Exam 2 Flashcards
What are the 5 functional categories of the NIST Cybersecurity Framework?
- Identify – critical processes and assets; document flow; software/hardware inventory; roles and responsibilities; threats and vulnerabilities
- Protect – establish safeguards and practices
- Detect – establish and implement activities to detect breaches
- Respond – establish detailed guidelines of actions to take when a breach is detected
- Recover – establish plans for recovering and restoring operations back to normal
National Institute of Standards and Technology (NIST)
What’s the difference between threats, vulnerabilities, and exploits?
Threat – any potential danger to an asset. (Latent vs realized; latent threat has not been exploited, and may not be publicly known. A realized threat is when attackers actively exploit vulnerabilities.)
Vulnerability – a weakness in design, implementation, code. Can include lack of mechanisms (for example, not having a firewall).
Exploits – a piece of software, tool, or technique that takes advantage of a vulnerability. (Zero-day exploit, Exploit-DB & Metasploit)
What is a CVE & what organization catalogs them?
CVE (Common Vulnerabilities and Exposures) identifier; MITRE is the organization responsible for cataloging CVEs.
What is a zero-day exploit?
Zero-day exploit – exploits a vulnerability that is not publicly known but is actively being exploited.
What are the 3 elements used to determine risk?
Risk – probability of the occurrence of a threat.
Risk is based upon 3 elements:
1. Assets
2. Threats
3. Vulnerabilities
What are some of the most common forms of authentication-based vulnerabilities?
Authentication-based – vulnerability that is exploited by manipulating, bypassing, or stealing authentication credentials.
Common forms:
1. Session hijacking
2. Brute force
3. Default credentials
4. Redirecting
5. Unpatched Kerberos vulnerabilities
What are the two types of firewalls?
Hardware-based, stand-alone appliance
Software-based installed on host devices
What’s the difference between the 3 profiles for Windows firewalls?
3 Profiles: Domain, Private, Public.
- Domain Profile – applied when the host is joined to a domain; this allows firewall settings to be managed through Group Policy.
- Private Profile – home use or non-domain office use.
- Public Profile – when connected to public networks, such as a public library, etc.
What is Netfilter & the difference between it and iptables/nftables?
Netfilter is a component of the Linux kernel. It interacts with the network stack to intercept and examine traffic.
iptables and firewalld were the de facto tools until 2015-ish.
nftables was introduced in 2014 and has slowly become the de facto tool.
What is a chain?
iptables organizes traffic into categories called “chains.”
There are 5 chains:
1. INPUT – packets coming into the host.
2. OUTPUT – packets going out of the host.
3. FORWARD – packets coming into the host that are to be routed to another destination.
4. PREROUTING – used for NAT when the packet arrives at the host.
5. POSTROUTING – used by NAT before the packet exits the host.
The INPUT, OUTPUT, and FORWARD chains are the most common.
In iptables, what are the 3 targets?
“Target” refers to the action applied to traffic.
There are 3 targets:
1. ACCEPT – packet is accepted and passed through the firewall.
2. REJECT – packet is dropped and not allowed to pass through the firewall. A rejection message is sent to the sending device.
3. DROP – packet is dropped and no rejection message is sent.
What’s nft?
nft is the CLI command used to interact with the nftables tool.
How do you display the current nftables rules?
nft list ruleset
Where is the nftables config file located?
Located at /etc/nftables.conf
To edit it from the command line: nano /etc/nftables.conf
How do you restart nftables from the command line?
systemctl restart nftables
Define Metasploit and Meterpreter.
Metasploit and Meterpreter are custom-built tools that are usually used to perform sandbox escape attacks.
Metasploit Framework (MSF) is a highly customizable penetration testing tool written in Ruby. It contains an updatable database of thousands of exploits and payloads. Additionally, it houses a development environment for creating your own custom exploits and payloads.
Meterpreter is arguably the most powerful payload in the Metasploit Framework. It is a Linux shell that is deployed into the target’s RAM. Because it runs in memory and is not written to the target’s hard drive, it leaves behind very little forensic evidence of the attack.
Note: Metasploit exploits and payloads that create bind or reverse shells will have “bind” and “reverse” in their names. Likewise, payloads that open Meterpreter shells will have “meterpreter” in their names.
What is a subject?
Subject – entity that requests access to a resource. The subject usually performs the request on behalf of a principal.
What is an object?
Object – entity that is, or contains, the requested resource
What does AAA stand for, and what is the difference between each?
Authentication, Authorization, and Accounting are known as “AAA.” Several protocols exist to implement them.
Define Authentication.
Authentication – challenge issued to user to prove their identity.
- Auth by knowledge – user provides a secret. Ex: password, PIN, answers to security questions, etc.
