Chapter 4: Securing Your Network Flashcards
What is an Intrusion Detection System (IDS)?
A generally reactive security system that monitors network or system activities for signs of malicious activity, unauthorized access, or policy violations and provides real-time alerts for security teams.
What is an Intrusion Prevention System (IPS)?
A proactive security system that monitors network or system traffic for malicious activity and takes immediate action to prevent attacks, such as blocking malicious packets or unauthorized access.
What are Protocol Analyzers? AKA sniffers.
A tool that captures, decodes, and analyzes network traffic to monitor communications, troubleshoot issues, and identify threats based on the analysis of network protocols.
What is a Host-based Intrusion Detection System (HIDS)?
A security system that monitors and analyzes activity on an individual host or device, detecting malicious actions, unauthorized access, and policy violations by inspecting system files, processes, and logs.
What is a Network-based Intrusion Detection System (NIDS)?
A security system that monitors and analyzes network traffic for suspicious activity, unauthorized access, or attacks, generating alerts when potential threats are detected on the network.
What is a Port Tap?
A device or method that passively captures network traffic from a specific port or interface, allowing for real-time monitoring and analysis without interfering with data flow.
What are Signature-based IDSs?
An IDS that detects known threats by comparing network traffic or system activity to a predefined set of attack signatures, generating alerts when a match is found.
What is Trend-based Detection?
A method of threat detection that analyzes historical patterns or trends over time to identify unusual behaviors or emerging threats, particularly those that develop slowly or subtly.
What is a Zero-day Exploit?
A cyberattack that exploits an unknown vulnerability in software or hardware, allowing attackers to bypass defenses before the vendor can release a patch or fix.
What is an Aggregator?
A system or service that collects and consolidates data or traffic from multiple sources into a single, unified view, often for improved management, analysis, or optimization.
An IDS reports on events of interest based on…?
Rules configured within the IDS.
What are False Positives?
Occurs when an IDS/IPS sends an alert when there is no actual attack.
What are False Negatives?
Occurs when an IDS/IPS sends no alert even though an attack exists.
What is True Negative?
Occurs when an IDS/IPS does not send an alert and there is no actual attack.
What is True Positive?
Occurs when an IDS/IPS sends an alert after recognizing an attack.
What are some similarities between IDSs and IPSs?
Both detect threats, provide real-time monitoring, and use signature and anomaly detection. Both generate alerts for suspicious activities. Both are essential components in network security infrastructure.
What are some differences between IDSs and IPSs?
An IDS is passive whilst an IPS is active. IDS is deployed in monitoring mode, whereas an IPS is deployed inline and can block traffic. IDS requires human intervention for response, whilst an IPS can automatically block threats. IDS does not affect network performance, while IPS may introduce latency due to inline processing.
What is a Honeypot?
A decoy system designed to attract and deceive attackers, allowing security teams to study their tactics and distract them from real systems.
What is a Honeynet?
A network of multiple honeypots designed to simulate a complex, real-world environment, capturing detailed data on attackers’ tactics, techniques, and procedures.
What is a Honeyfile?
A deceptive file designed to appear valuable to attackers, triggering alerts when accessed or tampered with to detect unauthorized activity.
What is a Honeytoken?
A deceptive piece of data (such as credentials or sensitive information) designed to lure attackers and trigger alerts when accessed, helping to detect unauthorized activity.
What is a Wireless Access Point (AP)?
A networking device that allows wireless devices to connect to a wired network, providing WiFi connectivity and managing data transmissions between wireless clients and the network.
Are all wireless routers APs?
Yes.
Are all APs wireless routers?
No.
What are the two primary radio bands?
The slower but greater-ranged 2.4GHz band and the faster but shorter-ranged 5GHz band.
What is a Service Set Identifier (SSID)?
What is Media Access Control (MAC) Filtering?
A network security technique that controls device access to a network by allowing or blocking devices based on their unique MAC address.
