Security+ Book Flashcards
An organization can avoid a risk by not providing a service or not participating in risky activity. For example, an organization may evaluate an application that requires multiple open ports on the firewall that it considers too risky. It can avoid the risk by purchasing another application.
Risk Avoidance
The organization transfers the risk to another entity. The most common method is by purchasing insurance. Another method is by outsourcing.
Risk Transference
When the cost of a control outweighs a risk, an organization will often accept the risk. For example, spending $100 in hardware locks to secure a $15 mouse does not make sense.
Risk Acceptance
The organization implements controls to reduce the risk. These controls may reduce the vulnerabilities or reduce the impact of the threat. For example, up-to-date antivirus software mitigates the risks of malware.
Risk Mitigation
An organization can deter a risk by implementing some security controls.
Risk Deterrence
_____ are executable files that masquerade as something useful but are actually malicious software.
Trojan
_____ is a specific type of DNS poisoning attack that redirects a website's traffic to another website.
Self-replicating malware that travels throughout a network without the assistance of a host application or user interaction. It resides in memory and is able to use different transport protocols to travel over the network.
Worm
___ is a set of malicious code that attaches itself to a host application. The host application must be executed to run, and when the host application is executed, the malicious code executes. It will try to find other host applications to infect with this malicious code.
Virus
_____ is a string of code embedded into an application or script that will execute in response to an event. The event may be a specific date or time, when a user launches a specific program, or any event the programmer decides on. Antivirus scanners are unlikely to be able to discover this.
Logic Bomb
Group of programs that hides the fact that the system has been infected or compromised by malicious code. A user may suspect something is wrong, but antivirus scans and other checks may indicate everything is fine, since the _____ hides its running processes to avoid detection.
Rootkit
Specific type of command injection attack that attempts to access a file by including the full directory path, or traversing the directory structure.
Directory Traversal
The attacker learns the user’s session ID and uses it to impersonate the user. Attackers can read cookies installed on systems through cross-site scripting attacks, or with a sniffer if they are on the same network.
Session Hijacking
____ allows an attacker to redirect users to malicious websites and steal cookies. Websites prevent these types of attacks through input validation to detect and block input that includes HTML and JavaScript tags. Many sites prevent the use of < and > characters to block this.
Cross-Site Scripting
_____ is an attack where an attacker tricks the user into performing an action on a website. The attacker creates a specially crafted HTML link and the user performs the action without realizing it.
XSRF (Cross-site request forgery)
The attacker enters additional data into the web page form to generate different SQL statements.
SQL Injection
This ensures that data is only viewable by authorized users. If there is a risk of sensitive data falling into the wrong hands, it should be encrypted to make it unreadable. Any data should be protected with access controls to enforce this.
Confidentiality
This is used to verify that data has not been modified, and loss of this can occur through unauthorized or unintended changes. Hashing algorithms such as MD5, HMAC, or SHA1 can calculate hashes to verify this.
This ensures that systems are up and operational when needed and often addresses single points of failure. You can increase this by adding fault tolerance, and redundancies such as RAID, clustering, backups, and generators. HVAC also increases this.
Availability
This is used to prevent entities from denying they took an action. Digitally signed email prevents individuals from later denying they sent it. An audit log provides non-repudiation since audit log entries include who took an action in addition to what the action was, where the action took place, and when it occurred.
Non-Repudiation
This is a network authentication protocol within a MS AD domain or a Unix realm. It uses a database of objects such as AD and a KDC (Key Distribution Center) to issue time-stamped tickets that expire after a certain period. This requires internal time synchronization and uses port 88.
Kerberos
This uses port 88 by default and uses symmetric key cryptography to prevent unauthorized disclosure and to ensure confidentiality.
Kerberos
Specifies formats and methods to query directories. This is an extension of the X.500 standard that was used extensively by Novell and early MS Exchange server editions. Well-known ports used by this are port 389 for secure and port 636 when encrypted with SSL or TLS.
LDAP
This is a control that uses technology to reduce vulnerabilities. Some examples include the principle of least privilege, antivirus software, IDS, and firewalls.
Technical Control
This control is primarily administrative in function. It uses planning and assessment methods to provide an ongoing review of the organization's ability to reduce and manage risk.
Management Control
This control helps ensure the day-to-day operations of an organization comply with their overall security plan. Types of this control include: awareness and training, configuration management, contingency planning, media protection, and physical and environmental protection.