- Auth by ownership – user must provide proof of owning something specific. Ex: employee badges, smart cards, randomized tokens.
- Auth by characteristic – user provides biometric or behavioral attributes. Ex of biometric: fingerprint, facial recognition, eye scan, voice, etc. Ex of behavioral characteristic: signature, keystroke pattern.
Define authorization
Authorization – process that grants subject access to object. These come in the form of permissions.
- Need to Know – access is granted only if the job role requires it. Put another way: grant users the least possible permissions needed to complete their jobs. Ex: a user in the engineering dept shouldn’t have permissions to HR files.
- Implicit Deny – if no permission is specified, access is implicitly denied.
- Think RWX in Linux: read, write, execute. Windows uses similar permissions.
- Linux breaks permissions into 3 levels: owner, group, other (everyone else).
Define Accounting
Accounting – process of logging and monitoring what a user does once a resource is accessed.
- Accounting is critical in security. The trail of actions helps provide non-repudiation.
- Non-repudiation – in security, refers to a collection of facts proving that a user (or someone masquerading as the user) took some action.
Which authentication by characteristic is highly error prone?
- Auth by behavioral characteristic is error prone. It should not be implemented as the only authentication challenge; in other words, use it only in multifactor auth processes.
What’s the Linux command to print permissions for the current directory contents?
ls -la prints permissions in Linux
Define DAC.
Discretionary access control – in this model, access is decided by the object owner. If a user creates a file, the user owns that file and can decide who else can access it.
- Primary benefit is the simplicity.
- Two big disadvantages: 1. No centralized technical control; 2. Privilege creep.
- Privilege creep – when permissions are granted to a user but never revoked, even when the user no longer needs access to the object.
Define MAC models
Mandatory access control – access authorization is provided by the operating system. Owner has no control over who can access the resource.
- Used in high security environments.
- Labels are applied to objects that indicate:
1. security level (Top Secret, Secret, Confidential, etc.)
2. category (category description is up to the organization; usually indicates the workgroup, department, project, etc.)
- Labels are also applied to subjects, indicating the subject’s clearance level.
- Example of a MAC-based OS: SELinux.
- Disadvantages: 1. Rigid enforcement; 2. Complicated to administer.
Define RBAC models
Role-based access control – this model uses a subject “role” to make authorization decisions.
- Each role (not the subject) is assigned permissions over an object.
- In Windows, a role is equivalent to a group. You assign permissions to the group, and place as many users as needed into the group.
- Each subject must be assigned to at least one role, but can be assigned multiple roles.
- Offers great flexibility and scalability.
- Drawback: can be complex to manage when many users are members of many groups with many permissions; essentially, a many-to-many relationship.
What are the two forms of reconnaissance? Name some examples.
Two forms: passive & active
A Google search and social media are passive; an nmap scan and Burp Suite are active.
Passive recon – no active scanning of target network; instead, search engines and open source tools are used to find publicly available information.
Active recon – attacker actively scans target network
What is Shodan?
Shodan – online database of pre-scanned network devices with public IP addresses; basically, if a device has a public IP address, Shodan has a record for it. (Passive)
- Data includes IP addresses, open ports, running services, APIs, etc.
- Has search filters that allow fine-tuning of results based on country, CIDR block, open ports, etc.
What’s the difference between a SYN and FIN scan?
- TCP SYN – also known as a half-open scan; the TCP handshake is reset by the scanner if the target port responds with SYN/ACK; originally considered a stealthy scan, but most IDSs can detect them now.
- TCP FIN – skips the TCP handshake and instead sends a FIN packet to the target port. Effective for Unix/Linux targets, but not Windows. Open ports give no response. Closed ports respond with an RST/ACK packet.
What’s the difference between a NULL and XMAS scan?
- TCP NULL – scanner sends a packet with no flags set; originally a stealthy scan, but now easily detectable, because legitimate traffic will always have at least one TCP flag set.
- TCP XMAS – named XMAS due to all TCP flags being set (lit up like a Christmas tree). Effective against Unix/Linux, but not Windows.
How do you run an aggressive nmap scan?
nmap -A [target]
How do you run an OS detection scan with nmap?
nmap -O [target]
What is Aircrack-ng?
Aircrack-ng – suite of tools for assessing wireless network security. Included with Kali.
aircrack-ng – component of the suite used for the actual wireless PSK cracking.
WEP was replaced with what and what actually got implemented?
WPA was intended to replace WEP; however, it was also too easy to crack.
So WPA3 was implemented, which replaces the pre-shared key (PSK) exchange with the Simultaneous Authentication of Equals (SAE) exchange.
- Wired Equivalent Privacy (WEP) – oldest and weakest wireless encryption.
What can you do to secure your own network?
Use a long, complex password (12+ characters, upper case, lower case, digits, and special characters).