Security+ 2 Flashcards
SYN Floods : fill connection state tables on firewalls with half-open connection entries.
MAC Floods : fill a switch's MAC address table with many entries, causing it to flood traffic out all ports.
Flood Guard : controls number of open connections that each source system may have.
NetFlow Records : source/destination systems, source/destination ports, timestamps, amount of data transferred.
Info
SIEM = network security systems that automate the collection and analysis of logs from many systems for security purposes. Perform detailed log analysis for firewalls, network devices, servers, and applications. Use AI to detect malicious activity.
Fibre Channel = uses direct fiber-optic connections between the SAN and devices; FCoE = uses Ethernet links and can be used with existing infrastructure; iSCSI = runs the SCSI standard over network connections.
SIEM / Fibre Channel Etc …
LEAP : insecure protocol that uses MS-CHAP; EAP : broad framework with many types, some secure, some not; EAP-TLS is very secure; PEAP : tunnels EAP inside an encrypted TLS session; EAP-TTLS : uses tunneled TLS for authentication; EAP-FAST : provides Flexible Authentication via Secure Tunneling (FAST) using a Cisco protocol.
Directional Antenna = directs all power from the access point in a single direction and greatly increases the range of the network.
LEAP Etc …
SIEM Configuration = have all relevant info about the systems to process and point the relevant security logs to the SIEM's log repository so the system can analyze them. The centralized log repository associated with the SIEM should be configured as a WORM (write once, read many) repository, meaning that once a system sends a log entry to the repository, the entry is permanently recorded and can't be modified. Synchronizing the time on system clocks enables consistent analysis; use NTP. Then tune the SIEM for performance by customizing the configuration for your environment and modifying rules to prevent false positive alerts. Also block trivial and irrelevant SIEM alerts.
SIEM Configuration …
Continuous Security Monitoring = monitor events in real time and take action in response to suspicious events. The monitoring process : maps to risk tolerance, adapts to ongoing needs, actively involves management. Steps : (1) Define : a continuous monitoring strategy based upon risk tolerance that maintains clear visibility into assets, vulnerabilities, threats, and business impact. (2) Establish : a monitoring program by outlining the metrics we use and the frequency with which we monitor and assess our security. (3) Implement : the program by collecting metrics, performing assessments, and building reports; these tasks should be as automated as possible. (4) Analyze/Report : findings from the collected data. (5) Respond : to those findings by mitigating, avoiding, transferring, or accepting the risk. (6) Review/Update : the monitoring program, adjusting the monitoring strategy and maturing our measurement capabilities. Trend Analysis : looks for historical changes over time. Behavioral Analysis : looks at the behavior of users and looks for suspicious actions.
Continuous Security Monitoring
DLP (Data Loss Prevention) : systems that look for sensitive company info that is unsecured, monitor networks, and provide the ability to remove the info, block the transmission, or encrypt the stored data.
Host-Based DLP : uses software agents installed on a single system; can block users' access to USB storage to keep sensitive info from leaving company grounds on a USB drive.
Network-Based DLP : scans network transmissions for sensitive info and can block the traffic or automatically apply encryption.
DLP : Pattern matching = recognizes known patterns of sensitive info like SSNs. Watermarking = identifies sensitive info using electronic tags, and the DLP system can monitor systems and networks for unencrypted content containing those tags. Cloud-based DLP is also available.
DLP Types …
NAC uses 802.1X authentication : a device that connects to the network runs a supplicant, which is responsible for performing all of the NAC-related tasks … the switch the device connects to, which receives the credentials from the end user, is called the authenticator; on a wireless network the wireless controller is the authenticator; then you have a back-end authentication server. These three components are necessary for authentication.
(NAC) Role-based Access : the authentication server provides additional user info, and the authenticator places the user on a role-appropriate network based on that info. For example, putting people on separate VLANs, one for students and one for teachers, based on their roles.
NAC info …
(NAC) Posture Checking : verify that devices connecting to the network comply with the org. security policy before granting broader access. Some checks may include : verifying antivirus software presence, validating current signatures, ensuring proper firewall config, verifying presence of security patches. If a device fails this check it may go on a quarantine VLAN; after the device gets updated it will go back to the regular VLAN.
(NAC) Posture Checking (Persistent Agent) : NAC software remains on the device permanently and communicates with the NAC controller, but this is difficult to implement. Dissolvable Agent : NAC software downloaded from a portal for temporary endpoint use (removed after posture checking). Agentless : NAC systems that don't require installation of an agent; can monitor network traffic and make decisions about network access, etc …
NAC Info 2
Secure Mail Gateways : serve as the gateway for incoming and outgoing email messages being sent across the internet. They can scan messages for security purposes before passing them on or deciding what to do with them. Mail Gateway Actions : (1) allow the message to proceed to its destination, (2) block or quarantine a malicious message, (3) tag the message with a warning to the receiver, (4) if the message might have sensitive info, the DLP might encrypt the message before sending it to its destination. SMGs can use text analysis : blocks spam and phishing; signature detection : blocks viruses and malware; URL filtering : blocks known malicious websites. With on-premises SMGs the organization is responsible for maintenance; with cloud-based SMGs the vendor is responsible.
Secure Mail Gateways …
Steganography : process of hiding a file within another file so it is not visible to the eye. Image pixels are a common carrier for this method.
tcpdump : command-line protocol analyzer.
nmap "ipAddress w/subnet mask" -Pn = scans all ports. Banner Grabbing = retrieves info over a network connection that explicitly identifies the OS and version.
Network Fingerprinting = analyzes details of network communications to find oddities particular to specific OS and version.
ss (netstat equivalent for Linux) // nc (macOS and Linux command) = allows opening network connections manually.
DNS Harvesting : use dig and nslookup to find info about DNS records.
Reverse Whois : allows determining all domain names associated with an email address.
Info …