Domain 3.0: Implementation Flashcards
How to make LDAP confidential and secure?
Use TLS technology over port 636
HTTP
Unencrypted web traffic over port 80
HTTPS
Encrypted web traffic over port 443
Port # for FTP
Port 22
Port # for SSH
Port 22
Port security
Layer 2 traffic control feature that enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port
Loop protection
Makes additional checks in Layer 2 switched networks
Flood guard
Firewall feature to control network activity associated with DoS attacks.
Static code analysis
White-box software testing process for detecting bugs early in the program development
Dynamic code analysis
Based on observing how the code behaves during execution.
Fuzzing
Black-box software testing process by which semi-random data is injected into a program or protocol stack to detect bugs
Sandboxing
Safe execution environment for untrusted programs
What are the recommendations for test environments?
They should be isolated from development environments.
What is a staging environment?
It reduces the risk of introducing issues before solutions are deployed in production.
What are baselines?
They establish a pattern of use that later helps identify variations indicating unauthorized access attempts.
Smart Cards
They use embedded systems with an operating system on the included chip.
Waterfall SDLC model
SDLC -> Software Development Life Cycle
Waterfall SDLC model starts with a defined set of requirements and a well-developed plan, and adjustments are confined to the current development stages.
Agile SDLC model
It starts with less rigorous guidelines and allows for adjustments during the process.
Secure DevOps
They include security in the SDLC, ensuring that security is built in during the development process.
CI server
CI stands for Continuous integration
A CI server continually compiles, builds and tests each new version of code committed to the central repository without user interaction.
Immutability
A valuable program, configuration, or server is never modified in place.
System Hardening
Disabling unnecessary ports and services
How to keep attackers from exploiting software bugs?
An organization must continually apply manufacturers’ patches and updates
Common used services and associated ports
Port: Service
15: Netstat
20 & 21: FTP
22: SSH, SFTP, SCP
23: Telnet
25: SMTP
53: DNS
80: HTTP
123: NTP
389: LDAP
443: HTTPS
636: LDAPS
989 & 990: FTPS
1812: RADIUS
3389: RDP
TPM chips
Secure cryptoprocessor used to authenticate hardware devices
File integrity checker
Tool that computes cryptographic hash and compares the result to known good value to ensure that the file has not been modified.
Signature-based method
It detects known signatures or patterns
VPN concentrator
They are used to allow multiple external users to access internal network resources using secure features that are built in to the device. They are deployed when a single device needs to handle a very large number of VPN tunnels.
NAC
Network Access Control offers a method of enforcement which helps ensure that computers are properly configured.
Zero trust
It’s a model that provides granular and dynamic access control, regardless of where the user or application resides and does not place trust in the entire network.
Screened subnet
Small network between the internal network and the Internet that provides a layer of security and privacy.
What is an effective control to implement to mitigate the effect of a network intrusion?
Network segregation, isolation and segmentation.
Air gaps
Physically isolated machines or networks.
What are primary methods to get network traffic to network monitoring tools?
Network taps, SPAN and mirror ports.
SPAN stands for Switch Port analyzer.
VLAN’s purpose
Virtual LAN - they unite network nodes logically into the same broadcast domain, regardless of their physical attachment to the network.
What are the two basic methods used for intrusion detection?
Knowledge-based and behavior-based.
How does IDS monitor packets?
They use a behavior-based method to identify anomalies or a knowledge-based method, operating in network-based or host-based configurations.
NIDS and NIPS are designed to do what?
They are designed to catch attacks in progress within a network, not just on individual machines or at the boundary between private and public networks.
Where can proxy servers be placed in the network?
Between the private network and the Internet for Internet connectivity. They can also be placed internally for web content caching.
What do firewalls separate?
They separate external and internal networks.
What types of firewalls are there?
Packet-filtering firewall (network layer, Layer 3)
Proxy-service firewall including circuit level (session layer, Layer 5)
Application level (application layer, Layer 7) gateways
Stateful inspection firewall (application layer, Layer 7)
What is a stateless firewall?
It works as a basic access control list filter.
What are stateful firewalls?
Deeper inspection firewall type that analyzes traffic patterns and data flows, often combining layered security and known as next-gen firewalls.
Wireless access methods include what?
From least secure to most secure, they include open authentication, shared authentication and EAP
WPA-Personal
They require a password shared by all devices on the network
WPA-Enterprise
Requires certificate and uses an authentication server from which keys are distributed
WPA2, WPA3 favors which encryption over what encryption?
WPA2 and WPA3 favor CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol, also known as CCM mode Protocol) over TKIP common to WPA.
TKIP (Temporal Key Integrity Protocol) should still be used for systems that are unable to support 802.11i.
