Ch12 - Ch14 Flashcards
standards‐based mechanism for providing encryption for point‐to‐point TCP/IP traffic; operates at the Network layer (layer 3)
IPSec
needed to allow an outside entity to initiate communications with an internal system behind a NAT proxy
static mode NAT
the least important aspect of security systems for Internet‐delivered email.
Availability, although availability is still important in general
use of email as an attack mechanism by flooding a system with messages causing a denial of service
Mail-Bombing
Why is it difficult to stop spam
because the source of the messages is usually spoofed
encryption tool used to protect sessionless datagram protocols; was designed to integrate with IPSec; replaced by IKE
Simple Key Management for Internet Protocol (SKIP)
provides authentication, integrity, and confidentiality using an encapsulation protocol.
Software IP Encryption (SWIPE)
authentication service; simply a means to prevent unauthorized execution of code on remote systems.
Secure Remote Procedure Call (S-RPC)
encryption protocol developed by Netscape to protect the communications between a web server and a web browser; used to secure web, email, FTP, or even Telnet traffic; deployed using a 40-bit key or a 128-bit key
Secure Sockets Layer (SSL)
security protocol for the transmission of transactions over the Internet; based on RSA encryption and DES; has not been widely accepted by the Internet in general; instead, SSL/TLS encrypted sessions are the preferred mechanism for secure e-commerce.
Secure Electronic Transaction (SET)
What tool is used to crack the LEAP protocol
asLEAP
used to manipulate line voltages to steal long-distance services. They are often just custom-built circuit boards with a battery and wire clips
Black Boxes
used to simulate tones of coins being deposited into a pay phone. They are usually just small tape recorders
Red Boxes
used to simulate 2600 Hz tones to interact directly with telephone network trunk systems (that is, backbones). This could be a whistle, a tape recorder, or a digital tone generator
Blue Boxes
used to control the phone system; can use a dual-tone multifrequency (DTMF) generator (that is, a keypad). It can be a custom-built device or one of the pieces of equipment that most telephone repair personnel use.
White Boxes
SMTP server that does not authenticate senders before accepting and relaying mail.
open relay agent
what standard is used for email addressing and message handling
X.400
email security standard that offers authentication and confidentiality to email through public key encryption and digital signatures.
Secure Multipurpose Internet Mail Extensions (S/MIME)
can provide authentication, confidentiality, integrity, and nonrepudiation for email messages; employs MD2, MD5 algorithms; RSA public key; and DES to provide authentication and encryption services.
MIME Object Security Services (MOSS)
email encryption mechanism that provides authentication, integrity, confidentiality, and nonrepudiation; uses RSA, DES, and X.509.
Privacy Enhanced Mail (PEM)
asserts that valid mail is sent by an organization through verification of domain name identity
DomainKeys Identified Mail (DKIM)
another name for dial-up connectivity
Remote Node Operation
what security border devices support NAT
firewalls, routers, proxies & gateways
Most WAN technologies require a “WAN switch”
channel service unit/data service unit CSU/DSU
some WAN technologies require additional specialized protocols to support specialized systems or devices. What are they
SDLC, HDLC, HSSI
offered no authentication, supported only half-duplex communications, had no error detection capabilities, and required manual link establishment and teardown
Serial Line Internet Protocol (SLIP)
encapsulation protocol designed to support the transmission of IP traffic over dial-up or point-to-point links.
Point to Point protocol (PPP)
PPP was originally designed to support CHAP and PAP for authentication. However, recent versions of PPP also support 3 newer protocols…
MS-CHAP, EAP & SPAP
What security issues are related to VoIP
caller ID spoofing, vishing, SPIT, call manager software/firmware attacks, phone hardware attacks, DoS, MitM
Are plain old telephone service (POTS) and public switched telephone network (PSTN) the same
yes
is NAT directly compatible with IPSec
No because it modifies packet headers
What version of NAT proxy is designed to support IPSec over NAT
NAT-Traversal (RFC 3947) was designed to support IPSec VPNs through the use of UDP encapsulation of IKE
active entities (such as users) that access passive objects (such as files)
subjects
Does accountability include authorization
No
Does accountability require proper identification and authentication
Yes
to stop unwanted or unauthorized activity from occurring
Preventative
to discover unwanted or unauthorized activity
Detective
restore systems to normal after an unwanted or unauthorized activity has occurred
Corrective
attempt to discourage violation of security policies by encouraging people to decide not to take an unwanted action
Deterrent
attempt to repair or restore resources, functions, and capabilities after a security policy violation
Recovery
attempt to direct, confine, or control the actions of subjects to force or encourage compliance with security policy
Directive
provide options or alternatives to existing controls to aid in enforcement and support of a security policy
Compensation
generates and displays one‐time passwords, which work with an authentication server
synchronous token
uses a challenge‐response process to generate the one‐time password
asynchronous token
XML‐based framework used to exchange user information for single sign‐on (SSO) between organizations within a federated identity management system
Security Assertion Markup Language (SAML)
supports SSO in a single organization, not a federation.
Kerberos
combination of effective identification, authentication, and auditing provides for
accountability
most common SSO method used within organizations, and it uses symmetric cryptography and tickets to prove identification and provide authentication.
Kerberos
Other SSO methods include
scripted access, SESAME and KryptoKnight. OAuth and OpenID are two newer SSO technologies
uses UDP and encrypts passwords only to provide AAA services
RADIUS
uses TCP and encrypts the entire session to provide AAA services
TACACS+
becoming more popular with smart phones, but is not compatible with RADIUS
Diameter
principle that ensures access to an object is denied unless access has been explicitly granted to a subject
Implicit Deny not explicit
table that includes subjects, objects, and assigned privileges
Access Control Matrix
another way to identify privileges assigned to subjects; focused on subjects (such as users, groups, or roles)
Capability Table
lists all the users and/or groups that are authorized to access the file and the specific access granted to each; focused on objects
Access Control List
restricted interfaces that limit what users can do or see based on their privileges
Constrained Interface
restrict access to data based on the content within an object
Content-Dependent Control
require specific activity before granting users access, such as going through the purchasing process on a website
Context-Dependent Control
access control model that is prohibitive and uses an implicit-deny philosophy (not an explicit-deny philosophy). It is not permissive and it uses labels rather than rules.
Mandatory Access control model
should threat modeling or asset value be done first?
Asset value, so that the focus on threats is set on high-value items
what is an effective tool to prevent the success of social engineering
user education