obj 2 Flashcards

1
Q

access control vestibule

A

all doors normally unlocked
all doors normally locked
one door open / other locked
one at a time, controlled groups

2
Q

badge reader

A

magnetic swipe, RFID, or NFC
different applications

2
Q

video surveillance

A

CCTV
camera features are important
often many different cameras
motion detection

3
Q

alarm systems

A

circuit based
motion detection

4
Q

door locks

A

conventional
deadbolt
electronic
token-based
biometric
multi-factor

5
Q

equipment locks

A

data center hardware is usually managed by different groups
racks can be installed together
enclosed cabinets with locks

6
Q

guards and access lists

A

physical security guards
ID badges
access list

7
Q

barricades/bollards

A

prevent access
channel people through a specific access point
identify safety concerns
can be used to an extreme

8
Q

fences

A

build a perimeter
transparent or opaque
robust
prevent climbing

9
Q

key fobs

A

small RFID key
replaces a physical key

10
Q

smart cards

A

certificate-based authentication
integrated card reader
external reader

11
Q

biometrics

A

biometric authentication
difficult to change
used in very specific situations

11
Q

keys

A

some doors may not have an electronic lock
use a key cabinet

12
Q

biometric factors

A

retina scanner
fingerprint scanner
palmprint scanner

12
Q

magnetometers

A

passive scanning (metal detectors)
not useful for non-metal objects

13
Q

lighting

A

more light means more security
consider overall light levels

14
Q

Mobile device management (MDM)

A

manage company-owned and user-owned mobile devices
centralized management of the mobile devices
set policies on apps, data, camera, etc.

15
Q

least privilege

A

rights and permissions should be set to the bare minimum
all user accounts must be limited
don’t allow users to run with admin privileges

16
Q

access control lists (ACLs)

A

used to allow or deny traffic
ACLs evaluate on certain criteria
deny or permit
also used in operating systems

17
Q

multi-factor authentication

A

more than one factor (something you are, have, or know)
can be expensive

18
Q

software tokens

A

authenticator application
saves money

19
Q

short message service (SMS)

A

text messaging
login factor can be sent via SMS to a predefined phone number
security issues exist

20
Q

video call

A

a phone call provides the token
similar disadvantages to SMS (intercepted, number can be added to another phone)

21
Q

email filtering

A

unsolicited email
scan and block malicious software

22
Q

active directory

A

a database of everything on the network
manage authentication
centralized access control
commonly used by the helpdesk

23
Q

domain

A

the name associated with a related group of users, computers, and resources
domain controllers store this central domain database
often referenced when troubleshooting

24
Q

organizational units

A

keep the (very large) database organized
create your own hierarchy
apply policies to an OU

25
Q

login script

A

automate a series of tasks during login
associate the script with a Group Policy
create different login scripts for different OUs

26
Q

home folder

A

assign a user home folder to a network folder
when added to the user profile, the directories are automatically created
requires some training

26
Q

group policy / updates

A

manage the computers or users with Group Policies
a central console
update a client with gpupdate /force

27
Q

folder redirection

A

some users and applications use the Windows library folders
redirect the folder to a network share
this is often paired with the Offline Files feature

28
Q

security groups

A

create a group
set the rights and permissions on the group
some built-in groups save time

29
Q

securing a wireless network

A

an organization's wireless network can contain confidential information
verify the integrity of all communication

30
Q

wireless encryption

A

all wireless computers are radio transmitters and receivers
solution - encrypt the data
only people with the right key
WPA2 and CCMP (Wi-Fi Protected Access II)
CCMP block cipher mode
WPA2 PSK problem - WPA2 has a brute force problem

31
Q

SAE

A

WPA3 changes the PSK authentication process
SAE - everyone uses a different session key

32
Q

wireless security modes

A

configure the authentication on our wireless access point / wireless router
open system
WPA/2/3-Personal / WPA/2/3-PSK
WPA2 or WPA3 with a pre-shared key
everyone uses the same 256-bit key
WPA/2/3-Enterprise / WPA/2/3-802.1X
authenticates users individually with an authentication server (e.g. RADIUS)

33
Q

TACACS

A

Terminal Access Controller Access-Control System
remote authentication protocol

34
Q

RADIUS

A

one of the more common AAA protocols
centralized authentication for users
RADIUS services available on almost any server operating system

