Network Security Implemenation Flashcards
What is AAA
Authentication
Authorization
Accounting
Framework for controlling remote access to system resources
Give all the remote networking protocols that implement AAA
RADIUS
TACACS
TACACS+
Diameter
Definition of Authentication
The method of uniquely validating a particular entity or individual’s credentials.
Give all Authentication factors
Something you know, such as a password
Something you have, such as a token or access card
Something you are, including physical characteristics such as fingerprints or a retina pattern
Somewhere you are or are not
Something you do; for example, a keystroke logger that measures how hard you press the keys while typing, or how long the keys remain pressed
Definition of MFA
MFA: Multifactor authentication is an authentication scheme that requires the validation of at least two of the possible authentication factors.
Definition of Two Factor Aunthentication
Two-factor authentication: An authentication scheme that requires validation of two authentication factors.
What is Local Authentication and give examples
When users are off the network, rather than authenticating to a network server database, they authenticate to a local system account
Windows: SAM registry hive
Linux: /etc/passwd or /etc/shadow file
What do users need for Local Authentication
Biometric authentication
Passphrase
Token device
Definition of SSO
Single sign-on is a mechanism where a single user authentication provides access to all the devices or applications where the user has permission.
Definition of LDAP
Lightweight Directory Access Protocol (LDAP) is a directory service protocol that defines how a client can access information, perform operations, and share directory data on a directory server.
What is a digital certificate
Digital certificate: An electronic document that associates credentials with a public key.
What is a CA
Digital certificate: An electronic document that associates credentials with a public key.
What is the purpose of a certificate
Users, devices, services, and applications can all hold certificates.
Certificates validate the certificate holder’s identity.
Certificates are a way to distribute the holder’s public key.
A root CA is typically the first or only CA installed.
A root certificate is typically a self-signed certificate that identifies the root CA.
Defintion of Kerberos
Kerberos: A popular open-source authentication protocol that is based on a time-sensitive ticket-granting system.
Definition of TGT
TGT: (Ticket-Granting Ticket) Used in Kerberos. It is an encrypted file requested from a Ticket-Granting Server that is only valid for a short time to access network services.
Definition of TGS
TGS: (Ticket-Granting Server) Used by Kerberos. It is the logical key distribution center and functions as a trusted third party to issue Ticket-Granting Tickets.
Give the process of Kerberos
1 A user logs on to the domain.
2 The user requests a Ticket Granting Ticket (TGT) from the authenticating server.
3 The authenticating server responds with a time-stamped TGT.
4 The user presents the TGT back to the authenticating server and requests a service ticket to access a specific resource.
5 The authenticating server responds with a service ticket.
6 The user presents the service ticket to the resource.
7 The resource authenticates the user and allows access.
Give a full description of RADIUS
Enables a server to provide standardized, centralized authentication for remote users.
Configure one RADIUS server; configure the other remote access servers as RADIUS clients.
RADIUS clients will pass all authentication requests to the RADIUS server for verification.
Can centralize user configuration, remote access policies, and usage logging on a RADIUS server.
Supported by VPN servers, Ethernet switches requiring authentication, wireless access points (WAPs), as well as other types of network devices.
Give a full description of TACAS+
Authentication protocols that provide centralized authentication and authorization services for remote users.
TACACS includes process-wide encryption for authentication; RADIUS encrypts only passwords.
TACACS uses TCP instead of UDP and supports multiple protocols. Extensions to the TACACS protocols exist, such as Cisco’s TACACS+ and XTACACS.
TACACS uses TCP port 49 and also supports multifactor authentication.
TACACS+ is considered more secure and more scalable than RADIUS because it accepts login requests and authenticates the access credentials of the user.
TACACS+ is not compatible with TACACS because it uses an advanced version of the TACACS algorithm.
Give a full description of RDP
The backbone of Microsoft’s Remote Desktop system.
Its capabilities include data encryption, remote audio and printing, access to local files, and redirection of the host’s disk drives and peripheral ports.
In client versions, 6.1 and later, any application that can be accessed via the normal remote desktop can serve as a standalone remote application.
The server listens on port 3389.
The server component, the terminal server, is available on most Windows operating systems, except for Windows Vista® Home Edition.
A desktop client is available for most operating systems.
