Deck Flashcards
What is counter mode (CTM) for symmetric algorithms or block ciphers?
- Uses counter to make nonce for each block encryption.
- very fast
- make nonce, encrypt nonce, XOR nonce w/ plaintext.
What is CCMP for symmetric algorithms or block ciphers?
- involves cipher block chaining (CBC) w/ MAC
- designed for block cipher of 128-bit
- length of message needs to be known first
- Data encapsulation for wireless
- AES cipher uses CCMP for integrity
What is Galois Counter Mode (GCM) for symmetric algorithms or block ciphers?
- Extension of CTM but adds authentication
- Fast as well.
What is Simultaneous Authentication of Equals (SAE)?
- Password key exchange for mesh networks
- Uses the Dragonfly protocol for key exchange
- resists active, passive, and dictionary attacks
- Used in WPA3
What is Extensible Authentication Protocol (EAP)?
- Used for wireless; adds stronger authentication to PPP
- Supports tokens, smart cards, certs, one-time passwords.
What is Protected Extensible Authentication Protocol (PEAP)?
- Protects EAP by encapsulation in TLS.
What is Extensible Authentication Protocol-FAST (EAP-FAST)?
- Cisco replacement for LEAP
- lightweight tunneling for authentication
- Need Protected Access Credential (PAC) to establish tunnel
What is Extensible Authentication Protocol-TLS (EAP-TLS)?
- Most secure EAP method
- Need client-side cert
- Attacker needs client key to break TLS channel
What is Extensible Authentication Protocol-TTLS (EAP-TTLS)?
- EAP-TLS with an extra tunnel
- protected from MITM
What are site surveys?
- Mapping of floor plan, RF interference, and RF coverage dictates AP placement
- survey the site pre-deployment and again post-deployment to compare
What are Heat Maps?
- For wireless coverage and strength
- made with a Wi-Fi analyzer
- to find weak spots
- a heatmap is a subset of a site survey
What is a Wi-Fi analyzer?
- determines signal strength and interference
- used to make heat maps
What is the purpose of WAP placement?
- many components to consider for placement
- don’t want people outside of building to be able to access
- use site surveys to help figure out placement
What is containerization and storage segmentation on mobile devices?
- divide device into multiple containers – one for work, one for personal
- keeps corporate data separate from personal data
What is SEAndroid?
- Mobile Security Enhanced Linux (SELinux)
- Enforces Mandatory Access Control
- Implicit deny
What is sideloading?
- third-party addition of apps on device.
- risk of installing malware is higher with this method
What is data minimization?
- Limit collection of data to only what is relevant and necessary
- reduces breaches
- data only stays for a period of time then it is deleted
What is a certificate authority (CA)?
- Certifies identities and issues digital certs
- digital cert links user to public key
What is an intermediate certificate authority?
- Transfers trust between different CAs
- aka subordinate CAs
- intermediate CAs use higher-level CAs as reference
What is a registration authority (RA)?
- Accepts requests for a digital cert
- performs the necessary steps of registering and authenticating the user requesting a digital cert
What is online certificate status protocol (OCSP)?
- Used for cert revocation
- reviews CRL to see if cert is valid; backup if CRL is slow
What is a Certificate Signing Request (CSR)?
- gives the public key and user info needed for digital cert to CA for decision
What is a code signing certificate?
- forces cert and app that uses cert to adhere to proper cert usage.
What are self-signed certificates?
- The highest level of cert
- aka root certificate
- highest trust
Offline vs. Online CA
- certs that are very specific and important are offline certs – this provides security
- digital certs that need to be signed a lot are online
What is stapling?
- combining related items to reduce communication steps
- more efficient, minimizes burden
What is certificate pinning?
- pins a host to an X.509 certificate
- good for insecure networks
What is certificate chaining?
- root cert trusts lower level certs creating a chain
IR Response Order:
Prep, identification, containment, eradication, recovery, lessons learned
IR Process: Preparation
- Takes place before an incident occurs
- helps to be organized when a specific incident does occur
IR Process: Identification
- gather and process info to see if the incident is serious enough
- determine cause of incident
- see if it needs full IR process
IR Process: Containment
- prevent spread to mitigate damage
- helps keep production running if possible
IR Process: Eradication
- get rid of malware; wipe system clean, revert, scrap the machine, etc
IR Process: Recovery
- Return the asset to business operations
IR Process: Lessons Learned
- Used to correct weaknesses and find ways to improve
- document what went wrong
- examine the IR process to see if it was effective
What is ARP Poisoning?
- attacker poisons ARP table
- Packets will then get misdirected
- causes MITM attack
What is a federation?
- policies and protocols to manage identities across systems and organizations
- can use SAML
- access resources across multiple enterprises; whereas SSO is multiple resources across single enterprise.
What is Narrow-band radio?
- low power and long range
- small amount of data transferred
What is baseband radio?
