Domain 3 continued Flashcards by Jesse Margarini

system (NIDS)/network-based intrusion prevention system (NIPS)Network-based intrusion detection systems (NIDSs) are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact
(NIPS) has all the same characteristics as a NIDS but, unlike a NIDS, can automatically respond to certain events (for example, by resetting a TCP connection) without operator intervention

Network-based intrusion detection/prevention

How well did you know this?

Not at all

Perfectly

What systems work by matching signatures in the network traffic stream to defined patterns stored in the system
The weakness of signature-based systems is that they rely on having accurate signature definitions beforehand, and as the number of signatures expand, this creates an issue in scalability.

Signature-based

How well did you know this?

Not at all

Perfectly

The behavioral model relies on a collected set of “normal behavior”—what should happen on the network and is considered “normal” or “acceptable” traffic
This model can potentially detect zero-day or unpublished attacks but carries a high false-positive rate because any new traffic pattern can be labeled as “suspect

Heuristic/behavior

How well did you know this?

Not at all

Perfectly

The IDS is first taught what “normal” traffic looks like and then looks for deviations from those “normal” patterns
An _____ is a deviation from an expected pattern or behavior

Anomaly

How well did you know this?

Not at all

Perfectly

In-band solutions work great for protecting network segments that have high-value systems and a limited number of traffic types
An out-of-band system relies on a _____ sensor, or set of _____ sensors, and has the advantage of greater flexibility in detection across a wider range of traffic types-band solutions work great for protecting network segments that have high-value systems and a limited number of traffic types
An out-of-band system relies on a passive sensor, or set of passive sensors, and has the advantage of greater flexibility in detection across a wider range of traffic types

Inline vs. passive

How well did you know this?

Not at all

Perfectly

is a device used to manage or store encryption keys. It can also assist in cryptographic operations such as encryption, hashing, or the application of digital signatures

A hardware security module (HSM)

How well did you know this?

Not at all

Perfectly

are devices that capture data and act upon it. There are multiple kinds of sensors and various placement scenarios
Each type of sensor is different, and no single type of sensor can sense everything

Sensors

How well did you know this?

Not at all

Perfectly

are sensors, or concentrators that combine multiple sensors, that collect data for processing by other systems
________ are subject to the same placement rules and limitations as sensor

Collectors

How well did you know this?

Not at all

Perfectly

An _________ is a device that takes multiple inputs and combines them to a single output
These traffic management devices are located based on network layout topologies to limit unnecessary router usage

Aggregator

How well did you know this?

Not at all

Perfectly

The heart of a ________ is the set of security policies that it enforces
Management determines what is allowed in the form of network traffic between devices, and these policies are used to build rulesets for the firewall devices used to filter network traffic across the network

Firewalls

How well did you know this?

Not at all

Perfectly

is a device that performs restrictions based on rules associated with HTTP/HTTPS traffic

web application firewall (WAF)

How well did you know this?

Not at all

Perfectly

can keep track of the state associated with a communication, and they can filter based on behaviors that are not properly associated with the state of the communication

Next-generation firewalls NGF

How well did you know this?

Not at all

Perfectly

A ____ packet inspection firewall can act upon the state condition of a conversation

Stateful

How well did you know this?

Not at all

Perfectly

The typical network firewall operates on IP addresses and ports, in essence a statelessinteraction with the traffic
The most basic firewalls simply shut off either ports or IP addresses, dropping those packets upon arrival

Stateless

How well did you know this?

Not at all

Perfectly

is a marketing term used to describe all-in-one devices employed in network securityUTM devices typically provide a wide range of services, including switching, firewall, IDS/IPS, anti-malware, anti-spam, content filtering, and traffic shaping

Unified threat management (UTM)

How well did you know this?

Not at all

Perfectly

To compensate for this lack of available IP address space, organizations use ____________ (NAT), which translates private (nonroutable) IP addresses into public (routable) IP addresse

Network address translation (NAT) gateway

How well did you know this?

Not at all

Perfectly

_______ firewalls are exemplified by iptables, a built-in functionality in Linux system

Open-source vs. proprietary

How well did you know this?

Not at all

Perfectly

Firewalls can be physical devices, hardware, or a set of software services running on a system.

Hardware vs. software

How well did you know this?

Not at all

Perfectly

Firewalls can be located on a host, either as a separate application or part of the operating system itselfIn software-defined networking (SDN) networks, firewalls can be instantiated as virtual network functions, providing all of the features under a virtual software solution

Appliance vs. host-based vs. virtual

How well did you know this?

