Monitoring and Diagnosing Networks Flashcards
demilitarized zone (DMZ)
A network segment between two firewalls. Allows separation of public and private information on a network
DMZ
demilitarized zone
Honeypot
A fake system designed to divert attackers from your real system. Often has much more monitoring and logging to gather information on possible threats
Honeynet
A network that functions the same as a honeypot
Information security management system (ISMS)
A broad term that applies to a wide range of systems used to manage information security
ISMS
information security management systems
Intrusion detection system (IDS)
A system that monitors the network for possible intrusions and logs that activity
IDS
intrusion detection system
Intrusion prevention system (IPS)
A system that monitors the network for possible intrusions and logs that activity, then blocks the suspicious traffic
IPS
intrusion prevention system
Personally identifiable information (PII)
Any information that could identify a particular individual
PII
personally identifiable information
Software-defined network (SDN)
The entire network, including all security devices, is virtualized
SDN
software-defined network
Stateful packet inspection (SPI)
A firewall that examines each packet and remembers the recent previous packets
SPI
stateful packet inspection
ISO
International Organization for Standardization
NERC
North American Electric Reliability Corporation
NIST
National Institute of Standards and Technology
Six phases of the IT security life cycle, according to NIST
- Initiation
- Assessment
- Solution
- Implementation
- Operations
- Closeout
ISA/IEC-62443
Series of standards that define procedures for implementing electronically secure industrial automation and control systems (IACSs)
IACSs
industrial automation and control systems
Payment Card Industry Data Security Standard (PCI-DSS)
Security standards used by Visa, Mastercard, American Express, and Discover
PCI-DSS
payment card industry data security standard
Three types of zones
- Secure zone
- General work zone
- Low security zone
The three choices of wireless protection protocol (list from least secure to most secure)
WEP, WPA, WPA2
Defense in depth
Security should be extended throughout the network, not just the perimeter; utilizes network segmentation
Virtual local area network (VLAN)
A set of ports on a switch is configured to behave like a separate network
VLAN
virtual local area network
air-gap
When one or more systems are literally not connected to a network
Control Diversity
Addressing a particular security concern with more than a single control or a single vendor
Vendor Diversity
Utilizing several vendors to scan for threats and malware
Types of controls
- Administrative
- Technical
- Physical
Virtual private network (VPN)
A private network connection that occurs through a public network. Typically uses a tunneling protocol.
VPN
virtual private network
VPN concentrator
A hardware device used to create remote access VPNs. It creates encrypted tunnel sessions between hosts
Where should you place a firewall in your network?
At the perimeter and every junction of a network zone
Correlation engine
Applications that look at firewall logs and attempt to correlate the entries to understand possible attacks
What security devices are best suited to be placed on the perimeter of the network?
- VPN concentrators
- Proxies
- DDoS mitigator
What devices are best placed in the network?
- Load balancers
- Port mirroring
- Network aggregation switches
Firewall
One of the first lines of defense in a network. The basic purpose is to isolate one network from another
Appliances
Freestanding devices that operate in a largely self-contained manner
Three types of firewalls
- Packet filter
- Proxy firewall
- Stateful packet inspection firewall
Packet filter firewall
Decides whether to pass a packet along based on its addressing information; the packet's data is not analyzed
Proxy firewall
An intermediary between your network and any other network; examines data and makes rule-based decisions on whether it should be forwarded
dual-homed firewall
A proxy firewall that uses two network interface cards (NICs), with one connected to the outside network and one connected to the internal network
NIC
network interface card
On what do stateless firewalls base their decisions?
The data that comes in the current packet
On what does stateful packet inspection (SPI) filtering base its decision?
The entire conversation between client and server, using data from the current packet and all previous packets
SPI
stateful packet inspection
How do IPSs most often react to an intrusion that has been detected?
Blocks communication from the offending IP address. False positives tend to have an impact on this approach.
FDE
full disk encryption
self-encrypting drive (SED)
A drive with a controller chip built into it that automatically encrypts the drive
SED
self-encrypting drive
Media encryption key (MEK)
The encryption key used in SEDs
MEK
media encryption key
Key encryption key (KEK)
Used to lock or unlock a SED
KEK
key encryption key
Trusted platform modules (TPMs)
Dedicated processors that use cryptographic keys to perform a variety of tasks
TPM
trusted platform module
Hardware security modules (HSMs)
Devices that handle digital keys; can be used to facilitate encryption and authentication via digital signatures
HSM
hardware security module
Secure boot
A process where the BIOS or UEFI makes a cryptographic hash of the operating system boot loader. Used to prevent rootkits and boot sector viruses
Root of trust (RoT)
A security process that must begin with some unchangeable hardware identity
RoT
root of trust
Faraday cage
Used to prevent or mitigate the effects of an EMI or EMP
Recommended process for patch management
- Read the description of the patch
- Deploy the patch on a test system
- Roll it out to a small number of live systems
Principle of ‘least functionality’
Similar to ‘least privilege’; a system should be configured and capable of doing only what it is intended to do and no more
Application blacklisting
The process of listing blocked applications
Application whitelisting
A list of only the applications that may be downloaded
Development environment
The environment in which the application is developed
Test environment
Mimics a live environment and network so that security issues can be addressed before release
Staging
Rolling out new software to sections of the network individually
Sandbox
A test environment that is completely isolated from the network
Secure baseline
The base requirements to meet for an application or software to be considered “secure enough” by an organization
Integrity measurement
Monitoring a system to make sure it does not deviate from the secure baseline