3.0 - Implementation Flashcards
Define
SRTP
• Secure Real-Time Transport Protocol
• Adds security features to RTP
• Integrity, replay protection, and AES encryption
• Used for voice and video
Define
NTPsec
• Secure Network Time Protocol
• Began development in 2015
• Adds security to NTP and cleans up code base
• (NTP has commonly been used as amplifiers in DDoS attacks)
Define
S/MIME
• Secure/Multipurpose Internet Mail Extensions
• Public key encryption and digital signing of mail content
• Requires PKI or similar organization of keys
Define
IPsec
• Internet Protocol Security
• Allows sending of data over OSI layer 3 with authentication and encryption for every packet
• Very standardized, common to use across multiple vendors
• Its two primary protocols are AH and ESP
Explain
AH
• Application Header
• One of the core protocols of IPsec
• Adds a hash of the IP packet and a shared key
• The hash adds integrity
• The shared key authenticates the origin
• Also includes sequence numbers, to prevents replay attacks
• Does not encrypt data, only provides integrity
• Can be used independently, but is most often used with ESP
Define
ESP
• Encapsulation Security Payload
• One of the core protocols of IPsec
• Adds encryption to IP packets
Difference between FTPS and SFTP?
• FTPS is “FTP over SSL”
• SFTP is “SSH FTP”
Define
LDAPS
• LDAP Secure
• A non-standard implementation of LDAP over SSL
Define
SASL
• Simple Authentication and Security Layer
• Directory service to provide authentication using many different methods
• Such as Kerberos or client certificate
• Can be used by LDAP
Define
DNSSEC
• Domain Name System Security Extensions
• Validates DNS responses to authenticate the origin and confirm the data integrity
• Uses public key cryptography
Define
SNMPv3
• The secure version of SNMP
• Adds authentication, integrity, and confidentiality through encryption
How can security be added to DHCP?
• It does not include any security functions in its original specification
• Switches can be configured to only allow DHCP responses to come from specified trusted interfaces
• In Active Directory, DHCP servers must be authorized
Define
DHCP Snooping
• The term used by Cisco for the feature of specifying what interfaces on a switch are allowed to send DHCP responses
• Filters invalid IP and DHCP information
Explain
EDR
• Endpoint Detection and Response
• A newer method of threat protection, rather than signature-based
• Detects threats through behavior analysis, machine learning, process monitoring
• Can run through a lightweight agent on an endpoint
• Both investigates threats and can respond to it
• Reponses may include isolating the system, quarantining the threat, rolling back to a previous config
• Can be automated and API-driven
What are alternative terms for NGFW?
• Application Layer Gateway
• Stateful Multilayer Inspection
• Deep Packet Inspection
Define
NGFW
• Next-Generation Firewall
• Inspects the application layer, all data in every packet, rather than just looking at IP address and port number
• Can allow or block application features
• Identify attacks and malware
• Examine encrypted data (if configured to manage the keys)
• Prevent access to URLs or URL categories
Define
HIDS and HIPS
• Host-Based Intrusion Detection System
and
• Host-Based Intrusion Prevention System
• Runs directly on an endpoint/host, and looks through log files to identify intrusions
Explain
TPM
• Trusted Platform Module
• Hardware installed to assist with cryptography and device security
• Cryptographic processor and key generator
• Comes with unique keys burned in during production
• Can store keys, hardware configuration info, etc.
• Password protected with anti-brute force features
How does UEFI BIOS protect against malicious firmware updates?
• BIOS includes the manufacturer’s public key
• When flashing a BIOS update, the firmware’s digital signature is checked against that key
• BIOS will prevent unauthorized writes to the flash
Define
Secure Boot
• Part of the UEFI specification
• When enabled, Secure Boot verifies the bootloader
• Checks the bootloader’s digital signature
• Bootloader must be signed with a trusted certificate, or else its signature must be manually approved
• Confirms that no part of that bootloader has been changed
Define
Trusted Boot
• The bootloader verifies the digital signature of the OS kernel
• The boot process will halt if a corrupted kernel is detected
• The kernel then verifies all other startup components, including boot drivers and startup files
• ELAM then runs prior to loading all remaining drivers.
Define
ELAM
• Early Launch Anti-Malware
• A security feature of Windows that checks every driver to see if it is trusted prior to loading it
• Runs early in the boot process
• Checks digital signatures, and prevents untrusted drivers from loading.