- a single signal that makes a single channel of communication
What is Perfect Forward Secrecy (PFS)?
- makes a temporary, unique private key for every session
What is Homomorphic Encryption?
- algorithm for operations on encrypted data without decrypting and re-encrypting
- very speedy and good for transaction-based systems
What is a next-generation firewall (NGFW)?
- inspects the actual content of traffic crossing the firewall
What is a disassociation attack?
- disconnect a host on a wireless network
- attacker needs MAC to de-auth victim
- intended to gain credentials during reconnect
What is an API attack?
- attackers gain access to databases through weak API security
- data breaches can occur
Forward proxy
- acts on behalf of user
- can bypass firewall settings
- act as a cache server
- obfuscate user IP
Reverse Proxy
- Installed server side and acts on behalf of server
- intercepts web requests
- can do traffic filtering, SSL/TLS decryption, and load balancing
What is WPA2-Personal or PSK?
- Supports CCMP
- typical in personal home
- requires single key on AP and client for authentication.
What is WPA2-Enterprise?
- Uses IEEE 802.1X
- uses stronger keys
- uses authentication server
What is RFID?
- up to 200 meters
- Active or passive
- attacks include: replay and eavesdropping
What is Near Field Communication (NFC)?
- Subset of RFID
- 10 cm or less
- smartcards
What is context-aware authentication?
- relies on contextual info
- who user is, what resources they are requesting, how they are connected
- EX: person being denied because they aren’t in the office
What is a P7B file format?
- base64 ASCII format
- file extension .p7b or .p7c
- file begins with “-----BEGIN PKCS7-----”
- contains certificates and chain certificates
- Used on Java Tomcat, Microsoft Windows
What is a Cloud Access Security Broker (CASB)?
- sits between consumer and cloud provider
- enforce enterprise policies
- provides visibility into app use, data use, verification of compliance, and monitoring and identification of threats
What is Recovery Time Objective (RTO)?
- target time set for operations to resume after an incident
- defined by the business based on needs
- shorter time = more money
What is Recovery Point Objective (RPO)?
- time period representing the max amount of acceptable data loss
- defines frequency of backups to prevent data loss
What is a directory traversal attack?
- adding “../..” in an input box to gain access to the filesystem in a database
- relies on bad input validation
What is a Memorandum of Understanding (MOU)?
- bilateral agreement between parties
- informal letter; not a contract
What is Data Execution Prevention (DEP)?
- Prevents users from executing code on a system
What is Infrastructure as a Service (IaaS)?
- Outsource Hardware
- No OS, or apps
- you manage security
- you have more control of data
What is Platform as a Service (PaaS)?
- Cloud provider gives hardware, OS, and runtime
- Cloud provider controls platform
- You develop applications on this model
What is Security Assertion Markup Language (SAML)?
- SSO used for web apps to share user identities
- popular with cloud providers and SaaS
- XML-Based protocol
- passes tokens and assertions about user to SAML authority
- Can log into many different websites with SAML
What is HTML5?
- implement secure HTML5 for a VPN
- no plugins required so update management is easier than standard VPN
- alternative to an SSL/TLS VPN
What is a cer/crt file format?
- can be encoded binary DER or ASCII PEM
- CER used for Microsoft
- CRT used for Unix
What are Distinguished Encoding Rules (DER)?
- encodes a data object into binary
- Used for a single certificate
- Java certificates often use DER
What is a pointer/object dereference?
- If a pointer points to nothing, then this can cause an application crash, debug info displayed, DoS
What is an Extensible Markup Language (XML) injection?
- Can be used to create new users and possibly get admin access
- Need good input validation
What is a collision attack?
- where two different inputs produce the same hash output.
- Birthday attack can cause a collision with weak hash functions
What is prepending?
- adding something else to the beginning of an item
- can be used for social engineering to add legitimacy
What is pretexting?
- uses a narrative (pretext) to influence the victim into helping the attacker.
What is pharming?
- misdirect users to fake websites that look legit
- misdirects through modification of host files or DNS poisoning
What is Privacy-enhanced Mail (PEM)?
- most common cert format
- Base64-encoded ASCII
- format: “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”
- can contain public and private keys
- can carry multiple certificates in one file
- common file formats: .pem, .cer, .crt, .key
What is Personal Information Exchange (PFX)?
- binary format to store server certificate, intermediate certificates, and a private key
- used on Windows machines to import and export certs and private keys
What is operational control?
- policy or procedure to limit security risk
- executed by people themselves primarily
- maintenance, media protection, incident response, awareness and training, personnel security
How can you mitigate a malicious USB on a Windows machine?
- User awareness training
- Disable autoplay on removable media
What is DNSSEC?
- Secure DNS
- Uses TCP port 53 for larger transfers
- adds integrity and authentication with digital signing
What is Secure Shell(SSH)?
