Last Concepts Flashcards
What are Typical Cloud based attacks?
- Weak Authentication
- Misconfiguration
- Insufficient Network Segmentation
- Poor Access Controls
- Side-Channel Attacks
CASB: Functions and Implementations
Cloud Access Security Broker
- Enterprise management software
- Designed to mediate access to cloud services
- Provides visibility into how clients and other network nodes are using cloud services
Functions:
* SSO, access control, authentication
* Malware scanning
* Monitoring and auditing of user and resource activity
* Mitigating data exfiltration
Implemented as:
* Forward proxy (on the client side; needs an agent or proxy setting on each endpoint, so unmanaged devices bypass it)
* Reverse proxy (in front of the cloud service; no client configuration, but only covers the sanctioned apps it fronts)
* API (out of band, via the cloud provider's API; sees data at rest and activity logs, but cannot block a request in real time)
NetFlow: Sources and Features
- Exporters send flow records to a flow collector
- Used for network security monitoring
- Records metadata and statistics about network traffic (source/destination address, port, protocol, byte and packet counts, timestamps), rather than each frame
- Originally a Cisco technology
- Redeveloped as IP Flow Information Export (IPFIX), an IETF standard
Sources:
* Switches, routers, firewalls, web proxies
Features:
* Highlighting of trends in traffic
* Alerting based on anomalies
* Identification of traffic patterns revealing rogue user behavior, malware in transit, tunneling or bandwidth exceeding
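The three detections named on this card (exfiltration, malware beaconing, tunneling) are easy to express over flow records because a flow carries exactly the metadata the card lists. The following is an added example, not part of the original flashcards or of any NetFlow tool: the flow records are constructed for the demonstration, and the thresholds (1 GB outbound, a 5-second jitter tolerance, 300 bytes per DNS packet) are assumed tuning values a real deployment would baseline from its own traffic.

```python
"""Toy NetFlow-style analysis over constructed flow records.

Each record is (start_time_s, src_ip, dst_ip, dst_port, proto, bytes_out, packets);
real exporters (NetFlow v9 / IPFIX) carry more fields, but these are enough to show
the three patterns: volume outliers, beaconing and oversized DNS.
"""
from collections import defaultdict

# Constructed sample flows (not captured from a real network).
FLOWS = [
    (0,   "10.0.0.5",  "93.184.216.34", 443, "tcp", 52_000, 60),
    (300, "10.0.0.5",  "93.184.216.34", 443, "tcp", 48_000, 55),
    # beaconing: same host and destination, fixed 60 s interval, tiny payloads
    (0,   "10.0.0.9",  "203.0.113.7",   443, "tcp", 900, 4),
    (60,  "10.0.0.9",  "203.0.113.7",   443, "tcp", 880, 4),
    (120, "10.0.0.9",  "203.0.113.7",   443, "tcp", 910, 4),
    (180, "10.0.0.9",  "203.0.113.7",   443, "tcp", 895, 4),
    (240, "10.0.0.9",  "203.0.113.7",   443, "tcp", 905, 4),
    # exfiltration: one host pushes far more outbound bytes than anyone else
    (100, "10.0.0.21", "198.51.100.12", 22,  "tcp", 2_400_000_000, 1_800_000),
    # DNS tunneling: high-volume DNS with an average packet size no real query has
    (10,  "10.0.0.33", "198.51.100.53", 53,  "udp", 4_000_000, 9_000),
    (70,  "10.0.0.33", "198.51.100.53", 53,  "udp", 3_800_000, 8_700),
    (20,  "10.0.0.2",  "10.0.0.53",     53,  "udp", 6_000, 60),
]


def bytes_per_source(flows):
    """Total outbound bytes per source host."""
    totals = defaultdict(int)
    for _, src, _, _, _, nbytes, _ in flows:
        totals[src] += nbytes
    return dict(totals)


def find_exfiltration(flows, threshold_bytes=1_000_000_000):
    """Hosts whose total outbound volume exceeds the threshold (assumed 1 GB default)."""
    return sorted(src for src, total in bytes_per_source(flows).items()
                  if total > threshold_bytes)


def find_beacons(flows, min_flows=4, max_jitter_s=5, max_bytes=2_000):
    """(src, dst, port) tuples with regularly spaced, low-volume connections."""
    by_pair = defaultdict(list)
    for start, src, dst, port, _, nbytes, _ in flows:
        by_pair[(src, dst, port)].append((start, nbytes))
    beacons = []
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        starts = sorted(s for s, _ in recs)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        # near-constant inter-arrival time plus tiny payloads is the beacon signature
        if max(gaps) - min(gaps) <= max_jitter_s and max(n for _, n in recs) < max_bytes:
            beacons.append(pair)
    return beacons


def find_dns_tunneling(flows, max_avg_bytes_per_packet=300):
    """DNS flows whose average packet size is far above a normal query/response."""
    suspects = set()
    for _, src, dst, port, proto, nbytes, packets in flows:
        if port == 53 and packets and nbytes / packets > max_avg_bytes_per_packet:
            suspects.add((src, dst))
    return sorted(suspects)


if __name__ == "__main__":
    print("exfiltration:", find_exfiltration(FLOWS))
    print("beacons:", find_beacons(FLOWS))
    print("dns tunneling:", find_dns_tunneling(FLOWS))
```

The same functions run unchanged over exported records once you map the collector's field names onto the tuple layout; the part that needs care in production is the baseline, since a backup server legitimately exceeds the exfiltration threshold every night.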
Rootkit and what it does
- Class of malware
- Modifies system files
- Often operates at kernel level (user-mode rootkits hook application APIs instead)
- Conceals its presence
What it does:
* Runs with SYSTEM-level privileges
* Compromises system files and programming interfaces:
- Local tools such as Explorer, taskmgr, tasklist and netstat no longer reveal its presence
* May contain tools for cleaning system logs
Cipher Suite
Set of algorithms, supported by both the client and server, used to perform the key exchange, authentication, encryption and hashing operations required by the protocol
Main Features of TLS 1.3
- Removes the ability to perform downgrade attacks: insecure features and algorithms (static RSA key exchange, RC4, 3DES, CBC modes, SHA-1 MACs, compression, renegotiation) can no longer be negotiated, and every remaining suite is an AEAD cipher with forward secrecy
- Changes in the handshake protocol reduce the number of messages (1-RTT, with optional 0-RTT resumption) and speed up connections
TLS and its implementation
- Used within HTTP (HTTPS)
- Secures other application protocols (SMTP, POP3, IMAP, LDAP, ...)
- VPNs (SSL/TLS VPNs)
Implementation
* Server is assigned a digital certificate, signed by a trusted CA
* Server uses its key pair and the TLS protocol to agree on mutually supported ciphers and negotiate an encrypted communication session
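The "agree on mutually supported ciphers" step from the card above, and the cipher-suite and TLS 1.3 cards before it, come down to two lists and a preference rule. The following is an added example, not code from the original page or from any TLS library: the suite names are real OpenSSL/IANA names, but the client offer and server preference lists are constructed, the weak-marker list is an assumption (a real server would apply a vetted policy), and the name parser only models the RSA/ECDSA suites with (EC)DHE or static RSA key exchange, not PSK, SRP or anonymous families.

```python
"""Cipher-suite negotiation: the server walks its own preference order and picks the first
suite the client also offers, refusing legacy algorithms. harden_context() shows the
client-side counterpart with the standard library: refuse anything below TLS 1.3.
"""
import ssl

HASHES = {"MD5", "SHA", "SHA256", "SHA384"}
# Assumed blocklist of substrings that mark a legacy suite (RC4, 3DES, NULL, export, MD5, anonymous DH).
WEAK_MARKERS = ("RC4", "DES-CBC3", "NULL", "EXP", "MD5", "ADH", "AECDH")

# Constructed lists for the demonstration.
CLIENT_OFFER = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-RC4-SHA", "AES128-SHA"]
SERVER_PREFERENCE = ["ECDHE-RSA-RC4-SHA", "TLS_AES_256_GCM_SHA384", "AES128-SHA"]


def classify_suite(name):
    """Split a suite name into key exchange, authentication, cipher and hash.

    TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry only the AEAD cipher and hash: key
    exchange is always (EC)DHE and authentication always comes from the certificate.
    """
    if name.startswith("TLS_"):
        cipher, _, hsh = name[4:].rpartition("_")
        return {"version": "1.3", "kex": "ECDHE", "auth": "certificate",
                "cipher": cipher, "hash": hsh, "pfs": True}
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE"):
        kex, auth, rest = parts[0], parts[1], parts[2:]
    else:  # e.g. AES128-SHA: static RSA key exchange, no forward secrecy
        kex, auth, rest = "RSA", "RSA", parts
    hsh = rest[-1] if rest[-1] in HASHES else "AEAD"     # AEAD suites name no separate MAC
    cipher = "-".join(rest[:-1] if hsh != "AEAD" else rest)
    return {"version": "1.2", "kex": kex, "auth": auth, "cipher": cipher,
            "hash": hsh, "pfs": kex in ("ECDHE", "DHE")}


def is_weak(name):
    """A legacy cipher or MAC, or a key exchange without forward secrecy, is unacceptable."""
    return any(m in name for m in WEAK_MARKERS) or not classify_suite(name)["pfs"]


def negotiate(server_preference, client_offer):
    """Server-preference negotiation; None means the server would send handshake_failure."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered and not is_weak(suite):
            return suite
    return None


def harden_context():
    """Client context that cannot be talked down below TLS 1.3 (real stdlib API)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


if __name__ == "__main__":
    print("negotiated:", negotiate(SERVER_PREFERENCE, CLIENT_OFFER))
    for suite in CLIENT_OFFER:
        print(suite, "weak" if is_weak(suite) else "ok", classify_suite(suite))
```

Note that the server's first preference (RC4) is skipped even though the client offered it; in a real deployment that suite would not be in the server list at all, which is exactly the property TLS 1.3 enforces by construction.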
SNMP
Framework for management and monitoring of network devices
Consists of:
Agents
* Maintain a database (MIB, management information base) that holds statistics relating to the activities of the device
* Process running on a switch, router or server
Monitors
* Software program
* Provides a location from which network activity can be overseen
* Polls all agents for MIB data and receives traps from them
Use SNMP v3 whenever possible:
encryption and strong user-based authentication (v1 and v2c rely on a plaintext community string that anyone sniffing the network can reuse)
SMTPS
- Message delivery
- Can be secured using TLS (implicit TLS on port 465, or STARTTLS on the submission port 587)
POP3S
- Mailbox protocol (port 995 with TLS)
- Stores messages delivered by SMTP on a server
- Downloads messages to the recipient's email client
Email Security
- Three main technologies
- Verifying the authenticity of emails
- Preventing phishing and spam
SPF
* Email authentication method
* Detects and prevents sender address forgery
* Verifies the sending server's IP against the addresses the domain publishes in its SPF (TXT) DNS record
DKIM
* Leverages cryptographic features (digital signatures, not encryption) to enable email verification
* Allows the sender to sign emails with a digital signature; the public key is published in DNS
DMARC
* Uses the results of SPF and DKIM, and requires the authenticated domain to align with the domain in the From: header
* Policy: moving messages to quarantine, rejecting them or tagging them
* Reporting capabilities (aggregate and forensic reports sent to the domain owner)
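The SPF and DMARC cards above describe two decisions a receiving mail server makes: does the connecting IP match the sender domain's published record, and, combining that with the DKIM result, which DMARC disposition applies. The following is an added example, not code from the original page or from any mail server: the SPF and DMARC records are constructed, only the ip4/ip6/all mechanisms are evaluated (include:, a and mx need live DNS lookups), the pct= sampling tag is ignored, and the organizational domain is approximated as the last two labels, which is wrong for suffixes such as co.uk where a real implementation consults the Public Suffix List.

```python
"""SPF check against ip4/ip6 mechanisms, then the DMARC decision that combines SPF and
DKIM results with identifier alignment (relaxed vs strict)."""
import ipaddress

# Constructed records for the demonstration.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
EXAMPLE_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Evaluate sender_ip against an SPF record: 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            # an IPv4 sender is never inside an IPv6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "all":
            matched = True
        # include:/a/mx are skipped here because they require DNS resolution
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"   # RFC 7208 default when no mechanism matches


def org_domain(domain):
    """Assumed approximation: last two labels (a real validator uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs identical domains; relaxed ('r') accepts the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(record):
    """Tag=value pairs separated by ';', keys lowercased."""
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """'pass' if SPF or DKIM passed AND that identifier aligns with From:, else the published policy."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")   # 'none', 'quarantine' or 'reject'


if __name__ == "__main__":
    print(spf_check(EXAMPLE_SPF, "192.0.2.10"), spf_check(EXAMPLE_SPF, "198.51.100.1"))
    print(dmarc_disposition(EXAMPLE_DMARC, "example.com",
                            "pass", "mail.example.com", "fail", "example.com"))
```

The alignment step is the one people forget: an SPF pass for a forwarding service's own domain does not help the From: domain, which is why the third case in the test below ends in reject even though SPF passed.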
IMAPS
- Mailbox protocol (port 993 with TLS)
- Supports persistent connections to the server
- Connects multiple clients to the same mailbox simultaneously
HSTS
HTTP Strict Transport Security
* Web security policy mechanism
* Forces web browsers to interact with a website ONLY over HTTPS
* Delivered as a response header (Strict-Transport-Security: max-age=...; includeSubDomains) and only honoured when received over HTTPS
Helps protect against:
* Downgrade attacks, cookie hijacking, on-path attacks
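What "forces the browser" means in practice is a small state machine on the client: parse the header, remember the host until max-age expires, and rewrite later http:// navigations before any request leaves the machine. The following is an added example, not code from the original page or from any browser: the hosts, header values and timestamps are constructed. It keeps the two rules that carry the security value, namely that a policy received over plain HTTP is ignored (otherwise an on-path attacker could plant or clear one) and that a missing max-age invalidates the header.

```python
"""Browser-side HSTS: header parsing, a policy store and the http-to-https upgrade."""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Return {'max_age', 'include_subdomains', 'preload'} or None if the header is invalid."""
    max_age, sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None   # max-age is mandatory; without it the whole header is ignored
    return {"max_age": max_age, "include_subdomains": sub, "preload": preload}


class HstsStore:
    def __init__(self):
        self.hosts = {}   # host -> (expires_at, include_subdomains)

    def observe(self, host, header, received_over_tls, now):
        """Record a policy; returns False when it was ignored."""
        if not received_over_tls:
            return False   # a policy over plain HTTP could have been injected on the path
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.hosts.pop(host.lower(), None)   # max-age=0 tells the browser to forget the host
            return True
        self.hosts[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host, now):
        """Exact match, or a parent domain whose policy has includeSubDomains set."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http:// to https:// for known hosts before the request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname, now):
            netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def run_scenario():
    """Constructed walk-through: the same header once over plain HTTP (ignored), once over TLS."""
    store = HstsStore()
    header = "max-age=31536000; includeSubDomains"
    store.observe("example.com", header, received_over_tls=False, now=1_000)
    store.observe("example.com", header, received_over_tls=True, now=1_000)
    return [
        store.rewrite("http://example.com/login", now=2_000),
        store.rewrite("http://api.example.com/v1", now=2_000),      # covered by includeSubDomains
        store.rewrite("http://example.org/", now=2_000),            # unknown host, untouched
        store.rewrite("http://example.com/", now=1_000 + 31_536_000 + 1),   # policy expired
    ]


if __name__ == "__main__":
    for url in run_scenario():
        print(url)
```

The remaining gap is the very first visit, when the store is empty; that is what the preload list and the preload directive exist for.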
S/MIME
- Protocol securing email communications
- Encrypts emails and enables sender authentication to ensure confidentiality and integrity
- PKI techniques to secure email content
- Digital signatures to support sender verification
But:
* Complicated to implement (every user needs a certificate and key pair)
* Prone to misconfiguration
Email Gateway
- Control point for all incoming and outgoing email traffic
Several security measures:
* Anti-spam filters
* Antivirus scanners
* Threat detection algorithms
* DMARC, SPF, DKIM checks
DNSSEC
- Provides a validation process for DNS responses
- Helps mitigate spoofing and cache poisoning attacks by letting resolvers verify that records are authentic and unmodified
How does it work?
The authoritative server for the zone groups the resource records of one name and type into a "package" (an RRset) and signs it with a private key (the Zone Signing Key), publishing the signature as an RRSIG record. A validating resolver that asks for the record receives the RRset together with its RRSIG, fetches the zone's public key (the DNSKEY record) and uses it to verify the signature. The DNSKEY itself is trusted only because the parent zone publishes a signed DS record containing a hash of the zone's key-signing key, forming a chain of trust from the root down. DNSSEC provides authenticity and integrity, not confidentiality.
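The chain-of-trust step in the paragraph above (parent DS record hashes the child's DNSKEY) and the bookkeeping around signatures can be shown with the standard library alone. The following is an added example, not code from the original page or from any DNS software: the DNSKEY bytes are constructed and are not a real key, the owner name is example.com, and the actual RRSIG signature verification (RSA or ECDSA over the canonical RRset) is left out because it needs an asymmetric-crypto library such as `cryptography` or dnspython. The key tag and DS digest routines follow RFC 4034 (Appendix B and section 5.1.4).

```python
"""DNSSEC validation pieces: canonical owner name, DNSKEY key tag, DS digest check and
RRSIG validity window."""
import hashlib
import struct

# Constructed DNSKEY RDATA: flags 257 (KSK), protocol 3, algorithm 8 (RSA/SHA-256),
# followed by four placeholder public-key bytes. Not a real key.
EXAMPLE_KEY = struct.pack("!HBB", 257, 3, 8) + bytes([3, 1, 0, 1])


def canonical_name(name):
    """Owner name in canonical wire form: lowercase labels, length-prefixed, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA layout: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """16-bit key tag used in DS and RRSIG records to select the matching DNSKEY (RFC 4034 App. B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256(canonical owner name || DNSKEY RDATA), hex encoded."""
    return hashlib.sha256(canonical_name(owner) + rdata).hexdigest()


def ds_matches(owner, rdata, published_ds):
    """Chain-of-trust check: the child's DNSKEY must hash to the DS the parent zone signed.

    published_ds is (key_tag, algorithm, digest_type, digest_hex), the DS record fields.
    """
    tag, alg, dtype, digest = published_ds
    return (dtype == 2 and tag == key_tag(rdata) and alg == rdata[3]
            and digest.lower() == ds_digest(owner, rdata))


def rrsig_time_valid(inception, expiration, now):
    """An RRSIG is usable only inside [inception, expiration] (32-bit serial wrap ignored)."""
    return inception <= now <= expiration


if __name__ == "__main__":
    ds = (key_tag(EXAMPLE_KEY), 8, 2, ds_digest("example.com", EXAMPLE_KEY))
    print("key tag:", ds[0])
    print("DS record would be:", ds)
    print("matches:", ds_matches("Example.COM.", EXAMPLE_KEY, ds))
```

Case-insensitive matching is deliberate: `ds_matches` accepts the owner name in any case because the digest is computed over the canonical (lowercased) form, which is what makes a DS from the parent zone comparable with whatever spelling the child's response used.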
How should data be securely erased from an SSD, and why is it different from HDD erasure methods?
Securely erasing data from an SSD typically involves using the manufacturer's tools or firmware commands such as:
* ATA Secure Erase
* ATA Enhanced Secure Erase
* NVMe Format / Sanitize, or a crypto-erase that discards the drive's internal encryption key
which trigger the SSD's built-in erasure routines.
This process is different from HDD erasure due to SSDs' wear-leveling mechanisms and over-provisioned spare blocks: a host-level overwrite never reaches every physical cell, so traditional multi-pass overwriting is ineffective. Degaussing does not work on SSDs either, since they are not magnetic.
Parsing
- Software component
- Breaks down data into smaller elements for analysis
- Used in IDS, SIEM and antivirus (parsers are also a frequent source of vulnerabilities when fed untrusted input)
Watermarking
- Embeds information into digital media
- Protects copyrights, verifies authenticity, traces unauthorized distribution
- Enables tracking of sensitive information
USB tethering: what is it, and what security implications does it have for a network?
USB tethering is a method to share a device's internet connection with another device via a USB cable.
The security implications include:
* potential unauthorized access to the network
* bypassing network security measures (the tethered host gains an internet path that skips the corporate firewall, proxy and DLP)
* exposing the network to vulnerabilities from the tethered device.
Service Set Identifiers (SSIDs) in wireless networking and their importance in network security
- Each network is identified to users by its service set identifier (SSID)
- Can be used in rogue access point and evil twin attacks to mimic and spoof a legitimate network; the SSID alone proves nothing, so clients must validate the network itself (e.g. the RADIUS server certificate in WPA2/WPA3-Enterprise)
NAC
Network Access Control
* Authenticates users and devices before granting network access
* ALSO checks and enforces compliance with established security policies
* Devices must meet a minimum set of security standards before access
- Leverages dynamic VLAN assignment based on user identity, attributes, device type, location and health check
- NAC can automatically quarantine a device in a remediation VLAN
NAC Agent vs. Agentless
Agent
* Software agent installed on the device
* Communicates with the NAC platform
* Detailed information about the device's status and compliance level
Automatic remediation:
Updating software, disabling specific settings
Can be persistent:
Installed as software
Nonpersistent:
Loaded into memory during posture assessment but not installed
Agentless
* Port-based NAC (802.1X) or network scans to evaluate devices
* DHCP fingerprinting to identify device type and configuration
* Not as detailed, but can be used with any device that connects to the network
Screened Subnet
- Also known as perimeter network (or DMZ)
- Creates an additional layer of protection between the internal network and the Internet
Neutral zone:
* Separates public-facing servers from sensitive internal network resources
* Often hosts web, email, DNS and FTP services
Firewalls
1. Between the Internet and the screened subnet: allow traffic only to the services hosted in the subnet
2. Between the screened subnet and the internal network: block most traffic into the internal network, so a compromised public server cannot reach it freely
Example of network segmentation
Fileless Malware
- Uses memory-resident techniques to run its own processes
- Runs within a host process or DLL
- Lightweight shellcode
- Uses legitimate system scripting tools: PowerShell and WMI
DLL Injection
DLL injection is a technique used by attackers to run unauthorized code within the address space of another process by forcing it to load a dynamic-link library (DLL). This can compromise system security by allowing attackers to execute malicious actions or escalate privileges within the context of legitimate applications, often bypassing security measures and controls.
Buffer Overflow
- More data is written to a buffer than it can hold
- Causes the data to overflow into adjacent memory
Can lead to:
Arbitrary code execution
System crashes
Privilege escalation
Mitigations: bounds checking, stack canaries, DEP/NX, ASLR
How do infrared, ultrasonic, and pressure sensors contribute to physical security systems?
Infrared
* Detects heat and movement
Ultrasonic
* Uses sound waves to detect objects and movement
Pressure sensors
* Detect weight and force on a surface
RAID/SAN/NAS
- Data storage and management
- SAN: block-level storage over a dedicated storage network (Fibre Channel, iSCSI)
- NAS: file-level storage shared over the LAN (SMB, NFS)
RAID
* Redundant Array of Independent Disks
* Stores the same data in different places on multiple hard disks (mirroring), or stripes data with parity across disks
* Protects data in case of disk failure (not a backup: deletions and ransomware replicate to every disk)
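The card describes mirroring; the parity variant (RAID 5) reaches the same goal, survival of one failed disk, while storing only one extra block per stripe. The following is an added example, not code from the original page or from any RAID implementation: the data blocks are constructed, and it generalizes the card to XOR parity, where the parity block is the XOR of the data blocks and any single missing block is the XOR of the survivors. RAID 6 adds a second, differently computed parity block to survive two failures; that is not shown.

```python
"""RAID 5 style stripe: N data blocks plus one XOR parity block; rebuild any single block."""


def xor_blocks(blocks):
    """XOR equal-length byte blocks together."""
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("all blocks in a stripe must be the same size")
    out = bytearray(size)
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def write_stripe(data_blocks):
    """Full stripe as stored on N+1 disks: the data blocks followed by their parity block."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def rebuild(stripe, failed_index):
    """Reconstruct the block of one failed disk (data or parity) from the surviving disks."""
    survivors = [blk for i, blk in enumerate(stripe) if i != failed_index]
    return xor_blocks(survivors)


def recover_stripe(stripe, failed_index):
    """Return a copy of the stripe with the failed disk's block rebuilt."""
    repaired = list(stripe)
    repaired[failed_index] = rebuild(stripe, failed_index)
    return repaired


def parity_consistent(stripe):
    """Scrub check: XOR of data blocks must equal the stored parity block."""
    return xor_blocks(stripe[:-1]) == stripe[-1]


if __name__ == "__main__":
    # Constructed data for three disks plus parity.
    stripe = write_stripe([b"AAAA", b"BBBB", b"CCCC"])
    print("stripe:", stripe)
    print("disk 1 rebuilt:", rebuild(stripe, 1))
    print("parity ok:", parity_consistent(stripe))
```

A second simultaneous failure leaves two unknowns and a single equation, so `rebuild` silently returns garbage in that case; in practice a scheduled `parity_consistent` scrub is what catches a silent second failure before it becomes data loss.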
Proximity reader
- Device used in access control systems
- Reads data from a card or token that is held near it
- Without needing physical contact
Degaussing
- Reduces or eliminates data stored on a magnetic storage medium by destroying its magnetic field
- Hard drives, tapes (ineffective on SSDs and other flash media)