Give a full description of VNC
A platform-independent desktop sharing system.
VNC client and server software is available for almost any operating system (and for Java®), so a VNC viewer on a Linux system can connect to a VNC server on a
Microsoft system and vice versa.
VNC uses the Remote Frame Buffer (RFB) protocol, which allows the client and server to determine the best version of RFB they can support during a session.
VNC is not an inherently secure system but does offer varying levels of password and content encryption, depending on the implementation.
Definition of NAC
Network access control (NAC) is a general term for the collected protocols, policies, and hardware that govern access on network interconnections.
Give a full descrpition of NAC
NAC provides an additional security layer that scans devices for conformance and allows or quarantines updates to meet policy standards.
Security professionals will deploy a NAC policy according to an organization’s needs based on three main elements:
=The authentication method
=Endpoint vulnerability assessment
Network security enforcement
Once the NAC policy is determined, professionals must determine where NAC will be deployed within their network structure.
What is IEEE 802.1x
IEEE 802.1x is a standard for securing networks by implementing Extensible Authentication Protocol (EAP) as the authentication protocol over either a wired or wireless Ethernet LAN, rather than the more traditional implementation of EAP over Point-to-Point Protocol (PPP).
What does IEEE 802.1x employ
Employs an authentication service, such as RADIUS, to secure clients, removing the need to implement security features in APs, which typically do not have the memory or processing resources to support complex authentication functions.
Give a full description of IEEE 802.1x
The switch or wireless access point puts the client session on hold and does not allow it to enter the network until either the device or user is authenticated and authorized by a RADIUS server.
Wireless hotspots that require a user name and password in a browser are using 802.1x.
It is an IEEE standard used to provide a Port-based Network Access Control (PNAC), using the 802.11 protocols.
802.1x uses EAP to provide user authentication against a directory service.
What is an ACL
An Access Control List is a set of data that is used to control access to a resource.
What data is included in an ACL
Data includes items such as: User names Passwords Time and date IP addresses MAC addresses
What resources are included in an ACL
Resources include items such as:
Devices
Files
Networks
Give all the characteristics of an ACL
ACLS can be configured to explicitly allow or deny access to resources.
An implicit deny-all clause placed at the end of an ACL will deny permissions to all traffic that is not explicitly permitted in the list.
Definition of a Firewall
A software program or a hardware device (or a combination of both) that protects a device or network from unauthorized access by blocking unsolicited traffic.
Give a description of a Packet Filter
The simplest firewall implementation. They work at the OSI Network layer (Layer 3). Each network packet is compared either to a set of default criteria or to a set of rules configured by an administrator. Based on the rules, the packet is passed or dropped, or a message is sent back to the originator. Packet filters are usually a part of a router.
Give a description of a Stateful Inspection
Works at the OSI Session layer (Layer 5) by monitoring the condition, or state, of the connection. Monitors the TCP connection establishment to determine if a request is legitimate. Stateful inspection firewalls are also known as circuit-level gateways.
Give a description of a proxy
Works at the OSI Application layer (Layer 7) and requires incoming and outgoing packets to have the proxy to access services. This functionality allows proxy firewalls to filter application-specific commands. Can be used to log user activity and logons, which offers administrators a high level of security but significantly affects network performance. Also known as Application-level gateways.
Give a description of a hybrid
Combines the functionality of all of the above and operates at the OSI Network, Session, and Application layers simultaneously.
Definition of a UTM
Unified Threat Management (UTM) is a network security solution that is used to monitor and manage a wide variety of security-related applications and infrastructure components through a single management console.
True or False
UTMs can be network appliances or cloud services.
True
Give all the security functions that UTMs provide
UTMs provide multiple security functions such as: Network firewalling Network intrusion prevention Anti-malware VPN Spam and content filtering Load balancing Data leak prevention On-appliance reporting
Definition of IANA
IANA: (Internet Assigned Number Authority) An international organization established in 1993 to govern the use of IP addresses. The Internet Corporation for Assigned Names and Numbers (ICANN) is now responsible for leasing IP addresses worldwide.
Definition of a Port
IANA: (Internet Assigned Number Authority) An international organization established in 1993 to govern the use of IP addresses. The Internet Corporation for Assigned Names and Numbers (ICANN) is now responsible for leasing IP addresses worldwide.
