Various Concepts Flashcards
Software-based client that monitors data in use on a computer and can stop file transfers or alert admins of the transfers based on a set of rules or policies.
Endpoint dlp
software or hardware solution installed on the perimeter of the network to protect data in transit.
Network dlp
software stored on servers in a data center to protect data at rest.
Storage dlp
Software to protect data being stored in cloud services, usually a SaaS solution.
Cloud dlp
UEBA
User and Entity Behavior Analytics
SCCM
System Center Configuration Management - Microsoft software management system for admin device management.
trusted program to ensure that microprocessors in the supply chain are secure and is overseen by the Department of Defense
Trusted Foundry Program
process of ensuring that hardware is procured tamper free from a trusted supplier.
Hardware Source Authenticity
cryptographic module embedded within a computer system that can endorse trusted execution and can attest to boot settings and metrics
Root of Trust - ROT
PUF
Physically Unclonable Function - anti-tamper mechanism used inside systems (ROT policies).
UEFI feature that prevents unwanted processes from executing during the boot process.
Secure Boot
UEFI feature that gathers secure metrics to validate the boot processes in an attestation report.
Measured Boot
A claim that the data presented is valid by digitally signing it using a TPM’s private key.
Attestation
A means for software or firmware to permanently alter the state of a transistor on a computer chip.
eFuse
an update digitally signed by the vendor.
Trusted Firmware Update
low-level CPU changes and instructions that ensure secure processing and are built into the microprocessor.
Processor Security Extensions
AMD chip PSEs
- SME Secure Memory Encryption
- SEV Secure Encrypted Virtualization
Intel chip PSEs
- TXT Trusted Execution Technology
- SGX Software Guard Extensions
extensions that allow a trusted process to create an encrypted container for sensitive data.
Secure Enclave
operations that should only be performed once or not at all.
Atomic Execution
key signature of a directory traversal attack
../../ or dot dot slash and %255
key signature of a SQL attack
' or 1 = 1
occurs when an attacker is able to execute commands physically on a victim computer
Arbitrary Code Execution
occurs when an attacker is able to execute commands on a victim computer remotely
RCE Remote Code Execution
occurs when an attacker fills up the buffer with NOPs (no-operation instructions) so that the return address may hit a NOP and continue until it finds the attacker's code to run
smash the stack
User’s web browser is exploited by the attacker, usually by a compromised web server
XSS
The web site is exploited through the user's browser. The user is already authenticated, and the attacker uses that trust to exploit the web site.
XSRF
Hosts or servers located in the DMZ that do not have any services configured to run on the local network.
Bastion Hosts
secures the network by keeping the machines behind it anonymous while web surfing. Uses NAT.
IP Proxy
Attempts to serve clients content itself without contacting the remote server.
Caching Proxy
Used to prevent devices from connecting to prohibited websites and other content.
Internet Content Filter
A go between device that scans for viruses, filters content, and performs dlp functions.
Web Secure Gateway WSG
Low upfront cloud storage costs, but exorbitant fees to move the data from the cloud to another provider or an on-prem solution, due to the bandwidth and storage costs of transferring large amounts of data.
Vendor Lock-in
Security appliance set up at the client network edge to forward traffic to the cloud network if the content complies with the policies.
Forward Proxy: Users can evade forward proxies.
A security appliance set up at the cloud network edge that forwards content if it complies with policy. Cloud provider must support this to work.
Reverse Proxy
FAAS
Function as a Service
A software architecture that runs functions within virtualized containers at runtime instead of on dedicated servers.
Serverless
AWS storage containers
Buckets
Microsoft azure storage containers
Blobs
CORS
Cross Origin Resource Sharing. A network policy that allows the browser to treat content from nominated domains as safe.
DoS attack which attempts to send more packets to a device/server than it can handle.
Flood Attack
A flood/dos attack using ICMP pings.
Ping of Death
attacker sends a ping to a subnet broadcast address and the devices reply to a spoofed IP address (the victim's server), using up bandwidth and power.
