Notes From Lynda Course

Question 1

Port 21

Answer 1

FTP

Question 2

Port 22

Answer 2

SSH

Question 3

Port 389

Answer 3

RDP

Question 4

Ports 137-139

Answer 4

NetBIOS

Question 5

Port 25

Answer 5

SMTP

Question 6

Port 110

Answer 6

POP

Question 7

Port 143

Answer 7

IMAP

Question 8

Port 80

Answer 8

HTTP

Question 9

Port 443

Answer 9

HTTPS

Question 10

Symmetric Algorithms

Answer 10

Encryption and decryption operations use the same key

Question 11

Asymmetric Algorithms

Answer 11

Encryption and decryption operations use different keys

Question 12

Salting

Answer 12

Adds a value to the encryption key to make it more complex

Question 13

Hashing

Answer 13

Adds time to the verification process by requiring more math

Question 14

WPA

Answer 14

WiFi Protected Access - Uses the Temporal Key Integrity Protocol (TKIP) to implement strong encryption

Question 15

WPA2

Answer 15

Wifi Protected Access v2 - Adds time to the verification process by requiring more math

Question 16

LEAP

Answer 16

Lightweight EAP - Insecure protocol that relies upon MS-CHAP

Question 17

EAP

Answer 17

Broad framework with many variants, some are secure, some are not

Question 18

PEAP

Answer 18

Protected EAP - Tunnels EAP inside an encrypted TLS session

Question 19

Spyware

Answer 19

Gathers information

Question 20

Adware

Answer 20

Displays advertisements

Question 21

Ransomware

Answer 21

Blocks access

Question 22

Christmas Tree Attack

Answer 22

Uses packet flags to exploit a system

Question 23

DNS/ARP Poisoning

Answer 23

Redirects or intercepts traffic

Question 24

Typosquatting

Answer 24

Exploits typos to get web traffic

Question 25

Two components of every malware

Answer 25

1. Propagation Mechanism

2. Payload

Question 26

Propagation Mechanism

Answer 26

The way a malware object spreads

Question 27

Payload

Answer 27

The malicious action that the malware performs

Question 28

Virus

Answer 28

Type of malware that is spread by user interaction (User education is the best preventative measure)

Question 29

Worm

Answer 29

Type of malware that spreads by itself - require vulnerable systems to spread (Keeping systems updated is the best preventive measure)

Question 30

Trojan Horse

Answer 30

Type of malware that disguise themselves as a beneficial program with a malicious payload (Application control is the best protection from this)

Question 31

Remote Access Trojans (RAT)

Answer 31

Provides backdoors to hacked systems

Question 32

Three types of malware payloads

Answer 32

Adware, Spyware, Ransomware

Question 33

Three types of propagation techniques

Answer 33

Virus, Worm, Trojan Horse

Question 34

Backdoor

Answer 34

Provides unregulated workaround access to a system using modified code

Question 35

Backdoor mechanisms

Answer 35

Hardcoded accounts, default passwords, and unknown access channels can provide access

Question 36

Logic Bomb

Answer 36

Uses modified code to deliver a triggered payload

Question 37

Three advanced malware concepts

Answer 37

Rootkits, Polymorphism, and armored viruses

Question 38

Rootkits

Answer 38

Software techniques used to hide other software on a system

Question 39

Polymorphism

Answer 39

Changes signature to avoid detection, they use a different encryption key with each system they infect

Question 40

Armored Viruses

Answer 40

Prevents reverse engineering, sandboxing, and blocks system debuggers to prevent detection

Question 41

Root Account

Answer 41

A special superuser account that provides unrestricted access to system resources

Question 42

Rootkit Payloads

Answer 42

Backdoors, Botnet agents, Adware/spyware, Antitheft mechanisms

Question 43

User Mode Rootkits

Answer 43

Run with normal user privileges, easy to write and difficult to detect

Question 44

Kernel Mode Rootkits

Answer 44

Run with system privileges, difficult to write, and easy to detect

Question 45

Signature detection

Answer 45

Identifying viruses by detecting known code patterns from a database

Question 46

Christmas Tree Attack

Answer 46

All of the flags are set to 1 in the header packet which can crash a system or can be used to do OS fingerprinting