What is MAC Address Cloning?
The process of changing a device’s MAC address to mimic the address of another device, often used to bypass access controls or impersonate a network device.
What is a MAC Spoofing Attack?
A malicious technique where an attacker changes the MAC address of their device to impersonate another device, bypassing MAC-based security controls and potentially gaining unauthorized network access.
What is a Site Survey?
The process of evaluating the physical and environmental conditions of a location to optimize the placement and design of a network or wireless system, ensuring reliable coverage and performance.
What is a WiFi Analyzer?
A tool that scans and monitors wireless networks to provide insights on signal strength, channel usage, interference, and network performance, helping optimize and troubleshoot WiFi environments.
What is a Heat Map?
A visual tool that displays WiFi signal strength and coverage using color-coded representations, helping to identify strong signals, weak spots, and optimize network performance.
What is Wireless Footprinting?
The process of passively collecting data about wireless networks to map their structure, identify security measures, and find potential vulnerabilities.
What are the two types of wireless antennas?
Omnidirectional antennas for broad but shorter-range coverage, and directional antennas for focused, greater-range coverage.
What is the Wired Equivalent Privacy (WEP)?
An early WiFi security protocol using static keys and RC4 encryption, now obsolete due to severe vulnerabilities.
What is WiFi-Protected Access (WPA)?
A security protocol that improved upon WEP by using dynamic keys and TKIP, but is now outdated and less secure than WPA2 or WPA3.
What is WiFi-Protected Access 2 (WPA2)? AKA IEEE 802.11i.
A strong WiFi security standard using AES encryption and CCMP for integrity; more secure than WPA, with personal and enterprise modes.
What is the Advanced Encryption Standard (AES)?
A fast, secure symmetric encryption standard using 128-bit blocks and key sizes of 128, 192, or 256 bits, widely used in modern security systems.
What is Counter-mode/CBC-MAC Protocol (CCMP)?
A WiFi security protocol that uses AES for encryption and CBC-MAC for integrity, providing strong data confidentiality and authenticity in WPA2 and WPA3 networks.
What are the different modes of WPA2?
There are two modes: WPA2-Personal & WPA2-Enterprise.
What is WPA2-Personal?
A mode of WPA2 using a pre-shared key for access, best for homes and small networks.
What is WPA2-Enterprise?
A mode of WPA2 using individual credentials and a RADIUS server for authentication, best for businesses and larger networks.
What is WiFi-protected Access 3 (WPA3)?
The latest WiFi security standard offering stronger encryption, protection for open networks, improved password security with SAE, and better IoT device integration.
What are the different modes of WPA3?
There are two modes: WPA3-Personal & WPA3-Enterprise.
What is WPA3-Personal?
A WPA3 mode using Simultaneous Authentication of Equals (SAE) for stronger password protection, ideal for home and small business networks.
What is WPA3-Enterprise?
A WPA3 mode designed for larger organizations, using 802.1X authentication, centralized RADIUS server access, and 192-bit encryption for advanced security.
What is the Extensible Authentication Protocol (EAP)?
A flexible authentication framework that supports various authentication methods, commonly used in WiFi networks and VPNs, providing secure, customizable authentication.
What is the Protected EAP (PEAP)?
An EAP method that creates a secure TLS tunnel to protect user credentials during authentication, commonly used in WPA2-enterprise networks for wireless security.
What is the EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)?
An EAP method that creates a secure tunnel for fast and mutual authentication, providing protection against attacks and supporting quick reauthentication, commonly used in WPA2-enterprise networks.
What is EAP-Transport Layer Security (EAP-TLS)?
A highly secure EAP method that uses TLS encryption and mutual certificate-based authentication for both client and server, providing strong security for network access.
What is EAP-Tunneled TLS (EAP-TTLS)?
An EAP method that establishes a secure TLS tunnel for encryption, requiring only a server certificate and supporting various inner authentication methods for flexible secure authentication.