Smurf Attack
flood attack using UDP packets to flood the target device.
Fraggle Attack
DoS attack where the attacker initiates multiple TCP sessions but does not complete the three-way handshake. Flood Guards are used to prevent these attacks.
SYN FLOOD
a network scan attack that sets the FIN, PSH, and URG flags that can cause a system to crash.
XMAS Attack
breaks apart packets into IP fragments and modifies them with oversized payloads and sends them to a victim machine.
Teardrop Attack
exploits a security flaw to permanently break a device by reflashing its firmware.
Permanent DOS attack
attack that creates a large number of resources to use up the available processing power of the device
Fork Bomb
If A=B=C, then A=C: If any trusted network is compromised, all trusted networks are also.
Transitive attack
name resolution info is modified in the DNS server’s cache
DNS Poisoning
DNS attack where the attacker requests copies of the DNS info (server names, ip info) to their system for future attacks
Unauthorized Zone transfer
DNS attack where the attacker modifies the hosts file so the client bypasses the DNS server and is redirected to a malicious site.
Altered Hosts File
occurs when an attacker redirects one website’s traffic to another bogus/malicious website.
Pharming
exploits the process in how dns names are registered and prevents domain names from being registered.
Domain Name Kiting
Key differences between WEP, WPA, WPA2, and open networks
Open = no security, WEP = weak IV, WPA = TKIP and RC4, WPA2 = CCMP and AES.
key components of the two WPA3 modes
WPA3 Enterprise Mode: AES-256 with SHA-384 hash. WPA3 Personal Mode: CCMP-128 key and uses PFS instead of PSK.
Class A Fire Suppression base, use, and symbol
Water, ordinary combustibles, and green triangle w/A
Class B Fire Suppression base, use, and symbol
Dry chemical or CO2, flammable gases and liquids, red square with B
Class C Fire Suppression base, use, and symbol
CO2, electrical fires, blue circle w/C
Class D Fire Suppression base, use, and symbol
dry powder blend, combustible metals, yellow pentagon w/a D
Class K Fire Suppression base, use, and symbol
Potassium based, cooking oils and animal fats, black hexagon with a K
Location of HVAC hot and cold aisles.
Cold aisles at the front of the rack, hot aisles at the rear of the rack
shielding installed around an entire room to prevent electromagnetic energy from entering or exiting the area.
Faraday Cage
U.S. Government standards for the level of shielding required in a building to ensure emissions and interference cannot enter or exit the facility.
Tempest
CAN
Controller Area Network – a digital serial data communications network used in vehicles.
OBD-2
Onboard Diagnostics module – external interface for CAN networks
describe 3 CAN vulnerabilities
Attach the exploit to the OBD-2, exploit over onboard cellular, or over onboard wifi
Main difference between SoC and FPGA
SoC can't be changed, FPGA can be changed as needed.
Digital serial data connections used in operational technology networks to link PLCs
Fieldbus
input and output controls on a PLC that allow a user to configure and monitor the system.
HMI Human Machine Interface
software that catalogs and aggregates data from multiple sources within an ICS
Data Historian
Key difference between ICS and SCADA
ICS = single location; SCADA = multiple points across a geographical region.
communications protocol used in operational technology networks
Modbus
4 key controls for mitigating vulnerabilities in specialized systems (ICS & SCADA):
- Establish admin control by recruiting staff w/relevant expertise.
- Implement minimum links by disconnecting unnecessary services, protocols, etc.
- Develop and test a patch management program for OT networks.
- Perform regular audits of logical and physical access to these systems.
BAS
Building Automation System
utilizes a web of trust between organizations where each one certifies the others in the federation. Not efficient for a large network of organizations.
Cross-Certification authentication
Organizations authorize based on a single third-party organization. More efficient.
Trusted Third Party (bridge model)
Users log in to an Identity Provider (IP) and use their account at Relying Parties (RP). Largest is Google.
