Concepts Flashcards
What is social engineering attack?
It is the use of deception to make people submit their personal information online.
What is Diversion Theft?
It is a social engineering attack, where social engineers trick a courier company into sending the package to a different location and intercepting the mail.
What is Baiting?
It is a social engineering attack, where an attacker leaves a physical device infected with a type of malware in a place where it can be found. Like a USB that gets left around.
What is Honey Trap?
It is a social engineering attack, where a scammer pretends to be an attractive person online to build a fake relationship online to earn money or collect personally identifiable information (PII) such as the victim’s phone number and email account.
What is Pretexting?
It is a social engineering attack, where the attacker is practically lying in order to gain access to personal data or other privileged information. It is the use of believable reasons for the target to go along with whatever the person perormfing the social engineering is attempting to do.
I.e. an attacker may pose as a third-party vendor and claim that he needs to know a person’s full name and title to identify her identity.
What is Phishing?
It is a social engineering attack, where an attacker collects sensitive information such as login credentials, credit card numbers, bank account details, often posing as a trusted resource.
Phishing emails usually create a sense of urgency so that a victim feels that it is important to disclose information quickly. Despite being a relatively straightforward attack, phishing is one of the biggest cybersecurity risks.
i.e. A typical example is the use of email spoofing to disguise itself as a trusted resource like a financial institution to trick the target into downloading an infected attachment or clicking a malicious link.
What is Qui Pro Quo?
It is a social engineering attack that exploits the human tendency to reciprocate to gain access to information.
I.e. an attacker can provide free technical assistance by making a phone call to a victim and requesting assistance by making a phone call to a victim and requesting that they disable antivirus software or install a Trojan that takes over a computer.
What is Smishing?
It is a social engineering attack, is phishing done via SMS instead of email.
What is Spear Phishing?
It is a social engineering attack that targets a specific individual or organization. These types of attacks are aimed at infecting the victim with ransomware or tricking them into revealing sensitive information and data.
What is Rogue Security Software?
It is a social engineering attack, it is software that claims that there is malware present on your computer. The end-user receives a pop-up message requesting payment for the removal. If payment is not made, the pop-ups will continue, but the files are generally safe.
What is Vishing?
It is a social engineering attack, of phishing over the phone and directed at users of voice over IP (VoIP) services such as Skype. Vishing along with deep, false voices is a huge cybersecurity risk.
What is Tailgating?
It is a social engineering attack, where an attacker follows a person to a safe area. This attack relies on the person being followed, assuming they have legitmate access to the area.
What is Whaling?
It is a social engineering attack like spear-phishing yet targets high-profile individuals, like politicians, celebrities, and public company objectives.
What is Waterholing?
It is a social engineering attack, which occurs when an attacker targets a specific group of people by infecting a website they know and trust.
What are the 5 Principles (components) of Social Engineering (attacks)?
1) Authority of intimidation.
2) Consensus
3) Scarcity
4) Urgency
5) Trust and Familiarity
What is meant by the Principle of Social Engineering, of Authority or Intimidation?
Attackers use this principle of attack by playing the role of a person in leadership. They make use of this role to intimidate the target into action, or into revealing information.
What is meant by the Principle of Social Engineering, of Consensus?
This is when a hacker declares that action is normal or generally accepted in the context of an attack. Attackers use this technique when they receive skepticism from their target.
What is meant by the Principle of Social Engineering, of Scarcity?
Scarcity is similar to urgency, but the attacker will claim that there is a limited supply. The target is under the pressure to make a decision or is at risk of losing the offer due to a limited number.
What is meant by the Principle of Social Engineering, of Urgency?
This is when the attacker claims that something will only exist for a limited time. Scams like this are common for bitcoin.
What is meant by the Principle of Social Engineering, of Trust and Familiarity?
This is where the attacker tries to take advantage of exploiting a target by presenting it with something familiar. This is often something the target likes or supports.
What is up to 10 different strategies to prevent social engineering attacks?
1) Regularly conduct penetration tests using social engineering techniques. This helps identify who needs training.
2) Start a security training program targeted to create awareness.
3) Implement secure emails and web gateways to scan emails for malicious links and filter them into the trash.
4) Keep anti-malware and antivirus software up-to-date to prevent malware in phishing emails from being installed.
5) stay up-to-date with software and firmware patches on the endpoints.
6) Implement 2FA.
7) Keep track of employees with advanced authentication or who handle sensitive information.
8) Training against social engineering, password hygiene, and secure remote work practices.
9) Make sure employees don’t use the same passwords for work and personal accounts.
10) Implement spam filters for email.
What is Malware?
Nefarious software is designed for nefarious purposes.
What is Polymorphic Malware?
It changes the form and shape of code after each replication. This makes the code and signature more difficult to detect.
What is a Virus?
It is a piece of malicious code that replicates itself and is attached to another piece of executable code. Viruses are system based problems.
What is Crypto-Malware?
This is a malware designed to encrypt files on a system (without being authorized to do so). This renders the files unusable, sometimes permanently, and sometimes until a ransom is paid.
What is Crypto-Jacking?
This is malware that helps attackers to mine cryptocurrency illegally.
What is Ransomware?
This form of malware performs certain actions and extracts ransom from a user. Whenever money is demanded, then it is ransomware.
What is Worm?
This is similar to viruses in that they try to penetrate computer systems and networks and then create a new copy of themselves on the penetrated system.
Worms do not need to bind to another piece of code to reproduce. Worms are network-based problems. They can also travel without human interaction and can survive on their own.
What is a Trojan?
It is a stand-alone program installed by an authorized user, yet it has hs malicious functionality.
What is a Rootkit?
This is a form of malware specifically designed to modify the operation of an operating system in some way to facilitate non-standard functionality.
A rootkit can do everything an operating system can do, and has a lot of power to perform the malicious activity and avoid detection. Sometimes this is done by hiding files, affecting application performance, etc.
Rootkits include firmware, library, virtual, kernel, and application layers.
What is a Keylogger?
A keylogger is a software that is designed to record all keystrokes typed by a user. Keyloggers turn into malware when the user is unaware of them and is not under the user’s control.
What is Adware?
This is software that supports itself through advertising. It appears free to the user, but is self-paid through paid commercials.
What is Spy Software?
Spyware is software that “spies” on its users by recording and/or reporting their activities. This could include keylogging, recording how a user uses a program, browser history, etc.
What is a Bot?
A bot is a software program that acts under the control of another program. A bunch of these bots is called a botnet, which can be used for anything from bitcoin mining to distributed computing projects.
Uses range from customer service to influential political opinions.
What is a RAT?
A RAT is a Remote Access Trojan, a set of tools designed to provide the ability to covert surveillance and or ability to gain unauthorized access to a target system.
Or defined as a type of malware that controls a system through a remote work connection.
What is a Logic Bomb?
This is malware that sits idle for a period of time until they are activated. They can be triggered by an event or specific time or date.
What is a Backdoor?
It is a way into a system to gain access without using proper channels. It is usually a backdoor into a system.
What are Indicators of Compromise (IOCs)? What does this mean, not identify actual components.
These are indicators that a system has been compromised by authorized activity. The behavior of a system after it has been infected with malware provides forensic clues about the type of malware.
What are Plain Text / Known Encryption attacks?
This is when a hacker has access to both plaintext and encrypted copies of a message, and this allows them to crack the encryption and decrypt other messages.
What are Password Attacks and Bad Password Choices?
Since password and username authentication is everywhere, and because people have so many credentials to remember, they try not to complicate things. They reuse passwords and easy-to-find information (pet names, etc) to create passwords. Or they use common passwords, “abc123”.
What are Rainbow Tables?
These are pre-computed lookup tables of hash values for a given password.
The exam has a number of questions about the “fastest way” to crack a password. The answer is through Rainbow Tables as the hashes have already been provided. One can mitigate this by using salting, which adds a random set of characters to make a hash harder to guess or calculate.
What is a “Dictionary file”?
These are like Rainbow Tables, will need a little more assembly. A dictionary will have many possible passwords, which can be then combined or modified to generate passwords for you to test.
Kali’s RockYou dictionary is an example, and these dictionaries can be used alongside tools like fcrackzip.
What is Brute Force?
This is an attack where all the passwords of a list are tried.
What are Collision Hybrid attacks?
These attacks exploit math problems in cryptographic methods, like hashes. In normal hashes, one input is to have one output. When hash values are duplicated or
What are Degrade Hybrid attacks?
These attacks capitalize on older versions of software with backward compatibility issues.
What are Replay attacks?
These attacks happen with a capture of a series of packets or communications and then a replay of those messages to achieve authentication.
What is a Denial of Service (DoS) attack?
This is where attackers exploit vulnerabilities to deny authorized users access to specific functions or an entire system.
What are DDoS attacks?
These are Denial of Service attacks using multiple computers.
What are Man in the Middle (MitM) attacks?
This is when an attacker themselves in the middle between two communication hosts. The attacker observes all traffic then can forward traffic to the intended recipient.
This can also be utilized through session hijacking, where an attacker steals a cookie and uses it for false authentication.
What is a Buffer Overflow attack?