Not at all

Perfectly

What lists provide the system information as to what objects are permitted which actions. ACLs can control who gets to change the network parameters via configurations, who gets to pass specific firewalls, and a host of other decisions

Access control list (ACL)Access controls

How well did you know this?

Not at all

Perfectly

Depending on where the source and destination are with respect to each other, the route a packet takes can be wideranging, from simple and short to complex and long

Route security

How well did you know this?

Not at all

Perfectly

is the use of specific technologies on a network to guarantee its ability to manage traffic based on a variety of indicators

Quality of service (QoS)

How well did you know this?

Not at all

Perfectly

has many implications for secure network designs—some good, some problematic. ____ enables end-to-end encryption, which is great for communication security

Implications of IPv6

How well did you know this?

Not at all

Perfectly

What can have issues when traffic levels get heavy as the aggregate SPAN traffic can exceed the throughput of the device

Port spanning/port mirroring

How well did you know this?

Not at all

Perfectly

A test access point (TAP) is a passive signal-copying mechanism installed between two points on the network The TAP can copy all packets it receives, rebuilding a copy of all messages

Port taps

(NSM) is the process of collecting and analyzing network data to detect unauthorized activity NSM is not a way to prevent intrusions, but when deployed inside a network, it can detect where other defenses have failed

Monitoring services/Network security monitoring

are a series of internal processes that can validate the integrity of OS and application filesThere are OS utilities that can be automated to do this as well as applications to manage this critical task

File Integrity Monitors

uses Advanced Encryption Standard (AES) as the encryption protocol _____ uses the AES block cipher, a significant improvement over WEP and WPA’s use of the RC4 stream cipher

WiFi Protected Access 2 (WPA2)

improves the security of the encryption by using Simultaneous Authentication of Equals (SAE) in place of the PSK authentication method used in prior WPA versions Forward secrecy is only provided by _____ WPA2 uses pre-shared keys; _____ does not

WiFi Protected Access 3 (WPA3)WPA3

_____ is a data encapsulation encryption mechanism designed for wireless use _____ is the mode in which the AES cipher is used to provide message integrity

Counter-mode/CBC-MAC Protocol (CCMP)

is a password-based key exchange method developed for mesh networks As a peer-to-peer protocol, it does not rely on other parties, so it is an alternative to using certificates or a centralized authority for authentication

Simultaneous Authentication of Equals (SAE)

is a protocol for wireless networks that expands on authentication methods used by the Point-to-Point Protocol (PPP) EAP can support multiple authentication mechanisms, including tokens, smart cards, certificates, one-time passwords, and public key encryption authentication

Extensible Authentication Protocol (EAP)

What was developed to protect EAP communication by encapsulating it with Transport Layer Security (TLS) Which authentication is widely supported by vendors for use over wireless networks?

Protected Extensible Authentication Protocol (PEAP)PEAP, or Protected EAP,

lightweight tunneling protocol to enable authentication The distinguishing characteristic is the passing of a Protected Access Credential (PAC) that is used to establish a TLS tunnel through which client credentials are verified

EAP-FASTA

What protocol is for mutual authentication requires client and server certificates This is still considered one of the most secure implementations, primarily because common implementations employ client-side certificates

EAP-TLS

is a variant of the EAP-TLS protocolThe authentication process is protected by the tunnel from man-in-the-middle attacks, and is easier to set up than EAP-TLS to clients without certificate

EAP-TTLS (which stands for EAP–Tunneled TLS)

________ is an authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router ________ is commonly used on wireless access points as a port-based authentication service prior to admission to the wireless network

IEEE 802.1X

What allows users to use their normal credentials across trusted networks This allows users in one organization to authenticate and access resources on another trusted organization’s network using one set of credentials

Federation Remote Authentication Dial-in User Service (RADIUS)

________ is a secret that’s shared between users A ___ is typically entered as a passphrase of up to 63 characters and must be securely shared between users

Pre-shared key (PSK)

In ________ mode, the devices use IEEE 802.1X and a RADIUS authentication server to enable a connection This method allows the use of usernames and passwords

Enterprise

____ uses an eight-digit PIN to configure wireless devices ____ consists of a series of EAP messages and has been shown to be susceptible to a brute force attack

Open WiFi Protected Setup (WPS)

refers to a specific technique of using an HTTP client to handle authentication on a wireless network Frequently employed in public hotspots, a ______ ______ opens a web browser to an authentication page

Captive portal

Wireless networks are dependent on radio signals to functionAntenna type, placement, and site surveys are used to ensure proper coverage of a site, including areas blocked by walls, interfering signals, and echoes