Explain
Measured Boot
• UEFI stores a hash of firmware, boot drivers, and everything else loaded during Secure Boot and Trusted Boot processes
• This hash is stored in the TPM and can be sent, encrypted and signed by the TPM, to a verification server
Define
Remote Attestation / Boot Attestation
• When the Measured Boot process completes, the TPM encrypts, signs, and sends an operational report to a verification server
• The attestation server receives the boot report, and compares it to the known-trusted configuration of the system
• If changes are found, they are identified and various actions can be taken
What is this another name for?
Fuzzing
• A colloquial term for Dynamic Analysis
• May also be referred to as:
• Fault-injecting
• Robustness testing
• Syntax testing
• Negative testing
Define
Dynamic Analysis
• A type of attack on applications, where random input is sent
• Attacker is looking for vulnerabilities, application crashes, buffer overflows, exceptions, etc.
• “Fuzzers” are tools to perform this.
• Very time and processor resource heavy, but often designed to perform high-probability tests first.
Describe security concerns surrounding:
Cookies
• Cookies are used for tracking, personalization, and session management
• Generally should not be a security risk, unless someone gains access to them.
• Secure Cookies have an attribute set that requires they will only be sent over HTTPS
• Sensitive information ought never to be stored in a cookie
Explain
HTTP Secure Headers
• A way for the web server to restrict the capabilities of a browser from performing certain functions
• Useful when an application is being used on your web server, but you aren’t certain of that application’s security
• For example, can be used to:
○ enforce HTTPS ○ only allow scripts, stylesheets, or images from the local site (preventing XSS attacks) ○ prevent data from loading in an iframe
Explain
Code Signing
• Application code can be digitally signed by the developer, confirming that the code has not been modified
• Asymmetric encryption:
○ A trusted CA signs the developer's public key ○ And the developer signs the code with their private key
How can applications be allowed or denied?
• Allow lists and deny lists can be made to control what applications may run on a system
• Lists may be based on, for example:
○ Application's hash ○ A certificate, for digitally signed applications ○ The application's path, allowing applications to only run in certain folders ○ The application's network zone
Explain
SAST
• Static Application Security Testing
• A tool to perform automated analysis on source code to identify security flaws
• Findings and recommendations are reported, and would still need to be manually verified and applied
• Not all flaws can be identified this way, such as authentication security issues and insecure cryptography
Name a tool that can scan and verify what ports are open?
• Nmap
Define
SED
• Self-Encrypting Drive
• Hardware-based full disk encryption
• No operating system software needed
• Follows the “Opal storage specification”
What functions may a Load Balancer perform? (six answers)
• Primary function it to manage the load across multiple servers
• May also perform any of the following:
○ TCP offload (handles some TCP traffic rather than the servers) ○ SSL offload (encryption/decryption, so that comm. between balancer and servers is in-the-clear) ○ Caching (keeps copy of common responses on balancer, so it can respond quickly on behalf of servers) ○ Prioritization / QoS ○ Content switching (application-centric balancing, directing different functions to different servers)
Explain Scheduling and list four possible methods
• Scheduling is the method of determining which server a load balancer will direct traffic to
• Example Active/Active methods:
○ Round-Robin (each server selected in turn) ○ Weighted Round-Robin (prioritizing some servers over others, rather than equal) ○ Dynamic Round-Robin (distribute traffic to server with lowest current load)
• Active/Passive scheduling will only route traffic to “passive” servers if an active server fails (making the passive server become active)
Define
Affinity
• In Load Balancing, Affinity connects users to specific servers, so that whenever they reconnect, they will be directed to the same server as previously
• Often based on IP address / port number or session ID
• Used when an application requires communication to the same instance
Explain
Extranet
• Similar in structure to a DMZ, but usually requires additional authentication to access, rather than allowing any public access
• Often used for partners, vendors, suppliers, etc. to gain access to internal resources
Define
East-West Traffic
• Traffic between devices in the same data center
• Includes traffic between separate customers within the same data center
Define
North-South Traffic
• A term for a data center’s Ingres/egress traffic to and from an outside device
• Usually requires a stricter security posture than east-west traffic
Define
Concentrator
• The device that performs encryption and decryption for a VPN connection
• Often integrated into a firewall, but can also be a standalone device
Explain
SSL VPN
• Uses the common SSL/TLS protocol (tcp 443)
• Therefore, usually does not run into any firewall issues
• can authenticate users
• Doesn’t require digital certificates or shared passwords
• Can be run from within a browser or a light VPN client, but often doesn’t require a VPN client
Explain
HTML5 VPN
• HTML5 includes API support with web cryptography API
• Allows for the creation of a VPN tunnel in a browser without any VPN application
Explain
L2TP
• Layer 2 Tunneling Protocol
• Connecting sites over a layer 3 network as though they were connected at layer 2
• Commonly implemented with IPsec (L2TP for the tunnel, IPsec for the encryption)
○ Sometimes referred to as L2TP over IPsec or L2TP/IPsec
Explain
Transport Mode vs. Tunnel Mode
• IPsec modes of operation
• in Transport mode, only the Data portion of the IP packet is encrypted
• In Tunnel mode, both the IP Header and the Data are encrypted, and a new IP header is added, which directs the packet to the VPN concentrator on the other side of the tunnel.