35
Q

Kerberos

A

network authentication protocol (only needed once)

36
Q

SSO with Kerberos

A

authenticate one time
no constant username and password input
only works with Kerberos
there are many other SSO methods

37
Q

how do you get malware

A

your computer must run a program
your computer is vulnerable

38
Q

trojan horse

A

software that pretends to be something else
circumvents your existing security
once inside, it has free rein

39
Q

rootkits

A

originally a Unix technique
modifies core system files
can be invisible to the operating system
also invisible to traditional antivirus abilities

39
Q

virus

A

malware that can reproduce itself
reproduces through file systems or the network
may or may not cause problems
anti-virus is very common

40
Q

boot sector virus

A

most viruses run after the OS is loaded
some boot loaders can be modified to run malware
modern UEFI BIOS includes Secure Boot

41
Q

spyware

A

malware that spies on you
can trick you into installing it
browser monitoring
keyloggers

41
Q

keyloggers

A

your keystrokes contain valuable information
save all of your input
circumvents encryption protections
other data logging

42
Q

ransomware

A

a nasty malware
malware encrypts your data files
you must pay the bad guys to obtain the decryption key

43
Q

cryptominers

A

some cryptocurrency mining requires "proof of work"
this requires extensive CPU processing
many appear in different ways

44
Q

windows recovery mode

A

very powerful
very dangerous
complete control
requires additional information

45
Q

anti-virus and anti-malware

A

you need both, often included together
real-time options
modern anti-malware recognizes malicious activity

46
Q

software firewalls

A

monitor the local computer
prevent malware communication
use Microsoft Defender Firewall
runs by default

46
Q

anti-phishing training

A

no single technology can stop social engineering
extensive training
test the users
train, train, train

47
Q

end user education

A

one on one
posters and signs
message board posting
login message
intranet page

48
Q

OS installation

A

only one way to guarantee malware is removed
restore from backup (fast)
manual installation (slowest) (back up data files) (install Windows from installation media)
image the system (fastest) (user's data on a network share)

48
Q

effective social engineering

A

constantly changing
may involve multiple people
may be in person or electronic

49
Q

phishing

A

social engineering with a touch of spoofing
don't be fooled
usually there's something not quite right
vishing (voice phishing) is done over the phone or voicemail

50
Q

shoulder surfing

A

you have access to important information
people want to see
they take a peek
this is surprisingly easy
surf from afar

51
Q

spear phishing

A

targeted phishing with inside information
spear phishing the CEO is "whaling"
these executives have direct access to the corporate bank account

52
Q

tailgating

A

uses an authorized person to gain unauthorized access to a building

53
Q

impersonation

A

pretend to be someone you're not
use some of those details you got from the dumpster
attack the victim as someone higher in rank
throw tons of technical details around
be a buddy

54
Q

dumpster diving

A

mobile garbage bin
important information thrown out with the trash
gather details that can be used for an attack
timing is important

55
Q

wireless evil twin

A

looks legitimate
configure an access point to look like an existing network
overpower the existing access points
Wi-Fi hotspots are easy to fool

56
Q

denial of service

A

force a service to fail
take advantage of a design failure or vulnerability
cause a system to be unavailable
create a smokescreen for some other exploit
doesn't have to be complicated

57
Q

Distributed Denial of Service

A

launch an army of computers to bring down a service
this is why the bad guys have botnets
the attackers are zombies

57
Q

zero-day attacks

A

many applications have vulnerabilities
someone is working hard to find the next big vulnerability
attackers keep these yet-to-be-discovered holes to themselves

58
Q

on-path network attack

A

redirects your traffic, then passes it on to the destination

59
Q

ARP poisoning (spoofing)

A

on-path attack on your local IP subnet

59
Q

on-path browser attack

A

everything looks normal to the victim
the malware in your browser waits for you to log in to something involving sensitive information
then gets you

60
Q

dictionary attack

A

use a dictionary to find common words
many common wordlists are available on the internet
the password crackers can substitute letters
this takes time
discovers passwords for common words

61
Q

insider threat

A

more than just passwords on a sticky note
sophistication may not be advanced, but the insider has institutional knowledge
extensive resources, eats away from the inside

62
Q

SQL injection

A

modify SQL requests (this shouldn't happen)
if you can manipulate the database, then you can control the application