What is the purpose of a dynamic port
Dynamic ports: assigned by a client operating system as needed when there is a request for service.
What port is FTP assigned to
20,21
What port is SMTP assigned to
25
What port is DNS assigned to
53
What port is HTTP assigned to
80
What port is POP3 assigned to
110
What port is HTTPS assigned to
443
What port is SMB assigned to
445
What is the purpose of registered ports
Registered ports: available to user processes and listed as a convenience by the IANA.
What do all ports have?
All ports are assigned a number between 0 and 65,535.
Give the concept of Open Ports
A TCP or UDP port number is configured to accept packets, unlike a closed port (which rejects connections or ignores all packets directed at it).
Characteristics of Open Ports
Every open port is a potential security vulnerability.
When ports are open and not needed, consider disabling them.
Give the protocol and service of the port 21
Protocol: TCP and Service: FTP
Give the protocol and service of the port 22
Protocol: TCP and Service: SSH
Give the protocol and service of the port 23
Protocol: TCP and Service: Telnet
Give the protocol and service of the port 25
Protocol: TCP and Service: SMTP
Give the protocol and service of the port 53
Protocol: TCP/UDP and Service: DNS
Give the protocol and service of the port 80
Protocol: TCP and Service: HTTP
Give the protocol and service of the port 110
Protocol: TCP and Service: POP3
Give the protocol and service of port 135
Protocol: TCP/UDP
and Service: Windows RPC
Give the protocol and service of port 137
Protocol: TCP/UDP
and Service: NetBIOS over TCP/IP
Give the protocol and service of port 138
Protocol: TCP/UDP
and Service: NetBIOS over TCP/IP
Give the protocol and service of port 139
Protocol: TCP/UDP
and Service: NetBIOS over TCP/IP
Give the protocol and service of the port 443
Protocol: TCP
and Service: HTTPS
Give the protocol and service of the port 1433
Protocol: TCP
and Service: Microsoft SQL Server
Give the protocol and service of the port 1434
Protocol: UDP and Service: Microsoft SQL Server
Give reasons, why unused physical ports can be a security risk.
On a server, if USB ports are enabled, someone could insert a portable USB drive and copy sensitive files directly from the hard drive.
On a switch, if unused ports are left enabled, attackers could physically connect to and access the network.
Give all the ways to disable physical ports.
Entering BIOS setup or other management software and disabling a port.
Editing the Windows Registry.
Physically disconnecting the port from the motherboard.
For details, consult the manufacturer documentation for the individual devices you are responsible for hardening.
Give all the ways you can increase port-security
Disable unnecessary services.
Close ports that are by default open or have limited functionality.
Disable unnecessary running services.
Regularly apply appropriate security patches.
Hide responses from ports that indicate their status and allow pre-configured connections only.
Definition of Secure Protocols
Protocols that do not expose data and/or credentials in cleartext.
Give a description of SSH
SSH(Secure Shell)
Used for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers.
It was designed as a replacement for Telnet and other insecure remote shell protocols.
Give a description of HTTP
HTTPS (Hypertext Transfer Protocol Secure)
Used for secure communication over a computer network, with especially wide deployment on the Internet.
The main purpose of HTTPS is to prevent eavesdropping and man-in-the-middle attacks.
Give a description of TLS/SSL
TLS/SSLTLS/SSL (Transport Layer Security/Secure Sockets Layer)
Used to provide communication security over the Internet.
Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging, and voice-over-IP (VoIP).
Give a description of SFTP
SFTP (Secure File Transfer Protocol)
Used for secure file access, file transfer, and file management.
Give a description of SNMPv3
SNMPv3 (Simple Network Management Protocol version3)
Used for managing devices on IP networks.
Version 3 added cryptographic security to secure data and user credentials.
Give a description of IPsec
IPSec (IP Security)
Used for securing IP communications by authenticating and/or encrypting each IP packet of a communication session.
Give a full description of Windows Firewall
Windows Firewall and Windows Defender Firewall with Advanced Security are software firewall applications that are included with every version of the Windows operating system, including versions of Windows Server.
Some versions of Windows Server also contain Datacenter Firewall.