Define
Broadcast Storm Control
• A security feature for switches
• Limits the number of broadcasts per second
• Often also used to control multicast and unknown unicast traffic
• Can be managed either by specific values, percentages, or deviations baseline behavior
Define
BPDU
• Bridge Protocol Data Unit
• The primary protocol used by Spanning Tree Protocol
Define
BPDU Guard
• If a BPDU frame is seen on a PortFast configured interface, the interface will shutdown
• This is because PortFast interfaces are only supposed to connect to endpoints, which would never send BPDUs
Define
PortFast
• Cisco’s term for the feature of bypassing the STP listening and learning steps when a device is plugged in
• Configured for ports that are known to only be needed to connect to endpoints, so STP is not needed since it won’t create a loop.
• STP takes 20-30 seconds to determine how to handle a new connection, so bypassing it saves time
Explain
MAC Filtering
• Limiting access to the network based on MAC address Allow Lists
• Security through obscurity
• Not very secure since Allowed MACs on the network can be easily discovered and spoofed
List some security implications of IPv6
(four bullets)
• No need for NAT
• Some attack types no longer apply (such as ARP spoofing, since there is no ARP)
• But some new attack types apply, such as Neighbor Cache Exhaustion
• It is not necessarily more or less secure than IPv4, it’s just different
Define
Neighbor Cache Exhaustion
• An IPv6 attack which fills up the neighbor cache on devices
• Can make a system unable to communicate with other devices on the network
Define
SPAN
• Switched Port ANalyzer
• Cisco’s name for port mirroring to a software-based tap
Define
FIM
• File Integrity Monitoring
• Monitoring changes to files that should never change
• Notifies when changes occur
Two examples of FIM tools?
• Tripwire: Real-time FIM tool for Linux
• SFC (System File Checker) - On-demand FIM for Windows
Define
Stateless Firewall
• Older style of firewall that does not keep track of traffic flows
• Packets coming into the network will need access rules to get in, even if it is in response to requests originating from the firewall’s internal network
• Access rules are required for both directions of a session’s traffic
• Security concerns since rules require that external traffic will gain entry even if it is unsolicited
Explain
UTM
• Unified Threat Management
• An all-in-one security appliance
• Firewall, Content filter, anti-malware, spam filter, IDS/IPS, VPN endpoint, etc.
• A precursor to NGWF
Explain
WAF
• Web Application Firewall
• Applies rules to HTTP/HTTPS conversations
• Instead of looking at ports and IPs, it allows or denies based on expected input.
If a firewall has an implicit deny, why might an admin create an explicit deny for a specific service?
• Implicit denies are not logged. Creating a rule means an attempted access will generate a log.
What is an advantage of host-based firewalls?
• Since it runs on your local machine, it can view traffic from an encrypted communication (HTTPS, etc.), since it is decrypted locally.
Define
Dissolvable Agent
• Used for Network Access Control
• For running health checks and posture assessment on devices on / connecting to the network
• No installation required
• Runs during the assessment, and terminates when no longer required
Define
Agentless NAC
• Used for Network Access Control
• For running health checks and posture assessment on devices on / connecting to the network
• Integrated with Active Directory
• Checks are made during login and logoff
• Only runs at those times; cannot be scheduled
What functions may a Proxy Server perform? (list 5)
• Keeping a local cache of information
• Access Control
• URL Filtering
• Content Scanning
• A Reverse Proxy, which examines incoming requests from the Internet before sending them to a web server
Define
Transparent Proxy Server
• A proxy server on a network, where endpoints don’t need to be explicitly configured to use it, and aren’t aware of it.
