Notes From Lynda Course Flashcards
Port 21
FTP
Port 22
SSH
Port 389
RDP
Ports 137-139
NetBIOS
Port 25
SMTP
Port 110
POP
Port 143
IMAP
Port 80
HTTP
Port 443
HTTPS
Symmetric Algorithms
Encryption and decryption operations use the same key
Asymmetric Algorithms
Encryption and decryption operations use different keys
Salting
Adds a value to the encryption key to make it more complex
Hashing
Adds time to the verification process by requiring more math
WPA
WiFi Protected Access - Uses the Temporal Key Integrity Protocol (TKIP) to implement strong encryption
WPA2
WiFi Protected Access v2 - Adds time to the verification process by requiring more math
LEAP
Lightweight EAP - Insecure protocol that relies upon MS-CHAP
EAP
Broad framework with many variants, some are secure, some are not
PEAP
Protected EAP - Tunnels EAP inside an encrypted TLS session
Spyware
Gathers information
Adware
Displays advertisements
Ransomware
Blocks access
Christmas Tree Attack
Uses packet flags to exploit a system
DNS/ARP Poisoning
Redirects or intercepts traffic
Typosquatting
Exploits typos to get web traffic
Two components of every malware
1. Propagation Mechanism
2. Payload
Propagation Mechanism
The way a malware object spreads
Payload
The malicious action that the malware performs
Virus
Type of malware that is spread by user interaction (User education is the best preventative measure)
Worm
Type of malware that spreads by itself - requires vulnerable systems to spread (Keeping systems updated is the best preventive measure)
Trojan Horse
Type of malware that disguises itself as a beneficial program while carrying a malicious payload (Application control is the best protection from this)
Remote Access Trojans (RAT)
Provides backdoors to hacked systems
Three types of malware payloads
Adware, Spyware, Ransomware
Three types of propagation techniques
Virus, Worm, Trojan Horse
Backdoor
Provides unregulated workaround access to a system using modified code
Backdoor mechanisms
Hardcoded accounts, default passwords, and unknown access channels can provide access
Logic Bomb
Uses modified code to deliver a triggered payload
Three advanced malware concepts
Rootkits, Polymorphism, and armored viruses
Rootkits
Software techniques used to hide other software on a system
Polymorphism
Changes signature to avoid detection, they use a different encryption key with each system they infect
Armored Viruses
Prevents reverse engineering, sandboxing, and blocks system debuggers to prevent detection
Root Account
A special superuser account that provides unrestricted access to system resources
Rootkit Payloads
Backdoors, Botnet agents, Adware/spyware, Antitheft mechanisms
User Mode Rootkits
Run with normal user privileges, easy to write and difficult to detect
Kernel Mode Rootkits
Run with system privileges, difficult to write, and easy to detect
Signature detection
Identifying viruses by detecting known code patterns from a database
Christmas Tree Attack
All of the flags are set to 1 in the header packet which can crash a system or can be used to do OS fingerprinting
DNS
Domain Name Service - A service that translates common domain names into IP addresses for the purpose of network routing
ARP
Address Resolution Protocol - Protocol that translates logical IP addresses into the hardware (MAC) addresses on the LAN
Typosquatting
AKA URL Hijacking - an attack that consists of registering domain names similar to official sites, hoping that users will make a typo and visit the attacker's site
Domain Hijacking
Steals a domain registration or alters DNS records
MAC Spoofing Attack
Alters hardware addresses
IP Spoofing Attack
Alters IP addresses - often used in DoS attacks - not useful in attacks that require return data because receiving data on a spoofed IP is not easy
Ingress Filtering
Blocks incoming traffic from external networks bearing an internal source IP address - useful for blocking spoofing attacks
Egress Filtering
Blocks outbound traffic from internal networks bearing a source IP address that you don’t control
Four Common types of password attacks
- Brute Force Attack
- Dictionary Attack
- Hybrid Attack
- Rainbow Table Attack
Brute Force Attack
Attempts all combinations for a password - only works for short non-complex passwords. AKA Known Ciphertext Attacks
Dictionary Attack
All English language words are attempted
Hybrid Attacks
Adds common variations to the Dictionary Attack
Rainbow Table Attack
Pre-computed hashes are used
Keyspace
The set of all possible encryption keys usable with an algorithm
Frequency analysis
Studies the patterns of letters in cipher text
