Security Refresh Flashcards
What is ARP poisoning?
Address Resolution Protocol (ARP) poisoning, also called ARP spoofing, is an attack on an Ethernet LAN in which the attacker sends forged ARP replies (and sometimes requests) that bind a victim's IP address, typically the default gateway's, to the attacker's Media Access Control (MAC) address. Hosts that receive the forgeries update their ARP cache, so their traffic for that IP is delivered to the attacker, who can intercept, modify, or drop it (an on-path / man-in-the-middle position). ARP has no authentication, which is why unsolicited replies are accepted.
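The detection side of the card above, as an added example that is not part of the original flashcards: it builds a few ARP frames (constructed sample traffic, not a capture), parses them from the raw bytes, and flags any IP address that is later claimed by a different MAC, which is the signature an ARP watcher looks for. The MAC and IP addresses are made up.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826 layout)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "eth_src": fmt_mac(frame[6:12]),
        "sender_mac": fmt_mac(frame[22:28]),
        "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]),
        "target_ip": fmt_ip(frame[38:42]),
    }


def detect_poisoning(frames: List[bytes]) -> List[Tuple[str, str, str]]:
    """Flag every ARP packet whose sender IP is already bound to a different MAC.

    The first binding seen for an IP is trusted (the same assumption arpwatch makes);
    a later packet claiming that IP from another MAC is reported as (ip, known_mac, new_mac).
    """
    table: Dict[str, str] = {}
    alerts: List[Tuple[str, str, str]] = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] not in (ARP_REQUEST, ARP_REPLY):
            continue
        ip, mac = str(arp["sender_ip"]), str(arp["sender_mac"])
        known = table.setdefault(ip, mac)
        if known != mac:
            alerts.append((ip, known, mac))
    return alerts


def sample_frames() -> List[bytes]:
    """Constructed traffic: a legitimate gateway and host exchange, then an attacker
    (de:ad:be:ef:00:01) claiming both of their IPs so it sits between them."""
    gw, host, attacker = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", "de:ad:be:ef:00:01"
    return [
        build_arp(ARP_REQUEST, host, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp(ARP_REPLY, gw, "192.168.1.1", host, "192.168.1.10"),
        build_arp(ARP_REPLY, attacker, "192.168.1.1", host, "192.168.1.10"),  # forged: gateway "moved"
        build_arp(ARP_REPLY, attacker, "192.168.1.10", gw, "192.168.1.1"),    # forged: host "moved"
    ]


if __name__ == "__main__":
    for alert in detect_poisoning(sample_frames()):
        print("ARP conflict: %s was %s, now claimed by %s" % alert)
```

On a real network the same logic runs over frames from a raw socket or a pcap; legitimate MAC changes (a replaced NIC, a VRRP failover) also trip it, so the alert is a signal to investigate, not proof of attack.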
amplification attack
Sending small queries with a spoofed source address (the victim's) to servers that return much larger responses, so the victim is flooded with traffic many times the volume the attacker sent, e.g. DNS amplification through open resolvers.
pass the hash
Authenticating with a stolen password hash (for example an NTLM hash dumped from memory) instead of the cleartext password; the protocol accepts the hash as proof of identity, so the attacker never has to crack it.
IV attack
Associated with WEP. WEP seeds RC4 with a 24-bit initialization vector (IV) prepended to the shared key and transmits the IV in the clear. The IV space is so small that IVs repeat on a busy network within minutes; two frames encrypted under the same IV use the same keystream, so XORing them cancels the keystream and exposes the plaintexts, and certain weak IVs leak the key itself (the FMS attack).
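The keystream-reuse problem behind the IV attack, as an added example not taken from the flashcards: a plain RC4 implementation, WEP-style encryption under IV || key, and recovery of a second frame's plaintext from a first frame whose contents are known. The 40-bit key, IV, and frame contents are made up; the CRC-32 ICV that real WEP appends is left out because it does not change the point.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP is built on."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || shared key and prepends the 3-byte IV in the clear.
    (The CRC-32 ICV that real WEP appends to the plaintext is omitted here.)"""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def recover_with_known_plaintext(frame_known: bytes, known_plaintext: bytes,
                                 frame_target: bytes) -> bytes:
    """Two frames with the same IV share a keystream, so C1 xor C2 = P1 xor P2.
    Knowing P1 (e.g. a predictable protocol header) yields the keystream and therefore P2."""
    if frame_known[:3] != frame_target[:3]:
        raise ValueError("different IVs: keystreams differ, this attack does not apply")
    keystream = xor_bytes(frame_known[3:], known_plaintext)
    return xor_bytes(frame_target[3:], keystream)


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday-bound estimate of the chance that some IV repeats among `packets` frames."""
    space = 1 << iv_bits
    return 1.0 - math.exp(-(packets * packets) / (2.0 * space))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                        # the IV a naive driver would start from
    f1 = wep_encrypt(iv, key, b"GET /index.html HTTP/1.1\r\n")
    f2 = wep_encrypt(iv, key, b"user=alice&pw=hunter2")
    print(recover_with_known_plaintext(f1, b"GET /index.html HTTP/1.1\r\n", f2))
    print("P(IV repeat after 5000 frames) = %.2f" % iv_collision_probability(5000))
```

The birthday estimate shows why the 24-bit IV is fatal regardless of key length: a few thousand frames give better-than-even odds of a repeat, and a busy access point sends that many in seconds.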
race condition
A programming flaw that occurs when two threads or processes access the same resource without synchronization, so the result depends on the order in which they happen to run. It becomes a bug, and often a vulnerability (time-of-check to time-of-use, TOCTOU), when events don't happen in the order the programmer planned, e.g. a check passes and the following action runs on state that has changed in between.
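A deterministic illustration of the check-then-act race, added here and not part of the original cards: two "threads" are written as generators that yield at every point where a real scheduler could switch, a tiny scheduler interleaves them in a chosen order, and the unsynchronized version pays out more than the account holds while the locked version does not. The account, amounts, and schedules are constructed for the demo.

```python
from typing import Dict, Generator, List, Optional, Tuple

Step = Generator[str, None, None]


class Account:
    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.withdrawn = 0          # total actually paid out, to check the invariant


class Lock:
    def __init__(self) -> None:
        self.holder: Optional[str] = None


def withdraw_unlocked(acct: Account, amount: int) -> Step:
    """Check-then-act with no synchronisation. Every `yield` is a point where
    the scheduler may switch to the other thread."""
    seen = acct.balance                 # 1. read
    yield "read"
    if seen < amount:                   # 2. check
        yield "insufficient"
        return
    yield "checked"
    acct.balance = seen - amount        # 3. act, on a value that may be stale by now
    acct.withdrawn += amount
    yield "done"


def withdraw_locked(acct: Account, amount: int, lock: Lock, me: str) -> Step:
    """Same logic, but read-check-act happens while holding a lock."""
    while lock.holder is not None:      # wait until the lock is free
        yield "waiting"
    lock.holder = me
    seen = acct.balance
    yield "read"
    if seen >= amount:
        yield "checked"
        acct.balance = seen - amount
        acct.withdrawn += amount
    lock.holder = None
    yield "done"


def run(schedule: List[str], threads: Dict[str, Step]) -> None:
    """Deterministic scheduler: advance threads in `schedule` order, then drain the rest."""
    pending: Dict[str, Optional[Step]] = dict(threads)

    def step(name: str) -> None:
        gen = pending.get(name)
        if gen is None:
            return
        try:
            next(gen)
        except StopIteration:
            pending[name] = None

    for name in schedule:
        step(name)
    while any(gen is not None for gen in pending.values()):
        for name in list(pending):
            step(name)


def simulate(locked: bool, schedule: Tuple[str, ...] = ("A", "B") * 8,
             start: int = 100, amount: int = 80) -> Tuple[int, int]:
    """Two withdrawals of `amount` from one account; returns (final balance, total withdrawn)."""
    acct, lock = Account(start), Lock()
    if locked:
        threads = {n: withdraw_locked(acct, amount, lock, n) for n in ("A", "B")}
    else:
        threads = {n: withdraw_unlocked(acct, amount) for n in ("A", "B")}
    run(list(schedule), threads)
    return acct.balance, acct.withdrawn


if __name__ == "__main__":
    print("unlocked, interleaved :", simulate(False))   # pays out 160 from a 100 balance
    print("unlocked, sequential  :", simulate(False, ("A",) * 4 + ("B",) * 4))
    print("locked,   interleaved :", simulate(True))
```

The interleaved unlocked run is exactly the TOCTOU shape: both threads check against the same stale balance, and the second write silently overwrites the first. Real races are only harder to reproduce, not different in kind, which is why the fix is to make the check and the act one atomic step rather than to shrink the window between them.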
RADIUS
Remote Authentication Dial-In User Service. An authentication service that provides central authentication (plus authorization and accounting) for remote access clients; the network access server forwards the user's credentials to the RADIUS server over UDP. Alternatives are TACACS+ and Diameter.
Diameter vs Radius
Diameter was designed as the successor to RADIUS and many organizations have switched to it for its extra capabilities. It is not backward compatible with RADIUS: it runs over TCP or SCTP instead of UDP and adds several commands beyond RADIUS's, including new commands for carrying EAP.
TACACS+ vs RADIUS
Terminal Access Controller Access-Control System Plus (TACACS+) is an alternative to RADIUS. It provides two important security benefits over RADIUS. First, it encrypts the entire body of every packet, whereas RADIUS obscures only the password attribute (an MD5-based XOR with the shared secret) and sends the rest, including the username, in the clear. Second, TACACS+ uses multiple challenges and responses between the client and the server. TACACS+ also runs over TCP (port 49) and separates authentication, authorization, and accounting, which is why it is preferred for network device administration.
What does Windows use for authentication?
As a reminder, Microsoft Active Directory uses Kerberos for authentication.
802.1X
port-based authentication protocol. It requires users or devices to authenticate when they connect to a specific wireless access point, or a specific physical port, and it can be implemented in both wireless and wired networks. It secures the authentication process prior to a client gaining access to a network and blocks network access if the client cannot authenticate.
RADIUS is typically the authentication server in an 802.1X deployment: the access point or switch (the authenticator) relays the supplicant's EAP messages to the RADIUS server, which decides whether the port is opened.
pass the hash
A password attack that captures and uses the hash of a password. It attempts to log on as the user with the hash and is commonly associated with the Microsoft NTLM protocol.
NTLM
NTLM—New Technology LAN Manager. A suite of challenge-response authentication protocols used within Windows systems (Active Directory prefers Kerberos and falls back to NTLM); with session signing and sealing it can also provide integrity and confidentiality. Versions include NTLM, NTLMv2, and NTLM2 Session. Because the challenge response is computed directly from the password hash, NTLM is the protocol most exposed to pass-the-hash.
Golden Ticket Attack
Gives an attacker total and complete access to your entire domain. Golden Tickets are forged Ticket-Granting Tickets (TGTs), also called authentication tickets. Forging one requires the password hash of the domain's KRBTGT account, obtained after compromising a domain controller; with it the attacker can mint a TGT for any user with any group membership and lifetime, and the tickets remain valid until the KRBTGT password has been changed twice.
What ports does DNS use and for what?
DNS uses TCP port 53 for zone transfers and UDP port 53 for DNS client queries. TCP 53 is also used for any query whose response does not fit in one UDP datagram (the server sets the truncated flag and the client retries over TCP), so blocking TCP 53 outright breaks more than zone transfers.
BIND (what is it used for?)
Most DNS servers on the Internet run Berkeley Internet Name Domain (BIND) software and run on Unix or Linux servers.
SMB
The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network.
DSA
DSA—Digital Signature Algorithm. A public-key signature algorithm (FIPS 186): the sender hashes the message and uses the private key to produce a signature over the hash, which anyone holding the public key can verify. It provides authentication, non-repudiation, and integrity. Describing a signature as "the hash encrypted with the private key" is a mental model that fits RSA; DSA is not an encryption algorithm and is used only for signing.
RSA
RSA is a popular asymmetric algorithm. Many cryptographic protocols use RSA to secure data such as email and data transmitted over the Internet. RSA derives the public and private keys from two large prime numbers; its security rests on the difficulty of factoring their product.
S/MIME
Secure/Multipurpose Internet Mail Extensions (S/MIME) is one of the most popular standards used to digitally sign and encrypt email. Most email applications that support encryption and digital signatures use S/MIME standards. S/MIME typically uses RSA for asymmetric encryption and signing and AES for symmetric encryption of the message body; each user needs an X.509 certificate.
DEP
Data Execution Prevention (DEP) is a security feature that prevents code from executing in memory regions marked as non-executable, such as the stack and heap, using the CPU's NX/XD bit. Its purpose is to stop exploits that inject code into a data region (for example shellcode delivered through a buffer overflow) and then jump to it. Attackers respond with return-oriented programming, which reuses code that is already executable, so DEP is paired with ASLR rather than relied on alone.
certificate chaining
A process that combines all certificates within a trust model. It includes all the certificates in the trust chain from the root CA down to the certificate issued to the end user.
Certificate stapling
Certificate stapling (OCSP stapling): the web server periodically fetches a timestamped, digitally signed OCSP response for its own certificate from the CA's OCSP responder and "staples" it to the certificate in the TLS handshake. The client gets fresh revocation status without contacting the CA itself, which is faster and avoids leaking browsing activity to the CA.
Public key pinning
Public key pinning: the server gives clients the hashes of the public keys (SPKI) it uses, and the client rejects any later certificate for that site whose key does not match one of the pins, even if a trusted CA signed it. Browser HPKP has been withdrawn because a bad or lost pin locks users out; pinning survives mainly in mobile apps and internal clients.
re-certification
Reviewing account access and group membership to validate its necessity.
rootkit
A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker’s activities on the host and permit the attacker to maintain root-level access to the host through covert means.
permanent agent
A permanent agent (sometimes called a persistent NAC agent) is installed on the client and stays on the client.
dissolvable agent
A dissolvable agent is downloaded and run on the client when the client logs on remotely. It collects the information it needs, identifies the client as healthy or not healthy, and reports the status back to the NAC system. Some dissolvable NAC agents remove themselves immediately after they report back to the NAC system. Others remove themselves after the remote session ends.
Tunnel mode (ipsec)
encrypts the entire IP packet used in the internal network, and is the mode used with VPNs transmitted over the Internet. The benefit is that the IP addressing used within the internal network is encrypted and not visible to anyone who intercepts the traffic.
Transport mode
Only encrypts the payload, leaving the original IP header visible, and is commonly used for host-to-host traffic within a private network. If traffic is transmitted and used only within a private network, there isn't any need to hide the IP addresses by encrypting them. (L2TP/IPsec VPNs also use transport mode, with L2TP supplying the tunnel.)
STARTTLS
A command used to upgrade an unencrypted connection to an encrypted (TLS) connection on the same port, e.g. SMTP submission on port 587 or IMAP on port 143. Because the session starts in plaintext, an on-path attacker can strip the STARTTLS capability advertisement and keep the session in the clear; clients should be configured to require TLS rather than merely attempt it.
AH (authentication header)
An option within IPsec to provide authentication, integrity, and anti-replay protection, but no confidentiality. AH authenticates the IP header as well, so it does not survive NAT; ESP is used far more often in practice.
ESP
Encapsulating Security Payload. An option within IPsec to provide confidentiality, integrity, and authentication.
stored procedure
A group of SQL statements that execute as a whole, similar to a mini-program stored in the database. Developers use stored procedures with parameters to prevent SQL injection attacks, because the arguments are passed as data rather than spliced into the query text. A stored procedure that builds dynamic SQL from its arguments (string concatenation plus EXEC) is still injectable, and a parameterized query gives the same protection without a stored procedure.
XSRF
A web application attack (cross-site request forgery, also CSRF). XSRF attacks trick a logged-in user's browser into sending a request the user never intended, such as making a purchase or changing an account email address. It works because the browser automatically attaches the site's cookies to any request to that site, regardless of which page originated it. Defences are per-request anti-forgery tokens and SameSite cookies.
XSS
A web application vulnerability (cross-site scripting). Attackers inject malicious HTML or JavaScript into a page, either stored in the site's data or reflected from a request parameter, and it executes in the browsers of users who visit the page with that site's cookies and privileges. The root cause is untrusted input rendered without output encoding.
transitive trust
An indirect trust relationship created by two or more direct trust relationships.
SAML
Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)-based data format used for SSO on web browsers; it can serve as a federated identity management system. It is used to exchange authentication and authorization information (assertions) between an identity provider and a service provider, and provides SSO for web-based applications.
shibboleth
Shibboleth is one of the federated identity solutions
It is open source and freely available, making it a more affordable solution than some of the commercially available federated identity solutions.
federated identity
A federation lets users in one security domain or company access resources in another using their home identity. It requires a federated identity management system that all members of the federation use; this provides central authentication in a nonhomogeneous environment and manages identities and access to resources across the different security domains and/or companies.
OAuth
An open standard for delegated authorization that many companies use to provide secure access to protected resources: a user grants an application limited access (a scope, carried in an access token) to their resources on another service without handing over their password. OAuth by itself is not an authentication protocol.
openID Connect
OpenID Connect works with OAuth 2.0 and allows clients to verify the identity of end users without managing their credentials. It adds an identity layer (a signed ID token) on top of OAuth 2.0, providing identification services without requiring the application to handle the credentials.
pointer dereference
A programming practice that uses a pointer to reference a memory area. Dereferencing an invalid pointer (null, already freed, or out of bounds) can corrupt memory or crash the application; a null-pointer dereference is a common denial-of-service bug in C and C++ code.
SPI
Sensitive Personal Information (SPI) refers to information that does not identify an individual, but is related to an individual, and communicates information that is private or could potentially harm an individual should it be made public.
refactoring
A driver manipulation method. Developers rewrite the code without changing the driver’s behavior.
shimming
A driver manipulation method. It uses additional code to modify the behavior of a driver.
RPO
Recovery point objective. A term that refers to the amount of data you can afford to lose by identifying a point in time where data loss is acceptable. It is often identified in a BIA.
pharming
A pharming attack is another type of attack that manipulates the DNS name resolution process. It either tries to corrupt the DNS server or the DNS client. Just as a DNS poisoning attack can redirect users to different web sites, a successful pharming attack redirects a user to a different web site.
RTO
Recovery time objective. The maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA.
MTTR
Mean time to recover. A metric that identifies the average time it takes to restore a failed system. Organizations that have maintenance contracts often specify the MTTR as a part of the contract.
fault tolerance
The capability of a system to suffer a fault, but continue to operate. Said another way, the system can tolerate the fault as if it never occurred.
SED
Self-encrypting drive. A drive that includes the hardware and software necessary to encrypt a hard drive. Users typically enter credentials to decrypt and use the drive.
hardware root of trust
A known secure starting point. TPMs have a private key burned into the hardware that provides a hardware root of trust.