Security Threat Landscape Flashcards
Has the potential to cause harm to an IT Asset…
Threat
A weakness that compromises the security or functionality of a system…
Vulnerability
Uses a weakness to compromise the security or functionality of a system…
Exploit
The likelihood of a successful attack…
Risk
Techniques to eliminate or reduce the potential of and seriousness of an attack…
Mitigation
Malicious software including viruses, trojan horses, worms and ransomware…
Malware
Obtains information about the intended victim in an unassuming, unobtrusive way, such as searching WHOIS, phone directories, etc…
Reconnaissance
The use of user deception to manipulate individuals into divulging confidential or personal information…
Social Engineering
A Social Engineering attack where the attacker pretends to be from a reputable company to get individuals to reveal personal information, such as passwords and credit card numbers…
Phishing
An attack where data leaves an organization without authorization…
Data Exfiltration
This type of attack prevents legitimate users from accessing an IT resource, typically in brute-force fashion…
DoS (Denial of Service)
A specific type of DoS attack where an attacker only sends SYNs and receives SYN-ACKs but never sends back an ACK…
TCP SYN Flood Attack
A DoS but from multiple sources…
DDoS (Distributed Denial of Service)
This is an army of infected zombie hosts…
Botnet
This attack is where an attacker fakes their identity …
Spoofing
A type of DoS attack where the attacker spoofs the victim’s source address…
Reflection and Amplification Attack
With this attack, the attacker inserts themselves into the communication path between legitimate hosts…
Man in the Middle
An attack where an attacker who has connectivity to a login window attempts to gain access to the system behind it…
Password Attack
An Attacker sends malformed and/or too much data to the target system…
Buffer Overflow Attack
An attack where an attacker has compromised a target system or inserted themselves into the network path; packet sniffers such as Wireshark can then be used to read the sent and received packets…
Packet Sniffer
What do IDSs and IPSs use to inspect packets?
Signatures
Up to what layer can IDSs and IPSs inspect packets?
Layer 7
In regard to the traffic flow, what does an IDS do?
Sits alongside the traffic flow
In regard to the traffic flow, what does an IPS do?
Sits inline with the traffic flow
What is one of the chief differences between an IPS and an IDS?
- An IPS blocks attacks and notifies admins about those attacks
- An IDS inspects the traffic and notifies the administrator about potential concerns
What do firewalls block or permit traffic based on?
Rules not signatures
Do modern firewalls have IPS capability?
Yes
What is the benefit of clustered devices when it comes to firewalls, IPS or IDS systems?
Clustering allows more throughput, traffic to be load balanced, added redundancy, etc.
What is a network segment that is isolated from both the internal, trusted network and the external, untrusted network, typically by one or more firewalls? It is used to host servers or services that need to be accessible from the internet while keeping the internal network secure.
DMZ (Demilitarized Zone)
Firewalls secure traffic passing through them by either ___________ or _________ it
Permitting or Denying
These types of firewalls maintain a connection table which tracks the two-way state of traffic passing through the firewall
Stateful Firewalls
What type of traffic is permitted by default on Stateful Firewalls?
Return traffic
How do stateful firewalls keep track of traffic and whether it’s permitted or denied?
The Firewall Connection Table
Up to what layer do old-school firewalls inspect traffic?
Layer 4 Port and Protocol
Up to what layer do next-gen firewalls inspect traffic?
Layer 7. All the way up to the application layer.
What is another name for an Access Control List?
A Packet Filter
Do ACLs maintain a Connection Table?
No
In how many directions does an ACL affect traffic?
One way
What does appending an ACE with the keyword ‘established’ actually do?
Checks for the ACK flag in return traffic
Does the ‘established’ keyword make the ACL stateful in any way?
No
If you have an ACL applied affecting outbound traffic only, with no other ACL in place, what will happen to return traffic?
It will be allowed because there is no ACL in place denying it.
True or False: On next-gen firewalls, different permissions can be applied for different users
True
_______________ transforms readable messages into an unintelligible form and later reverses the process
Cryptography
What service(s) does cryptography provide to data?
Authenticity (Proof of Source)
Confidentiality (Privacy & Secrecy)
Integrity (Data not changed during transit)
Non-Repudiation (Non-Deniability)
What is the chief characteristic of symmetric encryption?
The same shared key both encrypts and decrypts the data (similar to a password)
With symmetric encryption, is the shared key known by both sender and receiver or just the sender?
Both sender and receiver
What types of transmission is symmetric encryption used for?
Large transmissions such as email, secure web traffic, IPsec for VPN tunnels, etc.
What four algorithms are used for symmetric encryption?
