Security/Network Basics (Ch. 1,2)

Question 1

CIA triad

Answer 1

_ confidentiality
_ integrity
_ availability

Question 2

User identification

Answer 2

_ Claiming an identity prior to authentication

Question 3

Integrity

Answer 3

_ Ensures data has not changed.
_ Can uses hashes to verify integrity

Question 4

Redundancy

Answer 4

_ Provides fault tolerance

Question 5

SPOF

Answer 5

_ Single point of failure
_ If it fails, the entire system “can” fail

Question 6

Scalability vs. elasticity

Answer 6

Scalability:
_ long-term strategy for being able to scale
_ done manually
Elasticity:
_ ability to dynamically scale up or out as needed
_ scales back down when not needed

Question 7

TCO

Answer 7

_ total cost of ownership

Question 8

resiliency

Answer 8

_ ability to self-heal or recover from faults with minimal downtime
_ e.g. performing and testing backups
_ e.g. UPS or generators
_ e.g. NIC teaming
_ e.g. redundant disk subsystems
_ e.g. retrying failed processes

Question 9

Space needed for encryption

Answer 9

_ typically about a 40% increase

Question 10

risk

Answer 10

_ the possibility or likelihood of a threat exploiting a vulnerability and resulting in a loss

Question 11

threat

Answer 11

_ a circumstance or event that has the potential to compromise confidentiality, integrity, or availability
_ can be natural or man-made
_ can be intentional or accidental

Question 12

Risk mitigation

Answer 12

_ reducing the chances that a threat will exploit a vulnerability

Question 13

Categories of security controls

Answer 13

_ managerial controls
_ operational controls
_ technical controls
_ (classification alternative to “control types”)

Question 14

Managerial controls

Answer 14

_ administrative controls
_ document policy
_ regular reviews, such as risk assessments and vulnerability assessments

Question 15

Operational controls

Answer 15

_ ensure day-to-day ops comply with security plan
_ primarily implemented by people rather than systems
_ e.g. awareness and training
_ e.g. configuration management (such as secure baselines and change management)
_ e.g. media protection
_ e.g. physical and environmental protection

Question 16

Technical controls

Answer 16

_ technological controls, whether software or hardware

Question 17

Control types

Answer 17

_ preventative
_ detective
_ corrective
_ deterrent
_ compensating
_ physical
_ (classification alternative to “control categories”)

Question 18

Preventative controls

Answer 18

_ hardening (making more secure than default config, using defense-in-depth)
_ training
_ security guards
_ change management (a change process helps catch configuration problems before they occur)
_ account disablement policy
_ intrusion prevention system (IPS)
_ and others (not listed)

Question 19

SEM

Answer 19

_ security event management
_ real-time monitoring and analysis of security events

Question 20

SIM

Answer 20

_ security information management
_ long-term storage of security data
_ used for analyzing trends and creating reports

Question 21

SIEM

Answer 21

_ security information and event management system
_ collects, analyzes, manages data from multiple sources
_ detects trends
_ raises alerts
_ combines SEM and SIM functions

Question 22

IDS

Answer 22

_ intrusion detection system
_ monitors network and sends alerts
_ out-of-band with traffic (can’t block traffic)
_ may modify ACLs, terminate processes, or redirect traffic in response to detections

Question 23

Detective controls

Answer 23

_ post-exploit
_ log monitoring
_ SIEM systems
_ security audit of organization
_ video surveillance
_ motion dection
_ intrusion detection system (IDS)
_ and others (not listed)

Question 24

Corrective and recovery controls

Answer 24

_ backups and system recovery
_ incident handling process

Question 25

Deterrent controls

Answer 25

_ discourage hackers from attacking or employees from violating security policies
_ often also preventative
_ e.g. cable locks (for laptops)
_ e.g. physical locks

Question 26

TOTP

Answer 26

_ time-based one-time password
_ example of a compensating control

Question 27

Compensating controls

Answer 27

_ controls that are alternatives to the primary control
_ usually for handling special situations
_ e.g. TOTP access until user receives a security card

