Chapter 4 Flashcards

1
Q

What do IDSs do?

A

IDSs monitor a network and send alerts when they detect suspicious events

2
Q

What do IPSs do?

A

IPSs react to attacks in progress and prevent them from reaching systems and networks

3
Q

Acronym

HIDS

A

Host-based Intrusion Detection System

4
Q

Definition

What is HIDS

A

It is additional software installed on a system that
* monitors the individual host
* can detect potential attacks
* analyzes critical operating system files

HIDS can monitor all traffic on a single host system

5
Q

Acronym

NIDS

A

Network-based Intrusion Detection System

Monitors and assesses threats on the network from traffic sent in plaintext

6
Q

What do NIDS sensors do?

A

Gather information and report to a central monitoring network appliance hosting a NIDS console

Sensors are also known as collectors

7
Q

What can a NIDS NOT do?

A
  • Detect anomalies that don’t change network traffic
  • Decrypt encrypted traffic
8
Q

What is port mirroring?

AKA port spanning

A

Configuring a switch to send all the traffic it receives to a single port

9
Q

Where should you place a sensor if you want to see all attacks on your network?

A

On the internet side

10
Q

Where should you place a sensor if you only want to see attacks that get through on your network?

A

On the internal network

11
Q

Where are NIDS sensors installed?

A

Network devices: switches, routers, or firewalls

12
Q

What are the two primary detection methods?

A
  1. Signature-based
  2. Heuristic/behavioral-based (anomaly-based)
13
Q

How do signature-based IDSs detect attacks?

A

They use a database of known vulnerabilities or known attack patterns

14
Q

How do trend-based IDSs detect attacks?

A
  • Identifies the network’s normal behavior and creates a baseline
  • When abnormal activity is detected, it gives an alert

Good at detecting zero-day exploits

15
Q

What are zero-day exploits?

A

Vulnerabilities that are unknown to the vendor. There is no patch for the vulnerability

16
Q

IDS aggregator

A

Stores log entries from dissimilar systems

17
Q

Acronym

NOC

A

Network Operations Center

18
Q

IDS False Positive

A

An alert or alarm on an event that is non-threatening or harmless

Opposite of true positive

19
Q

IDS False negative

A

A real attack that is undetected by the system

Opposite of true negative

20
Q

What does a high incidence of false positives cause?

A

Increase in the administrator’s workload

21
Q

Differences between IPS and IDS

A
  • IPS can detect, react to, and prevent attacks, while IDS can only detect and react
  • IPS is in-line with the traffic (traffic goes through the IPS), while IDS is out of band: it monitors the network but traffic doesn't go through it
  • IPS is referred to as active, IDS is referred to as passive
22
Q

Acronym

RAT

A

Remote Access Trojan

23
Q

Acronym

APT

A

Advanced Persistent Threat

24
Q

Honeypot

A

A server that looks like an easy target so attackers spend their time in the honeypot instead of on the real network

