3.0 - Implementation Flashcards

1
Q

Define

SRTP

A

• Secure Real-Time Transport Protocol

• Adds security features to RTP

• Integrity, replay protection, and AES encryption

• Used for voice and video

2
Q

Define

NTPsec

A

• Secure Network Time Protocol

• Began development in 2015

• Adds security to NTP and cleans up code base

• (NTP has commonly been used as an amplifier in DDoS attacks)

3
Q

Define

S/MIME

A

• Secure/Multipurpose Internet Mail Extensions

• Public key encryption and digital signing of mail content

• Requires PKI or similar organization of keys

4
Q

Define

IPsec

A

• Internet Protocol Security

• Allows sending of data over OSI layer 3 with authentication and encryption for every packet

• Very standardized, common to use across multiple vendors

• Its two primary protocols are AH and ESP

5
Q

Explain

AH

A

• Application Header

• One of the core protocols of IPsec

• Adds a hash of the IP packet and a shared key

• The hash adds integrity

• The shared key authenticates the origin

• Also includes sequence numbers, to prevent replay attacks

• Does not encrypt data, only provides integrity

• Can be used independently, but is most often used with ESP

6
Q

Define

ESP

A

• Encapsulation Security Payload

• One of the core protocols of IPsec

• Adds encryption to IP packets

7
Q

Difference between FTPS and SFTP?

A

• FTPS is “FTP over SSL”

• SFTP is “SSH FTP”

8
Q

Define

LDAPS

A

• LDAP Secure

• A non-standard implementation of LDAP over SSL

9
Q

Define

SASL

A

• Simple Authentication and Security Layer

• Directory service to provide authentication using many different methods

• Such as Kerberos or client certificate

• Can be used by LDAP

10
Q

Define

DNSSEC

A

• Domain Name System Security Extensions

• Validates DNS responses to authenticate the origin and confirm the data integrity

• Uses public key cryptography

11
Q

Define

SNMPv3

A

• The secure version of SNMP

• Adds authentication, integrity, and confidentiality through encryption

12
Q

How can security be added to DHCP?

A

• It does not include any security functions in its original specification

• Switches can be configured to only allow DHCP responses to come from specified trusted interfaces

• In Active Directory, DHCP servers must be authorized

13
Q

Define

DHCP Snooping

A

• The term used by Cisco for the feature of specifying what interfaces on a switch are allowed to send DHCP responses

• Filters invalid IP and DHCP information

14
Q

Explain

EDR

A

• Endpoint Detection and Response

• A newer method of threat protection, rather than signature-based

• Detects threats through behavior analysis, machine learning, process monitoring

• Can run through a lightweight agent on an endpoint

• Both investigates threats and can respond to them

• Responses may include isolating the system, quarantining the threat, rolling back to a previous config

• Can be automated and API-driven

15
Q

What are alternative terms for NGFW?

A

• Application Layer Gateway

• Stateful Multilayer Inspection

• Deep Packet Inspection

16
Q

Define

NGFW

A

• Next-Generation Firewall

• Inspects the application layer, all data in every packet, rather than just looking at IP address and port number

• Can allow or block application features

• Identify attacks and malware

• Examine encrypted data (if configured to manage the keys)

• Prevent access to URLs or URL categories

17
Q

Define

HIDS and HIPS

A

• Host-Based Intrusion Detection System

and

• Host-Based Intrusion Prevention System

• Runs directly on an endpoint/host, and looks through log files to identify intrusions

18
Q

Explain

TPM

A

• Trusted Platform Module

• Hardware installed to assist with cryptography and device security

• Cryptographic processor and key generator

• Comes with unique keys burned in during production

• Can store keys, hardware configuration info, etc.

• Password protected with anti-brute force features

19
Q

How does UEFI BIOS protect against malicious firmware updates?

A

• BIOS includes the manufacturer’s public key

• When flashing a BIOS update, the firmware’s digital signature is checked against that key

• BIOS will prevent unauthorized writes to the flash

20
Q

Define

Secure Boot

A

• Part of the UEFI specification

• When enabled, Secure Boot verifies the bootloader

• Checks the bootloader’s digital signature

• Bootloader must be signed with a trusted certificate, or else its signature must be manually approved

• Confirms that no part of that bootloader has been changed

21
Q

Define

Trusted Boot

A

• The bootloader verifies the digital signature of the OS kernel

• The boot process will halt if a corrupted kernel is detected

• The kernel then verifies all other startup components, including boot drivers and startup files

• ELAM then runs prior to loading all remaining drivers.