Question 47

DNS

Answer 47

Domain Name Service - A service that translates common domain names into IP addresses for the purpose of network routing

Question 48

ARP

Answer 48

Address Resolution Protocol - Protocol that translates logical IP addresses into the hardware (MAC) addresses on the LAN

Question 49

Typosquatting

Answer 49

AKA URL Hijacking - an attack that consists of registered domain names similar to official sites, hoping that users will make a typo and visit their site

Question 50

Domain Hijacking

Answer 50

Steals a domain registration or alter DNS records

Question 51

MAC Spoofing Attack

Answer 51

Alters hardware addresses

Question 52

IP Spoofing Attack

Answer 52

Alters IP Addresses - often used in DoS attacks - not useful in attacks that require return data because receiving data on a spoofed IT is not easy

Question 53

Ingress Filtering

Answer 53

Blocks incoming traffic from external networks bearing an internal source IP address - useful for blocking spoofing attacks

Question 54

Egress Filtering

Answer 54

Blocks outbound traffic from internal networks bearing a source IP address that you don’t control

Question 55

Four Common types of password attacks

Answer 55

1. Brute Force,
2. Dictionary Attack,
3. Hybrid Attack
4. Rainbow Table Attack

Question 56

Brute Force Attack

Answer 56

Attempts all combinations for a password - only works for short non-complex passwords. AKA Known Ciphertext Attacks

Question 57

Dictionary Attack

Answer 57

All English language words are attempted

Question 58

Hybrid Attacks

Answer 58

Adds common variations to the Dictionary Attack

Question 59

Rainbow Table Attack

Answer 59

Pre-computed hashes are used

Question 60

Keyspace

Answer 60

The set of all possible encryption keys usable with an algorithm

Question 61

Frequency analysis

Answer 61

Studies the patterns of letters in cipher text

Question 62

Known-Plaintext Attack

Answer 62

Attacker has both the encrypted and unencrypted versions of a password and uses this as a decryption key for other messages

Question 63

Chosen-Plaintext attack

Answer 63

The attacker creates an encrypted message and attempts to determine the key that is being used

Question 64

Downgrade Attack

Answer 64

When a system supports many different types of encryption, the attacker uses a MITM attack to force two other systems that are attempting to communicate to switch to a weaker algorithm and the attacker can eavesdrop on and crack the password

Question 65

Watering Hole Attacks

Answer 65

Client side attack that exploits vulnerabilities in the client accessing the server. Usually using a highly targeted (usually trusted websites) website and bundling a botnet to infect other systems

Question 66

Clickjacking Attack

Answer 66

An attack where the attacker hides elements of a webpage behind other elements so that a used cannot see what he or she is actually clicking - Form of CSRF

Question 67

Cursorjacking

Answer 67

Specialized form of clickjacking that tricks the used about the cursor’s location on the screen

Question 68

Directory Traversal Attacks

Answer 68

Allows an attacker to manipulate the file system structure on a web server - the attacker uses directory navigation references to search for unsecured files on a server

Question 69

Buffer Overflow Attacks

Answer 69

If user input exceeds the space allotted for the data

Question 70

Code Execution Attacks

Answer 70

An attacker exploits a vulnerability in a system that allows the attacker to run commands on that system.

Question 71

Arbitrary Code Execution

Answer 71

Code execution attacks where the attacker runs commands of his or her choice

Question 72

Remote code execution

Answer 72

Code execution attacks that take place over a network connection

Question 73

Preventive measures for code exwecution attacks

Answer 73

1. Limit administrative access

2. Patch systems and applications with all available security updates

Question 74

Driver Refactoring

Answer 74

Driver manipulation technique that modifies a driver to carry out malicious activities. It requires access to the driver source code

Question 75

Driver Shimming

Answer 75

Driver manipulation technique that wraps a malicious driver around the outside of the driver. Does not require access to the legitimate driver’s source code.