Installation considerations

involves several steps: mapping the floor plan, testing for RF interference, testing for RF coverage, and analyzing material via software

Site surveys

A Wi-Fi _____ map is a map of wireless signal coverage and strength Typically, a ______ map shows a layout of a room, floor, or facility overlaid by a graphical representation of a wireless sign

Heat maps

can determine if the Wi-Fi signal strength is sufficient, and if there are competing devices on a particular channel This enables an engineer to allocate signals both in strength and channel to improve Wi-Fi performance

WiFi analyzers

Wi-Fi radio signals exist at specific frequencies: 2.4 GHz and 5.0 GHzEach of these signals is broken into a series of channels, and the actual data transmissions occur acrossthese channels

Channel overlaps

For security reasons, you should be aware that Wi-Fi signals go through walls, so placing access points where they produce large areas of coverage outside a facility may lead to outsiders accessing your system Protecting the access point from physical access is also important

Wireless access point (WAP) placement

What proper provisions include both physical and logical security precautionsThe physical devices and network connections should be placed in a location that is not readily accessible to an attacker

Controller and access point security

refers to the radio communication methods developed under the _____ Alliance These systems exist on 2.4-and 5-GHz frequency spectrums, and networks are constructed by both the enterprise you are associated with and third parties

Wifi

is a short-to-medium range, low-power wireless protocol that transmits in the 2.4-GHz band, which is the same band used for 802.11

Bluetooth

is a set of wireless technologies that enables smartphones and other devices to establish radio communication when they are within close proximity to each other—typically a distance of 10 cm (3.9 in) or less

NFC Near field communication (NFC)

(IR) is a band of electromagnetic energy just beyond the red end of the visible color spectrum IR cannot penetrate walls but instead bounces off them Nor can it penetrate other solid objects

Infrared

has become the ubiquitous standard for connecting devices with cables Mobile phones can transfer data and charge their battery via USB Laptops, desktops, even servers have USB ports for a variety of data connection needs

USB Universal Serial Bus (USB)

What communications are defined as communications with one endpoint on each end—a single transmitter talking to a single receiver A communications channel between two entities in isolation is referred to as ______ to ______

Point-to-point

What communications have multiple receivers for a transmitted signalWhen a message is sent in broadcast mode, it has multiple receivers and is called a _______ to _______ communication

Point-to-multipoint

is a series of satellites that provide nearly global coverage of highly precise time signals that, when multiple signals are combined, can produce precise positional data in all three dimensions

Global Positioning System (GPS)

What tags are used in a wide range of use cases From tracking devices to tracking keys, the unique serialization of these remotely sensible devices has made them useful in a wide range of application

RFID Radio frequency identification (RFID)

(MDM) is a marketing term for a collective set of commonly employed protection elements associated with mobile devicesIn enterprise environments, _____ allows device enrollment, provisioning, updating, tracking, policy enforcement, and app management capabilities

Mobile device management (MDM)

What is the method of installing, updating, and managing the applications is done though a system referred to as software

Application management

What is the set of actions used to control content issues, including what content is available and to what apps, on mobile devices Most organizations have a data ownership policy that clearly establishes their ownership rights over data, regardless of whether the data is stored on a device owned by the organization or a device owned by the employee

Content management

What mobile device typically removes data stored on the device and resets the device to factory settings

Remote wipe

is the use of the Global Positioning System (GPS) and/or radio frequency identification (RFID) technology to create a virtual fence around a particular location and detect when mobile devices cross the fence

Geofencing

Most phones have GPS built in; this enables apps and the phone to track its geographic location

Geolocation

What are used to keep data on phones safe, especially in the event of a lost or stolen phone this is often automatically deployed after a period of inactivity, such as 5 minutes These are a key security option you should use across all phones

Screen locks

__________ is the use *** information—who the user is, what resource they are requesting, what machine they are using, how they are connected, and so on—to make the authentication decision as to whether to permit the user access to the requested resource

Context-aware authentication

on mobile devices refers to dividing the device into a series of containers—one container holding work-related materials, the other personal

Containerization

This segmentation is like containerization, but this segmentation focuses strictly on segmenting _______ Containerization and ________ segmentation are technologies to keep personal data separate from corporate data on devices

Storage segmentation

What is the encryption of the entire disk In such scenarios, you are required to unlock the encryption upon reboot, typically with a passcode or passphrase

Full device encryption

A __________ is a hardware security module in a Micro SD form factor This device allows you a portable means of secure storage for a wide range of cryptographic keys

MicroSD hardware security module (HSM)