22
Q

Define

ELAM

A

• Early Launch Anti-Malware

• A security feature of Windows that checks every driver to see if it is trusted prior to loading it

• Runs early in the boot process

• Checks digital signatures, and prevents untrusted drivers from loading.

23
Q

Explain

Measured Boot

A

• UEFI stores a hash of firmware, boot drivers, and everything else loaded during Secure Boot and Trusted Boot processes

• This hash is stored in the TPM and can be sent, encrypted and signed by the TPM, to a verification server

24
Q

Define

Remote Attestation / Boot Attestation

A

• When the Measured Boot process completes, the TPM encrypts, signs, and sends an operational report to a verification server

• The attestation server receives the boot report, and compares it to the known-trusted configuration of the system

• If changes are found, they are identified and various actions can be taken

25
Q

What is this another name for?

Fuzzing

A

• A colloquial term for Dynamic Analysis

• May also be referred to as:

• Fault-injecting

• Robustness testing

• Syntax testing

• Negative testing

26
Q

Define

Dynamic Analysis

A

• A type of attack on applications, where random input is sent

• Attacker is looking for vulnerabilities, application crashes, buffer overflows, exceptions, etc.

• “Fuzzers” are tools to perform this.

• Very time and processor resource heavy, but often designed to perform high-probability tests first.

27
Q

Describe security concerns surrounding:

Cookies

A

• Cookies are used for tracking, personalization, and session management

• Generally should not be a security risk, unless someone gains access to them.

• Secure Cookies have an attribute set that requires that they only be sent over HTTPS

• Sensitive information ought never to be stored in a cookie

28
Q

Explain

HTTP Secure Headers

A

• A way for the web server to restrict the capabilities of a browser from performing certain functions

• Useful when an application is being used on your web server, but you aren’t certain of that application’s security

• For example, can be used to:

○ enforce HTTPS

○ only allow scripts, stylesheets, or images from the local site (preventing XSS attacks)

○ prevent data from loading in an iframe
29
Q

Explain

Code Signing

A

• Application code can be digitally signed by the developer, confirming that the code has not been modified

• Asymmetric encryption:

 ○ A trusted CA signs the developer's public key

 ○ And the developer signs the code with their private key
30
Q

How can applications be allowed or denied?

A

• Allow lists and deny lists can be made to control what applications may run on a system

• Lists may be based on, for example:

 ○ Application's hash

 ○ A certificate, for digitally signed applications

 ○ The application's path, allowing applications to only run in certain folders

 ○ The application's network zone
31
Q

Explain

SAST

A

• Static Application Security Testing

• A tool to perform automated analysis on source code to identify security flaws

• Findings and recommendations are reported, and would still need to be manually verified and applied

• Not all flaws can be identified this way, such as authentication security issues and insecure cryptography

32
Q

Name a tool that can scan and verify what ports are open?

A

• Nmap

33
Q

Define

SED

A

• Self-Encrypting Drive

• Hardware-based full disk encryption

• No operating system software needed

• Follows the “Opal storage specification”

34
Q

What functions may a Load Balancer perform? (six answers)

A

• Primary function is to manage the load across multiple servers

• May also perform any of the following:

 ○ TCP offload (handles some TCP traffic rather than the servers)

 ○ SSL offload (encryption/decryption, so that comm. between balancer and servers is in-the-clear)

 ○ Caching (keeps copy of common responses on balancer, so it can respond quickly on behalf of servers)

 ○ Prioritization / QoS

 ○ Content switching (application-centric balancing, directing different functions to different servers)
35
Q

Explain Scheduling and list four possible methods

A

• Scheduling is the method of determining which server a load balancer will direct traffic to

• Example Active/Active methods:

 ○ Round-Robin (each server selected in turn)

 ○ Weighted Round-Robin (prioritizing some servers over others, rather than equal)

 ○ Dynamic Round-Robin (distribute traffic to server with lowest current load)