Question 76

Six reasons social engineering attacks are successful

Answer 76

1. Authority/Trust
2. Intimidation
3. Consensus and Social Proof (Herd mentality)
4. Scarcity (Act quickly or you will miss out)
5. Urgency
6. Familiarity and Liking

Question 77

Spear Phishing

Answer 77

Highly targeted phishing attack

Question 78

Whaling

Answer 78

Subset of spear phishing - focuses on senior executives

Question 79

Pharming

Answer 79

A fake website is sent to users and looks like a familiar website

Question 80

Vishing

Answer 80

Voice phishing attacks asking for credentials over the phone or tell them to go to a website to download something

Question 81

SPIM

Answer 81

Spam via IMs

Question 82

Bridges

Answer 82

Connects two networks together at Layer 2 using MAC address

Question 83

Media Gateways

Answer 83

Connect different telecommunications networks together

Question 84

TCP/IP

Answer 84

Transmission Control Protocol/Internet Protocol

Question 85

IP (Internet Protocol)

Answer 85

Responsible for routing information across the networks
Provides an addressing schema (IP Addresses)
Delivers packets from the source to its destination
Network Layer Protocol

Question 86

Two main transport layer protocols

Answer 86

TCP and UDP

Question 87

TCP (Transport Layer Protocol)

Answer 87

Responsible for the majority on internet traffic
Connection-oriented protocol
Establishes connections between to systems before transmitting data
Guarantees delivery through acknowledgement
Widely used for critical applications because of its reliability

Question 88

TCP Flags

Answer 88

Used to identify packets in the three way handshake process

Question 89

TCP Flag Types

Answer 89

SYN - Establish a connection
FIN - Close a connection
ACK - Acknowledges a SYN or FIN request

Question 90

UDP (User Datagram Protocol)

Answer 90

More lightweight than TCP
Connectionless/ no handshake
No Acknowledgements or guaranteed delivery
Good for voice and video applications

Question 91

Physical Layer

Answer 91

Wires, Radios, Optics

Question 92

Data Link Layer

Answer 92

Data transfers between two nodes

Question 93

Network Layer

Answer 93

IP

Question 94

Transport Layer

Answer 94

TCP and UDP

Question 95

Session Layer

Answer 95

Exchanges between two systems

Question 96

Presentation Layer

Answer 96

Data translation and encryption

Question 97

Application Layer

Answer 97

User programs

Question 98

DNS Servers

Answer 98

Translates domain names into IP addresses

Question 99

UDP Port 53

Answer 99

DNS

Question 100

Network Ports

Answer 100

16-bit binary number
2 to the 16th power or 65,536 possible
Ranges from 0-65,535

Question 101

Port 21

Answer 101

FTP

Question 102

Port 22

Answer 102

SSH

Question 103

Port 3389

Answer 103

RDP

Question 104

Ports 137, 138, 139

Answer 104

NetBIOS

Question 105

Port 53

Answer 105

DNS

Question 106

Administrative Service Ports

Answer 106

21: FTP
22: SSH
53: DNS
137-139: NetBIOS
3389: RDP

Question 107

Port 25

Answer 107

SMTP (Simple Mail Transfer Protocol)

Question 108

Port 110

Answer 108

POP (Post Office Protocol)

Question 109

Port 143

Answer 109

IMAP (Internet Message Access Protocol)

Question 110

Mail Services Ports

Answer 110

25: SMTP
110: POP
143: IMAP

Question 111

Port 80

Answer 111

HTTP

Question 112

Port 443

Answer 112

HTTPS

Question 113

ICMP (Internet Control Message Protocol) Functions

Answer 113

Function shows:
Destination unreachable
Redirects
Time exceeded
Address mask requests and replies

Question 114

ICMP commands

Answer 114

ping

traceroute

Question 115

Stateful inspection

Answer 115

Tracks open connections

Question 116

Firewall Rule Contents

Answer 116

Source system address
Destination system addresses
Destination port and protocol
Action (allow or deny)

Question 117

Implicit Deny

Answer 117

Any traffic not explicitly permitted by a rule should be automatically denied

Question 118

Web Application Firewall

Answer 118

Specifically protect web applications by using application awareness to peer deep into the application layer and block web attacks

Question 119

Benefits of a Proxy Server

Answer 119

Anonymization
Performance boosting because the proxy server caches website
Content filtering increases security

