that you’re really communicating to the legitimate server, you can “pin” the expected certificate or public key to an application.
  • You then compare that pinned certificate to what you see when actually communicating with the server.
  • The cert must be compiled into the app, or added at first run.
  • If the expected cert doesn’t match the certificate the server presents, the application can shut down, show a message, etc.
146
Q

List 5 types of PKI trust relationships.

A
  • Single CA
  • Hierarchical (Single root CA with intermediate and leaf CAs)
  • Mesh (CAs that all certify each other; does not scale well)
  • Web-of-trust (alternative to traditional PKI)
  • Mutual Authentication (Server and client both authenticate to each other)
147
Q

Explain

Key Escrow

A
  • When your private keys (decryption keys) are kept and controlled by a 3rd-party
  • Ex., A business might store employee information in encrypted form, and only be able to access that private info if it is validated by the 3rd party
  • Requires trust in the 3rd party, and very specific and clear processes and procedures for validation
148
Q

What does this stand for?

FDE

A
  • Full Disk Encryption
149
Q

What does this stand for?

HIDS

A
  • Host-based Intrusion Detection System