N10-009-Section_4 Flashcards
Data in Transit/Motion
Data in Transit refers to data as it moves between systems, devices, or networks. Usually discussed in the context of security and how to protect (encrypt and authenticate) that data while it is in motion, e.g. with TLS, IPsec, or SSH.
Data at Rest
Data at Rest refers to the process of securing stored data by encrypting it to protect it from unauthorized access, theft, or breaches when it is not actively being transmitted or used. This includes data stored on devices such as servers, hard drives, SSDs, USB drives, or cloud storage.
PKI
PKI (Public Key Infrastructure) is a framework (policies, procedures, hardware, software, people) used to issue, distribute, validate, and revoke digital certificates and the public keys they contain, enabling secure communication and authentication over networks. Relies on asymmetric key pairs: a private key kept secret by its owner and a public key that a certificate binds to the owner's identity.
CA
Certificate Authority. A trusted entity that issues and signs digital certificates, vouching that a public key belongs to the named subject. Public CAs are third parties outside your org, trusted because their root certificates ship with operating systems and browsers; an org can also run its own internal (private) CA for certificates used only inside it, as long as its root is installed on the org's own devices.
IAM
IAM (Identity and Access Management) is a framework of policies, processes, and technologies used to manage digital identities and control access to resources within an organization. It ensures the right individuals have access to the right resources at the right times, while keeping unauthorized access at bay.
Least Privilege
Users only have the minimum access they need to perform job
RBAC
Role-based Access Control. Permissions are assigned to roles (groups), and users get access by being placed in a role rather than being granted per-user permissions. Adding or removing a user from a role changes all of their access at once.
Geofencing
Geofencing refers to the use of virtual geographic boundaries (defined using GPS, RFID, Wi-Fi, cellular, or IP geolocation data) to control or monitor network access, device usage, or services based on the physical location of the user or device.
AAA
Authentication, Authorization, Accounting
Identification
Precedes authentication. Claiming an identity: who you say you are, e.g. your username or email address. This is not secret information, so by itself it proves nothing.
Authentication
Goes hand in hand with identification. The act of proving you are who you claim to be: a password, or other factors (something you have, something you are) combined as MFA.
Authorization
Based on who you are, what access do you have? Decided after authentication succeeds.
Accounting
Resources used, login time, data sent and received, logout time
RADIUS
Remote Authentication Dial-In User Service. An AAA protocol supported on many platforms to centralize authentication of users. Used by servers, routers, switches, firewalls, remote-access VPNs, and 802.1X network access (wired and wireless). Runs over UDP (1812 for authentication, 1813 for accounting; older deployments use 1645/1646). Only the User-Password attribute is hidden, with an MD5-based scheme keyed by the shared secret; the rest of the packet is plaintext, so RADIUS traffic should stay on a protected management network.
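Worked example, added here and not part of the flashcard deck, of the one piece of RADIUS that is "encrypted": the RFC 2865 User-Password hiding scheme, inside a minimal Access-Request packet. It shows that the username travels in the clear, that the password hiding is a reversible XOR keyed by MD5(shared secret || previous block), and that an attacker who captures one request for an account whose password they already know can brute-force the shared secret offline. The username, password, secret, and candidate list are constructed for illustration.

```python
import hashlib
import os
import struct
from typing import Dict, Iterable, Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a 16-byte multiple, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the 16-byte
    Request Authenticator carried in the packet header."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server does on receipt."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    # Padding removal. Passwords that end in NUL bytes are ambiguous; that is inherent to the scheme.
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: bytes, secret: bytes,
                         identifier: int, request_auth: bytes) -> bytes:
    """Packet layout: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes(TLV...)."""
    def attr(attr_type: int, value: bytes) -> bytes:
        return struct.pack(">BB", attr_type, len(value) + 2) + value

    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:          # malformed; stop rather than loop forever
            break
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def brute_force_secret(packet: bytes, known_password: bytes,
                       candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack against a captured Access-Request: for an account whose password the
    attacker knows, every shared-secret guess can be checked with one MD5 per block and
    no interaction with the server."""
    request_auth = packet[4:20]
    hidden = parse_attributes(packet)[ATTR_USER_PASSWORD]
    for guess in candidates:
        if reveal_password(hidden, guess, request_auth) == known_password:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample values; a real client uses a random Request Authenticator per packet.
    ra = os.urandom(16)
    pkt = build_access_request("alice", b"hunter2", b"s3cret", 7, ra)
    print("username visible:", b"alice" in pkt, "password visible:", b"hunter2" in pkt)
    print("recovered secret:", brute_force_secret(pkt, b"hunter2", [b"password", b"radius", b"s3cret"]))
```

The hiding scheme is not a cipher in any modern sense: the same secret and a predictable authenticator produce the same keystream, and MD5 is fast, which is why the usual advice is long random shared secrets, one per client, and RADIUS over IPsec or RadSec (RADIUS over TLS) wherever the path is not trusted.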
LDAP
Lightweight Directory Access Protocol. Protocol for reading and writing directory entries over an IP network (TCP 389, or 636 for LDAPS over TLS). A lightweight replacement for the X.500 Directory Access Protocol; it keeps the X.500 directory model and naming, which is why Active Directory and most other directories are queried with it.
X.500
A standard for organizing directories as a hierarchical tree. Entries are named by attribute=value pairs: CN=Common Name, OU=Organizational Unit, DC=Domain Component, O=Organization, C=Country, and so on. The chain of these pairs from an entry up to the root is its Distinguished Name (DN), e.g. CN=jdoe,OU=Sales,DC=example,DC=com.
Container Objects
In an X.500 directory, container objects hold and organize other objects (further containers or leaf objects). An OU is the typical example; the domain (DC=...) components are containers too.
Leaf Objects
In an X.500 directory, leaf objects are the end entities themselves: users, computers, printers, files. They cannot contain other objects.
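Worked example, added here and not part of the flashcard deck, covering the X.500 naming cards above: a parser for RFC 4514 string DNs (the form LDAP uses) that handles backslash and hex escapes, splits a DN into its leaf RDN and the container path above it, and rebuilds the string with proper escaping. The sample DNs are constructed; multi-valued RDNs joined with + are flattened into separate pairs for simplicity.

```python
from typing import List, Tuple

HEX_DIGITS = "0123456789abcdefABCDEF"
SPECIAL = ',+"\\<>;'          # characters that must be backslash-escaped inside a value


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a string DN into (attribute type, value) pairs, leaf first.
    Values are accumulated as UTF-8 bytes so that \\XX hex escapes decode correctly
    even when they spell out a multi-byte character."""
    pairs: List[Tuple[str, str]] = []
    buf, key, in_value, i = bytearray(), "", False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(h in HEX_DIGITS for h in hexpair):
                buf.append(int(hexpair, 16))             # \2C -> ','
                i += 3
            else:
                buf.extend(dn[i + 1].encode("utf-8"))    # \, \+ \= \" \\ etc.
                i += 2
            continue
        if not in_value and c == "=":
            key, buf, in_value = buf.decode("utf-8").strip(), bytearray(), True
        elif in_value and c in ",+":
            pairs.append((key, buf.decode("utf-8")))
            buf, in_value = bytearray(), False
        else:
            buf.extend(c.encode("utf-8"))
        i += 1
    if in_value:
        pairs.append((key, buf.decode("utf-8")))
    elif buf.strip():
        raise ValueError("trailing RDN without '='")
    return pairs


def escape_value(value: str) -> str:
    """Escape a value for inclusion in a string DN (RFC 4514 section 2.4)."""
    out = "".join("\\" + ch if ch in SPECIAL else ch for ch in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def format_dn(pairs: List[Tuple[str, str]]) -> str:
    return ",".join(f"{k}={escape_value(v)}" for k, v in pairs)


def split_leaf(pairs: List[Tuple[str, str]]):
    """First RDN names the leaf object; the remaining RDNs, read root-first, are the
    containers it sits in (the flashcard's container objects)."""
    return pairs[0], list(reversed(pairs[1:]))


def parent_dn(dn: str) -> str:
    """DN of the container directly above the named object."""
    return format_dn(parse_dn(dn)[1:])


if __name__ == "__main__":
    sample = "CN=Smith\\, John,OU=Sales,DC=example,DC=com"   # constructed
    print(parse_dn(sample))
    print(split_leaf(parse_dn(sample)))
    print(parent_dn(sample))
```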
SAML
Security Assertion Markup Language. An XML-based open standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). The user authenticates once at the IdP, which issues a digitally signed SAML assertion; the SP validates the signature and grants access, so the SP never sees the user's password. Used a lot for SSO to web applications. SAML was designed around browser redirects and is awkward on mobile apps, where OAuth 2.0 / OpenID Connect are usually preferred.
TACACS
Terminal Access Controller Access Control System. A remote authentication protocol originally created in the 1980s to control access to dial-up lines on ARPANET. Obsolete today; superseded by TACACS+.
TACACS+
Terminal Access Controller Access Control System Plus. The current version, developed by Cisco and usually associated with Cisco products (despite the name it is not backward compatible with TACACS). Uses TCP port 49, encrypts the entire packet body (RADIUS hides only the password), and separates authentication, authorization and accounting so each can be handled independently, which makes it the usual choice for per-command authorization on network devices.
TOTP
Time-based One-time Password. A short code (typically 6 digits) that changes every 30 seconds and is used as a second authentication factor. Not actually random: the code is an HMAC of a shared secret key and the current time step (RFC 6238, built on HOTP, RFC 4226), so a server and a client that hold the same secret and have synchronized clocks compute the same code at the same time. Servers usually accept the codes for the adjacent time steps to tolerate small clock drift.
Honeypot
A host deliberately left exposed and enticing so that attackers will try to compromise it. No legitimate user should ever touch it, so any activity on it is suspicious; it reveals the attackers' tools and techniques so the network admins can put preventive measures in place on the real systems.
Honeynet
A network of honeypots. This looks more "real" to an attacker than a single host. Contains servers, workstations, routers, switches, etc.
Risk
The likelihood that a threat will exploit a vulnerability, combined with the impact if it does. Often expressed as Risk = Likelihood x Impact; reducing either factor reduces the risk.
Threat
Threat: The potential danger. A threat is any potential danger that could harm or disrupt an organization’s network, data, or resources. Threats can come from various sources, including malicious attackers (hackers), natural disasters (such as floods or fires), or even internal users (whether intentional or accidental). In essence, a threat is anything that poses a risk to the confidentiality, integrity, or availability of network resources.
Vulnerability
Vulnerability: The weakness that could be targeted. A vulnerability is a weakness or flaw in a system, network, software, or process that could be exploited by a threat. Vulnerabilities could exist in outdated software, poor network configurations, weak passwords, or unpatched systems. If a vulnerability is not addressed, it increases the likelihood that a threat could compromise the system or network.
Exploit
Exploit: The action taken to use the vulnerability maliciously. An exploit is the specific method, code, or technique used to take advantage of a vulnerability in order to carry out an attack. Exploits are developed to bypass security controls and gain unauthorized access, manipulate data, or disrupt services. Examples include specially crafted input or software that triggers a flaw, phishing messages that exploit human weaknesses, and malware that carries exploit code as its way in.
CIA
Confidentiality, Integrity, Availability. Sometimes (ICA)
Confidentiality
Prevent disclosure of information to unauthorized individuals or systems
Integrity
Ensure data is not altered without authorization, whether stored or sent across a network, and that any alteration can be detected (hashes, message authentication codes, digital signatures).
Availability
Data needs to be available for access when its needed
Data Localization
Any data from a region or country must be stored within that region or country
PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It was created by the Payment Card Industry Security Standards Council (PCI SSC) to protect cardholder data and prevent fraud.
GDPR
GDPR (General Data Protection Regulation) is a comprehensive data protection law enacted by the European Union (EU) to regulate the collection, storage, and use of personal data of individuals within the EU. It went into effect on May 25, 2018, and applies to any organization, regardless of location, that processes the personal data of EU residents.
List the 6 Control Objectives of PCI DSS
1 Build and maintain a secure network and systems, 2 Protect cardholder data, 3 Maintain a vulnerability management program, 4 Implement strong access control measures, 5 Regularly monitor and test networks, 6 Maintain an information security policy
SCADA
Supervisory Control and Data Acquisition. A type of ICS designed for geographically distributed infrastructure such as oil pipelines, railways, or water systems. Because it may take a long time for a human to reach a remote site, SCADA relies on Remote Terminal Units (RTUs) at each site to collect data and carry out control actions autonomously, reporting back to a central supervisory system; a plant-floor ICS normally uses PLCs on a local network rather than RTUs.
OT
Operational Technology. Hardware and software for industrial equipment. Electric Grids, traffic lights, manufacturing plants
DoS
Denial of Service. An attack that makes a service unavailable to legitimate users by crashing it or exhausting its resources (CPU, memory, bandwidth, connection tables).
Friendly DoS
Unintentional DoS. Examples: a layer 2 loop on a network without STP, or downloading a large file over a limited-bandwidth connection that everyone else shares.
DDoS
Distributed Denial of Service. A DoS launched from many sources at once, typically a large botnet of compromised hosts, so the traffic is hard to filter by source and can overwhelm far more capacity than one attacker could.
Asymmetric Threat
When an attacker needs far fewer resources than the victim to cause harm, e.g. a rented botnet taking down a large, expensive service.
DDoS Reflection and Amplification
An attacker uses a protocol whose response is much larger than the request (amplification), with the source address spoofed to the victim's (reflection). Example: a botnet sends small DNS queries to open resolvers with the victim's address as the source; each resolver sends its much larger response to the victim, which is flooded with traffic from servers it never contacted. NTP, SSDP, and memcached have been abused the same way. Ingress filtering of spoofed source addresses (BCP 38) at the edge removes the reflection step.
Switch Spoofing
One way to VLAN hop. Many switches default to dynamic trunk negotiation (Cisco DTP): a port that hears trunk negotiation from the connected device automatically becomes a trunk. A rogue switch, or an attacker's host that speaks DTP to impersonate a switch, can turn its port into a trunk and then send and receive tagged traffic for every VLAN. Mitigation: hard-code user-facing ports as access ports and disable negotiation (on Cisco, switchport mode access plus switchport nonegotiate).
Double Tagging
An attacker on the native VLAN sends frames carrying two 802.1Q tags: an outer tag for the native VLAN and an inner tag for the target VLAN. The first switch strips the outer tag (native VLAN traffic crosses the trunk untagged) and never looks at the inner one; the next switch sees only the inner tag and delivers the frame into the target VLAN. Requires that the attacker be on (or know) the native VLAN, and it is one-way, since replies have no path back, so it is used for things like DoS rather than interactive sessions. Mitigation: set the trunk native VLAN to an unused VLAN and tag native VLAN traffic.
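Worked example, added here and not part of the flashcard deck: a byte-level model of the double-tagging hop. It builds an Ethernet frame with two stacked 802.1Q tags, runs it through a simplified first switch (access port ingress, trunk egress that sends the native VLAN untagged) and a second switch that classifies by the outermost tag, and shows that moving the native VLAN to an unused ID defeats the attack. The switch behaviour is a simplification of the cards above (a model, not any vendor's exact forwarding logic), and the MAC addresses and payload are constructed.

```python
import struct
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800
ATTACKER_MAC = bytes.fromhex("020000000001")   # constructed, locally administered
TARGET_MAC = bytes.fromhex("020000000020")     # constructed


def build_frame(dst: bytes, src: bytes, vlan_ids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more stacked 802.1Q tags (PCP=0, DEI=0)."""
    frame = dst + src
    for vid in vlan_ids:
        frame += struct.pack(">HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack(">H", ethertype) + payload


def parse_tags(frame: bytes) -> Tuple[List[int], int, bytes]:
    """Return (VLAN IDs outermost first, inner EtherType, payload)."""
    pos, vids = 12, []
    while pos + 4 <= len(frame) and struct.unpack(">H", frame[pos:pos + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack(">H", frame[pos + 2:pos + 4])[0] & 0x0FFF)
        pos += 4
    ethertype = struct.unpack(">H", frame[pos:pos + 2])[0]
    return vids, ethertype, frame[pos + 2:]


def access_switch_forward(frame: bytes, access_vlan: int, trunk_native_vlan: int) -> Optional[bytes]:
    """Switch 1 (model): frame arrives on an access port and leaves on the trunk.
    Ingress: an untagged frame, or one whose OUTER tag equals the port's VLAN, is accepted
    and that outer tag is popped; nothing underneath is inspected.
    Egress: the frame is tagged with its VLAN, except the native VLAN, which goes untagged.
    Returns None if the frame is dropped."""
    vids, ethertype, payload = parse_tags(frame)
    if vids and vids[0] != access_vlan:
        return None
    remaining = vids[1:]                      # an attacker's inner tag survives untouched
    outgoing = remaining if access_vlan == trunk_native_vlan else [access_vlan] + remaining
    return build_frame(frame[:6], frame[6:12], outgoing, ethertype, payload)


def trunk_switch_classify(frame: bytes, trunk_native_vlan: int) -> int:
    """Switch 2: a frame arriving on the trunk belongs to its outermost tag, or to the
    native VLAN if it is untagged."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else trunk_native_vlan


def double_tag_attack(attacker_vlan: int, native_vlan: int, target_vlan: int) -> int:
    """VLAN that switch 2 delivers the attacker's double-tagged frame into (-1 if dropped)."""
    frame = build_frame(TARGET_MAC, ATTACKER_MAC, [attacker_vlan, target_vlan], ETH_IPV4, b"constructed payload")
    forwarded = access_switch_forward(frame, access_vlan=attacker_vlan, trunk_native_vlan=native_vlan)
    return -1 if forwarded is None else trunk_switch_classify(forwarded, native_vlan)


if __name__ == "__main__":
    print("native VLAN 1, attacker in VLAN 1:", double_tag_attack(1, 1, 20))      # lands in VLAN 20
    print("native VLAN moved to 999:        ", double_tag_attack(1, 999, 20))    # stays in VLAN 1
```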
MAC Flooding
An attacker sends a huge number of frames, each with a different spoofed source MAC address, to fill up the switch's MAC address (CAM) table. Once the table is full the switch cannot learn new addresses and floods frames for unknown destinations out every port, effectively behaving like a hub, so the attacker can capture traffic between other hosts. Port security (limiting the number of MAC addresses learned per switch port) prevents this.
ARP Poisoning (Spoofing)
ARP has no authentication, so an attacker sends unsolicited (gratuitous) ARP replies to the victim saying "192.168.1.1 is at <attacker's MAC>", claiming to be the router. The victim updates its ARP cache, replacing the real router's MAC, and sends its traffic to the attacker, who can forward it on to the real router while reading or modifying it (an on-path attack). Mitigation: Dynamic ARP Inspection on the switch, or static ARP entries for critical hosts.
DNS Poisoning
An attacker modifies the hosts file on the client (the hosts file is consulted before the DNS server), compromises the DNS server and changes its records, or injects forged responses into a resolver's cache (cache poisoning). Either way, name lookups return the attacker's IP address and traffic is redirected to the attacker's computer. DNSSEC lets resolvers verify that records were signed by the zone owner, which defeats forged responses but not a tampered hosts file.
DHCP Snooping
A feature on managed switches that inspects DHCP traffic. Ports facing the legitimate DHCP server are marked trusted; DHCP server messages (OFFER, ACK) arriving on any other, untrusted, port are dropped, which blocks rogue DHCP servers. The switch also records each completed lease (client MAC, IP address, port, VLAN) in a binding table, which Dynamic ARP Inspection and IP Source Guard then use to drop spoofed ARP replies and spoofed source IP addresses.
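Worked example, added here and not part of the flashcard deck, covering both the ARP poisoning and the DHCP snooping cards: a model of a switch that drops DHCP server messages on untrusted ports, builds a binding table from completed leases, and then validates ARP packets against that table (Dynamic ARP Inspection). Hosts that never use DHCP, such as the router, need a static ARP ACL entry or their ARP traffic would be dropped too; that detail trips up real deployments. The port numbers, MAC addresses, and DHCP exchange are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE"}


@dataclass
class SnoopingSwitch:
    trusted_ports: Set[int]                                             # ports toward the real DHCP server
    static_arp_acl: Dict[str, str] = field(default_factory=dict)        # ip -> mac for non-DHCP hosts (router)
    bindings: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # ip -> (client mac, client port)
    pending: Dict[str, int] = field(default_factory=dict)               # client mac -> port it asked from
    log: List[str] = field(default_factory=list)

    def dhcp(self, port: int, msg_type: str, src_mac: str, chaddr: str,
             yiaddr: Optional[str] = None) -> bool:
        """Filter one DHCP message. Returns True if forwarded, False if dropped."""
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted_ports:
                self.log.append(f"DROP rogue DHCP {msg_type} from {src_mac} on untrusted port {port}")
                return False
            if msg_type == "ACK" and chaddr in self.pending:
                client_port = self.pending.pop(chaddr)
                self.bindings[yiaddr] = (chaddr, client_port)   # lease confirmed: record the binding
                self.log.append(f"BIND {yiaddr} -> {chaddr} on port {client_port}")
            return True
        if msg_type in CLIENT_MESSAGES:
            if port not in self.trusted_ports and src_mac != chaddr:
                # MAC verification: a client may not request a lease on behalf of another MAC
                self.log.append(f"DROP DHCP {msg_type}: source {src_mac} != chaddr {chaddr} on port {port}")
                return False
            if msg_type == "RELEASE":
                self.bindings = {ip: b for ip, b in self.bindings.items() if b[0] != chaddr}
            else:
                self.pending[chaddr] = port
            return True
        return False

    def arp(self, port: int, sender_mac: str, sender_ip: str) -> bool:
        """Dynamic ARP Inspection: on an untrusted port the sender IP/MAC (and port) must
        match a snooping binding, or the IP/MAC must match the static ARP ACL. Anything
        else, e.g. "192.168.1.1 is at <attacker MAC>" from a random port, is dropped."""
        if port in self.trusted_ports:
            return True
        if sender_ip in self.static_arp_acl:
            ok = self.static_arp_acl[sender_ip] == sender_mac
        else:
            ok = self.bindings.get(sender_ip) == (sender_mac, port)
        if not ok:
            self.log.append(f"DROP ARP {sender_ip} is-at {sender_mac} on port {port}")
        return ok


def demo() -> SnoopingSwitch:
    """Constructed exchange: Alice on port 3, real DHCP server behind port 24, attacker on port 5."""
    sw = SnoopingSwitch(trusted_ports={24}, static_arp_acl={"192.168.1.1": "00:aa:bb:cc:dd:01"})
    alice, server, attacker = "00:11:22:33:44:55", "00:aa:bb:cc:dd:02", "de:ad:be:ef:00:01"
    sw.dhcp(3, "DISCOVER", alice, alice)
    sw.dhcp(5, "OFFER", attacker, alice, "192.168.1.200")   # rogue DHCP server: dropped
    sw.dhcp(24, "OFFER", server, alice, "192.168.1.50")
    sw.dhcp(3, "REQUEST", alice, alice)
    sw.dhcp(24, "ACK", server, alice, "192.168.1.50")       # binding created
    sw.arp(3, alice, "192.168.1.50")                         # legitimate: passes
    sw.arp(5, attacker, "192.168.1.1")                       # poisoning attempt: dropped
    return sw


if __name__ == "__main__":
    print("\n".join(demo().log))
```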
Rogue AP
An unauthorized AP plugged into the network, often by a well-meaning employee rather than an attacker. Gives anyone within radio range a path onto the wired network, bypassing perimeter controls.
802.1X
IEEE 802.1X, port-based Network Access Control. A client (supplicant) must authenticate through the switch or AP (authenticator) to an authentication server (usually RADIUS), typically with EAP, before its port passes any traffic, regardless of the connection type. Stops a rogue AP or unauthorized host from getting onto the network just by plugging into an open port.
Evil Twin
A rogue AP configured with the same SSID (and often the same security settings) as a legitimate network to fool people into connecting. Once connected, the attacker can sniff and modify their traffic; clients are usually given real internet access so they don't notice the difference. Attackers use higher transmit power or closer placement so their signal is stronger than the real AP's and clients prefer it. WPA2/WPA3-Enterprise with server certificate validation on the client, plus TLS end to end, limits what an evil twin can do.
On-Path Attack
Formerly called man-in-the-middle: the attacker sits between two parties and relays, reads, or alters their traffic. Includes session hijacking, HTTPS spoofing, Wi-Fi eavesdropping, and ARP poisoning. Encryption that also authenticates the endpoints (TLS with certificate validation, SSH host keys) defeats most of these; encryption alone does not, since an on-path attacker can present their own key.
Virus (What makes it different from other malware)
Malware that attaches itself to a file or program and requires human interaction (opening the file, running the program) to execute and replicate.
Worm (What makes it different from other malware)
Malware that replicates on its own, typically by exploiting network-reachable vulnerabilities, with no human interaction. Spreads much faster than a virus and can saturate a network in minutes.
Rootkit
Malware that modifies the OS itself (kernel, drivers, system libraries) to hide its presence from the OS's own tools. Very hard to find and remove; detection often requires booting from known-clean media and comparing against it.
Logic Bomb
A logic bomb is a type of malicious code or software that triggers a harmful action when specific conditions are met, such as a particular date, time, or action within a system. Unlike other malware that might immediately execute upon entering a system, a logic bomb remains dormant until the specified condition activates it.
Trojan
Malware that is disguised as legitimate software
Port Security
Many switches can limit the number of MAC addresses learned on a port and/or restrict the port to specific MACs. When an unknown or excess MAC appears, the port can log the event, drop the frames, or shut itself down (err-disable). Defends against MAC flooding and unauthorized devices plugged into a known port.
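Worked example, added here and not part of the flashcard deck, covering both the MAC flooding and the port security cards: a toy learning switch with a fixed-size CAM table and unknown-unicast flooding. The attacker fills the table with random source MACs, after which a unicast frame between two victims is flooded to the attacker's port; with a per-port MAC limit and shutdown violation mode, the attacker's port is err-disabled after two addresses and the same frame reaches only its real destination. Port numbers and MAC addresses are constructed; CAM ageing, which real switches use and which the attack has to keep up with, is left out.

```python
import random
from typing import Dict, List, Optional, Set


class Switch:
    """Toy learning switch: CAM table (source MAC -> port) with fixed capacity, flooding of
    unknown destinations, and optional port security (max MACs per port, violation = shutdown)."""

    def __init__(self, ports: List[int], cam_capacity: int, max_macs_per_port: Optional[int] = None):
        self.ports = ports
        self.cam: Dict[str, int] = {}
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.macs_seen: Dict[int, Set[str]] = {p: set() for p in ports}
        self.err_disabled: Set[int] = set()

    def receive(self, in_port: int, src: str, dst: str) -> List[int]:
        """Process one frame and return the ports it is delivered to."""
        if in_port in self.err_disabled:
            return []
        seen = self.macs_seen[in_port]
        if (self.max_macs_per_port is not None and src not in seen
                and len(seen) >= self.max_macs_per_port):
            self.err_disabled.add(in_port)          # port security violation: shut the port
            return []
        seen.add(src)
        if src not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src] = in_port                 # learn; a full table learns nothing new
        out = self.cam.get(dst)
        if out is None:                              # unknown unicast (or broadcast): flood
            return [p for p in self.ports if p != in_port and p not in self.err_disabled]
        return [] if out == in_port else [out]


def mac_flood(switch: Switch, attacker_port: int, count: int, seed: int = 1) -> None:
    """Attacker sends `count` frames, each from a different random locally-administered MAC."""
    rng = random.Random(seed)
    for _ in range(count):
        fake_src = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        switch.receive(attacker_port, fake_src, "ff:ff:ff:ff:ff:ff")


def run_scenario(port_security: bool) -> dict:
    """Ports 1 (victim A), 2 (victim B), 3 (attacker). The attacker floods first; then A sends
    a unicast frame to B, whose MAC the switch has not learned yet. Constructed MACs."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=1000,
                max_macs_per_port=2 if port_security else None)
    mac_flood(sw, attacker_port=3, count=2000)
    delivered = sw.receive(1, "02:aa:00:00:00:01", "02:bb:00:00:00:02")
    return {
        "a_to_b_delivered_to": delivered,
        "attacker_sees_it": 3 in delivered,
        "attacker_port_shut_down": 3 in sw.err_disabled,
        "cam_entries": len(sw.cam),
    }


if __name__ == "__main__":
    print("no port security:  ", run_scenario(port_security=False))
    print("with port security:", run_scenario(port_security=True))
```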
NAC
Network Access Control. You can't communicate unless you've authenticated (and, in many deployments, passed a posture check such as patch level or antivirus status). Applies to more than just Wi-Fi networks: switch interfaces/ports too, most commonly enforced with 802.1X.
ACL
Access Control List. Allow or deny traffic based on rules matched against MAC addresses, IP addresses, protocols, port numbers, time of day, etc. Rules are evaluated top to bottom and the first match wins, and most ACLs end with an implicit deny, so order matters: a broad permit placed above a specific deny makes the deny dead.
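Worked example, added here and not part of the flashcard deck, of how a first-match ACL is evaluated, including the implicit deny, plus a check for shadowed rules that can never fire because an earlier rule already covers them. The rules, networks, and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src: str                    # source network in CIDR form
    dst: str                    # destination network in CIDR form
    dport: Optional[int] = None # destination port; None = any

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match also matches self."""
        return ((self.proto == "any" or self.proto == other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))


def evaluate(acl: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, rule index). No match = implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them entirely.
    A shadowed deny is the classic ACL ordering bug."""
    return [j for j, later in enumerate(acl) if any(earlier.covers(later) for earlier in acl[:j])]


# Constructed policy: branch users (10.0.0.0/8) may reach the web tier (192.168.10.0/24) on
# HTTPS only, and SSH to the jump host 192.168.10.5 is explicitly denied.
CORRECT_ACL = [
    Rule("deny", "tcp", "10.0.0.0/8", "192.168.10.5/32", 22),
    Rule("permit", "tcp", "10.0.0.0/8", "192.168.10.0/24", 443),
]
# Same intent, wrong order: the broad permit comes first, so the deny below it is dead.
MISORDERED_ACL = [
    Rule("permit", "any", "10.0.0.0/8", "192.168.10.0/24"),
    Rule("deny", "tcp", "10.0.0.0/8", "192.168.10.5/32", 22),
]

SSH_TO_JUMP = {"proto": "tcp", "src": "10.1.2.3", "dst": "192.168.10.5", "dport": 22}
HTTPS_TO_WEB = {"proto": "tcp", "src": "10.1.2.3", "dst": "192.168.10.7", "dport": 443}
TELNET_TO_WEB = {"proto": "tcp", "src": "10.1.2.3", "dst": "192.168.10.7", "dport": 23}

if __name__ == "__main__":
    for name, acl in (("correct", CORRECT_ACL), ("misordered", MISORDERED_ACL)):
        print(name, "ssh->jump:", evaluate(acl, SSH_TO_JUMP), "shadowed:", shadowed_rules(acl))
```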
NGFW
Next Generation Firewall. A firewall that inspects traffic at the application layer (layer 7) rather than only by IP address and port, so it can identify and control applications regardless of which port they use, and typically adds intrusion prevention, TLS inspection, and user/identity-based rules.
Screened Subnet
Formerly known as a DMZ. A network segment isolated between the internet-facing firewall and the internal network, where public-facing servers (web, mail, DNS) are placed so that a compromise of one of them does not give direct access to internal systems.
Security Zones
Firewall configuration model. Each interface (and the network behind it) is assigned to a zone, e.g. trusted/internal, untrusted/external, screened subnet, and policy is written between zones rather than per IP address range. More flexible and less error-prone than address-based rules, and traffic between two zones with no policy is denied by default.