This occurs when an input buffer is overwritten with more data than it can handle. As a result, user input spills into other parts of memory. this make it possible for attacker to crash programs and overwrite data. Also often allow for higher level of escalation.
What is an Injection attack?
In this vulnerability, an attacker can inject data to be interpreted or executed by an application for malicious purposes.
What is Cross-Site Scripting attacks?
This is where an attacker is using a script in their input.
If run immediately and not maintained is a non-persistent xss attack.
If stored on the backend and then used against others later, it is called a persistent attack.
What is Application forgery on various sites?
This is an attack when an end-user is used to perform actions on a web application in which the user is authenticated. This attack utilities a cookie that is sent between we applications.
What are Increased Priviledges?
This simply means starting an ordinary privilege level and reaching the root or administration level. This can be done by stealing the credentials or with the help of other attacks on processes running with elevated privileges.
What are ARP Poisoning attacks?
When inquiries of the ARP table are received, the ARP table does not normally include verification. In this type of attack, an attacker can quickly provide false data in response. This is called ARP poisoning and results in a bad address of the malicious address.
What is an Amplification attack?
This refers to the use of a protocol in such a way that it applifies results by using multiple machines.
What is DNS Spoofing and poisoning attack?
DNS poisoning or spoofing is where a DNS record is changed. This results in incorrectly diverted traffic.
What is Domain hijacking attack?
Domain hijacking is simply the unauthorized act of changing the registration of a domain name.
What is a “Man in the Browser” attack?
This is similar to Man in the middle. MitB attacks involve malware that modifies the behavior of the browser through helpers or extensions.
What are Zero day attacks?
A zero day vulnerability is which there is no prior knowledge beyond the Hacker or vendor.
What are Replay attacks?
Replay attacks occur when an attacker detects a communication between two parties and replays it at a later time. This could cause a 2nd authentication not intended.
The best ways to fight these are encryption and timestamps.
What is Pass the hash attack?
This is when an attacker captures the hash value, which allows them to be able to authenticate connection without actually knowing the password.
What is Clickjacking?
Where elements of the website cause the user to click something that isn’t wanted.
A real-life example, someone subscribes to a service through a clickjacking and then needs to make a lot of phone calls to fix everything.
What is Session hijacking?
Also called TCP/IP hijacking, where an attacker takes control of an existing session between a client and a server. Since the user is already authenticated, the attacker can continue with all privileges after the attack is complete.
They could also use a DoS attack against the original client to keep them busy.
What is “URL” and “spell/typo hijacking” squat?
URL hijacking is a class of attacks that manipulate or alter a URL. This could include typos or misleading the user into thinking that they are clicking the correct URL. This could also involve malware.
The typo squat is where attackers take advantage of common typos. Political candidates face this threat all the time.
What is Driver tampering?
This isvan attack that changes drivers and therefore driver’s behavior.
This is done by shimming, which is inserting another level of code between the driver and the operating system.
This is a way developers facilitate future enhancements, but it also opens Backdoor.
What is Phishing?
Phishing refers to making it appear that a request is coming from a different than it really is.
Typically this means impersonating a known or trusted source.
What is MAC Spoofing?
This refers to changing a MAC address to bypass security checks looking for a specific MAC address.
What is IP Address Spoofing?
Changing the “from” field when sending IP packets.
What is a Smurf Attack?
When an attacker sends a spoofed packet to a broadcast address on a network, that packet will be distributed to all users on the network. Typically this means that other devices will send an echo reply to the request. The (spoofed) sender of the original echo-request packet now receives many responses.
What is Spoofing from Trusted Relationships?
One can spoof a package from one system to another system that already trusts the source. When system admins should configure firewalls to not allow packets from outside the network masquerading as packets from inside the network.
What is a Sequencing Number Spoofing?
The TCP three-way handshake generates two sequence numbers. These numbers are required for future communication. So if you are off the network, it is more difficult to see (and therefore spoof) packet sequence numbers.
What are Replay Attacks?
These are attacks where traffic is recorded between the endpoints and the wireless access point. Once recorded, the messages can be replayed to authenticate, perform a transaction, etc.
What are IV - Initialization Vector Attacks?
Initialization vectors are used in wireless systems as a “scrambling element” at the beginning of connections. Therefore, these attacks are attempts to find the IV and use it to undermine the encryption. The IV is sent in clear text and is only 24 bits long, which means it likely repeats every few hours.
What is Evil Twin Wireless Attack?
This attack uses replacement hardware. Devices connect to access points that are the “best” connection options, and inadvertently get attached to evin twins.
What is a Rogue Access Point Wireless Attack?
This is similar to an evil twin. An attacker can use an unauthorized access point to persuade users to login, enter credentials, etc.
What is Wireless Jamming?
This refers to the blocking of wireless or radio signals and the denial of service. It is illegal, so don’t do it.
What is WPS?
WPS = Wi-Fi Protected Service
This is a wireless security standard designed for easy Wi-Fi setup. Unfortuntely, the PIN used is susceptible to brute force attacks.
What is Bluejacking?
A bluetooth-related attack, which involves the unuthorized sending of messages to a Bluetooth-enabled device.
What is Bluesnarfing?
Bluesnarfing is a bluetooth-related attack that involved information theft.
What is RFID?
This is radio frequency identification. RFID tags can be passive or active. Active tags have their own power source, while passive tags are powered by Radio Frequency fields. RFIDs are increasingly used for authentication, building access, etc.
What is NFC?
NFC = Near Field Communication.
It is a wireless protocol that allows devices to talk in a very short range (about 4 inches). This is increasingly popular in mobile payment systems (touch to pay).
What are disassociation attacks?
These are attacks which disassociate or disconnect a device from the network. The Wi-Fi framework includes a “de-authorization” frame that could be sent to a device to remove it from a network. This can lead to a denial of service attack for which attackers can listen to reconnection messages and try to steal a password
What is Jamming?
This refers to the blocking of wireless or radio signals and the denial of service. This happens a lot in the military.
What is WPS?
This is a wireless security standard designed for easy Wi-Fi setup. Unfortunately, the pin it uses is susceptible to brute force attacks.
What is Bluejacking?
This involves the unauthorized sending of messages to a Bluetooth enabled device.
What is BlueSnarfing?
This is a Bluetooth related attack that involves informational theft (rather than sending unwanted information).
What is RFID?
Radio frequency ID tags can be active or passive and are used for authentication purposes.
What is NFC?
This is Near Field Communication, a wireless protocol that allows devices to talk in very short range (about 4 inches).
What is Dissolution?
Dissolution attacks mean disconnecting (or disassociating) a device from the network, and may include the “de-authentication” frame.
What are Race Conditions?
These are errors that occur when “the output of a function depends on the sequence or timing on the inputs.” If the inputs do not occur in order or are scheduled, errors occur. There are ways to work around this with locks etc. Race conditions can be used to lock down a program or system.
What are End of Life vulnerabilities?
End of Life refers to a system that no longer works as expected. Many vulnerabilities detected after after the end of life cycle bevause there is often no support for fixes or patches.
What is Lack of Supplier Support vulnerability?
This is when there is no support available if a firm keeps using software after the end of its life, or is used in a way not covered, and they are responsible for all risks.
What are Integrated System vulnerabilities?
These are vulnerabilities that occur when a system is running inside another system and often do not receive normal system updates.
What are improper handling of errors?
Avoid sharing debugging information with the outside world. Capture info to a protected log file, not the console.
What is improper inputs vulnerabilities?
These create overflow problems, XSS, XRSF, cross-paths, injection problems and more.
What is the “default settings” vulnerability?
This is a factory user name and password that often leaves default credentials, which are easy to crack.
What are “incorrect or weak configuration” vulnerabilities?
Any type of configuration that weakens the security posture of an organization or its systems.
What are “untrained users” vulnerability?
These users just break their computers, often bypassing controls or unsafe behavior.
What is “depletion of resources” vulnerability?
It is when a software program consumes all the resources available on a system.
What are “vulnerable business processes” vulnerabilities?
This falls into social engineering, it is when hackers can exploit vulnerable business practices like HR not consulting with IT, or not verifying purchase orders before sending a check.
What are “incorrectly configured accounts” vulnerabilities?
When an administrator accidentally makes configuration errors, or when user accounts have “too much” access.
What are “weak cipher suites or implementations”?
When users try to launch implementation software or poor implementation of a known cryptographic algorithm.
What is a “memory or buffer vulnerability”?
It is when the user is asked to enter input but the programmer does not verify or limit the length of input, a buffer overflow may occur, this means that other areas of memory will be overwritten.
What is “DDoS” vulnerability?
DDoS = distributed denial of service attacks
Using multiple systems to take down a target.
What are “memory leaks/loss”?
When the computer software where does not manage the memory usage properly.
What is “buffer overflow”?
This is an input valudation attack that takes advantage of programs that don’t validate the length of inputs.
This is both from programming errors and weaknesses of programming languages.
What is “integer overflow”?
Refers to an integer that “rolls over” once the maximum value is reached.
Depending on the integer, it can pass to “0” or to a negative number, which can cause logic errors.
What is “pointer reference?”
This is like an “index” of variables.
