Domain Two: Technologies and Tools Flashcards
What is a firewall ?
A firewall acts as a gatekeeper that allows traffic to a network segment based on rules that are implemented. A firewall can be hardware or software based.
How does a firewall work ?
- NAT rules
- Basic Packet Filtering
- Stateful Packet Filtering
- ACLs
- Application Layer Proxies
How are firewall rules read ?
Firewall rules are processed top down and the first matching rule wins, so the most specific rules go at the top and the broad ones below them. The list ends with a deny-all rule (or relies on the firewall's implicit deny) so that anything not explicitly allowed is blocked. Getting the order wrong, for example a broad allow placed above a specific deny, means the deny is never reached.
What is a firewall ACL ?
Lists of users, network devices and addresses together with the actions they are permitted to perform. ACLs are most familiar from file systems, but they are also used on firewalls, routers and switches to filter traffic. Entries are evaluated top down, first match wins, so the last entry should be a deny-everything.
What is an application based firewall ?
Unlike basic packet filtering, an application based firewall inspects the application-layer payload (for example the HTTP request itself) rather than just the headers, so it can enforce protocol-specific rules. That inspection costs CPU and adds latency, so it is usually reserved for high value assets.
What is basic packet filtering ?
Basic packet filtering examines only the packet headers (protocol, source and destination addresses, source and destination ports) and blocks or allows the traffic according to the implemented ruleset. It is stateless: each packet is judged on its own, with no memory of earlier packets.
So the FTP protocol may be allowed to one destination but not to another, and so on.
What is Network Address Translation ?
Network Address Translation lets a single exposed public IP address represent many private IP addresses on the internal network; the firewall rewrites source addresses on the way out and maps replies back to the right internal host on the way in. An outside attacker only ever sees the firewall's public address, so the internal addressing is hidden. This hiding is a side effect rather than a security control in itself: the blocking of unsolicited inbound traffic comes from the stateful firewall that accompanies the NAT, and that protection must be provided explicitly on IPv6 networks, where NAT is largely unnecessary.
Firewalls can be configured to perform NAT.
What is Stateful Packet inspection ?
Looks at the state of the connection a packet belongs to: is this a new connection or part of an existing one, and did it originate from an internal or an external source? The packet is then evaluated against the ruleset together with that state, which is kept in a connection table.
A consequence is that inbound packets which neither open a permitted connection nor belong to a tracked one are simply dropped, so from the outside every port looks closed until a rule opens it. This limits what an attacker learns from port scanning, including ACK and FIN scans that a stateless filter would let through.
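The rule-ordering and state-tracking behaviour described in the cards above, as an added example (not code from the original flashcards): a toy packet filter that walks rules top down with first match and an implicit deny, and a stateful wrapper that admits reply traffic and drops mid-stream probes. The rules, addresses and packets are constructed for illustration; a real firewall uses CIDR ranges, interfaces and flag combinations far richer than this.

```python
"""Toy packet filter: top-down first-match rules with an implicit deny,
plus a minimal stateful connection table. Added example for these cards;
the rules, addresses and packets below are constructed, not taken from
any real deployment."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "any"             # CIDR network, single address, or "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and _in_net(p.src, self.src)
                and _in_net(p.dst, self.dst)
                and (self.dport is None or self.dport == p.dport))


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def stateless_decision(rules, p: Packet) -> str:
    """Basic packet filtering: walk the list top down, first match wins."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"  # implicit deny: no rule matched


class StatefulFilter:
    """Stateful packet inspection layered on the same ruleset."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # 5-tuples of connections that were allowed

    def decision(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.flows or reverse in self.flows:
            return "allow"      # part of an accepted flow, replies included
        if p.proto == "tcp" and not p.syn:
            return "deny"       # mid-stream segment with no tracked flow: drop it
        verdict = stateless_decision(self.rules, p)
        if verdict == "allow":
            self.flows.add(key)
        return verdict


# Constructed ruleset: public web server 203.0.113.10, internal network 10.0.0.0/8
RULES = [
    Rule("allow", "tcp", dst="203.0.113.10", dport=443),   # anyone may reach HTTPS
    Rule("deny", src="198.51.100.0/24"),                    # a blocked network
    Rule("allow", src="10.0.0.0/8"),                        # inside may go anywhere
]
# The same rules with the deny moved to the top: order changes the outcome
RULES_DENY_FIRST = [RULES[1], RULES[0], RULES[2]]

WEB_SYN = Packet("tcp", "198.51.100.7", 40000, "203.0.113.10", 443, syn=True)
WEB_REPLY = Packet("tcp", "203.0.113.10", 443, "198.51.100.7", 40000)
STRAY_ACK = Packet("tcp", "198.51.100.9", 40001, "203.0.113.10", 443)  # ACK-scan probe
SSH_SYN = Packet("tcp", "192.0.2.33", 50000, "203.0.113.10", 22, syn=True)

if __name__ == "__main__":
    print("stateless, deny below allow:", stateless_decision(RULES, WEB_SYN))
    print("stateless, deny above allow:", stateless_decision(RULES_DENY_FIRST, WEB_SYN))
    print("stateless, SSH with no rule:", stateless_decision(RULES, SSH_SYN))
    fw = StatefulFilter(RULES)
    print("stateful, SYN to 443       :", fw.decision(WEB_SYN))
    print("stateful, server reply     :", fw.decision(WEB_REPLY))
    print("stateful, stray ACK probe  :", fw.decision(STRAY_ACK))
```

Note that the stateless filter denies the server's reply packet, because no rule allows traffic from 203.0.113.10 to the client; the stateful filter allows it purely because the SYN was accepted earlier, and it drops the stray ACK that a stateless filter with an "allow established" rule keyed on the ACK flag would have let through.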
What is an IDS and an IPS ?
IDS - Detects, logs and alerts on unauthorised network or host activity. Analysis can be done in real time or after the fact from captured traffic and logs.
IPS - Does all of the above and can also block (prevent) the activity, because it sits in the traffic path.
NIDS/NIPS - Network based: a sensor watching a network segment, which sees traffic to and from every host on that segment but not what happens inside a host.
HIDS/HIPS - Host based: runs on the host itself and sees its logs, processes and file changes, so it is more detailed but only covers that one host.
You must also consider that these systems are subject to changes in business process, new applications and so on, which can lead them to generate
False Positives - the rules trigger but there is no malicious event
False Negatives - the rules do not trigger but the event was malicious
What is the function of the IDS analysis engine ?
This is the brains of the whole operation: it analyses the captured traffic (or host events) against the signatures in the database, or against the learned baseline in anomaly based systems, and raises alerts.
What is the function of the signature database ?
This is a collection of known patterns and definitions of malicious activity. An IDS/IPS should receive regular updates to this database as new attack patterns are recognised.
What is the traffic collector function of an IDS/IPS ?
Sometimes known as a sensor, it captures the traffic or events that the IDS will analyse.
In a HIDS that is the host's own logs and system activity.
In a NIDS a copy of the network traffic is taken from a mirror (SPAN) port or a network tap and passed to the analysis engine, usually with a copy stored for later investigation.
How does a user interact with a firewall ?
Through its user interface: a management console, web UI or command line where rules are defined and logs and alerts are reviewed.
What are the two methods the IDS/IPS uses to capture traffic ?
Inline: the device sits in the traffic path and captures, analyses and can block traffic as it passes through, as with an IPS built into a firewall appliance. The downside is that a malfunction affects the path itself: a fail-open device stops checking, a fail-closed device stops the traffic.
Passive: the device takes a copy of the traffic from a mirror port or tap and analyses it out of band. Because the original packets have already been forwarded by the time a judgement is made, it can only alert or react after the fact (for example by sending TCP resets), not block.
What are the in-band and out-of-band methods of the IPS ?
In-band: the IPS inspects the traffic and acts on it as it flows through the device. Every packet pays the inspection cost, so there are throughput and latency implications and it tends to be reserved for high value assets.
Out-of-band: the IPS uses the passive approach, analysing a copy of the traffic, so it suffers from being reactive.
What are the types of IDS/IPS ?
Signature, Heuristic, Anomaly, Behavioural
What is a signature based IDS/IPS ?
This is essentially a matching process between known signatures and observed activity. It is only as good as its signature database, so it is very dependent on having the latest signatures and cannot see an attack that has no signature yet.
Because the database is constantly expanding there are performance implications that have to be accounted for, and attackers evade simple signatures with encoding or obfuscation, so the engine should normalise traffic before matching.
This is also known as blacklisting.
What is an anomaly based IDS/IPS ?
Anomaly based systems learn the system over a training period, derive what they believe is normal (traffic volumes, protocols, times of day) and treat anything that deviates from that baseline as an anomaly.
What is a behaviour based IDS/IPS ?
In this approach a baseline of known good behaviours is defined, which represents what normal looks like on the network; anything that does not fit that behaviour is flagged or blocked (a form of whitelisting).
However, changes in business process, new applications or seasonal traffic can all lead to an initially high level of false positives until the baseline is updated.
What is a heuristic based IPS/IDS ?
Heuristic systems use algorithms that score how suspicious an activity looks rather than requiring an exact match, so they can catch variants of known attacks. The algorithms need tuning, and something scored as dubious but below the threshold is classified as not malicious and let through.
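The signature and anomaly approaches from the cards above, as an added example (not code from the original flashcards) run over a small constructed web-server log. The signature pass shows a false negative caused by URL encoding that disappears once the input is normalised, and a false positive on a benign page whose name happens to match; the anomaly pass flags a source whose request rate is far above a constructed learning-phase baseline. The log lines, signatures and baseline are all made up for illustration.

```python
"""Signature and anomaly detection over constructed web-server log lines.
Added example for the IDS/IPS cards; the log, signatures and baseline are
made up for illustration."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Signature database: known-bad patterns (a tiny stand-in for a real rule set)
SIGNATURES = {
    "sqli_union": re.compile(r"union\s+select", re.I),
    "path_traversal": re.compile(r"\.\./"),
    "xss_script_tag": re.compile(r"<script", re.I),
}

# Constructed access log, one request per line: "src - METHOD path status"
LOG = [
    "10.0.0.5 - GET /index.html 200",
    "10.0.0.5 - GET /login?user=bob 200",
    "10.0.0.5 - POST /login 302",
    "203.0.113.9 - GET /search?q=%27%20UNION%20SELECT%20password%20FROM%20users-- 200",
    "203.0.113.9 - GET /../../etc/passwd 404",
    "203.0.113.9 - GET /search?q=1%20UNION/**/SELECT%201-- 200",
    "198.51.100.4 - GET /comment?text=%3Cscript%3Ealert(1)%3C/script%3E 200",
    "10.0.0.7 - GET /blog/union%20select%20explained 200",   # benign page about SQL
] + [f"203.0.113.9 - GET /page{i} 404" for i in range(30)]  # scanner burst


def parse(line: str):
    src, _, method, path, status = line.split(" ")
    return src, method, path, int(status)


def normalize(path: str) -> str:
    """Undo common evasions before matching: URL decoding and SQL comments."""
    return unquote(path).replace("/**/", " ")


def signature_hits(lines, normalize_first: bool = False):
    """Returns (src, signature_name, path) for every line matching a signature."""
    hits = []
    for line in lines:
        src, _, path, _ = parse(line)
        text = normalize(path) if normalize_first else path
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.append((src, name, path))
    return hits


# Constructed learning phase: requests per minute seen from individual clients
BASELINE_RPM = [4, 5, 6, 5, 4, 6, 5, 5, 4, 6]


def anomaly_sources(lines, baseline=BASELINE_RPM, k: float = 3.0):
    """Flags sources whose request count exceeds mean + k standard deviations."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    counts = Counter(parse(line)[0] for line in lines)
    return {src: n for src, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("raw signature hits       :", signature_hits(LOG))
    print("normalized signature hits:", signature_hits(LOG, normalize_first=True))
    print("anomalous sources        :", anomaly_sources(LOG))
```

Without normalisation only the path traversal is caught; after decoding, the two UNION SELECT variants and the script tag are caught as well, and so is the harmless blog page, which is the false positive an analyst would have to tune out. The anomaly check knows nothing about payloads and flags the scanning host purely on volume.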
What is a bridge ?
Bridge - Connects different network segments together and forwards frames between them based on MAC address. Segmentation increases security by creating boundaries. Operates at layer 2 of the OSI model.
What are SSL/TLS Accelerators ?
SSL/TLS Accelerators - Dedicated hardware (or a card in the server) that takes over the expensive TLS handshake and bulk encryption from the web servers. Used in large scale operations so that TLS does not become the bottleneck; the accelerator sits between the internet and the web servers.
What are SSL Decryptors ?
SSL Decryptors - Allow authorised personnel to decrypt TLS traffic for inspection (by an IDS, DLP or proxy). They work by terminating the client's TLS session and opening a new one to the server, so clients must trust the inspection device's certificate authority, and the device becomes a high value target because it holds plaintext.
What is a HSM ?
A Hardware Security Module: a tamper-resistant hardware device that generates, stores and uses encryption keys so that the keys never leave the device, and that performs cryptographic operations more efficiently than a general purpose CPU.
What is DLP ?
Data Loss Prevention is a group of technologies designed to stop data being lost or stolen. They can be configured to look for a set of data markers such as Social Security numbers, account numbers and card numbers, or for documents tagged as sensitive.
USB Blocking - Prevents the use of flash drives completely, or selectively by account type, etc.
Email - DLP attaches to the mail server and scans message bodies and attachments
DLP protection should still be employed for data held in the cloud
What is a NAC ?
Determines which devices are allowed to attach to the network, and under what conditions.
NAP - Microsoft Network Access Protection, which runs on the host or device wishing to join the network
NAC - Cisco Network Admission Control, which determines whether an endpoint device is permitted on the network; it does not have to be installed on the device
Permanent Agents - Deployed on the device indefinitely
Dissolvable Agents - Agents that remove themselves once access has been determined; they can be re-issued
Host Health Checks - NAC can determine whether the host has the requisite patches, antivirus and configuration to join the network
Agent and Agentless
Agents are NAC software installed on the device prior to joining the network
Agentless solutions are installed on the network and either downloaded to the device as it tries to access the network or assess the device from the network without installing anything
What is a SIEM ?
A system dedicated to the aggregation, storage and correlation of security data from many varied sources.
What are the main stages of SIEM functionality ?
Aggregation - collection of data, usually logs or feeds from security appliances, servers and applications, into one place
Correlation - analysis of the aggregated data against patterns, so that related events from different sources are linked into one incident
Automated Triggers and Alerting - rules fire alerts as soon as a pattern is seen, which cuts down delays
Time Synchronisation - An issue for geographically dispersed systems. Sources should use NTP, and the SIEM normalises and stores timestamps in UTC (keeping the local time as well). This allows us to see events that happened at the same moment across different time zones in the correct order
Event Deduplication - The same event can be recorded by multiple sources and forwarded over more than one path. The SIEM sifts out these duplicates so that analysts do not waste time looking at masses of duplicated data, and so that the counts used by correlation rules are accurate
Logs/WORM - SIEM log storage is Write Once Read Many: once written, an event cannot be altered or deleted before its retention period ends, which keeps the audit trail trustworthy even if an attacker gains access to the systems that produced it
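The aggregation, time normalisation, deduplication and correlation stages above, as an added example (not code from the original flashcards) over a constructed event feed. Events arrive from two collectors in different time zones, one event is forwarded twice, and a run of failed logons followed by a success from the same user and source is turned into an alert. The event format, collector names and the three-failures-in-two-minutes rule are assumptions made for this example.

```python
"""SIEM pipeline in miniature: normalise timestamps to UTC, drop duplicate
events, then correlate failed and successful logons. Added example for the
SIEM cards; every event below is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed feed: (collector, local timestamp with UTC offset, host, outcome, user, src_ip)
RAW_EVENTS = [
    ("agent-dc01", "2024-03-01T09:00:01-05:00", "dc01", "fail", "alice", "10.0.0.50"),
    ("agent-dc01", "2024-03-01T09:00:05-05:00", "dc01", "fail", "alice", "10.0.0.50"),
    ("syslog-relay", "2024-03-01T14:00:05+00:00", "dc01", "fail", "alice", "10.0.0.50"),  # same event, second path
    ("agent-dc01", "2024-03-01T09:00:09-05:00", "dc01", "fail", "alice", "10.0.0.50"),
    ("agent-dc01", "2024-03-01T09:00:13-05:00", "dc01", "fail", "alice", "10.0.0.50"),
    ("agent-dc01", "2024-03-01T09:00:20-05:00", "dc01", "success", "alice", "10.0.0.50"),
    ("agent-web01", "2024-03-01T14:59:30+01:00", "web01", "fail", "carol", "10.0.0.77"),
    ("agent-dc01", "2024-03-01T09:05:00-05:00", "dc01", "fail", "bob", "10.0.0.61"),
    ("agent-dc01", "2024-03-01T09:05:30-05:00", "dc01", "success", "bob", "10.0.0.61"),
]


def normalize(raw):
    """Aggregation step: parse the local timestamp and store it as UTC."""
    collector, ts, host, outcome, user, src = raw
    utc = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return {"collector": collector, "utc": utc, "host": host,
            "outcome": outcome, "user": user, "src": src}


def normalize_all(raw_events):
    return sorted((normalize(r) for r in raw_events), key=lambda e: e["utc"])


def dedupe(events):
    """Two collectors can forward the same host event; keep the first copy only."""
    seen, unique = set(), []
    for e in events:
        key = (e["utc"], e["host"], e["outcome"], e["user"], e["src"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def correlate(events, threshold=3, window=timedelta(minutes=2)):
    """Alert when at least `threshold` failures from one user/source precede a
    success inside `window`: a brute force or password spray that worked."""
    fails = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda e: e["utc"]):
        key = (e["user"], e["src"])
        recent = fails[key]
        while recent and e["utc"] - recent[0] > window:
            recent.popleft()            # forget failures older than the window
        if e["outcome"] == "fail":
            recent.append(e["utc"])
        elif e["outcome"] == "success" and len(recent) >= threshold:
            alerts.append({"user": e["user"], "src": e["src"],
                           "fail_count": len(recent),
                           "success_utc": e["utc"].isoformat()})
            recent.clear()
    return alerts


if __name__ == "__main__":
    events = normalize_all(RAW_EVENTS)
    print("first event after UTC sort:", events[0]["user"], events[0]["utc"].isoformat())
    unique = dedupe(events)
    print(f"{len(events)} events, {len(unique)} after dedupe")
    for alert in correlate(unique):
        print("ALERT:", alert)
```

Carol's event, stamped 14:59 in a +01:00 zone, sorts before Alice's 09:00 events from a -05:00 zone once both are in UTC, which is the ordering problem the time synchronisation card describes. Running the correlation without deduplication reports five failures instead of four, the kind of inflated count that makes threshold rules unreliable.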
What is a WAP ?
Its primary purpose is to bridge wireless (802.11) clients onto the wired network, allowing radio traffic into and out of it.
The SSID is the name that identifies a wireless network. It is not a credential: a device only needs it to pick the right network, and authentication happens separately (WPA2/WPA3). The SSID is contained in the WAP's beacon frame, whose purpose is to advertise the availability of the WAP, and it is sent in plain text. You can switch off inclusion of the SSID in beacons or transmit a dummy SSID, but this is not a security control: clients still send the real SSID in probe requests, so anyone sniffing the air can recover it.
Signal strength is important because if it is too weak this will cause drop-outs and lost information; if it is stronger than needed the network is reachable from outside the premises.
What is the difference between a fat/thin wap
Fat WAP - Operates standalone and manages all of its own updates, encryption, configuration and authentication. Fine for a handful of access points, but each one has to be configured individually.
Thin WAP - These duties are offloaded from the WAP to a centralised wireless controller. Easier to manage for large networks, keeps configuration consistent across access points, and allows for better load balancing and roaming.
What are the two antennas in a WAP ?
Yagi Antenna - directional, extends reception in a straight line (point-to-point links)
Panel Antenna - directional with a wider but shorter range beam, used to cover hotspot dead zones
What is a proxy ?
Proxies forward requests on behalf of clients and can filter out malicious or unwanted traffic and prevent users from accessing potentially harmful websites. A proxy server provides a degree of anonymity by taking requests from the end device and forwarding them on behalf of that end system, so the destination sees the proxy's address rather than the client's.
A Forward proxy sits in front of clients, takes their outbound requests and forwards them on.
A Reverse proxy sits in front of servers, takes outside requests (mainly for a company website), filters them and passes them on to the back-end servers.
A Transparent proxy (also called an intercepting proxy) redirects requests and responses without the client being configured for it or aware of it, while still providing a buffer between client and destination and therefore anonymity.
Application Proxy - set up for a specific application or protocol, so it understands that protocol and can filter at the application layer
Multipurpose Proxy - a single proxy that handles several protocols and roles (caching, filtering, anonymising)
What are the main proxy functions ?
Anonymising Proxy - Makes users' web browsing anonymous, both internally and externally
Caching Proxy - Keeps a copy of common responses so that repeat requests are served locally
Content-Filtering Proxy - Compares each request to the acceptable use policy
Open Proxy - Anonymises web traffic but is available to anyone; frequently abused by attackers, so organisations usually block traffic arriving from them
Web Proxy - Specialised for web traffic; caches commonly used websites
What is a load balancer ?
Its primary function is to distribute load among servers. It works well for stateless applications, where each request is not dependent on the preceding request and so subsequent requests can be handled by any server independently.
Scheduling is either
Affinity based, where a client is connected to the same back-end server throughout an entire session (needed when session state lives on the server)
Round robin, where requests are handed to the servers in turn from a list; variants weight the choice by server capacity, current load or response time
The load balancer presents a single virtual IP (VIP) to the end user for all the back-end servers that it handles. The user sends requests to the VIP and the load balancer allocates the work, taking servers that fail health checks out of the pool.
There should be more than one load balancer in case of failure
Active - Passive: a spare load balancer is on standby and takes over if the active one fails
Active - Active: a suite of load balancers all working at once and sharing the traffic, with enough spare capacity that the others can absorb the load if one breaks down
What is a router ?
Routers forward packets between networks based on the destination address and their routing tables.
Routers can use ACLs to block or allow packets based on source address, destination address, protocol and port. Every packet is checked against the list, so as the list grows performance degrades. It is much better to
place ACLs on the boundary routers, keep them short, and allow known internal traffic to flow without a long list of checks.
Antispoofing - An ingress filter on the boundary checks that a packet's source IP address is plausible for the interface it arrived on. A packet arriving from the internet that claims an internal source address, or an outbound packet whose source address does not belong to the internal network, is spoofed and is dropped.
What is a switch ?
Switches forward frames to the nodes on a network, while routers have the capability to send data between networks.
Port Security - Allows specific devices to use specific switch ports based on their MAC addresses, and limits how many MAC addresses a port will accept.
There are three types of port security
Static - Specific MAC addresses are configured on the port by the administrator
Dynamic Learning - The switch learns which addresses are on which ports from the traffic it sees, up to a limit, and forgets them on reboot
Sticky Learning - Learned addresses are written to the configuration and maintained even after a forced power outage or reboot
Switches are generally layer 2 devices that forward each frame only to the port where the destination MAC address was learned (flooding only broadcasts and unknown destinations). Some have layer 3 capabilities, so the switch can also route between VLANs instead of handing that off to a router.
A layer 2 network suffers when there is more than one active path between switches: broadcasts and frames with no determinable destination loop forever and flood the network. The two mechanisms usually listed to counter this are
Spanning Tree Protocol (STP) - Builds a loop-free logical tree over the physical links and blocks the redundant connections that are not part of the spanning tree, re-enabling them if an active link fails
Open Shortest Path First (OSPF) - Often listed alongside STP, but it is a layer 3 routing protocol: it computes loop-free routes between networks and does not prevent layer 2 loops
MAC Filtering - We can permit or block devices based on MAC address, but it is a weak control because MAC addresses can be spoofed and are transmitted in plaintext between the device and the switch or wireless access point.
What are the three port security modes on a switch ?
Static - Specific MAC addresses are configured on the port by the administrator
Dynamic Learning - The switch learns which addresses are on which ports, up to a limit, and forgets them on reboot
Sticky Learning - Learned addresses are saved to the configuration and maintained even after a forced power outage or reboot
What does a protocol analyser do ?
A protocol analyser (Wireshark, for example) listens in on and interprets network traffic. These tools can be used on both wired and wireless networks to determine traffic patterns, the ports and protocols in use, identify unknown traffic and verify that network tools and controls are working correctly. Because it sees everything on the segment, including any credentials sent in the clear, its use should be restricted to authorised staff.
What are some of the functional features of a network scanner ?
A network scanner is an active tool that probes devices for open ports and protocols. It can often fingerprint the operating system from the responses. You can set a single target or a range of IP addresses. Many scanners create a visual map of the network, which is useful for spotting network sprawl and unknown devices. Because it is active, the scan itself shows up in logs and can trigger an IDS.
What tool would you use to break a password ?
Password cracker
What tool scans for misconfigurations, old software versions ?
Vulnerability Scanner (a network scanner finds the hosts and open ports; the vulnerability scanner then checks them for misconfigurations and known vulnerable software versions)
What type of vulnerability scanner does broad network scans ?
Network Vulnerability Scanner
What does a host vulnerability scanner do ?
In depth scanning on host
What does a application vulnerability scanner do ?
Scans the application layer
What is a configuration compliance scanner ?
As name suggests it uses the Security Content Automation Protocol to develop a compliance baseline and subsequently measure deviations from that baseline.
Os Version
Installed Programs and Applications
Settings of Network
Presence of Antivirus
What is metasploit ?
Metasploit is a framework used to test vulnerabilities. It provides modules that walk you through the steps needed to exploit a vulnerability against a test target, so you can verify whether it is really exploitable and see which controls will remediate it.
What are data sanitisation tools ?
These are used to remove data, especially when we are decommissioning hardware. One option is a whole-disk overwrite; some organisations require multiple passes. The other technique is to use self-encrypting disks and then destroy the key that decrypts them (cryptographic erase), which is also the practical choice for SSDs, where overwrites do not reliably reach every cell. Identity Finder is cited as an example tool in this space.
What is steganography ?
Hidden writing. It is the practice of hiding a message inside another, innocuous-looking carrier so that an observer does not realise a message is there at all (unlike cryptography, which hides the content but not the existence of a message). Today it is used in digital media, such as hiding messages in the low-order bits of image, audio or video files.
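The low-order-bit technique mentioned above, as an added example (not code from the original flashcards): a message is written one bit at a time into the least significant bit of each sample of a carrier, preceded by a length header so the extractor knows where to stop. The carrier here is a constructed array of pseudo-random 8-bit samples standing in for grayscale pixels or audio samples; a real image would be read and written with an image library, and the 32-bit header is an assumption of this example.

```python
"""Least-significant-bit steganography over a constructed byte carrier
(think of it as the sample values of a grayscale image or audio clip).
Added example for the steganography card; the carrier and message are
made up."""
import random

HEADER_BITS = 32  # message length prefix so the extractor knows where to stop


def _bits(data: bytes):
    """Yields the bits of `data` most significant first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity(carrier: bytes) -> int:
    """Message bytes the carrier can hold: one bit per sample, minus the header."""
    return len(carrier) // 8 - HEADER_BITS // 8


def embed(carrier: bytes, message: bytes) -> bytes:
    """Writes len(message) then message into the low bit of successive carrier samples."""
    if len(message) > capacity(carrier):
        raise ValueError("carrier too small for message")
    payload = len(message).to_bytes(HEADER_BITS // 8, "big") + message
    out = bytearray(carrier)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit   # overwrite only the lowest bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    lsbs = [b & 1 for b in stego]

    def read(start, nbits):
        value = 0
        for bit in lsbs[start:start + nbits]:
            value = (value << 1) | bit
        return value

    length = read(0, HEADER_BITS)
    return bytes(read(HEADER_BITS + 8 * i, 8) for i in range(length))


def max_change(a: bytes, b: bytes) -> int:
    """Largest per-sample difference; LSB embedding never moves a sample by more than 1."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed carrier: 4096 pseudo-random 8-bit samples with a fixed seed
CARRIER = bytes(random.Random(1).getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    stego = embed(CARRIER, b"meet at 0900")
    print(extract(stego), "max sample change:", max_change(CARRIER, stego))
```

The point for a defender is that the stego output is the same size as the carrier and no sample moves by more than one unit, so the change is invisible to the eye or ear; detection relies on statistical analysis of the LSB plane, and DLP that only inspects file type and size will not notice.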
What are honeypots and honey nets ?
These are servers mimicking real servers, deliberately left reachable and somewhat vulnerable. They are designed to attract attackers so that their tools and techniques can be studied by security professionals and the lessons learned used to strengthen the real network; any traffic to a honeypot is suspicious by definition, since no legitimate user has a reason to connect to it. There is a legal issue of entrapment when using honeypots, especially if you make them too attractive, and a risk that a compromised honeypot is used as a stepping stone, so it should be isolated from production. A honeynet is a network made up of honeypots.
What are backup utilities ?
Backups should be performed and tested regularly they can be full, incremental or real-time sync for critical infrastructure
What is banner grabbing ?
The banner is the greeting a service sends when you connect to it (for example the version string from an SSH or SMTP server), and banner grabbing is connecting to a port simply to read it. It reveals meta-information such as the software and version in use, which an attacker uses to choose exploits. We should limit what is included in the banner, and grabbing banners from our own systems is a quick check of what we expose.
Why use asset management ?
Should cover both hardware and software it enables
Identification of key resources
Patch management
Baselining
What is baselining deviation ?
All new software and systems in general should be baselined so that deviations from that baseline can be understood.
What are some of the issues around certificate management ?
Certificates are issued to identify trusted users or devices, or to provide the means to encrypt communication between devices.
Certificates should be issued by an internal or external certificate authority (CA). Every application should verify these certificates (chain of trust, expiry, revocation and hostname), and there should be a policy for managing expiring and old certificates; a common default is to renew annually, and an inventory with expiry alerts prevents outages.
One common issue is a user attempting to use a certificate that lacks a chain of trust (the issuing CA is not in the client's trust store, or an intermediate certificate is missing), which leaves the certificate invalidated. A user can force the client to trust it anyway, but that trains people to click through warnings and raises the question of whether the override is itself a security issue.
What is data exfiltration ?
Data is a valuable commodity and there exists a large black market for it. Exfiltration is the process by which an attacker moves data out of your systems, often over channels that look like normal traffic (HTTPS, DNS, email), which is why outbound traffic needs monitoring as much as inbound.
What is licence compliance violation ?
Running the wrong licences or no licences could lead to security issues through lack of support or lack of availability.
What are log event anomalies ?
It goes without saying that we should log everything and investigate any anomalies that we may have in those logs.
SIEMS are great for this because they aggregate and correlate the data from those logs.
The identification of anomalies allows us to take appropriate action.
What are permission and access violations ?
Permissions and the granting of permissions should always follow
Least Privilege
RBAC
There should be a robust joiners, movers and leavers (JML) process, as a problem often occurs when a user is not removed on leaving, or moves within the organisation, which means their permissions need to be re-assessed.
Access Violations - Are when a user tries to access a resource for which they don't have the rights. This may be a mistake, it may be malicious, or we may not have assigned them the privileges they need to do their job.
Monitoring violations is a paramount activity as a pattern of them can be an indicator of compromise.
What are personnel issues ?
People should be made aware of the acceptable use policy through training and regular communication. People are the weakest link within the organisation.
Insider threats represent the greatest danger to the organisation simply because of the level of access they already have.
Training should be targeted annually especially at social engineering aspects and a social media policy should be freely available to all users
Personal email represents another potential threat due to exfiltration of data and also as an entry point for malware and it is for this reason that it is more often than not banned in the work place.
What is the issue with unauthorised software ?
Most companies limit the ability of individuals to install software either by whitelisting or by removing admin privileges on the local account.
Authorised software will have been checked for
viruses
software licensing and support agreements
vulnerability and compatibility testing
Why are unencrypted credentials an issue ?
Credentials should only be sent over encrypted channels. However several protocols still send them in clear text
Telnet
FTP
SMTP (without STARTTLS)
This means that anyone who can sniff the traffic can read those credentials, so these protocols should be replaced by SSH, SFTP or FTPS, and TLS-protected mail.
What do you use NMAP for ?
Nmap maps your network: it finds devices (host discovery) and open ports, and with version detection it identifies the service and version listening on each port; it can also fingerprint the operating system.
What is ARP ?
ARP (Address Resolution Protocol) resolves an IP address to a MAC address: a host broadcasts a request for the IP address it wants to reach, the device that owns it replies with its MAC address, and the host stores the mapping in its ARP table (cache). ARP has no authentication, so an attacker on the same segment can send forged replies and redirect traffic to themselves (ARP spoofing or poisoning).
The arp command (arp -a) displays the table, which allows an administrator to check whether it has been spoofed or poisoned, for example one MAC address appearing against several IP addresses, or the gateway's MAC address changing.
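The poisoning check described above, as an added example (not code from the original flashcards): it parses a constructed Linux-style arp -a listing, reports any MAC address that answers for more than one IP, and compares the gateway's current MAC against a value recorded when the network was known to be clean. The listing, the gateway address and the "known good" MAC are all made up for this example.

```python
"""Checks a (constructed) `arp -a` listing for signs of ARP poisoning: one
MAC address answering for several IPs, and the gateway MAC differing from
the value recorded earlier. Added example for the ARP card; the listing
and the known gateway MAC are made up."""
import re
from collections import defaultdict

# Constructed Linux-style `arp -a` output
ARP_OUTPUT = """\
? (10.0.0.1) at 02:00:00:00:00:01 [ether] on eth0
? (10.0.0.23) at 02:00:00:00:00:23 [ether] on eth0
fileserver (10.0.0.40) at 02:00:00:00:00:40 [ether] on eth0
? (10.0.0.99) at 02:00:00:00:00:01 [ether] on eth0
"""

# MAC of the gateway as recorded when the network was known to be clean (assumed)
KNOWN_GATEWAY = {"ip": "10.0.0.1", "mac": "02:00:00:00:00:aa"}

ENTRY_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Returns [(ip, mac), ...] with MACs lower-cased for comparison."""
    return [(m["ip"], m["mac"].lower()) for m in ENTRY_RE.finditer(text)]


def shared_macs(entries):
    """MAC -> list of IPs, for every MAC claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in entries:
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(entries, known):
    current = dict(entries).get(known["ip"])
    return current is not None and current != known["mac"]


def findings(text, known=KNOWN_GATEWAY):
    """Human-readable list of indicators; empty means nothing suspicious."""
    entries = parse_arp(text)
    out = [f"{mac} answers for {', '.join(ips)}" for mac, ips in shared_macs(entries).items()]
    if gateway_changed(entries, known):
        out.append(f"gateway {known['ip']} now at {dict(entries)[known['ip']]}, "
                   f"expected {known['mac']}")
    return out


if __name__ == "__main__":
    for line in findings(ARP_OUTPUT):
        print("SUSPICIOUS:", line)
```

Both checks are indicators rather than proof: a router can legitimately answer for several addresses (VRRP, secondary IPs), so the shared-MAC finding needs confirming against the switch's port mapping, whereas a gateway MAC that differs from the recorded one is the classic sign of a man-in-the-middle on the segment.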
What do the tools Dig and NSLookup do ?
Used to query DNS: resolve a name to an IP address and, with a reverse lookup, an IP address to a DNS name, as well as retrieve other record types.
nslookup was at one time marked as deprecated by its maintainers, whereas dig returns more information in a consistent, machine-readable format, so it is better for scripting.
nslookup just returns the IP address or the DNS name.
What commands would I use to find out my IP address ?
ifconfig (macOS and older Linux), ip addr (modern Linux), ipconfig (Windows)
What tool do I use to read and write data across network connections ?
Netcat (nc), or ncat, the Nmap project's rewrite. They can connect to or listen on arbitrary TCP and UDP ports, which makes them useful for banner grabbing and connectivity tests, and equally useful to an attacker for reverse shells and file transfer.
What is NETSTAT ?
Returns a list of active network connections and listening sockets, and on most platforms the process that owns each one
netstat -a (all sockets, including listening ones)
netstat -at (all TCP)
netstat -au (all UDP)
What does PING do ?
Tests network reachability
ping [options] ip address/name
The options are packet size, ttl, how many pings to send
What does tcpdump do ?
tcpdump (and WinDump on Windows) capture packets from a network interface, of any protocol rather than TCP only, and can save them in pcap format for use by other tools such as Wireshark. Capture filters (for example "port 53") keep the capture to the traffic of interest.
What does traceroute do ?
Traces the hops to a destination from the host machine by sending probes with increasing TTL values and recording which router returns the ICMP Time Exceeded message for each. Unix traceroute sends UDP probes by default, Windows tracert sends ICMP echo; either way it relies on ICMP replies, so a hop that blocks ICMP shows up as a timeout (*) rather than breaking the trace entirely.
tracert is the Windows equivalent.
What is ANT ?
Short range wireless technology that is providing a challenge to bluetooth. It is proprietary (owned by Garmin) but has been opened up to allow other manufacturers to use. It relies on a personal area network being setup (PAN)
Used mainly in sports and fitness sensors.
Describe bluetooth
A short-range radio technology used to transmit data, usually between mobile devices and their peripherals. It operates in the 2.4 GHz band and does not use traditional network ports; instead devices pair to establish a connection.
Ideally users should keep discoverable mode turned off when not pairing, and remove pairings they no longer use.
What is cellular ?
Connections over the mobile carrier's network: 3G, 4G/LTE and 5G. Coverage is generally good, although we should understand that there are areas with no connection or weak connections at best, and that the carrier's network is outside our control.
What is Infrared ?
Short-range, line-of-sight communication using electromagnetic energy just beyond the red end of the visible spectrum. Used in some mice, keyboards and television remotes. Line of sight makes it hard to intercept from outside a room, but within line of sight the signal can be monitored, so an infrared keyboard can be sniffed for keystrokes.
What is NFC ?
Very short range 10cm or less technology to provide communications. Used mainly by mobile devices and payment systems besides the short range being a protection mechanism there are also some security standards.
What is SATCom ?
SATCOM is a line-of-sight solution using ground transmitters and satellites. Mainly used in remote locations with no other coverage, subject to the line-of-sight restriction, and expensive; it is heavily used by the military and by shipping.
Describe USB ?
High-speed, high-volume connections that are very much plug and play; a device can transfer data while connected to a computer and charging at the same time.
They are a security risk: a USB device can carry malware, exfiltrate data, or masquerade as a keyboard and type commands, so ports should be controlled by policy and tooling.
Describe WiFi ?
Uses radio frequencies to provide a high-speed network connection. Wi-Fi operates in the 2.4 GHz and 5 GHz bands (and 6 GHz with Wi-Fi 6E) and must conform to IEEE 802.11.
Supported by most hardware devices and relatively cheap to implement.
What is Mobile Device Management (MDM)
MDM is about managing the mobile devices owned by the company but it can also be extended to include devices by individuals when they connect to the corporate network.
What is application management ?
This refers to the control of what applications are downloaded to the device. Applications can present a security risk because they need access to areas of the phone including data that can be sensitive.
Some companies even have their own version of the app store so that they have complete control over applications.
What is biometric and context aware controls for mobile devices ?
Biometrics allow access on facial or fingerprint recognition; however on mobile devices they are best seen as a convenience rather than a strong security control, because sensors have been defeated with copies of the biometric, and the biometric usually only unlocks a device that is also protected by a PIN or passphrase.
Context aware controls will measure certain variables before allowing the user access
Who the user is
Which resource is requested
Location of device
Which device is in use
Which connection method is in use
What is containerisation and segmentation in MDM ?
Containerisation is about splitting the device into different containers one for public and one for private company use. Some MDM solution allow an administrator to have full access to the company container. You can also encrypt the container.
Segmentation is similar except it just marks areas of a drive to be private again highly recommended for devices with sensitive data.
What is content management in MDM ?
We also need to manage what content the devices have access to. Data ownership and usage policies should also make clear what data is and is not allowed on mobile devices.
There are also mechanisms to investigate what data is contained on those devices.
What is full disk encryption ?
The encrypting of the whole disk. Prompted for a passphrase on booting up the device.
What is Geolocation and Geofencing ?
Geolocation is the tracking of devices via geography can be used to recover lost devices.
Geofencing is about setting up a secure geographical area that once employees enter they can start accessing mobile data.
What is remote wipe ?
This is the ability to wipe a device back to its original factory settings which is useful for lost or stolen devices. This is important because lost or stolen devices allow the hacker to attack the device at their leisure.
Remote wipe can be done from anywhere as long as you have a stable internet connection. You can also configure devices to remote wipe automatically for example on a number of incorrect pin code inputs.
What are screen locks ?
Screen locks and passwords and pins should be in place for mobile devices and they should adhere to the company policy.
What are the security concerns around cameras and voice recording on MD
Camera and voice recording are security concerns because they enable the recording of conversation or capturing of documents outside of the company.
If a company owned mobile device is used for illegal purposes then there maybe a liability for the company.
What is carrier unlocking ?
In the US phones are commonly locked to the carrier that sold them and will not accept a SIM card from another carrier; in many other countries locking is less common or is regulated. To unlock, you need the carrier to provide an unlock code or key sequence that allows the device to leave that carrier's network.
What is custom firmware
This is firmware that has additional functionality not present in the standard firmware that comes with the device. Again this can be dangerous from a security point of view: the code has not been vetted by the manufacturer, it may remove security controls, and it usually breaks the chain of trust that secure boot and MDM attestation rely on.
What are the four MD deployment models ?
BYOD - Bring your own device
CYOD - Companies allow employees to choose their own device and pay for it
COPE - Corporate owned personally enabled - Corporate owned devices that can be used for personal means
COBO - Corporate owned business only
What is external media ?
Anything that can be plugged into and detached to a computer while it is still running is considered external media. This covers phones, flash drives, music players
If they store data they must be considered as a means to exfiltrate data and as a point where malware can enter the system.
Organisational Policies must be in place that governs their use also stating the enforcement and auditing of such devices.
What is firmware OTA ?
Firmware Over The Air (OTA) allows the firmware of a device to be updated over the wireless network (cellular or Wi-Fi) rather than by connecting it to a computer. Updates are pushed by the manufacturer or carrier, and an MDM can require devices to be on a minimum version before they are allowed on the network.
What is GPS/Geo Tagging ?
When taking photos geo data is embedded into that photo that could be a privacy concern especially if you make those photos available.
It should be turned off on the device.
What should organisational policies address ?
Organisational Policies should cover the following
Should be consistent with existing policies
Training should cover mobile device app use
Disciplinary actions should be consistent
Monitoring should cover mobile devices
What is rooting and jailbreaking ?
Both terms refer to giving the user elevated (root or administrator) privileges on the device.
Rooting - Android (Google)
Jailbreaking - iOS (Apple)
Some arguments are put forward for this, such as development, but on the whole the elevated privilege comes at the cost of bypassing security controls built into the device, so MDM solutions typically detect rooted or jailbroken devices and refuse them access.
What is sideloading
This is the installation of apps without going through the official app store. Android allows it once the user enables installation from unknown sources; on iOS it is restricted to enterprise or developer provisioning. Apps that have not gone through the app store checks may be a security hazard or malicious.
What is sms and mms ?
Again we should cover these technologies in our organisational policies to make sure information is not leaked via these channels, and users should be aware that SMS is neither encrypted nor authenticated and is a common phishing (smishing) channel.
What is tethering ?
Allows other devices to use the mobile device as an access point. The most common scenario is using the phone to allow a computer to access the internet.
Some carriers switch tethering off by default and charge for an additional package to enable it.
What is the problem with third party apps ?
The two main app store are
Apple Ios
Google Play
Apple is more stringent on the requirements for apps to make it into their app store meaning we have greater cause for concern with Google play.
What is WiFi direct and adhoc ?
Wi-Fi Direct allows a device to connect directly to another device without needing an access point; think phone to printer. An ad hoc network is the same idea among multiple devices, each talking to its peers with no access point involved.
Again this is a security concern because it creates a network for sharing information that is not governed by the corporation.
Give two examples of DLP tools ?
USB Blocking - To prevent use of flash drives completely or selectively by account type etc
Email - DLP attaches to the mail server and scans attachments
What is agent based DLP ?
Agent or host based DLP monitors for certain actions and blocks them such as USB removal media being attached
What is agent less DLP ?
Sits on the network (at the perimeter, or in the mail or web proxy) monitoring outbound traffic rather than running on the endpoint
What are the two mechanisms by which DLP operates ?
Pattern matching and Watermarking (tagging of critical info) that can then be monitored.
What is the data minimisation technique of tokenisation ?
The swapping out of key data items for a token that can be reverted back.
What are the three primary data minimisation techniques ?
Masking, Hashing and Tokenisation
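The DLP pattern matching from the cards above and the three data minimisation techniques from this one, as a single added example (not code from the original flashcards). A scanner finds Social Security numbers by format and card numbers by format plus the Luhn check, then each finding is masked, hashed or swapped for a token held in a vault. The sample text, the salt and the token format are constructed; a real DLP engine would also handle documents, tagging and many more identifiers.

```python
"""DLP pattern matching with the three data minimisation techniques applied
to what it finds: masking, hashing and (reversible) tokenisation. Added
example for the DLP and data minimisation cards; the sample text, the
salt and the token format are constructed for illustration."""
import hashlib
import hmac
import re
import secrets

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators


def luhn_ok(number: str) -> bool:
    """Mod-10 check used by payment cards; cuts false positives on random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str):
    """Returns (kind, matched_text) for each SSN and each Luhn-valid card number."""
    found = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    found += [("card", m.group()) for m in CARD_RE.finditer(text) if luhn_ok(m.group())]
    return found


def mask(value: str) -> str:
    """Masking: keep the last four digits, blank the rest, preserve separators."""
    digit_positions = [i for i, c in enumerate(value) if c.isdigit()]
    keep = set(digit_positions[-4:])
    return "".join("*" if c.isdigit() and i not in keep else c for i, c in enumerate(value))


def hash_value(value: str, salt: bytes) -> str:
    """Hashing: one-way, but keyed so a short input space cannot be brute forced."""
    return hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()


class Tokenizer:
    """Tokenisation: swap the value for a random token; the vault maps it back."""

    def __init__(self):
        self._vault = {}      # token -> original value
        self._by_value = {}   # original value -> token, so repeats get the same token

    def tokenize(self, value: str) -> str:
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)   # assumed token format
            self._vault[token] = value
            self._by_value[value] = token
        return self._by_value[value]

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def redact(text: str, mode: str, tokenizer=None, salt: bytes = b"") -> str:
    """Replaces each finding with its masked, hashed or tokenised form."""
    for _, value in find_sensitive(text):
        if mode == "mask":
            replacement = mask(value)
        elif mode == "hash":
            replacement = hash_value(value, salt)
        else:
            replacement = tokenizer.tokenize(value)
        text = text.replace(value, replacement)
    return text


# Constructed sample: one SSN, one valid test card number, one digit run that fails Luhn
SAMPLE = ("Customer SSN 123-45-6789, card 4111 1111 1111 1111, "
          "order ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    print(find_sensitive(SAMPLE))
    print(redact(SAMPLE, "mask"))
    vault = Tokenizer()
    print(redact(SAMPLE, "token", tokenizer=vault))
```

The order reference has the shape of a card number but fails the Luhn check, so it is left alone; without that check the DLP rule would fire on every 16-digit reference number in the business. Masking keeps enough to be useful to a human, hashing keeps nothing but allows matching, and only tokenisation can be reversed, which is why the vault is the part that needs the strongest protection.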
What is a NAC dissolved agent ?
Agents removed when access determined but can be re-issued
What is the opposite of a NAC dissolved agent ?
Permanent agents
What is the main feature of a NAC agentless installation ?
Agentless These are solutions that are installed on the network but downloaded to the device as it tries to access the network - could be delivered by a browser
What is a postadmission NAC ?
Action is taken after the device has joined the network unlike pre-admission
NAC and EAP 802.1x
802.1X is the standard for port-based authentication on wired and wireless networks. The supplicant software on the client host talks EAP to the authenticator (the switch or access point), which relays the exchange to an authentication server (usually RADIUS); the port stays closed to everything except EAP until authentication succeeds, so supplicant support must be installed on the host.
What is Port security ?
Port Security is about limiting the number of MAC Addresses that can use a single port. This prevents a number of possible problems including MAC hardware address spoofing, Content Addressable Memory overflows and the plugging in of additional devices to extend the network.
What is dynamic level port security ?
Dynamic locking specifies the maximum number of MAC addresses the port will learn; the first addresses seen are accepted and any further ones cause a violation.
What is static level port security ?
Static locking specifies the actual MAC addresses allowed on the port.
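The static, dynamic and sticky modes and the address limit from the port security cards, as an added example (not code from the original flashcards) that simulates a single switch port. It shows the violation action shutting the port down, what each mode remembers across a reboot, and how the limit stops a CAM table overflow flood after the allowed number of addresses. The port names and the locally administered MAC addresses are constructed; real switches also offer "protect" and "restrict" violation actions that merely drop the offending frames.

```python
"""Switch port security simulated: static, dynamic and sticky MAC learning,
a per-port address limit, and the shutdown violation action. Added example
for the port security cards; port names and MAC addresses are constructed."""


class SwitchPort:
    def __init__(self, name, mode="dynamic", max_macs=1, static=()):
        assert mode in ("static", "dynamic", "sticky")
        self.name = name
        self.mode = mode
        self.max_macs = max_macs
        self.allowed = set(static)      # addresses configured by hand
        self.learned = set()            # addresses learned from traffic
        self.err_disabled = False       # violation action: the port is shut down
        self.violations = 0

    def ingress(self, src_mac):
        """Returns 'forward' or 'violation' for a frame arriving with this source MAC."""
        if self.err_disabled:
            return "violation"
        permitted = self.allowed | self.learned
        if src_mac in permitted:
            return "forward"
        if self.mode != "static" and len(permitted) < self.max_macs:
            self.learned.add(src_mac)   # dynamic or sticky learning, within the limit
            return "forward"
        self.violations += 1
        self.err_disabled = True
        return "violation"

    def reboot(self):
        """Sticky addresses were saved to the config and survive; dynamic ones are lost."""
        if self.mode == "dynamic":
            self.learned.clear()
        self.err_disabled = False       # an admin re-enabling the port after reload


def cam_overflow_attack(port, frames=1000):
    """Floods distinct source MACs (macof style); returns how many were accepted
    before the port shut itself down."""
    accepted = 0
    for i in range(frames):
        mac = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        if port.ingress(mac) == "forward":
            accepted += 1
        else:
            break
    return accepted


if __name__ == "__main__":
    desk = SwitchPort("Gi0/1", "sticky", max_macs=1)
    print(desk.ingress("02:00:00:00:00:aa"), desk.ingress("02:00:00:00:00:bb"))
    desk.reboot()
    print("sticky after reboot:", desk.learned)
    flooded = SwitchPort("Gi0/2", "dynamic", max_macs=3)
    print("frames accepted before shutdown:", cam_overflow_attack(flooded))
```

The limit is what defeats the CAM overflow: without it the switch would learn thousands of bogus addresses, exhaust its table and start flooding every frame to every port. The simulation also shows the weakness the MAC filtering card warns about: an attacker who clones a permitted MAC address is forwarded without any violation.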
What is a network loop and what problems does it cause ?
A network loop occurs when a network has more than one active path carrying information from the same source to the same destination. The information loops and amplifies itself using the additional path instead of stopping when it reaches its destination. Network loops might cause a slow, irregular Internet connection or network failure. A network loop can be as simple as a cable with both end plugged into the same switch or cables plugged into different devices but eventually a loop is created or other network misconfigurations.
What is STP ?
Spanning Tree Protocol (STP) has switches exchange Bridge Protocol Data Units (BPDUs) carrying their switch identifiers and path costs. From these the switches elect a root bridge, compute a loop-free tree and block the redundant ports, re-enabling them only if an active link fails. Vendor features such as Cisco's loop detection capabilities complement STP by catching loops it misses, for example on ports where BPDUs are lost.
What is Bridge Protocol Data Unit Guard ?
Protects STP: it shuts down an access port (where no switch should be connected) if a BPDU arrives on it. This prevents an attacker from plugging in a rogue switch, claiming to be the root bridge and redirecting traffic through themselves by interfering with the STP messages.
What is DHCP snooping ?
Blocking unrecognised DHCP servers from allocating IP addresses or blocking messages where MAC addresses are not recognised.
What is a IPSEC Vpn ?
IPsec VPNs operate at layer 3. For remote access they need a client on the endpoint; for site-to-site links the two gateways are the endpoints. They can operate in tunnel mode, where the entire original packet is encrypted and wrapped in a new IP header, or transport mode, where the IP header is not protected but the payload is.
IPsec VPNs suit heavy traffic and carry any IP traffic, both web and application.
What is a SSL Vpn ?
Usually accessed through a browser and a web page, so they do not need a dedicated client installed or specific endpoint configuration. A tunnel mode that carries arbitrary traffic is also offered, usually through a lightweight client.
SSL/TLS VPNs also provide the ability to segment application access, allowing them to be more granular.
What are the tunneling options with VPN ?
Split tunnelling is faster because only traffic destined for the corporate network goes through the VPN; everything else goes straight to the internet. The cost is that the direct traffic bypasses corporate inspection, and the endpoint is bridged between the untrusted network and the corporate one.
A full tunnel VPN sends all traffic through the VPN and is the way to ensure that traffic sent over an untrusted network, such as a coffee shop's Wi-Fi, remains secure and passes through corporate controls.
What port does DNS and DNSSEC use ?
UDP 53 for ordinary queries; TCP 53 for zone transfers and for responses too large for UDP. DNSSEC adds signed records to DNS; it does not use a separate port.
What port doe FTP use ?
TCP 21 (control) and TCP 20 (data, in active mode)
What port dose SFTP use ?
TCP 22
What port does HTTPS use ?
TCP 443
What port does IMAP use ?
TCP 143
What port does IMAPS use ?
TCP 993
What port does LDAP use ?
UDP and TCP 389
What port does LDAPS use ?
TCP 636
What port does POP 3 use ?
TCP 110
What port range does RTP use ?
UDP 16384 - 32767 (a widely used default range; RTP does not mandate fixed ports, they are negotiated per call)
What port does SRTP use ?
UDP 5004 (the registered default RTP port, which SRTP shares; in practice the ports are negotiated per call)
What port does SNMP use ?
UDP 161 (manager queries to the agent) and UDP 162 (traps from the agent to the manager)
What port does Telnet use ?
TCP 23
What port does SSH use ?
TCP 22
What is a jump or bastion server ?
Also known as a bastion host: a hardened, dedicated server through which administrative traffic to protected resources is tunnelled, so admin access can be controlled, logged and monitored in one place. Typically accessed via SSH.
What are the two modes of operation for Load Balancers ?
Active/Active and Active/Passive
What is round robin pattern of load balancing scheduling ?
Load balancer cycles through a list for the next server to send traffic to
What is the least connection pattern of load balancing scheduling ?
Traffic send to the server with least number of active connections.
What is the agent based pattern of load balancing scheduling ?
Server env is actively monitored and the appropriate destination is chosen
What is the source ip hashing pattern of load balancing scheduling ?
Uses a hash of source ip to determine the server
What is weighted least connection in load balancing
Each server is assigned a weight reflecting its capacity, and new connections go to the server with the fewest active connections relative to its weight (active connections divided by weight), so a larger server takes proportionally more connections.
What is fixed weighted least in load balancing
Each server has a fixed weight determined by capacity and size, and traffic is distributed in proportion to the weights regardless of current load.
What is weigted response time in load balancing ?
The response time is calculated in the server choice
What is load balancer sticky session ?
the same destination is used for the entire session interaction
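The scheduling patterns above, as an added worked example (not part of the original flashcards): a toy in-memory dispatcher in Python implementing round robin, least connection, weighted least connection, source IP hashing and sticky sessions. The backend names, weights and connection counts are constructed sample values.

```python
import hashlib
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Backend:
    name: str
    weight: int = 1     # fixed weight: relative capacity (constructed values below)
    active: int = 0     # current number of active connections


class Dispatcher:
    """Toy load balancer holding a pool of backends and per-session affinity."""

    def __init__(self, pool):
        self.pool = list(pool)
        self._rr = cycle(self.pool)     # iterator for round robin
        self.sessions = {}              # session id -> backend name (sticky sessions)

    def round_robin(self):
        # Cycle through the list regardless of load.
        return next(self._rr)

    def least_connection(self):
        # Fewest active connections in absolute terms; ties go to the first in the list.
        return min(self.pool, key=lambda b: b.active)

    def weighted_least_connection(self):
        # Fewest connections relative to capacity: a server with weight 4 and 3
        # connections (0.75 per unit) is preferred over weight 1 and 1 connection (1.0).
        return min(self.pool, key=lambda b: b.active / b.weight)

    def source_ip_hash(self, client_ip):
        # Deterministic: the same client address always lands on the same backend.
        digest = hashlib.sha256(client_ip.encode()).digest()
        return self.pool[int.from_bytes(digest[:4], "big") % len(self.pool)]

    def sticky(self, session_id, chooser):
        # First request of a session is scheduled by `chooser`; later requests reuse it.
        name = self.sessions.get(session_id)
        if name is None:
            chosen = chooser()
            self.sessions[session_id] = chosen.name
            return chosen
        return next(b for b in self.pool if b.name == name)


def build_pool():
    """Constructed sample pool: two small servers and one with four times the capacity."""
    return [Backend("A", weight=1, active=2),
            Backend("B", weight=1, active=1),
            Backend("C", weight=4, active=3)]


if __name__ == "__main__":
    d = Dispatcher(build_pool())
    print("round robin:", [d.round_robin().name for _ in range(4)])
    print("least connection:", d.least_connection().name)
    print("weighted least connection:", d.weighted_least_connection().name)
    print("source ip hash:", d.source_ip_hash("203.0.113.7").name)
```

Note the difference between least connection and weighted least connection on the same pool: the absolute count picks B (1 connection), while the capacity-adjusted count picks C (3 connections spread over weight 4).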
What is a web filter ?
Web filters are usually deployed as a centralised proxy which filters on URL, content scanning or block rules; they can also be deployed as an agent on individual devices.
Block rules are applied by content categories.
What are the common locations in a network to base a DLP system ?
Common locations for DLP systems is the exfiltration points of a network such as network border or email servers.
What is the difference between Unified Threat Management devices and Next Generation Firewall devices ?
Both are single appliances. A UTM device bundles many point controls (firewall, IDS/IPS, anti-malware, DLP, VPN, content filtering) into one box for simpler management and faster detection and remediation. An NGFW is a firewall that extends basic and stateful filtering with deep packet inspection, application awareness and an integrated IPS. The overlap is large and the terms are often used interchangeably.
What is a waf ?
WAF is a web application firewall it intercepts, analyzes and applies rules to web traffic it behaves like a firewall and IPS combined.
What is a screened subnet also known as ?
DMZ: a subnet, screened by firewalls, that separates public-facing servers from the internal network, so a compromised public server does not give direct access to internal systems.
What is the concept of out of band management ?
Keeping the management interfaces of network devices and servers on a separate network from production traffic, either a dedicated management VLAN or physical console/serial access only, so that someone on the production network cannot reach device administration.
What are the common DNS protection techniques ?
Prevention of zone transfers, Logging switched on, blocking of requests to malicious zones.
What are the three major email protection controls ?
DKIM, DMARC, SPF
How does DKIM work ?
The sending mail server signs selected headers and the body of each message and adds the signature in a DKIM-Signature header. The receiving server fetches the sender's public key from a DNS TXT record (selector._domainkey.domain) and verifies the signature, proving the message came from that domain and was not altered in transit. It is a digital signature, not encryption.
How does SPF work ?
SPF is an email authentication technique in which a domain publishes, as a DNS TXT record, the list of servers (IP addresses, networks and included domains) permitted to send mail for it. A receiving server checks the connecting server's IP against the record. Each TXT string is limited to 255 characters (longer records are split into several strings) and evaluation may trigger at most 10 DNS lookups.
How does DMARC work ?
Builds on DKIM and SPF: the domain owner publishes a policy (none, quarantine or reject) telling receivers what to do with messages that fail both checks, where a pass only counts if the authenticated domain aligns with the From: header domain. It also provides aggregate and forensic reports back to the domain owner.
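The SPF and DMARC cards above, as an added worked example (not part of the original flashcards): a Python evaluator for the ip4/ip6/include/all SPF mechanisms with the 10-lookup limit, plus the DMARC policy decision with relaxed and strict alignment. DNS lookups are replaced by constructed in-memory records (the domains and addresses are invented), and the DKIM outcome is taken as an input because signature verification is not modelled here.

```python
import ipaddress

# Constructed DNS zone standing in for real TXT lookups (invented domains/addresses).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # self-include: hits the lookup limit
}
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "strict.example": "v=DMARC1; p=quarantine; aspf=s",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10   # RFC 7208: at most 10 DNS-querying mechanisms per evaluation


def check_spf(domain, sender_ip, _lookups=None):
    """Evaluate domain's SPF record for sender_ip (ip4/ip6/include/all only)."""
    lookups = _lookups if _lookups is not None else [0]
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address never matches a v6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(arg, sender_ip, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"
        else:
            return "permerror"   # mechanisms not modelled here (a, mx, exists, ...)
    return "neutral"             # record ended without an "all" term


def org_domain(domain):
    # Toy organisational domain: last two labels. Real code uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    if mode == "s":                                   # strict: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)   # relaxed


def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply the From: domain's DMARC policy to the SPF and DKIM outcomes."""
    record = DMARC_RECORDS.get(from_domain)
    if record is None:
        return "none"                                 # no policy published
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if t.strip())
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")
```

The self-including "loop.example" record shows why the lookup cap exists: without it, evaluation would recurse forever, and a receiver that returns permerror also gives the domain owner no SPF protection at all.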
What are ephemeral keys ?
Keys generated fresh for each connection and discarded afterwards. Ephemeral Diffie-Hellman (DHE/ECDHE) in TLS gives forward secrecy: compromise of a server's long-term key does not expose previously captured sessions, because each session's key was derived from throwaway values.
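Ephemeral versus static key agreement, as an added worked example (not part of the original flashcards). The Diffie-Hellman group below is a toy chosen so the arithmetic is visible: the Mersenne prime 2**127-1 with generator 3 gives no real security and is an assumption for illustration only; real deployments use an RFC 7919 finite-field group or an elliptic curve such as X25519.

```python
import hashlib
import secrets

# Toy group (assumed, NOT secure): far too small for real use.
P = 2**127 - 1
G = 3


def keypair():
    """Fresh Diffie-Hellman private/public pair: priv in [1, P-2], pub = G^priv mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive a symmetric key from the shared secret (G^(a*b) mod P) with a hash."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def ephemeral_handshake():
    """One DHE-style exchange: both parties draw new keys, so the session key is
    unique to this connection and the private values can be thrown away afterwards."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return session_key(a_priv, b_pub), session_key(b_priv, a_pub)


def static_handshake(a_priv, b_priv):
    """Same exchange with long-lived private keys: every connection derives the
    same key, so capturing one private key decrypts all past and future traffic."""
    a_pub, b_pub = pow(G, a_priv, P), pow(G, b_priv, P)
    return session_key(a_priv, b_pub), session_key(b_priv, a_pub)


if __name__ == "__main__":
    print("ephemeral session 1:", ephemeral_handshake()[0][:16])
    print("ephemeral session 2:", ephemeral_handshake()[0][:16])
    sa, sb = keypair()[0], keypair()[0]
    print("static session 1:   ", static_handshake(sa, sb)[0][:16])
    print("static session 2:   ", static_handshake(sa, sb)[0][:16])
```

Both sides of each handshake compute the same key; across two ephemeral handshakes the keys differ, while two static handshakes with the same long-term keys produce identical keys, which is exactly what forward secrecy removes.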
What is SNMP and how does it work ?
SNMP is used to manage and monitor network devices. A manager polls agents on the devices for information, and when an SNMP-enabled device has a problem or state change it sends an unsolicited message called a trap to the manager, for example coldStart, warmStart, linkDown, linkUp, authenticationFailure, egpNeighborLoss.
What is the purpose of DKIM,SPF and DMARC ?
Authenticating the sender and the integrity of the message; they do not encrypt email content or control who can access it.
What is a file integrity checker ?
Monitors whether a file, such as a configuration file, changes by comparing its current hash against a stored baseline. Tripwire is a well-known example, available in open-source and commercial versions.
What is SIPS and SRTP ?
Secure version of voice and messaging protocols SIP and RTP
What is NTS ?
Network Time Security, the secure version of NTP. It uses TLS to authenticate the server and agree keys, then authenticates the NTP packets themselves so the client can verify the source and detect tampering; it does not encrypt the time data.
What are the secure protocols for recieving mail and web traffic ?
HTTPS, POP3S (POP3 over TLS) and IMAPS
Is Microsofts RDP encrypted by default ?
Yes
Does bgp have security features
Not built in. BGP itself does not authenticate route announcements; protection depends on add-ons such as TCP MD5 / TCP-AO for the peering session and RPKI for validating route origins.
Does DHCP offer a secure protocol ?
No. DHCP has no authenticated or encrypted version; protection comes from switch features such as DHCP snooping.
What is SNMPv3
Improvement on SNMP v1/v2c, which rely on cleartext community strings, by adding authentication, encryption and message integrity.
How does DNSSEC work ?
Via digital signatures: zone owners sign their records and publish the public keys in DNS, and resolvers validate the signatures along a chain of trust from the root. It provides integrity and authenticity of DNS data, not confidentiality.
What are the two main components of IPSEC security protocols ?
Authentication Header and Encapsulating Security Payload
In IPSEC how does the Authentication Header work ?
Uses an HMAC (a hash keyed with a shared secret) computed over the packet to provide integrity and sender authentication. It does not encrypt, and because the hash covers parts of the IP header it breaks when the packet passes through NAT.
In IPSEC how does Encapsualting Security Payload (ESP) work ?
Encrypts the data for confidentiality and can optionally add integrity and authentication. In tunnel mode it protects the entire original packet (a new outer IP header is added); in transport mode it protects only the payload and leaves the original IP header in the clear.
Is Man in Browser attack a MITM or On Path attack ?
Yes. It is an on-path attack carried out inside the browser itself, usually via a malicious plugin or extension, so it sees and can alter web traffic after TLS has been decrypted, bypassing TLS and other transport protections.
What is a credential replay attack ?
The attacker captures valid authentication data (credentials, hashes or session tokens) from the network and re-sends it later to impersonate the user.
What is an amplified denial of service attack ?
Uses a protocol where a small query generates a much larger response, such as DNS or NTP, so the attacker's bandwidth is multiplied.
What is a reflected denial of service attack ?
A reflection denial of service attack sends requests with the victim's spoofed source address to legitimate third-party servers, which send their responses to the victim; this hides the attacker's own identity and, combined with amplification, multiplies the traffic.
What is a DNS sinkhole ?
server that has been configured to hand out non-routable addresses for a certain set of domain names. Computers that use the sinkhole fail to access the real site - Stops bots talking to command and control
What is not an appropriate use of serverless architectures ?
Complex systems
What is an IP reputation service ?
A score of how trustworthy an IP address is, based on observed behaviour such as sending spam, hosting malware or scanning.
What is the most common way to get IP reputation data ?
Subscription via HTTPS
What does the secure attribute for cookies mean ?
The browser will only send the cookie over HTTPS connections, so it cannot be captured in cleartext on the network.
What are the two connection methods to implement Geofencing ?
GPS & Wifi
What are the three disadvantages of stateful firewalls ?
Resource-intensive (state must be tracked for every connection) and can slow network communications
More expensive than other firewall options
Doesn’t provide authentication capabilities to validate traffic sources aren’t spoofed
What are the advantages of stateful firewalls ?
Monitors the entire session for the state of the connection, while also checking IP addresses and ports (and, in some implementations, payload contents), for more thorough security than stateless filtering
Offers a high degree of control over what content is let in or out of the network
Does not need to open numerous ports to allow traffic in or out
Delivers substantive logging capabilities
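The "does not need to open numerous ports" advantage, as an added worked example (not part of the original flashcards): a toy Python connection tracker that admits inbound packets only when they match an entry created by an outbound connection, next to a stateless filter that has to leave every ephemeral port open to let replies through. The 10.0.0.0/8 internal range and the packet values are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed "inside" network for the example


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "SYN"      # comma-separated TCP flags, e.g. "SYN,ACK"
    proto: str = "tcp"


class StatefulFirewall:
    """Allow new connections only from inside; allow inbound packets only if
    they belong to a connection already in the state table."""

    def __init__(self):
        self.table = set()   # (src, sport, dst, dport, proto) of open connections

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def filter(self, p):
        flags = set(p.flags.split(","))
        key, rkey = self._key(p), self._reverse(p)
        if key in self.table or rkey in self.table:
            # Simplified teardown: a real implementation tracks the full TCP
            # state machine and times out idle entries.
            if flags & {"FIN", "RST"}:
                self.table.discard(key)
                self.table.discard(rkey)
            return "allow-established"
        if ipaddress.ip_address(p.src) in INTERNAL and flags == {"SYN"}:
            self.table.add(key)        # outbound connection attempt: remember it
            return "allow-new"
        return "drop"                  # unsolicited inbound, or malformed new flow


def stateless_filter(p):
    """Stateless equivalent: to let replies back in it must permit inbound traffic
    to every ephemeral port, which also admits unsolicited packets."""
    if ipaddress.ip_address(p.src) in INTERNAL:
        return "allow"
    return "allow" if p.dport >= 1024 else "drop"


if __name__ == "__main__":
    fw = StatefulFirewall()
    out = Packet("10.0.0.5", 50000, "203.0.113.9", 443)
    reply = Packet("203.0.113.9", 443, "10.0.0.5", 50000, flags="SYN,ACK")
    rogue = Packet("198.51.100.1", 443, "10.0.0.5", 50001)
    for name, p in [("outbound", out), ("reply", reply), ("rogue", rogue)]:
        print(name, "stateful:", fw.filter(p), "stateless:", stateless_filter(p))
```

The rogue packet looks like a reply (source port 443, high destination port) and the stateless filter lets it in; the stateful firewall drops it because no inside host ever opened that connection.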
What is the main concern with WIFI networks ?
One of the most important security concerns with Wi-Fi networks is that their radio signals travel beyond the spaces that organisations own and control, so an attacker can listen or connect from outside the building.
What is a AdHoc WIFI installation ?
allows devices to talk to each other directly
What is a Infrastructure WIFI installation ?
traffic is sent through a base station
How does a WIFI network identify itself ?
SSID
What range does bluetooth work over ?
2.4 GHz
What are the four security modes of BlueTooth ?
Mode 1 : No Security
Mode 2 : Service Level Enforced
Mode 3 : Link Level Enforced
Mode 4 : Standard Pairing with Secure Simple Pairing (SSP)
What are some of the security concerns with RFID Tags ?
Cloning, Spoofing, Traffic Capture and Reader Impersonation
Which wireless connection method needs line of sight ?
Infrared
What are the two wireless connection models ?
Point to Point and Point to Multipoint
What is the best practice for security around bluetooth ?
Switch it off if not needed
What is a site survey ?
Site Surveys involve moving through the entire facility to determine existing networks that are in place and to look at the physical structure for the location options for your access points. The output is a heatmap showing signal strength and dead zones.
What is a wireless local area network controller ?
Small companies may use independently configured and placed APs, but large enterprises use a Wireless LAN Controller to centrally manage APs. Controllers facilitate software-controlled networks and blended Wi-Fi and 5G wireless roaming. They can be deployed as hardware, as a cloud service, or as a virtual machine or software package; more advanced devices also include threat intelligence and intrusion prevention.
Which wireless authentication model Uses a pre-shared key which allows clients to authenticate without authentication server infrastructure
WPA2 Personal
Which wireless authentication model Relies on a radius server allowing users to be identified uniquely with their own credentials.
WPA2 Enterprise
Describe some of the features of WPA3 personal ?
Uses Simultaneous Authentication of Equals (SAE), which replaces the pre-shared key handshake with an exchange in which the client and access point each prove knowledge of the password without revealing it. An attacker gets only one password guess per live interaction rather than an offline attack on captured handshakes, which slows brute force attacks. Uses a 128-bit key.
Also implement Perfect Forward Secrecy
What key length does WPA3 enterprise use
192
Name the four wireless authentication mechanisms ?
EAP-Fast, PEAP, EAP-TLS,EAP-TTLS
Describe PEAP ?
Jointly developed by Microsoft, Cisco and RSA. Builds an encrypted, authenticated TLS tunnel inside which the client authenticates (typically with MS-CHAPv2); only the server presents a certificate. Each device on the network gets unique encryption keys.
What are the features of EAP-Fast ?
Cisco's Flexible Authentication via Secure Tunneling. Replaces PEAP's certificate-based tunnel setup with a Protected Access Credential (PAC), a shared secret provisioned to each client, so the tunnel is established with symmetric keys and no server certificate is required.
Describe EAP-TLS ?
Uses TLS with certificates on both clients and servers (mutual authentication). It is the strongest of the EAP methods, but the overhead of managing certificates on every client means it is not a popular choice.
Describe EAP Trusted TLS ?
Extends EAP-TLS: the server authenticates with a certificate, and the client authenticates inside the resulting tunnel with another method, so clients do not need certificates.
What is a COBO device ?
Company Owned Business Only. Devices can only have pre installed business apps on them.
What is the difference between MDM containerisation and segmentation.
Segmentation is just data whereas containerisation covers apps. Usually used in conjunction
What are the push notifications features of a MDM solution used for ?
Useful to alert users or to ask them to take an action, such as installing an update or acknowledging a policy.
What is covered by context aware features of MDM ?
Hours of use, Location etc
How do attackers evade signature based Antimalware and Antivirus ?
Polymorphic malware, which changes its code each time it is copied so that no fixed signature matches, and packing or obfuscation of the executable.
What is heuristic antimalware/antivirus ?
Looks at what the item under investigation is trying to do and matches that against unwanted behaviour.
What is sandboxing with regards to antivirus and antimalware ?
Used by vendors to study the effects of malicious code.
What five control types help with integrity ?
Hashing
Digital Signatures
Checksums
Access Controls
Regular Audits
When would you use checksums ?
To verify data that has been downloaded by comparing the vendor checksum with your calculated checksum
Describe EDR and XDR ?
EDR runs an agent on the endpoint that analyses logs and behaviour for indicators of compromise (IOCs). Extended detection and response (XDR) takes in a wider scope than endpoints alone, covering the organisation's whole estate such as cloud, email and network.
Describe DLP ?
Data Loss Prevention are a group of technologies designed to stop data being lost or stolen. They can be triggered to look out for a set of data markers such as SSN numbers, Account numbers etc,
USB Blocking - To prevent use of flash drives completely or selectively by account type etc
Email - DLP attaches to the mail server and scans attachments
DLP protection should still be employed in cloud
Common locations for DLP systems is the exfiltration points of a network such as network border or email servers.
They can encrypt or make data safer for sharing such as Tokenis
Which two organisations publish advice on OS hardening
CIS and NIST
How would you use VLANS in network hardening ?
Isolation of systems or users or placing critical or at risk systems such as IOT devices.
What is best security practice for windows registry ?
Because of the crucial nature of the registry, best practice where possible is to remove remote registry access and limit who can use registry tools such as regedit.
What are Microsoft Group Policy objects ?
Microsoft technology for pushing settings from the domain (Active Directory) to machines and users, including credential settings, password complexity rules and other lockdown configuration. Local Group Policy provides the same controls on a single machine.
What is SELinux ?
Security-Enhanced Linux, a kernel security module that adds mandatory access control (MAC) on top of the normal discretionary permissions, confining each process to what its labelled policy allows. It has also been implemented on Android (SEAndroid).
What is SNMP ?
SNMP collects information about network devices to ensure security. It allows for network monitoring, problem identification
and capacity planning by allowing configuration and storing of data.
What is infrastructure diversification ?
Diversifying infrastructure ensures that organizations are not overly reliant on a single data center, network, or platform. By distributing their assets and systems across multiple locations or platforms, they can significantly reduce the risk of total service disruption if one component fails.
How do you distinguish between impossible travel and concurrent session usage ?
Timings - If the attack is simultaneous then concurrent session usage. If there is some time delay then impossible travel.
Does a dictionary attack target multiple accounts ?
No it tends to be one account many attempts
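The two cards above (impossible travel versus concurrent sessions, and dictionary attacks against one account versus spraying across many), as an added worked example that is not part of the original flashcards: Python detection logic run over a constructed authentication log. The log lines, addresses and coordinates are invented sample data; the 900 km/h speed limit, 60 second concurrency window and threshold of 5 failures are assumed tuning values.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real data): timestamp user result source_ip lat lon
SAMPLE_LOG = """\
2024-03-01T09:00:00Z alice success 198.51.100.4 51.5074 -0.1278
2024-03-01T09:05:00Z alice success 203.0.113.7 40.7128 -74.0060
2024-03-01T09:10:00Z bob success 198.51.100.4 51.5074 -0.1278
2024-03-01T09:10:00Z bob success 203.0.113.7 40.7128 -74.0060
2024-03-01T09:20:00Z carol failure 203.0.113.50 48.8566 2.3522
2024-03-01T09:20:01Z carol failure 203.0.113.50 48.8566 2.3522
2024-03-01T09:20:02Z carol failure 203.0.113.50 48.8566 2.3522
2024-03-01T09:20:03Z carol failure 203.0.113.50 48.8566 2.3522
2024-03-01T09:20:04Z carol failure 203.0.113.50 48.8566 2.3522
2024-03-01T09:30:00Z dave failure 192.0.2.99 48.8566 2.3522
2024-03-01T09:30:01Z erin failure 192.0.2.99 48.8566 2.3522
2024-03-01T09:30:02Z frank failure 192.0.2.99 48.8566 2.3522
2024-03-01T09:30:03Z grace failure 192.0.2.99 48.8566 2.3522
2024-03-01T09:30:04Z heidi failure 192.0.2.99 48.8566 2.3522
"""


def parse(log):
    """Parse the space-separated lines into dicts, oldest first (stable sort)."""
    events = []
    for line in log.splitlines():
        ts, user, result, ip, lat, lon = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "result": result, "ip": ip,
            "lat": float(lat), "lon": float(lon),
        })
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def travel_anomalies(events, max_speed_kmh=900.0, concurrent_window_s=60):
    """Compare each user's consecutive successful logins from distant places.
    Near-simultaneous logins are concurrent sessions; a delay that would need an
    impossible speed is impossible travel."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    findings = {}
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < 50:                       # same city: not interesting
                continue
            dt = (cur["ts"] - prev["ts"]).total_seconds()
            if dt <= concurrent_window_s:
                findings[user] = "concurrent-session"
            elif dist / (dt / 3600) > max_speed_kmh:
                findings[user] = "impossible-travel"
    return findings


def password_attack_pattern(events, threshold=5):
    """Per source IP: many failures on one account is a dictionary/brute-force
    attack; one or two failures each across many accounts is password spraying."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "failure":
            per_ip[e["ip"]][e["user"]] += 1
    verdict = {}
    for ip, accounts in per_ip.items():
        if max(accounts.values()) >= threshold:
            verdict[ip] = "dictionary"
        elif len(accounts) >= threshold and max(accounts.values()) <= 2:
            verdict[ip] = "spraying"
    return verdict


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(travel_anomalies(ev))
    print(password_attack_pattern(ev))
```

Alice's London login followed five minutes later by one from New York would need tens of thousands of km/h, so it is impossible travel; Bob's two logins share a timestamp, so they are concurrent sessions. The spraying case is why a simple per-account lockout counter misses it: no single account sees enough failures.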
What is threat scope ?
Threat scope reduction refers to the proactive steps and strategies taken to reduce the potential areas of attack within a system or network. By limiting the avenues that attackers can exploit, organizations can more effectively secure their assets
What is enumeration ?
Enumeration, in the context of hardware, software, and data asset management, refers to the practice of assigning unique identifiers, access controls, and attributes to each asset. This process helps in establishing granular control over access permissions, ensuring that only authorized users can interact with the assets. It plays a vital role in maintaining data confidentiality, integrity, and availability by preventing unauthorized access and ensuring proper management of resources.
What is an advantage of volume encryption over full disk encryption.
You can vary the encryption and levels of access
What is the primary use for a fence ?
Fence - Structure that encloses an area using interconnected panels and posts. It provides a defined visual barrier that acts as a deterrent that should not be violated by unauthorised personnel. Establishes a physical barrier against unauthorised entry. Primarily a people control.
What is a primary use for a bollard ?
Bollards - Short vertical posts designed to redirect vehicular traffic, made of steel or concrete. They serve as a clear visual reminder of where vehicles are not permitted and physically stop a vehicle being driven into a building. Primarily a vehicle control.
Whats the difference between user behaviour analytics (UBA) and user and entity behaviour analytics (UEBA)
UEBA extends UBA from human users to entities such as devices, applications and service accounts, baselining their normal behaviour and alerting on deviations.
What is EDR ?
EDR is a category of security tools that monitor endpoint and network events and record the information in a central database. It works by continuously monitoring and gathering data from endpoints.
What is file integrity monitoring ?
Used to validate the integrity of OS Files and application files using a verification method between the current state and known good baseline.
Uses an agent for continuous monitoring. Compares hashes of files against a database of hashes of last known good value.
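The checksum card earlier (comparing a vendor's published digest with your own) and the file integrity monitoring card above share the same building block, so one added Python example covers both; it is not part of the original flashcards. The files, their contents and the tampering in demo() are constructed inside a temporary directory so it runs offline.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large downloads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(path, expected_hex):
    """Compare the computed digest with the vendor-published one (constant-time compare)."""
    return hmac.compare_digest(sha256_file(path).lower(), expected_hex.strip().lower())


def build_baseline(root):
    """Known-good baseline: relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(known_good, current):
    """Report files whose hash changed, files that appeared and files that vanished."""
    return {
        "modified": sorted(k for k in known_good if k in current and current[k] != known_good[k]),
        "added": sorted(k for k in current if k not in known_good),
        "removed": sorted(k for k in known_good if k not in current),
    }


def demo():
    """Constructed scenario in a temp directory: baseline, then tamper, add and delete."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.bin").write_bytes(b"\x7fELF" + b"\x00" * 16)
        (root / "config.ini").write_bytes(b"debug=false\n")
        (root / "notes.txt").write_bytes(b"hello\n")
        baseline = build_baseline(root)
        # Vendor-style checksum check: the expected value is the digest of the same bytes.
        expected = hashlib.sha256(b"hello\n").hexdigest()
        checksum_ok = verify_checksum(root / "notes.txt", expected)
        checksum_bad = verify_checksum(root / "notes.txt", "00" * 32)
        (root / "config.ini").write_bytes(b"debug=true\n")    # tampered
        (root / "notes.txt").unlink()                         # removed
        (root / "backdoor.sh").write_bytes(b"#!/bin/sh\n")    # added
        result = compare_baseline(baseline, build_baseline(root))
        result.update(checksum_ok=checksum_ok, checksum_bad=checksum_bad)
        return result


if __name__ == "__main__":
    print(demo())
```

A real FIM agent stores the baseline somewhere the monitored host cannot rewrite it and re-runs the comparison on a schedule; the comparison logic is the same as compare_baseline.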
What is the difference between EDR and XDR ?
EDR just focusses on endpoints such as mobile, laptops and servers whereas XDR is broader and looks at Email, Endpoint, Cloud and Network
What are the phases a good EDR detection tool will go through ?
Data Collection, Data Consolidation, Threat Detection, Alerts and Threat response, Threat investigation, Remediation.
What is disk imaging ?
A bit-by-bit copy of the device, including deleted files, slack space and unallocated space, not just the files the file system currently lists.
What is file carving ?
File carving is a process used in computer forensics to extract data from a disk drive or other storage device without the assistance of the file system that originally created the file, typically by searching for known file headers and footers in the raw data.
What is e-discovery ?
E-discovery is a form of digital investigation that attempts to find evidence in email, business communications and other data that could be used in litigation or criminal proceedings
Why are email gateways a good device to install anti spam on ?
Because every email passes through it