Security Refresh Flashcards

1
Q

What is ARP poisoning?

A

Address Resolution Protocol (ARP) poisoning is an attack on an Ethernet LAN in which the attacker sends forged ARP replies (and sometimes requests) so that victims' ARP caches map a target IP address, typically the default gateway, to the attacker's MAC address. Traffic for that IP is then delivered to the attacker, who can read, modify or drop it (man-in-the-middle or denial of service). ARP has no authentication, so any host on the segment can make these claims; defenses include dynamic ARP inspection on switches and static ARP entries for critical hosts.
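
A passive detector for the behaviour described above, added here as an example (it is not part of the original deck). It builds a few Ethernet/ARP frames as constructed sample traffic, parses them per RFC 826, and flags the three things a poisoning run produces on the wire: an IP that was already bound to one MAC being re-bound to another, one MAC claiming several IPs (the attacker posing as both gateway and victim), and a frame whose Ethernet source MAC disagrees with the ARP sender MAC. All MAC and IP values are made up for the example.

```python
import struct

ETHERTYPE_ARP = b"\x08\x06"
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Ethernet II + ARP (RFC 826) frame; used here only to construct sample traffic.
    eth_src lets a test frame carry a link-layer source that differs from the ARP sender MAC."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = eth_dst + (eth_src or sender_mac) + ETHERTYPE_ARP        # dst MAC, src MAC, EtherType
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)               # Ethernet, IPv4, hlen 6, plen 4, opcode
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def parse_arp_frame(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "eth_src": mac_str(frame[6:12]),
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_ip": ip_str(frame[38:42]),
    }


def detect_arp_poisoning(frames):
    """Every ARP packet (request or reply) asserts a sender IP->MAC binding that hosts will
    cache, so all are inspected. The first binding seen for an IP is treated as the trusted one."""
    bindings = {}      # ip -> first MAC seen claiming it
    claimed_by = {}    # mac -> set of IPs it has claimed
    alerts = []
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp is None:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:
            alerts.append(f"spoofed header: frame from {arp['eth_src']} claims ARP sender {mac}")
        first = bindings.setdefault(ip, mac)
        if first != mac:
            alerts.append(f"rebinding: {ip} was {first}, now {mac}")
        ips = claimed_by.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > 1:
            alerts.append(f"multi-claim: {mac} claims {sorted(ips)}")
    return alerts


# Constructed sample traffic (not a real capture).
GATEWAY_MAC, GATEWAY_IP = bytes.fromhex("aabbcc000001"), bytes([192, 168, 1, 1])
VICTIM_MAC, VICTIM_IP = bytes.fromhex("aabbcc000010"), bytes([192, 168, 1, 10])
ATTACKER_MAC = bytes.fromhex("deadbeef0001")

SAMPLE_FRAMES = [
    # legitimate: victim broadcasts a request for the gateway, gateway replies
    build_arp_frame(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, b"\x00" * 6, GATEWAY_IP),
    build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # poisoning: attacker tells the victim "I am the gateway" and the gateway "I am the victim"
    build_arp_frame(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_frame(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_FRAMES):
        print(alert)
```

Feeding this a real capture means replacing SAMPLE_FRAMES with raw frames from a packet socket or pcap; the first-seen binding is only trustworthy if the monitor started before the attacker, so in practice seed `bindings` from a DHCP lease table or static inventory.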

2
Q

amplification attack

A

Sending small requests with a spoofed source address (the victim's) to servers that return much larger responses, so the servers flood the victim with traffic the attacker never had to generate; e.g., DNS amplification through open resolvers, or NTP monlist. The amplification factor is the response size divided by the request size.

3
Q

pass the hash

A

Using a stolen password hash to authenticate as the user directly, without cracking it to recover the original password. It works because challenge-response schemes such as NTLM derive the response from the hash alone, so the hash is password-equivalent.

4
Q

IV attack

A

An attack that exploits a short or reused initialization vector (IV). The classic target is WEP: its 24-bit IV is sent in the clear and prepended to the RC4 key, and on a busy network IVs repeat quickly, so an attacker who captures enough frames can recover key stream and ultimately the WEP key.

5
Q

race condition

A

A programming flaw in which two or more threads or processes access the same resource and the outcome depends on which runs first. It becomes a bug, and often a vulnerability, when events do not happen in the order the programmer assumed; the common security case is time-of-check to time-of-use (TOCTOU), where a check is made and then acted on after the state may have changed.

6
Q

RADIUS

A

Remote Authentication Dial-In User Service. An AAA service that provides central authentication, authorization and accounting for remote access and network access clients (VPN concentrators, wireless controllers, switches). It runs over UDP (ports 1812/1813, legacy 1645/1646) and obfuscates only the User-Password attribute with a shared secret. Alternatives are TACACS+ and Diameter.

7
Q

Diameter vs Radius

A

Diameter is the successor to RADIUS and, despite the name, is not backward compatible with it, although it is designed to offer an upgrade path. It runs over TCP or SCTP rather than UDP, expects transport security (TLS or IPsec), and adds commands and attributes beyond RADIUS's, including ones for use with EAP. Many organizations, telecoms especially, have switched to it for these extra capabilities.

8
Q

TACACS+ vs RADIUS

A

Terminal Access Controller Access-Control System Plus (TACACS+) is a Cisco-originated alternative to RADIUS. It provides two important security benefits over RADIUS: it encrypts the entire packet body, whereas RADIUS obfuscates only the password, and it uses multiple challenges and responses between the client and the server. It also separates authentication, authorization and accounting into distinct exchanges, which allows per-command authorization on network devices, and it runs over TCP port 49 rather than UDP.

9
Q

What does Windows use for authentication?

A

Microsoft Active Directory uses Kerberos for domain authentication. NTLM is retained as a fallback, for example when a client addresses a server by IP address or the server is not domain-joined.

10
Q

802.1X

A

A port-based network access control standard. It requires a user or device (the supplicant) to authenticate when it connects to a specific physical switch port or wireless access point (the authenticator) before the port forwards normal traffic; if authentication fails, access is blocked or the port is placed in a restricted VLAN. It works on both wired and wireless networks. The authenticator relays EAP messages to an authentication server, which is normally a RADIUS server.

11
Q

pass the hash

A

A password attack that captures the hash of a password (for example, from LSASS memory or the SAM database) and uses it to authenticate as the user without knowing or cracking the password. It is commonly associated with the Microsoft NTLM protocol, whose challenge-response is computed directly from the NT hash.

12
Q

NTLM

A

NTLM (New Technology LAN Manager). A suite of challenge-response authentication protocols for Windows systems that also provides session signing (integrity) and sealing (confidentiality). Versions include NTLM (v1), NTLMv2, and NTLM2 Session. The credential is the NT hash, an unsalted MD4 of the UTF-16LE password, which is why a stolen hash can be used in place of the password.

13
Q

Golden Ticket Attack

A

A forged Kerberos Ticket-Granting Ticket (TGT), also called an authentication ticket. TGTs are encrypted and signed with the KRBTGT account's key, so an attacker who obtains the KRBTGT NT hash or AES key (normally after compromising a domain controller) can mint TGTs for any principal, even non-existent ones, with arbitrary group membership and lifetime, giving total access to the entire domain. The forged tickets stay valid until the KRBTGT password has been rotated twice.

14
Q

What ports does DNS use and for what?

A

DNS uses UDP port 53 for client queries and TCP port 53 for zone transfers. TCP 53 is also used when a response is too large for UDP (the server sets the TC bit and the client retries over TCP), so blocking TCP 53 entirely breaks resolution of large responses.

15
Q

BIND (what is it used for?)

A

Most DNS servers on the Internet run Berkeley Internet Name Domain (BIND) software and run on Unix or Linux servers.

16
Q

SMB

A

The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write files and to request services from server programs across a network. It runs directly over TCP port 445 and, historically, over NetBIOS on TCP port 139. SMB 1.0 is obsolete and should be disabled; SMB 3 adds signing and encryption.

17
Q

DSA

A

DSA (Digital Signature Algorithm). A FIPS 186 signature scheme based on the discrete logarithm problem. The signer hashes the message and computes a signature (r, s) from the hash with the private key; anyone holding the public key can verify it. A valid signature provides authentication, integrity and non-repudiation. The shorthand "the sender's private key encrypts the hash" describes RSA signatures literally; DSA does not encrypt anything, but the trust properties are the same.

18
Q

RSA

A

RSA is a popular asymmetric algorithm used for both encryption and digital signatures. Many cryptographic protocols (TLS, S/MIME) use RSA to secure data such as email and data transmitted over the Internet. Keys are generated from two large primes p and q: the modulus n = pq is public, and the private exponent can be computed only by someone who knows the factors. Use it with a proper padding scheme (OAEP for encryption, PSS for signatures) and keys of at least 2048 bits.

19
Q

S/MIME

A

Secure/Multipurpose Internet Mail Extensions (S/MIME) is one of the most popular standards used to digitally sign and encrypt email. Most email applications that support encryption and digital signatures use S/MIME. It relies on X.509 certificates: the message body is encrypted with a symmetric cipher, typically AES, and the symmetric key is wrapped with each recipient's public key, typically RSA (ECC is also supported); signatures use the sender's private key.

20
Q

DEP

A

Data execution prevention (DEP) is a security feature that prevents code from executing in memory regions marked as non-executable, such as the stack and heap. It is enforced by the CPU's NX/XD bit with operating system support. Its purpose is to stop exploits for memory corruption bugs from running injected shellcode; attackers respond with return-oriented programming, which is why DEP is paired with ASLR.

21
Q

certificate chaining

A

A process that combines all certificates within a trust model. It includes all the certificates in the trust chain from the root CA down to the certificate issued to the end user.

22
Q

Certificate stapling

A

The server (not the client) periodically obtains a timestamped, digitally signed OCSP response from the CA and sends it to the client in the TLS handshake alongside its certificate. The client gets fresh revocation status without contacting the CA itself, which is faster and avoids leaking browsing activity to the CA.

23
Q

Public key pinning

A

A site gives clients a list of hashes of the public keys (SubjectPublicKeyInfo) it uses, and the client refuses later connections whose certificate chain contains none of the pinned keys. HTTP Public Key Pinning (HPKP) did this with a Public-Key-Pins header; browsers have since removed support because a mistaken or lost pin locks users out of the site. Pinning is still common inside mobile apps.

24
Q

re-certification

A

Periodically reviewing account access and group membership to validate its necessity, and removing entitlements that are no longer needed.

25
Q

rootkit

A

A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker’s activities on the host and permit the attacker to maintain root-level access to the host through covert means.

26
Q

permanent agent

A

A permanent agent (sometimes called a persistent NAC agent) is installed on the client and stays on the client.

27
Q

dissolvable agent

A

A dissolvable agent is downloaded and run on the client when the client logs on remotely. It collects the information it needs, identifies the client as healthy or not healthy, and reports the status back to the NAC system. Some dissolvable NAC agents remove themselves immediately after they report back to the NAC system. Others remove themselves after the remote session ends.

28
Q

Tunnel mode (ipsec)

A

Encrypts and authenticates the entire original IP packet, header included, and wraps it in a new IP header addressed between the two IPsec gateways. It is the mode used for site-to-site and remote-access VPNs over the Internet; the internal addressing is hidden from anyone who intercepts the traffic.

29
Q

Transport mode

A

Protects only the payload of the IP packet; the original IP header stays in the clear. It is used for host-to-host protection within a private network rather than for site-to-site VPNs, because it cannot carry a packet whose inner addresses differ from the outer ones. If traffic is transmitted and used only within a private network, there is no need to hide the IP addresses.

30
Q

STARTTLS

A

An SMTP, IMAP and POP3 (also LDAP and XMPP) command that upgrades an unencrypted connection to TLS on the same port, for example SMTP on 25/587 instead of implicit TLS on 465. It is opportunistic: if the server's capability list does not advertise it, the client carries on in plaintext, so an on-path attacker who strips the advertisement downgrades the session unless the client is configured to require TLS.
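
The SMTP exchange behind this card, as an added example that is not from the original deck: the server's EHLO reply is parsed for the STARTTLS keyword, the client decides whether to upgrade, and a stripping attacker is modelled by deleting that line from the reply. The server banner and capability list are constructed; the only real-world behaviour asserted is that an opportunistic client silently falls back to plaintext while an enforcing client refuses.

```python
def parse_ehlo_reply(reply: str):
    """Return the extension keywords from an RFC 5321 EHLO reply (multi-line 250 response)."""
    lines = [ln for ln in reply.splitlines() if ln]
    if not lines or not all(ln.startswith("250") for ln in lines):
        raise ValueError("not a successful EHLO reply")
    if not lines[-1].startswith("250 ") or any(not ln.startswith("250-") for ln in lines[:-1]):
        raise ValueError("malformed multi-line reply")
    # The first line is the server's domain greeting, not an extension keyword.
    return {ln[4:].split()[0].upper() for ln in lines[1:] if ln[4:].split()}


def choose_transport(ehlo_reply: str, require_tls: bool) -> str:
    """Client decision after EHLO. With require_tls=False this is opportunistic STARTTLS."""
    caps = parse_ehlo_reply(ehlo_reply)
    if "STARTTLS" in caps:
        # Real client: send "STARTTLS", expect "220", wrap the socket in TLS, then EHLO again.
        return "STARTTLS"
    if require_tls:
        raise ConnectionError("STARTTLS not advertised; refusing to send in plaintext")
    return "PLAINTEXT"


def strip_starttls(ehlo_reply: str) -> str:
    """What an on-path attacker does: drop the STARTTLS line and keep the reply well-formed."""
    lines = [ln for ln in ehlo_reply.splitlines()
             if ln and ln[4:].upper().split()[:1] != ["STARTTLS"]]
    lines[-1] = "250 " + lines[-1][4:]          # last line must use the "250 " terminator
    return "\r\n".join(lines) + "\r\n"


# Constructed server reply to EHLO (sample data, not a real server).
SERVER_EHLO = ("250-mail.example.com Hello client\r\n"
               "250-SIZE 35882577\r\n"
               "250-STARTTLS\r\n"
               "250 SMTPUTF8\r\n")


def demo():
    """(honest server, stripped + opportunistic client, stripped + enforcing client)."""
    honest = choose_transport(SERVER_EHLO, require_tls=False)
    downgraded = choose_transport(strip_starttls(SERVER_EHLO), require_tls=False)
    try:
        choose_transport(strip_starttls(SERVER_EHLO), require_tls=True)
        enforced = "PLAINTEXT"
    except ConnectionError:
        enforced = "REFUSED"
    return honest, downgraded, enforced


if __name__ == "__main__":
    print(demo())
```

In the standard library the two client behaviours correspond to calling `smtplib.SMTP.starttls()` only `if server.has_extn("STARTTLS")` (opportunistic) versus calling it unconditionally, which raises `SMTPNotSupportedError` when the extension is missing (enforcing). Using implicit TLS on port 465 (`smtplib.SMTP_SSL`) avoids the negotiation entirely.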

31
Q

AH (authentication header)

A

Authentication Header. An IPsec protocol (IP protocol 51) that provides integrity and origin authentication for the whole packet, including the outer IP header, but no encryption. Because the header is covered by the integrity check, AH does not survive NAT, and ESP is used almost everywhere instead.

32
Q

ESP

A

Encapsulating Security Payload. An IPsec protocol (IP protocol 50) that provides confidentiality, integrity and authentication of the payload; with NAT traversal it is encapsulated in UDP port 4500. ESP with an authenticated cipher is the usual configuration.

33
Q

stored procedure

A

A group of SQL statements stored in the database that executes as a unit, like a mini-program. Developers use stored procedures to help prevent SQL injection: the application passes typed parameters instead of building SQL strings, so user input cannot alter the statement. The protection is lost if the procedure itself concatenates its arguments into dynamic SQL (EXEC or sp_executesql with a built string).

34
Q

XSRF

A

Cross-site request forgery (XSRF, more often CSRF). A web application attack that tricks a logged-in user's browser into sending a state-changing request (making a purchase, changing an email address) to a site without the user's knowledge; it works because the browser attaches the session cookie automatically. Defenses are per-session anti-CSRF tokens, the SameSite cookie attribute, and re-authentication for sensitive actions.

35
Q

XSS

A

Cross-site scripting. A web application vulnerability in which attacker-supplied HTML or JavaScript is included in a page and executes in other users' browsers with the site's origin, typically to steal session cookies or act as the user. It may be stored (persisted by the server), reflected (echoed from the request) or DOM-based. Defenses are context-aware output encoding, input validation, and a Content Security Policy.

36
Q

transitive trust

A

An indirect trust relationship created by two or more direct trust relationships.

37
Q

SAML

A

Security Assertion Markup Language (SAML) is an XML-based data format used to exchange authentication and authorization information (assertions) between an identity provider and a service provider. It provides SSO for web-based applications and is commonly the basis of a federated identity management system.

38
Q

shibboleth

A

Shibboleth is an open-source federated identity solution built on SAML. Because it is freely available, it is a more affordable option than some commercial federated identity products, and it is widely used in higher education.

39
Q

federated identity

A

A way to give users a single identity across different security domains or organizations. A federation requires a federated identity management system that all members use; it provides central authentication in a heterogeneous environment, so that an identity established by one member's identity provider grants access to resources held by the others.

40
Q

OAuth

A

An open standard for delegated authorization: a user lets a third-party application access protected resources on their behalf through scoped access tokens, without sharing their password. OAuth 2.0 is an authorization framework, not an authentication protocol; authenticating users on top of it is what OpenID Connect adds.

41
Q

openID Connect

A

OpenID Connect is an identity layer on top of OAuth 2.0. The identity provider issues a signed ID token (a JWT) that lets clients verify the end user's identity without ever handling the user's credentials; the client validates the token's signature, issuer, audience and expiry.

42
Q

pointer dereference

A

A programming operation that follows a pointer to the memory it references. Dereferencing an invalid pointer (NULL, freed or uninitialized) is undefined behaviour: at best the application crashes, and otherwise it can corrupt memory or be steered by an attacker.

43
Q

SPI

A

Sensitive Personal Information (SPI) refers to information that does not identify an individual, but is related to an individual, and communicates information that is private or could potentially harm an individual should it be made public.

44
Q

refactoring

A

A driver manipulation method. Developers rewrite the code without changing the driver’s behavior.

45
Q

shimming

A

A driver manipulation method. It uses additional code to modify the behavior of a driver.

46
Q

RPO

A

Recovery point objective. A term that refers to the amount of data you can afford to lose by identifying a point in time where data loss is acceptable. It is often identified in a BIA.

47
Q

pharming

A

A pharming attack manipulates the DNS name resolution process so that a user who types the correct host name is sent to the attacker's site. It either corrupts the DNS server (cache poisoning) or the DNS client (for example, editing the local hosts file or changing the configured resolver). Like DNS poisoning, a successful pharming attack redirects users to a different web site, usually a look-alike that harvests credentials.

48
Q

RTO

A

Recovery time objective. The maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA.

49
Q

MTTR

A

Mean time to recover. A metric that identifies the average time it takes to restore a failed system. Organizations that have maintenance contracts often specify the MTTR as a part of the contract.

50
Q

fault tolerance

A

The capability of a system to suffer a fault, but continue to operate. Said another way, the system can tolerate the fault as if it never occurred.

51
Q

SED

A

Self-encrypting drive. A drive whose controller encrypts all data at rest with an on-board key. Users typically enter credentials (a pre-boot password) to unlock the data encryption key and use the drive; cryptographic erase is done by destroying that key.

52
Q

hardware root of trust

A

A known-good starting point for a chain of trust that is anchored in hardware rather than software. A TPM holds a unique endorsement key burned into the chip that never leaves it, and it records measurements of each boot stage in its PCRs, so the platform can attest what it booted and release secrets only to a trusted configuration.