Server and Network Security

Question 1

premises access

Answer 1

• fencing
• bollard posts (protect buildings from vehicles)
• lighting
• locked gates
• security guards
• guard dogs
• limited access to areas of a facility
• motion-sensing security systems
• security cameras
• key codes/card readers

Question 2

mantraps

Answer 2

• vestibule where 2nd inner door opens only after 1st outer door has closed
• only space for 1 person between doors

Question 3

internal security controls

Answer 3

• clean desk policy

- locking up sensitive documents

Question 4

card-based access

Answer 4

• RFID cards to control access

- less secure than smartcards (payment cards)

Question 5

human security element

Answer 5

• strict hiring/background check policies
• segregation of duties
• user awareness/training

Question 6

authentication

Answer 6

• prove identity of users/devices/services/applications
• username/password
• PKI
• successful authentication required be access granted

Question 7

identity federation

Answer 7

• provide single centralized identity store
• can be replicated to multiple servers
• trust tokens issued from trusted identity store
• tokens contain claims
• enables SSO
• Microsoft active directory federation services (ADFS)
• Shibboleth (open source)

Question 8

claims (security tokens)

Answer 8

• assertions about user/device
• different apps consume different claims
• provide different scopes of access depending on claim values

Question 9

configuring authentication between on-premise/cloud environments

Answer 9

• identity federation

- replicating on-premise directory services to cloud-based directory service

Question 10

something you know

Answer 10

• security measures stored in user’s head
• usernames/passwords
• security questions
• single-factor authentication
• password policies

Question 11

something you have

Answer 11

• physical possession of security device
• smartcard/hardware token/MFA application
• PKI security certificate
• multi-factor authentication

Question 12

OTP

Answer 12

• one-time password
• never the same
• used for single authentication session

Question 13

something you are

Answer 13

• biometric authentication

- can expand existing systems to accept biometric authentication (i.e. AD)

Question 14

logical access control

Answer 14

• mechanisms to secure authentication/authorization to use network resources
• smart cards
• adding users to web app roles to control app access
• managing individual users on large scale is difficult
• auditing individual users reduces information overload

Question 15

security groups

Answer 15

• create group following organization standards
• grant resource permissions to group
• add members to group
• Microsoft AD users need to log off/back in to pick up changes
• groups are managed statically

Question 16

distribution groups

Answer 16

• designed for use by email systems

- can’t be assigned permissions

Question 17

DAC

Answer 17

• Windows server dynamic access control
• built into OS
• examines user/device AD attributes to determine access level
• can be used with/without groups
• user/device attributes must be completed in AD

Question 18

RBAC

Answer 18

• role-based access control
• assign resource permissions to role
• assign role occupant(s)
• can target individual

Question 19

rights vs permissions

Answer 19

• rights are either allow/deny
• permissions allow degrees of access
• principle of least privilege

Question 20

Windows NTFS permissions

Answer 20

• local file/folder permissions
• file/folder encryption using encrypting file system (EFS)
• file system auditing
• file system journaling (quicker disk recovery/repair)
• data deduplication
• disk space quotas
• disable inheritance
• apply permissions to subordinates
• uses DACL

Question 21

levels of Windows NTFS permissions

Answer 21

• full control
• modify (enables file deletion)
• read and execute
• list folder contents (applies only to folders)
• read
• write (doesn’t enable file deletion)
• special permissions

Question 22

DACL

Answer 22

• discretionary access control list

- administrator sets file system permissions

Question 23

Windows shared folder permissions

Answer 23

• only folders can be shared over network (not individual files)
• share permissions

Question 24

Windows shared folder permission levels

Answer 24

• full control
• change
• read

Question 25

applying NTFS with share permissions

Answer 25

most restrictive permissions apply

Question 26

Linux file system permissions

Answer 26

• read (r), 4
• write (w), 2
• execute (x), 1
• delete/modify included in write permission

Question 27

how Linux permissions are applied

Answer 27

• 3 sets of 3 permission levels applied to
• owner of file
• group associated with file/directory
• everyone else

Question 28

chmod Linux command example

Answer 28

• chmod 760 /projects
• 7 applies to file/directory owner
• 4 + 2 + 1 = 7 so owner has full permissions
• 6 applies to associated group
• 4 + 2 = 6 so group has read/write permissions
• 0 applies to everybody else (no permissions)
• chmod -R switch recursively applies permissions to a directory