When de-referencing, we lose the index of where information is, often resulting in program crashes as information becomes misplaced or over-written.
What is “DLL injection”?
Adding a DLL (digital link library / somrtimes executible) to the program at run-time. The DLL either has a vulnerability to exploit or is maliscious.
What is “system spread and undocumented resources”?
This is the expansion of systems over time where growth exceeds understanding and documentation.
Note, the foundation of a comprehensife security program is understanding al of the resources available and how they are connected.
What are “architecture or design weaknesses”?
Structural weaknesses translate into vulnerabilities and increased risk from a systematic way. I.e. a non-segmented network allowing users to travel throughout it with ease.
What is “inadequate certificate or key management”?
When certificate or key mismangement exists, aka by not managing these keys effectively, they can be stolrn or lost.
What is a “zero-day attack”?
It is a new or not yet patched vulnerability. There often is no patch created yet.
What is penetration testing?
It is a simulated attack on a system by a hypothetical “malicious outsider”. It is meant to help identify vulnerabilities of a system.
What is “passive reconnaissance”?
Gathering information about a topic without sending traffic to a target, like using search engines. These also use passive tools like wireshark or tripwire.
What is “active reconaissance”?
Gathering information aboit a target by actively engaging or interacting directly with a target. Nmap is an active tool and can be detected by the defender.
What is a “pivot attack”?
It is where an attacker gains access to a system and then uses that system to attack or scan other systems within that network.
What is “initial exploitation”?
After reconaissance, it is simply demonstrating that a vulnerability is actually present and exploitable, but not “developing” the vulneranility.
What is persistence?
To try harder.
What is “priviledge escalation”?
Moving from a normal and assigned user account (and priviledges) to higher levels.
This is done by exploiting vulnerabilies or stealing credentials.
What is a “white box” test?
It is the penetration tester using predefined information delivered by an organization to test more complex features of a system.
What is “black box” testing?
To simulate an attack and test the software within the network without prior knowledge of internal data or infrastructure knowldge.
Many times, developers find new problems because they are not evaluating by a predefined set of rules.
What is “gray box” testing?
A mix of white and black box testing. An evaluator may have some information about a system but that information is incorrect.
What is “vulnerability scanning”?
Scanning a system for vulnerabilities. It is the process of scanning sysyems for holes, weaknesses, and problems. The goal is to find the weaknesses before the attackers.
What kind of vulnerabilities are we searching for during vulnerability scanning? Existing or new?
Existing, not zero-day.
What are “common configuration issue”?
These are often found during vulnerability scanning, like weak passwords or default credentials being used.
What is the difference between an intrusive or non-intrusive vulnerability scan?
With intrusive, it meand that data can be changed. With non-intrusive it means that data within the system is not changed. It is often the choice of the customer.
What is the difference between a credential and non-credential scans?
Credentialed scans mean attacker receives the credentials ahead of time.
What is a false positive scan?
When a scan turns up a vulnerability that doesn’t actually exist,or not reporting one that does exist, callrd a false negative.
What is the point of “web servers”?
They provide the means for users to access web pages or other data and are therefore subject to attack.
What are the point of “operating systems”?
These are the interfaces to the applications used to perform tasks or the physical hardware.
What are the point of “application servers”?
These are three servers that run messaging platforms, email servers, database servers, and more.
What are “network infrastructure devices”?
These are switches, routers, hubs, firewalls, and other special devices.
What is “Defense in Depth”?
Is a security principle that uses several different security features to increase the level of security.
What is “vendor diversity”?
This means having more suppliers.
What is “control diversity”?
It is multi-layered security in administrative and technical controls or policies to guide user actions
What are “technical policies or controls”?
These controls are those that operate in the system through technical intervention like passwords, logical access control, AV, firewalls, IPS / IDS, etc.
Why are “zones and topologies” important?
They allow layers of defense in an organization, and the innermost layers have maximum protection.
What is “DMZ”?
It is a semi-secure area that is protected from the rest of the internet by an external firewall, and the trusted area by an internal firewall.
This zone can gace web servers, remote access servers, and external email servers.
What us an “extranet”?
An externsion of a selected part of a corporate intranet to external partners. It involves both privacy and security.
What is an “intranet”?
A network that exsists entirely within the trusted zone of a network. This signifies that it is under the security control of the system administrators.
If intranet users need to access external information, a proxy server must be used to mask the location of the requester.
What are “wireless networks”?
The transmission of data over radio waves rather tgan physical cables. These networks can be concentrated and radial (a primary access point and wireless clients connecting to this AP) or a mesh network.
What is a “honeypot”?
It is a “fake” network, designed to look like the real one and thus attract attackers.
What is a “guest zone”?
It is a network segment that is isolated from the rest of the systems that guests should never have access to.
What is NAT?
Network Address Translation is used to translate private, non-routable IP addresses into public, routable IP addresses. It can be to compensate for the lack of available IP address spaces. Not all systems require all IP addresses to be routable. It is best if your organization’s topology is hidden from outsiders.
What is PAT?
Port Address Translation. Allows internal private addresses to share a single external IP address.
What is “ad hoc networking”?
Is a mesh topology in which systems can send packets to each other without a central router or switch. It is an easy and cheap direct method of communication yet it is more difficult to manage traffic and security statistics.
What are “enclaves”?
Sections of a network that are logically isolated from the rest of the network. Four ways of segmentation include physical and logical segmentation, virtualization, and air gap.
What is “physical segmentation”?
Uses seperate physical equipment for each type of traffic. Switches, routers, and cables are separate and more $$$.
What is “logical segmentation”?
Completed by using a VLAN, (virtual implementation of a LAN).
What is a “VLAN”?
A collection of devices with similar communication needs and functions that work with a single switch.
What is “virtualization”?
Provides logical isolation of the server while allowing physical co-location.
What is an “air gap”?
When there is no data path between two networks that are not connected in any way except by physical air gap. This can ve broken when someone uses a USB or other medium to transfer info out.
What are “sensors”?
These acquire data can can be network- or host-based.
What are “collectors”?
Essentially hubs for multiple sensors. Collected data often goes to other systems.
What are “correlation engines”?
These systems take collected data and compare it to known models. When traffic is routed “around” the sensors, then the engine won’t see it.
What are “process filters”?
These examine packets on a network interface and filter them based on source/destination, ports, protocols, and more. These filters must be placed inline with sensors.
What are “proxies”?
These are servers that act a as bridge between clients and other systems. For this to work, the proxy must be in the natural flow of traffic.
What are “firewalls”?
These are devices that determine whether or not traffic can pass through according to a set of rules. They need to be inline with the traffic they are regulating and are typically placed between network segments.
What are “VPN concentrators”?
These accept multiple VPN connections and terminate them at a single network point. Wherever this termination occurs, it is best to be on a network segment that allows all users to connect directly.
What are “SSL accelerators”?
These help SSL / TLS encryption at scale. They must be placed between servers and the requestors for a server.
What is a “load balancer”?
These help distribute incoming traffic across multiple servers. The load balancer must reside between the server that provides that service and the requestors for a server.
What is a “DDoS mitigator”?
This helps protect against DDoS attacks, so it must be outside the area it is protecting. It would be the first device to find a packet on its way from the internet over a network (assuming the device was present).
What are “aggregation switches”?
These provide connectivity for many other switches. This is a many-to-one connection. In must be older than the “many” devices.
What is a “Switch Port Analyzer (SPAN)”?
It is a way to copy traffic running in a port. The can be a problem if the traffic is very heavy.
What is “virtualization”?
This is an abstraction of the operating system layer so that multiple operating systems can be hosted on a single piece of hardware. These are low-level program that allow multiple operating systems to run simultaneously on a single host.
What is a “Type I Hypervisor”?
This hyper visor is running directly on the hardware. It is called native or embedded hypervisor.
What is a “Type II Hypervisor”?
This hypervisor runs on a host operating system and is common for consumers, like VMware.
What are “containers”?
These are virtual environments where parts of an operating system is separate from the kernel. This allows multiple instances of an application simultaneously. These are like virtual machines, but are for applications.
What is “virtual machine escape”?
The is when an attacker or malware can escape or move from one virtual machine to another machine using an underlying operating system.
What is “cloud storage”?
This is storage over a network. It enables better performance, availability, reliability, scalability, and flexibility.
What is “Saas”?
Software as a service. This allows providers to deliver software to end users from the cloud rather than having users download software allowing simple updates and integration.
What is “PaaS”?
Platform as a service, as offering an IT platform in the cloud. Good for scalable applications, it could work for something like a database service.
What is “IaaS”?
Infrastructure as a service. Claud-based systems that allow organizations to pay for scalable IT infrastructure instead of building their own data centers.
What is a “private cloud”?
Resources for your organization only. It is more expensive although it has less risk of exposure.
What is a “public cloud”?
The is when a cloud service is provided on a system that is open to public use. It has the least amount of security checks.
What is a “community cloud”?
This is when multiple organizations share a cloud environment for a specific, shared purpose.
What is a “hybrid cloud”?
This is a mix of community, private, and public environments that are often segregated to protect confidential and private data from public or community use.
What is a “VDI”?
Virtual Desktop Infrastructure. This allows someone to use any machine to access information hosted on the cloud.