63
Q

cross-site scripting

A

information from one site could be shared with another
one of the most common web application development errors
takes advantage of the trust a user has for a site

64
Q

non-compliant systems

A

a constant change
standard operating environments (SOE)
operating system and application updates

64
Q

unpatched systems

A

Microsoft Patch Tuesday
suddenly, systems are vulnerable to security flaws
an organization might have thousands of systems
one forgotten system may be the weakest link
patch management is a critical practice

65
Q

unprotected systems

A

security issues are often roadblocks
some troubleshooting tasks can be unsecure
permanently disabling security isn't the answer

66
Q

product support lifetime

A

End of life (EOL) operating systems
End of service life (EOSL) technology
EOSL is a significant concern

66
Q

BYOD

A

Bring your own device
Bring your own technology
employee owns the device
difficult to secure

67
Q

Microsoft Defender Antivirus

A

built-in antivirus for Windows 10 and 11
included in the Windows Security app
may not specifically display "Defender Antivirus"

67
Q

activate or deactivate

A

don't disable your security protection
Defender Antivirus operates in real time
Windows Security app

68
Q

updated definitions

A

antivirus is only as good as the latest signature
virus and threat protection updates
click the "Check for updates" button

69
Q

windows firewall

A

filters network traffic based on specified criteria
permitting or denying programs
allowing or blocking connections

70
Q

enabling and disabling windows firewall

A

your firewall should always be enabled
temporarily disable from the Control Panel or from Windows Security
different settings for each network type

70
Q

windows firewall configuration

A

block all incoming connections
modify notification

71
Q

creating a firewall exception

A

allow an app or feature through Windows Firewall
port number
predefined exceptions
custom rule

72
Q

windows authentication

A

log in to the Windows desktop
local accounts (specific Windows device)
Microsoft accounts (sync settings between devices)

73
Q

users and groups

A

administrator
guest (limited access)
standard users
groups
power users

74
Q

login options

A

username / password
personal identification number (PIN)
biometrics
single sign-on

75
Q

NTFS vs. Share permissions

A

NTFS permissions apply from local and network connections
Share permissions only apply to connections over the network
the most restrictive setting wins
NTFS permissions are inherited from the parent object

76
Q

explicit and inherited permissions

A

explicit permissions (default permissions)
inherited permissions (from the parent object to the child object)
explicit permissions take precedence over inherited permissions

77
Q

run as administrator

A

administrators have special rights and permissions
use the rights and permissions of the administrator
right-click the application

78
Q

UAC (User Account Control)

A

limit software access
standard users
administrators
secure desktop

79
Q

BitLocker

A

encrypt an entire volume
lose your laptop? data is always protected
BitLocker To Go

79
Q

EFS

A

Encrypting File System
OS support
uses password and username to encrypt the key

80
Q

data encryption

A

full-disk encryption
file system encryption
removable media
key backups are critical

81
Q

password complexity and length

A

make your password strong
increase password entropy
stronger passwords are at least 8 characters

82
Q

password expiration and recovery

A

all passwords should expire
critical systems might change more frequently
the recovery process should not be trivial

82
Q

password best practices

A

changing default usernames/passwords
BIOS/UEFI passwords
requiring passwords
end-user best practices

83
Q

securing PII and passwords

A

Personally identifiable information
control your input
use privacy filters
keep your monitor out of sight

84
Q

account management

A

user permissions
assign rights based on groups
login time restrictions

85
Q

disabling unnecessary accounts

A

all operating systems include other accounts
not all accounts are necessary
disable interactive logins
change the default usernames

85
Q

locking the desktop

A

failed password attempts
automatically lock the system

86
Q

autorun and autoplay

A

disable AutoRun on older OSes
disable AutoPlay
get the latest security patches

86
Q

screen locks

A

restrict access to the device
Facial ID - unlock with your face
PIN - choose a PIN
Fingerprint - built-in fingerprint reader
Swipe - choose a pattern
iOS - erase everything after 10 failed attempts
Android - lock the device and require a Google login or wipe the device

87
Q

locator applications and remote wipe

A

built-in GPS
find your phone
control from afar
wipe everything

88
Q

patching/OS updates

A

all devices need updates
device patches
OS updates
don't get behind

89
Q

full device encryption

A

encrypt all device data
iOS 8 and later (personal data encrypted with passcode)
Android (version 5.0 and later is likely encrypted)

