Server and Network Security Flashcards
premises access
- fencing
- bollard posts (protect buildings from vehicles)
- lighting
- locked gates
- security guards
- guard dogs
- limited access to areas of a facility
- motion-sensing security systems
- security cameras
- key codes/card readers
mantraps
- vestibule where 2nd inner door opens only after 1st outer door has closed
- only space for 1 person between doors
internal security controls
- clean desk policy
- locking up sensitive documents
card-based access
- RFID cards to control access
- less secure than smartcards (chip cards, as used for payment); RFID/proximity cards can often be read and cloned at a distance
human security element
- strict hiring/background check policies
- segregation of duties
- user awareness/training
authentication
- prove identity of users/devices/services/applications
- username/password
- PKI
- successful authentication required before access is granted
identity federation
- trust relationship between an identity provider (IdP) and the applications/service providers that rely on it
- provides a single centralized identity store, which can be replicated to multiple servers
- security tokens issued by the trusted IdP
- tokens contain claims
- enables SSO
- Microsoft Active Directory Federation Services (ADFS)
- Shibboleth (open source, SAML-based)
claims (security tokens)
- assertions about user/device
- different apps consume different claims
- provide different scopes of access depending on claim values
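Added example (not from the original flashcards): a minimal claims-based token exchange in Python. The issuer URL, HMAC signing key and the payroll application's scope mapping are constructed for illustration; real federation products (ADFS, Shibboleth) sign tokens with the IdP's private key and relying parties verify with its published certificate, but the trust checks are the same: trusted issuer, valid signature, not expired, then map claim values to the scope this particular application grants.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: an HMAC key stands in for the IdP's signing key. Real
# federation (ADFS/SAML, OpenID Connect) signs tokens with the IdP's private
# key and relying parties verify with its published certificate.
TRUSTED_ISSUERS = {"https://idp.example.com": b"example-idp-signing-key"}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, subject, claims, ttl=300, now=None):
    """Identity provider side: bundle claims about the subject and sign them."""
    now = int(time.time()) if now is None else now
    payload = {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl, "claims": claims}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(TRUSTED_ISSUERS[issuer], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_token(token, now=None):
    """Relying party side: accept only tokens from a trusted issuer, with a valid
    signature, that have not expired. Returns the decoded payload."""
    now = int(time.time()) if now is None else now
    body, sig = token.split(".", 1)
    payload = json.loads(_unb64(body))
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("signature check failed")
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def payroll_scope(claims):
    """One application's mapping from claim values to its own scope of access."""
    if claims.get("role") == "finance-admin":
        return "read-write"
    if claims.get("department") == "finance":
        return "read"
    return "none"


def tamper(token, **changes):
    """Change claims in an issued token without re-signing (what an attacker would try)."""
    body, sig = token.split(".", 1)
    payload = json.loads(_unb64(body))
    payload["claims"].update(changes)
    return _b64(json.dumps(payload, sort_keys=True).encode()) + "." + sig
```

The relying party never consults the identity store directly; it trusts the token because it trusts the issuer's key, which is what makes SSO across separately administered applications possible. A token with edited claims fails the signature check, and an expired token is rejected even though its signature is still valid.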
configuring authentication between on-premises/cloud environments
- identity federation
- replicating on-premises directory services to a cloud-based directory service
something you know
- secrets held in the user's head
- passwords/passphrases (with a username)
- security questions
- on its own, single-factor authentication
- enforced through password policies (length, complexity, history, lockout)
something you have
- physical possession of a security device
- smartcard/hardware token/MFA application on a phone
- PKI certificate together with its private key
- combined with a factor of a different type = multi-factor authentication
OTP
- one-time password
- never reused (each code is valid once)
- used for a single authentication session/short time window
something you are
- biometric authentication
- existing systems (e.g. AD) can be extended to accept biometric authentication
logical access control
- mechanisms that secure authentication/authorization for the use of network resources
- smart cards
- adding users to web app roles to control app access
- managing permissions per individual user is difficult at scale
- auditing at the group/role level rather than per individual user reduces information overload
security groups
- create group following organization standards
- grant resource permissions to group
- add members to group
- Microsoft AD users must log off/back on to pick up group membership changes (membership is stamped into the logon token/Kerberos ticket)
- groups are managed statically
distribution groups
- designed for use by email systems
- can’t be assigned permissions
DAC
- Windows Server Dynamic Access Control (not to be confused with discretionary access control)
- built into OS
- examines user/device AD attributes to determine access level
- can be used with/without groups
- user/device attributes must be completed in AD
RBAC
- role-based access control
- assign resource permissions to role
- assign role occupant(s)
- can target individual
rights vs permissions
- rights (user rights/privileges) govern system-wide actions such as logging on locally, backing up files or shutting down; a right is simply held or not held
- permissions are attached to objects (files, folders, shares, AD objects) and allow degrees of access (read, modify, full control)
- grant the minimum of either: principle of least privilege
Windows NTFS permissions (and related NTFS features)
- local file/folder permissions
- file/folder encryption using encrypting file system (EFS)
- file system auditing (configured in the object's SACL)
- file system journaling (quicker disk recovery/repair after a crash)
- data deduplication
- disk space quotas
- permissions are inherited from the parent folder by default; inheritance can be disabled
- permissions can be pushed down to subordinate files/folders (replace child object permissions)
- stored in each object's DACL
levels of Windows NTFS permissions
- full control
- modify (read and execute + write + delete)
- read and execute
- list folder contents (applies only to folders)
- read
- write (create files/change contents; doesn't include delete)
- special permissions
DACL
- discretionary access control list
- list of allow/deny access control entries on an object, set at the discretion of the object's owner or an administrator
Windows shared folder permissions
- only folders can be shared over network (not individual files)
- share permissions
Windows shared folder permission levels
- full control
- change
- read
applying NTFS with share permissions
- within each set, allows from all of a user's groups accumulate and an explicit deny overrides an allow
- for access over the network, the most restrictive of the combined NTFS result and the combined share result applies
- share permissions don't apply to local/console access (only NTFS permissions do)
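Added worked example (not from the original flashcards): computing a user's effective access when NTFS and share permissions overlap. The permission levels are modeled as sets of simplified rights (R read/list, W write, X execute/traverse, D delete, P change permissions) and the users, groups and ACEs are constructed for illustration; the combination rules are the ones Windows applies: allows accumulate, deny wins inside each set, and the network result is the intersection of the two sets.

```python
# Simplified rights behind the basic permission levels (constructed model, not
# the full NTFS special-permission matrix):
#   R = read data / list folder, W = write data, X = execute / traverse,
#   D = delete, P = change permissions / take ownership
NTFS_LEVELS = {
    "full control": {"R", "W", "X", "D", "P"},
    "modify": {"R", "W", "X", "D"},
    "read and execute": {"R", "X"},
    "list folder contents": {"R", "X"},   # folders only
    "read": {"R"},
    "write": {"W"},                       # no D: write alone does not let you delete
}
SHARE_LEVELS = {
    "full control": {"R", "W", "X", "D", "P"},
    "change": {"R", "W", "X", "D"},
    "read": {"R", "X"},
}


def combine_aces(aces, levels, principals):
    """ACEs are (principal, 'allow' | 'deny', level). Allows from every matching
    principal accumulate; any matching deny removes those rights afterwards."""
    allowed, denied = set(), set()
    for principal, kind, level in aces:
        if principal not in principals:
            continue
        target = allowed if kind == "allow" else denied
        target |= levels[level]
    return allowed - denied


def effective_rights(user, groups, ntfs_aces, share_aces=None):
    """Rights `user` ends up with. Pass share_aces=None for local (console) access,
    where only NTFS applies; over the network the two sets are intersected."""
    principals = {user, "Everyone", *groups}
    ntfs = combine_aces(ntfs_aces, NTFS_LEVELS, principals)
    if share_aces is None:
        return ntfs
    share = combine_aces(share_aces, SHARE_LEVELS, principals)
    return ntfs & share        # most restrictive combination wins


# Constructed scenario: the Sales group may modify the folder, but bob
# specifically is denied write; the share is published read-only to Everyone.
NTFS_ACES = [("Sales", "allow", "modify"), ("bob", "deny", "write")]
SHARE_ACES = [("Everyone", "allow", "read")]
```

Note the two different answers for bob: at the console he can read, traverse and even delete (deny write removes only W), while over the share he is cut down to read and execute because the share grant is the narrower of the two.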
Linux file system permissions
- read (r), 4
- write (w), 2
- execute (x), 1
- on a file, write allows modifying its contents; deleting or renaming a file requires write (plus execute) on the parent directory, not on the file itself
how Linux permissions are applied
- 3 sets of 3 permission bits, applied respectively to
- owner of file
- group associated with file/directory
- everyone else
chmod Linux command example
- chmod 760 /projects
- 7 applies to file/directory owner
- 4 + 2 + 1 = 7 so owner has full permissions
- 6 applies to associated group
- 4 + 2 = 6 so group has read/write permissions
- 0 applies to everybody else (no permissions)
- the chmod -R option recursively applies the mode to a directory and everything under it
projectors
- don't store sensitive information
- physical security
- place on isolated/secure network
printers
- queued jobs could be retrieved by attackers
- change default passwords
- prefer HTTPS over HTTP for administrative access
- print server provides centralized management/security control
USB
- easy to infect with malware
- malicious ("USB Ninja"-style) cables that contain an implant
- smartphones
- tablets
- storage media
- disable USB ports for storage media
- user awareness/education
NAC
- network access control
- port-based access control (IEEE 802.1X)
- edge devices (switches/APs, the authenticators) should not make authentication decisions themselves; they forward authentication requests to a RADIUS server
RADIUS servers
- remote authentication dial-in user service
- edge devices (RADIUS clients/authenticators, e.g. switches, APs, VPN concentrators) forward authentication requests on behalf of supplicants
- RADIUS server decides authentication/authorization and answers with Access-Accept or Access-Reject
- install the RADIUS service (e.g. Windows NPS, FreeRADIUS) and configure a shared secret for each RADIUS client
- use WPA/WPA2 Enterprise (802.1X) on Wi-Fi access points
- based on UDP (1812 authentication, 1813 accounting; legacy 1645/1646)
- primarily for centralized authentication; only the User-Password attribute is obfuscated (MD5-based) and the rest of the packet is cleartext, so protect the shared secret and prefer RADIUS over TLS (RadSec) where supported
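Added example (not from the original flashcards): the RADIUS Access-Request/Access-Accept exchange at the byte level in Python, following RFC 2865. It builds the request a switch or AP would send, hides the User-Password attribute with the shared secret and request authenticator, recovers it the way the server does, and checks the response authenticator that proves a reply came from a holder of the shared secret. The shared secret, username, password and the fixed request authenticator are constructed for the example (real request authenticators are 16 random bytes).

```python
import hashlib
import hmac
import struct

USER_NAME, USER_PASSWORD = 1, 2            # RFC 2865 attribute types
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2       # packet codes


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), the first block with
    MD5(secret + request authenticator). Obfuscation, not real encryption."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password (what the RADIUS server does). The NUL padding
    means trailing NUL bytes in a password are not recoverable."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value       # type, length, value


def parse_attributes(data):
    attrs, i = [], 0
    while i < len(data):
        length = data[i + 1]
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs


def access_request(ident, request_auth, username, password, secret):
    """Packet the RADIUS client (switch/AP/VPN) sends: code, id, length,
    16-byte request authenticator, attributes. Only User-Password is hidden;
    User-Name and everything else travel in cleartext."""
    attrs = attribute(USER_NAME, username)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the only
    thing that ties an Access-Accept to a holder of the shared secret."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_accept(ident, request_auth, secret, attrs=b""):
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """Client-side check before trusting an Accept/Reject."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

Everything that protects this exchange rests on a single MD5-keyed shared secret, which is why a short or reused secret is the practical weakness of a RADIUS deployment and why RADIUS over TLS is preferred where the equipment supports it.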
TACACS/TACACS+
- terminal access controller access-control system (TACACS+ is the current, Cisco-originated version)
- separates authentication, authorization and accounting; designed to handle frequent per-command authorization requests within a session
- enhances security by encrypting the entire packet body (RADIUS only hides the password)
- based on TCP (port 49)
- normally used to administer network devices
VLANs
- each VLAN is a separate broadcast domain
- allows isolating network segments/subnets on shared switches
- router/layer 3 switch required to communicate between VLANs
MAC flooding attacks
- layer 2 switch attack (usually grouped with VLAN attacks)
- attacker sends frames with thousands of random source MACs to fill the switch's limited CAM/MAC address table
- once the table is full the switch can't learn new addresses and falls back to flooding unknown-unicast frames out every port in the VLAN (fails open like a hub)
- unicast traffic in that VLAN becomes visible to all devices in it
VLAN hopping
- VLAN attack
- switch spoofing: the attacker's port negotiates a trunk (e.g. via DTP) by pretending to be another switch
- a trunk link carries all VLANs
- traffic from every VLAN crosses the link and becomes visible to the attacker
mitigating VLAN attacks
- disable automatic trunk negotiation (DTP) and hard-set end-user ports as access ports
- enable port security
- allow only a specific/limited number of MAC addresses per port, and shut down or restrict the port on violation
- apply latest firmware updates
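Added example (not from the original flashcards): a constructed simulation in Python of why MAC flooding works and what port security does about it. The switch model keeps a capacity-limited CAM table and floods unknown destinations; with `max_macs_per_port` set it err-disables a port on the first extra address, the way a port-security violation in shutdown mode behaves. Port numbers, capacities and MAC addresses are made up; real switches also age out entries, which is not modeled here.

```python
import random


class Switch:
    """Toy learning switch with a limited MAC (CAM) table and optional port security."""

    def __init__(self, cam_capacity, max_macs_per_port=None):
        self.cam_capacity = cam_capacity
        self.max_macs = max_macs_per_port     # None = port security off
        self.cam = {}                         # mac -> port
        self.disabled = set()                 # err-disabled ports

    def receive(self, port, src_mac):
        """Process the source address of a frame arriving on `port`."""
        if port in self.disabled:
            return "dropped"
        if self.max_macs is not None:
            on_port = {m for m, p in self.cam.items() if p == port}
            if src_mac not in on_port and len(on_port) >= self.max_macs:
                self.disabled.add(port)       # violation: shut the port down
                return "violation"
        if src_mac in self.cam:
            self.cam[src_mac] = port
            return "refreshed"
        if len(self.cam) >= self.cam_capacity:
            return "table_full"               # cannot learn: traffic to this host will flood
        self.cam[src_mac] = port
        return "learned"

    def forward(self, dst_mac):
        """Port a frame for dst_mac goes to, or 'flood' (every port in the VLAN)."""
        return self.cam.get(dst_mac, "flood")


def flood_attack(switch, port, count, seed=1):
    """Attacker on `port` sends `count` frames with random source MACs
    (constructed: a seeded generator, so the run is repeatable)."""
    rng = random.Random(seed)
    results = []
    for _ in range(count):
        mac = "02:%02x:%02x:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(5))
        results.append(switch.receive(port, mac))
    return results


def without_port_security():
    """CAM fills up; the victim can no longer be learned, so its traffic floods."""
    sw = Switch(cam_capacity=1000)
    flood_attack(sw, port=3, count=2000)
    victim_learned = sw.receive(1, "00:11:22:33:44:55")
    return victim_learned, sw.forward("00:11:22:33:44:55")


def with_port_security(limit=2):
    """Port 3 is err-disabled after `limit` addresses; the victim learns normally."""
    sw = Switch(cam_capacity=1000, max_macs_per_port=limit)
    outcome = flood_attack(sw, port=3, count=2000)
    victim_learned = sw.receive(1, "00:11:22:33:44:55")
    return outcome.count("learned"), outcome[limit], 3 in sw.disabled, victim_learned, sw.forward("00:11:22:33:44:55")
```

The detail that matters operationally is the fail-open behaviour: nothing crashes, the switch keeps forwarding, and the only symptom is that unicast traffic for hosts the table cannot hold now reaches every port, including the attacker's.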
firewalls
- control inbound/outbound traffic
- block everything/create rules to allow necessary traffic
- hardware/software based
- hardware generally more stable/can handle more traffic
host-based firewall
- runs as software on a specific host
- Windows Defender Firewall (Windows firewall)
- Linux/UNIX: iptables/nftables or uncomplicated firewall (ufw) command line tools
- typically layer 4 (stateful) filtering
- some Windows services e.g. AD require multiple ports (work with groups of firewall rules)
layer 4 firewalls examine
- source IP address
- destination IP address
- source port
- destination port
- protocol type
Windows firewall
configured via GUI/PowerShell
Linux firewall
configured via iptables/nftables (or ufw as a simpler front end)
network-based firewalls
- routers/specialized appliances
- at least 2 network interfaces
- configured with NACLs to control inbound/outbound traffic
- placed where traffic that must be examined will flow into/out of the network (perimeter firewalls)
reverse proxy servers
- often deployed at the perimeter alongside a network-based firewall (not a packet filter itself; may add web application filtering)
- listens for incoming client connections
- terminates them and forwards the requests to an internal device e.g. a web server, so the internal host is never exposed directly
DPI
- deep packet inspection
- feature of many network-based (next-generation) firewalls
- distinct from stateful packet inspection, which tracks TCP/UDP sessions instead of treating each packet separately
- goes up to Layer 7: examines packet payloads (application protocols, content signatures)
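Added example (not from the original flashcards) covering both the layer 4 firewall entry above and the stateful-inspection point here: a Python packet filter that matches on the 5-tuple with first-match semantics and an implicit deny, and a stateful variant that remembers flows it allowed outbound so the replies can come back without a standing inbound rule. Addresses, ports and the rule set are constructed to illustrate a public web server at 10.0.0.5 and an internal client at 10.0.0.9.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" = arriving from the untrusted side, "out" = leaving


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR
    dst: str = "0.0.0.0/0"
    dport: tuple = (0, 65535)    # inclusive destination port range

    def matches(self, pkt):
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.dport[0] <= pkt.dport <= self.dport[1])


class Layer4Firewall:
    """Stateless filter: first matching rule wins, nothing matches -> deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class StatefulFirewall(Layer4Firewall):
    """Same rules, plus a connection table: a reply whose reversed 5-tuple
    matches a flow we let out is allowed without needing an inbound rule."""

    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()

    def decide(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "in" and reverse in self.flows:
            return "allow"
        action = super().decide(pkt)
        if action == "allow":
            self.flows.add(key)
        return action


# Constructed rule set: block everything, then open only what is needed.
RULES = [
    Rule("allow", direction="in", proto="tcp", dst="10.0.0.5/32", dport=(443, 443)),
    Rule("allow", direction="in", proto="tcp", src="10.0.0.0/8", dst="10.0.0.5/32", dport=(22, 22)),
    Rule("allow", direction="out", src="10.0.0.0/8"),
]
```

A stateless filter can only admit the web reply to 10.0.0.9 with a rule such as "allow in tcp sport 80", which any attacker can satisfy by sending from source port 80; the connection table is what lets the stateful version keep the inbound policy strict.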
SECaaS
- security as a service
- firewalls and other security controls offered by cloud providers
- Microsoft Azure: network security groups (NSGs) for layer 4 filtering, Azure Firewall as a managed firewall service
DDoS attacks
- distributed denial of service
- zombies/botnets (zombie nets)
- overwhelm servers with communication requests
- packet flooding
- standard firewalls not designed to mitigate
black hole traffic
- mitigation of DDoS attacks (black hole routing)
- upstream routers discard all traffic destined for the victim address
- still disrupts normal traffic to the victim; the goal is to keep the rest of the network up
security zones
- isolation
- firewalls control traffic from internet into public-facing network
- second firewall further controls traffic into/out of internal secured network
- make sure internal data is not replicated to public-facing network
screened subnets
- DMZ
- external public-facing network
- VPN appliances
- SMTP mail servers
- web servers
- FTP servers
- normally use a reverse proxy
PKI
- public key infrastructure
- hierarchy of digital certificates issued to users/devices/services
- encrypt/digitally sign sensitive email messages
- encrypt files
- authenticate to VPN
- secure web site over HTTPS
CA
- certificate authority
- top of PKI hierarchy
- can have subordinate (intermediate) CAs; registration authorities (RAs) verify requesters' identities but don't issue certificates
- issues PKI certificates
- root (top-level) CA should be kept offline (its compromise compromises every certificate in the hierarchy)
PKI certificates
- manually requested/issued
- automatically issued via group policy (auto-enrollment)
- X.509 certificate
- stored as a file (e.g. PEM/PFX) or on a smartcard/hardware token
PKI certificate contents
- serial number
- subject name (user email/FQDN of web site)
- public key (the mathematically related private key is held by the subject and is not in the certificate)
- certificate use (key usage/extended key usage: email or file encryption, code signing, server authentication)
- digital signature of CA/signature algorithm used
- validity period (not-before/not-after dates)
PKI certificate private key
- must be kept secret
- can be exported together with the certificate (e.g. PFX/PKCS#12 file), which must then be protected like a password
- ideally kept non-exportable in a device key store (OS key store, TPM or HSM)
SSL/TLS
- secure sockets layer (obsolete)
- transport layer security (newer/more secure)
- provide encryption/authentication over a network
- TLS version 1.3 = latest version
- don't use SSL 2.0/3.0 or TLS 1.0/1.1
- server requires a PKI certificate; client certificates are optional (mutual TLS)
configuring Windows/Linux TLS options
- Windows: SCHANNEL registry keys (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols) disable SSL 3.0/TLS 1.0 and enable TLS 1.2+
- Linux: TLS comes from OpenSSL (or GnuTLS/NSS); set the minimum version in openssl.cnf or per application (e.g. ssl_protocols in nginx)
IPSec
- internet protocol security
- defined as part of IPv6 (originally mandatory)
- works with IPv4
- VPNs
- doesn't require PKI certificates (preshared keys or Kerberos can be used instead)
- on Windows, applied as IPsec policies/connection security rules pushed to computers (e.g. via Group Policy)
IPSec authentication keys
- Kerberos
- certificates
- preshared keys
best authentication method for AD domain
Kerberos
weakest authentication method for AD domain
preshared key (a symmetric key shared by every party; compromise of any one of them exposes all)
IPSec tunnel mode
- normally used between 2 endpoint VPN devices
- encrypts the entire original IP packet (not just payload)
- adds a new IP header
- encapsulates packet
IPSec transport mode
- only encrypts packet payload
- protects the upper-layer payload regardless of transport protocol (TCP/UDP/ICMP); typically host-to-host
VPNs
- provides encrypted secured connection to private network over an unsecured network
- client-to-site
- site-to-site
- point-to-point tunneling protocol (PPTP): obsolete/insecure (MS-CHAPv2 weaknesses), avoid
- layer 2 tunneling protocol with IPSec (L2TP/IPSEC)
- SSL/TLS tunnel
client-to-site VPN
- require client VPN software configured to connect to a VPN appliance in screened subnet (or reachable by reverse proxy)
- user authenticates to VPN
- encrypted tunnel established
site-to-site VPN
- require VPN appliance at 2 different network sites
- point-to-point encrypted tunnel is established
configuring VPN connections
- L2TP/IPSec appliances require client software configured correctly (matching PSK or certificate)
- SSL VPNs use the standard HTTPS port (TCP 443), so they pass through most firewalls
HIDS
- host intrusion detection system
- detects suspicious activity related to a specific host
- looks for abnormalities
- can read traffic encrypted over the network (host decrypts)
NIDS
- network intrusion detection system
- standalone appliance
- monitors network activity
- security information and event management (SIEM) software provides centralized repository for logs/audit events/security device alerts
- switches must be configured with a SPAN/mirror port (or a network TAP used) to copy all packets to the port connected to the NIDS
IPSs
- intrusion prevention systems
- extend functionality of IDSs
- take steps to prevent further damage when malicious activity is detected
- HIPS/NIPS
server/OS hardening
- reduces attack surface
- centralized in data centers
- hardened OS images can be used as the template for creating new servers
- NIST SP 800-123
- HIDS/HIPS
- apply firmware updates to network appliances
- apply firmware updates to BIOS/UEFI RAID controllers
- set UEFI/BIOS boot password to prevent changing boot order
- enable CPU no-execute (NX bit/DEP) at BIOS level
- lock server chassis or rack case
- disable wake-on-LAN
- apply OS updates
- apply app software updates
- follow OS/app configuration best practices
- enable MFA
- keep AV solution updated
- configure host-based firewall (block unused ports)
- disable unused services/daemons
- disable unused accounts
- rename/disable default accounts
- enable auditing/logging related to IT workload
- follow principle of least privilege
- enable network encryption for as much traffic as possible
- encrypt data at rest
- plan for hardware failure
NX bit
- marks memory pages (stack, heap, data) as non-executable
- stops injected shellcode from running after a buffer overflow (doesn't stop return-oriented programming, which reuses existing code)
logging considerations
- copies of log entries should be forwarded to a different host so an attacker on the machine can't erase them
- Windows Event Log Forwarding
- Linux syslog forwarding (rsyslog/syslog-ng)
auditing specifics
- audit user logons (success and failure)
- group membership changes
- user file system activity
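Added example (not from the original flashcards) of what you do with the forwarded logs: Python detection logic that normalizes sshd syslog lines and Windows Security events (4625 failed logon; 4728/4732/4756 member added to a security group) into one stream, then flags repeated logon failures from a single source within a sliding window and any addition to a privileged group. The log lines and events are constructed samples, not real data, and the JSON shape is an assumed collector format, not the native Windows XML.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of forwarded logs: sshd lines as rsyslog would deliver
# them, and Windows Security events as JSON from an assumed collector.
SYSLOG_LINES = """\
Mar 13 10:01:02 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar 13 10:01:05 web01 sshd[2231]: Failed password for root from 203.0.113.9 port 51123 ssh2
Mar 13 10:01:09 web01 sshd[2240]: Failed password for root from 203.0.113.9 port 51124 ssh2
Mar 13 10:01:12 web01 sshd[2244]: Failed password for invalid user test from 203.0.113.9 port 51125 ssh2
Mar 13 10:01:15 web01 sshd[2250]: Failed password for root from 203.0.113.9 port 51126 ssh2
Mar 13 10:01:20 web01 sshd[2255]: Accepted publickey for deploy from 198.51.100.4 port 40110 ssh2
Mar 13 10:40:00 web01 sshd[2301]: Failed password for root from 198.51.100.4 port 40200 ssh2
""".splitlines()

WINDOWS_EVENTS = [
    '{"TimeCreated": "2024-03-13T10:05:00", "EventID": 4728, "SubjectUserName": "jsmith", "MemberName": "CN=bob,OU=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"}',
    '{"TimeCreated": "2024-03-13T10:06:00", "EventID": 4728, "SubjectUserName": "jsmith", "MemberName": "CN=carol,OU=Users,DC=corp,DC=example", "TargetUserName": "Sales"}',
    '{"TimeCreated": "2024-03-13T10:07:00", "EventID": 4625, "TargetUserName": "bob", "IpAddress": "203.0.113.9"}',
]

SSH_FAIL = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                      r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # global / local / universal security group


def parse_syslog(line, year=2024):
    """syslog has no year; the collector has to supply it."""
    m = SSH_FAIL.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"kind": "logon_failure", "ts": ts, "user": m["user"], "src": m["ip"]}


def parse_windows(line):
    ev = json.loads(line)
    ts = datetime.fromisoformat(ev["TimeCreated"])
    if ev["EventID"] == 4625:
        return {"kind": "logon_failure", "ts": ts, "user": ev["TargetUserName"], "src": ev["IpAddress"]}
    if ev["EventID"] in GROUP_ADD_EVENTS:
        return {"kind": "group_add", "ts": ts, "actor": ev["SubjectUserName"],
                "member": ev["MemberName"], "group": ev["TargetUserName"]}
    return None


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window brute-force detection per source, plus privileged group adds."""
    alerts, fired = [], set()
    recent = defaultdict(list)              # src -> failure timestamps inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "logon_failure":
            q = recent[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.pop(0)
            if len(q) >= threshold and ev["src"] not in fired:
                fired.add(ev["src"])
                alerts.append({"type": "brute_force", "src": ev["src"], "count": len(q), "last": ev["ts"]})
        elif ev["kind"] == "group_add" and ev["group"] in PRIVILEGED_GROUPS:
            alerts.append({"type": "privileged_group_add", "actor": ev["actor"],
                           "member": ev["member"], "group": ev["group"]})
    return alerts


def run(syslog_lines=SYSLOG_LINES, windows_lines=WINDOWS_EVENTS):
    events = [e for e in map(parse_syslog, syslog_lines) if e]
    events += [e for e in map(parse_windows, windows_lines) if e]
    return detect(events)
```

Sorting the merged stream by timestamp is what makes cross-platform correlation possible; it also means clock sync (NTP) between forwarding hosts is a security control, not just an operational nicety.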
switch hardening
- disable unused ports
- ports shouldn’t allow numerous MAC addresses
- use SSH over Telnet
data in use
currently being processed
data in motion
transmitted over network
data at rest
stored on media
symmetric encryption
same key used to encrypt/decrypt
asymmetric encryption
- pair of keys used
- 1 key encrypts
- only the other key of the pair decrypts
- PKI uses such related public/private key pairs
DLP
- data loss prevention
- tools available to prevent sensitive data/IP from leaving organization
- labeling data to be handled in accordance with DLP policies
mobile devices
- centralized management
- logical partitioning/containerization
- tools to prevent sensitive data from being stored on removable media
- geofencing (limit where devices can be used)
encrypting data at rest
- several laws/regulations require encrypting data at rest
- HIPAA (healthcare)
- banking/financial regulations
- legal access/subpoena: be prepared to produce decrypted data or keys when lawfully required
Windows bitlocker
- Windows Pro/Enterprise/Education editions
- encrypts entire disk volumes/removable drives
- use group policy to require bitlocker on certain drives
- trusted platform module (TPM) can store keys/detect unauthorized system startup modifications
Windows EFS
- encrypting file system
- ties encrypted files/folders to specific users
- GUI control
- cipher.exe command line tool
- an EFS certificate is automatically generated the 1st time a user encrypts a file (self-signed if no enterprise CA is available)
- uses a bulk symmetric key, the file encryption key (FEK), to encrypt blocks of data; the FEK is stored with the file
- public key from the user's certificate encrypts the FEK
- private key decrypts the FEK, which then decrypts the blocks of data
- user certificate and private key must be backed up to a secure location
- EFS data recovery agents (DRAs) can be configured to grant administrators the ability to decrypt EFS-encrypted files
- a domain admin configured as DRA can decrypt files on any workstation joined to the domain
OpenSSL
- included in most Linux distros
- openssl enc can be used for file encryption; also the general toolkit for keys, certificates and TLS testing
tape encryption
- tapes still commonly used for backups
- should be encrypted
SAN-based tape backup security considerations
- which user account performs backups (root or admin)
- scripts are normally used before/after backup (are malicious scripts present)
- when encryption occurs (during/after backup)
- human element (reliable admins)
- reliability (offsite tape storage trustworthy)
disk scrubbing
- making it as difficult as possible to retrieve data previously stored on a disk
- writing useless random data to the disk in multiple passes
- zeroing out a disk writes a 0 byte to every storage location on the disk
- overwriting is reliable only for magnetic disks; SSDs/flash remap blocks (wear leveling), so use the drive's built-in secure/cryptographic erase instead (NIST SP 800-88)
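Added example (not from the original flashcards): a Python scrubber that does random passes followed by a final zeroing pass, syncing each pass to media before starting the next. It opens the target by path, so the same function works on a regular file or (run as root) on a block device such as /dev/sdb; the `demo` helper runs it against a temporary file with constructed contents. Block device path and contents are assumptions for illustration; the filesystem and SSD caveats from the card still apply, since journaling or copy-on-write filesystems and flash wear leveling can leave old copies this overwrite never touches.

```python
import os
import secrets
import tempfile


def _write_all(f, data):
    """Unbuffered writes may be partial; loop until everything is on its way."""
    while data:
        n = f.write(data)
        data = data[n:]


def scrub(path, passes=3, chunk_size=1 << 20):
    """Overwrite every byte at `path` (regular file, or a block device when run as
    root): passes-1 passes of random data, then a final pass of zeros so the
    end state is a plainly zeroed disk. Returns the number of bytes covered."""
    with open(path, "r+b", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)      # os.path.getsize() reports 0 for block devices
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                _write_all(f, secrets.token_bytes(n) if p < passes - 1 else bytes(n))
                remaining -= n
            os.fsync(f.fileno())           # force this pass to media before the next
    return size


def is_zeroed(path, chunk_size=1 << 20):
    """Verification read-back: every byte must be 0x00."""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk_size)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def demo(data=b"top secret payroll export\n" * 400):
    """Scrub a temporary file with constructed contents.
    Returns (zeroed_before, bytes_scrubbed, zeroed_after, size_after)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        before = is_zeroed(path)
        covered = scrub(path)
        return before, covered, is_zeroed(path), os.path.getsize(path)
    finally:
        os.unlink(path)
```

Always read the device back after scrubbing, as `is_zeroed` does: a pass that failed silently (write error, drive in read-only mode) looks identical to a successful one from the caller's side.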
physical destruction
- sort so that sensitive data disks are destroyed
- drill holes into platters of HDDs
- degaussing HDDs/tapes with a high-intensity magnetic field (magnetic media only; ineffective on SSDs)
- shredding with industrial shredder
remote wipe
- mobile device management (MDM) enable centralized management
- remotely wipe lost/stolen devices
- wipe can reset device to factory settings (full wipe)
- wipe only corporate apps/data (selective wipe)
VPN authentication tool that uses a changing numeric code synchronized with VPN appliance
- key fobs
- hardware/software tokens
IEEE standard that defines port level security
802.1X
in 802.1X, the end devices that request network access and whose credentials are checked via RADIUS are referred to as
supplicants (the switch/AP that is the actual RADIUS client is called the authenticator)
firewall can filter based on UDP/TCP port numbers
layer 4
firewall can filter based on contents of packet payload
layer 7