What does this stand for?
NIDS
• Network-based Intrusion Detection System
What does this stand for?
NIPS
• Network-based Intrusion Prevention System
What is an out-of-band response?
• When a passive IPS (not in-line with traffic) identifies malicious traffic and sends an TCP RST (reset) frame to prevent further traffic
• It does not prevent the original packet from going through, but disrupts the traffic flow and prevents further communication
• The reset frame is part of the TCP protocol; this response does not work with UDP traffic
What methods can be used by an IPS to identify malicious activity? (Four answers)
• Signature-based: Must match exactly
• Anomaly-based: Create a baseline of what’s normal to detect unusual activity
• Behavior-based: Programmed to know what certain malicious activities might look like
• Heuristics: use artificial intelligence and big data
Define
Jump Server
• A system that you connect to in order to access other internal systems
• Must be highly-secured, hardened, and monitored
Define
HSM
• Hardware Security Module
• A dedicated server for handling cryptographic functions, storing keys, certificates, etc.
• Used in very large environments with many devices that need cryptographic keys
• Usually installed in clusters with lots of redundancy
• Built with specialized hardware designed for cryptography
• Can act as a proxy to offload encrypted communication for webservers, and forward the traffic to the webservers in the clear
What does this stand for?
MIC
• Message Integrity Check
Define:
CCMP
• Stands for: Counter/CBC-MAC Protocol
• A block cipher mode
• The type of encryption used with WPA2
• Uses AES for confidentiality
• Uses CBC-MAC for MIC
Define:
CBC-MAC
• Cipher Block Chaining Message Authentication Code Protocol
• A form of MIC (Message Integrity Check)
Define:
GCMP
• Galois/Counter Mode Protocol
• A block cipher mode
• The type of encryption used in WPA3
• Uses AES for confidentiality
• Uses GMAC for MIC
Define:
GMAC
• Galois Message Authentication Code
• A form of MIC
What security advantages does WPA3 have over WPA2?
• WPA2 is susceptible to brute force attacks. Once the passphrase is known, an attacker can read all communication of all devices
• WAP3 uses:
○ mutual authentication ○ creates a shared session key without sending that key across the network ○ perfect forward secrecy ○ SAE
Explain:
Perfect Forward Secrecy
• A session key is created for each session, and disposed of when the session is over
• New sessions would create a new key
• Used, among other places, in WPA3
Explain:
SAE
• Simultaneous Authentication of Equals
• A Diffie-Hellman derived key exchange (same process), but adds an authentication component
• An IEEE standard
• sometimes called the dragonfly handshake
• Used, among other places, in WPA3
Describe WPS from a security standpoint.
• Best practice is to disable it
• If it does not have brute-force protection built in, it is extremely easy to brute force
• Only 11,000 possible combinations need to be tried to gain access
• Brute-force lockouts are now the norm, but most devices out there don’t have it.
How can WPS authenticate a device?
• a PIN (which is easily brute-forced)
• A physical button to push on the WAP
• NFC
What type of authentication does WPA2-Enterprise use?
• 802.1X
Explain
802.1X
• A type of network access control that requires authentication to access the network, whether wired or wireless
• Typically uses a central authentication database such as RADIUS, LDAP, TACACS+, etc.
• The authenticator (the device that provides network access) communicates to an authentication server on behalf of the supplicant (client)
Define
NAC
• Port-based Network Access Control
• A name for 802.1X
Define:
EAP
• Extensible Authentication Protocol
• The authentication protocol used by 802.1X, as well as many other types of authentication for wireless networks
• Supports multiple types of authentication
• Manufacturers can build their own EAP methods
Explain:
EAP-FAST
• EAP Flexible Authentication via Secure Tunneling
• Ensures that the authentication server and supplicant can communicate with each other over a secure tunnel.
• The server provides a protected access credential (PAC), i.e. a shared secret, to the supplicant, they mutually authenticate and negotiate a TLS tunnel, and user authentication occurs over the TLS tunnel.
Define:
PAC
• Protected Access Credential
• A shared secret, used in EAP-FAST
Define:
AS
• The acronym used for the Authentication Server in EAP
Define
PEAP
• Protected EAP (Extensible Authentication Protocol)
• Created by Cisco, Microsoft, and RSA Security
• Similar to EAP-FAST, but instead of a PAC (Private Access Credential), the AS uses a digital certificate.