MDM software is an application that runs on a mobile device and, when activated, can manage aspects of the device, including connectivity and functions is an enterprise-level endpoint management solution that can cover all endpoints, from PCs to laptops, from phones to other mobile devices, tablets, and even some wearables

MDM/Unified Endpoint Management (UEM) Unified endpoint management (UEM)

The deployment, updating, and configuration of applications on devices requires an enterprise solution that is scalable and provides for the installation, updating, and management of in-house applications across a set of mobile devices

Mobile application management (MAM)

is a mobile version of the Security Enhanced Linux (SELinux) distribution that enforces mandatory access control (MAC) over all processes, even processes running with root/superuser privileges

Security Enhanced Android (SEAndroid)

Many mobile devices have manufacturer-associated app stores from which apps can be downloaded to their respective devices These app stores are considered by an enterprise to be ____________ stores, as the contents they offer come from neither the user nor the enterprise

Third-party application stores

_________ is used to bypass OS controls on Android, and __________is used to escalate privileges and do the same on iOS devices Both processes stop OS controls from inhibiting user behaviors

Rooting/jailbreaking

_____________ is the process of adding apps to a mobile device without using the authorized store associated with the device _____________ is an alternative means of instantiating an app on the device without having to have it hosted on the requisite app store

Side Loading

________ is firmware for a device that has been altered from the original factory settings This firmware can bring added functionality, but it can also result in security holes

Custom firmware

_______ __________ is the process of programming the device to sever itself from the carrier This is usually done through the inputting of a special key sequence that unlocks the device

Carrier unlocking

updates You can connect to an app store and update the device firmware All major device manufacturers support this model because it is the only real workable solution

Firmware over-the-air (OTA)

Many mobile devices include on-board cameras, and the photos/videos they take can divulge informationThis information can be associated with anything the camera can image—whiteboards, documents, and even the location of the device when the photo/ video was taken via geo-tagging

Camera use

are standard protocols used to send messages, including multimedia content in the case of MMS, to and from mobile devices over a cellular networkRich Communication Services (RCS) is a protocol that is currently used alongside SMS and MMS

SMS/Multimedia Messaging Service (MMS)/Rich Communication Services. (RCS)

What refers to any item or device that can store data From flash drives to hard drives, music players, smartphones, and even smart watches, if it can store data, it is a pathway for data exfiltration

External media

What is an extension of USB technology that facilitates direct connection between USB OTG–enabled mobile devices This allows those devices to switch back and forth between the roles of host and device, including deciding which provides power (host) and which consumes power across the interface

USB On-The-Go (USB OTG)

Photos taken on mobile devices or with cameras that have GPS capabilities can have location information embedded in the digital photo This is called ____ tagging by CompTIA and geo-tagging by others

GPS tagging

In ________, two Wi-Fi devices connect to each other via a single-hop connection

WiFi direct/ad hoc

This involves connecting a device to a mobile device that has a means of accessing a network for the purpose of sharing the network access When you tether a device, you create additional external network connections

Tethering

The term ________ can refer to a specific piece of network equipment, an endpoint for a wireless solution, or in other respects the physical area in which it provides connectivity These can be used for employees, customers, or guests

Hotspot

Today we have new intermediaries: smart devices with near field communication (NFC) linked to credit cards offer a convenient alternative form of payment While the actual payment is still a credit/debit card charge, the payment pathway is through the digital device

Payment methods

Organizations install device management software and ensure that the devices meet the organization’s requirements The big disadvantage is that employees will not be eager to limit their use of their personal device based on corporate policies, so corporate control will be limited

Bring your own device (BYOD)

Organizations offer employees a choice of supported device types and the employee pays for the device and owns the device Because the device is owned by the organization, it has greater flexibility in imposing restrictions on device use in terms of apps, data, updates, and so forth

Choose your own device (CYOD)

The ________ model is a traditional model whereby the organization buys and maintains the hardware The organization supplies employees with a mobile device that is restricted to company use only

Corporate-owned

What is one that provides virtual desktops to users This isn’t a model valid for smartphone deployment but can be effective as a replacement for laptop deployment

virtual desktop infrastructure (VDI)

The system is available despite individual element failures Zones can be used for replication and provide load balancing as well as high availability

High availability across zones

Cloud-based resources are controlled via a set of policies Different cloud vendors have different mechanisms to define the groups, types of resources allowed, and assignments by location or compartment

Resource policies

What is the term used to denote the policies and procedures employed to connect the identity access management systems of the enterprise and the cloud to enable communication with the da