Operational Control
This functional control attempts to prevent an incident from occurring. The goal is to take steps to prevent the risk. Examples are: security guards, change management, account disablement policy, and system hardening.
Preventative Controls
This functional control can detect when a vulnerability has been exploited. Two examples are security audits and CCTV systems.
Detective Control
This functional control attempts to reverse the impact of an incident or problem after it has occurred. Some examples include: Active IDS, Backups and system recovery.
Corrective Control
This access control uses roles to manage rights and permissions for users. This is useful for users within a specific department that perform the same job functions.
Role Based Access Control
This access control is based on a set of approved instructions configured as rules. A simple example is the rules of a router or firewall.
Rule Based Access Control
In this access control model, every object has an owner, and the owner establishes access for the objects.
DAC (Discretionary Access Control)
This access control model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. SELinux is a trusted operating system platform using the MAC model that prevents malicious or suspicious code from executing on the system.
Mandatory Access Control
This is a common DoS attack. The attacker sends multiple SYN packets but never completes the third part of the handshake. Instead the attacker withholds the last ACK packet, leaving the server with several open sessions waiting to complete the handshake in each.
SYN Flood Attack
Some implementations of this use port 989 and 990.
FTPS
This uses UDP port 69.
TFTP
Frequently used to connect to network devices (such as routers) to make configuration changes. It uses port 23 and sends data in clear text. This traffic can be encrypted with SSH.
Telnet
This is a name resolution service for this type of names on internal networks. It uses ports 137 through 139.
NetBIOS
This type of server is a server application that hosts databases accessible from web servers and a wide array of applications. Uses port 1433 by default.
MS-SQL Server
Used to send email and uses port 25.
SMTP
Transfers emails from servers down to clients, uses port 110.
POP3
Used to store email on an email server. Uses port 143.
IMAP4
Port 500
IKE
Tunneling protocol used with VPNs that has some known vulnerabilities. Uses TCP port 1723.
PPTP
Commonly used with IPSec for VPNs. This uses UDP port 1701.
L2TP
Uses UDP port 49.
TACACS/XTACACS
Uses TCP port 49.
TACACS+
The range of UDP and TCP ports is ______.
0-65,535
IANA range of well-known ports is _____.
0 - 1,023
IANA range of registered ports is _______. IANA registers these ports for companies as a convenience to the IT community. A single company may register a port for proprietary use, or multiple companies may use the same port for a specific standard.
1,024 - 49,151
IANA range of dynamic and private ports is ______. These ports are available for use by any application. Applications commonly use these ports to temporarily map an application to a port. These are also called ephemeral ports, indicating they are short-lived.
49,152 - 65,535
This is any unauthorized access to or theft of information from a Bluetooth connection. This type of attack can access information such as e-mail, contact lists, calendars, and text messages.
Bluesnarfing attack
Unauthorized sending of text messages from a Bluetooth device.
Bluejacking
This type of attack allows an attacker to access the host system from within the virtual system. If successful, it allows the attacker to control the physical host server and all other virtual servers on the physical server.
VM Escape
Software installed on users’ systems without their awareness or consent. Its purpose is often to take some level of control over the user’s computer to learn information and send this information to a 3rd party.
Spyware
Software that is free but includes advertisements, usually as annoying pop-ups.
Adware
A wide range of different software that has malicious intent. This is not software that you would knowingly purchase or download and install; it is installed onto your computer through devious means. Examples include viruses, Trojans, and worms. It can be detected by antivirus software.
Malware
An attack where the attacker replays data that was already part of a communication session.
Replay
The practice of checking data for validity before using it. Example: Error handling routines.
Input Validation
This type of attack sends random strings of data to applications looking for vulnerabilities. Security professionals use this technique for vulnerability testing.
Fuzzing
This risk assessment uses judgment to categorize risks based on probability and impact.
Qualitative Risk Assessment
This risk assessment uses specific monetary amounts to identify cost and asset values.
Quantitative Risk Assessment
Describe the elements of an attack:
Identify IP addresses of targets.
Identify Open ports with a port scanner.
Fingerprint system.
Identify vulnerabilities.
Attack.
In this type of pen test, the testers have zero knowledge of the environment prior to the test. They approach the test with the same knowledge as an attacker.