25
Honeynet
A group of honeypots within a separate network but accessible from an organization's primary network
26
Honeyfile
A file designed to attract the attention of an attacker
27
Honeytoken
Fake data or credentials planted within a system to detect unauthorized access attempts
28
# Acronym WLAN
Wireless Local Area Network
29
What does a wireless access point(AP) do?
Connects wireless clients to a wired network
30
What are APs with routing capabilities marketed as?
Wireless routers ## Footnote All wireless routers are APs but not all APs are wireless routers
31
# Acronym WAN
Wide Area Network
32
# Acronyms NAT and PAT
1. Network Address Translation 2. Port Address Translation
33
# Acronym DHCP
Dynamic Host Configuration Protocol
34
35
# Acronym and Definition SSID
Service Set Identifier ## Footnote The name of the wireless network
36
What is MAC Filtering
Restricting access to a network based on the MAC address
37
What is MAC address cloning
Changing the MAC address on a device to match the MAC address of another device, typically the WAN port on an internet-facing router ## Footnote spoofing a MAC address is easy
38
What is a site survey?
Examining a wireless environment to identify issues like areas with noise or potential security issues
39
What do Wi-Fi analyzers do?
Identify and analyze activity on channels within the same wireless spectrum ## Footnote A site survey tool
40
What is a heat map
It gives a color coded representation of wireless signals ## Footnote A site survey tool
41
Wireless footprinting
Gives a detailed diagram of wireless APs, hotspots, and dead spots within an organization
42
# Acronym WEP
Wired Equivalent Privacy
43
# Acronym WPA
Wi-Fi Protected Access
44
Which wireless cryptographic protocols should not be used and why?
* WEP and WPA * These protocols are weak and deprecated
45
# Acronym WPA2
* Wi-Fi Protected Access 2 * Uses AES and Counter-mode/CBC-MAC
46
# Acronym AES
Advanced Encryption Standard
47
# Acronym CCMP
Counter-mode/CBC-MAC
48
What modes can WPA2 operate in?
1. Open 2. PSK 3. Enterprise Mode
49
What is open mode
* Doesn't use any security * Data is transferred in cleartext * Turns off all the security features of WPA2 ## Footnote WPA2
50
What is PSK mode
Allows users to access the wireless network anonymously with a PSK or passphrase ## Footnote WPA2
51
What is enterprise mode
* Forces users to authenticate with unique credentials before granting access to the wireless network * uses an 802.1X server (implemented as a RADIUS server) to add authentication ## Footnote WPA2: think of eduroam
52
# Acronym WPA3
Wi-Fi Protected Access 3
53
What modes can WPA3 operate in?
1. Enhanced open mode 2. SAE mode 3. Enterprise mode
54
What is Enhanced open mode
* replaces the unencrypted open mode of WPA2 * Allows you to easily run a secure guest network
55
# Acronym SAE mode
Simultaneous Authentication of Equals mode
56
What is SAE mode
* Replaces WPA2's PSK mode * Uses a passphrase
57
True or false: WPA2 and WPA3 have the same enterprise mode
True
58
What is the purpose of authentication protocols in wireless networks?
To verify the identity of devices attempting to connect to a wireless network.
59
# Acronym EAP
Extensible Authentication Protocol
60
What is the function of the EAP in wireless security?
* provides a method for two systems to create a secure encryption key (PKA). * Systems then use the PTK to encrypt data transmitted between devices
61
# Acronym PMK
Pairwise Master Key
62
# Acronym PTK
Pairwise Transient key
63
# Acronym and Definition PEAP
* Protected EAP * Provides an extra layer of protection for EAP by requiring a certificate on the server
64
# Acronym LEAP
Lightweight Extensible Authentication Protocol
65
What makes LEAP an insecure authentication protocol?
It has known vulnerabilities that make it susceptible to attacks
66
# Acronym EAP-FAST
EAP-Flexible Authentication via Secure Tunneling
67
How does EAP-FAST improve upon LEAP's security?
Uses PACs to authenticate users within a secure tunnel.
68
# Acronym PAC
* Protected Access Credentials * Pre-shared keys
69
EAP-TLS is considered a highly secure protocol. What are its key features?
* Requires both the client device and the network server to have digital certificates. * Implementing this can be more complex due to the need for certificate management | Mutual Authentication
70
# Acronym EAP-TTLS
EAP-Tunneled TLS
71
How do EAP-TTLS and PEAP balance security and ease of use?
* These protocols create a secure tunnel using TLS; however, only the server is required to have a digital certificate * Simplifies configuration for client devices but also maintains security
72
What is IEEE 802.1X?
* A port-based authentication protocol * Requires devices to authenticate when they connect to a specific wireless AP or a specific physical port | Only authorized clients can connect
73
What is a captive portal
A technical solution that forces clients using web browsers to complete a specific process before it allows them access to the network
74
What is a disassociation attack?
An attack that removes a wireless client from a wireless network, forcing them to re-authenticate ## Footnote hotels could use this to kick people off hotspots so they are forced to pay for hotel wifi
75
# Acronym WPS
* Wi-Fi Protected Setup * Allows users to configure wireless devices by entering an 8-digit PIN ## Footnote Susceptible to brute force attacks
76
What is a rogue AP?
* An AP placed within a network without official authorization * Used to capture and exfiltrate data
77
What is data exfiltration?
The unauthorized transfer of data from an organization to a location controlled by an attacker
78
What is an evil twin?
