Chapter 4: Securing Your Network Flashcards

1
Q

What does HIDS stand for and how does it function?

A

A Host-based Intrusion Detection System is installed on a single host (computer, server) or workstation and monitors all the traffic on that host, including application activity. HIDSs add an extra layer of security as they can detect malware missed by antivirus software.

See page 106 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

2
Q

What does NIDS stand for and what is its function?

A

Network-based Intrusion Detection System provides overall monitoring and analysis and can detect attacks on the network.

Collectors or sensors are installed on network devices such as firewalls, routers, or switches to gather information and report to a central monitoring network appliance hosting a NIDS console.

See page 107 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

3
Q

What are some general shortcomings of NIDS?

A

NIDS are unable to detect anomalies on individual hosts unless the anomaly causes a significant disturbance in network traffic. NIDS is unable to decrypt encrypted traffic, meaning NIDS can only monitor and assess threats in traffic sent in cleartext (unencrypted traffic).

See page 107 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

4
Q

What are the differences between signature-based detection and heuristic/behavioral-based detection?

A

Signature-based detection uses a database of known vulnerabilities or attack patterns to detect threats or potential security events.

Heuristic-based (aka anomaly-based) detection uses performance baselines taken under normal operating conditions of a network to monitor for significant deviations from the baseline. Heuristic-based detection can be effective at discovering zero-day attacks.

See pages 108 & 109 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

5
Q

What are the primary differences between an IPS and an IDS?

A

An IPS detects threats (or an active attack), proceeds to stop them, and sends an alert. IDS systems will only send an alert once a threat or an attack is detected.

An IPS is considered in-line (active) with traffic; therefore all network traffic flows through it, giving it an opportunity to prevent malicious traffic. In contrast, an IDS is out-of-band (passive): it monitors network traffic, but the traffic does not flow directly through the IDS.

See pages 111 & 112 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

6
Q

What is a RAT?

A

RAT stands for Remote Access Trojan. Once it is installed on a computer (through phishing or malware attacks), attackers can launch attacks from within a network.

See page 112 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

7
Q

What is a Honeypot and how is it used?

A

A honeypot is a server that is intentionally made easy to access, or locked down in a sloppy manner, so that attackers will be easily drawn to it and launch an attack. They normally hold bogus files and information to give the appearance of a live, valuable server.

Honeypots are used to deceive attackers and divert them from live networks, and they allow security professionals to observe attackers and learn from their methodologies.

See page 113 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

8
Q

What is a Honeynet and how is it used?

A

A Honeynet is a group of honeypots placed in a separate network to mimic the functionality of a live network. Honeynets are accessible from an organization’s primary network.

Honeynets, like honeypots, are used to deceive attackers and divert them from live networks, and they allow security professionals to observe attackers and learn from their methodologies.

See page 113 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

9
Q

What is a Honeyfile?

A

A Honeyfile is a file designed to attract the attention of an attacker by using a name such as password.txt (indicating a file storing credentials) that is left somewhere in the network where it is easily found.

See pages 113 & 114 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

10
Q

What is Fake Telemetry?

A

Telemetry refers to the collecting of information (statistical data and measurements) and sending it to a centralized system for processing.

Fake telemetry aims to corrupt the data sent to monitoring systems, which can disrupt a system and have real-life consequences for the users supported by these systems.

See page 114 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

11
Q

What does WAN stand for?

A

WAN stands for Wide Area Network. Most vendors that manufacture wireless access points (APs) with routing capabilities (wireless routers) label the port for the internet connection as WAN.

See page 115 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

12
Q

Based on the 802.11 standards, which channels for 2.4GHz and 5GHz do not overlap? Which standard overlaps both frequencies?

A

Non-overlapping channels:

2.4GHz channels: 802.11b, 802.11g
5GHz channels: 802.11ac

Overlapping channels for 2.4 and 5GHz: 802.11n

See page 116 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

13
Q

What is a MAC cloning attack?

A

A MAC cloning attack aims to circumvent MAC filtering access control. MAC cloning attacks are done by the attacker changing their MAC address to that of an authorized MAC address on the network.