89
Q

remote backup

A

difficult to back something up that's always moving
constant backup
backup without wires
restore with one click

89
Q

antivirus and antimalware

A

Apple iOS (tightly regulated, malware has to find a vulnerability)
Android (more open, can be installed from anywhere)
third-party virus and malware protection

90
Q

firewalls

A

mobile phones don't include a firewall
some mobile firewall apps are available
enterprise environments can control mobile apps

90
Q

policies and procedures

A

manage company-owned and user-owned mobile devices
centralized management of the mobile devices
set policies on apps, data, camera, etc.
manage access control

91
Q

IoT (Internet of Things)

A

sensors
smart devices
wearable tech
facility information
weak defaults

92
Q

physical destruction

A

shredder
drill/hammer
electromagnetic (degaussing)
incineration

93
Q

certificate of destruction

A

destruction is often done by a 3rd party
need confirmation that your data is destroyed
a paper trail of broken data

94
Q

disk formatting

A

low-level formatting (provided at the factory)
standard formatting / quick formatting (sets up file system, installs boot sector, possible to be recovered)
standard formatting / regular formatting (overwrites every sector with zeros, unrecoverable)

95
Q

erasing data

A

file level overwriting
whole drive wipe
secure data removal
physical drive destruction

95
Q

change default passwords

A

all access points have default usernames and passwords
the right credentials provide full control
very easy to find the defaults for your access point or router

96
Q

firmware updates

A

small office / home office appliances
updates address different requirements
install the latest software

97
Q

IP address filtering

A

content filtering, IP address ranges
allow list
deny list

98
Q

physical placement

A

often a single device
location may be restricted to a secure room
for wireless, location becomes more important
plan before the installation

98
Q

content filtering

A

control traffic based on data within the content
corporate control of outbound and inbound data
control of inappropriate content
protection against evil

99
Q

IP addressing

A

DHCP IP addressing vs. manual IP addressing
IP addresses are easy to see in an unencrypted network
if the encryption is broken, the IP addresses will be obvious
configuring a static IP address is not a security technique

100
Q

DHCP reservations

A

address reservation
table of MAC addresses

100
Q

UPnP (Universal Plug and Play)

A

allows network devices to automatically configure and find other network connections
applications on the internal network can open inbound ports using UPnP
best practice would be to disable UPnP

101
Q

Static WAN IP

A

wide area network / internet link
many ISPs dynamically allocate WAN addresses
it's easier to manage if the IP address is static
this may be an additional cost

102
Q

screened subnet

A

previously known as the demilitarized zone (DMZ)
an additional layer of security between the internet and you

103
Q

SSID management

A

Service Set Identifier
change the SSID to something not-so-obvious
disable SSID broadcasting

104
Q

wireless channels and encryption

A

open system (no authentication password is required)
WPA/2/3-Personal / WPA/2/3-PSK (pre-shared key)
WPA/2/3-Enterprise / WPA/2/3-802.1X (individually authenticate users with a server)
use an open frequency

104
Q

disable guest networks

A

limit access to outsiders
some guest networks can be used for other connections
don't enable without security

105
Q

disabling ports

A

enabled physical ports
administratively disable unused ports
Network Access Control (NAC)

106
Q

port forwarding

A

24x7 access to a service hosted internally
external IP/port number maps to an internal IP/port
also called Destination NAT or Static NAT

107
Q

browser download and installation

A

always use trusted sources
avoid untrusted third-party sites
use hashes to verify the download

108
Q

hash verification

A

install a hash checking application
hash values may be available on the download site
verify the downloaded file

108
Q

extensions and plug-ins

A

trusted sources (official browser extension library)
untrusted sources (random or unfamiliar websites)

109
Q

secure connections

A

security alerts and invalid certificates
look at the certificate details

109
Q

password managers

A

password vaults
secure storage
create unique passwords
personal and enterprise options

110
Q

enable pop-up blockers

A

pop-up blocker
enable or disable
block and allow

111
Q

clearing private data

A

clear browsing data
clear cache

112
Q

private browsing mode

A

don't store information from a browsing session
removes the information when the browser is closed

113
Q

browser data synchronization

A

share browsing data across multiple systems
use with other computers, tablets, and mobile devices

113
Q

ad blockers

A

some browsers can block advertisements
many sites will track visits
difficult to always recognize an ad