Question 28

Response controls

Answer 28

_ aka incident response controls
_ prepare for security incidents
_ respond to security incidents

Question 29

Network discovery

Answer 29

_ devices on a network discovering other devices on the same network

Question 30

Network reconnaissance

Answer 30

_ acquiring details about a network and its devices

Question 31

ICMP

Answer 31

_ Internet Control Message Protocol
_ often used in DoS attacks
_ used by ping

Question 32

ping (e.g count)

Answer 32

_ sends an ICMP echo request packet
_ can limit counts on Linux with “-c count”
_ can loop pings on Windows with “-t”
_ firewall may block

Question 33

hping

Answer 33

_ only on Linux
_ sends pings to TCP, UDP, and ICMP

Question 34

NIC

Answer 34

_ network interface card
_ wired or wireless

Question 35

ifconfig

Answer 35

Often first step in troubleshooting network problems. Can show:
_ IP address
_ subnet mask
_ default gateway
_ MAC address
_ DNS address
_ config info for NICs
_ deprecated but still useful
_ ipconfig on Windows

Question 36

Use ifconfig to get basic network info

Answer 36

_ ifconfig

Question 37

Use ifconfig to show TCP/IP config for each NIC

Answer 37

_ ifconfig -a

Question 38

Show local DNS cache

Answer 38

_ displaydns

Question 39

Flush the local DNS cache

Answer 39

_ flushdns

Question 40

Ip command

Answer 40

_ recommended over ifconfig, but not as functional
_ show details on interfaces: ip link show
_ enable a network interface: ip link set eth0 up
_ show stats on network interface: ip -s link

Question 41

netstat

Answer 41

_ shows TPC/IP stats
_ shows active TCP/IP connections
_ switches can be combined

Question 42

Display list of all open connections

Answer 42

_ netstat

Question 43

Display list of all TCP and UDP ports being listened to, plus display all open connections

Answer 43

_ netstat -a

Question 44

Display network statistics details, including bytes sent/received

Answer 44

_ netstat -e

Question 45

traceroute

Answer 45

_ lists all routers between two systems (each is a hop)
_ provides IP, hostname, and round-trip times (RTTs)
_ useful for identifying faulty routers (e.g. where traffic stops)
_ often used after ping fails to reach an IP
_ can find an unauthorized router monitoring packets
_ on windows: tracert

Question 46

ARP

Answer 46

_ Address Resolution Protocol
_ resolves IPv4 addresses to MAC addresses
_ caches resolved mappings
_ required when packet reaches destination subnet

Question 47

arp

Answer 47

_ command to show/manipulate the ARP cache
_ can be used to find MAC addresses of other systems on local network (after getting their IPs)

Question 48

Show the entire ARP cache

Answer 48

_ arp

Question 49

Show the ARP cache for a single IP address

Answer 49

_ arp -a 192.168.1.1

Question 50

logger command

Answer 50

_ adds a log entry to “/var/log/syslog”

Question 51

Linux permission groups

Answer 51

_ 1st: owner
_ 2nd: owner’s group
_ 3rd: everyone else

Question 52

Give owner’s group only write permission to a file

Answer 52

_ chmod g=w filename

Question 53

Remove owner’s execute permission from file

Answer 53

_ chmod u-x filename

Question 54

Add read permission to file for everyone

Answer 54

_ chmod o+r filename

Question 55

Windows logs

Answer 55

_ security log (audit and access)
_ system log
_ app log

Question 56

Network logs

Answer 56

_ found on a variety of devices

Question 57

UBA

Answer 57

_ user behavior analysis

Question 58

NTP

Answer 58

_ network time protocol
_ for syncing time across a network

Question 59

SIEM capabilities

Answer 59

_ log collection - keeps logs in a searchable DB
_ log aggregation - storing varying log data in same format
_ correlation - looks for patterns, raises alerts
_ reporting
_ packet capture
_ user behavior analysis (UBA)
_ sentiment analysis - detects unwanted behavior
_ security monitoring - predefined alerts
_ automated triggers - actions to perform after detecting a predetermined number of repeated events
_ time sync across servers providing source data using NTP (or converting time to a common format)
_ event deduplication - same data only stored once
_ WORM logs - write-once read-many log archiving

