Network Security (4.1, 4.3 & 4.5) Flashcards
Network Security Fundamentals
▪ Networks are increasingly dependent on interconnecting with other
networks
▪ Risks exist not just on the untrusted Internet, but also inside our own
organization’s networks and must be minimized or eliminated
▪ Understanding the various threats facing our networks is important in
order to best defend the network against the onslaught of cyber-attacks
they are constantly facing
Network Security Goals
▪ Commonly called the CIA Triad
● Confidentiality
● Integrity
● Availability
Confidentiality
▪ Keeping the data private and safe ● Encryption ● Authentication to access resources ▪ Encryption ensures that data can only be read (decoded) by the intended recipient ● Symmetric encryption ● Asymmetric encryption
Symmetric Encryption (Confidentiality)
▪ Both sender and receiver use the same key
▪ DES (Data Encryption Standard)
● Developed in the mid-1970s
● 56-bit key
● Used by SNMPv3
● Considered weak today
▪ 3DES (Triple DES)
● Uses three 56-bit keys (168-bit total)
● Encrypt, decrypt, encrypt
▪ AES (Advanced Encryption Standard)
● Preferred symmetric encryption standard
● Used by WPA2
● Available in 128-bit, 192-bit, and 256-bit keys
▪ Sender and receiver use the same key to encrypt and decrypt the
messages
Asymmetric Encryption (Confidentiality)
▪ Uses different keys for sender and receiver
▪ RSA is the most popular implementation
▪ RSA algorithm is commonly used with a public key infrastructure (PKI)
▪ PKI is used to encrypt data between your web browser and a shopping
website
▪ Can be used to securely exchange emails
▪ Sender and receiver use different keys to encrypt and decrypt the
messages
Confidentiality with HTTPS
▪ Uses asymmetrically encrypted messages to transfer a symmetric key
Integrity
▪ Ensures data has not been modified in transit
▪ Verifies the source that traffic originates from
▪ Integrity violations
● Defacing a corporate web page
● Altering an e-commerce transaction
● Modifying electronically stored financial records
Hashing (Integrity)
▪ Sender runs string of data through algorithm
● Result is a hash or hash digest
▪ Data and its hash are sent to receiver
▪ Receiver runs data received through the same algorithm and obtains a
hash
▪ Two hashes are compared
● If the same, the data was not modified
Hashing Algorithms (Integrity
▪ Message digest 5 (MD5) ● 128-bit hash digest ▪ Secure Hash Algorithm 1 (SHA-1) ● 160-bit hash digest ▪ Secure Hash Algorithm 256 (SHA-256) ● 256-bit hash digest ▪ Challenge-Response Authentication Mechanism Message Digest 5 (CRAMMD5) ● Common variant often used in e-mail systems
Availability
vailability
▪ Measures accessibility of the data
▪ Increased by designing redundant networks
▪ Compromised by
● Crashing a router or switch by sending improperly formatted data
● Flooding a network with so much traffic that legitimate requests
cannot be processed
o Denial of Service (DoS)
o Distributed Denial of Service
Threat
o Threat ▪ A person or event that has the potential for impacting a valuable resource in a negative manner o Vulnerability ▪ A quality or characteristic within a given resource or its environment that might allow the threat to be realized ● Internal Threat o Any threat that originates within the organization itself ● External Threat o Any threat that could be people, like a hacker, or it can be an event or environmental condition
Threat
o Threat ▪ A person or event that has the potential for impacting a valuable resource in a negative manner o Vulnerability ▪ A quality or characteristic within a given resource or its environment that might allow the threat to be realized ● Internal Threat o Any threat that originates within the organization itself ● External Threat o Any threat that could be people, like a hacker, or it can be an event or environmental condition
Environmental Vulnerabilities
▪ Undesirable conditions or weaknesses that are in the general area
surrounding the building where a network is run
Physical Vulnerabilities
▪ Undesirable conditions or weaknesses in the building where the network
is located
Operational Vulnerabilities
▪ Focuses on how the network and its systems are run from the
perspective of an organization’s policies and procedures
Technical Vulnerabilities
▪ System-specific conditions that create security weaknesses
● Common Vulnerabilities and Exposures (CVE)
o A list of publicly disclosed computer security weaknesses
● Zero-Day Vulnerability
o Any weakness in the system design, implementation,
software code, or a lack of preventive mechanisms in place
▪ CVEs (Known vulnerabilities)
▪ Zero-Day (Brand new vulnerability)
Exploit
▪ Piece of software code that takes advantage of a security flaw or
vulnerability within a system or network
▪ Keep systems properly patched and antimalware software updated
Risk Management
o The identification, evaluation, and prioritization of risks to minimize, monitor,
and control the vulnerability exploited by a threat
Risk Assessment
▪ A process that identifies potential hazards and analyzes what could
happen if a hazard occurs