This provides users and administrators with at least a minimal firewall solution to help create a more secure network.
For many users and for small organizations, the Windows Firewall will meet their needs without purchasing a more complicated firewall solution.
Home users should use the Windows Firewall program in Control Panel.
Windows Defender Firewall with Advanced Security is designed for administrators of a managed network to allow, deny, or secure network traffic in an enterprise environment.
Datacenter Firewall is a multi-tenant firewall intended to be used in cloud service provider situations.
Connection security rules are used to implement IPSec.
Give all the guidelines for securing ports and services
Determine which ports are currently open.
Determine which of the open ports are required to be open.
Close any ports that are not required to be open.
Determine which services are currently running.
Determine which of the running services are required.
Disable any services which are not required.
Definition of Wireless Security
Wireless security: Any method of securing your WLAN to prevent unauthorized network access and network data theft.
Definition of Site of Survey
Site survey: An analysis technique that determines the coverage area of a wireless network, identifies any sources of interference and establishes other characteristics of the coverage area.
Give all the ways of improving wireless security
You need to ensure that authorized users can connect to the network without any hindrances.
Wireless networks are more vulnerable to attacks than any other network system.
Most wireless devices search and connect automatically to the access point with the best signal, which could be coming from an attacker.
Wireless transmissions can also be scanned or sniffed out of the air, with no need to access physical network media.
Such attacks can be avoided by using relevant security protocols.
You use a site survey to help you install and secure a WLAN.
Although an authorized site survey is a standard part of planning or maintaining a wireless network, unauthorized site surveys or compromise of the site survey data can be a security risk.
Wireless access points (WAP) and wireless routers come with a default service set identifier (SSID).
An administrator can accept a device’s default SSID, but this is not recommended.
The administrator should specify an SSID manually.
Another method of securing a wireless connection is by disabling the broadcast of the SSID of the wireless device.
Disabling the broadcast causes the wireless device to not appear on the network. Therefore, when a client device scans the network, it will not be able to locate the disabled SSID.
Though disabling the broadcast of SSID is a comparatively easy task, this method is not completely effective because hackers can still access the WLAN by using sniffing software.
Do not use WPS (WiFi Protected Setup).
If any devices on your network have WPS, disable it.
When purchasing devices, try to obtain devices that do not include WPS.
Give a description of WEP
Encrypts wireless communications, making them less vulnerable.
Designed to provide the same level of security as wired networks.
Has many well-known security flaws.
Give a description of WPA/WPA2
Both encrypt wireless communications, making them less vulnerable to unauthorized access.
Both offer better security than WEP, with WPA2 being more secure.
Both protocols have a Personal and Enterprise mode.
The personal mode uses a preshared key that all clients use for encryption.
Enterprise mode uses 802.1x authentication and a unique encryption key for every client who logs on to the network.
Give a description of TKIP/AES
TKIP provides the encryption for WPA.
AES provides the encryption for WPA2.
Give a description of TLS/TLLS
A security protocol that protects sensitive communication from being eavesdropped on and tampered with.
TTLS is an EAP protocol that extends TLS by providing authentication that is as strong as TLS, but it does not require that each user be issued a certificate. Instead, only the authentication servers are issued certificates.
Give all wireless authentication methods
Open system authentication uses null authentication, which means that user names and passwords are not used to authenticate a user.
This is the default for many access points (APs) and stations.
Open system authentication enables a station to connect to any wireless AP that has open system authentication enabled, even if the service set identifier (SSID) is different from the station.
An open system is often used in conjunction with 802.1x.
The wireless client is allowed to make an unauthenticated association with the AP, but until the user logs on, the client cannot connect to the network.
The shared-key authentication method verifies the identity of a station by using a WEP key.
Both the station and the AP must be configured to use data encryption and the same WEP key.
The station also needs to be configured to use a shared-key authentication instead of the default open-system authentication.
A pre-shared key is used for WPA-Personal and WPA2-Personal.
The key needs to be shared by the communicating parties before it can be used.
PSKs are more often found in use on home wireless networks.
The EAP authentication method authenticates a user and not the station.
This is an enterprise implementation that is done with a RADIUS server.
An AP forwards the authentication request to the RADIUS server, and the server calls the user credential database (for example, Active Directory in Windows domains) to verify the user.