See page 117 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

14
Q

What is a Site Survey, and what are some tools mentioned in the text that are used?

A

A site survey is conducted to examine the wireless environment to identify potential issues (such as noisy areas or occupied frequency bands) and areas of good connectivity.

The text mentions the use of WiFi analyzers, heat mapping, and footprinting.

See page 117 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

15
Q

What is a WiFi Analyzer?

A

WiFi analyzers are used during site surveys to identify activity on channels within the wireless spectrum and analyze activity in the 2.4GHz and 5GHz frequency range.

See page 117 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

16
Q

What is a Heat Map?

A

Heat maps are used in site surveys to provide a color-coordinated way of representing wireless signal strengths (hotspots and dead spots if they exist).

See page 117 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

17
Q

What is Footprinting?

A

Footprinting is used in site surveys to create a detailed diagram of APs, hotspots, and dead spots within an organization’s physical space. Footprinting is done by overlaying the heat map onto a basic architectural diagram of an organization’s space.

See page 118 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

18
Q

What is WEP and its functionality?

A

Wired Equivalent Privacy was a cryptographic protocol for wireless security. This protocol has since been deprecated because of known vulnerabilities.

See page 118 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

19
Q

What does WPA2 stand for and what is its function?

A

WiFi Protected Access 2 was developed to replace earlier cryptographic protocols (WEP & WPA). WPA2 (aka IEEE 802.11i) uses strong cryptographic protocols such as the Advanced Encryption Standard (AES) and Counter-mode/CBC-MAC Protocol (CCMP).

See page 118 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

20
Q

What are the 3 modes of WPA2 and how does each mode function?

A

3 modes of WPA2:

Open - Open mode doesn’t use any security; users can simply log on to a wireless network. All data is transferred in cleartext.

Pre-shared Key (PSK) - With PSK mode, users can access the wireless network anonymously with a PSK or passphrase. This does not provide authentication (authentication allows users to prove their identity with credentials).

Enterprise - With enterprise mode, users are required to authenticate before gaining access to a wireless network. It uses an 802.1X server, commonly implemented as a RADIUS server, which accesses a database of accounts. Without the proper credentials, access is blocked.

See page 119 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

21
Q

What three pieces of information do you need when selecting Enterprise mode using an 802.1X server implemented as a RADIUS server?

A

RADIUS Server IP address: The user will have to enter the IP address of the 802.1X server, which is commonly a RADIUS server.

RADIUS Port: The user has to enter the port used by the RADIUS server. The official default port for RADIUS is 1812, but some vendors have used other ports.

Shared Secret: The shared secret is like a password, and it must be entered exactly as it is entered on the RADIUS server. This is different from the user’s password.

See page 119 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

22
Q

What is WPA3 and what is its functionality?

A

WPA3 is the latest wireless cryptographic protocol, developed to replace WPA2. It uses Simultaneous Authentication of Equals instead of PSK used with WPA2.

WPA3 also supports enterprise mode using RADIUS servers, however, it has improved security over WPA2 enterprise mode.

See pages 119 & 120 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

23
Q

What does EAP stand for and how does it function as a protocol?

A

Extensible Authentication Protocol: It provides a method for two systems to create a secure encryption key, known as the Pairwise Master Key (PMK). Systems then use this key to encrypt all data transmitted between devices. AES-based CCMP uses this key.

See page 120 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

24
Q

What does PEAP stand for and how does it function?

A

Protected Extensible Authentication Protocol (PEAP) is an authentication protocol that provides an extra layer of protection for EAP. PEAP uses a TLS tunnel to encapsulate and encrypt the EAP conversation.

PEAP requires a certificate on the server but not the clients.

See page 120 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

25
Q

What does EAP-FAST stand for and how does it function?

A

Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling: a secure replacement for Lightweight EAP (LEAP), which Cisco created.

EAP-FAST also supports certificates, but they are optional.

See page 120 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

26
Q

What does EAP-TLS stand for and how does it function as a protocol?

A

Extensible Authentication Protocol - Transport Layer Security: This protocol is the most secure EAP standard. The primary difference between PEAP and EAP-TLS is that EAP-TLS requires certificates on both the 802.1X server and the clients.