What is a RADIUS Federation?
A process that enables cross-domain authentication by linking multiple RADIUS servers, allowing users to authenticate in one network and access resources in another, often supporting single sign-on and centralized user management.
What is 802.1X?
A network access control standard that uses port-based authentication to control access to a network, leveraging EAP and a RADIUS server to authenticate devices before granting access.
What are Captive Portals?
A webpage that users are redirected to for authentication or terms acceptance before accessing a network, commonly used in public WiFi to manage access and enforce security policies.
What are the three examples offered by Captive Portals?
Free Internet Access, Paid Internet Access, and other alternatives to IEEE 802.1X.
What is a Disassociation Attack?
A DoS attack that sends a disassociation frame to a device or AP to forcibly disconnect it from the network, causing service disruption without gaining network access.
What is a Jamming Attack?
A DoS attack that involves sending excessive radio signals or noise on the same frequency as a wireless network, disrupting communication between devices and APs.
What is an Initialization Vector (IV) Attack?
A cryptographic attack that exploits weak or predictable initialization vectors (IVs) in encryption protocols, often targeting WEP, to recover the encryption key and decrypt sensitive data.
What is Near Field Communication?
A short-range wireless communication technology that enables devices to exchange data within a few centimeters, commonly used for mobile payments, data transfer, and access control.
What is a Near Field Communication Attack?
An attack that exploits vulnerabilities in Near Field Communication systems, such as eavesdropping, man-in-the-middle, or data manipulation, often requiring close proximity to the victim’s device.
What are Radio-Frequency Identification (RFID) systems?
A wireless identification technology using RFID tags to store data and RFID readers to communicate and read this data over radio waves, commonly used for tracking objects, animals, and access control.
What is an Active RFID?
An RFID system where the tag has its own power source, enabling long-range autonomous signal transmission for applications like asset tracking and real-time monitoring.
What is a Passive RFID?
An RFID system where the tag lacks its own power source and relies on energy from the RFID reader to transmit data, ideal for short-range, low-cost applications like inventory tracking and access control.
What is Sniffing/Eavesdropping in the context of RFID?
It’s a passive attack where an attacker secretly intercepts wireless communication between an RFID tag and reader to capture data, especially in systems without encryption.
What is RFID Cloning?
It’s an attack where a hacker copies data from a legitimate RFID tag to a malicious one, allowing them to impersonate the original tag and gain unauthorized access.
What is DoS in the context of RFID?
It’s an attack where an adversary disrupts communication between RFID tags and readers, often by jamming signals or overloading the reader, making the system unusable.
What is Bluetooth?
A short-range wireless technology that enables data exchange between devices over the 2.4GHz band, commonly used for connecting peripherals and smart devices.
What is Bluejacking?
The practice of sending unsolicited messages to nearby Bluetooth-enabled devices in discoverable mode, usually harmless and considered a nuisance rather than a serious attack.
What is Bluesnarfing?
A malicious Bluetooth attack where an attacker connects without permission to steal data like contacts, emails, or files from a vulnerable device.
What is Bluebugging?
A Bluetooth attack where an attacker gains control of a device to make calls, send texts, or eavesdrop, exploiting Bluetooth vulnerabilities.
What is a Wireless Replay Attack?
An attack where an attacker intercepts and retransmits valid wireless data to deceive a system into thinking it’s a legitimate transmission, often used to bypass authentication.
What is War Driving?
The act of driving around with a mobile device to scan for unsecured or poorly secured wireless networks, often used to gain unauthorized access to WiFi.
What is War Flying?
A technique where an attacker uses an aircraft or drone equipped with WiFi scanning tools to find unsecured or poorly secured wireless networks from the air.
What is WiFi Protected Setup (WPS)?
A network security standard that simplifies the process of connecting devices to WiFi by using methods like PIN entry, push-button setup, or NFC, though it has potential vulnerabilities.