• (As with a web server, the client does not need its own certificate, only the server)
• User can authenticate using MSCHAPv2 for Microsoft services, or GTC
What does this stand for?
MSCHAPv2
• Microsoft Challenge Handshake Authentication Protocol version 2
What does this stand for?
GTC
• Generic Token Card
Explain:
EAP-TLS
• EAP with TLS
• Similar to PEAP, but requires a digital certificate on the client as well as the AS, so they can mutually authenticate
• Once devices have authenticated to each other, the TLS tunnel is built for the user authentication process
• Complex implementation as it requires all network devices to have certificates
• May not be suitable, as not all devices can support the use of digital certificates,
Explain:
EAP-TTLS
• EAP Tunneled TLS
• Similar to PEAP, builds a TLS tunnel using the digital certificate of the AS
• (Does not require the supplicant to have a certificate)
• Can use any authentication method inside the TLS tunnel, including other EAPs, MSCHAPv2, or anything else.
Define
Wireless Controller
• A centralized management device for wireless access points
• Allows management of system configuration, performance, updates, etc.
Define
MCM
• Mobile Content Management
• Controls for securing access to data and protecting it from outsiders
• Managed from the mobile device manager (MDM)
• May include controls for file sharing and viewing, as well as DLP and encryption requirements
Explain
Context-Aware Authentication
• An emerging technology
• Looks at multiple contexts to determine whether a login attempt is likely to be authentic
• Contexts may include:
○ Device IP address ○ GPS information ○ Devices connected / Bluetooth paired to the device ○ more
In the context of BYOD, define:
Containerization
• The separation of enterprise mobile apps and data from personal apps and data
• Storage on a mobile device is segmented to keep business data in a contained area with restricted sharing
• Makes offboarding much easier. Business data can be wiped without removing personal data.
Define
MicroSD HSM
• A small Hardware Security Module, in microSD card form
• Provides security services to mobile devices, such as:
○ encryption ○ key generation ○ digital signatures ○ authentication
Explain
UEM
• Unified Endpoint Management
• Similar to MDM, but also manages non-mobile devices
• Allows users to change between devices, such as phone and laptop, and still have same security and access
Explain
MAM
• Mobile Application Management
• Provision, update, and remove apps from your own enterprise app catalog
• Monitor application use
• Fine-grained control of wiping data
Explain
SEAndroid
• Security Enhancements for Android
• Puts SELinux functions into Android OS
• Supports additional access control security policies
• Enabled by default since Android version 4.3 in July 2013
• Developed by NSA
List some security features added by SEAndroid (four answers)
• Protects privileged access to Android system daemons
• Changed Discretionary Access Control (DAC) to Mandatory Access Control (MAC)
• Isolate and sandboxes Android apps
• Centralized policy configuration
Define:
OTA
• Over the Air
• A type of firmware update for mobile devices
• Delivered wirelessly without needing to connect to any device
List some capabilities of MDM
• Control firmware updates
• Use an allow list or block list of approved / blocked apps
• Control microphone/camera use to disable/enable either always or only in certainly locations
• Control SMS/MMS usage by timeframe or location
Define
USB OTG
• USB On-the-Go
• A USB 2.0 Standard that allows supported devices to connect directly together
• A mobile device can act as both a host and a device, acting as storage
Define
Geotagging
• aka GPS Tagging
• Adds location to file metadata
• Can cause security concern, since investigating these files can create a path of a user
• Can be disabled
Define
COPE
• Corporate-Owned, Personally-Enabled
• A mobile deployment model
• Similar to BYOD, but the company buys the device and allows it to also be used for personal use
• Company keeps full control of device
Define
CYOD
• Choose Your Own Device
• Similar to COPE, but with the user’s choice of device
Explain
VMI
• Virtual Mobile Infrastructure
• Like thin clients, mobile phones can also connect to a cloud service where apps and data are stored
• If the device is lost, no data is lost, no security concern
• Allows for centralized app development, since you only need to write for a single VMI platform
• No need to update all individual devices
Define
AZ
• Availability Zone
• Isolated locations with a cloud region (geographic location)
• Each AZ is completely independent
Define
HA Across Zones
High Availability Across (Availability) Zones
• Highly Available applications can be aware of Availability Zones, and recognize an outage in a particular zone to adjust accordingly
Define
IAM
• Identity and Access Management
• Cloud resource security control to determine who gets access, and what they get access to
• Maps job functions to roles
• Granular policies control access by user group, IP, date and time, geolocation, etc.