Secrets management

Cloud computing audits have become a standard as enterprises are realizing that unique cloud-based risks exist with their data being hosted by other organizations These cloud-specific audits have two sets of requirements: one being an understanding of the cloud security environment as deployed, and the second being related to the data security requirements

Integration and auditing

Cloud-based data ________ was one of the first uses of cloud computing Security requirements related to ______ in the cloud environment are actually based on the same fundamentals as in the enterprise environment

Storage

What data access and modifications are handled in the same manner as in an on-premises IT environmentIdentity access management (IAM) systems are employed to manage the details of who can do what with each object

Permissions

What type of data in the cloud is one of the foundational elements to securing one’s data when it is on another system Data should be ________ when stored in the cloud, and the keys should be maintained by the enterprise, not the cloud provide

Encryption

The act of _______ data across multiple systems is part of the resiliency of the cloud, in that single points of failure will not have the same effects that occur in the standard IT enterprise

Replication

Having multiple different physical systems working together to ensure your data is redundantly and resiliently stored is one of the cloud’s advantages

High availability

Cloud-based systems are made up of machines connected using a network Many cloud service providers offer a virtual network that delivers the required functions without providing direct access to the actual network environment

Network

Most networking in cloud environments is via a virtual network operating in an overlay on top of a physical network The _______ _______ can be used and manipulated by users, whereas the actual network underneath cannot

Virtual network

________-facing subnets allows internet users to interact with servers, such as mail servers and web servers With _______ subnets, access is limited to specific addresses, preventing direct access to sensitive data

Public and private

__________ is the network process of separating network elements into segments and regulating traffic between the segments The presence of a _______ network creates security barriers for unauthorized accessors through the inspection of packets as they move from one segment to another

Segmentation

Content inspection refers to the examination of the contents of a request to an API by applying rules to determine whether a request is legitimate and should be accepted The use of is an active measure to prevent errors from propagating through a system and causing trouble

API content inspection

are composed of the set of rules and policies associated with a cloud instanceThese rules can be network rules, such as rules for passing a firewall, or they can be IAM rules with respect to who can access or interact with an object on the system

Security groups

Cloud service providers manage this using _______ ______ __________ software that monitors the levels of performance In accordance with the service agreement, they can act to increase resources incrementally as needed

Dynamic resource allocation

___________ ___________ is the name of a capability that must be enabled on firewalls, secure web gateways, and cloud access security brokers (CASBs) to determine if the next system in a communication chain is legitimate or not

Instance awareness

______ ________ allows connections to and from a virtual private cloud instance _____ _______ are virtual elements that can scaleThey are also redundant and typically highly available

Virtual private cloud (VPC) endpoint

is the process of implementing security tools and policies to ensure your container is running as intended Container technology allows applications and their dependencies to be packaged together into one operational element

Container security

____ is a security policy enforcement point that is placed between cloud service consumers and cloud service providers to manage enterprise security policies as cloud-based resources are accessed

CASB

What is the Access to the application for updating as well as auditing and other security elements must be considered and factored into business decisions

Application security

A ______ ________ ______ ___ ______ (SWG) is a network security service located between the users and the Internet

Next-generation secure web gateway (SWG)

The ____ of a firewall is not just in the procurement but also the deployment and operation _____ needs to be included, not only for firewalls around the cloud perimeter, but internal firewalls used for segmentation as well

Cost

________ can provide additional opportunities for security checks between critical elements of a system

Need for segmentation

The open systems interconnection (OSI) layers act as a means of describing the differentlevels of communication across a networkFrom the physical layer (layer 1) to the network layer (layer 3) is the standard realm of networkingLayer 4, the transport layer, is where TCP and UDP function, and through level 7, the application layer, is where applications work

Open Systems Interconnection (OSI) layers

_____ ______ ______ vary by provider and by specific offering that an enterprise subscribes to as part of the user agreement and service license

Cloud native controls vs. third-party solutions

The identification process is typically performed only once, when a user ID is issued to a particular userUser identification enables authentication and authorization to form the basis for accountability

Identity

(IdP)The term identity provider (IdP) is used to denote a system or service that creates, maintains, and manages identity information IdPs can range in scale and scope—fromoperating for a single system to operating across an enterprise

Identity provider

Identity attributes are the specific characteristics of an identity—name, department, location, login ID, identification number, e-mail address, and so on—that are used to accurately describe a specific entity

Attributes

-based authentication is a means of proving identity via the presentation of a ________ ________ offer a method of establishing authenticity of specific objects such as an individual’s public key or downloaded software

Certificates

An access ______ is a physical object that identifies specific access rights and, in authentication, falls into the “something you have” factor

