Network Security Operations Flashcards
Blank start with understanding how a firewall is used to secure a network
Foundational Network security
What is a barrier that intercepts and inspects traffic moving from one area of the network to another?
Firewall
What may be physical appliances or may be virtual appliances operating as a VMS.
firewall
What is the term for a firewall that operates as apps running on workstations and servers
host-based firewalls
All firewalls have what in common that will determine whether the firewall will permit or deny traffic to pass on to its intended destination
Set of rules
Blank is a firewall that operates on layers 3 & 4.
Packet Filtering
Most networks equate what to layer 3 and what to layer 4
IP address
TCP or UDP port number
Blank inspect incoming (ingress) and outgoing (egress) traffic and compare the attributes to a database of packet filter rules that determine if the movement is permitted
Firewalls
Name the five attributes in a packet filter
Protocol (typically IP)
Source of IP address
Destination IP address
Source TCP or UDP port number
Destination TCP or UDP port number
Packet filters are only concerned with what of the packets and perform no level of inspections on the contents of the package
Address label (header)
What could pass through packet filtering undetected as long as the source and destination values were approved by the firewall rules
Dangerous payloads
What is a device that operates as a middleman between two or more systems to help conceal the true nature of the client and server
Circuit Level Gateways
The circuit level gateway may change what two things to allow two networks to communicate that otherwise could not
IP address and TCP/UDP port number
What does NAT stand for
Network address translation
What does PAT stand for
Port address translation
What refers to the connection state of a conversation between two computers
State
What term operates on levels 3,4,5 that allows a firewall to identify traffic as conversational and automatically create temporary firewall rules to permit the response traffic to flow back to the sender
Stateful Inspection
The goal of stateful inspections is to reduce what?
Firewall rules
To combat malicious traffic passing into the network unchecked (packet filtering) , what was created as a middle-man that reads and parses the traffic payload before forwarding it (if safe)
Proxy servers
Inspection of payload is commonly called what?
Application-aware firewalls or Layer-7 firewalls
What two things are advanced security solutions that can identify malicious traffic based on a database of known behaviors and payload signatures?
IDS and IPS
What monitors networks to detect threats?
IDS
What intercepts and blocks threats?
IPS
What is the term for when IDS and IPS attach to a network in listen-only mode, alerting a network admin if they detect any suspicious behavior
Tap mode
What mode refers to the configuration required for an IPS to intercept and block suspicious traffic?
In-line mode
What is the term for when an IPS device blocks files known to carry viruses and malware, like .exe files
Reputation-based protection
What device monitors the network to detect threats, listens passively and alerts network admins of suspicious behavior?
IDS
What device intercepts and blocks and creates choke points?
IPS
Which layer includes protocols such as 802.3 and 802.11?
Layer 2 (data link)
What is a layer 1 threat because it involves tampering with the physical cables of a victim’s network?
Wiretapping
Wiretapping, theft of devices, and unlocked equipment racks are all threats at what layer?
Layer 1 (physical)
What as a Layer 1 attack could interfere with a victim’s wireless network card and prevent him from communicating with a WAP?
Radio Jammer
What layer attack would a wireless deauthentication attack be?
Layer 2 (Data Link)
What type of attack involves sending a special frame to a WAP that disconnects it from the wireless network?
Wireless Deauthentication
What can be the goal of deauthentication attacks?
Getting the wireless network password
What layer is an ARP poisoning attack?
Layer 2
What attack sends special frames to the network that quickly poison the switch’s internal traffic handling database?
ARP poisoning
What does FIB stand for?
Forwarding Information Base
The switch is a network device at what level?
Layer 2 (Data Link)
An attacker can merge ARP poisoning with what to reconstruct and analyze the received frames to gather info for future attacks?
Packet Sniffer
Ethernet switches separate traffic into multiple logical networks called what?
Virtual local area network (VLANS)
A switch can operate in one of what two modes?