The RADIUS server then passes the identity verification to the AP.
Give a description of EAP
A protocol that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.
EAP categorizes the devices into different EAP types depending on each device’s authentication scheme.
The EAP method associated with each type enables the device to interact with a system’s account database.
Give a description of EAP-Fast
Designed to replace the Lightweight EAP (LEAP).
It addresses LEAP vulnerabilities through the use of TLS tunneling using a Protected Access Credential (PAC).
Give a description of EAP-TLS
Mac OS X 10.3 and above
Windows 7 and above
Windows Server 2012 and above
Windows Mobile 7 and above
Give a description of PEAP
Proposed as an open standard by a coalition made up of Cisco Systems®, Microsoft, and RSA Security.
PEAPv0/EAP-MSCHAPv2 is a widely supported authentication method in EAP implementations.
Give a definition of MAC Filtering
A simple method of securing a wireless network is by controlling which MAC addresses are allowed to access the network.
Give all the characteristics of MAC Filtering
By configuring a wireless access point (WAP) to filter MAC addresses, you can control which wireless clients can access your network.
Typically, an administrator configures a list of client MAC addresses that are allowed to join the network.
Those pre-approved clients are granted access if the MAC address is “known” by the access point.
Although MAC filtering is usually implemented on wireless networks, it can also be used on wired networks to allow and deny access to the network.
Give all the characteristics of Captive Portals
A public-access or guest network often presents a web page users must view and acknowledge before they are granted network access.
These open networks usually include anti-virus software and a firewall between the open network and the organization’s production network.
These are often found in places such as restaurants, airports, lobbies, libraries, and other public spaces that provide free WiFi access.
The captive portal typically includes:
A statement indicating who is providing the network service. This will help users know whether this is a legitimate site or one set up by a hacker.
A statement that the information users send over the network is not secure. These open networks are typically do not using authentication or data encryption.
Advertisements or social media links. This can help the organization provide access to customize the content based on which advertisements are clicked on and by seeing the users’ social media content.
Definition of Geofencing
A method of defining virtual geographical boundaries using GPS or RFID.
Characteristics of Geo-Fencing
When a mobile device with GPS or RFID capabilities enabled crosses into or out of the geofenced area, an event can be triggered.
Examples of triggered events might include:
Changing the temperature in a room or building.
Turning the lights on or off when you enter a room or building.
Locking your computer when you and your mobile device leave the defined area.
Network administrators can also use geofencing to help manage BYODs to automatically change settings on the devices to comply with organization policies.
Blocking some apps.
Making other apps available only when within the organization’s geofenced area.
Changing access rights to data based on location.
It can also be used to alert administrators if equipment owned by the organization travels outside of the geofenced area.
Give a full description of a rogue access point
Unauthorized wireless access point on a corporate or private network.
Not detected easily; can allow private network access to many unauthorized users with the proper devices.
Can allow man-in-the-middle attacks and access to private information.
Organizations should protect themselves from this type of attack by implementing techniques to constantly monitor the system, such as installing an IPS.
Give a full description of evil twins
Rogue access points on a network that appear to be legitimate.
Typically found in public Wi-Fi hotspots where users select available networks from a list.
Evil twins can be more dangerous than other rogue access points because the user thinks that the wireless signal is genuine, making it difficult to differentiate from a valid access point with the same name.
Give a full description of wardriving
Locates wireless access points while traveling, which can be exploited to obtain unauthorized Internet access and potentially steal data.
This process can be automated by using a GPS device and wardriving software.
Common war driving and war chalking tools include NetStumbler, Kismet, Aircrack, and Airsnort.
Give a full description of war chalking
The act of using symbols to mark off a sidewalk or wall to indicate that there is an open wireless network that may be offering Internet access.
Give a full of description of WEP, WPA, and WPS cracking
The method used to crack the encryption keys used in WEP, WPA, and WPS installations to gain access to private wireless networks.
Many tools are available that can aid attackers in cracking encryption keys, such as Aircrack.
Give a full of description of the IV attack
IV is used in many cryptosystems; its implementation in wireless WEP encryption is weak.
It is fairly easy and quick, using automated tools and a replay attack, to extract enough IV data to crack the WEP key. This gives the attacker the ability to connect to a WEP-encrypted wireless network along with all the other clients.