• Active/Passive scheduling will only route traffic to “passive” servers if an active server fails (making the passive server become active)

36
Q

Define

Affinity

A

• In Load Balancing, Affinity connects users to specific servers, so that whenever they reconnect, they will be directed to the same server as previously

• Often based on IP address / port number or session ID

• Used when an application requires communication to the same instance

37
Q

Explain

Extranet

A

• Similar in structure to a DMZ, but usually requires additional authentication to access, rather than allowing any public access

• Often used for partners, vendors, suppliers, etc. to gain access to internal resources

38
Q

Define

East-West Traffic

A

• Traffic between devices in the same data center

• Includes traffic between separate customers within the same data center

39
Q

Define

North-South Traffic

A

• A term for a data center’s ingress/egress traffic to and from an outside device

• Usually requires a stricter security posture than east-west traffic

40
Q

Define

Concentrator

A

• The device that performs encryption and decryption for a VPN connection

• Often integrated into a firewall, but can also be a standalone device

41
Q

Explain

SSL VPN

A

• Uses the common SSL/TLS protocol (tcp 443)

• Therefore, usually does not run into any firewall issues

• Can authenticate users

• Doesn’t require digital certificates or shared passwords

• Can be run from within a browser or a light VPN client, but often doesn’t require a VPN client

42
Q

Explain

HTML5 VPN

A

• HTML5 includes API support with web cryptography API

• Allows for the creation of a VPN tunnel in a browser without any VPN application

43
Q

Explain

L2TP

A

• Layer 2 Tunneling Protocol

• Connecting sites over a layer 3 network as though they were connected at layer 2

• Commonly implemented with IPsec (L2TP for the tunnel, IPsec for the encryption)

 ○ Sometimes referred to as L2TP over IPsec or L2TP/IPsec
44
Q

Explain

Transport Mode vs. Tunnel Mode

A

• IPsec modes of operation

• In Transport mode, only the Data portion of the IP packet is encrypted

• In Tunnel mode, both the IP Header and the Data are encrypted, and a new IP header is added, which directs the packet to the VPN concentrator on the other side of the tunnel.

45
Q

Define

Broadcast Storm Control

A

• A security feature for switches

• Limits the number of broadcasts per second

• Often also used to control multicast and unknown unicast traffic

• Can be managed either by specific values, percentages, or deviations from baseline behavior

46
Q

Define

BPDU

A

• Bridge Protocol Data Unit

• The primary protocol used by Spanning Tree Protocol

47
Q

Define

BPDU Guard

A

• If a BPDU frame is seen on a PortFast configured interface, the interface will shut down

• This is because PortFast interfaces are only supposed to connect to endpoints, which would never send BPDUs

48
Q

Define

PortFast

A

• Cisco’s term for the feature of bypassing the STP listening and learning steps when a device is plugged in

• Configured for ports that are known to only be needed to connect to endpoints, so STP is not needed since it won’t create a loop.

• STP takes 20-30 seconds to determine how to handle a new connection, so bypassing it saves time

49
Q

Explain

MAC Filtering

A

• Limiting access to the network based on MAC address Allow Lists

• Security through obscurity

• Not very secure since Allowed MACs on the network can be easily discovered and spoofed

50
Q

List some security implications of IPv6

(four bullets)

A

• No need for NAT

• Some attack types no longer apply (such as ARP spoofing, since there is no ARP)

• But some new attack types apply, such as Neighbor Cache Exhaustion

• It is not necessarily more or less secure than IPv4, it’s just different

51
Q

Define

Neighbor Cache Exhaustion

A

• An IPv6 attack which fills up the neighbor cache on devices

• Can make a system unable to communicate with other devices on the network

52
Q

Define

SPAN

A

• Switched Port ANalyzer

• Cisco’s name for port mirroring to a software-based tap

53
Q

Define

FIM

A

• File Integrity Monitoring

• Monitoring changes to files that should never change

• Notifies when changes occur

54
Q

Two examples of FIM tools?

