Domain 3: Implementation (25%) Flashcards
*3.2 Endpoint protection
Data Loss Prevention (DLP)
Monitors the data of a system while in use, in transit, or at rest to detect attempts to steal the data.
*Software or hardware solutions
*3.2 Boot Integrity
Unified Extensible Firmware Interface (UEFI) (Updated version of BIOS)
Firmware that provides the computer instructions for how to accept
input and send output.
A type of system firmware providing support for 64-bit CPU
operation at boot, full GUI and mouse operation at boot, and
better boot security.
*3.2 Self-encrypting drive (SED)
Storage device that performs whole disk encryption by using embedded
hardware.
*hardware based
*3.2 Full-disk encryption (FDE)
Software-based encryption.
Mac: FileVault
Windows: BitLocker
*3.2 Trusted Platform Module (TPM)
Chip residing on the motherboard that contains an encryption key.
If your motherboard doesn’t have TPM, you can use an external
USB drive as a key.
*3.3 Network appliances
Hardware Security Module (HSM)
Physical devices that act as a secure cryptoprocessor during the encryption process
You’ll see them as an adapter card, a device that plugs in through USB, or a network-attached device.
*3.2 Endpoint protection
Endpoint Detection and Response (EDR)
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.
*3.2 Endpoint protection
Antivirus/anti-malware
Software capable of detecting and removing virus infections and (in most
cases) other types of malware, such as worms, Trojans, rootkits, adware,
spyware, password crackers, network mappers, DoS tools, and others.
*3.2 Endpoint protection
Host-based firewall/personal firewall
A software application that protects a single computer from unwanted Internet traffic.
Examples:
Windows: Windows Firewall
Mac: PF and IPFW
Linux: iptables
*3.5 Mobile device management (MDM)
Remote Wipe
Remotely erases the contents of the device to ensure the information is
not recovered by the thief.
*3.1 Protocols
Transport Layer Security
Puts an encryption layer and a tunnel between your device and the server to ensure you have confidentiality and nobody is conducting a man-in-the-middle attack against you.
*3.5 Mobile Device Management (MDM)
Centralized software solution that allows system administrators to create and enforce policies across its mobile devices.
- Remote administration and configuration of mobile devices: the administrator can push out software policies to you, prevent you from installing applications, and install updates remotely without your involvement.
*3.7 Account policies
Geotagging
Embedding of the geolocation coordinates into a piece of data (e.g., a photo).
*3.5 Mobile Device Management (MDM)
Storage Segmentation (BYOD)
Creating a clear separation between personal and company data on a single device.
*3.5 Deployment Models
BYOD
Bring your own device
*3.5 Deployment Models
CYOD
Choose your own device
CYOD gives the employee a choice of a couple of phones.
*3.2 Hardware root of trust
A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics.
EX: Trusted Platform Module (TPM), Hardware Security Module (HSM).
*3.2 Trusted Platform Module (TPM)
A specification for hardware-based storage of digital certificates, keys,
hashed passwords, and other user and platform identification
information.
You really need to remember that the TPM, the Trusted Platform Module, is the part of your system
that allows you to ensure that when you’re booting up, it is done securely, and that we can take those boot reports and digitally sign them using the TPM.
3.3, 3.5, 3.8
Hardware Security Module (HSM)
An appliance for generating and storing cryptographic keys that is less susceptible to tampering and insider threats than software-based storage.
3.2 Boot Integrity
Secure boot
Secure boot is a feature of UEFI that prevents unwanted processes from executing during the boot operation. Essentially, as a computer is booting up, it’s going to check things and make sure that there’s digital signatures installed from those operating system vendors. If Microsoft Windows isn’t signed by Microsoft, we’re not going to boot it. That’s the idea of secure boot. We want to make sure that the bootloader is only loading things that are valid and not loading malware.
*3.2 Boot Integrity
Measured Boot
A UEFI feature that gathers secure metrics to validate the boot process in an attestation report. So, as you’re booting up, it takes different measurements (how much time does it take to do this? how much processing does it take to do that?), collects that data, creates a report, and then attests to it.
*3.2 Boot Integrity
Boot Attestation
A claim that the data presented in a report is valid, and it does this by digitally signing it using the TPM’s private key. So, the UEFI, it’s going to take that report, it’s going to sign it with that digital key, and then send it on to the operating system into the processor. This way we know we can trust it.
*3.2 Application Security
Static code analysis
Source code of an application is reviewed manually or with automatic
tools without running the code
Think of static analysis as your third-grade English teacher looking over your essay and marking it up with a red pen to show you all of your errors.
*3.2 Application Security
Dynamic code Analysis
Analysis and testing of a program occurs while it is being executed or run
Dynamic analysis, on the other hand, is performed on a program while it’s being run. The most common type of dynamic analysis involves the use of fuzzing.
*3.2 Application Security
Fuzzing
Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper
input validation
Fuzzing, also known as a Fuzz Test, involves using a software program to insert randomized data in an attempt to find vulnerabilities. Fuzzing is used to determine possible system failures, memory leaks, error handling issues, and improper input validation as well.
*3.3 Access Control List (ACL)
An ordered set of rules that a router uses to decide whether to permit or deny traffic based upon given characteristics
IP Spoofing is used to trick a Router’s ACL
*3.3 Network segmentation
Screened Subnet (DMZ)
A segment isolated from the rest of a private network by one or more firewalls that accept connections from the internet over designated ports.
Focused on providing controlled access to publicly available servers that are hosted within your organizational network.