What is a “CASB”?
Cloud Access Security Broker. This is a service that enforces security policies between your cloud service and your clients. This lets customers know they are using a cloud service securely.
What is “Security as a service”?
No acronym. This is the outsourcing of security functions. It is a third-party vendor offering a wide range of security specialties. This allows scalability without the infrastructure.
What is the “waterfall software development process”?
It is a linear process where once one phase is completed another phase starts. It tends to break easily.
What is the “agile software development process”?
This process focuses on small and quick increases in functionality. The two subcategories are scrum and XP.
Scrum is process-based while XP focuses on “user stories”.
Each adds functionality to a product iteratively.
What is “DevOps”?
A buzzword that refers to the combination of development and operations. This often takes care of large-scale systems. Automating tasks, allows us to focus on the most important and urgent items. I.e. Routine security processes can be automated.
What is “continuous integration”?
This occurs when one continuously updates and improves a production code base, and is mixed with automated testing and development in the mix.
I.e. Making a routine and incremental changes can help with safety. Well-documented changes allow tracing for any sort of problem.
What is “baselining”?
It is a process of defining metrics, measuring success against them, and then taking future snapshots of system health. And rinsing and repeating.
What are “immutable systems”?
Systems that once implemented are never modified. If there are problems or an update is needed, a completely new system replaces the older one. This can simplify difference and tracking issues.
What is “infrastructure as code”?
The use of code to build systems programmatically rather than with manual configuration. This helps maintain settings and configurations and simplifies things as systems get larger and more complex.
What is “version control”?
Thus tracks the versions of a product that is being worked on during any stage like development, staging, or production.
What is “change management”?
This is the way an organizations manages the versions currently in use and also manages changes as they are released.
What is “provisioning”?
The process by which you assign privileges and permissions to a user.
What is “de-provisioning”?
Reverse revocation of permissions.
What is “correct error handling”?
It is when errors when an attacker forces errors into an exception-handling state, these errors are caught and handled in a compilation routine and then safely reported in a log file.
What is “validation of the correct entry”?
By validating user inputs we help mitigate attacks like buffer overflows, XSS, XSRF, path traversal, and more. If the input does not make sense with the rules, it is probably a standardized request.
What is “entry standardization”?
This is the process of taking the lead and creating the simplest form of the string before continuing.
What are “store procedures”?
These are pre-compiled methods for use in databases. This helps prevent users from trying to run SQL injections because the procedures for storing entry data is standardized.
What is “code signaling”?
This is applying a digital signature to a code. It has two purposes. 1) It provides end users with a means to verify the integrity of code, and 2) it provides evidence of the origin of the software.
What is “concealment and camouflage of code”?
Purposely not exposing more information versus necessary and hiding information purposely from attackers.
What are “code reuse” and “dead code”?
This is the process of re-using code that is checked and discarding code that no longer has a purpose.
Dead code still can be run, but the results are not utilized anywhere.
What is “server-side and client-side execution and validation”?
Server-side validation is the most secure when it is performed on the server. Endpoints or clients can be easily compromised prior to validation.
What is “memory management”?
This is a set of actions used to control and coordinate the memory of a computer. This includes freeing up memory after use. If not done properly, we can get a memory leak (vulnerability).
What are “third-party libraries” and “SDKs”?
These are controlled libraries to reuse code.
What is “data exposure”?
This is losing control of the data.
What is “code quality and testing”?
Code should be reviewed before going into production to find bugs and weaknesses before an attacker does.
What is “code analysis”?
This is the process by which code is inspected. It can be done dynamically (while executing code) or statically (without executing code).
What is “static code analysis”?
This is done using automated tools. Any system including the unit, subsystem, system, and full application level is a candidate for static testing.
What is “dynamic code analysis”?
Performed by running code on the target system or in an emulator.
What is a “sandbox”?
It is an isolated environment that allows administrators to run untrusted or unverified code.
How is “validation different than checking code / code testing”?
Code testing is verifying that code meets functional requirements.
Validation checks if the program specifications capture the customer’s requirements.
Verification checks whether the software meets the specifications of the model.
What is “compiled code”?
It is code written in a language and then transformed into a compiler into executable code. This means that it can be optimized and run faster at runtime.
What is “interpreted code”?
This is when code is compiled at run time. This is slower because the interpreter handles the transformation on the fly, but it also is more flexible when changes are needed
What is “access control”?
This refers to all security functions used to prevent unauthorized access to a computer system or network.
Access is the ability of a subject (process, user, etc) to interact with an object (file, data, etc). access controls determine what a user can do or cannot do, as long as they are already authenticated.
What is the simplest form of access control?
An array, but this becomes cumbersome for larger organizations. Larger firms use Access Control Lists (ALCs).
What is “MAC”? (ACL)
Mandatory Access Control. This is used in environments with different levels of security classification.
This is a method of restricting access to objects based on the sensitivity (represented by a tag) of the information contained as objects and a form of authorization of subjects to access information of that sensitivity.
MAC uses least privilege or “need to know”.
What is “DAC”? (ACL)
Discretionary Access Control. This is a way to restict access to objects based on the identity of the subjects and/or groups to which they belong. Controls are discretional in the sense that a subject with certain access permission can pass that permission (sometimes indirectly) to another subject.
DAC uses ACLs.
What is “ABAC”?
Attribute-based access control.
This is like role-based access control, and also allows Boolean Logic. Attributes can be attributed to users, environmental, and objects.
What is “RBAC”? (ACL)
Role-based access control.
This grants or restricts permissions based on a user’s role.
or Rules-based access control.
Uses ACL to determine if access should be granted. Follows logic-based rules.
What is “physical access control”?
This is the process of enforcing and defining who has physical access to a system.
What are “proximity cards”?
These are electronic cards that allow entry through electronic gates. Sometimes these are used with pins.
What is a “smart card”?
Same as an electronic card or proximity card, usually associated with pin numbers.
What is a “biometric factor”?
Items used for security utilizing body parts like eyes, fingerprints and handscans.
What is “FRR”?
False Rejection Rate
This is the rate at which false rejections happen.
What is “FAR”?
False Acceptance Rate
Falsely accrptince people or users that should not be accepted.
What are “tokens”?
These are also security devices that include something you “have” and are often utilized along with two-factor authentication.
What is “certificate-based authentication”?
It is a means of proving identity by showing a certificate, like a smartcard or a digital certificate.
What is “file system security”?
It is a set of processes and mechanisms involved to prevent unauthorized access or or alterattion of file systems. The file system must be able to differentiate access at the user level. First you would need an access control level and yhen need to set read/write/execute permissions.
What is “database security”?
Same security conceprs, just for databases, with user access levels and defined or associated permissions.
What are “resilient systems”?
These systems quickly return to normal after some kind of outage.
What is “automation”?
It is the methods and tools used to perform tasks that would otherwise be performed manually by humans, thus improving efficiency and precision, and reducing risks.
What is “SCAP”?
Security Content Automation Protocol.
This are standards and protocols related to automation for vulnerability management.
What is “continuos monitoring”?
Describes a system in which monitoring is embedded rather than being an external event or action.
What is “configuration validation”?
This is validation of the configuration of a system against security standards.
What are “templates”?
These are master recipes that aee used to create servers, programs, systems, and more. They allow “fast and error-free creation of configurations, connecting services, testing, deployment, and more.”
Templates are based on master images of a system and also provide clean backups of operating systems and applications. This does not apply to data.
What is a “non-persistent system”?
A system that doesn’t need a backup, because changes to systems are not permament, so when a user logs off, all new files are removed.
What are “master images”?
A pre-defined full patched image of a given system.
What are “snapshots”?
These are “instant save points” in time. Usually used for virtual machines.
They are a form of backup that allows an administrator to restore a system to an earliee point in time.
What is a “rollback”?
Reverting to a previous good configuration of a system.
What is a “live boot”?
Storing a virtual machine or operating system on an external device.
It is called a live boot because it contains a complete boot system. This is useful for task specific operations like forensics, incident response and more.
What is “elasticity”?
It is the ability to dynamically increase the workload capacity of a system by using on demand hardware resources to increase scalability.
What is “scalability”?
It is a desgn element that enables a system to scale to larger workloads
What is “distributive allocation”?
The transparent allocation of requests through a variety of resources. This directly addresses the issue of security availability for a given system.
What is “redundancy”?
This is the use of multiple independent elements to perform a critical function so that if one component fails, then another can take its place.
What is “high availability”?
It is a measure of a system’s ability to provide uninterrupted access to data and services, even in the event of failure or interruption.
Fault tolerance is a design goal to achieve high availability.
What is “RAID”?
Redundant Array of Independent Disks.
This is a way to take data that is normally stored in one location and storing it across multiple disks.
Options = RAID 0 to 5, RAID 6, RAID 10.
What are “embedded systems”?
Computer systems that have a specific purpose and exist within a larger mechanical and/or electrical system.
What is “SCADA”?
Supervisory Control and Data Acquisition.
Systems designed to control automated systems in cyber-physical environments.
Aka Industrial Control Systems (ICS)?
What is “IoT”?
Internet of things.