Access mode (untagged mode)
Trunk Mode (tagging mode)
What ports are used by servers and workstations assigned to a single VLAN?
Access Mode
What ports are used to interconnect multiple switches or routers and carry traffic to multiple VLANS
Trunk mode
What is a layer 2 attack that occurs when an attacker gets access to a computer connected trunk port that allows them to join a network that would not normally be available to them?
VLAN hopping attack
What attack can be mitigated by following a switch vendor’s recommendation for VLAN configuration as well as designating computer switch ports as access mode?
VLAN hopping attack
What layer attack is a ping attack?
Layer 3: Network
What can mitigate a ping attack?
Packet filtering firewall
Spoofing attacks can occur on what two levels?
Layer 2 (data Link) and Layer 3(network)
What does MAC stand for?
Media Access Control
Which protocol is a connection-oriented protocol?
TCP
Which protocol is a connection-less protocol?
UDP
A connection-oriented protocol provides what when data is sent between two computers?
Delivery confirmation
What tool can an attacker run that allows him to scan the victim’s computer for open ports that they could later attack?
Port Scanner
What helps against a port scanning attack?
Packet-filtering firewall
What layer does a port scanning attack work on?
Layer 4: Transport
What is a commonly known port number?
TCP port 8080
What is the practice of redirecting a commonly known port number in hopes of hiding that the computer is running a web browser?
Port redirection
What is a protocol at layer 5: Session?
Remote Procedure Call (RPC)
What attacks are at layer 5?
RPC attacks
How do you mitigate RPC attacks?
Regular operating system updates and patches
What conceals data and is commonly performed at presentation level?
Encryption
Encryption at the presentation level uses what, which is the replacement for what?
Transport Layer Security
SSL protocol
What attack occurs at Layer 6?
Man-in-the-middle attack
How do you mitigate man-in-the-middle attacks?
Use an Application-layer proxy or an IPS
What does API stand for?
Application Programming Interface
What can be attacked at Layer 7?
API
How can you mitigate attacks via the API of you application?
By adding authentication
What do security professionals use to detect problems and known bad code in an application?
Vulnerability scanner
SQL injection, buffer overrun, and other take control attacks happen at what layer?
Layer 7: Application
What are two other ways other than authentication that helps mitigate attacks at the application level?
Reverse Proxy system and an IPS device
Encrypted data is referred to as what?
Ciphertext
What is the proper term for an encryption algorithm?
Cipher
What is also known as private key encryption that uses the same key to encrypt data as it does to decrypt data?
Symmetric key encryption
The what of the symmetric key encryption depends on the complexity of the cipher and the key?
Security
What is the most vulnerable point of a symmetric key encryption?
During key exchange
What are the two advantages of a symmetric key encryption?
Simplicity
Speed
What relies on two different keys to encrypt and decrypt traffic?
Asymmetric key encryption
Asymmetric key encryption relies on what since customers have no reliable and secure means to exchange a secret key prior to data transfer?
Public key infrastructure
In a PKI system, each party that can either send or receive data must first create a what that contains what two things?
Key pair
Public Key
Private key
The key pair is created using what that enables one key to decrypt the ciphertext that the other key has written>
algorithm
What feature is known as allowing anybody to decrypt your data who downloaded your public key guaranteeing that you haven’t changed it since creation?
Digital Signature
Blank is one downside to asymmetric key ciphers?
Computational power
What type of encryption uses a symmetric key to cipher, but exchanges that key by using an asymmetric key to have both speed and security?
Transport Layer Security (TLS)
What uses algebraic structures to create a key that is even smaller than traditional asymmetric keys, yet is substantially more difficult to breach without the aid of quantum computers?
Elliptic Curve Cryptography (ECC)
What is the most common forms of encryption found on the internet today?
SSL/TLS encryption
What type of encryption creates a secure channel over the internet in order to exchange a public key in the form of a certification (certification authority like Verisign) issued by a well known authority that is presented to the public when the user connects to the website while the private key is kept on the webserver in secret and protected?
