Network Security Flashcards
CIA Triad
Confidentiality
Integrity
Availability
Confidentiality
Keeping the data private & safe
(Encryption, Authentication to access resources)
Encryption ensures data can only be read (decoded) by intended recipient (Asymmetric/Symmetric)
Symmetric Encryption
Both sender & receiver use the same key
DES
Data Encryption Standard
Developed mid-1970s
56-bit key
Used by SNMPv3
Considered weak today
3DES
Triple DES
Uses three 56-bit keys (168-bit total)
Encrypt, decrypt, encrypt
AES
Advanced Encryption Standard
Preferred symmetric encryption standard
Used by WPA2
Available in: 128-bit, 192-bit, 256-bit
Asymmetric Encryption
Uses different keys for sender/receiver
RSA is most popular implementation
RSA commonly used with PKI (public key infrastructure)
PKI is used to encrypt data between web browser & shopping site
Can be used for secure emails
Sender/receiver use different keys to encrypt/decrypt
Integrity
Ensures data has not been modified in transit
Verifies the source the traffic originates from
Integrity violations:
Defacing a corporate web page
Altering an e-commerce transaction
Modifying electronically stored financial records
Hashing (Integrity)
Sender runs string of data through algorithm
Result is a hash or hash digest
Data & hash are sent to receiver
Receiver runs data received via same algorithm & obtains a hash
Two hashes are compared (if same, data not modified)
Hashing Algorithms
MD5 (Message Digest 5)
128-bit hash digest
SHA-1 (Secure Hash Algorithm 1)
160-bit hash digest
SHA-256 (Secure Hash Algorithm 256)
256-bit hash digest
CRAM-MD5 (Challenge-Response Authentication Mechanism MD5)
Common variant often used in email systems
Network Security Attack Types
Confidentiality:
Attempts to make data viewable by attacker
Integrity:
Attempts to alter data
Availability:
Attempts to limit network accessibility & usability
Confidentiality Attacks
Packet capture
Wire tapping
Dumpster diving
Ping sweep
Port scan
Wireless interception
EMI
MITM
Social Engineering
Integrity Attacks
MITM
Data diddling (changes data before storage)
Trust relationship exploitation
Salami attack (many small attacks = one big attack)
Password attack
Session Hijacking
Botnets
Availability Attacks
DoS/DDoS
TCP SYN Flood
Buffer overflow
ICMP attacks (Smurf)
UDP attacks (Fraggle)
Ping of Death
Electrical disturbances
Physical environment attacks (Temperature, Humidity, Gas)
Protecting a Network
Physical controls
User training
Patching
Vulnerability Scanners
Honey pots & honey nets
Remote-access security
Security policies
Incident response
Vulnerability Scanners
Ex: Nessus, Zenmap, Nmap
Periodically test network to verify that security components are behaving as expected & detect known vulnerabilities
Honey Pots/Nets
Systems designed as an attractive target
(Trap/Distraction)
Attackers waste resources
Honey pot = single machine
Honey net = network of multiple honey pots
Remote Access Security
SSH
RADIUS (Open UDP-based auth protocol)
TACACS+ (Cisco, TCP-based auth protocol)
Kerberos (Windows domain auth protocol)
802.1X (Permits/denies wired/wireless client access to LAN)
2FA
SSO
BYOD Vulnerabilities
Bluejacking
Unauthorized messages over Bluetooth
Bluesnarfing
Unauthorized access to wireless via Bluetooth
Bluebugging
Unauthorized backdoor to connect Bluetooth back to attacker
System Lifecycle
Conceptual Design
Preliminary Design
Detailed Design
Production/Installation
Operations/Support
Phase Out
Disposal
MFA
Multifactor Authentication
Something you know (user/pass)
Something you have (key fobs/smart cards)
Something you are (fingerprints/retina)
Something you do (signature, pattern, passphrase)
Somewhere you are (geotagging/geofencing)
Packet-Filtering Firewalls
Permits/denies traffic based on packet header
(Source/Destination IP)
(Source/Destination Port)
Firewall Zones
Inside = Connects to corporate LAN
Outside = Connects to Internet (typically)
DMZ = Connects to devices that should have restricted access from outside zone (like web/email servers)
UTM Devices
Unified Threat Management Devices
Combines firewall, router, IDS/IPS, antimalware, & more
UTM can be queried before allowing connection to network
UTM can be a physical device or cloud solution
IDS
Intrusion Detection System
Passive device
Operates parallel to network
Monitors all traffic & sends alerts
IPS
Intrusion Protection System
Active device
Operates in-line to the network
Monitors all traffic, sends alerts
Drops/blocks offending traffic
Detection Methods
Signature-Based:
Signature contains strings of bytes (pattern) that triggers detection
Policy-Based:
Relies on specific declaration of security policy
Anomaly-Based:
Statistical anomaly - watches traffic patterns to build a baseline
Non-statistical anomaly - Admin defines patterns/baseline
CVE
Common Vulnerabilities & Exposures:
A list of publicly disclosed computer security weaknesses
Penetration Test
Evaluates the security of an IT infrastructure by safely trying to exploit vulnerabilities within the systems/network
Posture Assessment
Assesses cyber risk posture & exposure to threats caused by misconfigurations & patching delays.
