Lynda Notes 2 Flashcards
Anomaly Analysis
Looks for data points that stand out from the rest of the data as clear outliers (AKA Heuristic Analysis)
Trend Analysis
Looks at historical data over time to identify patterns
Behavioral Analysis
Looks at user behavior to detect suspicious or unusual user activity; signature or heuristic analysis could be used for this
Availability Analysis
Provides uptime information
Data Loss Prevention (DLP)
Technology solutions that search systems and monitor networks for sensitive information that is unsecured and provide the ability to remove the information, block the transmission, or encrypt the stored data.
Host-based DLP
Uses software agents installed on a single system
Network-based DLP
Scans network transmissions for sensitive information
Two DLP Mechanisms of Action
- Pattern Matching
- Watermarking (Electronic tagging)
Watermarking
Electronic tags are used to identify sensitive information
Network Access Control (NAC)
Intercepts network traffic coming from unknown devices and verifies that the system and user are authorized before allowing further communication. Uses 802.1X authentication
Supplicant
Special piece of software that performs all of the NAC-related tasks on behalf of the user and system
NAC Roles
- User and Device Authentication
- Role-based access (provides access to networks where needed)
- Posture Checking (Makes sure the device meets security requirements)
NAC Posture Checking
- Verifying Antivirus software present
- Validating current signatures
- Ensuring proper firewall settings
- Verifying presence of security patches
Quarantine network
Where NAC places a device that does not pass the Posture Check
Three types of NAC
- Persistent Agent - NAC software is permanently installed on endpoint devices (time consuming)
- Dissolvable Agent - NAC software is downloaded from a portal for temporary endpoint use and removed once the NAC process is complete
- Agentless - NAC systems that don’t require installation of an agent
Mail Gateway Actions
- Allows a message to be sent
- Block or quarantine a message
- Tag the message with a warning to the recipient that it is suspicious
- Encrypt the message
Mail Gateway Filtering
- Text Analysis
- Signature Detection
- URL Filtering
Steganography
Hiding information within other information
tcpdump
Open-Source command line packet sniffing tool
Two most commonly used packet sniffers (Protocol Analyzers)
Wireshark and tcpdump
Most common network mapping tool
Nmap
Metasploit
Most common exploitation framework - uses modular plugins
ICMP
Internet Control Message Protocol
ARP
Address Resolution Protocol - Translates between IP addresses at the network layer and MAC addresses at the Ethernet layer. (Only works on local networks)
netstat
Shows connections active on a system (ss on Linux systems is the equivalent)
nc command
Opens raw network connections on Mac and Linux. You can send and receive raw text on a network connection
dig
Command used to perform domain lookups on Mac and Linux systems (nslookup is the equivalent on Windows)
nslookup
Performs DNS lookups on Windows systems
Whois
Discovers ownership information about domains and IP addresses
Reverse Whois
Discovers domains associated with a name or email address
CER (Canonical Encoding Rules)
Files are stored as ASCII files
DER (Distinguished Encoding Rules)
Files are stored as binary files
Difference between an HSM and TPM
An HSM (Hardware Security Module) is a removable or external device; a TPM (Trusted Platform Module) is a chip embedded in the motherboard. TPMs cannot be added at a later date.
Similarities of an HSM and TPM
Both HSM and TPM provide secure encryption capabilities by storing and using RSA keys.
HSM (Hardware Security Module)
Removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. Server-based applications use an HSM to protect keys