A

• Tripwire: Real-time FIM tool for Linux

• SFC (System File Checker) - On-demand FIM for Windows

55
Q

Define

Stateless Firewall

A

• Older style of firewall that does not keep track of traffic flows

• Packets coming into the network will need access rules to get in, even if it is in response to requests originating from the firewall’s internal network

• Access rules are required for both directions of a session’s traffic

• Security concerns since rules require that external traffic will gain entry even if it is unsolicited

56
Q

Explain

UTM

A

• Unified Threat Management

• An all-in-one security appliance

• Firewall, Content filter, anti-malware, spam filter, IDS/IPS, VPN endpoint, etc.

• A precursor to NGFW

57
Q

Explain

WAF

A

• Web Application Firewall

• Applies rules to HTTP/HTTPS conversations

• Instead of looking at ports and IPs, it allows or denies based on expected input.

58
Q

If a firewall has an implicit deny, why might an admin create an explicit deny for a specific service?

A

• Implicit denies are not logged. Creating a rule means an attempted access will generate a log.

59
Q

What is an advantage of host-based firewalls?

A

• Since it runs on your local machine, it can view traffic from an encrypted communication (HTTPS, etc.), since it is decrypted locally.

60
Q

Define

Dissolvable Agent

A

• Used for Network Access Control

• For running health checks and posture assessment on devices on / connecting to the network

• No installation required

• Runs during the assessment, and terminates when no longer required

61
Q

Define

Agentless NAC

A

• Used for Network Access Control

• For running health checks and posture assessment on devices on / connecting to the network

• Integrated with Active Directory

• Checks are made during login and logoff

• Only runs at those times; cannot be scheduled

62
Q

What functions may a Proxy Server perform? (list 5)

A

• Keeping a local cache of information

• Access Control

• URL Filtering

• Content Scanning

• A Reverse Proxy, which examines incoming requests from the Internet before sending them to a web server

63
Q

Define

Transparent Proxy Server

A

• A proxy server on a network, where endpoints don’t need to be explicitly configured to use it, and aren’t aware of it.

64
Q

What does this stand for?

NIDS

A

• Network-based Intrusion Detection System

65
Q

What does this stand for?

NIPS

A

• Network-based Intrusion Prevention System

66
Q

What is an out-of-band response?

A

• When a passive IPS (not in-line with traffic) identifies malicious traffic and sends a TCP RST (reset) frame to prevent further traffic

• It does not prevent the original packet from going through, but disrupts the traffic flow and prevents further communication

• The reset frame is part of the TCP protocol; this response does not work with UDP traffic

67
Q

What methods can be used by an IPS to identify malicious activity? (Four answers)

A

• Signature-based: Must match exactly

• Anomaly-based: Create a baseline of what’s normal to detect unusual activity

• Behavior-based: Programmed to know what certain malicious activities might look like

• Heuristics: use artificial intelligence and big data

68
Q

Define

Jump Server

A

• A system that you connect to in order to access other internal systems

• Must be highly-secured, hardened, and monitored

69
Q

Define

HSM

A

• Hardware Security Module

• A dedicated server for handling cryptographic functions, storing keys, certificates, etc.

• Used in very large environments with many devices that need cryptographic keys

• Usually installed in clusters with lots of redundancy

• Built with specialized hardware designed for cryptography

• Can act as a proxy to offload encrypted communication for webservers, and forward the traffic to the webservers in the clear

70
Q

What does this stand for?

MIC

A

• Message Integrity Check

71
Q

Define:

CCMP

A

• Stands for: Counter/CBC-MAC Protocol

• A block cipher mode

• The type of encryption used with WPA2

• Uses AES for confidentiality

• Uses CBC-MAC for MIC

72
Q

Define:

CBC-MAC

A

• Cipher Block Chaining Message Authentication Code Protocol

• A form of MIC (Message Integrity Check)

73
Q

Define:

GCMP

A

• Galois/Counter Mode Protocol

• A block cipher mode

• The type of encryption used in WPA3

• Uses AES for confidentiality

• Uses GMAC for MIC

74
Q

Define:

GMAC

A

• Galois Message Authentication Code

• A form of MIC

75
Q

What security advantages does WPA3 have over WPA2?