TLS
When a client computer (the web browser) contacts the web server, the client initiates what that establishes a symmetric key that encrypts a token with the web server’s public key, ensuring that only a computer holding the private key can decrypt the token?
Encryption handshake
What type of encryption provides an authentication and encryption solution that secures IP network traffic at Layer 3?
Internet Protocol Security (IPSEC)
TLS encryption works at what layer?
Layer 6
IPSEC encryption works at what layer?
Layer 3
IPSEC encryption is commonly used to create what across the internet or other untrusted networks that allow computers to communicate with each other?
VPN tunnels
IPSEC traffic is what and what, which allows the devices to create an encrypted tunnel that traffic may pass through.
Encapsulated and authenticated
What hides the fact that the packets are flowing across an untrusted network and gives the client the illusion they are directly connected to each other in the same network in IPSEC encryption?
Encapsulation
IPSEC encryption is composed of what which provides the encryption for the connection, and the security associations which define the algorithms to be used and the key exchange methods?
Authentication Header (AH) protocol
IPSEC is often used with what negotiation that holds the tunnel?
Internet Key Exchange (IKE)
What in IPSEC encryption is used to create encrypted IP packets for transferring data?
IPSEC keys
Data payload in IPSEC is encrypted how?
DES or AES
Data integrity in IPSEC encryption is ensured how?
One way hash functions (MD5 or SHA1)
When data is stored in a permanent or semi-permanent state, the data is said to be at what and should be treated with the same level care as data in transit?
At rest
What is the most secure algorithm for storing and encrypting data at rest?
Advanced Encryption Standard (AES)
What is the term for a symmetric key cipher that makes use of different key and block sizes and creates a near-impenetrable encryption by using a series of transformations on plain text?
AES
What three things all play a role in protecting data?
Data Classification
Data Protection
Encryption
What is the term for identifying the type of data you are storing and creating policies that describe how to handle the data>?
Data classification
What is the term for something that dictates how long a piece of data should remain active whether in day-to-day storage or in archive copies?
Retention policy
Data stored in the public cloud is or isn’t backed up automatically and can be restored at any time?
Is not
Sending backup from your onsite premises to the cloud would cause how much in network fees with a cloud provider?
Nothing
What provides a physical safeguard for your data because even if the server is stolen, the data remains protected?
Encryption for data at rest
What is the term for the thing used to encrypt and decrypt your data that must be kept from an attacker getting?
Data Encryption Key (DEK)
What are the two ways to mitigate an attacker from getting access to your data through a DEK?
1) Rotate the DEK regularly
2) Seek a method that does not require you to expose the DEK to anybody
What should you do to ensure you have a method that does not require you to expose the DEK to anybody?
Encrypt the DEK
What does KMS stand for?
Key management System
Data in transit is also known as what?
Data in flight
What is the term that means users can can authenticate to your app using identity servers like Google or Facebook?
Federated Identity management
What is the term for a secured region of your private network where firewalls are configured to carefully inspect and traffic entering and leaving the network and where an IPS can be implemented?
Extranet
What stems from the idea that you will have to authenticate using different methods - what you know (username and password) and what you have (fingerprints or other biometric data)?
Multifactor Authentication (MFA)
Most public cloud providers rely on what that may be a device or a virtual identification program that generates a PIN
Token
What is a key chain-like device?
Key fob
Public cloud providers keep detailed what that account the actions taken within your system to help you see changes and unauthorized use of privileged credentials?
Audit logs
In a private cloud, who holds the final responsibility for all of the hardware and most, if not all, of the physical data center security concerns?
Owner of the equipment
Who is generally responsible for the physical data center security in a public cloud?
Public Cloud provider
Who typically owns the responsibility of security for the data center in a hybrid cloud service?
Whoever owns the equipment
Whenever you connect to what, you are sending and receiving all of your data in the clear, meaning unencrypted?
