Domain Two: Technologies and Tools Flashcards
What is a firewall ?
A firewall acts as a gatekeeper that allows traffic to a network segment based on rules that are implemented. A firewall can be hardware or software based.
How does a firewall work ?
- NAT rules
- Basic Packet Filtering
- Stateful Packet Filtering
- ACLs
- Application Layer Proxies
How are firewall rules read ?
Firewall rules are read top down and the first matching rule wins, so the order of the rules matters. The usual configuration is the explicit allows at the top and an explicit deny-all as the last rule, which blocks everything no earlier rule matched. Most firewalls also apply an implicit deny to unmatched traffic, but writing the deny as a rule makes the behaviour visible and lets it be logged.
What is a firewall ACL ?
Lists of users, network devices and addresses and their permitted actions. Most commonly used in file systems, but ACLs can be applied on any device (routers, switches, firewalls). Rules are read top down with first match wins, so the last rule should be a deny everything.
What is an application based firewall ?
Unlike basic packet filtering this inspects the application-layer payload, not just the headers, so it can enforce rules on, for example, HTTP methods or the content of a request. Deep inspection costs CPU and adds latency, so it is usually only a choice for high value assets.
What is basic packet filtering ?
Basic (stateless) packet filtering examines the headers only: protocol, source and destination ports, and source and destination addresses. Each packet is allowed or blocked against the ruleset on its own, with no memory of earlier packets.
So FTP (tcp/21) may be allowed to one destination but not another, etc.
What is Network Address Translation ?
Network Address Translation maps the private IP addresses on the internal network to one (or a few) public addresses on the firewall's external interface. An attacker only ever sees the external public IP address of the firewall, so the internal addressing scheme is hidden, and because the translation table only has entries for connections started from inside, unsolicited inbound traffic has no internal host to be delivered to. This isolation is a side effect of the translation rather than a designed security control; IPv6 removes the address shortage that motivated NAT, so the blocking of unsolicited inbound traffic should come from a stateful firewall rule rather than from relying on NAT.
Firewalls can be configured to perform NAT.
What is Stateful Packet inspection ?
Looks at the state of the connection a packet belongs to - is this a new connection, part of an existing one, did it originate from an internal or an external source - and then evaluates it against the ruleset.
Another feature of stateful packet inspection is that inbound ports stay closed until an internal host opens a connection; the return traffic for that connection is allowed through because the firewall tracked the state, so an attacker's port scan sees nothing open and is of limited use.
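The two filtering models above (stateless header matching with first-match-wins and an explicit deny-all at the end, and stateful tracking that only lets return traffic in) are easy to confuse on paper, so here is an added example that simulates both. It is not code from the original page; the rule set, addresses and the "10." internal prefix are constructed for illustration.

```python
# Constructed rule set: (action, proto, src, dst, dport). First matching rule wins,
# so order matters. The final rule is an explicit deny-all; anything that reaches
# it without matching an earlier allow is blocked.
RULES = [
    ("allow", "tcp", "any", "10.0.0.5", 22),    # SSH, but only to the bastion host
    ("allow", "tcp", "any", "10.0.0.10", 443),  # HTTPS to the web server
    ("deny",  "tcp", "any", "10.0.0.10", 22),   # no SSH to the web server
    ("deny",  "any", "any", "any", None),       # explicit deny everything else
]

def matches(rule, proto, src, dst, dport):
    """Does a single rule match this packet's header fields?"""
    _action, r_proto, r_src, r_dst, r_dport = rule
    return (r_proto in ("any", proto)
            and r_src in ("any", src)
            and r_dst in ("any", dst)
            and (r_dport is None or r_dport == dport))

def filter_packet(proto, src, dst, dport, rules=RULES):
    """Stateless packet filter: return the action of the first matching rule.
    Every packet is judged on its own headers; there is no memory of earlier packets."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule[0]
    return "deny"  # implicit deny if nothing matched at all

class StatefulFirewall:
    """Stateful inspection: connections initiated from inside are recorded, and only
    the return traffic for a recorded connection is allowed back in without a rule.
    The internal address prefix is an assumption for this example."""
    def __init__(self, rules, internal_prefix="10."):
        self.rules = rules
        self.internal_prefix = internal_prefix
        self.table = set()  # tracked flows: (proto, src, sport, dst, dport)

    def inspect(self, proto, src, sport, dst, dport):
        # Existing connection? Reply direction of a tracked flow is allowed.
        if (proto, dst, dport, src, sport) in self.table:
            return "allow"
        # New connection from an internal source: allow it and remember the flow.
        if src.startswith(self.internal_prefix):
            self.table.add((proto, src, sport, dst, dport))
            return "allow"
        # New connection from outside: it must match an explicit rule; deny-all at the end.
        return filter_packet(proto, src, dst, dport, self.rules)
```

Swapping the deny-all rule to the top of the list is the classic misconfiguration: with first match wins, every packet hits it and nothing is ever allowed.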
What is an IDS and an IPS ?
IDS - Detects, logs and alerts on unauthorised or suspicious activity; the analysis can be done in real time or after the fact
IPS - All of the above, but it sits inline and can also prevent (block) the traffic
NIDS/NIPS - Network based IDS and IPS; sees the traffic for every host on the monitored segment, but not what happens inside a host
HIDS/HIPS - Host based; only sees that one host, but in more detail than the above (logs, file integrity, processes)
You must also consider that these systems are subject to changes in business process etc. which can lead them to generate
False Positives - Where there is a triggering of the rules but no malicious events
False Negatives - Where the rules were not triggered but the event was malicious
What is the function of the IDS analysis engine ?
This is the brains of the whole operation and responsible for the analysis of the caught traffic against the signatures in the database.
What is the function of the signature database ?
This is a collection of known patterns and definitions of malicious activity. An IDS/IPS should receive regular updates to this database as new attack patterns are recognised.
What is the traffic collector function of an IDS/IPS ?
Sometimes known as a sensor - it captures all the traffic that the IDS will analyse.
In HIDS that may be the logs for that host
In NIDS a copy of the network traffic is taken (from a mirror/SPAN port or a network tap) and stored for analysis
How does a user interact with a firewall ?
Through its user interface: a management console, web UI or command line for viewing logs and editing the rule set.
What are the two methods the IDS/IPS uses to capture traffic ?
Inline: the sensor sits in the traffic path and captures, analyses and can block the traffic as it flows through the device (a dedicated appliance or a module in a firewall/router). The downside is that the sensor becomes a single point of failure: if it fails closed, traffic stops; if it fails open, there is no checking.
Passive: takes a copy of the traffic from a tap or mirror port. It is retrospective, so the traffic has already been delivered by the time a judgement is made; it can alert but cannot block.
What are the in-band and out-of-band modes of an IPS ?
In-band (inline) checks the traffic and acts on it as it flows through the device. There are performance implications, so it should be used for high value assets.
Out-of-band uses the passive approach so it is reactive: it can alert or reset a connection after the fact, but it cannot stop the first packet.
What are the types of IDS/IPS ?
Signature, Heuristic, Anomaly, Behavioural
What is a signature based IDS/IPS ?
This is essentially a matching process between the signatures and the observed activity. It is very dependent on having the latest version of the signatures in the database.
Because the database is constantly expanding there are potential performance implications that have to be accounted for.
This is also known as blacklisting: only known bad patterns are caught, so a new or obfuscated attack is a false negative.
What is an anomaly based IDS/IPS ?
Anomaly based systems learn the system or network over a training period, derive what they believe is normal, and treat anything deviating from that as an anomaly.
What is a behaviour based IDS/IPS ?
In this approach a baseline of good behaviours is defined which represents normal on the network. Anything that does not fall into line with this behaviour is blocked (effectively whitelisting).
However changes in business process etc. can lead to an initially high level of false positives.
What is a heuristic based IPS/IDS ?
Heuristic systems use algorithms (rules of thumb and scoring) to predict what is malicious. The algorithms need tuning, and they can classify something as suspicious but not malicious and let it pass.
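The difference between the signature and anomaly approaches, and the false positive / false negative trade-off mentioned earlier, is clearest when both are run over the same data. The following is an added example, not code from the original page: a handful of constructed web-server log lines ("source method path status"), one signature rule, and a simple statistical anomaly rule. The baseline lines, addresses and thresholds are all assumptions for the illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines ("source method path status"); not real traffic.
BASELINE = [  # a quiet period used to learn what "normal" looks like
    "10.0.0.7 GET /index.html 200", "10.0.0.7 GET /about.html 200",
    "10.0.0.8 GET /index.html 200",
    "10.0.0.9 GET /index.html 200", "10.0.0.9 GET /docs 200", "10.0.0.9 GET /about.html 200",
    "10.0.0.10 GET /index.html 200", "10.0.0.10 GET /docs 200",
]
LIVE = [
    "10.0.0.7 GET /index.html 200",
    "203.0.113.9 GET /login.php?user=admin%27%20OR%201%3D1-- 200",    # classic SQLi probe
    "203.0.113.9 GET /login.php?user=admin%27/**/OR/**/1%3D1-- 200",  # same attack, comment-obfuscated
    "10.0.0.8 GET /search?q=%27%20OR%201%3D1%20tutorial 200",         # benign search containing the pattern
] + ["198.51.100.4 GET /search?q=%d 200" % i for i in range(60)]       # one source hammering the site

# Signature database: known bad patterns (a blacklist).
SIGNATURES = {
    "sqli_or_1eq1": re.compile(r"'\s*OR\s+1=1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}

def signature_detect(line):
    """Signature matching on the URL-decoded request. It only finds what is already in
    the database: the /**/ variant is a false negative, and a benign search for the
    same string is a false positive."""
    text = unquote(line)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def source_of(line):
    return line.split()[0]

def anomaly_detect(lines, baseline, k=3.0):
    """Anomaly detection: learn mean and standard deviation of requests per source
    from the baseline, then flag any source more than k standard deviations above."""
    base = Counter(source_of(l) for l in baseline)
    counts = list(base.values())
    mean = sum(counts) / len(counts)
    std = (sum((c - mean) ** 2 for c in counts) / len(counts)) ** 0.5 or 1.0
    live = Counter(source_of(l) for l in lines)
    return {src: n for src, n in live.items() if (n - mean) / std > k}

def run_ids():
    """Returns (signature hits by line index, anomalous sources with their counts)."""
    sig_hits = {i: hits for i, line in enumerate(LIVE) if (hits := signature_detect(line))}
    return sig_hits, anomaly_detect(LIVE, BASELINE)
```

Note what each engine misses: the signature engine never sees the flood from 198.51.100.4 because no request matches a pattern, and the anomaly engine never flags the two injection attempts because two requests is a perfectly normal volume. Production sensors run both for that reason.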
What is a bridge ?
Bridge - Connects different network segments together and forwards frames between them based on MAC address. Segmentation increases security by creating boundaries. Operates at layer 2 of the OSI model.
What are SSL/TLS Accelerators ?
SSL/TLS Accelerators - Dedicated hardware (or an add-in card) that performs the TLS handshake and bulk encryption on behalf of web servers. Used in large scale operations so that the cryptographic work does not become a bottleneck.
What are SSL Decryptors ?
SSL/TLS Decryptors - Allow authorised personnel to decrypt TLS traffic for inspection (for example by an IDS or DLP). Typically the session is terminated at the decryptor and re-encrypted towards the destination, which means client devices must trust the organisation's inspection CA.
What is a HSM ?
A Hardware Security Module: a tamper-resistant device that generates, stores and uses encryption keys. The private key never leaves the HSM; signing and decryption happen inside it, which is both more secure and more efficient than keeping keys on a general purpose server.
What is DLP ?
Data Loss Prevention is a group of technologies designed to stop data being lost or stolen. They inspect data in use, in motion and at rest and can be triggered by a set of data markers such as SSNs, account or card numbers, or classification labels.
USB Blocking - To prevent use of flash drives completely or selectively by account type etc
Email - DLP attaches to the mail server and scans attachments
DLP protection should still be employed in cloud
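Matching on data markers is where DLP either works or drowns in false positives: a 16-digit tracking number is not a card number, and not every 000-00-0000 string is an SSN. The following added example (not code from the original page) shows the kind of content check a DLP engine applies before blocking a message: regex for the shape, then a validity check (Luhn for card numbers, SSA issuance rules for SSNs). The sample texts are constructed and the numbers are synthetic test values.

```python
import re

# Constructed sample texts; the numbers are synthetic test values, not real identities.
SAMPLES = {
    "ok_order": "Order 4242 shipped, tracking 1Z999AA10123456784",
    "card":     "Card on file: 4111 1111 1111 1111 exp 12/29",
    "bad_card": "Ref 4111 1111 1111 1112",    # card-shaped but fails the Luhn check
    "ssn":      "Employee SSN 219-09-9999 on record",
    "not_ssn":  "Invoice 000-12-3456 filed",  # SSN-shaped, but area 000 is never issued
}

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

CARD_RX = re.compile(r"\b(?:\d[ -]?){13,19}\b")       # 13-19 digits, optional spaces/dashes
SSN_RX = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")    # AAA-GG-SSSS

def ssn_plausible(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0

def classify(text):
    """Return the data markers found: ("PAN", last4) or ("SSN", last4)."""
    markers = []
    for m in CARD_RX.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            markers.append(("PAN", digits[-4:]))
    for m in SSN_RX.finditer(text):
        if ssn_plausible(*m.groups()):
            markers.append(("SSN", m.group(3)))
    return markers

def dlp_decision(text):
    """The policy action for an outbound message: BLOCK if any marker is present."""
    markers = classify(text)
    return ("BLOCK" if markers else "ALLOW", markers)
```

Only the last four digits are kept in the marker so that the DLP alert itself does not become another copy of the sensitive value.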
What is a NAC ?
Determines which devices can attach to the network, and what they can reach once attached.
NAP - Microsoft's Network Access Protection, an agent-based implementation that runs on the host or device wishing to join the network
NAC - The general term; Cisco's NAC is one vendor implementation. It determines whether an endpoint device is permitted on the network and does not have to be installed on the device
Permanent Agents - Deployed on the device indefinitely
Dissolvable Agents - Agents removed once access has been determined, but can be re-issued
Host Health Checks - NAC can determine if the Host has the requisite patches etc to join network
Agent and Agentless
Agents are NAC solutions installed on the device prior to joining network
Agentless These are solutions that are installed on the network but downloaded to the device as it tries to access the network
What is a SIEM ?
A system dedicated to aggregation,storing, and correlation of security data from many varied sources.
What are the main stages of SIEM functionality ?
Aggregation - collection of data usually logs or feeds from security appliances
Correlation - analysis against patterns of the above data
Automated Triggers and Alerting - cuts down delays
Time Synchronisation - An issue for geographically dispersed systems. The SIEM normalises every timestamp to UTC (and keeps the local time), so events that happened at the same moment in different time zones line up during correlation. The log sources themselves should be NTP-synchronised, or the ordering is still wrong.
Event Deduplication - The same event can be recorded in multiple sources (or sent twice by a forwarder) and the SIEM sifts out these duplicates so that analysts don't waste time looking at masses of duplicated data.
Logs/WORM - Log storage should be write once, read many: once written, an event cannot be altered or deleted. This preserves the integrity of the evidence (an attacker who gets in cannot tidy up the logs) and keeps it admissible.
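The stages above are easier to see as a small pipeline over concrete events. This is an added example, not code from the original page: constructed events from a firewall in one time zone and an authentication server in another, one forwarder duplicate, and a single correlation rule (several failed logins from one address followed by a success within a window). The sources, addresses, window and threshold are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed events (not real logs): (source, local timestamp with UTC offset, src_ip, action, detail).
# The firewall is in London (UTC+0), the auth server in New York (UTC-4).
RAW_EVENTS = [
    ("fw-lon",   "2024-06-01T09:00:05+00:00", "198.51.100.23", "conn", "tcp/22"),
    ("auth-nyc", "2024-06-01T05:00:06-04:00", "198.51.100.23", "login_failed", "bob"),
    ("auth-nyc", "2024-06-01T05:00:08-04:00", "198.51.100.23", "login_failed", "bob"),
    ("auth-nyc", "2024-06-01T05:00:08-04:00", "198.51.100.23", "login_failed", "bob"),  # forwarder duplicate
    ("auth-nyc", "2024-06-01T05:00:11-04:00", "198.51.100.23", "login_failed", "bob"),
    ("auth-nyc", "2024-06-01T05:00:13-04:00", "198.51.100.23", "login_failed", "bob"),
    ("auth-nyc", "2024-06-01T05:00:20-04:00", "198.51.100.23", "login_ok", "bob"),
    ("auth-nyc", "2024-06-01T05:30:00-04:00", "10.0.0.5", "login_failed", "alice"),
    ("auth-nyc", "2024-06-01T05:30:04-04:00", "10.0.0.5", "login_ok", "alice"),
]

def aggregate(raw):
    """Aggregation + time synchronisation: parse each event and store its timestamp in UTC,
    then order the combined stream by time so sources can be compared."""
    events = []
    for source, ts, src_ip, action, detail in raw:
        utc = datetime.fromisoformat(ts).astimezone(timezone.utc)
        events.append({"source": source, "ts": utc, "src_ip": src_ip,
                       "action": action, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])

def deduplicate(events):
    """Event deduplication: drop repeats that are identical in every field."""
    seen, unique = set(), []
    for e in events:
        key = (e["source"], e["ts"], e["src_ip"], e["action"], e["detail"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` failed logins from one IP inside `window`,
    followed by a success from the same IP, is flagged as a probable brute force."""
    fails = defaultdict(list)
    alerts = []
    for e in events:
        if e["action"] == "login_failed":
            fails[e["src_ip"]].append(e["ts"])
        elif e["action"] == "login_ok":
            recent = [t for t in fails[e["src_ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"src_ip": e["src_ip"], "user": e["detail"],
                               "failures": len(recent), "at": e["ts"].isoformat()})
    return alerts

def run_pipeline(raw=RAW_EVENTS):
    """Returns (deduplicated UTC-ordered events, alerts)."""
    events = deduplicate(aggregate(raw))
    return events, correlate(events)
```

Without the UTC step, the firewall's 09:00 connection and the auth server's 05:00 failures would look four hours apart and never correlate; without the deduplication step the failure count would be inflated by the forwarder's repeat.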
What is a WAP ?
Primary purpose is to allow radio traffic into and out of a network.
The SSID is the network name a client uses to identify which WAP (network) to associate with; it is not an authentication credential. It is broadcast in plain text in the WAP's beacon frame, whose purpose is to advertise the availability of the WAP. You can switch off SSID broadcast or get the WAP to transmit a dummy SSID, but this only hides the name from casual viewers: the real SSID still appears in probe and association frames, so it is not a security control.
Signal strength is important because if it is too weak this will cause drop-outs and lost information; if it is stronger than needed it leaks coverage outside the building.
What is the difference between a fat/thin wap
Fat WAP - Operates standalone and manages all updates, encryption, configuration and authentication itself. Simple for a handful of APs, but each one has to be configured and patched individually.
Thin WAP - These duties are offloaded from the WAP to a centralised wireless controller. Easier to manage at scale, good for large networks, and allows for better load balancing and roaming between APs.
What are two directional antennas used with a WAP ?
Yagi antenna - highly directional, extends reception in a straight line (point-to-point links)
Panel antenna - directional with a wider beam, short range coverage used to fill hotspot dead zones
What is a proxy ?
Proxies forward requests and can filter out malicious or bad traffic and prevent users from accessing potentially harmful websites. A proxy server provides anonymity by taking requests from the end device and forwarding them on behalf of the end system.
A Forward proxy takes requests and forwards them on
A Reverse proxy sits in front of servers, takes outside requests (mainly for a company website), filters them and passes them on to the backend; clients never talk to the real server directly
Transparent proxy aka tunneling proxy redirects request and responses without filtering but still providing a buffer and therefore anonymity.
Application Proxy - setup for a specific application
Multipurpose Proxy - performs several of these roles (caching, filtering, anonymising) in one device
What are the main proxy functions ?
Anonymising Proxy - Makes users web browsing anonymous both internally and externally
Caching Proxy - Keeps a copy of common requests
Content-Filtering Proxy - Compares request to acceptable use policy
Open Proxy - Anonymises web traffic but available to anyone
Web Proxy - Specialised for web traffic caches commonly used websites
What is a load balancer ?
Primary function is to distribute load among servers. Works well for stateless applications where each request is not dependent on the preceding request, so subsequent requests can be handled independently by any server.
Scheduling is either
Affinity based (sticky sessions) where a client is connected to the same backend throughout an entire session, needed when the application keeps session state on the server
Round Robin where requests are handed to the servers in turn; weighted and least-connections variants also take factors such as current load into account
The Load balancer presents to the end user a single virtual IP for all the backend servers that it handles. The user sends requests to this VIP and the load balancer allocates the work.
There should be more than one load balancer in case of failure
Active - Passive A spare load balancer is on standby in case of failure
Active - Active A fleet of load balancers sharing the work, with enough spare capacity that the fleet can absorb one balancer breaking down
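The reason affinity matters for stateful applications is concrete: if session state lives on one backend and the next request is scheduled elsewhere, the state is simply not there. The following added example (not code from the original page) simulates a small backend pool behind one VIP with round robin and source-IP affinity scheduling, and a shopping-cart session under each. The backend addresses and the hashing scheme are assumptions for the illustration.

```python
import hashlib
from itertools import cycle

BACKENDS = ["10.0.1.11", "10.0.1.12", "10.0.1.13"]  # assumed backend pool behind the VIP

class RoundRobin:
    """Each new request goes to the next server in turn; no memory of sessions."""
    def __init__(self, backends):
        self._ring = cycle(list(backends))
    def pick(self, client):
        return next(self._ring)

class Affinity:
    """Source-IP affinity: the same client is pinned to the same backend for its whole
    session. Consistent hashing of the client address avoids a per-session table."""
    def __init__(self, backends):
        self.backends = sorted(backends)
    def pick(self, client):
        h = int(hashlib.sha256(client.encode()).hexdigest(), 16)
        return self.backends[h % len(self.backends)]

class Backend:
    """A web server that keeps session state (a cart per client) locally."""
    def __init__(self, ip):
        self.ip = ip
        self.sessions = {}
    def handle(self, client, op, item=None):
        cart = self.sessions.setdefault(client, [])
        if op == "add":
            cart.append(item)
        return list(cart)

def simulate(balancer, clients):
    """Which backend each request in `clients` is sent to."""
    return [(c, balancer.pick(c)) for c in clients]

def run_session(balancer_cls, backends):
    """Client adds an item to its cart, then asks for the cart on the next request.
    Returns what the second request sees."""
    pool = {b.ip: b for b in backends}
    lb = balancer_cls(list(pool))
    pool[lb.pick("client-A")].handle("client-A", "add", "book")
    return pool[lb.pick("client-A")].handle("client-A", "get")
```

With round robin the second request lands on a different server and the cart is empty; with affinity it lands on the same server and the item is there. The alternative to affinity is to make the application stateless by moving the cart to a shared store, which is what the flashcard's "works well for stateless applications" is pointing at.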
What is a router ?
Routers forward data to network segments based on the destination address and internal tables.
Routers use ACLs to block packets based on the source (and destination) address. As the list grows performance degrades, so it is much better to
place the filtering routers on the network boundary and allow all known internal traffic.
Antispoofing - Checks traffic crossing the boundary to make sure the source IP address is plausible for the interface it arrived on (an internal address should never arrive from the internet side, and nothing should leave with a source address that is not ours). If it is spoofed the packet is dropped.
What is a switch ?
Switches send data to nodes on a network. Routers have the capability to send data between networks.
Port Security - Is where specific devices can be allowed to access specific ports based on MAC addresses.
There are three port security modes for learning which MAC addresses a port accepts
Static - Specific MAC addresses are associated with the ports
Dynamic Learning - The switch learns which addresses to which ports
Sticky Learning - The addresses the switch learns are saved into the configuration, so the address-to-port mapping survives a forced power outage or reboot
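The three modes behave differently when an unknown device plugs in and when the switch reboots, which is what decides whether port security actually stops a rogue device. The following added example (not code from the original page, and not modelled on any vendor's implementation) simulates one port in each mode with a MAC limit of one. Port names and MAC addresses are constructed.

```python
class SwitchPort:
    """One switch port with a MAC limit and one of three learning modes.
    A violation here just drops the frame; real switches can also shut the port or log."""
    def __init__(self, name, mode="dynamic", max_macs=1, static=()):
        assert mode in ("static", "dynamic", "sticky")
        self.name, self.mode, self.max_macs = name, mode, max_macs
        self.allowed = set(static)   # static: MACs configured by the administrator
        self.learned = set()         # dynamic/sticky: MACs learned from traffic
        self.violations = 0

    def frame_in(self, src_mac):
        """Decide whether a frame with this source MAC is forwarded or dropped."""
        if src_mac in self.allowed or src_mac in self.learned:
            return "forward"         # note: a spoofed known MAC is indistinguishable
        if self.mode == "static" or len(self.learned) >= self.max_macs:
            self.violations += 1
            return "drop"
        self.learned.add(src_mac)    # first unknown MAC on a dynamic/sticky port is learned
        return "forward"

    def reboot(self):
        """Dynamic entries live only in memory and are lost on reload; sticky entries
        were written to the configuration and survive. Returns the surviving entries."""
        if self.mode == "dynamic":
            self.learned.clear()
        return sorted(self.learned)
```

The dynamic case is the one to notice: after a reboot the port has forgotten the legitimate device, so whichever MAC sends the first frame is the one that gets learned.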
Switches are generally layer 2: they forward a frame only to the port where the destination MAC was learned (unlike a hub, which repeats it to every port). Some have layer 3 capabilities and can route between VLANs as well.
A layer 2 network suffers when frames loop between redundant links (a broadcast storm) or when a destination cannot be determined. Two mechanisms are listed against this
Spanning Tree Protocol (STP) - Trims (blocks) redundant connections that are not part of the spanning tree, so there is a single loop-free path between any two switches
Open Shortest Path First (OSPF) - A layer 3 routing protocol that builds a loop-free map of routes between routers. It does not prevent layer 2 loops; for those rely on STP, and on flood guard / storm control to limit the damage
MAC Filtering - We can prevent or allow based on MAC address but is limited because MAC addresses can be spoofed and are transmitted in plaintext between device and wireless access point.
What does a protocol analyser do ?
Listens in on and interprets network traffic. These tools (Wireshark, for example) can be used on both wired and wireless networks to determine traffic patterns, ports and protocols, identify unknown traffic and verify that network controls are working as intended.
What are some of the functional features of a network scanner ?
An active tool that probes ports and protocols on devices and can fingerprint the operating system from the responses. You set a target or a range of IP addresses. The results can be rendered as a visual map, often used to detect network sprawl (devices nobody knew were there).
What tool would you use to break a password ?
Password cracker
What tool scans for misconfigurations, old software versions ?
Vulnerability Scanner (a network scanner finds hosts and open ports; a vulnerability scanner checks what it finds for misconfigurations, missing patches and old versions)
What type of vulnerability scanner does broad network scans ?
Network Vulnerability Scanner
What does a host vulnerability scanner do ?
In depth scanning on host
What does a application vulnerability scanner do ?
Scans the application layer
What is a configuration compliance scanner ?
As the name suggests, it uses the Security Content Automation Protocol (SCAP) to express a compliance baseline and subsequently measure deviations from that baseline, for example
Os Version
Installed Programs and Applications
Settings of Network
Presence of Antivirus
What is metasploit ?
An exploitation framework used in penetration testing. It packages exploits and payloads with a console that takes you through the steps needed to exploit a vulnerability, so you can demonstrate that it is really exploitable and see which controls would remediate it.
What are data sanitisation tools ?
These are used to remove data, especially when decommissioning hardware. One option is a whole-disk overwrite; some organisations require multiple passes. Another technique is to use self-encrypting drives and then destroy the key that decrypts them (crypto-erase). Before sanitising, a data discovery tool such as Identity Finder can locate where sensitive data actually lives.
What is steganography ?
Hidden writing. It is the practice of concealing a message inside an innocuous carrier so that the existence of the message is not apparent (unlike encryption, which hides the content but not the fact that a message exists). Today it is done in digital streams, such as hiding messages in the low-order bits of image, audio or video files.
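The "low-order bits" technique is short enough to show completely. The following added example (not code from the original page) embeds a message into the least significant bit of each byte of a carrier and extracts it again. The carrier is a constructed byte string standing in for 8-bit pixel or audio samples; the 32-bit length prefix is a design choice for this example.

```python
# Constructed carrier: 4096 bytes of deterministic "samples" standing in for image pixels.
CARRIER = bytes((i * 37 + 11) % 256 for i in range(4096))

def capacity_bytes(carrier: bytes) -> int:
    """How many message bytes fit: one bit per carrier byte, minus the 4-byte length prefix."""
    return len(carrier) // 8 - 4

def embed(carrier: bytes, message: bytes) -> bytes:
    """Hide `message` in the least significant bit of each carrier byte.
    A 32-bit big-endian length prefix tells the extractor where the message ends."""
    if len(message) > capacity_bytes(carrier):
        raise ValueError("carrier too small: can hide %d bytes, asked for %d"
                         % (capacity_bytes(carrier), len(message)))
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]  # MSB first
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # clear the LSB, then set it to the message bit
    return bytes(out)

def extract(stego: bytes) -> bytes:
    """Read the LSBs back: first the 32-bit length, then that many bytes."""
    def read_bits(start, count):
        value = 0
        for i in range(start, start + count):
            value = (value << 1) | (stego[i] & 1)
        return value
    length = read_bits(0, 32)
    return bytes(read_bits(32 + 8 * j, 8) for j in range(length))

def max_abs_change(a: bytes, b: bytes) -> int:
    """Largest per-sample difference between carrier and stego object."""
    return max(abs(x - y) for x, y in zip(a, b))
```

Each sample changes by at most 1, which is invisible in an image and inaudible in audio; that is also why LSB stego does not survive lossy recompression, and why a statistical test on LSB distribution (rather than looking at the picture) is how it is detected.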
What are honeypots and honey nets ?
Servers mimicking real servers. They are designed to attract attackers so that their techniques can be studied by security professionals and the lessons learned used to strengthen the real network. There is a legal question of entrapment when using honeypots, especially if you make them too attractive. A honeynet is a network made up of honeypots.
What are backup utilities ?
Backups should be performed and tested regularly; they can be full, incremental (or differential), or real-time synchronisation for critical infrastructure. A backup that has never been restored is not yet known to work.
What is banner grabbing ?
Banner grabbing is connecting to a service and reading the banner it sends back (for example an SSH or web server version string): the meta information a system reveals about its software, version and sometimes operating system. Attackers use it for reconnaissance, so we should limit what is included within the banner.
Why use asset management ?
Should cover both hardware and software it enables
Identification of key resources
Patch management
Baselining
What is baselining deviation ?
All new software and systems in general should be baselined so that deviations from that baseline can be understood.
What are some of the issues around certificate management ?
Certificates are issued to identify trusted users or devices or to provide encryption means between devices.
Certificates should be issued by an internal or external certificate authority (CA). Every application should verify the certificates it is presented with (validity dates, revocation status, hostname and chain) and there should be a policy for managing expiring and old certificates. A common default is to renew annually.
One common issue is a certificate presented without a complete chain of trust (a missing intermediate, or a root the client does not trust), which leaves the certificate invalid. A user can force the trust, but this trains users to click through warnings, which is itself a security issue.
What is data exfiltration ?
Data is the most valuable commodity and there exists a large black market for it. Exfiltration is the process by which an attacker moves stolen data out of your systems.
What is licence compliance violation ?
Running the wrong licences or no licences could lead to security issues through lack of support or lack of availability.
What are log event anomalies ?
We should log everything relevant and investigate any anomalies that appear in those logs.
SIEMS are great for this because they aggregate and correlate the data from those logs.
The identification of anomalies allows us to take appropriate action.
What are permission and access violations ?
Permissions and the granting of permissions should always follow
Least Privilege
RBAC
There should be a robust JML (joiners, movers, leavers) process, as a problem often occurs when a user is not removed on leaving, or moves within the organisation, which means that their permissions need to be re-assessed.
Access Violations - Are when a user tries to access a resource for which they dont have the rights to. This may be a mistake, malicious or we have not assigned them the proper privileges for them to do their job.
Monitoring violations is a paramount activity as it could be an indicator of compromise.
What are personnel issues ?
People should be made aware of the acceptable use policy through training and regular communication. People are the weakest link within the organisation.
Insider threats represent the greatest danger to the organisation simply because of the level of access they already have.
Training should be targeted annually, especially at social engineering, and a social media policy should be freely available to all users.
Personal email represents another potential threat, both as a route for exfiltration of data and as an entry point for malware, and it is for this reason that it is more often than not banned in the workplace.
What is the issue with unauthorised software ?
Most companies limit the ability of individuals to install software either by whitelisting or by removing admin privileges on the local account.
Authorised software will have been checked for
viruses
software licensing and support agreements
vulnerability and compatibility testing
Why are unencrypted credentials an issue ?
Credentials should never be sent in clear text. However several older protocols do
Telnet
FTP
SMTP (AUTH PLAIN and AUTH LOGIN only base64-encode the password, which is encoding, not encryption)
This means that anyone who can capture the traffic can read those credentials. Use SSH, SFTP/FTPS and SMTP over TLS instead.
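Seeing exactly what a sniffer recovers is the best argument for retiring these protocols. The following added example (not code from the original page) takes the client-to-server side of three constructed sessions, as a protocol analyser would reassemble them, and pulls the credentials out: plain USER/PASS for FTP, and the base64 forms for SMTP AUTH PLAIN and AUTH LOGIN. The usernames, passwords and session contents are constructed; a real SMTP exchange also carries the server's 334 prompts, which are omitted here because only the client side is shown.

```python
import base64
import re

# Constructed client->server byte streams (not real captures).
CAPTURES = {
    "ftp": b"USER alice\r\nPASS Winter2024!\r\nCWD /upload\r\n",
    "smtp_plain": b"EHLO laptop\r\nAUTH PLAIN " + base64.b64encode(b"\0bob\0hunter2") + b"\r\n",
    "smtp_login": (b"AUTH LOGIN\r\n" + base64.b64encode(b"carol") + b"\r\n"
                   + base64.b64encode(b"letmein") + b"\r\n"),
}

def creds_from_ftp(stream: bytes):
    """FTP sends the username and password as literal USER / PASS commands."""
    user = re.search(rb"^USER (\S+)", stream, re.M)
    pw = re.search(rb"^PASS (.+?)\r?$", stream, re.M)
    return (user.group(1).decode(), pw.group(1).decode()) if user and pw else None

def creds_from_smtp(stream: bytes):
    """SMTP AUTH PLAIN (RFC 4616) is base64(authzid NUL authcid NUL password) on one line;
    AUTH LOGIN sends base64(username) and base64(password) on the next two client lines."""
    lines = stream.split(b"\r\n")
    for i, line in enumerate(lines):
        if line.startswith(b"AUTH PLAIN "):
            _authzid, authcid, password = base64.b64decode(line[len(b"AUTH PLAIN "):]).split(b"\0")
            return authcid.decode(), password.decode()
        if line == b"AUTH LOGIN":
            return (base64.b64decode(lines[i + 1]).decode(),
                    base64.b64decode(lines[i + 2]).decode())
    return None

def sniff(captures=CAPTURES):
    """Credentials recovered from each captured stream."""
    return {
        "ftp": creds_from_ftp(captures["ftp"]),
        "smtp_plain": creds_from_smtp(captures["smtp_plain"]),
        "smtp_login": creds_from_smtp(captures["smtp_login"]),
    }
```

Telnet is omitted because it has no command syntax to parse: the password is simply the keystrokes typed after the server's "Password:" prompt, one character per packet.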
What do you use NMAP for ?
Can be used to map your network: it finds live hosts and open ports, detects operating systems (-O) and service versions (-sV), and its scripting engine can probe services further.
What is ARP ?
ARP resolves an IP address to a MAC address on the local segment: a host broadcasts "who has this IP?", the owner replies with its MAC, and the answer is cached in the ARP table. (Reverse ARP did the opposite, MAC to IP.) Replies are not authenticated, so an attacker can send forged replies and poison other hosts' caches, typically to impersonate the gateway.
The arp command (arp -a) displays the cache, which allows an administrator to check whether the table has been spoofed or poisoned.
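What "check the ARP table" actually means in practice: look for one MAC claiming several IPs, especially the gateway's, and compare against a recorded baseline. The following added example (not code from the original page) parses constructed output in the Linux `arp -a` format and applies both checks. The hostnames, addresses and MACs are constructed; the baseline dictionary is an assumption standing in for a record kept from a known-good state.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output (Linux format), not a real capture.
# Note 10.0.0.1 (the gateway) and 10.0.0.77 share a MAC.
ARP_OUTPUT = """\
gateway (10.0.0.1) at 52:54:00:12:34:56 [ether] on eth0
printer.lan (10.0.0.20) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.77) at 52:54:00:12:34:56 [ether] on eth0
fileserver.lan (10.0.0.30) at 00:11:22:aa:bb:cc [ether] on eth0
"""

ENTRY_RX = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse_arp(text):
    """IP -> MAC mapping from arp -a output."""
    return {m.group("ip"): m.group("mac").lower() for m in ENTRY_RX.finditer(text)}

def find_poisoning(table, gateway_ip):
    """Flag MACs that answer for more than one IP. A host whose own MAC also appears
    against the gateway's IP is the classic ARP-spoofing man-in-the-middle."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    duplicates = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return {"duplicates": duplicates,
            "gateway_shared": table.get(gateway_ip) in duplicates}

def check_against_known_good(table, known_good):
    """Compare critical hosts (gateway, DNS, file server) with a recorded baseline.
    Returns {ip: (expected_mac, observed_mac)} for every mismatch."""
    return {ip: (mac, table.get(ip)) for ip, mac in known_good.items() if table.get(ip) != mac}
```

Duplicate MACs are only a heuristic (a router with several interfaces on one segment looks the same), which is why the baseline comparison for the handful of hosts that matter is the more reliable check, and why switches offer dynamic ARP inspection to stop the forged replies in the first place.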
What do the tools Dig and NSLookup do ?
Used to resolve a DNS name to an IP address and vice versa (reverse lookup), and to query other record types (MX, TXT, NS).
dig returns the full DNS response (answer, authority and additional sections, TTLs) in a machine readable format, so it is better for scripting and troubleshooting.
nslookup just returns the IP or the DNS name. It was at one point marked deprecated by ISC, but that was reversed and both tools are still shipped.
What commands would I use to find out my IP address ?
ifconfig (macOS, BSD and older Linux; on current Linux use ip addr) / ipconfig (Windows)
What tool do I use to read and write data across network connections ?
ncat (the Nmap project's rewrite of netcat, nc); it can act as either a client or a listener on any TCP/UDP port
What is NETSTAT ?
Returns a list of active network connections and listening ports, which is how you spot an unexpected listener or an outbound connection to somewhere it should not be
netstat -a (all connections and listening ports)
netstat -at (all tcp)
netstat -au (all udp)
netstat -n (numeric, skip name resolution); on modern Linux ss replaces netstat
What does PING do ?
Tests network reachability
ping [options] ip-address/name
The options include packet size, TTL and how many echo requests to send. Uses ICMP echo request/reply, so a host that drops ICMP appears unreachable even when it is up.
What does tcpdump do ?
tcpdump (and WinDump on Windows) capture packets from an interface (all protocols, not just TCP) and can save them in pcap format to be used by other tools such as Wireshark.
What does traceroute do ?
Traces the hops from the host machine to the destination by sending probes with increasing TTL values and listening for the ICMP Time Exceeded reply that each hop returns. Unix traceroute sends UDP probes by default; Windows tracert sends ICMP echo. Either way, a hop that blocks ICMP shows up as asterisks rather than stopping the trace, and a destination that blocks the probes never answers.
What is ANT ?
ANT is a short range wireless technology that competes with Bluetooth. It is proprietary (owned by Garmin) but has been opened up so that other manufacturers can use it. It relies on a personal area network (PAN) being set up.
Used mainly in sports and fitness sensors.
Describe bluetooth
Short range radio communication used to transmit data, usually between mobile devices. Operates in the 2.4 GHz band; it does not use traditional network ports but rather pairing to establish a connection.
Ideally users should have discoverable mode turned off except while pairing, since discoverable devices are what attackers enumerate.
What is cellular ?
Connections can be 3G, 4G/LTE or 5G. There is pretty good coverage, although we should understand that there are some areas with no connection or only a weak one. Traffic goes over the carrier's network rather than ours, so it bypasses the corporate firewall and proxy.
What is Infrared ?
Short range, line of sight communication using electromagnetic energy just beyond the red end of the visible spectrum. Used in mice, keyboards and television remotes. Because it is line of sight it is hard to intercept from outside the room, but an infrared keyboard's keystrokes can be captured by anyone in the room with a receiver, so it is a risk where that kind of sniffing is possible.
What is NFC ?
Very short range (about 10 cm or less) technology to provide communications. Used mainly by mobile devices and payment systems. Besides the short range being a protection mechanism there are also security standards in the payment application layer (such as EMV tokenisation), since the radio link itself is not encrypted.
What is SATCom ?
SATCom is a line of sight solution using ground transmitters and satellites. Mainly used in remote locations without terrestrial coverage; it is expensive and high latency. Historically most used by the military.
Describe USB ?
High speed, high volume connections that are very much plug and play, and a device can transfer data while connected to a computer at the same time as it is charging.
They are a security risk: a USB device can carry malware, can present itself as a keyboard and type commands (BadUSB), and is a convenient way to exfiltrate data.
Describe WiFi ?
Uses short range radio frequencies to provide a high speed network connection. WiFi operates in the 2.4 GHz and 5 GHz bands (and 6 GHz with Wi-Fi 6E) and must conform to IEEE 802.11.
Supported by most hardware devices and is relatively cheap to implement
What is Mobile Device Management (MDM)
MDM is about managing the mobile devices owned by the company but it can also be extended to include devices by individuals when they connect to the corporate network.
What is application management ?
This refers to the control of what applications are downloaded to the device. Applications can present a security risk because they need access to areas of the phone including data that can be sensitive.
Some companies even have their own version of the app store so that they have complete control over applications.
What is biometric and context aware controls for mobile devices ?
Biometrics can allow access on facial or fingerprint recognition. They are often treated as a convenience rather than a strong security control because sensors have been fooled (lifted fingerprints, photographs) and, unlike a password, a biometric cannot be changed once compromised.
Context aware controls will measure certain variables before allowing the user access
Who the user is
Which resource is requested
Location of device
Which device is in use
Which connection method is in use
What is containerisation and segmentation in MDM ?
Containerisation is about splitting the device into different containers one for public and one for private company use. Some MDM solution allow an administrator to have full access to the company container. You can also encrypt the container.
Segmentation is similar except it just marks areas of a drive to be private again highly recommended for devices with sensitive data.
What is content management in MDM ?
We also need to manage what content the devices have access to. Data ownership and usage policies should also make clear what data is and is not allowed on mobile devices.
There are also mechanisms to investigate what data is contained on those devices.
What is full disk encryption ?
The encrypting of the whole disk. The user is prompted for a passphrase when booting the device (or the key is released by a TPM after the boot chain is verified). It protects data at rest on a lost or stolen device; it offers nothing once the device is running and unlocked.
What is Geolocation and Geofencing ?
Geolocation is the tracking of devices via geography can be used to recover lost devices.
Geofencing is about setting up a geographical boundary and changing policy when a device crosses it: for example, corporate data or apps are only accessible inside the office perimeter, or an alert fires when a device leaves it.
What is remote wipe ?
This is the ability to wipe a device back to its original factory settings which is useful for lost or stolen devices. This is important because lost or stolen devices allow the hacker to attack the device at their leisure.
Remote wipe can be triggered from anywhere, but the command only takes effect once the device next has a network connection, so an attacker who removes the SIM and keeps it offline can avoid it. You can also configure devices to wipe automatically, for example after a number of incorrect PIN entries.
What are screen locks ?
Screen locks and passwords and pins should be in place for mobile devices and they should adhere to the company policy.
What are the security concerns around cameras and voice recording on MD
Camera and voice recording are security concerns because they enable the recording of conversation or capturing of documents outside of the company.
If a company owned mobile device is used for illegal purposes then there maybe a liability for the company.
What is carrier unlocking ?
Phones sold by a carrier (common in the US) are often locked to that carrier and won't accept another carrier's SIM card. The carrier provides an unlock code or key sequence that allows the device to leave its network; unofficial unlocking methods may involve modifying the firmware, which carries the same risks as custom firmware.
What is custom firmware
This is firmware that has additional functionality not present in the standard firmware that comes with the device. It is a security risk: it has not been through the vendor's testing, may disable built-in protections, and usually means the device no longer receives the vendor's security updates.
What are the four MD deployment models ?
BYOD - Bring your own device
CYOD - Companies allow employees to choose their own device and pay for it
COPE - Corporate owned personally enabled - Corporate owned devices that can be used for personal means
COBO - Corporate owned business only
What is external media ?
Anything that can be plugged into and detached to a computer while it is still running is considered external media. This covers phones, flash drives, music players
If they store data they must be considered as a means to exfiltrate data and as a point where malware can enter the system.
Organisational Policies must be in place that governs their use also stating the enforcement and auditing of such devices.
What is firmware OTA ?
Firmware Over The Air (OTA) allows the firmware or operating system of a device to be updated over the cellular or WiFi network rather than by tethering it to a computer. An organisation should control when OTA updates are applied (test them first, but do not lag behind security fixes).
What is GPS/Geo Tagging ?
When taking photos geo data is embedded into that photo that could be a privacy concern especially if you make those photos available.
It should be turned off on the device.
What should organisational policies address ?
Organisational Policies should cover the following
Should be consistent with existing policies
Training should cover mobile device app use
Disciplinary actions should be consistent
Monitoring should cover mobile devices
What is rooting and jailbreaking ?
Both terms aim at giving the user elevated administrative privileges on the device.
Rooting - Android (Google)
Jailbreaking - iOS (Apple)
Some arguments are put forward for this such as development but on the whole the elevated privilege has come at the cost of bypassing some of the security controls built into the device.