● Security
● Business
Security Risk Assessment
▪ Used to identify, assess, and implement key security controls within an
application, system, or network
Threat Assessment
▪ Focused on the identification of the different threats that may wish to
attack or cause harm to your systems or network
Vulnerability Assessment
▪ Focused on identifying, quantifying, and prioritizing the risks and
vulnerabilities in a system or network
● Nessus
● QualysGuard
● OpenVAS
o Threat controlled by the attacker of event
o Vulnerability within your control
Penetration Test
▪ Evaluates the security of an IT infrastructure by safely trying to exploit
vulnerabilities within the systems or network
Posture Assessment
▪ Assesses cyber risk posture and exposure to threats caused by
misconfigurations and patching delays
● Define mission-critical components
● Identify strengths, weaknesses, and security issues
● Stay in control
● Strengthen position
Business Risk Assessment
▪ Used to identify, understand, and evaluate potential hazards in the
workplace
Process Assessment
▪ The disciplined examination of the processes used by the organization
against a set of criteria
● Determines if you are doing things right, and if you are doing the
right things
● Vendor Assessment
● The assessment of a prospective vendor to determine if they can
effectively meet the obligations and the needs of the business
Least Privilege
▪ Using the lowest level of permissions or privileges needed in order to
complete a job function or admin task
Least Privilege
▪ Using the lowest level of permissions or privileges needed in order to
complete a job function or admin task
Role-based Access
▪ Discretionary Access Control (DAC)
● An access control method where access is determined by the
owner of the resource
o Every object in a system has to have an owner
o Each owner must determine the access rights and
permissions for each object
▪ Mandatory Access Control (MAC)
● An access control policy where the computer system gets to
decide who gets access to what objects
o Unclassified
o Confidential
o Secret
o Top secret
Role-Based Access Control (RBAC)
▪ An access model that is controlled by the system but focuses on a set of
permissions versus an individual’s permissions
▪ Creating groups makes it easy to control permissions based around actual
job functions
Zero-Trust
▪ A security framework that requires users to be authenticated and
authorized before being granted access to applications and data
1. Reexamine all default access controls
2. Employ a variety of prevention techniques and defense in depth
3. Enable real-time monitoring and
controls to identify and stop
malicious activity quickly
4. Ensure the network’s zero-trust
architecture aligns to a broader
security strategy
Defense in Depth
o Cybersecurity approach in which a series of
defensive mechanisms are layered in order to protect valuable data and
information
▪ Physical
▪ Logic
▪ Administrative
DMZ
▪ A perimeter network that protects an organization’s internal local area
network from untrusted traffic
Screen Subnet
▪ Subnet in the network architecture that uses a single firewall with three
interfaces to connect three dissimilar networks
● Triple-homed firewall
Separation of Duties
▪ Prevent frauds and abuse by distributing various tasks and approval
authorities across a number of different users
Dual Control
▪ Two people have to be present at the same time to do something
Split Knowledge
▪ Two people each have half of the knowledge of how to do something
Honeypot/ Honeynet
▪ Attracts and traps potential attackers to counteract any attempts at
unauthorized access to a network
▪ Think vertical through the layers as well as horizontal or lateral across the
network using screen subnets
Multifactor Authentication
o Authenticates or proves an identity using more than one method ▪ Something you know ▪ Something you have ▪ Something you are ▪ Something you do ▪ Somewhere you are
Dictionary Attack
▪ Guesses the password by attempting to check every single word or
phrase contained within a word list, called a dictionary
● Do not use anything that looks like a regular word
Brute Force Attack
▪ Tries every possible combination until they figure out the password
● Use a longer and more complicated password
o Uppercase
o Lowercase
o Numbers
o Special characters
● For good security, use a minimum of 12 characters
Hybrid Attack
▪ Combination of dictionary and brute force attacks
Local Authentication
▪ Process of determining whether someone or something is who or what it
● Claims itself to be
● Simplified version of X.500
Lightweight Directory Access Protocol (LDAP)
▪ Validates a username and password combination against an LDAP server
as a form of authentication
● Port 389 LDAP
● Port 636 LDAP Secure
Active Directory (AD)
▪ Organizes and manages everything on the network, including clients,
servers, devices, and users
Kerberos
▪ Focused on authentication and authorization within a Windows domain
environment
▪ Provides secure authentication over an insecure network
Remote Authentication Dial-In User Service (RADIUS)