Known-Plaintext Attack
Attacker has both the encrypted and unencrypted versions of a password and uses this as a decryption key for other messages
Chosen-Plaintext attack
The attacker creates an encrypted message and attempts to determine the key that is being used
Downgrade Attack
When a system supports many different types of encryption, the attacker uses a MITM attack to force two systems that are attempting to communicate to switch to a weaker algorithm, then eavesdrops on the traffic and cracks the password
Watering Hole Attacks
Client-side attack that exploits vulnerabilities in the client accessing the server. Usually carried out through a highly targeted website (often a trusted one) that is bundled with a botnet to infect other systems
Clickjacking Attack
An attack where the attacker hides elements of a webpage behind other elements so that a user cannot see what he or she is actually clicking - Form of CSRF
Cursorjacking
Specialized form of clickjacking that tricks the user about the cursor’s location on the screen
Directory Traversal Attacks
Allows an attacker to manipulate the file system structure on a web server - the attacker uses directory navigation references to search for unsecured files on a server
Buffer Overflow Attacks
If user input exceeds the space allotted for the data
Code Execution Attacks
An attacker exploits a vulnerability in a system that allows the attacker to run commands on that system.
Arbitrary Code Execution
Code execution attacks where the attacker runs commands of his or her choice
Remote code execution
Code execution attacks that take place over a network connection
Preventive measures for code execution attacks
1. Limit administrative access
2. Patch systems and applications with all available security updates
Driver Refactoring
Driver manipulation technique that modifies a driver to carry out malicious activities. It requires access to the driver source code
Driver Shimming
Driver manipulation technique that wraps a malicious driver around the outside of the legitimate driver. Does not require access to the legitimate driver’s source code.
Six reasons social engineering attacks are successful
- Authority/Trust
- Intimidation
- Consensus and Social Proof (Herd mentality)
- Scarcity (Act quickly or you will miss out)
- Urgency
- Familiarity and Liking
Spear Phishing
Highly targeted phishing attack
Whaling
Subset of spear phishing - focuses on senior executives
Pharming
A fake website is sent to users and looks like a familiar website
Vishing
Voice phishing attacks that ask for credentials over the phone or tell the victim to go to a website and download something
SPIM
Spam via IMs
Bridges
Connects two networks together at Layer 2 using MAC address
Media Gateways
Connect different telecommunications networks together
TCP/IP
Transmission Control Protocol/Internet Protocol
IP (Internet Protocol)
Responsible for routing information across the networks
Provides an addressing schema (IP Addresses)
Delivers packets from the source to its destination
Network Layer Protocol
Two main transport layer protocols
TCP and UDP
TCP (Transport Layer Protocol)
Responsible for the majority of internet traffic
Connection-oriented protocol
Establishes connections between two systems before transmitting data
Guarantees delivery through acknowledgement
Widely used for critical applications because of its reliability
TCP Flags
Used to identify packets in the three way handshake process
TCP Flag Types
SYN - Establish a connection
FIN - Close a connection
ACK - Acknowledges a SYN or FIN request
UDP (User Datagram Protocol)
More lightweight than TCP
Connectionless/ no handshake
No Acknowledgements or guaranteed delivery
Good for voice and video applications
Physical Layer
Wires, Radios, Optics
Data Link Layer
Data transfers between two nodes
Network Layer
IP
Transport Layer
TCP and UDP
Session Layer
Exchanges between two systems
Presentation Layer
Data translation and encryption
Application Layer
User programs
DNS Servers
Translates domain names into IP addresses
UDP Port 53
DNS
Network Ports
16-bit binary number
2 to the 16th power or 65,536 possible
Ranges from 0-65,535
Port 21
FTP
Port 22
SSH
Port 3389
RDP
Ports 137, 138, 139
NetBIOS
Port 53
DNS
Administrative Service Ports
21: FTP
22: SSH
53: DNS
137-139: NetBIOS
3389: RDP
Port 25
SMTP (Simple Mail Transfer Protocol)
Port 110
POP (Post Office Protocol)
Port 143
IMAP (Internet Message Access Protocol)
Mail Services Ports
25: SMTP
110: POP
143: IMAP
Port 80
HTTP
Port 443
HTTPS
ICMP (Internet Control Message Protocol) Functions
Destination unreachable