Give a full description of packet sniffing
An attack on a network where an attacker captures network traffic, allowing data to be extracted from the packets.
On a wireless network, a sniffer can be used not only to monitor transmitted data but also to identify the SSID of a wireless network even if that network’s SSID broadcast is disabled.
Give a full description of bluejacking
A method used by attackers to send out unwanted Bluetooth® signals.
Because Bluetooth has a 30-foot transmission limit, this is a very close-range attack.
Attackers can send out unsolicited messages along with images and videos.
These types of signals can lead to many different types of threats. They can lead to devise malfunctions, or even propagate viruses, including Trojan horses.
Users should reject anonymous contacts and configure their mobile devices to the non-discoverable mode.
Give a full description of bluesnarfing
A method in which attackers gain access to unauthorized information on a wireless device by using a Bluetooth connection within the 30-foot Bluetooth transmission limit.
Unlike bluejacking, access to wireless devices such as tablets, mobile phones, and laptops by bluesnarfing can lead to the exploitation of private information including email messages, contact information, calendar entries, images, videos, and any data stored on the device.
Characteristics of device hardening
Makes the attack surface smaller.
Hardening is done in multiple ways or layers to protect devices, the network, and data.
An important part of hardening is ensuring appropriate patches and updates are installed.
Definition of a patch
Patch: A small unit of supplemental code meant to address either a security problem or a functionality flaw in a software package or operating system.
Definition of hotfix
Hotfix: A patch that is often issued on an emergency basis to address a specific security flaw.
Definition of rollup
Rollup: A collection of previously issued patches and hotfixes, usually meant to be applied to one component of a device, such as a web browser or a particular service.
Definition of service pack
Service pack: A larger compilation of operating system updates that can include functionality enhancements, new features, and typically all patches, updates, and hotfixes issued up to the point of the release of the service pack.
Definition of patch management
The practice of monitoring for, obtaining, evaluating, testing, and deploying software patches and updates
Characteristics of patch management
Test the functionality of the updates before widespread installation of updates.
In order for some updates to function properly, you might need to also update system firmware and drivers.
Additional features might be available with some updates.
If vulnerabilities in the firmware or operating system software on a server, workstation or other network device are detected, and an update is issued, you should immediately begin testing the updates.
Characteristics of Patch Rollback
As part of the patch management process, you backed up the software before installing the patch or update.
If something goes wrong with updates or additional problems are found after deploying the updates, you can downgrade again to the previous version.
If you have a configuration backup of all devices stored, and the patch or update is causing problems, the devices can easily be restored to the previous configuration.
Many operating systems and applications have options built in that allow you to roll back to the previous version.
Sometimes this is accessed through the installation program and other times it is a feature within an application or operating system.
What is updating firmware called
Is called flashing
Why should you consider upgrading firmware
There are a few reasons why you should consider upgrading the system firmware, including:
Provide support for new hardware.
Fix bugs that prevent the operating system from installing or running properly.
Enable advanced management features.
Be eligible for vendor support.
How can upgrading firmware damage a device
Upgrading firmware can be damaging to devices if it is not done correctly.
If you improperly flash the system firmware, it can render the device unusable.
Often, your recovery options will be limited, but they should be listed on the manufacturer’s support website.
Definition of antivirus software
A category of protective software that scans devices and sometimes networks for known viruses, Trojans, worms, and other malicious programs.
How do you implement internet virus protection
Implement Internet email virus protection by:
Screening the Internet gateway devices for viruses
Employing reliable desktop antivirus software
Scanning incoming emails between the Internet and the email server
Scanning email again at the device level
Disabling all Internet connections and isolating affected devices if a virus attack is detected
Chararcritiscs of an antivirus software
Scans devices or networks for known viruses, Trojans, worms, other malware.
Some software can scan for unknown harmful software.
Install on all devices and keep it updated.
Can be host-based, server-based, or cloud-based.
Definition of Shared Key or Symmetric encryption
Shared Key or Symmetric encryption: The same key is used both to encode and decode the message.
Definition of Key Pair or Asymmetric encryption
Key Pair or Asymmetric encryption: Each party has a public key that anyone can obtain and a private key known only to the individual.