A

• WPA2 is susceptible to brute force attacks. Once the passphrase is known, an attacker can read all communication of all devices

• WPA3 uses:

 ○ mutual authentication

 ○ a shared session key that is created without sending that key across the network

 ○ perfect forward secrecy

 ○ SAE
76
Q

Explain:

Perfect Forward Secrecy

A

• A session key is created for each session, and disposed of when the session is over

• New sessions would create a new key

• Used, among other places, in WPA3

77
Q

Explain:

SAE

A

• Simultaneous Authentication of Equals

• A Diffie-Hellman derived key exchange (same process), but adds an authentication component

• An IEEE standard

• Sometimes called the dragonfly handshake

• Used, among other places, in WPA3

78
Q

Describe WPS from a security standpoint.

A

• Best practice is to disable it

• If it does not have brute-force protection built in, it is extremely easy to brute force

• Only 11,000 possible combinations need to be tried to gain access

• Brute-force lockouts are now the norm, but most devices out there don’t have it.

79
Q

How can WPS authenticate a device?

A

• A PIN (which is easily brute-forced)

• A physical button to push on the WAP

• NFC

80
Q

What type of authentication does WPA2-Enterprise use?

A

• 802.1X

81
Q

Explain

802.1X

A

• A type of network access control that requires authentication to access the network, whether wired or wireless

• Typically uses a central authentication database such as RADIUS, LDAP, TACACS+, etc.

• The authenticator (the device that provides network access) communicates to an authentication server on behalf of the supplicant (client)

82
Q

Define

NAC

A

• Port-based Network Access Control

• A name for 802.1X

83
Q

Define:

EAP

A

• Extensible Authentication Protocol

• The authentication protocol used by 802.1X, as well as many other types of authentication for wireless networks

• Supports multiple types of authentication

• Manufacturers can build their own EAP methods

84
Q

Explain:

EAP-FAST

A

• EAP Flexible Authentication via Secure Tunneling

• Ensures that the authentication server and supplicant can communicate with each other over a secure tunnel.

• The server provides a protected access credential (PAC), i.e. a shared secret, to the supplicant, they mutually authenticate and negotiate a TLS tunnel, and user authentication occurs over the TLS tunnel.

85
Q

Define:

PAC

A

• Protected Access Credential

• A shared secret, used in EAP-FAST

86
Q

Define:

AS

A

• The acronym used for the Authentication Server in EAP

87
Q

Define

PEAP

A

• Protected EAP (Extensible Authentication Protocol)

• Created by Cisco, Microsoft, and RSA Security

• Similar to EAP-FAST, but instead of a PAC (Protected Access Credential), the AS uses a digital certificate.

• (As with a web server, the client does not need its own certificate, only the server)

• User can authenticate using MSCHAPv2 for Microsoft services, or GTC

88
Q

What does this stand for?

MSCHAPv2

A

• Microsoft Challenge Handshake Authentication Protocol version 2

89
Q

What does this stand for?

GTC

A

• Generic Token Card

90
Q

Explain:

EAP-TLS

A

• EAP with TLS

• Similar to PEAP, but requires a digital certificate on the client as well as the AS, so they can mutually authenticate

• Once devices have authenticated to each other, the TLS tunnel is built for the user authentication process

• Complex implementation as it requires all network devices to have certificates

• May not be suitable, as not all devices can support the use of digital certificates

91
Q

Explain:

EAP-TTLS

A

• EAP Tunneled TLS

• Similar to PEAP, builds a TLS tunnel using the digital certificate of the AS

• (Does not require the supplicant to have a certificate)

• Can use any authentication method inside the TLS tunnel, including other EAPs, MSCHAPv2, or anything else.

92
Q

Define

Wireless Controller

A

• A centralized management device for wireless access points

• Allows management of system configuration, performance, updates, etc.

93
Q

Define

MCM

A

• Mobile Content Management

• Controls for securing access to data and protecting it from outsiders

• Managed from the mobile device manager (MDM)

• May include controls for file sharing and viewing, as well as DLP and encryption requirements

94
Q

Explain

Context-Aware Authentication

A

• An emerging technology

• Looks at multiple contexts to determine whether a login attempt is likely to be authentic

• Contexts may include:

 ○ Device IP address

 ○ GPS information

 ○ Devices connected / Bluetooth paired to the device

 ○ more
95
Q

In the context of BYOD, define:

Containerization

A

• The separation of enterprise mobile apps and data from personal apps and data

• Storage on a mobile device is segmented to keep business data in a contained area with restricted sharing

• Makes offboarding much easier. Business data can be wiped without removing personal data.