Redirects
Time exceeded
Address mask requests and replies
ICMP commands
ping
traceroute
Stateful inspection
Tracks open connections
Firewall Rule Contents
Source system address
Destination system addresses
Destination port and protocol
Action (allow or deny)
Implicit Deny
Any traffic not explicitly permitted by a rule should be automatically denied
Web Application Firewall
Specifically protect web applications by using application awareness to peer deep into the application layer and block web attacks
Benefits of a Proxy Server
Anonymization
Performance boosting because the proxy server caches websites
Content filtering increases security
Proxy server
Sits between the user and web server
Forward proxies
Work on behalf of the client, web server does not detect the proxy server
Reverse proxies
Work on behalf of the server, Client does not detect proxy server
Transparent proxies
Are not seen by the client or server. AKA inline proxies or forced proxies. Sits between the client and the outside network. Causes issues with SSL and TLS encrypted communications
Load Balancer Security Functions
SSL Cert Mgmt
URL Filtering
Other Web Application Security tasks
Round-Robin Scheduling
A type of load balancing where each server gets an equal number of requests (Simplest)
Session Persistence
Type of load balancing that routes an individual user’s requests to the same server every time
Load Balancer Approaches
Active-Active and Active-Passive
Active-Active Load Balancing
Two or more load balancers actively handle network traffic and continue to function with diminished capacity if one fails
Active-Passive Load Balancing
One load balancer handles all traffic while a second monitors activity and assumes responsibility if the primary load balancer fails
Two important security functions of VPNs
1. They allow secure interconnection of remote networks
2. They provide mobile workers with a way to securely connect from a remote location to an organization’s network
IPSec
Network layer VPN protocol commonly used for site-to-site VPNs but is difficult to configure. May be blocked by the firewall. Adds security to TCP/IP networks
SSL/TLS
Application layer VPN protocol commonly used for remote access VPNs and easier to configure. Uses port 443 because it is typically allowed through every firewall
Two types of remote access VPNs
Full-Tunnel VPN
Split-Tunnel VPN
Full-Tunnel VPN
Everything is encrypted, including web browsing. All network traffic leaving the connected device is routed through the VPN tunnel, regardless of its final destination.
Split-Tunnel VPN
Only traffic destined for the corporate network is sent through the VPN tunnel. Other traffic is routed directly over the Internet
Always-On VPN
All mobile devices are configured automatically to connect to the VPN
IPSec’s two protocols
ESP (Encapsulating Security Payload) and AH (Authentication Headers)
ESP (Encapsulating Security Payload)
Provides confidentiality and integrity protection for packet payloads
AH (Authentication Headers)
Provides integrity protection for packet headers and payloads. Makes sure that no changes are made to the packet while it is in transit
SA (Security Association)
Each pair of cryptographic protocol and hash function
Three common firewall errors
Shadowed rules
Promiscuous rules
Orphaned rules
Shadowed rules
Rules that are placed in a lower priority position and are overlooked by a firewall
Promiscuous rules
Allow more access than necessary
Orphaned rules
When something like a service is decommissioned and its rules are never removed.
Router Access Control Lists
Restrict network traffic
WORM Repository
“Write Once, Read Many” - The centralized log repository should be configured this way to prevent log tampering
NTP (Network Time Protocol)
Standardized way to quickly and easily synchronize all of the system clocks within an organization. Install on a centralized time server.
Continuous Security Monitoring
Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. (Formal definition from NIST)
Three core characteristics of Continuous Monitoring
- Maps to risk tolerance
- Adapts to ongoing needs
- Actively involves management providing leadership and resources
Six Steps of the Continuous Monitoring Process
- Define a strategy
- Establish a monitoring program
- Implement the program as automated as possible to collect the metrics, perform assessments and build reports
- Analyze and report the findings from the collected data
- Respond by mitigating, avoiding, transferring, or accepting the risk
- Review and update the monitoring program to fit needs