Give a full description of a public key
Public key: In key-pair encryption, the key is available to all and is used to encode data.
Give a full description of a private key
Private key: In key-pair encryption, the key is known only to an individual and is used to decode data.
Give reasons why we should generate new keys
Reasons to generate new keys include:
If a key is compromised.
To replace the special production key shipped with some software images.
If required by the organization’s policy to update a key after a period of time.
This helps limit exposure if a key compromise was not detected
Definition of CA
CA: (Certificate Authority) A server that can issue digital certificates and the associated public/private key pairs.
Definition of an Encryption Key
Encryption key: A specific piece of information that is used with an algorithm to perform encryption and decryption in cryptography.
Give a full description of a CA
A root CA is typically the first or only CA installed.
A root certificate is an unsigned public key certificate or a self-signed certificate that identifies the root CA.
A CA can issue multiple certificates in the form of a tree structure.
A root certificate is at the top of the tree and is the private key that is used to sign other certificates.
All certificates immediately below the root certificate inherit the trustworthiness of the root certificate.
Certificates further down the tree also depend on the trustworthiness of the intermediate CAs.
Give a full description of an encryption key
A different key can be used with the same algorithm to produce different ciphertext.
Without the correct key, the receiver cannot decrypt the ciphertext even if the algorithm is known.
The longer the key, the stronger the encryption
Definition of Permissions
Permission: A security setting that determines the level of access a user or group account has to a particular resource.
Definition of Hashing encryption
Hashing encryption: One-way encryption that transforms cleartext into a coded form that is never decrypted.
Definition of Hash
Hash (Hash value, message digest): The value that results from hashing encryption.
Definition of EFS
EFS: (Encrypting File System) A file encryption tool available on Windows systems that have partitions formatted with NTFS.
Definition of FDE
FDE: (full disk encryption) A storage technology that encrypts an entire storage drive at the hardware level.
Defintion of SED
SED: (self-encrypting disk) A storage device that is encrypted at the hardware level in order to avoid relying on software solutions.
Give a full description of permissions
A permission is a security setting that determines the level of access a user or group account has to a particular resource.
Permissions can be associated with a variety of resources, such as files, printers, shared folders, and network directory databases.
Permissions can typically be configured to allow different levels of privileges or to deny privileges to users who should not access a resource.
Assign rights and permissions to user groups.
As the needs of individual users change, the users can be placed in groups with the appropriate security configuration.
Give the process of Certificates and Encryption
Certificates can be used for data encryption. The certificate encryption process consists of four steps:
A security principal obtains a certificate and a public/private key pair from a CA.
The party that encrypts data obtains the user’s public key from the user or from the CA’s certificate repository.
The encrypting party then uses the public key to encrypt the data and sends it to the other user.
The other user uses the private key to decrypt the data.
Give a full description of File hashing
Hashing encryption is one-way encryption that transforms cleartext into ciphertext that is not intended to be decrypted.
The result of the hashing process is called a hash, hash value, or message digest.
The input data can vary in length, whereas the hash length is fixed.
Two types of hashes:
MD5 (Message Digest version 5) creates a 128-bit message digest from the input data.
Secure Hash Algorithm (SHA) is used for US government documents and other documents to create a digital signature. SHA-2 and SHA-3 have four variations: SHA-224, SHA-256, SHA-384, and SHA-512.
Give a full description of EFS
A file-encryption tool is available on Windows devices that have NTFS-formatted partitions.
EFS encrypts file data by using digital certificates.
If a CA is not available to issue a file-encryption certificate, the local device can issue a self-signed encryption certificate to users who want to encrypt files.
NTFS permissions control file access, but EFS protects the contents of the file.
EFS can keep data secure even if NTFS security is breached—for example, if an attacker moves a physical hard drive to another system to bypass NTFS.
Give a full description of FDE
Used on SED devices, it ensures encryption at the hardware level.
Give all the characteristics of a Privileged User Account
A privileged user has full access to all aspects of a network, a device, or a computer.
On a Windows system, this is the Administrator user.
On a Linux or UNIX system, this is the root user.
This account should only be used when absolutely necessary.
For day-to-day operations, each user should have a regular user account.