96
Q

Define

MicroSD HSM

A

• A small Hardware Security Module, in microSD card form

• Provides security services to mobile devices, such as:

 ○ encryption

 ○ key generation

 ○ digital signatures

 ○ authentication
97
Q

Explain

UEM

A

• Unified Endpoint Management

• Similar to MDM, but also manages non-mobile devices

• Allows users to change between devices, such as phone and laptop, and still have same security and access

98
Q

Explain

MAM

A

• Mobile Application Management

• Provision, update, and remove apps from your own enterprise app catalog

• Monitor application use

• Fine-grained control of wiping data

99
Q

Explain

SEAndroid

A

• Security Enhancements for Android

• Puts SELinux functions into Android OS

• Supports additional access control security policies

• Enabled by default since Android version 4.3 in July 2013

• Developed by NSA

100
Q

List some security features added by SEAndroid (four answers)

A

• Protects privileged access to Android system daemons

• Changed Discretionary Access Control (DAC) to Mandatory Access Control (MAC)

• Isolates and sandboxes Android apps

• Centralized policy configuration

101
Q

Define:

OTA

A

• Over the Air

• A type of firmware update for mobile devices

• Delivered wirelessly without needing to connect to any device

102
Q

List some capabilities of MDM

A

• Control firmware updates

• Use an allow list or block list of approved / blocked apps

• Control microphone/camera use to disable/enable either always or only in certain locations

• Control SMS/MMS usage by timeframe or location

103
Q

Define

USB OTG

A

• USB On-the-Go

• A USB 2.0 Standard that allows supported devices to connect directly together

• A mobile device can act as both a host and a device, acting as storage

104
Q

Define

Geotagging

A

• aka GPS Tagging

• Adds location to file metadata

• Can cause security concern, since investigating these files can create a path of a user

• Can be disabled

105
Q

Define

COPE

A

• Corporate-Owned, Personally-Enabled

• A mobile deployment model

• Similar to BYOD, but the company buys the device and allows it to also be used for personal use

• Company keeps full control of device

106
Q

Define

CYOD

A

• Choose Your Own Device

• Similar to COPE, but with the user’s choice of device

107
Q

Explain

VMI

A

• Virtual Mobile Infrastructure

• Like thin clients, mobile phones can also connect to a cloud service where apps and data are stored

• If the device is lost, no data is lost, no security concern

• Allows for centralized app development, since you only need to write for a single VMI platform

• No need to update all individual devices

108
Q

Define

AZ

A

• Availability Zone

• Isolated locations within a cloud region (geographic location)

• Each AZ is completely independent

109
Q

Define

HA Across Zones

A

• High Availability Across (Availability) Zones

• Highly Available applications can be aware of Availability Zones, and recognize an outage in a particular zone to adjust accordingly

110
Q

Define

IAM

A

• Identity and Access Management

• Cloud resource security control to determine who gets access, and what they get access to

• Maps job functions to roles

• Granular policies control access by user group, IP, date and time, geolocation, etc.

111
Q

Define

VPC Endpoint

A

• Virtual Private Cloud Endpoint

• Allows private cloud subnets to communicate to other cloud services, even without an internet connection.

• Facilitates connectivity between VPCs and cloud services such as storage.

112
Q

What are some tips for container security?

A

• Use OSs that are designed specifically for containers

• Group containers of similar type onto the same host, to limit the scope of any intrusion

113
Q

Define

Security Group

A

• In the context of Cloud Computing:

• Security Groups provide Layer 4 firewall services for all resources within a VPC (Virtual Private Cloud)

• Not to be confused with Security Groups in Active Directory

• Not sure why they’re not just called “VPC Firewalls” or something.

114
Q

Define

DAC vs. MAC

A

• Discretionary Access Control / Mandatory Access Control

• In DAC model, users have control over access to their own data or local computer resources

• In MAC model, access permissions are set by administrators. Resource objects (such as files) are given security labels which assign a classification and category, which are matched against users’ classifications and categories to determine access.