Question 29

projectors

Answer 29

• doesn’t store sensitive information
• physical security
• place on isolated/secure network

Question 30

printers

Answer 30

• queued jobs could be retrieved by attackers
• change default passwords
• use HTTPS administrative access over HTTP
• print server provides centralized management/security control

Question 31

USB

Answer 31

• easy to infect with malware
• ninja cables
• smartphones
• tablets
• storage media
• disable USB ports for storage media
• user awareness/education

Question 32

NAC

Answer 32

• network access control
• port-based security
• edge devices should never perform authentication (forward authentication requests to RADIUS server)

Question 33

RADIUS servers

Answer 33

• remote authentication dial-in user service
• edge devices (RADIUS clients) forward authentication requests from supplicants
• RADIUS server determines authentication/access
• install software/configure shared secret to turn server into RADIUS server
• use WPA enterprise/WPA2 enterprise for WiFi routers
• based on UDP
• primarily for centralized authentication

Question 34

TACACS/TACACS+

Answer 34

• terminal access controller access-control system
• designed to handle frequent authorization requests within a session
• enhances security by encryption transmissions
• based on TCP
• normally used to administer network devices

Question 35

VLANs

Answer 35

• creates new broadcast domain
• allows isolating networks/subdomains
• router/layer 3 switch required to communicate between VLANs

Question 36

MAC flooding attacks

Answer 36

• VLAN attack
• fill MAC table limited memory on switches
• causes otherwise isolated traffic to be visible on other VLANs
• unicast traffic visible to all devices in that VLAN

Question 37

VLAN hopping

Answer 37

• VLAN attack
• attacker spoofs identity of another switch
• creates trunking link
• all VLAN traffic can pass through link and become visible to attacker

Question 38

mitigating VLAN attacks

Answer 38

• disable automatic trunk negotiation
• enable strong port security
• allow connections from specific/limited number of MAC addresses
• apply latest firmware updates

Question 39

firewalls

Answer 39

• control inbound/outbound traffic
• block everything/create rules to allow necessary traffic
• hardware/software based
• hardware generally more stable/can handle more traffic

Question 40

host-based firewall

Answer 40

• runs as software on a specific host
• Windows firewall
• Linux/UNIX iptables/uncomplicated firewall (ufw) command line tools
• layer 4 firewalls
• some Windows services i.e. AD require multiple ports (work with groups of firewall rules)

Question 41

layer 4 firewalls examine

Answer 41

• source IP address
• destination IP address
• source port
• destination port
• protocol type

Question 42

Windows firewall

Answer 42

configured via GUI/PowerShell

Question 43

Linux firewall

Answer 43

configured via iptables command

Question 44

network-based firewalls

Answer 44

• routers/specialized appliances
• at least 2 network interfaces
• configured with NACLs to control inbound/outbound traffic
• placed where traffic that must be examined will flow into/out of the network (perimeter firewalls)

Question 45

reverse proxy servers

Answer 45

• type of network-based firewall
• listen for incoming traffic
• forwards to internal device i.e. web server

Question 46

DPI

Answer 46

• deep packet inspection
• given with network-based firewalls
• tracks TCP sessions instead of treating each packet separately (stateful packet inspection)
• goes up to Layer 7 inspection

Question 47

SECaaS

Answer 47

• security as a service
• firewalls in cloud offered by cloud providers
• Microsoft Azure uses network security groups (NSGs)

Question 48

DDoS attacks

Answer 48

• distributed denial of service
• zombies/zombie nets
• overwhelm servers with communication requests
• packet flooding
• standard firewalls not designed to mitigate

Question 49

black hole traffic

Answer 49

• mitigation of DDoS attacks
• discard traffic destined for victim machine
• still disrupts normal traffic

Question 50

security zones

Answer 50

• isolation
• firewalls control traffic from internet into public-facing network
• second firewall further controls traffic into/out of internal secured network
• make sure internal data is not replicated to public-facing network

Question 51

screened subnets

Answer 51

• DMZ
• external public-facing network
• VPN appliances
• SMTP mail servers
• web servers
• FTP servers
• normally use a reverse proxy