Question 60

Elements of a SIEM dashboard

Answer 60

_ sensor logs
_ alerts
_ sensitivity levels
_ correlation
_ trends

Question 61

Syslog protocol

Answer 61

_ specifies a general entry format
_ specifies a protocol for transporting log entries
_ can collect log entries from many devices (like SIEM)
_ syslogd collects syslog messages on Linux
_ log format in /etc/syslog.conf
_ logs in /var/syslog
_ formerly used UDP, now uses TCP

Question 62

Linux logs

Answer 62

_ in /var/log/
_ /var/log/auth.log - user login attempts (debian/ubuntu)
_ /var/log/secure - user login attempts (red hat/centos)
_ /var/log/syslog/ - general system messages (debian/ubuntu)
_ /var/log/messages/ - general system messages (red hat/centos)

Question 63

U.S. DHS password recommendations

Answer 63

_ hash all passwords
_ require MFA
_ don’t require mandatory password resets
_ requires passwords to be 8+ chars
_ prevent use of common passwords
_ tell users not to share passwords across sites
_ allow all special chars but don’t require any

Question 64

Password history

Answer 64

_ prevents users from reusing old passwords

Question 65

Four security factors

Answer 65

_ Something you know
_ Something you have (other than biometrics)
_ Something you are (including biometrics)
_ Somewhere you are

Question 66

KBA

Answer 66

_ knowledge-based authentication
_ static KBA
_ dynamic KBA

Question 67

Static KBA

Answer 67

_ static knowledge-based authentication
_ authentication information that doesn’t change
_ e.g. personal security questions

Question 68

Dynamic KBA

Answer 68

_ authenticates individuals not already having an account
_ retrieves from other sources information that only the individual should know, verifies that
_ time limit answering questions to reduce risk of someone looking them up on the Internet

Question 69

Smart card

Answer 69

_ card with microchip and certificated
_ embedded cert holds user’s private key
_ requires PKI (public key infrastructure)

Question 70

Hard token

Answer 70

_ aka hardware token
_ device with a one-time password (OTP)
_ password (usually a number) changes over time

Question 71

Soft token

Answer 71

_ aka software token
_ app running on smartphone generating the OTP
_ e.g. Google Authenticator

Question 72

HOTP

Answer 72

_ HMAC-based One-Time-Password
_ token and server apply an algorithm to a shared secret key
_ each time token is used, both advance to the next token
_ device usually has a button for displaying the token

Question 73

TOTP

Answer 73

_ Time-based One-Time Password
_ select token as a function of the time

Question 74

Retina vs iris scanners

Answer 74

_ Retinal scanners ID the pattern of blood vessels at the back of the eye - requires physical contact
_ Iris canners use IR to capture the unique patterns of the iris around the pupil - no physical contact required

Question 75

Strongest authentication factor

Answer 75

_ biometrics (“something you are”)
_ aka “third factor”
_ retina and iris scans are strongest

Question 76

Four biometric acceptance possibilities

Answer 76

_ false acceptance (incorrectly identifies unknown user as known)
_ false rejection (incorrectly rejects a known user)
_ true acceptance
_ true rejection

Question 77

FAR and FRR

Answer 77

_ false acceptance rate
_ false rejection rate

Question 78

CER

Answer 78

_ crossover error rate
_ point at which FAR crosses with FRR on a graph as system increases with sensitivity
_ low CER indicates greater accuracy

Question 79

2FA combos

Answer 79

_ something you have and something you know
_ something you know and something you are
_ (excludes something you have and something you are)
_ (can’t both use the same class of factor)
_ (“something you have” often verified by push notification to smartphone)

Question 80

Account types and their credential policies

Answer 80

_ personnel or end-user accounts
_ admin and root accounts
_ service accounts (user account under which a server runs – credentials don’t expire)
_ device accounts
_ third-party accounts (used by external entities)
_ guest accounts
_ shared and generic account/credentials (when user varies)