▪ Provides centralized administration of dial-up, VPN, and wireless network authentication ● Authentication ● Authorization ● Accounting o Commonly uses: ▪ Port 1812 Authentication messages ▪ Port 1813 Accounting messages o Proprietary versions of RADIUS may also use: ▪ Port 1645 Authentication messages ▪ Port 1646 Accounting messages
Terminal Access Controller Access Control System Plus (TACACS+)
▪ Used to perform the role of an authenticator in an 802.1x network ● RADIUS (UDP) ● TACACS+ (TCP) ● Ensure Port 49 is open ● Excellent if using Cisco devices
802.1x
▪ A standardized framework that’s used for port-based authentication on both wired and wireless networks ● Supplicant ● Authenticator ● Authentication server
Extensible Authentication Protocol (EAP)
▪ Allows for numerous different mechanisms of authentication
EAP-MD5
o Utilizes simple passwords and the challenge handshake
authentication process to provide remote access
authentication
EAP-TLS
o Uses public key infrastructure with a digital certificate
being installed on both the client and the server
EAP-TTLS
o Requires a digital certificate on the server and a password
on the client for its authentication
EAP Flexible Authentication via Secure Tunneling (EAP-FAST)
o Uses a protected access credential to establish mutual
authentication between devices
Protected EAP (PEAP)
o Uses server certificates and Microsoft’s Active Directory
databases to authenticate a client’s password
Lightweight EAP (LEAP)
o A proprietary protocol that only works on Cisco-based
devices
Network Access Control (NAC)
o Ensures a device is scanned to determine its current state of security prior to
being allowed network access
Persistent Agent
▪ A piece of software installed on a device requesting access to the
network
Non-Persistent Agent
▪ Requires the users to connect to the network and go to a web-based
captive portal to download an agent onto their devices
IEEE 802.1x
▪ Used in port-based Network Access Contro
Time-based
o Defines access periods for given hosts on using a timebased schedule
Location-based
o Evaluates the location of the endpoint requesting access
using IP or GPS geolocation
Role-Based (Adaptive NAC)
o Reevaluates a device’s authentication when it’s being used
to do something
Rule-based
o Uses a complex admission policy that might enforce a
series of rules with the use of logical statements
Detection Methods
▪ Security control used during an event to find out whether or not
something malicious may have happened
Wired
o Allows the device to be physically cabled from its camera
all the way to a central monitoring station
Wireless
o Easier to install, but they can interfere with other wireless
systems, like 802.11 wireless networks
▪ Indoor and Outdoor
● Indoor cameras tend to be lighter, cheaper, and easier to install
Infrared System
● Displays images based on the amount of heat in a room
1. Quickly and easily identify where a person is inside the room
2. Identify hot spots in the room and detect gear that could
overheat before it actually does
Ultrasonic Camera
● A type of surveillance camera that uses sound-based detection
Asset Tag
● Identifies a piece of equipment using a unique serial number,
code, or barcode
o Reduce theft and helps to identify the device
Tamper Detection
● Ensures a network equipment has not been modified once labeled
and stored
eFuse
● An electronic detection mechanism that can record the version of
the IOS used by a switch
Prevention Method
▪ Security control used to prevent incidents from occurring ● Access control hardware ● Access control vestibules ● Smart lockers ● Locking racks ● Locking cabinets ● Employee training
Access Control Vestibule (Mantrap)
▪ An area between two doorways that holds people until they are
identified and authenticated
Smart Locker
▪ A fully integrated system that allows you to keep your laptop, tablet, smartphone, or other valuables inside ● 69% ROI o Small and medium sized business ● 248% ROI o Large enterprises
Asset Disposal
o Occurs whenever a system is no longer needed by an organization
▪ Perform a factory reset
▪ Wipe the configuration
▪ Sanitize the devices
Factory Reset
▪ Removes all customer specific data that has been added to a network
device since the time it was shipped from the manufacturer
● Enable
● Factory-reset all
● Write-erase
▪ NVRAM stores configuration files
▪ Flash Module stores the Cisco IOS
Degaussing
▪ Exposes the hard drive to a powerful magnetic field to wipe previously
written data from the drive
o Purging/Sanitizing
▪ Removes data which cannot be reconstructed using any known forensic
techniques
Clearing Technique
▪ Removes data with a certain amount of assurance that it can’t be
reconstructed
Data Remnants
▪ Leftover pieces of data that may exist in the hard drive which we no
longer need
Network Security Attacks
▪ Our security goals (CIA) are subject to attack
▪ Confidentiality attack
● Attempts to make data viewable by an attacker
▪ Integrity attack
● Attempts to alter data
▪ Availability attack
● Attempts to limit network accessibility and usability