Question 52

PKI

Answer 52

• public key infrastructure
• hierarchy of digital certificates issues to users/devices/services
• encrypt/digitally sign sensitive email messages
• encrypt files
• authenticate to VPN
• secure web site over HTTPS

Question 53

CA

Answer 53

• certificate authority
• top of PKI hierarchy
• can have subordinate CAs (RAs)
• issue PKI certificates
• root (top-level) CA should be kept offline (compromise also compromises all certificates with hierarchy)

Question 54

PKI certificates

Answer 54

• manually requested/issued
• automatically issued via group policy
• X.509 certificate
• can be a file/burned into magnetic strip/smartcard

Question 55

PKI certificate contents

Answer 55

• serial number
• subject name (user email/FQDN of web site)
• unique mathematically related public/private key pair
• certificate use (email/file encryption/code signing)
• digital signature of CA/signature algorithm used
• date of issuance/expiration date

Question 56

PKI certificate private key

Answer 56

• must be kept secret
• can be stored with certificate
• technically stored safely on device in a key store

Question 57

SSL/TLS

Answer 57

• secure sockets layer
• transport layer security (newer/more secure)
• provide encryption/authentication over a network
• TLS version 1.3 = latest version
• don’t use TLS/SSL 1.0/1.1
• require PKI certificate

Question 58

configuring Windows/Linux TLS options

Answer 58

• modify registry in Windows to disable SSL 3.0/enable TLS

- use OpenSSL in Linux to support TLS

Question 59

IPSec

Answer 59

• internet protocol security
• built into IPv6
• works with IPv4
• VPNs
• doesn’t require use of PKI certificates
• applies policy settings to computers

Question 60

IPSec authentication keys

Answer 60

• Kerberos
• certificates
• preshared keys

Question 61

best authentication method for AD domain

Answer 61

Kerberos

Question 62

weakest authentication method for AD domain

Answer 62

preshared key (symmetric key)

Question 63

IPSec tunnel mode

Answer 63

• normally used between 2 endpoint VPN devices
• encrypts the entire original IP packet (not just payload)
• adds a new IP header
• encapsulates packet

Question 64

IPSec transport mode

Answer 64

• only encrypts packet payload

- communication protected regardless of protocol being used

Question 65

VPNs

Answer 65

• provides encrypted secured connection to private network over an unsecured network
• client-to-site
• site-to-site
• point-to-point tunneling protocol (PPTP)
• layer 2 tunneling protocol with IPSec (L2TP/IPSEC)
• SSL tunnel

Question 66

client-to-site VPN

Answer 66

• require client VPN software configured to connect to a VPN appliance in screened subnet (or reachable by reverse proxy)
• user authenticates to VPN
• encrypted tunnel established

Question 67

site-to-site VPN

Answer 67

• require VPN appliance at 2 different network sites

- point-to-point encrypted tunnel is established

Question 68

configuring VPN connections

Answer 68

• L2TP/IPSec appliance requires client software is configured correctly
• SSL VPNs use standard HTTPS ports

Question 69

HIDS

Answer 69

• host intrusion detection system
• detects suspicious activity related to a specific host
• looks for abnormalities
• can read traffic encrypted over the network (host decrypts)

Question 70

NIDS

Answer 70

• network intrusion detection system
• standalone appliance
• monitors network activity
• security information and event management (SIEM) software provides centralized repository for logs/audit events/security device alerts
• switches must be configured to copy all packets to port connected to NIDS

Question 71

IPSs

Answer 71

• intrusion prevention systems
• extend functionality of IDSs
• take steps to prevent further damage when malicious activity is detected
• HIPS/NIPS

Question 72

server/OS hardening

Answer 72

• reduces attack surface
• centralized in data centers
• OSs images can be hardened for creating new servers
• NIST SP 800-123
• HIDS/HIPS
• apply firmware updates to network appliances
• apply firmware updates to BIOS/UEFI RAID controllers
• set UEFI/BIOS boot password to prevent changing boot order
• enable CPU no-execute (NX bit) at BIOS level
• lock server chassis or rack case
• disable wake-on-LAN
• apply OS updates
• apply app software updates
• follow OS/app configuration best practices
• enable MFA
• keep AV solution updated
• configure host-based firewall (block unused ports)
• disable unused services/daemons
• disable unused accounts
• rename/disable default accounts
• enable auditing/logging related to IT workload
• follow principle of least privilege
• enable network encryption for as much traffic as possible
• encrypt data at rest
• plan for hardware failure