See page 120 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

27
Q

What does EAP-TTLS stand for and how does it function as a protocol?

A

Extensible Authentication Protocol-Tunneled Transport Layer Security: This protocol is an extension of PEAP, which allows systems to use some older authentication methods such as Password Authentication Protocol (PAP) within a TLS Tunnel.

EAP-TTLS requires a certificate on the 802.1X server but not on the clients.

See page 120 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

28
Q

How does RADIUS Federation function?

A

Federation allows two or more entities (organizations) to share an identity system; once a user signs on, they will have access to resources shared with the other entity without logging on again. It’s possible to create a federation using 802.1X and RADIUS servers.

See page 120 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

29
Q

How does an IEEE 802.1X server provide security?

A

IEEE 802.1X servers provide port-based and wireless authentication for wireless APs, VPN clients, and wired physical ports.

IEEE 802.1X servers can also be implemented as a Remote Authentication Dial-In User Service (RADIUS) server for remote user authentication.

802.1X can use a username and password to authenticate, or certificates for certificate-based authentication (PEAP, EAP-TTLS, EAP-TLS).

See page 121 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

30
Q

What is a Disassociation Attack and at a high level how is it carried out?

A

A disassociation attack occurs when an attacker causes a wireless client to be removed (or disassociated) from a wireless network.

A disassociation frame sent to the AP with a spoofed MAC address of a victim will cause the AP to terminate the victim’s connection to the AP and force them to re-authenticate.

See page 122 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

31
Q

What is WPS and what attack is it commonly susceptible to?

A

WiFi Protected Setup (WPS) allows users to configure a wireless AP device without using a passphrase. Instead, users can configure a wireless AP with the push of a button (a physical or virtual button) on the AP itself or in a web app, or by entering an eight-digit PIN located on the AP.

WPS is susceptible to brute force attacks, where an attacker continuously tries multiple PINs until they gain access to the AP.

It is recommended that WPS be turned off, even if it is used for initial configuration.

See pages 122-123 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

32
Q

What do you call an unauthorized AP placed within a network or made to look like a legitimate AP?

A

A Rogue Access Point

See page 123 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

33
Q

An attack that involves transmitting noise or another radio signal on the same frequency used by a wireless network to degrade network performance and/or block users’ connections to that network is called what?

A

Jamming attack

See page 124 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

34
Q

What does IV stand for and what attack technique is commonly used to exploit its vulnerabilities?

A

An Initialization Vector is a number used by encryption services to encrypt data in transit. Some wireless protocols combine an IV with a pre-shared key to encrypt data in transit.

Packet injection techniques are commonly used to exploit vulnerabilities in systems that often reuse the same IV with the pre-shared key.

See pages 124-125 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

35
Q

What are 3 common Radio-Frequency Identification (RFID) attacks mentioned in the text?

A

Sniffing or eavesdropping, replay, and DoS (jamming)

See page 125 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

36
Q

The practice of sending unsolicited messages, images, or sounds, to a nearby Bluetooth device is called what?

A

Bluejacking (think airdropping)

See page 126 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

37
Q

Gaining unauthorized access to, or theft of information from, a Bluetooth device is what type of attack?

A

Bluesnarfing - bluesnarfing attacks can access information such as email, contact lists, calendars, and text messages.

See page 126 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

38
Q

In addition to gaining full access to a mobile device, this attack also installs a backdoor on the victim’s device, allowing the attacker to manipulate the victim’s device at will.

A

Bluebugging - With bluebugging the attacker can, for example, listen in on conversations in a room by having the user’s device call them, enable call forwarding, send messages, and more.

See page 126 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

39
Q

The practice of driving or flying around to discover wireless networks and/or to perform wireless audits.

A

War Driving and War Flying

See page 126 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

40
Q

A detective control that examines the wireless signal footprint, antenna placement, power levels, and encryption of wireless traffic.

A

Wireless Audit - This can be done using war driving and war flying techniques.

See pages 126 & 127 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

41
Q

What are the two modes supported by IPSec and how does each mode function?