Anything that has a microcontroller connected to the web so that it can controlled remotely. Devicrs usually have a network interface and a computing platform. From a security standpoint, they are not secure.
What is “wearable technology”?
Devices we can wear like Fitbits or trackers. These run RTOS Linux systems usually.
What is “SoC”?
Systems on a Chip.
A complete miniaturized computer system on a single integrated circuit. Designed to provide full functionality of a computibg platform on a single chip, including graphical and network display functions.
Popular in mobile computing environments.
What is “RTOS”?
Real time operating systems.
Designed for systems where processing must occur in real-time and data cannot be quered or buffered for a significant period of time.
In general, most general purpose operating systems are multitasking by design.
What are “medical device special purpose embedded systems”?
These are small implantable devices or instruments for measuring vital signs.
What are “vehicle special purpose embedded systems”?
Cars have embedded systems on their motherboards. These control things such as brakes, air bags, and more
What are “UAV special purpose embedded systems”?
Unmanned aerial vehicles. These devices srrughle wuth software updates due to he highly regulated, and they pose a security risk because they need to controlled through remote network access.
What is an “air gap”?
It is a physical and logical seperation of a network from all other networks.
What is a “man-trap”?
It prevents tailgating by having two doors in a space that you can’t keep open at the same time. Both doors require an access card or token.
What is “shoulder surfing”?
It is looking over the schoulder of anotger to see their screen.
What are “faraday cages”?
They are a means of protection against electromagnetic interference.
What is “cryptography”?
It is the science of hiding (encrypting) information.
What is “cryptanalysis”?
The process of analyzing cipher-text and other information in an attempt to translate the ciphertext into plain text.
What is “symmetric algorythm encryption”?
This is when both the sender and receiver have the same key. Although sending the key safely can present problems.
What are “common symmetric algorythms”?
Twofish, 3DES, AES, Blowfish, RC4
What is “asymmetric encryption algorythm”?
It is where the sender and receiver each have a private key which they keep to themselves, and have a public key which they can share. Each key is mathematically related to each other. Keys are often distributed through certificates.
What is “elliptical curve cryptography (ECC)”?
This is an algorythm where the sender and receiver openly choose a point on the curve and tgen individually derive the keys from that point. Ideal for lower-power phones.
What is “hashing”?
It is a special mathematical function that performs one-way encryption. It is easy to do, but nearly impossible to reverse engineer.
How can a hash be beat?
They are vulnerable to collision attacks, which means the attacker encounters two different messages that have the same value; this means integrity is lost; it can’t be proven that they started with correct/original value.
What are “common hashing algorithms”?
MD2, MD4, MD5, SHA-1, SHA-256, SHA-384, SHA-512
What is “salting”?
It is the addition of high entropy data aka random characters to make it more difficult for attcker to determine origjnal data.
What is “IVs”?
Initialization vectors, used to help achieve randomness with deterministic inputs.
What is the “purpose of encryption”?
To protect the integrity and confidentiality of data
What is a “digital signature”?
It is a cryptographic implementation intended to prove the authenticity and identity of a specific message. It uses public key kryptography.
What is “diffusion”?
The principal that statistical analysis of plaintext and ciphertext are related; a change in one character in plain text = multiple changes in ciphertext.
What is “diffusion”?
The principal that one character change in plain text must correspond to multiple changes in the ciphertext.
What is “encryption confusion”?
When each character in the ciphertext must depend on different parts of the key; this has to do with the randomness of an output.
What is “cryptographic collision”?
This is when two different inputs have the same outputs.
What is “steganography”?
The science of hiding data within other data. Often times this is hiding information in a picture.
What is “obfuscation”?
This masks an item so it is unreadable, but still usable.
How is encryption by block different than by transmission?
As blocks, meaning we can transpose data and replace operations.
By transmission, we can send encryption through other media.
What is “key force”?
This is the strength of the key, which helps determine the strength of the crypto operation.
What is a “session key”?
This is a symmetric key for encrypting messages during a communication session.
What is an “ephemeral key”?
These are keys that are used only once after generation.
What is a “direct secret key”?
It is a key owned by a public key system in which a key derived from another key is not compromised, even if the original key is compromised in the future.
What is a “secret algorithm”?
Using an algorithm where the attacker has to decode the algorithm and find the key.
What is a “CSP”?
Cryptographic Service Provider.
A software library that implements cryptographic functions.
What is “transit encryption”?
This is used to protect data in transit.
What is “data encryption”?
This is used for the protection of data at rest.
What is “low latency”?
This refers to situations that have extreme low time limits, often requiring special cryptographic functions that can deliver results quickly.
What is “high resilience”?
The ability to resume normal operations after an external disruption.
What are “low-power devices”?
Things like phones that also use ECC for calculations.
What is “confidentiality”?
Protecting data from unauthorized reading.
What is “data integrity”?
When it is shown that data has not been tampered with.
What is “obfuscation”?
Protecting something from casual observation.
What is “authentication”?
It is a property that allows you to prove the identity of a party (user, hardware, etc).
What is “non-repudiation”?
The ability to verify that a message has been sent or received in such a way that the sender or recipient cannot contest the sending or receiving.
What are “protocols”?
They are a defined set of rules that allow different components to have a “common language” for exchanging commands and data. This allows the development of interoperable devices.
What are “secure protocols”?
These are protocols that have built-in security mechanisms.
What is DNSSEC, what does it do, use cases, and what port does it use?
It is Domain Name Service System Security Extensions.
Extension of DNS tool, which enables origin authentication, denial of authenticated existence, and data integrity.
Uses case: domain name resolution.
Port 53
What is DNS, what does it do, use cases, and what port does it use?
Domain Name Service
Translates domain names to IP addresses
Uses port 53
What is SSH, what does it do, use cases, and what port does it use?
Secure Shell
This is an encrypted, remote terminal connection program used to make remote connections to a server.
Use case: remote server access
Port 22
What is “S/MIME, what does it do, use cases?
Single/Multipurpose Internet Mail Extensions.
It is a standard for the transmission of binary data by email (attachments must be exchanged with the correct encoding). Attachments are sent in clear text so attackers can hear. It is a standard for public-key encryption and MIME data signals in emails.
Use case = Email
What is “SRTP”, what does it do, use cases, and what port does it use?
Secure Real Time Transport Protocol.
This is a network protocol used for the secure delivery of audio and video messages over IP networks.
SRTP use UDP?
SRTP is not a transport, it is simply the encryption of the RTP to secure it, hence the S before RTP.
It provides encryption, authentication, and message integrity, as well as replay production.
Use case=Voice and Video Streaming
No port.
What is “LDAPS”, what does it do, use cases, and what port does it use?
Lightweight Directory Access Protocol - Secure.
It is the main protocol used to transmit directory information.
Port used = 636
What is “FTPS”, what does it do, use cases, what ports?
The implementation of FTP over an encrypted SSL / TLS channel.
Use case = file transfer.
Port = 989 and 990
What is “SFTP”, what does it do, use cases, ports?
This is FTP over SSH.
Use case= file transfer
Ports = 22
What is “SNMPv3”, what does it do, use cases, ports?
Simple Network Transfer Protocol.
This is a standard for managing devices on IP-based networks. Versions 1 and 2 are cosnidered unsafe. Version 3 was developed to address these security vulnerabilities.
Use cases = network data management; network address assignment.
Ports = 161 and 162
What is “SSL/TLS”, what does it do, use cases, ports?
Secure Sockets Layer.
An application of cryptographic technology developed for transport layer protocols on the web. SSL has been superseded by TLS, but people still use the term.
Use cases = protection of other protocols i.e. HTTP > HTTPS
Ports = does not have standard ports, depending on the protocol being protected. I.e. 443 for HTTPS.
What is “HTTPS”, what does it do, use cases, ports?
Hypertext Transfer Protocol.
This is used to transmit HTTP traffic. HTTPS is protected by HTTP with SSL/TLS.
Use case = web
Ports = 443
What is “Secure IMAP/POP”, what does it do, use cases, ports?
Protocols for email servers.
Refers to POP3 and IMAP over an SSL / TLS session
Use cases = email.
Portalns = 995 for Secure POP3 and 993 for Secure IMAP.
What is “NTP”, what does it do?
Network Time Protocol.
This is the standard for time synchronization between servers. It has no security features, although you can use it in conjunction with a TLS tunnel.
What is a “fuzz test”?
It is an automatic insertion of random data into a computer program.
It is used to find vulnerabilities of the people who developed the program and of the attackers.
What is “XSRF”?
Cross-Site Request Forgery (XSRF).
The browser of the victim is compromised and transmits unauthorized commands to the website.
The likelihood of this attack can be reduced by requesting tokens on web pages containing forms, special authentication techniques, scanning XML files, and sending cookies twice instead of once, verifying that both cookies sent match.
What is “cross-site scripting”?
Ths is an attack where an attacker inserts malicious scripts in a web page with hopes of gaining accessing session cookies, elevated privileges, and other information stored by a user’s web browser.
This code is generally injected from a separate “attack site”.It can also be manifested as an embedded Javascript image tag or HTML object.
What is the “baseline for application configuration”?