Token

_______ are also used in implementing single sign-on (SSO) systems used by system administrators ________ are exchanged using public key cryptography, and the keys themselves are digital keys

SSH keys

are devices that store cryptographic tokens associated with an identityThe form factor is commonly a physical card, credit card sized, that contains an embedded chip that has various electronic components to act as a physical carrier of information

Smart cards

When accessing a computer system, each user is generally given a user ID—a unique alphanumeric identifier they will use to identify themselves when logging in or accessing the system Having unique, nonshared user IDs for all users of a system is important when it comes time to investigate access control issues

User account

__________ go against the specific premise that accounts exist so that user activity can be tracked

Shared and generic accounts/credentials

are frequently used on corporate networks to provide visitors access to the Internet and to some common corporate resources, such as projectors, printers in conference rooms, and so forth

Guest accounts

are accounts that are used to run processes that do not require human intervention to start, stop, or administer. _________ run without human intervention and are granted only enough permission to run the services they support

Service accounts

An account ______ can act to ensure that the necessary steps are taken to enact a secure password solution, both by users and by the password infrastructure system

Account policies

Having restrictions for accounts based on the network location to limit attacks against privileged accounts

Network location

Geofencing

is the process of applying ______ (location information) to a specific item. The actual ________ can be in a variety of formats but are typically some form of an encoding of latitude and longitude

Geotagging

Most mobile devices are now capable of using GPS for tracking device location Many apps rely heavily on GPS location, such as device-locating services, mapping applications, traffic-monitoring apps, and apps that locate nearby businesses such as gas stations and restaurants

Geolocation

______ ______ _______ are the implementation of time-based authentication, and the proper deployment of this method requires appropriate policies and procedures

Time-based logins

_________ _______ are a set of policies to assist in the management of the access control system

Access policies

Developing a policy for _______ ________ provides just that guidance to those who are implementing the access control schemes Data owners may wish to determine who has what rights to their data, but trying to keep up with the details, on an account-by-account basis, is a pathway to failure

Account permissions

are like all other audits—they are an independent verification that the policies associated with the accounts are being followed

Account audits

There are applications that can detect login anomalies and make decisions as to whether or notthe second login should be allowed

Impossible travel time/risky login

What is akin to disablement, although lockout typically refers to temporarily blocking the user’s ability to log in to a system

Account lockout

____________ is a step between the account having access and the account being removed from the system. Whenever an employee leaves a firm, all associated accounts should be disabled to prevent further access by the ex-employee

Disablement

_________ represents the access pathway to the passwords and changes the myriad of different passwords, which can be unique for every site or use, into a single secret represented by the password key

Password keys

_______ are software mechanisms designed to manage the problem of users having multiple passwords for the myriad of different systems Vaults provide a means of storing the passwords until they are needed

Password vaults

TPM is a hardware solution on the motherboard, one that assists with key generation and storage as well as random number generation A TPM assists with key generation and secure, encrypted storage

Trusted Platform Module (TPM)

_______ is a device used to manage or store encryption keys. It can also assist in cryptographic operations such as encryption, hashing, or the application of digital signatures ______ typically are peripheral devices connected via USB or a network connection

A hardware security module (HSM)

________ _________ ________ is a method where the identity of a user is verified via a common set of knowledge This is a very useful method for verifying the identity of a user without having a stored secret in advance

Knowledge-based authentication

EAP is a protocol for wireless networks that expands on authentication methods used by the Point-to-Point Protocol (PPP) EAP is designed to support multiple authentication mechanisms, including tokens, smart cards, certificates, one-time passwords, and public key encryption authentication

The Extensible Authentication Protocol (EAP)

________ _______ _______ is used to provide authentication across a point-to-point link using PPPIn this protocol, authentication after the link has been established is not mandatory

Challenge-Handshake Authentication Protocol (CHAP)

____ is a cleartext authentication protocol and hence is subject to interception ____ authentication does not provide any protection against playback and line sniffing CHAP uses a challenge/response handshake protocol to secure the channel

Password Authentication Protocol (PAP)

__________ is an authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router

802.1X802.1X

_______ is a protocol that was developed as an AAA protocol _______ is designed as a connectionless protocol utilizing User Datagram Protocol (UDP) as its transport-level protocol

Remote Authentication Dial-In User Service (RADIUS)

___________ is a form of authentication that involves the transferring of credentials between systems As more and more systems are combined in daily use, users are forced to have multiple sets of credentials

Single sign-on (SSO)

________ _______ ______ ________is a single sign-on capability used for web applications to ensure user identities can be shared and are protected SAML allows you log in to many different websites using one set of credentials.