What is a Rogue Access Point (Rogue AP)?
An unauthorized WiFi access point set up without approval, often used to bypass network security or carry out attacks like man-in-the-middle.
What is an Evil Twin?
A malicious WiFi access point set up to mimic a legitimate network, tricking users into connecting to it and allowing the attacker to intercept or manipulate their data.
What is a Virtual Private Network (VPN)?
A technology that creates a secure, encrypted connection over the Internet to protect data privacy, ensure remote access, and bypass geographic restrictions.
What is a VPN Concentrator?
A specialized device used to create and manage multiple VPN connections simultaneously, often deployed in large networks to ensure secure remote access for many users.
What is a Remote Access VPN?
A VPN that allows individual users to securely connect to a private network from a remote location, often used by employees to access company resources securely over the Internet.
In regards to IPsec, what is Tunneling Mode?
Tunneling mode is an IPsec mode where the entire original IP packet (header and data) is encrypted and encapsulated within a new IP packet, providing secure communication between two networks over an insecure medium like the Internet.
In regards to IPsec, what is Transport Mode?
A configuration where only some traffic is routed through an IPsec VPN tunnel, while other traffic (such as general Internet browsing) bypasses the tunnel and travels directly to the Internet.
In regards to a VPN, what is a Split Tunnel?
A VPN configuration where only certain traffic is routed through the VPN tunnel, while other traffic (like web browsing) bypasses the VPN and is sent directly to the Internet.
In regards to a VPN, what is a Full Tunnel?
A VPN configuration where all traffic (including both corporate and non-corporate) is routed through the VPN tunnel, ensuring full encryption and security for all Internet activities.
What are Site-to-Site VPNs?
A type of VPN that securely connects two or more networks (e.g. branch offices or data centers) over the Internet, allowing them to communicate as if they were on the same local network.
What is an Always-on VPN?
A VPN configuration that automatically establishes and maintains a secure VPN connection at all times, ensuring constant encryption of Internet traffic without requiring user intervention.
What is L2TP?
A tunneling protocol used in VPNs to create secure connections by encapsulating data. L2TP itself doesn’t provide encryption but is commonly paired with IPsec for secure data transmission.
What is an HTML5 VPN Portal?
A web-based VPN interface that allows users to securely access a network through a web browser, without needing specialized VPN client software, leveraging HTML5 technology for cross-platform compatibility.
What is Network Access Control (NAC)?
A security solution that enforces policies for devices attempting to access a network, ensuring that only authorized and compliant devices can connect, thereby reducing the risk of security breaches.
Regarding NAC, what is a Permanent Agent?
A software agent installed permanently on a device to continuously monitor and enforce network security policies, ensuring compliance before and during network access.
Regarding NAC, what is a Dissolvable Agent?
A temporary software agent that is downloaded and executed when a device connects to the network, checking the device’s security posture and then removed after the session ends.
What is the Password Authentication Protocol (PAP)?
A simple authentication protocol using a username and password, sending the credentials in cleartext, making it vulnerable to interception.
What is the Challenge Handshake Authentication Protocol (CHAP)?
A more secure authentication protocol that uses a challenge-response mechanism with hashing to verify the identity of a client without sending credentials in cleartext.
What is Point-to-Point Protocol (PPP)?
A data link layer protocol used to establish direct connections between two nodes, supporting multiple network protocols, authentication methods, and error detection.
What is Remote Authentication Dial-In User Service (RADIUS)?
A centralized AAA protocol that handles authentication, authorization, and accounting for remote access to network resources, operating over UDP with limited encryption.
What is Terminal Access Controller Access-Control System Plus (TACACS+)?
A more secure AAA protocol, commonly used for device management, which operates over TCP and fully encrypts communication, including usernames, passwords, and commands.
What are AAA Protocols?
Any protocol that provides authentication, authorization, and accounting.
What are some examples of AAA protocols?
RADIUS, TACACS+