Open Wi-Fi network
What is the term for a symmetric encryption algorithm that uses the now antiquated DES (data encryption standard) algorithm three times in a row to encrypt your data?
3DES (triple DES)
3DES uses only what bit encryption and can be compromised by brute force software running on modern hardware in less than a day?
56-bit
What does AES stand for?
Advanced Encryption Standard
What form of encryption is used by most wireless networks today?
AES
AES can be used with what three bit lengths?
128-bit, 192-bit, or 256-bit
Today, most AES use what bit length?
256-bit (AES-256)
In AES, most modern processors support hardware acceleration via the CPU instruction set called what which allow the CPU to process AES encryption at very fast speeds?
AES-NI (AES new instruction)
What does WEP stand for?
Wired Equipment Privacy
What was the first wireless standards proposed by the IEEE in 1997 that was designed to provide the same level of security as wired networks?
WEP
A WEP key is either 10 or 26 what?
hexadecimal
In 2004, what did the WI-FI alliance deprecate?
WEP
What was created by the WI-FI alliance and IEEE to overcome the weakness of WEP that was first released in 2003?
WPA (Wi-Fi Protected Access)
In WPA, the key is a what that can range from 8-63 characters in length?
variable-length alphanumeric passphrase
A difference between WEP and WPA was the addition of what, which gave WPA a significant security boost by generating a new 128 bit encryption key for every packet sent on the network (not the same key like in WEP)?
Temporal key integrity protocol (TKIP)
What was introduced in 2004 and quickly became the standard for wireless security for the next 15 years?
WPA2
What was the major difference between WPA and WPA2?
Counter Blocking Message Authentication Code (CCMP)
What was designed to provide data confidentiality authentication and access control to WPA2?
CCMP
What was released in 2018 that increases minimum key strength to 192 bits, provides SAE and PFS?
WPA3
What does SAE stand for?
Simultaneous Authentication of Equals
What is the term for the method to exchange the network key in personal mode by eliminating the need to tell others the key before connecting?
SAE
What does PFS stand for?
Perfect forward secrecy
What ensures that even if one session key is compromised that no past or future session’s data will be compromised, just that one session?
PFS
In what wireless network infrastructure is all wireless communication performed in a peer-to-peer fashion and does not require of involve WAP?
Ad-hoc
In what wireless network infrastructure is a WAP, or a wireless router, used to connect wireless devices to the network?
Infrastructure
What is the security standard used to provide network access control at the port level and provides an authentication standard level based on Extensible Authentication Protocol (EPA)?
802.1x
What does RADIUS stand for?
Remote Authentication Dial-In User Service
What type of wireless attack is a DoS attack that can prevent access to a network, can force users to reconnect to the attacker’s point instead, and captures the 4-way handshake to gain intelligence to gain access to the corporate network?
Deauth attack
What is the simplest defense against a deauth attack?
Use WPA3 since the management packets are encrypted
In what attack, does the attacker set up an illegitimate wireless network to gain access to unencrypted data from the victim?
Fake Access
How can you mitigate a fake access attack if you must use an unsecured network?
Create a VPN tunnel
What are the three As in AAA?
Authentication, Authorization, and accounting
What is the process of confirming a person’s identity?
Authentication
What determines what the user may access?
Authorization
What is auditing needed to verify the restrictions put in place are working?
Accounting
What is the term for carefully reviewing the security settings, updating device software and testing the security of the device?
Device Hardening
What are ten steps to harden devices?
1) Change Default Passwords
2) Remove unnecessary logins
3) Enforce a strong password policy
4) Remove unnecessary services
5) Keep patches up to date
6) Limit Physical Access to devices
7) Only allow for changes from a trusted network
8) Require Encryption for wireless networks
9) Control Audit access
10) Backup
What is the common way to get audit logs?
Syslog
How long before a vulnerability has to be publicly disclosed from discovery?
90 days