This is the process of establishing the common minimum requirements of a company. It could be a group of computers or all the computers on a network. When a new computer joins the domain, the common minimum requirements are installed and applied automatically.
The common baseline is to change default configurations, remove unwanted software, services, and games, and enable firewalls and other security features.
What is “enhanced application protection”?
This is protecting an application by disabling unnecessary services, disabling unused accounts, removing unnecessary applications, and more.
What is “application patch management”?
Any softwre is inherently vulnerable.
These are updates which typically address any known vulnerabilities.
What is a 5 step process to protecting an operating system?
1) develop the security policy.
2) Run the host software reference.
3) Configure security and operating system settings.
4) Distribute the configuration.
5) Implement patch management.
What is “anti-virus”?
This is software that can scan a computer for infections, as well as monitor computer activity, and scan new documents that may contain a virus. The software contains a virus signature file for comparison with the software scanning tool.
What is “anti-spam”?
This is a method of using filtering software to compare a list of blacklisted senders with the emails received.
What is “pop-up blocker” and “anti-spyware”?
A pop-up is a small web browser that appears on the website being viewed. Most pop-ups are created by advertisers and start as soon as a new website is visited. Pop-up blockers are often part of a package known as anti-spyware that helps prevent computers from being infected with different types of spyware.
What is “application patch management”?
There is a process of implementing software updates and patches from time to time. These updates typically address any known vulnerabilities. Therefore it is very crucial to apply these updates.
What is a “host-based firewall”?
This runs as a program, on a local system to protect it from attacks.
What is “hardware security”?
This is physical security that involves protecting the hardware of the host system, especially portable computers, netbooks, and portable tablets that can be easily stolen.
What is a “screen lock”?
This is the software that requires a password to unlock the screen and use the device.
What is “remote wipe”?
This allows the owner of a device to send a remote wipe signal to the phone to remove all data from the phone.
What is a “proximity lock”?
This automatically locks your smartphone or mobile device when the user is away from it.
What is “voice encryption”?
Utilization of encryption to prevent eavesdropping on conversations.
What is “GPS”?
Global positioning system.
This locates the device with the software implemented.
What are “strong passwords”?
Passwords that consist of at least eight characters and various types of characters, such as uppercase, lowercase, numbers, and symbols.
What is a “firewall”?
It is a software or hardware item used to enforce network security policies on all network connections.
What is NAT?
Network Address Translation.
It is an IPv4 technique used to link privately to public IP addresses.
What is “basic packet filtering”?
Using packet information, like destination and source ports, addresses, and protocols as items to filter against.
What are “firewall rules”?
I:t is similar to network policy restrictions.
What are “ACLs”?
Access Control Lists.
It is a list of users and their allowed actions.
What are “application-based firewalls?
These fire walls scan traffic and block or allow within application traffic.
What are “network-based firewalls”?
These scan network activity, IP addresses, and ports.
What are “stateless firewalls”?
These firewalls filter packets based on the individual packets themselves.
What are “stateful firewalls”?
These filter packets based on the full context of a given network connection.
What is “implicit deny”?
If traffic is not explicitly allowed, then it is denied.
What is a “VPN concentrator”?
This is a device that manages multiple VPN conversations on a network while keeping them isolated from each other. VPNs can be remote-access or site-to-site.
What is “IPsec”?
It is a set of protocols for the secure exchange of packets at the network layer (layer 3). IPsec is used in VPN to establish connections.
What is “IPsec tunnel mode”?
This means that the data, as well as the source and destination addresses are encrypted.
What is a “security association”?
This is an established combination of algorithms, keys, and so on. An SA is a one-way coversation.
What is an “AH”?
Authentication header.
This is a type of header extension that ensures the integrity of the data and the authentication of the data source.
What are “split-level VPNs”?
These are VPNs that do not route all traffic through the VPN. This is meant to avoid battlenecks.
What is a “full-tunnel VPN”?
When all traffic goes through a VPN.
What is “NIPS/NIDS”?
Network Intrusion Protection System
Network Intrusion Detection System.
One system provides the scanning and another system provides the remediation.
What is an IDS, which is signature-based?
This means that the intrusion detection system detects intrusions based on definitions of known signatures.
IDS systems can be in-line or in-band, what do these terms mean?
In-line IDS = it monitors the data as it flows through the device, which means it copies the data and examines it offline.
In-band IDS means one examines data and takes action within the system.
What are “routers”?
Network traffic management devices are used to connect different network segments.
Routers use access control lists to determine whether or not a packet should be permitted to enter a network.
What are “switches”?
Switches connect devices to each other by moving packets.
What are “proxies”?
A proxie aka proxy server is a way of filtering traffic and can be used for security by intercepting a client’s requests and forwarding them to the intended destination.
What are “load balancers”? And what are the two types?
These devices divide traffic across multiple resources and help avoid overloading a server and increase fault tolerances.
1) Active-passive = a balancer where one system is balancing everything, with another system ready to intervene if there is a failure..
2) Active-active = a balancer with a system where all balancers are active all the time.
What is a “wireless access point”?
WAP = the entry and exit point for wireless network signals to and from a network.
What are “stand-alone access points”?
These are access points that include authentication, encryption, and channel management features.
What is “data aggregation”?
They are event logs, firewall logs security, and applications logs, all in one place.
What is “correlation”?
Events or behaviors that can be correlated basd on time, common events, and more.
What is “automatic alerts and triggers”?
This means that you can set up rules to alert you based on certain patterns. SIEMMS can also have automatic reactions.
What is “time synchronization”?
This is mapping events in one time zone to another time zone.
What is “DLP”?
Data Loss Prevention.
Method to detect and prevent unauthorized data transfers within an organization. I.e. USB blocks.
What is “NAC”?
Network Access Control.
Cicso’s management methodology. It enforces policies based on the network administrator and verifies policy settings, software updates, etc.
What is “NAP”?
Network Access Protection
Microsoft’s management methodology. This measures the system integrity of connected machines. Metrics include operating system patch level, virus protection, and system policies.
What is a “mail gateway”?
These are machines that process email packets over a network. The also manage data loss, filter spam, and handle encryption.
How do gateways filter spam?
These gateways filter spam by clacklisting spam sources by domain or IP address (or whitelist). They can filter by keywords as well. More sophisticated checks include delays, reverse DNS checks, or callback checks. Additionally, agents like Gmail can “learn” from their users as they flag messages as “spam”.
What are “bridges”?
These are layer2 devises and connect two separate network segments. This is good to know because segregation of traffic can keep confidential information more segregated.
What are “SSL decryptors”?
These allow one to control traffic. They are effectively a man-in-the-middle attack and decrypt the information, review it, then re-crypt it and forward it back.
What are “media gateways”?
These are machines designed to handle various protocols, including translating from one protocol to another. Useful for organizations that use a lot of voice or video signals.
What are “HSM”?
Hardware Security Modules.
These are devices intended to manage or store cryptographic keys. They can also help with other hashing, encryption, or digital signing features.
What is “WEP”?
Wired Equivalent Protocol.
This uses as passcode to encrypt data during transmission, using an RC4 stream passcode. It has a length of 24 bits, regardless of the length of the key. This can cause the weakness of WEP, through key reuse. If an attacker waits long enough and acquires enough data, they can determine the key.
What is “WPA”?
Wi-Fi Protected Access.
This is WEP with the addition of Temporal Key Integrity Protocol (TKIP). TKIP combines the shared key with the MAC address of the card to create a new key, but WPA has no forward privacy protection, so without a VPN, if someone knows a shared key, they can listen in on traffic.
What is “TKIP”?
Temporal Key Integrity Protocol. Is a temporary measure to replace WEP without having to replace legacy hardware. This is no longer considered safe from hackers.
What is “WPA2”?
Wi-Fi Protected Access 2.
It is also known as IEEE 802.11i. It uses AES block code as the encryption protocol.
What is “CCMP”?
(Encrypted Block) Chain Counter Mode [Protocol] - Message Authentication Code. It is like AES, but requires new hardware.
What are “authentication protocols”?
These are methods used by wireless networks to provide remote authentication services.
What is “EAP”?
Extensible Authentication Protocol.
This is a protocol for wireless networks that is baed on the authentication methods used in Point-to-Point Protocol.
What is “PEAP”?
Protected EAP. developed to secure EAP communication by encapsulating it with TLS.
What is “EAP-FAST”?
Extensible Authentication Protocol - Flexible Authentication through Secure Tunnel.
It uses the secure access credentials that are used to establish a TLS tunnel. This tunnel is then used to pass the client’s credentials for verification.
What is “EAP-TLS’?
Extensible Authentication Protocol with TLS.
This means that the attacker must also have client-side certificate key to break the TLS channel.
What is “EAP-TTLS”?
The is TLS protocol with a EAP tunnel. This enables legacy authentication protocols such as PAP (Password Authentication Protocol).
What is “IEEE 802.1X”?
An authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router.
What is a “RADIUS server”?
This server determines which other RADIUS servers to send the user’s credentials to, and from there, they will be authenticated and authorized to join the network.
What is “PSK”?
Pre-Shared Key.
If a key is not large enough, it can be easily forced open.
What is “WPS”?
Wi-Fi Protected Setup.