Security Assertion Markup Language (SAML)

What is a protocol that takes a client/server model approach and handles authentication, authorization, and accounting (AAA) servicesIt is similar to RADIUS but uses TCP (port 49) as a transport method

Terminal Access Controller Access Control System Plus (TACACS+)

(which implies open authentication) is an open standard used for access delegation The latest version of this framework is _______ 2.0; it is supported by many online service provider

OAuth

What is the connect is an authentication layer that uses the OAuth 2.0 framework It provides decentralized authentication, allowing users to log in to multiple unrelated websites with one set of credentials maintained by a third-party service, which is referred to as the _______ provider

OpenID

What uses a ticket system for authenticationIt offers a single sign-on solution for users and provides protection for logon credentials _________ provides confidentiality and integrity for authentication traffic using end-to-end security and helps protect against eavesdropping and replay attacks

Kerberos

What model uses rules that can include multiple attributes about users and objects This allows the model to be flexible, as it applies the rules to all users and objects equally

Attribute-based access control (ABAC)

What model uses roles or groups, which are typically identified by job functionsInstead of assigning permissions directly to users, user accounts are placed in roles and administrators assign privileges to the roles role-based access control (RBAC) model uses roles or groups, which are typically identified by job functionsInstead of assigning permissions directly to users, user accounts are placed in roles and administrators assign privileges to the roles

Role-based access control (RBAC)

What applies global rules that apply to all subjects For example, a firewall uses rules that allow or block traffic to all users equally

Rule-based access control

This model uses labels that are applied to both users and objects The security mechanism controls access to all objects, and individual subjects cannot change that access

The Mandatory Access Control (MAC)

What uses an access control list (ACL) that is applied to objects The ACL defines the owner for the object, and the owner can grant or deny access to any other users

The Discretionary Access Control (DAC)

What is an access control scheme where specific conditions are examined before access is given A condition could be the user location when accessing resources: if local, then grant access; if remote, then deny access

Conditional access

What is a combination of the policies, procedures, and technologies for controlling access to and use of elevated or privileged accounts This enables the organization to log and control privileged access across the entire environment

Privileged access management

What can be applied to a specific user or group to control that user or group’s ability to view, modify, access, use, or delete resources such as folders and files

Filesystem permissions

What is the security associated with the use of public key cryptography revolves around the security of the private key Nonrepudiation depends on the principle that the private key is only accessible to the holder of the key If another person has access to the private key, they can impersonate the proper key holder

Key management

What is a trusted entity that issues digital certificates based on the X.509 standard Similar to notarization services for digital certificates, the CA acts as a trusted third party between the owner of the certificate and the party relying on the certificate

Certificate authority (CA)

What subordinate, ___ is a variation of the ___ in that it performs the day-to-day work of signing certificates and updates revocation information of certificates A root __will frequently have one or more intermediate ___s that is trusted by the root ___

intermediate CA

A ____ _____ is the PKI component that accepts a request for a digital certificate and performs the necessary steps of registering and authenticating the person requesting the certificate.

Registration authority (RA)

A is a list of digital certificates that have been revoked by the issuing CA and should no longer be trusted Similar to a blacklist, the CRL is used by various clients (e.g., web browsers) to check whether a certificate is valid

certificate revocation list (CRL)

A digital certificate binds an individual’s identity to a public key, and it contains all the information a receiver needs to be assured of the identity of the public key owner

Certificate attributes

_________ provides a request/response mechanism for clients to obtain the revocation status of a digital certificate This advantage eliminates the latency inherent in maintaining a CRL by providing real-time certificate verification

Online Certificate Status Protocol (OCSP)

What is a specially formatted message sent from an applicant to a CA for the purpose of requesting a digital certificate Along with the CSR, the applicant will send the public key for which the certificate should be issue

Certificate signing request (CSR)

What field is represented in the Subject field of the certificate and is the fully qualified domain name (FQDN) for which the certificate is valid

(CN) Common Name

What is a field (extension) in a certificate that has several usesIn certificates for machines, it can represent the FQDN of the machine

Subject Alternative Name (SAN)

What certificate itself has a lifetime that can be different from the key pair’s lifetime The certificate’s lifetime is specified by the validity dates inserted into the digital certificate

Expiration

What certificates include an asterisk and period before the domain nameA certificate issued for *.example.com would be valid for one.example.com as well as two.example.com

Wildcard

What is a field (extension) in a certificate that has several usesIn certificates for machines, it can represent the fully qualified domain name (FQDN) of the machine; for users, it can be the user principal name (UPN)

Subject Alternative Name (SAN)

What certificates can be designated for specific purposes, such as code signing This is to enable the flexibility of managing certificates for specific functions and to reduce the risk in the event of compromise

Code signing

What is a digital certificate that is signed using its own private key For example, a root CA certificate is considered a self-signed certificate

Self-signed certificate

______/______ certificates help computers to authenticate to the network Machine/computer certificates can be used allow clients to verify the authenticity of servers as well as mutual authentication, or two-way, authentication.