A

Tunnel Mode: Functions by encrypting the entire IP packet, including both the payload and the packet headers. Packet headers include IP addresses (source and VPN servers) and MAC addresses. Note that private networks’ internal IP addresses are kept hidden in tunnel mode.

Transport Mode: This mode only encrypts the payload and is commonly used in private networks, but not with VPNs. Private IP addresses are not hidden in this mode.

See page 128 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

42
Q

What does SSTP stand for, what is its function, and what port does it use?

A

Secure Socket Tunneling Protocol (SSTP) uses SSL/TLS to encrypt VPN traffic using TLS over port 443. It is a useful alternative when a VPN tunnel must go through a device using NAT, and if IPSec is not feasible.

OpenVPN and OpenConnect are two open-source applications that use TLS to create a secure channel.

See page 129 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

43
Q

What is the difference between Split Tunnel VPN configuration versus Full Tunnel VPN configuration?

A

Split Tunnel: In a split tunnel, only web traffic going to the organization’s private network will be encrypted, while all other web traffic will not go through the tunnel (i.e., general internet searches).

Full Tunnel: In a full tunnel, all web traffic (traffic to the org’s private network and general internet traffic) will be encrypted in the tunnel.

See page 129 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

44
Q

What is a Site-to-Site VPN?

A

A site-to-site VPN uses two VPN servers that act as gateways to connect two networks separated geographically.

See page 130 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

45
Q

What is the difference between Always-On VPN and On-Demand VPN?

A

Always-On VPN: Aims to establish or maintain a VPN connection at all times. For example, in a Site-to-Site VPN both VPN gateways will look to maintain their connection regardless of whether a user is actively using it. In a remote access or direct access VPN, the VPN gateway launches a connection as soon as a user’s device connects to the internet or after the device is turned on.

On-demand: The VPN connection is initiated as needed, i.e., when a user connects to a remote system.

See page 130 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

46
Q

What does L2TP stand for and how does it function?

A

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol that can also be used for VPNs. L2TP by itself does not provide any encryption; data is encrypted by another protocol (IPsec) and then passed to L2TP for transport over the VPN.

See page 131 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

47
Q

What does HTML5 stand for and how does it function?

A

Hypertext Markup Language version 5 can be used to connect to a VPN using a web browser. It uses TLS to encrypt the session; however, it can be resource intensive.

See page 131 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

48
Q

What does NAC stand for and what is its general function?

A

A Network Access Control (NAC) system conducts continuous security monitoring, aka “health checks”, of devices as they log on and while they are on the org’s network to assess whether they meet the org’s predetermined security standards (e.g., up-to-date patches, firewall enabled, up-to-date antivirus software, etc.). Devices that do not meet these standards are sent to a remediation network (quarantined) until the standards are met.

NAC-controlled networks can use agents to inspect devices; however, some NAC networks are agentless.

See pages 131 & 132 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

49
Q

What is the difference between Agent and Agentless NAC systems?

A

Agents in a NAC system (permanent agents) are permanently installed on a user’s device and stay on the client.

NAC running agentless or dissolvable agents downloads an agent to a client’s device, which runs when the client logs on remotely. Code is not installed on the client’s device permanently or temporarily; some dissolvable agents remove themselves immediately after reporting back to the NAC system, while others wait until the remote session ends.

See pages 131 & 132 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

50
Q

What do PAP and CHAP stand for and what is the fundamental difference between the two?

A

Password Authentication Protocol (PAP) is used with the Point-to-Point Protocol (PPP) to authenticate remote clients. PAP’s significant weakness is that it transmits passwords or PINs over a network in cleartext.

Challenge Handshake Authentication Protocol (CHAP) also uses PPP and authenticates remote clients; however, it uses a shared secret between the client and server that is never transmitted over the network, making it more secure than PAP.

See page 133 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

51
Q

What does TACACS+ stand for and what is its function?

A

Terminal Access Controller Access-Control System Plus (TACACS+) is an alternative to RADIUS and provides two essential benefits over RADIUS.

First: TACACS+ encrypts the entire authentication process, whereas RADIUS only encrypts the password by default.

Second: TACACS+ uses multiple challenges and responses between the client and the server.

See page 134 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study