115
Q

Explain

CASB

A

• Cloud Access Security Broker

• May be installed as client software, run as a local network appliance, or a cloud service

• Four functions:

○ Visibility into what apps are in use, what data is being transferred, etc.

○ Enforce compliance regulations

○ Prevent threats and block disallowed items

○ Data Security: Enforce DLP, Encryption, etc.

116
Q

Explain

SWG

A

• Next-Gen Secure Web Gateway

• Protects users and devices regardless of location and activity

• Goes beyond just examining Layer 4 (TCP/UDP), URLs, and GET requests

• Examines JSON strings and API requests, to allow or disallow very specific activities

117
Q

Explain

IdP

A

• Identity Provider

• A third-party providing identity control for another service.

• Essentially “Authentication as a Service”

• Commonly used by SSO applications

118
Q

Explain

SSH Keys

A

• The use of public/private cryptographic keys to authenticate in SSH instead of a username and password

• Especially used for automation and scripts, since you won’t be there to enter a password when the script is running

• Key management is critical, to centralize, control, and audit key use

• Both open source and commercial SSH key managers are available

119
Q

How to generate and login with an SSH key?

A

• ssh-keygen

○ The command in Linux or macOS

○ Creates a public/private key pair for authentication

• Copy the public key to the SSH server:

○ ssh-copy-id user@host

• Copy the private key to any system that will need to login

• You can now login with the following command, no password required:

○ ssh user@host

120
Q

Explain

KBA

A

• Knowledge-Based Authentication

• A form of “Something you know”

• Static KBA: Pre-configured security questions, often used with account recovery.

○ Ex., what was your first car?

• Dynamic KBA: Not pre-configured, but pulled from some other source, often an identity verification service.

○ Ex., Which of the following addresses did you live at in 1999?

121
Q

Explain

PAP

A

• Password Authentication Protocol

• An old, basic authentication method.

• Rare today. Used only in legacy systems.

• No encryption, designed for analog dialup connections.

• When used today, the application may provide encryption, encapsulated within PAP, so it’s not sent in the clear.

122
Q

Explain

CHAP

A

• Challenge-Handshake Authentication Protocol

• Encrypted challenge sent over the network

• A step up from PAP

• Server sends a challenge based on the password, which verifies both sides have that password, without sending the password itself.

• This challenge-response may continue to occur periodically during the connection, invisible to the user

123
Q

Explain

MS-CHAP

A

• Microsoft’s implementation of CHAP

• MS-CHAP v2 is the most recent version

• Both v1 and v2 are insecure and should not be used, because they use DES

• DES is susceptible to brute force decryption of the hash

124
Q

Explain

TACACS

A

• Terminal Access Controller Access-Control System

• A remote authentication protocol

• Originally built when using analog dial-up lines

• Created for accessing ARPANET

125
Q

Explain

XTACACS

A

• Extended TACACS

• Cisco proprietary version of TACACS

• Has additional support for accounting and auditing

126
Q

Explain

TACACS+

A

• The latest version of TACACS, released in 1993

• If using TACACS today, it is probably this version

• Adds more authentication requests and response codes

127
Q

Explain

Kerberos

A

• A network authentication protocol

• Authenticates once, then you are trusted by the system and don’t need to re-authenticate to access resources

• Server provides a “ticket” that your system uses to authenticate to other systems without entering password again

• Mutual authentication, which protects against on-path or replay attacks

• Standard since 1980s, Microsoft began using it in Windows 2000

128
Q

What databases may be used on the backend of IEEE 802.1X?

A

• Can work with a variety, including:

• RADIUS

• LDAP

• TACACS+

129
Q

Define

SAML

A

• Security Assertion Markup Language

• An open standard for authentication and authorization

• Authenticate through a third-party to gain access

• Not designed to support mobile apps, so is likely to decline in usage as time goes on

130
Q

What is the flow of SAML?

A

• Client accesses resource server

• Resource server sends signed/encrypted SAML request to client, and directs them to the authorization server

• Client signs into the Authorization Server

• Authorization Server provides SAML token

• Client sends SAML token to resource server and gains access

131
Q

Explain

OAuth

A

• Open Authorization

• An authorization framework with significant industry support

• Determines what resources a user can access

• Does not authenticate, only authorizes

• Often used to provide authorization between applications

• Ex. “Datto wants permissions to your Microsoft 365 account for the following. Do you want to allow this?”