Define
VPC Endpoint
• Virtual Private Cloud Endpoint
• Allows private cloud subnets to communicate to other cloud services, even without an internet connection.
• Facilitates connectivity between VPCs and cloud services such as storage.
What are some tips for container security?
• Use OSs that are designed specifically for containers
• Group containers of similar type onto the same host, to limit the scope of any intrusion
Define
Security Group
• In the context of Cloud Computing:
• Security Groups provide Layer 4 firewall services for all resources within a VPC (Virtual Private Cloud)
• Not to be confused with Security Groups in Active Directory
• Not sure why they’re not just called “VPC Firewalls” or something.
Define
DAC vs. MAC
• Discretionary Access Control / Mandatory Access Control
• In DAC model, users have control over access to their own data or local computer resources
• In MAC model, access permissions are set by administrators. Resources objects (such as files) are given security labels which assign a classification and category, which matches it to users’ classifications and categories to determine access.
Explain
CASB
• Cloud Access Security Broker
• May be installed as client software, run as a local network appliance, or a cloud service
• Four functions:
○ Visibility into what apps are in use, what data is being transferred, etc.
○ Enforce compliance regulations
○ Prevent threats / disallowed blocked items
○ Data Security: Enforce DLP, Encryption, etc.
Explain
SWG
• Next-Gen Secure Web Gateway
• Protects users and devices regardless of location and activity
• Goes beyond just examing Layer 4 (TCP/UDP), URLs, and GET requests
• Examines JSON strings and API requests, to allow or disallow very specific activities
Explain
IdP
• Identity Provider
• A third-party providing identity control for another service.
• Essentially “Authentication as a Service”
• Commonly used by SSO applications
Explain
SSH Keys
• The use of public/private cryptographic keys to authenticate in SSH instead of a username and password
• Especially used for automation and scripts, since you won’t be there to enter a password when the script is running
• Key management is crticial, to centralize, control, and audit key use
• Both open source and commercial SSH key managers are available
How to generate and login with an SSH key?
• ssh-keygen
○ the command in Linux or MacOS
○ Creates a public/private key pair for authentication
• Copy the public key to the SSH server:
○ ssh-copy-id user@host
• Copy the private key to any system that will need to login
• You can now login with the following command, no password required:
○ ssh user@host
Explain
KBA
• Knowledge-Based Authenication
• A form of “Something you know”
• Static KBA: Pre-configured security questions, often used with account recovery.
○ Ex., what was your first car?
• Dynamic KBA: Not pre-configured, but pulled from some other source, often an identity verification service.
○ Ex., Which of the following addresses did you live at in 1999?
Explain
PAP
• Password Authentication Protocol
• An old, basic authentication method.
• Rare today. Used only in legacy systems.
• No encryption, designed for analog dialup connections.
• When used today, the application may provide encryption, encapsulated within PAP, so it’s not sent in the clear.
Explain
CHAP
• Challenge-Handshake Authentication Protocol
• Encrypted challenge sent over the network
• A step up from PAP
• Server sends a challenge based on the password, which verifies both sides have that password, without sending the password itself.
• This challenge-response may continue to occur periodically during the connection, invisible to the user
Explain
MS-CHAP
• Microsoft’s implementation of CHAP
• MS-CHAP v2 is the most recent version
• Both v1 and v2 are insecure and should not be used, because they use DES
• DES is susceptible to brute force decryption of the hash
Explain
TACACS
• Terminal Access Controller Access-Control System
• A remote authentication protocol
• Originally built when using analog dial-up lines
• Created for access ARPANET
Explain
XTACACS
• Extended TACACS
• Cisco proprietary version of TACACS
• Has additional support for accounting and auditing
Explain
TACACS+
• The latest version of TACACS. released in 1993
• If using TACACS today, it is probably this version
• Adds more authentication requests and response codes
Explain
Kerberos
• a Network authentication protocol
• Authenticates once, then you are trusted by the system and don’t need to re-authenticate to access resources
• Server provides a “ticket” that your system uses to authenticate to other systems without entering password again
• Mutual authentication, which protects against on-path or replay attacks
• Standard since 1980s, Microsoft began using it in Windows 2000
What databased may be used on the backend of IEEE 802.1X?