Designed to make wireless network setup easier for home users. Unfortunately an 8-digit pin is easy to access by brute force, so it is best to disable.
What is “mobile device app management”?
The management of applications allowed on devices and the necessary permissions included in the category of application management.
What is “mobile device content management”?
Control over what content is allowed or available on phones or within apps on phones.
What is “mobile device remove wipe”?
Allows the ability to erase the data stored on a device and restore it to factory settings.
What is “mobile device geofencing”?
GPS and RFID technology can be used to create a virtual fence around certain areas. When the phone “knows” you are within that area, you can enable/disable the function, send alerts, and more.
What is “mobile device geolocation”?
Using the GPS to locate a phone and inform others.
What are “mobile device screen locks”?
This is a screen that prompts a passcode or PIN to use a device.
What are “mobile push notification services”?
These are services that send information to a phone without the phone asking for it. Push notifications allow the transfer of external information to the device, thus creating some security implications.
What are scrolling patterns on a mobile device not a good plan regarding security?
The oil residue from our fingers give away past patterns.
What are “biometrics”?
The use of fingerprints, facets, etc as phone authentication.
What is “context-sensitive authentication”?
Using contextual information such as who the user is, where the phone is, and how it is connected determines what actions or resources to follow.
What is “storage segmentation”?
Logical separation of memory within a phone.
What is “containerization”?
This is the division of the phone memory into a series of containers. This can allow the separation of personal and business information.
What is “full device encryption”?
Then is when the full device is encrypted.
What is “rooting?”
This is bypassing the operating system checks; usually in Androids.
What is “a jailbreak”?
When a user increases the privilege level of itself to avoid normal checks of an operating system.
What is a “side download”?
This is adding apps without using authorized app stores.
What is “custom firmware”?
Changing the device firmware from its original configuration. This can cause security holes.
What is a “carrier unlock”?
Breaking the connection on a mobile phone with a certain phone carrier.
What is “geo-tagging”
When the GPS location is embedded in a file like a photo.
What is “BYOD”?
Bring Your Own Device.
Benefits include minimizing costs to the organization and the ability for employees to have a single device. Disadvantages include limited corporate contol.
What is “CYOD”?
Choose Your Own Device.
Benefits = Employees gert to choose their own device.
What is “COPE”?
Company-owned, personally entrusted or licensed. The organization provides devices to employees who have chosen and paid.
What is “user identification”?
The process of assigning a computer identification to a specific user, computer network, or computing process.
What is “user authentication”?
The process of verifying an identity that has already been established in a computer system.
What is “user accounting”?
The process of allocating resource usage by account for purpose of tracking resource usage. It is also very useful for forensics after a security incident has occurred.
What are 5 types of multi-factor authentication?
1) Something You Are: refers to biometrics.
2) Something You Own: security tokens and other items that a user physically owns.
3) Something You Know: a password, PIN, or answers to “challenge” questions.
4) Something You Do: An action you perform in a unique way.
5) Somewhere You Are: Your locations, as determined by GPS and other locations.
What are “service accounts”?
Accounts that are used to run processes that do not require human intervention to start, complete, or manage. I.e. batch jobs.
What are “privileged accounts”?
These are usually administrator or root-level accounts.
What is “privilege management”?
The process of limiting a user’s ability to interact with the computer system.
What is the “least privilege”?
The idea is that privileges should be limited to what a user/application/process needs to perform its tasks and nothing else.
What is “onboarding” and “offboarding”?
Adding or removing people to a project.
What are regular “reviews of audits of permissions”?
An administrator should periodically check that user accounts on a system are necessary, justified, and represent real people who are still employed.
What is “account maintenance”?
It is a routine check of all the attributes of an account.
What are “time restrictions”?
This is where the system restricts accounts to access or privileges during non-business hours. Location-based policies also restrict access or privileges.
What is “recertification”?
This process is to determine if all users are still employed and/or require them to re-authenticate.
What is “credential management”?
It s the set of processes, software, and services use to store, manage and record the use of user credentials.
What is “LDAP”?
Lightweight Directory Access Protocol
Used to manage user authentication and authorization and to control access to Active Directory objects.
What is “Kerberos”?
It is a network authentication protocol designed for client/server environments. It involves securely exchanging symmentric keys on an insecure network.
What is “NTLM”?
In a Windows network, NT LAN Manager is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager, an older Microsoft product. Aka Windows Challenge / Response
This is a response protocol and encrypter challenge to authenticate a user. It is considered weak and outdated.
What is “TACACS”?
Terminal Access Controller Access Control System./
This is another client/service protocol operating on TCP, part 49, for identification, authorization, authentication, and accounting.
What is “CHAP”?
Challenge Handshake Authentication Protocol.
This provides authentication for a peer-to-peer connection and a periodic request / response handshake.
What is “MS-CHAP”?
Microsoft Challenge Handshake Authentication Protocol. Microsoft version of CHAP.
What is “PAP”?
Password Authentication Protocol.
A two-way handshake with established authentication. This tech is deprecated since the info is sent unencrypted.
What is “RADIUS”?
Remote Authentication Dial-In User Service.
Connectionless protocol using UDP, ports 1818 and 1813.
Another protocol that handles authorization, authentication, and accounting.
Supports authentication for PPP, PAP, CHAP, Unix login, and others.
What is “SAML”?
Security Assertion Markup Language.
A method of authentication and authorization for users in a way that allows single sign-on.
Based on XML.
What is “OpenID Connect and OAuth”?
OpenID Connect handles authentication and is based on OAuth2.0
This is best solution for new web and mobile projects.
With OpenID, a 3rd party handles authentication, so you don’t have to sign up for other accounts.
OAuth (open authentication) is a protocol that enables secure token-based authorization on the internet. Like OpenID, it is suitable for web, mobile devices, etc.
What is “Shibboleth”?
Another SSO service that enables identity-based federated authentication and authorization across networks. Built using SAML.
What are “secure tokens”?
Protocols provide tokens to users. These secure token services are responsible for renewing, issuing, validating, and canceling these security tokens. Once a client is successfully authenticated, it sends the tokens along with each request to provide its identity to the server.
What is “PKI”?
Public Key Infrastructure.
All components of secure communication like software, hardware, applications, algorithms, users, policies, services, etc. These components properly facilitate public key cryptography like digital signatures, etc.
All components are certificate-centric.
What are “certificates”?
The digital framework that carries the public keys. The use of certificates allows people to communicate and know that the messages they receive really come from the alleged sender.
What are “RAs”?
Registration Authorities.
Authority body that provides certificates once identification is obtained.
What are “CAs”?
Certification Authorities.
The trusted authority certifies people’s identity and creates electronic documents that indicate that people are who they say they are. The electronic document resulting is called a digital certificate and establishes an association between the identity of the subject and a public key.
What are “Certification Practice Statements”?
These describe how identities are verified, how certificates are generated and managed, etc.
What are “Intermediate CAs”?
These CAs work in hierachical models and also work to transfer trust between different CAs.
What is “Certificate Revocation”?
If a private key is jeopardized, the corresponding certificate must be revoked, which the CA can do. CAs render a list of all revoked certificates in a certification revocation list (CRL).
What is “OSCP”?
Online Status Certificate Protocol.
A request and response protocol that obtains the serial number of a validated certificate for a client and campares it to CRLs.
What is “certificate suspension”?
A temporary revocation of a certificate by a CA.
What is a “CSR”?
Certificate Signing Request.
This is a request made to a CA that contains a public key and other information necessary to generate a certificate.
What are “certificates”?
It is a digital document that links the identity of an individual to a public key. X.509 is the latest version.
What are the 11 certificate fields?
1) Version number X.409
2) certificate holder aka “subject”
3) public key
4) The CA issuing the certificate aka “issuer”
5) Certificate serial number
6) Dates in which it is valid for its use aka “validity”
7) Approved for certified use
8) Signature algorithm
9) Extensions
10) private and public keys
11) private keys
What is “PKI online vs offline”?
Public Key Infrastructures must be online at least part of the time so that customers can consult them. For security reasons, many PKIs are taken offline and made available only when necessary
What are “Stapled PKIs”?
This describes the process of combining related items to reduce communication steps (like lean steps).
What are “trust models”?
This is a reconstruction of systems, people, applications, protocols, technologies and policies that work together to provide a certain level of protection.
For devices in two different trusted domains to communicate, their certificate authorities must form a trust relationship aka asking for a certificate to form a bond.
What is a “hierarchical trust model”?
This is when trust models and certificates are intertwined to the end result of a root certificate, configured as a trust anchor through the client software.
What is a “peer trust model”?
This is where a CA is not subordinate to another CA, and there is no reliable anchor bwtween the CAs. Instead, the CAs certify the public key with each other. It is also called cross-certification and creates a two-way trust.
What is a “hybrid trust model”?
This is where hierarchical models can be linked via a cross-certification model or peer-to-peer. One other option is to have a bridge CA that handles cross-certification.
What is “key escrow”?
A system that allows a third party to keep your private key, as well as to store it on her hardware. This is common for law enforcement and corporations because it allows them to bypass encryption or when employees lose their private keys.
What is “certificate chaining”?