EAP authentication protocols include the following:
EAP-TLS, PEAP, EAP-TTLS, and EAP-FAST. Only EAP-TLS requires a client certificate and only EAP-FAST does not require a server certificate.
EAP
Extensible Authentication Protocol is an authentication framework and is used by WPA, WPA2 and WPA3 for authentication.
PEAP
Protected Extensible Authentication Protocol is a protocol that encapsulates EAP in a TLS tunnel and only requires a certificate on the server.
What is jailbreaking / rooting?
It’s a method to remove restrictions on mobile devices imposed by the manufacturers and can introduce risks.
What is the recommended action when an employee leaves an organization?
Disable their account; do not delete it.
What is recommended action for generic accounts used by multiple users?
They are to be prohibited.
What two models exist for working with logical controls, especially the assignment of permissions and rights?
User-based and role/group-based
What should happen when there’s too many failed authentication attempts?
They should incur a penalty such as account lockout.
What issue does enforcing password history prevent?
It prevents users from reusing old passwords.
What is the common method for identifying access violations and issues?
Auditing user permissions
What is a federation system?
It allows for accessibility from each domain. Accounts in one area can be granted access rights to any other resource, whether local or remote, within the domains.
What are examples of remote access authentication?
RADIUS - Remote Authentication Dial-In User Service
TACACS+ - Terminal Access Controller Access-Control System Plus
RADIUS
Remote Authentication Dial-In User Service provides authentication and authorization functions in addition to network access accounting functions, but it does not provide further access control.
Kerberos prevents what type of attacks?
Since it supports mutual authentication, it prevents on-path attacks.
Why should we be strongly discouraged from using PAP?
User passwords are easily readable.
OAuth
Open Authorization provides authorization services and does not provide authentication, unlike OpenID and SAML
SAML
Security Assertion Markup Language offers single sign-on capabilities.
IdP
IdP stands for ID Provider. It is the source of a username and password and authenticates the user. The SP (Service Provider) provides the service to the user.
What are examples of access control?
MAC - Mandatory access control
DAC - Discretionary access control
ABAC - Attribute-based access control
RBAC - Role-based access control
MAC (access control)
Mandatory access control involves assigning labels to resources and accounts (for example, SENSITIVE, SECRET, and PUBLIC). If the labels on the account and the resource do not match, the resource remains unavailable in a nondiscretionary manner.
DAC
Discretionary access control restricts access for each resource in a discretionary manner. This is widely used in Windows OS and servers.
RBAC
Role-based access control, sometimes known as Rule-based access control
It dynamically assigns roles to users based on criteria that the data custodian or system administrator defines. It can include controls such as time of day, day of the week, specific terminal access, and GPS coordinates of the requester, along with other factors that might overlay a legitimate account’s access request.
Implementation may require rules to be programmed using code rather than allowing traditional access control by checking a box.
ABAC
Attribute-based access control is a logical access control model that the Federal Identity, Credential, and Access Management (FICAM) Roadmap recommends as the preferred access control model for information sharing among diverse organizations.
It is based on the Extensible Access Control Markup Language (XACML).
It’s very similar to the core components of AAA. The authorization process is determined by evaluating rules and policies against attributes associated with an entity, such as the subject, object, operation and environmental conditions.
CACs and PIV cards provide what function?
Smart Card functions for identity and authentication.
CAC = Common Access Code; it’s a credit-card-sized smart card and the standard identification for active duty uniformed service personnel and so on.
PIV is Personal Identity Verification, a security standard detailed in NIST FIPS 201-2 which creates a framework for multi-factor authentication on a smart card.
What is Implicit deny?
Access control practice in which resource availability is restricted to only logins that are explicitly granted access.
PKI relies on what?
Public Key Infrastructure relies on asymmetric key cryptography using certificates, which are digitally signed blocks of data issued by a CA.
What is a CSR?
A Certificate Signing Request is generated and submitted before a CA signs a certificate
What is the recommendation for a root CA?
A root CA should be taken offline to reduce the risk of key compromise, because that would compromise the entire chain or system.
What are three types of validated certificates?
DV - Domain Validation
OV - Organization Validation
EV - Extended Validation
EV Certificate
Extended Validation provides the highest level of trust and requires the most effort for a CA to validate
Which certificates are encoded in binary and which are encoded in ASCII?
DER and PFX certificates are binary encoded.
PEM and P7B certificates are ASCII encoded.
What ensures a certificate’s validity?
This is accomplished through a CRL or OCSP.
OCSP Stapling
OCSP (Online Certificate Status Protocol) Stapling puts the responsibility for answering OCSP requests on the web server instead of on the issuing CA.
Key Escrow
It stores a private key with a trusted third party.