• Can work with a variety, including:
• RADIUS
• LDAP
• TACACS+
Define
SAML
• Security Assertion Markup Language
• An open standard for authentication and authorization
• Authenticate through a third-party to gain access
• Not designed to support mobile apps, so is likely to decline in usage as time goes on
What is the flow of SAML?
• Client accesses resource server
• Resource server sends signed/encrypted SAML request to client, and directs them to the authorization server
• Client signs into the Authorization Server
• Authorization Server provides SAML token
• Client sends SAML token to resource server and gain access
Explain
OAuth
Open Authorization
• An authorization framework with significant industry support
• Determines what resources a user can access
• Does not authenticate, only authorizes
• Often used to provide authorization between applications
• Ex. “Datto wants permissions to your Microsoft 365 account for the following. Do you want to allow this?”
Explain
ABAC
• Attribute-Based Access Control
• Next-gen authorization model, aware of context
• Combines and evalutes multiple parameters to determine access
• Ex. IP address, time of day, desired action, etc.
Explain
PAM
• Privileged Access Management
• Centralized management of administrative / superuser accounts
• When an admin needs to perform administrative task or gain access, they make a request from the vault, and the privileged access they need is granted only temporarily. “Checked out.”
• Enables automation
• manages access for each user
• extensive tracking and auditing
Explain
CRL
• Certificate Revocation List
• Maintained by the CA
• Contains many revocations in a large file which changes all the time.
Explain
OCSP
• Online Certificate Status Protocol
• Allows a web browser to check revocation status of a single certificate
• Requests are usually sent to an OCSP responder, managed by the CA, via HTTP
• More efficient than downloading an entire CRL just to check one certificate
• Most modern browsers support OSCP, but some older browsers and apps do not.
Define:
DV
• Domain Validation Certificate
• SSL Certificate that shows the owner of the certificate is control over the DNS domain
• This is the most common certificate used by websites
Define
EV
• Extended Validation Certificate
• Like a DV, but additional checks have verified the certificate owner’s identity
• Browsers will show a name in the address bar next to the padlock icon that indicates the SSL connection
• Not common anymore, since SSL has become standard, there’s not much point in promoting your use of it.
Explain
X.509
• The standard structure for digital certificates
Explain
DER
• Distinguished Encoding Rules
• A type of binary encoding format
• Common and used across many platforms
• perfect for an X.509 certificate
Explain
PEM
• Stands for “Privacy-Enhanced Mail”
• An encoded X.509 certificate in ASCII format
• Makes it easier to read and e-mail, rather than the binary form of DER
• The most common format provided by CAs
Define
PKCS #12
• Public Key Cryptography Standards #12
• A container format for many certificates
• Store multiple X.509 certs in a single .p12 or .pfx file
• Often used to transfer a private and public key pair
• The container can be password protected
Define
CER
• An X.509 file extension used primarily by Windows
• Can be encoded either as binary DER or as ASCII PEM format
• Usually only contains a public key; private keys would be transferred in the .pfx file format
Define
PKCS #7
• Public Key Cryptography Standards #7
• Contains certificates and chain certificates; but does not include private keys
• .p7b file extension
• ASCII format
• Wide support across multiple OSs and platforms
Explain
OCSP Stapling
• Instead of the CA needing to respond to all OCSP requests, the certificate holder can verify their own status
• Status information is stored on the certificate holder’s server
• OCSP status is “stapled” into the SSL/TLS handshake, digitally signed by the CA
Explain
Pinning
• To ensure that you’re really communicating to the legitimate server, you can “pin” the expected certificate or public key to an application.
• You then compare that pined certificate to what you see when actually communicating with the server.
• The cert must be compiled into the app, or added at first run.
• If the expected cert doesn’t match the certificate the server presents, the application can either shut down, or show a message, or etc.
List 5 types of PKI trust relationships.
• Single CA
• Hierachical (Single root CA with intermediate and leaf CAs)
• Mesh (CAs that all certify each other; does not scale well)
• Web-of-trust (alternative to traditional PKI)
• Mutual Authentication (Server and client both authenticate to each other)
Explain
Key Escrow
• When your private keys (decryption keys) are kept and controlled by a 3rd-party
• Ex., A business might store employee information in encrypted form, and only be able to access that private info if it is validated by the 3rd party
• Requires trust of the 3rd party and very specific and clear process and procedures for validating
What does this stand for?
FDE
• Full Disk Encryption
What does this stand for?
HIDS
• Host-based Intrusion Detection System