DES, 3DES, AES and SEAL
DES and 3DES are considered legacy, though
__________________ uses Private and Public Key Pairs
Asymmetric Encryption
What is the chief characteristic of Asymmetric Encryption?
Data encrypted with the public key can only be decrypted with the private key, and vice versa
With Asymmetric Encryption, can data encrypted with the public key be decrypted with the public key?
No, it can only be decrypted with the private key
What are the algorithms for Asymmetric Encryption?
RSA and ECDSA
What are the algorithms used with HMAC?
MD5 and SHA
What does HMAC stand for?
Hash-Based Message Authentication Code
What is HMAC used for?
Large transmissions such as email, secure web traffic and IPsec
What do you need to combine with HMAC to make sure the data is encrypted?
A symmetric key
HMAC is used primarily for what?
Integrity to make sure data hasn’t been altered in transmission
This uses a trusted introducer (the Certificate Authority) for the two parties who need secure communication
PKI (Public Key Infrastructure)
Scenario:
You’re purchasing something online and need encrypted transmission… does your computer know the shared key, and if so, how does it get it?
Yes, it needs to know the shared key and gets it from the site, which uses a trusted certificate authority
What is the chief characteristic of a certificate authority?
It establishes trust between two parties on the internet
What does SSL stand for?
Secure Sockets Layer
Which is a better security protocol to use… SSL or TLS?
TLS because SSL has been deprecated
What does TLS stand for?
Transport Layer Security
Site-to-Site VPNs use what kind of encryption algorithm?
Symmetric encryption algorithms such as DES, 3DES and AES
Where do Site-to-Site VPNs typically terminate?
On a firewall or router on both sides
Each VPN tunnel in a network should have its own what?
Unique Pre-Shared Key
What security encryption standard is typically used for Site-to-Site VPNs?
IPsec
This is a framework of open standards that provides secure encrypted communication on an IP network
IPsec
Inside IPsec, what handles negotiation of protocols and algorithms and generates the encryption and authentication keys?
IKE (Internet Key Exchange)
This provides and defines the procedures for authenticating and communicating peer creation and management of Security
ISAKMP (Internet Security Association and Key Management Protocol)
What two options for authentication protocols can you use when implementing IPsec?
AH (Authentication Header)
ESP (Encapsulating Security Payload)
Which authentication protocol is more commonly used, AH or ESP, and why?
ESP, because confidentiality is missing from Authentication Header, and confidentiality is what encrypts the data
What two encapsulation modes are associated with ESP (Encapsulating Security Payload)?
Tunnel Mode
Transport Mode
This encapsulation mode protects the internal routing information by encrypting the IP header of the original packet. The original packet is encapsulated by another set of IP headers. It is widely implemented in Site-to-Site VPN scenarios
ESP Tunnel Mode
This IPsec encapsulation mode encrypts only the payload and ESP trailer, so the IP header of the original packet is not encrypted
ESP Transport Mode
What IPsec encapsulation mode is typically implemented for Remote Access VPN?
ESP Transport Mode
When would transport mode be used with IPsec?
When another tunneling protocol is being used, such as GRE or L2TP (Layer 2 Tunneling Protocol), because those do not provide encryption
What are the four phases of IPsec VPN implementation?
- Interesting Traffic
- ISAKMP / IKE Phase 1
- ISAKMP / IKE Phase 2
- Data Transfer
What phase of IPsec configuration is this?
The VPN devices (the two routers) negotiate an IKE security policy, authenticate each other and establish a secure channel. This deals with initial authentication and initial setup of the tunnel
Phase 1
What phase of IPsec configuration is this?
The VPN devices negotiate an IPsec security policy to protect IPsec data, i.e. the settings and algorithms that are going to be used for the encryption of the actual data
Phase 2
What are a couple of solutions to prevent malware?
Anti-malware software
An IPS
What are a few solutions to prevent things like malware, phishing and data exfiltration?
Cisco ESA (Email Security Appliance)
Cisco WSA (Web Security Appliance)
Staff policies and education
How does an IPS detect DDoS attacks?
Through anomaly-based inspection of traffic
Can geographic dispersion of an organization’s services help mitigate a DDoS attack?
Yes
What does uRPF stand for, and what is it used to guard against?
Unicast Reverse Path Forwarding
Used to guard against spoofed IP addresses
Traffic should be _____________ and _____________ if it passes over an untrusted network
Authenticated and encrypted
What can guard against password attacks?
MFA
Staff Education
Strong Password Policies
What are several ways to prevent Man in the Middle Attacks?
Dynamic ARP Inspection
What type of device can defend against deeper reconnaissance that uses port and vulnerability scanners?
An IPS
What does Cisco ESA stand for?
Email Security Appliance
What does Cisco WSA stand for?
Web Security Appliance