Domain 3 continued Flashcards
Network-based intrusion detection systems (NIDSs) are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact
A network-based intrusion prevention system (NIPS) has all the same characteristics as a NIDS but, unlike a NIDS, can automatically respond to certain events (for example, by resetting a TCP connection) without operator intervention
Network-based intrusion detection/prevention
What systems work by matching signatures in the network traffic stream to defined patterns stored in the system
The weakness of signature-based systems is that they rely on having accurate signature definitions beforehand, and as the number of signatures expands, scalability becomes an issue.
Signature-based
The behavioral model relies on a collected set of “normal behavior”—what should happen on the network and is considered “normal” or “acceptable” traffic
This model can potentially detect zero-day or unpublished attacks but carries a high false-positive rate because any new traffic pattern can be labeled as “suspect”
Heuristic/behavior
The IDS is first taught what “normal” traffic looks like and then looks for deviations from those “normal” patterns
An _____ is a deviation from an expected pattern or behavior
Anomaly
In-band solutions work great for protecting network segments that have high-value systems and a limited number of traffic types
An out-of-band system relies on a passive sensor, or set of passive sensors, and has the advantage of greater flexibility in detection across a wider range of traffic types
Inline vs. passive
is a device used to manage or store encryption keys. It can also assist in cryptographic operations such as encryption, hashing, or the application of digital signatures
A hardware security module (HSM)
are devices that capture data and act upon it. There are multiple kinds of sensors and various placement scenarios
Each type of sensor is different, and no single type of sensor can sense everything
Sensors
are sensors, or concentrators that combine multiple sensors, that collect data for processing by other systems
________ are subject to the same placement rules and limitations as sensors
Collectors
An _________ is a device that takes multiple inputs and combines them into a single output
These traffic management devices are located based on network layout topologies to limit unnecessary router usage
Aggregator
The heart of a ________ is the set of security policies that it enforces
Management determines what is allowed in the form of network traffic between devices, and these policies are used to build rulesets for the firewall devices used to filter network traffic across the network
Firewalls
is a device that performs restrictions based on rules associated with HTTP/HTTPS traffic
web application firewall (WAF)
can keep track of the state associated with a communication, and they can filter based on behaviors that are not properly associated with the state of the communication
Next-generation firewalls NGF
A ____ packet inspection firewall can act upon the state condition of a conversation
Stateful
The typical network firewall operates on IP addresses and ports, in essence a stateless interaction with the traffic
The most basic firewalls simply shut off either ports or IP addresses, dropping those packets upon arrival
Stateless
is a marketing term used to describe all-in-one devices employed in network security. UTM devices typically provide a wide range of services, including switching, firewall, IDS/IPS, anti-malware, anti-spam, content filtering, and traffic shaping
Unified threat management (UTM)
To compensate for this lack of available IP address space, organizations use ____________ (NAT), which translates private (nonroutable) IP addresses into public (routable) IP addresses
Network address translation (NAT) gateway
_______ firewalls are exemplified by iptables, a built-in functionality in Linux systems
Open-source vs. proprietary
Firewalls can be physical devices, hardware, or a set of software services running on a system.
Hardware vs. software
Firewalls can be located on a host, either as a separate application or part of the operating system itself. In software-defined networking (SDN) networks, firewalls can be instantiated as virtual network functions, providing all of the features under a virtual software solution
Appliance vs. host-based vs. virtual
What lists provide the system information as to what objects are permitted which actions. ACLs can control who gets to change the network parameters via configurations, who gets to pass specific firewalls, and a host of other decisions
Access control list (ACL) / Access controls
Depending on where the source and destination are with respect to each other, the route a packet takes can be wide-ranging, from simple and short to complex and long
Route security
is the use of specific technologies on a network to guarantee its ability to manage traffic based on a variety of indicators
Quality of service (QoS)
has many implications for secure network designs—some good, some problematic. ____ enables end-to-end encryption, which is great for communication security
Implications of IPv6
What can have issues when traffic levels get heavy as the aggregate SPAN traffic can exceed the throughput of the device
Port spanning/port mirroring
A test access point (TAP) is a passive signal-copying mechanism installed between two points on the network. The TAP can copy all packets it receives, rebuilding a copy of all messages
Port taps
(NSM) is the process of collecting and analyzing network data to detect unauthorized activity
NSM is not a way to prevent intrusions, but when deployed inside a network, it can detect where other defenses have failed
Monitoring services/Network security monitoring
are a series of internal processes that can validate the integrity of OS and application files. There are OS utilities that can be automated to do this as well as applications to manage this critical task
File Integrity Monitors
uses Advanced Encryption Standard (AES) as the encryption protocol
_____ uses the AES block cipher, a significant improvement over WEP and WPA’s use of the RC4 stream cipher
WiFi Protected Access 2 (WPA2)
improves the security of the encryption by using Simultaneous Authentication of Equals (SAE) in place of the PSK authentication method used in prior WPA versions
Forward secrecy is only provided by _____. WPA2 uses pre-shared keys; _____ does not
WiFi Protected Access 3 (WPA3)
_____ is a data encapsulation encryption mechanism designed for wireless use
_____ is the mode in which the AES cipher is used to provide message integrity
Counter-mode/CBC-MAC Protocol (CCMP)
is a password-based key exchange method developed for mesh networks
As a peer-to-peer protocol, it does not rely on other parties, so it is an alternative to using certificates or a centralized authority for authentication
Simultaneous Authentication of Equals (SAE)
is a protocol for wireless networks that expands on authentication methods used by the Point-to-Point Protocol (PPP)
EAP can support multiple authentication mechanisms, including tokens, smart cards, certificates, one-time passwords, and public key encryption authentication
Extensible Authentication Protocol (EAP)
What was developed to protect EAP communication by encapsulating it with Transport Layer Security (TLS)
Which authentication is widely supported by vendors for use over wireless networks?
Protected Extensible Authentication Protocol (PEAP)
is a lightweight tunneling protocol to enable authentication
The distinguishing characteristic is the passing of a Protected Access Credential (PAC) that is used to establish a TLS tunnel through which client credentials are verified
EAP-FAST
What protocol for mutual authentication requires client and server certificates
This is still considered one of the most secure implementations, primarily because common implementations employ client-side certificates
EAP-TLS
is a variant of the EAP-TLS protocol. The authentication process is protected by the tunnel from man-in-the-middle attacks, and it is easier to set up than EAP-TLS for clients without certificates
EAP-TTLS (which stands for EAP–Tunneled TLS)
________ is an authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router
________ is commonly used on wireless access points as a port-based authentication service prior to admission to the wireless network
IEEE 802.1X
What allows users to use their normal credentials across trusted networks
This allows users in one organization to authenticate and access resources on another trusted organization’s network using one set of credentials
Remote Authentication Dial-in User Service (RADIUS) Federation
________ is a secret that’s shared between users
A ___ is typically entered as a passphrase of up to 63 characters and must be securely shared between users
Pre-shared key (PSK)
In ________ mode, the devices use IEEE 802.1X and a RADIUS authentication server to enable a connection
This method allows the use of usernames and passwords
Enterprise
____ uses an eight-digit PIN to configure wireless devices
____ consists of a series of EAP messages and has been shown to be susceptible to a brute force attack
Open / WiFi Protected Setup (WPS)
refers to a specific technique of using an HTTP client to handle authentication on a wireless network. Frequently employed in public hotspots, a ______ ______ opens a web browser to an authentication page
Captive portal
Wireless networks are dependent on radio signals to function. Antenna type, placement, and site surveys are used to ensure proper coverage of a site, including areas blocked by walls, interfering signals, and echoes
Installation considerations
involves several steps: mapping the floor plan, testing for RF interference, testing for RF coverage, and analyzing material via software
Site surveys
A Wi-Fi _____ map is a map of wireless signal coverage and strength. Typically, a ______ map shows a layout of a room, floor, or facility overlaid by a graphical representation of a wireless signal
Heat maps
can determine if the Wi-Fi signal strength is sufficient, and if there are competing devices on a particular channel
This enables an engineer to allocate signals both in strength and channel to improve Wi-Fi performance
WiFi analyzers
Wi-Fi radio signals exist at specific frequencies: 2.4 GHz and 5.0 GHz. Each of these signals is broken into a series of channels, and the actual data transmissions occur across these channels
Channel overlaps
For security reasons, you should be aware that Wi-Fi signals go through walls, so placing access points where they produce large areas of coverage outside a facility may lead to outsiders accessing your system
Protecting the access point from physical access is also important
Wireless access point (WAP) placement
Proper provisions include both physical and logical security precautions. The physical devices and network connections should be placed in a location that is not readily accessible to an attacker
Controller and access point security
refers to the radio communication methods developed under the _____ Alliance
These systems exist on the 2.4- and 5-GHz frequency spectrums, and networks are constructed by both the enterprise you are associated with and third parties
Wifi
is a short-to-medium range, low-power wireless protocol that transmits in the 2.4-GHz band, which is the same band used for 802.11
Bluetooth
is a set of wireless technologies that enables smartphones and other devices to establish radio communication when they are within close proximity to each other—typically a distance of 10 cm (3.9 in) or less
Near field communication (NFC)
(IR) is a band of electromagnetic energy just beyond the red end of the visible color spectrum
IR cannot penetrate walls but instead bounces off them
Nor can it penetrate other solid objects
Infrared
has become the ubiquitous standard for connecting devices with cables
Mobile phones can transfer data and charge their battery via USB
Laptops, desktops, even servers have USB ports for a variety of data connection needs
Universal Serial Bus (USB)
What communications are defined as communications with one endpoint on each end—a single transmitter talking to a single receiver
A communications channel between two entities in isolation is referred to as ______ to ______
Point-to-point
What communications have multiple receivers for a transmitted signal? When a message is sent in broadcast mode, it has multiple receivers and is called a _______ to _______ communication
Point-to-multipoint
is a series of satellites that provide nearly global coverage of highly precise time signals that, when multiple signals are combined, can produce precise positional data in all three dimensions
Global Positioning System (GPS)
What tags are used in a wide range of use cases
From tracking devices to tracking keys, the unique serialization of these remotely sensible devices has made them useful in a wide range of applications
Radio frequency identification (RFID)
(MDM) is a marketing term for a collective set of commonly employed protection elements associated with mobile devices. In enterprise environments, _____ allows device enrollment, provisioning, updating, tracking, policy enforcement, and app management capabilities
Mobile device management (MDM)
The method of installing, updating, and managing applications is done through a system referred to as software ___________
Application management
What is the set of actions used to control content issues, including what content is available and to what apps, on mobile devices
Most organizations have a data ownership policy that clearly establishes their ownership rights over data, regardless of whether the data is stored on a device owned by the organization or a device owned by the employee
Content management
What typically removes data stored on a mobile device and resets the device to factory settings
Remote wipe
is the use of the Global Positioning System (GPS) and/or radio frequency identification (RFID) technology to create a virtual fence around a particular location and detect when mobile devices cross the fence
Geofencing
Most phones have GPS built in; this enables apps and the phone to track its geographic location
Geolocation
What are used to keep data on phones safe, especially in the event of a lost or stolen phone? This is often automatically deployed after a period of inactivity, such as 5 minutes
These are a key security option you should use across all phones
Screen locks
__________ is the use of contextual information—who the user is, what resource they are requesting, what machine they are using, how they are connected, and so on—to make the authentication decision as to whether to permit the user access to the requested resource
Context-aware authentication
on mobile devices refers to dividing the device into a series of containers—one container holding work-related materials, the other personal
Containerization
This segmentation is like containerization, but this segmentation focuses strictly on segmenting _______
Containerization and ________ segmentation are technologies to keep personal data separate from corporate data on devices
Storage segmentation
What is the encryption of the entire disk? In such scenarios, you are required to unlock the encryption upon reboot, typically with a passcode or passphrase
Full device encryption
A __________ is a hardware security module in a MicroSD form factor
This device allows you a portable means of secure storage for a wide range of cryptographic keys
MicroSD hardware security module (HSM)
MDM software is an application that runs on a mobile device and, when activated, can manage aspects of the device, including connectivity and functions
is an enterprise-level endpoint management solution that can cover all endpoints, from PCs to laptops, from phones to other mobile devices, tablets, and even some wearables
MDM/Unified Endpoint Management (UEM)
The deployment, updating, and configuration of applications on devices requires an enterprise solution that is scalable and provides for the installation, updating, and management of in-house applications across a set of mobile devices
Mobile application management (MAM)
is a mobile version of the Security Enhanced Linux (SELinux) distribution that enforces mandatory access control (MAC) over all processes, even processes running with root/superuser privileges
Security Enhanced Android (SEAndroid)
Many mobile devices have manufacturer-associated app stores from which apps can be downloaded to their respective devices. These app stores are considered by an enterprise to be ____________ stores, as the contents they offer come from neither the user nor the enterprise
Third-party application stores
_________ is used to bypass OS controls on Android, and __________ is used to escalate privileges and do the same on iOS devices
Both processes stop OS controls from inhibiting user behaviors
Rooting/jailbreaking
_____________ is the process of adding apps to a mobile device without using the authorized store associated with the device
_____________ is an alternative means of instantiating an app on the device without having to have it hosted on the requisite app store
Side Loading
________ is firmware for a device that has been altered from the original factory settings
This firmware can bring added functionality, but it can also result in security holes
Custom firmware
_______ __________ is the process of programming the device to sever itself from the carrier
This is usually done through the inputting of a special key sequence that unlocks the device
Carrier unlocking
You can connect to an app store and update the device firmware. All major device manufacturers support this model because it is the only real workable solution
Firmware over-the-air (OTA) updates
Many mobile devices include on-board cameras, and the photos/videos they take can divulge information. This information can be associated with anything the camera can image—whiteboards, documents, and even the location of the device when the photo/video was taken via geo-tagging
Camera use
are standard protocols used to send messages, including multimedia content in the case of MMS, to and from mobile devices over a cellular network. Rich Communication Services (RCS) is a protocol that is currently used alongside SMS and MMS
SMS/Multimedia Messaging Service (MMS)/Rich Communication Services (RCS)
What refers to any item or device that can store data
From flash drives to hard drives, music players, smartphones, and even smart watches, if it can store data, it is a pathway for data exfiltration
External media
What is an extension of USB technology that facilitates direct connection between USB OTG–enabled mobile devices
This allows those devices to switch back and forth between the roles of host and device, including deciding which provides power (host) and which consumes power across the interface
USB On-The-Go (USB OTG)
Photos taken on mobile devices or with cameras that have GPS capabilities can have location information embedded in the digital photo
This is called ____ tagging by CompTIA and geo-tagging by others
GPS tagging
In ________, two Wi-Fi devices connect to each other via a single-hop connection
WiFi direct/ad hoc
This involves connecting a device to a mobile device that has a means of accessing a network for the purpose of sharing the network access
When you tether a device, you create additional external network connections
Tethering
The term ________ can refer to a specific piece of network equipment, an endpoint for a wireless solution, or in other respects the physical area in which it provides connectivity
These can be used for employees, customers, or guests
Hotspot
Today we have new intermediaries: smart devices with near field communication (NFC) linked to credit cards offer a convenient alternative form of payment
While the actual payment is still a credit/debit card charge, the payment pathway is through the digital device
Payment methods
Organizations install device management software and ensure that the devices meet the organization’s requirements
The big disadvantage is that employees will not be eager to limit their use of their personal device based on corporate policies, so corporate control will be limited
Bring your own device (BYOD)
Organizations offer employees a choice of supported device types and the employee pays for the device and owns the device
Because the device is owned by the organization, it has greater flexibility in imposing restrictions on device use in terms of apps, data, updates, and so forth
Choose your own device (CYOD)
The ________ model is a traditional model whereby the organization buys and maintains the hardware
The organization supplies employees with a mobile device that is restricted to company use only
Corporate-owned
What provides virtual desktops to users
This isn’t a model valid for smartphone deployment but can be effective as a replacement for laptop deployment
virtual desktop infrastructure (VDI)
The system is available despite individual element failures
Zones can be used for replication and provide load balancing as well as high availability
High availability across zones
Cloud-based resources are controlled via a set of policies
Different cloud vendors have different mechanisms to define the groups, types of resources allowed, and assignments by location or compartment
Resource policies
What is the term used to denote the policies and procedures employed to connect the identity access management systems of the enterprise and the cloud to enable communication with the da
Secrets management
Cloud computing audits have become a standard as enterprises are realizing that unique cloud-based risks exist with their data being hosted by other organizations
These cloud-specific audits have two sets of requirements: one being an understanding of the cloud security environment as deployed, and the second being related to the data security requirements
Integration and auditing
Cloud-based data ________ was one of the first uses of cloud computing. Security requirements related to ______ in the cloud environment are actually based on the same fundamentals as in the enterprise environment
Storage
What data access and modifications are handled in the same manner as in an on-premises IT environment? Identity access management (IAM) systems are employed to manage the details of who can do what with each object
Permissions
__________ of data in the cloud is one of the foundational elements to securing one’s data when it is on another system
Data should be ________ when stored in the cloud, and the keys should be maintained by the enterprise, not the cloud provider
Encryption
The act of _______ data across multiple systems is part of the resiliency of the cloud, in that single points of failure will not have the same effects that occur in the standard IT enterprise
Replication
Having multiple different physical systems working together to ensure your data is redundantly and resiliently stored is one of the cloud’s advantages
High availability
Cloud-based systems are made up of machines connected using a network
Many cloud service providers offer a virtual network that delivers the required functions without providing direct access to the actual network environment
Network
Most networking in cloud environments is via a virtual network operating in an overlay on top of a physical network
The _______ _______ can be used and manipulated by users, whereas the actual network underneath cannot
Virtual network
________-facing subnets allow internet users to interact with servers, such as mail servers and web servers
With _______ subnets, access is limited to specific addresses, preventing direct access to sensitive data
Public and private
__________ is the network process of separating network elements into segments and regulating traffic between the segments
The presence of a _______ network creates security barriers for unauthorized accessors through the inspection of packets as they move from one segment to another
Segmentation
Content inspection refers to the examination of the contents of a request to an API by applying rules to determine whether a request is legitimate and should be accepted
The use of ___ _______ __________ is an active measure to prevent errors from propagating through a system and causing trouble
API content inspection
are composed of the set of rules and policies associated with a cloud instance. These rules can be network rules, such as rules for passing a firewall, or they can be IAM rules with respect to who can access or interact with an object on the system
Security groups
Cloud service providers manage this using _______ ______ __________ software that monitors the levels of performance
In accordance with the service agreement, they can act to increase resources incrementally as needed
Dynamic resource allocation
___________ ___________ is the name of a capability that must be enabled on firewalls, secure web gateways, and cloud access security brokers (CASBs) to determine if the next system in a communication chain is legitimate or not
Instance awareness
______ ________ allows connections to and from a virtual private cloud instance
_____ _______ are virtual elements that can scale. They are also redundant and typically highly available
Virtual private cloud (VPC) endpoint
is the process of implementing security tools and policies to ensure your container is running as intended
Container technology allows applications and their dependencies to be packaged together into one operational element
Container security
____ is a security policy enforcement point that is placed between cloud service consumers and cloud service providers to manage enterprise security policies as cloud-based resources are accessed
CASB
Access to the application for updating, as well as auditing and other security elements, must be considered and factored into business decisions
Application security
A ______ ________ ______ ___ ______ (SWG) is a network security service located between the users and the Internet
Next-generation secure web gateway (SWG)
The ____ of a firewall is not just in the procurement but also the deployment and operation. _____ needs to be included, not only for firewalls around the cloud perimeter, but internal firewalls used for segmentation as well
Cost
________ can provide additional opportunities for security checks between critical elements of a system
Need for segmentation
The open systems interconnection (OSI) layers act as a means of describing the different levels of communication across a network. From the physical layer (layer 1) to the network layer (layer 3) is the standard realm of networking. Layer 4, the transport layer, is where TCP and UDP function, and through level 7, the application layer, is where applications work
Open Systems Interconnection (OSI) layers
_____ ______ ______ vary by provider and by specific offering that an enterprise subscribes to as part of the user agreement and service license
Cloud native controls vs. third-party solutions
The identification process is typically performed only once, when a user ID is issued to a particular user. User identification enables authentication and authorization to form the basis for accountability
Identity
The term identity provider (IdP) is used to denote a system or service that creates, maintains, and manages identity information
IdPs can range in scale and scope—from operating for a single system to operating across an enterprise
Identity provider
Identity attributes are the specific characteristics of an identity—name, department, location, login ID, identification number, e-mail address, and so on—that are used to accurately describe a specific entity
Attributes
___________-based authentication is a means of proving identity via the presentation of a ___________. ____________ offer a method of establishing authenticity of specific objects such as an individual’s public key or downloaded software
Certificates
An access ______ is a physical object that identifies specific access rights and, in authentication, falls into the “something you have” factor
Token
_______ are also used in implementing single sign-on (SSO) systems used by system administrators
________ are exchanged using public key cryptography, and the keys themselves are digital keys
SSH keys
are devices that store cryptographic tokens associated with an identity. The form factor is commonly a physical card, credit card sized, that contains an embedded chip that has various electronic components to act as a physical carrier of information
Smart cards
When accessing a computer system, each user is generally given a user ID—a unique alphanumeric identifier they will use to identify themselves when logging in or accessing the system
Having unique, nonshared user IDs for all users of a system is important when it comes time to investigate access control issues
User account
__________ go against the specific premise that accounts exist so that user activity can be tracked
Shared and generic accounts/credentials
are frequently used on corporate networks to provide visitors access to the Internet and to some common corporate resources, such as projectors, printers in conference rooms, and so forth
Guest accounts
are accounts that are used to run processes that do not require human intervention to start, stop, or administer. _________ run without human intervention and are granted only enough permission to run the services they support
Service accounts
An account ______ can act to ensure that the necessary steps are taken to enact a secure password solution, both by users and by the password infrastructure system
Account policies
Having restrictions for accounts based on the network location to limit attacks against privileged accounts
Network location
is the process of applying ______ (location information) to a specific item. The actual ________ can be in a variety of formats but are typically some form of an encoding of latitude and longitude
Geotagging
Most mobile devices are now capable of using GPS for tracking device location
Many apps rely heavily on GPS location, such as device-locating services, mapping applications, traffic-monitoring apps, and apps that locate nearby businesses such as gas stations and restaurants
Geolocation
______ ______ _______ are the implementation of time-based authentication, and the proper deployment of this method requires appropriate policies and procedures
Time-based logins
_________ _______ are a set of policies to assist in the management of the access control system
Access policies
Developing a policy for _______ ________ provides just that guidance to those who are implementing the access control schemes
Data owners may wish to determine who has what rights to their data, but trying to keep up with the details, on an account-by-account basis, is a pathway to failure
Account permissions
are like all other audits—they are an independent verification that the policies associated with the accounts are being followed
Account audits
There are applications that can detect login anomalies and make decisions as to whether or not the second login should be allowed
Impossible travel time/risky login
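As an added example (not part of the flashcards), the following Python shows the geometry behind both the geofencing card and the impossible travel card: a great-circle distance function, a point-in-fence check, and a login-history scan that flags a second login whose implied travel speed exceeds a threshold. The login records, coordinates and the 900 km/h threshold are constructed for illustration.

```python
# Added example: geofencing and impossible-travel checks on great-circle distance.
# All sample data below is constructed; the 900 km/h threshold is a hypothetical
# "faster than an airliner" cutoff.
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def inside_geofence(lat, lon, fence):
    """fence = (center_lat, center_lon, radius_km); True if the point lies inside."""
    clat, clon, radius_km = fence
    return haversine_km(lat, lon, clat, clon) <= radius_km


def impossible_travel(prev, curr, max_speed_kmh=900.0):
    """prev and curr are (datetime, lat, lon). Returns (flagged, implied_speed_kmh)."""
    hours = (curr[0] - prev[0]).total_seconds() / 3600
    dist = haversine_km(prev[1], prev[2], curr[1], curr[2])
    if hours <= 0:
        # Same timestamp but different place is impossible by definition.
        return dist > 0, float("inf") if dist > 0 else 0.0
    speed = dist / hours
    return speed > max_speed_kmh, speed


def risky_logins(events, max_speed_kmh=900.0):
    """events: (user, iso_timestamp, lat, lon) tuples sorted by time.
    Returns the timestamps of logins flagged as impossible travel."""
    last_seen = {}
    flagged = []
    for user, ts, lat, lon in events:
        t = datetime.fromisoformat(ts)
        if user in last_seen:
            flag, _speed = impossible_travel(last_seen[user], (t, lat, lon), max_speed_kmh)
            if flag:
                flagged.append(ts)
        last_seen[user] = (t, lat, lon)
    return flagged


# Constructed sample: alice "moves" New York -> London (~5570 km) in 90 minutes,
# bob moves Paris -> Berlin (~880 km) in 4 hours.
SAMPLE_LOGINS = [
    ("alice", "2024-03-01T08:00:00+00:00", 40.7128, -74.0060),  # New York
    ("alice", "2024-03-01T09:30:00+00:00", 51.5074, -0.1278),   # London
    ("bob",   "2024-03-01T08:00:00+00:00", 48.8566, 2.3522),    # Paris
    ("bob",   "2024-03-01T12:00:00+00:00", 52.5200, 13.4050),   # Berlin
]

if __name__ == "__main__":
    print(risky_logins(SAMPLE_LOGINS))
```

The same distance function serves both controls: a geofence compares one position against a fixed center and radius, while the risky-login check compares two consecutive positions against the time between them.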
What is akin to disablement, although lockout typically refers to temporarily blocking the user’s ability to log in to a system
Account lockout
____________ is a step between the account having access and the account being removed from the system. Whenever an employee leaves a firm, all associated accounts should be disabled to prevent further access by the ex-employee
Disablement
_________ represents the access pathway to the passwords and changes the myriad of different passwords, which can be unique for every site or use, into a single secret represented by the password key
Password keys
_______ are software mechanisms designed to manage the problem of users having multiple passwords for the myriad of different systems
Vaults provide a means of storing the passwords until they are needed
Password vaults
TPM is a hardware solution on the motherboard, one that assists with key generation and storage as well as random number generation
A TPM assists with key generation and secure, encrypted storage
Trusted Platform Module (TPM)
_______ is a device used to manage or store encryption keys. It can also assist in cryptographic operations such as encryption, hashing, or the application of digital signatures
______ typically are peripheral devices connected via USB or a network connection
A hardware security module (HSM)
________ _________ ________ is a method where the identity of a user is verified via a common set of knowledge
This is a very useful method for verifying the identity of a user without having a stored secret in advance
Knowledge-based authentication
EAP is an authentication framework, most often encountered on wireless and 802.1X networks, that expands on the authentication methods used by the Point-to-Point Protocol (PPP)
EAP is designed to support multiple authentication mechanisms, including tokens, smart cards, certificates, one-time passwords, and public key encryption authentication
The Extensible Authentication Protocol (EAP)
________ _______ _______ is used to provide authentication across a point-to-point link using PPP. In this protocol, authentication after the link has been established is not mandatory
CHAP uses a challenge/response handshake, so the password itself never crosses the link; only the random challenge and the hashed response do
Challenge-Handshake Authentication Protocol (CHAP)
____ is a cleartext authentication protocol and hence is subject to interception
____ authentication does not provide any protection against playback and line sniffing
Password Authentication Protocol (PAP)
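As an added example (not part of the flashcards), this Python puts the two cards side by side: a PAP request that carries the password in the clear, and the CHAP exchange from RFC 1994 (MD5 algorithm), in which the authenticator sends an identifier and a random challenge and the peer answers with MD5(identifier || secret || challenge). The shared secret and usernames are constructed.

```python
# Added example: PAP vs. CHAP (RFC 1994, MD5 algorithm). Secret and names are constructed.
import hashlib
import hmac
import os

SHARED_SECRET = b"correct horse battery"  # known to both peers in advance


# --- PAP: password travels in cleartext ---------------------------------------
def pap_authenticate_request(username, password):
    """Whatever a sniffer captures on the link contains the password verbatim."""
    return b"PAP " + username + b":" + password


def pap_server_check(request, expected_password):
    _, _, pw = request.partition(b":")
    return hmac.compare_digest(pw, expected_password)


# --- CHAP: challenge/response, secret never leaves either peer -----------------
def chap_challenge():
    """Authenticator picks an 8-bit Identifier and a random Challenge value."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier, challenge, secret):
    """RFC 1994 section 5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, challenge, response, secret):
    """Authenticator recomputes the hash with its copy of the secret."""
    expected = chap_response(identifier, challenge, secret)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret_peer, secret_server=SHARED_SECRET):
    """One full round. On the wire: (identifier, challenge) then the 16-byte digest."""
    ident, chal = chap_challenge()                   # authenticator -> peer
    resp = chap_response(ident, chal, secret_peer)   # peer -> authenticator
    return chap_verify(ident, chal, resp, secret_server)


def replay_is_rejected(secret=SHARED_SECRET):
    """A response captured from one exchange does not satisfy a fresh challenge,
    which is the protection against playback that PAP lacks."""
    ident1, chal1 = chap_challenge()
    captured = chap_response(ident1, chal1, secret)
    ident2, chal2 = chap_challenge()
    return not chap_verify(ident2, chal2, captured, secret)
```

Note that CHAP requires the authenticator to hold the secret in a recoverable form (it must compute the same hash), and MD5 is a legacy choice; the point of the example is the challenge/response structure, not the hash.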
__________ is an authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router
802.1X
_______ is a protocol that was developed as an AAA protocol
_______ is designed as a connectionless protocol utilizing User Datagram Protocol (UDP) as its transport-level protocol
Remote Authentication Dial-In User Service (RADIUS)
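As an added example (not part of the flashcards), the following Python builds and processes a RADIUS Access-Request as described in RFC 2865: the packet header with its random Request Authenticator, the User-Password attribute hidden with the MD5-based scheme of section 5.2, and the Response Authenticator the server computes so the client can check the reply came from a party holding the shared secret. The shared secret, user database and identifiers are constructed; the code only assembles the UDP payload and does not open a socket.

```python
# Added example: RADIUS Access-Request / Access-Accept construction per RFC 2865.
# Secret, user database and identifier values are constructed for illustration.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
RADIUS_AUTH_PORT = 1812  # UDP; accounting uses 1813

SHARED_SECRET = b"testing123"
SAMPLE_USER_DB = {b"alice": b"hunter2"}


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 being the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attributes(body):
    attrs, i = {}, 0
    while i + 2 <= len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def server_handle(packet, secret, user_db):
    """Validate credentials and reply with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    supplied = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = user_db.get(attrs[ATTR_USER_NAME]) == supplied
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    resp_auth = hashlib.md5(header + request_auth + secret).digest()  # no attributes
    return header + resp_auth


def client_verify_response(response, request, secret):
    """Client recomputes the Response Authenticator using its own Request
    Authenticator; a reply forged without the secret fails this check."""
    header, resp_auth, resp_attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + resp_attrs + secret).digest()
    return expected == resp_auth and response[0] == ACCESS_ACCEPT
```

The exchange is one UDP datagram each way, which is why RADIUS needs the authenticator fields rather than a connection to tie the reply to the request. The password hiding depends entirely on the shared secret and MD5, one reason RADIUS traffic is normally confined to a management network or carried inside IPsec or TLS.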
___________ is a form of authentication that involves the transferring of credentials between systems
As more and more systems are combined in daily use, users are forced to have multiple sets of credentials
Single sign-on (SSO)
________ _______ ______ ________ is a single sign-on capability used for web applications to ensure user identities can be shared and are protected
SAML allows you to log in to many different websites using one set of credentials.
Security Assertion Markup Language (SAML)
What is a protocol that takes a client/server model approach and handles authentication, authorization, and accounting (AAA) services. It is similar to RADIUS but uses TCP (port 49) as a transport method
Terminal Access Controller Access Control System Plus (TACACS+)
________ (the name suggests open authentication, but it is an authorization framework) is an open standard used for access delegation
The latest version of this framework is _______ 2.0; it is supported by many online service providers
OAuth
OpenID _______ is an authentication layer that uses the OAuth 2.0 framework
It provides decentralized authentication, allowing users to log in to multiple unrelated websites with one set of credentials maintained by a third-party service, which is referred to as the _______ provider
OpenID
What uses a ticket system for authentication. It offers a single sign-on solution for users and provides protection for logon credentials
_________ provides confidentiality and integrity for authentication traffic using end-to-end security and helps protect against eavesdropping and replay attacks
Kerberos
What model uses rules that can include multiple attributes about users and objects
This allows the model to be flexible, as it applies the rules to all users and objects equally
Attribute-based access control (ABAC)
What model uses roles or groups, which are typically identified by job functions. Instead of assigning permissions directly to users, user accounts are placed in roles and administrators assign privileges to the roles
Role-based access control (RBAC)
What applies global rules that apply to all subjects
For example, a firewall uses rules that allow or block traffic to all users equally
Rule-based access control
This model uses labels that are applied to both users and objects
The security mechanism controls access to all objects, and individual subjects cannot change that access
The Mandatory Access Control (MAC)
What uses an access control list (ACL) that is applied to objects
The ACL defines the owner for the object, and the owner can grant or deny access to any other users
The Discretionary Access Control (DAC)
What is an access control scheme where specific conditions are examined before access is given
A condition could be the user location when accessing resources: if local, then grant access; if remote, then deny access
Conditional access
What is a combination of the policies, procedures, and technologies for controlling access to and use of elevated or privileged accounts
This enables the organization to log and control privileged access across the entire environment
Privileged access management
What can be applied to a specific user or group to control that user or group’s ability to view, modify, access, use, or delete resources such as folders and files
Filesystem permissions
The security associated with the use of public key cryptography revolves around the security of the private key
Nonrepudiation depends on the principle that the private key is only accessible to the holder of the key
If another person has access to the private key, they can impersonate the proper key holder
Key management
What is a trusted entity that issues digital certificates based on the X.509 standard
Similar to notarization services for digital certificates, the CA acts as a trusted third party between the owner of the certificate and the party relying on the certificate
Certificate authority (CA)
A subordinate, or ___, CA is a variation of the root CA in that it performs the day-to-day work of signing certificates and updating revocation information for certificates
A root CA will frequently have one or more ___ CAs that are trusted by the root CA
intermediate CA
A ____ _____ is the PKI component that accepts a request for a digital certificate and performs the necessary steps of registering and authenticating the person requesting the certificate.
Registration authority (RA)
A ___ is a list of digital certificates that have been revoked by the issuing CA and should no longer be trusted
Similar to a blacklist, the CRL is used by various clients (e.g., web browsers) to check whether a certificate is valid
certificate revocation list (CRL)
A digital certificate binds an individual’s identity to a public key, and it contains all the information a receiver needs to be assured of the identity of the public key owner
Certificate attributes
_________ provides a request/response mechanism for clients to obtain the revocation status of a digital certificate
This advantage eliminates the latency inherent in maintaining a CRL by providing real-time certificate verification
Online Certificate Status Protocol (OCSP)
What is a specially formatted message sent from an applicant to a CA for the purpose of requesting a digital certificate
Along with the CSR, the applicant will send the public key for which the certificate should be issued
Certificate signing request (CSR)
What field within the certificate's Subject holds the fully qualified domain name (FQDN) for which the certificate is valid
(CN) Common Name
The certificate itself has a lifetime that can be different from the key pair's lifetime
The certificate’s lifetime is specified by the validity dates inserted into the digital certificate
Expiration
What certificates include an asterisk and period before the domain name. A certificate issued for *.example.com would be valid for one.example.com as well as two.example.com, but not for example.com itself or for a.one.example.com, because the asterisk matches exactly one label
Wildcard
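As an added example (not part of the flashcards), the following Python implements the hostname-matching rules for wildcard names that TLS clients apply (RFC 6125 section 6.4.3): the asterisk must be the whole leftmost label, it matches exactly one label, and it never covers the bare domain or a public-suffix-wide name such as *.com. The certificate names and hostnames used are constructed.

```python
# Added example: wildcard certificate name matching per RFC 6125 6.4.3.
# Sample names are constructed for illustration.


def wildcard_matches(pattern, hostname):
    """True if hostname is covered by the certificate name `pattern`.

    - case-insensitive, trailing dot ignored
    - '*' allowed only as the entire leftmost label ('f*o.example.com' rejected)
    - '*' matches exactly one label: '*.example.com' covers 'one.example.com'
      but neither 'example.com' nor 'a.b.example.com'
    - at least two labels must follow the wildcard, so '*.com' never matches
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False                      # partial or non-leftmost wildcard
    if len(p_labels) < 3:
        return False                      # refuse '*.com' style names
    if len(p_labels) != len(h_labels):
        return False                      # wildcard covers one label only
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def certificate_covers(san_dns_names, hostname):
    """Return the SAN dNSName entry that matches hostname, or None.
    Modern clients match against SAN entries rather than the Subject CN."""
    for name in san_dns_names:
        if wildcard_matches(name, hostname):
            return name
    return None
```

The last rule is the one most often forgotten in home-grown checks: a wildcard certificate for *.example.com does not protect the apex name, which is why public CAs issue such certificates with example.com listed as a second SAN entry.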
What is a field (extension) in a certificate that has several uses. In certificates for machines, it can represent the fully qualified domain name (FQDN) of the machine; for users, it can be the user principal name (UPN)
Subject Alternative Name (SAN)
What certificates can be designated for specific purposes, such as code signing
This is to enable the flexibility of managing certificates for specific functions and to reduce the risk in the event of compromise
Code signing
What is a digital certificate that is signed using its own private key
For example, a root CA certificate is considered a self-signed certificate
Self-signed certificate
______/______ certificates help computers to authenticate to the network
Machine/computer certificates can be used to allow clients to verify the authenticity of servers, as well as for mutual, or two-way, authentication.
Machine/computer
Securing email using a digital certificate ensures the confidentiality and integrity of messages between parties
Multiple options for the sender to secure email are available, including signing, encryption or both.
_____ are employed by users for encrypted file systems (EFS), e-mail, and client authentications
A certificate assigned to a user is required to allow users to sign or encrypt email
User certificates
A ______ certificate is the top-most certificate assigned to the _____ CA
It is also the most important certificate in a PKI
If something happens to the certificate (such as it is revoked or it expires), it impacts all of the certificates issued by the PKI
Root
A ______ ______ (DV) certificate is a digital certificate in which the domain name of the applicant has been validated by proving control of a DNS domain
Domain validation
An _______ _______ (EV) certificate is similar to a domain validated certificate but with more stringent verification of the requesting entity’s identity by a CA
Extended validation
What certificate is a binary encoded certificate
DER formatted certificates commonly use the .cer and .der file name extensions
Distinguished encoding rules (DER)
What certificate is a variation of the DER certificate
PEM certificates are Base64-encoded ASCII files enclosed between the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
PEM certificates are the most common format; they use the .cer, .crt, .pem and .key file name extensions
Privacy enhanced mail (PEM)
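As an added example (not part of the flashcards), the following Python makes the DER/PEM relationship concrete: it strips the BEGIN/END armor and Base64 layer to recover the DER bytes, parses the outer DER tag/length, and converts back. The embedded payload is a constructed minimal DER SEQUENCE standing in for a certificate, not a real certificate, so the code runs offline.

```python
# Added example: PEM <-> DER conversion and a minimal DER tag/length parser.
# SAMPLE_DER is a constructed SEQUENCE { SEQUENCE { INTEGER 1 } }, not a real certificate.
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----"
)


def pem_to_der(pem_text):
    """Return [(label, der_bytes), ...] for each armored block in the text.
    The END label must match the BEGIN label or the block is not recognised."""
    blocks = []
    for m in PEM_BLOCK.finditer(pem_text):
        body = "".join(m.group("body").split())       # drop line wrapping
        blocks.append((m.group("label"), base64.b64decode(body, validate=True)))
    if not blocks:
        raise ValueError("no PEM block found")
    return blocks


def der_to_pem(der, label="CERTIFICATE"):
    """Base64-encode DER and wrap at 64 columns between BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def der_tlv(der):
    """Parse the first DER element: returns (tag, length, value, bytes_consumed).
    Rejects indefinite lengths (not permitted in DER) and truncated input."""
    tag, first = der[0], der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    value = der[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, length, value, offset + length


def looks_like_certificate(der):
    """An X.509 Certificate is a SEQUENCE (0x30) whose first child, the
    tbsCertificate, is itself a SEQUENCE."""
    tag, _length, value, _consumed = der_tlv(der)
    return tag == 0x30 and len(value) > 0 and value[0] == 0x30


SAMPLE_DER = bytes.fromhex("30053003020101")
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
```

The Base64 step is the entire difference between the two formats on disk; a .cer file may hold either, which is why tools such as openssl take an -inform der/pem switch rather than trusting the extension.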
What certificate format is binary encoded
The ____ file stores the server certificate, intermediate certificates and the private key in a password-protected, encrypted container
____ certificates commonly use the .pfx file name extension
Personal information exchange (PFX)
.___ is a file extension for certificate files
Certificates are usually in binary DER form, but Base64-encoded certificates are common too (see .pem above). The Windows operating system natively handles the .CER file extension for operations such as viewing and importing certificates
Cer
What file, also called a Public-Key Cryptography Standards (PKCS) #12 file, typically contains a certificate and password-protected private keys. The ____ format is the successor of the PFX format and commonly uses the .p12 file name extension
P12
What files, also called Public-Key Cryptography Standards (PKCS) #7 certificates, contain only certificates or certificate chain certificates but not the private key
_____ certificates commonly use the .p7b and .p7c file name extensions
P7B
An offline CA should have no impact on any PKI operations if the root CA has delegated operations (e.g., issuing, distributing and revoking digital certificates) to one or more intermediate CAs
The root CA is brought online only when required for infrequent tasks, such as the issuance or re-issuance of certificates authorizing intermediate CAs
Online vs. offline
OCSP ______ is a standard for checking the revocation status of X.509 digital certificates
OCSP _______ removes the need for a browser to request the OCSP response directly from a CA by appending a time-stamped OCSP response signed by the CA to the initial handshake
Stapling
Public key _______ is a security mechanism that helps websites prevent impersonation by attackers using fraudulent digital certificates
A website’s certificate is typically validated by verifying the signature hierarchy, but this chain of trust can be compromised.
Pinning
PKI relies on a hierarchical _____ _____ that assigns to a third party the responsibility of establishing a trust relationship between two parties. At the top is a commonly recognized source (root CA) that all the parties using the PKI trust
Trust model
What is a key exchange process in which a key used to decrypt data is held in escrow, or stored by a third party
Only an authorized party may access the key
Key escrow
Digital certificates are verified using certificate chaining, which is an ordered list of certificates in a hierarchy. The chain begins at the bottom with the digital certificate, and each certificate in the chain is signed by the entity identified by the next certificate in the chain
Certificate chaining
Secure ________ are those that have built-in security mechanisms so that, by default, security can be enforced via the protocol
Protocols
What provides origin authentication and integrity by digitally signing DNS data
DNS uses port 53 over both UDP and TCP; the larger signed responses may require TCP when they exceed the UDP size limit
Domain Name System Security Extensions (DNSSEC)
An encrypted remote terminal connection program used for remote connections to a server
This uses TCP port 22
Secure Shell (SSH)
What is designed to provide cryptographic protections to e-mails and is built into the majority of modern e-mail software to facilitate interoperability
Secure/Multipurpose Internet Mail Extensions (S/MIME)
What is a protocol to secure communications, typically over a telephony or communications-based network
Secure Real-time Transport Protocol (SRTP)
What wraps LDAP directory traffic in an SSL/TLS tunnel
This communication occurs over TCP port 636
Lightweight Directory Access Protocol over SSL (LDAPS)