Messer - 4. Network Security Flashcards

1
Q

What is tamper detection?

A

A feature on devices such as computers and servers that notifies you if the case is opened. Should be enabled in BIOS settings. Allows systems to monitor themselves.

Foil asset tags are also available. If the tag is removed, a message is left behind on the device.

2
Q

TACACS stands for _________.

A

Terminal Access Controller Access-Control System

pronounced “tack acks”

3
Q

What is TACACS?

A

A remote authentication protocol similar to RADIUS that uses the AAA framework (i.e. Authentication, Authorization, Accounting).

First used to control access to dial-up lines to ARPANET (ancient precursor to the Internet).

[See AAA and RADIUS in Infrastructure section]

4
Q

What is XTACACS?

A

Extended TACACS

A proprietary Cisco-created version of TACACS that provides additional support for accounting and auditing.

5
Q

What is TACACS+?

A

Latest version of TACACS. (If you’re using TACACS today, this is probably what you’re using.) Often associated with Cisco, but available for many different OSes. Uses a similar topology to RADIUS, but encrypts ALL information between client and server, whereas RADIUS only encrypts the password.

6
Q

SSO stands for ________.

A

Single Sign-On

7
Q

What is Single Sign-On (SSO)?

A

An authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors.

(e.g. If you’re managing a group of switches and routers, you don’t have to log in to each separate device)

[See: Kerberos]

[Reminds me of PTSEM’s website. Had to log in separately for email, library, etc.]

8
Q

What is Kerberos?

A

A network authentication protocol that offers single sign-on (SSO) functionality, which enables a user to log in to a system and access multiple resources without needing to repeatedly re-enter a username and password. Not only is this easier and less time-consuming for users, but it also makes the network more secure because it eliminates the need to constantly send security credentials over the network.

It works by issuing cryptographic tickets when someone properly signs in, which can then be shown to other resources on the network. Uses mutual authentication (i.e. with both client and server) to protect against man-in-the-middle or replay attacks.

Used by Microsoft since Windows 2000, and used in Active Directory. But it is non-proprietary and cross-platform. However, it does not work with every device; e.g. if your switches aren’t Kerberos-friendly, you may need to use a different authentication method.

9
Q

What is Active Directory?

A

A Microsoft product used to centrally organize IT assets like users, computers, and printers. Allows IT admins to group people together, manage access to various devices, and provide single sign-on access to those devices (with the help of Kerberos). Integrates with most Microsoft Office and Server products. Offers LDAP support to allow LDAP-based applications to work with an existing Active Directory environment.

10
Q

LDAP stands for ________.

A

Lightweight Directory Access Protocol

11
Q

What is Lightweight Directory Access Protocol (LDAP)?

A

A protocol for accessing and querying directory services systems. In the context of the N+, these directory services systems are most likely to be based on UNIX or Microsoft Active Directory. Although LDAP supports command-line queries executed directly against the directory database, most LDAP interactions are via utilities such as an authentication program (network logon) or locating a resource in the directory through a search utility.

12
Q

LDAP is a derivative of the ______ protocol, also known as _______. The main advantage of LDAP is that it’s _______.

A

X.500
DAP
lightweight (duh)

13
Q

What is local authentication? And what are its advantages and disadvantages?

A

Authentication done locally on a machine by an operating system using values / credentials stored within it, i.e. an alternative to using a centralized authentication server or service. Basically the opposite of technologies that use the AAA framework (e.g. RADIUS, TACACS, Kerberos).

The advantage is that it works if there’s no Internet connectivity, or if the AAA server is unavailable. Functions as a backup that allows you to still access routers, switches, firewalls, etc.

The downside, of course, is that by not using a centralized database, it’s difficult to scale. All changes must be made across individual devices.

14
Q

PKI stands for ______.

A

Public Key Infrastructure

15
Q

What is PKI?

A

A collection of software, standards, and policies combined to govern the issuance of digital certificates to protect sensitive data, provide unique digital identities for users, devices and applications and secure end-to-end communications. Uses a public and private cryptographic key pair obtained and shared through a trusted authority.

[Not sure how much we really need to know about PKI. It’s only listed in glossary of exam objectives. But I feel like it’s important to understand Certificates, which are definitely in objectives. Messer is pretty weak on this topic]

16
Q

Explain how PKI’s encryption works.

A

PKI uses asymmetrical encryption, which basically just means you have two mathematically / algorithmically related keys.

If we use a public key to encrypt something, only the private key can decrypt it. This is great for secret correspondence. Just hand out the public key, and people can send us communication that only we can decrypt.

But if I understand properly, we can also use the private key to encrypt something. And anyone can use the public key to decrypt it. Because we’re the only ones who can encrypt a message that the public key can decrypt, we’re able to prove our identity. So this would be helpful for digitally signing a document.

[Note: This is my own understanding based on looking at a few resources. Messer did not cover this at all]

17
Q

What are four important components of a PKI?

A

Certificates
Certificate Authorities (CAs)
Certificate Templates
Certificate Revocation List (CRL)

18
Q

What are certificates?

A

Electronic credentials that validate users, computers, or devices on the network. A digitally signed statement that associates the credentials of a public key to the identity of the person, device, or service that holds the corresponding private key.

ex. Certificates can be stored on a laptop or thumb drive, then accessed during the log-in process. They can also be on smart cards, which you can slide into a computer for access (along with a PIN).

19
Q

What are Certificate Authorities (CAs)?

A

Issuers and managers of certificates. They validate the identity of a network device or user requesting data. CAs can be either independent third parties, known as public CAs, or they can be organizations running their own certificate-issuing server software, known as private CAs.

20
Q

What are Certificate Templates?

A

Templates used to customize certificates issued by a certificate server. This customization includes a set of rules and settings created on the CA and used for incoming certificate requests.

[Don’t really get this one]

21
Q

What is a Certificate revocation list (CRL)?

A

A list of certificates that were revoked before they reached the certificate expiration date. Certificates are often revoked because of security concerns, such as a compromised certificate.

22
Q

What are the five possible factors in Multi-Factor Authentication? Give examples.

A

Something you know (e.g. password, PIN, swipe pattern)
Something you have (e.g. smart card, dongle, USB token, phone)
Something you are (e.g. biometrics: fingerprint, voice, iris scan, gait)
Something you do (e.g. handwriting analysis, typing technique)
Somewhere you are / geolocation (e.g. IP address)

23
Q

NAC stands for _________.

A

Network Access Control

Cisco calls their flavor Network Admission Control

24
Q

What is Network Access Control (NAC)? Describe how it works.

A

A standardized approach for verifying that a node (i.e. device) meets certain minimum security criteria before it is allowed on a network. Certain advanced Cisco devices (e.g. switches and routers) use a feature called ‘posture assessment’ to do this. It includes checking for things like the type and version of anti-malware, type and version of OS, level of QoS, presence of digital certificates, presence of keyloggers, whether the machine is physical or virtual, etc.

If everything checks out, the host will be granted access to the production network. Otherwise, the host can be denied access, or quarantined on a non-production network.

The criteria to be assessed are gathered by a NAC agent, a piece of software that sits on the device being assessed.

25
Q

What is 802.1X?

A

802.1X is a port-based network access control (PNAC) mechanism. Available for wired networks, VPNs, and wireless access points. [But mainly used for wireless??] It’s a complete authentication standard designed to force devices to go through a full AAA process to get anywhere past the interface on a gateway system. Before 802.1X, a system on a wired network could always access another system’s port. Granted, an attacker wouldn’t be able to do much until he gave a user name/password or certificate, but he could still send packets to any computer on the network.

802.1X worked hard to use already existing technologies. For wired connections, 802.1X commonly uses RADIUS as an authentication server. However, other AAA authentication servers can be used, such as LDAP and TACACS+.

802.1X combines RADIUS-style AAA with EAP (for password encryption, I assume). The folks who developed 802.1X saw it as a total replacement for every other form of authentication (even Kerberos), but according to Meyers, only wireless networking broadly adopted 802.1X.

Allows for administratively disabling unused ports / interfaces, and for duplicate MAC address checking to prevent spoofers from trying to get around NAC.

[Btw, Prof. Messer says a capital letter like ‘X’ in an IEEE standard indicates that it’s a standalone standard. Lower-case letters identify amendments / supplements / revisions to existing standards, e.g. WiFi standards like 802.11g]

26
Q

When using wired 802.1X, what is a supplicant, control port, and authenticator?

A

supplicant - The device (or a client on that device?) that is attempting to connect to a protected network and that requires authentication

control port - The port that a supplicant is plugged into, and that ultimately controls access to the network

authenticator - The switch that is set up for 802.1X

[Messer says there’s also usually an authentication / AAA server on the back-end.]

27
Q

What is port security?

A

A form of access control that restricts specific MAC addresses OR a specific number of MAC addresses on a physical port. Commonly implemented by network admins to mitigate the threat of end users plugging in hubs, switches, or wireless access points (WAPs) to extend the switching of a single port.

28
Q

What is MAC filtering?

A

A form of access control that restricts or allows specific MAC addresses (i.e. the unique hardware address of every device) to be forwarded by a switch or wireless access point.

The Zacker book says MAC filtering is a very effective method of security, because of the difficulty an attacker has identifying the specific MAC addresses that are allowed to be forwarded by a switch or WAP.

Messer disagrees. He says it’s easy to find working MAC addresses through packet captures and that MAC addresses can be spoofed, so anyone who knows a working MAC address can easily circumvent the filter. He calls this security through obscurity.

[NOTE: Wireless Access Points (WAPs) use an access control list (ACL) to whitelist or blacklist MAC addresses]

29
Q

What is a captive portal?

A

A method of redirecting users who connect to wireless or wired systems to a portal for login or agreement to the acceptable use policy (AUP). Using a captive portal is common for wireless system access. (e.g. hotels, airports, but also common for corporate access to an organization’s wireless network)

30
Q

ACL stands for _______.

A

Access Control List

31
Q

What is an Access Control List (ACL)?

A

A list of rules either permitting or denying different pieces of traffic from entering (ingress) or leaving (egress) a network. The general idea is that a router, switch, or firewall receives a packet and then typically allows or denies the packet based on the source or destination IP address (IP filtering), or the source and destination port (port filtering). Can also be based on protocols being used (e.g. TCP, UDP, ICMP, IP).

32
Q

What are the two main components of wireless network security?

A

Encryption

Authentication

33
Q

____ was an early WiFi network security technology that had major cryptographic weaknesses. In 2002, it was replaced by ______, which relied on _____ encryption. In 2004, that was replaced by _______, which used ______ encryption and is still used today.

A
WEP
WPA
TKIP-RC4
WPA2
CCMP-AES
34
Q

EAP stands for _______.

A

Extensible Authentication Protocol

35
Q

What is Extensible Authentication Protocol (EAP)?

A

An authentication framework commonly used for wireless networks.

36
Q

Name the four types of EAP that WPA and WPA2 use for authentication.

A

EAP-FAST
EAP-TLS (EAP Transport Layer Security)
EAP-TTLS (EAP Tunneled Transport Layer Security)
PEAP (Protected EAP)

37
Q

Describe EAP-FAST

A

EAP Flexible Authentication via Secure Tunneling

  • Cisco’s proposal to replace LEAP (Lightweight EAP), previously used with WEP.
  • Lightweight and secure.

[Not doing a great job on the EAP flashcards. Pretty confusing. Just copying Messer’s stuff]

38
Q

Describe EAP-TLS.

A

EAP Transport Layer Security

  • Gained wide adoption as wireless tech became more popular
  • Same security we use for web servers. Now using for wireless authentication
  • Strong security, wide adoption
  • Support from most of the industry
39
Q

Describe EAP-TTLS.

A

EAP Tunneled Transport Layer Security

  • Some orgs needed additional options for authentication
  • Supports other authentication protocols in a TLS tunnel
  • Use any authentication you can support, maintains security with TLS
40
Q

Describe PEAP.

A

Protected EAP

  • Created by Cisco, Microsoft, and RSA Security
  • Encapsulates EAP in a TLS tunnel, one certificate on the server
  • Combined a secure channel and EAP
  • Commonly implemented on Microsoft devices as PEAPv0/EAP-MSCHAPv2
  • Authenticates to Microsoft’s MS-CHAPv2 databases
41
Q

Name the three wireless security / authentication modes.

A
Open
WPA2 Personal (WPA2-PSK)
WPA2 Enterprise (WPA2-802.1X)
42
Q

What is open / shared authentication?

A

A configuration mode on a wireless access point / wireless router that allows access without a password. This was the default setting for older APs.

[It looks more complicated than this based on some things I was reading. But I’m going to hope Messer is pointing in the right direction on this]

[Do NOT confuse a shared (i.e. open) network with pre-shared keys, which is WPA2 protected]

43
Q

What is WPA2 Personal mode?

A

WPA2-PSK - Requires pre-shared key

A configuration mode on a wireless access point / wireless router, often used in homes or small offices, that requires a pre-shared key for access. Everyone uses the same 256-bit key. If you change the pre-shared key, you also have to change the configuration of all devices connected to that network.

[You could see how this would be hugely inadequate for a business. Frankly, a business of almost any size. If one person leaves the office, you have to re-configure ALL devices. Even in our home, would be a huge pain to change the wireless password]

44
Q

What is WPA2 Enterprise mode?

A

WPA2-802.1X

A configuration mode on a wireless access point / wireless router, often used for larger businesses, that authenticates users individually with an authentication server (e.g. AAA, RADIUS). When someone leaves an organization, all of their access can be disabled without impacting others. Individuals can also change their own password without affecting anyone else.

45
Q

Describe MAC Filtering.

A

A configuration setting on some wireless and wired access points that allows an admin to only grant network access to a device if that device’s MAC address has been whitelisted.

This is considered security through obscurity (i.e. not strong security). It’s relatively easy to find MAC addresses through wireless LAN analysis. (You can use a wireless analyzer to find all MAC addresses on a network.) And then it’s possible for someone to spoof a MAC address and gain access. Not quite as bad on wired networks, but still not considered good security.

46
Q

What is geofencing?

A

When a wireless technology (usually GPS or RFID) is used to define a virtual fence around a geographic location within an application so that individuals can be tracked when entering or leaving that “virtual fenced” area.

When someone or something enters the geofenced area, an alert or text message can be generated to notify you. Or you can restrict or allow certain features when a device is in a particular area. For example, you can disable the camera on a phone when inside a sensitive building. Or perhaps you only allow logins when a device is located in a particular area.

47
Q

DoS stands for ________.

A

Denial of Service

48
Q

What is a Denial of Service (DoS)?

A

A type of attack that causes a system or its services to either crash or become unresponsive. As a result, the system cannot fulfill its purpose and provide those services.

Careful: Does not have to involve flooding of traffic. Could be as simple as turning off power to a building. Could involve seriously and/or permanently damaging a service (e.g. Stuxnet).

Messer: Could be a friendly, unintentional action (e.g. creating a layer 2 loop or breaking a pipe in a server room).

49
Q

What are three common types of DoS attack?

A

Distributed (DDoS)
Amplified
Reflective

[I feel like these overlap. I could see a situation where the attack is distributed, amplified, AND reflective]

50
Q

What is a Distributed DoS (DDoS)?

A

A DoS attack where a hacker uses multiple hosts or systems to attack a single target system. Very difficult to stop because attack is coming from many places at the same time.

One example would be using a botnet to create a huge traffic spike, using all the bandwidth or resources of a service. Another would be a smurf attack, in which the hacker pings a number of computers but modifies the source address of those packets so they appear to originate from the victim’s system. All those replies then flood the victim.

51
Q

What is a reflective DoS?

A

A DoS attack in which the attacker sends requests containing the target server’s IP address to legitimate servers on the Internet, such as DNS servers, causing them to send a flood of responses that overwhelm the target. (The reflection helps disguise the identity of the attacker.)

52
Q

What is an amplified DoS?

A

A DoS attack in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would.

Messer: Can involve abusing older protocols with little (if any) authentication (e.g. NTP, ICMP).

[Note: This is often a type of reflective attack, from what I understand]

53
Q

What is social engineering?

A

A very low-tech form of attack where a hacker attempts to trick a person into compromising security through social contact such as an e-mail or phone call. Can involve multiple people and multiple organizations.

[Note: Often, social engineering is not attempted against the ultimate target, but against third parties connected to the target. e.g. the target’s social media accounts, or domain registrar, or credit card, or Paypal]

54
Q

Describe some of the principles / strategies used in social engineering

A
  • Authority (e.g. “I’m calling from the help desk / office of the CEO / police”)
  • Intimidation (e.g. “Bad things will happen if you don’t help”)
  • Consensus / social proof (e.g. Your co-worker Jill did this for me last week)
  • Scarcity (e.g. ?)
  • Urgency (e.g. We need to hurry because…) [often connected to scarcity]
  • Familiarity / Liking (e.g. referring to acquaintances, common friends)
  • Trust (e.g. I’m from IT, and I’m here to help)

[You see this stuff all the time in the movies. Or even old television shows. Think of all the stuff Face did on the A-Team. I feel like he used just about all of these]

55
Q

What is an insider threat?

A

The potential for attacks or security breaches posed by employees of an organization. Can include a disgruntled employee, an employee with criminal intent, or an employee participating in corporate espionage. [Or an activist / hacktivist / whistleblower like Edward Snowden?] Depending on how broad the definition, could also include innocent employees who were scammed or coerced, or careless employees (e.g. using a company laptop for personal use).

Insiders are especially dangerous because they tend to be more trusted than outsiders, and often have access to sensitive data. Messer shows some scary stats: 20% of attacks caused by insiders, often never publicized.

Can cause critical system disruption, loss of confidential or proprietary information, financial harm, harm to reputation. Can inject malware and initiate attacks.

Some ways to mitigate the threat: Logging and auditing. Assigning privileges only as needed (i.e. “least privilege”). Physical security. Encryption. Policies and procedures. Best to use a layered approach to defense.

56
Q

What is a logic bomb?

A

Malware that executes when a certain time or predefined event occurs, often left by someone with a grudge, and usually causing devastation (e.g. destruction of data).

Difficult to recognize, because each is unique (i.e. no predefined signature to match). Prevention methods include: processes and procedures (e.g. formal change control), electronic monitoring (e.g. alert admin if certain files change or intrusion detected), constant auditing, and of course, backups.

(e.g. a program that always makes sure an employee’s name appears on the payroll roster; if it doesn’t, key files begin to be erased)

[Think “time bomb”]

57
Q

What is a rogue access point?

A

An unauthorized access point that has been installed on an organization’s LAN. [Often for malicious purposes, but there are potentially innocent reasons, as well. Like an employee wanting Internet access in the cafeteria.] When a WAP is installed without properly implementing security, it opens the organization up to possible data loss or penetration by an attacker. Port security on the local switching equipment is used to mitigate the risk of a rogue access point.

Very easy to plug in a wireless AP, or enable wireless sharing in your OS.

Good to perform periodic surveys (e.g. walk around the building / campus). Use a third-party tool to identify where wireless communication is coming from (e.g. WiFi Pineapple). You should perform regular wireless scans with software such as NetStumbler or Kismet to locate any rogue wireless access points. Also note that enterprise networks using wireless controller–based systems using Lightweight Access Point Protocol (LWAPP) will have rogue detection built into the system. Consider using 802.1X (network access control) to require authentication, regardless of connection type.

58
Q

What is an evil twin?

A

A rogue wireless access point that poses as a legitimate wireless device on the network to intercept transmitted data.

Messer says you can buy a wireless access point and configure it exactly the same as an existing network device (e.g. same SSID, security settings, maybe even password). The signal could overpower existing access points so users connect to your evil twin. [He says it might not even require the same physical location. Huh?] Public WiFi hotspots that are open and not using 802.1X, like in hotels and coffee shops, are particularly easy to fool.

The best way to mitigate this on a personal level is to use HTTPS and a VPN. Even if your data streams are stolen, they will be encrypted.

59
Q

What is war driving?

A

When someone drives around with a mobile device and tries to locate wireless networks that they can connect to and/or scan for vulnerabilities. A huge amount of intel can be quickly gathered with free tools (e.g. Kismet, inSSIDer, wigle.net).

There are a number of alternatives, including warflying with drones and warbiking. Sometimes war-drivers will mark an open or vulnerable location with chalk markings (called war-chalking).

Security measures: Place wireless access points in the middle of the building and control power levels so the signal cannot be reached from outside. Implement security features such as WPA2 encryption, MAC filtering, changing the SSID, and disabling SSID broadcasting. [Changing the SSID?]

60
Q

What is phishing?

A

A common type of social engineering attack (with a touch of spoofing). A phishing attack is when the hacker creates a fake replica of a popular website, such as a bank or eBay, then sends an email (or text message, IM, etc.) trying to trick a user into clicking a link that leads to the fake site. When the user attempts to log on with their account info, the hacker records the user name and password and tries that info on the real site.

Security measures: Check URLs. Don’t click links; enter them directly into the browser instead. Look for things that don’t look quite right (e.g. spelling errors, strange fonts, missing graphics).

61
Q

What is vishing?

A

Voice phishing done over the phone (e.g. fake security checks or bank updates)

62
Q

What is spear phishing?

A

Phishing directed at specific individuals or groups within an organization. Often involves phishing with customized, inside information to make the attack look more believable. Called “whaling” if targeting CEO or other high-value target.

[ex. Ten years of John Podesta’s emails ending up on WikiLeaks]
[Really does make me start to appreciate the policy of deleting old emails]

63
Q

What is ransomware?

A

Malicious software that takes control of your system and does not give control back until you pay a fee. A common scenario today is that the ransomware encrypts your drive, and if you pay a fee you can get the encryption key. Sometimes it can be a fake-out (i.e. not really locked).

Security measures: Offline backups. OS patches. Antivirus / antimalware updated.

64
Q

What is DNS poisoning?

A

A hacker alters (or poisons) your DNS server’s data in order to redirect clients to the wrong system. [Remember, DNS converts name into an IP address.]

Modifying a device’s hosts file is similar. The hosts file actually takes precedence over DNS queries. But it’s tough to do this across a lot of individual machines.

Another common attack against DNS is when a hacker tries to do a zone transfer (copy your DNS data) in order to map out your network.

65
Q

What is ARP poisoning?

A

An attack in which an attacker sends a forged ARP reply to a client to redirect traffic to the attacker’s host. The forged ARP reply will contain the MAC address of the attacker’s host. The attacker can then use their host as a relay and eavesdrop on the conversation.

In other words: A hacker can insert himself in the middle of communication by altering the Address Resolution Protocol (ARP) cache on a victim’s system and causing all communication to pass through the hacker’s system so he or she can capture all traffic. This is a common method to perform a man-in-the-middle attack.

Messer says this is easy to do if the attacker is sitting on the same IP subnet as the two victimized devices, because ARP has no security.

66
Q

What is spoofing, and what are some different types?

A

When a device pretends to be something it’s not in order to bypass access control systems and gain access to protected resources on a network. Often occurs in man-in-the-middle attacks and DoS attacks.

Examples of things that can be spoofed:

  • Web server
  • DNS server
  • Email address
  • Caller ID (e.g. fake local area code)
  • ARP poisoning
  • MAC address (very difficult to detect)
  • IP address (can be legit. e.g. load balancing and testing)
67
Q

What is deauthentication?

[How is it used by Hackers? Why does the vulnerability exist? And how is that vulnerability exploited?]

A

aka disassociation

An attack that lets an attacker disconnect, or deauthenticate, a client from a wireless network by forging deauthentication (or disassociation) management frames that appear to come from the access point. Done repeatedly, it keeps a victim off the network indefinitely, essentially a targeted DoS attack. (And on a network without protected management frames there is not much the victim can do about it, except plug in.)

Forcing a client to reauthenticate also gives the attacker an opportunity to capture the reassociation traffic. On WPA/WPA2-Personal networks, the captured 4-way handshake can be attacked offline with a dictionary of candidate pre-shared keys, which is why deauthentication and handshake capture are usually run together.

Deauthentication can also push the victim toward another AP, e.g. a rogue AP under the attacker's control, or a venue's paid "premium" network instead of the guest's own free hotspot. The FCC has fined hotels for exactly this: Marriott settled for $600,000 in 2014 after deauthenticating guests' personal hotspots so they would pay for the hotel's Wi-Fi. [Wow.]

Basically, the vulnerability exists because the original 802.11 standard had no way to encrypt, validate or authenticate management frames, which are used to find access points, manage QoS, associate / disassociate with an access point, etc. Anyone who knows the AP's and the client's MAC addresses can forge them. IEEE addressed the problem with the 802.11w amendment (Protected Management Frames, PMF), which authenticates and encrypts the important ones: deauthentication, disassociation and certain action frames. Not all frames can be protected; beacons, probes and the authentication / association exchange happen before any keys exist, so they must remain in the clear. PMF is required for 802.11ac certification and is mandatory in WPA3, so it will roll out moving forward, but both client and AP have to support and enable it.

Tools for mounting a WiFi deauthentication attack include the Aircrack-ng suite, MDK3, Void11, Scapy, and Zulu. Aireplay-ng, an aircrack-ng suite tool, can run a deauthentication attack with a one-line command (e.g. aireplay-ng --deauth 0 -a <AP BSSID> wlan0mon, where 0 means "keep sending"). So can the WiFi Pineapple, a rogue access point.

[I find this really interesting, for some reason]
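As an added example (not part of Messer's material or these notes), the Python below decodes 802.11 management frame headers, forges the kind of deauthentication frame the attack sends, and flags a burst of them the way a wireless IDS would. The MAC addresses, timestamps and the 20-frame burst are constructed in the code; a real detector would read frames from a monitor-mode capture instead.

```python
"""Added example (not part of Messer's material): decode 802.11 management
frame headers and flag a deauthentication / disassociation flood.
All frames below are constructed in code; no capture file or wireless card is used."""
import struct
from collections import defaultdict

TYPE_MGMT = 0
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
BROADCAST = bytes.fromhex("ffffffffffff")


def build_deauth(victim: bytes, ap: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Forge the frame an attacker injects: frame control 0xC0 (type 0 = management,
    subtype 12 = deauth), addr1 = victim (or broadcast to hit every client),
    addr2 / addr3 = the real AP, then a 2-byte reason code. Nothing is signed,
    which is exactly the weakness 802.11w closes."""
    frame_control = (SUBTYPE_DEAUTH << 4) | (TYPE_MGMT << 2)  # 0xC0
    header = struct.pack("<BBH", frame_control, 0, 0x013A)    # FC, flags, duration
    header += victim + ap + bssid + struct.pack("<H", 0)       # addr1..3, sequence control
    return header + struct.pack("<H", reason)                  # 7 = class 3 frame from non-associated STA


def parse_mgmt(frame: bytes) -> dict:
    """Split the fixed 24-byte management header; pull the reason code if present."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc = frame[0]
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "dst": frame[4:10],
        "src": frame[10:16],
        "bssid": frame[16:22],
    }
    if info["type"] == TYPE_MGMT and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_flood(capture, window=1.0, threshold=5):
    """capture: iterable of (timestamp_seconds, raw_frame).
    Returns {bssid: total_deauths} for every BSSID that saw more than `threshold`
    deauth/disassoc frames within any `window`-second span. A few per hour is
    normal roaming; dozens per second is an attack (or a rogue AP herding clients)."""
    stamps_by_bssid = defaultdict(list)
    for ts, raw in capture:
        f = parse_mgmt(raw)
        if f["type"] == TYPE_MGMT and f["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            stamps_by_bssid[f["bssid"].hex(":")].append(ts)
    flagged = {}
    for bssid, stamps in stamps_by_bssid.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):          # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[bssid] = len(stamps)
                break
    return flagged


def sample_capture():
    """Constructed capture: one legitimate deauth (client leaving, reason 3), then a
    20-frame broadcast burst inside 0.2 s, the pattern a one-line aireplay-ng run produces."""
    ap = bytes.fromhex("001122334455")        # made-up AP / BSSID
    victim = bytes.fromhex("66778899aabb")    # made-up client
    capture = [(0.0, build_deauth(victim, ap, ap, reason=3))]
    capture += [(100 + i * 0.01, build_deauth(BROADCAST, ap, ap)) for i in range(20)]
    return capture


if __name__ == "__main__":
    print(detect_deauth_flood(sample_capture()))   # {'00:11:22:33:44:55': 21}
```

The threshold is the tunable part: a single deauth with a sane reason code is routine, a broadcast burst with the same reason repeated every few milliseconds is not. On a PMF-enabled network the forged frames fail the MIC check and never reach the client at all.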

68
Q

What are the three types of password attacks?

A

dictionary attack
brute-force attack
hybrid attack

69
Q

What is a dictionary attack?

A

A password-cracking attack that works through a list of likely passwords (a word list, or "dictionary") and tries each one against the target hash or login.

70
Q

What is a brute-force attack?

A

A password-cracking attack that attempts every possible combination of characters.

Usually a last-ditch effort after a dictionary attack has failed, since the number of combinations grows exponentially with password length and brute force requires a lot of computational resources.

Also usually performed offline, once a hacker has obtained a list of users and password hashes. Difficult to attempt online via repeated login attempts because it is very slow, noisy, and most accounts will lock out.

71
Q

What is a hybrid password attack?

A

An attack that is part dictionary and part brute-force. Uses a word list file, but also applies mangling rules: appending numbers and symbols, capitalizing, substituting characters. e.g. Where a dictionary attack tries only "pass", a hybrid would also attempt "pass1", "Pass123", "p@ss" and so on.
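An added example, not from the flashcards, that runs the three attacks described in cards 68 to 71 against a constructed list of unsalted SHA-256 hashes in Python. The usernames, passwords, word list and suffix rules are all made up for the demo; real tools (hashcat, John the Ripper) do the same thing with far larger rule sets and GPU acceleration.

```python
"""Added example (not from the flashcards): dictionary, hybrid and brute-force
attacks run offline against a constructed list of unsalted SHA-256 password hashes."""
import hashlib
import itertools
import string


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "leaked" credential dump: user -> unsalted SHA-256 of the password.
LEAKED = {
    "alice": sha256_hex("sunshine"),       # plain dictionary word
    "bob":   sha256_hex("dragon2019!"),    # dictionary word + common suffix
    "carol": sha256_hex("q7x"),            # short but random: only brute force works
    "dave":  sha256_hex("Xk9#mQ2vLp8!"),   # long and random: none of these will get it
}
WORDLIST = ["password", "sunshine", "dragon", "letmein", "welcome"]  # constructed


def dictionary(words):
    """Dictionary attack: try each word as-is."""
    yield from words


def hybrid(words, suffixes=("1", "123", "2019", "2019!", "!")):
    """Hybrid attack: each word and its capitalized form, bare and with suffixes."""
    for w in words:
        for base in (w, w.capitalize()):
            yield base
            for s in suffixes:
                yield base + s


def brute_force(charset=string.ascii_lowercase + string.digits, max_len=3):
    """Brute force: every string up to max_len; the keyspace is the sum of |charset|**n."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def crack(hashes: dict, candidates) -> dict:
    """Hash each candidate once and look it up against all targets. Because the
    hashes are unsalted, one hash computation tests every user at once; a per-user
    salt would force the attacker to redo the work for each account."""
    by_hash = {h: user for user, h in hashes.items()}
    found = {}
    for cand in candidates:
        user = by_hash.get(sha256_hex(cand))
        if user is not None and user not in found:
            found[user] = cand
            if len(found) == len(hashes):
                break
    return found


def run_all(hashes=LEAKED) -> dict:
    """Cheapest attack first; each stage only targets what is still uncracked."""
    found = {}
    for stage in (dictionary(WORDLIST), hybrid(WORDLIST), brute_force()):
        remaining = {u: h for u, h in hashes.items() if u not in found}
        if not remaining:
            break
        found.update(crack(remaining, stage))
    return found


if __name__ == "__main__":
    for user, pw in run_all().items():
        print(f"{user}: {pw}")
    # alice: sunshine / bob: dragon2019! / carol: q7x; dave survives all three stages
```

Note the order in run_all: dictionary first, then hybrid, then brute force, each only against hashes that are still uncracked. That is the "low-hanging fruit first" progression the cards describe, and the reason long random passwords plus per-user salts and a slow hash (bcrypt, scrypt, Argon2) are the defence rather than any single trick.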

72
Q

What is VLAN hopping, and how is it done?

A

An attack in which a host on one VLAN gets its traffic into another VLAN that it should not be able to reach, bypassing the access controls (e.g. router ACLs) that sit between the two.

Two methods allow this:

1) Switch spoofing. Many switches support automatic trunk negotiation (Cisco's Dynamic Trunking Protocol, DTP), and ports are often left in a mode that will negotiate. An attacker can use software such as Yersinia to speak DTP and pretend to be a switch, get the real switch to form a trunk with them, and then send and receive tagged frames for every VLAN carried on that trunk.

Solution: Manually define which interfaces are trunks and which are access ports, and turn off negotiation on all of them (on Cisco: switchport mode access on access ports, switchport nonegotiate on trunks).

2) Double-tagging. Normally, when a frame is sent across a trunk connection, an 802.1Q tag is added to that frame. On the other side, that tag is evaluated and removed, and the frame is sent to the correct VLAN. Frames in the trunk's native VLAN are the exception: they cross the trunk untagged. An attacker whose access port is in the native VLAN can craft a frame with two tags, an outer tag for the native VLAN and an inner tag for the target VLAN. The first switch strips the outer tag (it matches the native VLAN, so the frame goes onto the trunk untagged), which exposes the inner "fake" tag to the second switch, and that switch delivers the frame into the target VLAN. The packet is on a one-way trip: replies never come back to the attacker, so there is no way to get responses, but it is good for DoS and blind injection.

Solution: Don't put devices on the native VLAN, change the native VLAN ID to an unused VLAN, and force tagging of the native VLAN (on Cisco: vlan dot1q tag native).

73
Q

What is Man-in-the-middle (MITM)?

A

An attack in which a hacker inserts himself between two systems that are communicating. He then relays traffic back and forth between the two parties, with neither knowing that all the communication is passing through the hacker's system. The hacker can view, and often modify, any sensitive data sent between the two systems. (On a LAN, ARP poisoning is the classic way to get into the middle.)

Messer mentions the man-in-the-browser attack, which doesn't require the attacker to be on your local subnet. Instead, malware already running on the victim's machine hooks into the browser and proxies everything it sends and receives. Because it sits inside the browser, it sees data before TLS encrypts it and after TLS decrypts it, so even "encrypted" traffic is exposed, and everything looks normal to the victim. It can wait for you to log in to your bank, then steal your credentials or alter the transaction. Requires the attacker to first install malware on your machine.

74
Q

What is a vulnerability and an exploit, and what’s the difference.

A

A vulnerability is a weakness in a system; an exploit is the code or technique that takes advantage of that weakness (and "to exploit" a system is to use it nefariously). Analogy: An unlocked window is a vulnerability. A thief climbing in through it is the exploit.

Vulnerability could be in an OS, application, or process. Some are never discovered, or only discovered after years of use. Could involve a broken authentication process, a security misconfiguration, etc.

75
Q

What is a zero-day attack?

A

An attack that exploits a vulnerability the vendor does not yet know about, or has not yet patched, so defenders have had "zero days" to prepare. Researchers around the world are working hard to find vulnerabilities in OSes and applications, but sometimes the bad guys get there first.

76
Q

What is network hardening? List some methods for implementing it.

A

Improving the security of a network. Can be accomplished by:

  • Changing default credentials (of network devices)
  • Avoiding common passwords
  • Upgrading device firmware
  • Patching and updating OSes and other software
  • Hashing our files
  • Disabling unnecessary services
  • Using secure protocols
  • Generating new keys
  • Disabling unused ports (e.g. IP ports and physical / virtual device ports)
77
Q

Explain the importance of changing default credentials.

A

Most devices have default usernames and passwords, often well-known and available on sites like RouterPasswords.com. Those credentials may provide full, administrator access. Not ideal for network security.

78
Q

Explain the importance of avoiding common passwords.

A

When hackers are trying to crack passwords, they start with low-hanging fruit. That is, passwords that can be found in dictionaries, other word lists, and lists of previously cracked passwords. The brute forcers also start with the easier passwords first.

79
Q

Explain the importance of upgrading firmware.

A

Many network devices do not run a traditional OS; all of their code lives in firmware, so the only way to fix a flaw is a firmware upgrade. Firmware has the same potential for security vulnerabilities as any OS, and is often patched less diligently (contrary to what one idiot author said in his N+ practice exam).

80
Q

Explain the importance of file hashing.

A

A file hash is a (relatively) short fixed-length string created by running a cryptographic hash algorithm (such as MD5 or SHA-256) over a data source (such as a file). If anything is changed in the original data, either intentionally or through corruption, this hash, also called a digital fingerprint or "message digest," will also change, allowing us to verify the integrity of a downloaded or saved file against the hash the publisher lists. Prefer SHA-256 when you have a choice: MD5 and SHA-1 still catch accidental corruption, but attackers can craft collisions for them, so they no longer prove a file was not deliberately swapped.

81
Q

Explain the importance of disabling unnecessary services.

A

One way to avoid vulnerabilities associated with particular services is to disable them. Every service has the potential for trouble, and some of the worst vulnerabilities are unknown (i.e. zero day).

Unfortunately, there are a growing number of services on modern OSes (over 240 on Windows 10), and it isn’t always obvious what’s necessary. May require a lot of research, different sources, trial and error, etc.

82
Q

Explain the importance of using secure protocols.

A

There’s a wealth of information in our network packets, which are particularly vulnerable to being intercepted on a wireless network. So whenever possible, it’s best to use secure protocols over insecure ones. (e.g. SSH instead of Telnet, SFTP instead of FTP, HTTPS instead of HTTP, SNMPv3 instead of older versions, etc.) Also good to use VPNs (e.g. TLS/SSL or IPSec)

83
Q

Explain the importance of generating new keys.

A

When we communicate with network devices over encrypted channels (e.g. HTTPS, SSH), the device's key pair (and, for HTTPS, its certificate) is what protects the session. Some devices ship with a default or vendor-wide key pair, or generate one at first boot and never again [similar to default username / password on routers]. Important to regenerate these, and to have a formal policy and set of procedures to ensure it happens.

Messer doesn't mention that keys also have a useful lifetime. Certificates carry an explicit expiry date; key pairs themselves don't, but their strength depends on their length (for RSA, the bit length of the modulus), and what counts as adequate grows over time (1024-bit RSA is no longer considered safe), so keys should be rotated on a schedule and regenerated at a longer length when standards change. Some OSes and devices do this automatically; others require manual intervention.

Also important to regenerate key pairs immediately if they have been compromised, and to revoke the old certificate where one exists.

84
Q

Explain the importance of disabling unused TCP and UDP ports.

A

The more ports we have open on a networked system, the greater the surface area for a remote attack. Therefore, after a system has been installed, it is best practice to block any TCP or UDP port that is not needed for the primary purpose of the system, and ideally to stop the service listening on it as well. Blocking is achieved via a firewall. [Messer says either a host-based / personal / software firewall or a network-based firewall. Another guy says this requires host-based firewall. Tend to think Messer's right on this one.]

85
Q

Explain the importance of disabling unused device interfaces.

A

Physical ports are susceptible to exploit. e.g. If a network device has a serial port, also known as a console port, an attacker could plug in and manipulate the system. Any unused ports on network devices should be either disabled or password protected. Virtual ports are also susceptible to attack: many virtual machine technologies allow serial ports to be extended to a remote workstation over TCP/IP, and these are generally just as exploitable as their physical counterparts. If virtual console ports are not required, they should be disabled. Messer says it is particularly important to disable physical interfaces in easily accessible common areas like a conference or break room. He suggests 802.1X network access control (NAC), which requires a user or device to authenticate before gaining access to a switch interface.

86
Q

Explain the purpose of changing native VLANs as a mitigation technique.

A

On an 802.1Q trunk, frames in the native VLAN cross the link without a tag, so untagged frames arriving on a trunk port are assigned to the native VLAN. By default this is VLAN 1, the same as the default VLAN that every access port starts in. That combination poses a security risk: any host on VLAN 1 is also on the native VLAN, and untagged traffic can travel across a VLAN-managed network without being classified. To protect the network from unauthorized traffic, the native VLAN should be changed to an unused VLAN with no hosts in it, so that untagged traffic essentially runs into a dead end (and, where supported, the native VLAN should be tagged as well).

[I believe this prevents the “double-tagging” vulnerability]
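As an added example (not from Messer or these notes), the Python below models the tag handling that cards 72 and 86 describe: an attacker on the native VLAN sends a double-tagged frame, switch 1 strips the outer tag, switch 2 reads the inner one, and each of the three mitigations breaks the chain at a different point. The two-switch model, the VLAN numbers, and the assumption that an access port accepts a frame tagged with its own VLAN are simplifications for illustration, not the behaviour of any particular switch.

```python
"""Added example (not part of Messer's material): a small model of how two
switches handle an 802.1Q double-tagged frame, and why each native-VLAN
mitigation stops the hop. Tags are a list, outermost first."""


def access_ingress(tags, access_vlan):
    """Attacker's access port on switch 1. Model assumption: a frame tagged with
    the port's own VLAN is accepted and that tag stripped (the behaviour the attack
    relies on); a frame tagged with any other VLAN is dropped."""
    if not tags:
        return access_vlan, []
    if tags[0] == access_vlan:
        return access_vlan, tags[1:]
    return None, []


def trunk_egress(vlan, inner_tags, native_vlan, tag_native):
    """Switch 1 sends the frame across the trunk. Native-VLAN frames go untagged
    unless native tagging is forced, so anything that was underneath (the attacker's
    inner tag) becomes the outermost tag on the wire."""
    if vlan == native_vlan and not tag_native:
        return inner_tags
    return [vlan] + inner_tags


def trunk_ingress(wire_tags, native_vlan):
    """Switch 2 classifies by the first tag it sees, or the native VLAN if untagged."""
    return wire_tags[0] if wire_tags else native_vlan


def double_tag_hop(attacker_vlan, target_vlan, native_vlan, tag_native=False):
    """Attacker on `attacker_vlan` crafts [attacker_vlan, target_vlan] and sends it.
    Returns the VLAN in which switch 2 delivers the frame, or None if dropped."""
    crafted = [attacker_vlan, target_vlan]
    vlan, rest = access_ingress(crafted, attacker_vlan)
    if vlan is None:
        return None
    wire = trunk_egress(vlan, rest, native_vlan, tag_native)
    return trunk_ingress(wire, native_vlan)


def normal_frame(host_vlan, native_vlan, tag_native=False):
    """Sanity check: an ordinary untagged frame still lands in its own VLAN."""
    vlan, rest = access_ingress([], host_vlan)
    return trunk_ingress(trunk_egress(vlan, rest, native_vlan, tag_native), native_vlan)


if __name__ == "__main__":
    print("default config, attacker on native VLAN 1 ->", double_tag_hop(1, 20, native_vlan=1))               # 20: hop succeeds
    print("hosts kept off the native VLAN          ->", double_tag_hop(10, 20, native_vlan=1))              # 10
    print("native VLAN moved to unused 999         ->", double_tag_hop(1, 20, native_vlan=999))             # 1
    print("native VLAN forced tagged               ->", double_tag_hop(1, 20, native_vlan=1, tag_native=True))  # 1
    print("normal traffic unaffected               ->", normal_frame(10, native_vlan=999, tag_native=True))     # 10
```

The attack only works in the first case, where the attacker's access VLAN and the trunk's native VLAN coincide and native frames go out untagged. Moving hosts off the native VLAN, moving the native VLAN to an unused ID, or tagging the native VLAN each keeps a real tag in front of the attacker's inner tag, so switch 2 never sees VLAN 20.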

87
Q

What are the two mechanisms used to protect switches from malicious spanning tree protocol (STP) traffic?

A

BPDU Guard

Root Guard

88
Q

What is BPDU Guard?

A

Prevents a host (or an unauthorized switch) from injecting bridge protocol data units (BPDUs) into a network using Spanning Tree Protocol (STP) through an access port.

i.e. If a port configured with PortFast receives a BPDU, BPDU Guard puts it into the err-disabled state. BPDUs are not expected on access ports, since end stations don't run STP, so this protects against both misconfigurations (someone plugging in a switch) and attacks that try to reshape the spanning tree. (PortFast is a configuration on Cisco switches that lets an access port skip STP's listening and learning states and go straight to forwarding; or as Messer puts it, PortFast allows you to bypass listening and learning states. PortFast ports also don't generate topology change notifications when they flap, which avoids needless MAC-table flushing and the unicast flooding that follows.)

[Note: Messer says you should only enable BPDU guard on interfaces that you know will be used by end station devices]

[Also something called BPDU Filter that does something similar. But instead of disabling the port, it silently drops incoming BPDUs and stops sending them. Applied to a port that really does connect to another switch, it can create a loop.]

89
Q

What is Root Guard?

A

Prevents a device on a given port from taking over as root bridge on a Spanning Tree Protocol (STP) network. If a superior BPDU (one that would win the root election) arrives on a port with Root Guard enabled, the port goes into the root-inconsistent (blocking) state until the superior BPDUs stop. So even if a switch appears with a low MAC address and a priority set to 0, it still won't be able to become root bridge.

[Note: This is root bridge, not root port. Root port is a port that forwards data up to the root bridge]

90
Q

What is Flood Guard?

A

A switch port protection feature (port security, on Cisco switches) that stops an attached host from using spoofed source MAC addresses to overflow the switch's MAC address (CAM) table. Once the table is full the switch can't learn where new addresses live, and falls back to flooding all unicast traffic out every port, which turns it into a hub the attacker can sniff. (i.e. MAC flooding, where someone floods the switch with frames from thousands of fake MAC addresses.) Spoofed ARP traffic is used the same way.

With Flood Guard, you configure a maximum number of source MAC addresses allowed on a port, and optionally the specific MAC addresses permitted. If the maximum is exceeded, the port security violation action fires. By default, that disables the interface (err-disabled).

91
Q

What is DHCP snooping?

A

A switch port protection feature that inspects DHCP traffic at Layer 2 and treats each port as either trusted (facing the real DHCP server, e.g. the uplink) or untrusted (facing hosts). DHCP server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, which stops rogue DHCP servers from handing out erroneous IP addresses, gateways or DNS servers. The switch can also check that the client hardware address inside a DHCP request matches the frame's source MAC, catching hosts that spoof their MAC in DHCP (on Cisco: ip dhcp snooping verify mac-address). As a by-product it builds a binding table of MAC, IP, port and VLAN, which Dynamic ARP Inspection and IP Source Guard use to police ARP and IP spoofing.

[Careful: Because DHCP involves IP addresses, it would be easy to confuse this for a Layer 3 process. But remember that this is switch security operating at Layer 2: the decision is based on which port a frame arrived on and its source MAC, not on any routing.]
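An added example, not from the flashcards, covering both Flood Guard (card 90) and DHCP snooping (this card): a toy Python switch that enforces a per-port MAC limit and drops DHCP server messages from untrusted ports. Port names, MAC addresses and the DHCP messages are constructed for the demo; the violation actions mirror Cisco's defaults but the class is not modelled on any vendor's code.

```python
"""Added example (not from the flashcards): a toy access switch that applies
port security (the MAC-address limit behind 'flood guard') and DHCP snooping
to constructed frames. Real switches do this in hardware; the decisions are the same."""
from dataclasses import dataclass, field
from typing import Optional

DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server legitimately sends these


@dataclass
class Frame:
    port: str
    src_mac: str
    dhcp_msg: Optional[str] = None     # "DISCOVER", "OFFER", ... or None if not DHCP
    dhcp_chaddr: Optional[str] = None  # client hardware address field inside the DHCP payload


@dataclass
class AccessSwitch:
    max_macs: int = 2                                # port-security maximum per port
    trusted_ports: set = field(default_factory=set)  # DHCP snooping: ports facing the real server
    cam: dict = field(default_factory=dict)          # learned MAC -> port
    learned: dict = field(default_factory=dict)      # port -> set of MACs seen
    err_disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def ingress(self, f: Frame) -> str:
        if f.port in self.err_disabled:
            return "dropped: port err-disabled"

        # Port security: learn source MACs per port, shut the port on the (max+1)th.
        # Without this a MAC flooding tool fills the CAM table and the switch
        # degrades to flooding every unicast frame out all ports.
        macs = self.learned.setdefault(f.port, set())
        if f.src_mac not in macs:
            if len(macs) >= self.max_macs:
                self.err_disabled.add(f.port)
                self.log.append(f"port-security violation on {f.port}: err-disabling")
                return "dropped: port-security violation"
            macs.add(f.src_mac)
            self.cam[f.src_mac] = f.port

        # DHCP snooping: server replies are only believed from trusted ports,
        # and a client's DHCP chaddr must match the MAC it actually sent from
        # (Cisco: 'ip dhcp snooping verify mac-address').
        if f.dhcp_msg in DHCP_SERVER_MSGS and f.port not in self.trusted_ports:
            self.log.append(f"rogue DHCP {f.dhcp_msg} from {f.src_mac} on untrusted {f.port}")
            return "dropped: DHCP server message on untrusted port"
        if f.dhcp_msg and f.dhcp_chaddr and f.dhcp_chaddr != f.src_mac:
            self.log.append(f"DHCP chaddr {f.dhcp_chaddr} != source MAC {f.src_mac} on {f.port}")
            return "dropped: DHCP MAC verification failed"
        return "forwarded"


def demo():
    """Constructed traffic: a MAC flood on Gi0/5, a real and a rogue DHCP OFFER,
    and a client lying about its hardware address."""
    sw = AccessSwitch(max_macs=2, trusted_ports={"Gi0/24"})  # Gi0/24 is the uplink
    results = []
    for i in range(5):  # flooding tool cycling through fake source MACs
        results.append(sw.ingress(Frame("Gi0/5", f"de:ad:be:ef:00:{i:02x}")))
    results.append(sw.ingress(Frame("Gi0/24", "aa:bb:cc:00:00:01", "OFFER")))   # real server via uplink
    results.append(sw.ingress(Frame("Gi0/7", "aa:bb:cc:00:00:99", "OFFER")))    # rogue server on an access port
    results.append(sw.ingress(Frame("Gi0/8", "11:22:33:44:55:66", "DISCOVER", "11:22:33:44:55:77")))
    return results, sw


if __name__ == "__main__":
    results, sw = demo()
    for r in results:
        print(r)
    print(sw.log)
```

Two design points carry over to real switches: the port is shut rather than just the frame dropped, because a flooding host will keep sending and the CAM table is a shared resource; and the trust decision is per port, not per MAC, because a MAC is exactly the thing the attacker controls.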

92
Q

What is network segmentation, why is it a useful, and what are the two main ways of implementing it?

A

Involves dividing a network into smaller subnetworks, and controlling how those subnetworks can reach each other.

Useful as a security mitigation technique because it confines an attack to a particular part of a network. Which is connected to compliance. (e.g. If you handle credit card and health info, segmentation may be mandatory.) Also useful for optimizing performance by reducing broadcast traffic, isolating heavy load systems or certain protocols, for example.

Two main ways of segmenting a network:

  • Physical - Devices are physically separated (e.g. Web servers in one rack, database servers in another. Application A servers in one rack, Application B in another. Customer A on one switch, Customer B on another.) Tends to be inefficient / wasteful, because you're not maximizing use of your equipment.
  • Logical - Employs VLANs, VPNs, or host virtualization to segment a network

[A very stringent, highly secure method of network segmentation is requiring complete physical separation from any other network. Referred to as an air gap. Creates a lot of management issues]

93
Q

Networks are segmented by switches at Layer 2, but describe how security between segments is handled at Layer 3.

A

The main unit of a logically segmented network is a zone. A zone is an area of the network where the security configuration is the same for all hosts within it. Network traffic between zones should be strictly controlled using a security device, typically a firewall applying ACLs on addresses and ports. (Routers can also use addressing schemes with NAT and port forwarding to constrain what crosses a zone boundary.)

Firewalls can be used to segment a network by implementing a system of security zones. A DMZ (screened subnet) is an Internet-facing zone that sits between the Internet and the internal LAN: it holds the public-facing servers, the firewall lets the Internet reach only those servers, and a DMZ host that gets compromised still has to cross another firewall boundary to reach the LAN.

[Not sure how great I did with this stuff]

94
Q

What are privileged user accounts and role separation? Explain their relevance as common mitigation techniques.

A

A privileged user account has complete administrator / root access to a system, which is often necessary to manage hardware, drivers, and software installation.

As a security best practice, you should have role separation with different access rights, so that normal user accounts have limited control. (e.g. basic privileges that allow reading or modifying documents, or adjusting superficial OS / desktop properties).

This kind of role separation makes it harder for an insider threat or a breached account to compromise an entire system. This goes hand-in-hand with another principle known as ‘least privilege,’ which states that a user should only be granted minimum sufficient permissions, and no more.

Role separation, more broadly, can also refer to duties within an organization (separation of duties). Responsibilities should be divided among individuals to prevent ethical conflicts or abuses of power (e.g. you'd want the system developer to be a different person than the auditor).

95
Q

FIM stands for _________?

A

File Integrity Monitoring

96
Q

What is File Integrity Monitoring (FIM)? Give examples.

A

A type of software that audits important system and application files to ensure they have not been tampered with. It computes a cryptographic hash (checksum) of each file and compares it against a trusted baseline; any mismatch means the file changed.

Examples:

- Windows File Protection (Windows 2000 / XP; replaced by Windows Resource Protection from Vista on, runs automatically)
- Windows - System File Checker (SFC), built in: run sfc /scannow from an elevated prompt
- Multi-platform - Tripwire, OSSEC, AIDE
- Many host-based IPS / IDS options
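An added example, not from the flashcards, that implements the hash-based check described under file hashing (card 80) and FIM (this card) in Python: take a SHA-256 baseline, tamper with some files, and report the difference. The file names and contents are constructed inside a temporary directory, so nothing on the real system is read or changed.

```python
"""Added example (not part of Messer's material): a minimal file integrity
monitor. Build a baseline of SHA-256 digests, re-scan later, and report what
was added, removed or modified. demo() runs it against constructed files in a
temporary directory."""
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file so large binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root: str) -> dict:
    """Relative path -> digest for every regular file under root. SHA-256, not
    MD5/SHA-1: an attacker can craft collisions for those and replace a file
    without changing its hash."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def verify(root: str, expected: dict) -> dict:
    """Compare a fresh scan with the stored baseline."""
    current = baseline(root)
    both = set(current) & set(expected)
    return {
        "added": sorted(set(current) - set(expected)),
        "removed": sorted(set(expected) - set(current)),
        "modified": sorted(p for p in both if current[p] != expected[p]),
    }


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "sshd_config"), "w") as fh:   # constructed files
            fh.write("PermitRootLogin no\n")
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        snapshot = baseline(root)   # in practice: store this off-box or signed

        # Simulate tampering: weaken sshd_config, drop a binary, delete hosts.
        with open(os.path.join(etc, "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "backdoor"), "wb") as fh:
            fh.write(b"\x7fELF")
        os.remove(os.path.join(etc, "hosts"))
        return verify(root, snapshot)


if __name__ == "__main__":
    print(demo())
    # {'added': ['backdoor'], 'removed': ['etc/hosts'], 'modified': ['etc/sshd_config']}
```

The weak point of any FIM is the baseline itself: if it lives writable on the monitored host, an attacker who can replace a binary can re-hash it too. Production tools keep the baseline off-box or signed, and schedule scans so that a change is noticed before the next baseline refresh.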
97
Q

Describe the difference between a honeypot and a honeynet.

A

A honeypot is a computer system set up to attract attackers, with the intention of analyzing attack strategies and tools, to provide early warning of attack attempts, or possibly as a decoy to divert attention from actual computer systems. Another use is to detect internal fraud, snooping, and malpractice.

A honeynet is an entire decoy network. This may be set up as an actual network or simulated using an emulator.

98
Q

What is penetration testing?

A

(aka pen testing)

A white hat hacking technique to discover and exploit weaknesses in a network’s security.

99
Q

What is the difference between penetration testing and vulnerability scanning?

A

Pen testing is a more comprehensive assessment. It actually tries to exploit the vulnerabilities that are found. Because even though the potential for an exploit exists, in practice the permissions on the server might prevent an attacker from using it. A vulnerability scan would not identify this; penetration testing proves whether or not it is the case.

Penetration tests are often contracted to third parties, following the assumption that it is better to have an independent test of the system security design than to rely on the designer. (Third parting testing might also be a compliance mandate.) Alternatively, a large organization may split its security personnel into a “blue” defense team and a “red” attack team.

For a good overview, Messer recommends:
Technical Guide to Info Security Testing and Assessment
http://professormesser.link/800115 (PDF download)