Security+ 4 Flashcards

1
Q

Domain Validation : verifies domain ownership (lowest level of trust). Organizational Validation : verifies the business name. Extended Validation : requires extensive investigation (highest level of trust); verifies the physical existence and legitimacy of an org.

Certificate Formats = DER : binary cert. format, uses DER/CRT/CER file extensions. PEM : name comes from Privacy Enhanced Mail (outdated), ASCII text equivalent of DER certs, uses PEM/CRT file extensions. PFX : binary format commonly used on Windows systems, uses PFX/P12 file extensions. P7B : ASCII text equivalent of PFX, commonly used on Windows systems, uses P7B file extension.

A

info …

2
Q

IRM : enforcing data rights, provisioning access, implementing access control models.

DRM : provides owners of intellectual property w/ technical means to prevent unauthorized use of their content through encryption technology. Business applications of DRM : protect trade secrets and other intellectual property, limit redistribution of info., revoke access after an expiration date.

A

IRM/DRM …

3
Q

Specialized hardware and encryption can minimize power consumption.

High Resiliency : requires the protection of encrypted data against loss.

Homomorphic Encryption : algorithms that produce ciphertext on which computations can be performed, generating an encrypted result which, when decrypted, matches the result of the same computation on the plaintext.

Blockchain : distributed, immutable, and sometimes public ledger … can store records among many different systems located around the world, and prevents anyone from tampering with those records. Blockchain contains a datastore that no one can destroy or tamper with.

A

info …

4
Q

CHAP : secure alternative to PAP that accomplishes the same objective. Both client and server have prior knowledge of a shared secret w/o actually exchanging the secret over the network.

MS-CHAP / MS-CHAPv2 : both insecure.

HOTP : uses a shared secret and an incrementing counter to generate the code displayed on the token.

TOTP : uses the time of day in conjunction with a shared secret, which makes the code change constantly. Don't do password-less sign-ons like FB.

A

info …

5
Q

PAP : client wants to authenticate to a server and both client and server know the user's password; the client transmits username and password to the server and the server validates the password. PAP does not use encryption, though, so eavesdropping is possible. But encryption can be added by other means.

Federated Identity Management : individuals may have accounts across multiple systems; federated identity management systems share identity info., which reduces the no. of individual identities a user must have. Google/FB/Etc … Transitive Trust : trust relationships transfer across domains. Non-Transitive Trust : trust relationships do not transfer across domains.

A

info …

6
Q

RADIUS : end user attempts to attach to a WAP; the AP serves as the client in the RADIUS request, passing authentication to a RADIUS server. The RADIUS server then checks with an external authentication source like Active Directory or an LDAP server to determine whether the user's password is correct. If the password is correct, the RADIUS server sends an access accepted message to the WAP, which allows the user on the network; if the password is incorrect, the RADIUS server sends an access rejected message to the WAP, denying the user access to the network. Encrypts the password but not the entire authentication sequence, and uses UDP, which is unreliable.

TACACS+ : functions similarly to RADIUS, but uses TCP and encrypts the full authentication session.

A

info …

7
Q

Kerberos : ticket-based authentication system that allows users to authenticate to a centralized service and then use tickets to gain access to services. Uses port 88.

LDAP : provides a means to query a centralized directory service like Microsoft Active Directory. Uses port 389; secure LDAP uses port 636.

NTLM Authentication : was used by Windows, uses a hash-based challenge-response protocol. Weak encryption and susceptible to the pass-the-hash attack (allows the credentials captured on 1 system to be used to gain access to another system).

SAML : allows SSO w/in a web browser across a variety of systems. The end user is known as the principal, the party that provides proof of identity is known as the identity provider, and the web-based service the user wants to access is known as the service provider. Service providers never receive the user's credentials.

A

info …

8
Q

OAuth (authorization protocol) /OpenID Connect (authentication protocol works with OAuth): SSO

Key-Based Authentication : client sends a connection request with its public key; the server sends a random challenge message to the user (owner of the private key); the challenge message, encrypted w/ the private key, is sent back to the server; then the server sends a connection authenticated message to the user.

Certificate Authentication Uses : SSH connections, smart cards (CAC/PIV), network access (802.1X).

Separation of Duties : performing any critical business function should require 2 or more people.

A

info …

9
Q

Privilege Creep : occurs when a user accumulates excess permissions after shifting job responsibilities 1 or more times.

Account Review : limits privilege creep, can be automated.

Mandatory Access Control (MAC) : access control system where the OS restricts authorizations based on labels and users aren't permitted to modify those authorizations. Users and documents are labeled as confidential, secret, and top secret.

DAC : access control system where permissions may be set by the owners of files, computers, and other resources. ex : NTFS on Windows.

A

info …

10
Q

Resource owners set DAC permissions through the use of access control lists. ex : NTFS.

RBAC : role-based access control systems; permissions are grouped together into functional roles and users are assigned to those roles.

ABAC : admins make access control decisions based on characteristics (attributes) of the user, the object, and the environment (situation).

A

info …