With the additional access that the privileged account has, if the account is compromised, the attacker can reach more data and devices.
The principle of least privilege dictates that users and software should have only the minimal level of access that is necessary for them to perform their duties.
This level of minimal access includes facilities, computing hardware, software, and information.
Where a user or system is given access, that access should conform to the least privilege level required to perform the necessary task.
Give a full description of Role Separation
Role separation, also known as separation of duties, is implemented as a policy that states that no one person should have too much power or responsibility.
Duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuses of power.
Duties such as authorization and approval, and design and development, should not be held by the same individual because it would be far too easy for that individual to defraud or otherwise harm an organization.
In many typical IT departments, roles like backup operator, restore operator, and the auditor is assigned to different people.
Give a full description of Switch spoofing
Turn off trunking on all ports unless trunking is specifically required on a certain port.
On a port where trunking is enabled, disable dynamic trunk protocol (DTP), then manually enable trunking.
Give a full description of Switch Port Protection
Used on Cisco switches to prevent protected ports from forwarding traffic to any other protected port on the switch.
Traffic is forced to be forwarded through a router or other Layer 3 device.
The switch port port-security command enables port security on a port.
switch port command options allow you to configure:
Spanning tree
Flood guard
BPDU guard
Root guard
DHCP snooping
MAC address filtering
Give a full description of Double tagging
Make sure that user ports and native VLAN trunk ports are different.
Consider using a fixed VLAN that is completely separate from all user VLANs on the switched network.
Give all the characteristics of Network Segmentation
Increases system security by reducing the attack surface.
Compliance requirements might require segmentation.
DMZ helps protect networks from unauthorized access.
VLANs can be used to create smaller segmented networks.
If an attacker gets through the DMZ, they must breach another firewall to get into a network segment.
Each subsystem is placed in its own area or zone.
Zones are defined by a logical or physical boundary.
Each zone has a security zone that contains a group of logical or physical assets that require similar security measures.
A physical or logical border separates zones from other resources.
A conduit is established that connects defined zones with other network resources.
The conduit enables safe and secure communications between the defined zone and other network zones.
Conduits can include network security features such as firewalls and VPNs.
All communication between any zones must take place through one of the implemented conduits to protect the data and systems.
Give a full description of NAT and PAT
NAT conceals internal private IP addresses from external networks.
The private address is a virtual IP address, not assigned to an actual device.
The router is configured with a single public IP address on its external interface and a private address on its internal interface.
NAT service translates between the two addressing schemes.
Packets sent to the Internet from internal hosts appear as if they came from a single IP address.
In static NAT, an unregistered address is mapped to a single specific registered address.
In dynamic NAT, a single unregistered address is mapped to the first registered address in an address pool.
PAT is a subset of dynamic NAT functionality that maps either one or more unregistered addresses to a single registered address using multiple ports.
PAT is also known as overloading
Give a full description of port forwarding
Port forwarding, also called port mapping, enables a permanent translation entry that maps a protocol port on a gateway to an IP address and protocol port on a private LAN.
Network clients cannot see port forwarding.
This allows communications from an external source to a destination within a private LAN.
For example, a remote device could use port forwarding to connect to a specific device or service within a private LAN.
Definition of Penetration testing
Penetration testing: An attack authorized by the owner of a computer network with the purpose of finding security weaknesses.
Definition of IDS
IDS: (intrusion detection system) Software, hardware, or both, that scans, audits, and monitors for signs of attacks in progress.
Definition of IPS
IPS: (intrusion protection system) Inline security device that monitors suspicious network traffic and reacts in real-time to block it.
Give a full description of Penetration testing
Can discover which defenses were effective and which were vulnerable.
Penetration test results should be reported to the owners so that they are aware of any issues they need to address.
Uses intrusion detection (IDS) and intrusion prevention systems (IPS).
Definition of Honeypot
Honeypot: A security tool used to lure attackers away from the actual network components. Also called a decoy.
Definition of Honeynet
Honeynet: An entire dummy network used to lure attackers away from actual network components.
Definition of a Proxy Server
Proxy server: A system that isolates internal clients from the servers by downloading and storing files on behalf of clients.
Definition of Reverse proxy server
Reverse proxy server: A type of proxy server that retrieves resources on behalf of a client from one or more servers.