Machine/computer

What is securing email using a digital certificate ensures the confidentiality and integrity of messages between parties Multiple options for the sender to secure email are available, including signing, encryption or both.

_____ are employed by users for encrypted file systems (EFS), e-mail, and client authentications A certificate assigned to a user is required to allow users to sign or encrypt email

User certificates

A ______ certificate is the top-most certificate assigned to the _____ CA It is also the most important certificate in a PKI If something happens to the certificate (such as it is revoked or it expires), it impacts all of the certificates issued by the PKI

Root

Which (DV) certificate is a digital certificate in which the domain name of the applicant has been validated by proving ownership of a DNS domain

Domain validation

An _______ _______ (EV) certificate is similar to a domain validated certificate but with more stringent verification of the requesting entity’s identity by a CA

Extended validation

What certificate is a binary encoded certificate DER formatted certificates commonly use the .cer and .der file name extensions

Distinguished encoding rules (DER)

What certificate is a variation of the DER certificate The PEM certificates are Base64 encoded ASCII files, which are enclosed between the strings “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”EM certificates are the most common format; they use the .cer, .crt, .pem and .key file name extensions

Privacy enhanced mail (PEM)

What certificate is binary encode The ____ certificate stores the server certificate, intermediate certificates and the private key in an encrypted file ____ certificates commonly use the .pfx file name extension

Personal information exchange (PFX)

is a file extension for certificate files Certificates are usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)The Windows operating system natively handles the .CER file extension for operations such as viewing and importing certificates

Cer

What file, also called Public-Key Cryptography Standards (PKCS) #12 certificate, typically contains certificate and password-protected private keysThe ____ certificate is a successor of the PFX certificate and commonly uses the .p12 file name extension

P12

What files, also called Public-Key Cryptography Standards (PKCS) #7 certificates, contain only certificates or certificate chain certificates but not the private key _____ certificates commonly use the .p7b and .p7c file name extensions

P7BP7B

An offline CA should have no impact on any PKI operations if the root CA has delegated operations (e.g., issuing, distributing and revoking digital certificates) to one or more intermediate CAs The root CA is brought online only when required for infrequent tasks, such as the issuance or re-issuance of certificates authorizing intermediate CAs

Online vs. offline

OCSP ______ is a standard for checking the revocation status of X.509 digital certificates OCSP _______ removes the need for a browser to request the OCSP response directly from a CA by appending a time-stamped OCSP response signed by the CA to the initial handshake

Stapling

Public key _______ is a security mechanism that helps websites prevent impersonation by attackers using fraudulent digital certificates A website’s certificate is typically validated by verifying the signature hierarchy, but this chain of trust can be compromised.

Pinning

PKI relies on a hierarchical _____ _____ that assigns to a third party the responsibility of establishing a trust relationship between two parties At the top is a commonly recognized source (root CA) that all the parties using the PKI trust

Trust model

What is a key exchange process in which a key used to decrypt data is held in escrow, or stored by a third party Only an authorized party may access the key

Key escrow

Digital certificates are verified using certificate chaining, which is an ordered list of certificates in a hierarchyThe chain begins at the bottom with the digital certificate, and each certificate in the chain is signed by the entity identified by the next certificate in the chain

Certificate chaining

Secure ________ are those that have built-in security mechanisms so that, by defaultSecurity can be enforced via the protocol

Protocols

What provides integrity by validating DNS data This uses TCP port 53

Domain Name System Security Extensions (DNSSEC)

An encrypted remote terminal connection program used for remote connections to a server This uses TCP port 22

Secure Shell (SSH)

What is designed to provide cryptographic protections to e-mails and is built into the majority of modern e-mail software to facilitate interoperability

Secure/Multipurpose Internet Mail Extensions (S/MIME)

What is a protocol to secure communications, typically over a telephony or communications-based network

Secure Real-time Transport Protocol (SRTP

What uses an SSL/TLS tunnel to connect these services This communication occurs over port TCP 636

Lightweight Directory Access Protocol over SSL (LDAPS)