GCGA Ch. 4 Securing Your Network Flashcards
IDS
intrusion detection system - inspects network traffic in order to detect malicious activity or policy violations; out-of-band, passive.
IPS
intrusion prevention system - monitors network traffic and takes automated actions to prevent threats, such as blocking or terminating connections. Placed in-line (in-band) with traffic & can stop attacks before they reach internal network; can actively monitor data streams, detect malicious content, and prevent it from reaching a network.
HIDS vs NIDS
A host-based IDS (HIDS) can detect attacks on local systems such as workstations and servers. The HIDS monitors local resources on the host and can detect some malware that isn’t detected by traditional antivirus software. A network-based IDS (NIDS) detects attacks on networks.
Signature-based IDS or IPS
uses signatures to detect known attacks or vulnerabilities.
Trend-based IDS
(also called anomaly-based IDSs) requires a baseline and detects attacks based on anomalies or when traffic is outside expected boundaries.
SCADA network
Supervisory Control And Data Acquisition - an architecture that enables industrial organizations to manage, monitor, and control processes, machines, and plants.
Honeypots & honeynets
appear to have valuable data and attempt to divert attackers away from live networks. Security personnel use them to deceive attackers, disrupt attacks, and observe attackers’ current attack methodologies. A honeyfile is a file designed to attract the attention of an attacker. Honeytokens are fake records inserted into databases to detect data theft.
Wireless AP
Wireless access points (APs) connect wireless clients to a wired network.
SSID
The service set identifier (SSID) is the name of the wireless network. Disabling the SSID broadcast hides a wireless network from casual users.
MAC filtering
you can restrict access to wireless networks with media access control (MAC) filtering. However, attackers can discover authorized MACs and spoof an authorized MAC address.
Site survey
examines the wireless environment to identify potential problem areas. Wireless footprinting uses a heat map to give you a detailed diagram of wireless access points, hotspots, and dead spots within an organization.
Wi-Fi analyzers
show signal levels on individual wireless frequency channels.
WPA2
Wi-Fi Protected Access 2 - uses AES with CCMP and supports open, pre-shared key (PSK), and Enterprise modes. Enterprise mode is more secure than Personal mode because it adds authentication. It uses an 802.1X authentication server implemented as a RADIUS server.
WPA3
Wi-Fi Protected Access 3 - uses Simultaneous Authentication of Equals (SAE) instead of the PSK. WPA3 supports Enterprise mode, similar to WPA2 Enterprise mode. Open mode doesn’t use a PSK or an 802.1X server. Many hotspots use Open mode when providing free wireless access to customers. WPA3 offers a secure open mode that uses encryption, while earlier protocols offer insecure open modes that are subject to eavesdropping.
802.1X servers’ EAP versions
use one of the Extensible Authentication Protocol (EAP) versions, such as Protected EAP (PEAP), EAP-Tunneled TLS (EAP-TTLS), EAP-TLS, or EAP-Flexible Authentication via Secure Tunneling (EAP-FAST). The most secure EAP method is EAP-TLS, and it requires a certificate on the server and on each of the clients. PEAP and EAP-TTLS require a certificate on the server, but not the client.
802.1X server authentication
provides strong port security using port-based authentication. It prevents rogue devices from connecting to a network by ensuring only authorized clients can connect.
Captive portal
forces wireless clients to complete a process, such as acknowledging a policy or paying for access, before it grants them access to the network.
Disassociation attack
effectively removes a wireless client from a wireless network, forcing the wireless client to reauthenticate.
WPS
Wi-Fi Protected Setup - allows users to easily configure a wireless device by pressing a button or entering a short PIN. WPS is not secure with WPA2. A WPS attack can discover the PIN within hours. It then uses the PIN to discover the passphrase. However, WPA3 thwarts WPS attacks.
Rogue AP
A rogue access point (rogue AP) is an AP placed within a network without official authorization. An evil twin is a rogue access point with the same or similar SSID as a legitimate access point.
Jamming attack
floods a wireless frequency with noise, blocking wireless traffic.
IV attack
An initialization vector (IV) attack attempts to discover the IV and uses it to discover the passphrase. Near field communication (NFC) attacks use an NFC reader to read data from mobile devices.
RFID attack
Radio-frequency identification (RFID) attacks include eavesdropping, replay, and DoS.
Bluejacking
the practice of sending unsolicited messages to a phone. Bluesnarfing is the unauthorized access to or theft of information from a Bluetooth device. Placing devices into conductive metal lockboxes that act as a Faraday cage will block Bluetooth attacks.