Black Box Testing
In this type of pen test, the testers have full knowledge of the environment.
White Box Testing
Pen testers have some knowledge of the environment but do not have access to all documentation or data.
Gray Box Testing
This software can crack passwords on multiple platforms. It's often used to detect weak passwords.
John the Ripper
Commonly used to discover passwords on Windows systems; it can sniff the network and use dictionary, brute force, and cryptanalysis attacks.
Cain and Abel
Used to crack passwords on Windows systems through the use of rainbow tables.
Ophcrack
Can discover WEP keys used on 802.11 wireless networks.
Airsnort
Used for both WEP and WPA cracking on 802.11 wireless networks.
Aircrack
Can crack passwords on older Windows systems.
L0phtcrack
This is an international standard used to rate the exposure of vulnerabilities. The goal is to standardize the assessment process and reporting used by vulnerability scanners and assessment tools.
OVAL (Open Vulnerability and Assessment Language)
Type of backup that is the easiest and quickest to restore. If you have unlimited time and money, this type of backup alone provides the fastest recovery time.
Full Backup
This type of backup strategy starts with a full backup, then afterwards only backs up data that has changed or is different since the last full backup. It only requires 2 tapes to restore: the day of the full backup and the day of the requested data restore. It takes longer to back up but is faster to restore.
Differential Backups
Backup strategy that starts with a full backup, then afterwards backs up only the data that has changed since the last backup. This type of backup takes less time to back up data but longer to restore.
Incremental Backup
If availability is more important than security and something fails, you want it to fail in what kind of state?
Fail Open
If security is more important than availability and something fails, it should fail in what kind of state?
Fail Closed
A room that prevents signals from emanating beyond this room.
Faraday Cage
A government program that has been around for several decades to measure emanations from different devices.
TEMPEST
Explain MD5 Hash.
A common hashing algorithm that produces a 128-bit hash. It is used to verify the integrity of email, files downloaded from the internet, executable files, and more.
Explain SHA.
A hashing algorithm that has several variations grouped into 3 families.
SHA-0 is not used.
SHA-1 creates 160-bit hashes.
SHA-2 improved to overcome potential weaknesses. It includes 4 versions SHA-224, SHA-256, SHA-384, and SHA-512.
SHA-3 is currently in development.
A strong symmetric block cipher that is still widely used today. Bruce Schneier designed this as a general purpose algorithm to replace DES.
Blowfish
This cipher encrypts data in specific sized blocks, such as 64-bit blocks or 128-bit blocks. It divides large files or messages into these blocks and then encrypts each individual block separately.
Block Cipher
Encrypts data as a stream of bits rather than dividing it into blocks. An important principle when using this type of cipher is that the encryption keys should never be reused.
Stream Cipher
Key exchange algorithm used to privately share a symmetric key between two parties. It is widely believed that the work of these three provided the basis for public key cryptography.
Diffie-Hellman
This is an encrypted hash of a message. The sender’s private key encrypts the hash of the message to create this ____. The recipient decrypts the hash with the sender’s public key, and if successful, provides authentication, non-repudiation, and integrity.
Digital Signature
Explain the steps of encrypting email using only asymmetric encryption from Sally to Joe.
Sally retrieves a copy of Joe’s certificate that contains his public key.
Sally encrypts the email with Joe’s public key.
Sally sends the encrypted email to Joe.
Joe decrypts the email with his private key.
Explain the steps of encrypting email with asymmetric and symmetric encryption from Sally to Joe.
Sally identifies a symmetric key to encrypt her email.
Sally encrypts the email contents with a symmetric key.
Sally retrieves a copy of Joe’s certificate that contains his public key. She then uses Joe’s public key to encrypt the symmetric key.
Sally sends the encrypted email and the encrypted symmetric key to Joe.
Joe decrypts the symmetric key with his private key. He then decrypts the email with the decrypted symmetric key.
Explain the steps of encrypting an HTTPS session with SSL and TLS.
Client requests the secure session using HTTPS.
Server responds with its certificate, which includes the server's public key.
Client creates symmetric key and encrypts it with the public key.
Encrypted symmetric key is sent to server.
Server decrypts symmetric key with the private key.
The session is encrypted with the session key using symmetric encryption.
This _____ maintains a copy of a private key for recovery in the event the original is lost.
Key Escrow
An individual who can recover or restore cryptographic keys.
Recovery Agent