Security Flashcards
What’s SASE?
Secure Access Service Edge (SASE) is a cloud-based architecture in which networking and security functions are combined. A SASE client is installed on every end-user device and automatically connects to the cloud-based, virtualised SASE security services.
This greatly reduces the risk of unauthorised access to cloud networks!
What is Zero Trust?
Zero Trust is an approach to network security in which nothing (users, devices, data packets) is trusted inherently. Therefore EVERYTHING must be verified.
What is a Public Key Infrastructure (PKI)?
PKI = a framework that enables secure authentication and communication over networks by using private/public key pairs to encrypt data and ensure it hasn’t been tampered with.
What’s a digital certificate and who issues them?
Digital Certificate = a document that proves the authenticity of a person/website/organization/program. It is issued by a trusted authority (certificate authority) so that end users know it’s legitimate and not a scam, virus, etc.
What’s RBAC?
RBAC - Role-Based Access Control - is a way of managing user permissions/access based on their role/level within a company.
What is geofencing?
Allowing or restricting user access based on the user’s location, e.g. don’t let someone in Russia connect to the company’s UK local network.
What does each of the A’s in the AAA framework stand for?
Authentication - prove who you are (code, password, etc.)
Authorization - do you have the required access/privilege?
Accounting - logging all access information possible: login time, IP, logout time, what data the user sent/requested, etc.
What is TOTP - Time-based One Time Password?
TOTP is an algorithm that creates a pseudo-random (not truly random) one-time code by combining a pre-configured secret key with an NTP timestamp.
The TOTP you enter is then combined with your username and password when logging in, giving MFA.
What is a honeynet?
A fully virtualised network, including firewalls, servers, etc., built to make attackers think it’s real; when they attack it you track what they do, then use that information to create countermeasures on your production/real network.
What are the CIA Triad security principles?
The CIA Triad consists of three security principles regarding data:
Confidentiality = private data should be kept private wherever possible.
Integrity = data integrity should be verified and any rogue modifications detected.
Availability = data must be kept accessible to the right/intended users (no point locking it down so much that nobody can use it!)
What is VLAN hopping?
VLAN hopping is a network attack technique that allows attackers to gain access to one VLAN via another VLAN they already have access to or that has a vulnerability.
It’s done via either switch spoofing (pretending to be a trunking switch, which is allowed to send and receive traffic for multiple otherwise unlinked VLANs) or double tagging (the attacker sends packets carrying two VLAN (802.1Q) tags; the first switch strips the outer tag, exposing the inner tag meant for another VLAN, and forwards the packet on!).
What is switch spoofing?
Switch Spoofing = a type of VLAN hopping network attack where the attacker pretends to be a trunking switch to a switch on the victim network, which then lets the attacker send and receive traffic for any VLAN on that port, thereby becoming a Man-In-The-Middle.
You can prevent switch spoofing attacks by disabling trunking/the trunk negotiation process on your network switches.
What is double tagging?
Double Tagging = a VLAN hopping (using access to one VLAN to jump to another VLAN) network attack. It works by crafting a packet that has two VLAN tags (VLAN destination addresses); once it reaches a network switch the first tag is stripped off, revealing the second tag addressed to a different VLAN, which the first switch then forwards on to the victim VLAN where the data is unloaded.
Because the tag is stripped off, the original source IP on the packet is lost, so this is ONE-WAY ONLY COMMUNICATION - good for DoS, and it makes the attack harder to trace.
How do you prevent double tagging VLAN hopping attacks?
To stop double tagging attacks, DON’T USE THE NATIVE VLAN, because it’s the innate behaviour of the native VLAN (untagged traffic is assigned to it) that allows double tagging to work.
Therefore, by using a “dummy/fake” VLAN to which untagged traffic is sent by default, double tagging attack packets end up in the fake VLAN and are rendered useless.
What is MAC flooding of a switch?
An attack that fills a switch’s cached MAC address table with huge numbers of packets, all from different source MAC addresses. This forces the default switch behaviour, which is to forward a received packet with no matching cached MAC address to ALL switch interfaces, i.e. the switch works like a hub, which means the attacker can then receive all packets sent through it for their malicious gains.
The switch’s port security settings (limiting the MAC addresses allowed per port) block MAC flooding.
What is ARP poisoning/IP spoofing?
ARP poisoning/IP spoofing = an attack where the attacker pretends to be another device (usually a router) on the network by sending forged ARP responses claiming a different MAC/IP address pairing.
This causes the victim’s packets to be sent to the attacker.
What is DNS poisoning/DNS spoofing?
DNS poisoning = sending fake responses to DNS queries so that the client machine populates its HOSTS FILE (which maps domain names to IP addresses for quick local lookups and takes precedence over DNS queries: if a domain name/IP pair is found in the hosts file it is used instead of searching DNS) with a false entry. Therefore, the next time the client sends data to that domain name/IP address it is sent to the attacker, who can read it, forward it to the right IP/domain and send the response back to the victim, thus becoming an MITM/on-path attacker.
If a rogue DHCP server is on a network what security feature could be used to prevent fake IP addresses being given out thereby preventing clients accessing resources on the network?
DHCP snooping = a security feature on switches that inspects DHCP packets and validates them against a list of known/trusted DHCP servers.
The authorised DHCP server feature in AD could also work: it defines which DHCP servers are authorised and only allows IPs allocated from those servers.