Open ID
IEEE standardized framework used for port-based authentication for both wired and wireless networks.
802.1x
application layer protocol for accessing and modifying directory services. Used in MS AD.
LDAP
What is the supplicant in the 802.1x process?
PC, client, etc.
The device through which the supplicant is attempting to access the network (switches, VPN concentrators, etc.). 802.1x process
Authenticator
The centralized device that performs the authentication (RADIUS, TACACS, etc. servers). 802.1x
authentication server
A standardized framework of protocols that allows for many methods of authentication including passwords, PKI, and digital certificates.
EAP
uses simple passwords and CHAP for authentication; a one-way process.
EAP MD5
uses PKI and digital certificates for mutual (two-way) authentication.
EAP TLS
requires server-side digital certificates and a client-side password for mutual authentication.
EAP TTLS
uses protected access credentials (a security credential generated by the server that holds information specific to a peer) instead of digital certificates for mutual authentication.
EAP FAST
uses server certificates and MS Active Directory databases to authenticate a client’s password.
PEAP
Cisco’s proprietary authentication protocol requiring Cisco based networks.
LEAP
Cross-platform version of RDP (MS only) for remote user GUI access.
Virtual Network Computing (VNC)
specialized hardware device that allows for hundreds of simultaneous VPN connections from remote devices.
VPN concentrator
a remote worker's machine diverts internal traffic (file transfer, email, etc.) over a VPN and external traffic over their own internet connection.
Split tunneling
Cisco's proprietary version of RADIUS; not available for cross-platform use.
TACACS+
attack that intercepts API calls between the browser process and its DLLs.
MITB Man in the Browser
brute-force attack where stolen usernames and passwords are tried against multiple websites.
Credential Stuffing
software vulnerability where the authentication mechanism allows an attacker to gain entry.
Broken Authentication
the access control policy is determined by the owner.
DAC
the computer system determines the access control policies for an object. Military: top secret, secret, etc. Lattice-based and rule-based are MAC models.
MAC
uses a set of permissions instead of labels in MAC.
RBAC - Role Based
if/then access control. If Jason is in HR, then give access to HR files.
Attribute based
requires more than one person to conduct a sensitive task or operation.
Separation of Duties
ADUC
Active Directory Users and Computers
3 Types of Linux user permissions
U = owners, G = groups, and O or A = all users.
used to change the permissions or rights of a file or folder in Linux.
chmod change mode
Linux numeric value for R,W, and X
4 (R) = read, 2 (W) = write, 1 (X) = execute (binary values). Add to combine: 6 = rw, 3 = wx, etc.
occurs when permissions are passed to a subfolder from the parent through inheritance.
Propagation
Two most popular password crackers
Cain and Abel & John the Ripper
Attack method where a program attempts to guess a password by using a list of possible passwords.
Dictionary attack
Attack method where a program tries every possible combination until the password has been compromised.
Brute Force Attack
attack method that compares a precomputed encrypted password to a value in a lookup table.
Cryptanalysis Attack
A list of precomputed values (hashes) to more quickly break a password.
Rainbow table
network traffic is analyzed to discover predetermined attack patterns.
Signature-based monitoring
network traffic is analyzed to discover traffic that is outside of an established baseline.
Anomaly-based monitoring
network traffic is analyzed to discover data that does not match previous network activity, applications, etc.
Behavior-based monitoring
Windows program for performance monitoring.
perfmon.exe (perfmon in cmd will load)
2 Protocol analyzer modes
Promiscuous and Non-Promiscuous modes
Network adapter captures all traffic on the network regardless of the MAC address on the frames carrying it.
Promiscuous Mode
Network adapter only captures traffic directly addressed to itself.
Non-promiscuous mode
Data files that contain the accounting and audit trail for actions performed by a user on the computer or network.
Logs
Logs the events such as successful and unsuccessful user logons to the system.
Security Logs
Logs the events such as a system shutdown or driver failure.
System Logs
Logs the events for the operating system and third-party applications.
Application Logs