3.0 - Implementation Flashcards
Define
SRTP
- Secure Real-Time Transport Protocol
- Adds security features to RTP
- Integrity, replay protection, and AES encryption
- Used for voice and video
Define
NTPsec
- A security-hardened implementation of the Network Time Protocol (NTP), forked from the reference implementation in 2015
- Removes legacy code and attack surface from the code base; the protocol on the wire is still NTP
- (NTP servers have commonly been abused as amplifiers in DDoS attacks)
Define
S/MIME
- Secure/Multipurpose Internet Mail Extensions
- Public key encryption and digital signing of mail content
- Requires PKI or similar organization of keys
Define
IPsec
- Internet Protocol Security
- Authenticates, and optionally encrypts, every IP packet at OSI layer 3
- Very standardized, common to use across multiple vendors
- Its two primary protocols are AH and ESP
Explain
AH
- Authentication Header
- One of the core protocols of IPsec
- Adds an Integrity Check Value: a keyed hash (HMAC) over the packet, computed with a shared key
- The hash provides integrity
- The shared key authenticates the origin
- Also includes sequence numbers, to prevent replay attacks
- Does not encrypt data, only provides integrity and origin authentication
- Because the hash also covers the IP header, AH fails when NAT rewrites addresses
- Can be used independently, but is most often used with ESP
Define
ESP
- Encapsulating Security Payload
- One of the core protocols of IPsec
- Adds encryption to IP packets for confidentiality
- Also carries its own integrity check and sequence number, so most deployments use ESP on its own
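The two receive-side checks the AH and ESP cards describe, integrity via a keyed hash and replay protection via a sliding window over the sequence number, as an added example that is not part of the original flashcards. The packet layout is a constructed tuple rather than the real AH/ESP header format, and KEY is a constructed sample key; the window algorithm is the one described in RFC 4303, Appendix A.

```python
import hashlib
import hmac

KEY = b"constructed-shared-key-for-the-example-only"   # constructed; not a real SA key


class AntiReplayWindow:
    """Sliding-window replay check.

    `highest` is the largest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (highest - i) has already been seen.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        if seq == 0:
            return False                         # 0 is never a valid sequence number
        if seq > self.highest:                   # new high-water mark: slide the window up
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                  # everything previously seen falls off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                         # older than the window: reject as too old
        if self.bitmap & (1 << offset):
            return False                         # already seen: replay
        self.bitmap |= 1 << offset               # in-window and new: accept and record
        return True


def compute_icv(key, seq, payload):
    """Integrity Check Value: HMAC over the sequence number and the payload,
    so neither can be altered without the shared key."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def build_packet(key, seq, payload):
    return (seq, payload, compute_icv(key, seq, payload))


def receive(key, window, packet):
    seq, payload, icv = packet
    # Integrity first: a forged packet must not be allowed to move the replay window.
    if not hmac.compare_digest(icv, compute_icv(key, seq, payload)):
        return "bad_icv"
    if not window.check_and_update(seq):
        return "replay"
    return "accepted"


def demo():
    """Constructed traffic: three legitimate packets, a replay of the second,
    and a copy of the third with the payload altered but the ICV left intact."""
    window = AntiReplayWindow()
    p1 = build_packet(KEY, 1, b"GET /status")
    p2 = build_packet(KEY, 2, b"token=abc")
    p3 = build_packet(KEY, 3, b"logout")
    tampered = (p3[0], b"LOGOUT", p3[2])
    return [receive(KEY, window, p) for p in (p1, p2, p3, p2, tampered)]


if __name__ == "__main__":
    print(demo())   # ['accepted', 'accepted', 'accepted', 'replay', 'bad_icv']
```

The order of the two checks matters: verifying the ICV before touching the window means an attacker who cannot forge the HMAC also cannot advance the window and push legitimate in-flight packets out of it.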
Difference between FTPS and SFTP?
- FTPS is “FTP over SSL/TLS”: the original FTP protocol with a TLS layer added
- SFTP is “SSH File Transfer Protocol”: a different protocol carried over an SSH connection, not FTP at all
Define
LDAPS
- LDAP Secure
- LDAP wrapped in SSL/TLS, conventionally on tcp 636
- Not part of the LDAP standard; the standardized alternative is StartTLS on the normal LDAP port (tcp 389)
Define
SASL
- Simple Authentication and Security Layer
- A framework (not a directory service) that lets a protocol plug in many different authentication methods
- Such as Kerberos (via GSSAPI) or client certificates
- Used by LDAP, and also by protocols such as SMTP and IMAP
Define
DNSSEC
- Domain Name System Security Extensions
- Validates DNS responses to authenticate the origin and confirm the data integrity
- Uses public key cryptography: zone data is signed, and resolvers verify the signatures
- Provides integrity and authenticity only, not confidentiality (queries and answers are still sent in the clear)
Define
SNMPv3
- The secure version of SNMP
- Adds authentication, integrity, and confidentiality through encryption
- (SNMPv1 and v2c authenticate only with a plaintext community string)
How can security be added to DHCP?
- It does not include any security functions in its original specification
- Switches can be configured to only allow DHCP responses to come from specified trusted interfaces
- In Active Directory, DHCP servers must be authorized
Define
DHCP Snooping
- The term used by Cisco for the feature of specifying what interfaces on a switch are allowed to send DHCP responses
- Filters invalid IP and DHCP information
Explain
EDR
- Endpoint Detection and Response
- A newer method of threat protection, rather than signature-based
- Detects threats through behavior analysis, machine learning, process monitoring
- Can run through a lightweight agent on an endpoint
- Both investigates threats and can respond to them
- Responses may include isolating the system, quarantining the threat, rolling back to a previous config
- Can be automated and API-driven
What are alternative terms for NGFW?
- Application Layer Gateway
- Stateful Multilayer Inspection
- Deep Packet Inspection
Define
NGFW
- Next-Generation Firewall
- Inspects the application layer, all data in every packet, rather than just looking at IP address and port number
- Can allow or block application features
- Identify attacks and malware
- Examine encrypted data (if configured to manage the keys)
- Prevent access to URLs or URL categories
Define
HIDS and HIPS
- Host-Based Intrusion Detection System and Host-Based Intrusion Prevention System
- Runs directly on an endpoint/host, and looks through log files and system activity to identify intrusions
- HIDS alerts on what it finds; HIPS can also block the activity
Explain
TPM
- Trusted Platform Module
- Hardware installed to assist with cryptography and device security
- Cryptographic processor and key generator
- Comes with unique keys burned in during production
- Can store keys, hardware configuration info, etc.
- Authorization values are password protected, with anti-brute-force (dictionary attack) lockout
How does UEFI BIOS protect against malicious firmware updates?
- BIOS includes the manufacturer’s public key
- When flashing a BIOS update, the firmware’s digital signature is checked against that key
- BIOS will prevent unauthorized writes to the flash
Define
Secure Boot
- Part of the UEFI specification
- When enabled, Secure Boot verifies the bootloader
- Checks the bootloader’s digital signature
- Bootloader must be signed with a trusted certificate, or else its signing key or hash must be manually enrolled by the system owner
- Confirms that no part of that bootloader has been changed
Define
Trusted Boot
- The bootloader verifies the digital signature of the OS kernel
- The boot process will halt if a corrupted kernel is detected
- The kernel then verifies all other startup components, including boot drivers and startup files
- ELAM then runs prior to loading all remaining drivers.
Define
ELAM
- Early Launch Anti-Malware
- A security feature of Windows that checks every driver to see if it is trusted prior to loading it
- Runs early in the boot process
- Checks digital signatures, and prevents untrusted drivers from loading.
Explain
Measured Boot
- During boot, UEFI and the OS loader hash the firmware, boot drivers, and everything else loaded during the Secure Boot and Trusted Boot processes
- Each hash is “extended” into a Platform Configuration Register (PCR) in the TPM, so the final value depends on every component and on the order in which they loaded
- The TPM can sign the PCR values (a “quote”) so they can be sent to a verification server
Define
Remote Attestation / Boot Attestation
- When the Measured Boot process completes, the system sends a boot report (the TPM-signed PCR quote plus the measurement log) to a verification server
- The attestation server checks the TPM signature and compares the report to the known-trusted configuration of the system
- If changes are found, they are identified and various actions can be taken (for example, denying the device network access)
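The measurement side of Measured Boot and the comparison side of Remote Attestation, as an added example that is not part of the original flashcards. The boot components and their contents are constructed byte strings, and the TPM's signature on the quote is assumed to have been checked already (the standard library has no asymmetric primitives to show it); what remains is the PCR extend chain and the verifier's replay-and-compare logic.

```python
import hashlib

PCR_RESET = bytes(32)          # PCRs start at all zeros after a platform reset

# Constructed known-good boot chain: (component name, component image)
GOLDEN_CHAIN = [
    ("firmware", b"uefi firmware build 1.2"),
    ("bootloader", b"bootmgfw.efi signed"),
    ("kernel", b"ntoskrnl.exe 10.0"),
    ("elam_driver", b"wdboot.sys"),
]


def pcr_extend(pcr, image):
    """TPM extend: new = H(old || H(component)). The old value is never
    overwritten, only folded in, so nothing can 'un-measure' a component."""
    digest = hashlib.sha256(image).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_boot_chain(chain):
    """Platform side: extend every component into the PCR in load order and
    keep an event log of (name, digest) so the verifier can explain a mismatch."""
    pcr = PCR_RESET
    log = []
    for name, image in chain:
        pcr = pcr_extend(pcr, image)
        log.append((name, hashlib.sha256(image).hexdigest()))
    return pcr, log


def replay_event_log(log):
    """Recompute the PCR from the log digests alone (the verifier never sees the images)."""
    pcr = PCR_RESET
    for _name, digest_hex in log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr


def attest(quoted_pcr, log, golden_log):
    """Verification-server side.
    1. The event log must reproduce the quoted PCR; if it does not, the log
       has been edited and cannot be trusted as an explanation.
    2. Then compare the log entry by entry with the known-good configuration."""
    if replay_event_log(log) != quoted_pcr:
        return "log_mismatch", []
    changed = [name for (name, d), (_g, gd) in zip(log, golden_log) if d != gd]
    if len(log) != len(golden_log):
        changed.append("component_count")
    return ("trusted" if not changed else "untrusted"), changed


def demo():
    golden_pcr, golden_log = measure_boot_chain(GOLDEN_CHAIN)
    tampered_chain = [(n, (b"bootmgfw.efi patched" if n == "bootloader" else img))
                      for n, img in GOLDEN_CHAIN]
    tampered_pcr, tampered_log = measure_boot_chain(tampered_chain)
    reordered_pcr, _ = measure_boot_chain(GOLDEN_CHAIN[::-1])   # same parts, other order
    return {
        "clean": attest(golden_pcr, golden_log, golden_log),
        "patched_bootloader": attest(tampered_pcr, tampered_log, golden_log),
        "forged_log": attest(tampered_pcr, golden_log, golden_log),
        "order_matters": reordered_pcr != golden_pcr,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The "forged_log" case is the reason the quote has to come from the TPM: a compromised OS can send whatever event log it likes, but it cannot make that log replay to the PCR value the TPM actually holds.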
What is this another name for?
Fuzzing
- A colloquial term for one form of Dynamic Analysis: feeding a running program unexpected input
- May also be referred to as:
- Fault injection
- Robustness testing
- Syntax testing
- Negative testing
Define
Dynamic Analysis
- Testing an application while it is running, rather than inspecting its source
- In fuzzing, random or malformed input is sent to the application
- The tester (or attacker) is looking for vulnerabilities, application crashes, buffer overflows, unhandled exceptions, etc.
- “Fuzzers” are tools to perform this
- Very time and processor resource heavy, but often designed to perform high-probability tests first
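A minimal mutation fuzzer run against a small, deliberately fragile record parser, as an added example that is not part of the original flashcards. Both the record format and the parser are constructed for this example. The point it shows beyond the card: a fuzzer needs to tell the parser's own clean rejections (here, ValueError) apart from genuine crashes (anything else), otherwise every malformed input looks like a finding.

```python
import random


def parse_record(data):
    """Constructed record layout: [length][payload...][checksum].
    The declared length is validated, but the code then assumes the checksum
    byte is present; a record that ends right after the payload raises IndexError."""
    if len(data) < 1:
        raise ValueError("empty record")                # expected rejection
    n = data[0]
    payload = data[1:1 + n]
    if len(payload) != n:
        raise ValueError("truncated payload")           # expected rejection
    checksum = data[1 + n]                              # BUG: no bounds check
    if checksum != sum(payload) & 0xFF:
        raise ValueError("bad checksum")                # expected rejection
    return payload


VALID_RECORD = b"\x05hello\x14"   # constructed seed input; 0x14 == sum(b"hello") & 0xFF


def mutate(data, rng):
    """Three cheap mutation strategies: truncate, overwrite a byte, insert a byte."""
    data = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and len(data) > 1:
        del data[rng.randrange(1, len(data)):]
    elif choice == 1:
        data[rng.randrange(len(data))] = rng.randrange(256)
    else:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(seed_input=VALID_RECORD, iterations=500, seed=1):
    """Return one crashing input per exception type found."""
    rng = random.Random(seed)                           # fixed seed: reproducible run
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        try:
            parse_record(candidate)
        except ValueError:
            continue                                    # parser rejected it cleanly
        except Exception as exc:                        # anything else is a crash
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


def reproduce(data):
    """Re-run one input and report how the parser reacted."""
    try:
        parse_record(data)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for exc_name, sample in fuzz().items():
        print(exc_name, sample, reproduce(sample))
```

Every IndexError the fuzzer finds has the same shape (a length byte, exactly that many payload bytes, and nothing after), which is how a practitioner would then minimise the crash and locate the missing bounds check.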
Describe security concerns surrounding:
Cookies
- Cookies are used for tracking, personalization, and session management
- Generally not a security risk in themselves, unless someone gains access to them (a stolen session cookie is a stolen session)
- Secure cookies have the Secure attribute set, so the browser only sends them over HTTPS
- The HttpOnly attribute keeps scripts from reading a cookie, and SameSite limits when it is sent on cross-site requests
- Sensitive information ought never to be stored in a cookie
Explain
HTTP Secure Headers
- A way for the web server to restrict the capabilities of a browser from performing certain functions
- Useful when an application is being used on your web server, but you aren’t certain of that application’s security
- For example, can be used to:
  ○ enforce HTTPS (Strict-Transport-Security)
  ○ only allow scripts, stylesheets, or images from the local site (Content-Security-Policy; limits XSS)
  ○ prevent the page from loading in an iframe (X-Frame-Options, or CSP frame-ancestors)
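An audit of an HTTP response for the headers and cookie attributes covered by the Cookies card and the HTTP Secure Headers card above, as an added example that is not part of the original flashcards. Both the weak and the hardened responses are constructed for this example, and the one-year HSTS threshold is common practice rather than a value from the cards.

```python
ONE_YEAR = 31536000   # seconds; widely used minimum for HSTS max-age


def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=val' into the cookie name and a dict of
    lower-cased attributes (flag attributes such as Secure map to True)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return name, attrs


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value (0 if absent or malformed)."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def audit_response(headers):
    """headers: list of (name, value) pairs as sent, since Set-Cookie may repeat.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    hsts = by_name.get("strict-transport-security", [None])[0]
    if hsts is None:
        findings.append("missing Strict-Transport-Security: HTTPS is not enforced")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"HSTS max-age {hsts_max_age(hsts)} is shorter than one year")

    csp = by_name.get("content-security-policy", [None])[0]
    if csp is None:
        findings.append("missing Content-Security-Policy: script/style/image sources unrestricted")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline': injected inline scripts still execute")

    # Either header stops the page being framed by another site
    if "x-frame-options" not in by_name and not (csp and "frame-ancestors" in csp):
        findings.append("no X-Frame-Options or CSP frame-ancestors: page can be loaded in a hostile iframe")

    for raw in by_name.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: browser will also send it over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
        if "samesite" not in attrs:
            findings.append(f"cookie {name} lacks SameSite: sent on cross-site requests")
    return findings


# Constructed responses: the same application served with weak and with hardened headers
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self' 'unsafe-inline'"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("WEAK:", finding)
    print("HARDENED:", audit_response(HARDENED_RESPONSE) or "no findings")
```

Run against a live site, the same function would take the header pairs from the HTTP client's response object; the logic does not change.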
Explain
Code Signing
- Application code can be digitally signed by the developer, confirming who published it and that the code has not been modified
- Asymmetric cryptography:
  ○ A trusted CA issues the developer a certificate (signing the developer’s public key)
  ○ The developer signs a hash of the code with their private key
  ○ The client verifies the signature with the public key from the certificate
How can applications be allowed or denied?
- Allow lists and deny lists can be made to control what applications may run on a system
- Lists may be based on, for example:
  ○ Application’s hash
  ○ A certificate, for digitally signed applications
  ○ The application’s path, allowing applications to only run in certain folders
  ○ The application’s network zone
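Evaluating allow and deny rules of the kinds listed above against a few constructed in-memory "files", as an added example that is not part of the original flashcards. Hash and path rules are implemented; a certificate rule needs signature verification and is left out (no asymmetric primitives in the standard library). The rule precedence (explicit deny, then allow, then implicit deny) and the binaries are assumptions of this example.

```python
import hashlib
import posixpath


def sha256_hex(content):
    return hashlib.sha256(content).hexdigest()


# Constructed binaries the administrator has already classified
TRUSTED_EDITOR = b"ELF editor build 4.1"
KNOWN_MALWARE = b"ELF dropper"

POLICY = [
    {"rule": "hash", "sha256": sha256_hex(KNOWN_MALWARE), "action": "deny", "note": "known dropper"},
    {"rule": "hash", "sha256": sha256_hex(TRUSTED_EDITOR), "action": "allow", "note": "approved editor"},
    {"rule": "path", "prefix": "/usr/bin/", "action": "allow", "note": "system binaries"},
]


def rule_matches(rule, path, content):
    if rule["rule"] == "hash":
        return sha256_hex(content) == rule["sha256"]
    if rule["rule"] == "path":
        # Normalise first so '/usr/bin/../../tmp/x' is not treated as living in /usr/bin
        return posixpath.normpath(path).startswith(rule["prefix"])
    raise ValueError(f"unknown rule type {rule['rule']}")


def decide(path, content, policy=POLICY):
    """Return (action, reason) for one execution attempt."""
    matches = [r for r in policy if rule_matches(r, path, content)]
    for r in matches:                       # an explicit deny always wins
        if r["action"] == "deny":
            return "deny", f"explicit deny: {r['note']}"
    for r in matches:
        if r["action"] == "allow":
            return "allow", f"{r['rule']} rule: {r['note']}"
    return "deny", "implicit deny"          # nothing matched


def demo():
    return {
        "trusted_editor": decide("/opt/editor", TRUSTED_EDITOR),
        "modified_editor": decide("/opt/editor", TRUSTED_EDITOR + b" trojanised"),
        "anything_in_usr_bin": decide("/usr/bin/dropped.bin", b"unknown code"),
        "traversal_attempt": decide("/usr/bin/../../tmp/evil", b"unknown code"),
        "malware_in_usr_bin": decide("/usr/bin/ls", KNOWN_MALWARE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The "anything_in_usr_bin" case is the trade-off the card hints at: a path rule is convenient, but it trusts whatever lands in the folder, so the folder's write permissions become part of the policy. A hash rule has the opposite problem: every legitimate update changes the hash and needs a new rule.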
Explain
SAST
- Static Application Security Testing
- A tool to perform automated analysis on source code to identify security flaws
- Findings and recommendations are reported, and would still need to be manually verified and applied
- Not all flaws can be identified this way: design and logic problems, such as broken authentication flows or cryptography that is used correctly in syntax but wrongly in context, need other methods
Name a tool that can scan and verify what ports are open?
- Nmap
Define
SED
- Self-Encrypting Drive
- Hardware-based full disk encryption
- No operating system software needed
- Follows the “Opal storage specification”
What functions may a Load Balancer perform? (six answers)
- Primary function is to manage the load across multiple servers
- May also perform any of the following:
  ○ TCP offload (handles the TCP handshakes and connection state rather than the servers)
  ○ SSL offload (encryption/decryption, so that comm. between balancer and servers is in-the-clear)
  ○ Caching (keeps copy of common responses on balancer, so it can respond quickly on behalf of servers)
  ○ Prioritization / QoS
  ○ Content switching (application-centric balancing, directing different functions to different servers)
Explain Scheduling and list four possible methods
- Scheduling is the method of determining which server a load balancer will direct traffic to
- Example Active/Active methods:
  ○ Round-Robin (each server selected in turn)
  ○ Weighted Round-Robin (prioritizing some servers over others, rather than equal)
  ○ Dynamic Round-Robin (distribute traffic to server with lowest current load)
- Active/Passive scheduling only routes traffic to “passive” servers if an active server fails (making the passive server become active)
Define
Affinity
- In Load Balancing, Affinity connects users to specific servers, so that whenever they reconnect, they will be directed to the same server as previously
- Often based on IP address / port number or session ID
- Used when an application requires communication to the same instance
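The scheduling methods, active/passive failover and affinity from the three cards above, simulated in one small in-memory load balancer, as an added example that is not part of the original flashcards. Server names, weights and client addresses are constructed for the example; real balancers key affinity on source IP, a cookie or a session ID, which the `client_key` argument stands in for.

```python
import itertools


class LoadBalancer:
    def __init__(self, active, method="round_robin", weights=None, passive=(), sticky=False):
        self.servers = list(active)
        self.passive = list(passive)
        self.method = method
        self.weights = dict(weights or {})
        self.sticky = sticky
        self.affinity = {}                                   # client key -> server
        self.connections = {s: 0 for s in self.servers}     # current load per server
        self._rebuild_cycles()

    def _rebuild_cycles(self):
        self._rr = itertools.cycle(self.servers)
        weighted = [s for s in self.servers for _ in range(self.weights.get(s, 1))]
        self._wrr = itertools.cycle(weighted)

    def _schedule(self):
        if self.method == "round_robin":
            return next(self._rr)
        if self.method == "weighted_round_robin":
            return next(self._wrr)
        if self.method == "dynamic_round_robin":
            # lowest current load; ties go to the first server in the list
            return min(self.servers, key=lambda s: (self.connections[s], self.servers.index(s)))
        raise ValueError(f"unknown method {self.method}")

    def connect(self, client_key):
        """Pick a server for a new connection. With affinity on, a returning
        client goes back to its previous server as long as that server is still up."""
        server = self.affinity.get(client_key) if self.sticky else None
        if server not in self.servers:
            server = self._schedule()
            if self.sticky:
                self.affinity[client_key] = server
        self.connections[server] += 1
        return server

    def disconnect(self, server):
        self.connections[server] -= 1

    def mark_down(self, server):
        """Active/passive: drop a failed server and promote the next passive one."""
        self.servers.remove(server)
        del self.connections[server]
        if self.passive:
            promoted = self.passive.pop(0)
            self.servers.append(promoted)
            self.connections[promoted] = 0
        self._rebuild_cycles()


def demo():
    rr = LoadBalancer(["web1", "web2", "web3"])
    wrr = LoadBalancer(["big", "small"], "weighted_round_robin", weights={"big": 2, "small": 1})
    dyn = LoadBalancer(["a", "b", "c"], "dynamic_round_robin")
    for client in ("c1", "c2", "c3"):
        dyn.connect(client)                     # a, b and c each carry one connection
    dyn.disconnect("b")                         # b is now the least loaded
    sticky = LoadBalancer(["web1", "web2"], sticky=True, passive=["spare"])
    first = sticky.connect("10.0.0.1:50000")
    sticky.connect("10.0.0.2:50001")
    again = sticky.connect("10.0.0.1:50000")    # same client: same server, not round-robin
    sticky.mark_down("web1")                    # web1 fails, spare becomes active
    after_failover = sticky.connect("10.0.0.1:50000")
    return {
        "round_robin": [rr.connect(f"c{i}") for i in range(4)],
        "weighted": [wrr.connect(f"c{i}") for i in range(6)],
        "dynamic_after_release": dyn.connect("c4"),
        "sticky_first": first,
        "sticky_again": again,
        "after_failover": after_failover,
        "active_pool": sticky.servers,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The `after_failover` case shows the cost of affinity the card alludes to: when the pinned server dies, the client is re-scheduled onto a different one, and any server-side session state that was not shared is lost.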
Explain
Extranet
- Similar in structure to a DMZ, but usually requires additional authentication to access, rather than allowing any public access
- Often used for partners, vendors, suppliers, etc. to gain access to internal resources
Define
East-West Traffic
- Traffic between devices in the same data center
- Includes traffic between separate customers within the same data center
Define
North-South Traffic
- A term for a data center’s ingress/egress traffic to and from an outside device
- Usually requires a stricter security posture than east-west traffic
Define
Concentrator
- The device that performs encryption and decryption for a VPN connection
- Often integrated into a firewall, but can also be a standalone device
Explain
SSL VPN
- Uses the common SSL/TLS protocol (tcp 443)
- Therefore, usually does not run into any firewall issues
- Authenticates users with their normal credentials
- Unlike IPsec, doesn’t require device certificates or pre-shared keys to be set up on the client
- Can be run from within a browser or a light VPN client, but often doesn’t require a VPN client
Explain
HTML5 VPN
- HTML5 includes API support with web cryptography API
- Allows for the creation of a VPN tunnel in a browser without any VPN application
Explain
L2TP
- Layer 2 Tunneling Protocol
- Connecting sites over a layer 3 network as though they were connected at layer 2
- Commonly implemented with IPsec (L2TP for the tunnel, IPsec for the encryption)
  ○ Sometimes referred to as L2TP over IPsec or L2TP/IPsec
Explain
Transport Mode vs. Tunnel Mode
- IPsec modes of operation
- in Transport mode, only the Data portion of the IP packet is encrypted
- In Tunnel mode, both the IP Header and the Data are encrypted, and a new IP header is added, which directs the packet to the VPN concentrator on the other side of the tunnel.
Define
Broadcast Storm Control
- A security feature for switches
- Limits the number of broadcasts per second
- Often also used to control multicast and unknown unicast traffic
- Can be managed either by specific values, percentages, or deviations from baseline behavior
Define
BPDU
- Bridge Protocol Data Unit
- The primary protocol used by Spanning Tree Protocol
Define
BPDU Guard
- If a BPDU frame is seen on a PortFast configured interface, the interface will shutdown
- This is because PortFast interfaces are only supposed to connect to endpoints, which would never send BPDUs
Define
PortFast
- Cisco’s term for the feature of bypassing the STP listening and learning steps when a device is plugged in
- Configured for ports that are known to only be needed to connect to endpoints, so STP is not needed since it won’t create a loop.
- STP takes 20-30 seconds to determine how to handle a new connection, so bypassing it saves time
Explain
MAC Filtering
- Limiting access to the network based on MAC address Allow Lists
- Security through obscurity
- Not very secure since Allowed MACs on the network can be easily discovered and spoofed
List some security implications of IPv6
four bullets
- No need for NAT
- Some attack types no longer apply (such as ARP spoofing, since IPv6 replaces ARP with Neighbor Discovery, which has spoofing attacks of its own)
- But some new attack types apply, such as Neighbor Cache Exhaustion
- It is not necessarily more or less secure than IPv4, it’s just different
Define
Neighbor Cache Exhaustion
- An IPv6 attack which fills up the neighbor cache on devices
- Can make a system unable to communicate with other devices on the network
Define
SPAN
- Switched Port ANalyzer
- Cisco’s name for port mirroring: traffic from one or more ports or VLANs is copied to a monitoring port where a capture device or analyzer is attached
Define
FIM
- File Integrity Monitoring
- Monitoring changes to files that should never change
- Notifies when changes occur
Two examples of FIM tools?
- Tripwire: Real-time FIM tool for Linux
- SFC (System File Checker): On-demand FIM for Windows
Define
Stateless Firewall
- Older style of firewall that does not keep track of traffic flows
- Packets coming into the network will need access rules to get in, even if it is in response to requests originating from the firewall’s internal network
- Access rules are required for both directions of a session’s traffic
- Security concern: those inbound rules let external traffic in even when it is unsolicited
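The same three packets passed through a stateless rule set and a stateful firewall, as an added example that is not part of the original flashcards. It shows the point of the last two bullets: the stateless design needs an inbound rule for the return traffic, and that rule also admits traffic nobody asked for. Addresses come from the documentation ranges and the policy (inside hosts may open HTTPS outbound) is constructed for the example.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "direction src sport dst dport")
INSIDE = ipaddress.ip_network("10.0.0.0/8")        # constructed internal network


def _in_net(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in net


def _port_ok(rule_port, port):
    return rule_port == "any" or rule_port == port


# Stateless policy: every direction needs its own rule.
# (direction, src net, src port, dst net, dst port, action)
STATELESS_RULES = [
    ("out", INSIDE, "any", "any", 443, "allow"),
    # Needed so replies to the outbound HTTPS connections get back in,
    # but it matches anything arriving from source port 443.
    ("in", "any", 443, INSIDE, "any", "allow"),
]


def stateless_filter(pkt):
    for direction, snet, sport, dnet, dport, action in STATELESS_RULES:
        if (pkt.direction == direction and _in_net(snet, pkt.src) and _port_ok(sport, pkt.sport)
                and _in_net(dnet, pkt.dst) and _port_ok(dport, pkt.dport)):
            return action
    return "deny"                                    # implicit deny


class StatefulFirewall:
    """Only the outbound policy is configured; inbound packets are allowed
    solely when they are the reverse of a flow recorded in the state table."""

    def __init__(self):
        self.flows = set()

    def filter(self, pkt):
        if pkt.direction == "out":
            if _in_net(INSIDE, pkt.src) and pkt.dport == 443:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow"
            return "deny"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"                           # reply to a connection we opened
        return "deny"                                # unsolicited: no rule needed to block it


# Constructed traffic
TRAFFIC = [
    Packet("out", "10.0.0.5", 51000, "198.51.100.20", 443),    # client opens HTTPS
    Packet("in", "198.51.100.20", 443, "10.0.0.5", 51000),     # server replies
    Packet("in", "203.0.113.9", 443, "10.0.0.7", 22),          # unsolicited, crafted source port 443
]


def compare(traffic=TRAFFIC):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    sfw = StatefulFirewall()
    return [(stateless_filter(p), sfw.filter(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, verdicts in zip(TRAFFIC, compare()):
        print(pkt, "stateless/stateful:", verdicts)
```

A real stateful firewall also ages entries out of the table and tracks TCP flags so that a bare SYN from outside cannot pose as a reply; the table lookup shown here is the part that removes the need for the permissive inbound rule.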
Explain
UTM
- Unified Threat Management
- An all-in-one security appliance
- Firewall, Content filter, anti-malware, spam filter, IDS/IPS, VPN endpoint, etc.
- A precursor to NGFW
Explain
WAF
- Web Application Firewall
- Applies rules to HTTP/HTTPS conversations
- Instead of looking at ports and IPs, it allows or denies based on expected input.
If a firewall has an implicit deny, why might an admin create an explicit deny for a specific service?
- Implicit denies are usually not logged. Creating an explicit rule means an attempted access will generate a log entry.
What is an advantage of host-based firewalls?
- Since it runs on the local machine, it can see the contents of encrypted communication (HTTPS, etc.) that a network firewall cannot, because the traffic is decrypted locally.