If you don’t want to go around looking for rogue access points/scanning for rogue wireless APs, what protocol could you enable?
802.1X is a Network Access Control protocol that forces all users trying to connect to a network to authenticate (user/pw/MFA/2fa/etc) e.g. through a RADIUS server before they can access and use the network.
What’s an on-path network attack commonly known as?
On-path network attack = Man In The Middle attack (MITM), although MITM implies the attacker is actively controlling/manipulating the traffic whereas an on-path network attack can be passive (just viewing the data that flows through the path) or active.
To combat most on-path/MITM attacks, encrypt all data in transit so that even if attackers capture it they can’t read it.
Common types of on-path/MITM attack include:
ARP Spoofing, DNS Spoofing, Eavesdropping, SSL Stripping, Session Hijacking, HTTP Spoofing
What is social engineering?
Malicious activities carried out via human interaction - e.g. phishing, dumpster diving, tailgating, shoulder surfing, spoofing (pretending to be something/someone you’re not). The aim is to trick users into giving up sensitive information, etc.
What is the name for the type of malware that spreads and activates via human input and what is the type that spreads without any human intervention/input (e.g. clicking it)?
Virus = spreads via human interaction/prompting.
Worm = more dangerous than a virus as it doesn’t require any human action to spread, but rarer than viruses.
What’s a trojan horse?
Trojan horse = malware that pretends to be some software/game you want but is, or contains, a virus.
What is port security?
Port security = a switch feature that prevents devices with an unauthorised source MAC address from connecting to a switch interface. Each port can be configured individually, including how many MAC addresses are allowed on each physical switch interface.
What does Network Access Control (NAC)/802.1X do?
Network Access Control/802.1X is a common enterprise protocol that secures networks by requiring all users/devices to authenticate (username/password/MFA/etc.), even over wired Ethernet connections.
What is a security zone?
A security zone is a logical group of systems, devices, or networks with similar security requirements, policies, and access controls. E.g. trusted and untrusted security zones can be created to segregate traffic and thereby improve the security of sensitive information. Creating these security zones limits the lateral movement of attackers, as they cannot easily hop from an untrusted zone to a trusted one without getting past more restrictive access control measures.
If an ACL is enabled but empty on a switch who can access it?
Nobody. The implicit/default ACL behaviour is to DENY access, so an enabled but empty ACL will block ALL traffic.
What is the MAC security model for accessing data?
MAC - Mandatory Access Control = a very strict security access model in which access is granted based on the sensitivity of the data and the user’s security clearance level.
Used in the CIA, NSA, etc. Very restrictive; set and enforced by the system administrator.
What is Attribute Based Access Control (ABAC)?
ABAC - Attribute-Based Access Control determines user access based on attributes/user information, e.g. login location, age of the user, registered or not.
What is federation?
Federation = cross-organization/cross-platform SSO for websites/applications. A single set of credentials is used to access multiple service providers, enabled by trust between them.
Federation uses the SAML protocol.
What is SAML (Security Assertion Markup Language)?
SAML (Security Assertion Markup Language) = protocol for exchanging authentication and authorization data between identity providers (e.g. Google account) and service providers (Office 365).
What is an Identity Provider (IdP)?
IdP - Identity Provider: verifies who you are (e.g. by you logging in) and then passes your details on to a Service Provider (SP), which then holds your verification (an ASSERTION/declaration/statement of authenticity) that you are who you say you are. Therefore you don’t need to log in again.
What is a symmetric key algorithm?
Symmetric key algorithms use the SAME (symmetrical) key for encryption and decryption. The problem is key distribution (how to send the key): if the key is captured in transmission then all data can be decrypted by the attacker.
The longer the key, the harder it is to crack.
Asymmetric/hybrid key algorithms, by contrast, use one key for encryption and a different one for decryption: the private key encrypts and the public key decrypts, and vice versa.
With an asymmetric key which encrypts and which decrypts?
Trick question: in asymmetric keys the public key encrypts and then only the corresponding private key can decrypt it and vice versa.
So if something is encrypted with a private key then it can only be decrypted using the public key.
Why isn’t asymmetric encryption used much for encryption of large amounts of data?
Asymmetric encryption isn’t used much for encrypting large amounts of data because it is very slow and requires a large amount of computing resources (it is CPU-intensive).
What is PKI (Public Key Infrastructure)?
PKI (Public Key Infrastructure) = framework for the creation, management, storage and revocation of digital certificates (and the management of public-key encryption).
PKI facilitates the secure transfer of information, such as in banking and confidential email.
PKI allows encryption and decryption of data via private and public keys.
PKI allows digital signature creation and verification to ensure data integrity.
Who issues digital certificates to websites?
Certificate Authority (CA) issues and revokes digital certificates as needed. They are generally valid for one year.
What is 802.1x?
802.1X is a standard for port-based Network Access Control (PNAC); it authenticates devices that are attempting to connect to a LAN or WLAN.
What is EAP (Extensible Authentication Protocol)?
EAP (Extensible Authentication Protocol) = an authentication framework used in NAC (Network Access Control) that SUPPORTS MULTIPLE METHODS OF AUTHENTICATION, such as passwords, OTPs, tokens and public key encryption, for logging in to a network.
EAP provides the choice of methods for authenticating to the network via a RADIUS server/authentication server.
RADIUS/authentication servers verify users’ credentials using an EAP method (like EAP-TLS).