Course Notes Flashcards

1
Q

Switch

A
An OSI layer 2 device
• Hardware bridging ASICs (very fast!)
• Forwards traffic based on MAC address
• The core of an enterprise network
• High bandwidth - Many simultaneous packets
2
Q

Router

A
An OSI layer 3 device
• Routes traffic between IP subnets
• Routers inside of switches are sometimes
called “layer 3 switches”
• Layer 2 = Switch, Layer 3 = Router
• Often connects diverse network types -
LAN, WAN, copper, fiber
3
Q

Firewall

A

OSI layer 4 (TCP/UDP), some firewalls filter
through OSI layer 7
• Filters traffic by port number
• Can encrypt traffic into/out of the network
and between sites
• Can proxy traffic - A common security technique
• Most firewalls can be layer 3 devices (routers)

4
Q

Load balancer

A

Distributes the load over many physical servers
• Very common in large environments
• Load balanced evenly across servers or
based on specific content types

5
Q

Proxy

A

Sits between the users and the external network
• Receives the user requests and sends
the request on their behalf (the proxy)
• Applications may need to know how to
use the proxy (explicit)
• Some proxies are invisible (transparent)

6
Q

All-in-one security appliance

A

Unified Threat Management (UTM) /
Web security gateway
• URL filter / Content inspection, malware
inspection, spam filter, CSU/DSU, router, switch,
firewall, IDS/IPS, bandwidth shaper, VPN endpoint

7
Q

VPN concentrator

A
The connection point
for remote users
• Traffic is encrypted across the
Internet and decrypted on the
internal private network
8
Q

Intrusion detection/prevention system

A
Protects against OS and application exploits
• Detection
• Alerts but does not stop the attack
• Prevention
• Blocks the attack
9
Q

Protocol analyzer

A
  • Captures network packets
  • Decodes each part of the communication
  • Sees all of the network conversation
10
Q

Spam Filters

A

Stop unsolicited email at the gateway
• Whitelist
• Only receive email from trusted senders
• SMTP standards checking
• Block anything that doesn’t follow RFC standards
• rDNS - Reverse DNS
• Block email where the sender’s domain
doesn’t match the IP address
• Tarpitting
• Intentionally slow down the server conversation
• Recipient filtering
• Block all email not addressed to a valid
recipient email address

11
Q

Web Application Firewall

A
• Applies rules to HTTP conversations
• Allow or deny based on expected input
• Protects against exploits like SQL injections
and buffer overflows
• Focus of Payment Card Industry Data
Security Standard (PCI DSS)
12
Q

Application-aware Security Devices

A

• Network-based Firewalls
• Control traffic flows based on the application
• Microsoft SQL Server, Twitter, YouTube
• Intrusion Prevention Systems
• Identify the application
• Apply application-specific vulnerability signatures
to the traffic
• Host-based firewalls
• Work with the OS to determine the application

13
Q

Configuring firewall rules

A

• Allow or disallow traffic based on security tuples
• Source IP, Destination IP, port number,
time of day, application, etc.
• Evaluated top-to-bottom
• There’s an implicit deny at the bottom

14
Q

VLANs

A

Logically separate your switch ports into subnets
• VLANs cannot communicate to each
other without a router
• Group users together by function

15
Q

Secure router configuration

A
  • Always change the default login / password
  • Protect configuration file transfers
  • TFTP - in the clear
  • SCP - encrypted
  • HTTPS - encrypted
16
Q

Access Control Lists (ACLs)

A

• Permissions associated with an object
• Used in file systems, network devices,
operating systems, and more

17
Q

Switch port security

A
  • IEEE 802.1X
  • Port-based Network Access Control (PNAC)
  • Makes extensive use of EAP and RADIUS
  • Extensible Authentication Protocol
  • Remote Authentication Dial In User Service
  • Disable your unused ports
  • Enable duplicate MAC address checking / spoofing
18
Q

Flood Guards

A
Commonly seen on intrusion prevention systems
• DoS / DDoS
• Denial of Service
• SYN floods
• Overload a server
• Ping floods / ping scans
• Overwhelm the network
• Identify what’s out there
• Port floods / port scans
• Identify open ports on a device
19
Q

Spanning Tree Protocol (STP)

A
  • IEEE standard 802.1D
  • Prevents loops in bridged (switched) networks
  • Built into the switch configuration options
20
Q

Network Separation

A

Separate switches, separate routers, no overlap
• Used in sensitive environments
• Logical separation
• Virtualization of the network infrastructure

21
Q

Log Analysis

A
  • Good for post-event analysis
  • Can provide useful real-time analysis
  • Automation and consolidation is the key
22
Q

Remote Access

A

An important requirement
• We are increasingly mobile
• Take advantage of encryption technologies
• Keep everything private
• Consider adding additional authentication
technologies (One-time passwords)
• Constantly audit your access logs

23
Q

Telephony

A

One of the newest digital technologies
• And one of the most difficult to secure
• Firewalls generally don’t like VoIP technologies
• You’ll need protocol-specific application gateways
• Don’t forget your legacy telephony!
• Long distance still costs money

24
Q

Network Access Control

A
A complex technology
• But powerful when well engineered
• Very useful in large open environments
• Universities and large enterprises
• Requires a large security infrastructure
• Authentication is critical
• Redundancy is required
25
Q

Virtualization

A
  • Huge cost savings
  • Security must catch up to the speed of change
  • The control of physical objects is gone
  • Difficult to apply external security components
  • Requires additional insight
  • Harder to view intra-server communication
  • Take advantage of your logs
  • They’ll tell you much more than you can see
26
Q

Defense in Depth

A

Good security has many layers
• Firewall, DMZ, authentication, intrusion detection,
VPN access, anti-virus and anti-malware software

27
Q

DMZ (Demilitarized Zone)

A

• A layer of security between your internal network
and the Internet
• Protects external-facing services
• Usually less trusted than the Internal network connection

28
Q

Vlan Additional info

A

Logically separate your switch ports into subnets
• VLANs cannot communicate to each other without a router
• The router/firewall becomes the gatekeeper
• Control your organization’s traffic from within
• Group users together by function
• Be careful not to separate users too far from their resources
• Is often integrated with the NAC
• Move people automatically into their VLAN based on credentials

29
Q

Platform as a Service (PaaS)

A
  • No servers, no software, no maintenance team
  • No hardware of any kind
  • Someone else handles the platform, you handle the product
  • You don’t have control of the data, people, or infrastructure
  • SalesForce.com is an example of PaaS
30
Q

Software as a service (SaaS)

A
  • On-demand software, no local installation
  • Used for common business functions such as payroll services
  • Data and applications are centrally managed
  • Gmail and Google Docs is an example of SaaS
31
Q

Infrastructure as a service (IaaS)

A

• Sometimes called Hardware as a Service (HaaS)
• Equipment is outsourced
• You are still responsible for the overall device and application
management
• You’re also responsible for the security
• Your data is out there, but more within your control
• Web hosting and email services would be an example of IaaS

32
Q

Cloud Deployment Models

A
  • Private - A virtualized data center
  • Public - Available to everyone over the Internet
  • Hybrid - A mix of public and private
  • Community - Several organizations share the same resources
33
Q

Network Attached Storage (NAS)

A

Connect to a shared storage device
across the network
• File-level access

34
Q

Storage Area Network (SAN)

A

Looks and feels like a
local storage device
• Block-level access

35
Q

Fibre Channel over Ethernet (FCoE)

A

• Run Fibre Channel over Ethernet; not routable

36
Q

Fibre Channel over IP (FCIP)

A

• Encapsulate Fibre Channel frames into IP

37
Q

iSCSI - Internet Small Computer Systems Interface

A

Send SCSI commands over an IP network

38
Q

FTP

A

tcp/20, tcp/21

File Transfer Protocol

Sends and receives files between systems

39
Q

SSH

A

tcp 22

Secure Shell

Encrypted console login

40
Q

SCP

A

tcp 22

Secure Copy

Relatively simple file copy over SSH

41
Q

SFTP

A

Secure File Transfer Protocol

SSH File Transfer with file management

42
Q

Telnet

A

tcp 23

Telecommunication network

Remote console login to network devices

43
Q

SMTP

A

tcp 25

Simple mail transfer protocol

Transfer email between mail servers

44
Q

DNS

A

udp 53 tcp 53

domain name services

Convert domain names to IP addresses

45
Q

TFTP

A

udp 69

Trivial File Transfer Protocol

A very simple file transfer protocol

46
Q

HTTP

A

tcp 80

Hypertext Transfer Protocol

Web server communication

47
Q

POP3

A

tcp 110

Post Office Protocol version 3

Receive mail into a mail client

48
Q

NetBIOS Name service

A

udp 137

NetBIOS Name service

Register, remove, and find services by name

49
Q

NetBIOS datagram service

A

udp 138

Connectionless data transfer

50
Q

NetBIOS Session Service

A

tcp 139

Connection-oriented data transfer

51
Q

IMAP4

A

tcp 143

Internet Message Access Protocol v4

A newer mail client protocol

52
Q

SNMP

A

udp 161

Simple Network Management Protocol

Gather statistics and manage network devices

53
Q

HTTPS

A

tcp 443

Hypertext Transfer Protocol Secure

Web server communication with encryption

54
Q

TLS/SSL

A

tcp 443

Transport Layer Security/Secure Sockets Layer

Secure protocols for web browsing

55
Q

FTPS

A

tcp 990, 989

File transfer protocol over secure sockets layer

Adds security to FTP with TLS/SSL

56
Q

RDP

A

tcp 3389

Remote Desktop Protocol

Graphical display of remote device

57
Q

ICMP

A

Internet control message protocol

Send management messages between devices

58
Q

IPsec

A

Various

Internet Protocol Security

Authentication, Integrity, confidentiality, and encryption

59
Q

OSI Layer 1

A

Physical

Signaling, cabling, connectors

(cables, NICs, hubs)

60
Q

OSI Layer 2

A

Data Link - The switching layer

Frames, MAC addresses, EUI-48, EUI-64, switches

61
Q

OSI Layer 3

A

Network - The routing Layer

IP addresses, routers, packets

62
Q

OSI Layer 4

A

Transport - post office layer

TCP segments, UDP datagrams

63
Q

OSI Layer 5

A

Session - communication between devices (control protocols, tunneling protocols)

64
Q

OSI Layer 6

A

Presentation - encoding and encryption

SSL/TLS

65
Q

OSI Layer 7

A

Application - The layer we see

Google Mail, Twitter, Facebook

66
Q

Please do not throw sausage pizza away

A

Physical, Data link, network, transport, session, presentation, application

67
Q

EAP

A

EAP (Extensible Authentication Protocol)
• An authentication framework
• WPA and WPA2 use five EAP types as
authentication mechanisms

68
Q

LEAP

A

Lightweight Extensible Authentication Protocol
• Cisco proprietary
• Uses passwords only
• No detailed certificate management
• Based on MS-CHAP
(including MS-CHAP security shortcomings)

69
Q

PEAP

A

(Protected Extensible Authentication Protocol)
• Created by Cisco, Microsoft, and RSA Security
• Encapsulates EAP in a TLS tunnel
• Only one certificate needed, on the server

70
Q

WEP

A
  • 64-bit or 128-bit key size
  • Cryptographic vulnerabilities found
  • WEP is no longer used
71
Q

WPA

A
  • Short-term workaround after WEP
  • Used the RC4 cipher with TKIP (Temporal Key Integrity Protocol)
  • TKIP has its own vulnerabilities
72
Q

WPA2

A

• Replaced TKIP with CCMP (Counter Mode with Cipher Block
Chaining Message Authentication Code Protocol)
• Replaced RC4 with AES (Advanced Encryption Standard)
• WPA2 is the latest and most secure wireless encryption method

73
Q

WPA2-Enterprise

A
  • WPA2-Enterprise adds 802.1X
  • RADIUS server authentication

74
Q

Captive Portal

A

Authentication to a network
• Common on wireless networks
• Access table recognizes a lack of authentication
• Redirects web access to a captive portal page
• Username / password
• And additional authentication factors
• Once proper authentication is provided,
the web session continues
• Until the captive portal removes your access

75
Q

Omnidirectional Antennas

A
  • One of the most common
  • Included on most access points
  • Signal is evenly distributed on all sides
  • Omni=all
  • Good choice for most environments
  • You need coverage in all directions
  • No ability to focus the signal
  • A different antenna will be required
76
Q

Directional Antennas

A
  • Focus the signal - Increased distances
  • Send and receive in a single direction
  • Focused transmission and listening
  • Antenna performance is measured in dB
  • Double power every 3 dB of gain
  • Yagi antenna - Very directional and high gain
  • Parabolic antenna
  • Focus the signal to a single point
77
Q

MAC (Media Access Control) filtering

A
Access is controlled through
the physical hardware address
• It’s easy to find a working MAC address with
wireless LAN analysis
• MAC addresses can be spoofed
• Security through obscurity
78
Q

SSID (Service Set Identifier) Management

A

• The SSID is the name of the wireless network
• e.g., LINKSYS, DEFAULT, NETGEAR
• Change the SSID to something appropriate for its use
• The SSID broadcasts can be disabled
• You can still determine the SSID
through wireless network analysis
• Security through obscurity

79
Q

TKIP - Temporal Key Integrity Protocol

A

Temporal Key Integrity Protocol
• Created when WEP was broken - we needed a stopgap
• Mixed the keys - Combines the secret root key with the IV
• Adds sequence counter - Prevents replay attacks
• 64-bit Message Integrity Check - Protects against tampering
• Used in WPA (Wi-Fi Protected Access)
prior to the creation of WPA2

80
Q

CCMP

A

• Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol
• Replaced TKIP when WPA2 was published
• Based on AES and uses a 128-bit key and a 128-bit block size
• Requires additional computing resources
• Data confidentiality - Only authorized parties can access info
• Authentication - Provides proof of genuineness of the user
• Access control - Allow or disallow access to the network

81
Q

Site Surveys

A

Sample the existing wireless spectrum
• Identify existing access points
• Work around existing frequencies, plan for interference
• Plan for ongoing site surveys - things will certainly change

82
Q

VPN over Wireless Networks

A

Wireless from your local coffee shop - no encryption
• Everyone around the coffee shop can see your traffic
• Exceptionally easy to capture your data
• Some of your data might be encrypted with HTTPS. Maybe.
• Protect all of your traffic with a VPN tunnel

83
Q

Control types

A

Technical security controls, Management security controls, Operational security controls

84
Q

Technical security controls

A

Access control, audit and accountability,
identification and authentication,
system and communications protection

85
Q

Management security controls

A

Security assessment and authorization, planning,
risk assessment, system and services acquisition,
program management

86
Q

Operational security controls

A

Awareness and training, configuration management,
contingency planning, incident response, maintenance,
media protection, physical and environmental
protection, personnel security, system and
information integrity

87
Q

False Positives

A

A report that isn’t true - a false alarm or mistaken identity
• IDS/IPS information - only as good as the signatures
• Workstation anti-virus - False positives can remove legit files
• Consider a second opinion - http://www.VirusTotal.com

88
Q

False Negatives

A

A report missed identifying something - no notification
• Malicious traffic got through your defenses
• It’s difficult to know when this happens - It’s completely silent
• Get catch/miss rates with industry tests - IPS, anti-virus

89
Q

Security policies

A
A set of policies that covers many areas of security
• Human resource policies
• Business policies
• Certificate policies
• Incident-response policies
90
Q

Risk Calculation

A

• Annualized Rate of Occurrence (ARO)
• How likely is it that a hurricane will hit?
In Montana? In Florida?
• SLE (Single Loss Expectancy)
• What is the monetary loss if a single event occurs?
• Laptop stolen = $1,000
• ALE (Annual Loss Expectancy)
• ARO x SLE
• 7 laptops stolen a year (ARO) x $1,000 (SLE) = $7,000
• The business impact can be more than monetary
• Quantitative vs. qualitative

91
Q

Quantitative Risk Assessment

A
  • Assign a dollar value to risk
  • Single Loss Expectancy (SLE) - How much loss for one event?
  • Annual Loss Expectancy
  • SLE x Annual Rate of Occurrence (ARO)
  • Often difficult to calculate without historical reference
  • How risky is a buffalo stampede?
92
Q

Qualitative Risk Assessment

A

• Identify significant risk factors
• Ask opinions about the significance
• Display visually with traffic light grid
or similar method

93
Q

Threat Assessment

A
  • Where are we vulnerable to threats?
  • OS, applications, 3rd-party connections, Internet
  • Constant vigilance
  • New threats discovered all the time
  • Old threats become popular again
94
Q

Vulnerability Assessment

A
Actively scan a network in search of vulnerabilities
• Known vulnerabilities
• Automated process
• For unknown vulnerabilities,
consider input validation/fuzzing
• Can identify obvious and not-so-obvious vulnerabilities
• Lack of application/OS patches
• No anti-virus/anti-spyware
• Weak passwords
95
Q

Vulnerabilities

A

• A flaw or weakness
• A door with a broken lock
• An operating system library that
grants administrative access
• This doesn’t mean your system has been breached
• Someone first has to know about the vulnerability
• Vulnerabilities were there, but previously unknown
• This is why we patch
• New vulnerabilities are identified all the time

96
Q

Threat Vectors

A
The path that the threat takes to the target
• Target: Your computer, mobile
device, gaming system
• Email: Embedded links, attached files
• Web browser: Fake site, session hijack
• Wireless hotspot: Rogue access point
• Telephone: Social engineering
• USB flash drive: Auto-executing malware
• And many more…
97
Q

Threat Probability

A

• Identify actual and potential threats
• Regardless of the probability
• Identify as many vulnerabilities as possible
• Check your OS, your services, and your applications
• Nobody said this would be easy
• Now you can calculate the likelihood
of a successful exploit
• There’s no official formula here
• Different organizations will have different priorities

98
Q

Deflecting Risk

A

Risk avoidance, risk transference, risk acceptance, risk mitigation, risk deterrence.

99
Q

Risk-avoidance

A

Stop participating in high-risk activity

100
Q

Risk transference

A

Buy some insurance

101
Q

Risk acceptance

A

A business decision; we’ll take the risk!

102
Q

Risk mitigation

A

Decrease the risk level

103
Q

Risk deterrence

A

Big dogs, security fences, warning signs

104
Q

Risks with Cloud Computing

A
Control of data
• Data in the cloud can potentially
be accessed by anyone
• Security is managed elsewhere
• Your control mechanisms are
in the hands of others
• Server unavailability / Account lockout
• Cloud computing doesn’t
guarantee availability
105
Q

Risks associated with virtualization

A
  • Compromising the virtualization layer puts all systems at risk
  • There is little control over VM to VM communication
  • Support for “virtual firewalls” is an emerging technology
  • Single physical host contains VMs that have different security profiles
  • Physical separation is no longer possible
  • There is potential for loss of separation of duties
  • System admin controls many servers on a single piece of hardware
106
Q

Recovery Time Objectives

A

Mean time to restore (MTTR), Mean time to repair (MTTR), Mean time to failure (MTTF), Mean time between failures (MTBF), Recovery time objective (RTO), Recovery point objective (RPO)

107
Q

MTTR

A

Mean time to restore (MTTR)

• Mean time to repair

108
Q

MTTF

A

Mean time to failure (MTTF)

• The expected lifetime of a product or system

109
Q

MTBF

A
  • Mean time between failures (MTBF)
  • Predict the time between failures

110
Q

RTO

A

Recovery time objectives (RTO)
• Get up and running quickly
• Get back to a particular service level

111
Q

RPO

A
  • Recovery point objectives (RPO)
  • How much data loss is acceptable?
  • Bring the system back online; how far back does data go?
112
Q

On-boarding

A
• Bring a new partner into the organization
• This is more particular than hiring new staff
• Many agreements will be in place
• Legalities associated with business
and security matters
• Implement technical functions
• Secure connections between partners
• Usually as an IPsec tunnel or physical segmentation
• Establish an authentication method
• Provide access to shared resources
• Audit all security controls
• Properly share (and separate) data
113
Q

Off-boarding

A
This process should be pre-planned
• You don’t want to decide how to do
things at this point
• How will the systems be dissolved?
• What happens to the data?
• When will the final connections be terminated?
114
Q

Social Media and Third-Party Concerns

A

Management of data
• Social media data includes privacy concerns
• Some of the data is extremely valuable
• Your social media reputation
• Someone else is tweeting for you
• The tone is as important as the message
• Account control is important
• Social media accounts are shared by a large group
• A mistake on one phone can be seen by many

115
Q

Interoperability Agreements

A

Memorandum of Understanding (MOU), Service Level Agreement (SLA), Business Partners Agreement (BPA), Interconnection Security Agreement (ISA)

116
Q

MOU

A

Memorandum of Understanding
• Informal letter of intent; not a signed contract
• Usually includes statements of confidentiality

117
Q

SLA

A
  • Service Level Agreement (SLA)
  • Minimum terms for services provided
  • Uptime, response time agreement, etc.
118
Q

BPA

A

Business Partners Agreement (BPA)

• Commonly seen between manufacturers and resellers

119
Q

ISA

A

Interconnection Security Agreement (ISA)

• Used by US Federal Government to define security controls

120
Q

Privacy Considerations

A

Privacy of the individual
• Both personal and professional
• Legally mandated privacy laws in many European countries
• An employer can’t track your personal computer use
• Customer data often contains an aspect of privacy
• Even benign data can be combined to violate privacy
• Third-party agreements must consider privacy
• The rules should be in place from the beginning

121
Q

Data Ownership

A

Data is everything
• The most important asset in an organization
• Without the data, there’s no company
• The owner of the data has a responsibility
• Protection, privacy
• Technical / Logical controls
• Physical controls
• Who owns the data if the third-party agreement ends?

122
Q

Risk Awareness with Third-Parties

A
Combine two systems
• Hopefully get a seamless technical integration
• Security must be designed into the project
• Usually designed by teams from
both organizations
• Everyone must be aware of the risks
• Security policies must be examined
for additional risks
• Resources, business requirements,
and risk must be balanced
• Agreements must be in place
• For example: Who does backups?
Who gets access to the backups?
How are the backups stored?
123
Q

Data Ownership

A
Who owns the data?
• There’s more than one participant
• Is there more than one owner?
• What part of the data is owned by which partner?
• Data ownership agreements can avoid
some of the messy details
• Where is the data stored?
• Who owns the data when the relationship is over?
• How is data destroyed?
124
Q

Third-party Data Sharing

A
• Data shared between partners
• Network connections may exist
• Proper controls may not be in place
• Data shared with others
• Agreements are usually in place with
the data owners
• Data is sometimes shared with
others without permission
125
Q

Data Backups with Third-Parties

A
  • Backups are often overlooked
  • They contain everything
  • Data backups are often kept off-site
  • Yet-another third-party
  • Losing data from a backup is a very bad thing
  • Seems to happen more often than you might think
  • Not all backups are the same
  • Financial data, health care data, top secret data, etc.
126
Q

Security Policy Considerations with Third-parties

A

The security policy is the weakest link
• A badly implemented security policy puts data at risk
• Protect information between vendors, partners, and
customers
• Avoid data modification, disclosure, damage, or destruction
• Most of this language is contractual
• Everybody understands their responsibilities
• Security policies are constantly updated
• The threat landscape is constantly changing

127
Q

Third-Party Security Compliance

A

Third-party relationships add to the need for security
compliance
• Shared resources require additional oversight
• Compliance can be technically challenging
• Cloud-based services add additional complexity
• Some compliance requirements are legally mandated
• HIPAA - Health Insurance Portability and Accountability Act
• PCI DSS - Payment Card Industry Data Security Standard
• FISMA - Federal Information Security Management Act
• Perform a gap analysis
• Determine all gaps in security
• Resolve the issues
• Some issues can’t be easily resolved
• A decision must be made regarding cost vs. benefit
• Perform periodic audits
• These audits may be involved and far-reaching
• More coordination required with the third-party

128
Q

Change Management

A

• Upgrade software, change firewall configuration,
modify switch ports
• Occurs very frequently
• The change management process is often
overlooked or ignored
• Clear policies are needed
• Frequency, duration, installation process, fallback procedures

129
Q

Incident Management

A
  • Series of events that negatively affects the organization
  • Database hack, stolen laptop, water pipe burst
  • Who will be contacted when an incident occurs?
  • Who’s responsible for managing the incident response?
  • Technical steps for handling systems and preserving evidence
  • What goes on the report?
130
Q

User Rights and Permissions

A
• Management sets the limits
• Security team administers the limits
• You must translate management requirements
into technical access
• Periodic audits are useful
131
Q

Auditing

A
  • Does everyone have the correct permissions?
  • How are your resources used?
  • Are your systems and applications secure?
  • Are your disaster recovery plans going to work?
  • Can you contact the right people at the right time?
  • Document everything
132
Q

Capturing system images

A
Copy the contents of a disk
• Bit-for-bit, byte-for-byte
• Software imaging tools
• Use a bootable device
• Remove the physical drive
• Use a hardware write-blocker
• Get the backup tapes
• These may already be available
133
Q

Preventing data loss or theft

A
  • Involves process and procedure
  • Some of the most difficult data policies to implement
  • It’s very easy to carry large amounts of data around
  • There are both internal and external threats
  • You have to protect everywhere
  • This is a bigger threat every day
134
Q

Data Loss Prevention Systems

A
  • On your computer - Data in use
  • On your network - Data in motion
  • On your server - Data at rest
135
Q

Network traffic and logs

A
Traffic logs
• Firewalls log a lot of information
• Switches and routers don’t usually
log user-level information
• Intrusion Detection/Prevention Systems
• Raw network traffic data
• Rebuild images, email messages,
browser sessions, file transfers
136
Q

Capture video

A
• A moving record of the event
• Gathers information external to
the computer and network
• Captures the status of the screen
and other volatile information
• Don’t forget security cameras
• The video content must also be archived
137
Q

Time Offsets

A

• Windows: 64-bit time stamp (FILETIME)
• Number of 100-nanosecond intervals since
January 1, 1601 00:00:00 GMT
• This stops working in roughly 58,000 years
• Unix: traditionally a signed 32-bit time stamp
• Number of seconds since January 1, 1970 00:00:00 GMT
• A signed 32-bit counter stops working on Tuesday, January 19, 2038 at
03:14:07 GMT; the 64-bit time_t on most current systems does not
• Different file systems store timestamps differently
• FAT: Time is stored in local time, with no time zone recorded
• NTFS: Time is stored in GMT (UTC)
• Record the time zone offset from the operating system
before interpreting file system timestamps
• The Windows Registry
• Many different values (daylight saving time,
time change information, etc.)
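
Worked example, added here and not part of the original course notes: the conversions this card describes, in Python. It decodes a Windows FILETIME, shows where a signed 32-bit Unix time wraps, decodes the FAT date/time words (which carry no zone) and applies a recorded offset to bring them to UTC. The sample values are constructed for the demonstration; the registry value named in the comment is the Windows TimeZoneInformation key, but reading it is left to the examiner.

```python
from datetime import datetime, timedelta, timezone
import struct

# Both epochs as timezone-aware datetimes. The card's "GMT" is UTC here.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one tick = 100 ns
# 100 ns ticks between 1601-01-01 and 1970-01-01 (11,644,473,600 seconds).
EPOCH_DIFF_TICKS = 11_644_473_600 * TICKS_PER_SECOND


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: unsigned 64-bit count of 100 ns ticks since 1601-01-01 UTC."""
    if not 0 <= ft < 2**64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    seconds, ticks = divmod(ft, TICKS_PER_SECOND)
    # datetime keeps microseconds only, so the last digit of the tick count is dropped.
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)


def filetime_to_unix(ft: int) -> int:
    """Whole seconds since the Unix epoch; negative for dates before 1970."""
    return (ft - EPOCH_DIFF_TICKS) // TICKS_PER_SECOND


def filetime_max_years() -> float:
    """How far an unsigned 64-bit FILETIME reaches past 1601 (about 58,000 years)."""
    return 2**64 / TICKS_PER_SECOND / (365.2425 * 86400)


def unix32_to_datetime(raw: int) -> datetime:
    """Interpret a raw 32-bit time_t the way a signed 32-bit C program would."""
    (signed,) = struct.unpack("<i", struct.pack("<I", raw & 0xFFFFFFFF))
    return UNIX_EPOCH + timedelta(seconds=signed)


def unix32_rollover() -> datetime:
    """Last second a signed 32-bit time_t can hold: 2038-01-19 03:14:07 UTC."""
    return UNIX_EPOCH + timedelta(seconds=2**31 - 1)


def fat_fields_to_local(date16: int, time16: int) -> datetime:
    """Decode FAT directory-entry date/time words. FAT stores LOCAL time, no zone."""
    year = 1980 + (date16 >> 9)          # bits 15-9: years since 1980
    month = (date16 >> 5) & 0x0F         # bits 8-5
    day = date16 & 0x1F                  # bits 4-0
    hour = time16 >> 11                  # bits 15-11
    minute = (time16 >> 5) & 0x3F        # bits 10-5
    second = (time16 & 0x1F) * 2         # bits 4-0, two-second resolution
    return datetime(year, month, day, hour, minute, second)  # naive: zone unknown


def local_to_utc(local_naive: datetime, active_time_bias_minutes: int) -> datetime:
    """Apply the offset recorded from the evidence host.

    ActiveTimeBias under HKLM\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation
    is the number of minutes to ADD to local time to get UTC (300 for US Eastern
    standard time). Record it from the registry before interpreting FAT timestamps.
    """
    return local_naive.replace(tzinfo=timezone.utc) + timedelta(minutes=active_time_bias_minutes)
```

Example: a FAT entry decoded as 2020-03-15 13:30:20 on a host with ActiveTimeBias 300 is 18:30:20 UTC, which is the value to put next to NTFS and Windows event timestamps on the same timeline.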

138
Q

Taking Hashes

A

MD5 (Message Digest 5), CRC (Cyclic Redundancy Check)
• Hash the image at acquisition and again before analysis;
a mismatch means the evidence changed

139
Q

MD5

A

Cryptographic hashing algorithm
• 128-bit digest, displayed as 32 hexadecimal characters
• Collisions can be generated on purpose, so record
SHA-256 alongside MD5 for evidence

140
Q

CRC

A

Error-detecting checksum, not a cryptographic hash
• 32 bits, displayed as hexadecimal
• Fast, but easy to forge: a file can be adjusted to hit any chosen CRC
• Fine for catching accidental corruption; use MD5/SHA-256
to prove evidence integrity

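Worked example, added here and not from the original notes: one pass over an image computing MD5, SHA-256 and CRC32 together (the cards above), re-verifying before analysis as the chain-of-custody card later asks, and a check that shows why CRC32 is only a checksum: it is linear over XOR, so an attacker can steer it. The "image" is a constructed few bytes written to a temporary file; a real acquisition is hashed the same way, chunk by chunk.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

# Constructed stand-in for an acquired disk image; a real one is a multi-GB file.
SAMPLE_IMAGE = b"abc"


def hash_stream(chunks, algorithms=("md5", "sha256")):
    """Feed a stream of byte chunks through several hashes and CRC32 in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    crc = 0
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
        crc = zlib.crc32(chunk, crc)
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    digests["crc32"] = f"{crc & 0xFFFFFFFF:08x}"
    return digests


def hash_file(path, chunk_size=1 << 20):
    """Hash a file without loading it into memory."""
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(chunk_size), b""))


def verify_file(path, expected):
    """Re-hash before analysis and compare with the values recorded at acquisition."""
    actual = hash_file(path)
    return all(actual[name] == value for name, value in expected.items())


def crc32_is_linear(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs, CRC32 is affine over GF(2): the XOR of three CRCs
    equals the CRC of the XOR of the inputs. A cryptographic hash has no such
    structure; this is what lets an attacker patch a file to a chosen CRC."""
    assert len(a) == len(b) == len(c)
    x = bytes(i ^ j ^ k for i, j, k in zip(a, b, c))
    return (zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)) & 0xFFFFFFFF == zlib.crc32(x)


def demo():
    """Record hashes at acquisition, then detect a later change to the image."""
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "evidence.dd"
        image.write_bytes(SAMPLE_IMAGE)
        recorded = hash_file(image)                 # goes into the custody log
        image.write_bytes(SAMPLE_IMAGE + b"\x00")   # simulated tampering / bad copy
        return recorded, verify_file(image, recorded)
```

Record all three values together with who took them and when; a verification that fails on any one of them means the copy being analyzed is not the copy that was acquired.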
141
Q

Screenshots

A
  • Capture the state of the screen
  • Difficult to reproduce, even with a disk image
  • External capture
  • Use digital camera
  • Internal capture
  • PrintScreen key
  • Third-party utility
142
Q

Witnesses

A

Who might have seen this?
• Interview and document
• Not all witness statements are 100% accurate
• Humans are fallible

143
Q

Tracking man hours and expense

A
  • Some incidents can use massive resources
  • May have an impact on the bottom line
  • May be required for restitution
  • Be as accurate as possible
144
Q

Chain of custody

A
Controlling and managing the evidence
to maintain integrity
• Document everyone who contacts the evidence
• Use hashes with digital evidence
• Label and catalog everything
• Seal, sign, and store
145
Q

Big Data Analysis

A
  • Large amounts of data, stored without structure
  • Incidents can create an enormous amount of data
  • Diverse log formats and data types
  • Collecting the data is only the first part
  • You must also be able to view it
  • Query the data
  • A structured language that applies to large scale data
  • Visualization tools can display the data in unique ways
  • Graphs
  • Statistical analysis
  • Tag clouds
146
Q

Preparing for an Incident

A

• Communication methods - phones and contact info
• Incident handling hardware and software
• Laptops, removable media,
forensic software, digital cameras
• Incident analysis resources
• Documentation, network diagrams,baselines,
critical file hash values
• Incident mitigation software
• Clean OS and application images
• Policies needed for incident handling
• Everyone knows what to do

147
Q

Preventing an Incident

A

Risk assessments
• Periodic analysis, prioritization of risk, disposition of risk
• Host security
• Harden the operating system, patches, and
ongoing monitoring
• Network security
• Firewalls, VPNs, intrusion prevention systems
• Malware prevention
• Hosts, email and file servers, application clients
• User awareness and training
• Keep your users updated with the
latest security techniques

148
Q

Incident Precursors

A

Web server log - Vulnerability scanner in use
• Exploit announcement
• Monthly Microsoft patch release, Adobe Flash update
• Direct threats - A hacking group doesn’t like you

149
Q

Incident Indicators

A

An attack is underway or an exploit is successful
• Buffer overflow attempt
• Identified by an intrusion detection/prevention system
• Anti-virus software identifies malware
• Quarantines or deletes it and notifies the administrator
• Host-based monitor detects a configuration change
• Constantly monitors system files
• Network traffic flows deviate from the norm
• Requires constant monitoring

150
Q

Incident Notification

A
• Corporate / Organization
• CIO / Head of Information Security / Internal
Response Teams
• Internal non-IT
• Human resources, public affairs, legal department
• External contacts
• System owner, law enforcement
• US-CERT (for U.S. Government agencies)
151
Q

Event Notification

A

Notification is ongoing during an event
• Status updates, wide-scale notifications
• Consider in-band and out-of-band methods
• Email, Web (intranet, external, etc.), Telephone calls,
In-person updates, Voice mail recordings,
Paper flyers, notices

152
Q

Criteria for Mitigation Strategies

A
  • Potential damage and theft - prevent the destruction
  • Preserve the evidence
  • Gather as many details as possible
  • Maintain service availability
  • The organization must continue
  • Implementation resources and time
  • Every task requires resources
  • Effectiveness - amount of containment
  • Duration of the mitigation - Let’s get this over quickly
153
Q

Isolation and Containment

A

Generally a bad idea to let things run their course
• An incident can spread quickly
• Sandboxes
• The attacker thinks they’re on a real system,
but they’re not
• Isolation can sometimes be problematic
• Malware or infections can monitor connectivity
• When connectivity is lost, everything is
deleted/encrypted/damaged

154
Q

Lessons Learned from Incidents

A

What happened, exactly?
• Timestamp of the events
• How did your incident plans work?
• Did the process operate successfully?
• What would you do differently next time?
• Retrospective views provide context
• Which indicators would you watch next time?
• Different precursors may give you better alerts

155
Q

Incident Reporting

A

A lot of information is created during an incident
• Information should be objective and factual
• Logbook - a pencil and paper is remarkable technology
• Digital camera - a snapshot or movie of a device
• Audio recorder - easier to say it and transcribe later
• Laptop - capture terminal sessions and digital evidence

156
Q

Tracking Issues

A
  • Incident status
  • Summary information
  • Relationship between incidents
  • Actions taken by all parties
  • Chain of custody information
  • Contact information
  • Comments from incident handlers
  • Next steps to be taken
157
Q

Incident Recovery

A

Eradicate the bug
• Remove malware, disable breached user accounts,
fix vulnerabilities
• Recover the system
• Restore from backups, rebuild from scratch, replace
compromised files, tighten down the perimeter

158
Q

Reconstitution

A
  • A phased approach - it’s difficult to fix everything at once
  • Recovery may take months
  • Large-scale incidents require a large amount of work
  • The plan should be efficient
  • Start with quick, high-value security changes
  • Patches, firewall policy changes
  • Later phases involve much “heavier lifting”
  • Infrastructure changes, large-scale security rollouts
159
Q

First Responders

A

Very specific tasks for the first person on the scene
• Objective is to contain the damage
• Don’t disturb the environment
• Get the right people in place before poking around
• Follow the escalation policy

160
Q

Handling a Data Breach

A

Try to determine the attacker
• Useful for law enforcement and to stop future breaches
• Security must be analyzed and secured
• Change passwords, update firewalls
• Even across systems that may not appear to be breached
• Notify all affected people - customers, partners, employees
• Personally Identifiable Information (PII) may require
additional notifications
• Credit monitoring requirements

161
Q

Damage and Loss Control

A

Prevent the spread of damage
• Needs to be part of the incident response policy
• Virus infection may be handled differently than a DoS attack
• Device removal - pull a device from the network
• Disconnect the Internet
• Every case is a bit different
• What’s attacked or damaged?
• Can you gather additional details if you leave it in place?

162
Q

Security policy training and procedures

A
  • All of your policy information is on the Intranet
  • Provide in-person mandatory training sessions
  • Train people on general security best practices
  • Define a company policy for visitors
  • GUI configuration
163
Q

Personally identifiable information (PII)

A
  • Part of your privacy policy
  • Not everyone realizes the importance of this data
  • It should become a normal part of security management
164
Q

Information classification examples

A

Unclassified (public) - no restrictions on viewing the data
• Classified (private / restricted / internal use only)
• Confidential (low) - highly sensitive,
must be approved to view
• Secret (medium) - viewing is severely restricted
• Top-Secret (high) - highest level of classification

165
Q

Data labeling, handling and disposal

A

Data is usually saved for a very long time
• Document and label everything
• Some backups must be legally preserved
• Trash and recycling can be a security concern

166
Q

Compliance, best practices and standards

A

• Non-compliance has serious repercussions
• Sarbanes-Oxley Act (SOX) - The Public Company
Accounting Reform and Investor Protection Act of 2002
• The Health Insurance Portability and
Accountability Act (HIPAA)
• Extensive standards for storage, use, and
transmission of health care information
• The Gramm-Leach-Bliley Act of 1999 (GLBA)
• Disclosure of privacy information from
financial institutions

167
Q

User habits

A

Promote good password behaviors
• Document data handling processes
• Define clean desk policies
• Personally owned devices can be a challenge
• Tailgating can allow unauthorized people
to enter the building

168
Q

Threat Awareness

A
• New viruses - thousands every week
• Phishing attacks
• Spyware
• Learns personal info, captures keystrokes and
browsing information
• Zero-day exploits
• Quick reaction is the only defense
169
Q

Social networking and P2P

A
  • You become a file server
  • All of your content can be exposed
  • Social networks provide false sense of trust
170
Q

Gathering Training Metrics

A

Formative assessment
• Constant monitoring, target areas that need work
• Summative assessment
• High-stakes, final exam, certification exam

171
Q

Automating Training Measurements

A

Large-scale monitoring - automation is the key
• Learning Management System (LMS) assessment software
• Training delivery- video, text, quizzes
• Score tracking - individual performance
• Student feedback - communication path to the trainers

172
Q

HVAC (Heating, Ventilating, and Air Conditioning)

A

• Thermodynamics, fluid mechanics, and heat transfer
• Not something you can properly design yourself
• Must be integrated into the fire system
• Data Center should be separate from
the rest of the building
• Overheating is a huge issue
• Engineer for closed-loop recirculating and
positive pressurization
• Recycle internal air and air is pushed out

173
Q

Electromagnetic Interference Shielding

A
  • Computers produce large amounts of EMI
  • Metal shielding inside of a computer case can minimize EMI
  • Appears as noise on video and analog audio
174
Q

Environmental Monitoring

A
  • Optimize your cooling infrastructure
  • Constantly monitor and log the environment
  • Many servers include internal temperature sensors
  • Portable or emergency cooling may be valuable
175
Q

Physical Security

A

Hardware locks - Lock and key, deadbolt, electronic, token-based,
biometric, multi-factor smart card
• Mantraps - Multiple doors that only unlock one at a time
• Video surveillance - closed-circuit television
• Fencing - a perimeter
• Proper lighting - deter crime and provide camera lighting
• Signs - specific instructions, fire exits, warning signs
• Guards - access lists, physical protection
• Barricades - channel people through a particular access point
• Protected Distribution System (PDS) - physically secured cabling
• Alarms - circuit-based, motion detection

176
Q

Control Types

A

Technical - Controls implemented using systems
• Administrative - Controls that determine
how people act
• Deterrent - Discourages an intrusion attempt
• Preventive - Physically control access
• Detective - Identifies and records any
intrusion attempt
• Compensating - Restores using other means

177
Q

Business Impact Analysis

A

• What are your critical business functions?
• Is there loss of revenue, legal requirements,
or customer service?
• How long will you be impacted?
• What’s the impact to the bottom line?

178
Q

Critical Systems

A

Make a list of critical systems - this is an involved process
• List business processes - Accounting systems,
manufacturing application, VoIP call center, etc.
• Associate tangible and intangible assets and resources
with the business processes

179
Q

Tangible and Intangible Assets

A

People - employees, suppliers, visitors
• Tangible assets
• Buildings, furniture, equipment,
data, paper documents
• Intangible assets - Ideas, commercial reputation, brand
• Procedures - Supply chains, critical procedures, standard
operating procedures

180
Q

Removing Single Points of Failure

A
  • A single event can ruin your day
  • Network redundancy with multiple devices
  • Backup power, multiple cooling devices
  • Plan for additional people and other locations
  • There’s no practical way to remove all points of failure
181
Q

Quantitative Risk Assessment

A
  • Assign a dollar value to risk
  • Single Loss Expectancy (SLE)
  • How much loss for one event?
  • Annual Loss Expectancy (ALE)
  • ALE = SLE x Annual Rate of Occurrence (ARO)
182
Q

Qualitative Risk Assessment

A
  • Identify significant risk factors
  • Ask opinions about the significance
  • Display visually with traffic light grid or similar method
183
Q

Continuity of operations

A

• Business processes are interrelated
• HR drives payroll, IT provides payroll system,
accounting provides the money
• Almost everything business-related relies on IT
• Involve the entire company
• It can be difficult to document the company operations

184
Q

Disaster Recovery

A

Plan for both small disasters and large disasters
• Can be managed through a 3rd-party
• Take advantage of geographically diverse areas
• Many variables, the unknown can bite you

185
Q

Seven-step contingency planning process

A

Develop the contingency planning policy statement
• Conduct the business impact analysis
• Identify preventive controls
• Create contingency strategies
• Develop an information system contingency plan
• Ensure plan testing, training, and exercises
• Ensure plan maintenance

186
Q

Succession Planning

A
  • Manage the leadership of the company
  • A gap can cause a vacuum or financial impact
  • Management can leave the company, retire, die
  • Often a deputy who can assume the role
  • Travel restrictions may apply
187
Q

Tabletop Exercises

A

Performing a full-scale disaster drill can be costly
• Many of the logistics can be determined
through analysis
• You don’t physically have to go through
a disaster or drill
• Get key players together for a tabletop exercise
• Talk through a simulated disaster

188
Q

Redundancy and Fault Tolerance

A
  • Maintain uptime
  • The organization continues to function
  • No hardware failure - servers keep running
  • No software failure - services always available
  • No system failure - network performing optimally
189
Q

High Availability

A

Redundancy doesn’t always mean always available
• HA (high availability) - always on, always available
• May include many different
components working together
• Watch for single points of failure

190
Q

Hot, Warm, and Cold Spares

A
  • Cold spare - in the box, turned off
  • Warm spare
  • May be racked and powered, but not connected
  • Software and configurations may occasionally be updated
  • Hot spare - powered on, always updated
191
Q

Cold, Warm, and Hot Sites

A
  • Cold site - no hardware, no data, no people
  • Warm site - hardware is waiting, you bring the data
  • Hot site
  • An exact replica, stocked with hardware and software
  • Flip a switch and everything moves
192
Q

RAID Levels

A

RAID 0, 1, 5

193
Q

RAID 0

A

Striping without parity

High performance, no fault tolerance

194
Q

RAID 1

A

Mirroring

Duplicates data for fault tolerance, but requires twice the disk space

195
Q

RAID 5

A

Striping with parity

Fault tolerant; parity costs only one additional disk, and the array survives one disk failure

196
Q

Confidentiality

A
  • Certain information should only be known to certain people
  • Encryption - Encode messages so only certain people can read it
  • Access controls - Selectively restrict access to a resource
  • Steganography
  • Conceal information within another piece of information
  • Commonly associated with hiding information in an image
197
Q

Integrity

A

Data is stored and transferred as intended
• Any modification to the data would be identified
• Hashing
• Map data of an arbitrary length to data of a fixed length
• Digital signatures - Verify the integrity of data
• Certificates
• Combine with a digital signature to verify an individual
• Non-repudiation - The signer cannot deny having signed; proof of origin as well as integrity

198
Q

Availability

A
  • Information is accessible to authorized users
  • Redundancy
  • Build services that will always be available
  • Fault tolerance
  • System will continue to run with failures
  • Patching - Stability, close security holes
199
Q

Safety

A
  • Fencing - Keep out the unwanted
  • Lighting - Protect assets, especially at night
  • Locks - Prevent access through doors
  • CCTV - Closed-circuit television - video monitoring
  • Escape plans and routes - Best way out of an area
  • Drills - Test and adjust
  • Testing controls
  • Test against physical and digital security
200
Q

Malware

A
Can gather information
• Can capture your keystrokes
• Often controlled over the ‘net
• Can show you advertising
• May install an OS backdoor
201
Q

Virus

A
  • Malware that can reproduce itself
  • It doesn’t need you to click anything special
  • It needs you to execute an infected program
  • Reproduces through file systems or the network
  • Just running a program can spread a virus
  • Some viruses are invisible, some are annoying
  • Anti-virus software is very common
  • There are thousands of new viruses every week
202
Q

Virus Types

A

Boot sector, Program, Script, Macro, Multipartite

203
Q

Boot sector viruses

A

Installs into the drive boot area

204
Q

Program viruses

A

Part of a legitimate application

205
Q

Script viruses

A

Operating system and browser-based

206
Q

Macro viruses

A

Common in Microsoft Office

207
Q

Multipartite viruses

A

Infects and spreads in multiple ways

208
Q

Worms

A

• Self-replicates without human intervention
• Uses the network as a transmission medium
• Can infect many PCs very quickly
• Firewalls and IDS/IPS can mitigate
many worm infestations

209
Q

Adware

A

Your computer shows you advertisements
• May cause performance issues
• May be included with other software installations
• Be careful of software that claims to remove adware

210
Q

Spyware

A

Malware that spies on you
• Advertising, identity theft, affiliate fraud
• Can trick you into installing
• Monitors your browser activity
• Logs your keystrokes
• Send this information back to a central server

211
Q

Trojan Horse

A

Software that pretends to be something else
• Replicating isn’t the primary requirement
• Circumvents your existing security
because you ran it yourself
• Anti-virus may catch it when it runs
• The better trojans are built to avoid and disable AV
• Once it’s inside it has free rein
• May then open the gates for other programs

212
Q

Backdoors

A

Why go through normal authentication methods?
Just walk in the back door
• Often placed on your computer through malware
• Some malware software can take advantage
of backdoors created by other malware
• Bad software can have a backdoor as part of the app

213
Q

Rootkits

A
  • Modifies core system files
  • May be part of the kernel
  • Designed to be invisible to the operating system
  • You won’t see it in Task Manager
  • Also invisible to traditional anti-virus utilities
214
Q

Logic Bomb

A
Waits for a predefined event
• Time bomb - Based on time or date
• Logic bomb - Set off through a user event
• Difficult to identify
• Difficult to recover if it goes off
215
Q

Botnets

A

Robot networks
• Once your machine is infected, it becomes a bot
• You usually do not know that you’re a bot
• May be installed as part of a malware
• Waits around until receiving commands from the mothership

216
Q

Ransomware

A
The bad guys want your money
• They’ll take your data in the meantime
• May be a “fake” ransom
• Locks your computer “by the police”
• The ransom may be avoided
• A security professional can remove these kinds of malware
217
Q

Polymorphic Malware

A

Changes itself to avoid signature detection
• Every download is different
• The attack code doesn’t change
• Just everything around it
• Encrypt the malware executable
• Use a different key pair every time
• Create signatures that look for a specific payload
• One signature can stop many variants
• Use heuristic detection systems
• Be ready to use some additional resources

218
Q

Armored Virus

A

Virus writers don’t want their work to be discovered
• Makes the anti-virus software look elsewhere
• If found, make it difficult to deconstruct
• Security researchers disassemble the virus code
• The virus is usually obfuscated with unnecessary and
nonsense code
• The virus writer’s goal is to make it
as painful as possible to identify and block
• The longer the research, the more widespread the infection

219
Q

ARP Poisoning, Spoofing, and Man-in-the-Middle

A
  • Redirects your traffic, then passes it on to the destination
  • You never know your traffic was redirected
  • ARP has no authentication; the defense lives in the switch (e.g. Dynamic ARP Inspection)
220
Q

Denial of service (DoS)

A

Force a service to fail
• Overload the service
• Take advantage of a design failure or vulnerability
• Cause a system to be unavailable
• Can create a smokescreen for some other exploit
• May be a precursor to a DNS spoofing attack
• Not usually a very complicated attack
• Turning off your power is an effective DoS

221
Q

Replay Attack

A
  • Useful information is transmitted over the network
  • A network tap is used to access the raw network data
  • ARP poisoning can redirect traffic
  • Malware on the victim computer gathers information
  • Data is replayed to appear as someone else
222
Q

Spoofing

A

Pretend to be something you aren’t
• Fake web server, fake DNS server, etc.
• Email address spoofing
• The sending address of an email isn’t really the sender
• Man-in-the-middle attacks
• The person in the middle of the conversation pretends
to be both endpoints
• Caller ID spoofing
• The incoming call information is completely fake

223
Q

DNS Poisoning

A

Modify the DNS server, modify the client host file

• Send a fake response to a valid DNS request

224
Q

Pharming

A
  • Redirection to a bogus site
  • Combines farming with phishing
  • Farming - Harvest large groups of people
  • Phishing - Collect access credentials
  • Difficult for anti-malware software to stop
  • Everything appears legitimate to the user
225
Q

Spam

A
  • Unsolicited email, traditionally for advertising

  • Can also be used to spread trojans/botnets

226
Q

Spim

A

• Spam over IM - links in IM can be malicious

227
Q

Spit

A

Spam over internet telephony

• VoIP providers have made this difficult to implement

228
Q

Stopping Spam

A
  • White list to only allow known senders
  • Black list to remove the bad senders
  • Bayesian filtering scores a message by how often its words appear in known spam versus legitimate mail
  • Cloud-based spam services check email before it arrives
229
Q

Phishing

A
  • Social engineering with a touch of spoofing
  • Often delivered by spam, IM, etc.
  • Don’t be fooled, check the URL
  • Vishing is done over the phone
230
Q

Spear Phishing

A

More believable phishing with inside information

• Spear phishing the CEO is “whaling”

231
Q

Xmas Tree Attack

A

Send a carefully crafted packet to a host
• URG, PUSH, and FIN are set - 00101001
• Lit up “like a Christmas tree”
• May slow down the remote device (DoS)
• Easy to see this attack with an IPS
• Most modern devices will drop these packets
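
Worked example, added here and not from the original notes: the flag byte this card describes, decoded from a TCP header and classified the way an IPS signature would. The headers are constructed in the block (no packets are sent); the combinations labelled are the ones port scanners use, with Xmas being URG+PSH+FIN = 0x29 = 00101001 as the card says.

```python
import struct

# TCP flag bits in byte 13 of the header (RFC 793, with ECE/CWR from RFC 3168).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
XMAS = FLAG_BITS["URG"] | FLAG_BITS["PSH"] | FLAG_BITS["FIN"]  # 0x29 == 0b00101001


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Minimal 20-byte TCP header with no options. Checksum is left zero: this is a
    constructed sample for parsing, not a packet to put on the wire."""
    data_offset = 5 << 4  # five 32-bit words; reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def tcp_flags(header: bytes) -> int:
    """The eight flag bits live in byte 13 (byte 12 holds data offset and reserved bits)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]


def flag_names(flags: int):
    return [name for name, bit in FLAG_BITS.items() if flags & bit]


def classify(header: bytes) -> str:
    """Label the handshake-invalid combinations scanners use (nmap -sX, -sN, -sF)."""
    flags = tcp_flags(header)
    if flags == 0:
        return "null-scan"
    if flags == XMAS:
        return "xmas-scan"
    if flags & FLAG_BITS["SYN"] and flags & FLAG_BITS["FIN"]:
        return "syn-fin"  # never produced by a real TCP stack
    if flags == FLAG_BITS["FIN"]:
        return "fin-scan"
    if flags == FLAG_BITS["SYN"]:
        return "syn"
    return "other"


def scan_summary(headers):
    """Count classifications over a capture; a burst of xmas/null entries is the alert."""
    counts = {}
    for h in headers:
        label = classify(h)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample: two Xmas probes, one NULL probe, one ordinary SYN.
SAMPLE_HEADERS = [
    build_tcp_header(40000, 22, XMAS),
    build_tcp_header(40001, 80, XMAS),
    build_tcp_header(40002, 443, 0),
    build_tcp_header(40003, 80, FLAG_BITS["SYN"]),
]
```

Modern stacks silently drop Xmas and NULL probes to open ports and answer RST on closed ones, which is exactly the difference the scanner is looking for; the detection value is the pattern across many ports, not any single packet.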

232
Q

Privilege Escalation

A

Gain higher-level access to a system
• Exploit a vulnerability, might be a bug or design flaw
• Higher-level access means more capabilities
• This is commonly the highest-level access
• These are high-priority vulnerability patches
• You want to get these holes closed very quickly
• Any user can be an administrator
• Horizontal privilege escalation
• User A can access user B resources

233
Q

Mitigating privilege escalation

A
  • Patch quickly - Fix the vulnerability
  • Updated anti-virus/anti-malware software
  • Data Execution Prevention (DEP) - no code runs from data pages
  • Address space layout randomization (ASLR)
  • Prevents a buffer overrun from landing at a known memory address
234
Q

Insider Threats

A
  • This is why we have the concept of least privilege
  • Insiders have more access than others
  • Lock away your documents
  • Harms your organization’s reputation
  • Can cause a critical system disruption
  • May include loss of confidential or proprietary info
235
Q

Transitive attacks

A
  • A trusts B, B trusts C, therefore A trusts C
  • Often the case in network security
  • Little control over the transitive
  • Common to trust nobody
  • Firewalls often separate business partners
  • Firewalls can only stop so many things
  • You can’t stop all access from your business partner
236
Q

Client-side attacks

A
  • Servers are more secure than ever
  • Attack the client - Bad programming makes it easier
  • Browsers, media players, office apps, email clients
  • A single insecurity can reveal all information
  • Keep operating system and applications updated
  • A single vulnerability can own a computer
237
Q

Password Attacks

A
  • Brute force - Guess the password, calculate the hash
  • Dictionary attack - Use common words as passwords
  • Hybrid attack - Combine brute force and dictionary attacks
  • Birthday attack - The same hash value for two plaintexts
  • Rainbow tables - An optimized, pre-built set of hashes
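
Worked example, added here and not from the original notes: the first three attacks on this card run against SHA-256 password hashes, plus a precomputed lookup table standing in for a rainbow table. The wordlist and suffixes are constructed for the demonstration (real ones are millions of entries); SHA-256 is a stand-in for whatever the target stores. The salted cases show why a precomputed table fails while a dictionary or hybrid attack still has to be run per hash.

```python
import hashlib
import itertools

# Constructed mini wordlist; a real dictionary attack uses millions of entries.
WORDLIST = ["password", "letmein", "summer", "messer", "welcome"]
SUFFIXES = ("", "1", "123", "!", "2015")


def hash_password(password: str, salt: bytes = b"") -> str:
    """Unsalted or salted SHA-256 as a stand-in for the target's password hash."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hybrid_candidates(words=WORDLIST, suffixes=SUFFIXES):
    """Dictionary words plus the small brute-force space users bolt onto them."""
    for word in words:
        for variant in (word, word.capitalize()):
            for suffix in suffixes:
                yield variant + suffix


def dictionary_attack(target: str, salt: bytes = b"", words=WORDLIST):
    """Plain dictionary: hash each word (with the victim's salt) and compare."""
    for word in words:
        if hash_password(word, salt) == target:
            return word
    return None


def hybrid_attack(target: str, salt: bytes = b""):
    """Dictionary plus brute-forced suffixes and capitalisation."""
    for candidate in hybrid_candidates():
        if hash_password(candidate, salt) == target:
            return candidate
    return None


def build_lookup_table(words=WORDLIST):
    """Precompute hash -> plaintext once, look up many (the idea behind rainbow tables).
    Only unsalted hashes can be looked up: a salt makes every table entry wrong."""
    return {hash_password(c): c for c in hybrid_candidates(words)}


def table_lookup(table, target):
    return table.get(target)


def brute_force(target: str, alphabet="0123456789", max_len=4):
    """Exhaustive search; cost is |alphabet| ** length, which is why short PINs fall."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            candidate = "".join(combo)
            if hash_password(candidate) == target:
                return candidate
    return None
```

A per-user random salt defeats the table but not the guessing; a deliberately slow hash (bcrypt, scrypt, Argon2) is what makes each guess expensive.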
238
Q

Watering Hole Attack

A

Determine which website the victim group uses
• Educated guess - Local coffee shop, industry-related sites
• Infect one of these third-party sites
• Site vulnerability, email attachments
• Infect all visitors, even if you’re just looking for specific victims

239
Q

URL Hijacking

A
Typosquatting / brandjacking
• Take advantage of poor spelling
• Outright misspelling
• professormesser.com vs. professermesser.com
• A typing error
• professormeser.com
• A different phrase
• professormessers.com
• Different top-level domain
• professormesser.org
240
Q

Computer Hoaxes

A

A threat that doesn’t actually exist, but SEEMS real
• Still often consume lots of resources
• Forwarded emails, printed memorandums, wasted time
• Often an email or social network post
• A hoax about a virus can waste as much time as a regular virus

241
Q

Stopping the Whale Hunts

A

It’s difficult to identify whaling with traditional security devices
• Passes through the firewall and IPS
• Difficult to train
• Consider using practical exercises

242
Q

Effective Social Engineering

A
  • Constantly changing
  • You never know what they’ll use next
  • May involve multiple people and multiple organizations
  • There are ties connecting many organizations
  • May be in person or electronic
  • Phone calls from aggressive “customers”
  • Emailed funeral notifications of a friend or associate
243
Q

Rogue Access Points

A

A significant potential backdoor
• Very easy to plug in a wireless AP
• Schedule a periodic wireless survey
• Consider using 802.1X (Network Access Control)

244
Q

Evil Twins

A

Buy a wireless access point
• Configure it exactly the same way as an existing network
• Same SSID and security settings
• May not require the same physical location
• Use HTTPS and a VPN to help mitigate

245
Q

Wireless Interference

A

Radio waves can be disrupted
• Intentional jamming or disruption of wireless signals
is illegal in the United States (and elsewhere)
• Degrades or completely denies service
• May be used in conjunction with a wireless “evil twin”

246
Q

Combating Interference

A

Stop the offending station at the source
• May require additional monitoring equipment
• Boost the power of existing access points
• Try different frequencies

247
Q

Wardriving

A

Combine WiFi monitoring and a GPS
• Gather a huge amount of intel in a short period of time
• All of this is free with tools like Kismet, inSSIDer
• You can also use warflying or warbiking

248
Q

Warchalking

A
• Historical footnote to
802.11 wireless networking
• Created in June 2002,
publicized by Matt Jones
• If you find a node, let
someone else know
• By the time this was a big problem,
it wasn’t a problem anymore
249
Q

Bluejacking

A

Sending of unsolicited messages to
another device via Bluetooth
• Typical functional distance is about 10 meters
• Bluejack with an address book object; instead of a
contact name, a message is written
• “You are Bluejacked! Add to contacts?”
• Third-party software may also be used

250
Q

Bluesnarfing

A
  • A rare attack that takes advantage of a vulnerability
  • Access a Bluetooth-enabled device and transfer data
  • Exploited through security weaknesses
  • Must be fixed with a patch
  • Download a file without authentication
251
Q

Wireless Initialization Vector Attacks

A

• IV is an extra bit of data thrown in to change
the encryption stream
• The IV changes each time data is sent (ideally)
• With 802.11 WEP, the IV is sent with the encrypted data
• The other side reverses the process

252
Q

WEP IV

A

• No key management, everyone usually has the same key
• The WEP IV is 24-bits long - relatively small
• 16,777,216 possible RC4 cipher streams for a given
WEP key
• IV values eventually are reused
• Some “weak” IVs don’t properly provide for good
encryption, and make it easy to discover the key
• The bad guys will inject frames to intentionally
duplicate IVs and make key identification easier

253
Q

Wireless Packet Analysis

A

Most information over the network is “in the clear”
• Relatively difficult to capture data over wired networks
• Wireless networks are incredibly easy to monitor
• Some network drivers won’t capture wireless information
• Free capture software - http://www.wireshark.org

254
Q

Protecting against packet analysis

A
  • Use WPA2 encryption on your wireless access point
  • Use encryption for authentication
  • Use end-to-end VPN
  • Use encrypted proxy services and virtual tunnel networks
255
Q

Near Field Communication (NFC)

A
  • Two-way wireless communication
  • Payment systems, e.g., Google Wallet and MasterCard
  • Bootstrap for other wireless
  • NFC helps with Bluetooth pairing
  • Access token, identity “card”
  • Short range with encryption
256
Q

NFC Security Concerns

A

Remote capture - It’s a wireless network
• Frequency jamming - Denial of service
• Relay attack - Man in the middle
• Loss of NFC device control - Stolen/lost phone

257
Q

WPA Attacks

A
  • WPA-Personal / WPA-PSK
  • WPA with a pre-shared key
  • Everyone uses the same 256-bit key
  • The only way in is a brute force / dictionary attack
  • Some cloud-based services already have the hashes
  • Use a complex set of letters and numbers / Avoid words
  • WPA-Enterprise / WPA-802.1X
  • Authenticates users individually with an auth server
  • No practical attacks
258
Q

WPS Attacks

A

• PIN is an eight-digit number
• Really seven digits and a checksum
• Seven digits, 10,000,000 possible combinations
• The WPS process validates each half of the PIN
• First half, 4 digits. Second half, 3 digits.
• First half, 10,000 possibilities. Second half, 1,000
possibilities
• It takes about four hours to go through all of them
• Most devices never considered a lockout function

259
Q

Cross-site Scripting (XSS)

A

Called cross-site because of browser security flaws
• Information from one site can be shared with another
• One of the most common vulnerabilities
• Used by malware that uses JavaScript vulnerabilities

260
Q

Non-persistent (reflected) XSS attack

A

Web site allows scripts to run in user input / search box
• Bad guy may email a link
• Email link runs a script that sends
credentials/session IDs/cookies to the bad guy
• Script embedded in URL executes in the victim’s
browser, as if it came from the server
• Bad guys use credentials/session IDs/cookies to
steal victim’s information without their knowledge

261
Q

Persistent (stored) XSS attack

A

• Bad guy posts a message to a social network that
includes a malicious payload (it’s now “persistent”)
• Everyone gets the payload
• No specific target
• For social networking, this can spread quickly
• Everyone who views the message can have it posted
to their page, where someone else can view it and

262
Q

Protecting Against XSS

A

Be careful when clicking untrusted links
• Consider disabling or controlling JavaScript
• Keep your browser and applications updated
• Keep your web server applications updated

263
Q

Code Injection

A
• Adding information into a data stream
• Applications should be developed to properly
handle input and output
• Used with many different data types
• HTML, SQL, XML, LDAP, etc.
264
Q

SQL (Structured Query Language) Injection

A

• The most common relational database management
system language
• SQL Injection modifies SQL requests in the browser
• The application should be written to prevent this

265
Q

XML Injection and LDAP Injection

A

• XML - Extensible Markup Language
• XML injection modifies XML requests
• A good application will validate all input
• LDAP - Lightweight Directory Access Protocol
• LDAP injection modifies LDAP requests to manipulate
application results

266
Q

Zero-day Attacks

A

Many applications have undiscovered vulnerabilities
• Someone is working hard to find the next big vulnerability
• A zero-day vulnerability has not been detected or published
• Zero-day exploits are increasingly common
• Common Vulnerabilities and Exposures (CVE)
• http://cve.mitre.org/

267
Q

Directory Traversal

A
  • A misconfigured server allows inappropriate access
  • Command injection can be dangerous when this happens
  • Run unauthorized commands from your browser
  • Combine with directory traversal for really scary results
268
Q

Buffer Overflows

A
  • Overwriting a buffer of memory
  • Spills over into other memory areas
  • Developers need to perform bounds checking
  • The bad guys spend a lot of time looking for openings
  • A really useful buffer overflow is repeatable
269
Q

Integer Overflow

A
  • Usually has a fixed boundary
  • Vulnerable software may allow an integer to go out of bounds
  • This integer may allocate a memory location for a buffer
  • The buffer will now be too small, and overflow may occur
270
Q

Browser Cookies and Session IDs

A

Cookies contain browser information
stored on your computer
• Used for tracking, personalization,
session management
• Not executable, not generally a security risk
• Could be considered a privacy risk
• Session IDs are often stored in the cookie
• Used with cookies to masquerade as another person

271
Q

Locally Shared Objects

A

Also called Flash Cookies
• Used by Adobe Flash Player to store data
• Information is saved on the user’s computer
• On by default
• Applies to all browsers
• Data is stored in a common directory
• Can only be read by the domain
that created the LSO
• www.example.com can only be read
by www.example.com
• Unless specifically passed to another domain

272
Q

LSO and Privacy Concerns

A

You can store anything in the Flash cookie
• Many web sites use Flash cookies
• Class-action suits have been filed regarding LSOs
• Personal information has been given to third-parties
• Some countries require knowledge and consent

273
Q

Malicious Add-ons and Attachments

A
  • Attachments may be files sent via email
  • All attachments should be considered a security risk
  • Add-ons extend your browser functionality
  • Add-ons tend to be more trusted
274
Q

Arbitrary and Remote Code Execution

A

Arbitrary code execution - The attacker runs whatever they want
• An attacker takes over a process
• The original executable is vulnerable to this attack
• No elevated rights needed for many attacks
• Infect with malware or adware
• Remote code execution - Attack a machine from a remote device
• Extremely dangerous vulnerability

275
Q

MAC Limiting and Filtering

A

Media Access Control - The physical address of your interface
• Collect and filter the MAC address of all devices
• MAC addresses are easily spoofed
• Don’t rely on this for security

276
Q

Monitoring System Logs

A

Huge source of detailed network information
• Routers, switches, firewalls, IDS/IPS, anti-virus scanners,
applications, authentications, etc.
• Contain data on servers, applications, security

277
Q

Event Logs

A

Details of normal activity
• Not remarkably useful in the moment, very useful after the fact
• Huge storage requirements
• Logs from everything - Servers, routers, switches, firewalls

278
Q

Audit Logs

A

Changes must be controlled
• Can recognize legitimate activity
• Firewall policy change, file permission update
• Can recognize unapproved activity, unapproved changes
• Not as many logs as event log, but perhaps more important

279
Q

Access Logs

A

Many different instances of access
• Files, VPN connection, partners, customers
• Many different formats - Servers, application logs, etc.
• Important to know who’s coming in and out, and who is failing
• Automation can limit the attack vector
• Very useful when rebuilding after an attack

280
Q

Security Logs

A

• Focused on security-related events
• Very specific events
• Not necessarily useful to the rest of the organization
• Many diverse devices
• Firewall, VPN concentrator, IPS, content filter, authentication
server, router, switch, email gateway, anti-virus manager, etc.
• Often requires its own logging strategy

281
Q

Operating System Hardening

A

Increase the security of your operating system
• Constant maintenance to patch vulnerabilities
• One configuration error can create an opening
• Plan a regular preventive maintenance cycle

282
Q

Physical Port Security

A
This is a good best-practice
• Requires additional maintenance
and constant vigilance
• Plan on periodic reviews using
the switch management console
283
Q

Rogue Machine Detection

A

• Find devices that should not be on the
network and remove them
• Visual audit - Check ports and switches for incursion
• Network mapping
• Automated functions for finding devices
• Wireless audits
• Walk around and find rogue access points
• Network Access Control (NAC)
• Require authentication before gaining
access to the network

284
Q

Security Posture

A

• Initial Baseline Configuration
• Determine the minimum level of protection required
• Continuous Security Monitoring
• New threats are announced every day
• Systems are constantly modified and updated
• Remediation network
• Access may be based on the missing security
• Access allowed once the device is back
to full security posture

285
Q

Alarms and Alerts

A
  • Every device contains information
  • Define metrics to monitor
  • Throughput, authentications, etc.
  • Define thresholds per metric
  • Up/down, Percentage, Exact value
  • Disposition - Email, SMS
286
Q

Trends

A

Identify details that would be otherwise invisible
• Monitoring intervals and reporting timeframes
• You’re collecting a LOT of data - age it out as you go
• Focus on security metrics
• Malware activity, patch failures, increase in bandwidth, etc.

287
Q

Vulnerability Scanning

A

Vulnerabilities are identified every day
• National Vulnerability Database (http://nvd.nist.gov/)
• Applications, operating systems, services
• Scan a device to determine susceptibility to a known vulnerability
• Can be quite invasive
• Scan general OS, web servers, application, database servers

288
Q

Interpreting Vulnerability Scans

A

• Scanners aren’t perfect
• Network-level challenges with firewalls
• Device-level challenges with OS changes,
patch updates, application versions

289
Q

Passive vs. active tools

A
Passive tools
• No interaction
• Gather information external to the device
• Packet captures
• Active tools
• The device can see you looking
• Vulnerability scanners, honeypots, port scanners,
banner grabbing
290
Q

Protocol Analyzer

A
  • Capture and display network traffic, Packet by packet
  • Wireshark, a popular open-source option
  • Valuable vulnerability recon - Encrypt your traffic
291
Q

Vulnerability Scanners

A

Application scanners identify vulnerabilities in
web servers, database servers, etc.
• OS scanners identify operating system
vulnerabilities for Windows, Linux, Mac OS, etc.

292
Q

Honeypots and Honeynets

A
  • Attract the bad guys and trap them there
  • Makes for interesting recon
  • Honeypots
  • Single-use/single-system traps
  • Honeynets
  • More than one honeypot on a network
293
Q

Port scanners

A

Identify open ports on a system
• Identify firewalls and packet filters
• Identify operating systems and services
• Based on simple packet requests and responses
• Identify applications without authenticating

294
Q

Banner Grabbing

A
  • Applications can be chatty
  • The banner is always there
  • Capture it with telnet or an automated tool
295
Q

Assessment Techniques

A
  • Baseline Reporting
  • Determine risk
  • Determine which metrics and resources to monitor
  • Changes might indicate security concern
  • The baseline is constantly changing
296
Q

Penetration Testing (Pentest)

A

Simulate an attack
• Similar to vulnerability scanning, except we actually
try to exploit the vulnerabilities

297
Q

Exploiting Vulnerabilities

A

• Try to break into the system
• This might cause a denial of service or loss of data
• Buffer overflows can cause instability
• You may need to try many different vulnerability types
• Password brute-force
• Social engineering
• Database injections
• Buffer overflows
• You’ll only be sure you’re vulnerable if you can
successfully exploit a system
• If you can get through, the bad guys can get through

298
Q

Black Box, White Box, and Grey Box

A
  • Black box - A “blind” test
  • The pentester knows nothing about the systems
  • White box
  • Full disclosure - The pentester knows everything
  • Grey box
  • A mix of black and white
  • Focus on certain systems or applications
299
Q

Vulnerability Scanning

A
  • A passive test, unlike a penetration test
  • May include port scanning
  • Test from both the outside and inside
  • Gather as much information as possible
300
Q

Scan Types

A
  • Non-intrusive scans
  • Gather information, don’t try to exploit a vulnerability
  • Intrusive scans
  • You’ll try out the vulnerability to see if it works
  • Non-credentialed scans
  • The scanner can’t log in to the remote device
  • Credentialed scan
  • You’re a normal user, emulates an insider attack
301
Q

Vulnerability Scan Results

A
  • Many results can be identified:
  • Lack of security controls
  • No firewall
  • No anti-virus, no anti-spyware
  • Misconfigurations
  • Open shares
  • Guest access
  • Real vulnerabilities
302
Q

Fuzzing

A

• Send random input to an application
• Fault-injecting, robustness testing, syntax testing, etc.
• Looking for something out of the ordinary, such as an
application crash, server error, exception
• Many different fuzzing utilities and options
• Fuzzing is time and resource heavy
• Many fuzzing engines use high-probability tests

303
Q

Secure Coding Concepts

A

There’s a balance between time and quality
• Programming with security in mind is often secondary
• The Quality Assurance (QA) process tests applications
• Vulnerabilities will eventually be found

304
Q

Input Validation

A

Validate actual input and expected output
• Document all input methods (forms, fields, type)
• The fuzzers will find what you missed

305
Q

XSS and XSRF Prevention

A
Cross-site scripting (XSS)
• Check the input for embedded scripts
• Validate the input prior to storing
• Cross-site request forgery (XSRF)
• One-click attack / session riding
• Authentications should be protected
and/or encrypted
306
Q

Error and Exception Handling

A

• What happens when an error occurs?
• Network connection fails, server hangs,
database unavailable
• Think of every possible problem
• Mishandled exceptions can allow execution of code

307
Q

Application Hardening

A

Update the operating system
• Apply security patches and service packs
• Update application software
• Restrict user accounts to “least privilege” access
• Restrict additional software installations

308
Q

SQL Databases

A
  • Keep important information centralized
  • In a format that allows for easy retrieval
  • Relational Database Management Systems (RDBMS)
  • Data is stored in a table
  • Each table has records/rows
  • Each table is like a big spreadsheet
  • Structured Query Language (SQL)
  • Standard programming language for database interaction
  • Very common method of storing data
309
Q

NoSQL Databases

A

Not Only SQL
• Not SQL, not relational
• A good choice for large datasets
• Scales very large
• Can analyze very large unstructured data sets
• Big data
• Grab as much data as you can and put it into a database
• There might be relationships between
the data, or perhaps not
• The database needs to be able to handle anything

310
Q

Categories of NoSQL Databases

A

Key-value store
• Relies on a hash table to locate and represent data
• Column family store
• Large data stores can reference multiple
columns with a single key
• Document database
• Similar to key-value stores
• Contains documents that are collections of other
key-value collections
• Graph database
• Instead of a spreadsheet, use nodes, node
properties, and the relationship
between the nodes

311
Q

Validating Data

A
  • Attack an application through the user input
  • Provide data the application isn’t expecting
  • Unexpected results may occur
  • SQL injection
  • Gain access to the database
  • Filenames
  • Traverse the file system
  • Perform extensive tests before releasing the app
  • Fuzzing or random input testing
312
Q

Validation Points

A

Server-side validation
• All checks occur on the server
• Helps protect against malicious users
• Bad guys may not even be using your interface
• Client-side validation
• The end-user’s app makes the validation decisions
• Can filter legitimate input from genuine users
• May provide additional speed to the user
• Use both
• But especially server-side validation

313
Q

Mobile Device Management

A

Manage company-owned and user-owned mobile devices
• BYOD - Bring Your Own Device
• Centralized management of the mobile devices
• Specialized functionality
• Set policies on apps, data, camera, etc.
• Control the remote device
• The entire device or a “partition”
• Manage access control
• Force screen locks and PINs on these single user devices

314
Q

Device Encryption

A
Scramble all of the data on the mobile device
• Even if you lose it, the contents are safe
• Devices handle this in different ways
• Strongest/stronger/strong ?
• Encryption isn’t trivial
• Uses a lot of CPU cycles
• Don’t lose or forget your password!
• There’s no recovery
315
Q

Application Control and Storage Segmentation

A

• An MDM can control exactly what’s loaded
• Only approved corporate applications
• Unapproved applications are
restricted or removed
• The MDM has complete control
• Some MDM software segments corporate data
• A separate area of the mobile device
• Run personal and corporate without conflict
• Some devices support removable storage
• Control where organization’s data is stored
• Individual and unused features
can also be disabled
• Bluetooth, video camera, etc.

316
Q

Encryption and key management (mobile)

A

Encrypted data is important to mobile devices
• Keep your information safe as it moves around
• Is information encrypted when stored on the device?
• Every application does this differently
• Data across the network
• Use the device APIs to send traffic via SSL
• SSL requires a stored group of trusted
Certificate Authorities (CA)
• Locally-created CA certificates can be added
through an MDM

317
Q

Forensics and Legal Concerns

A

Post-attack actions
• What forensic processes are followed?
• With a desktop, the entire device is quarantined
• The organization may not own the mobile device
• The mobile device contains personal data
• The forensics process may need to look at all
information
• Does the organization have a legal right
to the device/data?
• Does the user have a legal requirement of
privacy to their data?

318
Q

Host-based Firewalls

A

Protect against others on the network
• Can restrict access to your personal computer
• Protect wherever you go
• Important for laptops and mobile devices
• Restricts by application and network port numbers

319
Q

HIPS - Host-based Intrusion Prevention

A
Started as a separate application
• Now integrated into many “endpoint” products
• Protect based on signatures
• Constantly growing database
• Protect based on activity
• Why are you modifying that file?
320
Q

Cable Locks

A

Temporary security
• Connect your hardware to something solid
• Cable works almost anywhere, useful when mobile
• Most devices have a standard connector
• Reinforced notch
• Not designed for long-term protection
• Those cables are pretty thin

321
Q

Snapshots and Security

A

Every guest is self-contained in a single file
• Virtual hosts can be versioned
• Take snapshots at any point, revert instantly
• Store multiple snapshots
• Easy to recover to a specific date and time
• Historical analysis - determine when a vulnerability was
exploited

322
Q

Host Availability / Elasticity

A

Elasticity
• Provide resources when demand requires it
• Scale down when things are slow
• Host availability
• New server deployed with a few mouse clicks
• Virtualization integrates a layer of orchestration
• Automate the deployment and movement of virtual hosts
• Servers can be added or moved to other data centers
• All of the management systems follow the servers

323
Q

Using Virtual Hosts for Security

A
• Virtualized hosts are perfect for spinning
up a custom host
• Network scans, vulnerability scanning,
penetration testing
• Sandboxing
• Don’t click that link!
Don’t launch that attachment!
• Unless you’re in a sandbox
• Individual sandboxes
• Or centralized sandboxes for everyone
324
Q

SAN Data Security

A

The network is the SAN
• You’re in one place, the data is in another
• Physically secure SAN
• Restricted physical access
• Protected data center
• Self-encrypting drives
• Encrypt data when it leaves the protected area
• Network-to-network (switch-to-switch)
• Backup tapes
• Plan for encryption overhead in CPU and network use

325
Q

Securing Big Data

A

Massive datasets
• Normal access controls may not apply
• Doesn’t fit a “need to know” principle
• You don’t even know what’s in there
• An important part of big data is hunting for patterns
• Consider removing Personally Identifiable Information (PII)
• Difficult to completely remove an
individual’s identification
• Difficult to audit every bit of information accessed
• Log just the queries
• Implement Data Loss Prevention (DLP) techniques

326
Q

Full-Disk Encryption

A
  • Serious data protection - Every bit and byte is encrypted
  • Perfect for mobile devices - But not exclusive to laptops
  • Built-in protection - BitLocker
  • Commercial and open-source options - PGP, TrueCrypt
  • Key management is incredibly important
  • Lose the key, lose your data
327
Q

Database Encryption

A

Relatively impractical to encrypt an entire database
• Huge files, lots of access
• Encryption based on the Database
Management System (DBMS)
• Different capabilities across different
software platforms
• Individual columns/fields are usually encrypted
• Don’t encrypt your key fields!

328
Q

Individual File Encryption

A
  • Many different options
  • Built-in to the OS
  • 3rd-party applications
  • Some files are encrypted others are not
  • Pick and choose your security
  • And your resource management
  • Many of those still require key management
  • Backup your keys, protect your keys
329
Q

Removable Media Encryption

A
Big concern
• Where’s my USB drive?
• Administrative controls over removable media
• Require encryption
• Again with the key management
• This can be automated in many operating systems
• No USB storage at all
• An extreme case
330
Q

Mobile Devices

A
  • Practically all mobile devices encrypt user data
  • The key is on the device
  • Apps using “Data Protection” are encrypted in iOS
  • The key is based on the passcode
  • Even if stolen, the data can’t be retrieved without the passcode
  • Some information may not be encrypted in iOS
  • On Android, configure encryption in Settings > Security
  • Full-disk encryption, the key is based on the passcode
331
Q

TPM

A

Trusted Platform Module

A specification for cryptographic functions
• Cryptographic processor with random
number generator, key generators
• Persistent memory
• Comes with unique keys burned in during production
• Versatile memory
• Storage keys, hardware configuration information
• Password protected

332
Q

HSM

A

Hardware Security Module

  • High-end cryptographic hardware
  • Plug-in card or separate hardware device
  • Key backup in secured storage
  • Cryptographic accelerators for offloading CPU overhead
  • Used in large environments
333
Q

USB Encryption

A

Hardware-based AES encryption as part of the drive
• Includes trusted browser, identity software
• Can be used as secure tokens with
two-factor authentication and single sign-on
• Remote management included to reset remotely

334
Q

Hard Drive Encryption

A

Encrypt storage drive data with hardware
• Integrate with USB key
• Cleartext goes in, cipher comes out
• High speed, strong encryption

335
Q

Data In-Transit

A

Data transmitted over the network
• Also called data in-motion
• Not much protection as it travels
• Many different switches, routers, devices
• Provide transport encryption
• TLS (Transport Layer Security), IPsec (Internet Protocol
Security)

336
Q

Data At-Rest

A

The data is on a storage device
• Encrypt the data
• Whole disk encryption, database encryption
• File- or folder-level encryption
• Apply permissions
• Access control lists - Only authorized users
can access the data

337
Q

Data In-Use

A

The data is in memory
• System RAM, CPU registers and cache
• The data is almost always decrypted
• Otherwise, you couldn’t do anything with it
• The bad guys can pick the decrypted information
out of RAM

338
Q

Access Control Lists

A

ACLs
• Permissions associated with an object
• Used in file systems, network devices, operating
systems, and more
• List the permissions
• Bob can read files
• Fred can access the network
• James can access network 192.168.1.0/24 using
tcp ports 80, 443, and 8088
• Many operating systems use ACLs to provide
access to files
• A trustee and the access rights allowed

339
Q

Disposing of Data

A

• Some information cannot be disposed of
• Legal requirements for maintaining information
• Some information is destroyed to make room for more
• Archived data, especially with high storage costs
• Personal data may have a very short life
• Only store for however long as is necessary
• Sensitive information may be destroyed to control
distribution
• Keep the information out of the hands of others

340
Q

Static Environments

A

User can’t change very much, unlike a PC
• Very useful for security - Easier to protect and defend
• Embedded systems
• A computing system designed to
perform a specific, dedicated function
• Intravenous drip-rate meter, water treatment
plant controls
• Even static environments can be updated
• Firmware upgrades are common

341
Q

SCADA and HVAC

A

• Supervisory Control and Data Acquisition System
• Large-scale, multi-site Industrial Control Systems (ICS)
• Runs on normal PCs, manages equipment
• Power generation, refining,
manufacturing equipment
• Traditionally not built with security in mind
• This has obviously been a problem these days
• Huge emphasis in securing all SCADA systems
• Enormous improvements in a short time

342
Q

Printers, Scanners, and Fax Machines

A
  • All-in-one or multifunction devices (MFD)
  • Everything you need in one single device
  • No longer a simple printer
  • Very sophisticated firmware
  • Some images are stored locally on the device
  • Can be retrieved externally
  • Logs are stored on the device
  • Contain communication and fax details
343
Q

Mainframes

A
  • Legacy systems - Proprietary operating systems
  • Still used for large-scale applications
  • Bulk data, transaction processing
  • Very reliable and redundant
  • Can run uninterrupted for decades
  • Not many mainframe-specific attacks exist
  • A unique OS with relatively few installations
  • Attacks tend to be from the inside
  • Very specialized, attacking specific data sources
344
Q

Security Layers and Control Redundancy

A

• Layered security
• Defense-in-depth - You need more than just one type of
security
• The security controls should be diverse
• If you get over one hurdle, there’s another one to stop you
• Avoid any single points of failure
• Security also needs redundancy
• Multiple firewalls, multiple IPS, multiple
management systems

345
Q

Network Segmentation

A

Separate logical sections of the organization
• Internet, DMZ, storage, management, corporate, etc.
• Physical separation
• Completely different infrastructure
• Logical separation
• Firewall rules, based on zones or IP address ranges
• Specific policies for types of data per zone
• No PII in the DMZ, no credit card information on the Internet

346
Q

Wrappers and Application Firewalls

A

• TCP Wrapper
• Puts a wrapper between the network
and the service
• Uses ACLs to filter access to services
• A very early form of application control
• Application firewalls - Filters traffic based
on the application
• Can provide very detailed application control
• Can protect specialized applications

347
Q

RADIUS

A

(Remote Authentication Dial-in User Service)
• Authentication protocol for almost everything
• A very common AAA service
• Modems, routers, switches, firewalls, etc.
• A common authentication method for 802.1X
• Secure authentication - sends passwords as a hash

348
Q

TACACS

A

(Terminal Access Controller Access-Control System)
• Remote authentication protocol, RFC 1492
• Created to control access to dial-up lines to ARPANET
• XTACACS (Extended TACACS)
• A Cisco-created (proprietary) version of TACACS
• Additional support for accounting and auditing
• TACACS+
• The latest Cisco proprietary version of TACACS
• Not backwards compatible
• More authentication requests and response codes

349
Q

LDAP

A

(Lightweight Directory Access Protocol) tcp and udp 389

  • Protocol for reading and writing directories over an IP network
  • X.500 specification was written by the International Telecommunications Union (ITU)
  • LDAP is lightweight, and uses TCP/IP (tcp/389 and udp/389)
  • LDAP is the protocol used to query and update an X.500 directory
  • Used in Windows Active Directory, Apple OpenDirectory, Novell eDirectory, etc.
350
Q

X.500 Directory Information Tree

A
  • LDAP User Access and Security
  • Simple Authentication and Security Layer (SASL) in LDAP v3
  • Usually two levels of access - Read-only (query) and read-write (update)
351
Q

Secure LDAP

A

LDAP over SSL - Encrypt with SSL/TLS

• Commonly configured in Microsoft environments - Active Directory uses TCP port 636

352
Q

Kerberos

A

Authentication Step 1:
• Send Authentication Service (AS) a logon request
• Encrypt the date and time on the local computer
• User’s password hash is the key

Authentication Step 2:
• AS sends Ticket Granting Ticket (TGT) and
Ticket Granting Service (TGS) Session Key

Client Service Authentication Step 1:
• Sends TGS a copy of the TGT and
the name of the application server
• Time stamped client ID, encrypted
with TGS key

Client Service Authentication Step 2:
• Sends the application server the
encrypted service ticket and another
time-stamped authenticator

Client Service Authentication Step 3:
• App server decrypts the service ticket
to confirm an untampered message
• App server decrypts authenticator
with service session key
• App server may respond with a
timestamp to allow client to verify
no man-in-the-middle.
353
Q

SAML

A
You need access to resources on a
service provider
• You can authenticate through a third-party
• Service provider
• You need access to this web server
• Client
• The user that needs access,
often from a browser
• Identity Provider
• The owner of the identities and credentials
354
Q

Identification vs. authentication

A
  • Identification associates a user with an action
  • Authentication proves a user is who it claims to be
  • The access control process
  • Prove a user is who they say they are (authorization)
  • Prove a user performed an action (non-repudiation)
355
Q

Authentication

A
  • Proves a user or process is who it claims to be
  • Provide a username and a secret passphrase
  • Many different authentication types
356
Q

Authorization

A

Now you’re identified
• What rights and permissions do you have?
• Policy definition
• What rights and permissions should apply?
• Policy enforcement
• Only authorized rights are exercised
• Allow and deny based on defined policies

357
Q

Access Control

A

Authorization
• Ensure only authorized rights are exercised (policy
enforcement)
• The process of determining rights (policy definition)

358
Q

DAC

A
  • Discretionary access control (DAC)
  • The owner is in full control
  • Very flexible but very weak security
359
Q

RBAC

A

Role-based access control

Access is based on the role of the user
• Rights are gained implicitly instead of explicitly
• Windows Groups can provide role-based access control

360
Q

Mandatory Access Control (MAC)

A

Based on security clearance levels
• Every object gets a label
• Labeling of objects uses predefined rules

361
Q

Other Access Control Options

A

Rule-based access control
• A generic term for following the rules
• Access is determined through system-enforced rules
• Implicit Deny
• Unless otherwise stated, there’s no access of any kind
• Time of Day Restrictions
• Access control changes depending on the time of day

362
Q

Authentication Factors

A
  • Something you know - Password, PIN
  • Something you have - Smart card, token
  • Something you are - Fingerprint, iris scan
363
Q

Multi-factor Authentication

A

More than one factor
• Something you are - Biometrics
• Something you have - Smart card, USB token, phone text
• Something you know - Password, PIN, screen pattern
• Somewhere you are - GPS information, IP address
• Something you do
• Handwriting analysis, typing technique

364
Q

One-Time Password Algorithms

A

• HOTP - HMAC-based One-Time Password
• TOTP - Time-based One-Time Password

365
Q

TOTP

A

Time-based One-Time Password
• Use a secret key and the time of day
• Secret key is configured ahead of time
• Timestamps are synchronized via NTP
• Timestamp usually increments every 30 seconds
• Put in your username, password, and TOTP code
• One of the more common OTP methods
• Used by Google, Facebook, Microsoft, etc.

366
Q

HOTP - HMAC-based One-Time Password

A
  • The keys are based on a secret key and a counter
  • Token-based authentication
  • The hash is different every time
  • Hardware and software tokens available
  • You’ll need additional technology to make this work
367
Q

PAP

A

(Password Authentication Protocol)
• PAP is clear-text authentication
• Unsophisticated, insecure

368
Q

CHAP

A

(Challenge-Handshake Authentication Protocol)
• Encrypted challenge sent over the network
• Three-way handshake
• After link is established, server sends
a challenge message
• Client responds with a password hash
• Server compares received hash with stored hash

369
Q

SSO

A

Single Sign-on (SSO)
• Authenticate one time
• Kerberos authentication and authorization
• 3rd-party options

370
Q

SSO with Kerberos

A
  • Authenticate one time
  • No constant username and password input
  • Not everything is Kerberos-friendly
371
Q

Federation

A

• Provide network access to others - Not just employees
• Third-parties can establish a federated network
• Authenticate and authorize between
the two organizations
• Login with your Facebook credentials
• The third-parties must establish a trust relationship
• And the degree of the trust

372
Q

Shared Account

A

Authentication details for one account are known by
more than one person
• Sharing accounts makes auditing very difficult
• Breaks non-repudiation
• Activities on a shared account can be challenged
• The account credentials are more likely to be
compromised
• Changing the password will involve many people

373
Q

Group Policy

A

Apply security and admin settings across many PCs
• Different than NTFS or Share permissions
• Control the use of the operating system
• Linked to Active Directory administrative boundaries
• Sites, domains, organization units (OUs)
• Define by groups, locations, etc.

374
Q

Group Policy Control

A
  • Administrative policies
  • Remove Add or Remove Programs
  • Prohibit changing sounds
  • Allow font downloads
  • Only allow approved domains to use ActiveX controls without prompt
  • Security policies
  • Specify minimum password length
  • Require smart card
  • Maximum security log size
  • Enforce user login restrictions
375
Q

Plaintext

A

An unencrypted message (in the clear)

376
Q

Ciphertext

A

An encrypted message

377
Q

Cipher

A

The algorithm used to encrypt and/or decrypt

378
Q

Substitution Cipher (Caesar cipher)

A

Substitute one letter with another - ROT13
• “Uryyb Jbeyq” is “Hello World”
• Transposition Cipher
• Keep the letters, change the order - “HLOOLELWRD”
• Hack these ciphers with a frequency analysis

379
Q

Symmetric Encryption

A

A single, shared key
• Encrypt with the key, decrypt with the same key
• If the key is found, all data can be decrypted
• Very fast to use, not a lot of overhead
• Often combined with asymmetric encryption

380
Q

Asymmetric encryption

A

Public key cryptography
• Private key - keep this private
• Public key - give to everyone
• The private key is the only key that can decrypt data
encrypted with the public key
• You can’t derive the private key from the public key

381
Q

Out-of-band key exchange

A

Don’t send the symmetric key over the ‘net

• Telephone, courier, in-person, etc.

382
Q

In-band key exchange

A

• It’s on the network
• Protect the key with additional encryption
• Often uses asymmetric encryption to deliver
a symmetric key

383
Q

Real-time Encryption/Decryption

A

There’s a need for fast security
• Without compromising the security part
• Share a symmetric session key using asymmetric
encryption
• Client encrypts a random (symmetric) key with
a server’s public key
• The server decrypts this shared key and uses it
to encrypt data
• This is the session key
• Implement session keys carefully
• Need to be changed often (ephemeral keys)
• Need to be unpredictable

384
Q

Block Ciphers

A

• Used in symmetric encryption
• Not used in asymmetric encryption
• Encrypt fixed-length groups (blocks)
• Often 64-bit or 128-bit blocks
• Pad added to short blocks to fill the block size
• Confusion
• The key-to-ciphertext relationship should be
very complicated
• You can’t determine the key based on the ciphertext
• Diffusion
• Output should depend on the input in a complex way
• If you change one bit of the input, at least 50% of the
output should be different

385
Q

Stream Ciphers

A

Also used with symmetric encryption
• Encryption is done one bit or byte at a time
• High speed, low hardware complexity
• The starting state should never be the same twice
• Key is often combined with an initialization vector (IV)

386
Q

Non-repudiation

A

Proof of integrity
• Proof of origin, with high assurance of authenticity
• Used for digital signatures
• Digitally “sign” your files/messages with
your private key
• Others check with your public key

387
Q

Key Escrow

A
  • A trusted third-party holds the keys

  • Allows for recovery of encrypted data

388
Q

Key escrow with encryption types

A

• Symmetric encryption - Hide a key in a safe
• Asymmetric encryption - Add an additional
private decryption key
• The process is just as important as the key
• When do you get the key? Who has access?
Is there more than one key?

389
Q

ECC

A

Elliptic curve cryptography (ECC)
• Asymmetric encryption
• Need large integers composed of two or more
large prime factors
• Instead of numbers, use curves!
• Smaller storage and transmission requirements
• Perfect for mobile devices

390
Q

Quantum cryptography

A
  • Use quantum physics to provide cryptographic references
  • Quantum key distribution (QKD)
  • Used to communicate a shared key between two users
  • If a third-party tries to get in the middle, the data is disturbed
391
Q

PFS

A

Perfect Forward Secrecy (PFS)
• Don’t use the server’s RSA key pair
• Use Elliptic curve, Diffie-Hellman ephemeral
• The keys aren’t kept around
• You can’t recover the key, so you can’t decrypt
• PFS requires more computing power - Not all servers use PFS
• The browser must support PFS
• Check your SSL/TLS information for details

392
Q

MD5 Message Digest Algorithm

A

• First published: April 1992
• Replaced MD4
• 128-bit hash value
• 1996: Vulnerabilities found - not collision resistant
• December 2008: Researchers created CA certificate
that appeared legitimate when MD5 is checked

393
Q

SHA

A

Secure Hash Algorithm (SHA)
• Developed by the National Security Agency (NSA)
• A US Federal Information Processing Standard
• SHA-1
• Widely used
• 160-bit digest
• 2005: Collision attacks published
• SHA-2
• The preferred SHA variant
• Up to 512-bit digests
• SHA-1 is now retired for most US Government use

394
Q

RIPEMD

A

• A family of message digest algorithms
• RACE Integrity Primitives Evaluation Message Digest
• RACE - Research and Development in Advanced
Communications Technologies in Europe
• Original RIPEMD was found to have collision issues (2004)
• Effectively replaced with RIPEMD-160 (no known
collision issues)
• Based upon MD4 design but performs similar to SHA-1
• RIPEMD-128, RIPEMD-256, RIPEMD-320

395
Q

HMAC

A

Hash-based Message Authentication Code
• Combine a hash with a secret key
• e.g., HMAC-MD5, HMAC-SHA1
• Verify data integrity and authenticity
• No fancy asymmetric encryption required
• Used in network encryption protocols
• IPsec, TLS

396
Q

RC4

A

Rivest Cipher 4 - Ron Rivest (Ron’s Code 4)
• RC4 has “biased output”
• If the third byte of the original state is zero and
the second byte is not equal to two, then
the second output byte is always zero
• Not common to see RC4 these days

Symmetric

397
Q

DES and 3DES

A
  • Data Encryption Standard - DES and Triple DES
  • One of the Federal Information Processing Standards (FIPS)
  • 64-bit block cipher
  • 56-bit key (very small in modern terms)
  • 3DES - Use the DES algorithm three times
  • Three keys, two keys, or the same key three times
  • Superseded by AES (Advanced Encryption Standard)
398
Q

AES (Advanced Encryption Standard)

A
  • US Federal Government Standard
  • 128-bit block cipher - 128-, 192-, and 256-bit keys
  • Used in WPA2 - Powerful wireless encryption
399
Q

Blowfish

A

Designed in 1993 by Bruce Schneier
• 64-bit block cipher, variable length key
• 1 to 448 bits
• No known way to break the full 16 rounds of
encryption
• One of the first secure ciphers not limited
by patents

400
Q

Twofish

A

Successor to Blowfish
• 128-bit block size, key sizes up to 256 bits
• No patent, public domain

401
Q

RSA

A

Ron Rivest, Adi Shamir, and Leonard Adleman (1977)
• Public-key cryptography system
• Based on the product of two large prime numbers
• You must know the factors to decode
• Now released into the public domain
• Used extensively for web site encryption and DRM

402
Q

Diffie-Hellman Key Exchange

A

• A key exchange method over an insecure
communications channel, published in 1976
• Whitfield Diffie and Martin Hellman (and Ralph Merkle)
• DH does not itself encrypt or authenticate
• It’s an anonymous key-agreement protocol
• Used for Perfect Forward Secrecy
• Ephemeral Diffie-Hellman (EDH or DHE)
• Combine with elliptic curve cryptography for ECDHE

403
Q

One-Time Pad

A

• 1917 - Built to encrypt teletype communication
• Mixed a paper tape (message) with another
paper tape (key)
• The “pad” is a pad of paper
• Very simple encryption and decryption process
• Very secure encryption
• Unbreakable when used correctly

404
Q

One-Time Pad Rules

A

• The key is the same size as the plaintext
• The number of letters should be exactly the same
• The key is truly random - no pseudo-random
computer functions
• The key should only be used once - destroy after use
• There are only two copies of the key
• One for the sender, one for the receiver

405
Q

LANMAN

A

LAN Manager (LANMAN)
• Microsoft and 3Com network operating system
• Hash challenge, similar to CHAP
• Somewhat insecure
• All uppercase ASCII, password is 14-characters max
• Passwords over 7 characters are split and
encrypted separately
• Passwords are not salted

406
Q

NTLM vulnerabilities

A

• Some Windows password databases contain
LM hash versions of the passwords
• NTLM is vulnerable to a credentials
forwarding attack

407
Q

NTLM

A

(NT LAN Manager)
• Used in early versions of Windows NT
• Password is Unicode and up to
127 characters long
• Stored as a 128-bit MD4 hash
• NTLMv2 was first seen on Windows NT SP4
• New password response
• MD4 password hash (same as NTLMv1)
• HMAC-MD5 hash of username and server name
• Variable-length challenge of timestamp,
random data, domain name

408
Q

SSL

A

(Secure Sockets Layer)
• Developed by Netscape in 1996
• TLS (Transport Layer Security) - Derived from SSL
• HTTPS uses SSL/TLS to encrypt web server communication

409
Q

The Strength of Encryption

A

• Practically everything can be brute forced
• Strong algorithms have been around for a while
• That’s part of the reason that they are strong
• Wired Equivalent Privacy (WEP) was found to
have design flaws
• Strong algorithms - PGP, AES
• Weak algorithms - DES (56-bit keys), WEP (design flaw)

410
Q

Key Stretching

A

A weak key is a weak key - by itself, it’s not very secure
• Make a weak key stronger by performing multiple processes
• Hash a password. Hash the hash of the password. And continue…
• Brute force attacks would require reversing each of those hashes
• The attacker has to spend much more time, even though
the key is small

411
Q

Key stretching libraries

A
• bcrypt
• Generates hashes from passwords
• An extension to the UNIX crypt library
• Uses Blowfish cipher to perform
multiple rounds of hashing
• Password-Based Key Derivation
Function 2 (PBKDF2)
• Part of RSA public key cryptography
standards (PKCS #5, RFC 2898)
412
Q

Commercial certificate authorities

A
Built-in to your browser
• Purchase your web site certificate
• It will be trusted by everyone’s browser
• Create a key pair, send the public key to
the CA to be signed
• A certificate signing request (CSR)
• May provide different levels of trust
and additional features
• Add a new “tag” to your web site
413
Q

Private certificate authorities

A

• You are your own CA - build it in-house
• Needed for medium-to-large organizations
• Implement as part of your overall
computing strategy
• Windows Certificate Services
• OpenCA

414
Q

Key Revocation

A
  • Certificate Revocation List (CRL)

  • Maintained by the Certificate Authority (CA)

415
Q

Getting Revocation Details to the Browser

A
  • OCSP (Online Certificate Status Protocol)
  • The browser can check certificate revocation
  • Messages usually sent to an OCSP responder via HTTP
  • Not all browsers support OCSP
  • Early Internet Explorer versions did not support OCSP
416
Q

Web-of-Trust Key Revocation

A

You manage your own certificates
• You must find others to sign your certificate, and
those people must be trusted by others
• Plan to revoke your key with a revocation certificate
• You can also enable others to create
revocation certs for your key

417
Q

PKI

A

Public Key Infrastructure (PKI)
• Policies, procedures, hardware, software,
people to manage digital certificates
• Create, distribute, manage, store, revoke
• Requires extensive planning
• Also refers to the binding of public keys to people

418
Q

The Key Management Lifecycle

A
• Key generation
• Create a key with the requested strength using
the proper cipher
• Certificate generation
• Allocate a key to a user
• Distribution
• Makes the key available to the user
• Storage
• Secure storage and protection against unauthorized use
• Revocation
• Manage keys that have been compromised
• Expiration
• A certificate may only have a certain “shelf life”
419
Q

Key Recovery

A
  • Your private key is valuable
  • Backup and store private keys
  • Use “M of N” control to restrict access
  • Built-in to Windows Server CA and other 3rd-party CAs
420
Q

Digital Signatures

A

Sign with the private key
• The message doesn’t need to be encrypted
• Verify with the public key
• Any change in the message will invalidate the signature

421
Q

Key Registration

A

The Registration Authority (RA) provides the PKI role that
ensures the public key is bound to the individual
• Important for non-repudiation
• This can range from a casual verification to a formal,
multi-step verification
• Federal Public Key Infrastructure Policy Authority
X.509 Certificate Policy for the U.S. Federal Government