Chapter 4 Securing Your Network Flashcards

1
Q

What does IDS stand for?

A

Intrusion Detection System

2
Q

What does IPS stand for?

A

Intrusion Prevention System

3
Q

What does an IDS do?

A

An IDS monitors a network or host and sends an alert when it detects suspicious events. It observes and reports; it does not block.

4
Q

What does an IPS do?

A

An IPS reacts to attacks in progress and prevents them from reaching systems and networks (it sits inline, so it can drop or block the offending traffic).

5
Q

What does HIDS stand for?

A

Host-based Intrusion Detection System

6
Q

What does an HIDS do?

A

An HIDS provides protection to the individual host and can detect potential attacks and protect critical operating system files.

7
Q

Describe the logistics of an HIDS

A

An HIDS is additional software installed on a system such as a workstation or server.

8
Q

What is the primary goal for an HIDS?

A

To monitor traffic, in this case the traffic passing through the host's own network interface (NIC), and to watch for changes to critical system files.

9
Q

True or False: An HIDS can help with detecting malware.

A

True
Because of this, many organizations install an HIDS on every workstation as an extra layer of protection in addition to traditional antivirus software.

10
Q

What does NIDS stand for?

A

Network-based Intrusion Detection System

11
Q

What does an NIDS do?

A

An NIDS monitors activity on the network.

12
Q

List some devices NIDS sensors and collectors would be installed on

A

Routers, Firewalls

13
Q

True or False: An NIDS can decrypt encrypted network traffic

A

False

An NIDS can only monitor and assess traffic that is sent in plaintext (unencrypted). For TLS traffic it sees only handshake metadata unless a separate device (an SSL/TLS decryptor) terminates the session and hands it a decrypted copy.

14
Q

What does a tap or port mirror do and how is this beneficial for NIDS?

A

A port mirror (SPAN port) tells the switch to copy the traffic from one or more source ports onto a single monitor port; a network tap does the same in hardware on a link. The NIDS sensor or collector is connected to that port, so it sees all the switch traffic without sitting in the data path.

15
Q

True or False: An IDS can prevent an intrusion

A

False

An IDS can only detect an intrusion

16
Q

What is an attack?

A

Any attempt to compromise CIA - confidentiality, integrity, and/or availability

17
Q

What are the two primary methods of detection?

A

Signature-based and heuristic (also called behavioral- or anomaly-based)

18
Q

What does a signature-based IDS do?

A

A signature-based IDS compares traffic against a database of known attack patterns (signatures) and known vulnerability exploits. It is precise for the attacks it has signatures for, but it cannot detect an attack that has no signature yet, and the signature database must be kept up to date.

19
Q

What does a heuristic (behavioral-based) IDS do?

A

A heuristic (behavioral-based) IDS first establishes a baseline of normal activity and then monitors continuously, comparing current network behavior against that baseline. When it detects abnormal activity (outside the normal boundaries identified in the baseline), it raises an alert indicating a potential attack. It can catch attacks that have no signature, at the cost of more false positives, and the baseline must be refreshed as normal usage changes.

20
Q

What is a zero-day exploit?

A

A zero-day exploit targets a vulnerability that is not yet publicly known or for which the vendor has not yet released a patch. A signature-based IDS has no signature for it; a heuristic IDS may still notice the abnormal behavior it causes.

21
Q

How does an IDS utilize logs?

A

An IDS analyzes logs, either in real time or at regular intervals, to identify trends and patterns of attacks and to provide insight into how to better protect the network.

22
Q

What triggers an IDS to report an alert or an alarm?

A

Rules configured within the IDS

23
Q

____ is an alert or alarm on an event that is nonthreatening, benign, or harmless

A

A false positive

24
Q

____ is when an attacker is actively attacking the network, but the system does not detect it.

A

A false negative
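Signature and heuristic detection (cards 17 to 19) and the false positive / false negative distinction (cards 23 and 24), as an added example that is not part of the original flashcard deck. The log lines, hosts and paths below are constructed for the example, and the two signatures and the volume baseline are illustrative rules, not a real IDS ruleset.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed "known-good" traffic used to learn the baseline (hosts and paths are made up).
TRAINING_LOG = (
    ["10.0.0.5 GET /index.html 200"] * 2
    + ["10.0.0.6 GET /index.html 200"] * 3
    + ["10.0.0.9 GET /docs.html 200"] * 4
    + ["10.0.0.12 GET /index.html 200"] * 3
    + ["10.0.0.20 GET /reports.html 200"] * 2
)

# Constructed traffic to analyse: a few normal requests, three injection/traversal attempts,
# one host scanning 40 URLs, and one host running a legitimate bulk download.
SAMPLE_LOG = (
    [
        "10.0.0.5 GET /index.html 200",
        "10.0.0.5 GET /about.html 200",
        "10.0.0.7 GET /login.php?user=admin'%20OR%201=1-- 200",           # textbook SQLi
        "10.0.0.9 GET /../../etc/passwd 404",                               # path traversal
        "10.0.0.8 GET /login.php?user=admin%27%20or%20%271%27=%271 200",   # same SQLi, fully URL-encoded
        "10.0.0.5 GET /contact.html 200",
    ]
    + [f"10.0.0.12 GET /page{i}.html 404" for i in range(40)]   # scanner: abnormal volume
    + [f"10.0.0.20 GET /report{i}.pdf 200" for i in range(35)]  # legitimate export job: also high volume
)

# Signature-based detection: match known attack patterns. These two patterns exist only
# for this example; a real ruleset (Snort, Suricata) is far larger.
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)'(?:\s|%20)*or(?:\s|%20)+'?1'?\s*=\s*'?1"),
    "path-traversal": re.compile(r"\.\./"),
}

def signature_alerts(lines, normalize=False):
    """Return (source, signature) pairs. With normalize=True the URL is percent-decoded
    before matching, so encoding tricks no longer slip past the patterns."""
    alerts = []
    for line in lines:
        text = unquote(line) if normalize else line
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                alerts.append((line.split()[0], name))
    return alerts

# Heuristic (behavioral) detection: learn what normal per-source volume looks like,
# then flag any source whose request count exceeds mean + 3 standard deviations.
def build_baseline(training_lines):
    per_source = list(Counter(line.split()[0] for line in training_lines).values())
    return statistics.mean(per_source) + 3 * statistics.pstdev(per_source)

def heuristic_alerts(lines, threshold):
    """Return (source, 'request-volume', count) for every source above the threshold."""
    counts = Counter(line.split()[0] for line in lines)
    return [(src, "request-volume", n) for src, n in counts.items() if n > threshold]

if __name__ == "__main__":
    print("signature, raw     :", signature_alerts(SAMPLE_LOG))        # 10.0.0.8 is missed: false negative
    print("signature, decoded :", signature_alerts(SAMPLE_LOG, normalize=True))
    threshold = build_baseline(TRAINING_LOG)
    print("heuristic (> %.1f) :" % threshold, heuristic_alerts(SAMPLE_LOG, threshold))
    # 10.0.0.12 is a real scan; 10.0.0.20 is the legitimate download job (false positive);
    # the single-request injection attempts stay under the volume threshold (false negatives).
```

The two detectors fail in opposite ways: the signatures miss the encoded injection until the input is normalized, and the baseline rule flags the bulk download while ignoring one-shot attacks, which is why real deployments run both and tune each against their own false positive and false negative rates.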

25
Q

What is inline/in-band monitoring?

A

Monitoring of traffic that passes through the device itself, with the ability to block it

26
Q

____ is considered inline/in-band monitoring

A

An IPS

27
Q

What is out-of-band/passive monitoring?

A

Monitoring of a copy of the traffic (from a tap or mirror port); the device can alert but cannot block

28
Q

____ is considered out-of-band/passive monitoring

A

An IDS

29
Q

What does an SSL/TLS accelerator do?

A

It offloads the TLS work from the server (freeing CPU and RAM) by establishing the HTTPS session, negotiating the strongest cipher suite both client and server support, performing the key exchange, and encrypting and decrypting the session data.

30
Q

What does an SSL Decryptor do?

A

An intermediary device that terminates the HTTPS connection from each client, opens a separate HTTPS connection to the destination, and inspects the decrypted traffic in between for suspicious or malicious activity. Clients must trust the decryptor's CA certificate for this to work, and the device sees every session in the clear, so it must itself be tightly controlled.

31
Q

What does SDN stand for?

A

Software-Defined Networking

32
Q

What does an SDN do?

A

SDN separates the control plane from the data plane: the forwarding logic is centralized in software (a controller) instead of being configured on each physical network device, and the devices simply forward traffic according to the rules the controller pushes to them.

33
Q

What is the data plane?

A

The data plane is the part of the network that carries the traffic

34
Q

What is the control plane?

A

The control plane is the logic used to direct network traffic

35
Q

What is a honeypot?

A

A honeypot is a server that is deliberately left unhardened, or made to look vulnerable, to serve as a diversion for attackers. It has no production role, so any traffic to it is suspicious by definition.

36
Q

What are the two primary goals of a honeypot?

A
1. Divert attackers from the live network
2. Allow observation of an attacker

37
Q

What is a honeynet?

A

A group of honeypots in a separate network zone that is still reachable from an organization's primary network, so that it looks like a legitimate part of it.

38
Q

_____ is a port-based authentication protocol

A

IEEE 802.1X

39
Q

In wireless networking what does AP/WAP stand for?

A

Access point/wireless access point

40
Q

True or false: All wireless routers are APs

A

True

41
Q

True or false: All APs are routers

A

False

42
Q

What is a fat AP?

A

An AP which includes everything needed to connect wireless clients to a wireless network. It typically includes features such as a routing component, NAT, DHCP, wireless security options, access control lists (ACLs), and more.

43
Q

True or False: Fat APs must be configured separately from each other

A

True

44
Q

What is a thin AP?

A

An AP that is not stand-alone: a wireless controller holds the configuration (SSIDs, security settings, channels) and pushes it to every thin AP it manages, so the APs are configured centrally rather than one by one.

45
Q

What are the two primary radio bands used in wireless networks?

A

2.4 GHz and 5 GHz

46
Q

____ channels are more likely to overlap with other wireless devices and this interference affects overall performance.

A

Wider

47
Q

In wireless networks, what does SSID stand for?

A

Service Set Identifier

48
Q

What does SSID represent?

A

The name of the wireless network

49
Q

True or False: It’s a good idea to change the name of a default SSID. Explain why.

A

True
A default SSID often identifies the vendor or model of the AP, which an attacker can use to look up known vulnerabilities and default credentials for that device. Changing it also signals that the AP has been configured rather than left at its defaults.

50
Q

How would an attacker be able to determine the SSID of a wireless network if the broadcast is disabled?

A

Using a wireless protocol analyzer, an attacker can capture the probe responses and association frames exchanged when a legitimate client connects; these contain the SSID in cleartext. Disabling SSID broadcast therefore only hides the network from casual users, not from an attacker.

51
Q

_____ is a form of network access control used with port security on switches that can be used to restrict access to wireless networks.

A

MAC filtering

MAC addresses are sent in cleartext in every frame, so an attacker can capture an allowed address with a protocol analyzer and spoof it. MAC filtering deters casual access only and is not a substitute for authentication.

52
Q

____ is the most commonly used antenna on APs and wireless devices

A

Omnidirectional antennas

53
Q

Adjusting the _____ affects the range of the AP

A

Power level

54
Q

What is a guest network used for?

A

A guest network is typically a wireless network that gives guests Internet access while keeping them isolated from the organization's internal network.

55
Q

An ____ network is where wireless devices connect to each other without an AP on an as needed basis

A

Ad-hoc

56
Q

What does WPA stand for?

A

Wi-Fi Protected Access

57
Q

What does TKIP stand for and what is it?

A

Temporal Key Integrity Protocol

An older encryption protocol introduced with WPA (it still uses the RC4 cipher, with per-packet keys); it is deprecated and should no longer be used.

58
Q

What does CCMP stand for and what is it?

A

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol

A newer encryption protocol based on AES that replaced TKIP for use with WPA2. It provides confidentiality (AES in counter mode) and integrity (CBC-MAC).

59
Q

What does AES stand for and what is it?

A

Advanced Encryption Standard

It is a very strong and efficient encryption algorithm

60
Q

What does PSK stand for and what is it?

A

Pre-shared key

A mode in which users access a wireless network with a shared passphrase (the PSK). Because everyone uses the same secret, it proves only that the user knows the passphrase, not who the user is (a form of authorization rather than authentication).

61
Q

What is the difference between PSK and enterprise mode?

A

PSK only provides authorization (everyone shares one passphrase), whereas enterprise mode provides authentication and authorization: each user has a unique set of credentials and authenticates against an 802.1X server.

62
Q

To configure an AP in enterprise mode, what information do you need?

A

The IP address of the 802.1X (RADIUS) server
The port number the RADIUS server listens on
A shared secret, similar to a password, that the AP and the RADIUS server use to authenticate each other's messages

63
Q

What is open mode?

A

A wireless mode where no security configuration is implemented and allows all users to access the AP

64
Q

What does EAP stand for and what is it?

A

Extensible Authentication Protocol

An authentication framework that provides general guidance for authentication methods.

65
Q

What does PMK stand for and what is it?

A

Pairwise Master Key

The top-level key that a wireless client and the AP share for a session. In PSK mode it is derived from the passphrase and the SSID; in enterprise mode it is produced by the EAP authentication and the 802.1X server passes it to the AP. The PMK itself does not encrypt data: the client and AP derive the per-session keys from it in the four-way handshake, and those keys encrypt the traffic between them.
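How the PMK relates to the passphrase, the SSID and the per-session keys (cards 49, 60, 61 and 65), as an added example that is not part of the original deck. The derivation steps are the WPA2 / IEEE 802.11i ones (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations for the PMK, then the "Pairwise key expansion" PRF over the two MAC addresses and the two handshake nonces for the PTK); the passphrases, SSIDs, MAC addresses and nonces are constructed.

```python
import hashlib
import hmac
import os

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so a precomputed table only works for one network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Four-way handshake (CCMP): PTK = PRF-384(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    KCK authenticates the handshake messages, KEK wraps the group key, TK encrypts data frames."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

if __name__ == "__main__":
    # Constructed network: one AP and two stations that both know the passphrase.
    ap = bytes.fromhex("02aabbccdd01")
    alice, bob = bytes.fromhex("02aabbccdd10"), bytes.fromhex("02aabbccdd20")
    pmk = derive_pmk("correct horse battery staple", "CorpWiFi")
    # Every PSK user derives the same PMK: the network learns that the passphrase was
    # right, not who typed it (authorization, not authentication).
    anonce = os.urandom(32)
    tk_alice = derive_ptk(pmk, ap, alice, anonce, os.urandom(32))["TK"]
    tk_bob = derive_ptk(pmk, ap, bob, anonce, os.urandom(32))["TK"]
    print("shared PMK         :", pmk.hex())
    print("alice TK != bob TK :", tk_alice != tk_bob)   # fresh nonces per association
    # Same passphrase under a different (e.g. default) SSID gives an unrelated PMK.
    print("other SSID PMK     :", derive_pmk("correct horse battery staple", "linksys").hex())
```

Two points follow directly from the code: a default SSID such as "linksys" is a salt that attackers have already precomputed tables for, which is one more reason card 49 says to change it, and a disassociation (card 73) forces a new handshake with new nonces, so the traffic keys change even though the PMK does not.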

66
Q

What is EAP-FAST?

A

Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling
Created by Cisco to replace Lightweight EAP (LEAP). Supports certificates, but they are optional.

67
Q

What is PEAP?

A

Protected EAP
A protocol that protects the communication channel by encapsulating and encrypting the EAP conversation in a TLS tunnel. Requires a certificate on the server but not on the client. Typically used with MS-CHAPv2 as the inner authentication method (PEAP-MSCHAPv2).

68
Q

What is EAP-Tunneled TLS EAP-TTLS?

A

A tunneled EAP method similar to PEAP that allows systems to use older authentication methods, such as Password Authentication Protocol (PAP), inside a TLS tunnel. Requires a certificate on the server but not on the clients.

69
Q

What is EAP-TLS?

A

One of the most secure and widely implemented EAP standards. Requires certificates on both the server and the client (mutual certificate-based authentication), so it needs a PKI that can issue client certificates.

70
Q

What is RADIUS federation?

A

Where two or more entities share the same identity management system through use of RADIUS.

71
Q

A ____ ____ is a technical solution that forces clients using a web browser to complete a specific process before it allows them access to the network

A

Captive portal

72
Q

What are some common examples of captive portals?

A
1. Free Internet access after accepting an AUP (acceptable use policy), which then allows guests to reach the Internet
2. Paid Internet access: when the user tries to reach the Internet they are redirected to a captive portal to pay
3. An alternative to an IEEE 802.1X server, since implementing 802.1X can be expensive
73
Q

What is a disassociation attack?

A

An attack that removes a wireless client from a wireless network, forcing it to reauthenticate. The attacker sends a disassociation (or deauthentication) frame to the AP, spoofing the client's MAC address. These management frames are unauthenticated unless the network uses protected management frames (802.11w), so any station in range can send them.

74
Q

What does WPS stand for and what does it do?

A

Wi-Fi Protected Setup
Allows users to configure wireless devices without typing in the passphrase. Users can configure devices by pressing buttons on the AP and the client, or by entering a short eight-digit PIN.

75
Q

What is a WPS attack?

A

When an attacker keeps trying different PINs until one succeeds (a brute force attack). The eight-digit PIN is validated in two halves and its last digit is a checksum, so only about 11,000 guesses are needed. It is recommended to disable WPS on APs.

76
Q

What is a rogue AP?

A

An AP placed in a network without official authorization

77
Q

What is an evil twin?

A

A rogue access point with the same SSID as a legitimate access point.

78
Q

What is a jamming attack?

A

When an attacker transmits noise or another radio signal on the same frequency used by a wireless network, interfering with the wireless transmissions (a denial of service).

79
Q

What are some ways to overcome a jamming attack?

A

Using a different channel (although the attacker can also switch channels)
Increasing the power level

80
Q

What is a wireless initialization vector attack?

A

An attack that attempts to recover the key (in WEP, the shared key) by collecting many packets and exploiting weaknesses in how the initialization vector (IV) is combined with the key

81
Q

When is an IV attack successful?

A

When an encryption system reuses the same IV. Two packets encrypted with the same key and IV share the same keystream, so knowing one plaintext reveals the other, and enough repeated IVs let the attacker recover the key itself. In many IV attacks the attacker uses packet injection techniques to add additional packets into the data stream, so that repeats occur far faster than they would from normal traffic.
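Why a repeated IV matters (cards 80 and 81), as an added example that is not from the original deck: a minimal RC4 implementation with a WEP-style per-packet key (the 24-bit IV prepended to the shared key; the CRC-32 ICV that real WEP appends is omitted). The key, IVs and packet contents are constructed. It shows the simplest consequence of IV reuse, recovering one packet's plaintext from another packet that shares its keystream when that other plaintext is known (in practice the known plaintext comes from packets with predictable contents, such as ARP, which the attacker provokes by replaying); the full WEP key-recovery attack builds on the same weakness but needs many more packets and statistical analysis.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by the keystream generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input

IV_LEN = 3   # WEP's IV is 24 bits: only 16,777,216 values before one must repeat

def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: cleartext IV || RC4(IV || shared key, plaintext).
    The IV is sent in the clear so the receiver can rebuild the per-packet key."""
    return iv + rc4(iv + shared_key, plaintext)

def recover_with_known_plaintext(packet_a: bytes, known_plaintext_a: bytes, packet_b: bytes) -> bytes:
    """Attacker's view: two captured packets with the same IV share a keystream, so
    keystream = C_a XOR P_a, and then P_b = C_b XOR keystream (as far as P_a reaches)."""
    iv_a, ct_a = packet_a[:IV_LEN], packet_a[IV_LEN:]
    iv_b, ct_b = packet_b[:IV_LEN], packet_b[IV_LEN:]
    if iv_a != iv_b:
        raise ValueError("IVs differ, so the keystreams differ: nothing to recover")
    keystream = xor(ct_a, known_plaintext_a)
    return xor(ct_b, keystream)

if __name__ == "__main__":
    shared_key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\x00\x00\x2a"
    # Packet A: a frame whose plaintext the attacker knows (a provoked ARP request).
    known = b"ARP request: who has 10.0.0.1? tell 10.0.0.7"
    packet_a = wep_encrypt(iv, shared_key, known)
    # Packet B: a victim's frame that happened to reuse the same IV.
    packet_b = wep_encrypt(iv, shared_key, b"POST /login user=admin&pw=hunter2")
    print(recover_with_known_plaintext(packet_a, known, packet_b))
```

The attacker never learns the shared key here and does not need to: keystream reuse alone exposes the victim's data. This is the property that TKIP's per-packet key mixing and CCMP's per-packet nonce (card 90) were designed to remove.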

82
Q

An eavesdropping attack is a form of what?

A

An NFC (near field communication) attack

83
Q

What happens during an eavesdropping attack?

A

The attacker uses an NFC reader with an antenna that boosts its range, and intercepts the data transfer between two other devices.

84
Q

What is bluetooth?

A

Bluetooth is a short-range wireless system used in personal area networks (PANs) and within networks.

85
Q

A __ is a network of devices close to a single person

A

Personal Area Network (PAN)

86
Q

What is Bluejacking?

A

The practice of sending unsolicited messages to nearby Bluetooth devices. Typically text but can be images or sounds.

87
Q

What is Bluesnarfing?

A

Unauthorized access to or theft of information from a Bluetooth device

88
Q

What is bluebugging?

A

Similar to Bluesnarfing but in addition to gaining full access to the device the attacker installs a backdoor allowing them to listen in on phone conversations, enable call forwarding, send messages, etc.

89
Q

What is a replay attack?

A

When an attacker captures data sent between two entities and later retransmits (replays) it, sometimes after modifying it, in an attempt to impersonate one of the parties.

90
Q

True or False: WPA2 using CCMP and AES is vulnerable to replay attacks

A

False

WPA2 using CCMP and AES is not vulnerable to replay attacks, because every CCMP frame carries a packet number that the receiver checks and will not accept twice; WPA with TKIP is vulnerable. (The 2017 KRACK attack showed that the four-way handshake could be abused to reset that counter on unpatched devices; vendor patches close it.)

91
Q

What does RFID stand for and what is it?

A

Radio Frequency Identification

RFID systems include a reader and tag used to track and manage inventory, assets, etc.

92
Q

What is RFID sniffing/eavesdropping?

A

When an attacker listens on the same frequency that the RFID transmits data on and exfiltrates data

93
Q

What is an RFID replay attack?

A

When an attacker performs eavesdropping and then captures data transferring between entities and impersonates one of the parties

94
Q

What is an RFID DoS attack?

A

Attempts to disrupt services i.e. by launching a jamming or interference attack, flooding the frequency

95
Q

What does VPN stand for and what does it do?

A

Virtual Private Network

Allows users to access private networks via a public network

96
Q

What is a VPN concentrator?

A

It is a dedicated device used for VPNs which includes all the services needed to create a VPN including strong encryption and authentication techniques and supports many clients.

97
Q

Where in the network is a VPN concentrator typically located?

A

In the DMZ (screened subnet), where Internet clients can reach it without being given direct access to the internal network

98
Q

What are two ways IPSec provides security?

A

Authentication and encryption

99
Q

How does IPSec handle authentication?

A

IPsec includes an Authentication Header (AH), IP protocol number 51, which authenticates each packet and protects its integrity, so each host in the IPsec conversation can verify that the data came from the other peer and was not modified. AH does not encrypt the data.

100
Q

How does IPSec handle encryption?

A

IPsec includes Encapsulating Security Payload (ESP), IP protocol number 50, to encrypt the data and provide confidentiality. ESP can also authenticate the packets, which is why most VPNs use ESP alone rather than AH.

101
Q

What does IKE stand for and what is it?

A

Internet Key Exchange
Used in IPsec over UDP port 500 (UDP port 4500 when traversing NAT) to authenticate the peers in the IPsec conversation. It creates security associations (SAs) for the VPN and uses them to set up a secure channel between the client and the VPN server.

102
Q

What does SSTP stand for and what does it do?

A

Secure Socket Tunneling Protocol

It encrypts VPN traffic using TLS over TCP port 443

103
Q

What are the benefits for using SSTP?

A

Provides administrators with flexibility and rarely requires opening additional ports. Good alternative when the VPN tunnel must go through a device using NAT and IPsec is not feasible

104
Q

What is a split tunnel VPN?

A

Only traffic that matches configured criteria (typically destinations on the private network) is sent through the VPN tunnel; everything else goes directly to the public Internet. This saves bandwidth, but the Internet-bound traffic bypasses the organization's inspection and filtering.

105
Q

What is a full tunnel VPN?

A

Where all traffic goes through the encrypted tunnel while the user is connected to the VPN.

106
Q

What is a disadvantage of full tunnel VPN?

A

It can be slow due to the additional hops the traffic makes and since it has to be decrypted and encrypted

107
Q

What is a site-to-site VPN?

A

Where two VPN servers act as gateways for two networks separated geographically.

108
Q

What is an always-on VPN?

A

When a VPN connection is persistent. The opposite is that the VPN connection is only established when a user connects to a remote system.

109
Q

What does NAC stand for and what is it?

A

Network Access Control

Method of control to ensure that clients meet predetermined characteristics prior to accessing a network.

110
Q

What are common health conditions checked by a NAC?

A

Up-to-date antivirus software, including updated signature definitions
Up-to-date operating system, including current patches and fixes
Firewall enabled on the client

111
Q

What are authentication agents and what do they do?

A

They inspect NAC clients to check different conditions on a computer and document the status in a statement of health

112
Q

What is a remediation (quarantine) network?

A

An intermediary network which a client/host is directed to if the computer fails health check conditions. The remediation network provides access to resources the client can use to get healthy.

113
Q

What is a permanent agent?

A

A persistent agent installed on the client and stays on the client.

114
Q

What is a dissolvable agent?

A

A non-persistent agent which is downloaded and run on the client when the client logs on remotely. Removed either after performing health check or end of remote session. Often used on mobile devices

115
Q

What does PAP stand for and what is it?

A

Password Authentication Protocol

A protocol used with Point-to-Point Protocol (PPP) to authenticate clients.

116
Q

A significant weakness of ___ is that it sends passwords over a network in cleartext, representing a significant security risk.

A

PAP

117
Q

What does CHAP stand for and what is it?

A

Challenge Handshake Authentication Protocol
A protocol used with PPP to authenticate clients that is more secure than PAP. The server sends a challenge containing a nonce (number used once); the client hashes the shared secret together with the nonce and returns the hash, so the secret never crosses the network and a captured response cannot be replayed against a new challenge.
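The PAP and CHAP exchanges side by side (cards 115 to 117), as an added example that is not part of the original deck. The CHAP response is computed as RFC 1994 specifies, MD5 over the one-byte identifier, the shared secret and the challenge value; the user names, secret and challenge values are constructed, and the dictionaries stand in for the real PPP frames.

```python
import hashlib
import hmac
import os

SHARED_SECRET = b"correct horse battery staple"   # constructed; both sides must know it

# --- PAP: the password itself is the credential and travels in the clear ---
def pap_authenticate_request(peer_id: str, password: str) -> dict:
    """PAP Authenticate-Request. Anyone capturing the link reads the password field."""
    return {"code": "Authenticate-Request", "peer_id": peer_id, "password": password}

def pap_verify(request: dict, stored_password: str) -> bool:
    return hmac.compare_digest(request["password"].encode(), stored_password.encode())

# --- CHAP: the server challenges with a nonce, the client proves it knows the secret ---
def chap_challenge(identifier: int) -> dict:
    """Server -> client. A fresh random value for every authentication (the nonce)."""
    return {"code": "Challenge", "id": identifier, "value": os.urandom(16)}

def chap_response(challenge: dict, secret: bytes, name: str) -> dict:
    """Client -> server. Response Value = MD5(Identifier || secret || Challenge Value) (RFC 1994)."""
    digest = hashlib.md5(bytes([challenge["id"]]) + secret + challenge["value"]).digest()
    return {"code": "Response", "id": challenge["id"], "value": digest, "name": name}

def chap_verify(challenge: dict, response: dict, secret: bytes) -> bool:
    """Server recomputes the hash with its own copy of the secret and the challenge it sent."""
    if response["id"] != challenge["id"]:
        return False
    expected = hashlib.md5(bytes([challenge["id"]]) + secret + challenge["value"]).digest()
    return hmac.compare_digest(expected, response["value"])

if __name__ == "__main__":
    # What an eavesdropper sees on the wire in each case:
    print("PAP  :", pap_authenticate_request("alice", "hunter2"))        # password in cleartext
    challenge = chap_challenge(identifier=7)
    response = chap_response(challenge, SHARED_SECRET, "alice")
    print("CHAP :", challenge, response)                                 # nonce and hash, no secret
    print("accepted:", chap_verify(challenge, response, SHARED_SECRET))
    # Replaying the captured response against the next challenge fails: new nonce, new hash.
    print("replayed:", chap_verify(chap_challenge(identifier=8), response, SHARED_SECRET))
```

Two trade-offs the flashcard does not mention: the CHAP server must keep the secret in a recoverable form so it can recompute the hash, and a captured challenge/response pair can be attacked offline by guessing the secret, so CHAP defeats sniffing and replay but not weak secrets.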

118
Q

What is a benefit of MS-CHAPv2?

A

It allows for mutual authentication. Client to server and server to client

119
Q

What does RADIUS stand for and what is it?

A

Remote Authentication Dial-In User Service

A centralized authentication service

120
Q

Does RADIUS use TCP or UDP?

A

UDP (port 1812 for authentication and 1813 for accounting; some older deployments use 1645 and 1646)

121
Q

What does TACACS+ stand for and what is it?

A

Terminal Access Controller Access-Control System Plus

A Cisco alternative to RADIUS that uses TCP port 49

122
Q

Which system encrypts the entire authentication process?

A

TACACS+
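What "encrypts the entire authentication process" means in practice (cards 119 to 122), as an added example that is not from the original deck. The RADIUS User-Password hiding follows RFC 2865 section 5.2 (MD5 of the shared secret and the Request Authenticator, XORed with the NUL-padded password in 16-byte blocks, chaining each ciphertext block into the next MD5); the TACACS+ body obfuscation follows RFC 8907 section 4.5 (an MD5 chain over session id, key, version and sequence number used as a pad over the whole packet body). The secrets, authenticator, session id and packet contents are constructed, and the packets are dictionaries or byte strings rather than real wire encodings.

```python
import hashlib
import os

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# --- RADIUS (RFC 2865 5.2): only the User-Password attribute is hidden ---
def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S || RA); c_i = p_i XOR MD5(S || c_{i-1}). Password NUL-padded to 16n (1..128 octets)."""
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = xor_bytes(padded[i:i + 16], block)
        out += chunk
        prev = chunk
    return out

def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side, or anyone holding the shared secret and a captured packet."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += xor_bytes(chunk, block)
        prev = chunk
    return out.rstrip(b"\x00")

def radius_access_request(user: str, password: bytes, secret: bytes) -> dict:
    """Everything except User-Password travels in the clear (user name, NAS address, ...)."""
    ra = os.urandom(16)                           # Request Authenticator: random per request
    return {"Request-Authenticator": ra, "User-Name": user,
            "User-Password": radius_hide_password(password, secret, ra),
            "NAS-IP-Address": "192.0.2.10"}      # constructed documentation address

# --- TACACS+ (RFC 8907 4.5): the whole body after the 12-byte header is obfuscated ---
def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id || key || version || seq_no); MD5_n = MD5(same || MD5_{n-1})."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id.to_bytes(4, "big") + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the body with the pseudo-pad; applying it a second time restores the body."""
    return xor_bytes(body, tacacs_pseudo_pad(session_id, key, version, seq_no, len(body)))

if __name__ == "__main__":
    secret = b"radius-shared-secret"                      # constructed
    pkt = radius_access_request("alice", b"hunter2", secret)
    print("RADIUS on the wire :", pkt)                    # user name readable, password hidden
    print("server recovers    :", radius_reveal_password(pkt["User-Password"], secret, pkt["Request-Authenticator"]))
    # Constructed authentication START body: a few header-style bytes, then user, port,
    # remote address and password (layout simplified from RFC 8907).
    body = b"\x01\x00\x01\x01\x05\x04\x09\x07" + b"alice" + b"tty0" + b"127.0.0.1" + b"hunter2"
    hidden = tacacs_obfuscate(body, session_id=0x1234ABCD, key=b"tacacs-key")
    print("TACACS+ on the wire:", hidden.hex())           # no field of the body is readable
    print("peer restores      :", tacacs_obfuscate(hidden, session_id=0x1234ABCD, key=b"tacacs-key"))
```

Neither mechanism is real encryption by today's standards: both are MD5 constructions keyed by a shared secret, RFC 8907 itself calls the TACACS+ scheme obfuscation, and both protocols are now deployed over TLS where possible (RadSec, RFC 6614, for RADIUS). The card's point still stands: a RADIUS capture shows who is logging in from where, while a TACACS+ capture shows only the packet headers.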

123
Q

Which system uses multiple challenges and responses between the client and server?

A

TACACS+

124
Q

_____ is an extension of RADIUS that can work with EAP

A

Diameter

125
Q

What does AAA stand for?

A

Authentication Authorization Accounting

126
Q

RADIUS, TACACS+, and Diameter are considered ____ protocols because they provide authentication, authorization, and accounting

A

AAA