Question 73

NX bit

Answer 73

• prevents certain memory pages from running executable code

- stop buffer overflow attacks

Question 74

logging considerations

Answer 74

• copies of log entries should be forwarded to a different host
• Windows Event Log Forwarding
• Linux syslog fowarding

Question 75

auditing specifics

Answer 75

• audit user logins
• group membership changes
• user file system activity

Question 76

switch hardening

Answer 76

• disable unused ports
• ports shouldn’t allow numerous MAC addresses
• use SSH over Telnet

Question 77

data in use

Answer 77

currently being processed

Question 78

data in motion

Answer 78

transmitted over network

Question 79

data at rest

Answer 79

stored on media

Question 80

symmetric encryption

Answer 80

same key used to encrypt/decrypt

Question 81

asymmetric encryption

Answer 81

• pair of keys used
• 1 encrypts
• 1 decrypts
• PKI uses related public/private key pairs

Question 82

DLP

Answer 82

• data loss prevention
• tools available to prevent sensitive data/IP from leaving organization
• labeling data to be handled in accordance with DLP policies

Question 83

mobile devices

Answer 83

• centralized management
• logical partitioning/containerization
• tools to prevent sensitive data from being stored on removable media
• geofencing (limit where devices can be used)

Question 84

encrypting data at rest

Answer 84

• several laws require encrypting data at rest
• HIPAA
• Banking
• legal access/subpoena

Question 85

Windows bitlocker

Answer 85

• Windows OS enterprise editions
• encrypts entire disk volumes/removable drives
• use group policy to require bitlocker on certain drives
• trusted platform module (TPM) can store keys/detect unauthorized system startup modifications

Question 86

Windows EFS

Answer 86

• encrypting file system
• ties encrypted files/folders to specific users
• GUI control
• cipher.exe command line tool
• PKI certificate is automatically generated the 1st time user encrypts a file
• uses bulk encryption key/file encryption key (FEK) to encrypt blocks of data (stored within file)
• public key from PKI certificate encrypts the FEK
• private key from PKI reveals FEK which then decrypts blocks of data
• user PKI certificate must be backed up to secure location
• EFS data recovery agents can be configured to grant administrators ability to decrypt EFS encrypted files
• domain admin in AD environment can decrypt any files on any station joined to the domain

Question 87

OpenSSL

Answer 87

• included in some Linux distros

- used for file encryption

Question 88

tape encryption

Answer 88

• tapes still commonly used for backups

- should be encrypted

Question 89

SAN-based tape backup security considerations

Answer 89

• which user account performs backups (root or admin)
• scripts are normally used before/after backup (are malicious scripts present)
• when encryption occurs (during/after backup)
• human element (reliable admins)
• reliability (offsite tape storage trustworthy)

Question 90

disk scrubbing

Answer 90

• making it as difficult as possible to retrieve data previously stored on a disk
• writing useless random data to disk in multiple passes
• zeroing out a disk writes a 0 byte to all storage locations on the disk

Question 91

physical destruction

Answer 91

• sort so that sensitive data disks are destroyed
• drill holes into platters of HDDs
• degaussing HDDs with high-intensity magnetic field
• shredding with industrial shredder

Question 92

remote wipe

Answer 92

• mobile device management (MDM) enable centralized management
• remotely wipe lost/stolen devices
• wipe can reset device to factory settings (full wipe)
• wipe only corporate apps/data (selective wipe)

Question 93

VPN authentication tool that uses a changing numeric code synchronized with VPN appliance

Answer 93

• key fobs

- hardware/software tokens

Question 94

IEEE standard that defines port level security

Answer 94

802.1X

Question 95

RADIUS clients are referred to as

Answer 95

supplicants

Question 96

firewall can filter based on UDP/TCP port numbers

Answer 96

layer 4

Question 97

firewall can filter based on contents of packet payload

Answer 97

layer 7