Server and Network Security Flashcards

1
Q

premises access

A
  • fencing
  • bollard posts (protect buildings from vehicles)
  • lighting
  • locked gates
  • security guards
  • guard dogs
  • limited access to areas of a facility
  • motion-sensing security systems
  • security cameras
  • key codes/card readers
2
Q

mantraps

A
  • vestibule with 2 interlocked doors: the inner door opens only after the outer door has closed
  • room for only 1 person between the doors (prevents tailgating/piggybacking)
3
Q

internal security controls

A
  • clean desk policy
  • locking up sensitive documents
4
Q

card-based access

A
  • RFID/proximity cards to control access
  • basic RFID cards present a static ID that can be read and cloned from a short distance
  • less secure than smartcards (chip cards such as EMV payment cards), which perform a cryptographic challenge/response
5
Q

human security element

A
  • strict hiring/background check policies
  • segregation of duties
  • user awareness/training
6
Q

authentication

A
  • prove identity of users/devices/services/applications
  • username/password
  • PKI certificates
  • successful authentication is required before access is granted (authorization happens afterwards)
7
Q

identity federation

A
  • trust relationship that lets one identity provider (IdP) vouch for users to many applications/organizations
  • single centralized identity store (can be replicated to multiple servers)
  • security tokens issued by the trusted identity provider
  • tokens contain claims
  • enables SSO
  • Microsoft Active Directory Federation Services (ADFS)
  • Shibboleth (open source, SAML-based)
8
Q

claims (security tokens)

A
  • assertions about a user/device made by the identity provider (e.g. name, e-mail, group membership, whether MFA was used)
  • different apps consume different claims from the same token
  • apps grant different scopes of access depending on claim values
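Cards 7 and 8 describe the token flow in words only. The following is an added example (not code from the original deck or from any named product): an identity provider signs a set of claims into a token, and two unrelated relying applications verify that token and consume different claims from it. The signing key, claim names and group names are assumptions made for the example; a real IdP would normally sign with an asymmetric key (SAML/JWT) rather than a shared HMAC secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example: an identity provider (IdP) issues a signed token carrying
# claims, and two unrelated applications consume different claims from the same
# token. The key, claim names and group names below are illustrative assumptions.
IDP_SIGNING_KEY = b"assumed-secret-shared-by-idp-and-relying-parties"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes, ttl_seconds: int = 3600,
                now: Optional[int] = None) -> str:
    """IdP side: add issue/expiry times to the claims and sign with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    payload = b64url(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64url(sig)


def verify_token(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Relying-party side: check the signature before trusting any claim, then expiry."""
    payload, _, sig_text = token.partition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_text)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(payload))
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def hr_app_scope(claims: dict) -> str:
    """HR application: only the group-membership claim matters to it."""
    groups = set(claims.get("groups", []))
    if "HR-Admins" in groups:
        return "read-write"
    if "Employees" in groups:
        return "read-own-record"
    return "none"


def vpn_scope(claims: dict) -> str:
    """VPN gateway: ignores groups, consumes the MFA and device-compliance claims."""
    if claims.get("amr") == "mfa" and claims.get("device_compliant") is True:
        return "full-tunnel"
    return "denied"


if __name__ == "__main__":
    token = issue_token({"sub": "alice", "groups": ["Employees"], "amr": "mfa",
                         "device_compliant": True}, IDP_SIGNING_KEY, now=1_700_000_000)
    claims = verify_token(token, IDP_SIGNING_KEY, now=1_700_000_100)
    print(hr_app_scope(claims), vpn_scope(claims))
```

The order inside verify_token is the security-relevant part: the signature is checked with a constant-time compare before any claim is parsed, so a tampered or forged token never reaches the scope logic.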
9
Q

configuring authentication between on-premise/cloud environments

A
  • identity federation
  • replicate/synchronize the on-premises directory service to the cloud-based directory service (e.g. Azure AD Connect)
10
Q

something you know

A
  • secrets the user memorizes
  • usernames/passwords
  • security questions
  • on its own = single-factor authentication
  • governed by password policies (length, history, lockout)
11
Q

something you have

A
  • physical possession of a security device
  • smartcard/hardware token/MFA application on a phone
  • PKI certificate with the private key stored on the device/card
  • combined with another factor = multi-factor authentication
12
Q

OTP

A
  • one-time password
  • each code is valid once, so a captured code can’t be replayed
  • used for a single authentication session
  • time-based (TOTP) or counter-based (HOTP) codes from a token/app; codes sent by SMS/e-mail are the weakest delivery method
13
Q

something you are

A
  • biometric authentication (fingerprint, face, iris)
  • can expand existing systems to accept biometric authentication (e.g. AD logon via Windows Hello for Business)
14
Q

logical access control

A
  • mechanisms to secure authentication/authorization to use network resources
  • smart cards
  • adding users to web app roles to control app access
  • managing permissions per individual user is difficult at scale (use groups/roles)
  • auditing targeted users/groups rather than everything reduces information overload
15
Q

security groups

A
  • create group following organization naming standards
  • grant resource permissions to the group
  • add members to the group
  • Microsoft AD: group membership is placed in the logon token, so users must log off/back on to pick up changes
  • groups are managed statically (membership is a list, not a rule)
16
Q

distribution groups

A
  • designed for use by email systems
  • can’t be assigned permissions
17
Q

DAC

A
  • Windows Server Dynamic Access Control
  • built into the OS (Windows Server 2012 and later)
  • examines user/device AD attributes (claims) to determine access level
  • can be used with/without groups
  • user/device attributes must be populated in AD for the rules to work
18
Q

RBAC

A
  • role-based access control
  • assign resource permissions to a role
  • assign role occupant(s)
  • a role can also be assigned to an individual user
19
Q

rights vs permissions

A
  • rights (user rights/privileges) govern system-wide actions such as logging on locally or backing up files; each is simply granted or not
  • permissions govern access to objects (files, folders, registry keys) and allow degrees of access (read, write, modify...)
  • principle of least privilege: grant only what the task requires
20
Q

Windows NTFS permissions

A
  • local file/folder permissions
  • file/folder encryption using Encrypting File System (EFS)
  • file system auditing
  • file system journaling (quicker disk recovery/repair)
  • data deduplication
  • disk space quotas
  • inheritance from the parent folder can be disabled
  • permissions can be propagated to child files/folders
  • uses a DACL for access (and a SACL for auditing)
21
Q

levels of Windows NTFS permissions

A
  • Full Control
  • Modify (includes deletion)
  • Read & Execute
  • List Folder Contents (applies only to folders)
  • Read
  • Write (doesn’t include deletion)
  • Special permissions (individual basic rights)
22
Q

DACL

A
  • discretionary access control list
  • list of access control entries (ACEs) that allow/deny principals access to an object
  • "discretionary" because the object owner/administrator sets the permissions at their discretion
23
Q

Windows shared folder permissions

A
  • only folders can be shared over the network (not individual files)
  • share permissions apply only to access over the network, never to local logon
24
Q

Windows shared folder permission levels

A
  • full control
  • change
  • read
25
Q

applying NTFS with share permissions

A

  • NTFS permissions always apply (locally and over the network); share permissions apply only over the network
  • when both apply, the effective permission is the most restrictive of the two cumulative sets
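Cards 20 through 25 describe NTFS levels, the DACL, share levels and the "most restrictive wins" rule. The block below is an added example (not from the deck and not Windows code) that models those rules so the combinations can be checked: cumulative allows per group, any matching deny removing rights, and the network-effective result being the intersection of NTFS and share rights. The basic-right names, ACE precedence (a single "deny wins" rule), group names and users are simplifications and assumptions for the example; real NTFS has 14 basic rights and orders explicit/inherited entries.

```python
from typing import Iterable, List, Set, Tuple, Union

# Constructed example: effective permissions for users reaching a shared folder.
# Basic rights and precedence are simplified; the ACLs and principals are made up.
BASIC = {"read", "list", "read_attrs", "execute", "write", "append",
         "write_attrs", "delete", "change_perms", "take_ownership"}

NTFS_LEVELS = {
    "Read": {"read", "list", "read_attrs"},
    "Write": {"write", "append", "write_attrs"},
    "List folder contents": {"read", "list", "read_attrs", "execute"},  # folders only
    "Read & Execute": {"read", "list", "read_attrs", "execute"},
    "Modify": {"read", "list", "read_attrs", "execute", "write", "append",
               "write_attrs", "delete"},
    "Full Control": set(BASIC),
}
# Share levels map onto the same basic rights so the two can be intersected.
SHARE_LEVELS = {
    "Read": set(NTFS_LEVELS["Read & Execute"]),
    "Change": set(NTFS_LEVELS["Modify"]),
    "Full Control": set(BASIC),
}

Right = Union[str, Set[str]]
Ace = Tuple[str, str, Right]          # (principal, "Allow"|"Deny", level name or raw rights)


def expand(right: Right, table: dict) -> Set[str]:
    return set(right) if isinstance(right, set) else set(table[right])


def resolve(acl: Iterable[Ace], principals: Set[str], table: dict) -> Set[str]:
    """Union every Allow that matches the user or one of their groups, then strip
    every matching Deny (simplification: any deny wins over any allow)."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, action, right in acl:
        if principal not in principals:
            continue
        (allowed if action == "Allow" else denied).update(expand(right, table))
    return allowed - denied


def effective_ntfs(dacl: List[Ace], principals: Set[str]) -> Set[str]:
    return resolve(dacl, principals, NTFS_LEVELS)


def effective_share(share_acl: List[Ace], principals: Set[str]) -> Set[str]:
    return resolve(share_acl, principals, SHARE_LEVELS)


def effective_over_network(dacl: List[Ace], share_acl: List[Ace], principals: Set[str]) -> Set[str]:
    """Over SMB both lists apply: only rights granted by BOTH survive."""
    return effective_ntfs(dacl, principals) & effective_share(share_acl, principals)


def describe(rights: Set[str]) -> str:
    """Name the standard level that exactly matches a rights set, else 'Special'."""
    for name in ("Full Control", "Modify", "Read & Execute", "Read", "Write"):
        if NTFS_LEVELS[name] == rights:
            return name
    return "Special" if rights else "No access"


# Sample folder: NTFS DACL and two alternative share ACLs (constructed).
DACL: List[Ace] = [
    ("Domain Users", "Allow", "Read & Execute"),
    ("Finance", "Allow", "Modify"),
    ("Contractors", "Deny", {"delete"}),   # a "special" deny of one basic right
]
SHARE_CHANGE: List[Ace] = [("Everyone", "Allow", "Change")]
SHARE_READ: List[Ace] = [("Everyone", "Allow", "Read")]

BOB = {"bob", "Domain Users", "Finance", "Everyone"}
CAROL = {"carol", "Domain Users", "Finance", "Contractors", "Everyone"}
DAVE = {"dave", "Domain Users", "Everyone"}

if __name__ == "__main__":
    for name, who in (("bob", BOB), ("carol", CAROL), ("dave", DAVE)):
        print(name, "local:", describe(effective_ntfs(DACL, who)),
              "| share=Change:", describe(effective_over_network(DACL, SHARE_CHANGE, who)),
              "| share=Read:", describe(effective_over_network(DACL, SHARE_READ, who)))
```

With the share set to Read, bob drops from Modify to Read & Execute even though NTFS grants him Modify; with the share set to Change, dave still only gets Read & Execute because NTFS is the tighter list. Carol keeps write but loses delete because a Deny on any matching group removes that right.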

26
Q

Linux file system permissions

A
  • read (r), 4
  • write (w), 2
  • execute (x), 1
  • modifying a file’s content needs write (w) on the file
  • deleting/renaming a file needs write (w) and execute (x) on the directory, not on the file itself
27
Q

how Linux permissions are applied

A
  • 3 sets of 3 permission bits applied to
  • owner of file
  • group associated with file/directory
  • everyone else
  • only one set applies: owner is checked first, then group, then other (an owner with fewer bits than the group still gets only the owner bits)
28
Q

chmod Linux command example

A
  • chmod 760 /projects
  • 7 applies to file/directory owner
  • 4 + 2 + 1 = 7 so owner has full permissions
  • 6 applies to associated group
  • 4 + 2 = 6 so group has read/write permissions (no execute, so group members can’t traverse into the directory)
  • 0 applies to everybody else (no permissions)
  • chmod -R switch recursively applies permissions to a directory tree
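Cards 26 to 28 give the bit values and the chmod example but don’t show the two rules that trip people up: only one of the three triplets ever applies (owner first), and deleting a file is decided by the directory’s bits, not the file’s. The following is an added example (not code from the deck) that implements those kernel rules in pure Python and also applies a mode to a real temporary directory and reads it back. The uids, gids and modes are made up for the example; the sticky-bit handling follows the standard /tmp semantics.

```python
import os
import stat
import tempfile
from typing import Set

# Constructed example of Linux mode-bit evaluation. uids/gids and modes are made up.
BIT = {"r": 4, "w": 2, "x": 1}


def octal_to_symbolic(mode: int) -> str:
    """0o760 -> 'rwxrw----' (special bits such as setuid/sticky are ignored here)."""
    out = []
    for shift in (6, 3, 0):          # owner, group, other
        bits = (mode >> shift) & 0o7
        out.append("".join(ch if bits & val else "-" for ch, val in BIT.items()))
    return "".join(out)


def applicable_bits(mode: int, file_uid: int, file_gid: int, uid: int, gids: Set[int]) -> int:
    """The kernel picks exactly ONE triplet: owner match first, then group, then other."""
    if uid == file_uid:
        return (mode >> 6) & 0o7
    if file_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def can(mode: int, file_uid: int, file_gid: int, uid: int, gids: Set[int], want: str) -> bool:
    """want is 'r', 'w' or 'x'. root bypasses r/w; x still needs at least one x bit set."""
    if uid == 0:
        return True if want in "rw" else bool(mode & 0o111)
    return bool(applicable_bits(mode, file_uid, file_gid, uid, gids) & BIT[want])


def can_delete_entry(dir_mode: int, dir_uid: int, dir_gid: int,
                     file_uid: int, uid: int, gids: Set[int]) -> bool:
    """Unlinking needs w AND x on the directory; the file's own mode never matters.
    If the directory has the sticky bit (0o1000), only the file owner, the
    directory owner or root may unlink."""
    if uid == 0:
        return True
    if not (can(dir_mode, dir_uid, dir_gid, uid, gids, "w")
            and can(dir_mode, dir_uid, dir_gid, uid, gids, "x")):
        return False
    if dir_mode & 0o1000 and uid not in (file_uid, dir_uid):
        return False
    return True


def demo_chmod(mode: int) -> str:
    """Apply a mode to a fresh temp directory with the real chmod syscall and read it back."""
    path = tempfile.mkdtemp()
    try:
        os.chmod(path, mode)
        return octal_to_symbolic(stat.S_IMODE(os.stat(path).st_mode))
    finally:
        os.chmod(path, 0o700)   # make sure we can remove it again
        os.rmdir(path)


if __name__ == "__main__":
    # /projects owned by uid 1000, group 2000, mode 760 as on the card.
    alice, bob, eve = 1000, 1001, 1002
    print("chmod 760 ->", demo_chmod(0o760))
    print("bob (group member) read:", can(0o760, 1000, 2000, bob, {bob, 2000}, "r"),
          "traverse:", can(0o760, 1000, 2000, bob, {bob, 2000}, "x"))
    print("bob can delete his own file in /projects:",
          can_delete_entry(0o760, 1000, 2000, bob, bob, {bob, 2000}))
    print("eve read:", can(0o760, 1000, 2000, eve, {eve}, "r"))
```

The traversal result is the practical catch in the card’s own example: group members get rw- on /projects, but without x they cannot cd into it or unlink anything inside, even files they own.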
29
Q

projectors

A
  • doesn’t store sensitive information
  • physical security
  • place on isolated/secure network
30
Q

printers

A
  • queued/stored jobs could be retrieved by attackers
  • change default passwords
  • use HTTPS rather than HTTP for administrative access
  • print server provides centralized management/security control
31
Q

USB

A
  • easy to infect with malware
  • malicious "ninja" cables (e.g. USB Ninja) with a hidden implant that acts as a keyboard/HID device
  • smartphones
  • tablets
  • storage media
  • disable USB ports for storage media (device control policy)
  • user awareness/education
32
Q

NAC

A
  • network access control
  • port-based security (IEEE 802.1X)
  • edge devices (authenticators) don’t make the authentication decision themselves; they forward authentication requests to a RADIUS server
33
Q

RADIUS servers

A
  • Remote Authentication Dial-In User Service
  • edge devices (RADIUS clients/authenticators) forward authentication requests from supplicants
  • RADIUS server determines authentication/access
  • install software/configure a shared secret to turn a server into a RADIUS server
  • use WPA Enterprise/WPA2 Enterprise for WiFi routers
  • based on UDP (1812 authentication, 1813 accounting)
  • primarily for centralized authentication
  • only the User-Password attribute is hidden (MD5-based); the rest of the packet is cleartext, so protect it with IPsec or RadSec (RADIUS over TLS)
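Cards 33 and 34 contrast RADIUS with TACACS+ on encryption. The block below is an added example (not from the deck) that builds a RADIUS Access-Request the way RFC 2865 specifies it, so the difference is visible: only the User-Password attribute is hidden, by XOR with MD5(shared secret + previous block), while the User-Name and NAS address travel in the clear. The shared secret, request authenticator and attribute values are made up; a real client draws the 16-byte request authenticator from a CSPRNG.

```python
import hashlib
import struct

# Constructed example of RADIUS (RFC 2865) Access-Request building and the
# User-Password hiding from section 5.2. Secret, authenticator, names: made up.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to a 16-byte multiple, then XOR block i with MD5(secret + block i-1),
    where block -1 is the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS passwords are at most 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same keystream, XOR back, strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (including the 2-byte header), value."""
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_ip: str, request_auth: bytes) -> bytes:
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_user_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the client checks
    this on the reply to confirm it came from a holder of the shared secret."""
    length = 20 + len(attrs)
    return hashlib.md5(struct.pack(">BBH", code, identifier, length)
                       + request_auth + attrs + secret).digest()


if __name__ == "__main__":
    secret = b"assumed-shared-secret"
    request_auth = bytes(range(16))          # would be random in a real client
    packet = build_access_request(7, "alice", "s3cret!", secret, "10.0.0.1", request_auth)
    print(packet.hex())
    print("username visible:", b"alice" in packet, "| password visible:", b"s3cret!" in packet)
```

Everything except the password attribute is readable by anyone on the path, and the hiding itself is a keystream derived from MD5 of a static secret, which is why the card’s advice to wrap RADIUS in IPsec or RadSec matters; TACACS+ encrypts the whole body instead.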
34
Q

TACACS/TACACS+

A
  • Terminal Access Controller Access-Control System
  • designed to handle frequent authorization requests within a session (separates authentication, authorization and accounting)
  • enhances security by encrypting the entire packet body (RADIUS hides only the password)
  • based on TCP (port 49)
  • normally used to administer network devices
35
Q

VLANs

A
  • splits one switch into separate broadcast domains
  • allows isolating networks/subnets
  • router/layer 3 switch required to communicate between VLANs
36
Q

MAC flooding attacks

A
  • switch attack (usually grouped with VLAN attacks)
  • attacker sends frames with thousands of bogus source MACs to fill the switch’s limited-size MAC (CAM) table
  • once the table is full the switch can’t learn new/aged-out addresses and falls back to flooding unknown unicast frames like a hub
  • unicast traffic becomes visible to all devices in that VLAN (not to other VLANs)
37
Q

VLAN hopping

A
  • VLAN attack
  • switch spoofing: the attacker’s port pretends to be another switch and negotiates a trunk link (DTP)
  • a trunk carries all VLANs, so traffic from every VLAN passes through the link and becomes visible to the attacker
  • double tagging: a frame carrying two 802.1Q tags is forwarded into a VLAN the attacker isn’t a member of (one-way only)
38
Q

mitigating VLAN attacks

A
  • disable automatic trunk negotiation (DTP) and set user ports explicitly to access mode
  • enable strong port security
  • allow connections from a specific/limited number of MAC addresses per port
  • apply latest firmware updates
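Cards 36 to 38 describe MAC flooding and the port-security mitigation. The following is an added example (not from the deck) that simulates a learning switch with a bounded CAM table: without port security the attacker’s bogus addresses fill the table, a legitimate host’s aged-out entry can’t be relearned, and the switch floods that host’s traffic to every port in the VLAN (but never into the other VLAN); with a per-port MAC limit the attacker’s port is shut down after the first violation. Port names, VLAN layout, capacity and MAC addresses are all constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Optional, Set

# Constructed example: toy learning switch with a bounded MAC (CAM) table and
# optional port security. Ports, VLANs, capacities and addresses are made up.


class Switch:
    def __init__(self, port_vlan: Dict[str, int], cam_capacity: int,
                 max_macs_per_port: Optional[int] = None):
        self.port_vlan = port_vlan
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.cam: Dict[str, str] = {}                  # mac -> port
        self.port_macs: Dict[str, Set[str]] = defaultdict(set)
        self.err_disabled: Set[str] = set()

    def age_out(self, mac: str) -> None:
        """Entries expire after the aging timer (300 s on many switches)."""
        port = self.cam.pop(mac, None)
        if port is not None:
            self.port_macs[port].discard(mac)

    def receive(self, ingress: str, src: str, dst: str) -> Set[str]:
        """Return the set of egress ports the frame is sent out of."""
        if ingress in self.err_disabled:
            return set()
        vlan = self.port_vlan[ingress]
        # Port security: a new MAC beyond the per-port limit is a violation -> shut the port.
        if (self.max_macs_per_port is not None and src not in self.port_macs[ingress]
                and len(self.port_macs[ingress]) >= self.max_macs_per_port):
            self.err_disabled.add(ingress)
            return set()
        # Learn the source address only while the table has room.
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = ingress
            self.port_macs[ingress].add(src)
        # Known destination in the same VLAN -> unicast to that port only.
        out_port = self.cam.get(dst)
        if out_port is not None and self.port_vlan[out_port] == vlan:
            return {out_port} - {ingress}
        # Unknown unicast or broadcast -> flood, but only within the ingress VLAN.
        return {p for p, v in self.port_vlan.items()
                if v == vlan and p != ingress and p not in self.err_disabled}


PORTS = {"g1": 10, "g2": 10, "g3": 10, "g4": 10, "g5": 20, "g6": 20}
HOST_A, HOST_B = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"     # on g1 and g2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def bogus(i: int) -> str:
    return f"02:00:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"


def flood_scenario(max_macs_per_port: Optional[int] = None) -> dict:
    """Attacker on g3 floods bogus sources; then B's entry ages out and B speaks again."""
    sw = Switch(PORTS, cam_capacity=64, max_macs_per_port=max_macs_per_port)
    sw.receive("g1", HOST_A, HOST_B)
    sw.receive("g2", HOST_B, HOST_A)
    before = sw.receive("g1", HOST_A, HOST_B)          # both learned: unicast to g2
    for i in range(1000):
        sw.receive("g3", bogus(i), BROADCAST)         # the flood
    sw.age_out(HOST_B)
    sw.receive("g3", bogus(1000), BROADCAST)          # attacker keeps the table full
    sw.receive("g2", HOST_B, HOST_A)                  # can B be relearned?
    after = sw.receive("g1", HOST_A, HOST_B)
    return {"before": before, "after": after, "cam_entries": len(sw.cam),
            "err_disabled": sorted(sw.err_disabled)}


if __name__ == "__main__":
    print("no port security :", flood_scenario())
    print("max 2 MACs/port  :", flood_scenario(max_macs_per_port=2))
```

The flood never leaks into VLAN 20 (g5/g6), which is the correction to the common claim that MAC flooding exposes traffic across VLANs; what it does is turn one VLAN into a hub for the attacker on g3.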
39
Q

firewalls

A
  • control inbound/outbound traffic
  • block everything/create rules to allow necessary traffic
  • hardware/software based
  • hardware generally more stable/can handle more traffic
40
Q

host-based firewall

A
  • runs as software on a specific host
  • Windows Firewall
  • Linux/UNIX: iptables, nftables, uncomplicated firewall (ufw) command line tools
  • typically layer 4 firewalls
  • some Windows services (e.g. AD) require multiple ports (work with groups of firewall rules)
41
Q

layer 4 firewalls examine

A
  • source IP address
  • destination IP address
  • source port
  • destination port
  • protocol type
42
Q

Windows firewall

A

configured via GUI (wf.msc) or PowerShell (NetSecurity module, e.g. New-NetFirewallRule)

43
Q

Linux firewall

A

configured via the iptables command (legacy) or nftables; ufw is a simpler front end

44
Q

network-based firewalls

A
  • routers/specialized appliances
  • at least 2 network interfaces
  • configured with ACLs to control inbound/outbound traffic
  • placed where traffic that must be examined will flow into/out of the network (perimeter firewalls)
45
Q

reverse proxy servers

A
  • intermediary placed at the network edge (often in the screened subnet), sometimes bundled with network-based firewalls
  • listens for incoming traffic on behalf of internal servers
  • forwards it to an internal device, e.g. a web server, which is never exposed directly
46
Q

DPI

A
  • deep packet inspection
  • commonly bundled with network-based firewalls
  • distinct from stateful packet inspection, which tracks TCP sessions instead of treating each packet separately (still layer 4)
  • DPI goes up to layer 7: it inspects the application payload itself
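Cards 41 and 46 together describe what a layer-4 filter looks at and how stateful inspection differs from it. The block below is an added example (not from the deck and not any vendor’s code) implementing both: an ordered first-match, default-deny rule set over the 5-tuple, and a stateful variant that records flows it allowed so reply packets get in without an inbound rule. Neither looks at the payload, which is exactly the gap DPI fills. The addresses, rules and packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set, Tuple

# Constructed example: stateless vs stateful layer-4 filtering. Rules/packets are made up.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None = any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class StatelessFilter:
    """Layer-4 packet filter: first matching rule wins, implicit deny at the end."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules: List[Rule] = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


class StatefulFilter(StatelessFilter):
    """Same rules, but remembers allowed flows so their replies are let back in."""

    def __init__(self, rules: Iterable[Rule]):
        super().__init__(rules)
        self.flows: Set[Tuple[str, str, str, int, int]] = set()

    def decide(self, p: Packet) -> str:
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.flows:
            return "allow"                     # reply to a flow we previously allowed
        verdict = super().decide(p)
        if verdict == "allow":
            self.flows.add((p.src, p.dst, p.proto, p.sport, p.dport))
        return verdict


RULES = [
    Rule("deny", proto="tcp", src="10.0.0.0/24", dport=23),                       # no Telnet out
    Rule("allow", proto="tcp", src="10.0.0.0/24", dport=443),                     # HTTPS out
    Rule("allow", proto="udp", src="10.0.0.0/24", dst="10.0.0.53/32", dport=53),  # internal DNS
]
OUT = Packet("10.0.0.5", "93.184.216.34", "tcp", 51000, 443)
REPLY = Packet("93.184.216.34", "10.0.0.5", "tcp", 443, 51000)
TELNET = Packet("10.0.0.5", "93.184.216.34", "tcp", 51001, 23)
UNSOLICITED = Packet("198.51.100.9", "10.0.0.5", "tcp", 443, 51000)   # looks like a reply, isn't

if __name__ == "__main__":
    stateless, stateful = StatelessFilter(RULES), StatefulFilter(RULES)
    for name, fw in (("stateless", stateless), ("stateful", stateful)):
        print(name, [fw.decide(p) for p in (OUT, REPLY, UNSOLICITED, TELNET)])
```

The stateless filter must deny the HTTPS reply because no inbound rule matches it (an administrator would have to open inbound 443 from anywhere, which also admits the unsolicited packet); the stateful filter admits the genuine reply and still denies the unsolicited one because no outbound flow was ever recorded for it.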
47
Q

SECaaS

A
  • security as a service
  • firewalls in the cloud offered by cloud providers
  • Microsoft Azure uses network security groups (NSGs), layer-4 allow/deny rule sets applied to subnets/NICs
48
Q

DDoS attacks

A
  • distributed denial of service
  • zombies (bots)/botnets
  • overwhelm servers with communication requests
  • packet flooding
  • standard firewalls not designed to mitigate (they become a bottleneck themselves)
49
Q

black hole traffic

A
  • mitigation of DDoS attacks
  • discard traffic destined for victim machine
  • still disrupts normal traffic
50
Q

security zones

A
  • isolation
  • firewalls control traffic from internet into public-facing network
  • second firewall further controls traffic into/out of internal secured network
  • make sure internal data is not replicated to public-facing network
51
Q

screened subnets

A
  • DMZ
  • external public-facing network
  • VPN appliances
  • SMTP mail servers
  • web servers
  • FTP servers
  • normally use a reverse proxy
52
Q

PKI

A
  • public key infrastructure
  • hierarchy of digital certificates issued to users/devices/services
  • encrypt/digitally sign sensitive email messages
  • encrypt files
  • authenticate to VPN
  • secure web site over HTTPS
53
Q

CA

A
  • certificate authority
  • top of the PKI hierarchy
  • can have subordinate (issuing) CAs; a registration authority (RA) is different: it verifies requesters’ identities but issues nothing
  • issue PKI certificates
  • root (top-level) CA should be kept offline (its compromise compromises every certificate in the hierarchy)
54
Q

PKI certificates

A
  • manually requested/issued
  • automatically issued via Group Policy (autoenrollment)
  • X.509 certificate
  • can be a file or stored on a smartcard chip (not a magnetic stripe)
55
Q

PKI certificate contents

A
  • serial number
  • subject name (user e-mail/FQDN of web site; subject alternative names)
  • issuer name
  • the subject’s public key (the mathematically related private key is never in the certificate)
  • certificate use (email/file encryption/code signing)
  • digital signature of the CA/signature algorithm used
  • date of issuance/expiration date
56
Q

PKI certificate private key

A
  • must be kept secret
  • distributed alongside the certificate but never inside it
  • stored safely on the device in a protected key store (OS key store, TPM, smartcard, HSM)
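Cards 53 to 56 describe the CA hierarchy, certificate contents and the private key in words. The following is an added example (not from the deck and not a real X.509 implementation) of the chain-validation logic those cards imply: a root signs an intermediate, the intermediate signs a leaf, and a verifier walks from the leaf up to a configured trust anchor checking validity dates, CA status and each signature with the issuer’s public key. To keep the signing visible in a few lines it uses textbook RSA with ~20-bit primes and a truncated SHA-256, which is insecure and only a stand-in for real RSA/ECDSA; every name, serial, date and key is constructed. Note that the certificate dictionaries carry only the public key, matching card 56.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed example: toy PKI chain validation. Textbook RSA with tiny primes and a
# reduced SHA-256 digest is used ONLY to keep the chain logic readable; it is not secure.
E = 65537
Key = Tuple[int, int]            # (n, exponent)


def is_prime(n: int) -> bool:
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def make_keypair(seed_p: int, seed_q: int) -> Tuple[Key, Key]:
    """Deterministic toy key pair: (public, private)."""
    p, q = next_prime(seed_p), next_prime(seed_q)
    while True:
        try:
            d = pow(E, -1, (p - 1) * (q - 1))
            return (p * q, E), (p * q, d)
        except ValueError:              # E not invertible mod phi: pick the next q
            q = next_prime(q + 1)


def digest_mod(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, priv: Key) -> int:
    n, d = priv
    return pow(digest_mod(data, n), d, n)


def verify(data: bytes, signature: int, pub: Key) -> bool:
    n, e = pub
    return pow(signature, e, n) == digest_mod(data, n)


def tbs_bytes(tbs: dict) -> bytes:
    """Canonical 'to-be-signed' encoding (stands in for DER)."""
    return json.dumps(tbs, sort_keys=True).encode()


def issue_cert(subject: str, pub: Key, issuer: str, issuer_priv: Key, serial: int,
               not_before: int, not_after: int, is_ca: bool) -> dict:
    tbs = {"serial": serial, "subject": subject, "issuer": issuer, "public_key": list(pub),
           "not_before": not_before, "not_after": not_after, "is_ca": is_ca}
    return {"tbs": tbs, "signature": sign(tbs_bytes(tbs), issuer_priv)}


def validate_chain(leaf: dict, intermediates: List[dict], anchors: List[dict], now: int) -> Tuple[bool, str]:
    """Walk from the leaf to a trust anchor; every hop must be in date, a CA, and correctly signed."""
    by_name: Dict[str, dict] = {c["tbs"]["subject"]: c for c in list(intermediates) + list(anchors)}
    cert = leaf
    for _ in range(8):                                   # guard against issuer loops
        tbs = cert["tbs"]
        if not tbs["not_before"] <= now <= tbs["not_after"]:
            return False, f"{tbs['subject']}: outside validity period"
        if tbs["subject"] == tbs["issuer"] and not any(cert is a for a in anchors):
            return False, f"{tbs['subject']}: self-signed but not a trust anchor"
        issuer = by_name.get(tbs["issuer"])
        if issuer is None:
            return False, f"{tbs['subject']}: no certificate for issuer {tbs['issuer']}"
        if not issuer["tbs"]["is_ca"]:
            return False, f"{tbs['issuer']}: is not a CA"
        if not verify(tbs_bytes(tbs), cert["signature"], tuple(issuer["tbs"]["public_key"])):
            return False, f"{tbs['subject']}: signature does not verify with the {tbs['issuer']} key"
        if any(issuer is a for a in anchors):
            a = issuer["tbs"]
            if not a["not_before"] <= now <= a["not_after"]:
                return False, "trust anchor outside validity period"
            return True, "ok"
        cert = issuer
    return False, "chain too long"


def build_demo_pki() -> dict:
    """Offline root -> issuing CA -> web server leaf (all constructed)."""
    root_pub, root_priv = make_keypair(1_000_000, 2_000_000)
    int_pub, int_priv = make_keypair(3_000_000, 4_000_000)
    leaf_pub, leaf_priv = make_keypair(5_000_000, 6_000_000)
    root = issue_cert("Example Root CA", root_pub, "Example Root CA", root_priv, 1, 1_600_000_000, 2_000_000_000, True)
    inter = issue_cert("Example Issuing CA", int_pub, "Example Root CA", root_priv, 2, 1_650_000_000, 1_900_000_000, True)
    leaf = issue_cert("www.example.test", leaf_pub, "Example Issuing CA", int_priv, 3, 1_700_000_000, 1_760_000_000, False)
    return {"root": root, "inter": inter, "leaf": leaf, "leaf_priv": leaf_priv}


if __name__ == "__main__":
    pki = build_demo_pki()
    print(validate_chain(pki["leaf"], [pki["inter"]], [pki["root"]], now=1_720_000_000))
```

The root private key is used exactly once here, to sign the issuing CA, which is the operational reason the card gives for keeping the root offline: day-to-day issuance only needs the intermediate’s key.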
57
Q

SSL/TLS

A
  • Secure Sockets Layer (all versions obsolete)
  • Transport Layer Security (newer/more secure)
  • provide encryption/authentication over a network
  • TLS version 1.3 = latest version
  • don’t use SSL 2.0/3.0 or TLS 1.0/1.1 (deprecated by RFC 8996)
  • require a PKI certificate (server; optionally client)
58
Q

configuring Windows/Linux TLS options

A
  • Windows: SCHANNEL registry keys (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols) to disable SSL 3.0/old TLS and enable newer TLS
  • Linux: OpenSSL provides TLS; set MinProtocol in openssl.cnf plus per-application settings
59
Q

IPSec

A
  • Internet Protocol Security
  • built into IPv6 (originally mandatory, now optional)
  • works with IPv4
  • VPNs
  • doesn’t require PKI certificates (can use preshared keys or Kerberos)
  • Windows applies IPsec via policy settings (connection security rules)
60
Q

IPSec authentication keys

A
  • Kerberos
  • certificates
  • preshared keys
61
Q

best authentication method for AD domain

A

Kerberos

62
Q

weakest authentication method for AD domain

A

preshared key (symmetric key shared by all peers and stored in the policy)

63
Q

IPSec tunnel mode

A
  • normally used between 2 endpoint VPN devices
  • encrypts the entire original IP packet (not just payload)
  • adds a new IP header
  • encapsulates packet
64
Q

IPSec transport mode

A
  • only encrypts the packet payload; the original IP header stays in the clear
  • normally used host-to-host
  • communication protected regardless of the upper-layer protocol being used
65
Q

VPNs

A
  • provides an encrypted secured connection to a private network over an unsecured network
  • client-to-site
  • site-to-site
  • Point-to-Point Tunneling Protocol (PPTP): obsolete, weak crypto, don’t use
  • Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)
  • SSL/TLS tunnel
66
Q

client-to-site VPN

A
  • require client VPN software configured to connect to a VPN appliance in screened subnet (or reachable by reverse proxy)
  • user authenticates to VPN
  • encrypted tunnel established
67
Q

site-to-site VPN

A
  • require a VPN appliance at 2 different network sites
  • point-to-point encrypted tunnel is established
68
Q

configuring VPN connections

A
  • L2TP/IPsec appliance requires that the client software is configured correctly
  • SSL VPNs use the standard HTTPS port (TCP 443), so they pass most firewalls/proxies
69
Q

HIDS

A
  • host intrusion detection system
  • detects suspicious activity related to a specific host
  • looks for abnormalities
  • can read traffic encrypted over the network (host decrypts)
70
Q

NIDS

A
  • network intrusion detection system
  • standalone appliance
  • monitors network activity
  • security information and event management (SIEM) software provides a centralized repository for logs/audit events/security device alerts
  • switches must be configured to copy all packets to the port connected to the NIDS (SPAN/port mirroring), or a network TAP is used
  • can’t see inside encrypted traffic unless something decrypts it first
71
Q

IPSs

A
  • intrusion prevention systems
  • extend functionality of IDSs
  • take steps to prevent further damage when malicious activity is detected
  • HIPS/NIPS
72
Q

server/OS hardening

A
  • reduces attack surface
  • centralized in data centers
  • OSs images can be hardened for creating new servers
  • NIST SP 800-123
  • HIDS/HIPS
  • apply firmware updates to network appliances
  • apply firmware updates to BIOS/UEFI and RAID controllers
  • set UEFI/BIOS boot password to prevent changing the boot order
  • enable CPU no-execute (NX bit/DEP) at BIOS level
  • lock server chassis or rack case
  • disable wake-on-LAN
  • apply OS updates
  • apply app software updates
  • follow OS/app configuration best practices
  • enable MFA
  • keep AV solution updated
  • configure host-based firewall (block unused ports)
  • disable unused services/daemons
  • disable unused accounts
  • rename/disable default accounts
  • enable auditing/logging related to IT workload
  • follow principle of least privilege
  • enable network encryption for as much traffic as possible
  • encrypt data at rest
  • plan for hardware failure
73
Q

NX bit

A
  • marks memory pages (stack, heap) as non-executable; the CPU refuses to run code from them (DEP)
  • stops classic buffer overflow attacks that execute injected shellcode (not return-oriented programming, which reuses existing code)
74
Q

logging considerations

A
  • copies of log entries should be forwarded to a different host so an attacker on the box can’t erase them
  • Windows Event Forwarding (WEF)
  • Linux syslog forwarding (rsyslog/syslog-ng)
75
Q

auditing specifics

A
  • audit user logins
  • group membership changes
  • user file system activity
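Cards 69 and 70 (HIDS/SIEM), 74 (forwarded logs) and 75 (what to audit) list the events to watch without showing what a detection looks like. The block below is an added example (not from the deck and not SIEM vendor code) that runs three detections over forwarded log lines: a brute-force window on failed logons, a failed-then-successful logon from the same source, additions to a privileged group, and deletes of audited files. The Windows Security event IDs used (4624, 4625, 4663, 4728, 4732) are the real ones; the one-line event format, hosts, accounts and addresses are constructed for the example (real events arrive as XML/EVTX).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional

# Constructed sample of forwarded Windows Security events in a simplified one-line form.
# Event IDs are real: 4624 logon success, 4625 logon failure, 4728/4732 member added to a
# security group, 4663 object access. Accounts, addresses and paths are made up.
SAMPLE_EVENTS = r"""
2024-05-01T09:00:01Z 4625 account=alice src=203.0.113.7
2024-05-01T09:00:03Z 4625 account=alice src=203.0.113.7
2024-05-01T09:00:05Z 4625 account=alice src=203.0.113.7
2024-05-01T09:00:07Z 4625 account=alice src=203.0.113.7
2024-05-01T09:00:09Z 4625 account=alice src=203.0.113.7
2024-05-01T09:00:12Z 4624 account=alice src=203.0.113.7
2024-05-01T09:15:00Z 4625 account=bob src=198.51.100.9
2024-05-01T09:16:00Z 4624 account=bob src=198.51.100.9
2024-05-01T10:02:30Z 4728 account=svc_backup group="Domain Admins" actor=alice
2024-05-01T10:05:00Z 4663 account=alice object=C:\Finance\payroll.xlsx access=Delete
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event_id": int(event_id), **fields}


def detect(lines: Iterable[str], failed_threshold: int = 5, window: timedelta = timedelta(seconds=60),
           watched_groups=("Domain Admins", "Administrators")) -> List[dict]:
    alerts: List[dict] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)   # source -> recent 4625 times
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        eid, ts, src = ev["event_id"], ev["ts"], ev.get("src")
        if eid == 4625:
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:          # slide the window
                q.popleft()
            if len(q) == failed_threshold:           # fire once when the threshold is crossed
                alerts.append({"type": "brute_force", "src": src, "at": ts, "count": len(q)})
        elif eid == 4624:
            q = failures.get(src)
            if q and len(q) >= failed_threshold and ts - q[-1] <= window:
                alerts.append({"type": "brute_force_success", "src": src,
                               "account": ev.get("account"), "at": ts})
                q.clear()
        elif eid in (4728, 4732) and ev.get("group") in watched_groups:
            alerts.append({"type": "privileged_group_change", "group": ev["group"],
                           "member": ev.get("account"), "actor": ev.get("actor"), "at": ts})
        elif eid == 4663 and ev.get("access") == "Delete":
            alerts.append({"type": "file_delete", "account": ev.get("account"),
                           "object": ev.get("object"), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Bob’s single failure followed by a success is ordinary user behaviour and produces nothing; the same pattern from 203.0.113.7 only becomes an alert because five failures landed inside the window first. This is the kind of correlation a SIEM does centrally on the forwarded copies, which is why card 74 insists the copies live on another host.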
76
Q

switch hardening

A
  • disable unused ports
  • ports shouldn’t allow numerous MAC addresses (port security)
  • use SSH instead of Telnet for management
77
Q

data in use

A

currently being processed

78
Q

data in motion

A

transmitted over network

79
Q

data at rest

A

stored on media

80
Q

symmetric encryption

A

same key used to encrypt/decrypt

81
Q

asymmetric encryption

A
  • pair of keys used
  • 1 encrypts
  • 1 decrypts
  • PKI uses related public/private key pairs
82
Q

DLP

A
  • data loss prevention
  • tools available to prevent sensitive data/IP from leaving organization
  • labeling data to be handled in accordance with DLP policies
83
Q

mobile devices

A
  • centralized management
  • logical partitioning/containerization
  • tools to prevent sensitive data from being stored on removable media
  • geofencing (limit where devices can be used)
84
Q

encrypting data at rest

A
  • several laws/regulations require encrypting data at rest
  • HIPAA (health data)
  • banking/financial regulations
  • legal access/subpoena: encrypted data must still be producible for legitimate requests, so keys must be recoverable/escrowed
85
Q

Windows bitlocker

A
  • Windows Pro/Enterprise editions and Windows Server
  • encrypts entire disk volumes/removable drives (BitLocker To Go)
  • use Group Policy to require BitLocker on certain drives
  • trusted platform module (TPM) can store keys/detect unauthorized system startup modifications (measured boot)
  • back up recovery keys (e.g. to AD/Azure AD)
86
Q

Windows EFS

A
  • Encrypting File System
  • ties encrypted files/folders to specific users
  • GUI control
  • cipher.exe command line tool
  • PKI certificate is automatically generated the 1st time a user encrypts a file (self-signed if no CA is available)
  • uses a symmetric file encryption key (FEK) to encrypt the file’s data blocks
  • public key from the user’s PKI certificate encrypts the FEK, which is stored with the file (in its $EFS attribute)
  • private key from the PKI certificate reveals the FEK, which then decrypts the data blocks
  • user PKI certificate/private key must be backed up to a secure location (lose it = lose the data)
  • EFS data recovery agents (DRAs) can be configured to grant administrators the ability to decrypt EFS-encrypted files
  • in an AD environment the domain’s built-in Administrator account is the default DRA, so it can decrypt files on any station joined to the domain
87
Q

OpenSSL

A
  • included in most Linux distros
  • used for file encryption (openssl enc) as well as key/certificate management
88
Q

tape encryption

A
  • tapes still commonly used for backups
  • should be encrypted
89
Q

SAN-based tape backup security considerations

A
  • which user account performs backups (root or admin)
  • scripts are normally used before/after backup (are malicious scripts present)
  • when encryption occurs (during/after backup)
  • human element (reliable admins)
  • reliability (offsite tape storage trustworthy)
90
Q

disk scrubbing

A
  • making it as difficult as possible to retrieve data previously stored on a disk
  • writing useless random data to the disk in multiple passes
  • zeroing out a disk writes a 0 byte to all storage locations on the disk
  • overwriting is unreliable on SSDs (wear levelling, spare blocks); use the drive’s secure-erase command or crypto-erase instead
91
Q

physical destruction

A
  • sort so that sensitive data disks are destroyed
  • drill holes into platters of HDDs
  • degaussing HDDs with a high-intensity magnetic field (doesn’t work on SSDs/flash)
  • shredding with an industrial shredder
92
Q

remote wipe

A
  • mobile device management (MDM) enable centralized management
  • remotely wipe lost/stolen devices
  • wipe can reset device to factory settings (full wipe)
  • wipe only corporate apps/data (selective wipe)
93
Q

VPN authentication tool that uses a changing numeric code synchronized with VPN appliance

A
  • key fobs
  • hardware/software tokens
94
Q

IEEE standard that defines port level security

A

802.1X

95
Q

RADIUS clients are referred to as

A

authenticators (the switch/AP/NAS acting as RADIUS client); the end devices requesting access are the supplicants

96
Q

firewall can filter based on UDP/TCP port numbers

A

layer 4

97
Q

firewall can filter based on contents of packet payload

A

layer 7