- Secure remote terminal connection
- uses asymmetric encryption
- uses public key cryptography
What is Secure/Multipurpose Internet Mail Extensions (S/MIME)?
- base64 encoding for email messages
- public key encryption and digital signing of MIME data in emails
- provides authentication, message integrity, and nonrepudiation
What is Secure Real-time Transport Protocol (SRTP)?
- secure audio and video over IP networks
- provides encryption, message authentication and integrity, and replay protection
What is LDAPS?
- uses TCP port 636 for communication
- uses TCP port 3269 for comms to global catalog server
- LDAP over SSL
- uses certificate from trusted CA
- replaced by LDAPv3 and SASL
What is File Transfer Protocol, Secure (FTPS)?
- FTP over SSL/TLS for encryption
- uses TCP 989 for data connection
- uses TCP 990 for control connection
What is SSH File Transfer Protocol (SFTP)?
- FTP over SSH
- leverages SSH for encryption
- Uses TCP port 22
What is SNMPv3?
- manages devices on IP networks
- the only secure version of SNMP
What is HTTPS?
- HTTP over SSL/TLS
- TCP port 443
- offers integrity and confidentiality
What is IPSec?
- securely exchange packets at layer 3 of OSI
- uses AH to protect header
- uses ESP to protect body of data
- Two modes: transport(only protects data) and tunnel(protects the whole packet)
What is Secure POP3?
- Uses TCP port 995
- POP3 over TLS
What is IMAP4?
- uses TCP port 993
- IMAP over TLS
What is NTPSec?
- Uses TLS
- port 123
What is USB OTG?
- Allows direct connection between USB OTG devices
- they change between host and device
What is a Next-Generation Secure Web Gateway (SWG)?
- between users and internet
- check web requests against company policy
- includes URL filtering, app control, DLP, antivirus, and HTTPS inspection
- similar to a NGFW
What are SSH keys?
- credentials used by SSH
- used primarily for automated processes and services
- uses public key cryptography
What is Challenge-Handshake Authentication Protocol (CHAP)?
- provides authentication through a three-way handshake
- uses PPP, which does three things: encapsulates datagrams; establishes, configures, and tests links with Link Control Protocol (LCP); establishes and configures different network protocols using Network Control Protocol (NCP)
What is Password Authentication Protocol (PAP)?
- authentication protocol
- two-way handshake where credentials are sent in clear-text
- no protection against playback and line sniffing
- deprecated
What is attribute-based access control (ABAC)?
- based on user attributes, resource or object attributes, environmental attributes
- more costly and complicated than other access control models
What is Role-based Access Control?
- user granted permissions based on role in corporation
What is Rule-based Access Control?
- access determination based on ACLs
- only admin can modify rules
- example can be no access to resources outside of work hours
What is stakeholder management?
- includes defined personnel roles and responsibilities for stakeholder relationships during an incident
- functions include legal, communications, liaisons, customer support, and operations personnel
What is a business continuity plan?
- defines policies and planning that ensure business continuity during a time of turmoil
- only cares about the essential functions to operate
What is continuity of operation planning (COOP)?
- determines which operations need to continue during periods of disruption.
- Identifying critical assets, critical systems and keeping high availability.
What is NXLog?
- tool suite to help with syslog and Windows
- can do log correlation, context-based lookups, and rule-based enrichments
- can also act as log collector, forwarder, aggregator, and investigative tool.
What is journalctl?
- command to view systemd logs
- examine logs on a server
What is Rsyslog?
- open source variant of syslog
- has content filtering, log enrichment, and correlation of data elements
What is syslog-ng?
- open source variant of syslog
- has content filtering, log enrichment, and correlation of data elements but in REAL-TIME
What is NetFlow?
- made by Cisco
- collects packets from routers and switches
- Useful in intrusion investigations
What is sFlow?
- Collects packets from routers and switches
- Used more for traffic management, and can help with DDoS attacks.
IPFIX
- IETF’s version of NetFlow
- provide central monitoring station with info about state of network
- push-based protocol; sender pushes reports, but gets no response
SOAR Runbook
- accelerate incident response process by automating steps
- more technical and focuses on systems and services
SOAR Playbook
- approved steps to respond to a specific incident or threat
- focuses more on people and general business
Order of Volatility
- CPU, cache, and registers
- routing tables, ARP cache, process tables, Kernel stats
- live network connections and data flows
- RAM
- temp files/swap space
- Data on hard disk
- remotely logged data
- backups
swap/pagefile
- provides temp storage for memory that exceeds RAM capacity
- pagefile.sys
- extension of RAM
E-Discovery
- document used for legal discovery in civil litigation
- electronic info is treated the same as paper docs
Managerial Control
- based on overall risk management
- risk assessment, planning, system and services acquisition, certification, accreditation, and security assessments
Corrective Control
- Used after an event to minimize extent of damage
- load balancers, redundant systems, backups