Question 81

PAM

Answer 81

_ privileged access management
_ can be just-in-time permissions (given as needed, usually auto-revoked after a period of time)
_ can be temporal accounts (temporary grants)
_ often used for admin or root accounts
_ prevents exposure of a root password

Question 82

PAM capabilities

Answer 82

_ allow users access to privileged account without giving them the password
_ automatically change privileged account passwords periodically
_ limit time users can use the privileged account
_ allow users to check out credentials
_ log all access of credentials

Question 83

deprovisioning

Answer 83

_ process of disabling a user account

Question 84

attestation

Answer 84

_ formal process of reviewing user permissions

Question 85

SSO

Answer 85

_ single-sign on
_ login once to access multiple systems
_ increases security because user need only remember one password, reducing likelihood they write it down
_ may generate a unique secure token per sign-in
_ often provided by LDAP

Question 86

Federated system

Answer 86

_ aka federated identity management system
_ provides central authentication in a non-homogeneous environment
_ associates varied credentials with a single identity
_ single sign-on across disparate servers

Question 87

SAML

Answer 87

_ security assertion markup language
_ provides federated identity management across different websites
_ e.g. a frontend provides auth before redirecting user to a backend system without requiring re-auth
_ does not provide authorization, but may support transfer of authorization info between systems

Question 88

SAML roles

Answer 88

_ principal - typical user
_ identity provider (IdP) - maintains the auth system
_ service provider - provides services to the user

Question 89

OAuth

Answer 89

_ open standard for authorization (not authentication)

Question 90

Authorization models

Answer 90

_ role-based access control
_ rule-based access control
_ discretionary access control (DAC)
_ mandatory access control (MAC)
_ attribute-based access control (ABAC)

Question 91

Role-BAC

Answer 91

_ role-based access control
_ aka group-based access control
_ can be hierarchy based, mimicking heirarching of org
_ can be job/task/function-based
_ assigns permissions to groups (windows calls roles “security groups”)

Question 92

Rule-BAC

Answer 92

_ rule-based access control
_ usually in routers and firewalls in ACLs, defining what traffic is allowed into the network
_ intrusion detection systems can use dynamic rules to detect and block attacks
_ some rules trigger in response to an event

Question 93

DAC

Answer 93

_ discretionary access control
_ owners of objects have full control over permissions to object and establish access to the objects
_ Windows (e.g. NTFS) and most Unix-based systems use DAC (with DAC lists – DACLs)

Question 94

ACE

Answer 94

_ access control entry in an ACL

Question 95

NTFS

Answer 95

_ Microsoft’s New Technology File System
_ permissions: write, read, read/execute, modify, full-control

Question 96

SID

Answer 96

_ security identifier on Windows
_ used in DACLs

Question 97

MAC (authorization)

Answer 97

_ mandatory access control
_ assigns labels to both subjects and objects
_ objects are organized into compartments
_ labels define security levels and designate compartments
_ subjects have access to the objects for which the subject’s labels are >= the object’s label and the subject also has the label for the compartment
_ also enforces need-to-know
_ government classification access

Question 98

SELinux

Answer 98

_ security-enhanced Linux
_ uses MAC

Question 99

MAC (networks)

Answer 99

_ media access control
_ assigns physical/hardware addresses to NICs

Question 100

MAC (authentication)

Answer 100

_ message authentication code
_ provides integrity akin to a hash

Question 101

SDN

Answer 101

_ software defined network
_ network in which software routes traffic rather than hardware controllers and switches

Question 102

ABAC

Answer 102

_ attribute-based access control
_ bases access on attributes of the user, the resource, or the environment
_ rules for access control are called “policies”
_ policies state subject, object, action (what user wants to do), and environment (context of request)
_ commonly used in SDNs
_ can enforce DAC or MAC schemes

Question 103

What to look for when reviewing authentication logs

Answer 103

_ account lockouts
_ concurrent session usage
_ impossible travel time
_ blocked content (due to validation)
_ resource consumption (indicating attack)
_ resource inaccessibility
_ log anomalies (e.g. unusual numbers of logs, logs at unusual times, or missing log entries)