A linear “chain of trust” from one certificate to another, to another, and more.
What are 4 types of certificates?
1) End entity (host) Certificates
2) CA certificate
3) Cross-certification certifiacte
4) policy certificate
What are “end-entity” certificates?
These certificates are issued by a CA to a specific subject like a user, website, firewall, etc.
What is a “CA certificate”?
This is a self-signed certificate (for a root CA), or it can be a signed by a higher CA.
What is a “CA certificate”?
It is a self-signed certificate (for a root CA) or it can be signed by a higher CA.
What is a “cross-certification certificate”?
It is when independent CAs establish a peer-to-peer trust relationship.
What is a “policy certificate”?
This is used to provide centrally controlled policy information to PKI clients.
What are “code signing certificates”?
These are certificates that allow application signing and show compliance with policy restrictions.
What are “self-signed certificates”?
This is like a root CA, which must be self-signed since there are superior authorities.
What are “computer or machine certificates”?
These are certificates that bind identities to keys and provide means of authentication for computers.
What are “email certificates”?
These are used to identify users emails.
What is a “root certificate”?
This is a certificate that forms the initial foundation of trust in a chain of trust.
What is a “user certificate”?
These certificates identify users and also end-entity certificates.
What are “EV certificates”?
These are used for software and HTTPS websites to provide a high level of trust regarding the identity of the sender.
What is “domain validation”?
This is a low-trust way to validate someone has control over a DNS domain. This does not necessarily prove someone’s identity.
What are some common extensions of certificates?
.pfx, .p12, .der, .pem, .crt, .cer, .p7b
What is “PEM”?
Privacy-protected email.
One of the most common formats for issuing certificates. This model supports multiple digital certificates, including a certificate chain.
File tyes include .cer, .crt, .pem, .key
What is “CER”?
The certificate file extension for Windows systems.
What is “WRENCH”?
This is a certificate file extension used for both public and private keys.
What is a “protocol analyzer”?
Is a tool designed to capture and analyze wired or wireless traffic that passes through a given communication channel. Sometimes this is called a packet sniffer, network analyzer, or packet analyzer.
For this to work, one must put a network interface into promiscuous mode.
What is “promiscuous mode” with a sniffer?
This is a packet or protocol analyzer that listens to all packets, not just those addressed to it.
What is “SPAN”?
Switched port analyzer.
Contrary to the name, this analyzer copies traffic, which is then sent to a designated port for traffic capture and analysis. These can also be an important component of an IDS or IPS.
What is a “network scanner”?
A tool for probing ports on a network.
The tool will inform the user which ports are open, aka “listening”, which are closed, and which are filtered. One example is Nmap.
What is a “password cracker”?
These are tools attackers use to find weak passwords.
Administrators could also use them to test the integrity of their users’ passwords and to detect problems early.
What is a “vulnerability scanner”?
These are programs designed to scan a system for problems. These problems can include configuration errors, old software versions, etc. Application vulnerability scanners look for problems in a particular application.
What is “SCAP”?
Security Content Automation Protocol.
It is a protocol to manage information related to security configurations and validate them in an automated way.
What are “exploitation frameworks”?
These are sets of tools designed to help attackers exploit systems. Some of these tools include automation. The most famous is Metasploit.
What are “data sanitation tools”?
These are tools to get rid of data. These allow systems to be destroyed, deleted, or identified for destruction.
What are “steganography tools”?
aka Stego, often found in CTF. This is the science of hiding messages in other content.
What is a “honeypot” and “honeynet”?
A fake server designed to look like the real thing meant to be a trap for attackers.
A honeynet is a network equivalent of a honeypot.
What is a “backup utility”?
self-explanatory
What is “banner grabbing”?
A technique in which you collect information about a service through banners. These banners show the types of services, versions, etc like HTTP, FTP, SMTP, and TELNET banner broadcast services.
What is the difference between active and passive instruments or tools?
Passive instruments do not interact with the system to allow detection.
Active tools interact in a discoverable way.
What does “ping” do?
It is an echo request to a machine to determine if communication is possible.
What does “tracert’ or “traceroute” do?
It is a Windows command to trace the path a packet takes on the network.
What does “netstat” do?
This shows the network connections to or from a system.
What is “nslookup” and “dig”?
Allows a DNS query for a specific address.
What does “ARP” do?
It queries or manipulates the ARP table of a device.
Address Resolution Protocol is one of the most important protocols of the network layer in the OSI model which helps in finding the MAC(Media Access Control) address given the IP address of the system i.e. the main duty of the ARP is to convert the 32-bit IP address(for IPv4) to 48-bit address i.e. the MAC address
What does “ipconfig/ifconfig” do?
It manipulates network interfaces on a system (internet protocol settings.
What does “tcpdump” do?
It is a command-line protocol analyzer that allows you to examine packets from a network connection or a logged file.
What does “Nmap” do?
It is a network scanner and for mapping.
What is “Netcat” or “NC”?
It is used to read and write over network connections using TCP or UDP.
What does “antivirus” do?
Checks files for matches to known malware signatures and warns users.
What is “file integrity verification”?
This performs an integrity check on downloaded files to ensure that the file has not been tampered with and that you downloaded file you intended to.
What is a “host-based firewall”?
It is a firewall on a single-host system.
What is an “app whitelist”?
This is a business practice where you specify which applications can run on a system. It is useful to help fight malware.
What is a “removable media check”?
Removable media controls prevent data from being transferred from a system to a removable media location, such as a USB. This prevents risk of data exfiltration from a system. Also carries the rist of malware entering the system.
What are “advanced malware tools”?
These tools allow the user to match known malware patterns and find indicators of compromise on a system.
What are “patch management tool”s?
These allow administrators to track software in an organization and whether or not it has been updated. Alerts can also be generated for users.
What is “UTM”?
Unified Threat Management.
All-in-one services inccluding firewalls, IDS, IPS, anti -malware, content filtering and more.
What is “DLP”?
Data loss prevention.
This helps defend against attacks in which a program is loaded into the data store and then executed.
What is an “incident response plan”?
It is a set of ste[s that an organization takes in the response to any abnormal situation with respect to the operation of information systems..
What is the process of “document incident types and category definitions”?
Defining a series of incident categories and types, helps planners and rescuers know how to react. Automation and scripts can be quickly deployed to include service interruption, malware delivery, phishing attacks, data filtration, and more.
Why should “roles and responsibilities be defined in advance”?
Defining who is allowed to do what helps streamline processes when accidents occur. The more we plan, the more we can be prepared.
What are 6 stages of the “incident response process”?
1) Preparation
2) identification
3) containment
4) eradication
5) recovery
6) lessons learned.
What is the incident response process of “Preparation”?
This is the first stage and takes place before the accident. It covers all the planning.
What is the incident response process of “Identification”?
This occurs when a team member believes an incident has occurred and reports back to the team for further investigation.
What is the incident response process of “Containment”?
This is the set of actions to limit the accident to the least number of machines. I.e. disconnection of nodes or hosts from the network.
What is the incident response process of “Eradication”?
This is the elimination of a problem, usually while it is still contained. This also prevents re-infection.
What is the incident response process of “Recovery”?
This is the process of returning affected resources to normal business functions and restoring normal business operations.
What is the incident response process of “Lessons Learned”?
This is process improvement and determining what went well and what did not.
What is “disaster recovery”?
This involves the process of recovering from events that disrupt normal operations.
What are “recovery sites”?
Data center with backup information.
What are “hot sites”?
Fully configured environments that are ready almost immediately. These have ready-to-use or almost ready-touse backups.
What are “warm sites”?
Partially configured site, may take a few days to get up to speed and fully operational.
What are “cold sites”?
Data centers that have the basics for backup; can takes weeks to become fully operational.
What is the “purpose of a backup”?
To provide valid and non-currupted data in case the original data is damaged or lost
What are the four types of backups?
1) Differential: This saves only the files that have changed since the last full backup.
2) Incremental: This saves files that have changed since the last full backup or the last incremental backup.
3) Snapshot: A copy of virtual machine.
4) Full, a full copy of machine data.
Where is the best spot for backups geographically?
Best to keep backups in separate locations. Have the most recent copy locally, but other backup copies are far enough away and safe from local disasters.
What are the 8 ranked items in the “volatality order on a system”?
1) CPU, cache, and registry components.
2) Routing tables, ARP caches, process tables, and kernel statistics.
3) Network connections and data streams in real-time.
4) RAM
5) Temporary file system and swap space
6) Data on the hard disk.
7) Remotely logged data
8) Data stored on storage and backup media.
What is a “chain of custody”?
This shows who obtained the evidence, where it was stored, where it was obtained, and who had control of the evidence. For each step, you must record, who, what, when what, and how the custody happened.
What is “legal block”?
That means that once an organization is aware of the need to retain evidence for a court case, it protects that evidence.
What does “data acquisition” mean when it comes to digital forensics?
When collecting evidence, make sure that all steps including who, where, and how are considered when the process of data acquisition.
What is the “test standard of proof?
Proof has to be:
1) Enough, that is to say, definitely convincing.
2) Competent, which means one is legally qualified.
3) Relevant, which means it must be related to the case at hand.