A rogue AP with the same SSID as a legitimate AP, sending wireless traffic through the rogue AP instead
79
What is a jamming attack
* An attack where noise or another radio signal is transmitted on the same frequency used by a wireless network. * Usually prevents all users from connecting to a wireless network
80
What is an IV attack?
* Initialization vector attack * An attack that attempts to discover the pre-shared key after discovering the IV
81
# Acronym and definition NFC
* Near field communication * A group of standards that allows mobile devices to communicate with other devices when they are close to each other
82
How does an NFC attack work?
The attacker uses an NFC reader to capture data from another NFC device
83
# Acronym RFID
Radio Frequency Identification
84
What are the common RFID attacks?
* Sniffing or eavesdropping * RFID cloning * DoS
85
# Acronym PAN
Personal Area Network
86
What is bluejacking?
Sending unsolicited messages to nearby bluetooth devices
87
What is bluesnarfing?
Unauthorized access or theft of information from a bluetooth device
88
What is bluebugging?
Similar to bluesnarfing but in addition to gaining full access to the phone, the attacker installs a backdoor.
89
What prevents the pairing of bluetooth devices?
Faraday cages
90
What is a wireless replay attack?
An attacker captures data sent between two entities, modifies it, and then attempts to impersonate one of the parties by replaying the data
91
Which protocols are resistant to replay attacks?
WPA2 and WPA3
92
What is war driving?
* The practice of looking for vulnerable wireless networks while walking or driving around * Used by administrators as part of a wireless audit | also war flying: doing the same thing but in a plane
93
What is a VPN concentrator?
* A dedicated device used for VPNs * typically placed in a screened subnet
94
Tunnel mode
* Encrypts the entire IP packet, including both the payload and the packet headers. * Commonly used by VPNs
95
Transport mode
Only encrypts the payload and is commonly used in private networks but not with VPNs
96
ESP
Encapsulating Security Payload
97
How does IPsec use authentication to enhance security?
IPsec incorporates an Authentication Header (AH), which allows the devices participating in an IPsec conversation to verify each other's identities before exchanging any data. This authentication process helps prevent spoofing attacks, where a malicious actor might try to impersonate a legitimate device on the network.
98
# Acronym and definition IKE
* Internet Key Exchange * Creates security associations (SAs) for the VPN and uses these to set up a secure channel between the client and the VPN server
99
What is a split tunnel?
Allows only specific traffic to be routed through the encrypted VPN tunnel. This means that other traffic, such as internet browsing, bypasses the tunnel and goes directly to the internet through the user's Internet Service Provider (ISP).
100
Full tunnel
Routes all network traffic from the user's device through the encrypted VPN tunnel. This means that all data sent and received, including internet browsing, is protected by the VPN
101
What does IPsec use for VPN traffic?
* It uses tunnel mode and can be identified with protocol ID 50 for ESP. * Uses IKE over port 500
102
Site-to-Site VPN
Two VPN servers that act as gateways for two networks separated geographically ## Footnote can be on demand VPNS or always on VPNs
103
Benefit of site-to-site VPN model
It connects both networks without requiring additional steps on the part of the user
104
Host-to-gateway model | Traditional remote access VPN
The end user makes the direct connection to the VPN server
105
# WH Always-on VPN
Establishes and maintains a secure tunnel automatically whenever the user's device connects to the internet.
106
# Acronym and Definition L2TP
* Layer 2 Tunneling Protocol * Data is encrypted with another protocol such as IPsec and then passed to L2TP for transport over the VPN
107
HTML5 VPN
Allows users to connect to the VPN using their web browser
108
# Acronym PBX
Private Branch Exchange
109
# Acronym and definition NAC
* Network Access Control * Provides continuous security monitoring by inspecting computers and preventing them from accessing the network if they don't pass the inspection ## Footnote can redirect unhealthy clients to a remediation network
110
What are the common health conditions checked by a NAC?
* The client's firewall is enabled * The client's OS is up to date and has all current patches and fixes * The client's antivirus software is up to date and has all updated signature definitions
111
What is a permanent NAC agent?
An agent that is installed on the client and stays on the client
112
What is a dissolvable NAC agent?
An agent that is downloaded and runs on the client when the client logs on remotely and is deleted after the session ends
113
What is an agentless NAC system?
A NAC system scans a client remotely without installing code on the client, either permanently or temporarily
114
# Acronym PAP
* Password Authentication Protocol * Used with PPP to authenticate clients * Uses a password ## Footnote Weakness: sends information in cleartext
115
# Acronym PPP
Point to Point Protocol
116
# Acronym CHAP
* Challenge Handshake Authentication Protocol * Also uses PPP and authenticates remote users but is more secure than PAP * Its goal is to allow the client to pass credentials over a public network without allowing attackers to intercept the data and later use it in an attack ## Footnote Doesn't send in cleartext
117
# Acronym RADIUS
* Remote Authentication Dial In User Service * It is a centralized authentication service
118
What do signature-based IDS and IPS do?
Use signatures to detect known attacks or vulnerabilities