132
Q

Explain

ABAC

A

• Attribute-Based Access Control

• Next-gen authorization model, aware of context

• Combines and evaluates multiple parameters to determine access

• Ex. IP address, time of day, desired action, etc.

133
Q

Explain

PAM

A

• Privileged Access Management

• Centralized management of administrative / superuser accounts

• When an admin needs to perform an administrative task or gain access, they make a request from the vault, and the privileged access they need is granted only temporarily. “Checked out.”

• Enables automation

• Manages access for each user

• Extensive tracking and auditing

134
Q

Explain

CRL

A

• Certificate Revocation List

• Maintained by the CA

• Contains many revocations in a large file which changes all the time.

135
Q

Explain

OCSP

A

• Online Certificate Status Protocol

• Allows a web browser to check revocation status of a single certificate

• Requests are usually sent to an OCSP responder, managed by the CA, via HTTP

• More efficient than downloading an entire CRL just to check one certificate

• Most modern browsers support OCSP, but some older browsers and apps do not.

136
Q

Define:

DV

A

• Domain Validation Certificate

• SSL Certificate that shows the owner of the certificate has control over the DNS domain

• This is the most common certificate used by websites

137
Q

Define

EV

A

• Extended Validation Certificate

• Like a DV, but additional checks have verified the certificate owner’s identity

• Browsers will show a name in the address bar next to the padlock icon that indicates the SSL connection

• Not common anymore; since SSL has become standard, there’s not much point in promoting your use of it.

138
Q

Explain

X.509

A

• The standard structure for digital certificates

139
Q

Explain

DER

A

• Distinguished Encoding Rules

• A type of binary encoding format

• Common and used across many platforms

• Perfect for an X.509 certificate

140
Q

Explain

PEM

A

• Stands for “Privacy-Enhanced Mail”

• An encoded X.509 certificate in ASCII format

• Makes it easier to read and e-mail, rather than the binary form of DER

• The most common format provided by CAs

141
Q

Define

PKCS #12

A

• Public Key Cryptography Standards #12

• A container format for many certificates

• Store multiple X.509 certs in a single .p12 or .pfx file

• Often used to transfer a private and public key pair

• The container can be password protected

142
Q

Define

CER

A

• An X.509 file extension used primarily by Windows

• Can be encoded either as binary DER or as ASCII PEM format

• Usually only contains a public key; private keys would be transferred in the .pfx file format

143
Q

Define

PKCS #7

A

• Public Key Cryptography Standards #7

• Contains certificates and chain certificates, but does not include private keys

• .p7b file extension

• ASCII format

• Wide support across multiple OSs and platforms

144
Q

Explain

OCSP Stapling

A

• Instead of the CA needing to respond to all OCSP requests, the certificate holder can verify their own status

• Status information is stored on the certificate holder’s server

• OCSP status is “stapled” into the SSL/TLS handshake, digitally signed by the CA

145
Q

Explain

Pinning

A

• To ensure that you’re really communicating to the legitimate server, you can “pin” the expected certificate or public key to an application.

• You then compare that pinned certificate to what you see when actually communicating with the server.

• The cert must be compiled into the app, or added at first run.

• If the expected cert doesn’t match the certificate the server presents, the application can shut down, show a message, etc.

146
Q

List 5 types of PKI trust relationships.

A

• Single CA

• Hierarchical (Single root CA with intermediate and leaf CAs)

• Mesh (CAs that all certify each other; does not scale well)

• Web-of-trust (alternative to traditional PKI)

• Mutual Authentication (Server and client both authenticate to each other)

147
Q

Explain

Key Escrow

A

• When your private keys (decryption keys) are kept and controlled by a 3rd-party

• Ex., A business might store employee information in encrypted form, and only be able to access that private info if it is validated by the 3rd party

• Requires trust of the 3rd party and very specific and clear process and procedures for validating

148
Q

What does this stand for?

FDE

A

• Full Disk Encryption

149
Q

What does this stand for?

HIDS

A

• Host-based Intrusion Detection System