Everything behind the Screened Subnet (DMZ) is invisible to the outside network.
*3.3 Network segmentation
Extranet
Specialized type of DMZ that is created for your partner organizations to access over a wide area network
*3.3 Network segmentation
Intranet
Used when only one company is involved
*3.3 Network Access Control (NAC)
Security technique in which devices are scanned to determine their current state prior to being allowed access onto a given network
3.5 Mobile Device Management
*Context Aware Authentication
Process to check the user’s or system’s attributes or characteristics prior
to allowing it to connect
§ Restrict authentication based on the time of day or location
3.8 Authentication/Authorization
*Single Sign-On (SSO)
A default user profile for each user is created and linked with all of the
resources needed
§ Compromised SSO credentials cause a big breach in security
3.8 Authentication/authorization
*Security Assertion Markup Language (SAML)
Attestation model built upon XML used to share federated
identity management information between systems
3.8 Authentication/authorization
OpenID
An open standard and decentralized protocol that is used to
authenticate users in a federated identity management system
User logs into an Identity Provider (IP) and uses their account at
Relying Parties (RP)
OpenID is easier to implement than SAML
SAML is more efficient than OpenID
3.8 Authentication/Authorization
*802.1X
Standardized framework used for port-based authentication on wired
and wireless networks
First, 802.1x is an IEEE standard that defines Port-Based Network Access Control or PNAC. 802.1x is a data link layer authentication technology that’s used to connect devices to a wired or wireless LAN.
Also, it defines the EAP protocol.
RADIUS
TACACS+
802.1x can prevent rogue devices
3.8 Authentication/authorization
*Extensible Authentication Protocol (EAP)
A framework of protocols that allows for numerous methods of
authentication including passwords, digital certificates, and public key
infrastructure
§ EAP-MD5 uses simple passwords for its challenge-authentication
§ EAP-TLS uses digital certificates for mutual authentication
§ EAP-TTLS uses a server-side digital certificate and a client-side password
for mutual authentication
3.8 Authentication/authorization
Kerberos
An authentication protocol used by Windows to provide for two-way
(mutual) authentication using a system of tickets
Port 88
§ A domain controller can be a single point of failure for Kerberos
3.8 Authentication/authorization
*Password Authentication Protocol (PAP)
Used to provide authentication but is not considered secure since it
transmits the login credentials unencrypted (in the clear)
3.8 Authentication/authorization
Challenge Handshake Authentication Protocol (CHAP)
Used to provide authentication by using the user’s password to encrypt a
challenge string of random numbers
3.3 *Virtual Private Network (VPN)
Allows end users to create a tunnel over an untrusted network and
connect remotely and securely back into the enterprise network
§ Client-to-Site VPN or Remote Access VPN
VPN Concentrator:
§ Specialized hardware device that allows for hundreds of simultaneous
VPN connections for remote workers
Split Tunneling:
§ A remote worker’s machine diverts internal traffic over the VPN but
external traffic over their own internet connection
§ Prevent split tunneling through proper configuration and network
segmentation
3.8 Authentication/authorization
Remote Authentication Dial-In User Service (RADIUS)
1. Provides centralized administration of dial-up, VPN, and wireless
authentication services for 802.1x and the Extensible Authentication
Protocol (EAP)
2. Centralized administration system for dial-up, VPN, and wireless
authentication (802.1x) that uses either ports 1812/1813 (UDP) or 1645/1646 (UDP, alternative)
§ RADIUS operates at the application layer
3.8 Authentication/authorization
Terminal Access Controller Access Control System Plus (TACACS+)
Cisco’s proprietary version of RADIUS that provides separate
authentication and authorization functions over port 49 (TCP)
3.8 Access Control Schemes
Discretionary Access Control (DAC)
- The access control policy is determined by the owner
- DAC is used commonly
- Every object in a system must have an owner
- Each owner determines access rights and permissions for each
object
3.8 Access Control Schemes
Mandatory Access Control (MAC)
An access control policy where the computer system determines
the access control for an object
- The owner chooses the permissions in DAC but in MAC, the
computer does
3.8 Access Control Schemes
Rule-based Access Control
Label-based access control that defines whether access should be
granted or denied to objects by comparing the object label and
the subject label
3.8 Access control schemes
Role-based Access Control (RBAC)
- An access model that is controlled by the system (like MAC) but
utilizes a set of permissions instead of a single data label to define
the permission level
- Power Users is a role-based permission
3.8 Access Control Schemes
Attribute-Based Access Control (ABAC)
- An access model that is dynamic and context-aware using IF-THEN
statements
- If Jason is in HR, then give him access to \\fileserver\HR
3.3 Port spanning/port mirroring
One or more switch ports are configured to forward all of their packets to
another port on the switch
3.1 Protocols
SNMP
A TCP/IP protocol that aids in monitoring network-attached devices and
computers
§ SNMP is incorporated into a network management and monitoring
system
3.1 Protocols
SNMP v3
Version of SNMP that provides integrity, authentication, and encryption
of the messages being sent over the network
3.2 Application security
Code Signing
Uses digital signatures to provide an assurance that the software code
has not been modified after it was submitted by the developer
3.9 Types of certificates
Wildcard Certificates
Allow all of the subdomains to use the same public key certificate and
have it displayed as valid
§ Wildcard certificates are easier to manage
3.9 Public Key Infrastructure (PKI) and Types of Certificates
Subject Alternative Name (SAN)
Allows a certificate owner to specify additional domains and IP addresses
to be supported