Question 120

Proxy server

Answer 120

Sits between the user and web server

Question 121

Forward proxies

Answer 121

Work on behalf of the client, web server does not detect the proxy server

Question 122

Reverse proxies

Answer 122

Work on behalf of the server, Client does not detect proxy server

Question 123

Transparent proxies

Answer 123

Are not seen by the client or server. AKA inline proxies or forced proxies. Sits between the client and the outside network. Causes issues with SSL and TLS encrypted communications

Question 124

Load Balancer Security Functions

Answer 124

SSL Cert Mgmt
URL Filtering
Other Web Application Security tasks

Question 125

Round-Robin Scheduling

Answer 125

A type of load balancing where each server gets an equal number of requests (Simplest)

Question 126

Session Persistence

Answer 126

Type of load balancing that routes an individual user’s requests to the same server every time

Question 127

Load Balancer Approaches

Answer 127

Active-Active and Active-Passive

Question 128

Active-Active Load Balancing

Answer 128

Tow or more load balancers actively handle network traffic and continue to function with diminished capacity if one fails

Question 129

Active-Passive Load Balancing

Answer 129

One load-balancer handles all traffic while a second monitors activity and assumes responsibility of the primary load balancer fails

Question 130

Two important security functions of VPNs

Answer 130

1. They allow secure interconnection of remote networks

2. They provide mobile workers with a way to securely connect from a remote location to an organization’s network

Question 131

IPSec

Answer 131

Network layer VPN protocol commonly used for site-to-site VPNs but is difficult to configure. May be blocked by the firewall. Adds security to TCP/IP networks

Question 132

SSL/TLS

Answer 132

Application layer VPN protocol commonly user for remote access VPNs and easier to configure. Uses port 443 because it is typically allowed through every firewall

Question 133

Two type of remote access VPNs

Answer 133

Full-Tunnel VPN

Split-Tunnel VPN

Question 134

Full-Tunnel VPN

Answer 134

Everything is encrypted, including web browsing. All network traffic leaving the connected device is routed through the VPN tunnel. regardless of its final destination.

Question 135

Split-Tunnel VPN

Answer 135

Only traffic destined for the corporate network is sent through the VPN tunnel. Other traffic is routed directly over the Internet

Question 136

Always-On VPN

Answer 136

All mobile devices are configured automatically to connect to the VPN

Question 137

IPSec’s two protocols

Answer 137

ESP (Encapsulating Security Payload) and AH (Authentication Headers)

Question 138

ESP (Encapsulating Security Payload)

Answer 138

Provides confidentiality and integrity protection for packet payloads

Question 139

AH (Authentication Headers)

Answer 139

Provides integrity protection for packet headers and payloads. Makes sure that no changes are made to the packet while it is in transit

Question 140

SA (Security Association)

Answer 140

Each pair of cryptographic protocol and hash function

Question 141

Three common firewall errors

Answer 141

Shadowed rules
Promiscuous rules
Orphaned rules

Question 142

Shadowed rules

Answer 142

Rules that are placed in a lower priority position and are overlooked by a firewall

Question 143

Promiscuous rules

Answer 143

Allow more access than necessary

Question 144

Orphaned rules

Answer 144

When something likes a service is decommissioned and the rules are never removed.

Question 145

Router Access Control Lists

Answer 145

Restrict network traffic

Question 146

WORM Repository

Answer 146

“Write Once, Read Many” - The centralized log repository should be configured this way to prevent log tampering

Question 147

NTP (Network Time Protocol)

Answer 147

Standardized way to quickly and easily synchronize all of the system clocks within an organization. Install on a centralized time server.

Question 148

Continuous Security Monitoring

Answer 148

Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. (Formal definition from NIST)

Question 149

Three core characteristics of Continuous Monitoring

Answer 149

1. Maps to risk tolerance
2. Adapts to ongoing needs
3. Actively involves management providing leadership and resources

Question 150

Six Steps of the Continuous Monitoring Process

Answer 150

1. Define a strategy
2. Establish a monitoring program
3. Implement the program as automated as possible to collect the metrics, perform assessments and build reports
4. Analyze and report the findings from the collected data
5. Respond by mitigating, avoiding, transferring, or accepting the risk
6. Review and update the monitoring program to fit needs