(Stay in control, strengthen position, define mission-critical components, identify strengths/weaknesses)
Business Risk Assessment
Identify, understand, & evaluate potential hazards in the workplace
Process Assessment
The disciplined examination of the processes used by the organization against a set of criteria
(Vendor assessment: make sure they can fit needs of the business)
DAC (Access Control)
Discretionary Access Control:
An access control method where access is determined by the owner of the resource
MAC (Access Control)
Mandatory Access Control:
An access control policy where the computer system gets to decide who gets access to what objects
(Unclassified, confidential, secret, top secret)
RBAC (Access Control)
Role-Based Access Control:
An access model that is controlled by the system but focuses on a set of permissions versus an individual’s permissions
(Creating groups makes it easy to control permissions based around job functions)
Zero-Trust
A security framework that requires users to be authenticated & authorized before being granted access to apps/data
1) Reexamine all default access controls
2) Employ prevention/defense techniques
3) Enable real-time monitoring & controls to stop malicious activity quickly
4) Ensure network’s zero-trust architecture aligns to a broader security strategy
DMZ
Demilitarized Zone:
A perimeter network that protects an organization’s internal LAN from untrusted traffic
Screened Subnet
Subnet in the network architecture that uses a single firewall with 3 interfaces to connect 3 dissimilar networks
(Triple-homed firewall)
Separation of Duties
Prevents frauds & abuse by distributing various tasks & approval authorities across a number of different users
Dual Control
Two people have to be present at the same time to do something
Split Knowledge
Two people have half of the knowledge on how to do something
Kerberos
Focused on authentication & authorization within a Windows domain
Provides secure authentication over an insecure network
RADIUS
Provides centralized administration of dial-up, VPN, & wireless network authentication
(Authentication, Authorization, Accounting)
Accounting (Common Uses):
Port 1812 Authentication Messages
Port 1813 Accounting Messages
Proprietary RADIUS versions may use:
Port 1645 Authentication messages
Port 1646 Accounting messages
TACACS+
Used to perform the role of an authenticator in an 802.1x network
RADIUS: UDP
TACACS+: TCP
Ensure port 49 is open
Excellent for Cisco devices
802.1X
A standardized framework that’s used for port-based authentication on both wired/wireless networks
(Supplicant, authenticator, authentication server)
EAP
Extensible Authentication Protocol:
Authentication performed using 802.1x
EAP-MD5: Simple passwords & challenge handshake auth process for remote access
EAP-TLS: Uses public key infrastructure with digital certificate on both client/server
EAP-TTLS: Digital certificate on server & password on the client for auth
EAP-FAST: Uses a protected access credential to establish mutual auth between devices (also uses TLS; Cisco upgrade from LEAP)
PEAP: Uses server certificates & AD databases to auth a password
(Protected EAP)
LEAP: Proprietary Cisco protocol
(Lightweight EAP)
NAC
Network Access Control:
Ensures a device is scanned to determine its current state of security prior to being allowed network access
NAC: Persistent Agent
A piece of software installed on a device requesting access to the network
NAC: Non-Persistent Agent
Requires the users to connect to the network & go to a web-based captive portal to download the agent onto their device
Infrared System
Displays images based on the amount of heat in a room
Identify hot spots in the room (potential gear overheating)
Easily identify where a person is in a room
Ultrasonic Camera
A type of surveillance camera that uses sound-based detection
eFuse
An electronic detection mechanism that can record the version of the IOS used by a switch
Access Control Vestibule
AKA: Mantrap
Smart Locker
A fully integrated system that allows you to keep your valuables inside
Small businesses: 69% ROI
Large enterprises: 248% ROI
Purging/Sanitizing
Removes data by a means through which it cannot be reconstructed (guaranteed)
Clearing Technique
Removes data with a certain amount of assurance it can’t be reconstructed